diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json
index 2b551956..45d90403 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"d42ac376-bf01-4baf-bad5-d0b7ee2626d5","metadata":{"title":"NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE","last-modified":"2023-11-02T11:49:45.965719-04:00","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_HIGH-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"71c97c27-4f09-4d06-a6a4-065a54c19a1f","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["31a5dd8f-978a-4558-8ade-846211607d40"]},{"role-id":"contact","party-uuids":["31a5dd8f-978a-4558-8ade-846211607d40"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","props":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the management of information system accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary \/ Emergency Accounts","params":[{"id":"ac-2.2_prm_1","select":{"choice":["removes","disables"]}},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account"}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","params":[{"id":"ac-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ insert: param, ac-2.3_prm_1 }}."},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the organization-defined time period."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","params":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies {{ insert: param, ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when to log out"}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"ac-02.05"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"The organization requires that users log out when {{ insert: param, ac-2.5_prm_1 }}."},{"id":"ac-2.5_gdn","name":"guidance","links":[{"href":"#sc-23","rel":"related"}]},{"id":"ac-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(5)[1]"}],"prose":"defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; and"},{"id":"ac-2.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(5)[2]"}],"prose":"requires that users log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity violation reports\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-2.11_prm_1","label":"organization-defined circumstances and\/or usage conditions"},{"id":"ac-2.11_prm_2","label":"organization-defined information system accounts"}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"sort-id","value":"ac-02.11"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"The information system enforces {{ insert: param, ac-2.11_prm_1 }} for {{ insert: param, ac-2.11_prm_2 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.11_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(11)[1]"}],"prose":"the organization defines circumstances and\/or usage conditions to be enforced for information system accounts;"},{"id":"ac-2.11_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(11)[2]"}],"prose":"the organization defines information system accounts for which organization-defined circumstances and\/or usage conditions are to be enforced; and"},{"id":"ac-2.11_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(11)[3]"}],"prose":"the information system enforces organization-defined circumstances and\/or usage conditions for organization-defined information system accounts."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of information system accounts and associated assignments of usage circumstances and\/or usage conditions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring \/ Atypical Usage","params":[{"id":"ac-2.12_prm_1","label":"organization-defined atypical usage"},{"id":"ac-2.12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"sort-id","value":"ac-02.12"}],"parts":[{"id":"ac-2.12_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitors information system accounts for {{ insert: param, ac-2.12_prm_1 }}; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reports atypical usage of information system accounts to {{ insert: param, ac-2.12_prm_2 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.","links":[{"href":"#ca-7","rel":"related"}]},{"id":"ac-2.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.12.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)"}],"parts":[{"id":"ac-2.12.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)[1]"}],"prose":"defines atypical usage to be monitored for information system accounts;"},{"id":"ac-2.12.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)[2]"}],"prose":"monitors information system accounts for organization-defined atypical usage;"}],"links":[{"href":"#ac-2.12_smt.a","rel":"corresp"}]},{"id":"ac-2.12.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)"}],"parts":[{"id":"ac-2.12.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)[1]"}],"prose":"defines personnel or roles to whom atypical usage of information system accounts are to be reported; and"},{"id":"ac-2.12.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)[2]"}],"prose":"reports atypical usage of information system accounts to organization-defined personnel or roles."}],"links":[{"href":"#ac-2.12_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-2.13_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"sort-id","value":"ac-02.13"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"The organization disables accounts of users posing a significant risk within {{ insert: param, ac-2.13_prm_1 }} of discovery of the risk."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement.","links":[{"href":"#ps-4","rel":"related"}]},{"id":"ac-2.13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.13_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(13)[1]"}],"prose":"defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; and"},{"id":"ac-2.13_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(13)[2]"}],"prose":"disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {{ insert: param, ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering\/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","props":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","props":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Separates {{ insert: param, ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and\/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","props":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","props":[{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","props":[{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of duties."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions\/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ac-6_obj","name":"objective","prose":"Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information"}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ insert: param, ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers\/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly authorized;"},{"id":"ac-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles, with access to {{ insert: param, ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-6.3_prm_1","label":"organization-defined privileged commands"},{"id":"ac-6.3_prm_2","label":"organization-defined compelling operational needs"}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"sort-id","value":"ac-06.03"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"The organization authorizes network access to {{ insert: param, ac-6.3_prm_1 }} only for {{ insert: param, ac-6.3_prm_2 }} and documents the rationale for such access in the security plan for the information system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).","links":[{"href":"#ac-17","rel":"related"}]},{"id":"ac-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(3)[1]"}],"prose":"defines privileged commands to which network access is to be authorized only for compelling operational needs;"},{"id":"ac-6.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(3)[2]"}],"prose":"defines compelling operational needs for which network access to organization-defined privileged commands are to be solely authorized;"},{"id":"ac-6.3_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(3)[3]"}],"prose":"authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs; and"},{"id":"ac-6.3_obj.4","name":"objective","props":[{"name":"label","value":"AC-6(3)[4]"}],"prose":"documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to {{ insert: param, ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information\/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","links":[{"href":"#cm-6","rel":"related"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related"}]},{"id":"ac-6.9_obj","name":"objective","prose":"Determine if the information system audits the execution of privileged functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards\/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","prose":"Determine if the information system prevents non-privileged users from executing privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards\/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards\/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards\/countermeasures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_prm_1","label":"organization-defined account and\/or account type"},{"id":"ac-10_prm_2","label":"organization-defined number"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-10"},{"name":"sort-id","value":"ac-10"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"The information system limits the number of concurrent sessions for each {{ insert: param, ac-10_prm_1 }} to {{ insert: param, ac-10_prm_2 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-10_obj.1","name":"objective","props":[{"name":"label","value":"AC-10[1]"}],"prose":"the organization defines account and\/or account types for the information system;"},{"id":"ac-10_obj.2","name":"objective","props":[{"name":"label","value":"AC-10[2]"}],"prose":"the organization defines the number of concurrent sessions to be allowed for each organization-defined account and\/or account type; and"},{"id":"ac-10_obj.3","name":"objective","props":[{"name":"label","value":"AC-10[3]"}],"prose":"the information system limits the number of concurrent sessions for each organization-defined account and\/or account type to the organization-defined number of concurrent sessions allowed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","params":[{"id":"ac-11_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request from a user; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","props":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","props":[{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","prose":"Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ insert: param, ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","props":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session disconnect; and"},{"id":"ac-12_obj.2","name":"objective","props":[{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring \/ Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-17.1_obj","name":"objective","prose":"Determine if the information system monitors and controls remote access methods."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality \/ Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security categorization of the information.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-17.2_obj","name":"objective","prose":"Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","params":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"props":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ insert: param, ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the organization-defined number of managed network access control points."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands \/ Access","params":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp"}]},{"id":"ac-17.4.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.1_prm_1","select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication of {{ insert: param, ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-18.1_obj","name":"objective","prose":"Determine if the information system protects wireless access to the system using encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and\/or"},{"id":"ac-18.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the information system"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"sort-id","value":"ac-18.04"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"ac-18.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(4)[1]"}],"prose":"identifies users allowed to independently configure wireless networking capabilities; and"},{"id":"ac-18.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(4)[2]"}],"prose":"explicitly authorizes the identified users allowed to independently configure wireless networking capabilities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas \/ Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"sort-id","value":"ac-18.05"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional\/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area.","links":[{"href":"#pe-19","rel":"related"}]},{"id":"ac-18.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(5)[1]"}],"prose":"selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and"},{"id":"ac-18.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(5)[2]"}],"prose":"calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device \/ Container-based Encryption","params":[{"id":"ac-19.5_prm_1","select":{"choice":["full-device encryption","container encryption"]}},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption of data\/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and"},{"id":"ac-19.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related"}]},{"id":"ac-20.1_obj","name":"objective","prose":"Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp"}]},{"id":"ac-20.1.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","params":[{"id":"ac-20.2_prm_1","select":{"choice":["restricts","prohibits"]}}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ insert: param, ac-20.2_prm_1 }} the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"objective","prose":"Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for {{ insert: param, ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs {{ insert: param, ac-21_prm_2 }} to assist users in making information sharing\/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program\/compartment.","links":[{"href":"#ac-3","rel":"related"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-21.a_obj","name":"objective","props":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is required;"},{"id":"ac-21.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","props":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users in making information sharing\/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist users in making information sharing\/collaboration decisions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing\/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing\/collaboration decisions\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"at-2.2_obj","name":"objective","prose":"Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness training\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"au-2.3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ insert: param, au-2.3_prm_1 }}."},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information"}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional information: {{ insert: param, au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the organization-defined additional, more detailed information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","params":[{"id":"au-3.2_prm_1","label":"organization-defined information system components"}],"props":[{"name":"label","value":"AU-3(2)"},{"name":"sort-id","value":"au-03.02"}],"parts":[{"id":"au-3.2_smt","name":"statement","prose":"The information system provides centralized management and configuration of the content to be captured in audit records generated by {{ insert: param, au-3.2_prm_1 }}."},{"id":"au-3.2_gdn","name":"guidance","prose":"This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.","links":[{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-3.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(2)[1]"}],"prose":"the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and"},{"id":"au-3.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(2)[2]"}],"prose":"the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system capability implementing centralized management and configuration of audit record content"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Audit Storage Capacity","params":[{"id":"au-5.1_prm_1","label":"organization-defined personnel, roles, and\/or locations"},{"id":"au-5.1_prm_2","label":"organization-defined time period"},{"id":"au-5.1_prm_3","label":"organization-defined percentage"}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"sort-id","value":"au-05.01"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"The information system provides a warning to {{ insert: param, au-5.1_prm_1 }} within {{ insert: param, au-5.1_prm_2 }} when allocated audit record storage volume reaches {{ insert: param, au-5.1_prm_3 }} of repository maximum audit record storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"au-5.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][a]"}],"prose":"personnel to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;"},{"id":"au-5.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][b]"}],"prose":"roles to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity; and\/or"},{"id":"au-5.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][c]"}],"prose":"locations to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;"}]},{"id":"au-5.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(1)[2]"}],"prose":"the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and\/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;"},{"id":"au-5.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-5(1)[3]"}],"prose":"the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and"},{"id":"au-5.1_obj.4","name":"objective","props":[{"name":"label","value":"AU-5(1)[4]"}],"prose":"the information system provides a warning to the organization-defined personnel, roles, and\/or locations within the organization-defined time period when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-5.2_prm_1","label":"organization-defined real-time period"},{"id":"au-5.2_prm_2","label":"organization-defined personnel, roles, and\/or locations"},{"id":"au-5.2_prm_3","label":"organization-defined audit failure events requiring real-time alerts"}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"sort-id","value":"au-05.02"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"The information system provides an alert in {{ insert: param, au-5.2_prm_1 }} to {{ insert: param, au-5.2_prm_2 }} when the following audit failure events occur: {{ insert: param, au-5.2_prm_3 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(2)[1]"}],"prose":"the organization defines audit failure events requiring real-time alerts;"},{"id":"au-5.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(2)[2]"}],"prose":"the organization defines:","parts":[{"id":"au-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][a]"}],"prose":"personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;"},{"id":"au-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][b]"}],"prose":"roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and\/or"},{"id":"au-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][c]"}],"prose":"locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;"}]},{"id":"au-5.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-5(2)[3]"}],"prose":"the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and\/or locations when the organization-defined audit failure events requiring real-time alerts occur; and"},{"id":"au-5.2_obj.4","name":"objective","props":[{"name":"label","value":"AU-5(2)[4]"}],"prose":"the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and\/or locations when organization-defined audit failure events requiring real-time alerts occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nrecords of notifications or real-time alerts when audit processing failures occur\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","props":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission\/business process, and information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"au-6.3_obj","name":"objective","prose":"Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integration \/ Scanning and Monitoring Capabilities","params":[{"id":"au-6.5_prm_1","select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","information system monitoring information"," {{ insert: param, au-6.5_prm_2 }} "]}},{"id":"au-6.5_prm_2","depends-on":"au-6.5_prm_1","label":"organization-defined data\/information collected from other sources"}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"sort-id","value":"au-06.05"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"The organization integrates analysis of audit records with analysis of {{ insert: param, au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation\/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"au-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(5)[1]"}],"prose":"defines data\/information to be collected from other sources;"},{"id":"au-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(5)[2]"}],"prose":"selects sources of data\/information to be analyzed and integrated with the analysis of audit records from one or more of the following:","parts":[{"id":"au-6.5_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][a]"}],"prose":"vulnerability scanning information;"},{"id":"au-6.5_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][b]"}],"prose":"performance data;"},{"id":"au-6.5_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][c]"}],"prose":"information system monitoring information; and\/or"},{"id":"au-6.5_obj.2.d","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][d]"}],"prose":"organization-defined data\/information collected from other sources; and"}]},{"id":"au-6.5_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(5)[3]"}],"prose":"integrates the analysis of audit records with the analysis of selected data\/information to further enhance the ability to identify inappropriate or unusual activity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"sort-id","value":"au-06.06"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations."},{"id":"au-6.6_obj","name":"objective","prose":"Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","props":[{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","props":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","props":[{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events of interest based on {{ insert: param, au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"props":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.1.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and"},{"id":"au-8.1.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp"}]},{"id":"au-8.1.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Audit Backup On Separate Physical Systems \/ Components","params":[{"id":"au-9.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"sort-id","value":"au-09.02"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"The information system backs up audit records {{ insert: param, au-9.2_prm_1 }} onto a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"}]},{"id":"au-9.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(2)[1]"}],"prose":"the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; and"},{"id":"au-9.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(2)[2]"}],"prose":"the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system or media storing backups of information system audit records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"sort-id","value":"au-09.03"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"au-9.3_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"au-9.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(3)[1]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit information; and"},{"id":"au-9.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(3)[2]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system hardware settings\n\ninformation system configuration settings and associated documentation, information system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only {{ insert: param, au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.","links":[{"href":"#ac-5","rel":"related"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the organization-defined subset of privileged users."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_prm_1","label":"organization-defined actions to be covered by non-repudiation"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-10"},{"name":"sort-id","value":"au-10"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed {{ insert: param, au-10_prm_1 }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"au-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-10_obj.1","name":"objective","props":[{"name":"label","value":"AU-10[1]"}],"prose":"the organization defines actions to be covered by non-repudiation; and"},{"id":"au-10_obj.2","name":"objective","props":[{"name":"label","value":"AU-10[2]"}],"prose":"the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing non-repudiation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing non-repudiation capability"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide \/ Time-correlated Audit Trail","params":[{"id":"au-12.1_prm_1","label":"organization-defined information system components"},{"id":"au-12.1_prm_2","label":"organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail"}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"sort-id","value":"au-12.01"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"The information system compiles audit records from {{ insert: param, au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.1_prm_2 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.","links":[{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-12.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(1)[1]"}],"prose":"the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;"},{"id":"au-12.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(1)[2]"}],"prose":"the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; and"},{"id":"au-12.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-12(1)[3]"}],"prose":"the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.3_prm_1","label":"organization-defined individuals or roles"},{"id":"au-12.3_prm_2","label":"organization-defined information system components"},{"id":"au-12.3_prm_3","label":"organization-defined selectable event criteria"},{"id":"au-12.3_prm_4","label":"organization-defined time thresholds"}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"sort-id","value":"au-12.03"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"The information system provides the capability for {{ insert: param, au-12.3_prm_1 }} to change the auditing to be performed on {{ insert: param, au-12.3_prm_2 }} based on {{ insert: param, au-12.3_prm_3 }} within {{ insert: param, au-12.3_prm_4 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.","links":[{"href":"#au-7","rel":"related"}]},{"id":"au-12.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(3)[1]"}],"prose":"the organization defines information system components on which auditing is to be performed;"},{"id":"au-12.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(3)[2]"}],"prose":"the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;"},{"id":"au-12.3_obj.3","name":"objective","props":[{"name":"label","value":"AU-12(3)[3]"}],"prose":"the organization defines time thresholds within which organization-defined individuals or roles can change the auditing to be performed on organization-defined information system components;"},{"id":"au-12.3_obj.4","name":"objective","props":[{"name":"label","value":"AU-12(3)[4]"}],"prose":"the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; and"},{"id":"au-12.3_obj.5","name":"objective","props":[{"name":"label","value":"AU-12(3)[5]"}],"prose":"the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","params":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-2.1_prm_1 }} to conduct security control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and\/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-2.2_prm_1","label":"organization-defined frequency"},{"id":"ca-2.2_prm_2","select":{"choice":["announced","unannounced"]}},{"id":"ca-2.2_prm_3","select":{"how-many":"one-or-more","choice":["in-depth monitoring","vulnerability scanning","malicious user testing","insider threat assessment","performance\/load testing"," {{ insert: param, ca-2.2_prm_4 }} "]}},{"id":"ca-2.2_prm_4","depends-on":"ca-2.2_prm_3","label":"organization-defined other forms of security assessment"}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"sort-id","value":"ca-02.02"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"The organization includes as part of security control assessments, {{ insert: param, ca-2.2_prm_1 }}, {{ insert: param, ca-2.2_prm_2 }}, {{ insert: param, ca-2.2_prm_3 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.","links":[{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ca-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(2)[1]"}],"prose":"selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:","parts":[{"id":"ca-2.2_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][a]"}],"prose":"in-depth monitoring;"},{"id":"ca-2.2_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][b]"}],"prose":"vulnerability scanning;"},{"id":"ca-2.2_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][c]"}],"prose":"malicious user testing;"},{"id":"ca-2.2_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][d]"}],"prose":"insider threat assessment;"},{"id":"ca-2.2_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][e]"}],"prose":"performance\/load testing; and\/or"},{"id":"ca-2.2_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][f]"}],"prose":"other forms of organization-defined specialized security assessment;"}]},{"id":"ca-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(2)[2]"}],"prose":"defines the frequency for conducting the selected form(s) of specialized security assessment;"},{"id":"ca-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(2)[3]"}],"prose":"defines whether the specialized security assessment will be announced or unannounced; and"},{"id":"ca-2.2_obj.4","name":"objective","props":[{"name":"label","value":"CA-2(2)[4]"}],"prose":"conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security control assessment"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}],"controls":[{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","params":[{"id":"ca-3.5_prm_1","select":{"choice":["allow-all, deny-by-exception","deny-all, permit-by-exception"]}},{"id":"ca-3.5_prm_2","label":"organization-defined information systems"}],"props":[{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing {{ insert: param, ca-3.5_prm_2 }} to connect to external information systems."},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.5_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information systems;"},{"id":"ca-3.5_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","params":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-8_prm_1","label":"organization-defined frequency"},{"id":"ca-8_prm_2","label":"organization-defined information systems or system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-8"},{"name":"sort-id","value":"ca-08"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"The organization conducts penetration testing {{ insert: param, ca-8_prm_1 }} on {{ insert: param, ca-8_prm_2 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and\/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses\/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.","links":[{"href":"#sa-12","rel":"related"}]},{"id":"ca-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-8_obj.1","name":"objective","props":[{"name":"label","value":"CA-8[1]"}],"prose":"defines information systems or system components on which penetration testing is to be conducted;"},{"id":"ca-8_obj.2","name":"objective","props":[{"name":"label","value":"CA-8[2]"}],"prose":"defines the frequency to conduct penetration testing on organization-defined information systems or system components; and"},{"id":"ca-8_obj.3","name":"objective","props":[{"name":"label","value":"CA-8[3]"}],"prose":"conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities, system\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting penetration testing"}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency"},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances"}],"props":[{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information system:","parts":[{"id":"cm-2.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ insert: param, cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and upgrades."}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp"}]},{"id":"cm-2.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp"}]},{"id":"cm-2.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline configuration"}]}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy \/ Currency","props":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"cm-02.02"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and\/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.","links":[{"href":"#cm-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain:","parts":[{"id":"cm-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(2)[1]"}],"prose":"an up-to-date baseline configuration of the information system;"},{"id":"cm-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(2)[2]"}],"prose":"a complete baseline configuration of the information system;"},{"id":"cm-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(2)[3]"}],"prose":"an accurate baseline configuration of the information system; and"},{"id":"cm-2.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-2(2)[4]"}],"prose":"a readily available baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nconfiguration change control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the information system"}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ insert: param, cm-2.3_prm_1 }} to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of the information system to support rollback."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","params":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Applies {{ insert: param, cm-2.7_prm_3 }} to the devices when the individuals return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging\/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp"}]},{"id":"cm-2.7.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee, board)"},{"id":"cm-3_prm_3","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-3_prm_4 }} "," {{ insert: param, cm-3_prm_5 }} "]}},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for {{ insert: param, cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to the information system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities through {{ insert: param, cm-3_prm_2 }} that convenes {{ insert: param, cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled\/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information system;"},{"id":"cm-3.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to the information system;"},{"id":"cm-3.g_obj","name":"objective","props":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;"},{"id":"cm-3.g_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must convene; and\/or"},{"id":"cm-3.g_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","props":[{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and\/or for any organization-defined configuration change conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda \/minutes from configuration change control oversight meetings\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Document \/ Notification \/ Prohibition of Changes","params":[{"id":"cm-3.1_prm_1","label":"organized-defined approval authorities"},{"id":"cm-3.1_prm_2","label":"organization-defined time period"},{"id":"cm-3.1_prm_3","label":"organization-defined personnel"}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"sort-id","value":"cm-03.01"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"The organization employs automated mechanisms to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the information system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-3.1_prm_1 }} of proposed changes to the information system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the information system that have not been approved or disapproved by {{ insert: param, cm-3.1_prm_2 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the information system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the information system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-3.1_prm_3 }} when approved changes to the information system are completed."}]},{"id":"cm-3.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(a)"}],"prose":"employs automated mechanisms to document proposed changes to the information system;","links":[{"href":"#cm-3.1_smt.a","rel":"corresp"}]},{"id":"cm-3.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)"}],"parts":[{"id":"cm-3.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)[1]"}],"prose":"defines approval authorities to be notified of proposed changes to the information system and request change approval;"},{"id":"cm-3.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)[2]"}],"prose":"employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;"}],"links":[{"href":"#cm-3.1_smt.b","rel":"corresp"}]},{"id":"cm-3.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)"}],"parts":[{"id":"cm-3.1.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)[1]"}],"prose":"defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;"},{"id":"cm-3.1.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)[2]"}],"prose":"employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by organization-defined time period;"}],"links":[{"href":"#cm-3.1_smt.c","rel":"corresp"}]},{"id":"cm-3.1.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(d)"}],"prose":"employs automated mechanisms to prohibit changes to the information system until designated approvals are received;","links":[{"href":"#cm-3.1_smt.d","rel":"corresp"}]},{"id":"cm-3.1.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(e)"}],"prose":"employs automated mechanisms to document all changes to the information system;","links":[{"href":"#cm-3.1_smt.e","rel":"corresp"}]},{"id":"cm-3.1.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)"}],"parts":[{"id":"cm-3.1.f_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)[1]"}],"prose":"defines personnel to be notified when approved changes to the information system are completed; and"},{"id":"cm-3.1.f_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed."}],"links":[{"href":"#cm-3.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\nautomated configuration control mechanisms\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nchange approval requests\n\nchange approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Test \/ Validate \/ Document Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"cm-03.02"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals\/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities\/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems)."},{"id":"cm-3.2_obj","name":"objective","prose":"Determine if the organization, before implementing changes on the operational system:","parts":[{"id":"cm-3.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(2)[1]"}],"prose":"tests changes to the information system;"},{"id":"cm-3.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(2)[2]"}],"prose":"validates changes to the information system; and"},{"id":"cm-3.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(2)[3]"}],"prose":"documents changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system configuration change control\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms supporting and\/or implementing testing, validating, and documenting information system changes"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"sort-id","value":"cm-04.01"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).","links":[{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-4.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-4.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-4(1)[1]"}],"prose":"analyzes changes to the information system in a separate test environment before implementation in an operational environment;"},{"id":"cm-4.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-4(1)[2]"}],"prose":"when analyzing changes to the information system in a separate test environment, looks for security impacts due to:","parts":[{"id":"cm-4.1_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][a]"}],"prose":"flaws;"},{"id":"cm-4.1_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][b]"}],"prose":"weaknesses;"},{"id":"cm-4.1_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][c]"}],"prose":"incompatibility; and"},{"id":"cm-4.1_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][d]"}],"prose":"intentional malice."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs information system design documentation\n\ninformation system architecture and configuration documentation\n\nchange control records\n\ninformation system audit records\n\ndocumentation evidence of separate test and operational environments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis\n\nautomated mechanisms supporting and\/or implementing security impact analysis of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and\/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","props":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.2","name":"objective","props":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.3","name":"objective","props":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.4","name":"objective","props":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.5","name":"objective","props":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.6","name":"objective","props":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.7","name":"objective","props":[{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information system; and"},{"id":"cm-5_obj.8","name":"objective","props":[{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing\/enforcing access restrictions associated with changes to the information system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement \/ Auditing","props":[{"name":"label","value":"CM-5(1)"},{"name":"sort-id","value":"cm-05.01"}],"parts":[{"id":"cm-5.1_smt","name":"statement","prose":"The information system enforces access restrictions and supports auditing of the enforcement actions."},{"id":"cm-5.1_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"cm-5.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"cm-5.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(1)[1]"}],"prose":"enforces access restrictions for change; and"},{"id":"cm-5.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(1)[2]"}],"prose":"supports auditing of the enforcement actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing enforcement of access restrictions for changes to the information system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.2","class":"SP800-53-enhancement","title":"Review System Changes","params":[{"id":"cm-5.2_prm_1","label":"organization-defined frequency"},{"id":"cm-5.2_prm_2","label":"organization-defined circumstances"}],"props":[{"name":"label","value":"CM-5(2)"},{"name":"sort-id","value":"cm-05.02"}],"parts":[{"id":"cm-5.2_smt","name":"statement","prose":"The organization reviews information system changes {{ insert: param, cm-5.2_prm_1 }} and {{ insert: param, cm-5.2_prm_2 }} to determine whether unauthorized changes have occurred."},{"id":"cm-5.2_gdn","name":"guidance","prose":"Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.","links":[{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-8","rel":"related"}]},{"id":"cm-5.2_obj","name":"objective","prose":"Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:","parts":[{"id":"cm-5.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(2)[1]"}],"prose":"defines the frequency to review information system changes;"},{"id":"cm-5.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(2)[2]"}],"prose":"defines circumstances that warrant review of information system changes;"},{"id":"cm-5.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-5(2)[3]"}],"prose":"reviews information system changes with the organization-defined frequency; and"},{"id":"cm-5.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-5(2)[4]"}],"prose":"reviews information system changes with the organization-defined circumstances."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\nsecurity plan\n\nreviews of information system changes\n\naudit and review reports\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing information system reviews to determine whether unauthorized changes have occurred"}]}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","params":[{"id":"cm-5.3_prm_1","label":"organization-defined software and firmware components"}],"props":[{"name":"label","value":"CM-5(3)"},{"name":"sort-id","value":"cm-05.03"}],"parts":[{"id":"cm-5.3_smt","name":"statement","prose":"The information system prevents the installation of {{ insert: param, cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."},{"id":"cm-5.3_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-5.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-5.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(3)[1]"}],"prose":"the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and"},{"id":"cm-5.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(3)[2]"}],"prose":"the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\nsecurity plan\n\nlist of software and firmware components to be prohibited from installation without a recognized and approved certificate\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Central Management \/ Application \/ Verification","params":[{"id":"cm-6.1_prm_1","label":"organization-defined information system components"}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"sort-id","value":"cm-06.01"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for {{ insert: param, cm-6.1_prm_1 }}."},{"id":"cm-6.1_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"}]},{"id":"cm-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(1)[1]"}],"prose":"defines information system components for which automated mechanisms are to be employed to:","parts":[{"id":"cm-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][a]"}],"prose":"centrally manage configuration settings of such components;"},{"id":"cm-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][b]"}],"prose":"apply configuration settings of such components;"},{"id":"cm-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][c]"}],"prose":"verify configuration settings of such components;"}]},{"id":"cm-6.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(1)[2]"}],"prose":"employs automated mechanisms to:","parts":[{"id":"cm-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][a]"}],"prose":"centrally manage configuration settings for organization-defined information system components;"},{"id":"cm-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][b]"}],"prose":"apply configuration settings for organization-defined information system components; and"},{"id":"cm-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][c]"}],"prose":"verify configuration settings for organization-defined information system components."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to centrally manage, apply, and verify information system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-6.2_prm_1","label":"organization-defined security safeguards"},{"id":"cm-6.2_prm_2","label":"organization-defined configuration settings"}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"sort-id","value":"cm-06.02"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"The organization employs {{ insert: param, cm-6.2_prm_1 }} to respond to unauthorized changes to {{ insert: param, cm-6.2_prm_2 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.","links":[{"href":"#ir-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(2)[1]"}],"prose":"defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;"},{"id":"cm-6.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(2)[2]"}],"prose":"defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and"},{"id":"cm-6.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(2)[3]"}],"prose":"employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to information system configuration settings\n\ndocumented responses to unauthorized changes to information system configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for responding to unauthorized changes to information system configuration settings\n\nautomated mechanisms supporting and\/or implementing security safeguards for response to unauthorized changes"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and\/or nonsecure"}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disables {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp"}]},{"id":"cm-7.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing\/disabling nonsecure functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-7.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-7.2_prm_2 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and restrictions"}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ insert: param, cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions; and\/or"},{"id":"cm-7.2_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software \/ Whitelisting","params":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the information system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"cm-07.05"}],"parts":[{"id":"cm-7.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ insert: param, cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of authorized software programs {{ insert: param, cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-7.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.5.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(a)"}],"prose":"Identifies\/defines software programs authorized to execute on the information system;","links":[{"href":"#cm-7.5_smt.a","rel":"corresp"}]},{"id":"cm-7.5.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(b)"}],"prose":"employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;","links":[{"href":"#cm-7.5_smt.b","rel":"corresp"}]},{"id":"cm-7.5.c_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)"}],"parts":[{"id":"cm-7.5.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)[1]"}],"prose":"defines the frequency to review and update the list of authorized software programs on the information system; and"},{"id":"cm-7.5.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)[2]"}],"prose":"reviews and updates the list of authorized software programs with the organization-defined frequency."}],"links":[{"href":"#cm-7.5_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the information system\n\norganizational process for implementing whitelisting\n\nautomated mechanisms implementing whitelisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations \/ Removals","props":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system components\n\nautomated mechanisms implementing updating of the information system component inventory"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","props":[{"name":"label","value":"CM-8(2)"},{"name":"sort-id","value":"cm-08.02"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.","links":[{"href":"#si-7","rel":"related"}]},{"id":"cm-8.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:","parts":[{"id":"cm-8.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(2)[1]"}],"prose":"up-to-date;"},{"id":"cm-8.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(2)[2]"}],"prose":"complete;"},{"id":"cm-8.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(2)[3]"}],"prose":"accurate; and"},{"id":"cm-8.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-8(2)[4]"}],"prose":"readily available."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system component inventory\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nchange control records\n\ninformation system maintenance records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency"},{"id":"cm-8.3_prm_2","select":{"how-many":"one-or-more","choice":["disables network access by such components","isolates the components","notifies {{ insert: param, cm-8.3_prm_3 }} "]}},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components within the information system; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ insert: param, cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp"}]},{"id":"cm-8.3.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and\/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts\/notifications of unauthorized components within the information system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system components\n\nautomated mechanisms implementing the detection of unauthorized information system components"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-8.4_prm_1","select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"sort-id","value":"cm-08.04"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"The organization includes in the information system component inventory information, a means for identifying by {{ insert: param, cm-8.4_prm_1 }}, individuals responsible\/accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach\/compromise, component needs to be recalled\/replaced, or component needs to be relocated)."},{"id":"cm-8.4_obj","name":"objective","prose":"Determine if the organization includes in the information system component inventory for information system components, a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:","parts":[{"id":"cm-8.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(4)[1]"}],"prose":"name;"},{"id":"cm-8.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(4)[2]"}],"prose":"position; and\/or"},{"id":"cm-8.4_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(4)[3]"}],"prose":"role."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","prose":"Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development\/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sa-10","rel":"related"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","props":[{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","props":[{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","props":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","props":[{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"sort-id","value":"cp-02.02"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions\/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning."},{"id":"cp-2.2_obj","name":"objective","prose":"Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:","parts":[{"id":"cp-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(2)[1]"}],"prose":"information processing;"},{"id":"cp-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(2)[2]"}],"prose":"telecommunications; and"},{"id":"cp-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(2)[3]"}],"prose":"environmental support."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\ncapacity planning documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions \/ Business Functions","params":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business functions within {{ insert: param, cp-2.3_prm_1 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.4","class":"SP800-53-enhancement","title":"Resume All Missions \/ Business Functions","params":[{"id":"cp-2.4_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(4)"},{"name":"sort-id","value":"cp-02.04"}],"parts":[{"id":"cp-2.4_smt","name":"statement","prose":"The organization plans for the resumption of all missions and business functions within {{ insert: param, cp-2.4_prm_1 }} of contingency plan activation."},{"id":"cp-2.4_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.4_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(4)[1]"}],"prose":"defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.4_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(4)[2]"}],"prose":"plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Essential Missions \/ Business Functions","props":[{"name":"label","value":"CP-2(5)"},{"name":"sort-id","value":"cp-02.05"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.5_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(5)[1]"}],"prose":"plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and"},{"id":"cp-2.5_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(5)[2]"}],"prose":"sustains that operational continuity until full information system restoration at primary processing and\/or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","props":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions\/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and\/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.","links":[{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"cp-2.8_obj","name":"objective","prose":"Determine if the organization identifies critical information system assets supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"sort-id","value":"cp-03.01"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_obj","name":"objective","prose":"Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training\n\nautomated mechanisms for simulating contingency events"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}]},{"id":"cp-4.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"sort-id","value":"cp-04.02"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"The organization tests the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","links":[{"href":"#cp-7","rel":"related"}]},{"id":"cp-4.2_obj","name":"objective","prose":"Determine if the organization tests the contingency plan at the alternate processing site to:","parts":[{"id":"cp-4.2.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(2)(a)"}],"prose":"familiarize contingency personnel with the facility and available resources; and","links":[{"href":"#cp-4.2_smt.a","rel":"corresp"}]},{"id":"cp-4.2.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(2)(b)"}],"prose":"evaluate the capabilities of the alternate processing site to support contingency operations.","links":[{"href":"#cp-4.2_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery\/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6_obj.1","name":"objective","props":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","props":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup information at the alternate storage site\n\nautomated mechanisms supporting and\/or implementing storage and retrieval of information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time \/ Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"sort-id","value":"cp-06.02"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_obj","name":"objective","prose":"Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting recovery time\/point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} for essential missions\/business functions within {{ insert: param, cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer\/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.a_obj","name":"objective","props":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer\/resumption of organization-defined information system operations for essential missions\/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions\/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","props":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","props":[{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","prose":"Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"sort-id","value":"cp-07.04"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"cp-7.4_obj","name":"objective","prose":"Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of {{ insert: param, cp-8_prm_1 }} for essential missions and business functions within {{ insert: param, cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions\/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary\/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits\/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8_obj.1","name":"objective","props":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","props":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","props":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission\/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary \/ Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"sort-id","value":"cp-08.03"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber\/physical attacks, and errors of omission\/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"sort-id","value":"cp-08.04"}],"parts":[{"id":"cp-8.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Requires primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtains evidence of contingency testing\/training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.4.a_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)"}],"parts":[{"id":"cp-8.4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)[1]"}],"prose":"requires primary telecommunications service provider to have contingency plans;"},{"id":"cp-8.4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)[2]"}],"prose":"requires alternate telecommunications service provider(s) to have contingency plans;"}],"links":[{"href":"#cp-8.4_smt.a","rel":"corresp"}]},{"id":"cp-8.4.b_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(b)"}],"prose":"reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;","links":[{"href":"#cp-8.4_smt.b","rel":"corresp"}]},{"id":"cp-8.4.c_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)"}],"parts":[{"id":"cp-8.4.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)[1]"}],"prose":"defines the frequency to obtain evidence of contingency testing\/training by providers; and"},{"id":"cp-8.4.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)[2]"}],"prose":"obtains evidence of contingency testing\/training by providers with the organization-defined frequency."}],"links":[{"href":"#cp-8.4_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability \/ Integrity","params":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify media reliability and information integrity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"sort-id","value":"cp-09.02"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.2_obj","name":"objective","prose":"Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-9.3_prm_1","label":"organization-defined critical information system software and other security-related information"}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"sort-id","value":"cp-09.03"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"The organization stores backup copies of {{ insert: param, cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection\/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-8","rel":"related"}]},{"id":"cp-9.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(3)[1]"}],"parts":[{"id":"cp-9.3_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-9(3)[1][a]"}],"prose":"defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or"},{"id":"cp-9.3_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-9(3)[1][b]"}],"prose":"defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and"}]},{"id":"cp-9.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(3)[2]"}],"prose":"stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup configurations and associated documentation\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"sort-id","value":"cp-09.05"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"The organization transfers information system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media."},{"id":"cp-9.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.5_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(5)[1]"}],"prose":"defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;"},{"id":"cp-9.5_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(5)[2]"}],"prose":"defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site; and"},{"id":"cp-9.5_obj.3","name":"objective","props":[{"name":"label","value":"CP-9(5)[3]"}],"prose":"transfers information system backup information to the alternate storage site with the organization-defined time period and transfer rate."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for transferring information system backups to the alternate storage site\n\nautomated mechanisms supporting and\/or implementing information system backups\n\nautomated mechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"objective","prose":"Determine if the information system implements transaction recovery for systems that are transaction-based."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.4_prm_1","label":"organization-defined restoration time-periods"}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"sort-id","value":"cp-10.04"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"The organization provides the capability to restore information system components within {{ insert: param, cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of information system components includes, for example, reimaging which restores components to known, operational states.","links":[{"href":"#cm-2","rel":"related"}]},{"id":"cp-10.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-10.4_obj.1","name":"objective","props":[{"name":"label","value":"CP-10(4)[1]"}],"prose":"defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; and"},{"id":"cp-10.4_obj.2","name":"objective","props":[{"name":"label","value":"CP-10(4)[2]"}],"prose":"provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of information system recovery and reconstitution operations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing recovery\/reconstitution of information system information"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.3_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.4","class":"SP800-53-enhancement","title":"Local Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(4)"},{"name":"sort-id","value":"ia-02.04"}],"parts":[{"id":"ia-2.4_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to non-privileged accounts."},{"id":"ia-2.4_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.9","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(9)"},{"name":"sort-id","value":"ia-02.09"}],"parts":[{"id":"ia-2.9_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."},{"id":"ia-2.9_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording\/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.9_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","params":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements"}],"props":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {{ insert: param, ia-2.11_prm_1 }}."},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged\/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-2.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","props":[{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;"},{"id":"ia-2.11_obj.4","name":"objective","props":[{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;"},{"id":"ia-2.11_obj.5","name":"objective","props":[{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","props":[{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-3_prm_1","label":"organization-defined specific and\/or types of devices"},{"id":"ia-3_prm_2","select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ insert: param, ia-3_prm_1 }} before establishing a {{ insert: param, ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type\/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify\/authenticate devices on local and\/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-3_obj.1","name":"objective","props":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and\/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","props":[{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing device identification and authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group; and"},{"id":"ia-5.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication:","parts":[{"id":"ia-5.2.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp"}]},{"id":"ia-5.2.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp"}]},{"id":"ia-5.2.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group; and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp"}]},{"id":"ia-5.2.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","params":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and\/or specific authenticators"},{"id":"ia-5.3_prm_2","select":{"choice":["in person","by a trusted third party"]}},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ insert: param, ia-5.3_prm_1 }} be conducted {{ insert: param, ia-5.3_prm_2 }} before {{ insert: param, ia-5.3_prm_3 }} with authorization by {{ insert: param, ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-5.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and\/or specific authenticators to be received in person or by a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process for receipt of organization-defined types of and\/or specific authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of and\/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"sort-id","value":"ir-02.01"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."},{"id":"ir-2.1_obj","name":"objective","prose":"Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","props":[{"name":"label","value":"IR-2(2)"},{"name":"sort-id","value":"ir-02.02"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."},{"id":"ir-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system {{ insert: param, ir-3_prm_1 }} using {{ insert: param, ir-3_prm_2 }} to determine the incident response effectiveness and documents the results."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel\/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-3_obj.1","name":"objective","props":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the information system;"},{"id":"ir-3_obj.2","name":"objective","props":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information system; and"},{"id":"ir-3_obj.3","name":"objective","props":[{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","prose":"Determine if the organization coordinates incident response testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","props":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example, online incident management systems."},{"id":"ir-4.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the incident handling process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"sort-id","value":"ir-04.04"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"objective","prose":"Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nsecurity plan\n\nautomated mechanisms supporting incident and event correlation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nautomated mechanisms that support and or implement correlation of incident response information with individual incident responses"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking \/ Data Collection \/ Analysis","props":[{"name":"label","value":"IR-5(1)"},{"name":"sort-id","value":"ir-05.01"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking security incidents and collecting\/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.","links":[{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"ir-5.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in:","parts":[{"id":"ir-5.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-5(1)[1]"}],"prose":"the tracking of security incidents;"},{"id":"ir-5.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-5(1)[2]"}],"prose":"the collection of incident information; and"},{"id":"ir-5.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-5(1)[3]"}],"prose":"the analysis of incident information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nautomated mechanisms supporting incident monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","props":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related"}]},{"id":"ir-6.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in the reporting of security incidents."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing reporting of security incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information \/ Support","props":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and\/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","props":[{"name":"label","value":"MA-2(2)"},{"name":"sort-id","value":"ma-02.02"}],"parts":[{"id":"ma-2.2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related"},{"href":"#ma-3","rel":"related"}]},{"id":"ma-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)"}],"prose":"employs automated mechanisms to:","parts":[{"id":"ma-2.2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[1]"}],"prose":"schedule maintenance and repairs;"},{"id":"ma-2.2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[2]"}],"prose":"conduct maintenance and repairs;"},{"id":"ma-2.2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[3]"}],"prose":"document maintenance and repairs;"}],"links":[{"href":"#ma-2.2_smt.a","rel":"corresp"}]},{"id":"ma-2.2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)"}],"prose":"produces up-to-date, accurate, and complete records of all maintenance and repair actions:","parts":[{"id":"ma-2.2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[1]"}],"prose":"requested;"},{"id":"ma-2.2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[2]"}],"prose":"scheduled;"},{"id":"ma-2.2.b_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[3]"}],"prose":"in process; and"},{"id":"ma-2.2.b_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[4]"}],"prose":"completed."}],"links":[{"href":"#ma-2.2_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nautomated mechanisms supporting information system maintenance activities\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","props":[{"name":"priority","value":"P3"},{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware\/software diagnostic test equipment and hardware\/software packet sniffers. This control does not cover hardware\/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-3_obj.1","name":"objective","props":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","props":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","props":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nautomated mechanisms supporting and\/or implementing approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper\/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.","links":[{"href":"#si-7","rel":"related"}]},{"id":"ma-3.1_obj","name":"objective","prose":"Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and\/or implementing inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.","links":[{"href":"#si-3","rel":"related"}]},{"id":"ma-3.2_obj","name":"objective","prose":"Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and\/or implementing inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"ma-03.03"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"objective","prose":"Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3.a_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(a)"}],"prose":"verifying that there is no organizational information contained on the equipment;","links":[{"href":"#ma-3.3_smt.a","rel":"corresp"}]},{"id":"ma-3.3.b_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(b)"}],"prose":"sanitizing or destroying the equipment;","links":[{"href":"#ma-3.3_smt.b","rel":"corresp"}]},{"id":"ma-3.3.c_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(c)"}],"prose":"retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"corresp"}]},{"id":"ma-3.3.d_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)"}],"parts":[{"id":"ma-3.3.d_obj.1","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)[1]"}],"prose":"defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and"},{"id":"ma-3.3.d_obj.2","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)[2]"}],"prose":"obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility."}],"links":[{"href":"#ma-3.3_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for preventing unauthorized removal of information\n\nautomated mechanisms supporting media sanitization or destruction of equipment\n\nautomated mechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information system:","parts":[{"id":"ma-4.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and diagnostic connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security \/ Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"sort-id","value":"ma-04.03"}],"parts":[{"id":"ma-4.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.","links":[{"href":"#ma-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ma-4.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.3.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(3)(a)"}],"prose":"requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or","links":[{"href":"#ma-4.3_smt.a","rel":"corresp"}]},{"id":"ma-4.3.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)"}],"parts":[{"id":"ma-4.3.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[1]"}],"prose":"removes the component to be serviced from the information system;"},{"id":"ma-4.3.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[2]"}],"prose":"sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and\/or before removal from organizational facilities; and"},{"id":"ma-4.3.b_obj.3","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[3]"}],"prose":"inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system."}],"links":[{"href":"#ma-4.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\ninformation system maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nautomated mechanisms supporting and\/or implementing component sanitization and inspection"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","props":[{"name":"label","value":"MA-5(1)"},{"name":"sort-id","value":"ma-05.01"}],"parts":[{"id":"ma-5.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems.","links":[{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ma-5.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.1.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)"}],"prose":"implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)"}],"prose":"maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:","parts":[{"id":"ma-5.1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[1]"}],"prose":"are fully cleared;"},{"id":"ma-5.1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[2]"}],"prose":"have appropriate access authorizations;"},{"id":"ma-5.1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[3]"}],"prose":"are technically qualified;"}],"links":[{"href":"#ma-5.1_smt.a.1","rel":"corresp"}]},{"id":"ma-5.1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)"}],"prose":"prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:","parts":[{"id":"ma-5.1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[1]"}],"prose":"all volatile information storage components within the information system are sanitized; and"},{"id":"ma-5.1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[2]"}],"prose":"all nonvolatile storage media are removed; or"},{"id":"ma-5.1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[3]"}],"prose":"all nonvolatile storage media are physically disconnected from the system and secured; and"}],"links":[{"href":"#ma-5.1_smt.a.2","rel":"corresp"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"corresp"}]},{"id":"ma-5.1.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(b)"}],"prose":"develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.","links":[{"href":"#ma-5.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\ninformation system media protection policy\n\nphysical and environmental protection policy\n\nsecurity plan\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nautomated mechanisms supporting and\/or implementing alternative security safeguards\n\nautomated mechanisms supporting and\/or implementing information storage component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and\/or spare parts for {{ insert: param, ma-6_prm_1 }} within {{ insert: param, ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-6_obj.1","name":"objective","props":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and\/or spare parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","props":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and\/or spare parts are to be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","props":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and\/or"},{"id":"ma-6_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components within the organization-defined time period of failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempts {{ insert: param, mp-3_prm_1 }} from marking as long as the media remain within {{ insert: param, mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application\/use of human-readable security attributes. The term security labeling refers to the application\/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-3.a_obj","name":"objective","props":[{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","props":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\n\nautomated mechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and\/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and\/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.","links":[{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-4.a_obj","name":"objective","props":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and\/or non-digital media to be physically controlled and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store organization-defined types of digital and\/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and\/or non-digital media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","props":[{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and\/or non-digital media within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","props":[{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media"},{"id":"mp-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and\/or procedural safeguards to meet the requirements established for protecting information and\/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and\/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-5.a_obj","name":"objective","props":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","props":[{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5.c_obj","name":"objective","props":[{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media; and"},{"id":"mp-5.d_obj","name":"objective","props":[{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to authorized personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external\/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).","links":[{"href":"#mp-2","rel":"related"}]},{"id":"mp-5.4_obj","name":"objective","prose":"Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review \/ Approve \/ Track \/ Document \/ Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"sort-id","value":"mp-06.01"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking\/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.","links":[{"href":"#si-12","rel":"related"}]},{"id":"mp-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(1)[1]"}],"prose":"reviews media sanitization and disposal actions;"},{"id":"mp-6.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(1)[2]"}],"prose":"approves media sanitization and disposal actions;"},{"id":"mp-6.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(1)[3]"}],"prose":"tracks media sanitization and disposal actions;"},{"id":"mp-6.1_obj.4","name":"objective","props":[{"name":"label","value":"MP-6(1)[4]"}],"prose":"documents media sanitization and disposal actions; and"},{"id":"mp-6.1_obj.5","name":"objective","props":[{"name":"label","value":"MP-6(1)[5]"}],"prose":"verifies media sanitization and disposal actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization and disposal responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"sort-id","value":"mp-06.02"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"The organization tests sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers)."},{"id":"mp-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(2)[1]"}],"prose":"defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and"},{"id":"mp-6.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(2)[2]"}],"prose":"tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-6.3_prm_1","label":"organization-defined circumstances requiring sanitization of portable storage devices"}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"sort-id","value":"mp-06.03"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: {{ insert: param, mp-6.3_prm_1 }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.","links":[{"href":"#si-3","rel":"related"}]},{"id":"mp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(3)[1]"}],"prose":"defines circumstances requiring sanitization of portable storage devices; and"},{"id":"mp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(3)[2]"}],"prose":"applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related"}]},{"id":"mp-7.1_obj","name":"objective","prose":"Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"Information System Access","params":[{"id":"pe-3.1_prm_1","label":"organization-defined physical spaces containing one or more components of the information system"}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"sort-id","value":"pe-03.01"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at {{ insert: param, pe-3.1_prm_1 }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).","links":[{"href":"#ps-2","rel":"related"}]},{"id":"pe-3.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(1)[1]"}],"prose":"defines physical spaces containing one or more components of the information system; and"},{"id":"pe-3.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(1)[2]"}],"prose":"enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\ninformation system entry and exit points\n\nlist of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control to the information system\/components\n\nautomated mechanisms supporting and\/or implementing physical access control for facility areas containing information system components"}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","params":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ insert: param, pe-4_prm_1 }} within organizational facilities using {{ insert: param, pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and\/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-4_obj.1","name":"objective","props":[{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical access controls;"},{"id":"pe-4_obj.2","name":"objective","props":[{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","props":[{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution and transmission lines\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nautomated mechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}]},{"id":"pe-5_obj","name":"objective","prose":"Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\n\nautomated mechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms \/ Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_obj","name":"objective","prose":"Determine if the organization monitors physical intrusion alarms and surveillance equipment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Information Systems","params":[{"id":"pe-6.4_prm_1","label":"organization-defined physical spaces containing one or more components of the information system"}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"sort-id","value":"pe-06.04"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as {{ insert: param, pe-6.4_prm_1 }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers).","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-6.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.4_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(4)[1]"}],"prose":"defines physical spaces containing one or more components of the information system; and"},{"id":"pe-6.4_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(4)[2]"}],"prose":"monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access to the information system\n\nautomated mechanisms supporting and\/or implementing physical access monitoring for facility areas containing information system components"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance \/ Review","props":[{"name":"label","value":"PE-8(1)"},{"name":"sort-id","value":"pe-08.01"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."},{"id":"pe-8.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related"}]},{"id":"pe-9_obj","name":"objective","prose":"Determine if the organization protects power equipment and power cabling for the information system from damage and destruction."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ insert: param, pe-10_prm_1 }} to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#pe-15","rel":"related"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-10.a_obj","name":"objective","props":[{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","props":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","props":[{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from unauthorized activation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_prm_1","select":{"how-many":"one-or-more","choice":["an orderly shutdown of the information system","transition of the information system to long-term alternate power"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate {{ insert: param, pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-11_obj","name":"objective","prose":"Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:","parts":[{"id":"pe-11_obj.1","name":"objective","props":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and\/or"},{"id":"pe-11_obj.2","name":"objective","props":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Long-term Alternate Power Supply - Minimal Operational Capability","props":[{"name":"label","value":"PE-11(1)"},{"name":"sort-id","value":"pe-11.01"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated."},{"id":"pe-11.1_obj","name":"objective","prose":"Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Devices \/ Systems","params":[{"id":"pe-13.1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.1_prm_2","label":"organization-defined emergency responders"}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"sort-id","value":"pe-13.01"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"The organization employs fire detection devices\/systems for the information system that activate automatically and notify {{ insert: param, pe-13.1_prm_1 }} and {{ insert: param, pe-13.1_prm_2 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and\/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information."},{"id":"pe-13.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-13(1)[1]"}],"prose":"defines personnel or roles to be notified in the event of a fire;"},{"id":"pe-13.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-13(1)[2]"}],"prose":"defines emergency responders to be notified in the event of a fire;"},{"id":"pe-13.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-13(1)[3]"}],"prose":"employs fire detection devices\/systems for the information system that, in the event of a fire,:","parts":[{"id":"pe-13.1_obj.3.a","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][a]"}],"prose":"activate automatically;"},{"id":"pe-13.1_obj.3.b","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][b]"}],"prose":"notify organization-defined personnel or roles; and"},{"id":"pe-13.1_obj.3.c","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][c]"}],"prose":"notify organization-defined emergency responders."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Devices \/ Systems","params":[{"id":"pe-13.2_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.2_prm_2","label":"organization-defined emergency responders"}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"sort-id","value":"pe-13.02"}],"parts":[{"id":"pe-13.2_smt","name":"statement","prose":"The organization employs fire suppression devices\/systems for the information system that provide automatic notification of any activation to {{ insert: param, pe-13.2_prm_1 }} and {{ insert: param, pe-13.2_prm_2 }}."},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and\/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information."},{"id":"pe-13.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-13(2)[1]"}],"prose":"defines personnel or roles to be provided automatic notification of any activation of fire suppression devices\/systems for the information system;"},{"id":"pe-13.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-13(2)[2]"}],"prose":"defines emergency responders to be provided automatic notification of any activation of fire suppression devices\/systems for the information system;"},{"id":"pe-13.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-13(2)[3]"}],"prose":"employs fire suppression devices\/systems for the information system that provide automatic notification of any activation to:","parts":[{"id":"pe-13.2_obj.3.a","name":"objective","props":[{"name":"label","value":"PE-13(2)[3][a]"}],"prose":"organization-defined personnel or roles; and"},{"id":"pe-13.2_obj.3.b","name":"objective","props":[{"name":"label","value":"PE-13(2)[3][b]"}],"prose":"organization-defined emergency responders."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","prose":"Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.1_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"sort-id","value":"pe-15.01"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts {{ insert: param, pe-15.1_prm_1 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems."},{"id":"pe-15.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-15.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-15(1)[1]"}],"prose":"defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;"},{"id":"pe-15.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-15(1)[2]"}],"prose":"employs automated mechanisms to detect the presence of water in the vicinity of the information system; and"},{"id":"pe-15.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-15(1)[3]"}],"prose":"alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms detecting presence of water in vicinity of information system\n\nalerts\/notifications of water detection in information system facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing water detection capability and alerts for the information system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-17.a_obj","name":"objective","props":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","props":[{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17.c_obj","name":"objective","props":[{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of Information System Components","params":[{"id":"pe-18_prm_1","label":"organization-defined physical and environmental hazards"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-18"},{"name":"sort-id","value":"pe-18"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"The organization positions information system components within the facility to minimize potential damage from {{ insert: param, pe-18_prm_1 }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).","links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-18_obj.1","name":"objective","props":[{"name":"label","value":"PE-18[1]"}],"prose":"defines physical hazards that could result in potential damage to information system components within the facility;"},{"id":"pe-18_obj.2","name":"objective","props":[{"name":"label","value":"PE-18[2]"}],"prose":"defines environmental hazards that could result in potential damage to information system components within the facility;"},{"id":"pe-18_obj.3","name":"objective","props":[{"name":"label","value":"PE-18[3]"}],"prose":"positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and"},{"id":"pe-18_obj.4","name":"objective","props":[{"name":"label","value":"PE-18[4]"}],"prose":"positions information system components within the facility to minimize the opportunity for unauthorized access."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing positioning of information system components\n\ndocumentation providing the location and position of information system components within the facility\n\nlocations housing information system components within the facility\n\nlist of physical and environmental hazards with potential to damage information system components within the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for positioning information system components\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for positioning information system components"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan \/ Coordinate with Other Organizational Entities","params":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"props":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the information system with {{ insert: param, pl-2.3_prm_1 }} before conducting such activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.3_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and"},{"id":"pl-2.3_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational individuals or groups with whom security-related activities are to be planned and coordinated\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the use of social media\/networking sites and posting organizational information on public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social media\/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media\/networking transactions; and (iii) when personnel are accessing social media\/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and\/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media\/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior:","parts":[{"id":"pl-4.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media\/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","params":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ insert: param, pl-8_prm_1 }} to reflect updates in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements\/acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement\/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today’s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission\/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)\/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product\/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate\/show consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r4","rel":"related"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-8.a_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8.b_obj","name":"objective","props":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security architecture;"},{"id":"pl-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;"}]},{"id":"pl-8.c_obj","name":"objective","props":[{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","props":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements\/acquisitions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security architecture development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information security architecture\n\nautomated mechanisms supporting and\/or implementing the development, review, and update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Notification","params":[{"id":"ps-4.2_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"sort-id","value":"ps-04.02"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"The organization employs automated mechanisms to notify {{ insert: param, ps-4.2_prm_1 }} upon termination of an individual."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites."},{"id":"ps-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-4.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(2)[1]"}],"prose":"defines personnel or roles to be notified upon termination of an individual; and"},{"id":"ps-4.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(2)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ra-5.1_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency \/ Prior to New Scan \/ When Identified","params":[{"id":"ra-5.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-5.2_prm_2 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ insert: param, ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities scanned;"},{"id":"ra-5.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and\/or"},{"id":"ra-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-5.4_prm_1","label":"organization-defined corrective actions"}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"sort-id","value":"ra-05.04"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"The organization determines what information about the information system is discoverable by adversaries and subsequently takes {{ insert: param, ra-5.4_prm_1 }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.","links":[{"href":"#au-13","rel":"related"}]},{"id":"ra-5.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.4_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(4)[1]"}],"prose":"defines corrective actions to be taken if information about the information system is discoverable by adversaries;"},{"id":"ra-5.4_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(4)[2]"}],"prose":"determines what information about the information system is discoverable by adversaries; and"},{"id":"ra-5.4_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(4)[3]"}],"prose":"subsequently takes organization-defined corrective actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity assessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nautomated mechanisms supporting and\/or implementing risk response\n\nautomated mechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ insert: param, ra-5.5_prm_1 }} for selected {{ insert: param, ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and"},{"id":"ra-5.5_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the information system\n\norganizational personnel responsible for configuration management of the information system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and\/or implementing access control\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.1_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design \/ Implementation Information for Security Controls","params":[{"id":"sa-4.2_prm_1","select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-4.2_prm_2 }} "]}},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design\/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {{ insert: param, sa-4.2_prm_1 }} at {{ insert: param, sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission\/business requirements, requirements for trustworthiness\/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design\/implementation information that the developer is to provide for the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and\/or"},{"id":"sa-4.2_obj.3.f","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design\/implementation information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or information system services\n\ndesign and implementation information for security controls employed in the information system, system component, or information system service\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions \/ Ports \/ Protocols \/ Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","props":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering principles in:","parts":[{"id":"sa-8_obj.1","name":"objective","props":[{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","props":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","props":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","props":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","props":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information system\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with information system specification, design, development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification\n\nautomated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions \/ Ports \/ Protocols \/ Services","params":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services"}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ insert: param, sa-9.2_prm_1 }} to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions\/services or blocking certain ports\/protocols.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of information system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_prm_1","select":{"how-many":"one-or-more","choice":["design","development","implementation","operation"]}},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence\/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software\/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission\/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","props":[{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and\/or"},{"id":"sa-10.a_obj.4","name":"objective","props":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","props":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","props":[{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10.d_obj","name":"objective","props":[{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","props":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;"},{"id":"sa-10.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service; and"},{"id":"sa-10.e_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","params":[{"id":"sa-11_prm_1","select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_prm_1 }} testing\/evaluation at {{ insert: param, sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results of the security testing\/evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing\/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing\/evaluation occurs at all post-design phases of the system development life cycle. Such testing\/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing\/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing\/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing\/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans\/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","props":[{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","props":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to perform one or more of the following testing\/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing\/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing\/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing\/evaluation; and\/or"},{"id":"sa-11.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing\/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","props":[{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing\/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","props":[{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","props":[{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information system service to correct flaws identified during security testing\/evaluation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-12","class":"SP800-53","title":"Supply Chain Protection","params":[{"id":"sa-12_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-12"},{"name":"sort-id","value":"sa-12"}],"links":[{"href":"#8ab6bcdc-339b-4068-b45e-994814a6e187","rel":"reference"},{"href":"#bdd2f49e-edf7-491f-a178-4487898228f3","rel":"reference"}],"parts":[{"id":"sa-12_smt","name":"statement","prose":"The organization protects against supply chain threats to the information system, system component, or information system service by employing {{ insert: param, sa-12_prm_1 }} as part of a comprehensive, defense-in-breadth information security strategy."},{"id":"sa-12_gdn","name":"guidance","prose":"Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition\/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems\/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping\/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#at-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-18","rel":"related"},{"href":"#sa-19","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sa-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-12_obj.1","name":"objective","props":[{"name":"label","value":"SA-12[1]"}],"prose":"defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and"},{"id":"sa-12_obj.2","name":"objective","props":[{"name":"label","value":"SA-12[2]"}],"prose":"protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nlist of supply chain threats\n\nlist of security safeguards to be taken against supply chain threats\n\nsystem development life cycle documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining safeguards for and protecting against supply chain threats\n\nautomated mechanisms supporting and\/or implementing safeguards for supply chain threats"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_1","label":"organization-defined frequency"},{"id":"sa-15_prm_2","label":"organization-defined security requirements"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-15"},{"name":"sort-id","value":"sa-15"}],"parts":[{"id":"sa-15_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires the developer of the information system, system component, or information system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the development process, standards, tools, and tool options\/configurations {{ insert: param, sa-15_prm_1 }} to determine if the process, standards, tools, and tool options\/configurations selected and employed can satisfy {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.","links":[{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-15_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-15.a_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)"}],"prose":"requires the developer of the information system, system component, or information system service to follow a documented development process that:","parts":[{"id":"sa-15.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(1)"}],"prose":"explicitly addresses security requirements;"},{"id":"sa-15.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(2)"}],"prose":"identifies the standards and tools used in the development process;"},{"id":"sa-15.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)"}],"parts":[{"id":"sa-15.a.3_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)[1]"}],"prose":"documents the specific tool options used in the development process;"},{"id":"sa-15.a.3_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)[2]"}],"prose":"documents the specific tool configurations used in the development process;"}]},{"id":"sa-15.a.4_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)"}],"parts":[{"id":"sa-15.a.4_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[1]"}],"prose":"documents changes to the process and\/or tools used in the development;"},{"id":"sa-15.a.4_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[2]"}],"prose":"manages changes to the process and\/or tools used in the development;"},{"id":"sa-15.a.4_obj.3","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[3]"}],"prose":"ensures the integrity of changes to the process and\/or tools used in the development;"}]}]},{"id":"sa-15.b_obj","name":"objective","props":[{"name":"label","value":"SA-15(b)"}],"parts":[{"id":"sa-15.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(b)[1]"}],"prose":"defines a frequency to review the development process, standards, tools, and tool options\/configurations;"},{"id":"sa-15.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(b)[2]"}],"prose":"defines security requirements to be satisfied by the process, standards, tools, and tool option\/configurations selected and employed; and"},{"id":"sa-15.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-15(b)[3]"}],"parts":[{"id":"sa-15.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][a]"}],"prose":"reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;"},{"id":"sa-15.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][b]"}],"prose":"reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;"},{"id":"sa-15.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][c]"}],"prose":"reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and"},{"id":"sa-15.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][d]"}],"prose":"reviews the development tool options\/configurations with the organization-defined frequency to determine if the tool options\/configurations selected and employed can satisfy organization-defined security requirements."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer documentation listing tool options\/configuration guides, configuration management records\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of development process, standards, tools, and tool options\/configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_prm_1","label":"organization-defined training"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-16"},{"name":"sort-id","value":"sa-16"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide {{ insert: param, sa-16_prm_1 }} on the correct use and operation of the implemented security functions, controls, and\/or mechanisms."},{"id":"sa-16_gdn","name":"guidance","prose":"This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based\/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"sa-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-16_obj.1","name":"objective","props":[{"name":"label","value":"SA-16[1]"}],"prose":"defines training to be provided by the developer of the information system, system component, or information system service; and"},{"id":"sa-16_obj.2","name":"objective","props":[{"name":"label","value":"SA-16[2]"}],"prose":"requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and\/or mechanisms."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\ndeveloper-provided training materials\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information system security responsibilities\n\nsystem developer\n\norganizational or third-party developers with training responsibilities for the information system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security Architecture and Design","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-17"},{"name":"sort-id","value":"sa-17"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if\/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-17_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:","parts":[{"id":"sa-17.a_obj","name":"objective","props":[{"name":"label","value":"SA-17(a)"}],"prose":"is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;"},{"id":"sa-17.b_obj","name":"objective","props":[{"name":"label","value":"SA-17(b)"}],"prose":"accurately and completely describes:","parts":[{"id":"sa-17.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-17(b)[1]"}],"prose":"the required security functionality;"},{"id":"sa-17.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-17(b)[2]"}],"prose":"the allocation of security controls among physical and logical components; and"}]},{"id":"sa-17.c_obj","name":"objective","props":[{"name":"label","value":"SA-17(c)"}],"prose":"expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specification for the information system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\ndesign specification and security architecture documentation for the system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with security architecture and design responsibilities"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-2_obj","name":"objective","prose":"Determine if the information system separates user functionality (including user interface services) from information system management functionality."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management functionality"}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-3"},{"name":"sort-id","value":"sc-03"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"The information system isolates security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-39","rel":"related"}]},{"id":"sc-3_obj","name":"objective","prose":"Determine if the information system isolates security functions from nonsecurity functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from nonsecurity functions\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of security functions from nonsecurity functions within the information system"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of information, produced by the actions of prior users\/roles (or the actions of processes acting on behalf of prior users\/roles) from being available to any current users\/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and\/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users\/roles.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"sc-4_obj","name":"objective","prose":"Determine if the information system prevents unauthorized and unintended information transfer via shared system resources."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections."},{"id":"sc-7.3_obj","name":"objective","prose":"Determine if the organization limits the number of external network connections to the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting mission\/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ insert: param, sc-7.4_prm_1 }} and removes exceptions that are no longer supported by an explicit mission\/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp"}]},{"id":"sc-7.4.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp"}]},{"id":"sc-7.4.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp"}]},{"id":"sc-7.4.d_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission\/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp"}]},{"id":"sc-7.4.e_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an explicit mission\/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default \/ Allow by Exception","props":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","props":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers\/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","prose":"Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"sc-07.08"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"The information system routes {{ insert: param, sc-7.8_prm_1 }} to {{ insert: param, sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"}]},{"id":"sc-7.8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-7.8_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(8)[1]"}],"prose":"the organization defines internal communications traffic to be routed to external networks;"},{"id":"sc-7.8_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(8)[2]"}],"prose":"the organization defines external networks to which organization-defined internal communications traffic is to be routed; and"},{"id":"sc-7.8_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(8)[3]"}],"prose":"the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"sort-id","value":"sc-07.18"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"The information system fails securely in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.","links":[{"href":"#cp-2","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-7.18_obj","name":"objective","prose":"Determine if the information system fails securely in the event of an operational failure of a boundary protection device."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of Information System Components","params":[{"id":"sc-7.21_prm_1","label":"organization-defined information system components"},{"id":"sc-7.21_prm_2","label":"organization-defined missions and\/or business functions"}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"sort-id","value":"sc-07.21"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"The organization employs boundary protection mechanisms to separate {{ insert: param, sc-7.21_prm_1 }} supporting {{ insert: param, sc-7.21_prm_2 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate information system components performing different missions and\/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys.","links":[{"href":"#ca-9","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-7.21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.21_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(21)[1]"}],"prose":"defines information system components to be separated by boundary protection mechanisms;"},{"id":"sc-7.21_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(21)[2]"}],"prose":"defines missions and\/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and"},{"id":"sc-7.21_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(21)[3]"}],"prose":"employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and\/or business functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\nenterprise architecture documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the capability to separate information system components supporting organizational missions and\/or business functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-8_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and\/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality\/integrity. In such situations, organizations determine what types of confidentiality\/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-4","rel":"related"}]},{"id":"sc-8_obj","name":"objective","prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","props":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and\/or"},{"id":"sc-8_obj.2","name":"objective","props":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","params":[{"id":"sc-8.1_prm_1","select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards"}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ insert: param, sc-8.1_prm_1 }} during transmission unless otherwise protected by {{ insert: param, sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and\/or"},{"id":"sc-8.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nautomated mechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP\/IP address\/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","props":[{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and"},{"id":"sc-10_obj.2","name":"objective","props":[{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"sort-id","value":"sc-12.01"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"The organization maintains availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase)."},{"id":"sc-12.1_obj","name":"objective","prose":"Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ insert: param, sc-17_prm_1 }} or obtains public key certificates from an approved service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.","links":[{"href":"#sc-12","rel":"related"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","props":[{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","props":[{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","props":[{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","props":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code technologies;"}]},{"id":"sc-18.c_obj","name":"objective","props":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","props":[{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting mobile code\n\nautomated mechanisms supporting and\/or implementing the management of mobile code\n\nautomated mechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","props":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","props":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","props":[{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks\/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}]},{"id":"sc-23_obj","name":"objective","prose":"Determine if the information system protects the authenticity of communications sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_prm_1","label":"organization-defined known-state"},{"id":"sc-24_prm_2","label":"organization-defined types of failures"},{"id":"sc-24_prm_3","label":"organization-defined system state information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-24"},{"name":"sort-id","value":"sc-24"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"The information system fails to a {{ insert: param, sc-24_prm_1 }} for {{ insert: param, sc-24_prm_2 }} preserving {{ insert: param, sc-24_prm_3 }} in failure."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission\/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission\/business processes.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-24_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-24_obj.1","name":"objective","props":[{"name":"label","value":"SC-24[1]"}],"prose":"the organization defines a known-state to which the information system is to fail in the event of a system failure;"},{"id":"sc-24_obj.2","name":"objective","props":[{"name":"label","value":"SC-24[2]"}],"prose":"the organization defines types of failures for which the information system is to fail to an organization-defined known-state;"},{"id":"sc-24_obj.3","name":"objective","props":[{"name":"label","value":"SC-24[3]"}],"prose":"the organization defines system state information to be preserved in the event of a system failure;"},{"id":"sc-24_obj.4","name":"objective","props":[{"name":"label","value":"SC-24[4]"}],"prose":"the information system fails to the organization-defined known-state for organization-defined types of failures; and"},{"id":"sc-24_obj.5","name":"objective","props":[{"name":"label","value":"SC-24[5]"}],"prose":"the information system preserves the organization-defined system state information in the event of a system failure."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information system failure to known state\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of failures requiring information system to fail in a known state\n\nstate information to be preserved in system failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fail-in-known state capability\n\nautomated mechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-28_prm_1 }} of {{ insert: param, sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection\/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and\/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","props":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and\/or"},{"id":"sc-28_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","props":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and\/or"},{"id":"sc-28_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-2(1)"},{"name":"sort-id","value":"si-02.01"}],"parts":[{"id":"si-2.1_smt","name":"statement","prose":"The organization centrally manages the flaw remediation process."},{"id":"si-2.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls."},{"id":"si-2.1_obj","name":"objective","prose":"Determine if the organization centrally manages the flaw remediation process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of the flaw remediation process\n\nautomated mechanisms supporting and\/or implementing central management of the flaw remediation process"}]}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-2.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ insert: param, si-2.2_prm_1 }} to determine the state of information system components with regard to flaw remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related"},{"href":"#si-8","rel":"related"}]},{"id":"si-3.1_obj","name":"objective","prose":"Determine if the organization centrally manages malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing central management of malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related"}]},{"id":"si-3.2_obj","name":"objective","prose":"Determine if the information system automatically updates malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing automatic updates to malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and\/or notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","prose":"Determine if the organization employs automated tools to support near real-time analysis of events."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for incident response\/management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring\n\nautomated mechanisms\/tools supporting and\/or implementing analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual\/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection capability\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing monitoring of inbound\/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ insert: param, si-4.5_prm_1 }} when the following indications of compromise or potential compromise occur: {{ insert: param, si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission\/business owners, system owners, or information system security officers.","links":[{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection\/information system monitoring capability\n\nautomated mechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","props":[{"name":"label","value":"SI-5(1)"},{"name":"sort-id","value":"si-05.01"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to make security alert and advisory information available throughout the organization."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission\/business process\/enterprise architecture level, and the information system level."},{"id":"si-5.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security Function Verification","params":[{"id":"si-6_prm_1","label":"organization-defined security functions"},{"id":"si-6_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-6_prm_3 }} ","upon command by user with appropriate privilege"," {{ insert: param, si-6_prm_4 }} "]}},{"id":"si-6_prm_3","depends-on":"si-6_prm_2","label":"organization-defined system transitional states"},{"id":"si-6_prm_4","depends-on":"si-6_prm_2","label":"organization-defined frequency"},{"id":"si-6_prm_5","label":"organization-defined personnel or roles"},{"id":"si-6_prm_6","select":{"how-many":"one-or-more","choice":["shuts the information system down","restarts the information system"," {{ insert: param, si-6_prm_7 }} "]}},{"id":"si-6_prm_7","depends-on":"si-6_prm_6","label":"organization-defined alternative action(s)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-6"},{"name":"sort-id","value":"si-06"}],"parts":[{"id":"si-6_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifies the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Performs this verification {{ insert: param, si-6_prm_2 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Notifies {{ insert: param, si-6_prm_5 }} of failed security verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":" {{ insert: param, si-6_prm_6 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and\/or hardware indications such as lights.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"si-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-6.a_obj","name":"objective","props":[{"name":"label","value":"SI-6(a)"}],"parts":[{"id":"si-6.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(a)[1]"}],"prose":"the organization defines security functions to be verified for correct operation;"},{"id":"si-6.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(a)[2]"}],"prose":"the information system verifies the correct operation of organization-defined security functions;"}]},{"id":"si-6.b_obj","name":"objective","props":[{"name":"label","value":"SI-6(b)"}],"parts":[{"id":"si-6.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(b)[1]"}],"prose":"the organization defines system transitional states requiring verification of organization-defined security functions;"},{"id":"si-6.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(b)[2]"}],"prose":"the organization defines a frequency to verify the correct operation of organization-defined security functions;"},{"id":"si-6.b_obj.3","name":"objective","props":[{"name":"label","value":"SI-6(b)[3]"}],"prose":"the information system performs this verification one or more of the following:","parts":[{"id":"si-6.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][a]"}],"prose":"at organization-defined system transitional states;"},{"id":"si-6.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][b]"}],"prose":"upon command by user with appropriate privilege; and\/or"},{"id":"si-6.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][c]"}],"prose":"with the organization-defined frequency;"}]}]},{"id":"si-6.c_obj","name":"objective","props":[{"name":"label","value":"SI-6(c)"}],"parts":[{"id":"si-6.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(c)[1]"}],"prose":"the organization defines personnel or roles to be notified of failed security verification tests;"},{"id":"si-6.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(c)[2]"}],"prose":"the information system notifies organization-defined personnel or roles of failed security verification tests;"}]},{"id":"si-6.d_obj","name":"objective","props":[{"name":"label","value":"SI-6(d)"}],"parts":[{"id":"si-6.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(d)[1]"}],"prose":"the organization defines alternative action(s) to be performed when anomalies are discovered;"},{"id":"si-6.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(d)[2]"}],"prose":"the information system performs one or more of the following actions when anomalies are discovered:","parts":[{"id":"si-6.d_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-6.d_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][b]"}],"prose":"restarts the information system; and\/or"},{"id":"si-6.d_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][c]"}],"prose":"performs organization-defined alternative action(s)."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security function verification\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the information system\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security function verification\n\nautomated mechanisms supporting and\/or implementing security function verification capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes to {{ insert: param, si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.","links":[{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated\/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","props":[{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events; and\/or"},{"id":"si-7.1_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-7.2_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"sort-id","value":"si-07.02"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"The organization employs automated tools that provide notification to {{ insert: param, si-7.2_prm_1 }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The use of automated tools to report integrity violations and to notify organizational personnel in a timely matter is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission\/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers."},{"id":"si-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(2)[1]"}],"prose":"defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and"},{"id":"si-7.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(2)[2]"}],"prose":"employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nalerts\/notifications provided upon discovering discrepancies during integrity verifications\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-7.5_prm_1","select":{"how-many":"one-or-more","choice":["shuts the information system down","restarts the information system","implements {{ insert: param, si-7.5_prm_2 }} "]}},{"id":"si-7.5_prm_2","depends-on":"si-7.5_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"sort-id","value":"si-07.05"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"The information system automatically {{ insert: param, si-7.5_prm_1 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(5)[1]"}],"prose":"the organization defines security safeguards to be implemented when integrity violations are discovered;"},{"id":"si-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(5)[2]"}],"prose":"the information system automatically performs one or more of the following actions when integrity violations are discovered:","parts":[{"id":"si-7.5_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-7.5_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][b]"}],"prose":"restarts the information system; and\/or"},{"id":"si-7.5_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][c]"}],"prose":"implements the organization-defined security safeguards."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing an automated response to integrity violations\n\nautomated mechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information system"}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ insert: param, si-7.7_prm_1 }} into the organizational incident response capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system; and"},{"id":"si-7.7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and\/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.14","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"SI-7(14)"},{"name":"sort-id","value":"si-07.14"}],"parts":[{"id":"si-7.14_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-7.14_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and"},{"id":"si-7.14_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provides exceptions to the source code requirement only for compelling mission\/operational requirements and with the approval of the authorizing official."}]},{"id":"si-7.14_gdn","name":"guidance","prose":"This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software\/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"si-7.14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.14.a_obj","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)"}],"parts":[{"id":"si-7.14.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)[1]"}],"prose":"prohibits the use of binary or machine-executable code from sources with limited or no warranty;"},{"id":"si-7.14.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)[2]"}],"prose":"prohibits the use of binary or machine-executable code without the provision of source code;"}],"links":[{"href":"#si-7.14_smt.a","rel":"corresp"}]},{"id":"si-7.14.b_obj","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)"}],"parts":[{"id":"si-7.14.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)[1]"}],"prose":"provides exceptions to the source code requirement only for compelling mission\/operational requirements; and"},{"id":"si-7.14.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)[2]"}],"prose":"provides exceptions to the source code requirement only with the approval of the authorizing official."}],"links":[{"href":"#si-7.14_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\napproval records for execution of binary and machine-executable code\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nauthorizing official\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing prohibition of the execution of binary or machine-executable code"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook\/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","props":[{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","props":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages; and"}]},{"id":"si-8.b_obj","name":"objective","props":[{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.","links":[{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-8.1_obj","name":"objective","prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and\/or implementing central management of spam protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","prose":"Determine if the information system automatically updates spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\n\nautomated mechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ insert: param, si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","props":[{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","props":[{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information inputs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ insert: param, si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure\/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission\/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","props":[{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;"},{"id":"si-11.b_obj","name":"objective","props":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be revealed; and"},{"id":"si-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure\/content of error messages\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ insert: param, si-16_prm_1 }} to protect its memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.","links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","props":[{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","props":[{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized code execution\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http:\/\/capec.mitre.org","citation":{"text":"http:\/\/capec.mitre.org"},"rlinks":[{"href":"http:\/\/capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http:\/\/cve.mitre.org","citation":{"text":"http:\/\/cve.mitre.org"},"rlinks":[{"href":"http:\/\/cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp","citation":{"text":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"bdd2f49e-edf7-491f-a178-4487898228f3","title":"NIST Interagency Report 7622","citation":{"text":"NIST Interagency Report 7622"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsNISTIRs.html#NIST-IR-7622"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"8ab6bcdc-339b-4068-b45e-994814a6e187","title":"NIST Special Publication 800-161","citation":{"text":"NIST Special Publication 800-161"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-161"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http:\/\/www.cnss.gov\/Assets\/pdf\/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2005\/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"d3d0fe20-8c66-4ead-a7bf-10455eada4ac","metadata":{"title":"NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE","last-modified":"2023-12-05T21:54:41.390821Z","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_HIGH-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"71c97c27-4f09-4d06-a6a4-065a54c19a1f","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["31a5dd8f-978a-4558-8ade-846211607d40"]},{"role-id":"contact","party-uuids":["31a5dd8f-978a-4558-8ade-846211607d40"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","props":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the management of information system accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary \/ Emergency Accounts","params":[{"id":"ac-2.2_prm_1","select":{"choice":["removes","disables"]}},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account"}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","params":[{"id":"ac-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ insert: param, ac-2.3_prm_1 }}."},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the organization-defined time period."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","params":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies {{ insert: param, ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-2.5_prm_1","label":"organization-defined time-period of expected inactivity or description of when to log out"}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"sort-id","value":"ac-02.05"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"The organization requires that users log out when {{ insert: param, ac-2.5_prm_1 }}."},{"id":"ac-2.5_gdn","name":"guidance","links":[{"href":"#sc-23","rel":"related"}]},{"id":"ac-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(5)[1]"}],"prose":"defines either the time period of expected inactivity that requires users to log out or the description of when users are required to log out; and"},{"id":"ac-2.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(5)[2]"}],"prose":"requires that users log out when the organization-defined time period of inactivity is reached or in accordance with organization-defined description of when to log out."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity violation reports\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-2.11_prm_1","label":"organization-defined circumstances and\/or usage conditions"},{"id":"ac-2.11_prm_2","label":"organization-defined information system accounts"}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"sort-id","value":"ac-02.11"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"The information system enforces {{ insert: param, ac-2.11_prm_1 }} for {{ insert: param, ac-2.11_prm_2 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Organizations can describe the specific conditions or circumstances under which information system accounts can be used, for example, by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.11_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(11)[1]"}],"prose":"the organization defines circumstances and\/or usage conditions to be enforced for information system accounts;"},{"id":"ac-2.11_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(11)[2]"}],"prose":"the organization defines information system accounts for which organization-defined circumstances and\/or usage conditions are to be enforced; and"},{"id":"ac-2.11_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(11)[3]"}],"prose":"the information system enforces organization-defined circumstances and\/or usage conditions for organization-defined information system accounts."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of information system accounts and associated assignments of usage circumstances and\/or usage conditions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring \/ Atypical Usage","params":[{"id":"ac-2.12_prm_1","label":"organization-defined atypical usage"},{"id":"ac-2.12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"sort-id","value":"ac-02.12"}],"parts":[{"id":"ac-2.12_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitors information system accounts for {{ insert: param, ac-2.12_prm_1 }}; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reports atypical usage of information system accounts to {{ insert: param, ac-2.12_prm_2 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.","links":[{"href":"#ca-7","rel":"related"}]},{"id":"ac-2.12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.12.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)"}],"parts":[{"id":"ac-2.12.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)[1]"}],"prose":"defines atypical usage to be monitored for information system accounts;"},{"id":"ac-2.12.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(12)(a)[2]"}],"prose":"monitors information system accounts for organization-defined atypical usage;"}],"links":[{"href":"#ac-2.12_smt.a","rel":"corresp"}]},{"id":"ac-2.12.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)"}],"parts":[{"id":"ac-2.12.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)[1]"}],"prose":"defines personnel or roles to whom atypical usage of information system accounts are to be reported; and"},{"id":"ac-2.12.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(12)(b)[2]"}],"prose":"reports atypical usage of information system accounts to organization-defined personnel or roles."}],"links":[{"href":"#ac-2.12_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\naudit tracking and monitoring reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-2.13_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"sort-id","value":"ac-02.13"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"The organization disables accounts of users posing a significant risk within {{ insert: param, ac-2.13_prm_1 }} of discovery of the risk."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement.","links":[{"href":"#ps-4","rel":"related"}]},{"id":"ac-2.13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.13_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(13)[1]"}],"prose":"defines the time period within which accounts are disabled upon discovery of a significant risk posed by users of such accounts; and"},{"id":"ac-2.13_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(13)[2]"}],"prose":"disables accounts of users posing a significant risk within the organization-defined time period of discovery of the risk."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {{ insert: param, ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering\/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","props":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","props":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Separates {{ insert: param, ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and\/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","props":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","props":[{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","props":[{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of duties."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions\/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ac-6_obj","name":"objective","prose":"Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information"}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ insert: param, ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers\/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly authorized;"},{"id":"ac-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles, with access to {{ insert: param, ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-6.3_prm_1","label":"organization-defined privileged commands"},{"id":"ac-6.3_prm_2","label":"organization-defined compelling operational needs"}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"sort-id","value":"ac-06.03"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"The organization authorizes network access to {{ insert: param, ac-6.3_prm_1 }} only for {{ insert: param, ac-6.3_prm_2 }} and documents the rationale for such access in the security plan for the information system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).","links":[{"href":"#ac-17","rel":"related"}]},{"id":"ac-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(3)[1]"}],"prose":"defines privileged commands to which network access is to be authorized only for compelling operational needs;"},{"id":"ac-6.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(3)[2]"}],"prose":"defines compelling operational needs for which network access to organization-defined privileged commands are to be solely authorized;"},{"id":"ac-6.3_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(3)[3]"}],"prose":"authorizes network access to organization-defined privileged commands only for organization-defined compelling operational needs; and"},{"id":"ac-6.3_obj.4","name":"objective","props":[{"name":"label","value":"AC-6(3)[4]"}],"prose":"documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to {{ insert: param, ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information\/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","links":[{"href":"#cm-6","rel":"related"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related"}]},{"id":"ac-6.9_obj","name":"objective","prose":"Determine if the information system audits the execution of privileged functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards\/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","prose":"Determine if the information system prevents non-privileged users from executing privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards\/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards\/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards\/countermeasures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_prm_1","label":"organization-defined account and\/or account type"},{"id":"ac-10_prm_2","label":"organization-defined number"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-10"},{"name":"sort-id","value":"ac-10"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"The information system limits the number of concurrent sessions for each {{ insert: param, ac-10_prm_1 }} to {{ insert: param, ac-10_prm_2 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-10_obj.1","name":"objective","props":[{"name":"label","value":"AC-10[1]"}],"prose":"the organization defines account and\/or account types for the information system;"},{"id":"ac-10_obj.2","name":"objective","props":[{"name":"label","value":"AC-10[2]"}],"prose":"the organization defines the number of concurrent sessions to be allowed for each organization-defined account and\/or account type; and"},{"id":"ac-10_obj.3","name":"objective","props":[{"name":"label","value":"AC-10[3]"}],"prose":"the information system limits the number of concurrent sessions for each organization-defined account and\/or account type to the organization-defined number of concurrent sessions allowed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","params":[{"id":"ac-11_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request from a user; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","props":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","props":[{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","prose":"Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ insert: param, ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","props":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session disconnect; and"},{"id":"ac-12_obj.2","name":"objective","props":[{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring \/ Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-17.1_obj","name":"objective","prose":"Determine if the information system monitors and controls remote access methods."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality \/ Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security categorization of the information.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-17.2_obj","name":"objective","prose":"Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","params":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"props":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ insert: param, ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the organization-defined number of managed network access control points."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands \/ Access","params":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp"}]},{"id":"ac-17.4.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.1_prm_1","select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication of {{ insert: param, ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-18.1_obj","name":"objective","prose":"Determine if the information system protects wireless access to the system using encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and\/or"},{"id":"ac-18.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the information system"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"sort-id","value":"ac-18.04"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capability are enforced in part, by the access enforcement mechanisms employed within organizational information systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"ac-18.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(4)[1]"}],"prose":"identifies users allowed to independently configure wireless networking capabilities; and"},{"id":"ac-18.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(4)[2]"}],"prose":"explicitly authorizes the identified users allowed to independently configure wireless networking capabilities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas \/ Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"sort-id","value":"ac-18.05"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken by organizations to limit unauthorized use of wireless communications outside of organization-controlled boundaries include, for example: (i) reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be used by adversaries outside of the physical perimeters of organizations; (ii) employing measures such as TEMPEST to control wireless emanations; and (iii) using directional\/beam forming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational information systems as well as other systems that may be operating in the area.","links":[{"href":"#pe-19","rel":"related"}]},{"id":"ac-18.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(5)[1]"}],"prose":"selects radio antennas to reduce the probability that usable signals can be received outside of organization-controlled boundaries; and"},{"id":"ac-18.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(5)[2]"}],"prose":"calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access capability protecting usable signals from unauthorized access outside organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device \/ Container-based Encryption","params":[{"id":"ac-19.5_prm_1","select":{"choice":["full-device encryption","container encryption"]}},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption of data\/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and"},{"id":"ac-19.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related"}]},{"id":"ac-20.1_obj","name":"objective","prose":"Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp"}]},{"id":"ac-20.1.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","params":[{"id":"ac-20.2_prm_1","select":{"choice":["restricts","prohibits"]}}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ insert: param, ac-20.2_prm_1 }} the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"objective","prose":"Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for {{ insert: param, ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs {{ insert: param, ac-21_prm_2 }} to assist users in making information sharing\/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program\/compartment.","links":[{"href":"#ac-3","rel":"related"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-21.a_obj","name":"objective","props":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is required;"},{"id":"ac-21.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","props":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users in making information sharing\/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist users in making information sharing\/collaboration decisions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing\/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing\/collaboration decisions\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"at-2.2_obj","name":"objective","prose":"Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness training\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"au-2.3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ insert: param, au-2.3_prm_1 }}."},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information"}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional information: {{ insert: param, au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the organization-defined additional, more detailed information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","params":[{"id":"au-3.2_prm_1","label":"organization-defined information system components"}],"props":[{"name":"label","value":"AU-3(2)"},{"name":"sort-id","value":"au-03.02"}],"parts":[{"id":"au-3.2_smt","name":"statement","prose":"The information system provides centralized management and configuration of the content to be captured in audit records generated by {{ insert: param, au-3.2_prm_1 }}."},{"id":"au-3.2_gdn","name":"guidance","prose":"This control enhancement requires that the content to be captured in audit records be configured from a central location (necessitating automation). Organizations coordinate the selection of required audit content to support the centralized management and configuration capability provided by the information system.","links":[{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-3.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(2)[1]"}],"prose":"the organization defines information system components that generate audit records whose content is to be centrally managed and configured by the information system; and"},{"id":"au-3.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(2)[2]"}],"prose":"the information system provides centralized management and configuration of the content to be captured in audit records generated by the organization-defined information system components."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system capability implementing centralized management and configuration of audit record content"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Audit Storage Capacity","params":[{"id":"au-5.1_prm_1","label":"organization-defined personnel, roles, and\/or locations"},{"id":"au-5.1_prm_2","label":"organization-defined time period"},{"id":"au-5.1_prm_3","label":"organization-defined percentage"}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"sort-id","value":"au-05.01"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"The information system provides a warning to {{ insert: param, au-5.1_prm_1 }} within {{ insert: param, au-5.1_prm_2 }} when allocated audit record storage volume reaches {{ insert: param, au-5.1_prm_3 }} of repository maximum audit record storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"au-5.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][a]"}],"prose":"personnel to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;"},{"id":"au-5.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][b]"}],"prose":"roles to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity; and\/or"},{"id":"au-5.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-5(1)[1][c]"}],"prose":"locations to be warned when allocated audit record storage volume reaches organization-defined percentage of repository maximum audit record storage capacity;"}]},{"id":"au-5.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(1)[2]"}],"prose":"the organization defines the time period within which the information system is to provide a warning to the organization-defined personnel, roles, and\/or locations when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity;"},{"id":"au-5.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-5(1)[3]"}],"prose":"the organization defines the percentage of repository maximum audit record storage capacity that, if reached, requires a warning to be provided; and"},{"id":"au-5.1_obj.4","name":"objective","props":[{"name":"label","value":"AU-5(1)[4]"}],"prose":"the information system provides a warning to the organization-defined personnel, roles, and\/or locations within the organization-defined time period when allocated audit record storage volume reaches the organization-defined percentage of repository maximum audit record storage capacity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-5.2_prm_1","label":"organization-defined real-time period"},{"id":"au-5.2_prm_2","label":"organization-defined personnel, roles, and\/or locations"},{"id":"au-5.2_prm_3","label":"organization-defined audit failure events requiring real-time alerts"}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"sort-id","value":"au-05.02"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"The information system provides an alert in {{ insert: param, au-5.2_prm_1 }} to {{ insert: param, au-5.2_prm_2 }} when the following audit failure events occur: {{ insert: param, au-5.2_prm_3 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(2)[1]"}],"prose":"the organization defines audit failure events requiring real-time alerts;"},{"id":"au-5.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(2)[2]"}],"prose":"the organization defines:","parts":[{"id":"au-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][a]"}],"prose":"personnel to be alerted when organization-defined audit failure events requiring real-time alerts occur;"},{"id":"au-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][b]"}],"prose":"roles to be alerted when organization-defined audit failure events requiring real-time alerts occur; and\/or"},{"id":"au-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-5(2)[2][c]"}],"prose":"locations to be alerted when organization-defined audit failure events requiring real-time alerts occur;"}]},{"id":"au-5.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-5(2)[3]"}],"prose":"the organization defines the real-time period within which the information system is to provide an alert to the organization-defined personnel, roles, and\/or locations when the organization-defined audit failure events requiring real-time alerts occur; and"},{"id":"au-5.2_obj.4","name":"objective","props":[{"name":"label","value":"AU-5(2)[4]"}],"prose":"the information system provides an alert within the organization-defined real-time period to the organization-defined personnel, roles, and\/or locations when organization-defined audit failure events requiring real-time alerts occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nrecords of notifications or real-time alerts when audit processing failures occur\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing real-time audit alerts when organization-defined audit failure events occur"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","props":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission\/business process, and information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"au-6.3_obj","name":"objective","prose":"Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integration \/ Scanning and Monitoring Capabilities","params":[{"id":"au-6.5_prm_1","select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","information system monitoring information"," {{ insert: param, au-6.5_prm_2 }} "]}},{"id":"au-6.5_prm_2","depends-on":"au-6.5_prm_1","label":"organization-defined data\/information collected from other sources"}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"sort-id","value":"au-06.05"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"The organization integrates analysis of audit records with analysis of {{ insert: param, au-6.5_prm_1 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation\/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"au-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(5)[1]"}],"prose":"defines data\/information to be collected from other sources;"},{"id":"au-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(5)[2]"}],"prose":"selects sources of data\/information to be analyzed and integrated with the analysis of audit records from one or more of the following:","parts":[{"id":"au-6.5_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][a]"}],"prose":"vulnerability scanning information;"},{"id":"au-6.5_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][b]"}],"prose":"performance data;"},{"id":"au-6.5_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][c]"}],"prose":"information system monitoring information; and\/or"},{"id":"au-6.5_obj.2.d","name":"objective","props":[{"name":"label","value":"AU-6(5)[2][d]"}],"prose":"organization-defined data\/information collected from other sources; and"}]},{"id":"au-6.5_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(5)[3]"}],"prose":"integrates the analysis of audit records with the analysis of selected data\/information to further enhance the ability to identify inappropriate or unusual activity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"sort-id","value":"au-06.06"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit information and audit logs from information systems may assist organizations in identifying examples of suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain information systems with the additional physical security information that the individual was actually present at the facility when the logical access occurred, may prove to be useful in investigations."},{"id":"au-6.6_obj","name":"objective","prose":"Determine if the organization correlates information from audit records with information obtained from monitoring physical access to enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing capability to correlate information from audit records with information from monitoring physical access"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","props":[{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","props":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","props":[{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events of interest based on {{ insert: param, au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"props":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.1.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and"},{"id":"au-8.1.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp"}]},{"id":"au-8.1.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Audit Backup On Separate Physical Systems \/ Components","params":[{"id":"au-9.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"sort-id","value":"au-09.02"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"The information system backs up audit records {{ insert: param, au-9.2_prm_1 }} onto a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"}]},{"id":"au-9.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(2)[1]"}],"prose":"the organization defines the frequency to back up audit records onto a physically different system or system component than the system or component being audited; and"},{"id":"au-9.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(2)[2]"}],"prose":"the information system backs up audit records with the organization-defined frequency, onto a physically different system or system component than the system or component being audited."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system or media storing backups of information system audit records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"sort-id","value":"au-09.03"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"au-9.3_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"au-9.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(3)[1]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit information; and"},{"id":"au-9.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(3)[2]"}],"prose":"uses cryptographic mechanisms to protect the integrity of audit tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system hardware settings\n\ninformation system configuration settings and associated documentation, information system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only {{ insert: param, au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.","links":[{"href":"#ac-5","rel":"related"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the organization-defined subset of privileged users."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_prm_1","label":"organization-defined actions to be covered by non-repudiation"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-10"},{"name":"sort-id","value":"au-10"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed {{ insert: param, au-10_prm_1 }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"au-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-10_obj.1","name":"objective","props":[{"name":"label","value":"AU-10[1]"}],"prose":"the organization defines actions to be covered by non-repudiation; and"},{"id":"au-10_obj.2","name":"objective","props":[{"name":"label","value":"AU-10[2]"}],"prose":"the information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing non-repudiation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing non-repudiation capability"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide \/ Time-correlated Audit Trail","params":[{"id":"au-12.1_prm_1","label":"organization-defined information system components"},{"id":"au-12.1_prm_2","label":"organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail"}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"sort-id","value":"au-12.01"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"The information system compiles audit records from {{ insert: param, au-12.1_prm_1 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.1_prm_2 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.","links":[{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-12.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(1)[1]"}],"prose":"the organization defines the information system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail;"},{"id":"au-12.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(1)[2]"}],"prose":"the organization defines the level of tolerance for the relationship between time stamps of individual records in the audit trail; and"},{"id":"au-12.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-12(1)[3]"}],"prose":"the information system compiles audit records from organization-defined information system components into a system-wide (logical or physical) audit trail that is time-correlated to within the organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.3_prm_1","label":"organization-defined individuals or roles"},{"id":"au-12.3_prm_2","label":"organization-defined information system components"},{"id":"au-12.3_prm_3","label":"organization-defined selectable event criteria"},{"id":"au-12.3_prm_4","label":"organization-defined time thresholds"}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"sort-id","value":"au-12.03"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"The information system provides the capability for {{ insert: param, au-12.3_prm_1 }} to change the auditing to be performed on {{ insert: param, au-12.3_prm_2 }} based on {{ insert: param, au-12.3_prm_3 }} within {{ insert: param, au-12.3_prm_4 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"This control enhancement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near real-time, within minutes, or within hours.","links":[{"href":"#au-7","rel":"related"}]},{"id":"au-12.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(3)[1]"}],"prose":"the organization defines information system components on which auditing is to be performed;"},{"id":"au-12.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(3)[2]"}],"prose":"the organization defines individuals or roles authorized to change the auditing to be performed on organization-defined information system components;"},{"id":"au-12.3_obj.3","name":"objective","props":[{"name":"label","value":"AU-12(3)[3]"}],"prose":"the organization defines time thresholds within which organization-defined individuals or roles can change the auditing to be performed on organization-defined information system components;"},{"id":"au-12.3_obj.4","name":"objective","props":[{"name":"label","value":"AU-12(3)[4]"}],"prose":"the organization defines selectable event criteria that support the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components; and"},{"id":"au-12.3_obj.5","name":"objective","props":[{"name":"label","value":"AU-12(3)[5]"}],"prose":"the information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","params":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-2.1_prm_1 }} to conduct security control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and\/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-2.2_prm_1","label":"organization-defined frequency"},{"id":"ca-2.2_prm_2","select":{"choice":["announced","unannounced"]}},{"id":"ca-2.2_prm_3","select":{"how-many":"one-or-more","choice":["in-depth monitoring","vulnerability scanning","malicious user testing","insider threat assessment","performance\/load testing"," {{ insert: param, ca-2.2_prm_4 }} "]}},{"id":"ca-2.2_prm_4","depends-on":"ca-2.2_prm_3","label":"organization-defined other forms of security assessment"}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"sort-id","value":"ca-02.02"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"The organization includes as part of security control assessments, {{ insert: param, ca-2.2_prm_1 }}, {{ insert: param, ca-2.2_prm_2 }}, {{ insert: param, ca-2.2_prm_3 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes.","links":[{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ca-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(2)[1]"}],"prose":"selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:","parts":[{"id":"ca-2.2_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][a]"}],"prose":"in-depth monitoring;"},{"id":"ca-2.2_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][b]"}],"prose":"vulnerability scanning;"},{"id":"ca-2.2_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][c]"}],"prose":"malicious user testing;"},{"id":"ca-2.2_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][d]"}],"prose":"insider threat assessment;"},{"id":"ca-2.2_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][e]"}],"prose":"performance\/load testing; and\/or"},{"id":"ca-2.2_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-2(2)[1][f]"}],"prose":"other forms of organization-defined specialized security assessment;"}]},{"id":"ca-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(2)[2]"}],"prose":"defines the frequency for conducting the selected form(s) of specialized security assessment;"},{"id":"ca-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(2)[3]"}],"prose":"defines whether the specialized security assessment will be announced or unannounced; and"},{"id":"ca-2.2_obj.4","name":"objective","props":[{"name":"label","value":"CA-2(2)[4]"}],"prose":"conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security control assessment"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}],"controls":[{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","params":[{"id":"ca-3.5_prm_1","select":{"choice":["allow-all, deny-by-exception","deny-all, permit-by-exception"]}},{"id":"ca-3.5_prm_2","label":"organization-defined information systems"}],"props":[{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing {{ insert: param, ca-3.5_prm_2 }} to connect to external information systems."},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.5_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information systems;"},{"id":"ca-3.5_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","params":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-8_prm_1","label":"organization-defined frequency"},{"id":"ca-8_prm_2","label":"organization-defined information systems or system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-8"},{"name":"sort-id","value":"ca-08"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"The organization conducts penetration testing {{ insert: param, ca-8_prm_1 }} on {{ insert: param, ca-8_prm_2 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and\/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses\/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing.","links":[{"href":"#sa-12","rel":"related"}]},{"id":"ca-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-8_obj.1","name":"objective","props":[{"name":"label","value":"CA-8[1]"}],"prose":"defines information systems or system components on which penetration testing is to be conducted;"},{"id":"ca-8_obj.2","name":"objective","props":[{"name":"label","value":"CA-8[2]"}],"prose":"defines the frequency to conduct penetration testing on organization-defined information systems or system components; and"},{"id":"ca-8_obj.3","name":"objective","props":[{"name":"label","value":"CA-8[3]"}],"prose":"conducts penetration testing on organization-defined information systems or system components with the organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing penetration testing\n\nsecurity plan\n\nsecurity assessment plan\n\npenetration test report\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities, system\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting penetration testing"}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency"},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances"}],"props":[{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information system:","parts":[{"id":"cm-2.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ insert: param, cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and upgrades."}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp"}]},{"id":"cm-2.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp"}]},{"id":"cm-2.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline configuration"}]}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy \/ Currency","props":[{"name":"label","value":"CM-2(2)"},{"name":"sort-id","value":"cm-02.02"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and\/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.","links":[{"href":"#cm-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain:","parts":[{"id":"cm-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(2)[1]"}],"prose":"an up-to-date baseline configuration of the information system;"},{"id":"cm-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(2)[2]"}],"prose":"a complete baseline configuration of the information system;"},{"id":"cm-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(2)[3]"}],"prose":"an accurate baseline configuration of the information system; and"},{"id":"cm-2.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-2(2)[4]"}],"prose":"a readily available baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nconfiguration change control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the information system"}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ insert: param, cm-2.3_prm_1 }} to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of the information system to support rollback."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","params":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Applies {{ insert: param, cm-2.7_prm_3 }} to the devices when the individuals return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging\/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp"}]},{"id":"cm-2.7.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee, board)"},{"id":"cm-3_prm_3","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-3_prm_4 }} "," {{ insert: param, cm-3_prm_5 }} "]}},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for {{ insert: param, cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to the information system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities through {{ insert: param, cm-3_prm_2 }} that convenes {{ insert: param, cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled\/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information system;"},{"id":"cm-3.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to the information system;"},{"id":"cm-3.g_obj","name":"objective","props":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;"},{"id":"cm-3.g_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must convene; and\/or"},{"id":"cm-3.g_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","props":[{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and\/or for any organization-defined configuration change conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda \/minutes from configuration change control oversight meetings\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Document \/ Notification \/ Prohibition of Changes","params":[{"id":"cm-3.1_prm_1","label":"organized-defined approval authorities"},{"id":"cm-3.1_prm_2","label":"organization-defined time period"},{"id":"cm-3.1_prm_3","label":"organization-defined personnel"}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"sort-id","value":"cm-03.01"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"The organization employs automated mechanisms to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the information system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-3.1_prm_1 }} of proposed changes to the information system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the information system that have not been approved or disapproved by {{ insert: param, cm-3.1_prm_2 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the information system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the information system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-3.1_prm_3 }} when approved changes to the information system are completed."}]},{"id":"cm-3.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(a)"}],"prose":"employs automated mechanisms to document proposed changes to the information system;","links":[{"href":"#cm-3.1_smt.a","rel":"corresp"}]},{"id":"cm-3.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)"}],"parts":[{"id":"cm-3.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)[1]"}],"prose":"defines approval authorities to be notified of proposed changes to the information system and request change approval;"},{"id":"cm-3.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(b)[2]"}],"prose":"employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;"}],"links":[{"href":"#cm-3.1_smt.b","rel":"corresp"}]},{"id":"cm-3.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)"}],"parts":[{"id":"cm-3.1.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)[1]"}],"prose":"defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;"},{"id":"cm-3.1.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(c)[2]"}],"prose":"employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by organization-defined time period;"}],"links":[{"href":"#cm-3.1_smt.c","rel":"corresp"}]},{"id":"cm-3.1.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(d)"}],"prose":"employs automated mechanisms to prohibit changes to the information system until designated approvals are received;","links":[{"href":"#cm-3.1_smt.d","rel":"corresp"}]},{"id":"cm-3.1.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(e)"}],"prose":"employs automated mechanisms to document all changes to the information system;","links":[{"href":"#cm-3.1_smt.e","rel":"corresp"}]},{"id":"cm-3.1.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)"}],"parts":[{"id":"cm-3.1.f_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)[1]"}],"prose":"defines personnel to be notified when approved changes to the information system are completed; and"},{"id":"cm-3.1.f_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(1)(f)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed."}],"links":[{"href":"#cm-3.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\nautomated configuration control mechanisms\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nchange approval requests\n\nchange approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Test \/ Validate \/ Document Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"cm-03.02"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals\/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities\/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems)."},{"id":"cm-3.2_obj","name":"objective","prose":"Determine if the organization, before implementing changes on the operational system:","parts":[{"id":"cm-3.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(2)[1]"}],"prose":"tests changes to the information system;"},{"id":"cm-3.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(2)[2]"}],"prose":"validates changes to the information system; and"},{"id":"cm-3.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(2)[3]"}],"prose":"documents changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system configuration change control\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms supporting and\/or implementing testing, validating, and documenting information system changes"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"sort-id","value":"cm-04.01"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).","links":[{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-4.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-4.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-4(1)[1]"}],"prose":"analyzes changes to the information system in a separate test environment before implementation in an operational environment;"},{"id":"cm-4.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-4(1)[2]"}],"prose":"when analyzing changes to the information system in a separate test environment, looks for security impacts due to:","parts":[{"id":"cm-4.1_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][a]"}],"prose":"flaws;"},{"id":"cm-4.1_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][b]"}],"prose":"weaknesses;"},{"id":"cm-4.1_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][c]"}],"prose":"incompatibility; and"},{"id":"cm-4.1_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-4(1)[2][d]"}],"prose":"intentional malice."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs information system design documentation\n\ninformation system architecture and configuration documentation\n\nchange control records\n\ninformation system audit records\n\ndocumentation evidence of separate test and operational environments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis\n\nautomated mechanisms supporting and\/or implementing security impact analysis of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and\/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","props":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.2","name":"objective","props":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.3","name":"objective","props":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.4","name":"objective","props":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.5","name":"objective","props":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.6","name":"objective","props":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.7","name":"objective","props":[{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information system; and"},{"id":"cm-5_obj.8","name":"objective","props":[{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing\/enforcing access restrictions associated with changes to the information system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement \/ Auditing","props":[{"name":"label","value":"CM-5(1)"},{"name":"sort-id","value":"cm-05.01"}],"parts":[{"id":"cm-5.1_smt","name":"statement","prose":"The information system enforces access restrictions and supports auditing of the enforcement actions."},{"id":"cm-5.1_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"cm-5.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"cm-5.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(1)[1]"}],"prose":"enforces access restrictions for change; and"},{"id":"cm-5.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(1)[2]"}],"prose":"supports auditing of the enforcement actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing enforcement of access restrictions for changes to the information system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.2","class":"SP800-53-enhancement","title":"Review System Changes","params":[{"id":"cm-5.2_prm_1","label":"organization-defined frequency"},{"id":"cm-5.2_prm_2","label":"organization-defined circumstances"}],"props":[{"name":"label","value":"CM-5(2)"},{"name":"sort-id","value":"cm-05.02"}],"parts":[{"id":"cm-5.2_smt","name":"statement","prose":"The organization reviews information system changes {{ insert: param, cm-5.2_prm_1 }} and {{ insert: param, cm-5.2_prm_2 }} to determine whether unauthorized changes have occurred."},{"id":"cm-5.2_gdn","name":"guidance","prose":"Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.","links":[{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-8","rel":"related"}]},{"id":"cm-5.2_obj","name":"objective","prose":"Determine if the organization, in an effort to ascertain whether unauthorized changes have occurred:","parts":[{"id":"cm-5.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(2)[1]"}],"prose":"defines the frequency to review information system changes;"},{"id":"cm-5.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(2)[2]"}],"prose":"defines circumstances that warrant review of information system changes;"},{"id":"cm-5.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-5(2)[3]"}],"prose":"reviews information system changes with the organization-defined frequency; and"},{"id":"cm-5.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-5(2)[4]"}],"prose":"reviews information system changes with the organization-defined circumstances."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\nsecurity plan\n\nreviews of information system changes\n\naudit and review reports\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing information system reviews to determine whether unauthorized changes have occurred"}]}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","params":[{"id":"cm-5.3_prm_1","label":"organization-defined software and firmware components"}],"props":[{"name":"label","value":"CM-5(3)"},{"name":"sort-id","value":"cm-05.03"}],"parts":[{"id":"cm-5.3_smt","name":"statement","prose":"The information system prevents the installation of {{ insert: param, cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."},{"id":"cm-5.3_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures, is a method of code authentication.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-5.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-5.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-5(3)[1]"}],"prose":"the organization defines software and firmware components that the information system will prevent from being installed without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization; and"},{"id":"cm-5.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-5(3)[2]"}],"prose":"the information system prevents the installation of organization-defined software and firmware components without verification that such components have been digitally signed using a certificate that is recognized and approved by the organization."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\nsecurity plan\n\nlist of software and firmware components to be prohibited from installation without a recognized and approved certificate\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms preventing installation of software and firmware components not signed with an organization-recognized and approved certificate"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Central Management \/ Application \/ Verification","params":[{"id":"cm-6.1_prm_1","label":"organization-defined information system components"}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"sort-id","value":"cm-06.01"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for {{ insert: param, cm-6.1_prm_1 }}."},{"id":"cm-6.1_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"}]},{"id":"cm-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(1)[1]"}],"prose":"defines information system components for which automated mechanisms are to be employed to:","parts":[{"id":"cm-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][a]"}],"prose":"centrally manage configuration settings of such components;"},{"id":"cm-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][b]"}],"prose":"apply configuration settings of such components;"},{"id":"cm-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(1)[1][c]"}],"prose":"verify configuration settings of such components;"}]},{"id":"cm-6.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(1)[2]"}],"prose":"employs automated mechanisms to:","parts":[{"id":"cm-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][a]"}],"prose":"centrally manage configuration settings for organization-defined information system components;"},{"id":"cm-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][b]"}],"prose":"apply configuration settings for organization-defined information system components; and"},{"id":"cm-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(1)[2][c]"}],"prose":"verify configuration settings for organization-defined information system components."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to centrally manage, apply, and verify information system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-6.2_prm_1","label":"organization-defined security safeguards"},{"id":"cm-6.2_prm_2","label":"organization-defined configuration settings"}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"sort-id","value":"cm-06.02"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"The organization employs {{ insert: param, cm-6.2_prm_1 }} to respond to unauthorized changes to {{ insert: param, cm-6.2_prm_2 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.","links":[{"href":"#ir-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(2)[1]"}],"prose":"defines configuration settings that, if modified by unauthorized changes, result in organizational security safeguards being employed to respond to such changes;"},{"id":"cm-6.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(2)[2]"}],"prose":"defines security safeguards to be employed to respond to unauthorized changes to organization-defined configuration settings; and"},{"id":"cm-6.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(2)[3]"}],"prose":"employs organization-defined security safeguards to respond to unauthorized changes to organization-defined configuration settings."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to information system configuration settings\n\ndocumented responses to unauthorized changes to information system configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for responding to unauthorized changes to information system configuration settings\n\nautomated mechanisms supporting and\/or implementing security safeguards for response to unauthorized changes"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and\/or nonsecure"}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disables {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp"}]},{"id":"cm-7.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing\/disabling nonsecure functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-7.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-7.2_prm_2 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and restrictions"}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ insert: param, cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions; and\/or"},{"id":"cm-7.2_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software \/ Whitelisting","params":[{"id":"cm-7.5_prm_1","label":"organization-defined software programs authorized to execute on the information system"},{"id":"cm-7.5_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"sort-id","value":"cm-07.05"}],"parts":[{"id":"cm-7.5_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ insert: param, cm-7.5_prm_1 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of authorized software programs {{ insert: param, cm-7.5_prm_2 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. In addition to whitelisting, organizations consider verifying the integrity of white-listed software programs using, for example, cryptographic checksums, digital signatures, or hash functions. Verification of white-listed software can occur either prior to execution or at system startup.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"cm-7.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.5.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(a)"}],"prose":"Identifies\/defines software programs authorized to execute on the information system;","links":[{"href":"#cm-7.5_smt.a","rel":"corresp"}]},{"id":"cm-7.5.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(b)"}],"prose":"employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system;","links":[{"href":"#cm-7.5_smt.b","rel":"corresp"}]},{"id":"cm-7.5.c_obj","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)"}],"parts":[{"id":"cm-7.5.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)[1]"}],"prose":"defines the frequency to review and update the list of authorized software programs on the information system; and"},{"id":"cm-7.5.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(5)(c)[2]"}],"prose":"reviews and updates the list of authorized software programs with the organization-defined frequency."}],"links":[{"href":"#cm-7.5_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the information system\n\norganizational process for implementing whitelisting\n\nautomated mechanisms implementing whitelisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations \/ Removals","props":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system components\n\nautomated mechanisms implementing updating of the information system component inventory"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","props":[{"name":"label","value":"CM-8(2)"},{"name":"sort-id","value":"cm-08.02"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.","links":[{"href":"#si-7","rel":"related"}]},{"id":"cm-8.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to maintain an inventory of information system components that is:","parts":[{"id":"cm-8.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(2)[1]"}],"prose":"up-to-date;"},{"id":"cm-8.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(2)[2]"}],"prose":"complete;"},{"id":"cm-8.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(2)[3]"}],"prose":"accurate; and"},{"id":"cm-8.2_obj.4","name":"objective","props":[{"name":"label","value":"CM-8(2)[4]"}],"prose":"readily available."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system component inventory\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nchange control records\n\ninformation system maintenance records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency"},{"id":"cm-8.3_prm_2","select":{"how-many":"one-or-more","choice":["disables network access by such components","isolates the components","notifies {{ insert: param, cm-8.3_prm_3 }} "]}},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components within the information system; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ insert: param, cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp"}]},{"id":"cm-8.3.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and\/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts\/notifications of unauthorized components within the information system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system components\n\nautomated mechanisms implementing the detection of unauthorized information system components"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-8.4_prm_1","select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"sort-id","value":"cm-08.04"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"The organization includes in the information system component inventory information, a means for identifying by {{ insert: param, cm-8.4_prm_1 }}, individuals responsible\/accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach\/compromise, component needs to be recalled\/replaced, or component needs to be relocated)."},{"id":"cm-8.4_obj","name":"objective","prose":"Determine if the organization includes in the information system component inventory for information system components, a means for identifying the individuals responsible and accountable for administering those components by one or more of the following:","parts":[{"id":"cm-8.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(4)[1]"}],"prose":"name;"},{"id":"cm-8.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(4)[2]"}],"prose":"position; and\/or"},{"id":"cm-8.4_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(4)[3]"}],"prose":"role."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","prose":"Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development\/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sa-10","rel":"related"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","props":[{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","props":[{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","props":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","props":[{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"sort-id","value":"cp-02.02"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different types of threats (e.g., natural disasters, targeted cyber attacks) can result in a reduction of the available processing, telecommunications, and support services originally intended to support the organizational missions\/business functions. Organizations may need to anticipate degraded operations during contingency operations and factor such degradation into capacity planning."},{"id":"cp-2.2_obj","name":"objective","prose":"Determine if the organization conducts capacity planning so that necessary capacity exists during contingency operations for:","parts":[{"id":"cp-2.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(2)[1]"}],"prose":"information processing;"},{"id":"cp-2.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(2)[2]"}],"prose":"telecommunications; and"},{"id":"cp-2.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(2)[3]"}],"prose":"environmental support."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\ncapacity planning documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions \/ Business Functions","params":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business functions within {{ insert: param, cp-2.3_prm_1 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.4","class":"SP800-53-enhancement","title":"Resume All Missions \/ Business Functions","params":[{"id":"cp-2.4_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(4)"},{"name":"sort-id","value":"cp-02.04"}],"parts":[{"id":"cp-2.4_smt","name":"statement","prose":"The organization plans for the resumption of all missions and business functions within {{ insert: param, cp-2.4_prm_1 }} of contingency plan activation."},{"id":"cp-2.4_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of all missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.4_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(4)[1]"}],"prose":"defines the time period to plan for the resumption of all missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.4_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(4)[2]"}],"prose":"plans for the resumption of all missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Essential Missions \/ Business Functions","props":[{"name":"label","value":"CP-2(5)"},{"name":"sort-id","value":"cp-02.05"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency (e.g., backup sites may become primary sites).","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.5_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(5)[1]"}],"prose":"plans for the continuance of essential missions and business functions with little or no loss of operational continuity; and"},{"id":"cp-2.5_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(5)[2]"}],"prose":"sustains that operational continuity until full information system restoration at primary processing and\/or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","props":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions\/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and\/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.","links":[{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"cp-2.8_obj","name":"objective","prose":"Determine if the organization identifies critical information system assets supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"sort-id","value":"cp-03.01"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_obj","name":"objective","prose":"Determine if the organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training\n\nautomated mechanisms for simulating contingency events"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}]},{"id":"cp-4.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"sort-id","value":"cp-04.02"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"The organization tests the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","links":[{"href":"#cp-7","rel":"related"}]},{"id":"cp-4.2_obj","name":"objective","prose":"Determine if the organization tests the contingency plan at the alternate processing site to:","parts":[{"id":"cp-4.2.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(2)(a)"}],"prose":"familiarize contingency personnel with the facility and available resources; and","links":[{"href":"#cp-4.2_smt.a","rel":"corresp"}]},{"id":"cp-4.2.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(2)(b)"}],"prose":"evaluate the capabilities of the alternate processing site to support contingency operations.","links":[{"href":"#cp-4.2_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery\/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6_obj.1","name":"objective","props":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","props":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup information at the alternate storage site\n\nautomated mechanisms supporting and\/or implementing storage and retrieval of information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time \/ Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"sort-id","value":"cp-06.02"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_obj","name":"objective","prose":"Determine if the organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time objectives and recovery point objectives (as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting recovery time\/point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} for essential missions\/business functions within {{ insert: param, cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer\/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.a_obj","name":"objective","props":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer\/resumption of organization-defined information system operations for essential missions\/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions\/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","props":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","props":[{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","prose":"Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"sort-id","value":"cp-07.04"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes, for example, establishing configuration settings for information system components at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and other logistical considerations are in place.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"cp-7.4_obj","name":"objective","prose":"Determine if the organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of {{ insert: param, cp-8_prm_1 }} for essential missions and business functions within {{ insert: param, cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions\/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary\/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits\/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8_obj.1","name":"objective","props":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","props":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","props":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission\/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary \/ Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"sort-id","value":"cp-08.03"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber\/physical attacks, and errors of omission\/commission. Organizations seek to reduce common susceptibilities by, for example, minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services meeting the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"sort-id","value":"cp-08.04"}],"parts":[{"id":"cp-8.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Requires primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtains evidence of contingency testing\/training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security, state, and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.4.a_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)"}],"parts":[{"id":"cp-8.4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)[1]"}],"prose":"requires primary telecommunications service provider to have contingency plans;"},{"id":"cp-8.4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(4)(a)[2]"}],"prose":"requires alternate telecommunications service provider(s) to have contingency plans;"}],"links":[{"href":"#cp-8.4_smt.a","rel":"corresp"}]},{"id":"cp-8.4.b_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(b)"}],"prose":"reviews provider contingency plans to ensure that the plans meet organizational contingency requirements;","links":[{"href":"#cp-8.4_smt.b","rel":"corresp"}]},{"id":"cp-8.4.c_obj","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)"}],"parts":[{"id":"cp-8.4.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)[1]"}],"prose":"defines the frequency to obtain evidence of contingency testing\/training by providers; and"},{"id":"cp-8.4.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(4)(c)[2]"}],"prose":"obtains evidence of contingency testing\/training by providers with the organization-defined frequency."}],"links":[{"href":"#cp-8.4_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability \/ Integrity","params":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify media reliability and information integrity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"sort-id","value":"cp-09.02"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.2_obj","name":"objective","prose":"Determine if the organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-9.3_prm_1","label":"organization-defined critical information system software and other security-related information"}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"sort-id","value":"cp-09.03"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"The organization stores backup copies of {{ insert: param, cp-9.3_prm_1 }} in a separate facility or in a fire-rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Critical information system software includes, for example, operating systems, cryptographic key management systems, and intrusion detection\/prevention systems. Security-related information includes, for example, organizational inventories of hardware, software, and firmware components. Alternate storage sites typically serve as separate storage facilities for organizations.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-8","rel":"related"}]},{"id":"cp-9.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(3)[1]"}],"parts":[{"id":"cp-9.3_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-9(3)[1][a]"}],"prose":"defines critical information system software and other security-related information requiring backup copies to be stored in a separate facility; or"},{"id":"cp-9.3_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-9(3)[1][b]"}],"prose":"defines critical information system software and other security-related information requiring backup copies to be stored in a fire-rated container that is not collocated with the operational system; and"}]},{"id":"cp-9.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(3)[2]"}],"prose":"stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup configurations and associated documentation\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"sort-id","value":"cp-09.05"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"The organization transfers information system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"Information system backup information can be transferred to alternate storage sites either electronically or by physical shipment of storage media."},{"id":"cp-9.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.5_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(5)[1]"}],"prose":"defines a time period, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site;"},{"id":"cp-9.5_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(5)[2]"}],"prose":"defines a transfer rate, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to transfer information system backup information to the alternate storage site; and"},{"id":"cp-9.5_obj.3","name":"objective","props":[{"name":"label","value":"CP-9(5)[3]"}],"prose":"transfers information system backup information to the alternate storage site with the organization-defined time period and transfer rate."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for transferring information system backups to the alternate storage site\n\nautomated mechanisms supporting and\/or implementing information system backups\n\nautomated mechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"objective","prose":"Determine if the information system implements transaction recovery for systems that are transaction-based."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.4_prm_1","label":"organization-defined restoration time-periods"}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"sort-id","value":"cp-10.04"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"The organization provides the capability to restore information system components within {{ insert: param, cp-10.4_prm_1 }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of information system components includes, for example, reimaging which restores components to known, operational states.","links":[{"href":"#cm-2","rel":"related"}]},{"id":"cp-10.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-10.4_obj.1","name":"objective","props":[{"name":"label","value":"CP-10(4)[1]"}],"prose":"defines a time period to restore information system components from configuration-controlled and integrity-protected information representing a known, operational state for the components; and"},{"id":"cp-10.4_obj.2","name":"objective","props":[{"name":"label","value":"CP-10(4)[2]"}],"prose":"provides the capability to restore information system components within the organization-defined time period from configuration-controlled and integrity-protected information representing a known, operational state for the components."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of information system recovery and reconstitution operations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing recovery\/reconstitution of information system information"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.3_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.4","class":"SP800-53-enhancement","title":"Local Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(4)"},{"name":"sort-id","value":"ia-02.04"}],"parts":[{"id":"ia-2.4_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to non-privileged accounts."},{"id":"ia-2.4_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.9","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(9)"},{"name":"sort-id","value":"ia-02.09"}],"parts":[{"id":"ia-2.9_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."},{"id":"ia-2.9_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording\/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.9_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","params":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements"}],"props":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {{ insert: param, ia-2.11_prm_1 }}."},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged\/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-2.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","props":[{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;"},{"id":"ia-2.11_obj.4","name":"objective","props":[{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;"},{"id":"ia-2.11_obj.5","name":"objective","props":[{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","props":[{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-3_prm_1","label":"organization-defined specific and\/or types of devices"},{"id":"ia-3_prm_2","select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ insert: param, ia-3_prm_1 }} before establishing a {{ insert: param, ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type\/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify\/authenticate devices on local and\/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-3_obj.1","name":"objective","props":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and\/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","props":[{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing device identification and authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group; and"},{"id":"ia-5.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication:","parts":[{"id":"ia-5.2.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp"}]},{"id":"ia-5.2.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp"}]},{"id":"ia-5.2.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group; and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp"}]},{"id":"ia-5.2.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","params":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and\/or specific authenticators"},{"id":"ia-5.3_prm_2","select":{"choice":["in person","by a trusted third party"]}},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ insert: param, ia-5.3_prm_1 }} be conducted {{ insert: param, ia-5.3_prm_2 }} before {{ insert: param, ia-5.3_prm_3 }} with authorization by {{ insert: param, ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-5.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and\/or specific authenticators to be received in person or by a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process for receipt of organization-defined types of and\/or specific authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of and\/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"sort-id","value":"ir-02.01"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."},{"id":"ir-2.1_obj","name":"objective","prose":"Determine if the organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","props":[{"name":"label","value":"IR-2(2)"},{"name":"sort-id","value":"ir-02.02"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."},{"id":"ir-2.2_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system {{ insert: param, ir-3_prm_1 }} using {{ insert: param, ir-3_prm_2 }} to determine the incident response effectiveness and documents the results."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel\/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-3_obj.1","name":"objective","props":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the information system;"},{"id":"ir-3_obj.2","name":"objective","props":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information system; and"},{"id":"ir-3_obj.3","name":"objective","props":[{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","prose":"Determine if the organization coordinates incident response testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","props":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example, online incident management systems."},{"id":"ir-4.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the incident handling process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"sort-id","value":"ir-04.04"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes the nature of a threat event, for example, a hostile cyber attack, is such that it can only be observed by bringing together information from different sources including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"objective","prose":"Determine if the organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nsecurity plan\n\nautomated mechanisms supporting incident and event correlation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nautomated mechanisms that support and or implement correlation of incident response information with individual incident responses"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking \/ Data Collection \/ Analysis","props":[{"name":"label","value":"IR-5(1)"},{"name":"sort-id","value":"ir-05.01"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking security incidents and collecting\/analyzing incident information include, for example, the Einstein network monitoring device and monitoring online Computer Incident Response Centers (CIRCs) or other electronic databases of incidents.","links":[{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"ir-5.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in:","parts":[{"id":"ir-5.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-5(1)[1]"}],"prose":"the tracking of security incidents;"},{"id":"ir-5.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-5(1)[2]"}],"prose":"the collection of incident information; and"},{"id":"ir-5.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-5(1)[3]"}],"prose":"the analysis of incident information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nautomated mechanisms supporting incident monitoring\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms assisting in tracking of security incidents and in the collection and analysis of incident information"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","props":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related"}]},{"id":"ir-6.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in the reporting of security incidents."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing reporting of security incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information \/ Support","props":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and\/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","props":[{"name":"label","value":"MA-2(2)"},{"name":"sort-id","value":"ma-02.02"}],"parts":[{"id":"ma-2.2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produces up-to date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","links":[{"href":"#ca-7","rel":"related"},{"href":"#ma-3","rel":"related"}]},{"id":"ma-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)"}],"prose":"employs automated mechanisms to:","parts":[{"id":"ma-2.2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[1]"}],"prose":"schedule maintenance and repairs;"},{"id":"ma-2.2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[2]"}],"prose":"conduct maintenance and repairs;"},{"id":"ma-2.2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(2)(a)[3]"}],"prose":"document maintenance and repairs;"}],"links":[{"href":"#ma-2.2_smt.a","rel":"corresp"}]},{"id":"ma-2.2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)"}],"prose":"produces up-to-date, accurate, and complete records of all maintenance and repair actions:","parts":[{"id":"ma-2.2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[1]"}],"prose":"requested;"},{"id":"ma-2.2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[2]"}],"prose":"scheduled;"},{"id":"ma-2.2.b_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[3]"}],"prose":"in process; and"},{"id":"ma-2.2.b_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(2)(b)[4]"}],"prose":"completed."}],"links":[{"href":"#ma-2.2_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nautomated mechanisms supporting information system maintenance activities\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","props":[{"name":"priority","value":"P3"},{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware\/software diagnostic test equipment and hardware\/software packet sniffers. This control does not cover hardware\/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-3_obj.1","name":"objective","props":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","props":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","props":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nautomated mechanisms supporting and\/or implementing approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper\/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.","links":[{"href":"#si-7","rel":"related"}]},{"id":"ma-3.1_obj","name":"objective","prose":"Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and\/or implementing inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.","links":[{"href":"#si-3","rel":"related"}]},{"id":"ma-3.2_obj","name":"objective","prose":"Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and\/or implementing inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-3.3_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"sort-id","value":"ma-03.03"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-3.3_prm_1 }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"objective","prose":"Determine if the organization prevents the unauthorized removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3.a_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(a)"}],"prose":"verifying that there is no organizational information contained on the equipment;","links":[{"href":"#ma-3.3_smt.a","rel":"corresp"}]},{"id":"ma-3.3.b_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(b)"}],"prose":"sanitizing or destroying the equipment;","links":[{"href":"#ma-3.3_smt.b","rel":"corresp"}]},{"id":"ma-3.3.c_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(c)"}],"prose":"retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"corresp"}]},{"id":"ma-3.3.d_obj","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)"}],"parts":[{"id":"ma-3.3.d_obj.1","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)[1]"}],"prose":"defining personnel or roles that can grant an exemption from explicitly authorizing removal of the equipment from the facility; and"},{"id":"ma-3.3.d_obj.2","name":"objective","props":[{"name":"label","value":"MA-3(3)(d)[2]"}],"prose":"obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility."}],"links":[{"href":"#ma-3.3_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for preventing unauthorized removal of information\n\nautomated mechanisms supporting media sanitization or destruction of equipment\n\nautomated mechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information system:","parts":[{"id":"ma-4.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and diagnostic connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security \/ Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"sort-id","value":"ma-04.03"}],"parts":[{"id":"ma-4.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Removes the component to be serviced from the information system prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on information systems, diagnostic tools, and equipment providing maintenance services implies that the implemented security controls on those systems, tools, and equipment are at least as comprehensive as the controls on the information system being serviced.","links":[{"href":"#ma-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ma-4.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.3.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(3)(a)"}],"prose":"requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or","links":[{"href":"#ma-4.3_smt.a","rel":"corresp"}]},{"id":"ma-4.3.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)"}],"parts":[{"id":"ma-4.3.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[1]"}],"prose":"removes the component to be serviced from the information system;"},{"id":"ma-4.3.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[2]"}],"prose":"sanitizes the component (with regard to organizational information) prior to nonlocal maintenance or diagnostic services and\/or before removal from organizational facilities; and"},{"id":"ma-4.3.b_obj.3","name":"objective","props":[{"name":"label","value":"MA-4(3)(b)[3]"}],"prose":"inspects and sanitizes the component (with regard to potentially malicious software) after service is performed on the component and before reconnecting the component to the information system."}],"links":[{"href":"#ma-4.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\ninformation system maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nautomated mechanisms supporting and\/or implementing component sanitization and inspection"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","props":[{"name":"label","value":"MA-5(1)"},{"name":"sort-id","value":"ma-05.01"}],"parts":[{"id":"ma-5.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"This control enhancement denies individuals who lack appropriate security clearances (i.e., individuals who do not possess security clearances or possess security clearances at a lower level than required) or who are not U.S. citizens, visual and electronic access to any classified information, Controlled Unclassified Information (CUI), or any other sensitive information contained on organizational information systems. Procedures for the use of maintenance personnel can be documented in security plans for the information systems.","links":[{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ma-5.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.1.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)"}],"prose":"implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)"}],"prose":"maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who:","parts":[{"id":"ma-5.1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[1]"}],"prose":"are fully cleared;"},{"id":"ma-5.1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[2]"}],"prose":"have appropriate access authorizations;"},{"id":"ma-5.1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(1)[3]"}],"prose":"are technically qualified;"}],"links":[{"href":"#ma-5.1_smt.a.1","rel":"corresp"}]},{"id":"ma-5.1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)"}],"prose":"prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances, or formal access approvals:","parts":[{"id":"ma-5.1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[1]"}],"prose":"all volatile information storage components within the information system are sanitized; and"},{"id":"ma-5.1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[2]"}],"prose":"all nonvolatile storage media are removed; or"},{"id":"ma-5.1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-5(1)(a)(2)[3]"}],"prose":"all nonvolatile storage media are physically disconnected from the system and secured; and"}],"links":[{"href":"#ma-5.1_smt.a.2","rel":"corresp"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"corresp"}]},{"id":"ma-5.1.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(1)(b)"}],"prose":"develops and implements alternative security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.","links":[{"href":"#ma-5.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\ninformation system media protection policy\n\nphysical and environmental protection policy\n\nsecurity plan\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nautomated mechanisms supporting and\/or implementing alternative security safeguards\n\nautomated mechanisms supporting and\/or implementing information storage component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and\/or spare parts for {{ insert: param, ma-6_prm_1 }} within {{ insert: param, ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-6_obj.1","name":"objective","props":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and\/or spare parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","props":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and\/or spare parts are to be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","props":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and\/or"},{"id":"ma-6_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components within the organization-defined time period of failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempts {{ insert: param, mp-3_prm_1 }} from marking as long as the media remain within {{ insert: param, mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application\/use of human-readable security attributes. The term security labeling refers to the application\/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-3.a_obj","name":"objective","props":[{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","props":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\n\nautomated mechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and\/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and\/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.","links":[{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-4.a_obj","name":"objective","props":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and\/or non-digital media to be physically controlled and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store organization-defined types of digital and\/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and\/or non-digital media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","props":[{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and\/or non-digital media within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","props":[{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media"},{"id":"mp-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and\/or procedural safeguards to meet the requirements established for protecting information and\/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and\/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-5.a_obj","name":"objective","props":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","props":[{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5.c_obj","name":"objective","props":[{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media; and"},{"id":"mp-5.d_obj","name":"objective","props":[{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to authorized personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external\/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).","links":[{"href":"#mp-2","rel":"related"}]},{"id":"mp-5.4_obj","name":"objective","prose":"Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review \/ Approve \/ Track \/ Document \/ Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"sort-id","value":"mp-06.01"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking\/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.","links":[{"href":"#si-12","rel":"related"}]},{"id":"mp-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(1)[1]"}],"prose":"reviews media sanitization and disposal actions;"},{"id":"mp-6.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(1)[2]"}],"prose":"approves media sanitization and disposal actions;"},{"id":"mp-6.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(1)[3]"}],"prose":"tracks media sanitization and disposal actions;"},{"id":"mp-6.1_obj.4","name":"objective","props":[{"name":"label","value":"MP-6(1)[4]"}],"prose":"documents media sanitization and disposal actions; and"},{"id":"mp-6.1_obj.5","name":"objective","props":[{"name":"label","value":"MP-6(1)[5]"}],"prose":"verifies media sanitization and disposal actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization and disposal responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"sort-id","value":"mp-06.02"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"The organization tests sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to verify that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers)."},{"id":"mp-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(2)[1]"}],"prose":"defines the frequency for testing sanitization equipment and procedures to verify that the intended sanitization is being achieved; and"},{"id":"mp-6.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(2)[2]"}],"prose":"tests sanitization equipment and procedures with the organization-defined frequency to verify that the intended sanitization is being achieved."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-6.3_prm_1","label":"organization-defined circumstances requiring sanitization of portable storage devices"}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"sort-id","value":"mp-06.03"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: {{ insert: param, mp-6.3_prm_1 }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.","links":[{"href":"#si-3","rel":"related"}]},{"id":"mp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(3)[1]"}],"prose":"defines circumstances requiring sanitization of portable storage devices; and"},{"id":"mp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(3)[2]"}],"prose":"applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under organization-defined circumstances requiring sanitization of portable storage devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related"}]},{"id":"mp-7.1_obj","name":"objective","prose":"Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"Information System Access","params":[{"id":"pe-3.1_prm_1","label":"organization-defined physical spaces containing one or more components of the information system"}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"sort-id","value":"pe-03.01"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at {{ insert: param, pe-3.1_prm_1 }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"This control enhancement provides additional physical security for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers).","links":[{"href":"#ps-2","rel":"related"}]},{"id":"pe-3.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(1)[1]"}],"prose":"defines physical spaces containing one or more components of the information system; and"},{"id":"pe-3.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(1)[2]"}],"prose":"enforces physical access authorizations to the information system in addition to the physical access controls for the facility at organization-defined physical spaces containing one or more components of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\ninformation system entry and exit points\n\nlist of areas within the facility containing concentrations of information system components or information system components requiring additional physical protection\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control to the information system\/components\n\nautomated mechanisms supporting and\/or implementing physical access control for facility areas containing information system components"}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","params":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ insert: param, pe-4_prm_1 }} within organizational facilities using {{ insert: param, pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and\/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-4_obj.1","name":"objective","props":[{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical access controls;"},{"id":"pe-4_obj.2","name":"objective","props":[{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","props":[{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution and transmission lines\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nautomated mechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}]},{"id":"pe-5_obj","name":"objective","prose":"Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\n\nautomated mechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms \/ Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_obj","name":"objective","prose":"Determine if the organization monitors physical intrusion alarms and surveillance equipment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Information Systems","params":[{"id":"pe-6.4_prm_1","label":"organization-defined physical spaces containing one or more components of the information system"}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"sort-id","value":"pe-06.04"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as {{ insert: param, pe-6.4_prm_1 }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"This control enhancement provides additional monitoring for those areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, communications centers).","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-6.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.4_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(4)[1]"}],"prose":"defines physical spaces containing one or more components of the information system; and"},{"id":"pe-6.4_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(4)[2]"}],"prose":"monitors physical access to the information system in addition to the physical access monitoring of the facility at organization-defined physical spaces containing one or more components of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of information system components or information system components requiring additional physical access monitoring\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access to the information system\n\nautomated mechanisms supporting and\/or implementing physical access monitoring for facility areas containing information system components"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance \/ Review","props":[{"name":"label","value":"PE-8(1)"},{"name":"sort-id","value":"pe-08.01"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."},{"id":"pe-8.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related"}]},{"id":"pe-9_obj","name":"objective","prose":"Determine if the organization protects power equipment and power cabling for the information system from damage and destruction."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ insert: param, pe-10_prm_1 }} to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#pe-15","rel":"related"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-10.a_obj","name":"objective","props":[{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","props":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","props":[{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from unauthorized activation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_prm_1","select":{"how-many":"one-or-more","choice":["an orderly shutdown of the information system","transition of the information system to long-term alternate power"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate {{ insert: param, pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-11_obj","name":"objective","prose":"Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:","parts":[{"id":"pe-11_obj.1","name":"objective","props":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and\/or"},{"id":"pe-11_obj.2","name":"objective","props":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Long-term Alternate Power Supply - Minimal Operational Capability","props":[{"name":"label","value":"PE-11(1)"},{"name":"sort-id","value":"pe-11.01"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"This control enhancement can be satisfied, for example, by the use of a secondary commercial power supply or other external power supply. Long-term alternate power supplies for the information system can be either manually or automatically activated."},{"id":"pe-11.1_obj","name":"objective","prose":"Determine if the organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Devices \/ Systems","params":[{"id":"pe-13.1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.1_prm_2","label":"organization-defined emergency responders"}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"sort-id","value":"pe-13.01"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"The organization employs fire detection devices\/systems for the information system that activate automatically and notify {{ insert: param, pe-13.1_prm_1 }} and {{ insert: param, pe-13.1_prm_2 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and\/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information."},{"id":"pe-13.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-13(1)[1]"}],"prose":"defines personnel or roles to be notified in the event of a fire;"},{"id":"pe-13.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-13(1)[2]"}],"prose":"defines emergency responders to be notified in the event of a fire;"},{"id":"pe-13.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-13(1)[3]"}],"prose":"employs fire detection devices\/systems for the information system that, in the event of a fire,:","parts":[{"id":"pe-13.1_obj.3.a","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][a]"}],"prose":"activate automatically;"},{"id":"pe-13.1_obj.3.b","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][b]"}],"prose":"notify organization-defined personnel or roles; and"},{"id":"pe-13.1_obj.3.c","name":"objective","props":[{"name":"label","value":"PE-13(1)[3][c]"}],"prose":"notify organization-defined emergency responders."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Devices \/ Systems","params":[{"id":"pe-13.2_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-13.2_prm_2","label":"organization-defined emergency responders"}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"sort-id","value":"pe-13.02"}],"parts":[{"id":"pe-13.2_smt","name":"statement","prose":"The organization employs fire suppression devices\/systems for the information system that provide automatic notification of any activation to {{ insert: param, pe-13.2_prm_1 }} and {{ insert: param, pe-13.2_prm_2 }}."},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders in the event that individuals on the notification list must have appropriate access authorizations and\/or clearances, for example, to obtain access to facilities where classified operations are taking place or where there are information systems containing classified information."},{"id":"pe-13.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-13(2)[1]"}],"prose":"defines personnel or roles to be provided automatic notification of any activation of fire suppression devices\/systems for the information system;"},{"id":"pe-13.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-13(2)[2]"}],"prose":"defines emergency responders to be provided automatic notification of any activation of fire suppression devices\/systems for the information system;"},{"id":"pe-13.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-13(2)[3]"}],"prose":"employs fire suppression devices\/systems for the information system that provide automatic notification of any activation to:","parts":[{"id":"pe-13.2_obj.3.a","name":"objective","props":[{"name":"label","value":"PE-13(2)[3][a]"}],"prose":"organization-defined personnel or roles; and"},{"id":"pe-13.2_obj.3.b","name":"objective","props":[{"name":"label","value":"PE-13(2)[3][b]"}],"prose":"organization-defined emergency responders."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","prose":"Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.1_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"sort-id","value":"pe-15.01"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts {{ insert: param, pe-15.1_prm_1 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms can include, for example, water detection sensors, alarms, and notification systems."},{"id":"pe-15.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-15.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-15(1)[1]"}],"prose":"defines personnel or roles to be alerted when the presence of water is detected in the vicinity of the information system;"},{"id":"pe-15.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-15(1)[2]"}],"prose":"employs automated mechanisms to detect the presence of water in the vicinity of the information system; and"},{"id":"pe-15.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-15(1)[3]"}],"prose":"alerts organization-defined personnel or roles when the presence of water is detected in the vicinity of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms detecting presence of water in vicinity of information system\n\nalerts\/notifications of water detection in information system facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing water detection capability and alerts for the information system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-17.a_obj","name":"objective","props":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","props":[{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17.c_obj","name":"objective","props":[{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of Information System Components","params":[{"id":"pe-18_prm_1","label":"organization-defined physical and environmental hazards"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-18"},{"name":"sort-id","value":"pe-18"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"The organization positions information system components within the facility to minimize potential damage from {{ insert: param, pe-18_prm_1 }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include, for example, flooding, fire, tornados, earthquakes, hurricanes, acts of terrorism, vandalism, electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. In addition, organizations consider the location of physical entry points where unauthorized individuals, while not being granted access, might nonetheless be in close proximity to information systems and therefore increase the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).","links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-18_obj.1","name":"objective","props":[{"name":"label","value":"PE-18[1]"}],"prose":"defines physical hazards that could result in potential damage to information system components within the facility;"},{"id":"pe-18_obj.2","name":"objective","props":[{"name":"label","value":"PE-18[2]"}],"prose":"defines environmental hazards that could result in potential damage to information system components within the facility;"},{"id":"pe-18_obj.3","name":"objective","props":[{"name":"label","value":"PE-18[3]"}],"prose":"positions information system components within the facility to minimize potential damage from organization-defined physical and environmental hazards; and"},{"id":"pe-18_obj.4","name":"objective","props":[{"name":"label","value":"PE-18[4]"}],"prose":"positions information system components within the facility to minimize the opportunity for unauthorized access."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing positioning of information system components\n\ndocumentation providing the location and position of information system components within the facility\n\nlocations housing information system components within the facility\n\nlist of physical and environmental hazards with potential to damage information system components within the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for positioning information system components\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for positioning information system components"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan \/ Coordinate with Other Organizational Entities","params":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"props":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the information system with {{ insert: param, pl-2.3_prm_1 }} before conducting such activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.3_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and"},{"id":"pl-2.3_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational individuals or groups with whom security-related activities are to be planned and coordinated\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the use of social media\/networking sites and posting organizational information on public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social media\/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media\/networking transactions; and (iii) when personnel are accessing social media\/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and\/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media\/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior:","parts":[{"id":"pl-4.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media\/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","params":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ insert: param, pl-8_prm_1 }} to reflect updates in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements\/acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement\/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today’s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission\/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)\/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product\/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate\/show consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r4","rel":"related"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-8.a_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8.b_obj","name":"objective","props":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security architecture;"},{"id":"pl-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;"}]},{"id":"pl-8.c_obj","name":"objective","props":[{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","props":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements\/acquisitions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security architecture development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information security architecture\n\nautomated mechanisms supporting and\/or implementing the development, review, and update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Notification","params":[{"id":"ps-4.2_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"sort-id","value":"ps-04.02"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"The organization employs automated mechanisms to notify {{ insert: param, ps-4.2_prm_1 }} upon termination of an individual."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with a large number of employees, not all personnel who need to know about termination actions receive the appropriate notifications—or, if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to specific organizational personnel or roles (e.g., management personnel, supervisors, personnel security officers, information security officers, systems administrators, or information technology administrators) when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including, for example, telephonically, via electronic mail, via text message, or via websites."},{"id":"ps-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-4.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(2)[1]"}],"prose":"defines personnel or roles to be notified upon termination of an individual; and"},{"id":"ps-4.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(2)[2]"}],"prose":"employs automated mechanisms to notify organization-defined personnel or roles upon termination of an individual."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ra-5.1_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency \/ Prior to New Scan \/ When Identified","params":[{"id":"ra-5.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-5.2_prm_2 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ insert: param, ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities scanned;"},{"id":"ra-5.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and\/or"},{"id":"ra-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-5.4_prm_1","label":"organization-defined corrective actions"}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"sort-id","value":"ra-05.04"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"The organization determines what information about the information system is discoverable by adversaries and subsequently takes {{ insert: param, ra-5.4_prm_1 }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without directly compromising or breaching the information system, for example, by collecting information the system is exposing or by conducting extensive searches of the web. Corrective actions can include, for example, notifying appropriate organizational personnel, removing designated information, or changing the information system to make designated information less relevant or attractive to adversaries.","links":[{"href":"#au-13","rel":"related"}]},{"id":"ra-5.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.4_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(4)[1]"}],"prose":"defines corrective actions to be taken if information about the information system is discoverable by adversaries;"},{"id":"ra-5.4_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(4)[2]"}],"prose":"determines what information about the information system is discoverable by adversaries; and"},{"id":"ra-5.4_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(4)[3]"}],"prose":"subsequently takes organization-defined corrective actions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity assessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nautomated mechanisms supporting and\/or implementing risk response\n\nautomated mechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ insert: param, ra-5.5_prm_1 }} for selected {{ insert: param, ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and"},{"id":"ra-5.5_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the information system\n\norganizational personnel responsible for configuration management of the information system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and\/or implementing access control\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.1_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design \/ Implementation Information for Security Controls","params":[{"id":"sa-4.2_prm_1","select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-4.2_prm_2 }} "]}},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design\/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {{ insert: param, sa-4.2_prm_1 }} at {{ insert: param, sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission\/business requirements, requirements for trustworthiness\/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design\/implementation information that the developer is to provide for the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and\/or"},{"id":"sa-4.2_obj.3.f","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design\/implementation information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or information system services\n\ndesign and implementation information for security controls employed in the information system, system component, or information system service\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions \/ Ports \/ Protocols \/ Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","props":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering principles in:","parts":[{"id":"sa-8_obj.1","name":"objective","props":[{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","props":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","props":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","props":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","props":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information system\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with information system specification, design, development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification\n\nautomated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions \/ Ports \/ Protocols \/ Services","params":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services"}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ insert: param, sa-9.2_prm_1 }} to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions\/services or blocking certain ports\/protocols.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of information system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_prm_1","select":{"how-many":"one-or-more","choice":["design","development","implementation","operation"]}},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence\/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software\/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission\/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","props":[{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and\/or"},{"id":"sa-10.a_obj.4","name":"objective","props":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","props":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","props":[{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10.d_obj","name":"objective","props":[{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","props":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;"},{"id":"sa-10.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service; and"},{"id":"sa-10.e_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","params":[{"id":"sa-11_prm_1","select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_prm_1 }} testing\/evaluation at {{ insert: param, sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results of the security testing\/evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing\/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing\/evaluation occurs at all post-design phases of the system development life cycle. Such testing\/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing\/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing\/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing\/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans\/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","props":[{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","props":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to perform one or more of the following testing\/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing\/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing\/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing\/evaluation; and\/or"},{"id":"sa-11.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing\/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","props":[{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing\/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","props":[{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","props":[{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information system service to correct flaws identified during security testing\/evaluation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-12","class":"SP800-53","title":"Supply Chain Protection","params":[{"id":"sa-12_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-12"},{"name":"sort-id","value":"sa-12"}],"links":[{"href":"#8ab6bcdc-339b-4068-b45e-994814a6e187","rel":"reference"},{"href":"#bdd2f49e-edf7-491f-a178-4487898228f3","rel":"reference"}],"parts":[{"id":"sa-12_smt","name":"statement","prose":"The organization protects against supply chain threats to the information system, system component, or information system service by employing {{ insert: param, sa-12_prm_1 }} as part of a comprehensive, defense-in-breadth information security strategy."},{"id":"sa-12_gdn","name":"guidance","prose":"Information systems (including system components that compose those systems) need to be protected throughout the system development life cycle (i.e., during design, development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk. Organizations consider implementing a standardized process to address supply chain risk with respect to information systems and system components, and to educate the acquisition workforce on threats, risk, and required security controls. Organizations use the acquisition\/procurement processes to require supply chain entities to implement necessary security safeguards to: (i) reduce the likelihood of unauthorized modifications at each stage in the supply chain; and (ii) protect information systems and information system components, prior to taking delivery of such systems\/components. This control also applies to information system services. Security safeguards include, for example: (i) security controls for development systems, development facilities, and external connections to development systems; (ii) vetting development personnel; and (iii) use of tamper-evident packaging during shipping\/warehousing. Methods for reviewing and protecting development plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#at-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-18","rel":"related"},{"href":"#sa-19","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sa-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-12_obj.1","name":"objective","props":[{"name":"label","value":"SA-12[1]"}],"prose":"defines security safeguards to be employed to protect against supply chain threats to the information system, system component, or information system service; and"},{"id":"sa-12_obj.2","name":"objective","props":[{"name":"label","value":"SA-12[2]"}],"prose":"protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nlist of supply chain threats\n\nlist of security safeguards to be taken against supply chain threats\n\nsystem development life cycle documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining safeguards for and protecting against supply chain threats\n\nautomated mechanisms supporting and\/or implementing safeguards for supply chain threats"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_1","label":"organization-defined frequency"},{"id":"sa-15_prm_2","label":"organization-defined security requirements"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-15"},{"name":"sort-id","value":"sa-15"}],"parts":[{"id":"sa-15_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires the developer of the information system, system component, or information system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the development process, standards, tools, and tool options\/configurations {{ insert: param, sa-15_prm_1 }} to determine if the process, standards, tools, and tool options\/configurations selected and employed can satisfy {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include, for example, programming languages and computer-aided design (CAD) systems. Reviews of development processes can include, for example, the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes enables accurate supply chain risk assessment and mitigation, and requires robust configuration control throughout the life cycle (including design, development, transport, delivery, integration, and maintenance) to track authorized changes and prevent unauthorized changes.","links":[{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-15_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-15.a_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)"}],"prose":"requires the developer of the information system, system component, or information system service to follow a documented development process that:","parts":[{"id":"sa-15.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(1)"}],"prose":"explicitly addresses security requirements;"},{"id":"sa-15.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(2)"}],"prose":"identifies the standards and tools used in the development process;"},{"id":"sa-15.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)"}],"parts":[{"id":"sa-15.a.3_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)[1]"}],"prose":"documents the specific tool options used in the development process;"},{"id":"sa-15.a.3_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(a)(3)[2]"}],"prose":"documents the specific tool configurations used in the development process;"}]},{"id":"sa-15.a.4_obj","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)"}],"parts":[{"id":"sa-15.a.4_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[1]"}],"prose":"documents changes to the process and\/or tools used in the development;"},{"id":"sa-15.a.4_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[2]"}],"prose":"manages changes to the process and\/or tools used in the development;"},{"id":"sa-15.a.4_obj.3","name":"objective","props":[{"name":"label","value":"SA-15(a)(4)[3]"}],"prose":"ensures the integrity of changes to the process and\/or tools used in the development;"}]}]},{"id":"sa-15.b_obj","name":"objective","props":[{"name":"label","value":"SA-15(b)"}],"parts":[{"id":"sa-15.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-15(b)[1]"}],"prose":"defines a frequency to review the development process, standards, tools, and tool options\/configurations;"},{"id":"sa-15.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-15(b)[2]"}],"prose":"defines security requirements to be satisfied by the process, standards, tools, and tool option\/configurations selected and employed; and"},{"id":"sa-15.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-15(b)[3]"}],"parts":[{"id":"sa-15.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][a]"}],"prose":"reviews the development process with the organization-defined frequency to determine if the process selected and employed can satisfy organization-defined security requirements;"},{"id":"sa-15.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][b]"}],"prose":"reviews the development standards with the organization-defined frequency to determine if the standards selected and employed can satisfy organization-defined security requirements;"},{"id":"sa-15.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][c]"}],"prose":"reviews the development tools with the organization-defined frequency to determine if the tools selected and employed can satisfy organization-defined security requirements; and"},{"id":"sa-15.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-15(b)[3][d]"}],"prose":"reviews the development tool options\/configurations with the organization-defined frequency to determine if the tool options\/configurations selected and employed can satisfy organization-defined security requirements."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer documentation listing tool options\/configuration guides, configuration management records\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of development process, standards, tools, and tool options\/configurations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_prm_1","label":"organization-defined training"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-16"},{"name":"sort-id","value":"sa-16"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide {{ insert: param, sa-16_prm_1 }} on the correct use and operation of the implemented security functions, controls, and\/or mechanisms."},{"id":"sa-16_gdn","name":"guidance","prose":"This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based\/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"sa-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-16_obj.1","name":"objective","props":[{"name":"label","value":"SA-16[1]"}],"prose":"defines training to be provided by the developer of the information system, system component, or information system service; and"},{"id":"sa-16_obj.2","name":"objective","props":[{"name":"label","value":"SA-16[2]"}],"prose":"requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and\/or mechanisms."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\ndeveloper-provided training materials\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information system security responsibilities\n\nsystem developer\n\norganizational or third-party developers with training responsibilities for the information system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security Architecture and Design","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-17"},{"name":"sort-id","value":"sa-17"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"This control is primarily directed at external developers, although it could also be used for internal (in-house) development. In contrast, PL-8 is primarily directed at internal developers to help ensure that organizations develop an information security architecture and such security architecture is integrated or tightly coupled to the enterprise architecture. This distinction is important if\/when organizations outsource the development of information systems, information system components, or information system services to external entities, and there is a requirement to demonstrate consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-17_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:","parts":[{"id":"sa-17.a_obj","name":"objective","props":[{"name":"label","value":"SA-17(a)"}],"prose":"is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;"},{"id":"sa-17.b_obj","name":"objective","props":[{"name":"label","value":"SA-17(b)"}],"prose":"accurately and completely describes:","parts":[{"id":"sa-17.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-17(b)[1]"}],"prose":"the required security functionality;"},{"id":"sa-17.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-17(b)[2]"}],"prose":"the allocation of security controls among physical and logical components; and"}]},{"id":"sa-17.c_obj","name":"objective","props":[{"name":"label","value":"SA-17(c)"}],"prose":"expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specification for the information system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\ndesign specification and security architecture documentation for the system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with security architecture and design responsibilities"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-2_obj","name":"objective","prose":"Determine if the information system separates user functionality (including user interface services) from information system management functionality."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management functionality"}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-3"},{"name":"sort-id","value":"sc-03"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"The information system isolates security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"The information system isolates security functions from nonsecurity functions by means of an isolation boundary (implemented via partitions and domains). Such isolation controls access to and protects the integrity of the hardware, software, and firmware that perform those security functions. Information systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including, for example, through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk, and address space protections that protect executing code. Information systems restrict access to security functions through the use of access control mechanisms and by implementing least privilege capabilities. While the ideal is for all of the code within the security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions within the isolation boundary as an exception.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-39","rel":"related"}]},{"id":"sc-3_obj","name":"objective","prose":"Determine if the information system isolates security functions from nonsecurity functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from nonsecurity functions\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of security functions from nonsecurity functions within the information system"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of information, produced by the actions of prior users\/roles (or the actions of processes acting on behalf of prior users\/roles) from being available to any current users\/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and\/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users\/roles.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"sc-4_obj","name":"objective","prose":"Determine if the information system prevents unauthorized and unintended information transfer via shared system resources."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections."},{"id":"sc-7.3_obj","name":"objective","prose":"Determine if the organization limits the number of external network connections to the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting mission\/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ insert: param, sc-7.4_prm_1 }} and removes exceptions that are no longer supported by an explicit mission\/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp"}]},{"id":"sc-7.4.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp"}]},{"id":"sc-7.4.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp"}]},{"id":"sc-7.4.d_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission\/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp"}]},{"id":"sc-7.4.e_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an explicit mission\/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default \/ Allow by Exception","props":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","props":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers\/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","prose":"Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-7.8_prm_1","label":"organization-defined internal communications traffic"},{"id":"sc-7.8_prm_2","label":"organization-defined external networks"}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"sort-id","value":"sc-07.08"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"The information system routes {{ insert: param, sc-7.8_prm_1 }} to {{ insert: param, sc-7.8_prm_2 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., information system or application) that acts as an intermediary for clients requesting information system resources (e.g., files, connections, web pages, or services) from other organizational servers. Client requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers providing access to the Internet. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"}]},{"id":"sc-7.8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-7.8_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(8)[1]"}],"prose":"the organization defines internal communications traffic to be routed to external networks;"},{"id":"sc-7.8_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(8)[2]"}],"prose":"the organization defines external networks to which organization-defined internal communications traffic is to be routed; and"},{"id":"sc-7.8_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(8)[3]"}],"prose":"the information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"sort-id","value":"sc-07.18"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"The information system fails securely in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.","links":[{"href":"#cp-2","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-7.18_obj","name":"objective","prose":"Determine if the information system fails securely in the event of an operational failure of a boundary protection device."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of Information System Components","params":[{"id":"sc-7.21_prm_1","label":"organization-defined information system components"},{"id":"sc-7.21_prm_2","label":"organization-defined missions and\/or business functions"}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"sort-id","value":"sc-07.21"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"The organization employs boundary protection mechanisms to separate {{ insert: param, sc-7.21_prm_1 }} supporting {{ insert: param, sc-7.21_prm_2 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate information system components performing different missions and\/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys.","links":[{"href":"#ca-9","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-7.21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.21_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(21)[1]"}],"prose":"defines information system components to be separated by boundary protection mechanisms;"},{"id":"sc-7.21_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(21)[2]"}],"prose":"defines missions and\/or business functions to be supported by organization-defined information system components separated by boundary protection mechanisms; and"},{"id":"sc-7.21_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(21)[3]"}],"prose":"employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and\/or business functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\nenterprise architecture documentation\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the capability to separate information system components supporting organizational missions and\/or business functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-8_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and\/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality\/integrity. In such situations, organizations determine what types of confidentiality\/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-4","rel":"related"}]},{"id":"sc-8_obj","name":"objective","prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","props":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and\/or"},{"id":"sc-8_obj.2","name":"objective","props":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","params":[{"id":"sc-8.1_prm_1","select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards"}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ insert: param, sc-8.1_prm_1 }} during transmission unless otherwise protected by {{ insert: param, sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and\/or"},{"id":"sc-8.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nautomated mechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP\/IP address\/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","props":[{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and"},{"id":"sc-10_obj.2","name":"objective","props":[{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"sort-id","value":"sc-12.01"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"The organization maintains availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of loss of keys (e.g., due to forgotten passphrase)."},{"id":"sc-12.1_obj","name":"objective","prose":"Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ insert: param, sc-17_prm_1 }} or obtains public key certificates from an approved service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.","links":[{"href":"#sc-12","rel":"related"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","props":[{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","props":[{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","props":[{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","props":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code technologies;"}]},{"id":"sc-18.c_obj","name":"objective","props":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","props":[{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting mobile code\n\nautomated mechanisms supporting and\/or implementing the management of mobile code\n\nautomated mechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","props":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","props":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","props":[{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks\/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}]},{"id":"sc-23_obj","name":"objective","prose":"Determine if the information system protects the authenticity of communications sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_prm_1","label":"organization-defined known-state"},{"id":"sc-24_prm_2","label":"organization-defined types of failures"},{"id":"sc-24_prm_3","label":"organization-defined system state information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-24"},{"name":"sort-id","value":"sc-24"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"The information system fails to a {{ insert: param, sc-24_prm_1 }} for {{ insert: param, sc-24_prm_2 }} preserving {{ insert: param, sc-24_prm_3 }} in failure."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission\/business needs of organizations. Failure in a known secure state helps to prevent the loss of confidentiality, integrity, or availability of information in the event of failures of organizational information systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving information system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission\/business processes.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-24_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-24_obj.1","name":"objective","props":[{"name":"label","value":"SC-24[1]"}],"prose":"the organization defines a known-state to which the information system is to fail in the event of a system failure;"},{"id":"sc-24_obj.2","name":"objective","props":[{"name":"label","value":"SC-24[2]"}],"prose":"the organization defines types of failures for which the information system is to fail to an organization-defined known-state;"},{"id":"sc-24_obj.3","name":"objective","props":[{"name":"label","value":"SC-24[3]"}],"prose":"the organization defines system state information to be preserved in the event of a system failure;"},{"id":"sc-24_obj.4","name":"objective","props":[{"name":"label","value":"SC-24[4]"}],"prose":"the information system fails to the organization-defined known-state for organization-defined types of failures; and"},{"id":"sc-24_obj.5","name":"objective","props":[{"name":"label","value":"SC-24[5]"}],"prose":"the information system preserves the organization-defined system state information in the event of a system failure."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information system failure to known state\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of failures requiring information system to fail in a known state\n\nstate information to be preserved in system failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fail-in-known state capability\n\nautomated mechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-28_prm_1 }} of {{ insert: param, sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection\/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and\/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","props":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and\/or"},{"id":"sc-28_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","props":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and\/or"},{"id":"sc-28_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-2(1)"},{"name":"sort-id","value":"si-02.01"}],"parts":[{"id":"si-2.1_smt","name":"statement","prose":"The organization centrally manages the flaw remediation process."},{"id":"si-2.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of flaw remediation processes. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw remediation security controls."},{"id":"si-2.1_obj","name":"objective","prose":"Determine if the organization centrally manages the flaw remediation process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of the flaw remediation process\n\nautomated mechanisms supporting and\/or implementing central management of the flaw remediation process"}]}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-2.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ insert: param, si-2.2_prm_1 }} to determine the state of information system components with regard to flaw remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related"},{"href":"#si-8","rel":"related"}]},{"id":"si-3.1_obj","name":"objective","prose":"Determine if the organization centrally manages malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing central management of malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related"}]},{"id":"si-3.2_obj","name":"objective","prose":"Determine if the information system automatically updates malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing automatic updates to malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and\/or notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","prose":"Determine if the organization employs automated tools to support near real-time analysis of events."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for incident response\/management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring\n\nautomated mechanisms\/tools supporting and\/or implementing analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual\/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection capability\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing monitoring of inbound\/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ insert: param, si-4.5_prm_1 }} when the following indications of compromise or potential compromise occur: {{ insert: param, si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission\/business owners, system owners, or information system security officers.","links":[{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection\/information system monitoring capability\n\nautomated mechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","props":[{"name":"label","value":"SI-5(1)"},{"name":"sort-id","value":"si-05.01"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"The organization employs automated mechanisms to make security alert and advisory information available throughout the organization."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational information systems and the environments in which those systems operate requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational missions and business functions. Based on the information provided by the security alerts and advisories, changes may be required at one or more of the three tiers related to the management of information security risk including the governance level, mission\/business process\/enterprise architecture level, and the information system level."},{"id":"si-5.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to make security alert and advisory information available throughout the organization."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security Function Verification","params":[{"id":"si-6_prm_1","label":"organization-defined security functions"},{"id":"si-6_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-6_prm_3 }} ","upon command by user with appropriate privilege"," {{ insert: param, si-6_prm_4 }} "]}},{"id":"si-6_prm_3","depends-on":"si-6_prm_2","label":"organization-defined system transitional states"},{"id":"si-6_prm_4","depends-on":"si-6_prm_2","label":"organization-defined frequency"},{"id":"si-6_prm_5","label":"organization-defined personnel or roles"},{"id":"si-6_prm_6","select":{"how-many":"one-or-more","choice":["shuts the information system down","restarts the information system"," {{ insert: param, si-6_prm_7 }} "]}},{"id":"si-6_prm_7","depends-on":"si-6_prm_6","label":"organization-defined alternative action(s)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-6"},{"name":"sort-id","value":"si-06"}],"parts":[{"id":"si-6_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifies the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Performs this verification {{ insert: param, si-6_prm_2 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Notifies {{ insert: param, si-6_prm_5 }} of failed security verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":" {{ insert: param, si-6_prm_6 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and\/or hardware indications such as lights.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-6","rel":"related"}]},{"id":"si-6_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-6.a_obj","name":"objective","props":[{"name":"label","value":"SI-6(a)"}],"parts":[{"id":"si-6.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(a)[1]"}],"prose":"the organization defines security functions to be verified for correct operation;"},{"id":"si-6.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(a)[2]"}],"prose":"the information system verifies the correct operation of organization-defined security functions;"}]},{"id":"si-6.b_obj","name":"objective","props":[{"name":"label","value":"SI-6(b)"}],"parts":[{"id":"si-6.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(b)[1]"}],"prose":"the organization defines system transitional states requiring verification of organization-defined security functions;"},{"id":"si-6.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(b)[2]"}],"prose":"the organization defines a frequency to verify the correct operation of organization-defined security functions;"},{"id":"si-6.b_obj.3","name":"objective","props":[{"name":"label","value":"SI-6(b)[3]"}],"prose":"the information system performs this verification one or more of the following:","parts":[{"id":"si-6.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][a]"}],"prose":"at organization-defined system transitional states;"},{"id":"si-6.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][b]"}],"prose":"upon command by user with appropriate privilege; and\/or"},{"id":"si-6.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-6(b)[3][c]"}],"prose":"with the organization-defined frequency;"}]}]},{"id":"si-6.c_obj","name":"objective","props":[{"name":"label","value":"SI-6(c)"}],"parts":[{"id":"si-6.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(c)[1]"}],"prose":"the organization defines personnel or roles to be notified of failed security verification tests;"},{"id":"si-6.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(c)[2]"}],"prose":"the information system notifies organization-defined personnel or roles of failed security verification tests;"}]},{"id":"si-6.d_obj","name":"objective","props":[{"name":"label","value":"SI-6(d)"}],"parts":[{"id":"si-6.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-6(d)[1]"}],"prose":"the organization defines alternative action(s) to be performed when anomalies are discovered;"},{"id":"si-6.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-6(d)[2]"}],"prose":"the information system performs one or more of the following actions when anomalies are discovered:","parts":[{"id":"si-6.d_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-6.d_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][b]"}],"prose":"restarts the information system; and\/or"},{"id":"si-6.d_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-6(d)[2][c]"}],"prose":"performs organization-defined alternative action(s)."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security function verification\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the information system\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security function verification\n\nautomated mechanisms supporting and\/or implementing security function verification capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes to {{ insert: param, si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.","links":[{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated\/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","props":[{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events; and\/or"},{"id":"si-7.1_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-7.2_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"sort-id","value":"si-07.02"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"The organization employs automated tools that provide notification to {{ insert: param, si-7.2_prm_1 }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The use of automated tools to report integrity violations and to notify organizational personnel in a timely matter is an essential precursor to effective risk response. Personnel having an interest in integrity violations include, for example, mission\/business owners, information system owners, systems administrators, software developers, systems integrators, and information security officers."},{"id":"si-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(2)[1]"}],"prose":"defines personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification; and"},{"id":"si-7.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(2)[2]"}],"prose":"employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nalerts\/notifications provided upon discovering discrepancies during integrity verifications\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-7.5_prm_1","select":{"how-many":"one-or-more","choice":["shuts the information system down","restarts the information system","implements {{ insert: param, si-7.5_prm_2 }} "]}},{"id":"si-7.5_prm_2","depends-on":"si-7.5_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"sort-id","value":"si-07.05"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"The information system automatically {{ insert: param, si-7.5_prm_1 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity checking and anomaly responses: (i) by type of information (e.g., firmware, software, user data); (ii) by specific information (e.g., boot firmware, boot firmware for a specific types of machines); or (iii) a combination of both. Automatic implementation of specific safeguards within organizational information systems includes, for example, reversing the changes, halting the information system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(5)[1]"}],"prose":"the organization defines security safeguards to be implemented when integrity violations are discovered;"},{"id":"si-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(5)[2]"}],"prose":"the information system automatically performs one or more of the following actions when integrity violations are discovered:","parts":[{"id":"si-7.5_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][a]"}],"prose":"shuts the information system down;"},{"id":"si-7.5_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][b]"}],"prose":"restarts the information system; and\/or"},{"id":"si-7.5_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(5)[2][c]"}],"prose":"implements the organization-defined security safeguards."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools\n\nautomated mechanisms providing an automated response to integrity violations\n\nautomated mechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information system"}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ insert: param, si-7.7_prm_1 }} into the organizational incident response capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system; and"},{"id":"si-7.7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and\/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.14","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"SI-7(14)"},{"name":"sort-id","value":"si-07.14"}],"parts":[{"id":"si-7.14_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-7.14_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and"},{"id":"si-7.14_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provides exceptions to the source code requirement only for compelling mission\/operational requirements and with the approval of the authorizing official."}]},{"id":"si-7.14_gdn","name":"guidance","prose":"This control enhancement applies to all sources of binary or machine-executable code including, for example, commercial software\/firmware and open source software. Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts. The assessments address the fact that these types of software products may be very difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"si-7.14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.14.a_obj","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)"}],"parts":[{"id":"si-7.14.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)[1]"}],"prose":"prohibits the use of binary or machine-executable code from sources with limited or no warranty;"},{"id":"si-7.14.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(14)(a)[2]"}],"prose":"prohibits the use of binary or machine-executable code without the provision of source code;"}],"links":[{"href":"#si-7.14_smt.a","rel":"corresp"}]},{"id":"si-7.14.b_obj","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)"}],"parts":[{"id":"si-7.14.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)[1]"}],"prose":"provides exceptions to the source code requirement only for compelling mission\/operational requirements; and"},{"id":"si-7.14.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(14)(b)[2]"}],"prose":"provides exceptions to the source code requirement only with the approval of the authorizing official."}],"links":[{"href":"#si-7.14_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\napproval records for execution of binary and machine-executable code\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nauthorizing official\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing prohibition of the execution of binary or machine-executable code"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook\/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","props":[{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","props":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages; and"}]},{"id":"si-8.b_obj","name":"objective","props":[{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.","links":[{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-8.1_obj","name":"objective","prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and\/or implementing central management of spam protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","prose":"Determine if the information system automatically updates spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\n\nautomated mechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ insert: param, si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","props":[{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","props":[{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information inputs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ insert: param, si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure\/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission\/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","props":[{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;"},{"id":"si-11.b_obj","name":"objective","props":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be revealed; and"},{"id":"si-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure\/content of error messages\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ insert: param, si-16_prm_1 }} to protect its memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.","links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","props":[{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","props":[{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized code execution\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http:\/\/capec.mitre.org","citation":{"text":"http:\/\/capec.mitre.org"},"rlinks":[{"href":"http:\/\/capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http:\/\/cve.mitre.org","citation":{"text":"http:\/\/cve.mitre.org"},"rlinks":[{"href":"http:\/\/cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp","citation":{"text":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"bdd2f49e-edf7-491f-a178-4487898228f3","title":"NIST Interagency Report 7622","citation":{"text":"NIST Interagency Report 7622"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsNISTIRs.html#NIST-IR-7622"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"8ab6bcdc-339b-4068-b45e-994814a6e187","title":"NIST Special Publication 800-161","citation":{"text":"NIST Special Publication 800-161"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-161"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http:\/\/www.cnss.gov\/Assets\/pdf\/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2005\/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json
index 08099a13..3e82a28d 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.json
@@ -1,9 +1,9 @@
 {
   "catalog": {
-    "uuid": "d42ac376-bf01-4baf-bad5-d0b7ee2626d5",
+    "uuid": "d3d0fe20-8c66-4ead-a7bf-10455eada4ac",
     "metadata": {
       "title": "NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:45.965719-04:00",
+      "last-modified": "2023-12-05T21:54:41.390821Z",
       "version": "2015-01-22",
       "oscal-version": "1.1.1",
       "props": [
diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json
index b6dc9b88..b8bb2071 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"bec68292-6541-40e5-bc3b-5fcfee922bd9","metadata":{"title":"NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE","last-modified":"2023-11-02T11:49:37.69093-04:00","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_LOW-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"96310e12-f661-41a7-bed9-842b6a931875","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["fcde62b1-8cce-4a57-a26b-b07ad2865ae1"]},{"role-id":"contact","party-uuids":["fcde62b1-8cce-4a57-a26b-b07ad2865ae1"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"90cfe612-52c5-4daa-8ec1-9a6c223fa571","metadata":{"title":"NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE","last-modified":"2023-12-05T21:54:40.489331Z","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_LOW-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"96310e12-f661-41a7-bed9-842b6a931875","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["fcde62b1-8cce-4a57-a26b-b07ad2865ae1"]},{"role-id":"contact","party-uuids":["fcde62b1-8cce-4a57-a26b-b07ad2865ae1"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json
index 758e26eb..00a30fa6 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.json
@@ -1,9 +1,9 @@
 {
   "catalog": {
-    "uuid": "bec68292-6541-40e5-bc3b-5fcfee922bd9",
+    "uuid": "90cfe612-52c5-4daa-8ec1-9a6c223fa571",
     "metadata": {
       "title": "NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:37.69093-04:00",
+      "last-modified": "2023-12-05T21:54:40.489331Z",
       "version": "2015-01-22",
       "oscal-version": "1.1.1",
       "props": [
diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json
index 0d9833ab..4ac96299 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"975aa476-c834-4b62-9e8b-f5d28a23962c","metadata":{"title":"NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE","last-modified":"2023-11-02T11:49:43.964173-04:00","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"29dd471e-7206-4388-857b-47673c04c4c9","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["316876e2-5c7b-4a60-a488-2ed977238f04"]},{"role-id":"contact","party-uuids":["316876e2-5c7b-4a60-a488-2ed977238f04"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","props":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the management of information system accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary \/ Emergency Accounts","params":[{"id":"ac-2.2_prm_1","select":{"choice":["removes","disables"]}},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account"}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","params":[{"id":"ac-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ insert: param, ac-2.3_prm_1 }}."},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the organization-defined time period."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","params":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies {{ insert: param, ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {{ insert: param, ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering\/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","props":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","props":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Separates {{ insert: param, ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and\/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","props":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","props":[{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","props":[{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of duties."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions\/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ac-6_obj","name":"objective","prose":"Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information"}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ insert: param, ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers\/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly authorized;"},{"id":"ac-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles, with access to {{ insert: param, ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to {{ insert: param, ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information\/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","links":[{"href":"#cm-6","rel":"related"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related"}]},{"id":"ac-6.9_obj","name":"objective","prose":"Determine if the information system audits the execution of privileged functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards\/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","prose":"Determine if the information system prevents non-privileged users from executing privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards\/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards\/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards\/countermeasures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","params":[{"id":"ac-11_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request from a user; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","props":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","props":[{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","prose":"Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ insert: param, ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","props":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session disconnect; and"},{"id":"ac-12_obj.2","name":"objective","props":[{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring \/ Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-17.1_obj","name":"objective","prose":"Determine if the information system monitors and controls remote access methods."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality \/ Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security categorization of the information.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-17.2_obj","name":"objective","prose":"Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","params":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"props":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ insert: param, ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the organization-defined number of managed network access control points."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands \/ Access","params":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp"}]},{"id":"ac-17.4.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.1_prm_1","select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication of {{ insert: param, ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-18.1_obj","name":"objective","prose":"Determine if the information system protects wireless access to the system using encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and\/or"},{"id":"ac-18.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the information system"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device \/ Container-based Encryption","params":[{"id":"ac-19.5_prm_1","select":{"choice":["full-device encryption","container encryption"]}},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption of data\/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and"},{"id":"ac-19.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related"}]},{"id":"ac-20.1_obj","name":"objective","prose":"Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp"}]},{"id":"ac-20.1.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","params":[{"id":"ac-20.2_prm_1","select":{"choice":["restricts","prohibits"]}}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ insert: param, ac-20.2_prm_1 }} the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"objective","prose":"Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for {{ insert: param, ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs {{ insert: param, ac-21_prm_2 }} to assist users in making information sharing\/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program\/compartment.","links":[{"href":"#ac-3","rel":"related"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-21.a_obj","name":"objective","props":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is required;"},{"id":"ac-21.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","props":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users in making information sharing\/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist users in making information sharing\/collaboration decisions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing\/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing\/collaboration decisions\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"at-2.2_obj","name":"objective","prose":"Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness training\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"au-2.3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ insert: param, au-2.3_prm_1 }}."},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information"}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional information: {{ insert: param, au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the organization-defined additional, more detailed information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","props":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission\/business process, and information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"au-6.3_obj","name":"objective","prose":"Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","props":[{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","props":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","props":[{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events of interest based on {{ insert: param, au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"props":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.1.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and"},{"id":"au-8.1.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp"}]},{"id":"au-8.1.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only {{ insert: param, au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.","links":[{"href":"#ac-5","rel":"related"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the organization-defined subset of privileged users."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","params":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-2.1_prm_1 }} to conduct security control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and\/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}],"controls":[{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","params":[{"id":"ca-3.5_prm_1","select":{"choice":["allow-all, deny-by-exception","deny-all, permit-by-exception"]}},{"id":"ca-3.5_prm_2","label":"organization-defined information systems"}],"props":[{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing {{ insert: param, ca-3.5_prm_2 }} to connect to external information systems."},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.5_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information systems;"},{"id":"ca-3.5_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","params":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency"},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances"}],"props":[{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information system:","parts":[{"id":"cm-2.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ insert: param, cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and upgrades."}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp"}]},{"id":"cm-2.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp"}]},{"id":"cm-2.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline configuration"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the information system"}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ insert: param, cm-2.3_prm_1 }} to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of the information system to support rollback."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","params":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Applies {{ insert: param, cm-2.7_prm_3 }} to the devices when the individuals return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging\/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp"}]},{"id":"cm-2.7.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee, board)"},{"id":"cm-3_prm_3","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-3_prm_4 }} "," {{ insert: param, cm-3_prm_5 }} "]}},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for {{ insert: param, cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to the information system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities through {{ insert: param, cm-3_prm_2 }} that convenes {{ insert: param, cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled\/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information system;"},{"id":"cm-3.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to the information system;"},{"id":"cm-3.g_obj","name":"objective","props":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;"},{"id":"cm-3.g_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must convene; and\/or"},{"id":"cm-3.g_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","props":[{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and\/or for any organization-defined configuration change conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda \/minutes from configuration change control oversight meetings\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Test \/ Validate \/ Document Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"cm-03.02"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals\/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities\/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems)."},{"id":"cm-3.2_obj","name":"objective","prose":"Determine if the organization, before implementing changes on the operational system:","parts":[{"id":"cm-3.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(2)[1]"}],"prose":"tests changes to the information system;"},{"id":"cm-3.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(2)[2]"}],"prose":"validates changes to the information system; and"},{"id":"cm-3.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(2)[3]"}],"prose":"documents changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system configuration change control\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms supporting and\/or implementing testing, validating, and documenting information system changes"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and\/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","props":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.2","name":"objective","props":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.3","name":"objective","props":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.4","name":"objective","props":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.5","name":"objective","props":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.6","name":"objective","props":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.7","name":"objective","props":[{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information system; and"},{"id":"cm-5_obj.8","name":"objective","props":[{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing\/enforcing access restrictions associated with changes to the information system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and\/or nonsecure"}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disables {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp"}]},{"id":"cm-7.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing\/disabling nonsecure functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-7.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-7.2_prm_2 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and restrictions"}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ insert: param, cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions; and\/or"},{"id":"cm-7.2_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.4","class":"SP800-53-enhancement","title":"Unauthorized Software \/ Blacklisting","params":[{"id":"cm-7.4_prm_1","label":"organization-defined software programs not authorized to execute on the information system"},{"id":"cm-7.4_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CM-7(4)"},{"name":"sort-id","value":"cm-07.04"}],"parts":[{"id":"cm-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ insert: param, cm-7.4_prm_1 }};"},{"id":"cm-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and"},{"id":"cm-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of unauthorized software programs {{ insert: param, cm-7.4_prm_2 }}."}]},{"id":"cm-7.4_gdn","name":"guidance","prose":"The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.4.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(a)"}],"prose":"Identifies\/defines software programs not authorized to execute on the information system;","links":[{"href":"#cm-7.4_smt.a","rel":"corresp"}]},{"id":"cm-7.4.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(b)"}],"prose":"employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system;","links":[{"href":"#cm-7.4_smt.b","rel":"corresp"}]},{"id":"cm-7.4.c_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)"}],"parts":[{"id":"cm-7.4.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)[1]"}],"prose":"defines the frequency to review and update the list of unauthorized software programs on the information system; and"},{"id":"cm-7.4.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)[2]"}],"prose":"reviews and updates the list of unauthorized software programs with the organization-defined frequency."}],"links":[{"href":"#cm-7.4_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs not authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of unauthorized software programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software not authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs not authorized to execute on the information system\n\norganizational process for implementing blacklisting\n\nautomated mechanisms supporting and\/or implementing blacklisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations \/ Removals","props":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system components\n\nautomated mechanisms implementing updating of the information system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency"},{"id":"cm-8.3_prm_2","select":{"how-many":"one-or-more","choice":["disables network access by such components","isolates the components","notifies {{ insert: param, cm-8.3_prm_3 }} "]}},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components within the information system; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ insert: param, cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp"}]},{"id":"cm-8.3.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and\/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts\/notifications of unauthorized components within the information system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system components\n\nautomated mechanisms implementing the detection of unauthorized information system components"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","prose":"Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development\/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sa-10","rel":"related"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","props":[{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","props":[{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","props":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","props":[{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions \/ Business Functions","params":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business functions within {{ insert: param, cp-2.3_prm_1 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","props":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions\/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and\/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.","links":[{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"cp-2.8_obj","name":"objective","prose":"Determine if the organization identifies critical information system assets supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}]},{"id":"cp-4.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery\/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6_obj.1","name":"objective","props":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","props":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup information at the alternate storage site\n\nautomated mechanisms supporting and\/or implementing storage and retrieval of information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} for essential missions\/business functions within {{ insert: param, cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer\/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.a_obj","name":"objective","props":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer\/resumption of organization-defined information system operations for essential missions\/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions\/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","props":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","props":[{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","prose":"Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of {{ insert: param, cp-8_prm_1 }} for essential missions and business functions within {{ insert: param, cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions\/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary\/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits\/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8_obj.1","name":"objective","props":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","props":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","props":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission\/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability \/ Integrity","params":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify media reliability and information integrity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"objective","prose":"Determine if the information system implements transaction recovery for systems that are transaction-based."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transaction recovery capability"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.3_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","params":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements"}],"props":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {{ insert: param, ia-2.11_prm_1 }}."},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged\/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-2.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","props":[{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;"},{"id":"ia-2.11_obj.4","name":"objective","props":[{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;"},{"id":"ia-2.11_obj.5","name":"objective","props":[{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","props":[{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-3_prm_1","label":"organization-defined specific and\/or types of devices"},{"id":"ia-3_prm_2","select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ insert: param, ia-3_prm_1 }} before establishing a {{ insert: param, ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type\/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify\/authenticate devices on local and\/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-3_obj.1","name":"objective","props":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and\/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","props":[{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing device identification and authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group; and"},{"id":"ia-5.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication:","parts":[{"id":"ia-5.2.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp"}]},{"id":"ia-5.2.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp"}]},{"id":"ia-5.2.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group; and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp"}]},{"id":"ia-5.2.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","params":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and\/or specific authenticators"},{"id":"ia-5.3_prm_2","select":{"choice":["in person","by a trusted third party"]}},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ insert: param, ia-5.3_prm_1 }} be conducted {{ insert: param, ia-5.3_prm_2 }} before {{ insert: param, ia-5.3_prm_3 }} with authorization by {{ insert: param, ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-5.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and\/or specific authenticators to be received in person or by a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process for receipt of organization-defined types of and\/or specific authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of and\/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system {{ insert: param, ir-3_prm_1 }} using {{ insert: param, ir-3_prm_2 }} to determine the incident response effectiveness and documents the results."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel\/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-3_obj.1","name":"objective","props":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the information system;"},{"id":"ir-3_obj.2","name":"objective","props":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information system; and"},{"id":"ir-3_obj.3","name":"objective","props":[{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","prose":"Determine if the organization coordinates incident response testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","props":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example, online incident management systems."},{"id":"ir-4.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the incident handling process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","props":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related"}]},{"id":"ir-6.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in the reporting of security incidents."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing reporting of security incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information \/ Support","props":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and\/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","props":[{"name":"priority","value":"P3"},{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware\/software diagnostic test equipment and hardware\/software packet sniffers. This control does not cover hardware\/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-3_obj.1","name":"objective","props":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","props":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","props":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nautomated mechanisms supporting and\/or implementing approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper\/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.","links":[{"href":"#si-7","rel":"related"}]},{"id":"ma-3.1_obj","name":"objective","prose":"Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and\/or implementing inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.","links":[{"href":"#si-3","rel":"related"}]},{"id":"ma-3.2_obj","name":"objective","prose":"Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and\/or implementing inspection of media used for maintenance"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information system:","parts":[{"id":"ma-4.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and diagnostic connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and\/or spare parts for {{ insert: param, ma-6_prm_1 }} within {{ insert: param, ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-6_obj.1","name":"objective","props":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and\/or spare parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","props":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and\/or spare parts are to be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","props":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and\/or"},{"id":"ma-6_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components within the organization-defined time period of failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempts {{ insert: param, mp-3_prm_1 }} from marking as long as the media remain within {{ insert: param, mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application\/use of human-readable security attributes. The term security labeling refers to the application\/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-3.a_obj","name":"objective","props":[{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","props":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\n\nautomated mechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and\/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and\/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.","links":[{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-4.a_obj","name":"objective","props":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and\/or non-digital media to be physically controlled and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store organization-defined types of digital and\/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and\/or non-digital media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","props":[{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and\/or non-digital media within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","props":[{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media"},{"id":"mp-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and\/or procedural safeguards to meet the requirements established for protecting information and\/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and\/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-5.a_obj","name":"objective","props":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","props":[{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5.c_obj","name":"objective","props":[{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media; and"},{"id":"mp-5.d_obj","name":"objective","props":[{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to authorized personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external\/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).","links":[{"href":"#mp-2","rel":"related"}]},{"id":"mp-5.4_obj","name":"objective","prose":"Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related"}]},{"id":"mp-7.1_obj","name":"objective","prose":"Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","params":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ insert: param, pe-4_prm_1 }} within organizational facilities using {{ insert: param, pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and\/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-4_obj.1","name":"objective","props":[{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical access controls;"},{"id":"pe-4_obj.2","name":"objective","props":[{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","props":[{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution and transmission lines\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nautomated mechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}]},{"id":"pe-5_obj","name":"objective","prose":"Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\n\nautomated mechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms \/ Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_obj","name":"objective","prose":"Determine if the organization monitors physical intrusion alarms and surveillance equipment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related"}]},{"id":"pe-9_obj","name":"objective","prose":"Determine if the organization protects power equipment and power cabling for the information system from damage and destruction."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ insert: param, pe-10_prm_1 }} to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#pe-15","rel":"related"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-10.a_obj","name":"objective","props":[{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","props":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","props":[{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from unauthorized activation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_prm_1","select":{"how-many":"one-or-more","choice":["an orderly shutdown of the information system","transition of the information system to long-term alternate power"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate {{ insert: param, pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-11_obj","name":"objective","prose":"Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:","parts":[{"id":"pe-11_obj.1","name":"objective","props":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and\/or"},{"id":"pe-11_obj.2","name":"objective","props":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing uninterruptible power supply\n\nthe uninterruptable power supply"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","prose":"Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-17.a_obj","name":"objective","props":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","props":[{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17.c_obj","name":"objective","props":[{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security personnel"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan \/ Coordinate with Other Organizational Entities","params":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"props":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the information system with {{ insert: param, pl-2.3_prm_1 }} before conducting such activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.3_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and"},{"id":"pl-2.3_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational individuals or groups with whom security-related activities are to be planned and coordinated\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the use of social media\/networking sites and posting organizational information on public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social media\/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media\/networking transactions; and (iii) when personnel are accessing social media\/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and\/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media\/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior:","parts":[{"id":"pl-4.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media\/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","params":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ insert: param, pl-8_prm_1 }} to reflect updates in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements\/acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement\/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today’s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission\/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)\/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product\/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate\/show consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r4","rel":"related"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-8.a_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8.b_obj","name":"objective","props":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security architecture;"},{"id":"pl-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;"}]},{"id":"pl-8.c_obj","name":"objective","props":[{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","props":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements\/acquisitions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security architecture development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information security architecture\n\nautomated mechanisms supporting and\/or implementing the development, review, and update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ra-5.1_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency \/ Prior to New Scan \/ When Identified","params":[{"id":"ra-5.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-5.2_prm_2 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ insert: param, ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities scanned;"},{"id":"ra-5.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and\/or"},{"id":"ra-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ insert: param, ra-5.5_prm_1 }} for selected {{ insert: param, ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and"},{"id":"ra-5.5_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the information system\n\norganizational personnel responsible for configuration management of the information system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and\/or implementing access control\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.1_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design \/ Implementation Information for Security Controls","params":[{"id":"sa-4.2_prm_1","select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-4.2_prm_2 }} "]}},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design\/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {{ insert: param, sa-4.2_prm_1 }} at {{ insert: param, sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission\/business requirements, requirements for trustworthiness\/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design\/implementation information that the developer is to provide for the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and\/or"},{"id":"sa-4.2_obj.3.f","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design\/implementation information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or information system services\n\ndesign and implementation information for security controls employed in the information system, system component, or information system service\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions \/ Ports \/ Protocols \/ Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","props":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering principles in:","parts":[{"id":"sa-8_obj.1","name":"objective","props":[{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","props":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","props":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","props":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","props":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information system\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with information system specification, design, development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification\n\nautomated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions \/ Ports \/ Protocols \/ Services","params":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services"}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ insert: param, sa-9.2_prm_1 }} to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions\/services or blocking certain ports\/protocols.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of information system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_prm_1","select":{"how-many":"one-or-more","choice":["design","development","implementation","operation"]}},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence\/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software\/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission\/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","props":[{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and\/or"},{"id":"sa-10.a_obj.4","name":"objective","props":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","props":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","props":[{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10.d_obj","name":"objective","props":[{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","props":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;"},{"id":"sa-10.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service; and"},{"id":"sa-10.e_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","params":[{"id":"sa-11_prm_1","select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_prm_1 }} testing\/evaluation at {{ insert: param, sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results of the security testing\/evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing\/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing\/evaluation occurs at all post-design phases of the system development life cycle. Such testing\/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing\/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing\/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing\/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans\/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","props":[{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","props":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to perform one or more of the following testing\/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing\/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing\/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing\/evaluation; and\/or"},{"id":"sa-11.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing\/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","props":[{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing\/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","props":[{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","props":[{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information system service to correct flaws identified during security testing\/evaluation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-2_obj","name":"objective","prose":"Determine if the information system separates user functionality (including user interface services) from information system management functionality."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management functionality"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of information, produced by the actions of prior users\/roles (or the actions of processes acting on behalf of prior users\/roles) from being available to any current users\/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and\/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users\/roles.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"sc-4_obj","name":"objective","prose":"Determine if the information system prevents unauthorized and unintended information transfer via shared system resources."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections."},{"id":"sc-7.3_obj","name":"objective","prose":"Determine if the organization limits the number of external network connections to the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting mission\/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ insert: param, sc-7.4_prm_1 }} and removes exceptions that are no longer supported by an explicit mission\/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp"}]},{"id":"sc-7.4.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp"}]},{"id":"sc-7.4.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp"}]},{"id":"sc-7.4.d_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission\/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp"}]},{"id":"sc-7.4.e_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an explicit mission\/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default \/ Allow by Exception","props":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","props":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers\/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","prose":"Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting\/restricting non-remote connections"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-8_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and\/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality\/integrity. In such situations, organizations determine what types of confidentiality\/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-4","rel":"related"}]},{"id":"sc-8_obj","name":"objective","prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","props":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and\/or"},{"id":"sc-8_obj.2","name":"objective","props":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","params":[{"id":"sc-8.1_prm_1","select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards"}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ insert: param, sc-8.1_prm_1 }} during transmission unless otherwise protected by {{ insert: param, sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and\/or"},{"id":"sc-8.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nautomated mechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP\/IP address\/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","props":[{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and"},{"id":"sc-10_obj.2","name":"objective","props":[{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ insert: param, sc-17_prm_1 }} or obtains public key certificates from an approved service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.","links":[{"href":"#sc-12","rel":"related"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","props":[{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","props":[{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","props":[{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","props":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code technologies;"}]},{"id":"sc-18.c_obj","name":"objective","props":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","props":[{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting mobile code\n\nautomated mechanisms supporting and\/or implementing the management of mobile code\n\nautomated mechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","props":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","props":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","props":[{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks\/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}]},{"id":"sc-23_obj","name":"objective","prose":"Determine if the information system protects the authenticity of communications sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-28_prm_1 }} of {{ insert: param, sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection\/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and\/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","props":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and\/or"},{"id":"sc-28_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","props":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and\/or"},{"id":"sc-28_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-2.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ insert: param, si-2.2_prm_1 }} to determine the state of information system components with regard to flaw remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related"},{"href":"#si-8","rel":"related"}]},{"id":"si-3.1_obj","name":"objective","prose":"Determine if the organization centrally manages malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing central management of malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related"}]},{"id":"si-3.2_obj","name":"objective","prose":"Determine if the information system automatically updates malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing automatic updates to malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and\/or notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","prose":"Determine if the organization employs automated tools to support near real-time analysis of events."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for incident response\/management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring\n\nautomated mechanisms\/tools supporting and\/or implementing analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual\/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection capability\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing monitoring of inbound\/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ insert: param, si-4.5_prm_1 }} when the following indications of compromise or potential compromise occur: {{ insert: param, si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission\/business owners, system owners, or information system security officers.","links":[{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection\/information system monitoring capability\n\nautomated mechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes to {{ insert: param, si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.","links":[{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated\/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","props":[{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events; and\/or"},{"id":"si-7.1_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information system"}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ insert: param, si-7.7_prm_1 }} into the organizational incident response capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system; and"},{"id":"si-7.7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and\/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook\/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","props":[{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","props":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages; and"}]},{"id":"si-8.b_obj","name":"objective","props":[{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.","links":[{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-8.1_obj","name":"objective","prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and\/or implementing central management of spam protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","prose":"Determine if the information system automatically updates spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\n\nautomated mechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ insert: param, si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","props":[{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","props":[{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information inputs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ insert: param, si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure\/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission\/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","props":[{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;"},{"id":"si-11.b_obj","name":"objective","props":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be revealed; and"},{"id":"si-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure\/content of error messages\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ insert: param, si-16_prm_1 }} to protect its memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.","links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","props":[{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","props":[{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized code execution\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http:\/\/capec.mitre.org","citation":{"text":"http:\/\/capec.mitre.org"},"rlinks":[{"href":"http:\/\/capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http:\/\/cve.mitre.org","citation":{"text":"http:\/\/cve.mitre.org"},"rlinks":[{"href":"http:\/\/cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp","citation":{"text":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http:\/\/www.cnss.gov\/Assets\/pdf\/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2005\/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"4f3ed81e-6a9c-4b14-ac07-7d02ec09f643","metadata":{"title":"NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE","last-modified":"2023-12-05T21:54:48.24154Z","version":"2015-01-22","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev4_MODERATE-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"29dd471e-7206-4388-857b-47673c04c4c9","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["316876e2-5c7b-4a60-a488-2ed977238f04"]},{"role-id":"contact","party-uuids":["316876e2-5c7b-4a60-a488-2ed977238f04"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Access Control Policy and Procedures","params":[{"id":"ac-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ac-1_prm_2","label":"organization-defined frequency"},{"id":"ac-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-1"},{"name":"sort-id","value":"ac-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ac-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and associated access controls; and"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ac-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access control policy {{ insert: param, ac-1_prm_2 }}; and"},{"id":"ac-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Access control procedures {{ insert: param, ac-1_prm_3 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ac-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-1.a_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)"}],"parts":[{"id":"ac-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)"}],"parts":[{"id":"ac-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1]"}],"prose":"develops and documents an access control policy that addresses:","parts":[{"id":"ac-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ac-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ac-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ac-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ac-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ac-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ac-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ac-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the access control policy are to be disseminated;"},{"id":"ac-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(1)[3]"}],"prose":"disseminates the access control policy to organization-defined personnel or roles;"}]},{"id":"ac-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)"}],"parts":[{"id":"ac-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the access control policy and associated access control controls;"},{"id":"ac-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ac-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ac-1.b_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)"}],"parts":[{"id":"ac-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)"}],"parts":[{"id":"ac-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current access control policy;"},{"id":"ac-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(1)[2]"}],"prose":"reviews and updates the current access control policy with the organization-defined frequency;"}]},{"id":"ac-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)"}],"parts":[{"id":"ac-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current access control procedures; and"},{"id":"ac-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-1(b)(2)[2]"}],"prose":"reviews and updates the current access control procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-2_prm_1","label":"organization-defined information system account types"},{"id":"ac-2_prm_2","label":"organization-defined personnel or roles"},{"id":"ac-2_prm_3","label":"organization-defined procedures or conditions"},{"id":"ac-2_prm_4","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-2"},{"name":"sort-id","value":"ac-02"}],"parts":[{"id":"ac-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies and selects the following types of information system accounts to support organizational missions\/business functions: {{ insert: param, ac-2_prm_1 }};"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assigns account managers for information system accounts;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes conditions for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;"},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requires approvals by {{ insert: param, ac-2_prm_2 }} for requests to create information system accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Creates, enables, modifies, disables, and removes information system accounts in accordance with {{ insert: param, ac-2_prm_3 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitors the use of information system accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notifies account managers:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"When accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When individual information system usage or need-to-know changes;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorizes access to the information system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Reviews accounts for compliance with account management requirements {{ insert: param, ac-2_prm_4 }}; and"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Information system account types include, for example, individual, shared, group, system, guest\/anonymous, emergency, developer\/manufacturer\/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission\/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission\/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared\/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-10","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-2.a_obj","name":"objective","props":[{"name":"label","value":"AC-2(a)"}],"parts":[{"id":"ac-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(a)[1]"}],"prose":"defines information system account types to be identified and selected to support organizational missions\/business functions;"},{"id":"ac-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(a)[2]"}],"prose":"identifies and selects organization-defined information system account types to support organizational missions\/business functions;"}]},{"id":"ac-2.b_obj","name":"objective","props":[{"name":"label","value":"AC-2(b)"}],"prose":"assigns account managers for information system accounts;"},{"id":"ac-2.c_obj","name":"objective","props":[{"name":"label","value":"AC-2(c)"}],"prose":"establishes conditions for group and role membership;"},{"id":"ac-2.d_obj","name":"objective","props":[{"name":"label","value":"AC-2(d)"}],"prose":"specifies for each account (as required):","parts":[{"id":"ac-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(d)[1]"}],"prose":"authorized users of the information system;"},{"id":"ac-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(d)[2]"}],"prose":"group and role membership;"},{"id":"ac-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(d)[3]"}],"prose":"access authorizations (i.e., privileges);"},{"id":"ac-2.d_obj.4","name":"objective","props":[{"name":"label","value":"AC-2(d)[4]"}],"prose":"other attributes;"}]},{"id":"ac-2.e_obj","name":"objective","props":[{"name":"label","value":"AC-2(e)"}],"parts":[{"id":"ac-2.e_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(e)[1]"}],"prose":"defines personnel or roles required to approve requests to create information system accounts;"},{"id":"ac-2.e_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(e)[2]"}],"prose":"requires approvals by organization-defined personnel or roles for requests to create information system accounts;"}]},{"id":"ac-2.f_obj","name":"objective","props":[{"name":"label","value":"AC-2(f)"}],"parts":[{"id":"ac-2.f_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(f)[1]"}],"prose":"defines procedures or conditions to:","parts":[{"id":"ac-2.f_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][a]"}],"prose":"create information system accounts;"},{"id":"ac-2.f_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][b]"}],"prose":"enable information system accounts;"},{"id":"ac-2.f_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][c]"}],"prose":"modify information system accounts;"},{"id":"ac-2.f_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][d]"}],"prose":"disable information system accounts;"},{"id":"ac-2.f_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[1][e]"}],"prose":"remove information system accounts;"}]},{"id":"ac-2.f_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(f)[2]"}],"prose":"in accordance with organization-defined procedures or conditions:","parts":[{"id":"ac-2.f_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][a]"}],"prose":"creates information system accounts;"},{"id":"ac-2.f_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][b]"}],"prose":"enables information system accounts;"},{"id":"ac-2.f_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][c]"}],"prose":"modifies information system accounts;"},{"id":"ac-2.f_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][d]"}],"prose":"disables information system accounts;"},{"id":"ac-2.f_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(f)[2][e]"}],"prose":"removes information system accounts;"}]}]},{"id":"ac-2.g_obj","name":"objective","props":[{"name":"label","value":"AC-2(g)"}],"prose":"monitors the use of information system accounts;"},{"id":"ac-2.h_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)"}],"prose":"notifies account managers:","parts":[{"id":"ac-2.h.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(1)"}],"prose":"when accounts are no longer required;"},{"id":"ac-2.h.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(2)"}],"prose":"when users are terminated or transferred;"},{"id":"ac-2.h.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(h)(3)"}],"prose":"when individual information system usage or need to know changes;"}]},{"id":"ac-2.i_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)"}],"prose":"authorizes access to the information system based on;","parts":[{"id":"ac-2.i.1_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(1)"}],"prose":"a valid access authorization;"},{"id":"ac-2.i.2_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(2)"}],"prose":"intended system usage;"},{"id":"ac-2.i.3_obj","name":"objective","props":[{"name":"label","value":"AC-2(i)(3)"}],"prose":"other attributes as required by the organization or associated missions\/business functions;"}]},{"id":"ac-2.j_obj","name":"objective","props":[{"name":"label","value":"AC-2(j)"}],"parts":[{"id":"ac-2.j_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(j)[1]"}],"prose":"defines the frequency to review accounts for compliance with account management requirements;"},{"id":"ac-2.j_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(j)[2]"}],"prose":"reviews accounts for compliance with account management requirements with the organization-defined frequency; and"}]},{"id":"ac-2.k_obj","name":"objective","props":[{"name":"label","value":"AC-2(k)"}],"prose":"establishes a process for reissuing shared\/group account credentials (if deployed) when individuals are removed from the group."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications or records of recently transferred, separated, or terminated employees\n\nlist of recently disabled information system accounts along with the name of the individual associated with each account\n\naccess authorization records\n\naccount management compliance reviews\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes account management on the information system\n\nautomated mechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","props":[{"name":"label","value":"AC-2(1)"},{"name":"sort-id","value":"ac-02.01"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the management of information system accounts."},{"id":"ac-2.1_gdn","name":"guidance","prose":"The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical system account usage."},{"id":"ac-2.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the management of information system accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Removal of Temporary \/ Emergency Accounts","params":[{"id":"ac-2.2_prm_1","select":{"choice":["removes","disables"]}},{"id":"ac-2.2_prm_2","label":"organization-defined time period for each type of account"}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"sort-id","value":"ac-02.02"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"The information system automatically {{ insert: param, ac-2.2_prm_1 }} temporary and emergency accounts after {{ insert: param, ac-2.2_prm_2 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator."},{"id":"ac-2.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(2)[1]"}],"prose":"the organization defines the time period after which the information system automatically removes or disables temporary and emergency accounts; and"},{"id":"ac-2.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(2)[2]"}],"prose":"the information system automatically removes or disables temporary and emergency accounts after the organization-defined time period for each type of account."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Inactive Accounts","params":[{"id":"ac-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"sort-id","value":"ac-02.03"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"The information system automatically disables inactive accounts after {{ insert: param, ac-2.3_prm_1 }}."},{"id":"ac-2.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(3)[1]"}],"prose":"the organization defines the time period after which the information system automatically disables inactive accounts; and"},{"id":"ac-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(3)[2]"}],"prose":"the information system automatically disables inactive accounts after the organization-defined time period."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system-generated list of temporary accounts removed and\/or disabled\n\ninformation system-generated list of emergency accounts removed and\/or disabled\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","params":[{"id":"ac-2.4_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-2(4)"},{"name":"sort-id","value":"ac-02.04"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies {{ insert: param, ac-2.4_prm_1 }}."},{"id":"ac-2.4_gdn","name":"guidance","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-2.4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-2.4_obj.1","name":"objective","props":[{"name":"label","value":"AC-2(4)[1]"}],"prose":"the information system automatically audits the following account actions:","parts":[{"id":"ac-2.4_obj.1.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.1.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.1.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.1.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.1.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[1][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-2(4)[2]"}],"prose":"the organization defines personnel or roles to be notified of the following account actions:","parts":[{"id":"ac-2.4_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.2.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][d]"}],"prose":"disabling;"},{"id":"ac-2.4_obj.2.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[2][e]"}],"prose":"removal;"}]},{"id":"ac-2.4_obj.3","name":"objective","props":[{"name":"label","value":"AC-2(4)[3]"}],"prose":"the information system notifies organization-defined personnel or roles of the following account actions:","parts":[{"id":"ac-2.4_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][a]"}],"prose":"creation;"},{"id":"ac-2.4_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][b]"}],"prose":"modification;"},{"id":"ac-2.4_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][c]"}],"prose":"enabling;"},{"id":"ac-2.4_obj.3.d","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][d]"}],"prose":"disabling; and"},{"id":"ac-2.4_obj.3.e","name":"objective","props":[{"name":"label","value":"AC-2(4)[3][e]"}],"prose":"removal."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing account management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-3"},{"name":"sort-id","value":"ac-03"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"ac-3_obj","name":"objective","prose":"Determine if the information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-4_prm_1","label":"organization-defined information flow control policies"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-4"},{"name":"sort-id","value":"ac-04"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on {{ insert: param, ac-4_prm_1 }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering\/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}]},{"id":"ac-4_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-4_obj.1","name":"objective","props":[{"name":"label","value":"AC-4[1]"}],"prose":"the organization defines information flow control policies to control the flow of information within the system and between interconnected systems; and"},{"id":"ac-4_obj.2","name":"objective","props":[{"name":"label","value":"AC-4[2]"}],"prose":"the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on organization-defined information flow control policies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system baseline configuration\n\nlist of information flow authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-5_prm_1","label":"organization-defined duties of individuals"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-5"},{"name":"sort-id","value":"ac-05"}],"parts":[{"id":"ac-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Separates {{ insert: param, ac-5_prm_1 }};"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents separation of duties of individuals; and"},{"id":"ac-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines information system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and\/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ac-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-5.a_obj","name":"objective","props":[{"name":"label","value":"AC-5(a)"}],"parts":[{"id":"ac-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-5(a)[1]"}],"prose":"defines duties of individuals to be separated;"},{"id":"ac-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-5(a)[2]"}],"prose":"separates organization-defined duties of individuals;"}]},{"id":"ac-5.b_obj","name":"objective","props":[{"name":"label","value":"AC-5(b)"}],"prose":"documents separation of duties; and"},{"id":"ac-5.c_obj","name":"objective","props":[{"name":"label","value":"AC-5(c)"}],"prose":"defines information system access authorizations to support separation of duties."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\ninformation system configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\ninformation system access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-6"},{"name":"sort-id","value":"ac-06"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions\/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"ac-6_obj","name":"objective","prose":"Determine if the organization employs the principle of least privilege, allowing only authorized access for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_1","label":"organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information"}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"sort-id","value":"ac-06.01"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"The organization explicitly authorizes access to {{ insert: param, ac-6.1_prm_1 }}."},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers\/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}]},{"id":"ac-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(1)[1]"}],"prose":"defines security-relevant information for which access must be explicitly authorized;"},{"id":"ac-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(1)[2]"}],"prose":"defines security functions deployed in:","parts":[{"id":"ac-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][a]"}],"prose":"hardware;"},{"id":"ac-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][b]"}],"prose":"software;"},{"id":"ac-6.1_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-6(1)[2][c]"}],"prose":"firmware;"}]},{"id":"ac-6.1_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(1)[3]"}],"prose":"explicitly authorizes access to:","parts":[{"id":"ac-6.1_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][a]"}],"prose":"organization-defined security functions; and"},{"id":"ac-6.1_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-6(1)[3][b]"}],"prose":"security-relevant information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-6.2_prm_1","label":"organization-defined security functions or security-relevant information"}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"sort-id","value":"ac-06.02"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"The organization requires that users of information system accounts, or roles, with access to {{ insert: param, ac-6.2_prm_1 }}, use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.","links":[{"href":"#pl-4","rel":"related"}]},{"id":"ac-6.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.2_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(2)[1]"}],"prose":"defines security functions or security-relevant information to which users of information system accounts, or roles, have access; and"},{"id":"ac-6.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(2)[2]"}],"prose":"requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to information system accounts or roles\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-6.5_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"sort-id","value":"ac-06.05"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"The organization restricts privileged accounts on the information system to {{ insert: param, ac-6.5_prm_1 }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information\/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk.","links":[{"href":"#cm-6","rel":"related"}]},{"id":"ac-6.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-6.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(5)[1]"}],"prose":"defines personnel or roles for which privileged accounts on the information system are to be restricted; and"},{"id":"ac-6.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(5)[2]"}],"prose":"restricts privileged accounts on the information system to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Auditing Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"sort-id","value":"ac-06.09"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"The information system audits the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT).","links":[{"href":"#au-2","rel":"related"}]},{"id":"ac-6.9_obj","name":"objective","prose":"Determine if the information system audits the execution of privileged functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"sort-id","value":"ac-06.10"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards\/countermeasures."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users."},{"id":"ac-6.10_obj","name":"objective","prose":"Determine if the information system prevents non-privileged users from executing privileged functions to include:","parts":[{"id":"ac-6.10_obj.1","name":"objective","props":[{"name":"label","value":"AC-6(10)[1]"}],"prose":"disabling implemented security safeguards\/countermeasures;"},{"id":"ac-6.10_obj.2","name":"objective","props":[{"name":"label","value":"AC-6(10)[2]"}],"prose":"circumventing security safeguards\/countermeasures; or"},{"id":"ac-6.10_obj.3","name":"objective","props":[{"name":"label","value":"AC-6(10)[3]"}],"prose":"altering implemented security safeguards\/countermeasures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-7_prm_1","label":"organization-defined number"},{"id":"ac-7_prm_2","label":"organization-defined time period"},{"id":"ac-7_prm_3","select":{"choice":["locks the account\/node for an {{ insert: param, ac-7_prm_4 }} ","locks the account\/node until released by an administrator","delays next logon prompt according to {{ insert: param, ac-7_prm_5 }} "]}},{"id":"ac-7_prm_4","depends-on":"ac-7_prm_3","label":"organization-defined time period"},{"id":"ac-7_prm_5","depends-on":"ac-7_prm_3","label":"organization-defined delay algorithm"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-7"},{"name":"sort-id","value":"ac-07"}],"parts":[{"id":"ac-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces a limit of {{ insert: param, ac-7_prm_1 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-7_prm_2 }}; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-7_prm_3 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ac-7_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-7.a_obj","name":"objective","props":[{"name":"label","value":"AC-7(a)"}],"parts":[{"id":"ac-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(a)[1]"}],"prose":"the organization defines the number of consecutive invalid logon attempts allowed to the information system by a user during an organization-defined time period;"},{"id":"ac-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(a)[2]"}],"prose":"the organization defines the time period allowed by a user of the information system for an organization-defined number of consecutive invalid logon attempts;"},{"id":"ac-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-7(a)[3]"}],"prose":"the information system enforces a limit of organization-defined number of consecutive invalid logon attempts by a user during an organization-defined time period;"}]},{"id":"ac-7.b_obj","name":"objective","props":[{"name":"label","value":"AC-7(b)"}],"parts":[{"id":"ac-7.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-7(b)[1]"}],"prose":"the organization defines account\/node lockout time period or logon delay algorithm to be automatically enforced by the information system when the maximum number of unsuccessful logon attempts is exceeded;"},{"id":"ac-7.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-7(b)[2]"}],"prose":"the information system, when the maximum number of unsuccessful logon attempts is exceeded, automatically:","parts":[{"id":"ac-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][a]"}],"prose":"locks the account\/node for the organization-defined time period;"},{"id":"ac-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][b]"}],"prose":"locks the account\/node until released by an administrator; or"},{"id":"ac-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-7(b)[2][c]"}],"prose":"delays next logon prompt according to the organization-defined delay algorithm."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-8_prm_1","label":"organization-defined system use notification message or banner"},{"id":"ac-8_prm_2","label":"organization-defined conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-8"},{"name":"sort-id","value":"ac-08"}],"parts":[{"id":"ac-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Displays to users {{ insert: param, ac-8_prm_1 }} before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government information system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the information system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Displays system use information {{ insert: param, ac-8_prm_2 }}, before granting further access;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages\/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-8.a_obj","name":"objective","props":[{"name":"label","value":"AC-8(a)"}],"parts":[{"id":"ac-8.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(a)[1]"}],"prose":"the organization defines a system use notification message or banner to be displayed by the information system to users before granting access to the system;"},{"id":"ac-8.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2]"}],"prose":"the information system displays to users the organization-defined system use notification message or banner before granting access to the information system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance, and states that:","parts":[{"id":"ac-8.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](1)"}],"prose":"users are accessing a U.S. Government information system;"},{"id":"ac-8.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](2)"}],"prose":"information system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8.a.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](3)"}],"prose":"unauthorized use of the information system is prohibited and subject to criminal and civil penalties;"},{"id":"ac-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(a)[2](4)"}],"prose":"use of the information system indicates consent to monitoring and recording;"}]}]},{"id":"ac-8.b_obj","name":"objective","props":[{"name":"label","value":"AC-8(b)"}],"prose":"the information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system;"},{"id":"ac-8.c_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)"}],"prose":"for publicly accessible systems:","parts":[{"id":"ac-8.c.1_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)"}],"parts":[{"id":"ac-8.c.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[1]"}],"prose":"the organization defines conditions for system use to be displayed by the information system before granting further access;"},{"id":"ac-8.c.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-8(c)(1)[2]"}],"prose":"the information system displays organization-defined conditions before granting further access;"}]},{"id":"ac-8.c.2_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(2)"}],"prose":"the information system displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8.c.3_obj","name":"objective","props":[{"name":"label","value":"AC-8(c)(3)"}],"prose":"the information system includes a description of the authorized uses of the system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of information system use notification messages or banners\n\ninformation system audit records\n\nuser acknowledgements of notification message or banner\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system use notification messages\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for providing legal advice\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing system use notification"}]}]},{"id":"ac-11","class":"SP800-53","title":"Session Lock","params":[{"id":"ac-11_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-11"},{"name":"sort-id","value":"ac-11"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"}],"parts":[{"id":"ac-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevents further access to the system by initiating a session lock after {{ insert: param, ac-11_prm_1 }} of inactivity or upon receiving a request from a user; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays.","links":[{"href":"#ac-7","rel":"related"}]},{"id":"ac-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-11.a_obj","name":"objective","props":[{"name":"label","value":"AC-11(a)"}],"parts":[{"id":"ac-11.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-11(a)[1]"}],"prose":"the organization defines the time period of user inactivity after which the information system initiates a session lock;"},{"id":"ac-11.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-11(a)[2]"}],"prose":"the information system prevents further access to the system by initiating a session lock after organization-defined time period of user inactivity or upon receiving a request from a user; and"}]},{"id":"ac-11.b_obj","name":"objective","props":[{"name":"label","value":"AC-11(b)"}],"prose":"the information system retains the session lock until the user reestablishes access using established identification and authentication procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"sort-id","value":"ac-11.01"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information."},{"id":"ac-11.1_obj","name":"objective","prose":"Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_prm_1","label":"organization-defined conditions or trigger events requiring session disconnect"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-12"},{"name":"sort-id","value":"ac-12"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"The information system automatically terminates a user session after {{ insert: param, ac-12_prm_1 }}."},{"id":"ac-12_gdn","name":"guidance","prose":"This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user’s logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.","links":[{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}]},{"id":"ac-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-12_obj.1","name":"objective","props":[{"name":"label","value":"AC-12[1]"}],"prose":"the organization defines conditions or trigger events requiring session disconnect; and"},{"id":"ac-12_obj.2","name":"objective","props":[{"name":"label","value":"AC-12[2]"}],"prose":"the information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect occurs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_prm_1","label":"organization-defined user actions"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-14"},{"name":"sort-id","value":"ac-14"}],"parts":[{"id":"ac-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies {{ insert: param, ac-14_prm_1 }} that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none.","links":[{"href":"#cp-2","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"ac-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-14.a_obj","name":"objective","props":[{"name":"label","value":"AC-14(a)"}],"parts":[{"id":"ac-14.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-14(a)[1]"}],"prose":"defines user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions;"},{"id":"ac-14.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-14(a)[2]"}],"prose":"identifies organization-defined user actions that can be performed on the information system without identification or authentication consistent with organizational missions\/business functions; and"}]},{"id":"ac-14.b_obj","name":"objective","props":[{"name":"label","value":"AC-14(b)"}],"prose":"documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-17"},{"name":"sort-id","value":"ac-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#d1a4e2a9-e512-4132-8795-5357aba29254","rel":"reference"}],"parts":[{"id":"ac-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes remote access to the information system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(a)"}],"parts":[{"id":"ac-17.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(a)[1]"}],"prose":"identifies the types of remote access allowed to the information system;"},{"id":"ac-17.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(a)[2]"}],"prose":"establishes for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.2.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[2][c]"}],"prose":"implementation guidance;"}]},{"id":"ac-17.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-17(a)[3]"}],"prose":"documents for each type of remote access allowed:","parts":[{"id":"ac-17.a_obj.3.a","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][a]"}],"prose":"usage restrictions;"},{"id":"ac-17.a_obj.3.b","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][b]"}],"prose":"configuration\/connection requirements;"},{"id":"ac-17.a_obj.3.c","name":"objective","props":[{"name":"label","value":"AC-17(a)[3][c]"}],"prose":"implementation guidance; and"}]}]},{"id":"ac-17.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(b)"}],"prose":"authorizes remote access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nremote access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Remote access management capability for the information system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Automated Monitoring \/ Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"sort-id","value":"ac-17.01"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"The information system monitors and controls remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Automated monitoring and control of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote users on a variety of information system components (e.g., servers, workstations, notebook computers, smart phones, and tablets).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"ac-17.1_obj","name":"objective","prose":"Determine if the information system monitors and controls remote access methods."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system monitoring records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality \/ Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"sort-id","value":"ac-17.02"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"The encryption strength of mechanism is selected based on the security categorization of the information.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-17.2_obj","name":"objective","prose":"Determine if the information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","params":[{"id":"ac-17.3_prm_1","label":"organization-defined number"}],"props":[{"name":"label","value":"AC-17(3)"},{"name":"sort-id","value":"ac-17.03"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"The information system routes all remote accesses through {{ insert: param, ac-17.3_prm_1 }} managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections.","links":[{"href":"#sc-7","rel":"related"}]},{"id":"ac-17.3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ac-17.3_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(3)[1]"}],"prose":"the organization defines the number of managed network access control points through which all remote accesses are to be routed; and"},{"id":"ac-17.3_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(3)[2]"}],"prose":"the information system routes all remote accesses through the organization-defined number of managed network access control points."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system design documentation\n\nlist of all managed network access control points\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands \/ Access","params":[{"id":"ac-17.4_prm_1","label":"organization-defined needs"}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"sort-id","value":"ac-17.04"}],"parts":[{"id":"ac-17.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorizes the execution of privileged commands and access to security-relevant information via remote access only for {{ insert: param, ac-17.4_prm_1 }}; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Documents the rationale for such access in the security plan for the information system."}]},{"id":"ac-17.4_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ac-17.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-17.4.a_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)"}],"parts":[{"id":"ac-17.4.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[1]"}],"prose":"defines needs to authorize the execution of privileged commands and access to security-relevant information via remote access;"},{"id":"ac-17.4.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-17(4)(a)[2]"}],"prose":"authorizes the execution of privileged commands and access to security-relevant information via remote access only for organization-defined needs; and"}],"links":[{"href":"#ac-17.4_smt.a","rel":"corresp"}]},{"id":"ac-17.4.b_obj","name":"objective","props":[{"name":"label","value":"AC-17(4)(b)"}],"prose":"documents the rationale for such access in the information system security plan.","links":[{"href":"#ac-17.4_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing remote access to the information system\n\ninformation system configuration settings and associated documentation\n\nsecurity plan\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-18"},{"name":"sort-id","value":"ac-18"}],"links":[{"href":"#238ed479-eccb-49f6-82ec-ab74a7a428cf","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#6f336ecd-f2a0-4c84-9699-0491d81b6e0d","rel":"reference"}],"parts":[{"id":"ac-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration\/connection requirements, and implementation guidance for wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes wireless access to the information system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include, for example, microwave, packet radio (UHF\/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP\/TLS, PEAP), which provide credential protection and mutual authentication.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-18.a_obj","name":"objective","props":[{"name":"label","value":"AC-18(a)"}],"prose":"establishes for wireless access:","parts":[{"id":"ac-18.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-18.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-18.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-18(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-18.b_obj","name":"objective","props":[{"name":"label","value":"AC-18(b)"}],"prose":"authorizes wireless access to the information system prior to allowing such connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nwireless access authorizations\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Wireless access management capability for the information system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.1_prm_1","select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"sort-id","value":"ac-18.01"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"The information system protects wireless access to the system using authentication of {{ insert: param, ac-18.1_prm_1 }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ac-18.1_obj","name":"objective","prose":"Determine if the information system protects wireless access to the system using encryption and one or more of the following:","parts":[{"id":"ac-18.1_obj.1","name":"objective","props":[{"name":"label","value":"AC-18(1)[1]"}],"prose":"authentication of users; and\/or"},{"id":"ac-18.1_obj.2","name":"objective","props":[{"name":"label","value":"AC-18(1)[2]"}],"prose":"authentication of devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing wireless access protections to the information system"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-19"},{"name":"sort-id","value":"ac-19"}],"links":[{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#1201fcf3-afb1-4675-915a-fb4ae0435717","rel":"reference"},{"href":"#0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","rel":"reference"},{"href":"#6513e480-fada-4876-abba-1397084dfb26","rel":"reference"}],"parts":[{"id":"ac-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes the connection of mobile devices to organizational information systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones, E-readers, and tablets. Mobile devices are typically associated with a single individual and the device is usually in close proximity to the individual; however, the degree of proximity can vary depending upon on the form factor and size of the device. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of desktop systems, depending upon the nature and intended purpose of the device. Due to the large variety of mobile devices with different technical characteristics and capabilities, organizational restrictions may vary for the different classes\/types of such devices. Usage restrictions and specific implementation guidance for mobile devices include, for example, configuration management, device identification and authentication, implementation of mandatory protective software (e.g., malicious code detection, firewall), scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (e.g., wireless, infrared). Organizations are cautioned that the need to provide adequate security for mobile devices goes beyond the requirements in this control. Many safeguards and countermeasures for mobile devices are reflected in other security controls in the catalog allocated in the initial control baselines as starting points for the development of security plans and overlays using the tailoring process. There may also be some degree of overlap in the requirements articulated by the security controls within the different families of controls. AC-20 addresses mobile devices that are not organization-controlled.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ac-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.a_obj","name":"objective","props":[{"name":"label","value":"AC-19(a)"}],"prose":"establishes for organization-controlled mobile devices:","parts":[{"id":"ac-19.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(a)[1]"}],"prose":"usage restrictions;"},{"id":"ac-19.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(a)[2]"}],"prose":"configuration\/connection requirement;"},{"id":"ac-19.a_obj.3","name":"objective","props":[{"name":"label","value":"AC-19(a)[3]"}],"prose":"implementation guidance; and"}]},{"id":"ac-19.b_obj","name":"objective","props":[{"name":"label","value":"AC-19(b)"}],"prose":"authorizes the connection of mobile devices to organizational information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational information systems\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel using mobile devices to access organizational information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Access control capability authorizing mobile device connections to organizational information systems"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device \/ Container-based Encryption","params":[{"id":"ac-19.5_prm_1","select":{"choice":["full-device encryption","container encryption"]}},{"id":"ac-19.5_prm_2","label":"organization-defined mobile devices"}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"sort-id","value":"ac-19.05"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ac-19.5_prm_1 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.5_prm_2 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to the encryption of data\/information on mobile devices, including for example, encrypting selected data structures such as files, records, or fields.","links":[{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ac-19.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-19.5_obj.1","name":"objective","props":[{"name":"label","value":"AC-19(5)[1]"}],"prose":"defines mobile devices for which full-device encryption or container encryption is required to protect the confidentiality and integrity of information on such devices; and"},{"id":"ac-19.5_obj.2","name":"objective","props":[{"name":"label","value":"AC-19(5)[2]"}],"prose":"employs full-device encryption or container encryption to protect the confidentiality and integrity of information on organization-defined mobile devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nencryption mechanism s and associated configuration documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Information Systems","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AC-20"},{"name":"sort-id","value":"ac-20"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"ac-20_smt","name":"statement","prose":"The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Access the information system from external information systems; and"},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Process, store, or transmit organization-controlled information using external information systems."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External information systems are information systems or components of information systems that are outside of the authorization boundary established by organizations and for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness. External information systems include, for example: (i) personally owned information systems\/devices (e.g., notebook computers, smart phones, tablets, personal digital assistants); (ii) privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, train stations, convention centers, shopping malls, or airports); (iii) information systems owned or controlled by nonfederal governmental organizations; and (iv) federal information systems that are not owned by, operated by, or under the direct supervision and authority of organizations. This control also addresses the use of external information systems for the processing, storage, or transmission of organizational information, including, for example, accessing cloud services (e.g., infrastructure as a service, platform as a service, or software as a service) from organizational information systems. For some external information systems (i.e., information systems operated by other federal agencies, including organizations subordinate to those agencies), the trust relationships that have been established between those organizations and the originating organization may be such, that no explicit terms and conditions are required. Information systems within these organizations would not be considered external. These situations occur when, for example, there are pre-existing sharing\/trust agreements (either implicit or explicit) established between federal agencies or organizations subordinate to those agencies, or when such trust agreements are specified by applicable laws, Executive Orders, directives, or policies. Authorized individuals include, for example, organizational personnel, contractors, or other individuals with authorized access to organizational information systems and over which organizations have the authority to impose rules of behavior with regard to system access. Restrictions that organizations impose on authorized individuals need not be uniform, as those restrictions may vary depending upon the trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments. This control does not apply to the use of external information systems to access public interfaces to organizational information systems (e.g., individuals accessing federal information through www.usa.gov). Organizations establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. Terms and conditions address as a minimum: types of applications that can be accessed on organizational information systems from external information systems; and the highest security category of information that can be processed, stored, or transmitted on external information systems. If terms and conditions with the owners of external information systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ac-20_obj","name":"objective","prose":"Determine if the organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and\/or maintaining external information systems, allowing authorized individuals to:","parts":[{"id":"ac-20.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(a)"}],"prose":"access the information system from the external information systems; and"},{"id":"ac-20.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(b)"}],"prose":"process, store, or transmit organization-controlled information using external information systems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nexternal information systems terms and conditions\n\nlist of types of applications accessible from external information systems\n\nmaximum security categorization for information processed, stored, or transmitted on external information systems\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external information systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing terms and conditions on use of external information systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits On Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"sort-id","value":"ac-20.01"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"This control enhancement recognizes that there are circumstances where individuals using external information systems (e.g., contractors, coalition partners) need to access organizational information systems. In those situations, organizations need confidence that the external information systems contain the necessary security safeguards (i.e., security controls), so as not to compromise, damage, or otherwise harm organizational information systems. Verification that the required security controls have been implemented can be achieved, for example, by third-party, independent assessments, attestations, or other means, depending on the confidence level required by organizations.","links":[{"href":"#ca-2","rel":"related"}]},{"id":"ac-20.1_obj","name":"objective","prose":"Determine if the organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:","parts":[{"id":"ac-20.1.a_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(a)"}],"prose":"verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or","links":[{"href":"#ac-20.1_smt.a","rel":"corresp"}]},{"id":"ac-20.1.b_obj","name":"objective","props":[{"name":"label","value":"AC-20(1)(b)"}],"prose":"retains approved information system connection or processing agreements with the organizational entity hosting the external information system.","links":[{"href":"#ac-20.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing limits on use of external information systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices","params":[{"id":"ac-20.2_prm_1","select":{"choice":["restricts","prohibits"]}}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"sort-id","value":"ac-20.02"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"The organization {{ insert: param, ac-20.2_prm_1 }} the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"objective","prose":"Determine if the organization restricts or prohibits the use of organization-controlled portable storage devices by authorized individuals on external information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing the use of external information systems\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system connection or processing agreements\n\naccount management documents\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external information systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_prm_1","label":"organization-defined information sharing circumstances where user discretion is required"},{"id":"ac-21_prm_2","label":"organization-defined automated mechanisms or manual processes"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"AC-21"},{"name":"sort-id","value":"ac-21"}],"parts":[{"id":"ac-21_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for {{ insert: param, ac-21_prm_1 }}; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs {{ insert: param, ac-21_prm_2 }} to assist users in making information sharing\/collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program\/compartment.","links":[{"href":"#ac-3","rel":"related"}]},{"id":"ac-21_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-21.a_obj","name":"objective","props":[{"name":"label","value":"AC-21(a)"}],"parts":[{"id":"ac-21.a_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(a)[1]"}],"prose":"defines information sharing circumstances where user discretion is required;"},{"id":"ac-21.a_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(a)[2]"}],"prose":"facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information sharing circumstances;"}]},{"id":"ac-21.b_obj","name":"objective","props":[{"name":"label","value":"AC-21(b)"}],"parts":[{"id":"ac-21.b_obj.1","name":"objective","props":[{"name":"label","value":"AC-21(b)[1]"}],"prose":"defines automated mechanisms or manual processes to be employed to assist users in making information sharing\/collaboration decisions; and"},{"id":"ac-21.b_obj.2","name":"objective","props":[{"name":"label","value":"AC-21(b)[2]"}],"prose":"employs organization-defined automated mechanisms or manual processes to assist users in making information sharing\/collaboration decisions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of users authorized to make information sharing\/collaboration decisions\n\nlist of information sharing circumstances requiring user discretion\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel responsible for making information sharing\/collaboration decisions\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AC-22"},{"name":"sort-id","value":"ac-22"}],"parts":[{"id":"ac-22_smt","name":"statement","prose":"The organization:","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the content on the publicly accessible information system for nonpublic information {{ insert: param, ac-22_prm_1 }} and removes such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with federal laws, Executive Orders, directives, policies, regulations, standards, and\/or guidance, the general public is not authorized access to nonpublic information (e.g., information protected under the Privacy Act and proprietary information). This control addresses information systems that are controlled by the organization and accessible to the general public, typically without identification or authentication. The posting of information on non-organization information systems is covered by organizational policy.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}]},{"id":"ac-22_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ac-22.a_obj","name":"objective","props":[{"name":"label","value":"AC-22(a)"}],"prose":"designates individuals authorized to post information onto a publicly accessible information system;"},{"id":"ac-22.b_obj","name":"objective","props":[{"name":"label","value":"AC-22(b)"}],"prose":"trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22.c_obj","name":"objective","props":[{"name":"label","value":"AC-22(c)"}],"prose":"reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included;"},{"id":"ac-22.d_obj","name":"objective","props":[{"name":"label","value":"AC-22(d)"}],"parts":[{"id":"ac-22.d_obj.1","name":"objective","props":[{"name":"label","value":"AC-22(d)[1]"}],"prose":"defines the frequency to review the content on the publicly accessible information system for nonpublic information;"},{"id":"ac-22.d_obj.2","name":"objective","props":[{"name":"label","value":"AC-22(d)[2]"}],"prose":"reviews the content on the publicly accessible information system for nonpublic information with the organization-defined frequency; and"},{"id":"ac-22.d_obj.3","name":"objective","props":[{"name":"label","value":"AC-22(d)[3]"}],"prose":"removes nonpublic information from the publicly accessible information system, if discovered."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational information systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to nonpublic information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational information systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Security Awareness and Training Policy and Procedures","params":[{"id":"at-1_prm_1","label":"organization-defined personnel or roles"},{"id":"at-1_prm_2","label":"organization-defined frequency"},{"id":"at-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-1"},{"name":"sort-id","value":"at-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"at-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"at-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and"},{"id":"at-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security awareness and training procedures {{ insert: param, at-1_prm_3 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AT family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"at-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-1.a_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)"}],"parts":[{"id":"at-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)"}],"parts":[{"id":"at-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1]"}],"prose":"develops and documents an security awareness and training policy that addresses:","parts":[{"id":"at-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"at-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"at-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"at-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"at-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"at-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"at-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"at-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security awareness and training policy are to be disseminated;"},{"id":"at-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(1)[3]"}],"prose":"disseminates the security awareness and training policy to organization-defined personnel or roles;"}]},{"id":"at-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)"}],"parts":[{"id":"at-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security awareness and training policy and associated awareness and training controls;"},{"id":"at-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"at-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AT-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"at-1.b_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)"}],"parts":[{"id":"at-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)"}],"parts":[{"id":"at-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training policy;"},{"id":"at-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(1)[2]"}],"prose":"reviews and updates the current security awareness and training policy with the organization-defined frequency;"}]},{"id":"at-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)"}],"parts":[{"id":"at-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security awareness and training procedures; and"},{"id":"at-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AT-1(b)(2)[2]"}],"prose":"reviews and updates the current security awareness and training procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security awareness and training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Security Awareness Training","params":[{"id":"at-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-2"},{"name":"sort-id","value":"at-02"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-2_smt","name":"statement","prose":"The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"As part of initial training for new users;"},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-2_prm_1 }} thereafter."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories\/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.","links":[{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"at-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-2.a_obj","name":"objective","props":[{"name":"label","value":"AT-2(a)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2.b_obj","name":"objective","props":[{"name":"label","value":"AT-2(b)"}],"prose":"provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes; and"},{"id":"at-2.c_obj","name":"objective","props":[{"name":"label","value":"AT-2(c)"}],"parts":[{"id":"at-2.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-2(c)[1]"}],"prose":"defines the frequency to provide refresher security awareness training thereafter to information system users (including managers, senior executives, and contractors); and"},{"id":"at-2.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-2(c)[2]"}],"prose":"provides refresher security awareness training to information users (including managers, senior executives, and contractors) with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nappropriate codes of federal regulations\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities\n\norganizational personnel comprising the general information system user community"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing security awareness training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"sort-id","value":"at-02.02"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.","links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"at-2.2_obj","name":"objective","prose":"Determine if the organization includes security awareness training on recognizing and reporting potential indicators of insider threat."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel that participate in security awareness training\n\norganizational personnel with responsibilities for basic security awareness training\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Security Training","params":[{"id":"at-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AT-3"},{"name":"sort-id","value":"at-03"}],"links":[{"href":"#bb61234b-46c3-4211-8c2b-9869222a720d","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"at-3_smt","name":"statement","prose":"The organization provides role-based security training to personnel with assigned security roles and responsibilities:","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Before authorizing access to the information system or performing assigned duties;"},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, at-3_prm_1 }} thereafter."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition\/procurement officials, information system managers, system\/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-16","rel":"related"}]},{"id":"at-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-3.a_obj","name":"objective","props":[{"name":"label","value":"AT-3(a)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities before authorizing access to the information system or performing assigned duties;"},{"id":"at-3.b_obj","name":"objective","props":[{"name":"label","value":"AT-3(b)"}],"prose":"provides role-based security training to personnel with assigned security roles and responsibilities when required by information system changes; and"},{"id":"at-3.c_obj","name":"objective","props":[{"name":"label","value":"AT-3(c)"}],"parts":[{"id":"at-3.c_obj.1","name":"objective","props":[{"name":"label","value":"AT-3(c)[1]"}],"prose":"defines the frequency to provide refresher role-based security training thereafter to personnel with assigned security roles and responsibilities; and"},{"id":"at-3.c_obj.2","name":"objective","props":[{"name":"label","value":"AT-3(c)[2]"}],"prose":"provides refresher role-based security training to personnel with assigned security roles and responsibilities with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training implementation\n\ncodes of federal regulations\n\nsecurity training curriculum\n\nsecurity training materials\n\nsecurity plan\n\ntraining records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for role-based security training\n\norganizational personnel with assigned information system security roles and responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing role-based security training"}]}]},{"id":"at-4","class":"SP800-53","title":"Security Training Records","params":[{"id":"at-4_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AT-4"},{"name":"sort-id","value":"at-04"}],"parts":[{"id":"at-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retains individual training records for {{ insert: param, at-4_prm_1 }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the option of the organization.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-14","rel":"related"}]},{"id":"at-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"at-4.a_obj","name":"objective","props":[{"name":"label","value":"AT-4(a)"}],"parts":[{"id":"at-4.a_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(a)[1]"}],"prose":"documents individual information system security training activities including:","parts":[{"id":"at-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[1][b]"}],"prose":"specific role-based information system security training;"}]},{"id":"at-4.a_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(a)[2]"}],"prose":"monitors individual information system security training activities including:","parts":[{"id":"at-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][a]"}],"prose":"basic security awareness training;"},{"id":"at-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"AT-4(a)[2][b]"}],"prose":"specific role-based information system security training;"}]}]},{"id":"at-4.b_obj","name":"objective","props":[{"name":"label","value":"AT-4(b)"}],"parts":[{"id":"at-4.b_obj.1","name":"objective","props":[{"name":"label","value":"AT-4(b)[1]"}],"prose":"defines a time period to retain individual training records; and"},{"id":"at-4.b_obj.2","name":"objective","props":[{"name":"label","value":"AT-4(b)[2]"}],"prose":"retains individual training records for the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security training record retention responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Audit and Accountability Policy and Procedures","params":[{"id":"au-1_prm_1","label":"organization-defined personnel or roles"},{"id":"au-1_prm_2","label":"organization-defined frequency"},{"id":"au-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-1"},{"name":"sort-id","value":"au-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"au-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"au-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Audit and accountability policy {{ insert: param, au-1_prm_2 }}; and"},{"id":"au-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Audit and accountability procedures {{ insert: param, au-1_prm_3 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"au-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-1.a_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)"}],"parts":[{"id":"au-1.a.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)"}],"parts":[{"id":"au-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1]"}],"prose":"develops and documents an audit and accountability policy that addresses:","parts":[{"id":"au-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"au-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"au-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"au-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"au-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"au-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"au-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"au-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the audit and accountability policy are to be disseminated;"},{"id":"au-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(1)[3]"}],"prose":"disseminates the audit and accountability policy to organization-defined personnel or roles;"}]},{"id":"au-1.a.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)"}],"parts":[{"id":"au-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls;"},{"id":"au-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"au-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"AU-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"au-1.b_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)"}],"parts":[{"id":"au-1.b.1_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)"}],"parts":[{"id":"au-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability policy;"},{"id":"au-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(1)[2]"}],"prose":"reviews and updates the current audit and accountability policy with the organization-defined frequency;"}]},{"id":"au-1.b.2_obj","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)"}],"parts":[{"id":"au-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current audit and accountability procedures; and"},{"id":"au-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"AU-1(b)(2)[2]"}],"prose":"reviews and updates the current audit and accountability procedures in accordance with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Audit Events","params":[{"id":"au-2_prm_1","label":"organization-defined auditable events"},{"id":"au-2_prm_2","label":"organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-2"},{"name":"sort-id","value":"au-02"}],"links":[{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"au-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines that the information system is capable of auditing the following events: {{ insert: param, au-2_prm_1 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determines that the following events are to be audited within the information system: {{ insert: param, au-2_prm_2 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is any observable occurrence in an organizational information system. Organizations identify audit events as those events which are significant and relevant to the security of information systems and the environments in which those systems operate in order to meet specific and ongoing audit needs. Audit events can include, for example, password changes, failed logons, or failed accesses related to information systems, administrative privilege usage, PIV credential usage, or third-party credential usage. In determining the set of auditable events, organizations consider the auditing appropriate for each of the security controls to be implemented. To balance auditing requirements with other information system needs, this control also requires identifying that subset of auditable events that are audited at a given point in time. For example, organizations may determine that information systems must have the capability to log every file access both successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. Auditing requirements, including the need for auditable events, may be referenced in other security controls and control enhancements. Organizations also include auditable events that are required by applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Audit records can be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the identification of root causes to problems. Organizations consider in the definition of auditable events, the auditing necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented architectures.","links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.a_obj","name":"objective","props":[{"name":"label","value":"AU-2(a)"}],"parts":[{"id":"au-2.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(a)[1]"}],"prose":"defines the auditable events that the information system must be capable of auditing;"},{"id":"au-2.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(a)[2]"}],"prose":"determines that the information system is capable of auditing organization-defined auditable events;"}]},{"id":"au-2.b_obj","name":"objective","props":[{"name":"label","value":"AU-2(b)"}],"prose":"coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;"},{"id":"au-2.c_obj","name":"objective","props":[{"name":"label","value":"AU-2(c)"}],"prose":"provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents;"},{"id":"au-2.d_obj","name":"objective","props":[{"name":"label","value":"AU-2(d)"}],"parts":[{"id":"au-2.d_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(d)[1]"}],"prose":"defines the subset of auditable events defined in AU-2a that are to be audited within the information system;"},{"id":"au-2.d_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(d)[2]"}],"prose":"determines that the subset of auditable events defined in AU-2a are to be audited within the information system; and"},{"id":"au-2.d_obj.3","name":"objective","props":[{"name":"label","value":"AU-2(d)[3]"}],"prose":"determines the frequency of (or situation requiring) auditing for each identified event."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\ninformation system auditable events\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing"}]}],"controls":[{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"au-2.3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"AU-2(3)"},{"name":"sort-id","value":"au-02.03"}],"parts":[{"id":"au-2.3_smt","name":"statement","prose":"The organization reviews and updates the audited events {{ insert: param, au-2.3_prm_1 }}."},{"id":"au-2.3_gdn","name":"guidance","prose":"Over time, the events that organizations believe should be audited may change. Reviewing and updating the set of audited events periodically is necessary to ensure that the current set is still necessary and sufficient."},{"id":"au-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-2.3_obj.1","name":"objective","props":[{"name":"label","value":"AU-2(3)[1]"}],"prose":"defines the frequency to review and update the audited events; and"},{"id":"au-2.3_obj.2","name":"objective","props":[{"name":"label","value":"AU-2(3)[2]"}],"prose":"reviews and updates the auditable events with organization-defined frequency."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsecurity plan\n\nlist of organization-defined auditable events\n\nauditable events review and update records\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting review and update of auditable events"}]}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-3"},{"name":"sort-id","value":"au-03"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user\/process identifiers, event descriptions, success\/fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred).","links":[{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"au-3_obj","name":"objective","prose":"Determine if the information system generates audit records containing information that establishes:","parts":[{"id":"au-3_obj.1","name":"objective","props":[{"name":"label","value":"AU-3[1]"}],"prose":"what type of event occurred;"},{"id":"au-3_obj.2","name":"objective","props":[{"name":"label","value":"AU-3[2]"}],"prose":"when the event occurred;"},{"id":"au-3_obj.3","name":"objective","props":[{"name":"label","value":"AU-3[3]"}],"prose":"where the event occurred;"},{"id":"au-3_obj.4","name":"objective","props":[{"name":"label","value":"AU-3[4]"}],"prose":"the source of the event;"},{"id":"au-3_obj.5","name":"objective","props":[{"name":"label","value":"AU-3[5]"}],"prose":"the outcome of the event; and"},{"id":"au-3_obj.6","name":"objective","props":[{"name":"label","value":"AU-3[6]"}],"prose":"the identity of any individuals or subjects associated with the event."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\ninformation system incident reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-3.1_prm_1","label":"organization-defined additional, more detailed information"}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"sort-id","value":"au-03.01"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"The information system generates audit records containing the following additional information: {{ insert: param, au-3.1_prm_1 }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest."},{"id":"au-3.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-3.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-3(1)[1]"}],"prose":"the organization defines additional, more detailed information to be contained in audit records that the information system generates; and"},{"id":"au-3.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-3(1)[2]"}],"prose":"the information system generates audit records containing the organization-defined additional, more detailed information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Information system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Storage Capacity","params":[{"id":"au-4_prm_1","label":"organization-defined audit record storage requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-4"},{"name":"sort-id","value":"au-04"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"The organization allocates audit record storage capacity in accordance with {{ insert: param, au-4_prm_1 }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of auditing to be performed and the audit processing requirements when allocating audit storage capacity. Allocating sufficient audit storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of auditing capability.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"au-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-4_obj.1","name":"objective","props":[{"name":"label","value":"AU-4[1]"}],"prose":"defines audit record storage requirements; and"},{"id":"au-4_obj.2","name":"objective","props":[{"name":"label","value":"AU-4[2]"}],"prose":"allocates audit record storage capacity in accordance with the organization-defined audit record storage requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for information system components\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Processing Failures","params":[{"id":"au-5_prm_1","label":"organization-defined personnel or roles"},{"id":"au-5_prm_2","label":"organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-5"},{"name":"sort-id","value":"au-05"}],"parts":[{"id":"au-5_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alerts {{ insert: param, au-5_prm_1 }} in the event of an audit processing failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Takes the following additional actions: {{ insert: param, au-5_prm_2 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit processing failures include, for example, software\/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for different audit processing failures (e.g., by type, by location, by severity, or a combination of such factors). This control applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.","links":[{"href":"#au-4","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"au-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-5.a_obj","name":"objective","props":[{"name":"label","value":"AU-5(a)"}],"parts":[{"id":"au-5.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(a)[1]"}],"prose":"the organization defines the personnel or roles to be alerted in the event of an audit processing failure;"},{"id":"au-5.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(a)[2]"}],"prose":"the information system alerts the organization-defined personnel or roles in the event of an audit processing failure;"}]},{"id":"au-5.b_obj","name":"objective","props":[{"name":"label","value":"AU-5(b)"}],"parts":[{"id":"au-5.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-5(b)[1]"}],"prose":"the organization defines additional actions to be taken (e.g., shutdown information system, overwrite oldest audit records, stop generating audit records) in the event of an audit processing failure; and"},{"id":"au-5.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-5(b)[2]"}],"prose":"the information system takes the additional organization-defined actions in the event of an audit processing failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing information system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Review, Analysis, and Reporting","params":[{"id":"au-6_prm_1","label":"organization-defined frequency"},{"id":"au-6_prm_2","label":"organization-defined inappropriate or unusual activity"},{"id":"au-6_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-6"},{"name":"sort-id","value":"au-06"}],"parts":[{"id":"au-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and analyzes information system audit records {{ insert: param, au-6_prm_1 }} for indications of {{ insert: param, au-6_prm_2 }}; and"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports findings to {{ insert: param, au-6_prm_3 }}."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit review, analysis, and reporting covers information security-related auditing performed by organizations including, for example, auditing that results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and nonlocal maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at the information system boundaries, use of mobile code, and use of VoIP. Findings can be reported to organizational entities that include, for example, incident response team, help desk, information security group\/department. If organizations are prohibited from reviewing and analyzing audit information or unable to conduct such activities (e.g., in certain national security applications or systems), the review\/analysis may be carried out by other organizations granted such authority.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-19","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"au-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.a_obj","name":"objective","props":[{"name":"label","value":"AU-6(a)"}],"parts":[{"id":"au-6.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(a)[1]"}],"prose":"defines the types of inappropriate or unusual activity to look for when information system audit records are reviewed and analyzed;"},{"id":"au-6.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(a)[2]"}],"prose":"defines the frequency to review and analyze information system audit records for indications of organization-defined inappropriate or unusual activity;"},{"id":"au-6.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-6(a)[3]"}],"prose":"reviews and analyzes information system audit records for indications of organization-defined inappropriate or unusual activity with the organization-defined frequency;"}]},{"id":"au-6.b_obj","name":"objective","props":[{"name":"label","value":"AU-6(b)"}],"parts":[{"id":"au-6.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(b)[1]"}],"prose":"defines personnel or roles to whom findings resulting from reviews and analysis of information system audit records are to be reported; and"},{"id":"au-6.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(b)[2]"}],"prose":"reports findings to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Process Integration","props":[{"name":"label","value":"AU-6(1)"},{"name":"sort-id","value":"au-06.01"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes benefiting from integrated audit review, analysis, and reporting include, for example, incident response, continuous monitoring, contingency planning, and Inspector General audits.","links":[{"href":"#au-12","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"au-6.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-6.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-6(1)[1]"}],"prose":"employs automated mechanisms to integrate:","parts":[{"id":"au-6.1_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][a]"}],"prose":"audit review;"},{"id":"au-6.1_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][b]"}],"prose":"analysis;"},{"id":"au-6.1_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-6(1)[1][c]"}],"prose":"reporting processes;"}]},{"id":"au-6.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-6(1)[2]"}],"prose":"uses integrated audit review, analysis and reporting processes to support organizational processes for:","parts":[{"id":"au-6.1_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][a]"}],"prose":"investigation of suspicious activities; and"},{"id":"au-6.1_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-6(1)[2][b]"}],"prose":"response to suspicious activities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"sort-id","value":"au-06.03"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three tiers of risk management (i.e., organizational, mission\/business process, and information system) and supports cross-organization awareness.","links":[{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"au-6.3_obj","name":"objective","prose":"Determine if the organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records across different repositories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting analysis and correlation of audit records"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Reduction and Report Generation","props":[{"name":"priority","value":"P2"},{"name":"label","value":"AU-7"},{"name":"sort-id","value":"au-07"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"The information system provides an audit reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient.","links":[{"href":"#au-6","rel":"related"}]},{"id":"au-7_obj","name":"objective","prose":"Determine if the information system provides an audit reduction and report generation capability that supports:","parts":[{"id":"au-7.a_obj","name":"objective","props":[{"name":"label","value":"AU-7(a)"}],"parts":[{"id":"au-7.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(a)[1]"}],"prose":"on-demand audit review;"},{"id":"au-7.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(a)[2]"}],"prose":"analysis;"},{"id":"au-7.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-7(a)[3]"}],"prose":"reporting requirements;"},{"id":"au-7.a_obj.4","name":"objective","props":[{"name":"label","value":"AU-7(a)[4]"}],"prose":"after-the-fact investigations of security incidents; and"}]},{"id":"au-7.b_obj","name":"objective","props":[{"name":"label","value":"AU-7(b)"}],"prose":"does not alter the original content or time ordering of audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-7.1_prm_1","label":"organization-defined audit fields within audit records"}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"sort-id","value":"au-07.01"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"The information system provides the capability to process audit records for events of interest based on {{ insert: param, au-7.1_prm_1 }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of specific audit record fields including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-7.1_obj.1","name":"objective","props":[{"name":"label","value":"AU-7(1)[1]"}],"prose":"the organization defines audit fields within audit records in order to process audit records for events of interest; and"},{"id":"au-7.1_obj.2","name":"objective","props":[{"name":"label","value":"AU-7(1)[2]"}],"prose":"the information system provides the capability to process audit records for events of interest based on the organization-defined audit fields within audit records."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit reduction and report generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-8_prm_1","label":"organization-defined granularity of time measurement"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-8"},{"name":"sort-id","value":"au-08"}],"parts":[{"id":"au-8_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets {{ insert: param, au-8_prm_1 }}."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the information system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.","links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}]},{"id":"au-8_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(a)"}],"prose":"the information system uses internal system clocks to generate time stamps for audit records;"},{"id":"au-8.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(b)"}],"parts":[{"id":"au-8.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(b)[1]"}],"prose":"the information system records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT);"},{"id":"au-8.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(b)[2]"}],"prose":"the organization defines the granularity of time measurement to be met when recording time stamps for audit records; and"},{"id":"au-8.b_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(b)[3]"}],"prose":"the organization records time stamps for audit records that meet the organization-defined granularity of time measurement."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing time stamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"au-8.1_prm_1","label":"organization-defined frequency"},{"id":"au-8.1_prm_2","label":"organization-defined authoritative time source"},{"id":"au-8.1_prm_3","label":"organization-defined time period"}],"props":[{"name":"label","value":"AU-8(1)"},{"name":"sort-id","value":"au-08.01"}],"parts":[{"id":"au-8.1_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compares the internal information system clocks {{ insert: param, au-8.1_prm_1 }} with {{ insert: param, au-8.1_prm_2 }}; and"},{"id":"au-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, au-8.1_prm_3 }}."}]},{"id":"au-8.1_gdn","name":"guidance","prose":"This control enhancement provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network."},{"id":"au-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-8.1.a_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)"}],"parts":[{"id":"au-8.1.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[1]"}],"prose":"the organization defines the authoritative time source to which internal information system clocks are to be compared;"},{"id":"au-8.1.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[2]"}],"prose":"the organization defines the frequency to compare the internal information system clocks with the organization-defined authoritative time source; and"},{"id":"au-8.1.a_obj.3","name":"objective","props":[{"name":"label","value":"AU-8(1)(a)[3]"}],"prose":"the information system compares the internal information system clocks with the organization-defined authoritative time source with organization-defined frequency; and"}],"links":[{"href":"#au-8.1_smt.a","rel":"corresp"}]},{"id":"au-8.1.b_obj","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)"}],"parts":[{"id":"au-8.1.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[1]"}],"prose":"the organization defines the time period that, if exceeded by the time difference between the internal system clocks and the authoritative time source, will result in the internal system clocks being synchronized to the authoritative time source; and"},{"id":"au-8.1.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-8(1)(b)[2]"}],"prose":"the information system synchronizes the internal information system clocks to the authoritative time source when the time difference is greater than the organization-defined time period."}],"links":[{"href":"#au-8.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing time stamp generation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing internal information system clock synchronization"}]}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-9"},{"name":"sort-id","value":"au-09"}],"parts":[{"id":"au-9_smt","name":"statement","prose":"The information system protects audit information and audit tools from unauthorized access, modification, and deletion."},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This control focuses on technical protection of audit information. Physical protection of audit information is addressed by media protection controls and physical and environmental protection controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"au-9_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-9_obj.1","name":"objective","props":[{"name":"label","value":"AU-9[1]"}],"prose":"the information system protects audit information from unauthorized:","parts":[{"id":"au-9_obj.1.a","name":"objective","props":[{"name":"label","value":"AU-9[1][a]"}],"prose":"access;"},{"id":"au-9_obj.1.b","name":"objective","props":[{"name":"label","value":"AU-9[1][b]"}],"prose":"modification;"},{"id":"au-9_obj.1.c","name":"objective","props":[{"name":"label","value":"AU-9[1][c]"}],"prose":"deletion;"}]},{"id":"au-9_obj.2","name":"objective","props":[{"name":"label","value":"AU-9[2]"}],"prose":"the information system protects audit tools from unauthorized:","parts":[{"id":"au-9_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-9[2][a]"}],"prose":"access;"},{"id":"au-9_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-9[2][b]"}],"prose":"modification; and"},{"id":"au-9_obj.2.c","name":"objective","props":[{"name":"label","value":"AU-9[2][c]"}],"prose":"deletion."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, information system audit records\n\naudit tools\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-9.4_prm_1","label":"organization-defined subset of privileged users"}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"sort-id","value":"au-09.04"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"The organization authorizes access to management of audit functionality to only {{ insert: param, au-9.4_prm_1 }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals with privileged access to an information system and who are also the subject of an audit by that system, may affect the reliability of audit information by inhibiting audit activities or modifying audit records. This control enhancement requires that privileged access be further defined between audit-related privileges and other privileges, thus limiting the users with audit-related privileges.","links":[{"href":"#ac-5","rel":"related"}]},{"id":"au-9.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-9.4_obj.1","name":"objective","props":[{"name":"label","value":"AU-9(4)[1]"}],"prose":"defines a subset of privileged users to be authorized access to management of audit functionality; and"},{"id":"au-9.4_obj.2","name":"objective","props":[{"name":"label","value":"AU-9(4)[2]"}],"prose":"authorizes access to management of audit functionality to only the organization-defined subset of privileged users."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation, system-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms managing access to audit functionality"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_prm_1","label":"organization-defined time period consistent with records retention policy"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"AU-11"},{"name":"sort-id","value":"au-11"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"The organization retains audit records for {{ insert: param, au-11_prm_1 }} to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that they are no longer needed for administrative, legal, audit, or other operational purposes. This includes, for example, retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on record retention.","links":[{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"au-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"au-11_obj.1","name":"objective","props":[{"name":"label","value":"AU-11[1]"}],"prose":"defines a time period to retain audit records that is consistent with records retention policy;"},{"id":"au-11_obj.2","name":"objective","props":[{"name":"label","value":"AU-11[2]"}],"prose":"retains audit records for the organization-defined time period consistent with records retention policy to:","parts":[{"id":"au-11_obj.2.a","name":"objective","props":[{"name":"label","value":"AU-11[2][a]"}],"prose":"provide support for after-the-fact investigations of security incidents; and"},{"id":"au-11_obj.2.b","name":"objective","props":[{"name":"label","value":"AU-11[2][b]"}],"prose":"meet regulatory and organizational information retention requirements."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Generation","params":[{"id":"au-12_prm_1","label":"organization-defined information system components"},{"id":"au-12_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"AU-12"},{"name":"sort-id","value":"au-12"}],"parts":[{"id":"au-12_smt","name":"statement","prose":"The information system:","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides audit record generation capability for the auditable events defined in AU-2 a. at {{ insert: param, au-12_prm_1 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows {{ insert: param, au-12_prm_2 }} to select which auditable events are to be audited by specific components of the information system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records.","links":[{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"}]},{"id":"au-12_obj","name":"objective","prose":"Determine if:","parts":[{"id":"au-12.a_obj","name":"objective","props":[{"name":"label","value":"AU-12(a)"}],"parts":[{"id":"au-12.a_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(a)[1]"}],"prose":"the organization defines the information system components which are to provide audit record generation capability for the auditable events defined in AU-2a;"},{"id":"au-12.a_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(a)[2]"}],"prose":"the information system provides audit record generation capability, for the auditable events defined in AU-2a, at organization-defined information system components;"}]},{"id":"au-12.b_obj","name":"objective","props":[{"name":"label","value":"AU-12(b)"}],"parts":[{"id":"au-12.b_obj.1","name":"objective","props":[{"name":"label","value":"AU-12(b)[1]"}],"prose":"the organization defines the personnel or roles allowed to select which auditable events are to be audited by specific components of the information system;"},{"id":"au-12.b_obj.2","name":"objective","props":[{"name":"label","value":"AU-12(b)[2]"}],"prose":"the information system allows the organization-defined personnel or roles to select which auditable events are to be audited by specific components of the system; and"}]},{"id":"au-12.c_obj","name":"objective","props":[{"name":"label","value":"AU-12(c)"}],"prose":"the information system generates audit records for the events defined in AU-2d with the content in defined in AU-3."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of auditable events\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Security Assessment and Authorization","controls":[{"id":"ca-1","class":"SP800-53","title":"Security Assessment and Authorization Policy and Procedures","params":[{"id":"ca-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ca-1_prm_2","label":"organization-defined frequency"},{"id":"ca-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-1"},{"name":"sort-id","value":"ca-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ca-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ca-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security assessment and authorization policy {{ insert: param, ca-1_prm_2 }}; and"},{"id":"ca-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security assessment and authorization procedures {{ insert: param, ca-1_prm_3 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ca-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-1.a_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)"}],"parts":[{"id":"ca-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)"}],"parts":[{"id":"ca-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1]"}],"prose":"develops and documents a security assessment and authorization policy that addresses:","parts":[{"id":"ca-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ca-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ca-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ca-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ca-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ca-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ca-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ca-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the security assessment and authorization policy is to be disseminated;"},{"id":"ca-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(1)[3]"}],"prose":"disseminates the security assessment and authorization policy to organization-defined personnel or roles;"}]},{"id":"ca-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)"}],"parts":[{"id":"ca-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the security assessment and authorization policy and associated assessment and authorization controls;"},{"id":"ca-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ca-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ca-1.b_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)"}],"parts":[{"id":"ca-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)"}],"parts":[{"id":"ca-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization policy;"},{"id":"ca-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(1)[2]"}],"prose":"reviews and updates the current security assessment and authorization policy with the organization-defined frequency;"}]},{"id":"ca-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)"}],"parts":[{"id":"ca-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current security assessment and authorization procedures; and"},{"id":"ca-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CA-1(b)(2)[2]"}],"prose":"reviews and updates the current security assessment and authorization procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment and authorization responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Security Assessments","params":[{"id":"ca-2_prm_1","label":"organization-defined frequency"},{"id":"ca-2_prm_2","label":"organization-defined individuals or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-2"},{"name":"sort-id","value":"ca-02"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security controls and control enhancements under assessment;"},{"id":"ca-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine security control effectiveness; and"},{"id":"ca-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses the security controls in the information system and its environment of operation {{ insert: param, ca-2_prm_1 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produces a security assessment report that documents the results of the assessment; and"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provides the results of the security control assessment to {{ insert: param, ca-2_prm_2 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives. To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.","links":[{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.a_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)"}],"prose":"develops a security assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(1)"}],"prose":"security controls and control enhancements under assessment;"},{"id":"ca-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(2)"}],"prose":"assessment procedures to be used to determine security control effectiveness;"},{"id":"ca-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)"}],"parts":[{"id":"ca-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[1]"}],"prose":"assessment environment;"},{"id":"ca-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[2]"}],"prose":"assessment team;"},{"id":"ca-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CA-2(a)(3)[3]"}],"prose":"assessment roles and responsibilities;"}]}]},{"id":"ca-2.b_obj","name":"objective","props":[{"name":"label","value":"CA-2(b)"}],"parts":[{"id":"ca-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(b)[1]"}],"prose":"defines the frequency to assess the security controls in the information system and its environment of operation;"},{"id":"ca-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(b)[2]"}],"prose":"assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"}]},{"id":"ca-2.c_obj","name":"objective","props":[{"name":"label","value":"CA-2(c)"}],"prose":"produces a security assessment report that documents the results of the assessment;"},{"id":"ca-2.d_obj","name":"objective","props":[{"name":"label","value":"CA-2(d)"}],"parts":[{"id":"ca-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(d)[1]"}],"prose":"defines individuals or roles to whom the results of the security control assessment are to be provided; and"},{"id":"ca-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(d)[2]"}],"prose":"provides the results of the security control assessment to organization-defined individuals or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessment planning\n\nprocedures addressing security assessments\n\nsecurity assessment plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting security assessment, security assessment plan development, and\/or security assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","params":[{"id":"ca-2.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-2(1)"},{"name":"sort-id","value":"ca-02.01"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-2.1_prm_1 }} to conduct security control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and\/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-2.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-2(1)[1]"}],"prose":"defines the level of independence to be employed to conduct security control assessments; and"},{"id":"ca-2.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-2(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to conduct security control assessments."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security assessments\n\nsecurity authorization package (including security plan, security assessment plan, security assessment report, plan of action and milestones, authorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"System Interconnections","params":[{"id":"ca-3_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CA-3"},{"name":"sort-id","value":"ca-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#2711f068-734e-4afd-94ba-0b22247fbc88","rel":"reference"}],"parts":[{"id":"ca-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates Interconnection Security Agreements {{ insert: param, ca-3_prm_1 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.a_obj","name":"objective","props":[{"name":"label","value":"CA-3(a)"}],"prose":"authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;"},{"id":"ca-3.b_obj","name":"objective","props":[{"name":"label","value":"CA-3(b)"}],"prose":"documents, for each interconnection:","parts":[{"id":"ca-3.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-3.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(b)[2]"}],"prose":"the security requirements;"},{"id":"ca-3.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-3(b)[3]"}],"prose":"the nature of the information communicated;"}]},{"id":"ca-3.c_obj","name":"objective","props":[{"name":"label","value":"CA-3(c)"}],"parts":[{"id":"ca-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(c)[1]"}],"prose":"defines the frequency to review and update Interconnection Security Agreements; and"},{"id":"ca-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(c)[2]"}],"prose":"reviews and updates Interconnection Security Agreements with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system Interconnection Security Agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or approving information system interconnection agreements\n\norganizational personnel with information security responsibilities\n\npersonnel managing the system(s) to which the Interconnection Security Agreement applies"}]}],"controls":[{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions On External System Connections","params":[{"id":"ca-3.5_prm_1","select":{"choice":["allow-all, deny-by-exception","deny-all, permit-by-exception"]}},{"id":"ca-3.5_prm_2","label":"organization-defined information systems"}],"props":[{"name":"label","value":"CA-3(5)"},{"name":"sort-id","value":"ca-03.05"}],"parts":[{"id":"ca-3.5_smt","name":"statement","prose":"The organization employs {{ insert: param, ca-3.5_prm_1 }} policy for allowing {{ insert: param, ca-3.5_prm_2 }} to connect to external information systems."},{"id":"ca-3.5_gdn","name":"guidance","prose":"Organizations can constrain information system connectivity to external domains (e.g., websites) by employing one of two policies with regard to such connectivity: (i) allow-all, deny by exception, also known as blacklisting (the weaker of the two policies); or (ii) deny-all, allow by exception, also known as whitelisting (the stronger of the two policies). For either policy, organizations determine what exceptions, if any, are acceptable.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"ca-3.5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-3.5_obj.1","name":"objective","props":[{"name":"label","value":"CA-3(5)[1]"}],"prose":"defines information systems to be allowed to connect to external information systems;"},{"id":"ca-3.5_obj.2","name":"objective","props":[{"name":"label","value":"CA-3(5)[2]"}],"prose":"employs one of the following policies for allowing organization-defined information systems to connect to external information systems:","parts":[{"id":"ca-3.5_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][a]"}],"prose":"allow-all policy;"},{"id":"ca-3.5_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][b]"}],"prose":"deny-by-exception policy;"},{"id":"ca-3.5_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][c]"}],"prose":"deny-all policy; or"},{"id":"ca-3.5_obj.2.d","name":"objective","props":[{"name":"label","value":"CA-3(5)[2][d]"}],"prose":"permit-by-exception policy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\ninformation system interconnection agreements\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for managing connections to external information systems\n\nnetwork administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-5_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"CA-5"},{"name":"sort-id","value":"ca-05"}],"links":[{"href":"#2c5884cd-7b96-425c-862a-99877e1cf909","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"}],"parts":[{"id":"ca-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates existing plan of action and milestones {{ insert: param, ca-5_prm_1 }} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are key documents in security authorization packages and are subject to federal reporting requirements established by OMB.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-4","rel":"related"}]},{"id":"ca-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-5.a_obj","name":"objective","props":[{"name":"label","value":"CA-5(a)"}],"prose":"develops a plan of action and milestones for the information system to:","parts":[{"id":"ca-5.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(a)[1]"}],"prose":"document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls;"},{"id":"ca-5.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(a)[2]"}],"prose":"reduce or eliminate known vulnerabilities in the system;"}]},{"id":"ca-5.b_obj","name":"objective","props":[{"name":"label","value":"CA-5(b)"}],"parts":[{"id":"ca-5.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-5(b)[1]"}],"prose":"defines the frequency to update the existing plan of action and milestones;"},{"id":"ca-5.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-5(b)[2]"}],"prose":"updates the existing plan of action and milestones with the organization-defined frequency based on the findings from:","parts":[{"id":"ca-5.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][a]"}],"prose":"security controls assessments;"},{"id":"ca-5.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][b]"}],"prose":"security impact analyses; and"},{"id":"ca-5.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CA-5(b)[2][c]"}],"prose":"continuous monitoring activities."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing plan of action and milestones\n\nsecurity plan\n\nsecurity assessment plan\n\nsecurity assessment report\n\nsecurity assessment evidence\n\nplan of action and milestones\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Security Authorization","params":[{"id":"ca-6_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-6"},{"name":"sort-id","value":"ca-06"}],"links":[{"href":"#9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","rel":"reference"},{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"ca-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the authorizing official authorizes the information system for processing before commencing operations; and"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Updates the security authorization {{ insert: param, ca-6_prm_1 }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Security authorizations are official management decisions, conveyed through authorization decision documents, by senior organizational officials or executives (i.e., authorizing officials) to authorize operation of information systems and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon security controls. Authorizing officials provide budgetary oversight for organizational information systems or assume responsibility for the mission\/business operations supported by those systems. The security authorization process is an inherently federal responsibility and therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials assume responsibility and are accountable for security risks associated with the operation and use of organizational information systems. Accordingly, authorizing officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organizations conduct ongoing authorizations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorization requirements, so separate reauthorization processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorization packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorizing officials and information system owners with an up-to-date status of the security state of organizational information systems and environments of operation. To reduce the administrative cost of security reauthorization, authorizing officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"}]},{"id":"ca-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-6.a_obj","name":"objective","props":[{"name":"label","value":"CA-6(a)"}],"prose":"assigns a senior-level executive or manager as the authorizing official for the information system;"},{"id":"ca-6.b_obj","name":"objective","props":[{"name":"label","value":"CA-6(b)"}],"prose":"ensures that the authorizing official authorizes the information system for processing before commencing operations;"},{"id":"ca-6.c_obj","name":"objective","props":[{"name":"label","value":"CA-6(c)"}],"parts":[{"id":"ca-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-6(c)[1]"}],"prose":"defines the frequency to update the security authorization; and"},{"id":"ca-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-6(c)[2]"}],"prose":"updates the security authorization with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing security authorization\n\nsecurity authorization package (including security plan\n\nsecurity assessment report\n\nplan of action and milestones\n\nauthorization statement)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that facilitate security authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_1","label":"organization-defined metrics"},{"id":"ca-7_prm_2","label":"organization-defined frequencies"},{"id":"ca-7_prm_3","label":"organization-defined frequencies"},{"id":"ca-7_prm_4","label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-7"},{"name":"sort-id","value":"ca-07"}],"links":[{"href":"#bedb15b7-ec5c-4a68-807f-385125751fcd","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","rel":"reference"},{"href":"#2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","rel":"reference"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishment of {{ insert: param, ca-7_prm_1 }} to be monitored;"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishment of {{ insert: param, ca-7_prm_2 }} for monitoring and {{ insert: param, ca-7_prm_3 }} for assessments supporting such monitoring;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of security-related information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security status of organization and the information system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess\/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission\/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports\/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware\/software\/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.a_obj","name":"objective","props":[{"name":"label","value":"CA-7(a)"}],"parts":[{"id":"ca-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(a)[1]"}],"prose":"develops a continuous monitoring strategy that defines metrics to be monitored;"},{"id":"ca-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(a)[2]"}],"prose":"develops a continuous monitoring strategy that includes monitoring of organization-defined metrics;"},{"id":"ca-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(a)[3]"}],"prose":"implements a continuous monitoring program that includes monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.b_obj","name":"objective","props":[{"name":"label","value":"CA-7(b)"}],"parts":[{"id":"ca-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(b)[1]"}],"prose":"develops a continuous monitoring strategy that defines frequencies for monitoring;"},{"id":"ca-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(b)[2]"}],"prose":"defines frequencies for assessments supporting monitoring;"},{"id":"ca-7.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(b)[3]"}],"prose":"develops a continuous monitoring strategy that includes establishment of the organization-defined frequencies for monitoring and for assessments supporting monitoring;"},{"id":"ca-7.b_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(b)[4]"}],"prose":"implements a continuous monitoring program that includes establishment of organization-defined frequencies for monitoring and for assessments supporting such monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.c_obj","name":"objective","props":[{"name":"label","value":"CA-7(c)"}],"parts":[{"id":"ca-7.c_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(c)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security control assessments;"},{"id":"ca-7.c_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(c)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.d_obj","name":"objective","props":[{"name":"label","value":"CA-7(d)"}],"parts":[{"id":"ca-7.d_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(d)[1]"}],"prose":"develops a continuous monitoring strategy that includes ongoing security status monitoring of organization-defined metrics;"},{"id":"ca-7.d_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(d)[2]"}],"prose":"implements a continuous monitoring program that includes ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.e_obj","name":"objective","props":[{"name":"label","value":"CA-7(e)"}],"parts":[{"id":"ca-7.e_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(e)[1]"}],"prose":"develops a continuous monitoring strategy that includes correlation and analysis of security-related information generated by assessments and monitoring;"},{"id":"ca-7.e_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(e)[2]"}],"prose":"implements a continuous monitoring program that includes correlation and analysis of security-related information generated by assessments and monitoring in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.f_obj","name":"objective","props":[{"name":"label","value":"CA-7(f)"}],"parts":[{"id":"ca-7.f_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(f)[1]"}],"prose":"develops a continuous monitoring strategy that includes response actions to address results of the analysis of security-related information;"},{"id":"ca-7.f_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(f)[2]"}],"prose":"implements a continuous monitoring program that includes response actions to address results of the analysis of security-related information in accordance with the organizational continuous monitoring strategy;"}]},{"id":"ca-7.g_obj","name":"objective","props":[{"name":"label","value":"CA-7(g)"}],"parts":[{"id":"ca-7.g_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(g)[1]"}],"prose":"develops a continuous monitoring strategy that defines the personnel or roles to whom the security status of the organization and information system are to be reported;"},{"id":"ca-7.g_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(g)[2]"}],"prose":"develops a continuous monitoring strategy that defines the frequency to report the security status of the organization and information system to organization-defined personnel or roles;"},{"id":"ca-7.g_obj.3","name":"objective","props":[{"name":"label","value":"CA-7(g)[3]"}],"prose":"develops a continuous monitoring strategy that includes reporting the security status of the organization or information system to organizational-defined personnel or roles with the organization-defined frequency; and"},{"id":"ca-7.g_obj.4","name":"objective","props":[{"name":"label","value":"CA-7(g)[4]"}],"prose":"implements a continuous monitoring program that includes reporting the security status of the organization and information system to organization-defined personnel or roles with the organization-defined frequency in accordance with the organizational continuous monitoring strategy."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nprocedures addressing configuration management\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nconfiguration management records, security impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Mechanisms implementing continuous monitoring"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","params":[{"id":"ca-7.1_prm_1","label":"organization-defined level of independence"}],"props":[{"name":"label","value":"CA-7(1)"},{"name":"sort-id","value":"ca-07.01"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"The organization employs assessors or assessment teams with {{ insert: param, ca-7.1_prm_1 }} to monitor the security controls in the information system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations can maximize the value of assessments of security controls during the continuous monitoring process by requiring that such assessments be conducted by assessors or assessment teams with appropriate levels of independence based on continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-7.1_obj.1","name":"objective","props":[{"name":"label","value":"CA-7(1)[1]"}],"prose":"defines a level of independence to be employed to monitor the security controls in the information system on an ongoing basis; and"},{"id":"ca-7.1_obj.2","name":"objective","props":[{"name":"label","value":"CA-7(1)[2]"}],"prose":"employs assessors or assessment teams with the organization-defined level of independence to monitor the security controls in the information system on an ongoing basis."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security assessment and authorization policy\n\nprocedures addressing continuous monitoring of information system security controls\n\nsecurity plan\n\nsecurity assessment report\n\nplan of action and milestones\n\ninformation system monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-9_prm_1","label":"organization-defined information system components or classes of components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CA-9"},{"name":"sort-id","value":"ca-09"}],"parts":[{"id":"ca-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorizes internal connections of {{ insert: param, ca-9_prm_1 }} to the information system; and"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."}]},{"id":"ca-9_gdn","name":"guidance","prose":"This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook\/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and\/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"ca-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ca-9.a_obj","name":"objective","props":[{"name":"label","value":"CA-9(a)"}],"parts":[{"id":"ca-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(a)[1]"}],"prose":"defines information system components or classes of components to be authorized as internal connections to the information system;"},{"id":"ca-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(a)[2]"}],"prose":"authorizes internal connections of organization-defined information system components or classes of components to the information system;"}]},{"id":"ca-9.b_obj","name":"objective","props":[{"name":"label","value":"CA-9(b)"}],"prose":"documents, for each internal connection:","parts":[{"id":"ca-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CA-9(b)[1]"}],"prose":"the interface characteristics;"},{"id":"ca-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CA-9(b)[2]"}],"prose":"the security requirements; and"},{"id":"ca-9.b_obj.3","name":"objective","props":[{"name":"label","value":"CA-9(b)[3]"}],"prose":"the nature of the information communicated."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Access control policy\n\nprocedures addressing information system connections\n\nsystem and communications protection policy\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nsecurity assessment report\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Configuration Management Policy and Procedures","params":[{"id":"cm-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cm-1_prm_2","label":"organization-defined frequency"},{"id":"cm-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-1"},{"name":"sort-id","value":"cm-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cm-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cm-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Configuration management policy {{ insert: param, cm-1_prm_2 }}; and"},{"id":"cm-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Configuration management procedures {{ insert: param, cm-1_prm_3 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cm-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-1.a_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)"}],"parts":[{"id":"cm-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)"}],"parts":[{"id":"cm-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1]"}],"prose":"develops and documents a configuration management policy that addresses:","parts":[{"id":"cm-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cm-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cm-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cm-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cm-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cm-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cm-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cm-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the configuration management policy is to be disseminated;"},{"id":"cm-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(1)[3]"}],"prose":"disseminates the configuration management policy to organization-defined personnel or roles;"}]},{"id":"cm-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)"}],"parts":[{"id":"cm-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the configuration management policy and associated configuration management controls;"},{"id":"cm-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cm-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cm-1.b_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)"}],"parts":[{"id":"cm-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)"}],"parts":[{"id":"cm-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current configuration management policy;"},{"id":"cm-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(1)[2]"}],"prose":"reviews and updates the current configuration management policy with the organization-defined frequency;"}]},{"id":"cm-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)"}],"parts":[{"id":"cm-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current configuration management procedures; and"},{"id":"cm-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-1(b)(2)[2]"}],"prose":"reviews and updates the current configuration management procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-2"},{"name":"sort-id","value":"cm-02"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-2_smt","name":"statement","prose":"The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."},{"id":"cm-2_gdn","name":"guidance","prose":"This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and\/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings\/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"}]},{"id":"cm-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2_obj.1","name":"objective","props":[{"name":"label","value":"CM-2[1]"}],"prose":"develops and documents a current baseline configuration of the information system; and"},{"id":"cm-2_obj.2","name":"objective","props":[{"name":"label","value":"CM-2[2]"}],"prose":"maintains, under configuration control, a current baseline configuration of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","params":[{"id":"cm-2.1_prm_1","label":"organization-defined frequency"},{"id":"cm-2.1_prm_2","label":"Assignment organization-defined circumstances"}],"props":[{"name":"label","value":"CM-2(1)"},{"name":"sort-id","value":"cm-02.01"}],"parts":[{"id":"cm-2.1_smt","name":"statement","prose":"The organization reviews and updates the baseline configuration of the information system:","parts":[{"id":"cm-2.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, cm-2.1_prm_1 }};"},{"id":"cm-2.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When required due to {{ insert: param, cm-2.1_prm_2 }}; and"},{"id":"cm-2.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"As an integral part of information system component installations and upgrades."}]},{"id":"cm-2.1_gdn","name":"guidance","links":[{"href":"#cm-5","rel":"related"}]},{"id":"cm-2.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)"}],"parts":[{"id":"cm-2.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[1]"}],"prose":"defines the frequency to review and update the baseline configuration of the information system;"},{"id":"cm-2.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(a)[2]"}],"prose":"reviews and updates the baseline configuration of the information system with the organization-defined frequency;"}],"links":[{"href":"#cm-2.1_smt.a","rel":"corresp"}]},{"id":"cm-2.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)"}],"parts":[{"id":"cm-2.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[1]"}],"prose":"defines circumstances that require the baseline configuration of the information system to be reviewed and updated;"},{"id":"cm-2.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(1)(b)[2]"}],"prose":"reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances; and"}],"links":[{"href":"#cm-2.1_smt.b","rel":"corresp"}]},{"id":"cm-2.1.c_obj","name":"objective","props":[{"name":"label","value":"CM-2(1)(c)"}],"prose":"reviews and updates the baseline configuration of the information system as an integral part of information system component installations and upgrades.","links":[{"href":"#cm-2.1_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms supporting review and update of the baseline configuration"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-2.3_prm_1","label":"organization-defined previous versions of baseline configurations of the information system"}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"sort-id","value":"cm-02.03"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"The organization retains {{ insert: param, cm-2.3_prm_1 }} to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records."},{"id":"cm-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(3)[1]"}],"prose":"defines previous versions of baseline configurations of the information system to be retained to support rollback; and"},{"id":"cm-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(3)[2]"}],"prose":"retains organization-defined previous versions of baseline configurations of the information system to support rollback."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the information system\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems, Components, or Devices for High-risk Areas","params":[{"id":"cm-2.7_prm_1","label":"organization-defined information systems, system components, or devices"},{"id":"cm-2.7_prm_2","label":"organization-defined configurations"},{"id":"cm-2.7_prm_3","label":"organization-defined security safeguards"}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"sort-id","value":"cm-02.07"}],"parts":[{"id":"cm-2.7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Applies {{ insert: param, cm-2.7_prm_3 }} to the devices when the individuals return."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging\/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family."},{"id":"cm-2.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-2.7.a_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)"}],"parts":[{"id":"cm-2.7.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[1]"}],"prose":"defines information systems, system components, or devices to be issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[2]"}],"prose":"defines configurations to be employed on organization-defined information systems, system components, or devices issued to individuals traveling to such locations;"},{"id":"cm-2.7.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-2(7)(a)[3]"}],"prose":"issues organization-defined information systems, system components, or devices with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk;"}],"links":[{"href":"#cm-2.7_smt.a","rel":"corresp"}]},{"id":"cm-2.7.b_obj","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)"}],"parts":[{"id":"cm-2.7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[1]"}],"prose":"defines security safeguards to be applied to the devices when the individuals return; and"},{"id":"cm-2.7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-2(7)(b)[2]"}],"prose":"applies organization-defined safeguards to the devices when the individuals return."}],"links":[{"href":"#cm-2.7_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the information system\n\nprocedures addressing information system component installations and upgrades\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of information system baseline configuration reviews and updates\n\ninformation system component installations\/upgrades and associated records\n\nchange control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-3_prm_1","label":"organization-defined time period"},{"id":"cm-3_prm_2","label":"organization-defined configuration change control element (e.g., committee, board)"},{"id":"cm-3_prm_3","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-3_prm_4 }} "," {{ insert: param, cm-3_prm_5 }} "]}},{"id":"cm-3_prm_4","depends-on":"cm-3_prm_3","label":"organization-defined frequency"},{"id":"cm-3_prm_5","depends-on":"cm-3_prm_3","label":"organization-defined configuration change conditions"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-3"},{"name":"sort-id","value":"cm-03"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines the types of changes to the information system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents configuration change decisions associated with the information system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements approved configuration-controlled changes to the information system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains records of configuration-controlled changes to the information system for {{ insert: param, cm-3_prm_1 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Audits and reviews activities associated with configuration-controlled changes to the information system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinates and provides oversight for configuration change control activities through {{ insert: param, cm-3_prm_2 }} that convenes {{ insert: param, cm-3_prm_3 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled\/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.","links":[{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}]},{"id":"cm-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-3.a_obj","name":"objective","props":[{"name":"label","value":"CM-3(a)"}],"prose":"determines the type of changes to the information system that must be configuration-controlled;"},{"id":"cm-3.b_obj","name":"objective","props":[{"name":"label","value":"CM-3(b)"}],"prose":"reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;"},{"id":"cm-3.c_obj","name":"objective","props":[{"name":"label","value":"CM-3(c)"}],"prose":"documents configuration change decisions associated with the information system;"},{"id":"cm-3.d_obj","name":"objective","props":[{"name":"label","value":"CM-3(d)"}],"prose":"implements approved configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj","name":"objective","props":[{"name":"label","value":"CM-3(e)"}],"parts":[{"id":"cm-3.e_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(e)[1]"}],"prose":"defines a time period to retain records of configuration-controlled changes to the information system;"},{"id":"cm-3.e_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(e)[2]"}],"prose":"retains records of configuration-controlled changes to the information system for the organization-defined time period;"}]},{"id":"cm-3.f_obj","name":"objective","props":[{"name":"label","value":"CM-3(f)"}],"prose":"audits and reviews activities associated with configuration-controlled changes to the information system;"},{"id":"cm-3.g_obj","name":"objective","props":[{"name":"label","value":"CM-3(g)"}],"parts":[{"id":"cm-3.g_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(g)[1]"}],"prose":"defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;"},{"id":"cm-3.g_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(g)[2]"}],"prose":"defines the frequency with which the configuration change control element must convene; and\/or"},{"id":"cm-3.g_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(g)[3]"}],"prose":"defines configuration change conditions that prompt the configuration change control element to convene; and"},{"id":"cm-3.g_obj.4","name":"objective","props":[{"name":"label","value":"CM-3(g)[4]"}],"prose":"coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and\/or for any organization-defined configuration change conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system configuration change control\n\nconfiguration management plan\n\ninformation system architecture and configuration documentation\n\nsecurity plan\n\nchange control records\n\ninformation system audit records\n\nchange control audit and review reports\n\nagenda \/minutes from configuration change control oversight meetings\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Test \/ Validate \/ Document Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"sort-id","value":"cm-03.02"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals\/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities\/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems)."},{"id":"cm-3.2_obj","name":"objective","prose":"Determine if the organization, before implementing changes on the operational system:","parts":[{"id":"cm-3.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-3(2)[1]"}],"prose":"tests changes to the information system;"},{"id":"cm-3.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-3(2)[2]"}],"prose":"validates changes to the information system; and"},{"id":"cm-3.2_obj.3","name":"objective","props":[{"name":"label","value":"CM-3(2)[3]"}],"prose":"documents changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing information system configuration change control\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms supporting and\/or implementing testing, validating, and documenting information system changes"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Security Impact Analysis","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-4"},{"name":"sort-id","value":"cm-04"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills\/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"cm-4_obj","name":"objective","prose":"Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing security impact analysis for changes to the information system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for conducting security impact analysis\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security impact analysis"}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-5"},{"name":"sort-id","value":"cm-05"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system."},{"id":"cm-5_gdn","name":"guidance","prose":"Any changes to the hardware, software, and\/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"cm-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-5_obj.1","name":"objective","props":[{"name":"label","value":"CM-5[1]"}],"prose":"defines physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.2","name":"objective","props":[{"name":"label","value":"CM-5[2]"}],"prose":"documents physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.3","name":"objective","props":[{"name":"label","value":"CM-5[3]"}],"prose":"approves physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.4","name":"objective","props":[{"name":"label","value":"CM-5[4]"}],"prose":"enforces physical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.5","name":"objective","props":[{"name":"label","value":"CM-5[5]"}],"prose":"defines logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.6","name":"objective","props":[{"name":"label","value":"CM-5[6]"}],"prose":"documents logical access restrictions associated with changes to the information system;"},{"id":"cm-5_obj.7","name":"objective","props":[{"name":"label","value":"CM-5[7]"}],"prose":"approves logical access restrictions associated with changes to the information system; and"},{"id":"cm-5_obj.8","name":"objective","props":[{"name":"label","value":"CM-5[8]"}],"prose":"enforces logical access restrictions associated with changes to the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms supporting\/implementing\/enforcing access restrictions associated with changes to the information system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-6_prm_1","label":"organization-defined security configuration checklists"},{"id":"cm-6_prm_2","label":"organization-defined information system components"},{"id":"cm-6_prm_3","label":"organization-defined operational requirements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-6"},{"name":"sort-id","value":"cm-06"}],"links":[{"href":"#990268bf-f4a9-4c81-91ae-dc7d3115f4b1","rel":"reference"},{"href":"#0b3d8ba9-051f-498d-81ea-97f0f018c612","rel":"reference"},{"href":"#0916ef02-3618-411b-a525-565c088849a6","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#e95dd121-2733-413e-bf1e-f1eb49f20a98","rel":"reference"},{"href":"#647b6de3-81d0-4d22-bec1-5f1333e34380","rel":"reference"}],"parts":[{"id":"cm-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: param, cm-6_prm_3 }}; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and\/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input\/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms\/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"cm-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-6.a_obj","name":"objective","props":[{"name":"label","value":"CM-6(a)"}],"parts":[{"id":"cm-6.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(a)[1]"}],"prose":"defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed;"},{"id":"cm-6.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(a)[2]"}],"prose":"ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;"},{"id":"cm-6.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(a)[3]"}],"prose":"establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;"}]},{"id":"cm-6.b_obj","name":"objective","props":[{"name":"label","value":"CM-6(b)"}],"prose":"implements the configuration settings established\/documented in CM-6(a);;"},{"id":"cm-6.c_obj","name":"objective","props":[{"name":"label","value":"CM-6(c)"}],"parts":[{"id":"cm-6.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(c)[1]"}],"prose":"defines information system components for which any deviations from established configuration settings must be:","parts":[{"id":"cm-6.c_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][a]"}],"prose":"identified;"},{"id":"cm-6.c_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][b]"}],"prose":"documented;"},{"id":"cm-6.c_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[1][c]"}],"prose":"approved;"}]},{"id":"cm-6.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(c)[2]"}],"prose":"defines operational requirements to support:","parts":[{"id":"cm-6.c_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][a]"}],"prose":"the identification of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][b]"}],"prose":"the documentation of any deviations from established configuration settings;"},{"id":"cm-6.c_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-6(c)[2][c]"}],"prose":"the approval of any deviations from established configuration settings;"}]},{"id":"cm-6.c_obj.3","name":"objective","props":[{"name":"label","value":"CM-6(c)[3]"}],"prose":"identifies any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.4","name":"objective","props":[{"name":"label","value":"CM-6(c)[4]"}],"prose":"documents any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"},{"id":"cm-6.c_obj.5","name":"objective","props":[{"name":"label","value":"CM-6(c)[5]"}],"prose":"approves any deviations from established configuration settings for organization-defined information system components based on organizational-defined operational requirements;"}]},{"id":"cm-6.d_obj","name":"objective","props":[{"name":"label","value":"CM-6(d)"}],"parts":[{"id":"cm-6.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-6(d)[1]"}],"prose":"monitors changes to the configuration settings in accordance with organizational policies and procedures; and"},{"id":"cm-6.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-6(d)[2]"}],"prose":"controls changes to the configuration settings in accordance with organizational policies and procedures."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms that implement, monitor, and\/or control information system configuration settings\n\nautomated mechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_1","label":"organization-defined prohibited or restricted functions, ports, protocols, and\/or services"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-7"},{"name":"sort-id","value":"cm-07"}],"links":[{"href":"#e42b2099-3e1c-415b-952c-61c96533c12e","rel":"reference"}],"parts":[{"id":"cm-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configures the information system to provide only essential capabilities; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibits or restricts the use of the following functions, ports, protocols, and\/or services: {{ insert: param, cm-7_prm_1 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Information systems can provide a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from single information system components, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email servers or web servers, but not both). Organizations review functions and services provided by information systems or individual components of information systems, to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, and file sharing). Organizations consider disabling unused or unnecessary physical and logical ports\/protocols (e.g., Universal Serial Bus, File Transfer Protocol, and Hyper Text Transfer Protocol) on information systems to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.","links":[{"href":"#ac-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(a)"}],"prose":"configures the information system to provide only essential capabilities;"},{"id":"cm-7.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(b)"}],"parts":[{"id":"cm-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(b)[1]"}],"prose":"defines prohibited or restricted:","parts":[{"id":"cm-7.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(b)[2]"}],"prose":"prohibits or restricts the use of organization-defined:","parts":[{"id":"cm-7.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(b)[2][d]"}],"prose":"services."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing least functionality in the information system\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing restrictions or prohibition of functions, ports, protocols, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_1","label":"organization-defined frequency"},{"id":"cm-7.1_prm_2","label":"organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and\/or nonsecure"}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"sort-id","value":"cm-07.01"}],"parts":[{"id":"cm-7.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disables {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"The organization can either make a determination of the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Bluetooth, FTP, and peer-to-peer networking are examples of less than secure protocols.","links":[{"href":"#ac-18","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"}]},{"id":"cm-7.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.1.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)"}],"parts":[{"id":"cm-7.1.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1]"}],"prose":"defines the frequency to review the information system to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2]"}],"prose":"reviews the information system with the organization-defined frequency to identify unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.a_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(a)[2][d]"}],"prose":"services;"}]}],"links":[{"href":"#cm-7.1_smt.a","rel":"corresp"}]},{"id":"cm-7.1.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)"}],"parts":[{"id":"cm-7.1.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1]"}],"prose":"defines, within the information system, unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.1.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[1][d]"}],"prose":"services;"}]},{"id":"cm-7.1.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2]"}],"prose":"disables organization-defined unnecessary and\/or nonsecure:","parts":[{"id":"cm-7.1.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][a]"}],"prose":"functions;"},{"id":"cm-7.1.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][b]"}],"prose":"ports;"},{"id":"cm-7.1.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][c]"}],"prose":"protocols; and\/or"},{"id":"cm-7.1.b_obj.2.d","name":"objective","props":[{"name":"label","value":"CM-7(1)(b)[2][d]"}],"prose":"services."}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nsecurity configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for reviewing\/disabling nonsecure functions, ports, protocols, and\/or services\n\nautomated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-7.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-7.2_prm_2 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-7.2_prm_2","depends-on":"cm-7.2_prm_1","label":"organization-defined policies regarding software program usage and restrictions"}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"sort-id","value":"cm-07.02"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"The information system prevents program execution in accordance with {{ insert: param, cm-7.2_prm_1 }}."},{"id":"cm-7.2_gdn","name":"guidance","links":[{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.2_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cm-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(2)[1]"}],"prose":"the organization defines policies regarding software program usage and restrictions;"},{"id":"cm-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(2)[2]"}],"prose":"the information system prevents program execution in accordance with one or more of the following:","parts":[{"id":"cm-7.2_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][a]"}],"prose":"organization-defined policies regarding program usage and restrictions; and\/or"},{"id":"cm-7.2_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-7(2)[2][b]"}],"prose":"rules authorizing the terms and conditions of software program usage."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\nspecifications for preventing software program execution\n\ninformation system configuration settings and associated documentation\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes preventing program execution on the information system\n\norganizational processes for software program usage and restrictions\n\nautomated mechanisms preventing program execution on the information system\n\nautomated mechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.4","class":"SP800-53-enhancement","title":"Unauthorized Software \/ Blacklisting","params":[{"id":"cm-7.4_prm_1","label":"organization-defined software programs not authorized to execute on the information system"},{"id":"cm-7.4_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CM-7(4)"},{"name":"sort-id","value":"cm-07.04"}],"parts":[{"id":"cm-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identifies {{ insert: param, cm-7.4_prm_1 }};"},{"id":"cm-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and"},{"id":"cm-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Reviews and updates the list of unauthorized software programs {{ insert: param, cm-7.4_prm_2 }}."}]},{"id":"cm-7.4_gdn","name":"guidance","prose":"The process used to identify software programs that are not authorized to execute on organizational information systems is commonly referred to as blacklisting. Organizations can implement CM-7 (5) instead of this control enhancement if whitelisting (the stronger of the two policies) is the preferred approach for restricting software program execution.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-7.4.a_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(a)"}],"prose":"Identifies\/defines software programs not authorized to execute on the information system;","links":[{"href":"#cm-7.4_smt.a","rel":"corresp"}]},{"id":"cm-7.4.b_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(b)"}],"prose":"employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system;","links":[{"href":"#cm-7.4_smt.b","rel":"corresp"}]},{"id":"cm-7.4.c_obj","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)"}],"parts":[{"id":"cm-7.4.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)[1]"}],"prose":"defines the frequency to review and update the list of unauthorized software programs on the information system; and"},{"id":"cm-7.4.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-7(4)(c)[2]"}],"prose":"reviews and updates the list of unauthorized software programs with the organization-defined frequency."}],"links":[{"href":"#cm-7.4_smt.c","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the information system\n\nconfiguration management plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of software programs not authorized to execute on the information system\n\nsecurity configuration checklists\n\nreview and update records associated with list of unauthorized software programs\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for identifying software not authorized to execute on the information system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for identifying, reviewing, and updating programs not authorized to execute on the information system\n\norganizational process for implementing blacklisting\n\nautomated mechanisms supporting and\/or implementing blacklisting"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"Information System Component Inventory","params":[{"id":"cm-8_prm_1","label":"organization-defined information deemed necessary to achieve effective information system component accountability"},{"id":"cm-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-8"},{"name":"sort-id","value":"cm-08"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents an inventory of information system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the current information system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the authorization boundary of the information system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Includes {{ insert: param, cm-8_prm_1 }}; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pm-5","rel":"related"}]},{"id":"cm-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)"}],"parts":[{"id":"cm-8.a.1_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(1)"}],"prose":"develops and documents an inventory of information system components that accurately reflects the current information system;"},{"id":"cm-8.a.2_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(2)"}],"prose":"develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;"},{"id":"cm-8.a.3_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(3)"}],"prose":"develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;"},{"id":"cm-8.a.4_obj","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)"}],"parts":[{"id":"cm-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[1]"}],"prose":"defines the information deemed necessary to achieve effective information system component accountability;"},{"id":"cm-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(a)(4)[2]"}],"prose":"develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;"}]}]},{"id":"cm-8.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(b)"}],"parts":[{"id":"cm-8.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(b)[1]"}],"prose":"defines the frequency to review and update the information system component inventory; and"},{"id":"cm-8.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(b)[2]"}],"prose":"reviews and updates the information system component inventory with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting an inventory of information system components\n\nautomated mechanisms supporting and\/or implementing the information system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installations \/ Removals","props":[{"name":"label","value":"CM-8(1)"},{"name":"sort-id","value":"cm-08.01"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."},{"id":"cm-8.1_obj","name":"objective","prose":"Determine if the organization updates the inventory of information system components as an integral part of:","parts":[{"id":"cm-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(1)[1]"}],"prose":"component installations;"},{"id":"cm-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(1)[2]"}],"prose":"component removals; and"},{"id":"cm-8.1_obj.3","name":"objective","props":[{"name":"label","value":"CM-8(1)[3]"}],"prose":"information system updates."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\ninventory reviews and update records\n\ncomponent installation records\n\ncomponent removal records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for updating the information system component inventory\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for updating inventory of information system components\n\nautomated mechanisms implementing updating of the information system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","label":"organization-defined frequency"},{"id":"cm-8.3_prm_2","select":{"how-many":"one-or-more","choice":["disables network access by such components","isolates the components","notifies {{ insert: param, cm-8.3_prm_3 }} "]}},{"id":"cm-8.3_prm_3","depends-on":"cm-8.3_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"sort-id","value":"cm-08.03"}],"parts":[{"id":"cm-8.3_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components within the information system; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Takes the following actions when unauthorized components are detected: {{ insert: param, cm-8.3_prm_2 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#ra-5","rel":"related"}]},{"id":"cm-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-8.3.a_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)"}],"parts":[{"id":"cm-8.3.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1]"}],"prose":"defines the frequency to employ automated mechanisms to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.1.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.1.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.1.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[1][c]"}],"prose":"firmware components within the information system;"}]},{"id":"cm-8.3.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to detect the presence of unauthorized:","parts":[{"id":"cm-8.3.a_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][a]"}],"prose":"hardware components within the information system;"},{"id":"cm-8.3.a_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][b]"}],"prose":"software components within the information system;"},{"id":"cm-8.3.a_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(a)[2][c]"}],"prose":"firmware components within the information system;"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"corresp"}]},{"id":"cm-8.3.b_obj","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)"}],"parts":[{"id":"cm-8.3.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[1]"}],"prose":"defines personnel or roles to be notified when unauthorized components are detected;"},{"id":"cm-8.3.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2]"}],"prose":"takes one or more of the following actions when unauthorized components are detected:","parts":[{"id":"cm-8.3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][a]"}],"prose":"disables network access by such components;"},{"id":"cm-8.3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][b]"}],"prose":"isolates the components; and\/or"},{"id":"cm-8.3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"CM-8(3)(b)[2][c]"}],"prose":"notifies organization-defined personnel or roles."}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system inventory records\n\nalerts\/notifications of unauthorized components within the information system\n\ninformation system monitoring records\n\nchange control records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized information system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for detection of unauthorized information system components\n\nautomated mechanisms implementing the detection of unauthorized information system components"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"sort-id","value":"cm-08.05"}],"parts":[{"id":"cm-8.5_smt","name":"statement","prose":"The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories."},{"id":"cm-8.5_gdn","name":"guidance","prose":"This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems."},{"id":"cm-8.5_obj","name":"objective","prose":"Determine if the organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing information system component inventory\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system inventory records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system inventory responsibilities\n\norganizational personnel with responsibilities for defining information system components within the authorization boundary of the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining the inventory of information system components\n\nautomated mechanisms implementing the information system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-9"},{"name":"sort-id","value":"cm-09"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"The organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the information system and places the configuration items under configuration management; and"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development\/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sa-10","rel":"related"}]},{"id":"cm-9_obj","name":"objective","prose":"Determine if the organization develops, documents, and implements a configuration management plan for the information system that:","parts":[{"id":"cm-9.a_obj","name":"objective","props":[{"name":"label","value":"CM-9(a)"}],"parts":[{"id":"cm-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(a)[1]"}],"prose":"addresses roles;"},{"id":"cm-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(a)[2]"}],"prose":"addresses responsibilities;"},{"id":"cm-9.a_obj.3","name":"objective","props":[{"name":"label","value":"CM-9(a)[3]"}],"prose":"addresses configuration management processes and procedures;"}]},{"id":"cm-9.b_obj","name":"objective","props":[{"name":"label","value":"CM-9(b)"}],"prose":"establishes a process for:","parts":[{"id":"cm-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(b)[1]"}],"prose":"identifying configuration items throughout the SDLC;"},{"id":"cm-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(b)[2]"}],"prose":"managing the configuration of the configuration items;"}]},{"id":"cm-9.c_obj","name":"objective","props":[{"name":"label","value":"CM-9(c)"}],"parts":[{"id":"cm-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(c)[1]"}],"prose":"defines the configuration items for the information system;"},{"id":"cm-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(c)[2]"}],"prose":"places the configuration items under configuration management;"}]},{"id":"cm-9.d_obj","name":"objective","props":[{"name":"label","value":"CM-9(d)"}],"prose":"protects the configuration management plan from unauthorized:","parts":[{"id":"cm-9.d_obj.1","name":"objective","props":[{"name":"label","value":"CM-9(d)[1]"}],"prose":"disclosure; and"},{"id":"cm-9.d_obj.2","name":"objective","props":[{"name":"label","value":"CM-9(d)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nautomated mechanisms implementing the configuration management plan\n\nautomated mechanisms for managing configuration items\n\nautomated mechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"priority","value":"P2"},{"name":"label","value":"CM-10"},{"name":"sort-id","value":"cm-10"}],"parts":[{"id":"cm-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual methods (e.g., simple spreadsheets) or automated methods (e.g., specialized tracking applications) depending on organizational needs.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"cm-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-10.a_obj","name":"objective","props":[{"name":"label","value":"CM-10(a)"}],"prose":"uses software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10.b_obj","name":"objective","props":[{"name":"label","value":"CM-10(b)"}],"prose":"tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10.c_obj","name":"objective","props":[{"name":"label","value":"CM-10(c)"}],"prose":"controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing software usage restrictions\n\nconfiguration management plan\n\nsecurity plan\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel with software license management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for tracking the use of software protected by quantity licenses\n\norganization process for controlling\/documenting the use of peer-to-peer file sharing technology\n\nautomated mechanisms implementing software license tracking\n\nautomated mechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_prm_1","label":"organization-defined policies"},{"id":"cm-11_prm_2","label":"organization-defined methods"},{"id":"cm-11_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CM-11"},{"name":"sort-id","value":"cm-11"}],"parts":[{"id":"cm-11_smt","name":"statement","prose":"The organization:","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users have the ability to install software in organizational information systems. To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations may include, for example, updates and security patches to existing software and downloading applications from organization-approved “app stores” Prohibited software installations may include, for example, software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both.","links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"cm-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cm-11.a_obj","name":"objective","props":[{"name":"label","value":"CM-11(a)"}],"parts":[{"id":"cm-11.a_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(a)[1]"}],"prose":"defines policies to govern the installation of software by users;"},{"id":"cm-11.a_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(a)[2]"}],"prose":"establishes organization-defined policies governing the installation of software by users;"}]},{"id":"cm-11.b_obj","name":"objective","props":[{"name":"label","value":"CM-11(b)"}],"parts":[{"id":"cm-11.b_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(b)[1]"}],"prose":"defines methods to enforce software installation policies;"},{"id":"cm-11.b_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(b)[2]"}],"prose":"enforces software installation policies through organization-defined methods;"}]},{"id":"cm-11.c_obj","name":"objective","props":[{"name":"label","value":"CM-11(c)"}],"parts":[{"id":"cm-11.c_obj.1","name":"objective","props":[{"name":"label","value":"CM-11(c)[1]"}],"prose":"defines frequency to monitor policy compliance; and"},{"id":"cm-11.c_obj.2","name":"objective","props":[{"name":"label","value":"CM-11(c)[2]"}],"prose":"monitors policy compliance at organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Configuration management policy\n\nprocedures addressing user installed software\n\nconfiguration management plan\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of rules governing user installed software\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records\n\ncontinuous monitoring strategy"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the information system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes governing user-installed software on the information system\n\nautomated mechanisms enforcing rules\/methods for governing the installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Contingency Planning Policy and Procedures","params":[{"id":"cp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-1_prm_2","label":"organization-defined frequency"},{"id":"cp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-1"},{"name":"sort-id","value":"cp-01"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"cp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"cp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Contingency planning policy {{ insert: param, cp-1_prm_2 }}; and"},{"id":"cp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Contingency planning procedures {{ insert: param, cp-1_prm_3 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"cp-1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"cp-1.a_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)"}],"parts":[{"id":"cp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)"}],"parts":[{"id":"cp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1]"}],"prose":"the organization develops and documents a contingency planning policy that addresses:","parts":[{"id":"cp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"cp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"cp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"cp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"cp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"cp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"cp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"cp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[2]"}],"prose":"the organization defines personnel or roles to whom the contingency planning policy is to be disseminated;"},{"id":"cp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(1)[3]"}],"prose":"the organization disseminates the contingency planning policy to organization-defined personnel or roles;"}]},{"id":"cp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)"}],"parts":[{"id":"cp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[1]"}],"prose":"the organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls;"},{"id":"cp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[2]"}],"prose":"the organization defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"cp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-1(a)(2)[3]"}],"prose":"the organization disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"cp-1.b_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)"}],"parts":[{"id":"cp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)"}],"parts":[{"id":"cp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning policy;"},{"id":"cp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(1)[2]"}],"prose":"the organization reviews and updates the current contingency planning with the organization-defined frequency;"}]},{"id":"cp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)"}],"parts":[{"id":"cp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[1]"}],"prose":"the organization defines the frequency to review and update the current contingency planning procedures; and"},{"id":"cp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-1(b)(2)[2]"}],"prose":"the organization reviews and updates the current contingency planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_3","label":"organization-defined frequency"},{"id":"cp-2_prm_4","label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-2"},{"name":"sort-id","value":"cp-02"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a contingency plan for the information system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Reviews the contingency plan for the information system {{ insert: param, cp-2_prm_3 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicates contingency plan changes to {{ insert: param, cp-2_prm_4 }}; and"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protects the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission\/business functions. Contingency planning addresses both information system restoration and implementation of alternative mission\/business processes when systems are compromised. The effectiveness of contingency planning is maximized by considering such planning throughout the phases of the system development life cycle. Performing contingency planning on hardware, software, and firmware development can be an effective means of achieving information system resiliency. Contingency plans reflect the degree of restoration required for organizational information systems since not all systems may need to fully recover to achieve the level of continuity of operations desired. Information system recovery objectives reflect applicable laws, Executive Orders, directives, policies, standards, regulations, and guidelines. In addition to information system availability, contingency plans also address other security-related events resulting in a reduction in mission and\/or business effectiveness, such as malicious attacks compromising the confidentiality or integrity of information systems. Actions addressed in contingency plans include, for example, orderly\/graceful degradation, information system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By closely coordinating contingency planning with incident handling activities, organizations can ensure that the necessary contingency planning activities are in place and activated in the event of a security incident.","links":[{"href":"#ac-14","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"cp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.a_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)"}],"prose":"develops and documents a contingency plan for the information system that:","parts":[{"id":"cp-2.a.1_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(1)"}],"prose":"identifies essential missions and business functions and associated contingency requirements;"},{"id":"cp-2.a.2_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)"}],"parts":[{"id":"cp-2.a.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[1]"}],"prose":"provides recovery objectives;"},{"id":"cp-2.a.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[2]"}],"prose":"provides restoration priorities;"},{"id":"cp-2.a.2_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(2)[3]"}],"prose":"provides metrics;"}]},{"id":"cp-2.a.3_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)"}],"parts":[{"id":"cp-2.a.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[1]"}],"prose":"addresses contingency roles;"},{"id":"cp-2.a.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[2]"}],"prose":"addresses contingency responsibilities;"},{"id":"cp-2.a.3_obj.3","name":"objective","props":[{"name":"label","value":"CP-2(a)(3)[3]"}],"prose":"addresses assigned individuals with contact information;"}]},{"id":"cp-2.a.4_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(4)"}],"prose":"addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;"},{"id":"cp-2.a.5_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(5)"}],"prose":"addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented;"},{"id":"cp-2.a.6_obj","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)"}],"parts":[{"id":"cp-2.a.6_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[1]"}],"prose":"defines personnel or roles to review and approve the contingency plan for the information system;"},{"id":"cp-2.a.6_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(a)(6)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"cp-2.b_obj","name":"objective","props":[{"name":"label","value":"CP-2(b)"}],"parts":[{"id":"cp-2.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(b)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom copies of the contingency plan are to be distributed;"},{"id":"cp-2.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(b)[2]"}],"prose":"distributes copies of the contingency plan to organization-defined key contingency personnel and organizational elements;"}]},{"id":"cp-2.c_obj","name":"objective","props":[{"name":"label","value":"CP-2(c)"}],"prose":"coordinates contingency planning activities with incident handling activities;"},{"id":"cp-2.d_obj","name":"objective","props":[{"name":"label","value":"CP-2(d)"}],"parts":[{"id":"cp-2.d_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(d)[1]"}],"prose":"defines a frequency to review the contingency plan for the information system;"},{"id":"cp-2.d_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(d)[2]"}],"prose":"reviews the contingency plan with the organization-defined frequency;"}]},{"id":"cp-2.e_obj","name":"objective","props":[{"name":"label","value":"CP-2(e)"}],"prose":"updates the contingency plan to address:","parts":[{"id":"cp-2.e_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(e)[1]"}],"prose":"changes to the organization, information system, or environment of operation;"},{"id":"cp-2.e_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(e)[2]"}],"prose":"problems encountered during plan implementation, execution, and testing;"}]},{"id":"cp-2.f_obj","name":"objective","props":[{"name":"label","value":"CP-2(f)"}],"parts":[{"id":"cp-2.f_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(f)[1]"}],"prose":"defines key contingency personnel (identified by name and\/or by role) and organizational elements to whom contingency plan changes are to be communicated;"},{"id":"cp-2.f_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(f)[2]"}],"prose":"communicates contingency plan changes to organization-defined key contingency personnel and organizational elements; and"}]},{"id":"cp-2.g_obj","name":"objective","props":[{"name":"label","value":"CP-2(g)"}],"prose":"protects the contingency plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nevidence of contingency plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nautomated mechanisms for developing, reviewing, updating and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"sort-id","value":"cp-02.01"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"The organization coordinates contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, Insider Threat Implementation Plan, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan development with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Essential Missions \/ Business Functions","params":[{"id":"cp-2.3_prm_1","label":"organization-defined time period"}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"sort-id","value":"cp-02.03"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"The organization plans for the resumption of essential missions and business functions within {{ insert: param, cp-2.3_prm_1 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. The time period for resumption of essential missions\/business functions may be dependent on the severity\/extent of disruptions to the information system and its supporting infrastructure.","links":[{"href":"#pe-12","rel":"related"}]},{"id":"cp-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-2.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-2(3)[1]"}],"prose":"defines the time period to plan for the resumption of essential missions and business functions as a result of contingency plan activation; and"},{"id":"cp-2.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-2(3)[2]"}],"prose":"plans for the resumption of essential missions and business functions within organization-defined time period of contingency plan activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nsecurity plan\n\nbusiness impact assessment\n\nother related plans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","props":[{"name":"label","value":"CP-2(8)"},{"name":"sort-id","value":"cp-02.08"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"The organization identifies critical information system assets supporting essential missions and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to carry out the contingency planning activities in this control enhancement as part of organizational business continuity planning including, for example, as part of business impact analyses. Organizations identify critical information system assets so that additional safeguards and countermeasures can be employed (above and beyond those safeguards and countermeasures routinely implemented) to help ensure that organizational missions\/business functions can continue to be conducted during contingency operations. In addition, the identification of critical information assets facilitates the prioritization of organizational resources. Critical information system assets include technical and operational aspects. Technical aspects include, for example, information technology services, information system components, information technology products, and mechanisms. Operational aspects include, for example, procedures (manually executed operations) and personnel (individuals operating technical safeguards and\/or executing manual procedures). Organizational program protection plans can provide assistance in identifying critical assets.","links":[{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"cp-2.8_obj","name":"objective","prose":"Determine if the organization identifies critical information system assets supporting essential missions and business functions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the information system\n\ncontingency plan\n\nbusiness impact assessment\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-3_prm_1","label":"organization-defined time period"},{"id":"cp-3_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-3"},{"name":"sort-id","value":"cp-03"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"cp-3_smt","name":"statement","prose":"The organization provides contingency training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, cp-3_prm_1 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"cp-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, cp-3_prm_2 }} thereafter."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, regular users may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to set up information systems at alternate processing and storage sites; and managers\/senior leaders may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles\/responsibilities reflects the specific continuity requirements in the contingency plan.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-2","rel":"related"}]},{"id":"cp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-3.a_obj","name":"objective","props":[{"name":"label","value":"CP-3(a)"}],"parts":[{"id":"cp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(a)[1]"}],"prose":"defines a time period within which contingency training is to be provided to information system users assuming a contingency role or responsibility;"},{"id":"cp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(a)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming a contingency role or responsibility;"}]},{"id":"cp-3.b_obj","name":"objective","props":[{"name":"label","value":"CP-3(b)"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"cp-3.c_obj","name":"objective","props":[{"name":"label","value":"CP-3(c)"}],"parts":[{"id":"cp-3.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-3(c)[1]"}],"prose":"defines the frequency for contingency training thereafter; and"},{"id":"cp-3.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-3(c)[2]"}],"prose":"provides contingency training to information system users consistent with assigned roles and responsibilities with the organization-defined frequency thereafter."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsecurity plan\n\ncontingency training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_1","label":"organization-defined frequency"},{"id":"cp-4_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"CP-4"},{"name":"sort-id","value":"cp-04"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"}],"parts":[{"id":"cp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Tests the contingency plan for the information system {{ insert: param, cp-4_prm_1 }} using {{ insert: param, cp-4_prm_2 }} to determine the effectiveness of the plan and the organizational readiness to execute the plan;"},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiates corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and to identify potential weaknesses in the plans include, for example, walk-through and tabletop exercises, checklists, simulations (parallel, full interrupt), and comprehensive exercises. Organizations conduct testing based on the continuity requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals arising due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"}]},{"id":"cp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-4.a_obj","name":"objective","props":[{"name":"label","value":"CP-4(a)"}],"parts":[{"id":"cp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-4(a)[1]"}],"prose":"defines tests to determine the effectiveness of the contingency plan and the organizational readiness to execute the plan;"},{"id":"cp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-4(a)[2]"}],"prose":"defines a frequency to test the contingency plan for the information system;"},{"id":"cp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-4(a)[3]"}],"prose":"tests the contingency plan for the information system with the organization-defined frequency, using organization-defined tests to determine the effectiveness of the plan and the organizational readiness to execute the plan;"}]},{"id":"cp-4.b_obj","name":"objective","props":[{"name":"label","value":"CP-4(b)"}],"prose":"reviews the contingency plan test results; and"},{"id":"cp-4.c_obj","name":"objective","props":[{"name":"label","value":"CP-4(c)"}],"prose":"initiates corrective actions, if needed."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nsecurity plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"sort-id","value":"cp-04.01"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"The organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency plans for organizational information systems include, for example, Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. This control enhancement does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. It does require, however, that if such organizational elements are responsible for related plans, organizations should coordinate with those elements.","links":[{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}]},{"id":"cp-4.1_obj","name":"objective","prose":"Determine if the organization coordinates contingency plan testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-6"},{"name":"sort-id","value":"cp-06"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are sites that are geographically distinct from primary storage sites. An alternate storage site maintains duplicate copies of information and data in the event that the primary storage site is not available. Items covered by alternate storage site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination of delivery\/retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"cp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6_obj.1","name":"objective","props":[{"name":"label","value":"CP-6[1]"}],"prose":"establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and"},{"id":"cp-6_obj.2","name":"objective","props":[{"name":"label","value":"CP-6[2]"}],"prose":"ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing and retrieving information system backup information at the alternate storage site\n\nautomated mechanisms supporting and\/or implementing storage and retrieval of information system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"sort-id","value":"cp-06.01"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"sort-id","value":"cp-06.03"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include, for example: (i) duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites; or (ii) planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-6.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-6.3_obj.1","name":"objective","props":[{"name":"label","value":"CP-6(3)[1]"}],"prose":"identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster; and"},{"id":"cp-6.3_obj.2","name":"objective","props":[{"name":"label","value":"CP-6(3)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-7_prm_1","label":"organization-defined information system operations"},{"id":"cp-7_prm_2","label":"organization-defined time period consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-7"},{"name":"sort-id","value":"cp-07"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-7_prm_1 }} for essential missions\/business functions within {{ insert: param, cp-7_prm_2 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are sites that are geographically distinct from primary processing sites. An alternate processing site provides processing capability in the event that the primary processing site is not available. Items covered by alternate processing site agreements include, for example, environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and coordination for the transfer\/assignment of personnel. Requirements are specifically allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential missions\/business functions despite disruption, compromise, or failure in organizational information systems.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"}]},{"id":"cp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.a_obj","name":"objective","props":[{"name":"label","value":"CP-7(a)"}],"parts":[{"id":"cp-7.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(a)[1]"}],"prose":"defines information system operations requiring an alternate processing site to be established to permit the transfer and resumption of such operations;"},{"id":"cp-7.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(a)[2]"}],"prose":"defines the time period consistent with recovery time objectives and recovery point objectives (as specified in the information system contingency plan) for transfer\/resumption of organization-defined information system operations for essential missions\/business functions;"},{"id":"cp-7.a_obj.3","name":"objective","props":[{"name":"label","value":"CP-7(a)[3]"}],"prose":"establishes an alternate processing site including necessary agreements to permit the transfer and resumption of organization-defined information system operations for essential missions\/business functions, within the organization-defined time period, when the primary processing capabilities are unavailable;"}]},{"id":"cp-7.b_obj","name":"objective","props":[{"name":"label","value":"CP-7(b)"}],"parts":[{"id":"cp-7.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(b)[1]"}],"prose":"ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site; or"},{"id":"cp-7.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(b)[2]"}],"prose":"ensures that contracts are in place to support delivery to the site within the organization-defined time period for transfer\/resumption; and"}]},{"id":"cp-7.c_obj","name":"objective","props":[{"name":"label","value":"CP-7(c)"}],"prose":"ensures that the alternate processing site provides information security safeguards equivalent to those of the primary site."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for recovery at the alternate site\n\nautomated mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"sort-id","value":"cp-07.01"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are typically defined in organizational assessments of risk and include, for example, natural disasters, structural failures, hostile cyber attacks, and errors of omission\/commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For one particular type of threat (i.e., hostile cyber attack), the degree of separation between sites is less relevant.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.1_obj","name":"objective","prose":"Determine if the organization identifies an alternate processing site that is separated from the primary storage site to reduce susceptibility to the same threats."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"sort-id","value":"cp-07.02"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope (e.g., hurricane, regional power outage) with such determinations made by organizations based on organizational assessments of risk.","links":[{"href":"#ra-3","rel":"related"}]},{"id":"cp-7.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-7.2_obj.1","name":"objective","props":[{"name":"label","value":"CP-7(2)[1]"}],"prose":"identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster; and"},{"id":"cp-7.2_obj.2","name":"objective","props":[{"name":"label","value":"CP-7(2)[2]"}],"prose":"outlines explicit mitigation actions for such potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"sort-id","value":"cp-07.03"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority-of-service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources at the alternate processing site."},{"id":"cp-7.3_obj","name":"objective","prose":"Determine if the organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-8_prm_1","label":"organization-defined information system operations"},{"id":"cp-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-8"},{"name":"sort-id","value":"cp-08"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"},{"href":"#fb5844de-ff96-47c0-b258-4f52bcc2f30d","rel":"reference"},{"href":"#3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","rel":"reference"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of {{ insert: param, cp-8_prm_1 }} for essential missions and business functions within {{ insert: param, cp-8_prm_2 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"This control applies to telecommunications services (data and voice) for primary and alternate processing and storage sites. Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential missions\/business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary\/alternate sites. Alternate telecommunications services include, for example, additional organizational or commercial ground-based circuits\/lines or satellites in lieu of ground-based communications. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"cp-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8_obj.1","name":"objective","props":[{"name":"label","value":"CP-8[1]"}],"prose":"defines information system operations requiring alternate telecommunications services to be established to permit the resumption of such operations;"},{"id":"cp-8_obj.2","name":"objective","props":[{"name":"label","value":"CP-8[2]"}],"prose":"defines the time period to permit resumption of organization-defined information system operations for essential missions and business functions; and"},{"id":"cp-8_obj.3","name":"objective","props":[{"name":"label","value":"CP-8[3]"}],"prose":"establishes alternate telecommunications services including necessary agreements to permit the resumption of organization-defined information system operations for essential missions and business functions, within the organization-defined time period, when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"sort-id","value":"cp-08.01"}],"parts":[{"id":"cp-8.1_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission\/business impact in situations where telecommunications service providers are servicing other organizations with similar priority-of-service provisions."},{"id":"cp-8.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-8.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-8(1)[1]"}],"prose":"develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives as specified in the information system contingency plan); and"},{"id":"cp-8.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-8(1)[2]"}],"prose":"requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"sort-id","value":"cp-08.02"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_obj","name":"objective","prose":"Determine if the organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with information system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"Information System Backup","params":[{"id":"cp-9_prm_1","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_2","label":"organization-defined frequency consistent with recovery time and recovery point objectives"},{"id":"cp-9_prm_3","label":"organization-defined frequency consistent with recovery time and recovery point objectives"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-9"},{"name":"sort-id","value":"cp-09"}],"links":[{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts backups of user-level information contained in the information system {{ insert: param, cp-9_prm_1 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conducts backups of system-level information contained in the information system {{ insert: param, cp-9_prm_2 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts backups of information system documentation including security-related documentation {{ insert: param, cp-9_prm_3 }}; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes, for example, system-state information, operating system and application software, and licenses. User-level information includes any information other than system-level information. Mechanisms employed by organizations to protect the integrity of information system backups include, for example, digital signatures and cryptographic hashes. Protection of system backup information while in transit is beyond the scope of this control. Information system backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"cp-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.a_obj","name":"objective","props":[{"name":"label","value":"CP-9(a)"}],"parts":[{"id":"cp-9.a_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(a)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of user-level information contained in the information system;"},{"id":"cp-9.a_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(a)[2]"}],"prose":"conducts backups of user-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.b_obj","name":"objective","props":[{"name":"label","value":"CP-9(b)"}],"parts":[{"id":"cp-9.b_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(b)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of system-level information contained in the information system;"},{"id":"cp-9.b_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(b)[2]"}],"prose":"conducts backups of system-level information contained in the information system with the organization-defined frequency;"}]},{"id":"cp-9.c_obj","name":"objective","props":[{"name":"label","value":"CP-9(c)"}],"parts":[{"id":"cp-9.c_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(c)[1]"}],"prose":"defines a frequency, consistent with recovery time objectives and recovery point objectives as specified in the information system contingency plan, to conduct backups of information system documentation including security-related documentation;"},{"id":"cp-9.c_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(c)[2]"}],"prose":"conducts backups of information system documentation, including security-related documentation, with the organization-defined frequency; and"}]},{"id":"cp-9.d_obj","name":"objective","props":[{"name":"label","value":"CP-9(d)"}],"prose":"protects the confidentiality, integrity, and availability of backup information at storage locations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\nbackup storage location(s)\n\ninformation system backup logs or records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability \/ Integrity","params":[{"id":"cp-9.1_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"sort-id","value":"cp-09.01"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"The organization tests backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","links":[{"href":"#cp-4","rel":"related"}]},{"id":"cp-9.1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"cp-9.1_obj.1","name":"objective","props":[{"name":"label","value":"CP-9(1)[1]"}],"prose":"defines the frequency to test backup information to verify media reliability and information integrity; and"},{"id":"cp-9.1_obj.2","name":"objective","props":[{"name":"label","value":"CP-9(1)[2]"}],"prose":"tests backup information with the organization-defined frequency to verify media reliability and information integrity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for conducting information system backups\n\nautomated mechanisms supporting and\/or implementing information system backups"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"Information System Recovery and Reconstitution","props":[{"name":"priority","value":"P1"},{"name":"label","value":"CP-10"},{"name":"sort-id","value":"cp-10"}],"links":[{"href":"#023104bc-6f75-4cd5-b7d0-fc92326f8007","rel":"reference"},{"href":"#748a81b9-9cad-463f-abde-8b368167e70d","rel":"reference"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing information system contingency plan activities to restore organizational missions\/business functions. Reconstitution takes place following recovery and includes activities for returning organizational information systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities, recovery point\/time and reconstitution objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of any interim information system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored information system capabilities, reestablishment of continuous monitoring activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions, compromises, or failures. Recovery\/reconstitution capabilities employed by organizations can include both automated mechanisms and manual procedures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"cp-10_obj","name":"objective","prose":"Determine if the organization provides for:","parts":[{"id":"cp-10_obj.1","name":"objective","props":[{"name":"label","value":"CP-10[1]"}],"prose":"the recovery of the information system to a known state after:","parts":[{"id":"cp-10_obj.1.a","name":"objective","props":[{"name":"label","value":"CP-10[1][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.1.b","name":"objective","props":[{"name":"label","value":"CP-10[1][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.1.c","name":"objective","props":[{"name":"label","value":"CP-10[1][c]"}],"prose":"a failure;"}]},{"id":"cp-10_obj.2","name":"objective","props":[{"name":"label","value":"CP-10[2]"}],"prose":"the reconstitution of the information system to a known state after:","parts":[{"id":"cp-10_obj.2.a","name":"objective","props":[{"name":"label","value":"CP-10[2][a]"}],"prose":"a disruption;"},{"id":"cp-10_obj.2.b","name":"objective","props":[{"name":"label","value":"CP-10[2][b]"}],"prose":"a compromise; or"},{"id":"cp-10_obj.2.c","name":"objective","props":[{"name":"label","value":"CP-10[2][c]"}],"prose":"a failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system backup\n\ncontingency plan\n\ninformation system backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for information system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes implementing information system recovery and reconstitution operations\n\nautomated mechanisms supporting and\/or implementing information system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"sort-id","value":"cp-10.02"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"The information system implements transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"objective","prose":"Determine if the information system implements transaction recovery for systems that are transaction-based."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Contingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\ncontingency plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\ninformation system transaction recovery records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transaction recovery capability"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Identification and Authentication Policy and Procedures","params":[{"id":"ia-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-1_prm_2","label":"organization-defined frequency"},{"id":"ia-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-1"},{"name":"sort-id","value":"ia-01"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ia-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ia-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identification and authentication policy {{ insert: param, ia-1_prm_2 }}; and"},{"id":"ia-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identification and authentication procedures {{ insert: param, ia-1_prm_3 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ia-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-1.a_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)"}],"parts":[{"id":"ia-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)"}],"parts":[{"id":"ia-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1]"}],"prose":"develops and documents an identification and authentication policy that addresses:","parts":[{"id":"ia-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ia-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ia-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ia-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ia-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ia-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ia-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ia-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the identification and authentication policy is to be disseminated; and"},{"id":"ia-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(1)[3]"}],"prose":"disseminates the identification and authentication policy to organization-defined personnel or roles;"}]},{"id":"ia-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)"}],"parts":[{"id":"ia-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls;"},{"id":"ia-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ia-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ia-1.b_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)"}],"parts":[{"id":"ia-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)"}],"parts":[{"id":"ia-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication policy;"},{"id":"ia-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(1)[2]"}],"prose":"reviews and updates the current identification and authentication policy with the organization-defined frequency; and"}]},{"id":"ia-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)"}],"parts":[{"id":"ia-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current identification and authentication procedures; and"},{"id":"ia-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IA-1(b)(2)[2]"}],"prose":"reviews and updates the current identification and authentication procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-2"},{"name":"sort-id","value":"ia-02"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#4da24a96-6cf8-435d-9d1f-c73247cad109","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization-controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network. Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level (i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"ia-2_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nautomated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"sort-id","value":"ia-02.01"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.1_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"sort-id","value":"ia-02.02"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"The information system implements multifactor authentication for network access to non-privileged accounts."},{"id":"ia-2.2_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for network access to non-privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"sort-id","value":"ia-02.03"}],"parts":[{"id":"ia-2.3_smt","name":"statement","prose":"The information system implements multifactor authentication for local access to privileged accounts."},{"id":"ia-2.3_gdn","name":"guidance","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.3_obj","name":"objective","prose":"Determine if the information system implements multifactor authentication for local access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing multifactor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Network Access to Privileged Accounts - Replay Resistant","props":[{"name":"label","value":"IA-2(8)"},{"name":"sort-id","value":"ia-02.08"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators."},{"id":"ia-2.8_obj","name":"objective","prose":"Determine if the information system implements replay-resistant authentication mechanisms for network access to privileged accounts."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing replay resistant authentication mechanisms"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access - Separate Device","params":[{"id":"ia-2.11_prm_1","label":"organization-defined strength of mechanism requirements"}],"props":[{"name":"label","value":"IA-2(11)"},{"name":"sort-id","value":"ia-02.11"}],"parts":[{"id":"ia-2.11_smt","name":"statement","prose":"The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets {{ insert: param, ia-2.11_prm_1 }}."},{"id":"ia-2.11_gdn","name":"guidance","prose":"For remote access to privileged\/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.","links":[{"href":"#ac-6","rel":"related"}]},{"id":"ia-2.11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-2.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(11)[1]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(11)[2]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.11_obj.3","name":"objective","props":[{"name":"label","value":"IA-2(11)[3]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to privileged accounts;"},{"id":"ia-2.11_obj.4","name":"objective","props":[{"name":"label","value":"IA-2(11)[4]"}],"prose":"the organization defines strength of mechanism requirements to be enforced by a device separate from the system gaining remote access to non-privileged accounts;"},{"id":"ia-2.11_obj.5","name":"objective","props":[{"name":"label","value":"IA-2(11)[5]"}],"prose":"the information system implements multifactor authentication for remote access to privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements; and"},{"id":"ia-2.11_obj.6","name":"objective","props":[{"name":"label","value":"IA-2(11)[6]"}],"prose":"the information system implements multifactor authentication for remote access to non-privileged accounts such that a device, separate from the system gaining access, meets organization-defined strength of mechanism requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of privileged and non-privileged information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"sort-id","value":"ia-02.12"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-2.12_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-2.12_obj.1","name":"objective","props":[{"name":"label","value":"IA-2(12)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials; and"},{"id":"ia-2.12_obj.2","name":"objective","props":[{"name":"label","value":"IA-2(12)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-3_prm_1","label":"organization-defined specific and\/or types of devices"},{"id":"ia-3_prm_2","select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-3"},{"name":"sort-id","value":"ia-03"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"The information system uniquely identifies and authenticates {{ insert: param, ia-3_prm_1 }} before establishing a {{ insert: param, ia-3_prm_2 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Organizational devices requiring unique device-to-device identification and authentication may be defined by type, by device, or by a combination of type\/device. Information systems typically use either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify\/authenticate devices on local and\/or wide area networks. Organizations determine the required strength of authentication mechanisms by the security categories of information systems. Because of the challenges of applying this control on large scale, organizations are encouraged to only apply the control to those limited number (and type) of devices that truly need to support this capability.","links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}]},{"id":"ia-3_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ia-3_obj.1","name":"objective","props":[{"name":"label","value":"IA-3[1]"}],"prose":"the organization defines specific and\/or types of devices that the information system uniquely identifies and authenticates before establishing one or more of the following:","parts":[{"id":"ia-3_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-3[1][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-3[1][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-3[1][c]"}],"prose":"a network connection; and"}]},{"id":"ia-3_obj.2","name":"objective","props":[{"name":"label","value":"IA-3[2]"}],"prose":"the information system uniquely identifies and authenticates organization-defined devices before establishing one or more of the following:","parts":[{"id":"ia-3_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-3[2][a]"}],"prose":"a local connection;"},{"id":"ia-3_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-3[2][b]"}],"prose":"a remote connection; and\/or"},{"id":"ia-3_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-3[2][c]"}],"prose":"a network connection."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing device identification and authentication\n\ninformation system design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing device identification and authentication capability"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-4_prm_1","label":"organization-defined personnel or roles"},{"id":"ia-4_prm_2","label":"organization-defined time period"},{"id":"ia-4_prm_3","label":"organization-defined time period of inactivity"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-4"},{"name":"sort-id","value":"ia-04"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"The organization manages information system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-4_prm_1 }} to assign an individual, group, role, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, or device;"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-4_prm_2 }}; and"},{"id":"ia-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disabling the identifier after {{ insert: param, ia-4_prm_3 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include, for example, media access control (MAC), Internet protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). Typically, individual identifiers are the user names of the information system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4. This control also addresses individual identifiers not necessarily associated with information system accounts (e.g., identifiers used in physical security control databases accessed by badge reader systems for access to information systems). Preventing reuse of identifiers implies preventing the assignment of previously used individual, group, role, or device identifiers to different individuals, groups, roles, or devices.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#sc-37","rel":"related"}]},{"id":"ia-4_obj","name":"objective","prose":"Determine if the organization manages information system identifiers by:","parts":[{"id":"ia-4.a_obj","name":"objective","props":[{"name":"label","value":"IA-4(a)"}],"parts":[{"id":"ia-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(a)[1]"}],"prose":"defining personnel or roles from whom authorization must be received to assign:","parts":[{"id":"ia-4.a_obj.1.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.1.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.1.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.1.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[1][d]"}],"prose":"a device identifier;"}]},{"id":"ia-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(a)[2]"}],"prose":"receiving authorization from organization-defined personnel or roles to assign:","parts":[{"id":"ia-4.a_obj.2.a","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][a]"}],"prose":"an individual identifier;"},{"id":"ia-4.a_obj.2.b","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][b]"}],"prose":"a group identifier;"},{"id":"ia-4.a_obj.2.c","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][c]"}],"prose":"a role identifier; and\/or"},{"id":"ia-4.a_obj.2.d","name":"objective","props":[{"name":"label","value":"IA-4(a)[2][d]"}],"prose":"a device identifier;"}]}]},{"id":"ia-4.b_obj","name":"objective","props":[{"name":"label","value":"IA-4(b)"}],"prose":"selecting an identifier that identifies:","parts":[{"id":"ia-4.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(b)[1]"}],"prose":"an individual;"},{"id":"ia-4.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(b)[2]"}],"prose":"a group;"},{"id":"ia-4.b_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(b)[3]"}],"prose":"a role; and\/or"},{"id":"ia-4.b_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(b)[4]"}],"prose":"a device;"}]},{"id":"ia-4.c_obj","name":"objective","props":[{"name":"label","value":"IA-4(c)"}],"prose":"assigning the identifier to the intended:","parts":[{"id":"ia-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(c)[1]"}],"prose":"individual;"},{"id":"ia-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(c)[2]"}],"prose":"group;"},{"id":"ia-4.c_obj.3","name":"objective","props":[{"name":"label","value":"IA-4(c)[3]"}],"prose":"role; and\/or"},{"id":"ia-4.c_obj.4","name":"objective","props":[{"name":"label","value":"IA-4(c)[4]"}],"prose":"device;"}]},{"id":"ia-4.d_obj","name":"objective","props":[{"name":"label","value":"IA-4(d)"}],"parts":[{"id":"ia-4.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(d)[1]"}],"prose":"defining a time period for preventing reuse of identifiers;"},{"id":"ia-4.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(d)[2]"}],"prose":"preventing reuse of identifiers for the organization-defined time period;"}]},{"id":"ia-4.e_obj","name":"objective","props":[{"name":"label","value":"IA-4(e)"}],"parts":[{"id":"ia-4.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-4(e)[1]"}],"prose":"defining a time period of inactivity to disable the identifier; and"},{"id":"ia-4.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-4(e)[2]"}],"prose":"disabling the identifier after the organization-defined time period of inactivity."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-5_prm_1","label":"organization-defined time period by authenticator type"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-5"},{"name":"sort-id","value":"ia-05"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"The organization manages information system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost\/compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default content of authenticators prior to information system installation;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changing\/refreshing authenticators {{ insert: param, ia-5_prm_1 }};"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and"},{"id":"ia-5_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates, and key cards. Initial authenticator content is the actual content (e.g., the initial password) as opposed to requirements about authenticator content (e.g., minimum password length). In many cases, developers ship information system components with factory default authentication credentials to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant security risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored within organizational information systems (e.g., passwords stored in hashed or encrypted formats, files containing encrypted or hashed passwords accessible with administrator privileges). Information systems support individual authenticator management by organization-defined settings and restrictions for various authenticator characteristics including, for example, minimum password length, password composition, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication. Specific actions that can be taken to safeguard authenticators include, for example, maintaining possession of individual authenticators, not loaning or sharing individual authenticators with others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator management includes issuing and revoking, when no longer needed, authenticators for temporary access such as that required for remote maintenance. Device authenticators include, for example, certificates and passwords.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"ia-5_obj","name":"objective","prose":"Determine if the organization manages information system authenticators by:","parts":[{"id":"ia-5.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(a)"}],"prose":"verifying, as part of the initial authenticator distribution, the identity of:","parts":[{"id":"ia-5.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(a)[1]"}],"prose":"the individual receiving the authenticator;"},{"id":"ia-5.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(a)[2]"}],"prose":"the group receiving the authenticator;"},{"id":"ia-5.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(a)[3]"}],"prose":"the role receiving the authenticator; and\/or"},{"id":"ia-5.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(a)[4]"}],"prose":"the device receiving the authenticator;"}]},{"id":"ia-5.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(b)"}],"prose":"establishing initial authenticator content for authenticators defined by the organization;"},{"id":"ia-5.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(c)"}],"prose":"ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(d)"}],"parts":[{"id":"ia-5.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(d)[1]"}],"prose":"establishing and implementing administrative procedures for initial authenticator distribution;"},{"id":"ia-5.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(d)[2]"}],"prose":"establishing and implementing administrative procedures for lost\/compromised or damaged authenticators;"},{"id":"ia-5.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(d)[3]"}],"prose":"establishing and implementing administrative procedures for revoking authenticators;"}]},{"id":"ia-5.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(e)"}],"prose":"changing default content of authenticators prior to information system installation;"},{"id":"ia-5.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(f)"}],"parts":[{"id":"ia-5.f_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(f)[1]"}],"prose":"establishing minimum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(f)[2]"}],"prose":"establishing maximum lifetime restrictions for authenticators;"},{"id":"ia-5.f_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(f)[3]"}],"prose":"establishing reuse conditions for authenticators;"}]},{"id":"ia-5.g_obj","name":"objective","props":[{"name":"label","value":"IA-5(g)"}],"parts":[{"id":"ia-5.g_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(g)[1]"}],"prose":"defining a time period (by authenticator type) for changing\/refreshing authenticators;"},{"id":"ia-5.g_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(g)[2]"}],"prose":"changing\/refreshing authenticators with the organization-defined time period by authenticator type;"}]},{"id":"ia-5.h_obj","name":"objective","props":[{"name":"label","value":"IA-5(h)"}],"prose":"protecting authenticator content from unauthorized:","parts":[{"id":"ia-5.h_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(h)[1]"}],"prose":"disclosure;"},{"id":"ia-5.h_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(h)[2]"}],"prose":"modification;"}]},{"id":"ia-5.i_obj","name":"objective","props":[{"name":"label","value":"IA-5(i)"}],"parts":[{"id":"ia-5.i_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(i)[1]"}],"prose":"requiring individuals to take specific security safeguards to protect authenticators;"},{"id":"ia-5.i_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(i)[2]"}],"prose":"having devices implement specific security safeguards to protect authenticators; and"}]},{"id":"ia-5.j_obj","name":"objective","props":[{"name":"label","value":"IA-5(j)"}],"prose":"changing authenticators for group\/role accounts when membership to those accounts changes."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system authenticator types\n\nchange control records associated with managing information system authenticators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-5.1_prm_1","label":"organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type"},{"id":"ia-5.1_prm_2","label":"organization-defined number"},{"id":"ia-5.1_prm_3","label":"organization-defined numbers for lifetime minimum, lifetime maximum"},{"id":"ia-5.1_prm_4","label":"organization-defined number"}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"sort-id","value":"ia-05.01"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"The information system, for password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforces minimum password complexity of {{ insert: param, ia-5.1_prm_1 }};"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces at least the following number of changed characters when new passwords are created: {{ insert: param, ia-5.1_prm_2 }};"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Stores and transmits only cryptographically-protected passwords;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Enforces password minimum and maximum lifetime restrictions of {{ insert: param, ia-5.1_prm_3 }};"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Prohibits password reuse for {{ insert: param, ia-5.1_prm_4 }} generations; and"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allows the use of a temporary password for system logons with an immediate change to a permanent password."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Cryptographically-protected passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.1_obj","name":"objective","prose":"Determine if, for password-based authentication:","parts":[{"id":"ia-5.1.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)"}],"parts":[{"id":"ia-5.1.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[1]"}],"prose":"the organization defines requirements for case sensitivity;"},{"id":"ia-5.1.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[2]"}],"prose":"the organization defines requirements for number of characters;"},{"id":"ia-5.1.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[3]"}],"prose":"the organization defines requirements for the mix of upper-case letters, lower-case letters, numbers and special characters;"},{"id":"ia-5.1.a_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[4]"}],"prose":"the organization defines minimum requirements for each type of character;"},{"id":"ia-5.1.a_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(1)(a)[5]"}],"prose":"the information system enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;"}],"links":[{"href":"#ia-5.1_smt.a","rel":"corresp"}]},{"id":"ia-5.1.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)"}],"parts":[{"id":"ia-5.1.b_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[1]"}],"prose":"the organization defines a minimum number of changed characters to be enforced when new passwords are created;"},{"id":"ia-5.1.b_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(b)[2]"}],"prose":"the information system enforces at least the organization-defined minimum number of characters that must be changed when new passwords are created;"}],"links":[{"href":"#ia-5.1_smt.b","rel":"corresp"}]},{"id":"ia-5.1.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(c)"}],"prose":"the information system stores and transmits only encrypted representations of passwords;","links":[{"href":"#ia-5.1_smt.c","rel":"corresp"}]},{"id":"ia-5.1.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)"}],"parts":[{"id":"ia-5.1.d_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[1]"}],"prose":"the organization defines numbers for password minimum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[2]"}],"prose":"the organization defines numbers for password maximum lifetime restrictions to be enforced for passwords;"},{"id":"ia-5.1.d_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[3]"}],"prose":"the information system enforces password minimum lifetime restrictions of organization-defined numbers for lifetime minimum;"},{"id":"ia-5.1.d_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(1)(d)[4]"}],"prose":"the information system enforces password maximum lifetime restrictions of organization-defined numbers for lifetime maximum;"}],"links":[{"href":"#ia-5.1_smt.d","rel":"corresp"}]},{"id":"ia-5.1.e_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)"}],"parts":[{"id":"ia-5.1.e_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[1]"}],"prose":"the organization defines the number of password generations to be prohibited from password reuse;"},{"id":"ia-5.1.e_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(1)(e)[2]"}],"prose":"the information system prohibits password reuse for the organization-defined number of generations; and"}],"links":[{"href":"#ia-5.1_smt.e","rel":"corresp"}]},{"id":"ia-5.1.f_obj","name":"objective","props":[{"name":"label","value":"IA-5(1)(f)"}],"prose":"the information system allows the use of a temporary password for system logons with an immediate change to a permanent password.","links":[{"href":"#ia-5.1_smt.f","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Pki-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"sort-id","value":"ia-05.02"}],"parts":[{"id":"ia-5.2_smt","name":"statement","prose":"The information system, for PKI-based authentication:","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;"},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforces authorized access to the corresponding private key;"},{"id":"ia-5.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Maps the authenticated identity to the account of the individual or group; and"},{"id":"ia-5.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.","links":[{"href":"#ia-6","rel":"related"}]},{"id":"ia-5.2_obj","name":"objective","prose":"Determine if the information system, for PKI-based authentication:","parts":[{"id":"ia-5.2.a_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)"}],"parts":[{"id":"ia-5.2.a_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[1]"}],"prose":"validates certifications by constructing a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[2]"}],"prose":"validates certifications by verifying a certification path to an accepted trust anchor;"},{"id":"ia-5.2.a_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(2)(a)[3]"}],"prose":"includes checking certificate status information when constructing and verifying the certification path;"}],"links":[{"href":"#ia-5.2_smt.a","rel":"corresp"}]},{"id":"ia-5.2.b_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(b)"}],"prose":"enforces authorized access to the corresponding private key;","links":[{"href":"#ia-5.2_smt.b","rel":"corresp"}]},{"id":"ia-5.2.c_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(c)"}],"prose":"maps the authenticated identity to the account of the individual or group; and","links":[{"href":"#ia-5.2_smt.c","rel":"corresp"}]},{"id":"ia-5.2.d_obj","name":"objective","props":[{"name":"label","value":"IA-5(2)(d)"}],"prose":"implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.","links":[{"href":"#ia-5.2_smt.d","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted Third-party Registration","params":[{"id":"ia-5.3_prm_1","label":"organization-defined types of and\/or specific authenticators"},{"id":"ia-5.3_prm_2","select":{"choice":["in person","by a trusted third party"]}},{"id":"ia-5.3_prm_3","label":"organization-defined registration authority"},{"id":"ia-5.3_prm_4","label":"organization-defined personnel or roles"}],"props":[{"name":"label","value":"IA-5(3)"},{"name":"sort-id","value":"ia-05.03"}],"parts":[{"id":"ia-5.3_smt","name":"statement","prose":"The organization requires that the registration process to receive {{ insert: param, ia-5.3_prm_1 }} be conducted {{ insert: param, ia-5.3_prm_2 }} before {{ insert: param, ia-5.3_prm_3 }} with authorization by {{ insert: param, ia-5.3_prm_4 }}."},{"id":"ia-5.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-5.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(3)[1]"}],"prose":"defines types of and\/or specific authenticators to be received in person or by a trusted third party;"},{"id":"ia-5.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(3)[2]"}],"prose":"defines the registration authority with oversight of the registration process for receipt of organization-defined types of and\/or specific authenticators;"},{"id":"ia-5.3_obj.3","name":"objective","props":[{"name":"label","value":"IA-5(3)[3]"}],"prose":"defines personnel or roles responsible for authorizing organization-defined registration authority;"},{"id":"ia-5.3_obj.4","name":"objective","props":[{"name":"label","value":"IA-5(3)[4]"}],"prose":"defines if the registration process is to be conducted:","parts":[{"id":"ia-5.3_obj.4.a","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][a]"}],"prose":"in person; or"},{"id":"ia-5.3_obj.4.b","name":"objective","props":[{"name":"label","value":"IA-5(3)[4][b]"}],"prose":"by a trusted third party; and"}]},{"id":"ia-5.3_obj.5","name":"objective","props":[{"name":"label","value":"IA-5(3)[5]"}],"prose":"requires that the registration process to receive organization-defined types of and\/or specific authenticators be conducted in person or by a trusted third party before organization-defined registration authority with authorization by organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nregistration process for receiving information system authenticators\n\nlist of authenticators requiring in-person registration\n\nlist of authenticators requiring trusted third party registration\n\nauthenticator registration documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\nregistration authority\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","params":[{"id":"ia-5.11_prm_1","label":"organization-defined token quality requirements"}],"props":[{"name":"label","value":"IA-5(11)"},{"name":"sort-id","value":"ia-05.11"}],"parts":[{"id":"ia-5.11_smt","name":"statement","prose":"The information system, for hardware token-based authentication, employs mechanisms that satisfy {{ insert: param, ia-5.11_prm_1 }}."},{"id":"ia-5.11_gdn","name":"guidance","prose":"Hardware token-based authentication typically refers to the use of PKI-based tokens, such as the U.S. Government Personal Identity Verification (PIV) card. Organizations define specific requirements for tokens, such as working with a particular PKI."},{"id":"ia-5.11_obj","name":"objective","prose":"Determine if, for hardware token-based authentication:","parts":[{"id":"ia-5.11_obj.1","name":"objective","props":[{"name":"label","value":"IA-5(11)[1]"}],"prose":"the organization defines token quality requirements to be satisfied; and"},{"id":"ia-5.11_obj.2","name":"objective","props":[{"name":"label","value":"IA-5(11)[2]"}],"prose":"the information system employs mechanisms that satisfy organization-defined token quality requirements."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity plan\n\ninformation system design documentation\n\nautomated mechanisms employing hardware token-based authentication for the information system\n\nlist of token quality requirements\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing hardware token-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authenticator Feedback","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IA-6"},{"name":"sort-id","value":"ia-06"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops\/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.","links":[{"href":"#pe-18","rel":"related"}]},{"id":"ia-6_obj","name":"objective","prose":"Determine if the information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation\/use by unauthorized individuals."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator feedback\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-7"},{"name":"sort-id","value":"ia-07"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#b09d1a31-d3c9-4138-a4f4-4c63816afd7d","rel":"reference"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.","links":[{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"ia-7_obj","name":"objective","prose":"Determine if the information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing cryptographic module authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (non-organizational Users)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IA-8"},{"name":"sort-id","value":"ia-08"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#74e740a4-c45d-49f3-a86e-eb747c549e01","rel":"reference"},{"href":"#599fe9ba-4750-4450-9eeb-b95bd19a5e8f","rel":"reference"},{"href":"#ba557c91-ba3e-4792-adc6-a4ae479b39ff","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#654f21e2-f3bc-43b2-abdc-60ab8d09744b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include information system users other than organizational users explicitly covered by IA-2. These individuals are uniquely identified and authenticated for accesses other than those accesses explicitly identified and documented in AC-14. In accordance with the E-Authentication E-Government initiative, authentication of non-organizational users accessing federal information systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations use risk assessments to determine authentication needs and consider scalability, practicality, and security in balancing the need to ensure ease of use for access to federal information and information systems with the need to protect and adequately mitigate risk. IA-2 addresses identification and authentication requirements for access to information systems by organizational users.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"ia-8_obj","name":"objective","prose":"Determine if the information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of information system accounts\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"sort-id","value":"ia-08.01"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"This control enhancement applies to logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials.","links":[{"href":"#au-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.1_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"ia-8.1_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(1)[1]"}],"prose":"accepts Personal Identity Verification (PIV) credentials from other agencies; and"},{"id":"ia-8.1_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(1)[2]"}],"prose":"electronically verifies Personal Identity Verification (PIV) credentials from other agencies."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of Third-party Credentials","props":[{"name":"label","value":"IA-8(2)"},{"name":"sort-id","value":"ia-08.02"}],"parts":[{"id":"ia-8.2_smt","name":"statement","prose":"The information system accepts only FICAM-approved third-party credentials."},{"id":"ia-8.2_gdn","name":"guidance","prose":"This control enhancement typically applies to organizational information systems that are accessible to the general public, for example, public-facing websites. Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements. This allows federal government relying parties to trust such credentials at their approved assurance levels.","links":[{"href":"#au-2","rel":"related"}]},{"id":"ia-8.2_obj","name":"objective","prose":"Determine if the information system accepts only FICAM-approved third-party credentials."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-approved, third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of FICAM-approved third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms that accept FICAM-approved credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of Ficam-approved Products","params":[{"id":"ia-8.3_prm_1","label":"organization-defined information systems"}],"props":[{"name":"label","value":"IA-8(3)"},{"name":"sort-id","value":"ia-08.03"}],"parts":[{"id":"ia-8.3_smt","name":"statement","prose":"The organization employs only FICAM-approved information system components in {{ insert: param, ia-8.3_prm_1 }} to accept third-party credentials."},{"id":"ia-8.3_gdn","name":"guidance","prose":"This control enhancement typically applies to information systems that are accessible to the general public, for example, public-facing websites. FICAM-approved information system components include, for example, information technology products and software libraries that have been approved by the Federal Identity, Credential, and Access Management conformance program.","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ia-8.3_obj.1","name":"objective","props":[{"name":"label","value":"IA-8(3)[1]"}],"prose":"defines information systems in which only FICAM-approved information system components are to be employed to accept third-party credentials; and"},{"id":"ia-8.3_obj.2","name":"objective","props":[{"name":"label","value":"IA-8(3)[2]"}],"prose":"employs only FICAM-approved information system components in organization-defined information systems to accept third-party credentials."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nthird-party credential validations\n\nthird-party credential authorizations\n\nthird-party credential records\n\nlist of FICAM-approved information system components procured and implemented by organization\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information system security, acquisition, and contracting responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Ficam-issued Profiles","props":[{"name":"label","value":"IA-8(4)"},{"name":"sort-id","value":"ia-08.04"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"The information system conforms to FICAM-issued profiles."},{"id":"ia-8.4_gdn","name":"guidance","prose":"This control enhancement addresses open identity management standards. To ensure that these standards are viable, robust, reliable, sustainable (e.g., available in commercial information technology products), and interoperable as documented, the United States Government assesses and scopes identity management standards and technology implementations against applicable federal legislation, directives, policies, and requirements. The result is FICAM-issued implementation profiles of approved protocols (e.g., FICAM authentication protocols such as SAML 2.0 and OpenID 2.0, as well as other protocols such as the FICAM Backend Attribute Exchange).","links":[{"href":"#sa-4","rel":"related"}]},{"id":"ia-8.4_obj","name":"objective","prose":"Determine if the information system conforms to FICAM-issued profiles."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Identification and authentication policy\n\nsystem and services acquisition policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the integration of security requirements into the acquisition process\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nlist of FICAM-issued profiles and associated, approved protocols\n\nacquisition documentation\n\nacquisition contracts for information system procurements or services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing identification and authentication capability\n\nautomated mechanisms supporting and\/or implementing conformance with FICAM-issued profiles"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Incident Response Policy and Procedures","params":[{"id":"ir-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-1_prm_2","label":"organization-defined frequency"},{"id":"ir-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-1"},{"name":"sort-id","value":"ir-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ir-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ir-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Incident response policy {{ insert: param, ir-1_prm_2 }}; and"},{"id":"ir-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Incident response procedures {{ insert: param, ir-1_prm_3 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the IR family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ir-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-1.a_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)"}],"parts":[{"id":"ir-1.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)"}],"parts":[{"id":"ir-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1]"}],"prose":"develops and documents an incident response policy that addresses:","parts":[{"id":"ir-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ir-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ir-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ir-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ir-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ir-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ir-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ir-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the incident response policy is to be disseminated;"},{"id":"ir-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(1)[3]"}],"prose":"disseminates the incident response policy to organization-defined personnel or roles;"}]},{"id":"ir-1.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)"}],"parts":[{"id":"ir-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the incident response policy and associated incident response controls;"},{"id":"ir-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ir-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"IR-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ir-1.b_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)"}],"parts":[{"id":"ir-1.b.1_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)"}],"parts":[{"id":"ir-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current incident response policy;"},{"id":"ir-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(1)[2]"}],"prose":"reviews and updates the current incident response policy with the organization-defined frequency;"}]},{"id":"ir-1.b.2_obj","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)"}],"parts":[{"id":"ir-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current incident response procedures; and"},{"id":"ir-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"IR-1(b)(2)[2]"}],"prose":"reviews and updates the current incident response procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-2_prm_1","label":"organization-defined time period"},{"id":"ir-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-2"},{"name":"sort-id","value":"ir-02"}],"links":[{"href":"#825438c3-248d-4e30-a51e-246473ce6ada","rel":"reference"},{"href":"#e12b5738-de74-4fb3-8317-a3995a8a1898","rel":"reference"}],"parts":[{"id":"ir-2_smt","name":"statement","prose":"The organization provides incident response training to information system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Within {{ insert: param, ir-2_prm_1 }} of assuming an incident response role or responsibility;"},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When required by information system changes; and"},{"id":"ir-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":" {{ insert: param, ir-2_prm_2 }} thereafter."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure the appropriate content and level of detail is included in such training. For example, regular users may only need to know who to call or how to recognize an incident on the information system; system administrators may require additional training on how to handle\/remediate incidents; and incident responders may receive more specific training on forensics, reporting, system recovery, and restoration. Incident response training includes user training in the identification and reporting of suspicious activities, both from external and internal sources.","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-2.a_obj","name":"objective","props":[{"name":"label","value":"IR-2(a)"}],"parts":[{"id":"ir-2.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(a)[1]"}],"prose":"defines a time period within which incident response training is to be provided to information system users assuming an incident response role or responsibility;"},{"id":"ir-2.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(a)[2]"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities within the organization-defined time period of assuming an incident response role or responsibility;"}]},{"id":"ir-2.b_obj","name":"objective","props":[{"name":"label","value":"IR-2(b)"}],"prose":"provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes;"},{"id":"ir-2.c_obj","name":"objective","props":[{"name":"label","value":"IR-2(c)"}],"parts":[{"id":"ir-2.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-2(c)[1]"}],"prose":"defines the frequency to provide refresher incident response training to information system users consistent with assigned roles or responsibilities; and"},{"id":"ir-2.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-2(c)[2]"}],"prose":"after the initial incident response training, provides refresher incident response training to information system users consistent with assigned roles and responsibilities in accordance with the organization-defined frequency to provide refresher training."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nsecurity plan\n\nincident response plan\n\nsecurity plan\n\nincident response training records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-3_prm_1","label":"organization-defined frequency"},{"id":"ir-3_prm_2","label":"organization-defined tests"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-3"},{"name":"sort-id","value":"ir-03"}],"links":[{"href":"#0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"The organization tests the incident response capability for the information system {{ insert: param, ir-3_prm_1 }} using {{ insert: param, ir-3_prm_2 }} to determine the incident response effectiveness and documents the results."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine the overall effectiveness of the capabilities and to identify potential weaknesses or deficiencies. Incident response testing includes, for example, the use of checklists, walk-through or tabletop exercises, simulations (parallel\/full interrupt), and comprehensive exercises. Incident response testing can also include a determination of the effects on organizational operations (e.g., reduction in mission capabilities), organizational assets, and individuals due to incident response.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-3_obj.1","name":"objective","props":[{"name":"label","value":"IR-3[1]"}],"prose":"defines incident response tests to test the incident response capability for the information system;"},{"id":"ir-3_obj.2","name":"objective","props":[{"name":"label","value":"IR-3[2]"}],"prose":"defines the frequency to test the incident response capability for the information system; and"},{"id":"ir-3_obj.3","name":"objective","props":[{"name":"label","value":"IR-3[3]"}],"prose":"tests the incident response capability for the information system with the organization-defined frequency, using organization-defined tests to determine the incident response effectiveness and documents the results."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"sort-id","value":"ir-03.02"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"The organization coordinates incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include, for example, Business Continuity Plans, Contingency Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, and Occupant Emergency Plans."},{"id":"ir-3.2_obj","name":"objective","prose":"Determine if the organization coordinates incident response testing with organizational elements responsible for related plans."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-4"},{"name":"sort-id","value":"ir-04"}],"links":[{"href":"#c5034e0c-eba6-4ecd-a541-79f0678f4ba4","rel":"reference"},{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinates incident handling activities with contingency planning activities; and"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capability is dependent on the capabilities of organizational information systems and the mission\/business processes being supported by those systems. Therefore, organizations consider incident response as part of the definition, design, and development of mission\/business processes and information systems. Incident-related information can be obtained from a variety of sources including, for example, audit monitoring, network monitoring, physical access monitoring, user\/administrator reports, and reported supply chain events. Effective incident handling capability includes coordination among many organizational entities including, for example, mission\/business owners, information system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive (function).","links":[{"href":"#au-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-4.a_obj","name":"objective","props":[{"name":"label","value":"IR-4(a)"}],"prose":"implements an incident handling capability for security incidents that includes:","parts":[{"id":"ir-4.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(a)[1]"}],"prose":"preparation;"},{"id":"ir-4.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(a)[2]"}],"prose":"detection and analysis;"},{"id":"ir-4.a_obj.3","name":"objective","props":[{"name":"label","value":"IR-4(a)[3]"}],"prose":"containment;"},{"id":"ir-4.a_obj.4","name":"objective","props":[{"name":"label","value":"IR-4(a)[4]"}],"prose":"eradication;"},{"id":"ir-4.a_obj.5","name":"objective","props":[{"name":"label","value":"IR-4(a)[5]"}],"prose":"recovery;"}]},{"id":"ir-4.b_obj","name":"objective","props":[{"name":"label","value":"IR-4(b)"}],"prose":"coordinates incident handling activities with contingency planning activities;"},{"id":"ir-4.c_obj","name":"objective","props":[{"name":"label","value":"IR-4(c)"}],"parts":[{"id":"ir-4.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-4(c)[1]"}],"prose":"incorporates lessons learned from ongoing incident handling activities into:","parts":[{"id":"ir-4.c_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][b]"}],"prose":"training;"},{"id":"ir-4.c_obj.1.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[1][c]"}],"prose":"testing\/exercises;"}]},{"id":"ir-4.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-4(c)[2]"}],"prose":"implements the resulting changes accordingly to:","parts":[{"id":"ir-4.c_obj.2.a","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][a]"}],"prose":"incident response procedures;"},{"id":"ir-4.c_obj.2.b","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][b]"}],"prose":"training; and"},{"id":"ir-4.c_obj.2.c","name":"objective","props":[{"name":"label","value":"IR-4(c)[2][c]"}],"prose":"testing\/exercises."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","props":[{"name":"label","value":"IR-4(1)"},{"name":"sort-id","value":"ir-04.01"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"The organization employs automated mechanisms to support the incident handling process."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms supporting incident handling processes include, for example, online incident management systems."},{"id":"ir-4.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to support the incident handling process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-5"},{"name":"sort-id","value":"ir-05"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"The organization tracks and documents information system security incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting information system security incidents includes, for example, maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics, evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources including, for example, incident reports, incident response teams, audit monitoring, network monitoring, physical access monitoring, and user\/administrator reports.","links":[{"href":"#au-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ir-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-5_obj.1","name":"objective","props":[{"name":"label","value":"IR-5[1]"}],"prose":"tracks information system security incidents; and"},{"id":"ir-5_obj.2","name":"objective","props":[{"name":"label","value":"IR-5[2]"}],"prose":"documents information system security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-6_prm_1","label":"organization-defined time period"},{"id":"ir-6_prm_2","label":"organization-defined authorities"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-6"},{"name":"sort-id","value":"ir-06"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#02631467-668b-4233-989b-3dfded2fd184","rel":"reference"}],"parts":[{"id":"ir-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires personnel to report suspected security incidents to the organizational incident response capability within {{ insert: param, ir-6_prm_1 }}; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reports security incident information to {{ insert: param, ir-6_prm_2 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The intent of this control is to address both specific incident reporting requirements within an organization and the formal incident reporting requirements for federal agencies and their subordinate organizations. Suspected security incidents include, for example, the receipt of suspicious email communications that can potentially contain malicious code. The types of security incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Current federal policy requires that all federal agencies (unless specifically exempted from such requirements) report security incidents to the United States Computer Emergency Readiness Team (US-CERT) within specified time frames designated in the US-CERT Concept of Operations for Federal Cyber Security Incident Handling.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"ir-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-6.a_obj","name":"objective","props":[{"name":"label","value":"IR-6(a)"}],"parts":[{"id":"ir-6.a_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(a)[1]"}],"prose":"defines the time period within which personnel report suspected security incidents to the organizational incident response capability;"},{"id":"ir-6.a_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(a)[2]"}],"prose":"requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period;"}]},{"id":"ir-6.b_obj","name":"objective","props":[{"name":"label","value":"IR-6(b)"}],"parts":[{"id":"ir-6.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-6(b)[1]"}],"prose":"defines authorities to whom security incident information is to be reported; and"},{"id":"ir-6.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-6(b)[2]"}],"prose":"reports security incident information to organization-defined authorities."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","props":[{"name":"label","value":"IR-6(1)"},{"name":"sort-id","value":"ir-06.01"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"The organization employs automated mechanisms to assist in the reporting of security incidents."},{"id":"ir-6.1_gdn","name":"guidance","links":[{"href":"#ir-7","rel":"related"}]},{"id":"ir-6.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to assist in the reporting of security incidents."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing reporting of security incidents"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"IR-7"},{"name":"sort-id","value":"ir-07"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include, for example, help desks, assistance groups, and access to forensics services, when required.","links":[{"href":"#at-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"ir-7_obj","name":"objective","prose":"Determine if the organization provides an incident response support resource:","parts":[{"id":"ir-7_obj.1","name":"objective","props":[{"name":"label","value":"IR-7[1]"}],"prose":"that is integral to the organizational incident response capability; and"},{"id":"ir-7_obj.2","name":"objective","props":[{"name":"label","value":"IR-7[2]"}],"prose":"that offers advice and assistance to users of the information system for the handling and reporting of security incidents."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information \/ Support","props":[{"name":"label","value":"IR-7(1)"},{"name":"sort-id","value":"ir-07.01"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"The organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push and\/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"objective","prose":"Determine if the organization employs automated mechanisms to increase the availability of incident response-related information and support."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response plan\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ir-8_prm_2","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-8_prm_3","label":"organization-defined frequency"},{"id":"ir-8_prm_4","label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"IR-8"},{"name":"sort-id","value":"ir-08"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"}],"parts":[{"id":"ir-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability; and"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Is reviewed and approved by {{ insert: param, ir-8_prm_1 }};"}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the incident response plan to {{ insert: param, ir-8_prm_2 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the incident response plan {{ insert: param, ir-8_prm_3 }};"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the incident response plan to address system\/organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Communicates incident response plan changes to {{ insert: param, ir-8_prm_4 }}; and"},{"id":"ir-8_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Protects the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational missions, business functions, strategies, goals, and objectives for incident response help to determine the structure of incident response capabilities. As part of a comprehensive incident response capability, organizations consider the coordination and sharing of information with external organizations, including, for example, external service providers and organizations involved in the supply chain for organizational information systems.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}]},{"id":"ir-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ir-8.a_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)"}],"prose":"develops an incident response plan that:","parts":[{"id":"ir-8.a.1_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(1)"}],"prose":"provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8.a.2_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(2)"}],"prose":"describes the structure and organization of the incident response capability;"},{"id":"ir-8.a.3_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(3)"}],"prose":"provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8.a.4_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)"}],"prose":"meets the unique requirements of the organization, which relate to:","parts":[{"id":"ir-8.a.4_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[1]"}],"prose":"mission;"},{"id":"ir-8.a.4_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[2]"}],"prose":"size;"},{"id":"ir-8.a.4_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[3]"}],"prose":"structure;"},{"id":"ir-8.a.4_obj.4","name":"objective","props":[{"name":"label","value":"IR-8(a)(4)[4]"}],"prose":"functions;"}]},{"id":"ir-8.a.5_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(5)"}],"prose":"defines reportable incidents;"},{"id":"ir-8.a.6_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(6)"}],"prose":"provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8.a.7_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(7)"}],"prose":"defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8.a.8_obj","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)"}],"parts":[{"id":"ir-8.a.8_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[1]"}],"prose":"defines personnel or roles to review and approve the incident response plan;"},{"id":"ir-8.a.8_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(a)(8)[2]"}],"prose":"is reviewed and approved by organization-defined personnel or roles;"}]}]},{"id":"ir-8.b_obj","name":"objective","props":[{"name":"label","value":"IR-8(b)"}],"parts":[{"id":"ir-8.b_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(b)[1]"}],"parts":[{"id":"ir-8.b_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed;"},{"id":"ir-8.b_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(b)[1][b]"}],"prose":"defines organizational elements to whom copies of the incident response plan are to be distributed;"}]},{"id":"ir-8.b_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(b)[2]"}],"prose":"distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements;"}]},{"id":"ir-8.c_obj","name":"objective","props":[{"name":"label","value":"IR-8(c)"}],"parts":[{"id":"ir-8.c_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(c)[1]"}],"prose":"defines the frequency to review the incident response plan;"},{"id":"ir-8.c_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(c)[2]"}],"prose":"reviews the incident response plan with the organization-defined frequency;"}]},{"id":"ir-8.d_obj","name":"objective","props":[{"name":"label","value":"IR-8(d)"}],"prose":"updates the incident response plan to address system\/organizational changes or problems encountered during plan:","parts":[{"id":"ir-8.d_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(d)[1]"}],"prose":"implementation;"},{"id":"ir-8.d_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(d)[2]"}],"prose":"execution; or"},{"id":"ir-8.d_obj.3","name":"objective","props":[{"name":"label","value":"IR-8(d)[3]"}],"prose":"testing;"}]},{"id":"ir-8.e_obj","name":"objective","props":[{"name":"label","value":"IR-8(e)"}],"parts":[{"id":"ir-8.e_obj.1","name":"objective","props":[{"name":"label","value":"IR-8(e)[1]"}],"parts":[{"id":"ir-8.e_obj.1.a","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][a]"}],"prose":"defines incident response personnel (identified by name and\/or by role) to whom incident response plan changes are to be communicated;"},{"id":"ir-8.e_obj.1.b","name":"objective","props":[{"name":"label","value":"IR-8(e)[1][b]"}],"prose":"defines organizational elements to whom incident response plan changes are to be communicated;"}]},{"id":"ir-8.e_obj.2","name":"objective","props":[{"name":"label","value":"IR-8(e)[2]"}],"prose":"communicates incident response plan changes to organization-defined incident response personnel (identified by name and\/or by role) and organizational elements; and"}]},{"id":"ir-8.f_obj","name":"objective","props":[{"name":"label","value":"IR-8(f)"}],"prose":"protects the incident response plan from unauthorized disclosure and modification."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"System Maintenance Policy and Procedures","params":[{"id":"ma-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-1_prm_2","label":"organization-defined frequency"},{"id":"ma-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MA-1"},{"name":"sort-id","value":"ma-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ma-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ma-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System maintenance policy {{ insert: param, ma-1_prm_2 }}; and"},{"id":"ma-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System maintenance procedures {{ insert: param, ma-1_prm_3 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ma-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-1.a_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)"}],"parts":[{"id":"ma-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)"}],"parts":[{"id":"ma-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1]"}],"prose":"develops and documents a system maintenance policy that addresses:","parts":[{"id":"ma-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ma-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ma-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ma-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ma-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ma-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ma-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ma-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system maintenance policy is to be disseminated;"},{"id":"ma-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(1)[3]"}],"prose":"disseminates the system maintenance policy to organization-defined personnel or roles;"}]},{"id":"ma-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)"}],"parts":[{"id":"ma-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the maintenance policy and associated system maintenance controls;"},{"id":"ma-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ma-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ma-1.b_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)"}],"parts":[{"id":"ma-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)"}],"parts":[{"id":"ma-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system maintenance policy;"},{"id":"ma-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(1)[2]"}],"prose":"reviews and updates the current system maintenance policy with the organization-defined frequency;"}]},{"id":"ma-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)"}],"parts":[{"id":"ma-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system maintenance procedures; and"},{"id":"ma-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-1(b)(2)[2]"}],"prose":"reviews and updates the current system maintenance procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Maintenance policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-2_prm_1","label":"organization-defined personnel or roles"},{"id":"ma-2_prm_2","label":"organization-defined maintenance-related information"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-2"},{"name":"sort-id","value":"ma-02"}],"parts":[{"id":"ma-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Requires that {{ insert: param, ma-2_prm_1 }} explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Includes {{ insert: param, ma-2_prm_2 }} in organizational maintenance records."}]},{"id":"ma-2_gdn","name":"guidance","prose":"This control addresses the information security aspects of the information system maintenance program and applies to all types of maintenance to any system component (including applications) conducted by any local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). System maintenance also includes those components not directly associated with information processing and\/or data\/information retention such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes, for example: (i) date and time of maintenance; (ii) name of individuals or group performing the maintenance; (iii) name of escort, if necessary; (iv) a description of the maintenance performed; and (v) information system components\/equipment removed or replaced (including identification numbers, if applicable). The level of detail included in maintenance records can be informed by the security categories of organizational information systems. Organizations consider supply chain issues associated with replacement components for information systems.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ma-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-2.a_obj","name":"objective","props":[{"name":"label","value":"MA-2(a)"}],"parts":[{"id":"ma-2.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(a)[1]"}],"prose":"schedules maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[1][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(a)[2]"}],"prose":"performs maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[2][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.3","name":"objective","props":[{"name":"label","value":"MA-2(a)[3]"}],"prose":"documents maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[3][b]"}],"prose":"organizational requirements;"}]},{"id":"ma-2.a_obj.4","name":"objective","props":[{"name":"label","value":"MA-2(a)[4]"}],"prose":"reviews records of maintenance and repairs on information system components in accordance with:","parts":[{"id":"ma-2.a_obj.4.a","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][a]"}],"prose":"manufacturer or vendor specifications; and\/or"},{"id":"ma-2.a_obj.4.b","name":"objective","props":[{"name":"label","value":"MA-2(a)[4][b]"}],"prose":"organizational requirements;"}]}]},{"id":"ma-2.b_obj","name":"objective","props":[{"name":"label","value":"MA-2(b)"}],"parts":[{"id":"ma-2.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(b)[1]"}],"prose":"approves all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"},{"id":"ma-2.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(b)[2]"}],"prose":"monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;"}]},{"id":"ma-2.c_obj","name":"objective","props":[{"name":"label","value":"MA-2(c)"}],"parts":[{"id":"ma-2.c_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(c)[1]"}],"prose":"defines personnel or roles required to explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.c_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(c)[2]"}],"prose":"requires that organization-defined personnel or roles explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;"}]},{"id":"ma-2.d_obj","name":"objective","props":[{"name":"label","value":"MA-2(d)"}],"prose":"sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;"},{"id":"ma-2.e_obj","name":"objective","props":[{"name":"label","value":"MA-2(e)"}],"prose":"checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions;"},{"id":"ma-2.f_obj","name":"objective","props":[{"name":"label","value":"MA-2(f)"}],"parts":[{"id":"ma-2.f_obj.1","name":"objective","props":[{"name":"label","value":"MA-2(f)[1]"}],"prose":"defines maintenance-related information to be included in organizational maintenance records; and"},{"id":"ma-2.f_obj.2","name":"objective","props":[{"name":"label","value":"MA-2(f)[2]"}],"prose":"includes organization-defined maintenance-related information in organizational maintenance records."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing controlled information system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the information system\n\norganizational processes for sanitizing information system components\n\nautomated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms implementing sanitization of information system components"}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","props":[{"name":"priority","value":"P3"},{"name":"label","value":"MA-3"},{"name":"sort-id","value":"ma-03"}],"links":[{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"}],"parts":[{"id":"ma-3_smt","name":"statement","prose":"The organization approves, controls, and monitors information system maintenance tools."},{"id":"ma-3_gdn","name":"guidance","prose":"This control addresses security-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Maintenance tools can include hardware, software, and firmware items. Maintenance tools are potential vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into organizational information systems. Maintenance tools can include, for example, hardware\/software diagnostic test equipment and hardware\/software packet sniffers. This control does not cover hardware\/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing “ping,” “ls,” “ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"ma-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-3_obj.1","name":"objective","props":[{"name":"label","value":"MA-3[1]"}],"prose":"approves information system maintenance tools;"},{"id":"ma-3_obj.2","name":"objective","props":[{"name":"label","value":"MA-3[2]"}],"prose":"controls information system maintenance tools; and"},{"id":"ma-3_obj.3","name":"objective","props":[{"name":"label","value":"MA-3[3]"}],"prose":"monitors information system maintenance tools."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nautomated mechanisms supporting and\/or implementing approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"sort-id","value":"ma-03.01"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"If, upon inspection of maintenance tools, organizations determine that the tools have been modified in an improper\/unauthorized manner or contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling.","links":[{"href":"#si-7","rel":"related"}]},{"id":"ma-3.1_obj","name":"objective","prose":"Determine if the organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for inspecting maintenance tools\n\nautomated mechanisms supporting and\/or implementing inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"sort-id","value":"ma-03.02"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures.","links":[{"href":"#si-3","rel":"related"}]},{"id":"ma-3.2_obj","name":"objective","prose":"Determine if the organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance tools\n\ninformation system maintenance tools and associated documentation\n\nmaintenance records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for inspecting media for malicious code\n\nautomated mechanisms supporting and\/or implementing inspection of media used for maintenance"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-4"},{"name":"sort-id","value":"ma-04"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"}],"parts":[{"id":"ma-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approves and monitors nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintains records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminates session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"ma-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-4.a_obj","name":"objective","props":[{"name":"label","value":"MA-4(a)"}],"parts":[{"id":"ma-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(a)[1]"}],"prose":"approves nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(a)[2]"}],"prose":"monitors nonlocal maintenance and diagnostic activities;"}]},{"id":"ma-4.b_obj","name":"objective","props":[{"name":"label","value":"MA-4(b)"}],"prose":"allows the use of nonlocal maintenance and diagnostic tools only:","parts":[{"id":"ma-4.b_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(b)[1]"}],"prose":"as consistent with organizational policy;"},{"id":"ma-4.b_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(b)[2]"}],"prose":"as documented in the security plan for the information system;"}]},{"id":"ma-4.c_obj","name":"objective","props":[{"name":"label","value":"MA-4(c)"}],"prose":"employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.d_obj","name":"objective","props":[{"name":"label","value":"MA-4(d)"}],"prose":"maintains records for nonlocal maintenance and diagnostic activities;"},{"id":"ma-4.e_obj","name":"objective","props":[{"name":"label","value":"MA-4(e)"}],"parts":[{"id":"ma-4.e_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(e)[1]"}],"prose":"terminates sessions when nonlocal maintenance or diagnostics is completed; and"},{"id":"ma-4.e_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(e)[2]"}],"prose":"terminates network connections when nonlocal maintenance or diagnostics is completed."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing nonlocal information system maintenance\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing nonlocal maintenance\n\nautomated mechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nautomated mechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nautomated mechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"sort-id","value":"ma-04.02"}],"parts":[{"id":"ma-4.2_smt","name":"statement","prose":"The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."},{"id":"ma-4.2_obj","name":"objective","prose":"Determine if the organization documents in the security plan for the information system:","parts":[{"id":"ma-4.2_obj.1","name":"objective","props":[{"name":"label","value":"MA-4(2)[1]"}],"prose":"the policies for the establishment and use of nonlocal maintenance and diagnostic connections; and"},{"id":"ma-4.2_obj.2","name":"objective","props":[{"name":"label","value":"MA-4(2)[2]"}],"prose":"the procedures for the establishment and use of nonlocal maintenance and diagnostic connections."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing non-local information system maintenance\n\nsecurity plan\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-5"},{"name":"sort-id","value":"ma-05"}],"parts":[{"id":"ma-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"This control applies to individuals performing hardware or software maintenance on organizational information systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems (e.g., custodial staff, physical plant maintenance personnel). Technical competence of supervising individuals relates to the maintenance performed on the information systems while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel, such as information technology manufacturers, vendors, systems integrators, and consultants, may require privileged access to organizational information systems, for example, when required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"ma-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-5.a_obj","name":"objective","props":[{"name":"label","value":"MA-5(a)"}],"parts":[{"id":"ma-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MA-5(a)[1]"}],"prose":"establishes a process for maintenance personnel authorization;"},{"id":"ma-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MA-5(a)[2]"}],"prose":"maintains a list of authorized maintenance organizations or personnel;"}]},{"id":"ma-5.b_obj","name":"objective","props":[{"name":"label","value":"MA-5(b)"}],"prose":"ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and"},{"id":"ma-5.c_obj","name":"objective","props":[{"name":"label","value":"MA-5(c)"}],"prose":"designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nautomated mechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-6_prm_1","label":"organization-defined information system components"},{"id":"ma-6_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MA-6"},{"name":"sort-id","value":"ma-06"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"The organization obtains maintenance support and\/or spare parts for {{ insert: param, ma-6_prm_1 }} within {{ insert: param, ma-6_prm_2 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the information system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support typically include having appropriate contracts in place.","links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#sa-14","rel":"related"},{"href":"#sa-15","rel":"related"}]},{"id":"ma-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ma-6_obj.1","name":"objective","props":[{"name":"label","value":"MA-6[1]"}],"prose":"defines information system components for which maintenance support and\/or spare parts are to be obtained;"},{"id":"ma-6_obj.2","name":"objective","props":[{"name":"label","value":"MA-6[2]"}],"prose":"defines the time period within which maintenance support and\/or spare parts are to be obtained after a failure;"},{"id":"ma-6_obj.3","name":"objective","props":[{"name":"label","value":"MA-6[3]"}],"parts":[{"id":"ma-6_obj.3.a","name":"objective","props":[{"name":"label","value":"MA-6[3][a]"}],"prose":"obtains maintenance support for organization-defined information system components within the organization-defined time period of failure; and\/or"},{"id":"ma-6_obj.3.b","name":"objective","props":[{"name":"label","value":"MA-6[3][b]"}],"prose":"obtains spare parts for organization-defined information system components within the organization-defined time period of failure."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system maintenance policy\n\nprocedures addressing information system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Media Protection Policy and Procedures","params":[{"id":"mp-1_prm_1","label":"organization-defined personnel or roles"},{"id":"mp-1_prm_2","label":"organization-defined frequency"},{"id":"mp-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-1"},{"name":"sort-id","value":"mp-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"mp-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"mp-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Media protection policy {{ insert: param, mp-1_prm_2 }}; and"},{"id":"mp-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Media protection procedures {{ insert: param, mp-1_prm_3 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the MP family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"mp-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-1.a_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)"}],"parts":[{"id":"mp-1.a.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)"}],"parts":[{"id":"mp-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1]"}],"prose":"develops and documents a media protection policy that addresses:","parts":[{"id":"mp-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"mp-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"mp-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"mp-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"mp-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"mp-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"mp-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"mp-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the media protection policy is to be disseminated;"},{"id":"mp-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(1)[3]"}],"prose":"disseminates the media protection policy to organization-defined personnel or roles;"}]},{"id":"mp-1.a.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)"}],"parts":[{"id":"mp-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls;"},{"id":"mp-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"mp-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"MP-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"mp-1.b_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)"}],"parts":[{"id":"mp-1.b.1_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)"}],"parts":[{"id":"mp-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current media protection policy;"},{"id":"mp-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(1)[2]"}],"prose":"reviews and updates the current media protection policy with the organization-defined frequency;"}]},{"id":"mp-1.b.2_obj","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)"}],"parts":[{"id":"mp-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current media protection procedures; and"},{"id":"mp-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"MP-1(b)(2)[2]"}],"prose":"reviews and updates the current media protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Media protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-2"},{"name":"sort-id","value":"mp-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"The organization restricts access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Restricting non-digital media access includes, for example, denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers. Restricting access to digital media includes, for example, limiting access to design specifications stored on compact disks in the media library to the project leader and the individuals on the development team.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"}]},{"id":"mp-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-2_obj.1","name":"objective","props":[{"name":"label","value":"MP-2[1]"}],"prose":"defines types of digital and\/or non-digital media requiring restricted access;"},{"id":"mp-2_obj.2","name":"objective","props":[{"name":"label","value":"MP-2[2]"}],"prose":"defines personnel or roles authorized to access organization-defined types of digital and\/or non-digital media; and"},{"id":"mp-2_obj.3","name":"objective","props":[{"name":"label","value":"MP-2[3]"}],"prose":"restricts access to organization-defined types of digital and\/or non-digital media to organization-defined personnel or roles."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for restricting information media\n\nautomated mechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-3_prm_1","label":"organization-defined types of information system media"},{"id":"mp-3_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"MP-3"},{"name":"sort-id","value":"mp-03"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"}],"parts":[{"id":"mp-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempts {{ insert: param, mp-3_prm_1 }} from marking as long as the media remain within {{ insert: param, mp-3_prm_2 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"The term security marking refers to the application\/use of human-readable security attributes. The term security labeling refers to the application\/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","links":[{"href":"#ac-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"mp-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-3.a_obj","name":"objective","props":[{"name":"label","value":"MP-3(a)"}],"prose":"marks information system media indicating the:","parts":[{"id":"mp-3.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(a)[1]"}],"prose":"distribution limitations of the information;"},{"id":"mp-3.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(a)[2]"}],"prose":"handling caveats of the information;"},{"id":"mp-3.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(a)[3]"}],"prose":"applicable security markings (if any) of the information;"}]},{"id":"mp-3.b_obj","name":"objective","props":[{"name":"label","value":"MP-3(b)"}],"parts":[{"id":"mp-3.b_obj.1","name":"objective","props":[{"name":"label","value":"MP-3(b)[1]"}],"prose":"defines types of information system media to be exempted from marking as long as the media remain in designated controlled areas;"},{"id":"mp-3.b_obj.2","name":"objective","props":[{"name":"label","value":"MP-3(b)[2]"}],"prose":"defines controlled areas where organization-defined types of information system media exempt from marking are to be retained; and"},{"id":"mp-3.b_obj.3","name":"objective","props":[{"name":"label","value":"MP-3(b)[3]"}],"prose":"exempts organization-defined types of information system media from marking as long as the media remain within organization-defined controlled areas."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nsecurity plan\n\nlist of information system media marking security attributes\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for marking information media\n\nautomated mechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","label":"organization-defined controlled areas"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-4"},{"name":"sort-id","value":"mp-04"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically controls and securely stores {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }}; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Physically controlling information system media includes, for example, conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the media library, and maintaining accountability for all stored media. Secure storage includes, for example, a locked drawer, desk, or cabinet, or a controlled media library. The type of media storage is commensurate with the security category and\/or classification of the information residing on the media. Controlled areas are areas for which organizations provide sufficient physical and procedural safeguards to meet the requirements established for protecting information and\/or information systems. For media containing information determined by organizations to be in the public domain, to be publicly releasable, or to have limited or no adverse impact on organizations or individuals if accessed by other than authorized personnel, fewer safeguards may be needed. In these situations, physical access controls provide adequate protection.","links":[{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"}]},{"id":"mp-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-4.a_obj","name":"objective","props":[{"name":"label","value":"MP-4(a)"}],"parts":[{"id":"mp-4.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-4(a)[1]"}],"prose":"defines types of digital and\/or non-digital media to be physically controlled and securely stored within designated controlled areas;"},{"id":"mp-4.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-4(a)[2]"}],"prose":"defines controlled areas designated to physically control and securely store organization-defined types of digital and\/or non-digital media;"},{"id":"mp-4.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-4(a)[3]"}],"prose":"physically controls organization-defined types of digital and\/or non-digital media within organization-defined controlled areas;"},{"id":"mp-4.a_obj.4","name":"objective","props":[{"name":"label","value":"MP-4(a)[4]"}],"prose":"securely stores organization-defined types of digital and\/or non-digital media within organization-defined controlled areas; and"}]},{"id":"mp-4.b_obj","name":"objective","props":[{"name":"label","value":"MP-4(b)"}],"prose":"protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_1","label":"organization-defined types of information system media"},{"id":"mp-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-5"},{"name":"sort-id","value":"mp-05"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"mp-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protects and controls {{ insert: param, mp-5_prm_1 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents activities associated with the transport of information system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restricts the activities associated with the transport of information system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers), that are transported outside of controlled areas. Controlled areas are areas or spaces for which organizations provide sufficient physical and\/or procedural safeguards to meet the requirements established for protecting information and\/or information systems. Physical and technical safeguards for media are commensurate with the security category or classification of the information residing on the media. Safeguards to protect media during transport include, for example, locked containers and cryptography. Cryptographic mechanisms can provide confidentiality and integrity protections depending upon the mechanisms used. Activities associated with transport include the actual transport as well as those activities such as releasing media for transport and ensuring that media enters the appropriate transport processes. For the actual transport, authorized transport and courier personnel may include individuals from outside the organization (e.g., U.S. Postal Service or a commercial transport or delivery service). Maintaining accountability of media during transport includes, for example, restricting transport activities to authorized personnel, and tracking and\/or obtaining explicit records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of information system media in accordance with organizational assessments of risk to include the flexibility to define different record-keeping methods for the different types of media transport as part of an overall system of transport-related records.","links":[{"href":"#ac-19","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}]},{"id":"mp-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-5.a_obj","name":"objective","props":[{"name":"label","value":"MP-5(a)"}],"parts":[{"id":"mp-5.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-5(a)[1]"}],"prose":"defines types of information system media to be protected and controlled during transport outside of controlled areas;"},{"id":"mp-5.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-5(a)[2]"}],"prose":"defines security safeguards to protect and control organization-defined information system media during transport outside of controlled areas;"},{"id":"mp-5.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-5(a)[3]"}],"prose":"protects and controls organization-defined information system media during transport outside of controlled areas using organization-defined security safeguards;"}]},{"id":"mp-5.b_obj","name":"objective","props":[{"name":"label","value":"MP-5(b)"}],"prose":"maintains accountability for information system media during transport outside of controlled areas;"},{"id":"mp-5.c_obj","name":"objective","props":[{"name":"label","value":"MP-5(c)"}],"prose":"documents activities associated with the transport of information system media; and"},{"id":"mp-5.d_obj","name":"objective","props":[{"name":"label","value":"MP-5(d)"}],"prose":"restricts the activities associated with transport of information system media to authorized personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsecurity plan\n\ninformation system media\n\ndesignated controlled areas\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for storing information media\n\nautomated mechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"sort-id","value":"mp-05.04"}],"parts":[{"id":"mp-5.4_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"id":"mp-5.4_gdn","name":"guidance","prose":"This control enhancement applies to both portable storage devices (e.g., USB memory sticks, compact disks, digital video disks, external\/removable hard disk drives) and mobile devices with storage capability (e.g., smart phones, tablets, E-readers).","links":[{"href":"#mp-2","rel":"related"}]},{"id":"mp-5.4_obj","name":"objective","prose":"Determine if the organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media transport\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system media transport records\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas"}]}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","label":"organization-defined information system media"},{"id":"mp-6_prm_2","label":"organization-defined sanitization techniques and procedures"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-6"},{"name":"sort-id","value":"mp-06"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#263823e0-a971-4b00-959d-315b26278b22","rel":"reference"},{"href":"#a47466c4-c837-4f06-a39f-e68412a5f73d","rel":"reference"}],"parts":[{"id":"mp-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitizes {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} in accordance with applicable federal and organizational standards and policies; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections\/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.","links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-4","rel":"related"}]},{"id":"mp-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-6.a_obj","name":"objective","props":[{"name":"label","value":"MP-6(a)"}],"parts":[{"id":"mp-6.a_obj.1","name":"objective","props":[{"name":"label","value":"MP-6(a)[1]"}],"prose":"defines information system media to be sanitized prior to:","parts":[{"id":"mp-6.a_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.1.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[1][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.2","name":"objective","props":[{"name":"label","value":"MP-6(a)[2]"}],"prose":"defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:","parts":[{"id":"mp-6.a_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][a]"}],"prose":"disposal;"},{"id":"mp-6.a_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][b]"}],"prose":"release out of organizational control; or"},{"id":"mp-6.a_obj.2.c","name":"objective","props":[{"name":"label","value":"MP-6(a)[2][c]"}],"prose":"release for reuse;"}]},{"id":"mp-6.a_obj.3","name":"objective","props":[{"name":"label","value":"MP-6(a)[3]"}],"prose":"sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and"}]},{"id":"mp-6.b_obj","name":"objective","props":[{"name":"label","value":"MP-6(b)"}],"prose":"employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization\n\nmedia sanitization records\n\naudit records\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-7_prm_1","select":{"choice":["restricts","prohibits"]}},{"id":"mp-7_prm_2","label":"organization-defined types of information system media"},{"id":"mp-7_prm_3","label":"organization-defined information systems or system components"},{"id":"mp-7_prm_4","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"MP-7"},{"name":"sort-id","value":"mp-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"mp-7_smt","name":"statement","prose":"The organization {{ insert: param, mp-7_prm_1 }} the use of {{ insert: param, mp-7_prm_2 }} on {{ insert: param, mp-7_prm_3 }} using {{ insert: param, mp-7_prm_4 }}."},{"id":"mp-7_gdn","name":"guidance","prose":"Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external\/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. This control also applies to mobile devices with information storage capability (e.g., smart phones, tablets, E-readers). In contrast to MP-2, which restricts user access to media, this control restricts the use of certain types of media on information systems, for example, restricting\/prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical safeguards (e.g., policies, procedures, rules of behavior) to restrict the use of information system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling\/removing the ability to insert, read or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including, for example, devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, for example, prohibiting the use of writeable, portable storage devices, and implementing this restriction by disabling or removing the capability to write to such devices.","links":[{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}]},{"id":"mp-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"mp-7_obj.1","name":"objective","props":[{"name":"label","value":"MP-7[1]"}],"prose":"defines types of information system media to be:","parts":[{"id":"mp-7_obj.1.a","name":"objective","props":[{"name":"label","value":"MP-7[1][a]"}],"prose":"restricted on information systems or system components; or"},{"id":"mp-7_obj.1.b","name":"objective","props":[{"name":"label","value":"MP-7[1][b]"}],"prose":"prohibited from use on information systems or system components;"}]},{"id":"mp-7_obj.2","name":"objective","props":[{"name":"label","value":"MP-7[2]"}],"prose":"defines information systems or system components on which the use of organization-defined types of information system media is to be one of the following:","parts":[{"id":"mp-7_obj.2.a","name":"objective","props":[{"name":"label","value":"MP-7[2][a]"}],"prose":"restricted; or"},{"id":"mp-7_obj.2.b","name":"objective","props":[{"name":"label","value":"MP-7[2][b]"}],"prose":"prohibited;"}]},{"id":"mp-7_obj.3","name":"objective","props":[{"name":"label","value":"MP-7[3]"}],"prose":"defines security safeguards to be employed to restrict or prohibit the use of organization-defined types of information system media on organization-defined information systems or system components; and"},{"id":"mp-7_obj.4","name":"objective","props":[{"name":"label","value":"MP-7[4]"}],"prose":"restricts or prohibits the use of organization-defined information system media on organization-defined information systems or system components using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms restricting or prohibiting use of information system media on information systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"sort-id","value":"mp-07.01"}],"parts":[{"id":"mp-7.1_smt","name":"statement","prose":"The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"id":"mp-7.1_gdn","name":"guidance","prose":"Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion).","links":[{"href":"#pl-4","rel":"related"}]},{"id":"mp-7.1_obj","name":"objective","prose":"Determine if the organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nsecurity plan\n\nrules of behavior\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\naudit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for media use\n\nautomated mechanisms prohibiting use of media on information systems or system components"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Physical and Environmental Protection Policy and Procedures","params":[{"id":"pe-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pe-1_prm_2","label":"organization-defined frequency"},{"id":"pe-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-1"},{"name":"sort-id","value":"pe-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pe-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pe-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Physical and environmental protection policy {{ insert: param, pe-1_prm_2 }}; and"},{"id":"pe-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Physical and environmental protection procedures {{ insert: param, pe-1_prm_3 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pe-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-1.a_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)"}],"parts":[{"id":"pe-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)"}],"parts":[{"id":"pe-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1]"}],"prose":"develops and documents a physical and environmental protection policy that addresses:","parts":[{"id":"pe-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pe-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pe-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pe-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pe-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pe-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pe-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pe-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the physical and environmental protection policy is to be disseminated;"},{"id":"pe-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(1)[3]"}],"prose":"disseminates the physical and environmental protection policy to organization-defined personnel or roles;"}]},{"id":"pe-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)"}],"parts":[{"id":"pe-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls;"},{"id":"pe-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pe-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PE-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pe-1.b_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)"}],"parts":[{"id":"pe-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)"}],"parts":[{"id":"pe-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection policy;"},{"id":"pe-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(1)[2]"}],"prose":"reviews and updates the current physical and environmental protection policy with the organization-defined frequency;"}]},{"id":"pe-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)"}],"parts":[{"id":"pe-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current physical and environmental protection procedures; and"},{"id":"pe-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-1(b)(2)[2]"}],"prose":"reviews and updates the current physical and environmental protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-2"},{"name":"sort-id","value":"pe-02"}],"parts":[{"id":"pe-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issues authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the access list detailing authorized facility access by individuals {{ insert: param, pe-2_prm_1 }}; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Removes individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed (including level of forge-proof badges, smart cards, or identification cards) consistent with federal standards, policies, and procedures. This control only applies to areas within facilities that have not been designated as publicly accessible.","links":[{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"pe-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-2.a_obj","name":"objective","props":[{"name":"label","value":"PE-2(a)"}],"parts":[{"id":"pe-2.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(a)[1]"}],"prose":"develops a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(a)[2]"}],"prose":"approves a list of individuals with authorized access to the facility where the information system resides;"},{"id":"pe-2.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-2(a)[3]"}],"prose":"maintains a list of individuals with authorized access to the facility where the information system resides;"}]},{"id":"pe-2.b_obj","name":"objective","props":[{"name":"label","value":"PE-2(b)"}],"prose":"issues authorization credentials for facility access;"},{"id":"pe-2.c_obj","name":"objective","props":[{"name":"label","value":"PE-2(c)"}],"parts":[{"id":"pe-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-2(c)[1]"}],"prose":"defines the frequency to review the access list detailing authorized facility access by individuals;"},{"id":"pe-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-2(c)[2]"}],"prose":"reviews the access list detailing authorized facility access by individuals with the organization-defined frequency; and"}]},{"id":"pe-2.d_obj","name":"objective","props":[{"name":"label","value":"PE-2(d)"}],"prose":"removes individuals from the facility access list when access is no longer required."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nsecurity plan\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to information system facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access authorizations\n\nautomated mechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_1","label":"organization-defined entry\/exit points to the facility where the information system resides"},{"id":"pe-3_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-3_prm_3 }} ","guards"]}},{"id":"pe-3_prm_3","depends-on":"pe-3_prm_2","label":"organization-defined physical access control systems\/devices"},{"id":"pe-3_prm_4","label":"organization-defined entry\/exit points"},{"id":"pe-3_prm_5","label":"organization-defined security safeguards"},{"id":"pe-3_prm_6","label":"organization-defined circumstances requiring visitor escorts and monitoring"},{"id":"pe-3_prm_7","label":"organization-defined physical access devices"},{"id":"pe-3_prm_8","label":"organization-defined frequency"},{"id":"pe-3_prm_9","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-3"},{"name":"sort-id","value":"pe-03"}],"links":[{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#2157bb7e-192c-4eaa-877f-93ef6b0a3292","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"},{"href":"#398e33fd-f404-4e5c-b90e-2d50d3181244","rel":"reference"},{"href":"#61081e7f-041d-4033-96a7-44a439071683","rel":"reference"},{"href":"#dd2f5acd-08f1-435a-9837-f8203088dc1a","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"}],"parts":[{"id":"pe-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforces physical access authorizations at {{ insert: param, pe-3_prm_1 }} by;","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress\/egress to the facility using {{ insert: param, pe-3_prm_2 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintains physical access audit logs for {{ insert: param, pe-3_prm_4 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides {{ insert: param, pe-3_prm_5 }} to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escorts visitors and monitors visitor activity {{ insert: param, pe-3_prm_6 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secures keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventories {{ insert: param, pe-3_prm_7 }} every {{ insert: param, pe-3_prm_8 }}; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Changes combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Organizations determine the types of facility guards needed including, for example, professional physical security staff or other personnel such as administrative staff or information system users. Physical access devices include, for example, keys, locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational facilities include, for example, cameras, monitoring by guards, and isolating selected information systems and\/or system components in secured areas. Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The Federal Identity, Credential, and Access Management Program provides implementation guidance for identity, credential, and access management capabilities for physical access control systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural (e.g., a written log of individuals accessing the facility and when such access occurred), automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access points can include facility access points, interior access points to information systems and\/or components requiring supplemental access controls, or both. Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ra-3","rel":"related"}]},{"id":"pe-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-3.a_obj","name":"objective","props":[{"name":"label","value":"PE-3(a)"}],"parts":[{"id":"pe-3.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[1]"}],"prose":"defines entry\/exit points to the facility where the information system resides;"},{"id":"pe-3.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2]"}],"prose":"enforces physical access authorizations at organization-defined entry\/exit points to the facility where the information system resides by:","parts":[{"id":"pe-3.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](1)"}],"prose":"verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)"}],"parts":[{"id":"pe-3.a.2_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[a]"}],"prose":"defining physical access control systems\/devices to be employed to control ingress\/egress to the facility where the information system resides;"},{"id":"pe-3.a.2_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b]"}],"prose":"using one or more of the following ways to control ingress\/egress to the facility:","parts":[{"id":"pe-3.a.2_obj.2.b.1","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][1]"}],"prose":"organization-defined physical access control systems\/devices; and\/or"},{"id":"pe-3.a.2_obj.2.b.2","name":"objective","props":[{"name":"label","value":"PE-3(a)[2](2)[b][2]"}],"prose":"guards;"}]}]}]}]},{"id":"pe-3.b_obj","name":"objective","props":[{"name":"label","value":"PE-3(b)"}],"parts":[{"id":"pe-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(b)[1]"}],"prose":"defines entry\/exit points for which physical access audit logs are to be maintained;"},{"id":"pe-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(b)[2]"}],"prose":"maintains physical access audit logs for organization-defined entry\/exit points;"}]},{"id":"pe-3.c_obj","name":"objective","props":[{"name":"label","value":"PE-3(c)"}],"parts":[{"id":"pe-3.c_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(c)[1]"}],"prose":"defines security safeguards to be employed to control access to areas within the facility officially designated as publicly accessible;"},{"id":"pe-3.c_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(c)[2]"}],"prose":"provides organization-defined security safeguards to control access to areas within the facility officially designated as publicly accessible;"}]},{"id":"pe-3.d_obj","name":"objective","props":[{"name":"label","value":"PE-3(d)"}],"parts":[{"id":"pe-3.d_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(d)[1]"}],"prose":"defines circumstances requiring visitor:","parts":[{"id":"pe-3.d_obj.1.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][a]"}],"prose":"escorts;"},{"id":"pe-3.d_obj.1.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[1][b]"}],"prose":"monitoring;"}]},{"id":"pe-3.d_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(d)[2]"}],"prose":"in accordance with organization-defined circumstances requiring visitor escorts and monitoring:","parts":[{"id":"pe-3.d_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][a]"}],"prose":"escorts visitors;"},{"id":"pe-3.d_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(d)[2][b]"}],"prose":"monitors visitor activities;"}]}]},{"id":"pe-3.e_obj","name":"objective","props":[{"name":"label","value":"PE-3(e)"}],"parts":[{"id":"pe-3.e_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(e)[1]"}],"prose":"secures keys;"},{"id":"pe-3.e_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(e)[2]"}],"prose":"secures combinations;"},{"id":"pe-3.e_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(e)[3]"}],"prose":"secures other physical access devices;"}]},{"id":"pe-3.f_obj","name":"objective","props":[{"name":"label","value":"PE-3(f)"}],"parts":[{"id":"pe-3.f_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(f)[1]"}],"prose":"defines physical access devices to be inventoried;"},{"id":"pe-3.f_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(f)[2]"}],"prose":"defines the frequency to inventory organization-defined physical access devices;"},{"id":"pe-3.f_obj.3","name":"objective","props":[{"name":"label","value":"PE-3(f)[3]"}],"prose":"inventories the organization-defined physical access devices with the organization-defined frequency;"}]},{"id":"pe-3.g_obj","name":"objective","props":[{"name":"label","value":"PE-3(g)"}],"parts":[{"id":"pe-3.g_obj.1","name":"objective","props":[{"name":"label","value":"PE-3(g)[1]"}],"prose":"defines the frequency to change combinations and keys; and"},{"id":"pe-3.g_obj.2","name":"objective","props":[{"name":"label","value":"PE-3(g)[2]"}],"prose":"changes combinations and keys with the organization-defined frequency and\/or when:","parts":[{"id":"pe-3.g_obj.2.a","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][a]"}],"prose":"keys are lost;"},{"id":"pe-3.g_obj.2.b","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][b]"}],"prose":"combinations are compromised;"},{"id":"pe-3.g_obj.2.c","name":"objective","props":[{"name":"label","value":"PE-3(g)[2][c]"}],"prose":"individuals are transferred or terminated."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsecurity plan\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\ninformation system entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for physical access control\n\nautomated mechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission Medium","params":[{"id":"pe-4_prm_1","label":"organization-defined information system distribution and transmission lines"},{"id":"pe-4_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-4"},{"name":"sort-id","value":"pe-04"}],"links":[{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"The organization controls physical access to {{ insert: param, pe-4_prm_1 }} within organizational facilities using {{ insert: param, pe-4_prm_2 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. In addition, physical safeguards may be necessary to help prevent eavesdropping or in transit modification of unencrypted transmissions. Security safeguards to control physical access to system distribution and transmission lines include, for example: (i) locked wiring closets; (ii) disconnected or locked spare jacks; and\/or (iii) protection of cabling by conduit or cable trays.","links":[{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}]},{"id":"pe-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-4_obj.1","name":"objective","props":[{"name":"label","value":"PE-4[1]"}],"prose":"defines information system distribution and transmission lines requiring physical access controls;"},{"id":"pe-4_obj.2","name":"objective","props":[{"name":"label","value":"PE-4[2]"}],"prose":"defines security safeguards to be employed to control physical access to organization-defined information system distribution and transmission lines within organizational facilities; and"},{"id":"pe-4_obj.3","name":"objective","props":[{"name":"label","value":"PE-4[3]"}],"prose":"controls physical access to organization-defined information system distribution and transmission lines within organizational facilities using organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission medium\n\ninformation system design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to information system distribution and transmission lines\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nautomated mechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-5"},{"name":"sort-id","value":"pe-05"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes, for example, placing output devices in locked rooms or other secured areas and allowing access to authorized individuals only, and placing output devices in locations that can be monitored by organizational personnel. Monitors, printers, copiers, scanners, facsimile machines, and audio devices are examples of information system output devices.","links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}]},{"id":"pe-5_obj","name":"objective","prose":"Determine if the organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of information system components\n\nactual displays from information system components\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access control to output devices\n\nautomated mechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-6_prm_1","label":"organization-defined frequency"},{"id":"pe-6_prm_2","label":"organization-defined events or potential indications of events"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-6"},{"name":"sort-id","value":"pe-06"}],"parts":[{"id":"pe-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews physical access logs {{ insert: param, pe-6_prm_1 }} and upon occurrence of {{ insert: param, pe-6_prm_2 }}; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinates results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. Suspicious physical access activities include, for example: (i) accesses outside of normal work hours; (ii) repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and (iv) out-of-sequence accesses.","links":[{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}]},{"id":"pe-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-6.a_obj","name":"objective","props":[{"name":"label","value":"PE-6(a)"}],"prose":"monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;"},{"id":"pe-6.b_obj","name":"objective","props":[{"name":"label","value":"PE-6(b)"}],"parts":[{"id":"pe-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-6(b)[1]"}],"prose":"defines the frequency to review physical access logs;"},{"id":"pe-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-6(b)[2]"}],"prose":"defines events or potential indication of events requiring physical access logs to be reviewed;"},{"id":"pe-6.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-6(b)[3]"}],"prose":"reviews physical access logs with the organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and"}]},{"id":"pe-6.c_obj","name":"objective","props":[{"name":"label","value":"PE-6(c)"}],"prose":"coordinates results of reviews and investigations with the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing reviewing of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms \/ Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"sort-id","value":"pe-06.01"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"The organization monitors physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_obj","name":"objective","prose":"Determine if the organization monitors physical intrusion alarms and surveillance equipment."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsecurity plan\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-8_prm_1","label":"organization-defined time period"},{"id":"pe-8_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PE-8"},{"name":"sort-id","value":"pe-08"}],"parts":[{"id":"pe-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains visitor access records to the facility where the information system resides for {{ insert: param, pe-8_prm_1 }}; and"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews visitor access records {{ insert: param, pe-8_prm_2 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include, for example, names and organizations of persons visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purposes of visits, and names and organizations of persons visited. Visitor access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-8.a_obj","name":"objective","props":[{"name":"label","value":"PE-8(a)"}],"parts":[{"id":"pe-8.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(a)[1]"}],"prose":"defines the time period to maintain visitor access records to the facility where the information system resides;"},{"id":"pe-8.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(a)[2]"}],"prose":"maintains visitor access records to the facility where the information system resides for the organization-defined time period;"}]},{"id":"pe-8.b_obj","name":"objective","props":[{"name":"label","value":"PE-8(b)"}],"parts":[{"id":"pe-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-8(b)[1]"}],"prose":"defines the frequency to review visitor access records; and"},{"id":"pe-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-8(b)[2]"}],"prose":"reviews visitor access records with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nsecurity plan\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing maintenance and review of visitor access records"}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-9"},{"name":"sort-id","value":"pe-09"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"The organization protects power equipment and power cabling for the information system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for power equipment and cabling employed at different locations both internal and external to organizational facilities and environments of operation. This includes, for example, generators and power cabling outside of buildings, internal cabling and uninterruptable power sources within an office or data center, and power sources for self-contained entities such as vehicles and satellites.","links":[{"href":"#pe-4","rel":"related"}]},{"id":"pe-9_obj","name":"objective","prose":"Determine if the organization protects power equipment and power cabling for the information system from damage and destruction."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for protecting power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_prm_1","label":"organization-defined location by information system or system component"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-10"},{"name":"sort-id","value":"pe-10"}],"parts":[{"id":"pe-10_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Places emergency shutoff switches or devices in {{ insert: param, pe-10_prm_1 }} to facilitate safe and easy access for personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protects emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#pe-15","rel":"related"}]},{"id":"pe-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-10.a_obj","name":"objective","props":[{"name":"label","value":"PE-10(a)"}],"prose":"provides the capability of shutting off power to the information system or individual system components in emergency situations;"},{"id":"pe-10.b_obj","name":"objective","props":[{"name":"label","value":"PE-10(b)"}],"parts":[{"id":"pe-10.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-10(b)[1]"}],"prose":"defines the location of emergency shutoff switches or devices by information system or system component;"},{"id":"pe-10.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-10(b)[2]"}],"prose":"places emergency shutoff switches or devices in the organization-defined location by information system or system component to facilitate safe and easy access for personnel; and"}]},{"id":"pe-10.c_obj","name":"objective","props":[{"name":"label","value":"PE-10(c)"}],"prose":"protects emergency power shutoff capability from unauthorized activation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nsecurity plan\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting emergency power shutoff capability from unauthorized activation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_prm_1","select":{"how-many":"one-or-more","choice":["an orderly shutdown of the information system","transition of the information system to long-term alternate power"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-11"},{"name":"sort-id","value":"pe-11"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"The organization provides a short-term uninterruptible power supply to facilitate {{ insert: param, pe-11_prm_1 }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-11_obj","name":"objective","prose":"Determine if the organization provides a short-term uninterruptible power supply to facilitate one or more of the following in the event of a primary power source loss:","parts":[{"id":"pe-11_obj.1","name":"objective","props":[{"name":"label","value":"PE-11[1]"}],"prose":"an orderly shutdown of the information system; and\/or"},{"id":"pe-11_obj.2","name":"objective","props":[{"name":"label","value":"PE-11[2]"}],"prose":"transition of the information system to long-term alternate power."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing uninterruptible power supply\n\nthe uninterruptable power supply"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-12"},{"name":"sort-id","value":"pe-12"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-12_obj","name":"objective","prose":"Determine if the organization employs and maintains automatic emergency lighting for the information system that:","parts":[{"id":"pe-12_obj.1","name":"objective","props":[{"name":"label","value":"PE-12[1]"}],"prose":"activates in the event of a power outage or disruption; and"},{"id":"pe-12_obj.2","name":"objective","props":[{"name":"label","value":"PE-12[2]"}],"prose":"covers emergency exits and evacuation routes within the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-13"},{"name":"sort-id","value":"pe-13"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"The organization employs and maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Fire suppression and detection devices\/systems include, for example, sprinkler systems, handheld fire extinguishers, fixed fire hoses, and smoke detectors."},{"id":"pe-13_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-13_obj.1","name":"objective","props":[{"name":"label","value":"PE-13[1]"}],"prose":"employs fire suppression and detection devices\/systems for the information system that are supported by an independent energy source; and"},{"id":"pe-13_obj.2","name":"objective","props":[{"name":"label","value":"PE-13[2]"}],"prose":"maintains fire suppression and detection devices\/systems for the information system that are supported by an independent energy source."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"sort-id","value":"pe-13.03"}],"parts":[{"id":"pe-13.3_smt","name":"statement","prose":"The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"id":"pe-13.3_obj","name":"objective","prose":"Determine if the organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Temperature and Humidity Controls","params":[{"id":"pe-14_prm_1","label":"organization-defined acceptable levels"},{"id":"pe-14_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-14"},{"name":"sort-id","value":"pe-14"}],"parts":[{"id":"pe-14_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintains temperature and humidity levels within the facility where the information system resides at {{ insert: param, pe-14_prm_1 }}; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitors temperature and humidity levels {{ insert: param, pe-14_prm_2 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources, for example, data centers, server rooms, and mainframe computer rooms.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-14_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-14.a_obj","name":"objective","props":[{"name":"label","value":"PE-14(a)"}],"parts":[{"id":"pe-14.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(a)[1]"}],"prose":"defines acceptable temperature levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(a)[2]"}],"prose":"defines acceptable humidity levels to be maintained within the facility where the information system resides;"},{"id":"pe-14.a_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(a)[3]"}],"prose":"maintains temperature levels within the facility where the information system resides at the organization-defined levels;"},{"id":"pe-14.a_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(a)[4]"}],"prose":"maintains humidity levels within the facility where the information system resides at the organization-defined levels;"}]},{"id":"pe-14.b_obj","name":"objective","props":[{"name":"label","value":"PE-14(b)"}],"parts":[{"id":"pe-14.b_obj.1","name":"objective","props":[{"name":"label","value":"PE-14(b)[1]"}],"prose":"defines the frequency to monitor temperature levels;"},{"id":"pe-14.b_obj.2","name":"objective","props":[{"name":"label","value":"PE-14(b)[2]"}],"prose":"defines the frequency to monitor humidity levels;"},{"id":"pe-14.b_obj.3","name":"objective","props":[{"name":"label","value":"PE-14(b)[3]"}],"prose":"monitors temperature levels with the organization-defined frequency; and"},{"id":"pe-14.b_obj.4","name":"objective","props":[{"name":"label","value":"PE-14(b)[4]"}],"prose":"monitors humidity levels with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\nsecurity plan\n\ntemperature and humidity controls\n\nfacility housing the information system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"priority","value":"P1"},{"name":"label","value":"PE-15"},{"name":"sort-id","value":"pe-15"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"This control applies primarily to facilities containing concentrations of information system resources including, for example, data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern, without affecting entire organizations.","links":[{"href":"#at-3","rel":"related"}]},{"id":"pe-15_obj","name":"objective","prose":"Determine if the organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are:","parts":[{"id":"pe-15_obj.1","name":"objective","props":[{"name":"label","value":"PE-15[1]"}],"prose":"accessible;"},{"id":"pe-15_obj.2","name":"objective","props":[{"name":"label","value":"PE-15[2]"}],"prose":"working properly; and"},{"id":"pe-15_obj.3","name":"objective","props":[{"name":"label","value":"PE-15[3]"}],"prose":"known to key personnel."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the information system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for information system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water-shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","label":"organization-defined types of information system components"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-16"},{"name":"sort-id","value":"pe-16"}],"parts":[{"id":"pe-16_smt","name":"statement","prose":"The organization authorizes, monitors, and controls {{ insert: param, pe-16_prm_1 }} entering and exiting the facility and maintains records of those items."},{"id":"pe-16_gdn","name":"guidance","prose":"Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.","links":[{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"pe-16_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-16_obj.1","name":"objective","props":[{"name":"label","value":"PE-16[1]"}],"prose":"defines types of information system components to be authorized, monitored, and controlled as such components are entering and exiting the facility;"},{"id":"pe-16_obj.2","name":"objective","props":[{"name":"label","value":"PE-16[2]"}],"prose":"authorizes organization-defined information system components entering the facility;"},{"id":"pe-16_obj.3","name":"objective","props":[{"name":"label","value":"PE-16[3]"}],"prose":"monitors organization-defined information system components entering the facility;"},{"id":"pe-16_obj.4","name":"objective","props":[{"name":"label","value":"PE-16[4]"}],"prose":"controls organization-defined information system components entering the facility;"},{"id":"pe-16_obj.5","name":"objective","props":[{"name":"label","value":"PE-16[5]"}],"prose":"authorizes organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.6","name":"objective","props":[{"name":"label","value":"PE-16[6]"}],"prose":"monitors organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.7","name":"objective","props":[{"name":"label","value":"PE-16[7]"}],"prose":"controls organization-defined information system components exiting the facility;"},{"id":"pe-16_obj.8","name":"objective","props":[{"name":"label","value":"PE-16[8]"}],"prose":"maintains records of information system components entering the facility; and"},{"id":"pe-16_obj.9","name":"objective","props":[{"name":"label","value":"PE-16[9]"}],"prose":"maintains records of information system components exiting the facility."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing delivery and removal of information system components from the facility\n\nsecurity plan\n\nfacility housing the information system\n\nrecords of items entering and exiting the facility\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibilities for controlling information system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling information system-related items entering and exiting the facility\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling information system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_prm_1","label":"organization-defined security controls"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PE-17"},{"name":"sort-id","value":"pe-17"}],"links":[{"href":"#5309d4d0-46f8-4213-a749-e7584164e5e8","rel":"reference"}],"parts":[{"id":"pe-17_smt","name":"statement","prose":"The organization:","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs {{ insert: param, pe-17_prm_1 }} at alternate work sites;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assesses as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites may include, for example, government facilities or private residences of employees. While commonly distinct from alternative processing sites, alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.","links":[{"href":"#ac-17","rel":"related"},{"href":"#cp-7","rel":"related"}]},{"id":"pe-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pe-17.a_obj","name":"objective","props":[{"name":"label","value":"PE-17(a)"}],"parts":[{"id":"pe-17.a_obj.1","name":"objective","props":[{"name":"label","value":"PE-17(a)[1]"}],"prose":"defines security controls to be employed at alternate work sites;"},{"id":"pe-17.a_obj.2","name":"objective","props":[{"name":"label","value":"PE-17(a)[2]"}],"prose":"employs organization-defined security controls at alternate work sites;"}]},{"id":"pe-17.b_obj","name":"objective","props":[{"name":"label","value":"PE-17(b)"}],"prose":"assesses, as feasible, the effectiveness of security controls at alternate work sites; and"},{"id":"pe-17.c_obj","name":"objective","props":[{"name":"label","value":"PE-17(c)"}],"prose":"provides a means for employees to communicate with information security personnel in case of security incidents or problems."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nsecurity plan\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel approving use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security at alternate work sites\n\nautomated mechanisms supporting alternate work sites\n\nsecurity controls employed at alternate work sites\n\nmeans of communications between personnel at alternate work sites and security personnel"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Security Planning Policy and Procedures","params":[{"id":"pl-1_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-1_prm_2","label":"organization-defined frequency"},{"id":"pl-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-1"},{"name":"sort-id","value":"pl-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"pl-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"pl-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security planning policy {{ insert: param, pl-1_prm_2 }}; and"},{"id":"pl-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Security planning procedures {{ insert: param, pl-1_prm_3 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"pl-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-1.a_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)"}],"parts":[{"id":"pl-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)"}],"parts":[{"id":"pl-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1]"}],"prose":"develops and documents a planning policy that addresses:","parts":[{"id":"pl-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"pl-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"pl-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"pl-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"pl-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"pl-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"pl-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"pl-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the planning policy is to be disseminated;"},{"id":"pl-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(1)[3]"}],"prose":"disseminates the planning policy to organization-defined personnel or roles;"}]},{"id":"pl-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)"}],"parts":[{"id":"pl-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the planning policy and associated planning controls;"},{"id":"pl-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"pl-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PL-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"pl-1.b_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)"}],"parts":[{"id":"pl-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)"}],"parts":[{"id":"pl-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current planning policy;"},{"id":"pl-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(1)[2]"}],"prose":"reviews and updates the current planning policy with the organization-defined frequency;"}]},{"id":"pl-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)"}],"parts":[{"id":"pl-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current planning procedures; and"},{"id":"pl-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PL-1(b)(2)[2]"}],"prose":"reviews and updates the current planning procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Planning policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security Plan","params":[{"id":"pl-2_prm_1","label":"organization-defined personnel or roles"},{"id":"pl-2_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-2"},{"name":"sort-id","value":"pl-02"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a security plan for the information system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly defines the authorization boundary for the system;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides an overview of the security requirements for the system;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Identifies any relevant overlays, if applicable;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions; and"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distributes copies of the security plan and communicates subsequent changes to the plan to {{ insert: param, pl-2_prm_1 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews the security plan for the information system {{ insert: param, pl-2_prm_2 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Updates the plan to address changes to the information system\/environment of operation or problems identified during plan implementation or security control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the security plan from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls\/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended. Organizations can also apply tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to develop overlays for community-wide use or to address specialized requirements, technologies, or missions\/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal Identity, Credential, and Access Management, space operations). Appendix I provides guidance on developing overlays. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management\/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"}]},{"id":"pl-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.a_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)"}],"prose":"develops a security plan for the information system that:","parts":[{"id":"pl-2.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(1)"}],"prose":"is consistent with the organization’s enterprise architecture;"},{"id":"pl-2.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(2)"}],"prose":"explicitly defines the authorization boundary for the system;"},{"id":"pl-2.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(3)"}],"prose":"describes the operational context of the information system in terms of missions and business processes;"},{"id":"pl-2.a.4_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(4)"}],"prose":"provides the security categorization of the information system including supporting rationale;"},{"id":"pl-2.a.5_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(5)"}],"prose":"describes the operational environment for the information system and relationships with or connections to other information systems;"},{"id":"pl-2.a.6_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(6)"}],"prose":"provides an overview of the security requirements for the system;"},{"id":"pl-2.a.7_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(7)"}],"prose":"identifies any relevant overlays, if applicable;"},{"id":"pl-2.a.8_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(8)"}],"prose":"describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplemental decisions;"},{"id":"pl-2.a.9_obj","name":"objective","props":[{"name":"label","value":"PL-2(a)(9)"}],"prose":"is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"}]},{"id":"pl-2.b_obj","name":"objective","props":[{"name":"label","value":"PL-2(b)"}],"parts":[{"id":"pl-2.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(b)[1]"}],"prose":"defines personnel or roles to whom copies of the security plan are to be distributed and subsequent changes to the plan are to be communicated;"},{"id":"pl-2.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(b)[2]"}],"prose":"distributes copies of the security plan and communicates subsequent changes to the plan to organization-defined personnel or roles;"}]},{"id":"pl-2.c_obj","name":"objective","props":[{"name":"label","value":"PL-2(c)"}],"parts":[{"id":"pl-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(c)[1]"}],"prose":"defines the frequency to review the security plan for the information system;"},{"id":"pl-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(c)[2]"}],"prose":"reviews the security plan for the information system with the organization-defined frequency;"}]},{"id":"pl-2.d_obj","name":"objective","props":[{"name":"label","value":"PL-2(d)"}],"prose":"updates the plan to address:","parts":[{"id":"pl-2.d_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(d)[1]"}],"prose":"changes to the information system\/environment of operation;"},{"id":"pl-2.d_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(d)[2]"}],"prose":"problems identified during plan implementation;"},{"id":"pl-2.d_obj.3","name":"objective","props":[{"name":"label","value":"PL-2(d)[3]"}],"prose":"problems identified during security control assessments;"}]},{"id":"pl-2.e_obj","name":"objective","props":[{"name":"label","value":"PL-2(e)"}],"prose":"protects the security plan from unauthorized:","parts":[{"id":"pl-2.e_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(e)[1]"}],"prose":"disclosure; and"},{"id":"pl-2.e_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(e)[2]"}],"prose":"modification."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing security plan development and implementation\n\nprocedures addressing security plan reviews and updates\n\nenterprise architecture documentation\n\nsecurity plan for the information system\n\nrecords of security plan reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security plan development\/review\/update\/approval\n\nautomated mechanisms supporting the information system security plan"}]}],"controls":[{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan \/ Coordinate with Other Organizational Entities","params":[{"id":"pl-2.3_prm_1","label":"organization-defined individuals or groups"}],"props":[{"name":"label","value":"PL-2(3)"},{"name":"sort-id","value":"pl-02.03"}],"parts":[{"id":"pl-2.3_smt","name":"statement","prose":"The organization plans and coordinates security-related activities affecting the information system with {{ insert: param, pl-2.3_prm_1 }} before conducting such activities in order to reduce the impact on other organizational entities."},{"id":"pl-2.3_gdn","name":"guidance","prose":"Security-related activities include, for example, security assessments, audits, hardware and software maintenance, patch management, and contingency plan testing. Advance planning and coordination includes emergency and nonemergency (i.e., planned or nonurgent unplanned) situations. The process defined by organizations to plan and coordinate security-related activities can be included in security plans for information systems or other documents, as appropriate.","links":[{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"}]},{"id":"pl-2.3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-2.3_obj.1","name":"objective","props":[{"name":"label","value":"PL-2(3)[1]"}],"prose":"defines individuals or groups with whom security-related activities affecting the information system are to be planned and coordinated before conducting such activities in order to reduce the impact on other organizational entities; and"},{"id":"pl-2.3_obj.2","name":"objective","props":[{"name":"label","value":"PL-2(3)[2]"}],"prose":"plans and coordinates security-related activities affecting the information system with organization-defined individuals or groups before conducting such activities in order to reduce the impact on other organizational entities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\naccess control policy\n\ncontingency planning policy\n\nprocedures addressing security-related activity planning for the information system\n\nsecurity plan for the information system\n\ncontingency plan for the information system\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational individuals or groups with whom security-related activities are to be planned and coordinated\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PL-4"},{"name":"sort-id","value":"pl-04"}],"links":[{"href":"#9c5c9e8c-dc81-4f55-a11c-d71d7487790f","rel":"reference"}],"parts":[{"id":"pl-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates the rules of behavior {{ insert: param, pl-4_prm_1 }}; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised\/updated."}]},{"id":"pl-4_gdn","name":"guidance","prose":"This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data\/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"}]},{"id":"pl-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-4.a_obj","name":"objective","props":[{"name":"label","value":"PL-4(a)"}],"parts":[{"id":"pl-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(a)[1]"}],"prose":"establishes, for individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"},{"id":"pl-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(a)[2]"}],"prose":"makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;"}]},{"id":"pl-4.b_obj","name":"objective","props":[{"name":"label","value":"PL-4(b)"}],"prose":"receives a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;"},{"id":"pl-4.c_obj","name":"objective","props":[{"name":"label","value":"PL-4(c)"}],"parts":[{"id":"pl-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(c)[1]"}],"prose":"defines the frequency to review and update the rules of behavior;"},{"id":"pl-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(c)[2]"}],"prose":"reviews and updates the rules of behavior with the organization-defined frequency; and"}]},{"id":"pl-4.d_obj","name":"objective","props":[{"name":"label","value":"PL-4(d)"}],"prose":"requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised\/updated."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed and resigned rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and Networking Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"sort-id","value":"pl-04.01"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"The organization includes in the rules of behavior, explicit restrictions on the use of social media\/networking sites and posting organizational information on public websites."},{"id":"pl-4.1_gdn","name":"guidance","prose":"This control enhancement addresses rules of behavior related to the use of social media\/networking sites: (i) when organizational personnel are using such sites for official duties or in the conduct of official business; (ii) when organizational information is involved in social media\/networking transactions; and (iii) when personnel are accessing social media\/networking sites from organizational information systems. Organizations also address specific rules that prevent unauthorized entities from obtaining and\/or inferring non-public organizational information (e.g., system account information, personally identifiable information) from social media\/networking sites."},{"id":"pl-4.1_obj","name":"objective","prose":"Determine if the organization includes the following in the rules of behavior:","parts":[{"id":"pl-4.1_obj.1","name":"objective","props":[{"name":"label","value":"PL-4(1)[1]"}],"prose":"explicit restrictions on the use of social media\/networking sites; and"},{"id":"pl-4.1_obj.2","name":"objective","props":[{"name":"label","value":"PL-4(1)[2]"}],"prose":"posting organizational information on public websites."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing rules of behavior for information system users\n\nrules of behavior\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel who are authorized users of the information system and have signed rules of behavior\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for establishing rules of behavior\n\nautomated mechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Information Security Architecture","params":[{"id":"pl-8_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PL-8"},{"name":"sort-id","value":"pl-08"}],"parts":[{"id":"pl-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops an information security architecture for the information system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes how the information security architecture is integrated into and supports the enterprise architecture; and"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describes any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the information security architecture {{ insert: param, pl-8_prm_1 }} to reflect updates in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements\/acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement\/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today’s modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission\/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)\/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product\/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate\/show consistency with the organization’s enterprise architecture and information security architecture.","links":[{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r4","rel":"related"}]},{"id":"pl-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"pl-8.a_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)"}],"prose":"develops an information security architecture for the information system that describes:","parts":[{"id":"pl-8.a.1_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(1)"}],"prose":"the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8.a.2_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(2)"}],"prose":"how the information security architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8.a.3_obj","name":"objective","props":[{"name":"label","value":"PL-8(a)(3)"}],"prose":"any information security assumptions about, and dependencies on, external services;"}]},{"id":"pl-8.b_obj","name":"objective","props":[{"name":"label","value":"PL-8(b)"}],"parts":[{"id":"pl-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(b)[1]"}],"prose":"defines the frequency to review and update the information security architecture;"},{"id":"pl-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(b)[2]"}],"prose":"reviews and updates the information security architecture with the organization-defined frequency to reflect updates in the enterprise architecture;"}]},{"id":"pl-8.c_obj","name":"objective","props":[{"name":"label","value":"PL-8(c)"}],"prose":"ensures that planned information security architecture changes are reflected in:","parts":[{"id":"pl-8.c_obj.1","name":"objective","props":[{"name":"label","value":"PL-8(c)[1]"}],"prose":"the security plan;"},{"id":"pl-8.c_obj.2","name":"objective","props":[{"name":"label","value":"PL-8(c)[2]"}],"prose":"the security Concept of Operations (CONOPS); and"},{"id":"pl-8.c_obj.3","name":"objective","props":[{"name":"label","value":"PL-8(c)[3]"}],"prose":"the organizational procurements\/acquisitions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Security planning policy\n\nprocedures addressing information security architecture development\n\nprocedures addressing information security architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security architecture documentation\n\nsecurity plan for the information system\n\nsecurity CONOPS for the information system\n\nrecords of information security architecture reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security planning and plan implementation responsibilities\n\norganizational personnel with information security architecture development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for developing, reviewing, and updating the information security architecture\n\nautomated mechanisms supporting and\/or implementing the development, review, and update of the information security architecture"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Personnel Security Policy and Procedures","params":[{"id":"ps-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-1_prm_2","label":"organization-defined frequency"},{"id":"ps-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-1"},{"name":"sort-id","value":"ps-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ps-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ps-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Personnel security policy {{ insert: param, ps-1_prm_2 }}; and"},{"id":"ps-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Personnel security procedures {{ insert: param, ps-1_prm_3 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PS family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ps-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-1.a_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)"}],"parts":[{"id":"ps-1.a.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)"}],"parts":[{"id":"ps-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1]"}],"prose":"develops and documents an personnel security policy that addresses:","parts":[{"id":"ps-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ps-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ps-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ps-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ps-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ps-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ps-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ps-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the personnel security policy is to be disseminated;"},{"id":"ps-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(1)[3]"}],"prose":"disseminates the personnel security policy to organization-defined personnel or roles;"}]},{"id":"ps-1.a.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)"}],"parts":[{"id":"ps-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the personnel security policy and associated personnel security controls;"},{"id":"ps-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ps-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"PS-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ps-1.b_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)"}],"parts":[{"id":"ps-1.b.1_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)"}],"parts":[{"id":"ps-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current personnel security policy;"},{"id":"ps-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(1)[2]"}],"prose":"reviews and updates the current personnel security policy with the organization-defined frequency;"}]},{"id":"ps-1.b.2_obj","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)"}],"parts":[{"id":"ps-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current personnel security procedures; and"},{"id":"ps-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-1(b)(2)[2]"}],"prose":"reviews and updates the current personnel security procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-2"},{"name":"sort-id","value":"ps-02"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"}],"parts":[{"id":"ps-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigns a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews and updates position risk designations {{ insert: param, ps-2_prm_1 }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management policy and guidance. Risk designations can guide and inform the types of authorizations individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements (e.g., training, security clearances).","links":[{"href":"#at-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"}]},{"id":"ps-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-2.a_obj","name":"objective","props":[{"name":"label","value":"PS-2(a)"}],"prose":"assigns a risk designation to all organizational positions;"},{"id":"ps-2.b_obj","name":"objective","props":[{"name":"label","value":"PS-2(b)"}],"prose":"establishes screening criteria for individuals filling those positions;"},{"id":"ps-2.c_obj","name":"objective","props":[{"name":"label","value":"PS-2(c)"}],"parts":[{"id":"ps-2.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-2(c)[1]"}],"prose":"defines the frequency to review and update position risk designations; and"},{"id":"ps-2.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-2(c)[2]"}],"prose":"reviews and updates position risk designations with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nsecurity plan\n\nrecords of position risk designation reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-3"},{"name":"sort-id","value":"ps-03"}],"links":[{"href":"#0c97e60b-325a-4efa-ba2b-90f20ccd5abc","rel":"reference"},{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"},{"href":"#ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","rel":"reference"},{"href":"#2a71298a-ee90-490e-80ff-48c967173a47","rel":"reference"},{"href":"#2042d97b-f7f6-4c74-84f8-981867684659","rel":"reference"},{"href":"#6caa237b-531b-43ac-9711-d8f6b97b0377","rel":"reference"}],"parts":[{"id":"ps-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screens individuals prior to authorizing access to the information system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreens individuals according to {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and specific criteria established for the risk designations of assigned positions. Organizations may define different rescreening conditions and frequencies for personnel accessing information systems based on types of information processed, stored, or transmitted by the systems.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-2","rel":"related"}]},{"id":"ps-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-3.a_obj","name":"objective","props":[{"name":"label","value":"PS-3(a)"}],"prose":"screens individuals prior to authorizing access to the information system;"},{"id":"ps-3.b_obj","name":"objective","props":[{"name":"label","value":"PS-3(b)"}],"parts":[{"id":"ps-3.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-3(b)[1]"}],"prose":"defines conditions requiring re-screening;"},{"id":"ps-3.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-3(b)[2]"}],"prose":"defines the frequency of re-screening where it is so indicated; and"},{"id":"ps-3.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-3(b)[3]"}],"prose":"re-screens individuals in accordance with organization-defined conditions requiring re-screening and, where re-screening is so indicated, with the organization-defined frequency of such re-screening."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsecurity plan\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-4_prm_1","label":"organization-defined time period"},{"id":"ps-4_prm_2","label":"organization-defined information security topics"},{"id":"ps-4_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-4_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-4"},{"name":"sort-id","value":"ps-04"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"The organization, upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disables information system access within {{ insert: param, ps-4_prm_1 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conducts exit interviews that include a discussion of {{ insert: param, ps-4_prm_2 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieves all security-related organizational information system-related property;"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retains access to organizational information and information systems formerly controlled by terminated individual; and"},{"id":"ps-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Notifies {{ insert: param, ps-4_prm_3 }} within {{ insert: param, ps-4_prm_4 }}."}]},{"id":"ps-4_gdn","name":"guidance","prose":"Information system-related property includes, for example, hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for information system-related property. Security topics of interest at exit interviews can include, for example, reminding terminated individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not be possible for some terminated individuals, for example, in cases related to job abandonment, illnesses, and nonavailability of supervisors. Exit interviews are important for individuals with security clearances. Timely execution of termination actions is essential for individuals terminated for cause. In certain situations, organizations consider disabling the information system accounts of individuals that are being terminated prior to the individuals being notified.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-4_obj","name":"objective","prose":"Determine if the organization, upon termination of individual employment,:","parts":[{"id":"ps-4.a_obj","name":"objective","props":[{"name":"label","value":"PS-4(a)"}],"parts":[{"id":"ps-4.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(a)[1]"}],"prose":"defines a time period within which to disable information system access;"},{"id":"ps-4.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(a)[2]"}],"prose":"disables information system access within the organization-defined time period;"}]},{"id":"ps-4.b_obj","name":"objective","props":[{"name":"label","value":"PS-4(b)"}],"prose":"terminates\/revokes any authenticators\/credentials associated with the individual;"},{"id":"ps-4.c_obj","name":"objective","props":[{"name":"label","value":"PS-4(c)"}],"parts":[{"id":"ps-4.c_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(c)[1]"}],"prose":"defines information security topics to be discussed when conducting exit interviews;"},{"id":"ps-4.c_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(c)[2]"}],"prose":"conducts exit interviews that include a discussion of organization-defined information security topics;"}]},{"id":"ps-4.d_obj","name":"objective","props":[{"name":"label","value":"PS-4(d)"}],"prose":"retrieves all security-related organizational information system-related property;"},{"id":"ps-4.e_obj","name":"objective","props":[{"name":"label","value":"PS-4(e)"}],"prose":"retains access to organizational information and information systems formerly controlled by the terminated individual;"},{"id":"ps-4.f_obj","name":"objective","props":[{"name":"label","value":"PS-4(f)"}],"parts":[{"id":"ps-4.f_obj.1","name":"objective","props":[{"name":"label","value":"PS-4(f)[1]"}],"prose":"defines personnel or roles to be notified of the termination;"},{"id":"ps-4.f_obj.2","name":"objective","props":[{"name":"label","value":"PS-4(f)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles; and"},{"id":"ps-4.f_obj.3","name":"objective","props":[{"name":"label","value":"PS-4(f)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of information system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-5_prm_1","label":"organization-defined transfer or reassignment actions"},{"id":"ps-5_prm_2","label":"organization-defined time period following the formal transfer action"},{"id":"ps-5_prm_3","label":"organization-defined personnel or roles"},{"id":"ps-5_prm_4","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"PS-5"},{"name":"sort-id","value":"ps-05"}],"parts":[{"id":"ps-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems\/facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiates {{ insert: param, ps-5_prm_1 }} within {{ insert: param, ps-5_prm_2 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notifies {{ insert: param, ps-5_prm_3 }} within {{ insert: param, ps-5_prm_4 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"This control applies when reassignments or transfers of individuals are permanent or of such extended durations as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include, for example: (i) returning old and issuing new keys, identification cards, and building passes; (ii) closing information system accounts and establishing new accounts; (iii) changing information system access authorizations (i.e., privileges); and (iv) providing for access to official records to which individuals had access at previous work locations and in previous information system accounts.","links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#ps-4","rel":"related"}]},{"id":"ps-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-5.a_obj","name":"objective","props":[{"name":"label","value":"PS-5(a)"}],"prose":"when individuals are reassigned or transferred to other positions within the organization, reviews and confirms ongoing operational need for current:","parts":[{"id":"ps-5.a_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(a)[1]"}],"prose":"logical access authorizations to information systems;"},{"id":"ps-5.a_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(a)[2]"}],"prose":"physical access authorizations to information systems and facilities;"}]},{"id":"ps-5.b_obj","name":"objective","props":[{"name":"label","value":"PS-5(b)"}],"parts":[{"id":"ps-5.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(b)[1]"}],"prose":"defines transfer or reassignment actions to be initiated following transfer or reassignment;"},{"id":"ps-5.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(b)[2]"}],"prose":"defines the time period within which transfer or reassignment actions must occur following transfer or reassignment;"},{"id":"ps-5.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(b)[3]"}],"prose":"initiates organization-defined transfer or reassignment actions within the organization-defined time period following transfer or reassignment;"}]},{"id":"ps-5.c_obj","name":"objective","props":[{"name":"label","value":"PS-5(c)"}],"prose":"modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5.d_obj","name":"objective","props":[{"name":"label","value":"PS-5(d)"}],"parts":[{"id":"ps-5.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-5(d)[1]"}],"prose":"defines personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-5(d)[2]"}],"prose":"defines the time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization; and"},{"id":"ps-5.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-5(d)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when individuals are reassigned or transferred to other positions within the organization."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nsecurity plan\n\nrecords of personnel transfer actions\n\nlist of information system and facility access authorizations\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for personnel transfer\n\nautomated mechanisms supporting and\/or implementing personnel transfer notifications\n\nautomated mechanisms for disabling information system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-6_prm_1","label":"organization-defined frequency"},{"id":"ps-6_prm_2","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-6"},{"name":"sort-id","value":"ps-06"}],"parts":[{"id":"ps-6_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops and documents access agreements for organizational information systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the access agreements {{ insert: param, ps-6_prm_1 }}; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that individuals requiring access to organizational information and information systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or {{ insert: param, ps-6_prm_2 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-8","rel":"related"}]},{"id":"ps-6_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-6.a_obj","name":"objective","props":[{"name":"label","value":"PS-6(a)"}],"prose":"develops and documents access agreements for organizational information systems;"},{"id":"ps-6.b_obj","name":"objective","props":[{"name":"label","value":"PS-6(b)"}],"parts":[{"id":"ps-6.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(b)[1]"}],"prose":"defines the frequency to review and update the access agreements;"},{"id":"ps-6.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(b)[2]"}],"prose":"reviews and updates the access agreements with the organization-defined frequency;"}]},{"id":"ps-6.c_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)"}],"parts":[{"id":"ps-6.c.1_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(1)"}],"prose":"ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6.c.2_obj","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)"}],"parts":[{"id":"ps-6.c.2_obj.1","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[1]"}],"prose":"defines the frequency to re-sign access agreements to maintain access to organizational information systems when access agreements have been updated;"},{"id":"ps-6.c.2_obj.2","name":"objective","props":[{"name":"label","value":"PS-6(c)(2)[2]"}],"prose":"ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and information systems\n\nsecurity plan\n\naccess agreements\n\nrecords of access agreement reviews and updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for access agreements\n\nautomated mechanisms supporting access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"Third-party Personnel Security","params":[{"id":"ps-7_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-7_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"PS-7"},{"name":"sort-id","value":"ps-07"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"ps-7_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes personnel security requirements including security roles and responsibilities for third-party providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Requires third-party providers to notify {{ insert: param, ps-7_prm_1 }} of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges within {{ insert: param, ps-7_prm_2 }}; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitors provider compliance."}]},{"id":"ps-7_gdn","name":"guidance","prose":"Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations. Notifications of third-party personnel changes ensure appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include, for example, functions, roles, and nature of credentials\/privileges associated with individuals transferred or terminated.","links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}]},{"id":"ps-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-7.a_obj","name":"objective","props":[{"name":"label","value":"PS-7(a)"}],"prose":"establishes personnel security requirements, including security roles and responsibilities, for third-party providers;"},{"id":"ps-7.b_obj","name":"objective","props":[{"name":"label","value":"PS-7(b)"}],"prose":"requires third-party providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7.c_obj","name":"objective","props":[{"name":"label","value":"PS-7(c)"}],"prose":"documents personnel security requirements;"},{"id":"ps-7.d_obj","name":"objective","props":[{"name":"label","value":"PS-7(d)"}],"parts":[{"id":"ps-7.d_obj.1","name":"objective","props":[{"name":"label","value":"PS-7(d)[1]"}],"prose":"defines personnel or roles to be notified of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.2","name":"objective","props":[{"name":"label","value":"PS-7(d)[2]"}],"prose":"defines the time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges;"},{"id":"ps-7.d_obj.3","name":"objective","props":[{"name":"label","value":"PS-7(d)[3]"}],"prose":"requires third-party providers to notify organization-defined personnel or roles within the organization-defined time period of any personnel transfers or terminations of third-party personnel who possess organizational credentials and\/or badges, or who have information system privileges; and"}]},{"id":"ps-7.e_obj","name":"objective","props":[{"name":"label","value":"PS-7(e)"}],"prose":"monitors provider compliance."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing third-party personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\nthird-party providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing and monitoring third-party personnel security\n\nautomated mechanisms supporting and\/or implementing monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-8_prm_1","label":"organization-defined personnel or roles"},{"id":"ps-8_prm_2","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P3"},{"name":"label","value":"PS-8"},{"name":"sort-id","value":"ps-08"}],"parts":[{"id":"ps-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notifies {{ insert: param, ps-8_prm_1 }} within {{ insert: param, ps-8_prm_2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.","links":[{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"}]},{"id":"ps-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ps-8.a_obj","name":"objective","props":[{"name":"label","value":"PS-8(a)"}],"prose":"employs a formal sanctions process for individuals failing to comply with established information security policies and procedures;"},{"id":"ps-8.b_obj","name":"objective","props":[{"name":"label","value":"PS-8(b)"}],"parts":[{"id":"ps-8.b_obj.1","name":"objective","props":[{"name":"label","value":"PS-8(b)[1]"}],"prose":"defines personnel or roles to be notified when a formal employee sanctions process is initiated;"},{"id":"ps-8.b_obj.2","name":"objective","props":[{"name":"label","value":"PS-8(b)[2]"}],"prose":"defines the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated; and"},{"id":"ps-8.b_obj.3","name":"objective","props":[{"name":"label","value":"PS-8(b)[3]"}],"prose":"notifies organization-defined personnel or roles within the organization-defined time period when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Personnel security policy\n\nprocedures addressing personnel sanctions\n\nrules of behavior\n\nrecords of formal sanctions\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for managing personnel sanctions\n\nautomated mechanisms supporting and\/or implementing notifications"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Risk Assessment Policy and Procedures","params":[{"id":"ra-1_prm_1","label":"organization-defined personnel or roles"},{"id":"ra-1_prm_2","label":"organization-defined frequency"},{"id":"ra-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-1"},{"name":"sort-id","value":"ra-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"ra-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"ra-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Risk assessment policy {{ insert: param, ra-1_prm_2 }}; and"},{"id":"ra-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Risk assessment procedures {{ insert: param, ra-1_prm_3 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"ra-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-1.a_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)"}],"parts":[{"id":"ra-1.a.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)"}],"parts":[{"id":"ra-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1]"}],"prose":"develops and documents a risk assessment policy that addresses:","parts":[{"id":"ra-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"ra-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"ra-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"ra-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"ra-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"ra-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"ra-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"ra-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the risk assessment policy is to be disseminated;"},{"id":"ra-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(1)[3]"}],"prose":"disseminates the risk assessment policy to organization-defined personnel or roles;"}]},{"id":"ra-1.a.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)"}],"parts":[{"id":"ra-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls;"},{"id":"ra-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"ra-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"RA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"ra-1.b_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)"}],"parts":[{"id":"ra-1.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)"}],"parts":[{"id":"ra-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current risk assessment policy;"},{"id":"ra-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(1)[2]"}],"prose":"reviews and updates the current risk assessment policy with the organization-defined frequency;"}]},{"id":"ra-1.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)"}],"parts":[{"id":"ra-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current risk assessment procedures; and"},{"id":"ra-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-1(b)(2)[2]"}],"prose":"reviews and updates the current risk assessment procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"risk assessment policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-2"},{"name":"sort-id","value":"ra-02"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#f152844f-b1ef-4836-8729-6277078ebee1","rel":"reference"}],"parts":[{"id":"ra-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensures that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission\/business owners, and information owners\/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted.","links":[{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"ra-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-2.a_obj","name":"objective","props":[{"name":"label","value":"RA-2(a)"}],"prose":"categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"ra-2.b_obj","name":"objective","props":[{"name":"label","value":"RA-2(b)"}],"prose":"documents the security categorization results (including supporting rationale) in the security plan for the information system; and"},{"id":"ra-2.c_obj","name":"objective","props":[{"name":"label","value":"RA-2(c)"}],"prose":"ensures the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and information systems\n\nsecurity plan\n\nsecurity categorization documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-3_prm_1","select":{"choice":["security plan","risk assessment report"," {{ insert: param, ra-3_prm_2 }} "]}},{"id":"ra-3_prm_2","depends-on":"ra-3_prm_1","label":"organization-defined document"},{"id":"ra-3_prm_3","label":"organization-defined frequency"},{"id":"ra-3_prm_4","label":"organization-defined personnel or roles"},{"id":"ra-3_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-3"},{"name":"sort-id","value":"ra-03"}],"links":[{"href":"#ff3bfb02-79b2-411f-8735-98dfe5af2ab0","rel":"reference"},{"href":"#a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","rel":"reference"},{"href":"#d480aa6a-7a88-424e-a10c-ad1c7870354b","rel":"reference"},{"href":"#85280698-0417-489d-b214-12bb935fb939","rel":"reference"}],"parts":[{"id":"ra-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;"},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Documents risk assessment results in {{ insert: param, ra-3_prm_1 }};"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reviews risk assessment results {{ insert: param, ra-3_prm_3 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Disseminates risk assessment results to {{ insert: param, ra-3_prm_4 }}; and"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Updates the risk assessment {{ insert: param, ra-3_prm_5 }} or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Clearly defined authorization boundaries are a prerequisite for effective risk assessments. Risk assessments take into account threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation based on the operation and use of information systems. Risk assessments also take into account risk from external parties (e.g., service providers, contractors operating information systems on behalf of the organization, individuals accessing organizational information systems, outsourcing entities). In accordance with OMB policy and related E-authentication initiatives, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. As such, organizational assessments of risk also address public access to federal information systems. Risk assessments (either formal or informal) can be conducted at all three tiers in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any phase in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring. RA-3 is noteworthy in that the control must be partially implemented prior to the implementation of other controls in order to complete the first two steps in the Risk Management Framework. Risk assessments can play an important role in security control selection processes, particularly during the application of tailoring guidance, which includes security control supplementation.","links":[{"href":"#ra-2","rel":"related"},{"href":"#pm-9","rel":"related"}]},{"id":"ra-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-3.a_obj","name":"objective","props":[{"name":"label","value":"RA-3(a)"}],"prose":"conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of:","parts":[{"id":"ra-3.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(a)[1]"}],"prose":"the information system;"},{"id":"ra-3.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(a)[2]"}],"prose":"the information the system processes, stores, or transmits;"}]},{"id":"ra-3.b_obj","name":"objective","props":[{"name":"label","value":"RA-3(b)"}],"parts":[{"id":"ra-3.b_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(b)[1]"}],"prose":"defines a document in which risk assessment results are to be documented (if not documented in the security plan or risk assessment report);"},{"id":"ra-3.b_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(b)[2]"}],"prose":"documents risk assessment results in one of the following:","parts":[{"id":"ra-3.b_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][a]"}],"prose":"the security plan;"},{"id":"ra-3.b_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][b]"}],"prose":"the risk assessment report; or"},{"id":"ra-3.b_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(b)[2][c]"}],"prose":"the organization-defined document;"}]}]},{"id":"ra-3.c_obj","name":"objective","props":[{"name":"label","value":"RA-3(c)"}],"parts":[{"id":"ra-3.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(c)[1]"}],"prose":"defines the frequency to review risk assessment results;"},{"id":"ra-3.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(c)[2]"}],"prose":"reviews risk assessment results with the organization-defined frequency;"}]},{"id":"ra-3.d_obj","name":"objective","props":[{"name":"label","value":"RA-3(d)"}],"parts":[{"id":"ra-3.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(d)[1]"}],"prose":"defines personnel or roles to whom risk assessment results are to be disseminated;"},{"id":"ra-3.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(d)[2]"}],"prose":"disseminates risk assessment results to organization-defined personnel or roles;"}]},{"id":"ra-3.e_obj","name":"objective","props":[{"name":"label","value":"RA-3(e)"}],"parts":[{"id":"ra-3.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-3(e)[1]"}],"prose":"defines the frequency to update the risk assessment;"},{"id":"ra-3.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-3(e)[2]"}],"prose":"updates the risk assessment:","parts":[{"id":"ra-3.e_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-3.e_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][b]"}],"prose":"whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities); and"},{"id":"ra-3.e_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-3(e)[2][c]"}],"prose":"whenever there are other conditions that may impact the security state of the system."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nsecurity plan\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for risk assessment\n\nautomated mechanisms supporting and\/or for conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Scanning","params":[{"id":"ra-5_prm_1","label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-5_prm_2","label":"organization-defined response times"},{"id":"ra-5_prm_3","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"RA-5"},{"name":"sort-id","value":"ra-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#c4691b88-57d1-463b-9053-2d0087913f31","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"}],"parts":[{"id":"ra-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Scans for vulnerabilities in the information system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system\/applications are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyzes vulnerability scan reports and results from security control assessments;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediates legitimate vulnerabilities {{ insert: param, ra-5_prm_2 }} in accordance with an organizational assessment of risk; and"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Shares information obtained from the vulnerability scanning process and security control assessments with {{ insert: param, ra-5_prm_3 }} to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans. Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms. Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine\/test for the presence of vulnerabilities. Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"ra-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.a_obj","name":"objective","props":[{"name":"label","value":"RA-5(a)"}],"parts":[{"id":"ra-5.a_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(a)[1]"}],"parts":[{"id":"ra-5.a_obj.1.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][a]"}],"prose":"defines the frequency for conducting vulnerability scans on the information system and hosted applications; and\/or"},{"id":"ra-5.a_obj.1.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[1][b]"}],"prose":"defines the process for conducting random vulnerability scans on the information system and hosted applications;"}]},{"id":"ra-5.a_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(a)[2]"}],"prose":"in accordance with the organization-defined frequency and\/or organization-defined process for conducting random scans, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[2][b]"}],"prose":"hosted applications;"}]},{"id":"ra-5.a_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(a)[3]"}],"prose":"when new vulnerabilities potentially affecting the system\/applications are identified and reported, scans for vulnerabilities in:","parts":[{"id":"ra-5.a_obj.3.a","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][a]"}],"prose":"the information system;"},{"id":"ra-5.a_obj.3.b","name":"objective","props":[{"name":"label","value":"RA-5(a)[3][b]"}],"prose":"hosted applications;"}]}]},{"id":"ra-5.b_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)"}],"prose":"employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5.b.1_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)"}],"parts":[{"id":"ra-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[1]"}],"prose":"enumerating platforms;"},{"id":"ra-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[2]"}],"prose":"enumerating software flaws;"},{"id":"ra-5.b.1_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(b)(1)[3]"}],"prose":"enumerating improper configurations;"}]},{"id":"ra-5.b.2_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)"}],"parts":[{"id":"ra-5.b.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[1]"}],"prose":"formatting checklists;"},{"id":"ra-5.b.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(b)(2)[2]"}],"prose":"formatting test procedures;"}]},{"id":"ra-5.b.3_obj","name":"objective","props":[{"name":"label","value":"RA-5(b)(3)"}],"prose":"measuring vulnerability impact;"}]},{"id":"ra-5.c_obj","name":"objective","props":[{"name":"label","value":"RA-5(c)"}],"parts":[{"id":"ra-5.c_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(c)[1]"}],"prose":"analyzes vulnerability scan reports;"},{"id":"ra-5.c_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(c)[2]"}],"prose":"analyzes results from security control assessments;"}]},{"id":"ra-5.d_obj","name":"objective","props":[{"name":"label","value":"RA-5(d)"}],"parts":[{"id":"ra-5.d_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(d)[1]"}],"prose":"defines response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;"},{"id":"ra-5.d_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(d)[2]"}],"prose":"remediates legitimate vulnerabilities within the organization-defined response times in accordance with an organizational assessment of risk;"}]},{"id":"ra-5.e_obj","name":"objective","props":[{"name":"label","value":"RA-5(e)"}],"parts":[{"id":"ra-5.e_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(e)[1]"}],"prose":"defines personnel or roles with whom information obtained from the vulnerability scanning process and security control assessments is to be shared;"},{"id":"ra-5.e_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(e)[2]"}],"prose":"shares information obtained from the vulnerability scanning process with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies); and"},{"id":"ra-5.e_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(e)[3]"}],"prose":"shares information obtained from security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with risk assessment, security control assessment and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nautomated mechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"sort-id","value":"ra-05.01"}],"parts":[{"id":"ra-5.1_smt","name":"statement","prose":"The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"id":"ra-5.1_gdn","name":"guidance","prose":"The vulnerabilities to be scanned need to be readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This updating process helps to ensure that potential vulnerabilities in the information system are identified and addressed as quickly as possible.","links":[{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"ra-5.1_obj","name":"objective","prose":"Determine if the organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update by Frequency \/ Prior to New Scan \/ When Identified","params":[{"id":"ra-5.2_prm_1","select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-5.2_prm_2 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-5.2_prm_2","depends-on":"ra-5.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"sort-id","value":"ra-05.02"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"The organization updates the information system vulnerabilities scanned {{ insert: param, ra-5.2_prm_1 }}."},{"id":"ra-5.2_gdn","name":"guidance","links":[{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"}]},{"id":"ra-5.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"ra-5.2_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(2)[1]"}],"prose":"defines the frequency to update the information system vulnerabilities scanned;"},{"id":"ra-5.2_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(2)[2]"}],"prose":"updates the information system vulnerabilities scanned one or more of the following:","parts":[{"id":"ra-5.2_obj.2.a","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][a]"}],"prose":"with the organization-defined frequency;"},{"id":"ra-5.2_obj.2.b","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][b]"}],"prose":"prior to a new scan; and\/or"},{"id":"ra-5.2_obj.2.c","name":"objective","props":[{"name":"label","value":"RA-5(2)[2][c]"}],"prose":"when new vulnerabilities are identified and reported."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Procedures addressing vulnerability scanning\n\nsecurity plan\n\nsecurity assessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-5.5_prm_1","label":"organization-identified information system components"},{"id":"ra-5.5_prm_2","label":"organization-defined vulnerability scanning activities"}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"sort-id","value":"ra-05.05"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"The information system implements privileged access authorization to {{ insert: param, ra-5.5_prm_1 }} for selected {{ insert: param, ra-5.5_prm_2 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive or the information system component that is the subject of the scanning may contain highly sensitive information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and also protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"ra-5.5_obj.1","name":"objective","props":[{"name":"label","value":"RA-5(5)[1]"}],"prose":"the organization defines information system components to which privileged access is authorized for selected vulnerability scanning activities;"},{"id":"ra-5.5_obj.2","name":"objective","props":[{"name":"label","value":"RA-5(5)[2]"}],"prose":"the organization defines vulnerability scanning activities selected for privileged access authorization to organization-defined information system components; and"},{"id":"ra-5.5_obj.3","name":"objective","props":[{"name":"label","value":"RA-5(5)[3]"}],"prose":"the information system implements privileged access authorization to organization-defined information system components for selected organization-defined vulnerability scanning activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsecurity plan\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of information system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the information system\n\norganizational personnel responsible for configuration management of the information system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nautomated mechanisms supporting and\/or implementing access control\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"System and Services Acquisition Policy and Procedures","params":[{"id":"sa-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sa-1_prm_2","label":"organization-defined frequency"},{"id":"sa-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-1"},{"name":"sort-id","value":"sa-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sa-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sa-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and services acquisition policy {{ insert: param, sa-1_prm_2 }}; and"},{"id":"sa-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and services acquisition procedures {{ insert: param, sa-1_prm_3 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sa-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-1.a_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)"}],"parts":[{"id":"sa-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)"}],"parts":[{"id":"sa-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1]"}],"prose":"develops and documents a system and services acquisition policy that addresses:","parts":[{"id":"sa-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sa-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sa-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sa-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sa-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sa-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sa-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sa-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and services acquisition policy is to be disseminated;"},{"id":"sa-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(1)[3]"}],"prose":"disseminates the system and services acquisition policy to organization-defined personnel or roles;"}]},{"id":"sa-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)"}],"parts":[{"id":"sa-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls;"},{"id":"sa-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sa-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sa-1.b_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)"}],"parts":[{"id":"sa-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)"}],"parts":[{"id":"sa-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition policy;"},{"id":"sa-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(1)[2]"}],"prose":"reviews and updates the current system and services acquisition policy with the organization-defined frequency;"}]},{"id":"sa-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)"}],"parts":[{"id":"sa-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and services acquisition procedures; and"},{"id":"sa-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-1(b)(2)[2]"}],"prose":"reviews and updates the current system and services acquisition procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-2"},{"name":"sort-id","value":"sa-02"}],"links":[{"href":"#29fcfe59-33cd-494a-8756-5907ae3a8f92","rel":"reference"}],"parts":[{"id":"sa-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security includes funding for the initial information system or information system service acquisition and funding for the sustainment of the system\/service.","links":[{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"}]},{"id":"sa-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-2.a_obj","name":"objective","props":[{"name":"label","value":"SA-2(a)"}],"prose":"determines information security requirements for the information system or information system service in mission\/business process planning;"},{"id":"sa-2.b_obj","name":"objective","props":[{"name":"label","value":"SA-2(b)"}],"prose":"to protect the information system or information system service as part of its capital planning and investment control process:","parts":[{"id":"sa-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-2(b)[1]"}],"prose":"determines the resources required;"},{"id":"sa-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-2(b)[2]"}],"prose":"documents the resources required;"},{"id":"sa-2.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-2(b)[3]"}],"prose":"allocates the resources required; and"}]},{"id":"sa-2.c_obj","name":"objective","props":[{"name":"label","value":"SA-2(c)"}],"prose":"establishes a discrete line item for information security in organizational programming and budgeting documentation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the allocation of resources to information security requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with capital planning, investment control, organizational programming and budgeting responsibilities\n\norganizational personnel responsible for determining information security requirements for information systems\/services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information security requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nautomated mechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-3_prm_1","label":"organization-defined system development life cycle"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-3"},{"name":"sort-id","value":"sa-03"}],"links":[{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"}],"parts":[{"id":"sa-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manages the information system using {{ insert: param, sa-3_prm_1 }} that incorporates information security considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrates the organizational information security risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A well-defined system development life cycle provides the foundation for the successful development, implementation, and operation of organizational information systems. To apply the required security controls within the system development life cycle requires a basic understanding of information security, threats, vulnerabilities, adverse impacts, and risk to critical missions\/business functions. The security engineering principles in SA-8 cannot be properly applied if individuals that design, code, and test information systems and system components (including information technology products) do not understand security. Therefore, organizations include qualified personnel, for example, chief information security officers, security architects, security engineers, and information system security officers in system development life cycle activities to ensure that security requirements are incorporated into organizational information systems. It is equally important that developers include individuals on the development team that possess the requisite security expertise and skills to ensure that needed security capabilities are effectively integrated into the information system. Security awareness and training programs can help ensure that individuals having key security roles and responsibilities have the appropriate experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security requirements into enterprise architecture also helps to ensure that important security considerations are addressed early in the system development life cycle and that those considerations are directly related to the organizational mission\/business processes. This process also facilitates the integration of the information security architecture into the enterprise architecture, consistent with organizational risk management and information security strategies.","links":[{"href":"#at-3","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-8","rel":"related"}]},{"id":"sa-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-3.a_obj","name":"objective","props":[{"name":"label","value":"SA-3(a)"}],"parts":[{"id":"sa-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-3(a)[1]"}],"prose":"defines a system development life cycle that incorporates information security considerations to be used to manage the information system;"},{"id":"sa-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-3(a)[2]"}],"prose":"manages the information system using the organization-defined system development life cycle;"}]},{"id":"sa-3.b_obj","name":"objective","props":[{"name":"label","value":"SA-3(b)"}],"prose":"defines and documents information security roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3.c_obj","name":"objective","props":[{"name":"label","value":"SA-3(c)"}],"prose":"identifies individuals having information security roles and responsibilities; and"},{"id":"sa-3.d_obj","name":"objective","props":[{"name":"label","value":"SA-3(d)"}],"prose":"integrates the organizational information security risk management process into system development life cycle activities."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security into the system development life cycle process\n\ninformation system development life cycle documentation\n\ninformation security risk management strategy\/program documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with information security and system life cycle development responsibilities\n\norganizational personnel with information security risk management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining and documenting the SDLC\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational process for integrating information security risk management into the SDLC\n\nautomated mechanisms supporting and\/or implementing the SDLC"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-4"},{"name":"sort-id","value":"sa-04"}],"links":[{"href":"#ad733a42-a7ed-4774-b988-4930c28852f3","rel":"reference"},{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#c80c10b3-1294-4984-a4cc-d1733ca432b9","rel":"reference"},{"href":"#0a5db899-f033-467f-8631-f5a8ba971475","rel":"reference"},{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"},{"href":"#d818efd3-db31-4953-8afa-9e76afe83ce2","rel":"reference"},{"href":"#0a0c26b6-fd44-4274-8b36-93442d49d998","rel":"reference"},{"href":"#abd950ae-092f-4b7a-b374-1c7c67fe9350","rel":"reference"},{"href":"#84a37532-6db6-477b-9ea8-f9085ebca0fc","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"},{"href":"#56d671da-6b7b-4abf-8296-84b61980390a","rel":"reference"},{"href":"#c95a9986-3cd6-4a98-931b-ccfc56cb11e5","rel":"reference"},{"href":"#5ed1f4d5-1494-421b-97ed-39d3c88ab51f","rel":"reference"},{"href":"#bbd50dd1-54ce-4432-959d-63ea564b1bb4","rel":"reference"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Security strength requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Security-related documentation requirements;"},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Requirements for protecting security-related documentation;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Description of the information system development environment and environment in which the system is intended to operate; and"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA.","links":[{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-12","rel":"related"}]},{"id":"sa-4_obj","name":"objective","prose":"Determine if the organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contracts for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission\/business needs:","parts":[{"id":"sa-4.a_obj","name":"objective","props":[{"name":"label","value":"SA-4(a)"}],"prose":"security functional requirements;"},{"id":"sa-4.b_obj","name":"objective","props":[{"name":"label","value":"SA-4(b)"}],"prose":"security strength requirements;"},{"id":"sa-4.c_obj","name":"objective","props":[{"name":"label","value":"SA-4(c)"}],"prose":"security assurance requirements;"},{"id":"sa-4.d_obj","name":"objective","props":[{"name":"label","value":"SA-4(d)"}],"prose":"security-related documentation requirements;"},{"id":"sa-4.e_obj","name":"objective","props":[{"name":"label","value":"SA-4(e)"}],"prose":"requirements for protecting security-related documentation;"},{"id":"sa-4.f_obj","name":"objective","props":[{"name":"label","value":"SA-4(f)"}],"prose":"description of:","parts":[{"id":"sa-4.f_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(f)[1]"}],"prose":"the information system development environment;"},{"id":"sa-4.f_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(f)[2]"}],"prose":"the environment in which the system is intended to operate; and"}]},{"id":"sa-4.g_obj","name":"objective","props":[{"name":"label","value":"SA-4(g)"}],"prose":"acceptance criteria."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nacquisition contracts for the information system, system component, or information system service\n\ninformation system design documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional, strength, and assurance requirements\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"sort-id","value":"sa-04.01"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security controls describe the functionality (i.e., security capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.1_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security functional requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining information system security functional, requirements\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing acquisitions and inclusion of security requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design \/ Implementation Information for Security Controls","params":[{"id":"sa-4.2_prm_1","select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-4.2_prm_2 }} "]}},{"id":"sa-4.2_prm_2","depends-on":"sa-4.2_prm_1","label":"organization-defined design\/implementation information"},{"id":"sa-4.2_prm_3","label":"organization-defined level of detail"}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"sort-id","value":"sa-04.02"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: {{ insert: param, sa-4.2_prm_1 }} at {{ insert: param, sa-4.2_prm_3 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in design and implementation documentation for security controls employed in organizational information systems, system components, or information system services based on mission\/business requirements, requirements for trustworthiness\/resiliency, and requirements for analysis and testing. Information systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of multiple subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules with particular emphasis on software and firmware (but not excluding hardware) and the interfaces between modules providing security-relevant functionality. Source code and hardware schematics are typically referred to as the implementation representation of the information system.","links":[{"href":"#sa-5","rel":"related"}]},{"id":"sa-4.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-4.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(2)[1]"}],"prose":"defines level of detail that the developer is required to provide in design and implementation information for the security controls to be employed in the information system, system component, or information system service;"},{"id":"sa-4.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(2)[2]"}],"prose":"defines design\/implementation information that the developer is to provide for the security controls to be employed (if selected);"},{"id":"sa-4.2_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(2)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes, at the organization-defined level of detail, one or more of the following:","parts":[{"id":"sa-4.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][a]"}],"prose":"security-relevant external system interfaces;"},{"id":"sa-4.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][b]"}],"prose":"high-level design;"},{"id":"sa-4.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][c]"}],"prose":"low-level design;"},{"id":"sa-4.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][d]"}],"prose":"source code;"},{"id":"sa-4.2_obj.3.e","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][e]"}],"prose":"hardware schematics; and\/or"},{"id":"sa-4.2_obj.3.f","name":"objective","props":[{"name":"label","value":"SA-4(2)[3][f]"}],"prose":"organization-defined design\/implementation information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the information system, system components, or information system services\n\ndesign and implementation information for security controls employed in the information system, system component, or information system service\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\ninformation system developer or service provider\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for determining level of detail for system design and security controls\n\norganizational processes for developing acquisition contracts\n\nautomated mechanisms supporting and\/or implementing development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions \/ Ports \/ Protocols \/ Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"sort-id","value":"sa-04.09"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources.","links":[{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}]},{"id":"sa-4.9_obj","name":"objective","prose":"Determine if the organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle:","parts":[{"id":"sa-4.9_obj.1","name":"objective","props":[{"name":"label","value":"SA-4(9)[1]"}],"prose":"the functions intended for organizational use;"},{"id":"sa-4.9_obj.2","name":"objective","props":[{"name":"label","value":"SA-4(9)[2]"}],"prose":"the ports intended for organizational use;"},{"id":"sa-4.9_obj.3","name":"objective","props":[{"name":"label","value":"SA-4(9)[3]"}],"prose":"the protocols intended for organizational use; and"},{"id":"sa-4.9_obj.4","name":"objective","props":[{"name":"label","value":"SA-4(9)[4]"}],"prose":"the services intended for organizational use."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\ninformation system design documentation\n\ninformation system documentation including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for information systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice-level agreements\n\norganizational security requirements, descriptions, and criteria for developers of information systems, system components, and information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"sort-id","value":"sa-04.10"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"id":"sa-4.10_gdn","name":"guidance","links":[{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}]},{"id":"sa-4.10_obj","name":"objective","prose":"Determine if the organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of information security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the information system, system component, or information system service\n\nservice-level agreements\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with responsibility for ensuring only FIPS 201-approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"Information System Documentation","params":[{"id":"sa-5_prm_1","label":"organization-defined actions"},{"id":"sa-5_prm_2","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SA-5"},{"name":"sort-id","value":"sa-05"}],"parts":[{"id":"sa-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security functions\/mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security functions\/mechanisms and how to effectively use those security functions\/mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and takes {{ insert: param, sa-5_prm_1 }} in response;"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects documentation as required, in accordance with the risk management strategy; and"},{"id":"sa-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Distributes documentation to {{ insert: param, sa-5_prm_2 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"This control helps organizational personnel understand the implementation and operation of security controls associated with information systems, system components, and information system services. Organizations consider establishing specific measures to determine the quality\/completeness of the content provided. The inability to obtain needed documentation may occur, for example, due to the age of the information system\/component or lack of support from developers and contractors. In those situations, organizations may need to recreate selected documentation if such documentation is essential to the effective implementation or operation of security controls. The level of protection provided for selected information system, component, or service documentation is commensurate with the security category or classification of the system. For example, documentation associated with a key DoD weapons system or command and control system would typically require a higher level of protection than a routine administrative system. Documentation that addresses information system vulnerabilities may also require an increased level of protection. Secure operation of the information system, includes, for example, initially starting the system and resuming secure system operation after any lapse in system operation.","links":[{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"}]},{"id":"sa-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-5.a_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)"}],"prose":"obtains administrator documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.a.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)"}],"parts":[{"id":"sa-5.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[1]"}],"prose":"secure configuration of the system, system component, or service;"},{"id":"sa-5.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[2]"}],"prose":"secure installation of the system, system component, or service;"},{"id":"sa-5.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(a)(1)[3]"}],"prose":"secure operation of the system, system component, or service;"}]},{"id":"sa-5.a.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)"}],"parts":[{"id":"sa-5.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[1]"}],"prose":"effective use of the security features\/mechanisms;"},{"id":"sa-5.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(a)(2)[2]"}],"prose":"effective maintenance of the security features\/mechanisms;"}]},{"id":"sa-5.a.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(a)(3)"}],"prose":"known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;"}]},{"id":"sa-5.b_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)"}],"prose":"obtains user documentation for the information system, system component, or information system service that describes:","parts":[{"id":"sa-5.b.1_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)"}],"parts":[{"id":"sa-5.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[1]"}],"prose":"user-accessible security functions\/mechanisms;"},{"id":"sa-5.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(b)(1)[2]"}],"prose":"how to effectively use those functions\/mechanisms;"}]},{"id":"sa-5.b.2_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(2)"}],"prose":"methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner;"},{"id":"sa-5.b.3_obj","name":"objective","props":[{"name":"label","value":"SA-5(b)(3)"}],"prose":"user responsibilities in maintaining the security of the system, component, or service;"}]},{"id":"sa-5.c_obj","name":"objective","props":[{"name":"label","value":"SA-5(c)"}],"parts":[{"id":"sa-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(c)[1]"}],"prose":"defines actions to be taken after documented attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(c)[2]"}],"prose":"documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent;"},{"id":"sa-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SA-5(c)[3]"}],"prose":"takes organization-defined actions in response;"}]},{"id":"sa-5.d_obj","name":"objective","props":[{"name":"label","value":"SA-5(d)"}],"prose":"protects documentation as required, in accordance with the risk management strategy;"},{"id":"sa-5.e_obj","name":"objective","props":[{"name":"label","value":"SA-5(e)"}],"parts":[{"id":"sa-5.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-5(e)[1]"}],"prose":"defines personnel or roles to whom documentation is to be distributed; and"},{"id":"sa-5.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-5(e)[2]"}],"prose":"distributes documentation to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing information system documentation\n\ninformation system documentation including administrator and user guides\n\nrecords documenting attempts to obtain unavailable or nonexistent information system documentation\n\nlist of actions to be taken in response to documented attempts to obtain information system, system component, or information system service documentation\n\nrisk management strategy documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\nsystem administrators\n\norganizational personnel operating, using, and\/or maintaining the information system\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for obtaining, protecting, and distributing information system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security Engineering Principles","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-8"},{"name":"sort-id","value":"sa-08"}],"links":[{"href":"#21b1ed35-56d2-40a8-bdfe-b461fffe322f","rel":"reference"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system."},{"id":"sa-8_gdn","name":"guidance","prose":"Organizations apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example: (i) developing layered protections; (ii) establishing sound security policy, architecture, and controls as the foundation for design; (iii) incorporating security requirements into the system development life cycle; (iv) delineating physical and logical security boundaries; (v) ensuring that system developers are trained on how to build secure software; (vi) tailoring security controls to meet organizational and operational needs; (vii) performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and (viii) reducing risk to acceptable levels, thus enabling informed risk management decisions.","links":[{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sa-8_obj","name":"objective","prose":"Determine if the organization applies information system security engineering principles in:","parts":[{"id":"sa-8_obj.1","name":"objective","props":[{"name":"label","value":"SA-8[1]"}],"prose":"the specification of the information system;"},{"id":"sa-8_obj.2","name":"objective","props":[{"name":"label","value":"SA-8[2]"}],"prose":"the design of the information system;"},{"id":"sa-8_obj.3","name":"objective","props":[{"name":"label","value":"SA-8[3]"}],"prose":"the development of the information system;"},{"id":"sa-8_obj.4","name":"objective","props":[{"name":"label","value":"SA-8[4]"}],"prose":"the implementation of the information system; and"},{"id":"sa-8_obj.5","name":"objective","props":[{"name":"label","value":"SA-8[5]"}],"prose":"the modification of the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the information system\n\ninformation system design documentation\n\ninformation security requirements and specifications for the information system\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with responsibility for determining information system security requirements\n\norganizational personnel with information system specification, design, development, implementation, and modification responsibilities\n\ninformation system developers\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for applying security engineering principles in information system specification, design, development, implementation, and modification\n\nautomated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External Information System Services","params":[{"id":"sa-9_prm_1","label":"organization-defined security controls"},{"id":"sa-9_prm_2","label":"organization-defined processes, methods, and techniques"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-9"},{"name":"sort-id","value":"sa-09"}],"links":[{"href":"#0c775bc3-bfc3-42c7-a382-88949f503171","rel":"reference"}],"parts":[{"id":"sa-9_smt","name":"statement","prose":"The organization:","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Requires that providers of external information system services comply with organizational information security requirements and employ {{ insert: param, sa-9_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs {{ insert: param, sa-9_prm_2 }} to monitor security control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.","links":[{"href":"#ca-3","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ps-7","rel":"related"}]},{"id":"sa-9_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.a_obj","name":"objective","props":[{"name":"label","value":"SA-9(a)"}],"parts":[{"id":"sa-9.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(a)[1]"}],"prose":"defines security controls to be employed by providers of external information system services;"},{"id":"sa-9.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(a)[2]"}],"prose":"requires that providers of external information system services comply with organizational information security requirements;"},{"id":"sa-9.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-9(a)[3]"}],"prose":"requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;"}]},{"id":"sa-9.b_obj","name":"objective","props":[{"name":"label","value":"SA-9(b)"}],"parts":[{"id":"sa-9.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(b)[1]"}],"prose":"defines and documents government oversight with regard to external information system services;"},{"id":"sa-9.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(b)[2]"}],"prose":"defines and documents user roles and responsibilities with regard to external information system services;"}]},{"id":"sa-9.c_obj","name":"objective","props":[{"name":"label","value":"SA-9(c)"}],"parts":[{"id":"sa-9.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(c)[1]"}],"prose":"defines processes, methods, and techniques to be employed to monitor security control compliance by external service providers; and"},{"id":"sa-9.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(c)[2]"}],"prose":"employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nprocedures addressing methods and techniques for monitoring security control compliance by external service providers of information system services\n\nacquisition contracts, service-level agreements\n\norganizational security requirements and security specifications for external provider services\n\nsecurity control assessment evidence from external providers of information system services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\nexternal providers of information system services\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring security control compliance by external service providers on an ongoing basis\n\nautomated mechanisms for monitoring security control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions \/ Ports \/ Protocols \/ Services","params":[{"id":"sa-9.2_prm_1","label":"organization-defined external information system services"}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"sort-id","value":"sa-09.02"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"The organization requires providers of {{ insert: param, sa-9.2_prm_1 }} to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be particularly useful when the need arises to understand the trade-offs involved in restricting certain functions\/services or blocking certain ports\/protocols.","links":[{"href":"#cm-7","rel":"related"}]},{"id":"sa-9.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-9.2_obj.1","name":"objective","props":[{"name":"label","value":"SA-9(2)[1]"}],"prose":"defines external information system services for which providers of such services are to identify the functions, ports, protocols, and other services required for the use of such services;"},{"id":"sa-9.2_obj.2","name":"objective","props":[{"name":"label","value":"SA-9(2)[2]"}],"prose":"requires providers of organization-defined external information system services to identify:","parts":[{"id":"sa-9.2_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][a]"}],"prose":"the functions required for the use of such services;"},{"id":"sa-9.2_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][b]"}],"prose":"the ports required for the use of such services;"},{"id":"sa-9.2_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][c]"}],"prose":"the protocols required for the use of such services; and"},{"id":"sa-9.2_obj.2.d","name":"objective","props":[{"name":"label","value":"SA-9(2)[2][d]"}],"prose":"the other services required for the use of such services."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing external information system services\n\nacquisition contracts for the information system, system component, or information system service\n\nacquisition documentation\n\nsolicitation documentation, service-level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of information system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_prm_1","select":{"how-many":"one-or-more","choice":["design","development","implementation","operation"]}},{"id":"sa-10_prm_2","label":"organization-defined configuration items under configuration management"},{"id":"sa-10_prm_3","label":"organization-defined personnel"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-10"},{"name":"sort-id","value":"sa-10"}],"links":[{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_prm_1 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_prm_2 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_prm_3 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"This control also applies to organizations conducting internal information systems development and integration. Organizations consider the quality and completeness of the configuration management activities conducted by developers as evidence of applying effective security safeguards. Safeguards include, for example, protecting from unauthorized modification or destruction, the master copies of all material used to generate security-relevant portions of the system hardware, software, and firmware. Maintaining the integrity of changes to the information system, information system component, or information system service requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes. Configuration items that are placed under configuration management (if existence\/use is required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and software\/firmware source code with previous versions; and test fixtures and documentation. Depending on the mission\/business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance phases of the life cycle.","links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-10_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-10.a_obj","name":"objective","props":[{"name":"label","value":"SA-10(a)"}],"prose":"requires the developer of the information system, system component, or information system service to perform configuration management during one or more of the following:","parts":[{"id":"sa-10.a_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(a)[1]"}],"prose":"system, component, or service design;"},{"id":"sa-10.a_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(a)[2]"}],"prose":"system, component, or service development;"},{"id":"sa-10.a_obj.3","name":"objective","props":[{"name":"label","value":"SA-10(a)[3]"}],"prose":"system, component, or service implementation; and\/or"},{"id":"sa-10.a_obj.4","name":"objective","props":[{"name":"label","value":"SA-10(a)[4]"}],"prose":"system, component, or service operation;"}]},{"id":"sa-10.b_obj","name":"objective","props":[{"name":"label","value":"SA-10(b)"}],"parts":[{"id":"sa-10.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(b)[1]"}],"prose":"defines configuration items to be placed under configuration management;"},{"id":"sa-10.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(b)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.b_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][a]"}],"prose":"document the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][b]"}],"prose":"manage the integrity of changes to organization-defined items under configuration management;"},{"id":"sa-10.b_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(b)[2][c]"}],"prose":"control the integrity of changes to organization-defined items under configuration management;"}]}]},{"id":"sa-10.c_obj","name":"objective","props":[{"name":"label","value":"SA-10(c)"}],"prose":"requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10.d_obj","name":"objective","props":[{"name":"label","value":"SA-10(d)"}],"prose":"requires the developer of the information system, system component, or information system service to document:","parts":[{"id":"sa-10.d_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(d)[1]"}],"prose":"approved changes to the system, component, or service;"},{"id":"sa-10.d_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(d)[2]"}],"prose":"the potential security impacts of such changes;"}]},{"id":"sa-10.e_obj","name":"objective","props":[{"name":"label","value":"SA-10(e)"}],"parts":[{"id":"sa-10.e_obj.1","name":"objective","props":[{"name":"label","value":"SA-10(e)[1]"}],"prose":"defines personnel to whom findings, resulting from security flaws and flaw resolution tracked within the system, component, or service, are to be reported;"},{"id":"sa-10.e_obj.2","name":"objective","props":[{"name":"label","value":"SA-10(e)[2]"}],"prose":"requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-10.e_obj.2.a","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][a]"}],"prose":"track security flaws within the system, component, or service;"},{"id":"sa-10.e_obj.2.b","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][b]"}],"prose":"track security flaw resolution within the system, component, or service; and"},{"id":"sa-10.e_obj.2.c","name":"objective","props":[{"name":"label","value":"SA-10(e)[2][c]"}],"prose":"report findings to organization-defined personnel."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer configuration management\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Security Testing and Evaluation","params":[{"id":"sa-11_prm_1","select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_prm_2","label":"organization-defined depth and coverage"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SA-11"},{"name":"sort-id","value":"sa-11"}],"links":[{"href":"#1737a687-52fb-4008-b900-cbfa836f7b65","rel":"reference"},{"href":"#cd4cf751-3312-4a55-b1a9-fad2f1db9119","rel":"reference"},{"href":"#275cc052-0f7f-423c-bdb6-ed503dc36228","rel":"reference"},{"href":"#15522e92-9192-463d-9646-6a01982db8ca","rel":"reference"},{"href":"#0931209f-00ae-4132-b92c-bc645847e8f9","rel":"reference"},{"href":"#4ef539ba-b767-4666-b0d3-168c53005fa3","rel":"reference"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"The organization requires the developer of the information system, system component, or information system service to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Create and implement a security assessment plan;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_prm_1 }} testing\/evaluation at {{ insert: param, sa-11_prm_2 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the security assessment plan and the results of the security testing\/evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during security testing\/evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental security testing\/evaluation occurs at all post-design phases of the system development life cycle. Such testing\/evaluation confirms that the required security controls are implemented correctly, operating as intended, enforcing the desired security policy, and meeting established security requirements. Security properties of information systems may be affected by the interconnection of system components or changes to those components. These interconnections or changes (e.g., upgrading or replacing applications and operating systems) may adversely affect previously implemented security controls. This control provides additional types of security testing\/evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews. Security assessment plans provide the specific activities that developers plan to carry out including the types of analyses, testing, evaluation, and reviews of software and firmware components, the degree of rigor to be applied, and the types of artifacts produced during those processes. The depth of security testing\/evaluation refers to the rigor and level of detail associated with the assessment process (e.g., black box, gray box, or white box testing). The coverage of security testing\/evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security assessment plans, flaw remediation processes, and the evidence that the plans\/processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the information system. Contracts may specify documentation protection requirements.","links":[{"href":"#ca-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"}]},{"id":"sa-11_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sa-11.a_obj","name":"objective","props":[{"name":"label","value":"SA-11(a)"}],"prose":"requires the developer of the information system, system component, or information system service to create and implement a security plan;"},{"id":"sa-11.b_obj","name":"objective","props":[{"name":"label","value":"SA-11(b)"}],"parts":[{"id":"sa-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(b)[1]"}],"prose":"defines the depth of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(b)[2]"}],"prose":"defines the coverage of testing\/evaluation to be performed by the developer of the information system, system component, or information system service;"},{"id":"sa-11.b_obj.3","name":"objective","props":[{"name":"label","value":"SA-11(b)[3]"}],"prose":"requires the developer of the information system, system component, or information system service to perform one or more of the following testing\/evaluation at the organization-defined depth and coverage:","parts":[{"id":"sa-11.b_obj.3.a","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][a]"}],"prose":"unit testing\/evaluation;"},{"id":"sa-11.b_obj.3.b","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][b]"}],"prose":"integration testing\/evaluation;"},{"id":"sa-11.b_obj.3.c","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][c]"}],"prose":"system testing\/evaluation; and\/or"},{"id":"sa-11.b_obj.3.d","name":"objective","props":[{"name":"label","value":"SA-11(b)[3][d]"}],"prose":"regression testing\/evaluation;"}]}]},{"id":"sa-11.c_obj","name":"objective","props":[{"name":"label","value":"SA-11(c)"}],"prose":"requires the developer of the information system, system component, or information system service to produce evidence of:","parts":[{"id":"sa-11.c_obj.1","name":"objective","props":[{"name":"label","value":"SA-11(c)[1]"}],"prose":"the execution of the security assessment plan;"},{"id":"sa-11.c_obj.2","name":"objective","props":[{"name":"label","value":"SA-11(c)[2]"}],"prose":"the results of the security testing\/evaluation;"}]},{"id":"sa-11.d_obj","name":"objective","props":[{"name":"label","value":"SA-11(d)"}],"prose":"requires the developer of the information system, system component, or information system service to implement a verifiable flaw remediation process; and"},{"id":"sa-11.e_obj","name":"objective","props":[{"name":"label","value":"SA-11(e)"}],"prose":"requires the developer of the information system, system component, or information system service to correct flaws identified during security testing\/evaluation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice-level agreements\n\nacquisition contracts for the information system, system component, or information system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the information system, system component, or information system service\n\nsecurity flaw and remediation tracking records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nautomated mechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"System and Communications Protection Policy and Procedures","params":[{"id":"sc-1_prm_1","label":"organization-defined personnel or roles"},{"id":"sc-1_prm_2","label":"organization-defined frequency"},{"id":"sc-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-1"},{"name":"sort-id","value":"sc-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"sc-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"sc-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and communications protection policy {{ insert: param, sc-1_prm_2 }}; and"},{"id":"sc-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and communications protection procedures {{ insert: param, sc-1_prm_3 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"sc-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-1.a_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)"}],"parts":[{"id":"sc-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)"}],"parts":[{"id":"sc-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1]"}],"prose":"develops and documents a system and communications protection policy that addresses:","parts":[{"id":"sc-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"sc-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"sc-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"sc-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"sc-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"sc-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"sc-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"sc-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and communications protection policy is to be disseminated;"},{"id":"sc-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(1)[3]"}],"prose":"disseminates the system and communications protection policy to organization-defined personnel or roles;"}]},{"id":"sc-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)"}],"parts":[{"id":"sc-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls;"},{"id":"sc-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"sc-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SC-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"sc-1.b_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)"}],"parts":[{"id":"sc-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)"}],"parts":[{"id":"sc-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection policy;"},{"id":"sc-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(1)[2]"}],"prose":"reviews and updates the current system and communications protection policy with the organization-defined frequency;"}]},{"id":"sc-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)"}],"parts":[{"id":"sc-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and communications protection procedures; and"},{"id":"sc-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SC-1(b)(2)[2]"}],"prose":"reviews and updates the current system and communications protection procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Application Partitioning","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-2"},{"name":"sort-id","value":"sc-02"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"The information system separates user functionality (including user interface services) from information system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.","links":[{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-2_obj","name":"objective","prose":"Determine if the information system separates user functionality (including user interface services) from information system management functionality."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Separation of user functionality from information system management functionality"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared Resources","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-4"},{"name":"sort-id","value":"sc-04"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"The information system prevents unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"This control prevents information, including encrypted representations of information, produced by the actions of prior users\/roles (or the actions of processes acting on behalf of prior users\/roles) from being available to any current users\/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and\/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users\/roles.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#mp-6","rel":"related"}]},{"id":"sc-4_obj","name":"objective","prose":"Determine if the information system prevents unauthorized and unintended information transfer via shared system resources."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms preventing unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial of Service Protection","params":[{"id":"sc-5_prm_1","label":"organization-defined types of denial of service attacks or references to sources for such information"},{"id":"sc-5_prm_2","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-5"},{"name":"sort-id","value":"sc-05"}],"parts":[{"id":"sc-5_smt","name":"statement","prose":"The information system protects against or limits the effects of the following types of denial of service attacks: {{ insert: param, sc-5_prm_1 }} by employing {{ insert: param, sc-5_prm_2 }}."},{"id":"sc-5_gdn","name":"guidance","prose":"A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.","links":[{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"}]},{"id":"sc-5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-5_obj.1","name":"objective","props":[{"name":"label","value":"SC-5[1]"}],"prose":"the organization defines types of denial of service attacks or reference to source of such information for the information system to protect against or limit the effects;"},{"id":"sc-5_obj.2","name":"objective","props":[{"name":"label","value":"SC-5[2]"}],"prose":"the organization defines security safeguards to be employed by the information system to protect against or limit the effects of organization-defined types of denial of service attacks; and"},{"id":"sc-5_obj.3","name":"objective","props":[{"name":"label","value":"SC-5[3]"}],"prose":"the information system protects against or limits the effects of the organization-defined denial or service attacks (or reference to source for such information) by employing organization-defined security safeguards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing denial of service protection\n\ninformation system design documentation\n\nsecurity plan\n\nlist of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial of service attacks\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms protecting against or limiting the effects of denial of service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-7_prm_1","select":{"choice":["physically","logically"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-7"},{"name":"sort-id","value":"sc-07"}],"links":[{"href":"#e85cdb3f-7f0a-4083-8639-f13f70d3760b","rel":"reference"},{"href":"#756a8e86-57d5-4701-8382-f7a40439665a","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"}],"parts":[{"id":"sc-7_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implements subnetworks for publicly accessible system components that are {{ insert: param, sc-7_prm_1 }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.","links":[{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-13","rel":"related"}]},{"id":"sc-7_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-7.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(a)"}],"parts":[{"id":"sc-7.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(a)[1]"}],"prose":"monitors communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(a)[2]"}],"prose":"monitors communications at key internal boundaries within the system;"},{"id":"sc-7.a_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(a)[3]"}],"prose":"controls communications at the external boundary of the information system;"},{"id":"sc-7.a_obj.4","name":"objective","props":[{"name":"label","value":"SC-7(a)[4]"}],"prose":"controls communications at key internal boundaries within the system;"}]},{"id":"sc-7.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(b)"}],"prose":"implements subnetworks for publicly accessible system components that are either:","parts":[{"id":"sc-7.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(b)[1]"}],"prose":"physically separated from internal organizational networks; and\/or"},{"id":"sc-7.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(b)[2]"}],"prose":"logically separated from internal organizational networks; and"}]},{"id":"sc-7.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(c)"}],"prose":"connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the information system\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system configuration settings and associated documentation\n\nenterprise security architecture documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"sort-id","value":"sc-07.03"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"The organization limits the number of external network connections to the information system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections."},{"id":"sc-7.3_obj","name":"objective","prose":"Determine if the organization limits the number of external network connections to the information system."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms limiting the number of external network connections to the information system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-7.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"sort-id","value":"sc-07.04"}],"parts":[{"id":"sc-7.4_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implements a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establishes a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protects the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Documents each exception to the traffic flow policy with a supporting mission\/business need and duration of that need; and"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Reviews exceptions to the traffic flow policy {{ insert: param, sc-7.4_prm_1 }} and removes exceptions that are no longer supported by an explicit mission\/business need."}]},{"id":"sc-7.4_gdn","name":"guidance","links":[{"href":"#sc-8","rel":"related"}]},{"id":"sc-7.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-7.4.a_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(a)"}],"prose":"implements a managed interface for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"corresp"}]},{"id":"sc-7.4.b_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(b)"}],"prose":"establishes a traffic flow policy for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"corresp"}]},{"id":"sc-7.4.c_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(c)"}],"prose":"protects the confidentiality and integrity of the information being transmitted across each interface;","links":[{"href":"#sc-7.4_smt.c","rel":"corresp"}]},{"id":"sc-7.4.d_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)"}],"prose":"documents each exception to the traffic flow policy with:","parts":[{"id":"sc-7.4.d_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[1]"}],"prose":"a supporting mission\/business need;"},{"id":"sc-7.4.d_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(d)[2]"}],"prose":"duration of that need;"}],"links":[{"href":"#sc-7.4_smt.d","rel":"corresp"}]},{"id":"sc-7.4.e_obj","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)"}],"parts":[{"id":"sc-7.4.e_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[1]"}],"prose":"defines a frequency to review exceptions to traffic flow policy;"},{"id":"sc-7.4.e_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[2]"}],"prose":"reviews exceptions to the traffic flow policy with the organization-defined frequency; and"},{"id":"sc-7.4.e_obj.3","name":"objective","props":[{"name":"label","value":"SC-7(4)(e)[3]"}],"prose":"removes traffic flow policy exceptions that are no longer supported by an explicit mission\/business need"}],"links":[{"href":"#sc-7.4_smt.e","rel":"corresp"}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\ninformation system security architecture\n\ninformation system design documentation\n\nboundary protection hardware and software\n\ninformation system architecture and configuration documentation\n\ninformation system configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nautomated mechanisms implementing boundary protection capability\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default \/ Allow by Exception","props":[{"name":"label","value":"SC-7(5)"},{"name":"sort-id","value":"sc-07.05"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."},{"id":"sc-7.5_gdn","name":"guidance","prose":"This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed."},{"id":"sc-7.5_obj","name":"objective","prose":"Determine if the information system, at managed interfaces:","parts":[{"id":"sc-7.5_obj.1","name":"objective","props":[{"name":"label","value":"SC-7(5)[1]"}],"prose":"denies network traffic by default; and"},{"id":"sc-7.5_obj.2","name":"objective","props":[{"name":"label","value":"SC-7(5)[2]"}],"prose":"allows network traffic by exception."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Prevent Split Tunneling for Remote Devices","props":[{"name":"label","value":"SC-7(7)"},{"name":"sort-id","value":"sc-07.07"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"id":"sc-7.7_gdn","name":"guidance","prose":"This control enhancement is implemented within remote devices (e.g., notebook computers) through configuration settings to disable split tunneling in those devices, and by preventing those configuration settings from being readily configurable by users. This control enhancement is implemented within the information system by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. Split tunneling might be desirable by remote users to communicate with local information system resources such as printers\/file servers. However, split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling."},{"id":"sc-7.7_obj","name":"objective","prose":"Determine if the information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\ninformation system design documentation\n\ninformation system hardware and software\n\ninformation system architecture\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms implementing boundary protection capability\n\nautomated mechanisms supporting\/restricting non-remote connections"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-8_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-8"},{"name":"sort-id","value":"sc-08"}],"links":[{"href":"#d715b234-9b5b-4e07-b1ed-99836727664d","rel":"reference"},{"href":"#f2dbd4ec-c413-4714-b85b-6b7184d1c195","rel":"reference"},{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"},{"href":"#349fe082-502d-464a-aa0c-1443c6a5cf40","rel":"reference"},{"href":"#a4aa9645-9a8a-4b51-90a9-e223250f9a75","rel":"reference"},{"href":"#06dff0ea-3848-4945-8d91-e955ee69f05d","rel":"reference"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-8_prm_1 }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and\/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality\/integrity. In such situations, organizations determine what types of confidentiality\/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.","links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-4","rel":"related"}]},{"id":"sc-8_obj","name":"objective","prose":"Determine if the information system protects one or more of the following:","parts":[{"id":"sc-8_obj.1","name":"objective","props":[{"name":"label","value":"SC-8[1]"}],"prose":"confidentiality of transmitted information; and\/or"},{"id":"sc-8_obj.2","name":"objective","props":[{"name":"label","value":"SC-8[2]"}],"prose":"integrity of transmitted information."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic or Alternate Physical Protection","params":[{"id":"sc-8.1_prm_1","select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}},{"id":"sc-8.1_prm_2","label":"organization-defined alternative physical safeguards"}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"sort-id","value":"sc-08.01"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"The information system implements cryptographic mechanisms to {{ insert: param, sc-8.1_prm_1 }} during transmission unless otherwise protected by {{ insert: param, sc-8.1_prm_2 }}."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems.","links":[{"href":"#sc-13","rel":"related"}]},{"id":"sc-8.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-8.1_obj.1","name":"objective","props":[{"name":"label","value":"SC-8(1)[1]"}],"prose":"the organization defines physical safeguards to be implemented to protect information during transmission when cryptographic mechanisms are not implemented; and"},{"id":"sc-8.1_obj.2","name":"objective","props":[{"name":"label","value":"SC-8(1)[2]"}],"prose":"the information system implements cryptographic mechanisms to do one or more of the following during transmission unless otherwise protected by organization-defined alternative physical safeguards:","parts":[{"id":"sc-8.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][a]"}],"prose":"prevent unauthorized disclosure of information; and\/or"},{"id":"sc-8.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-8(1)[2][b]"}],"prose":"detect changes to information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nautomated mechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-10"},{"name":"sort-id","value":"sc-10"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"The information system terminates the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_prm_1 }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"This control applies to both internal and external networks. Terminating network connections associated with communications sessions include, for example, de-allocating associated TCP\/IP address\/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of inactivity may be established by organizations and include, for example, time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-10_obj.1","name":"objective","props":[{"name":"label","value":"SC-10[1]"}],"prose":"the organization defines a time period of inactivity after which the information system terminates a network connection associated with a communications session; and"},{"id":"sc-10_obj.2","name":"objective","props":[{"name":"label","value":"SC-10[2]"}],"prose":"the information system terminates the network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\ninformation system design documentation\n\nsecurity plan\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_prm_1","label":"organization-defined requirements for key generation, distribution, storage, access, and destruction"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-12"},{"name":"sort-id","value":"sc-12"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with {{ insert: param, sc-12_prm_1 }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.","links":[{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"}]},{"id":"sc-12_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-12_obj.1","name":"objective","props":[{"name":"label","value":"SC-12[1]"}],"prose":"defines requirements for cryptographic key:","parts":[{"id":"sc-12_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-12[1][a]"}],"prose":"generation;"},{"id":"sc-12_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-12[1][b]"}],"prose":"distribution;"},{"id":"sc-12_obj.1.c","name":"objective","props":[{"name":"label","value":"SC-12[1][c]"}],"prose":"storage;"},{"id":"sc-12_obj.1.d","name":"objective","props":[{"name":"label","value":"SC-12[1][d]"}],"prose":"access;"},{"id":"sc-12_obj.1.e","name":"objective","props":[{"name":"label","value":"SC-12[1][e]"}],"prose":"destruction; and"}]},{"id":"sc-12_obj.2","name":"objective","props":[{"name":"label","value":"SC-12[2]"}],"prose":"establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key generation, distribution, storage, access, and destruction."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\ninformation system design documentation\n\ncryptographic mechanisms\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_prm_1","label":"organization-defined cryptographic uses and type of cryptography required for each use"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-13"},{"name":"sort-id","value":"sc-13"}],"links":[{"href":"#39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","rel":"reference"},{"href":"#6a1041fc-054e-4230-946b-2e6f4f3731bb","rel":"reference"},{"href":"#9b97ed27-3dd6-4f9a-ade5-1b43e9669794","rel":"reference"}],"parts":[{"id":"sc-13_smt","name":"statement","prose":"The information system implements {{ insert: param, sc-13_prm_1 }} in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography).","links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-13_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-13_obj.1","name":"objective","props":[{"name":"label","value":"SC-13[1]"}],"prose":"the organization defines cryptographic uses; and"},{"id":"sc-13_obj.2","name":"objective","props":[{"name":"label","value":"SC-13[2]"}],"prose":"the organization defines the type of cryptography required for each use; and"},{"id":"sc-13_obj.3","name":"objective","props":[{"name":"label","value":"SC-13[3]"}],"prose":"the information system implements the organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS validated cryptographic modules\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices","params":[{"id":"sc-15_prm_1","label":"organization-defined exceptions where remote activation is to be allowed"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-15"},{"name":"sort-id","value":"sc-15"}],"parts":[{"id":"sc-15_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibits remote activation of collaborative computing devices with the following exceptions: {{ insert: param, sc-15_prm_1 }}; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated.","links":[{"href":"#ac-21","rel":"related"}]},{"id":"sc-15_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-15.a_obj","name":"objective","props":[{"name":"label","value":"SC-15(a)"}],"parts":[{"id":"sc-15.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-15(a)[1]"}],"prose":"the organization defines exceptions where remote activation of collaborative computing devices is to be allowed;"},{"id":"sc-15.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-15(a)[2]"}],"prose":"the information system prohibits remote activation of collaborative computing devices, except for organization-defined exceptions where remote activation is to be allowed; and"}]},{"id":"sc-15.b_obj","name":"objective","props":[{"name":"label","value":"SC-15(b)"}],"prose":"the information system provides an explicit indication of use to users physically present at the devices."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing management of remote activation of collaborative computing devices\n\nautomated mechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_prm_1","label":"organization-defined certificate policy"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-17"},{"name":"sort-id","value":"sc-17"}],"links":[{"href":"#58ad6f27-af99-429f-86a8-8bb767b014b9","rel":"reference"},{"href":"#8f174e91-844e-4cf1-a72a-45c119a3a8dd","rel":"reference"},{"href":"#644f44a9-a2de-4494-9c04-cd37fba45471","rel":"reference"}],"parts":[{"id":"sc-17_smt","name":"statement","prose":"The organization issues public key certificates under an {{ insert: param, sc-17_prm_1 }} or obtains public key certificates from an approved service provider."},{"id":"sc-17_gdn","name":"guidance","prose":"For all certificates, organizations manage information system trust stores to ensure only approved trust anchors are in the trust stores. This control addresses both certificates with visibility external to organizational information systems and certificates related to the internal operations of systems, for example, application-specific time services.","links":[{"href":"#sc-12","rel":"related"}]},{"id":"sc-17_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-17_obj.1","name":"objective","props":[{"name":"label","value":"SC-17[1]"}],"prose":"defines a certificate policy for issuing public key certificates;"},{"id":"sc-17_obj.2","name":"objective","props":[{"name":"label","value":"SC-17[2]"}],"prose":"issues public key certificates:","parts":[{"id":"sc-17_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-17[2][a]"}],"prose":"under an organization-defined certificate policy: or"},{"id":"sc-17_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-17[2][b]"}],"prose":"obtains public key certificates from an approved service provider."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SC-18"},{"name":"sort-id","value":"sc-18"}],"links":[{"href":"#e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","rel":"reference"},{"href":"#e6522953-6714-435d-a0d3-140df554c186","rel":"reference"}],"parts":[{"id":"sc-18_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorizes, monitors, and controls the use of mobile code within the information system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Decisions regarding the employment of mobile code within organizational information systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include, for example, Java, JavaScript, ActiveX, Postscript, PDF, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices (e.g., smart phones). Mobile code policy and procedures address preventing the development, acquisition, or introduction of unacceptable mobile code within organizational information systems.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"sc-18_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-18.a_obj","name":"objective","props":[{"name":"label","value":"SC-18(a)"}],"prose":"defines acceptable and unacceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj","name":"objective","props":[{"name":"label","value":"SC-18(b)"}],"parts":[{"id":"sc-18.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(b)[1]"}],"prose":"establishes usage restrictions for acceptable mobile code and mobile code technologies;"},{"id":"sc-18.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(b)[2]"}],"prose":"establishes implementation guidance for acceptable mobile code and mobile code technologies;"}]},{"id":"sc-18.c_obj","name":"objective","props":[{"name":"label","value":"SC-18(c)"}],"parts":[{"id":"sc-18.c_obj.1","name":"objective","props":[{"name":"label","value":"SC-18(c)[1]"}],"prose":"authorizes the use of mobile code within the information system;"},{"id":"sc-18.c_obj.2","name":"objective","props":[{"name":"label","value":"SC-18(c)[2]"}],"prose":"monitors the use of mobile code within the information system; and"},{"id":"sc-18.c_obj.3","name":"objective","props":[{"name":"label","value":"SC-18(c)[3]"}],"prose":"controls the use of mobile code within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions, mobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for controlling, authorizing, monitoring, and restricting mobile code\n\nautomated mechanisms supporting and\/or implementing the management of mobile code\n\nautomated mechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-19"},{"name":"sort-id","value":"sc-19"}],"links":[{"href":"#7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","rel":"reference"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"The organization:","parts":[{"id":"sc-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and"},{"id":"sc-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorizes, monitors, and controls the use of VoIP within the information system."}]},{"id":"sc-19_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}]},{"id":"sc-19_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"sc-19.a_obj","name":"objective","props":[{"name":"label","value":"SC-19(a)"}],"parts":[{"id":"sc-19.a_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(a)[1]"}],"prose":"establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"},{"id":"sc-19.a_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(a)[2]"}],"prose":"establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously;"}]},{"id":"sc-19.b_obj","name":"objective","props":[{"name":"label","value":"SC-19(b)"}],"parts":[{"id":"sc-19.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-19(b)[1]"}],"prose":"authorizes the use of VoIP within the information system;"},{"id":"sc-19.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-19(b)[2]"}],"prose":"monitors the use of VoIP within the information system; and"},{"id":"sc-19.b_obj.3","name":"objective","props":[{"name":"label","value":"SC-19(b)[3]"}],"prose":"controls the use of VoIP within the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing VoIP\n\nVoIP usage restrictions\n\nVoIP implementation guidance\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system monitoring records\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing VoIP"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational process for authorizing, monitoring, and controlling VoIP\n\nautomated mechanisms supporting and\/or implementing authorizing, monitoring, and controlling VoIP"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (authoritative Source)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-20"},{"name":"sort-id","value":"sc-20"}],"links":[{"href":"#28115a56-da6b-4d44-b1df-51dd7f048a3e","rel":"reference"},{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-20_smt","name":"statement","prose":"The information system:","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to assure the authenticity and integrity of response data.","links":[{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-20_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-20.a_obj","name":"objective","props":[{"name":"label","value":"SC-20(a)"}],"prose":"provides additional data origin and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries;"},{"id":"sc-20.b_obj","name":"objective","props":[{"name":"label","value":"SC-20(b)"}],"prose":"provides the means to, when operating as part of a distributed, hierarchical namespace:","parts":[{"id":"sc-20.b_obj.1","name":"objective","props":[{"name":"label","value":"SC-20(b)[1]"}],"prose":"indicate the security status of child zones; and"},{"id":"sc-20.b_obj.2","name":"objective","props":[{"name":"label","value":"SC-20(b)[2]"}],"prose":"enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services)."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (authoritative source)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing secure name\/address resolution service"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name \/ Address Resolution Service (recursive or Caching Resolver)","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-21"},{"name":"sort-id","value":"sc-21"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"The information system requests and performs data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host\/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.","links":[{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}]},{"id":"sc-21_obj","name":"objective","prose":"Determine if the information system:","parts":[{"id":"sc-21_obj.1","name":"objective","props":[{"name":"label","value":"SC-21[1]"}],"prose":"requests data origin authentication on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.2","name":"objective","props":[{"name":"label","value":"SC-21[2]"}],"prose":"requests data integrity verification on the name\/address resolution responses the system receives from authoritative sources;"},{"id":"sc-21_obj.3","name":"objective","props":[{"name":"label","value":"SC-21[3]"}],"prose":"performs data origin authentication on the name\/address resolution responses the system receives from authoritative sources; and"},{"id":"sc-21_obj.4","name":"objective","props":[{"name":"label","value":"SC-21[4]"}],"prose":"performs data integrity verification on the name\/address resolution responses the system receives from authoritative sources."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution service (recursive or caching resolver)\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name \/ Address Resolution Service","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-22"},{"name":"sort-id","value":"sc-22"}],"links":[{"href":"#6af1e841-672c-46c4-b121-96f603d04be3","rel":"reference"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"The information systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal\/external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists).","links":[{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}]},{"id":"sc-22_obj","name":"objective","prose":"Determine if the information systems that collectively provide name\/address resolution service for an organization:","parts":[{"id":"sc-22_obj.1","name":"objective","props":[{"name":"label","value":"SC-22[1]"}],"prose":"are fault tolerant; and"},{"id":"sc-22_obj.2","name":"objective","props":[{"name":"label","value":"SC-22[2]"}],"prose":"implement internal\/external role separation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution service\n\naccess control policy and procedures\n\ninformation system design documentation\n\nassessment results from independent, testing organizations\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing name\/address resolution service for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-23"},{"name":"sort-id","value":"sc-23"}],"links":[{"href":"#90c5bc98-f9c4-44c9-98b7-787422f0999c","rel":"reference"},{"href":"#99f331f2-a9f0-46c2-9856-a3cbb9b89442","rel":"reference"},{"href":"#1ebdf782-d95d-4a7b-8ec7-ee860951eced","rel":"reference"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"The information system protects the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks\/session hijacking and the insertion of false information into sessions.","links":[{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}]},{"id":"sc-23_obj","name":"objective","prose":"Determine if the information system protects the authenticity of communications sessions."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_prm_1","select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_prm_2","label":"organization-defined information at rest"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-28"},{"name":"sort-id","value":"sc-28"}],"links":[{"href":"#81f09e01-d0b0-4ae2-aa6a-064ed9950070","rel":"reference"},{"href":"#a6c774c0-bf50-4590-9841-2a5c1c91ac6f","rel":"reference"},{"href":"#3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","rel":"reference"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"The information system protects the {{ insert: param, sc-28_prm_1 }} of {{ insert: param, sc-28_prm_2 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection\/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and\/or continuous monitoring to identify malicious code at rest.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"sc-28_obj","name":"objective","prose":"Determine if:","parts":[{"id":"sc-28_obj.1","name":"objective","props":[{"name":"label","value":"SC-28[1]"}],"prose":"the organization defines information at rest requiring one or more of the following:","parts":[{"id":"sc-28_obj.1.a","name":"objective","props":[{"name":"label","value":"SC-28[1][a]"}],"prose":"confidentiality protection; and\/or"},{"id":"sc-28_obj.1.b","name":"objective","props":[{"name":"label","value":"SC-28[1][b]"}],"prose":"integrity protection;"}]},{"id":"sc-28_obj.2","name":"objective","props":[{"name":"label","value":"SC-28[2]"}],"prose":"the information system protects:","parts":[{"id":"sc-28_obj.2.a","name":"objective","props":[{"name":"label","value":"SC-28[2][a]"}],"prose":"the confidentiality of organization-defined information at rest; and\/or"},{"id":"sc-28_obj.2.b","name":"objective","props":[{"name":"label","value":"SC-28[2][b]"}],"prose":"the integrity of organization-defined information at rest."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and communications protection policy\n\nprocedures addressing protection of information at rest\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"priority","value":"P1"},{"name":"label","value":"SC-39"},{"name":"sort-id","value":"sc-39"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"The information system maintains a separate execution domain for each executing process."},{"id":"sc-39_gdn","name":"guidance","prose":"Information systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each information system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. This capability is available in most commercial operating systems that employ multi-state processor technologies.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"sc-39_obj","name":"objective","prose":"Determine if the information system maintains a separate execution domain for each executing process."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Information system design documentation\n\ninformation system architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Information system developers\/integrators\n\ninformation system security architect"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"System and Information Integrity Policy and Procedures","params":[{"id":"si-1_prm_1","label":"organization-defined personnel or roles"},{"id":"si-1_prm_2","label":"organization-defined frequency"},{"id":"si-1_prm_3","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-1"},{"name":"sort-id","value":"si-01"}],"links":[{"href":"#5c201b63-0768-417b-ac22-3f014e3941b2","rel":"reference"},{"href":"#9cb3d8fe-2127-48ba-821e-cdd2d7aee921","rel":"reference"}],"parts":[{"id":"si-1_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops, documents, and disseminates to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reviews and updates the current:","parts":[{"id":"si-1_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"System and information integrity policy {{ insert: param, si-1_prm_2 }}; and"},{"id":"si-1_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System and information integrity procedures {{ insert: param, si-1_prm_3 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SI family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures.","links":[{"href":"#pm-9","rel":"related"}]},{"id":"si-1_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-1.a_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)"}],"parts":[{"id":"si-1.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)"}],"parts":[{"id":"si-1.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1]"}],"prose":"develops and documents a system and information integrity policy that addresses:","parts":[{"id":"si-1.a.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][a]"}],"prose":"purpose;"},{"id":"si-1.a.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][b]"}],"prose":"scope;"},{"id":"si-1.a.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][c]"}],"prose":"roles;"},{"id":"si-1.a.1_obj.1.d","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][d]"}],"prose":"responsibilities;"},{"id":"si-1.a.1_obj.1.e","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][e]"}],"prose":"management commitment;"},{"id":"si-1.a.1_obj.1.f","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][f]"}],"prose":"coordination among organizational entities;"},{"id":"si-1.a.1_obj.1.g","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[1][g]"}],"prose":"compliance;"}]},{"id":"si-1.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[2]"}],"prose":"defines personnel or roles to whom the system and information integrity policy is to be disseminated;"},{"id":"si-1.a.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(1)[3]"}],"prose":"disseminates the system and information integrity policy to organization-defined personnel or roles;"}]},{"id":"si-1.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)"}],"parts":[{"id":"si-1.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[1]"}],"prose":"develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls;"},{"id":"si-1.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[2]"}],"prose":"defines personnel or roles to whom the procedures are to be disseminated;"},{"id":"si-1.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-1(a)(2)[3]"}],"prose":"disseminates the procedures to organization-defined personnel or roles;"}]}]},{"id":"si-1.b_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)"}],"parts":[{"id":"si-1.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)"}],"parts":[{"id":"si-1.b.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity policy;"},{"id":"si-1.b.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(1)[2]"}],"prose":"reviews and updates the current system and information integrity policy with the organization-defined frequency;"}]},{"id":"si-1.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)"}],"parts":[{"id":"si-1.b.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[1]"}],"prose":"defines the frequency to review and update the current system and information integrity procedures; and"},{"id":"si-1.b.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-1(b)(2)[2]"}],"prose":"reviews and updates the current system and information integrity procedures with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy and procedures\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-2_prm_1","label":"organization-defined time period"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-2"},{"name":"sort-id","value":"si-02"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"},{"href":"#080f8068-5e3e-435e-9790-d22ba4722693","rel":"reference"}],"parts":[{"id":"si-2_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identifies, reports, and corrects information system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Installs security-relevant software and firmware updates within {{ insert: param, si-2_prm_1 }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporates flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and anti-virus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required\/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and\/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.","links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-11","rel":"related"}]},{"id":"si-2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.a_obj","name":"objective","props":[{"name":"label","value":"SI-2(a)"}],"parts":[{"id":"si-2.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(a)[1]"}],"prose":"identifies information system flaws;"},{"id":"si-2.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(a)[2]"}],"prose":"reports information system flaws;"},{"id":"si-2.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(a)[3]"}],"prose":"corrects information system flaws;"}]},{"id":"si-2.b_obj","name":"objective","props":[{"name":"label","value":"SI-2(b)"}],"parts":[{"id":"si-2.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(b)[1]"}],"prose":"tests software updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(b)[2]"}],"prose":"tests firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"}]},{"id":"si-2.c_obj","name":"objective","props":[{"name":"label","value":"SI-2(c)"}],"parts":[{"id":"si-2.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(c)[1]"}],"prose":"defines the time period within which to install security-relevant software updates after the release of the updates;"},{"id":"si-2.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(c)[2]"}],"prose":"defines the time period within which to install security-relevant firmware updates after the release of the updates;"},{"id":"si-2.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-2(c)[3]"}],"prose":"installs software updates within the organization-defined time period of the release of the updates;"},{"id":"si-2.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-2(c)[4]"}],"prose":"installs firmware updates within the organization-defined time period of the release of the updates; and"}]},{"id":"si-2.d_obj","name":"objective","props":[{"name":"label","value":"SI-2(d)"}],"prose":"incorporates flaw remediation into the organizational configuration management process."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the information system\n\nlist of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws)\n\ntest results from the installation of software and firmware updates to correct information system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for identifying, reporting, and correcting information system flaws\n\norganizational process for installing software and firmware updates\n\nautomated mechanisms supporting and\/or implementing reporting, and correcting information system flaws\n\nautomated mechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-2.2_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"sort-id","value":"si-02.02"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"The organization employs automated mechanisms {{ insert: param, si-2.2_prm_1 }} to determine the state of information system components with regard to flaw remediation."},{"id":"si-2.2_gdn","name":"guidance","links":[{"href":"#cm-6","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-2.2_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-2.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-2(2)[1]"}],"prose":"defines a frequency to employ automated mechanisms to determine the state of information system components with regard to flaw remediation; and"},{"id":"si-2.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-2(2)[2]"}],"prose":"employs automated mechanisms with the organization-defined frequency to determine the state of information system components with regard to flaw remediation."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for flaw remediation"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms used to determine the state of information system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-3_prm_1","label":"organization-defined frequency"},{"id":"si-3_prm_2","select":{"how-many":"one-or-more","choice":["endpoint","network entry\/exit points"]}},{"id":"si-3_prm_3","select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","send alert to administrator"," {{ insert: param, si-3_prm_4 }} "]}},{"id":"si-3_prm_4","depends-on":"si-3_prm_3","label":"organization-defined action"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-3"},{"name":"sort-id","value":"si-03"}],"links":[{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"}],"parts":[{"id":"si-3_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configures malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the information system {{ insert: param, si-3_prm_1 }} and real-time scans of files from external sources at {{ insert: param, si-3_prm_2 }} as the files are downloaded, opened, or executed in accordance with organizational security policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-3_prm_3 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."}]},{"id":"si-3_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions\/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and\/or actions in response to detection of maliciousness when attempting to open or execute files.","links":[{"href":"#cm-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-12","rel":"related"},{"href":"#sa-13","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-3_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-3.a_obj","name":"objective","props":[{"name":"label","value":"SI-3(a)"}],"prose":"employs malicious code protection mechanisms to detect and eradicate malicious code at information system:","parts":[{"id":"si-3.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(a)[1]"}],"prose":"entry points;"},{"id":"si-3.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(a)[2]"}],"prose":"exit points;"}]},{"id":"si-3.b_obj","name":"objective","props":[{"name":"label","value":"SI-3(b)"}],"prose":"updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures (as identified in CM-1);"},{"id":"si-3.c_obj","name":"objective","props":[{"name":"label","value":"SI-3(c)"}],"parts":[{"id":"si-3.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(c)[1]"}],"prose":"defines a frequency for malicious code protection mechanisms to perform periodic scans of the information system;"},{"id":"si-3.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(c)[2]"}],"prose":"defines action to be initiated by malicious protection mechanisms in response to malicious code detection;"},{"id":"si-3.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3]"}],"parts":[{"id":"si-3.c.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)"}],"prose":"configures malicious code protection mechanisms to:","parts":[{"id":"si-3.c.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[a]"}],"prose":"perform periodic scans of the information system with the organization-defined frequency;"},{"id":"si-3.c.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](1)[b]"}],"prose":"perform real-time scans of files from external sources at endpoint and\/or network entry\/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy;"}]},{"id":"si-3.c.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)"}],"prose":"configures malicious code protection mechanisms to do one or more of the following:","parts":[{"id":"si-3.c.2_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[a]"}],"prose":"block malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[b]"}],"prose":"quarantine malicious code in response to malicious code detection;"},{"id":"si-3.c.2_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[c]"}],"prose":"send alert to administrator in response to malicious code detection; and\/or"},{"id":"si-3.c.2_obj.3.d","name":"objective","props":[{"name":"label","value":"SI-3(c)[3](2)[d]"}],"prose":"initiate organization-defined action in response to malicious code detection;"}]}]}]},{"id":"si-3.d_obj","name":"objective","props":[{"name":"label","value":"SI-3(d)"}],"parts":[{"id":"si-3.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-3(d)[1]"}],"prose":"addresses the receipt of false positives during malicious code detection and eradication; and"},{"id":"si-3.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-3(d)[2]"}],"prose":"addresses the resulting potential impact on the availability of the information system."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel with configuration management responsibility"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational process for addressing false positives and resulting potential impact\n\nautomated mechanisms supporting and\/or implementing employing, updating, and configuring malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"sort-id","value":"si-03.01"}],"parts":[{"id":"si-3.1_smt","name":"statement","prose":"The organization centrally manages malicious code protection mechanisms."},{"id":"si-3.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of malicious code protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed flaw malicious code protection security controls.","links":[{"href":"#au-2","rel":"related"},{"href":"#si-8","rel":"related"}]},{"id":"si-3.1_obj","name":"objective","prose":"Determine if the organization centrally manages malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of malicious code protection mechanisms\n\nautomated mechanisms supporting and\/or implementing central management of malicious code protection mechanisms"}]}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"sort-id","value":"si-03.02"}],"parts":[{"id":"si-3.2_smt","name":"statement","prose":"The information system automatically updates malicious code protection mechanisms."},{"id":"si-3.2_gdn","name":"guidance","prose":"Malicious code protection mechanisms include, for example, signature definitions. Due to information system integrity and availability concerns, organizations give careful consideration to the methodology used to carry out automatic updates.","links":[{"href":"#si-8","rel":"related"}]},{"id":"si-3.2_obj","name":"objective","prose":"Determine if the information system automatically updates malicious code protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing malicious code protection\n\nautomated mechanisms supporting centralized management of malicious code protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for malicious code protection"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing automatic updates to malicious code protection capability"}]}]}]},{"id":"si-4","class":"SP800-53","title":"Information System Monitoring","params":[{"id":"si-4_prm_1","label":"organization-defined monitoring objectives"},{"id":"si-4_prm_2","label":"organization-defined techniques and methods"},{"id":"si-4_prm_3","label":"organization-defined information system monitoring information"},{"id":"si-4_prm_4","label":"organization-defined personnel or roles"},{"id":"si-4_prm_5","select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-4_prm_6 }} "]}},{"id":"si-4_prm_6","depends-on":"si-4_prm_5","label":"organization-defined frequency"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-4"},{"name":"sort-id","value":"si-04"}],"links":[{"href":"#be95fb85-a53f-4624-bdbb-140075500aa3","rel":"reference"},{"href":"#6d431fee-658f-4a0e-9f2e-a38b5d398fab","rel":"reference"},{"href":"#672fd561-b92b-4713-b9cf-6c9d9456728b","rel":"reference"},{"href":"#d1b1d689-0f66-4474-9924-c81119758dc1","rel":"reference"},{"href":"#cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","rel":"reference"}],"parts":[{"id":"si-4_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitors the information system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with {{ insert: param, si-4_prm_1 }}; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifies unauthorized use of the information system through {{ insert: param, si-4_prm_2 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Deploys monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the information system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provides {{ insert: param, si-4_prm_3 }} to {{ insert: param, si-4_prm_4 }} {{ insert: param, si-4_prm_5 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.","links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.a_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)"}],"parts":[{"id":"si-4.a.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)"}],"parts":[{"id":"si-4.a.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[1]"}],"prose":"defines monitoring objectives to detect attacks and indicators of potential attacks on the information system;"},{"id":"si-4.a.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2]"}],"prose":"monitors the information system to detect, in accordance with organization-defined monitoring objectives,:","parts":[{"id":"si-4.a.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][a]"}],"prose":"attacks;"},{"id":"si-4.a.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(a)(1)[2][b]"}],"prose":"indicators of potential attacks;"}]}]},{"id":"si-4.a.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)"}],"prose":"monitors the information system to detect unauthorized:","parts":[{"id":"si-4.a.2_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[1]"}],"prose":"local connections;"},{"id":"si-4.a.2_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[2]"}],"prose":"network connections;"},{"id":"si-4.a.2_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(a)(2)[3]"}],"prose":"remote connections;"}]}]},{"id":"si-4.b_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)"}],"parts":[{"id":"si-4.b.1_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(1)"}],"prose":"defines techniques and methods to identify unauthorized use of the information system;"},{"id":"si-4.b.2_obj","name":"objective","props":[{"name":"label","value":"SI-4(b)(2)"}],"prose":"identifies unauthorized use of the information system through organization-defined techniques and methods;"}]},{"id":"si-4.c_obj","name":"objective","props":[{"name":"label","value":"SI-4(c)"}],"prose":"deploys monitoring devices:","parts":[{"id":"si-4.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(c)[1]"}],"prose":"strategically within the information system to collect organization-determined essential information;"},{"id":"si-4.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(c)[2]"}],"prose":"at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4.d_obj","name":"objective","props":[{"name":"label","value":"SI-4(d)"}],"prose":"protects information obtained from intrusion-monitoring tools from unauthorized:","parts":[{"id":"si-4.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(d)[1]"}],"prose":"access;"},{"id":"si-4.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(d)[2]"}],"prose":"modification;"},{"id":"si-4.d_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(d)[3]"}],"prose":"deletion;"}]},{"id":"si-4.e_obj","name":"objective","props":[{"name":"label","value":"SI-4(e)"}],"prose":"heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;"},{"id":"si-4.f_obj","name":"objective","props":[{"name":"label","value":"SI-4(f)"}],"prose":"obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations;"},{"id":"si-4.g_obj","name":"objective","props":[{"name":"label","value":"SI-4(g)"}],"parts":[{"id":"si-4.g_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(g)[1]"}],"prose":"defines personnel or roles to whom information system monitoring information is to be provided;"},{"id":"si-4.g_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(g)[2]"}],"prose":"defines information system monitoring information to be provided to organization-defined personnel or roles;"},{"id":"si-4.g_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(g)[3]"}],"prose":"defines a frequency to provide organization-defined information system monitoring to organization-defined personnel or roles;"},{"id":"si-4.g_obj.4","name":"objective","props":[{"name":"label","value":"SI-4(g)[4]"}],"prose":"provides organization-defined information system monitoring information to organization-defined personnel or roles one or more of the following:","parts":[{"id":"si-4.g_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][a]"}],"prose":"as needed; and\/or"},{"id":"si-4.g_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-4(g)[4][b]"}],"prose":"with the organization-defined frequency."}]}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"Continuous monitoring strategy\n\nsystem and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\nfacility diagram\/layout\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\nlocations within information system where monitoring devices are deployed\n\ninformation system configuration settings and associated documentation\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility monitoring the information system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring capability"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"sort-id","value":"si-04.02"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"The organization employs automated tools to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and\/or notifications generated by organizational information systems."},{"id":"si-4.2_obj","name":"objective","prose":"Determine if the organization employs automated tools to support near real-time analysis of events."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for incident response\/management"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for near real-time analysis of events\n\norganizational processes for information system monitoring\n\nautomated mechanisms supporting and\/or implementing information system monitoring\n\nautomated mechanisms\/tools supporting and\/or implementing analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"sort-id","value":"si-04.04"}],"parts":[{"id":"si-4.4_smt","name":"statement","prose":"The information system monitors inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for unusual or unauthorized activities or conditions."},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual\/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components."},{"id":"si-4.4_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-4.4_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(4)[1]"}],"prose":"defines a frequency to monitor:","parts":[{"id":"si-4.4_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions;"},{"id":"si-4.4_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[1][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions;"}]},{"id":"si-4.4_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(4)[2]"}],"prose":"monitors, with the organization-defined frequency:","parts":[{"id":"si-4.4_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][a]"}],"prose":"inbound communications traffic for unusual or unauthorized activities or conditions; and"},{"id":"si-4.4_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-4(4)[2][b]"}],"prose":"outbound communications traffic for unusual or unauthorized activities or conditions."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system design documentation\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system protocols\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection capability\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing monitoring of inbound\/outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-4.5_prm_1","label":"organization-defined personnel or roles"},{"id":"si-4.5_prm_2","label":"organization-defined compromise indicators"}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"sort-id","value":"si-04.05"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"The information system alerts {{ insert: param, si-4.5_prm_1 }} when the following indications of compromise or potential compromise occur: {{ insert: param, si-4.5_prm_2 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission\/business owners, system owners, or information system security officers.","links":[{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}]},{"id":"si-4.5_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-4.5_obj.1","name":"objective","props":[{"name":"label","value":"SI-4(5)[1]"}],"prose":"the organization defines compromise indicators for the information system;"},{"id":"si-4.5_obj.2","name":"objective","props":[{"name":"label","value":"SI-4(5)[2]"}],"prose":"the organization defines personnel or roles to be alerted when indications of compromise or potential compromise occur; and"},{"id":"si-4.5_obj.3","name":"objective","props":[{"name":"label","value":"SI-4(5)[3]"}],"prose":"the information system alerts organization-defined personnel or roles when organization-defined compromise indicators occur."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system monitoring tools and techniques\n\ninformation system monitoring tools and techniques documentation\n\ninformation system configuration settings and associated documentation\n\nalerts\/notifications generated based on compromise indicators\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the information system\n\norganizational personnel with responsibility for monitoring the information system\n\norganizational personnel with responsibility for the intrusion detection system"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for intrusion detection\/information system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection\/information system monitoring capability\n\nautomated mechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-5_prm_1","label":"organization-defined external organizations"},{"id":"si-5_prm_2","select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-5_prm_3 }} "," {{ insert: param, si-5_prm_4 }} "," {{ insert: param, si-5_prm_5 }} "]}},{"id":"si-5_prm_3","depends-on":"si-5_prm_2","label":"organization-defined personnel or roles"},{"id":"si-5_prm_4","depends-on":"si-5_prm_2","label":"organization-defined elements within the organization"},{"id":"si-5_prm_5","depends-on":"si-5_prm_2","label":"organization-defined external organizations"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-5"},{"name":"sort-id","value":"si-05"}],"links":[{"href":"#bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","rel":"reference"}],"parts":[{"id":"si-5_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receives information system security alerts, advisories, and directives from {{ insert: param, si-5_prm_1 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminates security alerts, advisories, and directives to: {{ insert: param, si-5_prm_2 }}; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance to security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include, for example, external mission\/business partners, supply chain partners, external service providers, and other peer\/supporting organizations.","links":[{"href":"#si-2","rel":"related"}]},{"id":"si-5_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-5.a_obj","name":"objective","props":[{"name":"label","value":"SI-5(a)"}],"parts":[{"id":"si-5.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(a)[1]"}],"prose":"defines external organizations from whom information system security alerts, advisories and directives are to be received;"},{"id":"si-5.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(a)[2]"}],"prose":"receives information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis;"}]},{"id":"si-5.b_obj","name":"objective","props":[{"name":"label","value":"SI-5(b)"}],"prose":"generates internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5.c_obj","name":"objective","props":[{"name":"label","value":"SI-5(c)"}],"parts":[{"id":"si-5.c_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(c)[1]"}],"prose":"defines personnel or roles to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(c)[2]"}],"prose":"defines elements within the organization to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.3","name":"objective","props":[{"name":"label","value":"SI-5(c)[3]"}],"prose":"defines external organizations to whom security alerts, advisories, and directives are to be provided;"},{"id":"si-5.c_obj.4","name":"objective","props":[{"name":"label","value":"SI-5(c)[4]"}],"prose":"disseminates security alerts, advisories, and directives to one or more of the following:","parts":[{"id":"si-5.c_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][a]"}],"prose":"organization-defined personnel or roles;"},{"id":"si-5.c_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][b]"}],"prose":"organization-defined elements within the organization; and\/or"},{"id":"si-5.c_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-5(c)[4][c]"}],"prose":"organization-defined external organizations; and"}]}]},{"id":"si-5.d_obj","name":"objective","props":[{"name":"label","value":"SI-5(d)"}],"parts":[{"id":"si-5.d_obj.1","name":"objective","props":[{"name":"label","value":"SI-5(d)[1]"}],"prose":"implements security directives in accordance with established time frames; or"},{"id":"si-5.d_obj.2","name":"objective","props":[{"name":"label","value":"SI-5(d)[2]"}],"prose":"notifies the issuing organization of the degree of noncompliance."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the information system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nautomated mechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","label":"organization-defined software, firmware, and information"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-7"},{"name":"sort-id","value":"si-07"}],"links":[{"href":"#6bf8d24a-78dc-4727-a2ac-0e64d71c495c","rel":"reference"},{"href":"#3878cc04-144a-483e-af62-8fe6f4ad6c7a","rel":"reference"}],"parts":[{"id":"si-7_smt","name":"statement","prose":"The organization employs integrity verification tools to detect unauthorized changes to {{ insert: param, si-7_prm_1 }}."},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity (e.g., tampering). Software includes, for example, operating systems (with key internal components such as kernels, drivers), middleware, and applications. Firmware includes, for example, the Basic Input Output System (BIOS). Information includes metadata such as security attributes associated with information. State-of-the-practice integrity-checking mechanisms (e.g., parity checks, cyclical redundancy checks, cryptographic hashes) and associated tools can automatically monitor the integrity of information systems and hosted applications.","links":[{"href":"#sa-12","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7[1]"}],"parts":[{"id":"si-7_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7[1][a]"}],"prose":"defines software requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7[1][b]"}],"prose":"defines firmware requiring integrity verification tools to be employed to detect unauthorized changes;"},{"id":"si-7_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7[1][c]"}],"prose":"defines information requiring integrity verification tools to be employed to detect unauthorized changes;"}]},{"id":"si-7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7[2]"}],"prose":"employs integrity verification tools to detect unauthorized changes to organization-defined:","parts":[{"id":"si-7_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7[2][a]"}],"prose":"software;"},{"id":"si-7_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7[2][b]"}],"prose":"firmware; and"},{"id":"si-7_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7[2][c]"}],"prose":"information."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated\/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","depends-on":"si-7.1_prm_2","label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","depends-on":"si-7.1_prm_2","label":"organization-defined frequency"}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"sort-id","value":"si-07.01"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"The information system performs an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include, for example, the identification of a new threat to which organizational information systems are susceptible, and the installation of new hardware, software, or firmware. Transitional states include, for example, system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-7.1_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(1)[1]"}],"prose":"the organization defines:","parts":[{"id":"si-7.1_obj.1.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][a]"}],"prose":"software requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][b]"}],"prose":"firmware requiring integrity checks to be performed;"},{"id":"si-7.1_obj.1.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[1][c]"}],"prose":"information requiring integrity checks to be performed;"}]},{"id":"si-7.1_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(1)[2]"}],"prose":"the organization defines transitional states or security-relevant events requiring integrity checks of organization-defined:","parts":[{"id":"si-7.1_obj.2.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][a]"}],"prose":"software;"},{"id":"si-7.1_obj.2.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.2.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[2][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.3","name":"objective","props":[{"name":"label","value":"SI-7(1)[3]"}],"prose":"the organization defines a frequency with which to perform an integrity check of organization-defined:","parts":[{"id":"si-7.1_obj.3.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][a]"}],"prose":"software;"},{"id":"si-7.1_obj.3.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][b]"}],"prose":"firmware;"},{"id":"si-7.1_obj.3.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[3][c]"}],"prose":"information;"}]},{"id":"si-7.1_obj.4","name":"objective","props":[{"name":"label","value":"SI-7(1)[4]"}],"prose":"the information system performs an integrity check of organization-defined software, firmware, and information one or more of the following:","parts":[{"id":"si-7.1_obj.4.a","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][a]"}],"prose":"at startup;"},{"id":"si-7.1_obj.4.b","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][b]"}],"prose":"at organization-defined transitional states or security-relevant events; and\/or"},{"id":"si-7.1_obj.4.c","name":"objective","props":[{"name":"label","value":"SI-7(1)[4][c]"}],"prose":"with the organization-defined frequency."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-7.7_prm_1","label":"organization-defined security-relevant changes to the information system"}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"sort-id","value":"si-07.07"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"The organization incorporates the detection of unauthorized {{ insert: param, si-7.7_prm_1 }} into the organizational incident response capability."},{"id":"si-7.7_gdn","name":"guidance","prose":"This control enhancement helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important both for being able to identify and discern adversary actions over an extended period of time and for possible legal actions. Security-relevant changes include, for example, unauthorized changes to established configuration settings or unauthorized elevation of information system privileges.","links":[{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}]},{"id":"si-7.7_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-7.7_obj.1","name":"objective","props":[{"name":"label","value":"SI-7(7)[1]"}],"prose":"defines unauthorized security-relevant changes to the information system; and"},{"id":"si-7.7_obj.2","name":"objective","props":[{"name":"label","value":"SI-7(7)[2]"}],"prose":"incorporates the detection of unauthorized organization-defined security-relevant changes to the information system into the organizational incident response capability."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nincident response records\n\ninformation audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for incorporating detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nautomated mechanisms supporting and\/or implementing incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-8"},{"name":"sort-id","value":"si-08"}],"links":[{"href":"#c6e95ca0-5828-420e-b095-00895b72b5e8","rel":"reference"}],"parts":[{"id":"si-8_smt","name":"statement","prose":"The organization:","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, mobile devices, and notebook\/laptop computers. Spam can be transported by different means including, for example, electronic mail, electronic mail attachments, and web accesses. Spam protection mechanisms include, for example, signature definitions.","links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"}]},{"id":"si-8_obj","name":"objective","prose":"Determine if the organization:","parts":[{"id":"si-8.a_obj","name":"objective","props":[{"name":"label","value":"SI-8(a)"}],"prose":"employs spam protection mechanisms:","parts":[{"id":"si-8.a_obj.1","name":"objective","props":[{"name":"label","value":"SI-8(a)[1]"}],"prose":"at information system entry points to detect unsolicited messages;"},{"id":"si-8.a_obj.2","name":"objective","props":[{"name":"label","value":"SI-8(a)[2]"}],"prose":"at information system entry points to take action on unsolicited messages;"},{"id":"si-8.a_obj.3","name":"objective","props":[{"name":"label","value":"SI-8(a)[3]"}],"prose":"at information system exit points to detect unsolicited messages;"},{"id":"si-8.a_obj.4","name":"objective","props":[{"name":"label","value":"SI-8(a)[4]"}],"prose":"at information system exit points to take action on unsolicited messages; and"}]},{"id":"si-8.b_obj","name":"objective","props":[{"name":"label","value":"SI-8(b)"}],"prose":"updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nconfiguration management policy and procedures (CM-1)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for implementing spam protection\n\nautomated mechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"sort-id","value":"si-08.01"}],"parts":[{"id":"si-8.1_smt","name":"statement","prose":"The organization centrally manages spam protection mechanisms."},{"id":"si-8.1_gdn","name":"guidance","prose":"Central management is the organization-wide management and implementation of spam protection mechanisms. Central management includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed spam protection security controls.","links":[{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}]},{"id":"si-8.1_obj","name":"objective","prose":"Determine if the organization centrally manages spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for central management of spam protection\n\nautomated mechanisms supporting and\/or implementing central management of spam protection"}]}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-8(2)"},{"name":"sort-id","value":"si-08.02"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"The information system automatically updates spam protection mechanisms."},{"id":"si-8.2_obj","name":"objective","prose":"Determine if the information system automatically updates spam protection mechanisms."},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for spam protection\n\nautomated mechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_prm_1","label":"organization-defined information inputs"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-10"},{"name":"sort-id","value":"si-10"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"The information system checks the validity of {{ insert: param, si-10_prm_1 }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-10_obj.1","name":"objective","props":[{"name":"label","value":"SI-10[1]"}],"prose":"the organization defines information inputs requiring validity checks; and"},{"id":"si-10_obj.2","name":"objective","props":[{"name":"label","value":"SI-10[2]"}],"prose":"the information system checks the validity of organization-defined information inputs."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify validity of information\n\nlist of information inputs requiring validity checks\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_prm_1","label":"organization-defined personnel or roles"}],"props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-11"},{"name":"sort-id","value":"si-11"}],"parts":[{"id":"si-11_smt","name":"statement","prose":"The information system:","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveals error messages only to {{ insert: param, si-11_prm_1 }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations carefully consider the structure\/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission\/business information that can be derived from (if not stated explicitly by) information recorded, and personal information such as account numbers, social security numbers, and credit card numbers. In addition, error messages may provide a covert channel for transmitting information.","links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"}]},{"id":"si-11_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-11.a_obj","name":"objective","props":[{"name":"label","value":"SI-11(a)"}],"prose":"the information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries;"},{"id":"si-11.b_obj","name":"objective","props":[{"name":"label","value":"SI-11(b)"}],"parts":[{"id":"si-11.b_obj.1","name":"objective","props":[{"name":"label","value":"SI-11(b)[1]"}],"prose":"the organization defines personnel or roles to whom error messages are to be revealed; and"},{"id":"si-11.b_obj.2","name":"objective","props":[{"name":"label","value":"SI-11(b)[2]"}],"prose":"the information system reveals error messages only to organization-defined personnel or roles."}]}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing information system error handling\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\ndocumentation providing structure\/content of error messages\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Handling and Retention","props":[{"name":"priority","value":"P2"},{"name":"label","value":"SI-12"},{"name":"sort-id","value":"si-12"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information handling and retention requirements cover the full life cycle of information, in some cases extending beyond the disposal of information systems. The National Archives and Records Administration provides guidance on records retention.","links":[{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"}]},{"id":"si-12_obj","name":"objective","prose":"Determine if the organization, in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements:","parts":[{"id":"si-12_obj.1","name":"objective","props":[{"name":"label","value":"SI-12[1]"}],"prose":"handles information within the information system;"},{"id":"si-12_obj.2","name":"objective","props":[{"name":"label","value":"SI-12[2]"}],"prose":"handles output from the information system;"},{"id":"si-12_obj.3","name":"objective","props":[{"name":"label","value":"SI-12[3]"}],"prose":"retains information within the information system; and"},{"id":"si-12_obj.4","name":"objective","props":[{"name":"label","value":"SI-12[4]"}],"prose":"retains output from the information system."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention\n\nmedia protection policy and procedures\n\nprocedures addressing information system output handling and retention\n\ninformation retention records, other relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for information handling and retention\n\norganizational personnel with information security responsibilities\/network administrators"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Organizational processes for information handling and retention\n\nautomated mechanisms supporting and\/or implementing information handling and retention"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_prm_1","label":"organization-defined security safeguards"}],"props":[{"name":"priority","value":"P1"},{"name":"label","value":"SI-16"},{"name":"sort-id","value":"si-16"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"The information system implements {{ insert: param, si-16_prm_1 }} to protect its memory from unauthorized code execution."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism.","links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"}]},{"id":"si-16_obj","name":"objective","prose":"Determine if:","parts":[{"id":"si-16_obj.1","name":"objective","props":[{"name":"label","value":"SI-16[1]"}],"prose":"the organization defines security safeguards to be implemented to protect information system memory from unauthorized code execution; and"},{"id":"si-16_obj.2","name":"objective","props":[{"name":"label","value":"SI-16[2]"}],"prose":"the information system implements organization-defined security safeguards to protect its memory from unauthorized code execution."}]},{"name":"assessment","props":[{"name":"method","value":"EXAMINE"}],"parts":[{"name":"objects","prose":"System and information integrity policy\n\nprocedures addressing memory protection for the information system\n\ninformation system design documentation\n\ninformation system configuration settings and associated documentation\n\nlist of security safeguards protecting information system memory from unauthorized code execution\n\ninformation system audit records\n\nother relevant documents or records"}]},{"name":"assessment","props":[{"name":"method","value":"INTERVIEW"}],"parts":[{"name":"objects","prose":"Organizational personnel with responsibility for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"name":"assessment","props":[{"name":"method","value":"TEST"}],"parts":[{"name":"objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect information system memory from unauthorized code execution"}]}]}]}],"back-matter":{"resources":[{"uuid":"0c97e60b-325a-4efa-ba2b-90f20ccd5abc","title":"5 C.F.R. 731.106","citation":{"text":"Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106)."},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2012-title5-vol2\/CFR-2012-title5-vol2-sec731-106\/content-detail.html"}]},{"uuid":"bb61234b-46c3-4211-8c2b-9869222a720d","title":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)","citation":{"text":"C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)"},"rlinks":[{"href":"http:\/\/www.gpo.gov\/fdsys\/granule\/CFR-2009-title5-vol2\/CFR-2009-title5-vol2-sec930-301\/content-detail.html"}]},{"uuid":"a4aa9645-9a8a-4b51-90a9-e223250f9a75","title":"CNSS Policy 15","citation":{"text":"CNSS Policy 15"},"rlinks":[{"href":"https:\/\/www.cnss.gov\/policies.html"}]},{"uuid":"2d8b14e9-c8b5-4d3d-8bdc-155078f3281b","title":"DoD Information Assurance Vulnerability Alerts","citation":{"text":"DoD Information Assurance Vulnerability Alerts"}},{"uuid":"61081e7f-041d-4033-96a7-44a439071683","title":"DoD Instruction 5200.39","citation":{"text":"DoD Instruction 5200.39"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e42b2099-3e1c-415b-952c-61c96533c12e","title":"DoD Instruction 8551.01","citation":{"text":"DoD Instruction 8551.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"e6522953-6714-435d-a0d3-140df554c186","title":"DoD Instruction 8552.01","citation":{"text":"DoD Instruction 8552.01"},"rlinks":[{"href":"http:\/\/www.dtic.mil\/whs\/directives\/corres\/ins1.html"}]},{"uuid":"c5034e0c-eba6-4ecd-a541-79f0678f4ba4","title":"Executive Order 13587","citation":{"text":"Executive Order 13587"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"56d671da-6b7b-4abf-8296-84b61980390a","title":"Federal Acquisition Regulation","citation":{"text":"Federal Acquisition Regulation"},"rlinks":[{"href":"https:\/\/acquisition.gov\/far"}]},{"uuid":"023104bc-6f75-4cd5-b7d0-fc92326f8007","title":"Federal Continuity Directive 1","citation":{"text":"Federal Continuity Directive 1"},"rlinks":[{"href":"http:\/\/www.fema.gov\/pdf\/about\/offices\/fcd1.pdf"}]},{"uuid":"ba557c91-ba3e-4792-adc6-a4ae479b39ff","title":"FICAM Roadmap and Implementation Guidance","citation":{"text":"FICAM Roadmap and Implementation Guidance"},"rlinks":[{"href":"http:\/\/www.idmanagement.gov\/documents\/ficam-roadmap-and-implementation-guidance"}]},{"uuid":"39f9087d-7687-46d2-8eda-b6f4b7a4d8a9","title":"FIPS Publication 140","citation":{"text":"FIPS Publication 140"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html"}]},{"uuid":"d715b234-9b5b-4e07-b1ed-99836727664d","title":"FIPS Publication 140-2","citation":{"text":"FIPS Publication 140-2"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#140-2"}]},{"uuid":"f2dbd4ec-c413-4714-b85b-6b7184d1c195","title":"FIPS Publication 197","citation":{"text":"FIPS Publication 197"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#197"}]},{"uuid":"e85cdb3f-7f0a-4083-8639-f13f70d3760b","title":"FIPS Publication 199","citation":{"text":"FIPS Publication 199"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#199"}]},{"uuid":"c80c10b3-1294-4984-a4cc-d1733ca432b9","title":"FIPS Publication 201","citation":{"text":"FIPS Publication 201"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsFIPS.html#201"}]},{"uuid":"ad733a42-a7ed-4774-b988-4930c28852f3","title":"HSPD-12","citation":{"text":"HSPD-12"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"4ef539ba-b767-4666-b0d3-168c53005fa3","title":"http:\/\/capec.mitre.org","citation":{"text":"http:\/\/capec.mitre.org"},"rlinks":[{"href":"http:\/\/capec.mitre.org"}]},{"uuid":"e95dd121-2733-413e-bf1e-f1eb49f20a98","title":"http:\/\/checklists.nist.gov","citation":{"text":"http:\/\/checklists.nist.gov"},"rlinks":[{"href":"http:\/\/checklists.nist.gov"}]},{"uuid":"6a1041fc-054e-4230-946b-2e6f4f3731bb","title":"http:\/\/csrc.nist.gov\/cryptval","citation":{"text":"http:\/\/csrc.nist.gov\/cryptval"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/cryptval"}]},{"uuid":"b09d1a31-d3c9-4138-a4f4-4c63816afd7d","title":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html","citation":{"text":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/groups\/STM\/cmvp\/index.html"}]},{"uuid":"0931209f-00ae-4132-b92c-bc645847e8f9","title":"http:\/\/cve.mitre.org","citation":{"text":"http:\/\/cve.mitre.org"},"rlinks":[{"href":"http:\/\/cve.mitre.org"}]},{"uuid":"15522e92-9192-463d-9646-6a01982db8ca","title":"http:\/\/cwe.mitre.org","citation":{"text":"http:\/\/cwe.mitre.org"},"rlinks":[{"href":"http:\/\/cwe.mitre.org"}]},{"uuid":"5ed1f4d5-1494-421b-97ed-39d3c88ab51f","title":"http:\/\/fips201ep.cio.gov","citation":{"text":"http:\/\/fips201ep.cio.gov"},"rlinks":[{"href":"http:\/\/fips201ep.cio.gov"}]},{"uuid":"85280698-0417-489d-b214-12bb935fb939","title":"http:\/\/idmanagement.gov","citation":{"text":"http:\/\/idmanagement.gov"},"rlinks":[{"href":"http:\/\/idmanagement.gov"}]},{"uuid":"275cc052-0f7f-423c-bdb6-ed503dc36228","title":"http:\/\/nvd.nist.gov","citation":{"text":"http:\/\/nvd.nist.gov"},"rlinks":[{"href":"http:\/\/nvd.nist.gov"}]},{"uuid":"bbd50dd1-54ce-4432-959d-63ea564b1bb4","title":"http:\/\/www.acquisition.gov\/far","citation":{"text":"http:\/\/www.acquisition.gov\/far"},"rlinks":[{"href":"http:\/\/www.acquisition.gov\/far"}]},{"uuid":"9b97ed27-3dd6-4f9a-ade5-1b43e9669794","title":"http:\/\/www.cnss.gov","citation":{"text":"http:\/\/www.cnss.gov"},"rlinks":[{"href":"http:\/\/www.cnss.gov"}]},{"uuid":"3ac12e79-f54f-4a63-9f4b-ee4bcd4df604","title":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp","citation":{"text":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"},"rlinks":[{"href":"http:\/\/www.dhs.gov\/telecommunications-service-priority-tsp"}]},{"uuid":"c95a9986-3cd6-4a98-931b-ccfc56cb11e5","title":"http:\/\/www.niap-ccevs.org","citation":{"text":"http:\/\/www.niap-ccevs.org"},"rlinks":[{"href":"http:\/\/www.niap-ccevs.org"}]},{"uuid":"647b6de3-81d0-4d22-bec1-5f1333e34380","title":"http:\/\/www.nsa.gov","citation":{"text":"http:\/\/www.nsa.gov"},"rlinks":[{"href":"http:\/\/www.nsa.gov"}]},{"uuid":"a47466c4-c837-4f06-a39f-e68412a5f73d","title":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml","citation":{"text":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"},"rlinks":[{"href":"http:\/\/www.nsa.gov\/ia\/mitigation_guidance\/media_destruction_guidance\/index.shtml"}]},{"uuid":"02631467-668b-4233-989b-3dfded2fd184","title":"http:\/\/www.us-cert.gov","citation":{"text":"http:\/\/www.us-cert.gov"},"rlinks":[{"href":"http:\/\/www.us-cert.gov"}]},{"uuid":"6caa237b-531b-43ac-9711-d8f6b97b0377","title":"ICD 704","citation":{"text":"ICD 704"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"398e33fd-f404-4e5c-b90e-2d50d3181244","title":"ICD 705","citation":{"text":"ICD 705"},"rlinks":[{"href":"http:\/\/www.dni.gov\/index.php\/intelligence-community\/ic-policies-reports\/intelligence-community-directives"}]},{"uuid":"1737a687-52fb-4008-b900-cbfa836f7b65","title":"ISO\/IEC 15408","citation":{"text":"ISO\/IEC 15408"},"rlinks":[{"href":"http:\/\/www.iso.org\/iso\/iso_catalog\/catalog_tc\/catalog_detail.htm?csnumber=50341"}]},{"uuid":"fb5844de-ff96-47c0-b258-4f52bcc2f30d","title":"National Communications Systems Directive 3-10","citation":{"text":"National Communications Systems Directive 3-10"}},{"uuid":"654f21e2-f3bc-43b2-abdc-60ab8d09744b","title":"National Strategy for Trusted Identities in Cyberspace","citation":{"text":"National Strategy for Trusted Identities in Cyberspace"},"rlinks":[{"href":"http:\/\/www.nist.gov\/nstic"}]},{"uuid":"9cb3d8fe-2127-48ba-821e-cdd2d7aee921","title":"NIST Special Publication 800-100","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-100"}],"citation":{"text":"NIST Special Publication 800-100"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"3cac5e7b-9ebf-4bbb-9af5-ae032de78e8e","title":"NIST Special Publication 800-111","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-111"}],"citation":{"text":"NIST Special Publication 800-111"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"349fe082-502d-464a-aa0c-1443c6a5cf40","title":"NIST Special Publication 800-113","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-113"}],"citation":{"text":"NIST Special Publication 800-113"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"1201fcf3-afb1-4675-915a-fb4ae0435717","title":"NIST Special Publication 800-114 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-114r1"}],"citation":{"text":"NIST Special Publication 800-114 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"c4691b88-57d1-463b-9053-2d0087913f31","title":"NIST Special Publication 800-115","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-115"}],"citation":{"text":"NIST Special Publication 800-115"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2157bb7e-192c-4eaa-877f-93ef6b0a3292","title":"NIST Special Publication 800-116 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-116r1"}],"citation":{"text":"NIST Special Publication 800-116 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"5c201b63-0768-417b-ac22-3f014e3941b2","title":"NIST Special Publication 800-12 Rev. 1","document-ids":[{"scheme":"https:\/\/www.doi.org\/","identifier":"10.6028\/NIST.SP.800-12r1"}],"citation":{"text":"NIST Special Publication 800-12 Rev. 1"},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"d1a4e2a9-e512-4132-8795-5357aba29254","title":"NIST Special Publication 800-121","citation":{"text":"NIST Special Publication 800-121"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-121"}]},{"uuid":"0293a393-fbe8-4ed1-b0b4-f6fbd3ae1589","title":"NIST Special Publication 800-124","citation":{"text":"NIST Special Publication 800-124"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-124"}]},{"uuid":"080f8068-5e3e-435e-9790-d22ba4722693","title":"NIST Special Publication 800-128","citation":{"text":"NIST Special Publication 800-128"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-128"}]},{"uuid":"cee2c6ca-0261-4a6f-b630-e41d8ffdd82b","title":"NIST Special Publication 800-137","citation":{"text":"NIST Special Publication 800-137"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-137"}]},{"uuid":"6bf8d24a-78dc-4727-a2ac-0e64d71c495c","title":"NIST Special Publication 800-147","citation":{"text":"NIST Special Publication 800-147"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-147"}]},{"uuid":"3878cc04-144a-483e-af62-8fe6f4ad6c7a","title":"NIST Special Publication 800-155","citation":{"text":"NIST Special Publication 800-155"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-155"}]},{"uuid":"825438c3-248d-4e30-a51e-246473ce6ada","title":"NIST Special Publication 800-16","citation":{"text":"NIST Special Publication 800-16"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-16"}]},{"uuid":"6513e480-fada-4876-abba-1397084dfb26","title":"NIST Special Publication 800-164","citation":{"text":"NIST Special Publication 800-164"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-164"}]},{"uuid":"9c5c9e8c-dc81-4f55-a11c-d71d7487790f","title":"NIST Special Publication 800-18","citation":{"text":"NIST Special Publication 800-18"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-18"}]},{"uuid":"0a5db899-f033-467f-8631-f5a8ba971475","title":"NIST Special Publication 800-23","citation":{"text":"NIST Special Publication 800-23"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-23"}]},{"uuid":"21b1ed35-56d2-40a8-bdfe-b461fffe322f","title":"NIST Special Publication 800-27","citation":{"text":"NIST Special Publication 800-27"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-27"}]},{"uuid":"e716cd51-d1d5-4c6a-967a-22e9fbbc42f1","title":"NIST Special Publication 800-28","citation":{"text":"NIST Special Publication 800-28"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-28"}]},{"uuid":"a466121b-f0e2-41f0-a5f9-deb0b5fe6b15","title":"NIST Special Publication 800-30","citation":{"text":"NIST Special Publication 800-30"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-30"}]},{"uuid":"8f174e91-844e-4cf1-a72a-45c119a3a8dd","title":"NIST Special Publication 800-32","citation":{"text":"NIST Special Publication 800-32"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-32"}]},{"uuid":"748a81b9-9cad-463f-abde-8b368167e70d","title":"NIST Special Publication 800-34","citation":{"text":"NIST Special Publication 800-34"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-34"}]},{"uuid":"0c775bc3-bfc3-42c7-a382-88949f503171","title":"NIST Special Publication 800-35","citation":{"text":"NIST Special Publication 800-35"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-35"}]},{"uuid":"d818efd3-db31-4953-8afa-9e76afe83ce2","title":"NIST Special Publication 800-36","citation":{"text":"NIST Special Publication 800-36"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-36"}]},{"uuid":"0a0c26b6-fd44-4274-8b36-93442d49d998","title":"NIST Special Publication 800-37","citation":{"text":"NIST Special Publication 800-37"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-37"}]},{"uuid":"d480aa6a-7a88-424e-a10c-ad1c7870354b","title":"NIST Special Publication 800-39","citation":{"text":"NIST Special Publication 800-39"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-39"}]},{"uuid":"bdd14f6c-41ab-4277-8d74-a0ce75a0eb1d","title":"NIST Special Publication 800-40","citation":{"text":"NIST Special Publication 800-40"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-40"}]},{"uuid":"756a8e86-57d5-4701-8382-f7a40439665a","title":"NIST Special Publication 800-41","citation":{"text":"NIST Special Publication 800-41"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-41"}]},{"uuid":"c6e95ca0-5828-420e-b095-00895b72b5e8","title":"NIST Special Publication 800-45","citation":{"text":"NIST Special Publication 800-45"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-45"}]},{"uuid":"5309d4d0-46f8-4213-a749-e7584164e5e8","title":"NIST Special Publication 800-46","citation":{"text":"NIST Special Publication 800-46"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-46"}]},{"uuid":"2711f068-734e-4afd-94ba-0b22247fbc88","title":"NIST Special Publication 800-47","citation":{"text":"NIST Special Publication 800-47"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-47"}]},{"uuid":"238ed479-eccb-49f6-82ec-ab74a7a428cf","title":"NIST Special Publication 800-48","citation":{"text":"NIST Special Publication 800-48"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-48"}]},{"uuid":"e12b5738-de74-4fb3-8317-a3995a8a1898","title":"NIST Special Publication 800-50","citation":{"text":"NIST Special Publication 800-50"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-50"}]},{"uuid":"90c5bc98-f9c4-44c9-98b7-787422f0999c","title":"NIST Special Publication 800-52","citation":{"text":"NIST Special Publication 800-52"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-52"}]},{"uuid":"cd4cf751-3312-4a55-b1a9-fad2f1db9119","title":"NIST Special Publication 800-53A","citation":{"text":"NIST Special Publication 800-53A"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-53A"}]},{"uuid":"81f09e01-d0b0-4ae2-aa6a-064ed9950070","title":"NIST Special Publication 800-56","citation":{"text":"NIST Special Publication 800-56"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-56"}]},{"uuid":"a6c774c0-bf50-4590-9841-2a5c1c91ac6f","title":"NIST Special Publication 800-57","citation":{"text":"NIST Special Publication 800-57"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-57"}]},{"uuid":"7783f3e7-09b3-478b-9aa2-4a76dfd0ea90","title":"NIST Special Publication 800-58","citation":{"text":"NIST Special Publication 800-58"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-58"}]},{"uuid":"f152844f-b1ef-4836-8729-6277078ebee1","title":"NIST Special Publication 800-60","citation":{"text":"NIST Special Publication 800-60"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-60"}]},{"uuid":"be95fb85-a53f-4624-bdbb-140075500aa3","title":"NIST Special Publication 800-61","citation":{"text":"NIST Special Publication 800-61"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-61"}]},{"uuid":"644f44a9-a2de-4494-9c04-cd37fba45471","title":"NIST Special Publication 800-63","citation":{"text":"NIST Special Publication 800-63"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-63"}]},{"uuid":"abd950ae-092f-4b7a-b374-1c7c67fe9350","title":"NIST Special Publication 800-64","citation":{"text":"NIST Special Publication 800-64"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-64"}]},{"uuid":"29fcfe59-33cd-494a-8756-5907ae3a8f92","title":"NIST Special Publication 800-65","citation":{"text":"NIST Special Publication 800-65"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-65"}]},{"uuid":"84a37532-6db6-477b-9ea8-f9085ebca0fc","title":"NIST Special Publication 800-70","citation":{"text":"NIST Special Publication 800-70"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-70"}]},{"uuid":"ead74ea9-4c9c-446d-9b92-bcbf0ad4b655","title":"NIST Special Publication 800-73","citation":{"text":"NIST Special Publication 800-73"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-73"}]},{"uuid":"2a71298a-ee90-490e-80ff-48c967173a47","title":"NIST Special Publication 800-76","citation":{"text":"NIST Special Publication 800-76"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-76"}]},{"uuid":"99f331f2-a9f0-46c2-9856-a3cbb9b89442","title":"NIST Special Publication 800-77","citation":{"text":"NIST Special Publication 800-77"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-77"}]},{"uuid":"2042d97b-f7f6-4c74-84f8-981867684659","title":"NIST Special Publication 800-78","citation":{"text":"NIST Special Publication 800-78"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-78"}]},{"uuid":"6af1e841-672c-46c4-b121-96f603d04be3","title":"NIST Special Publication 800-81","citation":{"text":"NIST Special Publication 800-81"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-81"}]},{"uuid":"6d431fee-658f-4a0e-9f2e-a38b5d398fab","title":"NIST Special Publication 800-83","citation":{"text":"NIST Special Publication 800-83"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-83"}]},{"uuid":"0243a05a-e8a3-4d51-9364-4a9d20b0dcdf","title":"NIST Special Publication 800-84","citation":{"text":"NIST Special Publication 800-84"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-84"}]},{"uuid":"263823e0-a971-4b00-959d-315b26278b22","title":"NIST Special Publication 800-88","citation":{"text":"NIST Special Publication 800-88"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-88"}]},{"uuid":"672fd561-b92b-4713-b9cf-6c9d9456728b","title":"NIST Special Publication 800-92","citation":{"text":"NIST Special Publication 800-92"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-92"}]},{"uuid":"d1b1d689-0f66-4474-9924-c81119758dc1","title":"NIST Special Publication 800-94","citation":{"text":"NIST Special Publication 800-94"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-94"}]},{"uuid":"1ebdf782-d95d-4a7b-8ec7-ee860951eced","title":"NIST Special Publication 800-95","citation":{"text":"NIST Special Publication 800-95"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-95"}]},{"uuid":"6f336ecd-f2a0-4c84-9699-0491d81b6e0d","title":"NIST Special Publication 800-97","citation":{"text":"NIST Special Publication 800-97"},"rlinks":[{"href":"http:\/\/csrc.nist.gov\/publications\/PubsSPs.html#800-97"}]},{"uuid":"06dff0ea-3848-4945-8d91-e955ee69f05d","title":"NSTISSI No. 7003","citation":{"text":"NSTISSI No. 7003"},"rlinks":[{"href":"http:\/\/www.cnss.gov\/Assets\/pdf\/nstissi_7003.pdf"}]},{"uuid":"9f77f845-e3ea-4ca4-b2c0-aa9eedc214ab","title":"OMB Circular A-130","citation":{"text":"OMB Circular A-130"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/circulars_a130_a130trans4"}]},{"uuid":"2c5884cd-7b96-425c-862a-99877e1cf909","title":"OMB Memorandum 02-01","citation":{"text":"OMB Memorandum 02-01"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/omb\/memoranda_m02-01"}]},{"uuid":"ff3bfb02-79b2-411f-8735-98dfe5af2ab0","title":"OMB Memorandum 04-04","citation":{"text":"OMB Memorandum 04-04"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy04\/m04-04.pdf"}]},{"uuid":"58ad6f27-af99-429f-86a8-8bb767b014b9","title":"OMB Memorandum 05-24","citation":{"text":"OMB Memorandum 05-24"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2005\/m05-24.pdf"}]},{"uuid":"4da24a96-6cf8-435d-9d1f-c73247cad109","title":"OMB Memorandum 06-16","citation":{"text":"OMB Memorandum 06-16"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2006\/m06-16.pdf"}]},{"uuid":"990268bf-f4a9-4c81-91ae-dc7d3115f4b1","title":"OMB Memorandum 07-11","citation":{"text":"OMB Memorandum 07-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-11.pdf"}]},{"uuid":"0b3d8ba9-051f-498d-81ea-97f0f018c612","title":"OMB Memorandum 07-18","citation":{"text":"OMB Memorandum 07-18"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2007\/m07-18.pdf"}]},{"uuid":"0916ef02-3618-411b-a525-565c088849a6","title":"OMB Memorandum 08-22","citation":{"text":"OMB Memorandum 08-22"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-22.pdf"}]},{"uuid":"28115a56-da6b-4d44-b1df-51dd7f048a3e","title":"OMB Memorandum 08-23","citation":{"text":"OMB Memorandum 08-23"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-23.pdf"}]},{"uuid":"599fe9ba-4750-4450-9eeb-b95bd19a5e8f","title":"OMB Memorandum 10-06-2011","citation":{"text":"OMB Memorandum 10-06-2011"}},{"uuid":"74e740a4-c45d-49f3-a86e-eb747c549e01","title":"OMB Memorandum 11-11","citation":{"text":"OMB Memorandum 11-11"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-11.pdf"}]},{"uuid":"bedb15b7-ec5c-4a68-807f-385125751fcd","title":"OMB Memorandum 11-33","citation":{"text":"OMB Memorandum 11-33"},"rlinks":[{"href":"http:\/\/www.whitehouse.gov\/sites\/default\/files\/omb\/memoranda\/2011\/m11-33.pdf"}]},{"uuid":"dd2f5acd-08f1-435a-9837-f8203088dc1a","title":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)","citation":{"text":"Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS)"}},{"uuid":"8ade2fbe-e468-4ca8-9a40-54d7f23c32bb","title":"US-CERT Technical Cyber Security Alerts","citation":{"text":"US-CERT Technical Cyber Security Alerts"},"rlinks":[{"href":"http:\/\/www.us-cert.gov\/ncas\/alerts"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json
index 96fba5b5..5485d5d3 100644
--- a/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev4/json/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.json
@@ -1,9 +1,9 @@
 {
   "catalog": {
-    "uuid": "975aa476-c834-4b62-9e8b-f5d28a23962c",
+    "uuid": "4f3ed81e-6a9c-4b14-ac07-7d02ec09f643",
     "metadata": {
       "title": "NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:43.964173-04:00",
+      "last-modified": "2023-12-05T21:54:48.24154Z",
       "version": "2015-01-22",
       "oscal-version": "1.1.1",
       "props": [
diff --git a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml
index 6f6db6a1..366acdae 100644
--- a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="d42ac376-bf01-4baf-bad5-d0b7ee2626d5">
+          uuid="d3d0fe20-8c66-4ead-a7bf-10455eada4ac">
    <metadata>
       <title>NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:45.965719-04:00</last-modified>
+      <last-modified>2023-12-05T21:54:41.390821Z</last-modified>
       <version>2015-01-22</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
diff --git a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.xml
index a98a9941..15b38981 100644
--- a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="bec68292-6541-40e5-bc3b-5fcfee922bd9">
+          uuid="90cfe612-52c5-4daa-8ec1-9a6c223fa571">
    <metadata>
       <title>NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:37.69093-04:00</last-modified>
+      <last-modified>2023-12-05T21:54:40.489331Z</last-modified>
       <version>2015-01-22</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
diff --git a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.xml
index 229ac0ef..7b81ffd3 100644
--- a/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev4/xml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="975aa476-c834-4b62-9e8b-f5d28a23962c">
+          uuid="4f3ed81e-6a9c-4b14-ac07-7d02ec09f643">
    <metadata>
       <title>NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:43.964173-04:00</last-modified>
+      <last-modified>2023-12-05T21:54:48.24154Z</last-modified>
       <version>2015-01-22</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
diff --git a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.yaml
index 257d1eac..feb972ec 100644
--- a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_HIGH-baseline-resolved-profile_catalog.yaml
@@ -1,8 +1,8 @@
 catalog:
-  uuid: d42ac376-bf01-4baf-bad5-d0b7ee2626d5
+  uuid: d3d0fe20-8c66-4ead-a7bf-10455eada4ac
   metadata:
     title: NIST Special Publication 800-53 Revision 4 HIGH IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:45.965719-04:00"
+    last-modified: "2023-12-05T21:54:41.390821Z"
     version: "2015-01-22"
     oscal-version: 1.1.1
     props:
diff --git a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.yaml
index ea418474..14f78057 100644
--- a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_LOW-baseline-resolved-profile_catalog.yaml
@@ -1,8 +1,8 @@
 catalog:
-  uuid: bec68292-6541-40e5-bc3b-5fcfee922bd9
+  uuid: 90cfe612-52c5-4daa-8ec1-9a6c223fa571
   metadata:
     title: NIST Special Publication 800-53 Revision 4 LOW IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:37.69093-04:00"
+    last-modified: "2023-12-05T21:54:40.489331Z"
     version: "2015-01-22"
     oscal-version: 1.1.1
     props:
diff --git a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.yaml
index ac796d84..4aa0400f 100644
--- a/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev4/yaml/NIST_SP-800-53_rev4_MODERATE-baseline-resolved-profile_catalog.yaml
@@ -1,8 +1,8 @@
 catalog:
-  uuid: 975aa476-c834-4b62-9e8b-f5d28a23962c
+  uuid: 4f3ed81e-6a9c-4b14-ac07-7d02ec09f643
   metadata:
     title: NIST Special Publication 800-53 Revision 4 MODERATE IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:43.964173-04:00"
+    last-modified: "2023-12-05T21:54:48.24154Z"
     version: "2015-01-22"
     oscal-version: 1.1.1
     props:
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog-min.json
index aa7a6ca4..7d1a156c 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"fa9322a2-ab84-423c-b677-8602000b4876","metadata":{"title":"NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE","last-modified":"2023-11-02T11:49:45.431064-04:00","version":"Final","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_HIGH-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"c748c806-1d77-4695-bb40-e117b2afa82e","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]},{"role-id":"contact","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;"},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."}]}]}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;"},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;"},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;"},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;"},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;"},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;"}]}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; "},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;"},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;"},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;"},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes."}]}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;"},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;"},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;"},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;"},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited."}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-02.11_odp.01","props":[{"name":"alt-identifier","value":"ac-2.11_prm_1"},{"name":"label","value":"AC-02(11)_ODP[01]","class":"sp800-53a"}],"label":"circumstances and\/or usage conditions","guidelines":[{"prose":"circumstances and\/or usage conditions to be enforced for system accounts are defined;"}]},{"id":"ac-02.11_odp.02","props":[{"name":"alt-identifier","value":"ac-2.11_prm_2"},{"name":"label","value":"AC-02(11)_ODP[02]","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts subject to enforcement of circumstances and\/or usage conditions are defined;"}]}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"label","value":"AC-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(11)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced."},{"id":"ac-2.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and\/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring for Atypical Usage","params":[{"id":"ac-02.12_odp.01","props":[{"name":"alt-identifier","value":"ac-2.12_prm_1"},{"name":"label","value":"AC-02(12)_ODP[01]","class":"sp800-53a"}],"label":"atypical usage","guidelines":[{"prose":"atypical usage for which to monitor system accounts is defined;"}]},{"id":"ac-02.12_odp.02","props":[{"name":"alt-identifier","value":"ac-2.12_prm_2"},{"name":"label","value":"AC-02(12)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to report atypical usage is\/are defined;"}]}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"label","value":"AC-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.12_smt","name":"statement","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"ac-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)","class":"sp800-53a"}],"parts":[{"id":"ac-2.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(a)","class":"sp800-53a"}],"prose":"system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; "},{"id":"ac-2.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(b)","class":"sp800-53a"}],"prose":"atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.4","class":"SP800-53-enhancement","title":"Flow Control of Encrypted Information","params":[{"id":"ac-04.04_odp.01","props":[{"name":"alt-identifier","value":"ac-4.4_prm_1"},{"name":"label","value":"AC-04(04)_ODP[01]","class":"sp800-53a"}],"label":"information flow control mechanisms","guidelines":[{"prose":"information flow control mechanisms that encrypted information is prevented from bypassing are defined;"}]},{"id":"ac-04.04_odp.02","props":[{"name":"alt-identifier","value":"ac-4.4_prm_2"},{"name":"label","value":"AC-04(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["decrypting the information","blocking the flow of the encrypted information","terminating communications sessions attempting to pass encrypted information"," {{ insert: param, ac-04.04_odp.03 }} "]}},{"id":"ac-04.04_odp.03","props":[{"name":"alt-identifier","value":"ac-4.4_prm_3"},{"name":"alt-label","value":"procedure or method","class":"sp800-53"},{"name":"label","value":"AC-04(04)_ODP[03]","class":"sp800-53a"}],"label":"organization-defined procedure or method","guidelines":[{"prose":"the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(4)"},{"name":"label","value":"AC-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.4_smt","name":"statement","prose":"Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_gdn","name":"guidance","prose":"Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms."},{"id":"ac-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(04)","class":"sp800-53a"}],"prose":"encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-05_odp }} are identified and documented;"},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined."}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-06.03_odp.01","props":[{"name":"alt-identifier","value":"ac-6.3_prm_1"},{"name":"label","value":"AC-06(03)_ODP[01]","class":"sp800-53a"}],"label":"privileged commands","guidelines":[{"prose":"privileged commands to which network access is to be authorized only for compelling operational needs are defined;"}]},{"id":"ac-06.03_odp.02","props":[{"name":"alt-identifier","value":"ac-6.3_prm_2"},{"name":"label","value":"AC-06(03)_ODP[02]","class":"sp800-53a"}],"label":"compelling operational needs","guidelines":[{"prose":"compelling operational needs necessitating network access to privileged commands are defined;"}]}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"label","value":"AC-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)."},{"id":"ac-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)","class":"sp800-53a"}],"parts":[{"id":"ac-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[01]","class":"sp800-53a"}],"prose":"network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};"},{"id":"ac-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[02]","class":"sp800-53a"}],"prose":"the rationale for authorizing network access to privileged commands is documented in the security plan for the system."}]},{"id":"ac-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged."},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions."},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;"},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included."}]}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_odp.01","props":[{"name":"alt-identifier","value":"ac-10_prm_1"},{"name":"alt-label","value":"account and\/or account type","class":"sp800-53"},{"name":"label","value":"AC-10_ODP[01]","class":"sp800-53a"}],"label":"account and\/or account types","guidelines":[{"prose":"accounts and\/or account types for which to limit the number of concurrent sessions is defined;"}]},{"id":"ac-10_odp.02","props":[{"name":"alt-identifier","value":"ac-10_prm_2"},{"name":"label","value":"AC-10_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of concurrent sessions to be allowed for each account and\/or account type is defined;"}]}],"props":[{"name":"label","value":"AC-10"},{"name":"label","value":"AC-10","class":"sp800-53a"},{"name":"sort-id","value":"ac-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-10","class":"sp800-53a"}],"prose":"the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures."}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image."},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;"},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."}]}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections."}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;"},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods."}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points."},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system."}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections."}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption."}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"label","value":"AC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"Identify and explicitly authorize users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems."},{"id":"ac-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)","class":"sp800-53a"}],"parts":[{"id":"ac-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[01]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are identified;"},{"id":"ac-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[02]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are explicitly authorized."}]},{"id":"ac-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas and Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"label","value":"AC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area."},{"id":"ac-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)","class":"sp800-53a"}],"parts":[{"id":"ac-18.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[01]","class":"sp800-53a"}],"prose":"radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;"},{"id":"ac-18.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[02]","class":"sp800-53a"}],"prose":"transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."}]},{"id":"ac-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized."}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.1","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.2","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;"},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered."}]}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; "},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"}]}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."}]}]}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"}]}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;"},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided."}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;"},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided."}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"}]}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};"},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training."}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;"},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."}]}]}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;"},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;"},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;"},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;"},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;"},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Storage Capacity Warning","params":[{"id":"au-05.01_odp.01","props":[{"name":"alt-identifier","value":"au-5.1_prm_1"},{"name":"label","value":"AU-05(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity."}]},{"id":"au-05.01_odp.02","props":[{"name":"alt-identifier","value":"au-5.1_prm_2"},{"name":"label","value":"AU-05(01)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for defined personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;"}]},{"id":"au-05.01_odp.03","props":[{"name":"alt-identifier","value":"au-5.1_prm_3"},{"name":"label","value":"AU-05(01)_ODP[03]","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"percentage of repository maximum audit log storage capacity is defined;"}]}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"label","value":"AU-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(01)","class":"sp800-53a"}],"prose":"a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-05.02_odp.01","props":[{"name":"alt-identifier","value":"au-5.2_prm_1"},{"name":"label","value":"AU-05(02)_ODP[01]","class":"sp800-53a"}],"label":"real-time period","guidelines":[{"prose":"real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;"}]},{"id":"au-05.02_odp.02","props":[{"name":"alt-identifier","value":"au-5.2_prm_2"},{"name":"label","value":"AU-05(02)_ODP[02]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is\/are defined;"}]},{"id":"au-05.02_odp.03","props":[{"name":"alt-identifier","value":"au-5.2_prm_3"},{"name":"label","value":"AU-05(02)_ODP[03]","class":"sp800-53a"}],"label":"audit logging failure events requiring real-time alerts","guidelines":[{"prose":"audit logging failure events requiring real-time alerts are defined;"}]}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"label","value":"AU-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(02)","class":"sp800-53a"}],"prose":"an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur."},{"id":"au-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};"},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integrated Analysis of Audit Records","params":[{"id":"au-06.05_odp.01","props":[{"name":"alt-identifier","value":"au-6.5_prm_1"},{"name":"label","value":"AU-06(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","system monitoring information"," {{ insert: param, au-06.05_odp.02 }} "]}},{"id":"au-06.05_odp.02","props":[{"name":"alt-identifier","value":"au-6.5_prm_2"},{"name":"label","value":"AU-06(05)_ODP[02]","class":"sp800-53a"}],"label":"data\/information collected from other sources","guidelines":[{"prose":"data\/information collected from other sources to be analyzed is defined (if selected);"}]}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"label","value":"AU-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations."},{"id":"au-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(05)","class":"sp800-53a"}],"prose":"analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records"}]},{"id":"au-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"label","value":"AU-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations."},{"id":"au-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(06)","class":"sp800-53a"}],"prose":"information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."}]}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;"},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Store on Separate Physical Systems or Components","params":[{"id":"au-09.02_odp","props":[{"name":"alt-identifier","value":"au-9.2_prm_1"},{"name":"label","value":"AU-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of storing audit records in a repository is defined;"}]}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"label","value":"AU-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records."},{"id":"au-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(02)","class":"sp800-53a"}],"prose":"audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"label","value":"AU-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash."},{"id":"au-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented."},{"id":"au-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting the integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_odp","props":[{"name":"alt-identifier","value":"au-10_prm_1"},{"name":"alt-label","value":"actions to be covered by non-repudiation","class":"sp800-53"},{"name":"label","value":"AU-10_ODP","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be covered by non-repudiation are defined;"}]}],"props":[{"name":"label","value":"AU-10"},{"name":"label","value":"AU-10","class":"sp800-53a"},{"name":"sort-id","value":"au-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#au-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts."},{"id":"au-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10","class":"sp800-53a"}],"prose":"irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;"},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide and Time-correlated Audit Trail","params":[{"id":"au-12.01_odp.01","props":[{"name":"alt-identifier","value":"au-12.1_prm_1"},{"name":"label","value":"AU-12(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;"}]},{"id":"au-12.01_odp.02","props":[{"name":"alt-identifier","value":"au-12.1_prm_2"},{"name":"alt-label","value":"level of tolerance for the relationship between time stamps of individual records in the audit trail","class":"sp800-53"},{"name":"label","value":"AU-12(01)_ODP[02]","class":"sp800-53a"}],"label":"level of tolerance","guidelines":[{"prose":"level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;"}]}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"label","value":"AU-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#au-8","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances."},{"id":"au-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(01)","class":"sp800-53a"}],"prose":"audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.03_odp.01","props":[{"name":"alt-identifier","value":"au-12.3_prm_1"},{"name":"label","value":"AU-12(03)_ODP[01]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles authorized to change the logging on system components are defined;"}]},{"id":"au-12.03_odp.02","props":[{"name":"alt-identifier","value":"au-12.3_prm_2"},{"name":"label","value":"AU-12(03)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which logging is to be performed are defined;"}]},{"id":"au-12.03_odp.03","props":[{"name":"alt-identifier","value":"au-12.3_prm_3"},{"name":"label","value":"AU-12(03)_ODP[03]","class":"sp800-53a"}],"label":"selectable event criteria","guidelines":[{"prose":"selectable event criteria with which change logging is to be performed are defined;"}]},{"id":"au-12.03_odp.04","props":[{"name":"alt-identifier","value":"au-12.3_prm_4"},{"name":"label","value":"AU-12(03)_ODP[04]","class":"sp800-53a"}],"label":"time thresholds","guidelines":[{"prose":"time thresholds in which logging actions are to change is defined;"}]}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"label","value":"AU-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)."},{"id":"au-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)","class":"sp800-53a"}],"parts":[{"id":"au-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[01]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;"},{"id":"au-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented."}]},{"id":"au-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;"},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."}]}]}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"}]}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;"},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments."},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-02.02_odp.01","props":[{"name":"alt-identifier","value":"ca-2.2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"specialized assessment frequency","guidelines":[{"prose":"frequency at which to include specialized assessments as part of the control assessment is defined;"}]},{"id":"ca-02.02_odp.02","props":[{"name":"alt-identifier","value":"ca-2.2_prm_2"},{"name":"label","value":"CA-02(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["announced","unannounced"]}},{"id":"ca-02.02_odp.03","props":[{"name":"alt-identifier","value":"ca-2.2_prm_3"},{"name":"label","value":"CA-02(02)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-depth monitoring","security instrumentation","automated security test cases","vulnerability scanning","malicious user testing","insider threat assessment","performance and load testing","data leakage or data loss assessment"," {{ insert: param, ca-02.02_odp.04 }} "]}},{"id":"ca-02.02_odp.04","props":[{"name":"alt-identifier","value":"ca-2.2_prm_4"},{"name":"label","value":"CA-02(02)_ODP[04]","class":"sp800-53a"}],"label":"other forms of assessment","guidelines":[{"prose":"other forms of assessment are defined (if selected);"}]}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"label","value":"CA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)."},{"id":"ca-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(02)","class":"sp800-53a"}],"prose":" {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments."},{"id":"ca-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}],"controls":[{"id":"ca-3.6","class":"SP800-53-enhancement","title":"Transfer Authorizations","props":[{"name":"label","value":"CA-3(6)"},{"name":"label","value":"CA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ca-3.6_smt","name":"statement","prose":"Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_gdn","name":"guidance","prose":"To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)."},{"id":"ca-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(06)","class":"sp800-53a"}],"prose":"individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;"},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;"},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."}]}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring."}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-08_odp.01","props":[{"name":"alt-identifier","value":"ca-8_prm_1"},{"name":"label","value":"CA-08_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct penetration testing on systems or system components is defined;"}]},{"id":"ca-08_odp.02","props":[{"name":"alt-identifier","value":"ca-8_prm_2"},{"name":"alt-label","value":"systems or system components","class":"sp800-53"},{"name":"label","value":"CA-08_ODP[02]","class":"sp800-53a"}],"label":"system(s) or system components","guidelines":[{"prose":"systems or system components on which penetration testing is to be conducted are defined;"}]}],"props":[{"name":"label","value":"CA-8"},{"name":"label","value":"CA-08","class":"sp800-53a"},{"name":"sort-id","value":"ca-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and\/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing."},{"id":"ca-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08","class":"sp800-53a"}],"prose":"penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Testing Agent or Team","props":[{"name":"label","value":"CA-8(1)"},{"name":"label","value":"CA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"Employ an independent penetration testing agent or team to perform penetration testing on the system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing."},{"id":"ca-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(01)","class":"sp800-53a"}],"prose":"an independent penetration testing agent or team is employed to perform penetration testing on the system or system components."},{"id":"ca-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;"},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;"},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;"},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;"},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."}]}]}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;"},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."}]}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback."},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;"},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;"},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;"},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;"},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;"},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."}]}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Documentation, Notification, and Prohibition of Changes","params":[{"id":"cm-03.01_odp.01","props":[{"name":"alt-identifier","value":"cm-3.1_prm_1"},{"name":"label","value":"CM-03(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate configuration change control are defined;"}]},{"id":"cm-03.01_odp.02","props":[{"name":"alt-identifier","value":"cm-3.1_prm_2"},{"name":"label","value":"CM-03(01)_ODP[02]","class":"sp800-53a"}],"label":"approval authorities","guidelines":[{"prose":"approval authorities to be notified of and request approval for proposed changes to the system are defined;"}]},{"id":"cm-03.01_odp.03","props":[{"name":"alt-identifier","value":"cm-3.1_prm_3"},{"name":"label","value":"CM-03(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to highlight changes that have not been approved or disapproved is defined;"}]},{"id":"cm-03.01_odp.04","props":[{"name":"alt-identifier","value":"cm-3.1_prm_4"},{"name":"label","value":"CM-03(01)_ODP[04]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to be notified when approved changes are complete is\/are defined;"}]}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"label","value":"CM-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"Use {{ insert: param, cm-03.01_odp.01 }} to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_gdn","name":"guidance","prose":"None."},{"id":"cm-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)","class":"sp800-53a"}],"parts":[{"id":"cm-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;"},{"id":"cm-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(c)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(d)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(e)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;"},{"id":"cm-3.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(f)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes."}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","params":[{"id":"cm-03.06_odp","props":[{"name":"alt-identifier","value":"cm-3.6_prm_1"},{"name":"label","value":"CM-03(06)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls provided by cryptographic mechanisms that are to be under configuration management are defined;"}]}],"props":[{"name":"label","value":"CM-3(6)"},{"name":"label","value":"CM-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}."},{"id":"cm-3.6_gdn","name":"guidance","prose":"The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates."},{"id":"cm-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(06)","class":"sp800-53a"}],"prose":"cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management."},{"id":"cm-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;"},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation."}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"label","value":"CM-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation."},{"id":"cm-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)","class":"sp800-53a"}],"parts":[{"id":"cm-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed in a separate test environment before implementation in an operational environment;"},{"id":"cm-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to flaws;"},{"id":"cm-4.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[03]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to flaws;"},{"id":"cm-4.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[04]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to weaknesses;"},{"id":"cm-4.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[05]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to weaknesses;"},{"id":"cm-4.1_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[06]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to incompatibility;"},{"id":"cm-4.1_obj-7","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[07]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to incompatibility;"},{"id":"cm-4.1_obj-8","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[08]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to intentional malice;"},{"id":"cm-4.1_obj-9","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[09]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to intentional malice."}]},{"id":"cm-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]},{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;"},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced."}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement and Audit Records","params":[{"id":"cm-05.01_odp","props":[{"name":"alt-identifier","value":"cm-5.1_prm_1"},{"name":"label","value":"CM-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the enforcement of access restrictions are defined;"}]}],"props":[{"name":"label","value":"CM-5(1)"},{"name":"label","value":"CM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-5.1_smt","name":"statement","parts":[{"id":"cm-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and"},{"id":"cm-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Automatically generate audit records of the enforcement actions."}]},{"id":"cm-5.1_gdn","name":"guidance","prose":"Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes."},{"id":"cm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)","class":"sp800-53a"}],"parts":[{"id":"cm-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(a)","class":"sp800-53a"}],"prose":"access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};"},{"id":"cm-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(b)","class":"sp800-53a"}],"prose":"audit records of enforcement actions are automatically generated."}]},{"id":"cm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;"},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;"},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures."}]}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Management, Application, and Verification","params":[{"id":"cm-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-06.01_odp.01","props":[{"name":"alt-identifier","value":"cm-6.1_prm_1"},{"name":"label","value":"CM-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to manage, apply, and verify configuration settings are defined;"}]},{"id":"cm-06.01_odp.02","props":[{"name":"label","value":"CM-06(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to manage configuration settings are defined;"}]},{"id":"cm-06.01_odp.03","props":[{"name":"label","value":"CM-06(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to apply configuration settings are defined;"}]},{"id":"cm-06.01_odp.04","props":[{"name":"label","value":"CM-06(01)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to verify configuration settings are defined;"}]}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"label","value":"CM-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}."},{"id":"cm-6.1_gdn","name":"guidance","prose":"Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)","class":"sp800-53a"}],"parts":[{"id":"cm-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[01]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};"},{"id":"cm-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[02]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};"},{"id":"cm-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[03]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}."}]},{"id":"cm-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-06.02_odp.01","props":[{"name":"alt-identifier","value":"cm-6.2_prm_2"},{"name":"label","value":"CM-06(02)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken upon an unauthorized change are defined;"}]},{"id":"cm-06.02_odp.02","props":[{"name":"alt-identifier","value":"cm-6.2_prm_1"},{"name":"label","value":"CM-06(02)_ODP[02]","class":"sp800-53a"}],"label":"configuration settings","guidelines":[{"prose":"configuration settings requiring action upon an unauthorized change are defined;"}]}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"label","value":"CM-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing."},{"id":"cm-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(02)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}."},{"id":"cm-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and\/or implementing actions in response to unauthorized changes"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."}]}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:"},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;"},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed."}]}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.05_odp.01 }} are identified;"},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;"},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;"},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;"},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;"},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates."}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","params":[{"id":"cm-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.02_odp.01","props":[{"name":"label","value":"CM-08(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the currency of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.02","props":[{"name":"label","value":"CM-08(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the completeness of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.03","props":[{"name":"label","value":"CM-08(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the accuracy of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.04","props":[{"name":"label","value":"CM-08(02)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the availability of the system component inventory are defined;"}]}],"props":[{"name":"label","value":"CM-8(2)"},{"name":"label","value":"CM-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)","class":"sp800-53a"}],"parts":[{"id":"cm-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;"},{"id":"cm-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;"},{"id":"cm-8.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;"},{"id":"cm-8.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory."}]},{"id":"cm-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."}]}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-08.04_odp","props":[{"name":"alt-identifier","value":"cm-8.4_prm_1"},{"name":"label","value":"CM-08(04)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"label","value":"CM-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)."},{"id":"cm-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(04)","class":"sp800-53a"}],"prose":"individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory."},{"id":"cm-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing the system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;"},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;"},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;"},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;"},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;"},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;"},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification."}]}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;"},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;"},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."}]}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;"},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."}]}]}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;"},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;"},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;"},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;"},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;"},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"}]}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;"},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;"},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;"},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification."}]}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans."},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"label","value":"CP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance."},{"id":"cp-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)","class":"sp800-53a"}],"parts":[{"id":"cp-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[01]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;"},{"id":"cp-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[02]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;"},{"id":"cp-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[03]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support."}]},{"id":"cp-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Mission and Business Functions","params":[{"id":"cp-02.05_odp","props":[{"name":"alt-identifier","value":"cp-2.5_prm_1"},{"name":"label","value":"CP-02(05)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(5)"},{"name":"label","value":"CP-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)","class":"sp800-53a"}],"parts":[{"id":"cp-2.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[01]","class":"sp800-53a"}],"prose":"the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;"},{"id":"cp-2.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[02]","class":"sp800-53a"}],"prose":"continuity is sustained until full system restoration at primary processing and\/or storage sites."}]},{"id":"cp-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."}]}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"label","value":"CP-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_gdn","name":"guidance","prose":"The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures."},{"id":"cp-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for simulating contingency events"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;"},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed."}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans."},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"label","value":"CP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"Test the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","prose":"Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing."},{"id":"cp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)","class":"sp800-53a"}],"parts":[{"id":"cp-4.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(a)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;"},{"id":"cp-4.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(b)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;"},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time and Recovery Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"label","value":"CP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_gdn","name":"guidance","prose":"Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution."},{"id":"cp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)","class":"sp800-53a"}],"parts":[{"id":"cp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[01]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;"},{"id":"cp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[02]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives."}]},{"id":"cp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site."}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"label","value":"CP-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place."},{"id":"cp-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(04)","class":"sp800-53a"}],"prose":"the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary and Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"label","value":"CP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(03)","class":"sp800-53a"}],"prose":"alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats."},{"id":"cp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"id":"cp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-08.04_odp.01","props":[{"name":"label","value":"CP-08(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency testing by providers is defined;"}]},{"id":"cp-08.04_odp.02","props":[{"name":"label","value":"CP-08(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency training by providers is defined;"}]}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"label","value":"CP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-8.4_smt","name":"statement","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service providers are required to have contingency plans;"},{"id":"cp-8.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service providers are required to have contingency plans;"}]},{"id":"cp-8.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(b)","class":"sp800-53a"}],"prose":"provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;"},{"id":"cp-8.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[01]","class":"sp800-53a"}],"prose":"evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}."},{"id":"cp-8.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[02]","class":"sp800-53a"}],"prose":"evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}."}]}]},{"id":"cp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;"},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;"},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected."}]}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"label","value":"CP-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","prose":"Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed."},{"id":"cp-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(02)","class":"sp800-53a"}],"prose":"a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing."},{"id":"cp-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-09.03_odp","props":[{"name":"alt-identifier","value":"cp-9.3_prm_1"},{"name":"label","value":"CP-09(03)_ODP","class":"sp800-53a"}],"label":"critical system software and other security-related information","guidelines":[{"prose":"critical system software and other security-related information backups to be stored in a separate facility are defined;"}]}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"label","value":"CP-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers."},{"id":"cp-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(03)","class":"sp800-53a"}],"prose":"backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.02"}],"label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"},{"id":"cp-09.05_odp.01","props":[{"name":"label","value":"CP-09(05)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09.05_odp.02","props":[{"name":"label","value":"CP-09(05)_ODP[02]","class":"sp800-53a"}],"label":"transfer rate","guidelines":[{"prose":"transfer rate consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"label","value":"CP-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media."},{"id":"cp-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)","class":"sp800-53a"}],"parts":[{"id":"cp-9.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[01]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};"},{"id":"cp-9.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[02]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}."}]},{"id":"cp-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based."},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.04_odp","props":[{"name":"alt-identifier","value":"cp-10.4_prm_1"},{"name":"label","value":"CP-10(04)_ODP","class":"sp800-53a"}],"label":"restoration time periods","guidelines":[{"prose":"restoration time period within which to restore system components to a known, operational state is defined;"}]}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"label","value":"CP-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of system components includes reimaging, which restores the components to known, operational states."},{"id":"cp-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(04)","class":"sp800-53a"}],"prose":"the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided."},{"id":"cp-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the recovery\/reconstitution of system information"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;"},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."}]}]}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;"},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts."},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented."},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Individual Authentication with Group Authentication","props":[{"name":"label","value":"IA-2(5)"},{"name":"label","value":"IA-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators."},{"id":"ia-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(05)","class":"sp800-53a"}],"prose":"users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed."},{"id":"ia-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an authentication capability for group accounts"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified."},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":" {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;"},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;"},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;"},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;"},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."}]}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;"},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;"},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;"},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained."}]}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;"},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;"},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;"},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified."}]}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority."},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.4","class":"SP800-53-enhancement","title":"In-person Validation and Verification","props":[{"name":"label","value":"IA-12(4)"},{"name":"label","value":"IA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.4_smt","name":"statement","prose":"Require that the validation and verification of identity evidence be conducted in person before a designated registration authority."},{"id":"ia-12.4_gdn","name":"guidance","prose":"In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities."},{"id":"ia-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(04)","class":"sp800-53a"}],"prose":"the validation and verification of identity evidence is conducted in person before a designated registration authority."},{"id":"ia-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;"},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."}]}]}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."}]}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"label","value":"IR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_gdn","name":"guidance","prose":"Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations."},{"id":"ir-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","params":[{"id":"ir-02.02_odp","props":[{"name":"alt-identifier","value":"ir-2.2_prm_1"},{"name":"label","value":"IR-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used in an incident response training environment are defined;"}]}],"props":[{"name":"label","value":"IR-2(2)"},{"name":"label","value":"IR-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_gdn","name":"guidance","prose":"Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability."},{"id":"ir-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(02)","class":"sp800-53a"}],"prose":"an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans."},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;"},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;"},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;"},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;"},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;"},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;"},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization."}]}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"label","value":"IR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(04)","class":"sp800-53a"}],"prose":"incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"id":"ir-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses"}]}]},{"id":"ir-4.11","class":"SP800-53-enhancement","title":"Integrated Incident Response Team","params":[{"id":"ir-04.11_odp","props":[{"name":"alt-identifier","value":"ir-4.11_prm_1"},{"name":"label","value":"IR-04(11)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which an integrated incident response team can be deployed is defined;"}]}],"props":[{"name":"label","value":"IR-4(11)"},{"name":"label","value":"IR-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"ir-4.11_smt","name":"statement","prose":"Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."},{"id":"ir-4.11_gdn","name":"guidance","prose":"An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient."},{"id":"ir-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)","class":"sp800-53a"}],"parts":[{"id":"ir-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[01]","class":"sp800-53a"}],"prose":"an integrated incident response team is established and maintained;"},{"id":"ir-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[02]","class":"sp800-53a"}],"prose":"the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."}]},{"id":"ir-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;"},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented."}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking, Data Collection, and Analysis","params":[{"id":"ir-5.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ir-05.01_odp.01","props":[{"name":"label","value":"IR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to track incidents are defined;"}]},{"id":"ir-05.01_odp.02","props":[{"name":"label","value":"IR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to collect incident information are defined;"}]},{"id":"ir-05.01_odp.03","props":[{"name":"label","value":"IR-05(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to analyze incident information are defined;"}]}],"props":[{"name":"label","value":"IR-5(1)"},{"name":"label","value":"IR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-5","rel":"required"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices."},{"id":"ir-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)","class":"sp800-53a"}],"parts":[{"id":"ir-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[01]","class":"sp800-53a"}],"prose":"incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};"},{"id":"ir-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[02]","class":"sp800-53a"}],"prose":"incident information is collected using {{ insert: param, ir-05.01_odp.02 }};"},{"id":"ir-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[03]","class":"sp800-53a"}],"prose":"incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}."}]},{"id":"ir-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records"}]},{"id":"ir-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;"},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;"},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;"},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;"},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;"},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification."}]}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;"},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."}]}]}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","params":[{"id":"ma-2.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ma-02.02_odp.01","props":[{"name":"label","value":"MA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.02","props":[{"name":"label","value":"MA-02(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.03","props":[{"name":"label","value":"MA-02(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;"}]}],"props":[{"name":"label","value":"MA-2(2)"},{"name":"label","value":"MA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"required"},{"href":"#ma-3","rel":"related"}],"parts":[{"id":"ma-2.2_smt","name":"statement","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","prose":"The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records."},{"id":"ma-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;"},{"id":"ma-2.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;"},{"id":"ma-2.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;"}]},{"id":"ma-2.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[01]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced."},{"id":"ma-2.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[02]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced."},{"id":"ma-2.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[03]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced."}]}]},{"id":"ma-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing the production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;"},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;"},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system."},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;"},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;"},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;"},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed."}]}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security and Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"label","value":"MA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-4.3_smt","name":"statement","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced."},{"id":"ma-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;"},{"id":"ma-4.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[02]","class":"sp800-53a"}],"prose":"nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"}]},{"id":"ma-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[01]","class":"sp800-53a"}],"prose":"the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;"},{"id":"ma-4.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[02]","class":"sp800-53a"}],"prose":"the component to be serviced is sanitized (for organizational information);"},{"id":"ma-4.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[03]","class":"sp800-53a"}],"prose":"the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system."}]}]},{"id":"ma-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and\/or implementing component sanitization and inspection"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;"},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;"},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","params":[{"id":"ma-05.01_odp","props":[{"name":"alt-identifier","value":"ma-5.1_prm_1"},{"name":"label","value":"MA-05(01)_ODP","class":"sp800-53a"}],"label":"alternate controls","guidelines":[{"prose":"alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;"}]}],"props":[{"name":"label","value":"MA-5(1)"},{"name":"label","value":"MA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ma-5.1_smt","name":"statement","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems."},{"id":"ma-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(01)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;"},{"id":"ma-5.1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(02)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;"}]},{"id":"ma-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and\/or implementing alternative security safeguards\n\nmechanisms supporting and\/or implementing information storage component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;"},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."}]}]}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.01 }} are physically controlled;"},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.02 }} are physically controlled;"},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;"},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;"},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;"},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel."}]}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review, Approve, Track, Document, and Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"label","value":"MP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"Review, approve, track, document, and verify media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal."},{"id":"mp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)","class":"sp800-53a"}],"parts":[{"id":"mp-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[01]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are reviewed;"},{"id":"mp-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[02]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are approved;"},{"id":"mp-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[03]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are tracked;"},{"id":"mp-6.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[04]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are documented;"},{"id":"mp-6.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[05]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are verified."}]},{"id":"mp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing verification of media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-06.02_odp.01","props":[{"name":"label","value":"MP-06(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization equipment is defined;"}]},{"id":"mp-06.02_odp.02","props":[{"name":"label","value":"MP-06(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization procedures is defined;"}]}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"label","value":"MP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers."},{"id":"mp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)","class":"sp800-53a"}],"parts":[{"id":"mp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[01]","class":"sp800-53a"}],"prose":"sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;"},{"id":"mp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[02]","class":"sp800-53a"}],"prose":"sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved."}]},{"id":"mp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"mp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization procedures\n\nsanitization equipment"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-06.03_odp","props":[{"name":"alt-identifier","value":"mp-6.3_prm_1"},{"name":"alt-label","value":"circumstances requiring sanitization of portable storage devices","class":"sp800-53"},{"name":"label","value":"MP-06(03)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring sanitization of portable storage devices are defined;"}]}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"label","value":"MP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices."},{"id":"mp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(03)","class":"sp800-53a"}],"prose":"non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;"},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."}]}]}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;"},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;"},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;"},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required."}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;"},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;"},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;"},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."}]}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"System Access","params":[{"id":"pe-03.01_odp","props":[{"name":"alt-identifier","value":"pe-3.1_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-03(01)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"label","value":"PE-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components."},{"id":"pe-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)","class":"sp800-53a"}],"parts":[{"id":"pe-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[01]","class":"sp800-53a"}],"prose":"physical access authorizations to the system are enforced;"},{"id":"pe-3.1_obj.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[02]","class":"sp800-53a"}],"prose":"physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}."}]},{"id":"pe-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the information system\/components\n\nmechanisms supporting and\/or implementing physical access control for facility areas containing system components"}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;"},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities."}]}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;"},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment."}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Systems","params":[{"id":"pe-06.04_odp","props":[{"name":"alt-identifier","value":"pe-6.4_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-06(04)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"label","value":"PE-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization."},{"id":"pe-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(04)","class":"sp800-53a"}],"prose":"physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and\/or implementing physical access monitoring for facility areas containing system components"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance and Review","params":[{"id":"pe-8.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"pe-08.01_odp.01","props":[{"name":"label","value":"PE-08(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain visitor access records are defined;"}]},{"id":"pe-08.01_odp.02","props":[{"name":"label","value":"PE-08(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to review visitor access records are defined;"}]}],"props":[{"name":"label","value":"PE-8(1)"},{"name":"label","value":"PE-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}."},{"id":"pe-8.1_gdn","name":"guidance","prose":"Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions."},{"id":"pe-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)","class":"sp800-53a"}],"parts":[{"id":"pe-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[01]","class":"sp800-53a"}],"prose":"visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};"},{"id":"pe-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[02]","class":"sp800-53a"}],"prose":"visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}."}]},{"id":"pe-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;"},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction."}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation."}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Alternate Power Supply — Minimal Operational Capability","params":[{"id":"pe-11.01_odp","props":[{"name":"alt-identifier","value":"pe-11.1_prm_1"},{"name":"label","value":"PE-11(01)_ODP","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}}],"props":[{"name":"label","value":"PE-11(1)"},{"name":"label","value":"PE-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply."},{"id":"pe-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)","class":"sp800-53a"}],"parts":[{"id":"pe-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[01]","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};"},{"id":"pe-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[02]","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source."}]},{"id":"pe-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;"},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility."}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;"},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;"},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;"},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;"},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;"},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained."}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Systems — Automatic Activation and Notification","params":[{"id":"pe-13.02_odp.01","props":[{"name":"alt-identifier","value":"pe-13.2_prm_1"},{"name":"label","value":"PE-13(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.02_odp.02","props":[{"name":"alt-identifier","value":"pe-13.2_prm_2"},{"name":"label","value":"PE-13(02)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"label","value":"PE-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.2_smt","name":"statement","parts":[{"id":"pe-13.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and"},{"id":"pe-13.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and\/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[01]","class":"sp800-53a"}],"prose":"fire suppression systems that activate automatically are employed;"},{"id":"pe-13.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[02]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;"},{"id":"pe-13.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[03]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;"}]},{"id":"pe-13.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(b)","class":"sp800-53a"}],"prose":"an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;"},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;"},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel."}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.01_odp.01","props":[{"name":"alt-identifier","value":"pe-15.1_prm_1"},{"name":"label","value":"PE-15(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when the presence of water is detected near the system is\/are defined;"}]},{"id":"pe-15.01_odp.02","props":[{"name":"alt-identifier","value":"pe-15.1_prm_2"},{"name":"label","value":"PE-15(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of water near the system are defined;"}]}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"label","value":"PE-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"required"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms include notification systems, water detection sensors, and alarms."},{"id":"pe-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)","class":"sp800-53a"}],"parts":[{"id":"pe-15.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[01]","class":"sp800-53a"}],"prose":"the presence of water near the system can be detected automatically;"},{"id":"pe-15.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-15.01_odp.01 }} is\/are alerted using {{ insert: param, pe-15.01_odp.02 }}."}]},{"id":"pe-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts\/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing water detection capabilities and alerts for the system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained."}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.01 }} are determined and documented;"},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;"},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided."}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of System Components","params":[{"id":"pe-18_odp","props":[{"name":"alt-identifier","value":"pe-18_prm_1"},{"name":"label","value":"PE-18_ODP","class":"sp800-53a"}],"label":"physical and environmental hazards","guidelines":[{"prose":"physical and environmental hazards that could result in potential damage to system components within the facility are defined;"}]}],"props":[{"name":"label","value":"PE-18"},{"name":"label","value":"PE-18","class":"sp800-53a"},{"name":"sort-id","value":"pe-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information."},{"id":"pe-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-18","class":"sp800-53a"}],"prose":"system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for positioning system components"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented."},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."}]}]}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;"},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;"},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;"},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;"},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;"},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification."}]}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;"},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;"},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"}]}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;"},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;"},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);"},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;"},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;"},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions."}]}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected."},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions."},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;"},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."}]}]}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;"},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;"},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;"},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."}]}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;"},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;"},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Actions","params":[{"id":"ps-04.02_odp.01","props":[{"name":"alt-identifier","value":"ps-4.2_prm_1"},{"name":"label","value":"PS-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to notify personnel or roles of individual termination actions and\/or to disable access to system resources are defined;"}]},{"id":"ps-04.02_odp.02","props":[{"name":"alt-identifier","value":"ps-4.2_prm_2"},{"name":"label","value":"PS-04(02)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions","disable access to system resources"]}},{"id":"ps-04.02_odp.03","props":[{"name":"alt-identifier","value":"ps-4.2_prm_3"},{"name":"label","value":"PS-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified upon termination of an individual is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"label","value":"PS-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated."},{"id":"ps-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(02)","class":"sp800-53a"}],"prose":" {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;"},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;"},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;"},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored."}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;"},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions."}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;"},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."}]}]}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;"},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;"},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;"},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;"},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-05.04_odp","props":[{"name":"alt-identifier","value":"ra-5.4_prm_1"},{"name":"label","value":"RA-05(04)_ODP","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken if information about the system is discoverable are defined;"}]}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"label","value":"RA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-13","rel":"related"},{"href":"#sc-26","rel":"related"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization."},{"id":"ra-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ra-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[01]","class":"sp800-53a"}],"prose":"information about the system is discoverable;"},{"id":"ra-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable."}]},{"id":"ra-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing risk response\n\nmechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance."}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;"},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."}]}]}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;"},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;"},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation."}]}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;"},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;"},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;"},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities."}]}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.5","class":"SP800-53-enhancement","title":"System, Component, and Service Configurations","params":[{"id":"sa-04.05_odp","props":[{"name":"alt-identifier","value":"sa-4.5_prm_1"},{"name":"label","value":"SA-04(05)_ODP","class":"sp800-53a"}],"label":"security configurations","guidelines":[{"prose":"security configurations for the system, component, or service are defined;"}]}],"props":[{"name":"label","value":"SA-4(5)"},{"name":"label","value":"SA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and"},{"id":"sa-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_gdn","name":"guidance","prose":"Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed."},{"id":"sa-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)","class":"sp800-53a"}],"parts":[{"id":"sa-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;"},{"id":"sa-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(b)","class":"sp800-53a"}],"prose":"the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use."}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"}]}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"}]}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;"},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;"},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;"},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."}]}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."}]}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."}]}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_odp","props":[{"name":"alt-identifier","value":"sa-16_prm_1"},{"name":"label","value":"SA-16_ODP","class":"sp800-53a"}],"label":"training","guidelines":[{"prose":"training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms provided by the developer of the system, system component, or system service is defined;"}]}],"props":[{"name":"label","value":"SA-16"},{"name":"label","value":"SA-16","class":"sp800-53a"},{"name":"sort-id","value":"sa-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms: {{ insert: param, sa-16_odp }}."},{"id":"sa-16_gdn","name":"guidance","prose":"Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms."},{"id":"sa-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-16","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms."},{"id":"sa-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security and Privacy Architecture and Design","props":[{"name":"label","value":"SA-17"},{"name":"label","value":"SA-17","class":"sp800-53a"},{"name":"sort-id","value":"sa-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing."},{"id":"sa-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;"}]},{"id":"sa-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;"},{"id":"sa-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;"}]},{"id":"sa-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;"},{"id":"sa-17_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection."}]}]},{"id":"sa-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-21","class":"SP800-53","title":"Developer Screening","params":[{"id":"sa-21_odp.01","props":[{"name":"alt-identifier","value":"sa-21_prm_1"},{"name":"alt-label","value":"system, system component, or system service","class":"sp800-53"},{"name":"label","value":"SA-21_ODP[01]","class":"sp800-53a"}],"label":"system, systems component, or system service","guidelines":[{"prose":"the system, systems component, or system service that the developer has access to is\/are defined;"}]},{"id":"sa-21_odp.02","props":[{"name":"alt-identifier","value":"sa-21_prm_2"},{"name":"label","value":"SA-21_ODP[02]","class":"sp800-53a"}],"label":"official government duties","guidelines":[{"prose":"official government duties assigned to the developer are defined;"}]},{"id":"sa-21_odp.03","props":[{"name":"alt-identifier","value":"sa-21_prm_3"},{"name":"label","value":"SA-21_ODP[03]","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria for the developer are defined;"}]}],"props":[{"name":"label","value":"SA-21"},{"name":"label","value":"SA-21","class":"sp800-53a"},{"name":"sort-id","value":"sa-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-21_smt","name":"statement","prose":"Require that the developer of {{ insert: param, sa-21_odp.01 }}:","parts":[{"id":"sa-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and"},{"id":"sa-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_gdn","name":"guidance","prose":"Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements."},{"id":"sa-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-21","class":"sp800-53a"}],"parts":[{"id":"sa-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-21a.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};"},{"id":"sa-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-21b.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening"}]},{"id":"sa-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developer screening\n\nmechanisms supporting developer screening"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;"},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."}]}]}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality."},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"label","value":"SC-3"},{"name":"label","value":"SC-03","class":"sp800-53a"},{"name":"sort-id","value":"sc-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"Isolate security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03","class":"sp800-53a"}],"prose":"security functions are isolated from non-security functions."},{"id":"sc-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;"},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented."}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;"},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;"},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;"},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited."},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;"},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;"},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;"},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;"},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks."}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"label","value":"SC-07(18)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#cp-2","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases."},{"id":"sc-7.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(18)","class":"sp800-53a"}],"prose":"systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of System Components","params":[{"id":"sc-07.21_odp.01","props":[{"name":"alt-identifier","value":"sc-7.21_prm_1"},{"name":"label","value":"SC-07(21)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be isolated by boundary protection mechanisms are defined;"}]},{"id":"sc-07.21_odp.02","props":[{"name":"alt-identifier","value":"sc-7.21_prm_2"},{"name":"label","value":"SC-07(21)_ODP[02]","class":"sp800-53a"}],"label":"missions and\/or business functions","guidelines":[{"prose":"missions and\/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"label","value":"SC-07(21)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ca-9","rel":"related"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys."},{"id":"sc-7.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(21)","class":"sp800-53a"}],"prose":"boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to separate system components supporting organizational missions and\/or business functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected."},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"label","value":"SC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"Maintain availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key."},{"id":"sc-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(01)","class":"sp800-53a"}],"prose":"information availability is maintained in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;"},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices."}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;"},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;"},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;"},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;"},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;"},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system."}]}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."}]}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources."}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;"},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;"},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation."}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected."},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_odp.01","props":[{"name":"alt-identifier","value":"sc-24_prm_3"},{"name":"alt-label","value":"list of organization-defined types of system failures on organization-defined system components","class":"sp800-53"},{"name":"label","value":"SC-24_ODP[01]","class":"sp800-53a"}],"label":"types of system failures on system components","guidelines":[{"prose":"types of system failures for which the system components fail to a known state are defined;"}]},{"id":"sc-24_odp.02","props":[{"name":"alt-identifier","value":"sc-24_prm_1"},{"name":"label","value":"SC-24_ODP[02]","class":"sp800-53a"}],"label":"known system state","guidelines":[{"prose":"known system state to which system components fail in the event of a system failure is defined;"}]},{"id":"sc-24_odp.03","props":[{"name":"alt-identifier","value":"sc-24_prm_2"},{"name":"label","value":"SC-24_ODP[03]","class":"sp800-53a"}],"label":"system state information","guidelines":[{"prose":"system state information to be preserved in the event of a system failure is defined;"}]}],"props":[{"name":"label","value":"SC-24"},{"name":"label","value":"SC-24","class":"sp800-53a"},{"name":"sort-id","value":"sc-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes."},{"id":"sc-24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-24","class":"sp800-53a"}],"prose":" {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure."},{"id":"sc-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected."},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process."},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;"},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."}]}]}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;"},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;"},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;"},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process."}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"}]}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;"},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;"},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;"}]}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;"},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;"},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events."},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."}]}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]},{"id":"si-4.10","class":"SP800-53-enhancement","title":"Visibility of Encrypted Communications","params":[{"id":"si-04.10_odp.01","props":[{"name":"alt-identifier","value":"si-4.10_prm_1"},{"name":"label","value":"SI-04(10)_ODP[01]","class":"sp800-53a"}],"label":"encrypted communications traffic","guidelines":[{"prose":"encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;"}]},{"id":"si-04.10_odp.02","props":[{"name":"alt-identifier","value":"si-4.10_prm_2"},{"name":"label","value":"SI-04(10)_ODP[02]","class":"sp800-53a"}],"label":"system monitoring tools and mechanisms","guidelines":[{"prose":"system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(10)"},{"name":"label","value":"SI-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.10_smt","name":"statement","prose":"Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_gdn","name":"guidance","prose":"Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types."},{"id":"si-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(10)","class":"sp800-53a"}],"prose":"provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the visibility of encrypted communications traffic to monitoring tools"}]}]},{"id":"si-4.12","class":"SP800-53-enhancement","title":"Automated Organization-generated Alerts","params":[{"id":"si-04.12_odp.01","props":[{"name":"alt-identifier","value":"si-4.12_prm_1"},{"name":"label","value":"SI-04(12)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is\/are defined;"}]},{"id":"si-04.12_odp.02","props":[{"name":"alt-identifier","value":"si-4.12_prm_2"},{"name":"label","value":"SI-04(12)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to alert personnel or roles are defined;"}]},{"id":"si-04.12_odp.03","props":[{"name":"alt-identifier","value":"si-4.12_prm_3"},{"name":"label","value":"SI-04(12)_ODP[03]","class":"sp800-53a"}],"label":"activities that trigger alerts","guidelines":[{"prose":"activities that trigger alerts to personnel or are defined;"}]}],"props":[{"name":"label","value":"SI-4(12)"},{"name":"label","value":"SI-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.12_smt","name":"statement","prose":"Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}."},{"id":"si-4.12_gdn","name":"guidance","prose":"Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records."},{"id":"si-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(12)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.12_odp.01 }} is\/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications."},{"id":"si-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and\/or implementing automated alerts to security personnel"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","props":[{"name":"label","value":"SI-4(14)"},{"name":"label","value":"SI-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems."},{"id":"si-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)","class":"sp800-53a"}],"parts":[{"id":"si-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[01]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to identify rogue wireless devices;"},{"id":"si-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[02]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect attack attempts on the system;"},{"id":"si-4.14_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[03]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect potential compromises or breaches to the system."}]},{"id":"si-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","params":[{"id":"si-04.20_odp","props":[{"name":"alt-identifier","value":"si-4.20_prm_1"},{"name":"label","value":"SI-04(20)_ODP","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of privileged users is defined;"}]}],"props":[{"name":"label","value":"SI-4(20)"},{"name":"label","value":"SI-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}."},{"id":"si-4.20_gdn","name":"guidance","prose":"Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions."},{"id":"si-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(20)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.20_odp }} of privileged users is implemented."},{"id":"si-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","params":[{"id":"si-04.22_odp.01","props":[{"name":"alt-identifier","value":"si-4.22_prm_1"},{"name":"label","value":"SI-04(22)_ODP[01]","class":"sp800-53a"}],"label":"authorization or approval processes","guidelines":[{"prose":"authorization or approval processes for network services are defined;"}]},{"id":"si-04.22_odp.02","props":[{"name":"alt-identifier","value":"si-4.22_prm_2"},{"name":"label","value":"SI-04(22)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["audit","alert {{ insert: param, si-04.22_odp.03 }} "]}},{"id":"si-04.22_odp.03","props":[{"name":"alt-identifier","value":"si-4.22_prm_3"},{"name":"label","value":"SI-04(22)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4(22)"},{"name":"label","value":"SI-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"si-4.22_smt","name":"statement","parts":[{"id":"si-4.22_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and"},{"id":"si-4.22_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, si-04.22_odp.02 }} when detected."}]},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services."},{"id":"si-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)","class":"sp800-53a"}],"parts":[{"id":"si-4.22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(a)","class":"sp800-53a"}],"prose":"network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;"},{"id":"si-4.22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.22_odp.02 }} is\/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected."}]},{"id":"si-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization\/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;"},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","params":[{"id":"si-05.01_odp","props":[{"name":"alt-identifier","value":"si-5.1_prm_1"},{"name":"label","value":"SI-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;"}]}],"props":[{"name":"label","value":"SI-5(1)"},{"name":"label","value":"SI-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-5","rel":"required"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level."},{"id":"si-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05(01)","class":"sp800-53a"}],"prose":" {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization."},{"id":"si-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing the dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security and Privacy Function Verification","params":[{"id":"si-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.02"}],"label":"organization-defined security and privacy functions"},{"id":"si-06_odp.01","props":[{"name":"label","value":"SI-06_ODP[01]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.02","props":[{"name":"label","value":"SI-06_ODP[02]","class":"sp800-53a"}],"label":"privacy functions","guidelines":[{"prose":"privacy functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.03","props":[{"name":"alt-identifier","value":"si-6_prm_2"},{"name":"label","value":"SI-06_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-06_odp.04 }} ","upon command by user with appropriate privilege"," {{ insert: param, si-06_odp.05 }} "]}},{"id":"si-06_odp.04","props":[{"name":"alt-identifier","value":"si-6_prm_3"},{"name":"label","value":"SI-06_ODP[04]","class":"sp800-53a"}],"label":"system transitional states","guidelines":[{"prose":"system transitional states requiring the verification of security and privacy functions are defined; (if selected)"}]},{"id":"si-06_odp.05","props":[{"name":"alt-identifier","value":"si-6_prm_4"},{"name":"label","value":"SI-06_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)"}]},{"id":"si-06_odp.06","props":[{"name":"alt-identifier","value":"si-6_prm_5"},{"name":"label","value":"SI-06_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of failed security and privacy verification tests is\/are defined;"}]},{"id":"si-06_odp.07","props":[{"name":"alt-identifier","value":"si-6_prm_6"},{"name":"label","value":"SI-06_ODP[07]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut the system down","restart the system"," {{ insert: param, si-06_odp.08 }} "]}},{"id":"si-06_odp.08","props":[{"name":"alt-identifier","value":"si-6_prm_7"},{"name":"label","value":"SI-06_ODP[08]","class":"sp800-53a"}],"label":"alternative action(s)","guidelines":[{"prose":"alternative action(s) to be performed when anomalies are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-6"},{"name":"label","value":"SI-06","class":"sp800-53a"},{"name":"sort-id","value":"si-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-6_smt","name":"statement","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verify the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":" {{ insert: param, si-06_odp.07 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected."},{"id":"si-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;"},{"id":"si-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;"}]},{"id":"si-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};"}]},{"id":"si-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.06 }} is\/are alerted to failed security verification tests;"},{"id":"si-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.06 }} is\/are alerted to failed privacy verification tests;"}]},{"id":"si-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-06d.","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.07 }} is\/are initiated when anomalies are discovered."}]},{"id":"si-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"si-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nmechanisms supporting and\/or implementing the security and privacy function verification capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."}]}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} "," {{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} "," {{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} "," {{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-07.02_odp","props":[{"name":"alt-identifier","value":"si-7.2_prm_1"},{"name":"label","value":"SI-07(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"label","value":"SI-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers."},{"id":"si-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(02)","class":"sp800-53a"}],"prose":"automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed."},{"id":"si-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers"}]},{"id":"si-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-07.05_odp.01","props":[{"name":"alt-identifier","value":"si-7.5_prm_1"},{"name":"label","value":"SI-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut down the system","restart the system","implement {{ insert: param, si-07.05_odp.02 }} "]}},{"id":"si-07.05_odp.02","props":[{"name":"alt-identifier","value":"si-7.5_prm_2"},{"name":"label","value":"SI-07(05)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented automatically when integrity violations are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"label","value":"SI-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered."},{"id":"si-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.15","class":"SP800-53-enhancement","title":"Code Authentication","params":[{"id":"si-07.15_odp","props":[{"name":"alt-identifier","value":"si-7.15_prm_1"},{"name":"label","value":"SI-07(15)_ODP","class":"sp800-53a"}],"label":"software or firmware components","guidelines":[{"prose":"software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;"}]}],"props":[{"name":"label","value":"SI-7(15)"},{"name":"label","value":"SI-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-5","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.15_smt","name":"statement","prose":"Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}."},{"id":"si-7.15_gdn","name":"guidance","prose":"Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(15)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation."},{"id":"si-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms authenticating software and firmware prior to installation"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;"},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;"},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;"},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked."},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":" {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;"},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."}]}]}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;"},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;"},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification."}]}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-9","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SR-9"},{"name":"label","value":"SR-09","class":"sp800-53a"},{"name":"sort-id","value":"sr-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-9_smt","name":"statement","prose":"Implement a tamper protection program for the system, system component, or system service."},{"id":"sr-9_gdn","name":"guidance","prose":"Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and\/or tamper detection is essential to protecting systems and components during distribution and when in use."},{"id":"sr-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09","class":"sp800-53a"}],"prose":"a tamper protection program is implemented for the system, system component, or system service."},{"id":"sr-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and\/or implementing the tamper protection program"}]}],"controls":[{"id":"sr-9.1","class":"SP800-53-enhancement","title":"Multiple Stages of System Development Life Cycle","props":[{"name":"label","value":"SR-9(1)"},{"name":"label","value":"SR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-9","rel":"required"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sr-9.1_smt","name":"statement","prose":"Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle."},{"id":"sr-9.1_gdn","name":"guidance","prose":"The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage."},{"id":"sr-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09(01)","class":"sp800-53a"}],"prose":"anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle."},{"id":"sr-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities"}]},{"id":"sr-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and\/or implementing anti-tamper technologies"}]}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;"},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;"},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"283e5a73-1997-40fe-8d7e-38abfe6c6b2b","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE","last-modified":"2023-12-05T21:55:03.03012Z","version":"5.1.1+u2","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_HIGH-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"c748c806-1d77-4695-bb40-e117b2afa82e","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]},{"role-id":"contact","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ac-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;","links":[{"href":"#ac-1_smt.b","rel":"assessment-for"}]},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt","rel":"assessment-for"}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;","links":[{"href":"#ac-2_smt.b","rel":"assessment-for"}]},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;","links":[{"href":"#ac-2_smt.c","rel":"assessment-for"}]},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;","links":[{"href":"#ac-2_smt.d.1","rel":"assessment-for"}]},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;","links":[{"href":"#ac-2_smt.d.2","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d","rel":"assessment-for"}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;","links":[{"href":"#ac-2_smt.e","rel":"assessment-for"}]},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; ","links":[{"href":"#ac-2_smt.g","rel":"assessment-for"}]},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;","links":[{"href":"#ac-2_smt.h.1","rel":"assessment-for"}]},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;","links":[{"href":"#ac-2_smt.h.2","rel":"assessment-for"}]},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;","links":[{"href":"#ac-2_smt.h.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.h","rel":"assessment-for"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;","links":[{"href":"#ac-2_smt.i.1","rel":"assessment-for"}]},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;","links":[{"href":"#ac-2_smt.i.2","rel":"assessment-for"}]},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};","links":[{"href":"#ac-2_smt.i.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.i","rel":"assessment-for"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};","links":[{"href":"#ac-2_smt.j","rel":"assessment-for"}]},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes.","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt","rel":"assessment-for"}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.","links":[{"href":"#ac-2.1_smt","rel":"assessment-for"}]},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.","links":[{"href":"#ac-2.2_smt","rel":"assessment-for"}]},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;","links":[{"href":"#ac-2.3_smt.a","rel":"assessment-for"}]},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;","links":[{"href":"#ac-2.3_smt.b","rel":"assessment-for"}]},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;","links":[{"href":"#ac-2.3_smt.c","rel":"assessment-for"}]},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.","links":[{"href":"#ac-2.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.3_smt","rel":"assessment-for"}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited.","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}.","links":[{"href":"#ac-2.5_smt","rel":"assessment-for"}]},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-02.11_odp.01","props":[{"name":"alt-identifier","value":"ac-2.11_prm_1"},{"name":"label","value":"AC-02(11)_ODP[01]","class":"sp800-53a"}],"label":"circumstances and\/or usage conditions","guidelines":[{"prose":"circumstances and\/or usage conditions to be enforced for system accounts are defined;"}]},{"id":"ac-02.11_odp.02","props":[{"name":"alt-identifier","value":"ac-2.11_prm_2"},{"name":"label","value":"AC-02(11)_ODP[02]","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts subject to enforcement of circumstances and\/or usage conditions are defined;"}]}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"label","value":"AC-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(11)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.","links":[{"href":"#ac-2.11_smt","rel":"assessment-for"}]},{"id":"ac-2.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and\/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring for Atypical Usage","params":[{"id":"ac-02.12_odp.01","props":[{"name":"alt-identifier","value":"ac-2.12_prm_1"},{"name":"label","value":"AC-02(12)_ODP[01]","class":"sp800-53a"}],"label":"atypical usage","guidelines":[{"prose":"atypical usage for which to monitor system accounts is defined;"}]},{"id":"ac-02.12_odp.02","props":[{"name":"alt-identifier","value":"ac-2.12_prm_2"},{"name":"label","value":"AC-02(12)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to report atypical usage is\/are defined;"}]}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"label","value":"AC-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.12_smt","name":"statement","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"ac-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)","class":"sp800-53a"}],"parts":[{"id":"ac-2.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(a)","class":"sp800-53a"}],"prose":"system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ","links":[{"href":"#ac-2.12_smt.a","rel":"assessment-for"}]},{"id":"ac-2.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(b)","class":"sp800-53a"}],"prose":"atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.","links":[{"href":"#ac-2.12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.12_smt","rel":"assessment-for"}]},{"id":"ac-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.","links":[{"href":"#ac-2.13_smt","rel":"assessment-for"}]},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.","links":[{"href":"#ac-3_smt","rel":"assessment-for"}]},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.","links":[{"href":"#ac-4_smt","rel":"assessment-for"}]},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.4","class":"SP800-53-enhancement","title":"Flow Control of Encrypted Information","params":[{"id":"ac-04.04_odp.01","props":[{"name":"alt-identifier","value":"ac-4.4_prm_1"},{"name":"label","value":"AC-04(04)_ODP[01]","class":"sp800-53a"}],"label":"information flow control mechanisms","guidelines":[{"prose":"information flow control mechanisms that encrypted information is prevented from bypassing are defined;"}]},{"id":"ac-04.04_odp.02","props":[{"name":"alt-identifier","value":"ac-4.4_prm_2"},{"name":"label","value":"AC-04(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["decrypting the information","blocking the flow of the encrypted information","terminating communications sessions attempting to pass encrypted information"," {{ insert: param, ac-04.04_odp.03 }} "]}},{"id":"ac-04.04_odp.03","props":[{"name":"alt-identifier","value":"ac-4.4_prm_3"},{"name":"alt-label","value":"procedure or method","class":"sp800-53"},{"name":"label","value":"AC-04(04)_ODP[03]","class":"sp800-53a"}],"label":"organization-defined procedure or method","guidelines":[{"prose":"the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(4)"},{"name":"label","value":"AC-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.4_smt","name":"statement","prose":"Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_gdn","name":"guidance","prose":"Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms."},{"id":"ac-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(04)","class":"sp800-53a"}],"prose":"encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.","links":[{"href":"#ac-4.4_smt","rel":"assessment-for"}]},{"id":"ac-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-05_odp }} are identified and documented;","links":[{"href":"#ac-5_smt.a","rel":"assessment-for"}]},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined.","links":[{"href":"#ac-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-5_smt","rel":"assessment-for"}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","links":[{"href":"#ac-6_smt","rel":"assessment-for"}]},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.","links":[{"href":"#ac-6.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt","rel":"assessment-for"}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.","links":[{"href":"#ac-6.2_smt","rel":"assessment-for"}]},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-06.03_odp.01","props":[{"name":"alt-identifier","value":"ac-6.3_prm_1"},{"name":"label","value":"AC-06(03)_ODP[01]","class":"sp800-53a"}],"label":"privileged commands","guidelines":[{"prose":"privileged commands to which network access is to be authorized only for compelling operational needs are defined;"}]},{"id":"ac-06.03_odp.02","props":[{"name":"alt-identifier","value":"ac-6.3_prm_2"},{"name":"label","value":"AC-06(03)_ODP[02]","class":"sp800-53a"}],"label":"compelling operational needs","guidelines":[{"prose":"compelling operational needs necessitating network access to privileged commands are defined;"}]}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"label","value":"AC-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)."},{"id":"ac-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)","class":"sp800-53a"}],"parts":[{"id":"ac-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[01]","class":"sp800-53a"}],"prose":"network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};","links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]},{"id":"ac-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[02]","class":"sp800-53a"}],"prose":"the rationale for authorizing network access to privileged commands is documented in the security plan for the system.","links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]},{"id":"ac-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.","links":[{"href":"#ac-6.5_smt","rel":"assessment-for"}]},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;","links":[{"href":"#ac-6.7_smt.a","rel":"assessment-for"}]},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.","links":[{"href":"#ac-6.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.7_smt","rel":"assessment-for"}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged.","links":[{"href":"#ac-6.9_smt","rel":"assessment-for"}]},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions.","links":[{"href":"#ac-6.10_smt","rel":"assessment-for"}]},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;","links":[{"href":"#ac-7_smt.a","rel":"assessment-for"}]},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.","links":[{"href":"#ac-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-7_smt","rel":"assessment-for"}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;","links":[{"href":"#ac-8_smt.a.1","rel":"assessment-for"}]},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;","links":[{"href":"#ac-8_smt.a.2","rel":"assessment-for"}]},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and","links":[{"href":"#ac-8_smt.a.3","rel":"assessment-for"}]},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;","links":[{"href":"#ac-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.a","rel":"assessment-for"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;","links":[{"href":"#ac-8_smt.b","rel":"assessment-for"}]},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;","links":[{"href":"#ac-8_smt.c.1","rel":"assessment-for"}]},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;","links":[{"href":"#ac-8_smt.c.2","rel":"assessment-for"}]},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included.","links":[{"href":"#ac-8_smt.c.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt","rel":"assessment-for"}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_odp.01","props":[{"name":"alt-identifier","value":"ac-10_prm_1"},{"name":"alt-label","value":"account and\/or account type","class":"sp800-53"},{"name":"label","value":"AC-10_ODP[01]","class":"sp800-53a"}],"label":"account and\/or account types","guidelines":[{"prose":"accounts and\/or account types for which to limit the number of concurrent sessions is defined;"}]},{"id":"ac-10_odp.02","props":[{"name":"alt-identifier","value":"ac-10_prm_2"},{"name":"label","value":"AC-10_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of concurrent sessions to be allowed for each account and\/or account type is defined;"}]}],"props":[{"name":"label","value":"AC-10"},{"name":"label","value":"AC-10","class":"sp800-53a"},{"name":"sort-id","value":"ac-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-10","class":"sp800-53a"}],"prose":"the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.","links":[{"href":"#ac-10_smt","rel":"assessment-for"}]},{"id":"ac-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};","links":[{"href":"#ac-11_smt.a","rel":"assessment-for"}]},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures.","links":[{"href":"#ac-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-11_smt","rel":"assessment-for"}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image.","links":[{"href":"#ac-11.1_smt","rel":"assessment-for"}]},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}.","links":[{"href":"#ac-12_smt","rel":"assessment-for"}]},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;","links":[{"href":"#ac-14_smt.a","rel":"assessment-for"}]},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt","rel":"assessment-for"}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt","rel":"assessment-for"}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods.","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.","links":[{"href":"#ac-17.2_smt","rel":"assessment-for"}]},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points.","links":[{"href":"#ac-17.3_smt","rel":"assessment-for"}]},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system.","links":[{"href":"#ac-17.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt","rel":"assessment-for"}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt","rel":"assessment-for"}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption.","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.","links":[{"href":"#ac-18.3_smt","rel":"assessment-for"}]},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"label","value":"AC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"Identify and explicitly authorize users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems."},{"id":"ac-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)","class":"sp800-53a"}],"parts":[{"id":"ac-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[01]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are identified;","links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]},{"id":"ac-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[02]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are explicitly authorized.","links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]},{"id":"ac-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas and Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"label","value":"AC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area."},{"id":"ac-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)","class":"sp800-53a"}],"parts":[{"id":"ac-18.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[01]","class":"sp800-53a"}],"prose":"radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;","links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]},{"id":"ac-18.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[02]","class":"sp800-53a"}],"prose":"transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.","links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]},{"id":"ac-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized.","links":[{"href":"#ac-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt","rel":"assessment-for"}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.","links":[{"href":"#ac-19.5_smt","rel":"assessment-for"}]},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.01","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);","links":[{"href":"#ac-20_smt.a.1","rel":"assessment-for"}]},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.02","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);","links":[{"href":"#ac-20_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt.a","rel":"assessment-for"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).","links":[{"href":"#ac-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt","rel":"assessment-for"}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);","links":[{"href":"#ac-20.1_smt.a","rel":"assessment-for"}]},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).","links":[{"href":"#ac-20.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20.1_smt","rel":"assessment-for"}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.","links":[{"href":"#ac-20.2_smt","rel":"assessment-for"}]},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};","links":[{"href":"#ac-21_smt.a","rel":"assessment-for"}]},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.","links":[{"href":"#ac-21_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-21_smt","rel":"assessment-for"}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;","links":[{"href":"#ac-22_smt.a","rel":"assessment-for"}]},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;","links":[{"href":"#ac-22_smt.b","rel":"assessment-for"}]},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;","links":[{"href":"#ac-22_smt.c","rel":"assessment-for"}]},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered.","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt","rel":"assessment-for"}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; ","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and","links":[{"href":"#at-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;","links":[{"href":"#at-1_smt.b","rel":"assessment-for"}]},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt","rel":"assessment-for"}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a","rel":"assessment-for"}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;","links":[{"href":"#at-2_smt.b","rel":"assessment-for"}]},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.","links":[{"href":"#at-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt","rel":"assessment-for"}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided.","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided.","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a","rel":"assessment-for"}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training.","links":[{"href":"#at-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt","rel":"assessment-for"}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}.","links":[{"href":"#at-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt","rel":"assessment-for"}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;","links":[{"href":"#au-1_smt.b","rel":"assessment-for"}]},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt","rel":"assessment-for"}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;","links":[{"href":"#au-2_smt.a","rel":"assessment-for"}]},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;","links":[{"href":"#au-2_smt.b","rel":"assessment-for"}]},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;","links":[{"href":"#au-2_smt.d","rel":"assessment-for"}]},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.","links":[{"href":"#au-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt","rel":"assessment-for"}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;","links":[{"href":"#au-3_smt.a","rel":"assessment-for"}]},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;","links":[{"href":"#au-3_smt.b","rel":"assessment-for"}]},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;","links":[{"href":"#au-3_smt.c","rel":"assessment-for"}]},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;","links":[{"href":"#au-3_smt.d","rel":"assessment-for"}]},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;","links":[{"href":"#au-3_smt.e","rel":"assessment-for"}]},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event.","links":[{"href":"#au-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#au-3_smt","rel":"assessment-for"}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}.","links":[{"href":"#au-3.1_smt","rel":"assessment-for"}]},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.","links":[{"href":"#au-4_smt","rel":"assessment-for"}]},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};","links":[{"href":"#au-5_smt.a","rel":"assessment-for"}]},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.","links":[{"href":"#au-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-5_smt","rel":"assessment-for"}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Storage Capacity Warning","params":[{"id":"au-05.01_odp.01","props":[{"name":"alt-identifier","value":"au-5.1_prm_1"},{"name":"label","value":"AU-05(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity."}]},{"id":"au-05.01_odp.02","props":[{"name":"alt-identifier","value":"au-5.1_prm_2"},{"name":"label","value":"AU-05(01)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for defined personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;"}]},{"id":"au-05.01_odp.03","props":[{"name":"alt-identifier","value":"au-5.1_prm_3"},{"name":"label","value":"AU-05(01)_ODP[03]","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"percentage of repository maximum audit log storage capacity is defined;"}]}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"label","value":"AU-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(01)","class":"sp800-53a"}],"prose":"a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.","links":[{"href":"#au-5.1_smt","rel":"assessment-for"}]},{"id":"au-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-05.02_odp.01","props":[{"name":"alt-identifier","value":"au-5.2_prm_1"},{"name":"label","value":"AU-05(02)_ODP[01]","class":"sp800-53a"}],"label":"real-time period","guidelines":[{"prose":"real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;"}]},{"id":"au-05.02_odp.02","props":[{"name":"alt-identifier","value":"au-5.2_prm_2"},{"name":"label","value":"AU-05(02)_ODP[02]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is\/are defined;"}]},{"id":"au-05.02_odp.03","props":[{"name":"alt-identifier","value":"au-5.2_prm_3"},{"name":"label","value":"AU-05(02)_ODP[03]","class":"sp800-53a"}],"label":"audit logging failure events requiring real-time alerts","guidelines":[{"prose":"audit logging failure events requiring real-time alerts are defined;"}]}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"label","value":"AU-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(02)","class":"sp800-53a"}],"prose":"an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.","links":[{"href":"#au-5.2_smt","rel":"assessment-for"}]},{"id":"au-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;","links":[{"href":"#au-6_smt.a","rel":"assessment-for"}]},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};","links":[{"href":"#au-6_smt.b","rel":"assessment-for"}]},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.","links":[{"href":"#au-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-6_smt","rel":"assessment-for"}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.","links":[{"href":"#au-6.1_smt","rel":"assessment-for"}]},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.","links":[{"href":"#au-6.3_smt","rel":"assessment-for"}]},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integrated Analysis of Audit Records","params":[{"id":"au-06.05_odp.01","props":[{"name":"alt-identifier","value":"au-6.5_prm_1"},{"name":"label","value":"AU-06(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","system monitoring information"," {{ insert: param, au-06.05_odp.02 }} "]}},{"id":"au-06.05_odp.02","props":[{"name":"alt-identifier","value":"au-6.5_prm_2"},{"name":"label","value":"AU-06(05)_ODP[02]","class":"sp800-53a"}],"label":"data\/information collected from other sources","guidelines":[{"prose":"data\/information collected from other sources to be analyzed is defined (if selected);"}]}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"label","value":"AU-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations."},{"id":"au-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(05)","class":"sp800-53a"}],"prose":"analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.","links":[{"href":"#au-6.5_smt","rel":"assessment-for"}]},{"id":"au-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records"}]},{"id":"au-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"label","value":"AU-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations."},{"id":"au-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(06)","class":"sp800-53a"}],"prose":"information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.","links":[{"href":"#au-6.6_smt","rel":"assessment-for"}]},{"id":"au-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt","rel":"assessment-for"}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;","links":[{"href":"#au-8_smt.a","rel":"assessment-for"}]},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.","links":[{"href":"#au-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-8_smt","rel":"assessment-for"}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;","links":[{"href":"#au-9_smt.a","rel":"assessment-for"}]},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.","links":[{"href":"#au-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-9_smt","rel":"assessment-for"}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.2","class":"SP800-53-enhancement","title":"Store on Separate Physical Systems or Components","params":[{"id":"au-09.02_odp","props":[{"name":"alt-identifier","value":"au-9.2_prm_1"},{"name":"label","value":"AU-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of storing audit records in a repository is defined;"}]}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"label","value":"AU-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records."},{"id":"au-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(02)","class":"sp800-53a"}],"prose":"audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.","links":[{"href":"#au-9.2_smt","rel":"assessment-for"}]},{"id":"au-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"label","value":"AU-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash."},{"id":"au-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.","links":[{"href":"#au-9.3_smt","rel":"assessment-for"}]},{"id":"au-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting the integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.","links":[{"href":"#au-9.4_smt","rel":"assessment-for"}]},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_odp","props":[{"name":"alt-identifier","value":"au-10_prm_1"},{"name":"alt-label","value":"actions to be covered by non-repudiation","class":"sp800-53"},{"name":"label","value":"AU-10_ODP","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be covered by non-repudiation are defined;"}]}],"props":[{"name":"label","value":"AU-10"},{"name":"label","value":"AU-10","class":"sp800-53a"},{"name":"sort-id","value":"au-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#au-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts."},{"id":"au-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10","class":"sp800-53a"}],"prose":"irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.","links":[{"href":"#au-10_smt","rel":"assessment-for"}]},{"id":"au-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","links":[{"href":"#au-11_smt","rel":"assessment-for"}]},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};","links":[{"href":"#au-12_smt.a","rel":"assessment-for"}]},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;","links":[{"href":"#au-12_smt.b","rel":"assessment-for"}]},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.","links":[{"href":"#au-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-12_smt","rel":"assessment-for"}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide and Time-correlated Audit Trail","params":[{"id":"au-12.01_odp.01","props":[{"name":"alt-identifier","value":"au-12.1_prm_1"},{"name":"label","value":"AU-12(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;"}]},{"id":"au-12.01_odp.02","props":[{"name":"alt-identifier","value":"au-12.1_prm_2"},{"name":"alt-label","value":"level of tolerance for the relationship between time stamps of individual records in the audit trail","class":"sp800-53"},{"name":"label","value":"AU-12(01)_ODP[02]","class":"sp800-53a"}],"label":"level of tolerance","guidelines":[{"prose":"level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;"}]}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"label","value":"AU-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#au-8","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances."},{"id":"au-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(01)","class":"sp800-53a"}],"prose":"audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.","links":[{"href":"#au-12.1_smt","rel":"assessment-for"}]},{"id":"au-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.03_odp.01","props":[{"name":"alt-identifier","value":"au-12.3_prm_1"},{"name":"label","value":"AU-12(03)_ODP[01]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles authorized to change the logging on system components are defined;"}]},{"id":"au-12.03_odp.02","props":[{"name":"alt-identifier","value":"au-12.3_prm_2"},{"name":"label","value":"AU-12(03)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which logging is to be performed are defined;"}]},{"id":"au-12.03_odp.03","props":[{"name":"alt-identifier","value":"au-12.3_prm_3"},{"name":"label","value":"AU-12(03)_ODP[03]","class":"sp800-53a"}],"label":"selectable event criteria","guidelines":[{"prose":"selectable event criteria with which change logging is to be performed are defined;"}]},{"id":"au-12.03_odp.04","props":[{"name":"alt-identifier","value":"au-12.3_prm_4"},{"name":"label","value":"AU-12(03)_ODP[04]","class":"sp800-53a"}],"label":"time thresholds","guidelines":[{"prose":"time thresholds in which logging actions are to change is defined;"}]}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"label","value":"AU-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)."},{"id":"au-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)","class":"sp800-53a"}],"parts":[{"id":"au-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[01]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;","links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]},{"id":"au-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.","links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]},{"id":"au-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ca-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;","links":[{"href":"#ca-1_smt.b","rel":"assessment-for"}]},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt","rel":"assessment-for"}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;","links":[{"href":"#ca-2_smt.a","rel":"assessment-for"}]},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;","links":[{"href":"#ca-2_smt.b.1","rel":"assessment-for"}]},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;","links":[{"href":"#ca-2_smt.b.2","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b","rel":"assessment-for"}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;","links":[{"href":"#ca-2_smt.c","rel":"assessment-for"}]},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;","links":[{"href":"#ca-2_smt.e","rel":"assessment-for"}]},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.","links":[{"href":"#ca-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt","rel":"assessment-for"}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments.","links":[{"href":"#ca-2.1_smt","rel":"assessment-for"}]},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-02.02_odp.01","props":[{"name":"alt-identifier","value":"ca-2.2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"specialized assessment frequency","guidelines":[{"prose":"frequency at which to include specialized assessments as part of the control assessment is defined;"}]},{"id":"ca-02.02_odp.02","props":[{"name":"alt-identifier","value":"ca-2.2_prm_2"},{"name":"label","value":"CA-02(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["announced","unannounced"]}},{"id":"ca-02.02_odp.03","props":[{"name":"alt-identifier","value":"ca-2.2_prm_3"},{"name":"label","value":"CA-02(02)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-depth monitoring","security instrumentation","automated security test cases","vulnerability scanning","malicious user testing","insider threat assessment","performance and load testing","data leakage or data loss assessment"," {{ insert: param, ca-02.02_odp.04 }} "]}},{"id":"ca-02.02_odp.04","props":[{"name":"alt-identifier","value":"ca-2.2_prm_4"},{"name":"label","value":"CA-02(02)_ODP[04]","class":"sp800-53a"}],"label":"other forms of assessment","guidelines":[{"prose":"other forms of assessment are defined (if selected);"}]}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"label","value":"CA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)."},{"id":"ca-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(02)","class":"sp800-53a"}],"prose":" {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.","links":[{"href":"#ca-2.2_smt","rel":"assessment-for"}]},{"id":"ca-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};","links":[{"href":"#ca-3_smt.a","rel":"assessment-for"}]},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.","links":[{"href":"#ca-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt","rel":"assessment-for"}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}],"controls":[{"id":"ca-3.6","class":"SP800-53-enhancement","title":"Transfer Authorizations","props":[{"name":"label","value":"CA-3(6)"},{"name":"label","value":"CA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ca-3.6_smt","name":"statement","prose":"Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_gdn","name":"guidance","prose":"To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)."},{"id":"ca-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(06)","class":"sp800-53a"}],"prose":"individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.","links":[{"href":"#ca-3.6_smt","rel":"assessment-for"}]},{"id":"ca-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;","links":[{"href":"#ca-5_smt.a","rel":"assessment-for"}]},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.","links":[{"href":"#ca-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-5_smt","rel":"assessment-for"}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;","links":[{"href":"#ca-6_smt.a","rel":"assessment-for"}]},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.b","rel":"assessment-for"}]},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;","links":[{"href":"#ca-6_smt.c.1","rel":"assessment-for"}]},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;","links":[{"href":"#ca-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt.c","rel":"assessment-for"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.d","rel":"assessment-for"}]},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}.","links":[{"href":"#ca-6_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt","rel":"assessment-for"}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};","links":[{"href":"#ca-7_smt.a","rel":"assessment-for"}]},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.c","rel":"assessment-for"}]},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.d","rel":"assessment-for"}]},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;","links":[{"href":"#ca-7_smt.e","rel":"assessment-for"}]},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;","links":[{"href":"#ca-7_smt.f","rel":"assessment-for"}]},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.","links":[{"href":"#ca-7.1_smt","rel":"assessment-for"}]},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.a","rel":"assessment-for"}]},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.b","rel":"assessment-for"}]},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring.","links":[{"href":"#ca-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.4_smt","rel":"assessment-for"}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-08_odp.01","props":[{"name":"alt-identifier","value":"ca-8_prm_1"},{"name":"label","value":"CA-08_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct penetration testing on systems or system components is defined;"}]},{"id":"ca-08_odp.02","props":[{"name":"alt-identifier","value":"ca-8_prm_2"},{"name":"alt-label","value":"systems or system components","class":"sp800-53"},{"name":"label","value":"CA-08_ODP[02]","class":"sp800-53a"}],"label":"system(s) or system components","guidelines":[{"prose":"systems or system components on which penetration testing is to be conducted are defined;"}]}],"props":[{"name":"label","value":"CA-8"},{"name":"label","value":"CA-08","class":"sp800-53a"},{"name":"sort-id","value":"ca-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and\/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing."},{"id":"ca-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08","class":"sp800-53a"}],"prose":"penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.","links":[{"href":"#ca-8_smt","rel":"assessment-for"}]},{"id":"ca-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Testing Agent or Team","props":[{"name":"label","value":"CA-8(1)"},{"name":"label","value":"CA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"Employ an independent penetration testing agent or team to perform penetration testing on the system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing."},{"id":"ca-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(01)","class":"sp800-53a"}],"prose":"an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.","links":[{"href":"#ca-8.1_smt","rel":"assessment-for"}]},{"id":"ca-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;","links":[{"href":"#ca-9_smt.a","rel":"assessment-for"}]},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};","links":[{"href":"#ca-9_smt.c","rel":"assessment-for"}]},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.","links":[{"href":"#ca-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt","rel":"assessment-for"}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cm-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;","links":[{"href":"#cm-1_smt.b","rel":"assessment-for"}]},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt","rel":"assessment-for"}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};","links":[{"href":"#cm-2_smt.b.1","rel":"assessment-for"}]},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};","links":[{"href":"#cm-2_smt.b.2","rel":"assessment-for"}]},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.","links":[{"href":"#cm-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt","rel":"assessment-for"}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback.","links":[{"href":"#cm-2.3_smt","rel":"assessment-for"}]},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;","links":[{"href":"#cm-2.7_smt.a","rel":"assessment-for"}]},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.","links":[{"href":"#cm-2.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.7_smt","rel":"assessment-for"}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;","links":[{"href":"#cm-3_smt.a","rel":"assessment-for"}]},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;","links":[{"href":"#cm-3_smt.c","rel":"assessment-for"}]},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;","links":[{"href":"#cm-3_smt.d","rel":"assessment-for"}]},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};","links":[{"href":"#cm-3_smt.e","rel":"assessment-for"}]},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt","rel":"assessment-for"}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Documentation, Notification, and Prohibition of Changes","params":[{"id":"cm-03.01_odp.01","props":[{"name":"alt-identifier","value":"cm-3.1_prm_1"},{"name":"label","value":"CM-03(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate configuration change control are defined;"}]},{"id":"cm-03.01_odp.02","props":[{"name":"alt-identifier","value":"cm-3.1_prm_2"},{"name":"label","value":"CM-03(01)_ODP[02]","class":"sp800-53a"}],"label":"approval authorities","guidelines":[{"prose":"approval authorities to be notified of and request approval for proposed changes to the system are defined;"}]},{"id":"cm-03.01_odp.03","props":[{"name":"alt-identifier","value":"cm-3.1_prm_3"},{"name":"label","value":"CM-03(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to highlight changes that have not been approved or disapproved is defined;"}]},{"id":"cm-03.01_odp.04","props":[{"name":"alt-identifier","value":"cm-3.1_prm_4"},{"name":"label","value":"CM-03(01)_ODP[04]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to be notified when approved changes are complete is\/are defined;"}]}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"label","value":"CM-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"Use {{ insert: param, cm-03.01_odp.01 }} to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_gdn","name":"guidance","prose":"None."},{"id":"cm-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)","class":"sp800-53a"}],"parts":[{"id":"cm-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;","links":[{"href":"#cm-3.1_smt.a","rel":"assessment-for"}]},{"id":"cm-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;","links":[{"href":"#cm-3.1_smt.b","rel":"assessment-for"}]},{"id":"cm-3.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(c)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};","links":[{"href":"#cm-3.1_smt.c","rel":"assessment-for"}]},{"id":"cm-3.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(d)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;","links":[{"href":"#cm-3.1_smt.d","rel":"assessment-for"}]},{"id":"cm-3.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(e)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;","links":[{"href":"#cm-3.1_smt.e","rel":"assessment-for"}]},{"id":"cm-3.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(f)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.","links":[{"href":"#cm-3.1_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.1_smt","rel":"assessment-for"}]},{"id":"cm-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes.","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","params":[{"id":"cm-03.06_odp","props":[{"name":"alt-identifier","value":"cm-3.6_prm_1"},{"name":"label","value":"CM-03(06)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls provided by cryptographic mechanisms that are to be under configuration management are defined;"}]}],"props":[{"name":"label","value":"CM-3(6)"},{"name":"label","value":"CM-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}."},{"id":"cm-3.6_gdn","name":"guidance","prose":"The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates."},{"id":"cm-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(06)","class":"sp800-53a"}],"prose":"cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.","links":[{"href":"#cm-3.6_smt","rel":"assessment-for"}]},{"id":"cm-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation.","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"label","value":"CM-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation."},{"id":"cm-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)","class":"sp800-53a"}],"parts":[{"id":"cm-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed in a separate test environment before implementation in an operational environment;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to flaws;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[03]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to flaws;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[04]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to weaknesses;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[05]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to weaknesses;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[06]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to incompatibility;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-7","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[07]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to incompatibility;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-8","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[08]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to intentional malice;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-9","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[09]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to intentional malice.","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]},{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced.","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement and Audit Records","params":[{"id":"cm-05.01_odp","props":[{"name":"alt-identifier","value":"cm-5.1_prm_1"},{"name":"label","value":"CM-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the enforcement of access restrictions are defined;"}]}],"props":[{"name":"label","value":"CM-5(1)"},{"name":"label","value":"CM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-5.1_smt","name":"statement","parts":[{"id":"cm-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and"},{"id":"cm-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Automatically generate audit records of the enforcement actions."}]},{"id":"cm-5.1_gdn","name":"guidance","prose":"Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes."},{"id":"cm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)","class":"sp800-53a"}],"parts":[{"id":"cm-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(a)","class":"sp800-53a"}],"prose":"access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};","links":[{"href":"#cm-5.1_smt.a","rel":"assessment-for"}]},{"id":"cm-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(b)","class":"sp800-53a"}],"prose":"audit records of enforcement actions are automatically generated.","links":[{"href":"#cm-5.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.1_smt","rel":"assessment-for"}]},{"id":"cm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};","links":[{"href":"#cm-6_smt.a","rel":"assessment-for"}]},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;","links":[{"href":"#cm-6_smt.b","rel":"assessment-for"}]},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures.","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt","rel":"assessment-for"}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Management, Application, and Verification","params":[{"id":"cm-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-06.01_odp.01","props":[{"name":"alt-identifier","value":"cm-6.1_prm_1"},{"name":"label","value":"CM-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to manage, apply, and verify configuration settings are defined;"}]},{"id":"cm-06.01_odp.02","props":[{"name":"label","value":"CM-06(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to manage configuration settings are defined;"}]},{"id":"cm-06.01_odp.03","props":[{"name":"label","value":"CM-06(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to apply configuration settings are defined;"}]},{"id":"cm-06.01_odp.04","props":[{"name":"label","value":"CM-06(01)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to verify configuration settings are defined;"}]}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"label","value":"CM-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}."},{"id":"cm-6.1_gdn","name":"guidance","prose":"Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)","class":"sp800-53a"}],"parts":[{"id":"cm-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[01]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[02]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[03]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-06.02_odp.01","props":[{"name":"alt-identifier","value":"cm-6.2_prm_2"},{"name":"label","value":"CM-06(02)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken upon an unauthorized change are defined;"}]},{"id":"cm-06.02_odp.02","props":[{"name":"alt-identifier","value":"cm-6.2_prm_1"},{"name":"label","value":"CM-06(02)_ODP[02]","class":"sp800-53a"}],"label":"configuration settings","guidelines":[{"prose":"configuration settings requiring action upon an unauthorized change are defined;"}]}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"label","value":"CM-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing."},{"id":"cm-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(02)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.","links":[{"href":"#cm-6.2_smt","rel":"assessment-for"}]},{"id":"cm-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and\/or implementing actions in response to unauthorized changes"}]}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};","links":[{"href":"#cm-7_smt.a","rel":"assessment-for"}]},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt","rel":"assessment-for"}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:","links":[{"href":"#cm-7.1_smt.a","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed.","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt","rel":"assessment-for"}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.","links":[{"href":"#cm-7.2_smt","rel":"assessment-for"}]},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.05_odp.01 }} are identified;","links":[{"href":"#cm-7.5_smt.a","rel":"assessment-for"}]},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;","links":[{"href":"#cm-7.5_smt.b","rel":"assessment-for"}]},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.","links":[{"href":"#cm-7.5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.5_smt","rel":"assessment-for"}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;","links":[{"href":"#cm-8_smt.a.1","rel":"assessment-for"}]},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;","links":[{"href":"#cm-8_smt.a.2","rel":"assessment-for"}]},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;","links":[{"href":"#cm-8_smt.a.3","rel":"assessment-for"}]},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;","links":[{"href":"#cm-8_smt.a.4","rel":"assessment-for"}]},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;","links":[{"href":"#cm-8_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt.a","rel":"assessment-for"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.","links":[{"href":"#cm-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt","rel":"assessment-for"}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates.","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","params":[{"id":"cm-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.02_odp.01","props":[{"name":"label","value":"CM-08(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the currency of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.02","props":[{"name":"label","value":"CM-08(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the completeness of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.03","props":[{"name":"label","value":"CM-08(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the accuracy of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.04","props":[{"name":"label","value":"CM-08(02)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the availability of the system component inventory are defined;"}]}],"props":[{"name":"label","value":"CM-8(2)"},{"name":"label","value":"CM-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)","class":"sp800-53a"}],"parts":[{"id":"cm-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt","rel":"assessment-for"}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-08.04_odp","props":[{"name":"alt-identifier","value":"cm-8.4_prm_1"},{"name":"label","value":"CM-08(04)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"label","value":"CM-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)."},{"id":"cm-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(04)","class":"sp800-53a"}],"prose":"individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.","links":[{"href":"#cm-8.4_smt","rel":"assessment-for"}]},{"id":"cm-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing the system component inventory"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};","links":[{"href":"#cm-9_smt.d","rel":"assessment-for"}]},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification.","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;","links":[{"href":"#cm-10_smt.a","rel":"assessment-for"}]},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;","links":[{"href":"#cm-10_smt.b","rel":"assessment-for"}]},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.","links":[{"href":"#cm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-10_smt","rel":"assessment-for"}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;","links":[{"href":"#cm-11_smt.a","rel":"assessment-for"}]},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};","links":[{"href":"#cm-11_smt.b","rel":"assessment-for"}]},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.","links":[{"href":"#cm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-11_smt","rel":"assessment-for"}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt","rel":"assessment-for"}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.","links":[{"href":"#cm-12.1_smt","rel":"assessment-for"}]},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;","links":[{"href":"#cp-1_smt.b","rel":"assessment-for"}]},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt","rel":"assessment-for"}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;","links":[{"href":"#cp-2_smt.a.1","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;","links":[{"href":"#cp-2_smt.a.4","rel":"assessment-for"}]},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;","links":[{"href":"#cp-2_smt.a.5","rel":"assessment-for"}]},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;","links":[{"href":"#cp-2_smt.a.6","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a","rel":"assessment-for"}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;","links":[{"href":"#cp-2_smt.c","rel":"assessment-for"}]},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};","links":[{"href":"#cp-2_smt.d","rel":"assessment-for"}]},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification.","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt","rel":"assessment-for"}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-2.1_smt","rel":"assessment-for"}]},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"label","value":"CP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance."},{"id":"cp-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)","class":"sp800-53a"}],"parts":[{"id":"cp-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[01]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[02]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[03]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.","links":[{"href":"#cp-2.3_smt","rel":"assessment-for"}]},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Mission and Business Functions","params":[{"id":"cp-02.05_odp","props":[{"name":"alt-identifier","value":"cp-2.5_prm_1"},{"name":"label","value":"CP-02(05)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(5)"},{"name":"label","value":"CP-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)","class":"sp800-53a"}],"parts":[{"id":"cp-2.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[01]","class":"sp800-53a"}],"prose":"the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;","links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]},{"id":"cp-2.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[02]","class":"sp800-53a"}],"prose":"continuity is sustained until full system restoration at primary processing and\/or storage sites.","links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]},{"id":"cp-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.","links":[{"href":"#cp-2.8_smt","rel":"assessment-for"}]},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;","links":[{"href":"#cp-3_smt.a.1","rel":"assessment-for"}]},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#cp-3_smt.a.2","rel":"assessment-for"}]},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;","links":[{"href":"#cp-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.a","rel":"assessment-for"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt","rel":"assessment-for"}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"label","value":"CP-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_gdn","name":"guidance","prose":"The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures."},{"id":"cp-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.","links":[{"href":"#cp-3.1_smt","rel":"assessment-for"}]},{"id":"cp-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for simulating contingency events"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;","links":[{"href":"#cp-4_smt.b","rel":"assessment-for"}]},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed.","links":[{"href":"#cp-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt","rel":"assessment-for"}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-4.1_smt","rel":"assessment-for"}]},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"label","value":"CP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"Test the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","prose":"Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing."},{"id":"cp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)","class":"sp800-53a"}],"parts":[{"id":"cp-4.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(a)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;","links":[{"href":"#cp-4.2_smt.a","rel":"assessment-for"}]},{"id":"cp-4.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(b)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.","links":[{"href":"#cp-4.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-4.2_smt","rel":"assessment-for"}]},{"id":"cp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site.","links":[{"href":"#cp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt","rel":"assessment-for"}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.","links":[{"href":"#cp-6.1_smt","rel":"assessment-for"}]},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time and Recovery Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"label","value":"CP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_gdn","name":"guidance","prose":"Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution."},{"id":"cp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)","class":"sp800-53a"}],"parts":[{"id":"cp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[01]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;","links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]},{"id":"cp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[02]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.","links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]},{"id":"cp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;","links":[{"href":"#cp-7_smt.a","rel":"assessment-for"}]},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site.","links":[{"href":"#cp-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt","rel":"assessment-for"}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.","links":[{"href":"#cp-7.1_smt","rel":"assessment-for"}]},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.","links":[{"href":"#cp-7.3_smt","rel":"assessment-for"}]},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"label","value":"CP-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place."},{"id":"cp-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(04)","class":"sp800-53a"}],"prose":"the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.","links":[{"href":"#cp-7.4_smt","rel":"assessment-for"}]},{"id":"cp-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.","links":[{"href":"#cp-8_smt","rel":"assessment-for"}]},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier.","links":[{"href":"#cp-8.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt","rel":"assessment-for"}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.","links":[{"href":"#cp-8.2_smt","rel":"assessment-for"}]},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary and Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"label","value":"CP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(03)","class":"sp800-53a"}],"prose":"alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.","links":[{"href":"#cp-8.3_smt","rel":"assessment-for"}]},{"id":"cp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"id":"cp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-08.04_odp.01","props":[{"name":"label","value":"CP-08(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency testing by providers is defined;"}]},{"id":"cp-08.04_odp.02","props":[{"name":"label","value":"CP-08(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency training by providers is defined;"}]}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"label","value":"CP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-8.4_smt","name":"statement","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service providers are required to have contingency plans;","links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]},{"id":"cp-8.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service providers are required to have contingency plans;","links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]},{"id":"cp-8.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(b)","class":"sp800-53a"}],"prose":"provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;","links":[{"href":"#cp-8.4_smt.b","rel":"assessment-for"}]},{"id":"cp-8.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[01]","class":"sp800-53a"}],"prose":"evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.","links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]},{"id":"cp-8.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[02]","class":"sp800-53a"}],"prose":"evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.","links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt","rel":"assessment-for"}]},{"id":"cp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};","links":[{"href":"#cp-9_smt.a","rel":"assessment-for"}]},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};","links":[{"href":"#cp-9_smt.b","rel":"assessment-for"}]},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};","links":[{"href":"#cp-9_smt.c","rel":"assessment-for"}]},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected.","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt","rel":"assessment-for"}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"label","value":"CP-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","prose":"Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed."},{"id":"cp-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(02)","class":"sp800-53a"}],"prose":"a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.","links":[{"href":"#cp-9.2_smt","rel":"assessment-for"}]},{"id":"cp-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-09.03_odp","props":[{"name":"alt-identifier","value":"cp-9.3_prm_1"},{"name":"label","value":"CP-09(03)_ODP","class":"sp800-53a"}],"label":"critical system software and other security-related information","guidelines":[{"prose":"critical system software and other security-related information backups to be stored in a separate facility are defined;"}]}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"label","value":"CP-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers."},{"id":"cp-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(03)","class":"sp800-53a"}],"prose":"backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.","links":[{"href":"#cp-9.3_smt","rel":"assessment-for"}]},{"id":"cp-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.02"}],"label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"},{"id":"cp-09.05_odp.01","props":[{"name":"label","value":"CP-09(05)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09.05_odp.02","props":[{"name":"label","value":"CP-09(05)_ODP[02]","class":"sp800-53a"}],"label":"transfer rate","guidelines":[{"prose":"transfer rate consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"label","value":"CP-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media."},{"id":"cp-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)","class":"sp800-53a"}],"parts":[{"id":"cp-9.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[01]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};","links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]},{"id":"cp-9.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[02]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.","links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]},{"id":"cp-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.","links":[{"href":"#cp-9.8_smt","rel":"assessment-for"}]},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based.","links":[{"href":"#cp-10.2_smt","rel":"assessment-for"}]},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.04_odp","props":[{"name":"alt-identifier","value":"cp-10.4_prm_1"},{"name":"label","value":"CP-10(04)_ODP","class":"sp800-53a"}],"label":"restoration time periods","guidelines":[{"prose":"restoration time period within which to restore system components to a known, operational state is defined;"}]}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"label","value":"CP-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of system components includes reimaging, which restores the components to known, operational states."},{"id":"cp-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(04)","class":"sp800-53a"}],"prose":"the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.","links":[{"href":"#cp-10.4_smt","rel":"assessment-for"}]},{"id":"cp-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the recovery\/reconstitution of system information"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ia-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;","links":[{"href":"#ia-1_smt.b","rel":"assessment-for"}]},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt","rel":"assessment-for"}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts.","links":[{"href":"#ia-2.1_smt","rel":"assessment-for"}]},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented.","links":[{"href":"#ia-2.2_smt","rel":"assessment-for"}]},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Individual Authentication with Group Authentication","props":[{"name":"label","value":"IA-2(5)"},{"name":"label","value":"IA-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators."},{"id":"ia-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(05)","class":"sp800-53a"}],"prose":"users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.","links":[{"href":"#ia-2.5_smt","rel":"assessment-for"}]},{"id":"ia-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an authentication capability for group accounts"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.","links":[{"href":"#ia-2.8_smt","rel":"assessment-for"}]},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified.","links":[{"href":"#ia-2.12_smt","rel":"assessment-for"}]},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":" {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.","links":[{"href":"#ia-3_smt","rel":"assessment-for"}]},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;","links":[{"href":"#ia-4_smt.a","rel":"assessment-for"}]},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.b","rel":"assessment-for"}]},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.c","rel":"assessment-for"}]},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.","links":[{"href":"#ia-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ia-4_smt","rel":"assessment-for"}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.","links":[{"href":"#ia-4.4_smt","rel":"assessment-for"}]},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;","links":[{"href":"#ia-5_smt.a","rel":"assessment-for"}]},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;","links":[{"href":"#ia-5_smt.b","rel":"assessment-for"}]},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;","links":[{"href":"#ia-5_smt.c","rel":"assessment-for"}]},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;","links":[{"href":"#ia-5_smt.d","rel":"assessment-for"}]},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;","links":[{"href":"#ia-5_smt.e","rel":"assessment-for"}]},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;","links":[{"href":"#ia-5_smt.f","rel":"assessment-for"}]},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;","links":[{"href":"#ia-5_smt.g","rel":"assessment-for"}]},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.","links":[{"href":"#ia-5_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt","rel":"assessment-for"}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;","links":[{"href":"#ia-5.1_smt.a","rel":"assessment-for"}]},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);","links":[{"href":"#ia-5.1_smt.b","rel":"assessment-for"}]},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;","links":[{"href":"#ia-5.1_smt.c","rel":"assessment-for"}]},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;","links":[{"href":"#ia-5.1_smt.d","rel":"assessment-for"}]},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;","links":[{"href":"#ia-5.1_smt.e","rel":"assessment-for"}]},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;","links":[{"href":"#ia-5.1_smt.f","rel":"assessment-for"}]},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;","links":[{"href":"#ia-5.1_smt.g","rel":"assessment-for"}]},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.","links":[{"href":"#ia-5.1_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.1_smt","rel":"assessment-for"}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.a","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;","links":[{"href":"#ia-5.2_smt.b.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.","links":[{"href":"#ia-5.2_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt","rel":"assessment-for"}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.","links":[{"href":"#ia-5.6_smt","rel":"assessment-for"}]},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.","links":[{"href":"#ia-6_smt","rel":"assessment-for"}]},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.","links":[{"href":"#ia-7_smt","rel":"assessment-for"}]},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.","links":[{"href":"#ia-8_smt","rel":"assessment-for"}]},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;","links":[{"href":"#ia-8.2_smt.a","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained.","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt","rel":"assessment-for"}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.","links":[{"href":"#ia-8.4_smt","rel":"assessment-for"}]},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}.","links":[{"href":"#ia-11_smt","rel":"assessment-for"}]},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;","links":[{"href":"#ia-12_smt.a","rel":"assessment-for"}]},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;","links":[{"href":"#ia-12_smt.b","rel":"assessment-for"}]},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified.","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt","rel":"assessment-for"}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority.","links":[{"href":"#ia-12.2_smt","rel":"assessment-for"}]},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.","links":[{"href":"#ia-12.3_smt","rel":"assessment-for"}]},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.4","class":"SP800-53-enhancement","title":"In-person Validation and Verification","props":[{"name":"label","value":"IA-12(4)"},{"name":"label","value":"IA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.4_smt","name":"statement","prose":"Require that the validation and verification of identity evidence be conducted in person before a designated registration authority."},{"id":"ia-12.4_gdn","name":"guidance","prose":"In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities."},{"id":"ia-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(04)","class":"sp800-53a"}],"prose":"the validation and verification of identity evidence is conducted in person before a designated registration authority.","links":[{"href":"#ia-12.4_smt","rel":"assessment-for"}]},{"id":"ia-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.","links":[{"href":"#ia-12.5_smt","rel":"assessment-for"}]},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ir-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;","links":[{"href":"#ir-1_smt.b","rel":"assessment-for"}]},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt","rel":"assessment-for"}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;","links":[{"href":"#ir-2_smt.a.1","rel":"assessment-for"}]},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#ir-2_smt.a.2","rel":"assessment-for"}]},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;","links":[{"href":"#ir-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.a","rel":"assessment-for"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt","rel":"assessment-for"}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"label","value":"IR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_gdn","name":"guidance","prose":"Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations."},{"id":"ir-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.","links":[{"href":"#ir-2.1_smt","rel":"assessment-for"}]},{"id":"ir-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","params":[{"id":"ir-02.02_odp","props":[{"name":"alt-identifier","value":"ir-2.2_prm_1"},{"name":"label","value":"IR-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used in an incident response training environment are defined;"}]}],"props":[{"name":"label","value":"IR-2(2)"},{"name":"label","value":"IR-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_gdn","name":"guidance","prose":"Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability."},{"id":"ir-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(02)","class":"sp800-53a"}],"prose":"an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.","links":[{"href":"#ir-2.2_smt","rel":"assessment-for"}]},{"id":"ir-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.","links":[{"href":"#ir-3_smt","rel":"assessment-for"}]},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#ir-3.2_smt","rel":"assessment-for"}]},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;","links":[{"href":"#ir-4_smt.b","rel":"assessment-for"}]},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization.","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt","rel":"assessment-for"}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.","links":[{"href":"#ir-4.1_smt","rel":"assessment-for"}]},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"label","value":"IR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(04)","class":"sp800-53a"}],"prose":"incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.","links":[{"href":"#ir-4.4_smt","rel":"assessment-for"}]},{"id":"ir-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"id":"ir-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses"}]}]},{"id":"ir-4.11","class":"SP800-53-enhancement","title":"Integrated Incident Response Team","params":[{"id":"ir-04.11_odp","props":[{"name":"alt-identifier","value":"ir-4.11_prm_1"},{"name":"label","value":"IR-04(11)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which an integrated incident response team can be deployed is defined;"}]}],"props":[{"name":"label","value":"IR-4(11)"},{"name":"label","value":"IR-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"ir-4.11_smt","name":"statement","prose":"Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."},{"id":"ir-4.11_gdn","name":"guidance","prose":"An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient."},{"id":"ir-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)","class":"sp800-53a"}],"parts":[{"id":"ir-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[01]","class":"sp800-53a"}],"prose":"an integrated incident response team is established and maintained;","links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]},{"id":"ir-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[02]","class":"sp800-53a"}],"prose":"the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.","links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]},{"id":"ir-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented.","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking, Data Collection, and Analysis","params":[{"id":"ir-5.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ir-05.01_odp.01","props":[{"name":"label","value":"IR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to track incidents are defined;"}]},{"id":"ir-05.01_odp.02","props":[{"name":"label","value":"IR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to collect incident information are defined;"}]},{"id":"ir-05.01_odp.03","props":[{"name":"label","value":"IR-05(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to analyze incident information are defined;"}]}],"props":[{"name":"label","value":"IR-5(1)"},{"name":"label","value":"IR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-5","rel":"required"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices."},{"id":"ir-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)","class":"sp800-53a"}],"parts":[{"id":"ir-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[01]","class":"sp800-53a"}],"prose":"incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[02]","class":"sp800-53a"}],"prose":"incident information is collected using {{ insert: param, ir-05.01_odp.02 }};","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[03]","class":"sp800-53a"}],"prose":"incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records"}]},{"id":"ir-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};","links":[{"href":"#ir-6_smt.a","rel":"assessment-for"}]},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}.","links":[{"href":"#ir-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-6_smt","rel":"assessment-for"}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}.","links":[{"href":"#ir-6.1_smt","rel":"assessment-for"}]},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.","links":[{"href":"#ir-6.3_smt","rel":"assessment-for"}]},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.","links":[{"href":"#ir-7.1_smt","rel":"assessment-for"}]},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;","links":[{"href":"#ir-8_smt.a.1","rel":"assessment-for"}]},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;","links":[{"href":"#ir-8_smt.a.2","rel":"assessment-for"}]},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;","links":[{"href":"#ir-8_smt.a.3","rel":"assessment-for"}]},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;","links":[{"href":"#ir-8_smt.a.4","rel":"assessment-for"}]},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;","links":[{"href":"#ir-8_smt.a.5","rel":"assessment-for"}]},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;","links":[{"href":"#ir-8_smt.a.6","rel":"assessment-for"}]},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;","links":[{"href":"#ir-8_smt.a.7","rel":"assessment-for"}]},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;","links":[{"href":"#ir-8_smt.a.8","rel":"assessment-for"}]},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};","links":[{"href":"#ir-8_smt.a.9","rel":"assessment-for"}]},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.","links":[{"href":"#ir-8_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.a","rel":"assessment-for"}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;","links":[{"href":"#ir-8_smt.c","rel":"assessment-for"}]},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification.","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt","rel":"assessment-for"}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ma-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;","links":[{"href":"#ma-1_smt.b","rel":"assessment-for"}]},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt","rel":"assessment-for"}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.c","rel":"assessment-for"}]},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.d","rel":"assessment-for"}]},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;","links":[{"href":"#ma-2_smt.e","rel":"assessment-for"}]},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.","links":[{"href":"#ma-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt","rel":"assessment-for"}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}],"controls":[{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","params":[{"id":"ma-2.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ma-02.02_odp.01","props":[{"name":"label","value":"MA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.02","props":[{"name":"label","value":"MA-02(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.03","props":[{"name":"label","value":"MA-02(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;"}]}],"props":[{"name":"label","value":"MA-2(2)"},{"name":"label","value":"MA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"required"},{"href":"#ma-3","rel":"related"}],"parts":[{"id":"ma-2.2_smt","name":"statement","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","prose":"The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records."},{"id":"ma-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[01]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[02]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[03]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt","rel":"assessment-for"}]},{"id":"ma-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing the production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.","links":[{"href":"#ma-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt","rel":"assessment-for"}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.","links":[{"href":"#ma-3.1_smt","rel":"assessment-for"}]},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system.","links":[{"href":"#ma-3.2_smt","rel":"assessment-for"}]},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or","links":[{"href":"#ma-3.3_smt.a","rel":"assessment-for"}]},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or","links":[{"href":"#ma-3.3_smt.b","rel":"assessment-for"}]},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"assessment-for"}]},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.","links":[{"href":"#ma-3.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ma-3.3_smt","rel":"assessment-for"}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;","links":[{"href":"#ma-4_smt.c","rel":"assessment-for"}]},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;","links":[{"href":"#ma-4_smt.d","rel":"assessment-for"}]},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed.","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt","rel":"assessment-for"}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security and Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"label","value":"MA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-4.3_smt","name":"statement","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced."},{"id":"ma-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;","links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]},{"id":"ma-4.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[02]","class":"sp800-53a"}],"prose":"nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or","links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[01]","class":"sp800-53a"}],"prose":"the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[02]","class":"sp800-53a"}],"prose":"the component to be serviced is sanitized (for organizational information);","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[03]","class":"sp800-53a"}],"prose":"the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt","rel":"assessment-for"}]},{"id":"ma-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and\/or implementing component sanitization and inspection"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;","links":[{"href":"#ma-5_smt.b","rel":"assessment-for"}]},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.","links":[{"href":"#ma-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt","rel":"assessment-for"}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","params":[{"id":"ma-05.01_odp","props":[{"name":"alt-identifier","value":"ma-5.1_prm_1"},{"name":"label","value":"MA-05(01)_ODP","class":"sp800-53a"}],"label":"alternate controls","guidelines":[{"prose":"alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;"}]}],"props":[{"name":"label","value":"MA-5(1)"},{"name":"label","value":"MA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ma-5.1_smt","name":"statement","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems."},{"id":"ma-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(01)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;","links":[{"href":"#ma-5.1_smt.a.1","rel":"assessment-for"}]},{"id":"ma-5.1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(02)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;","links":[{"href":"#ma-5.1_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"assessment-for"}]},{"id":"ma-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.","links":[{"href":"#ma-5.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.1_smt","rel":"assessment-for"}]},{"id":"ma-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and\/or implementing alternative security safeguards\n\nmechanisms supporting and\/or implementing information storage component sanitization"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.","links":[{"href":"#ma-6_smt","rel":"assessment-for"}]},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#mp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.","links":[{"href":"#mp-1_smt.b","rel":"assessment-for"}]},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt","rel":"assessment-for"}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;","links":[{"href":"#mp-3_smt.a","rel":"assessment-for"}]},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.","links":[{"href":"#mp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-3_smt","rel":"assessment-for"}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.01 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.02 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.","links":[{"href":"#mp-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt","rel":"assessment-for"}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;","links":[{"href":"#mp-5_smt.b","rel":"assessment-for"}]},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;","links":[{"href":"#mp-5_smt.c","rel":"assessment-for"}]},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel.","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt","rel":"assessment-for"}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.","links":[{"href":"#mp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt","rel":"assessment-for"}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review, Approve, Track, Document, and Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"label","value":"MP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"Review, approve, track, document, and verify media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal."},{"id":"mp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)","class":"sp800-53a"}],"parts":[{"id":"mp-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[01]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are reviewed;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[02]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are approved;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[03]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are tracked;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[04]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are documented;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[05]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are verified.","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing verification of media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-06.02_odp.01","props":[{"name":"label","value":"MP-06(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization equipment is defined;"}]},{"id":"mp-06.02_odp.02","props":[{"name":"label","value":"MP-06(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization procedures is defined;"}]}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"label","value":"MP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers."},{"id":"mp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)","class":"sp800-53a"}],"parts":[{"id":"mp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[01]","class":"sp800-53a"}],"prose":"sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;","links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]},{"id":"mp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[02]","class":"sp800-53a"}],"prose":"sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.","links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]},{"id":"mp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"mp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization procedures\n\nsanitization equipment"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-06.03_odp","props":[{"name":"alt-identifier","value":"mp-6.3_prm_1"},{"name":"alt-label","value":"circumstances requiring sanitization of portable storage devices","class":"sp800-53"},{"name":"label","value":"MP-06(03)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring sanitization of portable storage devices are defined;"}]}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"label","value":"MP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices."},{"id":"mp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(03)","class":"sp800-53a"}],"prose":"non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.","links":[{"href":"#mp-6.3_smt","rel":"assessment-for"}]},{"id":"mp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};","links":[{"href":"#mp-7_smt.a","rel":"assessment-for"}]},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.","links":[{"href":"#mp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-7_smt","rel":"assessment-for"}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pe-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;","links":[{"href":"#pe-1_smt.b","rel":"assessment-for"}]},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt","rel":"assessment-for"}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;","links":[{"href":"#pe-2_smt.b","rel":"assessment-for"}]},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};","links":[{"href":"#pe-2_smt.c","rel":"assessment-for"}]},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required.","links":[{"href":"#pe-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt","rel":"assessment-for"}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;","links":[{"href":"#pe-3_smt.a.1","rel":"assessment-for"}]},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};","links":[{"href":"#pe-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.a","rel":"assessment-for"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};","links":[{"href":"#pe-3_smt.b","rel":"assessment-for"}]},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};","links":[{"href":"#pe-3_smt.c","rel":"assessment-for"}]},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};","links":[{"href":"#pe-3_smt.f","rel":"assessment-for"}]},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt","rel":"assessment-for"}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"System Access","params":[{"id":"pe-03.01_odp","props":[{"name":"alt-identifier","value":"pe-3.1_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-03(01)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"label","value":"PE-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components."},{"id":"pe-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)","class":"sp800-53a"}],"parts":[{"id":"pe-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[01]","class":"sp800-53a"}],"prose":"physical access authorizations to the system are enforced;","links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]},{"id":"pe-3.1_obj.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[02]","class":"sp800-53a"}],"prose":"physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.","links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]},{"id":"pe-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the information system\/components\n\nmechanisms supporting and\/or implementing physical access control for facility areas containing system components"}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.","links":[{"href":"#pe-4_smt","rel":"assessment-for"}]},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.","links":[{"href":"#pe-5_smt","rel":"assessment-for"}]},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;","links":[{"href":"#pe-6_smt.a","rel":"assessment-for"}]},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities.","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt","rel":"assessment-for"}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment.","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Systems","params":[{"id":"pe-06.04_odp","props":[{"name":"alt-identifier","value":"pe-6.4_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-06(04)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"label","value":"PE-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization."},{"id":"pe-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(04)","class":"sp800-53a"}],"prose":"physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.","links":[{"href":"#pe-6.4_smt","rel":"assessment-for"}]},{"id":"pe-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and\/or implementing physical access monitoring for facility areas containing system components"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};","links":[{"href":"#pe-8_smt.a","rel":"assessment-for"}]},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};","links":[{"href":"#pe-8_smt.b","rel":"assessment-for"}]},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.","links":[{"href":"#pe-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-8_smt","rel":"assessment-for"}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance and Review","params":[{"id":"pe-8.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"pe-08.01_odp.01","props":[{"name":"label","value":"PE-08(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain visitor access records are defined;"}]},{"id":"pe-08.01_odp.02","props":[{"name":"label","value":"PE-08(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to review visitor access records are defined;"}]}],"props":[{"name":"label","value":"PE-8(1)"},{"name":"label","value":"PE-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}."},{"id":"pe-8.1_gdn","name":"guidance","prose":"Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions."},{"id":"pe-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)","class":"sp800-53a"}],"parts":[{"id":"pe-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[01]","class":"sp800-53a"}],"prose":"visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};","links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]},{"id":"pe-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[02]","class":"sp800-53a"}],"prose":"visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.","links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]},{"id":"pe-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction.","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;","links":[{"href":"#pe-10_smt.a","rel":"assessment-for"}]},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;","links":[{"href":"#pe-10_smt.b","rel":"assessment-for"}]},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation.","links":[{"href":"#pe-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-10_smt","rel":"assessment-for"}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.","links":[{"href":"#pe-11_smt","rel":"assessment-for"}]},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Alternate Power Supply — Minimal Operational Capability","params":[{"id":"pe-11.01_odp","props":[{"name":"alt-identifier","value":"pe-11.1_prm_1"},{"name":"label","value":"PE-11(01)_ODP","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}}],"props":[{"name":"label","value":"PE-11(1)"},{"name":"label","value":"PE-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply."},{"id":"pe-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)","class":"sp800-53a"}],"parts":[{"id":"pe-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[01]","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};","links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]},{"id":"pe-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[02]","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.","links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]},{"id":"pe-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility.","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained.","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Systems — Automatic Activation and Notification","params":[{"id":"pe-13.02_odp.01","props":[{"name":"alt-identifier","value":"pe-13.2_prm_1"},{"name":"label","value":"PE-13(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.02_odp.02","props":[{"name":"alt-identifier","value":"pe-13.2_prm_2"},{"name":"label","value":"PE-13(02)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"label","value":"PE-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.2_smt","name":"statement","parts":[{"id":"pe-13.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and"},{"id":"pe-13.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and\/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[01]","class":"sp800-53a"}],"prose":"fire suppression systems that activate automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[02]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[03]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(b)","class":"sp800-53a"}],"prose":"an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.","links":[{"href":"#pe-13.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.2_smt","rel":"assessment-for"}]},{"id":"pe-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;","links":[{"href":"#pe-14_smt.a","rel":"assessment-for"}]},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.","links":[{"href":"#pe-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-14_smt","rel":"assessment-for"}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel.","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.01_odp.01","props":[{"name":"alt-identifier","value":"pe-15.1_prm_1"},{"name":"label","value":"PE-15(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when the presence of water is detected near the system is\/are defined;"}]},{"id":"pe-15.01_odp.02","props":[{"name":"alt-identifier","value":"pe-15.1_prm_2"},{"name":"label","value":"PE-15(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of water near the system are defined;"}]}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"label","value":"PE-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"required"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms include notification systems, water detection sensors, and alarms."},{"id":"pe-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)","class":"sp800-53a"}],"parts":[{"id":"pe-15.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[01]","class":"sp800-53a"}],"prose":"the presence of water near the system can be detected automatically;","links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]},{"id":"pe-15.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-15.01_odp.01 }} is\/are alerted using {{ insert: param, pe-15.01_odp.02 }}.","links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]},{"id":"pe-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts\/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing water detection capabilities and alerts for the system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained.","links":[{"href":"#pe-16_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt","rel":"assessment-for"}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.01 }} are determined and documented;","links":[{"href":"#pe-17_smt.a","rel":"assessment-for"}]},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;","links":[{"href":"#pe-17_smt.b","rel":"assessment-for"}]},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;","links":[{"href":"#pe-17_smt.c","rel":"assessment-for"}]},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided.","links":[{"href":"#pe-17_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-17_smt","rel":"assessment-for"}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of System Components","params":[{"id":"pe-18_odp","props":[{"name":"alt-identifier","value":"pe-18_prm_1"},{"name":"label","value":"PE-18_ODP","class":"sp800-53a"}],"label":"physical and environmental hazards","guidelines":[{"prose":"physical and environmental hazards that could result in potential damage to system components within the facility are defined;"}]}],"props":[{"name":"label","value":"PE-18"},{"name":"label","value":"PE-18","class":"sp800-53a"},{"name":"sort-id","value":"pe-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information."},{"id":"pe-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-18","class":"sp800-53a"}],"prose":"system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.","links":[{"href":"#pe-18_smt","rel":"assessment-for"}]},{"id":"pe-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for positioning system components"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented.","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pl-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;","links":[{"href":"#pl-1_smt.b","rel":"assessment-for"}]},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt","rel":"assessment-for"}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a","rel":"assessment-for"}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};","links":[{"href":"#pl-2_smt.c","rel":"assessment-for"}]},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification.","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt","rel":"assessment-for"}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;","links":[{"href":"#pl-4_smt.b","rel":"assessment-for"}]},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};","links":[{"href":"#pl-4_smt.c","rel":"assessment-for"}]},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.","links":[{"href":"#pl-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt","rel":"assessment-for"}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;","links":[{"href":"#pl-4.1_smt.a","rel":"assessment-for"}]},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;","links":[{"href":"#pl-4.1_smt.b","rel":"assessment-for"}]},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications.","links":[{"href":"#pl-4.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-4.1_smt","rel":"assessment-for"}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;","links":[{"href":"#pl-8_smt.a.1","rel":"assessment-for"}]},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;","links":[{"href":"#pl-8_smt.a.2","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a","rel":"assessment-for"}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;","links":[{"href":"#pl-8_smt.b","rel":"assessment-for"}]},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions.","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt","rel":"assessment-for"}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected.","links":[{"href":"#pl-10_smt","rel":"assessment-for"}]},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions.","links":[{"href":"#pl-11_smt","rel":"assessment-for"}]},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ps-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;","links":[{"href":"#ps-1_smt.b","rel":"assessment-for"}]},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt","rel":"assessment-for"}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;","links":[{"href":"#ps-2_smt.a","rel":"assessment-for"}]},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;","links":[{"href":"#ps-2_smt.b","rel":"assessment-for"}]},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.","links":[{"href":"#ps-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-2_smt","rel":"assessment-for"}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;","links":[{"href":"#ps-3_smt.a","rel":"assessment-for"}]},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt","rel":"assessment-for"}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};","links":[{"href":"#ps-4_smt.a","rel":"assessment-for"}]},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;","links":[{"href":"#ps-4_smt.b","rel":"assessment-for"}]},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;","links":[{"href":"#ps-4_smt.c","rel":"assessment-for"}]},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;","links":[{"href":"#ps-4_smt.d","rel":"assessment-for"}]},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.","links":[{"href":"#ps-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-4_smt","rel":"assessment-for"}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Actions","params":[{"id":"ps-04.02_odp.01","props":[{"name":"alt-identifier","value":"ps-4.2_prm_1"},{"name":"label","value":"PS-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to notify personnel or roles of individual termination actions and\/or to disable access to system resources are defined;"}]},{"id":"ps-04.02_odp.02","props":[{"name":"alt-identifier","value":"ps-4.2_prm_2"},{"name":"label","value":"PS-04(02)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions","disable access to system resources"]}},{"id":"ps-04.02_odp.03","props":[{"name":"alt-identifier","value":"ps-4.2_prm_3"},{"name":"label","value":"PS-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified upon termination of an individual is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"label","value":"PS-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated."},{"id":"ps-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(02)","class":"sp800-53a"}],"prose":" {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.","links":[{"href":"#ps-4.2_smt","rel":"assessment-for"}]},{"id":"ps-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;","links":[{"href":"#ps-5_smt.a","rel":"assessment-for"}]},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};","links":[{"href":"#ps-5_smt.b","rel":"assessment-for"}]},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;","links":[{"href":"#ps-5_smt.c","rel":"assessment-for"}]},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.","links":[{"href":"#ps-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ps-5_smt","rel":"assessment-for"}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;","links":[{"href":"#ps-6_smt.a","rel":"assessment-for"}]},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};","links":[{"href":"#ps-6_smt.b","rel":"assessment-for"}]},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;","links":[{"href":"#ps-6_smt.c.1","rel":"assessment-for"}]},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.","links":[{"href":"#ps-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt","rel":"assessment-for"}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;","links":[{"href":"#ps-7_smt.a","rel":"assessment-for"}]},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;","links":[{"href":"#ps-7_smt.b","rel":"assessment-for"}]},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;","links":[{"href":"#ps-7_smt.c","rel":"assessment-for"}]},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};","links":[{"href":"#ps-7_smt.d","rel":"assessment-for"}]},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored.","links":[{"href":"#ps-7_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-7_smt","rel":"assessment-for"}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;","links":[{"href":"#ps-8_smt.a","rel":"assessment-for"}]},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.","links":[{"href":"#ps-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-8_smt","rel":"assessment-for"}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions.","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ra-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;","links":[{"href":"#ra-1_smt.b","rel":"assessment-for"}]},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt","rel":"assessment-for"}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;","links":[{"href":"#ra-2_smt.a","rel":"assessment-for"}]},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;","links":[{"href":"#ra-2_smt.b","rel":"assessment-for"}]},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.","links":[{"href":"#ra-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-2_smt","rel":"assessment-for"}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;","links":[{"href":"#ra-3_smt.a.1","rel":"assessment-for"}]},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;","links":[{"href":"#ra-3_smt.a.2","rel":"assessment-for"}]},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;","links":[{"href":"#ra-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt.a","rel":"assessment-for"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;","links":[{"href":"#ra-3_smt.b","rel":"assessment-for"}]},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};","links":[{"href":"#ra-3_smt.c","rel":"assessment-for"}]},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};","links":[{"href":"#ra-3_smt.d","rel":"assessment-for"}]},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};","links":[{"href":"#ra-3_smt.e","rel":"assessment-for"}]},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.","links":[{"href":"#ra-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt","rel":"assessment-for"}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;","links":[{"href":"#ra-3.1_smt.a","rel":"assessment-for"}]},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.","links":[{"href":"#ra-3.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-3.1_smt","rel":"assessment-for"}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;","links":[{"href":"#ra-5_smt.b.1","rel":"assessment-for"}]},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;","links":[{"href":"#ra-5_smt.b.2","rel":"assessment-for"}]},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;","links":[{"href":"#ra-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.b","rel":"assessment-for"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;","links":[{"href":"#ra-5_smt.c","rel":"assessment-for"}]},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;","links":[{"href":"#ra-5_smt.d","rel":"assessment-for"}]},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;","links":[{"href":"#ra-5_smt.e","rel":"assessment-for"}]},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.","links":[{"href":"#ra-5_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt","rel":"assessment-for"}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.","links":[{"href":"#ra-5.2_smt","rel":"assessment-for"}]},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-05.04_odp","props":[{"name":"alt-identifier","value":"ra-5.4_prm_1"},{"name":"label","value":"RA-05(04)_ODP","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken if information about the system is discoverable are defined;"}]}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"label","value":"RA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-13","rel":"related"},{"href":"#sc-26","rel":"related"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization."},{"id":"ra-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ra-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[01]","class":"sp800-53a"}],"prose":"information about the system is discoverable;","links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]},{"id":"ra-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.","links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]},{"id":"ra-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing risk response\n\nmechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.","links":[{"href":"#ra-5.5_smt","rel":"assessment-for"}]},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.","links":[{"href":"#ra-5.11_smt","rel":"assessment-for"}]},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance.","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.","links":[{"href":"#ra-9_smt","rel":"assessment-for"}]},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sa-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;","links":[{"href":"#sa-1_smt.b","rel":"assessment-for"}]},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt","rel":"assessment-for"}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation.","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt","rel":"assessment-for"}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities.","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt","rel":"assessment-for"}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.b","rel":"assessment-for"}]},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.g","rel":"assessment-for"}]},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.","links":[{"href":"#sa-4_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt","rel":"assessment-for"}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.","links":[{"href":"#sa-4.1_smt","rel":"assessment-for"}]},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.","links":[{"href":"#sa-4.2_smt","rel":"assessment-for"}]},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.5","class":"SP800-53-enhancement","title":"System, Component, and Service Configurations","params":[{"id":"sa-04.05_odp","props":[{"name":"alt-identifier","value":"sa-4.5_prm_1"},{"name":"label","value":"SA-04(05)_ODP","class":"sp800-53a"}],"label":"security configurations","guidelines":[{"prose":"security configurations for the system, component, or service are defined;"}]}],"props":[{"name":"label","value":"SA-4(5)"},{"name":"label","value":"SA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and"},{"id":"sa-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_gdn","name":"guidance","prose":"Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed."},{"id":"sa-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)","class":"sp800-53a"}],"parts":[{"id":"sa-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;","links":[{"href":"#sa-4.5_smt.a","rel":"assessment-for"}]},{"id":"sa-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(b)","class":"sp800-53a"}],"prose":"the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.","links":[{"href":"#sa-4.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.5_smt","rel":"assessment-for"}]},{"id":"sa-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use.","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.","links":[{"href":"#sa-4.10_smt","rel":"assessment-for"}]},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a","rel":"assessment-for"}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b","rel":"assessment-for"}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}.","links":[{"href":"#sa-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt","rel":"assessment-for"}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.","links":[{"href":"#sa-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt","rel":"assessment-for"}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.","links":[{"href":"#sa-9.2_smt","rel":"assessment-for"}]},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};","links":[{"href":"#sa-10_smt.a","rel":"assessment-for"}]},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.c","rel":"assessment-for"}]},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt","rel":"assessment-for"}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};","links":[{"href":"#sa-11_smt.b","rel":"assessment-for"}]},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;","links":[{"href":"#sa-11_smt.d","rel":"assessment-for"}]},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.","links":[{"href":"#sa-11_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt","rel":"assessment-for"}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;","links":[{"href":"#sa-15_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a","rel":"assessment-for"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt","rel":"assessment-for"}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;","links":[{"href":"#sa-15.3_smt.a","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt","rel":"assessment-for"}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_odp","props":[{"name":"alt-identifier","value":"sa-16_prm_1"},{"name":"label","value":"SA-16_ODP","class":"sp800-53a"}],"label":"training","guidelines":[{"prose":"training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms provided by the developer of the system, system component, or system service is defined;"}]}],"props":[{"name":"label","value":"SA-16"},{"name":"label","value":"SA-16","class":"sp800-53a"},{"name":"sort-id","value":"sa-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms: {{ insert: param, sa-16_odp }}."},{"id":"sa-16_gdn","name":"guidance","prose":"Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms."},{"id":"sa-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-16","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms.","links":[{"href":"#sa-16_smt","rel":"assessment-for"}]},{"id":"sa-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security and Privacy Architecture and Design","props":[{"name":"label","value":"SA-17"},{"name":"label","value":"SA-17","class":"sp800-53a"},{"name":"sort-id","value":"sa-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing."},{"id":"sa-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;","links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]},{"id":"sa-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;","links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]},{"id":"sa-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;","links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]},{"id":"sa-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;","links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]},{"id":"sa-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;","links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]},{"id":"sa-17_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.","links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt","rel":"assessment-for"}]},{"id":"sa-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-21","class":"SP800-53","title":"Developer Screening","params":[{"id":"sa-21_odp.01","props":[{"name":"alt-identifier","value":"sa-21_prm_1"},{"name":"alt-label","value":"system, system component, or system service","class":"sp800-53"},{"name":"label","value":"SA-21_ODP[01]","class":"sp800-53a"}],"label":"system, systems component, or system service","guidelines":[{"prose":"the system, systems component, or system service that the developer has access to is\/are defined;"}]},{"id":"sa-21_odp.02","props":[{"name":"alt-identifier","value":"sa-21_prm_2"},{"name":"label","value":"SA-21_ODP[02]","class":"sp800-53a"}],"label":"official government duties","guidelines":[{"prose":"official government duties assigned to the developer are defined;"}]},{"id":"sa-21_odp.03","props":[{"name":"alt-identifier","value":"sa-21_prm_3"},{"name":"label","value":"SA-21_ODP[03]","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria for the developer are defined;"}]}],"props":[{"name":"label","value":"SA-21"},{"name":"label","value":"SA-21","class":"sp800-53a"},{"name":"sort-id","value":"sa-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-21_smt","name":"statement","prose":"Require that the developer of {{ insert: param, sa-21_odp.01 }}:","parts":[{"id":"sa-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and"},{"id":"sa-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_gdn","name":"guidance","prose":"Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements."},{"id":"sa-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-21","class":"sp800-53a"}],"parts":[{"id":"sa-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-21a.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};","links":[{"href":"#sa-21_smt.a","rel":"assessment-for"}]},{"id":"sa-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-21b.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.","links":[{"href":"#sa-21_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-21_smt","rel":"assessment-for"}]},{"id":"sa-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening"}]},{"id":"sa-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developer screening\n\nmechanisms supporting developer screening"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;","links":[{"href":"#sa-22_smt.a","rel":"assessment-for"}]},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.","links":[{"href":"#sa-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-22_smt","rel":"assessment-for"}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sc-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;","links":[{"href":"#sc-1_smt.b","rel":"assessment-for"}]},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt","rel":"assessment-for"}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality.","links":[{"href":"#sc-2_smt","rel":"assessment-for"}]},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"label","value":"SC-3"},{"name":"label","value":"SC-03","class":"sp800-53a"},{"name":"sort-id","value":"sc-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"Isolate security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03","class":"sp800-53a"}],"prose":"security functions are isolated from non-security functions.","links":[{"href":"#sc-3_smt","rel":"assessment-for"}]},{"id":"sc-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented.","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};","links":[{"href":"#sc-5_smt.a","rel":"assessment-for"}]},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.","links":[{"href":"#sc-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-5_smt","rel":"assessment-for"}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;","links":[{"href":"#sc-7_smt.b","rel":"assessment-for"}]},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","links":[{"href":"#sc-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt","rel":"assessment-for"}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited.","links":[{"href":"#sc-7.3_smt","rel":"assessment-for"}]},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"assessment-for"}]},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;","links":[{"href":"#sc-7.4_smt.d","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;","links":[{"href":"#sc-7.4_smt.f","rel":"assessment-for"}]},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;","links":[{"href":"#sc-7.4_smt.g","rel":"assessment-for"}]},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks.","links":[{"href":"#sc-7.4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt","rel":"assessment-for"}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.","links":[{"href":"#sc-7.7_smt","rel":"assessment-for"}]},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.","links":[{"href":"#sc-7.8_smt","rel":"assessment-for"}]},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"label","value":"SC-07(18)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#cp-2","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases."},{"id":"sc-7.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(18)","class":"sp800-53a"}],"prose":"systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.","links":[{"href":"#sc-7.18_smt","rel":"assessment-for"}]},{"id":"sc-7.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of System Components","params":[{"id":"sc-07.21_odp.01","props":[{"name":"alt-identifier","value":"sc-7.21_prm_1"},{"name":"label","value":"SC-07(21)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be isolated by boundary protection mechanisms are defined;"}]},{"id":"sc-07.21_odp.02","props":[{"name":"alt-identifier","value":"sc-7.21_prm_2"},{"name":"label","value":"SC-07(21)_ODP[02]","class":"sp800-53a"}],"label":"missions and\/or business functions","guidelines":[{"prose":"missions and\/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"label","value":"SC-07(21)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ca-9","rel":"related"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys."},{"id":"sc-7.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(21)","class":"sp800-53a"}],"prose":"boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.","links":[{"href":"#sc-7.21_smt","rel":"assessment-for"}]},{"id":"sc-7.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to separate system components supporting organizational missions and\/or business functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected.","links":[{"href":"#sc-8_smt","rel":"assessment-for"}]},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.","links":[{"href":"#sc-8.1_smt","rel":"assessment-for"}]},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.","links":[{"href":"#sc-10_smt","rel":"assessment-for"}]},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"label","value":"SC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"Maintain availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key."},{"id":"sc-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(01)","class":"sp800-53a"}],"prose":"information availability is maintained in the event of the loss of cryptographic keys by users.","links":[{"href":"#sc-12.1_smt","rel":"assessment-for"}]},{"id":"sc-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;","links":[{"href":"#sc-13_smt.a","rel":"assessment-for"}]},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.","links":[{"href":"#sc-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-13_smt","rel":"assessment-for"}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};","links":[{"href":"#sc-15_smt.a","rel":"assessment-for"}]},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices.","links":[{"href":"#sc-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-15_smt","rel":"assessment-for"}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;","links":[{"href":"#sc-17_smt.a","rel":"assessment-for"}]},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization.","links":[{"href":"#sc-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-17_smt","rel":"assessment-for"}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system.","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt","rel":"assessment-for"}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt","rel":"assessment-for"}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources.","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation.","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected.","links":[{"href":"#sc-23_smt","rel":"assessment-for"}]},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_odp.01","props":[{"name":"alt-identifier","value":"sc-24_prm_3"},{"name":"alt-label","value":"list of organization-defined types of system failures on organization-defined system components","class":"sp800-53"},{"name":"label","value":"SC-24_ODP[01]","class":"sp800-53a"}],"label":"types of system failures on system components","guidelines":[{"prose":"types of system failures for which the system components fail to a known state are defined;"}]},{"id":"sc-24_odp.02","props":[{"name":"alt-identifier","value":"sc-24_prm_1"},{"name":"label","value":"SC-24_ODP[02]","class":"sp800-53a"}],"label":"known system state","guidelines":[{"prose":"known system state to which system components fail in the event of a system failure is defined;"}]},{"id":"sc-24_odp.03","props":[{"name":"alt-identifier","value":"sc-24_prm_2"},{"name":"label","value":"SC-24_ODP[03]","class":"sp800-53a"}],"label":"system state information","guidelines":[{"prose":"system state information to be preserved in the event of a system failure is defined;"}]}],"props":[{"name":"label","value":"SC-24"},{"name":"label","value":"SC-24","class":"sp800-53a"},{"name":"sort-id","value":"sc-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes."},{"id":"sc-24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-24","class":"sp800-53a"}],"prose":" {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.","links":[{"href":"#sc-24_smt","rel":"assessment-for"}]},{"id":"sc-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected.","links":[{"href":"#sc-28_smt","rel":"assessment-for"}]},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process.","links":[{"href":"#sc-39_smt","rel":"assessment-for"}]},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#si-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;","links":[{"href":"#si-1_smt.b","rel":"assessment-for"}]},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt","rel":"assessment-for"}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process.","links":[{"href":"#si-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt","rel":"assessment-for"}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.","links":[{"href":"#si-2.2_smt","rel":"assessment-for"}]},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;","links":[{"href":"#si-3_smt.b","rel":"assessment-for"}]},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c","rel":"assessment-for"}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.","links":[{"href":"#si-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt","rel":"assessment-for"}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};","links":[{"href":"#si-4_smt.a.1","rel":"assessment-for"}]},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a","rel":"assessment-for"}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};","links":[{"href":"#si-4_smt.b","rel":"assessment-for"}]},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;","links":[{"href":"#si-4_smt.c.1","rel":"assessment-for"}]},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;","links":[{"href":"#si-4_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.c","rel":"assessment-for"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;","links":[{"href":"#si-4_smt.e","rel":"assessment-for"}]},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;","links":[{"href":"#si-4_smt.f","rel":"assessment-for"}]},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.","links":[{"href":"#si-4_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt","rel":"assessment-for"}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events.","links":[{"href":"#si-4.2_smt","rel":"assessment-for"}]},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt","rel":"assessment-for"}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.","links":[{"href":"#si-4.5_smt","rel":"assessment-for"}]},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]},{"id":"si-4.10","class":"SP800-53-enhancement","title":"Visibility of Encrypted Communications","params":[{"id":"si-04.10_odp.01","props":[{"name":"alt-identifier","value":"si-4.10_prm_1"},{"name":"label","value":"SI-04(10)_ODP[01]","class":"sp800-53a"}],"label":"encrypted communications traffic","guidelines":[{"prose":"encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;"}]},{"id":"si-04.10_odp.02","props":[{"name":"alt-identifier","value":"si-4.10_prm_2"},{"name":"label","value":"SI-04(10)_ODP[02]","class":"sp800-53a"}],"label":"system monitoring tools and mechanisms","guidelines":[{"prose":"system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(10)"},{"name":"label","value":"SI-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.10_smt","name":"statement","prose":"Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_gdn","name":"guidance","prose":"Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types."},{"id":"si-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(10)","class":"sp800-53a"}],"prose":"provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.","links":[{"href":"#si-4.10_smt","rel":"assessment-for"}]},{"id":"si-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the visibility of encrypted communications traffic to monitoring tools"}]}]},{"id":"si-4.12","class":"SP800-53-enhancement","title":"Automated Organization-generated Alerts","params":[{"id":"si-04.12_odp.01","props":[{"name":"alt-identifier","value":"si-4.12_prm_1"},{"name":"label","value":"SI-04(12)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is\/are defined;"}]},{"id":"si-04.12_odp.02","props":[{"name":"alt-identifier","value":"si-4.12_prm_2"},{"name":"label","value":"SI-04(12)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to alert personnel or roles are defined;"}]},{"id":"si-04.12_odp.03","props":[{"name":"alt-identifier","value":"si-4.12_prm_3"},{"name":"label","value":"SI-04(12)_ODP[03]","class":"sp800-53a"}],"label":"activities that trigger alerts","guidelines":[{"prose":"activities that trigger alerts to personnel or are defined;"}]}],"props":[{"name":"label","value":"SI-4(12)"},{"name":"label","value":"SI-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.12_smt","name":"statement","prose":"Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}."},{"id":"si-4.12_gdn","name":"guidance","prose":"Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records."},{"id":"si-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(12)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.12_odp.01 }} is\/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.","links":[{"href":"#si-4.12_smt","rel":"assessment-for"}]},{"id":"si-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and\/or implementing automated alerts to security personnel"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","props":[{"name":"label","value":"SI-4(14)"},{"name":"label","value":"SI-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems."},{"id":"si-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)","class":"sp800-53a"}],"parts":[{"id":"si-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[01]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to identify rogue wireless devices;","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[02]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect attack attempts on the system;","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[03]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","params":[{"id":"si-04.20_odp","props":[{"name":"alt-identifier","value":"si-4.20_prm_1"},{"name":"label","value":"SI-04(20)_ODP","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of privileged users is defined;"}]}],"props":[{"name":"label","value":"SI-4(20)"},{"name":"label","value":"SI-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}."},{"id":"si-4.20_gdn","name":"guidance","prose":"Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions."},{"id":"si-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(20)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.20_odp }} of privileged users is implemented.","links":[{"href":"#si-4.20_smt","rel":"assessment-for"}]},{"id":"si-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","params":[{"id":"si-04.22_odp.01","props":[{"name":"alt-identifier","value":"si-4.22_prm_1"},{"name":"label","value":"SI-04(22)_ODP[01]","class":"sp800-53a"}],"label":"authorization or approval processes","guidelines":[{"prose":"authorization or approval processes for network services are defined;"}]},{"id":"si-04.22_odp.02","props":[{"name":"alt-identifier","value":"si-4.22_prm_2"},{"name":"label","value":"SI-04(22)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["audit","alert {{ insert: param, si-04.22_odp.03 }} "]}},{"id":"si-04.22_odp.03","props":[{"name":"alt-identifier","value":"si-4.22_prm_3"},{"name":"label","value":"SI-04(22)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4(22)"},{"name":"label","value":"SI-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"si-4.22_smt","name":"statement","parts":[{"id":"si-4.22_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and"},{"id":"si-4.22_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, si-04.22_odp.02 }} when detected."}]},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services."},{"id":"si-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)","class":"sp800-53a"}],"parts":[{"id":"si-4.22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(a)","class":"sp800-53a"}],"prose":"network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;","links":[{"href":"#si-4.22_smt.a","rel":"assessment-for"}]},{"id":"si-4.22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.22_odp.02 }} is\/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.","links":[{"href":"#si-4.22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.22_smt","rel":"assessment-for"}]},{"id":"si-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization\/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;","links":[{"href":"#si-5_smt.a","rel":"assessment-for"}]},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;","links":[{"href":"#si-5_smt.b","rel":"assessment-for"}]},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};","links":[{"href":"#si-5_smt.c","rel":"assessment-for"}]},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.","links":[{"href":"#si-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-5_smt","rel":"assessment-for"}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","params":[{"id":"si-05.01_odp","props":[{"name":"alt-identifier","value":"si-5.1_prm_1"},{"name":"label","value":"SI-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;"}]}],"props":[{"name":"label","value":"SI-5(1)"},{"name":"label","value":"SI-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-5","rel":"required"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level."},{"id":"si-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05(01)","class":"sp800-53a"}],"prose":" {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.","links":[{"href":"#si-5.1_smt","rel":"assessment-for"}]},{"id":"si-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing the dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security and Privacy Function Verification","params":[{"id":"si-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.02"}],"label":"organization-defined security and privacy functions"},{"id":"si-06_odp.01","props":[{"name":"label","value":"SI-06_ODP[01]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.02","props":[{"name":"label","value":"SI-06_ODP[02]","class":"sp800-53a"}],"label":"privacy functions","guidelines":[{"prose":"privacy functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.03","props":[{"name":"alt-identifier","value":"si-6_prm_2"},{"name":"label","value":"SI-06_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-06_odp.04 }} ","upon command by user with appropriate privilege"," {{ insert: param, si-06_odp.05 }} "]}},{"id":"si-06_odp.04","props":[{"name":"alt-identifier","value":"si-6_prm_3"},{"name":"label","value":"SI-06_ODP[04]","class":"sp800-53a"}],"label":"system transitional states","guidelines":[{"prose":"system transitional states requiring the verification of security and privacy functions are defined; (if selected)"}]},{"id":"si-06_odp.05","props":[{"name":"alt-identifier","value":"si-6_prm_4"},{"name":"label","value":"SI-06_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)"}]},{"id":"si-06_odp.06","props":[{"name":"alt-identifier","value":"si-6_prm_5"},{"name":"label","value":"SI-06_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of failed security and privacy verification tests is\/are defined;"}]},{"id":"si-06_odp.07","props":[{"name":"alt-identifier","value":"si-6_prm_6"},{"name":"label","value":"SI-06_ODP[07]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut the system down","restart the system"," {{ insert: param, si-06_odp.08 }} "]}},{"id":"si-06_odp.08","props":[{"name":"alt-identifier","value":"si-6_prm_7"},{"name":"label","value":"SI-06_ODP[08]","class":"sp800-53a"}],"label":"alternative action(s)","guidelines":[{"prose":"alternative action(s) to be performed when anomalies are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-6"},{"name":"label","value":"SI-06","class":"sp800-53a"},{"name":"sort-id","value":"si-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-6_smt","name":"statement","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verify the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":" {{ insert: param, si-06_odp.07 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected."},{"id":"si-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;","links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]},{"id":"si-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;","links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]},{"id":"si-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};","links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]},{"id":"si-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};","links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]},{"id":"si-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.06 }} is\/are alerted to failed security verification tests;","links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]},{"id":"si-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.06 }} is\/are alerted to failed privacy verification tests;","links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]},{"id":"si-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-06d.","class":"sp800-53a"}],"prose":" {{ insert: param, si-06_odp.07 }} is\/are initiated when anomalies are discovered.","links":[{"href":"#si-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt","rel":"assessment-for"}]},{"id":"si-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"si-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nmechanisms supporting and\/or implementing the security and privacy function verification capability"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt","rel":"assessment-for"}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} "," {{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} "," {{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} "," {{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-07.02_odp","props":[{"name":"alt-identifier","value":"si-7.2_prm_1"},{"name":"label","value":"SI-07(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"label","value":"SI-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers."},{"id":"si-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(02)","class":"sp800-53a"}],"prose":"automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.","links":[{"href":"#si-7.2_smt","rel":"assessment-for"}]},{"id":"si-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers"}]},{"id":"si-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-07.05_odp.01","props":[{"name":"alt-identifier","value":"si-7.5_prm_1"},{"name":"label","value":"SI-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut down the system","restart the system","implement {{ insert: param, si-07.05_odp.02 }} "]}},{"id":"si-07.05_odp.02","props":[{"name":"alt-identifier","value":"si-7.5_prm_2"},{"name":"label","value":"SI-07(05)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented automatically when integrity violations are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"label","value":"SI-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.","links":[{"href":"#si-7.5_smt","rel":"assessment-for"}]},{"id":"si-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.","links":[{"href":"#si-7.7_smt","rel":"assessment-for"}]},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.15","class":"SP800-53-enhancement","title":"Code Authentication","params":[{"id":"si-07.15_odp","props":[{"name":"alt-identifier","value":"si-7.15_prm_1"},{"name":"label","value":"SI-07(15)_ODP","class":"sp800-53a"}],"label":"software or firmware components","guidelines":[{"prose":"software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;"}]}],"props":[{"name":"label","value":"SI-7(15)"},{"name":"label","value":"SI-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-5","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.15_smt","name":"statement","prose":"Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}."},{"id":"si-7.15_gdn","name":"guidance","prose":"Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(15)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.","links":[{"href":"#si-7.15_smt","rel":"assessment-for"}]},{"id":"si-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms authenticating software and firmware prior to installation"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.","links":[{"href":"#si-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt","rel":"assessment-for"}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.","links":[{"href":"#si-8.2_smt","rel":"assessment-for"}]},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked.","links":[{"href":"#si-10_smt","rel":"assessment-for"}]},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;","links":[{"href":"#si-11_smt.a","rel":"assessment-for"}]},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}.","links":[{"href":"#si-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-11_smt","rel":"assessment-for"}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.","links":[{"href":"#si-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":" {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.","links":[{"href":"#si-16_smt","rel":"assessment-for"}]},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sr-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;","links":[{"href":"#sr-1_smt.b","rel":"assessment-for"}]},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt","rel":"assessment-for"}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;","links":[{"href":"#sr-2_smt.b","rel":"assessment-for"}]},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification.","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt","rel":"assessment-for"}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.","links":[{"href":"#sr-2.1_smt","rel":"assessment-for"}]},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;","links":[{"href":"#sr-3_smt.b","rel":"assessment-for"}]},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.","links":[{"href":"#sr-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt","rel":"assessment-for"}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.","links":[{"href":"#sr-6_smt","rel":"assessment-for"}]},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.","links":[{"href":"#sr-8_smt","rel":"assessment-for"}]},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-9","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SR-9"},{"name":"label","value":"SR-09","class":"sp800-53a"},{"name":"sort-id","value":"sr-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-9_smt","name":"statement","prose":"Implement a tamper protection program for the system, system component, or system service."},{"id":"sr-9_gdn","name":"guidance","prose":"Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and\/or tamper detection is essential to protecting systems and components during distribution and when in use."},{"id":"sr-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09","class":"sp800-53a"}],"prose":"a tamper protection program is implemented for the system, system component, or system service.","links":[{"href":"#sr-9_smt","rel":"assessment-for"}]},{"id":"sr-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and\/or implementing the tamper protection program"}]}],"controls":[{"id":"sr-9.1","class":"SP800-53-enhancement","title":"Multiple Stages of System Development Life Cycle","props":[{"name":"label","value":"SR-9(1)"},{"name":"label","value":"SR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-9","rel":"required"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sr-9.1_smt","name":"statement","prose":"Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle."},{"id":"sr-9.1_gdn","name":"guidance","prose":"The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage."},{"id":"sr-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09(01)","class":"sp800-53a"}],"prose":"anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.","links":[{"href":"#sr-9.1_smt","rel":"assessment-for"}]},{"id":"sr-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities"}]},{"id":"sr-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and\/or implementing anti-tamper technologies"}]}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.","links":[{"href":"#sr-10_smt","rel":"assessment-for"}]},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.","links":[{"href":"#sr-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt","rel":"assessment-for"}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).","links":[{"href":"#sr-11.1_smt","rel":"assessment-for"}]},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.","links":[{"href":"#sr-12_smt","rel":"assessment-for"}]},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.json
index 582821f1..19d6c232 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.json
@@ -1,10 +1,10 @@
 {
   "catalog": {
-    "uuid": "fa9322a2-ab84-423c-b677-8602000b4876",
+    "uuid": "283e5a73-1997-40fe-8d7e-38abfe6c6b2b",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:45.431064-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE",
+      "last-modified": "2023-12-05T21:55:03.03012Z",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "props": [
         {
@@ -468,7 +468,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an access control policy is developed and documented;"
+                        "prose": "an access control policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-2",
@@ -480,7 +486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
+                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-3",
@@ -492,7 +504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"
+                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-4",
@@ -504,7 +522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"
+                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a.1",
@@ -538,7 +562,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-2",
@@ -550,7 +580,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-3",
@@ -562,7 +598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-4",
@@ -574,7 +616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-5",
@@ -586,7 +634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-6",
@@ -598,7 +652,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-7",
@@ -610,7 +670,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -624,10 +696,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -640,7 +730,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"
+                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-1_obj.c",
@@ -674,7 +770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"
+                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.1-2",
@@ -686,7 +788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"
+                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -711,7 +825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"
+                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.2-2",
@@ -723,12 +843,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."
+                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1410,7 +1554,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types allowed for use within the system are defined and documented;"
+                        "prose": "account types allowed for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.a-2",
@@ -1422,7 +1572,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types specifically prohibited for use within the system are defined and documented;"
+                        "prose": "account types specifically prohibited for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1436,7 +1598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "account managers are assigned;"
+                    "prose": "account managers are assigned;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.c",
@@ -1448,7 +1616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"
+                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.d",
@@ -1471,7 +1645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized users of the system are specified;"
+                        "prose": "authorized users of the system are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.2",
@@ -1483,7 +1663,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "group and role membership are specified;"
+                        "prose": "group and role membership are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.3",
@@ -1506,7 +1692,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access authorizations (i.e., privileges) are specified for each account;"
+                            "prose": "access authorizations (i.e., privileges) are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-2_obj.d.3-2",
@@ -1518,10 +1710,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;"
+                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.d",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -1534,7 +1744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"
+                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.f",
@@ -1557,7 +1773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-2",
@@ -1569,7 +1791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-3",
@@ -1581,7 +1809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-4",
@@ -1593,7 +1827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-5",
@@ -1605,7 +1845,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1619,7 +1871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of accounts is monitored; "
+                    "prose": "the use of accounts is monitored; ",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.h",
@@ -1642,7 +1900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.2",
@@ -1654,7 +1918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.3",
@@ -1666,7 +1936,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1691,7 +1973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on a valid access authorization;"
+                        "prose": "access to the system is authorized based on a valid access authorization;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.2",
@@ -1703,7 +1991,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on intended system usage;"
+                        "prose": "access to the system is authorized based on intended system usage;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.3",
@@ -1715,7 +2009,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"
+                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.i",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1729,7 +2035,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"
+                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.j",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.k",
@@ -1752,7 +2064,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.k-2",
@@ -1764,7 +2082,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.k",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1789,7 +2119,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel termination processes;"
+                        "prose": "account management processes are aligned with personnel termination processes;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.l-2",
@@ -1801,10 +2137,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel transfer processes."
+                        "prose": "account management processes are aligned with personnel transfer processes.",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.l",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1948,7 +2302,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."
+                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.1_asm-examine",
@@ -2116,7 +2476,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."
+                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.2_asm-examine",
@@ -2336,7 +2702,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.b",
@@ -2348,7 +2720,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.c",
@@ -2360,7 +2738,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.d",
@@ -2372,7 +2756,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2514,7 +2910,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account creation is automatically audited;"
+                        "prose": "account creation is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-2",
@@ -2526,7 +2928,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account modification is automatically audited;"
+                        "prose": "account modification is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-3",
@@ -2538,7 +2946,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account enabling is automatically audited;"
+                        "prose": "account enabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-4",
@@ -2550,7 +2964,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account disabling is automatically audited;"
+                        "prose": "account disabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-5",
@@ -2562,7 +2982,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account removal actions are automatically audited."
+                        "prose": "account removal actions are automatically audited.",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2716,7 +3148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}."
+                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.5_asm-examine",
@@ -2857,7 +3295,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced."
+                    "prose": " {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.",
+                    "links": [
+                      {
+                        "href": "#ac-2.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.11_asm-examine",
@@ -3079,7 +3523,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; "
+                        "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ",
+                        "links": [
+                          {
+                            "href": "#ac-2.12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.12_obj.b",
@@ -3091,7 +3541,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}."
+                        "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-2.12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.12_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3264,7 +3726,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."
+                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.13_asm-examine",
@@ -3489,6 +3957,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-3",
                 "rel": "related"
@@ -3587,7 +4059,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."
+                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
+                "links": [
+                  {
+                    "href": "#ac-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-3_asm-examine",
@@ -3810,7 +4288,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."
+                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-4_asm-examine",
@@ -4005,7 +4489,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."
+                    "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.4_asm-examine",
@@ -4249,7 +4739,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-05_odp }} are identified and documented;"
+                    "prose": " {{ insert: param, ac-05_odp }} are identified and documented;",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-5_obj.b",
@@ -4261,7 +4757,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system access authorizations to support separation of duties are defined."
+                    "prose": "system access authorizations to support separation of duties are defined.",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -4428,7 +4936,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
+                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.",
+                "links": [
+                  {
+                    "href": "#ac-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-6_asm-examine",
@@ -4731,7 +5245,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-2",
@@ -4743,7 +5263,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-3",
@@ -4755,7 +5281,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -4769,7 +5307,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."
+                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4930,7 +5480,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."
+                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.2_asm-examine",
@@ -5116,7 +5672,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};"
+                        "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-6.3_obj-2",
@@ -5128,7 +5690,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system."
+                        "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5285,7 +5859,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."
+                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-6.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.5_asm-examine",
@@ -5491,7 +6071,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"
+                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-6.7_obj.b",
@@ -5503,7 +6089,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."
+                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5638,7 +6236,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the execution of privileged functions is logged."
+                    "prose": "the execution of privileged functions is logged.",
+                    "links": [
+                      {
+                        "href": "#ac-6.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.9_asm-examine",
@@ -5759,7 +6363,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-privileged users are prevented from executing privileged functions."
+                    "prose": "non-privileged users are prevented from executing privileged functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.10_asm-examine",
@@ -6066,7 +6676,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"
+                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7_obj.b",
@@ -6078,7 +6694,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."
+                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6399,7 +7027,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that users are accessing a U.S. Government system;"
+                        "prose": "the system use notification states that users are accessing a U.S. Government system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.2",
@@ -6411,7 +7045,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;"
+                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.3",
@@ -6423,7 +7063,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"
+                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.4",
@@ -6435,7 +7081,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;"
+                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6449,7 +7107,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"
+                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;",
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-8_obj.c",
@@ -6472,7 +7136,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"
+                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.2",
@@ -6484,7 +7154,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"
+                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.3",
@@ -6496,10 +7172,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included."
+                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -6668,7 +7362,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}."
+                "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ac-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-10_asm-examine",
@@ -6878,7 +7578,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"
+                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11_obj.b",
@@ -6890,7 +7596,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures."
+                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7013,7 +7731,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image."
+                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.",
+                    "links": [
+                      {
+                        "href": "#ac-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11.1_asm-examine",
@@ -7171,7 +7895,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}."
+                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-12_asm-examine",
@@ -7356,7 +8086,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"
+                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;",
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-14_obj.b",
@@ -7379,7 +8115,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;"
+                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-14_obj.b-2",
@@ -7391,10 +8133,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."
+                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -7635,7 +8395,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "usage restrictions are established and documented for each type of remote access allowed;"
+                        "prose": "usage restrictions are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-2",
@@ -7647,7 +8413,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;"
+                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-3",
@@ -7659,7 +8431,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established and documented for each type of remote access allowed;"
+                        "prose": "implementation guidance is established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7673,7 +8457,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of remote access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of remote access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7828,7 +8624,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to monitor remote access methods;"
+                        "prose": "automated mechanisms are employed to monitor remote access methods;",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17.1_obj-2",
@@ -7840,7 +8642,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to control remote access methods."
+                        "prose": "automated mechanisms are employed to control remote access methods.",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7975,7 +8789,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."
+                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.",
+                    "links": [
+                      {
+                        "href": "#ac-17.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.2_asm-examine",
@@ -8100,7 +8920,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote accesses are routed through authorized and managed network access control points."
+                    "prose": "remote accesses are routed through authorized and managed network access control points.",
+                    "links": [
+                      {
+                        "href": "#ac-17.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.3_asm-examine",
@@ -8328,7 +9154,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-2",
@@ -8340,7 +9172,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-3",
@@ -8352,7 +9190,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"
+                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-4",
@@ -8364,7 +9208,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"
+                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -8378,7 +9234,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rationale for remote access is documented in the security plan for the system."
+                        "prose": "the rationale for remote access is documented in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8604,7 +9472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for each type of wireless access;"
+                        "prose": "configuration requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-2",
@@ -8616,7 +9490,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for each type of wireless access;"
+                        "prose": "connection requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-3",
@@ -8628,7 +9508,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for each type of wireless access;"
+                        "prose": "implementation guidance is established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8642,7 +9534,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -8811,7 +9715,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"
+                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.1_obj-2",
@@ -8823,7 +9733,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using encryption."
+                        "prose": "wireless access to the system is protected using encryption.",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8951,7 +9873,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."
+                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.",
+                    "links": [
+                      {
+                        "href": "#ac-18.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-18.3_asm-examine",
@@ -9091,7 +10019,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "users allowed to independently configure wireless networking capabilities are identified;"
+                        "prose": "users allowed to independently configure wireless networking capabilities are identified;",
+                        "links": [
+                          {
+                            "href": "#ac-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.4_obj-2",
@@ -9103,7 +10037,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized."
+                        "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized.",
+                        "links": [
+                          {
+                            "href": "#ac-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9241,7 +10187,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;"
+                        "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;",
+                        "links": [
+                          {
+                            "href": "#ac-18.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.5_obj-2",
@@ -9253,7 +10205,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."
+                        "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.",
+                        "links": [
+                          {
+                            "href": "#ac-18.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9515,7 +10479,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-2",
@@ -9527,7 +10497,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-3",
@@ -9539,7 +10515,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9553,7 +10541,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the connection of mobile devices to organizational systems is authorized."
+                    "prose": "the connection of mobile devices to organizational systems is authorized.",
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9730,7 +10730,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."
+                    "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-19.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-19.5_asm-examine",
@@ -10055,11 +11061,17 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.1",
+                            "value": "AC-20a.01",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20_obj.a.2",
@@ -10067,11 +11079,23 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.2",
+                            "value": "AC-20a.02",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10085,7 +11109,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."
+                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).",
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -10247,7 +11283,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20.1_obj.b",
@@ -10259,7 +11301,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10412,7 +11466,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."
+                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-20.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.2_asm-examine",
@@ -10657,7 +11717,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"
+                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-21_obj.b",
@@ -10669,7 +11735,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."
+                    "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -10886,7 +11964,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "designated individuals are authorized to make information publicly accessible;"
+                    "prose": "designated individuals are authorized to make information publicly accessible;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.b",
@@ -10898,7 +11982,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"
+                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.c",
@@ -10910,7 +12000,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"
+                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.d",
@@ -10933,7 +12029,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"
+                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-22_obj.d-2",
@@ -10945,10 +12047,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "non-public information is removed from the publicly accessible system, if discovered."
+                        "prose": "non-public information is removed from the publicly accessible system, if discovered.",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -11414,7 +12534,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an awareness and training policy is developed and documented; "
+                        "prose": "an awareness and training policy is developed and documented; ",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-2",
@@ -11426,7 +12552,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"
+                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-3",
@@ -11438,7 +12570,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"
+                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-4",
@@ -11450,7 +12588,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."
+                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a.1",
@@ -11484,7 +12628,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-2",
@@ -11496,7 +12646,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-3",
@@ -11508,7 +12664,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-4",
@@ -11520,7 +12682,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-5",
@@ -11532,7 +12700,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-6",
@@ -11544,7 +12718,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-7",
@@ -11556,7 +12736,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -11570,10 +12762,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"
+                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -11586,7 +12796,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"
+                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#at-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-1_obj.c",
@@ -11620,7 +12836,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "
+                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.1-2",
@@ -11632,7 +12854,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"
+                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -11657,7 +12891,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"
+                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.2-2",
@@ -11669,12 +12909,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."
+                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#at-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -12123,7 +13387,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-2",
@@ -12135,7 +13405,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-3",
@@ -12147,7 +13423,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-4",
@@ -12159,7 +13441,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -12184,7 +13478,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.2-2",
@@ -12196,10 +13496,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -12212,7 +13530,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"
+                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2_obj.c",
@@ -12235,7 +13559,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"
+                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2_obj.c-2",
@@ -12247,7 +13577,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"
+                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12261,7 +13603,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12404,7 +13758,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;"
+                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.2_obj-2",
@@ -12416,7 +13776,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential indicators of insider threat is provided."
+                        "prose": "literacy training on reporting potential indicators of insider threat is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12533,7 +13905,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-2",
@@ -12545,7 +13923,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-3",
@@ -12557,7 +13941,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-4",
@@ -12569,7 +13959,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social mining is provided."
+                        "prose": "literacy training on reporting potential and actual instances of social mining is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12974,7 +14376,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-2",
@@ -12986,7 +14394,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-3",
@@ -12998,7 +14412,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-4",
@@ -13010,7 +14430,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -13035,7 +14467,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.2-2",
@@ -13047,10 +14485,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -13074,7 +14530,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};"
+                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3_obj.b-2",
@@ -13086,7 +14548,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};"
+                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13100,7 +14574,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
+                    "links": [
+                      {
+                        "href": "#at-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13319,7 +14805,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-4_obj.a-2",
@@ -13331,7 +14823,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13345,7 +14849,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}."
+                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#at-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13804,7 +15320,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit and accountability policy is developed and documented;"
+                        "prose": "an audit and accountability policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-2",
@@ -13816,7 +15338,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"
+                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-3",
@@ -13828,7 +15356,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"
+                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-4",
@@ -13840,7 +15374,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"
+                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a.1",
@@ -13874,7 +15414,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-2",
@@ -13886,7 +15432,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-3",
@@ -13898,7 +15450,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-4",
@@ -13910,7 +15468,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-5",
@@ -13922,7 +15486,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-6",
@@ -13934,7 +15504,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-7",
@@ -13946,7 +15522,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -13960,10 +15548,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -13976,7 +15582,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"
+                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#au-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-1_obj.c",
@@ -14010,7 +15622,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.1-2",
@@ -14022,7 +15640,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -14047,7 +15677,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"
+                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.2-2",
@@ -14059,12 +15695,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."
+                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -14466,7 +16126,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"
+                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.b",
@@ -14478,7 +16144,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.c",
@@ -14501,7 +16173,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"
+                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-2_obj.c-2",
@@ -14513,7 +16191,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"
+                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -14527,7 +16217,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"
+                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.e",
@@ -14539,7 +16235,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."
+                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14781,7 +16489,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes what type of event occurred;"
+                    "prose": "audit records contain information that establishes what type of event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.b",
@@ -14793,7 +16507,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes when the event occurred;"
+                    "prose": "audit records contain information that establishes when the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.c",
@@ -14805,7 +16525,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes where the event occurred;"
+                    "prose": "audit records contain information that establishes where the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.d",
@@ -14817,7 +16543,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the source of the event;"
+                    "prose": "audit records contain information that establishes the source of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.e",
@@ -14829,7 +16561,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the outcome of the event;"
+                    "prose": "audit records contain information that establishes the outcome of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.f",
@@ -14841,7 +16579,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event."
+                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14986,7 +16736,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}."
+                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3.1_asm-examine",
@@ -15168,7 +16924,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."
+                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-4_asm-examine",
@@ -15417,7 +17179,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"
+                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5_obj.b",
@@ -15429,7 +17197,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."
+                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15614,7 +17394,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."
+                    "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.",
+                    "links": [
+                      {
+                        "href": "#au-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.1_asm-examine",
@@ -15797,7 +17583,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur."
+                    "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.",
+                    "links": [
+                      {
+                        "href": "#au-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.2_asm-examine",
@@ -16134,7 +17926,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"
+                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.b",
@@ -16146,7 +17944,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};"
+                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.c",
@@ -16158,7 +17962,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
+                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -16290,7 +18106,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."
+                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.1_asm-examine",
@@ -16424,7 +18246,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."
+                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.",
+                    "links": [
+                      {
+                        "href": "#au-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.3_asm-examine",
@@ -16603,7 +18431,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."
+                    "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.",
+                    "links": [
+                      {
+                        "href": "#au-6.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.5_asm-examine",
@@ -16729,7 +18563,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."
+                    "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.",
+                    "links": [
+                      {
+                        "href": "#au-6.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.6_asm-examine",
@@ -16951,7 +18791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.a-2",
@@ -16963,7 +18809,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16988,7 +18846,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"
+                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.b-2",
@@ -17000,10 +18864,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."
+                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -17163,7 +19045,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7.1_obj-2",
@@ -17175,7 +19063,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -17368,7 +19268,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system clocks are used to generate timestamps for audit records;"
+                    "prose": "internal system clocks are used to generate timestamps for audit records;",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-8_obj.b",
@@ -17380,7 +19286,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."
+                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -17623,7 +19541,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"
+                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9_obj.b",
@@ -17635,7 +19559,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."
+                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -17788,7 +19724,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."
+                    "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.",
+                    "links": [
+                      {
+                        "href": "#au-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.2_asm-examine",
@@ -17921,7 +19863,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented."
+                    "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.",
+                    "links": [
+                      {
+                        "href": "#au-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.3_asm-examine",
@@ -18068,7 +20016,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."
+                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.4_asm-examine",
@@ -18275,7 +20229,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."
+                "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-10_asm-examine",
@@ -18459,7 +20419,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+                "links": [
+                  {
+                    "href": "#au-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-11_asm-examine",
@@ -18717,7 +20683,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"
+                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.b",
@@ -18729,7 +20701,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;"
+                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.c",
@@ -18741,7 +20719,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."
+                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -18919,7 +20909,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."
+                    "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#au-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12.1_asm-examine",
@@ -19137,7 +21133,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;"
+                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;",
+                        "links": [
+                          {
+                            "href": "#au-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-12.3_obj-2",
@@ -19149,7 +21151,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented."
+                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.",
+                        "links": [
+                          {
+                            "href": "#au-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-12.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19634,7 +21648,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;"
+                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-2",
@@ -19646,7 +21666,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"
+                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-3",
@@ -19658,7 +21684,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"
+                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-4",
@@ -19670,7 +21702,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"
+                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a.1",
@@ -19704,7 +21742,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-2",
@@ -19716,7 +21760,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-3",
@@ -19728,7 +21778,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-4",
@@ -19740,7 +21796,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-5",
@@ -19752,7 +21814,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-6",
@@ -19764,7 +21832,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-7",
@@ -19776,7 +21850,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -19790,10 +21876,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -19806,7 +21910,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"
+                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-1_obj.c",
@@ -19840,7 +21950,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.1-2",
@@ -19852,7 +21968,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -19877,7 +22005,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.2-2",
@@ -19889,12 +22023,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -20247,7 +22405,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"
+                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.b",
@@ -20270,7 +22434,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.2",
@@ -20282,7 +22452,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.3",
@@ -20305,7 +22481,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-2",
@@ -20317,7 +22499,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-3",
@@ -20329,10 +22517,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -20345,7 +22551,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"
+                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.d",
@@ -20368,7 +22580,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.d-2",
@@ -20380,7 +22598,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20394,7 +22624,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a control assessment report is produced that documents the results of the assessment;"
+                    "prose": "a control assessment report is produced that documents the results of the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.f",
@@ -20406,7 +22642,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."
+                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20534,7 +22782,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to conduct control assessments."
+                    "prose": "independent assessors or assessment teams are employed to conduct control assessments.",
+                    "links": [
+                      {
+                        "href": "#ca-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.1_asm-examine",
@@ -20741,7 +22995,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments."
+                    "prose": " {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.",
+                    "links": [
+                      {
+                        "href": "#ca-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.2_asm-examine",
@@ -21038,7 +23298,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"
+                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3_obj.b",
@@ -21061,7 +23327,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the interface characteristics are documented as part of each exchange agreement;"
+                        "prose": "the interface characteristics are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-2",
@@ -21073,7 +23345,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security requirements are documented as part of each exchange agreement;"
+                        "prose": "security requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-3",
@@ -21085,7 +23363,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy requirements are documented as part of each exchange agreement;"
+                        "prose": "privacy requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-4",
@@ -21097,7 +23381,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are documented as part of each exchange agreement;"
+                        "prose": "controls are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-5",
@@ -21109,7 +23399,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "responsibilities for each system are documented as part of each exchange agreement;"
+                        "prose": "responsibilities for each system are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-6",
@@ -21121,7 +23417,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;"
+                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21135,7 +23443,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."
+                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -21258,7 +23578,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."
+                    "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.",
+                    "links": [
+                      {
+                        "href": "#ca-3.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3.6_asm-examine",
@@ -21474,7 +23800,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"
+                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5_obj.b",
@@ -21486,7 +23818,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."
+                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -21767,7 +24111,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for the system;"
+                    "prose": "a senior official is assigned as the authorizing official for the system;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.b",
@@ -21779,7 +24129,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"
+                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.c",
@@ -21802,7 +24158,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"
+                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6_obj.c.2",
@@ -21814,7 +24176,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;"
+                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21828,7 +24202,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"
+                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.e",
@@ -21840,7 +24220,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}."
+                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22448,7 +24840,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-level continuous monitoring strategy is developed;"
+                    "prose": "a system-level continuous monitoring strategy is developed;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj-2",
@@ -22460,7 +24858,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.a",
@@ -22472,7 +24876,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"
+                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.b",
@@ -22495,7 +24905,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.b-2",
@@ -22507,7 +24923,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22521,7 +24949,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.d",
@@ -22533,7 +24967,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.e",
@@ -22545,7 +24985,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"
+                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.f",
@@ -22557,7 +25003,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"
+                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.g",
@@ -22580,7 +25032,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"
+                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.g-2",
@@ -22592,10 +25050,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."
+                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -22722,7 +25198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."
+                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#ca-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7.1_asm-examine",
@@ -22878,7 +25360,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "effectiveness monitoring is included in risk monitoring;"
+                        "prose": "effectiveness monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.b",
@@ -22890,7 +25378,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance monitoring is included in risk monitoring;"
+                        "prose": "compliance monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.c",
@@ -22902,7 +25396,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "change monitoring is included in risk monitoring."
+                        "prose": "change monitoring is included in risk monitoring.",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23095,7 +25601,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."
+                "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ca-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ca-8_asm-examine",
@@ -23225,7 +25737,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components."
+                    "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.",
+                    "links": [
+                      {
+                        "href": "#ca-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-8.1_asm-examine",
@@ -23490,7 +26008,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"
+                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.b",
@@ -23513,7 +26037,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the interface characteristics are documented;"
+                        "prose": "for each internal connection, the interface characteristics are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-2",
@@ -23525,7 +26055,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the security requirements are documented;"
+                        "prose": "for each internal connection, the security requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-3",
@@ -23537,7 +26073,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the privacy requirements are documented;"
+                        "prose": "for each internal connection, the privacy requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-4",
@@ -23549,7 +26091,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the nature of the information communicated is documented;"
+                        "prose": "for each internal connection, the nature of the information communicated is documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23563,7 +26117,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"
+                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.d",
@@ -23575,7 +26135,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."
+                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -24042,7 +26614,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a configuration management policy is developed and documented;"
+                        "prose": "a configuration management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-2",
@@ -24054,7 +26632,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"
+                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-3",
@@ -24066,7 +26650,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"
+                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-4",
@@ -24078,7 +26668,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"
+                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a.1",
@@ -24112,7 +26708,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-2",
@@ -24124,7 +26726,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-3",
@@ -24136,7 +26744,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-4",
@@ -24148,7 +26762,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-5",
@@ -24160,7 +26780,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-6",
@@ -24172,7 +26798,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-7",
@@ -24184,7 +26816,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -24198,10 +26842,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -24214,7 +26876,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"
+                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-1_obj.c",
@@ -24248,7 +26916,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "
+                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.1-2",
@@ -24260,7 +26934,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"
+                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -24285,7 +26971,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "
+                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.2-2",
@@ -24297,12 +26989,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."
+                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24609,7 +27325,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is developed and documented;"
+                        "prose": "a current baseline configuration of the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.a-2",
@@ -24621,7 +27343,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is maintained under configuration control;"
+                        "prose": "a current baseline configuration of the system is maintained under configuration control;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24646,7 +27380,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.2",
@@ -24658,7 +27398,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.3",
@@ -24670,10 +27416,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."
+                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24845,7 +27609,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-2",
@@ -24857,7 +27627,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-3",
@@ -24869,7 +27645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-4",
@@ -24881,7 +27663,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."
+                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25031,7 +27825,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback."
+                    "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.",
+                    "links": [
+                      {
+                        "href": "#cm-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-2.3_asm-examine",
@@ -25261,7 +28061,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"
+                        "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.7_obj.b",
@@ -25273,7 +28079,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."
+                        "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25695,7 +28513,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;"
+                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.b",
@@ -25718,7 +28542,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are reviewed;"
+                        "prose": "proposed configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.b-2",
@@ -25730,7 +28560,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"
+                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25744,7 +28586,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration change decisions associated with the system are documented;"
+                    "prose": "configuration change decisions associated with the system are documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.d",
@@ -25756,7 +28604,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approved configuration-controlled changes to the system are implemented;"
+                    "prose": "approved configuration-controlled changes to the system are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.e",
@@ -25768,7 +28622,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"
+                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.f",
@@ -25791,7 +28651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are monitored;"
+                        "prose": "activities associated with configuration-controlled changes to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.f-2",
@@ -25803,7 +28669,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;"
+                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25828,7 +28706,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"
+                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.g-2",
@@ -25840,10 +28724,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."
+                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -26131,7 +29033,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;"
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.b",
@@ -26143,7 +29051,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.c",
@@ -26155,7 +29069,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.d",
@@ -26167,7 +29087,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;"
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.e",
@@ -26179,7 +29105,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;"
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.f",
@@ -26191,7 +29123,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."
+                        "prose": " {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26330,7 +29274,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are tested before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are tested before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-2",
@@ -26342,7 +29292,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are validated before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are validated before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-3",
@@ -26354,7 +29310,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are documented before finalizing the implementation of the changes."
+                        "prose": "changes to the system are documented before finalizing the implementation of the changes.",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26558,7 +29526,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"
+                        "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.4_obj-2",
@@ -26570,7 +29544,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."
+                        "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26719,7 +29705,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management."
+                    "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.",
+                    "links": [
+                      {
+                        "href": "#cm-3.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3.6_asm-examine",
@@ -26906,7 +29898,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;"
+                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-4_obj-2",
@@ -26918,7 +29916,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation."
+                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -27065,7 +30075,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;"
+                        "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-2",
@@ -27077,7 +30093,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to flaws;"
+                        "prose": "changes to the system are analyzed for security impacts due to flaws;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-3",
@@ -27089,7 +30111,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to flaws;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to flaws;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-4",
@@ -27101,7 +30129,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to weaknesses;"
+                        "prose": "changes to the system are analyzed for security impacts due to weaknesses;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-5",
@@ -27113,7 +30147,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-6",
@@ -27125,7 +30165,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to incompatibility;"
+                        "prose": "changes to the system are analyzed for security impacts due to incompatibility;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-7",
@@ -27137,7 +30183,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-8",
@@ -27149,7 +30201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to intentional malice;"
+                        "prose": "changes to the system are analyzed for security impacts due to intentional malice;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-9",
@@ -27161,7 +30219,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to intentional malice."
+                        "prose": "changes to the system are analyzed for privacy impacts due to intentional malice.",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27312,7 +30382,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-2",
@@ -27324,7 +30400,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-3",
@@ -27336,7 +30418,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-4",
@@ -27348,7 +30436,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-5",
@@ -27360,7 +30454,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-6",
@@ -27372,7 +30472,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27552,7 +30664,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "physical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-2",
@@ -27564,7 +30682,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are approved;"
+                    "prose": "physical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-3",
@@ -27576,7 +30700,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are enforced;"
+                    "prose": "physical access restrictions associated with changes to the system are enforced;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-4",
@@ -27588,7 +30718,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "logical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-5",
@@ -27600,7 +30736,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are approved;"
+                    "prose": "logical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-6",
@@ -27612,7 +30754,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are enforced."
+                    "prose": "logical access restrictions associated with changes to the system are enforced.",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -27819,7 +30973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};"
+                        "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-5.1_obj.b",
@@ -27831,7 +30991,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit records of enforcement actions are automatically generated."
+                        "prose": "audit records of enforcement actions are automatically generated.",
+                        "links": [
+                          {
+                            "href": "#cm-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28211,7 +31383,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"
+                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.b",
@@ -28223,7 +31401,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration settings documented in CM-06a are implemented;"
+                    "prose": "the configuration settings documented in CM-06a are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.c",
@@ -28246,7 +31430,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.c-2",
@@ -28258,7 +31448,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28283,7 +31485,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;"
+                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.d-2",
@@ -28295,10 +31503,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures."
+                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -28526,7 +31752,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};"
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6.1_obj-2",
@@ -28538,7 +31770,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};"
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6.1_obj-3",
@@ -28550,7 +31788,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}."
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28727,7 +31977,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}."
+                    "prose": " {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6.2_asm-examine",
@@ -29111,7 +32367,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"
+                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7_obj.b",
@@ -29134,7 +32396,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-2",
@@ -29146,7 +32414,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-3",
@@ -29158,7 +32432,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-4",
@@ -29170,7 +32450,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-5",
@@ -29182,10 +32468,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."
+                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -29483,7 +32787,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:"
+                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:",
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.1_obj.b",
@@ -29506,7 +32816,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-2",
@@ -29518,7 +32834,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-3",
@@ -29530,7 +32852,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-4",
@@ -29542,7 +32870,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-5",
@@ -29554,10 +32888,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed."
+                            "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -29742,7 +33094,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."
+                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7.2_asm-examine",
@@ -29996,7 +33354,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;"
+                        "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.b",
@@ -30008,7 +33372,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"
+                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.c",
@@ -30020,7 +33390,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."
+                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30391,7 +33773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;"
+                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.2",
@@ -30403,7 +33791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes all components within the system is developed and documented;"
+                        "prose": "an inventory of system components that includes all components within the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.3",
@@ -30415,7 +33809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"
+                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.4",
@@ -30427,7 +33827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"
+                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.5",
@@ -30439,7 +33845,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"
+                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30453,7 +33871,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."
+                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30596,7 +34026,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component installations;"
+                        "prose": "the inventory of system components is updated as part of component installations;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-2",
@@ -30608,7 +34044,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component removals;"
+                        "prose": "the inventory of system components is updated as part of component removals;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-3",
@@ -30620,7 +34062,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of system updates."
+                        "prose": "the inventory of system components is updated as part of system updates.",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30851,7 +34305,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;"
+                        "prose": " {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-2",
@@ -30863,7 +34323,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;"
+                        "prose": " {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-3",
@@ -30875,7 +34341,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;"
+                        "prose": " {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-4",
@@ -30887,7 +34359,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory."
+                        "prose": " {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31229,7 +34713,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-2",
@@ -31241,7 +34731,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-3",
@@ -31253,7 +34749,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -31278,7 +34786,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-2",
@@ -31290,7 +34804,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-3",
@@ -31302,10 +34822,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -31460,7 +34998,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory."
+                    "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.",
+                    "links": [
+                      {
+                        "href": "#cm-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-8.4_asm-examine",
@@ -31709,7 +35253,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is developed and documented;"
+                    "prose": "a configuration management plan for the system is developed and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj-2",
@@ -31721,7 +35271,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is implemented;"
+                    "prose": "a configuration management plan for the system is implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.a",
@@ -31744,7 +35300,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses roles;"
+                        "prose": "the configuration management plan addresses roles;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-2",
@@ -31756,7 +35318,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses responsibilities;"
+                        "prose": "the configuration management plan addresses responsibilities;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-3",
@@ -31768,7 +35336,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses configuration management processes and procedures;"
+                        "prose": "the configuration management plan addresses configuration management processes and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31793,7 +35373,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"
+                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.b-2",
@@ -31805,7 +35391,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;"
+                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31830,7 +35428,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan defines the configuration items for the system;"
+                        "prose": "the configuration management plan defines the configuration items for the system;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.c-2",
@@ -31842,7 +35446,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan places the configuration items under configuration management;"
+                        "prose": "the configuration management plan places the configuration items under configuration management;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31856,7 +35472,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"
+                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.e",
@@ -31879,7 +35501,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized disclosure;"
+                        "prose": "the configuration management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.e-2",
@@ -31891,10 +35519,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized modification."
+                        "prose": "the configuration management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32081,7 +35727,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;"
+                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.b",
@@ -32093,7 +35745,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"
+                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.c",
@@ -32105,7 +35763,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
+                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -32375,7 +36045,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"
+                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.b",
@@ -32387,7 +36063,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"
+                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.c",
@@ -32399,7 +36081,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."
+                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -32677,7 +36371,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;"
+                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-2",
@@ -32689,7 +36389,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-3",
@@ -32701,7 +36407,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32726,7 +36444,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.b-2",
@@ -32738,7 +36462,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32763,7 +36499,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.c-2",
@@ -32775,10 +36517,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32947,7 +36707,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."
+                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.",
+                    "links": [
+                      {
+                        "href": "#cm-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-12.1_asm-examine",
@@ -33414,7 +37180,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency planning policy is developed and documented;"
+                        "prose": "a contingency planning policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-2",
@@ -33426,7 +37198,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"
+                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-3",
@@ -33438,7 +37216,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"
+                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-4",
@@ -33450,7 +37234,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"
+                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a.1",
@@ -33484,7 +37274,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-2",
@@ -33496,7 +37292,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-3",
@@ -33508,7 +37310,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-4",
@@ -33520,7 +37328,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-5",
@@ -33532,7 +37346,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-6",
@@ -33544,7 +37364,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-7",
@@ -33556,7 +37382,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -33570,10 +37408,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -33586,7 +37442,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"
+                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-1_obj.c",
@@ -33620,7 +37482,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.1-2",
@@ -33632,7 +37500,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -33657,7 +37537,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"
+                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.2-2",
@@ -33669,12 +37555,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."
+                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -34234,7 +38144,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"
+                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.2",
@@ -34257,7 +38173,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides recovery objectives;"
+                            "prose": "a contingency plan for the system is developed that provides recovery objectives;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-2",
@@ -34269,7 +38191,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides restoration priorities;"
+                            "prose": "a contingency plan for the system is developed that provides restoration priorities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-3",
@@ -34281,7 +38209,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides metrics;"
+                            "prose": "a contingency plan for the system is developed that provides metrics;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -34306,7 +38246,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency roles;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency roles;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-2",
@@ -34318,7 +38264,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-3",
@@ -34330,7 +38282,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;"
+                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -34344,7 +38308,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"
+                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.5",
@@ -34356,7 +38326,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"
+                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.6",
@@ -34368,7 +38344,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;"
+                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.7",
@@ -34391,7 +38373,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"
+                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.7-2",
@@ -34403,10 +38391,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"
+                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -34430,7 +38436,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.b-2",
@@ -34442,7 +38454,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34456,7 +38480,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency planning activities are coordinated with incident handling activities;"
+                    "prose": "contingency planning activities are coordinated with incident handling activities;",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.d",
@@ -34468,7 +38498,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"
+                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.e",
@@ -34491,7 +38527,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;"
+                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.e-2",
@@ -34503,7 +38545,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"
+                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34528,7 +38582,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.f-2",
@@ -34540,7 +38600,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34565,7 +38637,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"
+                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.g-2",
@@ -34577,7 +38655,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"
+                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34602,7 +38692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized disclosure;"
+                        "prose": "the contingency plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.h-2",
@@ -34614,10 +38710,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized modification."
+                        "prose": "the contingency plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -34739,7 +38853,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.1_asm-examine",
@@ -34873,7 +38993,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;"
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.2_obj-2",
@@ -34885,7 +39011,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;"
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.2_obj-3",
@@ -34897,7 +39029,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support."
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35040,7 +39184,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."
+                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.",
+                    "links": [
+                      {
+                        "href": "#cp-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.3_asm-examine",
@@ -35194,7 +39344,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;"
+                        "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;",
+                        "links": [
+                          {
+                            "href": "#cp-2.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.5_obj-2",
@@ -35206,7 +39362,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites."
+                        "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites.",
+                        "links": [
+                          {
+                            "href": "#cp-2.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35359,7 +39527,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."
+                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.",
+                    "links": [
+                      {
+                        "href": "#cp-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.8_asm-examine",
@@ -35663,7 +39837,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.2",
@@ -35675,7 +39855,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.3",
@@ -35687,7 +39873,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35712,7 +39910,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"
+                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.b-2",
@@ -35724,10 +39928,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."
+                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -35854,7 +40076,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations."
+                    "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.",
+                    "links": [
+                      {
+                        "href": "#cp-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-3.1_asm-examine",
@@ -36160,7 +40388,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"
+                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-2",
@@ -36172,7 +40406,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-3",
@@ -36184,7 +40424,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36198,7 +40450,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan test results are reviewed;"
+                    "prose": "the contingency plan test results are reviewed;",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4_obj.c",
@@ -36210,7 +40468,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "corrective actions are initiated, if needed."
+                    "prose": "corrective actions are initiated, if needed.",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -36346,7 +40616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4.1_asm-examine",
@@ -36489,7 +40765,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;"
+                        "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;",
+                        "links": [
+                          {
+                            "href": "#cp-4.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4.2_obj.b",
@@ -36501,7 +40783,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations."
+                        "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.",
+                        "links": [
+                          {
+                            "href": "#cp-4.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36711,7 +41005,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an alternate storage site is established;"
+                        "prose": "an alternate storage site is established;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6_obj.a-2",
@@ -36723,7 +41023,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"
+                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36737,7 +41049,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the alternate storage site provides controls equivalent to that of the primary site."
+                    "prose": "the alternate storage site provides controls equivalent to that of the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -36864,7 +41188,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."
+                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.",
+                    "links": [
+                      {
+                        "href": "#cp-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-6.1_asm-examine",
@@ -36974,7 +41304,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;"
+                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;",
+                        "links": [
+                          {
+                            "href": "#cp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6.2_obj-2",
@@ -36986,7 +41322,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives."
+                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.",
+                        "links": [
+                          {
+                            "href": "#cp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37124,7 +41472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6.3_obj-2",
@@ -37136,7 +41490,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37379,7 +41745,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"
+                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7_obj.b",
@@ -37402,7 +41774,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"
+                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7_obj.b-2",
@@ -37414,7 +41792,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"
+                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37428,7 +41818,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site."
+                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -37555,7 +41957,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."
+                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.",
+                    "links": [
+                      {
+                        "href": "#cp-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.1_asm-examine",
@@ -37669,7 +42077,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7.2_obj-2",
@@ -37681,7 +42095,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37782,7 +42208,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."
+                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
+                    "links": [
+                      {
+                        "href": "#cp-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.3_asm-examine",
@@ -37893,7 +42325,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions."
+                    "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.",
+                    "links": [
+                      {
+                        "href": "#cp-7.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.4_asm-examine",
@@ -38078,7 +42516,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."
+                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.",
+                "links": [
+                  {
+                    "href": "#cp-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-8_asm-examine",
@@ -38244,7 +42688,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.1_obj.a-2",
@@ -38256,7 +42706,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -38270,7 +42732,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier."
+                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.",
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -38393,7 +42867,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."
+                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.",
+                    "links": [
+                      {
+                        "href": "#cp-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.2_asm-examine",
@@ -38492,7 +42972,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats."
+                    "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.",
+                    "links": [
+                      {
+                        "href": "#cp-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.3_asm-examine",
@@ -38705,7 +43191,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "primary telecommunications service providers are required to have contingency plans;"
+                            "prose": "primary telecommunications service providers are required to have contingency plans;",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.4_obj.a-2",
@@ -38717,7 +43209,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "alternate telecommunications service providers are required to have contingency plans;"
+                            "prose": "alternate telecommunications service providers are required to have contingency plans;",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -38731,7 +43235,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;"
+                        "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-8.4_obj.c",
@@ -38754,7 +43264,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}."
+                            "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.4_obj.c-2",
@@ -38766,10 +43282,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}."
+                            "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-8.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -39080,7 +43614,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"
+                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.b",
@@ -39092,7 +43632,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"
+                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.c",
@@ -39104,7 +43650,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"
+                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.d",
@@ -39127,7 +43679,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the confidentiality of backup information is protected;"
+                        "prose": "the confidentiality of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-2",
@@ -39139,7 +43697,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of backup information is protected;"
+                        "prose": "the integrity of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-3",
@@ -39151,10 +43715,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of backup information is protected."
+                        "prose": "the availability of backup information is protected.",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -39341,7 +43923,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.1_obj-2",
@@ -39353,7 +43941,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39480,7 +44080,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing."
+                    "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.",
+                    "links": [
+                      {
+                        "href": "#cp-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.2_asm-examine",
@@ -39635,7 +44241,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system."
+                    "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.",
+                    "links": [
+                      {
+                        "href": "#cp-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.3_asm-examine",
@@ -39811,7 +44423,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};"
+                        "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-9.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.5_obj-2",
@@ -39823,7 +44441,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}."
+                        "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-9.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39980,7 +44610,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."
+                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cp-9.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.8_asm-examine",
@@ -40200,7 +44836,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"
+                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10_obj-2",
@@ -40212,7 +44854,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."
+                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -40335,7 +44989,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "transaction recovery is implemented for systems that are transaction-based."
+                    "prose": "transaction recovery is implemented for systems that are transaction-based.",
+                    "links": [
+                      {
+                        "href": "#cp-10.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.2_asm-examine",
@@ -40486,7 +45146,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided."
+                    "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.",
+                    "links": [
+                      {
+                        "href": "#cp-10.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.4_asm-examine",
@@ -40977,7 +45643,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an identification and authentication policy is developed and documented;"
+                        "prose": "an identification and authentication policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-2",
@@ -40989,7 +45661,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"
+                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-3",
@@ -41001,7 +45679,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"
+                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-4",
@@ -41013,7 +45697,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"
+                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a.1",
@@ -41047,7 +45737,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-2",
@@ -41059,7 +45755,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-3",
@@ -41071,7 +45773,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-4",
@@ -41083,7 +45791,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-5",
@@ -41095,7 +45809,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-6",
@@ -41107,7 +45827,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-7",
@@ -41119,7 +45845,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -41133,10 +45871,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -41149,7 +45905,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"
+                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-1_obj.c",
@@ -41183,7 +45945,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.1-2",
@@ -41195,7 +45963,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -41220,7 +46000,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"
+                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.2-2",
@@ -41232,12 +46018,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."
+                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -41428,6 +46238,10 @@
                 "href": "#ia-8",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -41485,7 +46299,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational users are uniquely identified and authenticated;"
+                    "prose": "organizational users are uniquely identified and authenticated;",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2_obj-2",
@@ -41497,7 +46317,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."
+                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41628,7 +46460,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication is implemented for access to privileged accounts."
+                    "prose": "multi-factor authentication is implemented for access to privileged accounts.",
+                    "links": [
+                      {
+                        "href": "#ia-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.1_asm-examine",
@@ -41753,7 +46591,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented."
+                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.2_asm-examine",
@@ -41879,7 +46723,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed."
+                    "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.",
+                    "links": [
+                      {
+                        "href": "#ia-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.5_asm-examine",
@@ -42023,7 +46873,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."
+                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.8_asm-examine",
@@ -42144,7 +47000,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified."
+                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.",
+                    "links": [
+                      {
+                        "href": "#ia-2.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.12_asm-examine",
@@ -42325,6 +47187,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#si-4",
                 "rel": "related"
@@ -42351,7 +47217,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."
+                "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.",
+                "links": [
+                  {
+                    "href": "#ia-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-3_asm-examine",
@@ -42655,7 +47527,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"
+                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.b",
@@ -42667,7 +47545,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.c",
@@ -42679,7 +47563,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.d",
@@ -42691,7 +47581,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."
+                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -42841,7 +47743,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."
+                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.4_asm-examine",
@@ -43223,7 +48131,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"
+                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.b",
@@ -43235,7 +48149,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"
+                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.c",
@@ -43247,7 +48167,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"
+                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.d",
@@ -43259,7 +48185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"
+                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.e",
@@ -43271,7 +48203,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;"
+                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.f",
@@ -43283,7 +48221,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"
+                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.g",
@@ -43295,7 +48239,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"
+                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.h",
@@ -43318,7 +48268,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5_obj.h-2",
@@ -43330,7 +48286,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43344,7 +48312,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."
+                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -43619,7 +48599,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"
+                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.b",
@@ -43631,7 +48617,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"
+                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.c",
@@ -43643,7 +48635,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;"
+                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.d",
@@ -43655,7 +48653,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"
+                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.e",
@@ -43667,7 +48671,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;"
+                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.f",
@@ -43679,7 +48689,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"
+                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.g",
@@ -43691,7 +48707,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"
+                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.h",
@@ -43703,7 +48725,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."
+                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43927,7 +48961,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;"
+                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.a.2",
@@ -43939,7 +48979,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"
+                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -43964,7 +49016,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"
+                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.b.2",
@@ -43976,10 +49034,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."
+                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -44105,7 +49181,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."
+                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.",
+                    "links": [
+                      {
+                        "href": "#ia-5.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.6_asm-examine",
@@ -44228,7 +49310,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."
+                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.",
+                "links": [
+                  {
+                    "href": "#ia-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-6_asm-examine",
@@ -44369,7 +49457,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."
+                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.",
+                "links": [
+                  {
+                    "href": "#ia-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-7_asm-examine",
@@ -44536,6 +49630,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -44574,7 +49672,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."
+                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.",
+                "links": [
+                  {
+                    "href": "#ia-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-8_asm-examine",
@@ -44710,7 +49814,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;"
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.1_obj-2",
@@ -44722,7 +49832,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44879,7 +50001,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only external authenticators that are NIST-compliant are accepted;"
+                        "prose": "only external authenticators that are NIST-compliant are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.2_obj.b",
@@ -44902,7 +50030,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is documented;"
+                            "prose": "a list of accepted external authenticators is documented;",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-8.2_obj.b-2",
@@ -44914,10 +50048,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is maintained."
+                            "prose": "a list of accepted external authenticators is maintained.",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -45061,7 +50213,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."
+                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.",
+                    "links": [
+                      {
+                        "href": "#ia-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-8.4_asm-examine",
@@ -45236,7 +50394,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}."
+                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.",
+                "links": [
+                  {
+                    "href": "#ia-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-11_asm-examine",
@@ -45378,6 +50542,10 @@
               {
                 "href": "#ia-8",
                 "rel": "related"
+              },
+              {
+                "href": "#ia-13",
+                "rel": "related"
               }
             ],
             "parts": [
@@ -45446,7 +50614,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"
+                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.b",
@@ -45458,7 +50632,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "user identities are resolved to a unique individual;"
+                    "prose": "user identities are resolved to a unique individual;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.c",
@@ -45481,7 +50661,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is collected;"
+                        "prose": "identity evidence is collected;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-2",
@@ -45493,7 +50679,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is validated;"
+                        "prose": "identity evidence is validated;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-3",
@@ -45505,10 +50697,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is verified."
+                        "prose": "identity evidence is verified.",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -45630,7 +50840,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "evidence of individual identification is presented to the registration authority."
+                    "prose": "evidence of individual identification is presented to the registration authority.",
+                    "links": [
+                      {
+                        "href": "#ia-12.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.2_asm-examine",
@@ -45778,7 +50994,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."
+                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-12.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.3_asm-examine",
@@ -45899,7 +51121,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority."
+                    "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority.",
+                    "links": [
+                      {
+                        "href": "#ia-12.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.4_asm-examine",
@@ -46046,7 +51274,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."
+                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.",
+                    "links": [
+                      {
+                        "href": "#ia-12.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.5_asm-examine",
@@ -46521,7 +51755,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response policy is developed and documented;"
+                        "prose": "an incident response policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-2",
@@ -46533,7 +51773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"
+                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-3",
@@ -46545,7 +51791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"
+                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-4",
@@ -46557,7 +51809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"
+                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a.1",
@@ -46591,7 +51849,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-2",
@@ -46603,7 +51867,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-3",
@@ -46615,7 +51885,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-4",
@@ -46627,7 +51903,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-5",
@@ -46639,7 +51921,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-6",
@@ -46651,7 +51939,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-7",
@@ -46663,7 +51957,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -46677,10 +51983,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -46693,7 +52017,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"
+                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-1_obj.c",
@@ -46727,7 +52057,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"
+                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.1-2",
@@ -46739,7 +52075,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"
+                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -46764,7 +52112,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"
+                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.2-2",
@@ -46776,12 +52130,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."
+                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -47084,7 +52462,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.2",
@@ -47096,7 +52480,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.3",
@@ -47108,7 +52498,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47133,7 +52535,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"
+                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.b-2",
@@ -47145,10 +52553,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."
+                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -47253,7 +52679,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations."
+                    "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.",
+                    "links": [
+                      {
+                        "href": "#ir-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-2.1_asm-examine",
@@ -47401,7 +52833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}."
+                    "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-2.2_asm-examine",
@@ -47603,7 +53041,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."
+                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ir-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ir-3_asm-examine",
@@ -47707,7 +53151,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#ir-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-3.2_asm-examine",
@@ -47995,7 +53445,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;"
+                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-2",
@@ -48007,7 +53463,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes preparation;"
+                        "prose": "the incident handling capability for incidents includes preparation;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-3",
@@ -48019,7 +53481,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes detection and analysis;"
+                        "prose": "the incident handling capability for incidents includes detection and analysis;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-4",
@@ -48031,7 +53499,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes containment;"
+                        "prose": "the incident handling capability for incidents includes containment;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-5",
@@ -48043,7 +53517,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes eradication;"
+                        "prose": "the incident handling capability for incidents includes eradication;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-6",
@@ -48055,7 +53535,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes recovery;"
+                        "prose": "the incident handling capability for incidents includes recovery;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48069,7 +53561,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities are coordinated with contingency planning activities;"
+                    "prose": "incident handling activities are coordinated with contingency planning activities;",
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4_obj.c",
@@ -48092,7 +53590,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"
+                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.c-2",
@@ -48104,7 +53608,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;"
+                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48129,7 +53645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-2",
@@ -48141,7 +53663,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-3",
@@ -48153,7 +53681,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-4",
@@ -48165,10 +53699,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of incident handling activities are comparable and predictable across the organization."
+                        "prose": "the results of incident handling activities are comparable and predictable across the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -48312,7 +53864,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."
+                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.1_asm-examine",
@@ -48433,7 +53991,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response."
+                    "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.",
+                    "links": [
+                      {
+                        "href": "#ir-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.4_asm-examine",
@@ -48591,7 +54155,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrated incident response team is established and maintained;"
+                        "prose": "an integrated incident response team is established and maintained;",
+                        "links": [
+                          {
+                            "href": "#ir-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.11_obj-2",
@@ -48603,7 +54173,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."
+                        "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ir-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.11_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48770,7 +54352,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are tracked;"
+                    "prose": "incidents are tracked;",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-5_obj-2",
@@ -48782,7 +54370,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are documented."
+                    "prose": "incidents are documented.",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -48992,7 +54592,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};"
+                        "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-5.1_obj-2",
@@ -49004,7 +54610,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};"
+                        "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-5.1_obj-3",
@@ -49016,7 +54628,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}."
+                        "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -49253,7 +54877,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"
+                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6_obj.b",
@@ -49265,7 +54895,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}."
+                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49414,7 +55056,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}."
+                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.1_asm-examine",
@@ -49539,7 +55187,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."
+                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.",
+                    "links": [
+                      {
+                        "href": "#ir-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.3_asm-examine",
@@ -49713,7 +55367,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;"
+                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7_obj-2",
@@ -49725,7 +55385,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."
+                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49870,7 +55542,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."
+                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7.1_asm-examine",
@@ -50391,7 +56069,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"
+                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.2",
@@ -50403,7 +56087,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;"
+                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.3",
@@ -50415,7 +56105,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"
+                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.4",
@@ -50427,7 +56123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"
+                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.5",
@@ -50439,7 +56141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines reportable incidents;"
+                        "prose": "an incident response plan is developed that defines reportable incidents;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.6",
@@ -50451,7 +56159,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"
+                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.7",
@@ -50463,7 +56177,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"
+                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.7",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.8",
@@ -50475,7 +56195,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that addresses the sharing of incident information;"
+                        "prose": "an incident response plan is developed that addresses the sharing of incident information;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.8",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.9",
@@ -50487,7 +56213,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"
+                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.9",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.10",
@@ -50499,7 +56231,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."
+                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.10",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50524,7 +56268,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.b-2",
@@ -50536,7 +56286,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50550,7 +56312,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"
+                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;",
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-8_obj.d",
@@ -50573,7 +56341,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.d-2",
@@ -50585,7 +56359,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50610,7 +56396,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized disclosure;"
+                        "prose": "the incident response plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.e-2",
@@ -50622,10 +56414,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized modification."
+                        "prose": "the incident response plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -51087,7 +56897,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a maintenance policy is developed and documented;"
+                        "prose": "a maintenance policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-2",
@@ -51099,7 +56915,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"
+                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-3",
@@ -51111,7 +56933,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"
+                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-4",
@@ -51123,7 +56951,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"
+                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a.1",
@@ -51157,7 +56991,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-2",
@@ -51169,7 +57009,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-3",
@@ -51181,7 +57027,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-4",
@@ -51193,7 +57045,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-5",
@@ -51205,7 +57063,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-6",
@@ -51217,7 +57081,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-7",
@@ -51229,7 +57099,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -51243,10 +57125,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -51259,7 +57159,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"
+                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-1_obj.c",
@@ -51293,7 +57199,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"
+                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.1-2",
@@ -51305,7 +57217,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"
+                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -51330,7 +57254,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"
+                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.2-2",
@@ -51342,12 +57272,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."
+                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -51650,7 +57604,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-2",
@@ -51662,7 +57622,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-3",
@@ -51674,7 +57640,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51699,7 +57677,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.b-2",
@@ -51711,7 +57695,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51725,7 +57721,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.d",
@@ -51737,7 +57739,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.e",
@@ -51749,7 +57757,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"
+                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.f",
@@ -51761,7 +57775,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."
+                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52004,7 +58030,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;"
+                            "prose": " {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.a-2",
@@ -52016,7 +58048,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;"
+                            "prose": " {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.a-3",
@@ -52028,7 +58066,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;"
+                            "prose": " {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-2.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -52053,7 +58103,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.b-2",
@@ -52065,7 +58121,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.b-3",
@@ -52077,10 +58139,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-2.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -52279,7 +58359,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is approved;"
+                        "prose": "the use of system maintenance tools is approved;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-2",
@@ -52291,7 +58377,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is controlled;"
+                        "prose": "the use of system maintenance tools is controlled;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-3",
@@ -52303,7 +58395,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is monitored;"
+                        "prose": "the use of system maintenance tools is monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52317,7 +58421,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."
+                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52444,7 +58560,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."
+                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.",
+                    "links": [
+                      {
+                        "href": "#ma-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.1_asm-examine",
@@ -52569,7 +58691,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system."
+                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.",
+                    "links": [
+                      {
+                        "href": "#ma-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.2_asm-examine",
@@ -52773,7 +58901,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.b",
@@ -52785,7 +58919,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.c",
@@ -52797,7 +58937,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.d",
@@ -52809,7 +58955,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53088,7 +59246,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are approved;"
+                        "prose": "nonlocal maintenance and diagnostic activities are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.a-2",
@@ -53100,7 +59264,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are monitored;"
+                        "prose": "nonlocal maintenance and diagnostic activities are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53125,7 +59301,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.b-2",
@@ -53137,7 +59319,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53151,7 +59345,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"
+                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.d",
@@ -53163,7 +59363,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;"
+                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.e",
@@ -53186,7 +59392,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session connections are terminated when nonlocal maintenance is completed;"
+                        "prose": "session connections are terminated when nonlocal maintenance is completed;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.e-2",
@@ -53198,10 +59410,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network connections are terminated when nonlocal maintenance is completed."
+                        "prose": "network connections are terminated when nonlocal maintenance is completed.",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -53380,7 +59610,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;"
+                            "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.a-2",
@@ -53392,7 +59628,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"
+                            "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -53417,7 +59665,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;"
+                            "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.b-2",
@@ -53429,7 +59683,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component to be serviced is sanitized (for organizational information);"
+                            "prose": "the component to be serviced is sanitized (for organizational information);",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.b-3",
@@ -53441,10 +59701,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system."
+                            "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -53668,7 +59946,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process for maintenance personnel authorization is established;"
+                        "prose": "a process for maintenance personnel authorization is established;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5_obj.a-2",
@@ -53680,7 +59964,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of authorized maintenance organizations or personnel is maintained;"
+                        "prose": "a list of authorized maintenance organizations or personnel is maintained;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53694,7 +59990,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;"
+                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5_obj.c",
@@ -53706,7 +60008,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."
+                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -53928,7 +60242,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;"
+                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;",
+                            "links": [
+                              {
+                                "href": "#ma-5.1_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-5.1_obj.a.2",
@@ -53940,7 +60260,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;"
+                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;",
+                            "links": [
+                              {
+                                "href": "#ma-5.1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-5.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -53954,7 +60286,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system."
+                        "prose": " {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.",
+                        "links": [
+                          {
+                            "href": "#ma-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54153,7 +60497,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."
+                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.",
+                "links": [
+                  {
+                    "href": "#ma-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ma-6_asm-examine",
@@ -54614,7 +60964,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a media protection policy is developed and documented;"
+                        "prose": "a media protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-2",
@@ -54626,7 +60982,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"
+                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-3",
@@ -54638,7 +61000,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"
+                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-4",
@@ -54650,7 +61018,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"
+                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a.1",
@@ -54684,7 +61058,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-2",
@@ -54696,7 +61076,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-3",
@@ -54708,7 +61094,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-4",
@@ -54720,7 +61112,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-5",
@@ -54732,7 +61130,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-6",
@@ -54744,7 +61148,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-7",
@@ -54756,7 +61166,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -54770,10 +61192,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -54786,7 +61226,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."
+                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-1_obj.c",
@@ -54820,7 +61266,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "
+                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.1-2",
@@ -54832,7 +61284,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"
+                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54857,7 +61321,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "
+                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.2-2",
@@ -54869,12 +61339,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."
+                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -55147,7 +61641,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"
+                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-2_obj-2",
@@ -55159,7 +61659,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."
+                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -55391,7 +61903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"
+                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-3_obj.b",
@@ -55403,7 +61921,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."
+                    "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -55795,7 +62325,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;"
+                        "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-2",
@@ -55807,7 +62343,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;"
+                        "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-3",
@@ -55819,7 +62361,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"
+                        "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-4",
@@ -55831,7 +62379,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"
+                        "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55845,7 +62405,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."
+                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -56161,7 +62733,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"
+                        "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.a-2",
@@ -56173,7 +62751,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"
+                        "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -56187,7 +62777,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accountability for system media is maintained during transport outside of controlled areas;"
+                    "prose": "accountability for system media is maintained during transport outside of controlled areas;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.c",
@@ -56199,7 +62795,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "activities associated with the transport of system media are documented;"
+                    "prose": "activities associated with the transport of system media are documented;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.d",
@@ -56222,7 +62824,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel authorized to conduct media transport activities is/are identified;"
+                        "prose": "personnel authorized to conduct media transport activities is/are identified;",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.d-2",
@@ -56234,10 +62842,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel."
+                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-5_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -56628,7 +63254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"
+                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-2",
@@ -56640,7 +63272,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"
+                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-3",
@@ -56652,7 +63290,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"
+                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -56666,7 +63316,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."
+                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -56800,7 +63462,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are reviewed;"
+                        "prose": "media sanitization and disposal actions are reviewed;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-2",
@@ -56812,7 +63480,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are approved;"
+                        "prose": "media sanitization and disposal actions are approved;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-3",
@@ -56824,7 +63498,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are tracked;"
+                        "prose": "media sanitization and disposal actions are tracked;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-4",
@@ -56836,7 +63516,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are documented;"
+                        "prose": "media sanitization and disposal actions are documented;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-5",
@@ -56848,7 +63534,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are verified."
+                        "prose": "media sanitization and disposal actions are verified.",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -57032,7 +63730,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;"
+                        "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;",
+                        "links": [
+                          {
+                            "href": "#mp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.2_obj-2",
@@ -57044,7 +63748,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved."
+                        "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.",
+                        "links": [
+                          {
+                            "href": "#mp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -57194,7 +63910,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}."
+                    "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#mp-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-6.3_asm-examine",
@@ -57461,7 +64183,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"
+                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-7_obj.b",
@@ -57473,7 +64201,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."
+                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -57936,7 +64676,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a physical and environmental protection policy is developed and documented;"
+                        "prose": "a physical and environmental protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-2",
@@ -57948,7 +64694,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"
+                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-3",
@@ -57960,7 +64712,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"
+                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-4",
@@ -57972,7 +64730,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"
+                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a.1",
@@ -58006,7 +64770,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-2",
@@ -58018,7 +64788,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-3",
@@ -58030,7 +64806,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-4",
@@ -58042,7 +64824,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-5",
@@ -58054,7 +64842,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-6",
@@ -58066,7 +64860,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-7",
@@ -58078,7 +64878,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -58092,10 +64904,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -58108,7 +64938,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"
+                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-1_obj.c",
@@ -58142,7 +64978,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.1-2",
@@ -58154,7 +64996,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -58179,7 +65033,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.2-2",
@@ -58191,12 +65051,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -58453,7 +65337,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;"
+                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-2",
@@ -58465,7 +65355,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-3",
@@ -58477,7 +65373,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -58491,7 +65399,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorization credentials are issued for facility access;"
+                    "prose": "authorization credentials are issued for facility access;",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.c",
@@ -58503,7 +65417,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"
+                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.d",
@@ -58515,7 +65435,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are removed from the facility access list when access is no longer required."
+                    "prose": "individuals are removed from the facility access list when access is no longer required.",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -59096,7 +66028,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.a.2",
@@ -59108,7 +66046,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59122,7 +66072,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"
+                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.c",
@@ -59134,7 +66090,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"
+                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.d",
@@ -59157,7 +66119,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitors are escorted;"
+                        "prose": "visitors are escorted;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.d-2",
@@ -59169,7 +66137,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"
+                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59194,7 +66174,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are secured;"
+                        "prose": "keys are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-2",
@@ -59206,7 +66192,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are secured;"
+                        "prose": "combinations are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-3",
@@ -59218,7 +66210,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "other physical access devices are secured;"
+                        "prose": "other physical access devices are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59232,7 +66236,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"
+                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.g",
@@ -59255,7 +66265,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"
+                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.g-2",
@@ -59267,10 +66283,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."
+                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -59430,7 +66464,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations to the system are enforced;"
+                        "prose": "physical access authorizations to the system are enforced;",
+                        "links": [
+                          {
+                            "href": "#pe-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3.1_obj.2",
@@ -59442,7 +66482,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}."
+                        "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.",
+                        "links": [
+                          {
+                            "href": "#pe-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59645,7 +66697,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."
+                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#pe-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-4_asm-examine",
@@ -59804,7 +66862,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."
+                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.",
+                "links": [
+                  {
+                    "href": "#pe-5_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-5_asm-examine",
@@ -60050,7 +67114,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"
+                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;",
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6_obj.b",
@@ -60073,7 +67143,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"
+                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.b-2",
@@ -60085,7 +67161,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"
+                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -60110,7 +67198,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of reviews are coordinated with organizational incident response capabilities;"
+                        "prose": "results of reviews are coordinated with organizational incident response capabilities;",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.c-2",
@@ -60122,10 +67216,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of investigations are coordinated with organizational incident response capabilities."
+                        "prose": "results of investigations are coordinated with organizational incident response capabilities.",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -60263,7 +67375,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;"
+                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.1_obj-2",
@@ -60275,7 +67393,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment."
+                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -60430,7 +67560,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."
+                    "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pe-6.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6.4_asm-examine",
@@ -60673,7 +67809,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"
+                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.b",
@@ -60685,7 +67827,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"
+                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.c",
@@ -60697,7 +67845,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."
+                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -60881,7 +68041,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};"
+                        "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-8.1_obj-2",
@@ -60893,7 +68059,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}."
+                        "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61029,7 +68207,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power equipment for the system is protected from damage and destruction;"
+                    "prose": "power equipment for the system is protected from damage and destruction;",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-9_obj-2",
@@ -61041,7 +68225,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power cabling for the system is protected from damage and destruction."
+                    "prose": "power cabling for the system is protected from damage and destruction.",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -61256,7 +68452,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"
+                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.b",
@@ -61268,7 +68470,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"
+                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.c",
@@ -61280,7 +68488,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the emergency power shutoff capability is protected from unauthorized activation."
+                    "prose": "the emergency power shutoff capability is protected from unauthorized activation.",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -61433,7 +68653,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."
+                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.",
+                "links": [
+                  {
+                    "href": "#pe-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-11_asm-examine",
@@ -61587,7 +68813,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};"
+                        "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#pe-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-11.1_obj-2",
@@ -61599,7 +68831,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source."
+                        "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.",
+                        "links": [
+                          {
+                            "href": "#pe-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-11.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61739,7 +68983,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-2",
@@ -61751,7 +69001,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-3",
@@ -61763,7 +69019,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;"
+                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-4",
@@ -61775,7 +69037,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility."
+                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -61909,7 +69183,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire detection systems are employed;"
+                    "prose": "fire detection systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-2",
@@ -61921,7 +69201,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are supported by an independent energy source;"
+                    "prose": "employed fire detection systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-3",
@@ -61933,7 +69219,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are maintained;"
+                    "prose": "employed fire detection systems are maintained;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-4",
@@ -61945,7 +69237,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire suppression systems are employed;"
+                    "prose": "fire suppression systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-5",
@@ -61957,7 +69255,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are supported by an independent energy source;"
+                    "prose": "employed fire suppression systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-6",
@@ -61969,7 +69273,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are maintained."
+                    "prose": "employed fire suppression systems are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -62145,7 +69461,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-2",
@@ -62157,7 +69479,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-3",
@@ -62169,7 +69497,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -62379,7 +69719,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that activate automatically are employed;"
+                            "prose": "fire suppression systems that activate automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-13.2_obj.a-2",
@@ -62391,7 +69737,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;"
+                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-13.2_obj.a-3",
@@ -62403,7 +69755,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;"
+                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-13.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -62417,7 +69781,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis."
+                        "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.",
+                        "links": [
+                          {
+                            "href": "#pe-13.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -62666,7 +70042,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"
+                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-14_obj.b",
@@ -62678,7 +70060,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."
+                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -62816,7 +70210,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"
+                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-2",
@@ -62828,7 +70228,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are accessible;"
+                    "prose": "the master shutoff or isolation valves are accessible;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-3",
@@ -62840,7 +70246,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are working properly;"
+                    "prose": "the master shutoff or isolation valves are working properly;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-4",
@@ -62852,7 +70264,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are known to key personnel."
+                    "prose": "the master shutoff or isolation valves are known to key personnel.",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -63028,7 +70452,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the presence of water near the system can be detected automatically;"
+                        "prose": "the presence of water near the system can be detected automatically;",
+                        "links": [
+                          {
+                            "href": "#pe-15.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-15.1_obj-2",
@@ -63040,7 +70470,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}."
+                        "prose": " {{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-15.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-15.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63296,7 +70738,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-2",
@@ -63308,7 +70756,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-3",
@@ -63320,7 +70774,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-4",
@@ -63332,7 +70792,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63346,7 +70818,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of the system components are maintained."
+                    "prose": "records of the system components are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-16_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -63579,7 +71063,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;"
+                    "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.b",
@@ -63591,7 +71081,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"
+                    "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.c",
@@ -63603,7 +71099,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effectiveness of controls at alternate work sites is assessed;"
+                    "prose": "the effectiveness of controls at alternate work sites is assessed;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.d",
@@ -63615,7 +71117,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided."
+                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -63776,7 +71290,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."
+                "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.",
+                "links": [
+                  {
+                    "href": "#pe-18_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-18_asm-examine",
@@ -64241,7 +71761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a planning policy is developed and documented."
+                        "prose": "a planning policy is developed and documented.",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-2",
@@ -64253,7 +71779,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"
+                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-3",
@@ -64265,7 +71797,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"
+                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-4",
@@ -64277,7 +71815,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"
+                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a.1",
@@ -64311,7 +71855,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-2",
@@ -64323,7 +71873,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-3",
@@ -64335,7 +71891,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-4",
@@ -64347,7 +71909,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-5",
@@ -64359,7 +71927,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-6",
@@ -64371,7 +71945,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-7",
@@ -64383,7 +71963,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -64397,10 +71989,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -64413,7 +72023,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"
+                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-1_obj.c",
@@ -64447,7 +72063,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"
+                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.1-2",
@@ -64459,7 +72081,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"
+                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -64484,7 +72118,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"
+                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.2-2",
@@ -64496,12 +72136,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."
+                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -65088,7 +72752,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.1-2",
@@ -65100,7 +72770,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65125,7 +72807,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.2-2",
@@ -65137,7 +72825,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65162,7 +72862,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.3-2",
@@ -65174,7 +72880,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65199,7 +72917,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.4-2",
@@ -65211,7 +72935,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65236,7 +72972,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.5-2",
@@ -65248,7 +72990,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.5",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65273,7 +73027,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.6-2",
@@ -65285,7 +73045,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.6",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65310,7 +73082,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.7-2",
@@ -65322,7 +73100,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65347,7 +73137,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.8-2",
@@ -65359,7 +73155,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.8",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65384,7 +73192,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.9-2",
@@ -65396,7 +73210,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.9",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65421,7 +73247,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;"
+                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.10-2",
@@ -65433,7 +73265,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"
+                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.10",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65458,7 +73302,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.11-2",
@@ -65470,7 +73320,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.11",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65495,7 +73357,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"
+                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.12-2",
@@ -65507,7 +73375,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"
+                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.12",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65532,7 +73412,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"
+                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.13-2",
@@ -65544,7 +73430,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"
+                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.13",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65569,7 +73467,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.14-2",
@@ -65581,7 +73485,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.14",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65606,7 +73522,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"
+                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.15-2",
@@ -65618,10 +73540,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."
+                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.15",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -65645,7 +73585,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.b-2",
@@ -65657,7 +73603,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65671,7 +73629,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};"
+                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-2_obj.d",
@@ -65694,7 +73658,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address changes to the system and environment of operations;"
+                        "prose": "plans are updated to address changes to the system and environment of operations;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-2",
@@ -65706,7 +73676,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during the plan implementation;"
+                        "prose": "plans are updated to address problems identified during the plan implementation;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-3",
@@ -65718,7 +73694,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during control assessments;"
+                        "prose": "plans are updated to address problems identified during control assessments;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65743,7 +73731,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized disclosure;"
+                        "prose": "plans are protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.e-2",
@@ -65755,10 +73749,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized modification."
+                        "prose": "plans are protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -66095,7 +74107,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4_obj.a-2",
@@ -66107,7 +74125,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -66121,7 +74151,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"
+                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.c",
@@ -66133,7 +74169,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"
+                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.d",
@@ -66145,7 +74187,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."
+                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -66327,7 +74381,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;"
+                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.b",
@@ -66339,7 +74399,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;"
+                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.c",
@@ -66351,7 +74417,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications."
+                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -66665,7 +74743,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"
+                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.2",
@@ -66677,7 +74761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"
+                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.3",
@@ -66700,7 +74790,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.3-2",
@@ -66712,7 +74808,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -66737,7 +74845,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.4-2",
@@ -66749,10 +74863,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -66765,7 +74897,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"
+                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;",
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-8_obj.c",
@@ -66788,7 +74926,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the security plan;"
+                        "prose": "planned architecture changes are reflected in the security plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-2",
@@ -66800,7 +74944,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the privacy plan;"
+                        "prose": "planned architecture changes are reflected in the privacy plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-3",
@@ -66812,7 +74962,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);"
+                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-4",
@@ -66824,7 +74980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in criticality analysis;"
+                        "prose": "planned architecture changes are reflected in criticality analysis;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-5",
@@ -66836,7 +74998,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in organizational procedures;"
+                        "prose": "planned architecture changes are reflected in organizational procedures;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-6",
@@ -66848,10 +75016,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in procurements and acquisitions."
+                        "prose": "planned architecture changes are reflected in procurements and acquisitions.",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -67029,7 +75215,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a control baseline for the system is selected."
+                "prose": "a control baseline for the system is selected.",
+                "links": [
+                  {
+                    "href": "#pl-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-10_asm-examine",
@@ -67184,7 +75376,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the selected control baseline is tailored by applying specified tailoring actions."
+                "prose": "the selected control baseline is tailored by applying specified tailoring actions.",
+                "links": [
+                  {
+                    "href": "#pl-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-11_asm-examine",
@@ -67619,7 +75817,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personnel security policy is developed and documented;"
+                        "prose": "a personnel security policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-2",
@@ -67631,7 +75835,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"
+                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-3",
@@ -67643,7 +75853,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"
+                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-4",
@@ -67655,7 +75871,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"
+                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a.1",
@@ -67689,7 +75911,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-2",
@@ -67701,7 +75929,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-3",
@@ -67713,7 +75947,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-4",
@@ -67725,7 +75965,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-5",
@@ -67737,7 +75983,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-6",
@@ -67749,7 +76001,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-7",
@@ -67761,7 +76019,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -67775,10 +76045,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -67791,7 +76079,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"
+                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-1_obj.c",
@@ -67825,7 +76119,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"
+                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.1-2",
@@ -67837,7 +76137,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"
+                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -67862,7 +76174,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"
+                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.2-2",
@@ -67874,12 +76192,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."
+                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -68090,7 +76432,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a risk designation is assigned to all organizational positions;"
+                    "prose": "a risk designation is assigned to all organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.b",
@@ -68102,7 +76450,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "screening criteria are established for individuals filling organizational positions;"
+                    "prose": "screening criteria are established for individuals filling organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.c",
@@ -68114,7 +76468,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."
+                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -68389,7 +76755,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are screened prior to authorizing access to the system;"
+                    "prose": "individuals are screened prior to authorizing access to the system;",
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3_obj.b",
@@ -68412,7 +76784,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"
+                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3_obj.b-2",
@@ -68424,10 +76802,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."
+                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -68679,7 +77075,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"
+                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.b",
@@ -68691,7 +77093,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;"
+                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.c",
@@ -68703,7 +77111,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"
+                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.d",
@@ -68715,7 +77129,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;"
+                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.e",
@@ -68727,7 +77147,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."
+                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -68913,7 +77345,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}."
+                    "prose": " {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4.2_asm-examine",
@@ -69194,7 +77632,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"
+                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.b",
@@ -69206,7 +77650,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"
+                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.c",
@@ -69218,7 +77668,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"
+                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.d",
@@ -69230,7 +77686,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."
+                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -69505,7 +77973,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access agreements are developed and documented for organizational systems;"
+                    "prose": "access agreements are developed and documented for organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.b",
@@ -69517,7 +77991,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"
+                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.c",
@@ -69540,7 +78020,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"
+                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6_obj.c.2",
@@ -69552,10 +78038,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."
+                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -69843,7 +78347,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;"
+                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.b",
@@ -69855,7 +78365,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;"
+                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.c",
@@ -69867,7 +78383,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are documented;"
+                    "prose": "personnel security requirements are documented;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.d",
@@ -69879,7 +78401,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"
+                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.e",
@@ -69891,7 +78419,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provider compliance with personnel security requirements is monitored."
+                    "prose": "provider compliance with personnel security requirements is monitored.",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -70102,7 +78642,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"
+                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-8_obj.b",
@@ -70114,7 +78660,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
+                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -70248,7 +78806,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;"
+                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-9_obj-2",
@@ -70260,7 +78824,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions."
+                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -70723,7 +79299,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment policy is developed and documented;"
+                        "prose": "a risk assessment policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-2",
@@ -70735,7 +79317,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"
+                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-3",
@@ -70747,7 +79335,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"
+                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-4",
@@ -70759,7 +79353,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"
+                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a.1",
@@ -70793,7 +79393,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-2",
@@ -70805,7 +79411,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-3",
@@ -70817,7 +79429,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-4",
@@ -70829,7 +79447,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-5",
@@ -70841,7 +79465,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-6",
@@ -70853,7 +79483,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-7",
@@ -70865,7 +79501,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -70879,10 +79527,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -70895,7 +79561,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"
+                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-1_obj.c",
@@ -70929,7 +79601,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.1-2",
@@ -70941,7 +79619,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -70966,7 +79656,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"
+                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.2-2",
@@ -70978,12 +79674,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."
+                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -71220,7 +79940,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system and the information it processes, stores, and transmits are categorized;"
+                    "prose": "the system and the information it processes, stores, and transmits are categorized;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.b",
@@ -71232,7 +79958,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;"
+                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.c",
@@ -71244,7 +79976,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."
+                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -71727,7 +80471,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;"
+                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.2",
@@ -71739,7 +80489,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.3",
@@ -71751,7 +80507,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71765,7 +80533,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"
+                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.c",
@@ -71777,7 +80551,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"
+                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.d",
@@ -71789,7 +80569,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"
+                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.e",
@@ -71801,7 +80587,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"
+                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.f",
@@ -71813,7 +80605,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."
+                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72037,7 +80841,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"
+                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3.1_obj.b",
@@ -72049,7 +80859,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."
+                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -72493,7 +81315,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.a-2",
@@ -72505,7 +81333,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -72531,7 +81371,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.2",
@@ -72543,7 +81389,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.3",
@@ -72555,7 +81407,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -72569,7 +81433,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;"
+                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.d",
@@ -72581,7 +81451,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"
+                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.e",
@@ -72593,7 +81469,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"
+                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.f",
@@ -72605,7 +81487,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."
+                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72781,7 +81675,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."
+                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.2_asm-examine",
@@ -72948,7 +81848,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information about the system is discoverable;"
+                        "prose": "information about the system is discoverable;",
+                        "links": [
+                          {
+                            "href": "#ra-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5.4_obj-2",
@@ -72960,7 +81866,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable."
+                        "prose": " {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.",
+                        "links": [
+                          {
+                            "href": "#ra-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -73130,7 +82048,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."
+                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.5_asm-examine",
@@ -73256,7 +82180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."
+                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.",
+                    "links": [
+                      {
+                        "href": "#ra-5.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.11_asm-examine",
@@ -73443,7 +82373,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-2",
@@ -73455,7 +82391,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-3",
@@ -73467,7 +82409,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-4",
@@ -73479,7 +82427,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance."
+                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance.",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -73688,7 +82648,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."
+                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ra-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ra-9_asm-examine",
@@ -74157,7 +83123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and services acquisition policy is developed and documented;"
+                        "prose": "a system and services acquisition policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-2",
@@ -74169,7 +83141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"
+                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-3",
@@ -74181,7 +83159,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"
+                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-4",
@@ -74193,7 +83177,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"
+                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a.1",
@@ -74227,7 +83217,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-2",
@@ -74239,7 +83235,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-3",
@@ -74251,7 +83253,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-4",
@@ -74263,7 +83271,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-5",
@@ -74275,7 +83289,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-6",
@@ -74287,7 +83307,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-7",
@@ -74299,7 +83325,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -74313,10 +83351,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -74329,7 +83385,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"
+                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-1_obj.c",
@@ -74363,7 +83425,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"
+                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.1-2",
@@ -74375,7 +83443,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"
+                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -74400,7 +83480,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"
+                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.2-2",
@@ -74412,12 +83498,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."
+                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -74610,7 +83720,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.a-2",
@@ -74622,7 +83738,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -74647,7 +83775,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.b-2",
@@ -74659,7 +83793,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -74684,7 +83830,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;"
+                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.c-2",
@@ -74696,10 +83848,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation."
+                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -74996,7 +84166,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.a-2",
@@ -75008,7 +84184,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75033,7 +84221,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.b-2",
@@ -75045,7 +84239,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75070,7 +84276,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with information security roles and responsibilities are identified;"
+                        "prose": "individuals with information security roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.c-2",
@@ -75082,7 +84294,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with privacy roles and responsibilities are identified;"
+                        "prose": "individuals with privacy roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75107,7 +84331,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;"
+                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.d-2",
@@ -75119,10 +84349,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities."
+                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -75551,7 +84799,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.a-2",
@@ -75563,7 +84817,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75577,7 +84843,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.c",
@@ -75600,7 +84872,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.c-2",
@@ -75612,7 +84890,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75637,7 +84927,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.d-2",
@@ -75649,7 +84945,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75674,7 +84982,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.e-2",
@@ -75686,7 +85000,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75711,7 +85037,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.f-2",
@@ -75723,7 +85055,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75737,7 +85081,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.h",
@@ -75760,7 +85110,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-2",
@@ -75772,7 +85128,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-3",
@@ -75784,7 +85146,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75798,7 +85172,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."
+                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -75926,7 +85312,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."
+                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.",
+                    "links": [
+                      {
+                        "href": "#sa-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.1_asm-examine",
@@ -76118,7 +85510,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."
+                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.2_asm-examine",
@@ -76301,7 +85699,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;"
+                        "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;",
+                        "links": [
+                          {
+                            "href": "#sa-4.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.5_obj.b",
@@ -76313,7 +85717,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade."
+                        "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.",
+                        "links": [
+                          {
+                            "href": "#sa-4.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -76460,7 +85876,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-2",
@@ -76472,7 +85894,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-3",
@@ -76484,7 +85912,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-4",
@@ -76496,7 +85930,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use."
+                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -76614,7 +86060,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."
+                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.",
+                    "links": [
+                      {
+                        "href": "#sa-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.10_asm-examine",
@@ -77008,7 +86460,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-2",
@@ -77020,7 +86478,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-3",
@@ -77032,7 +86496,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -77057,7 +86533,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-2",
@@ -77069,7 +86551,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-3",
@@ -77081,7 +86569,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-4",
@@ -77093,7 +86587,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -77118,7 +86624,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.3-2",
@@ -77130,10 +86642,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -77168,7 +86698,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-2",
@@ -77180,7 +86716,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-3",
@@ -77192,7 +86734,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-4",
@@ -77204,7 +86752,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -77229,7 +86789,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.2-2",
@@ -77241,7 +86807,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -77266,7 +86844,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.3-2",
@@ -77278,10 +86862,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -77305,7 +86907,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"
+                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-5_obj.c-2",
@@ -77317,7 +86925,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"
+                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -77331,7 +86951,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}."
+                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -77628,7 +87260,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-2",
@@ -77640,7 +87278,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-3",
@@ -77652,7 +87296,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-4",
@@ -77664,7 +87314,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-5",
@@ -77676,7 +87332,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-6",
@@ -77688,7 +87350,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-7",
@@ -77700,7 +87368,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-8",
@@ -77712,7 +87386,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-9",
@@ -77724,7 +87404,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-10",
@@ -77736,7 +87422,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -78026,7 +87724,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational security requirements;"
+                        "prose": "providers of external system services comply with organizational security requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-2",
@@ -78038,7 +87742,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational privacy requirements;"
+                        "prose": "providers of external system services comply with organizational privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-3",
@@ -78050,7 +87760,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};"
+                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78075,7 +87797,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational oversight with regard to external system services are defined and documented;"
+                        "prose": "organizational oversight with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.b-2",
@@ -78087,7 +87815,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;"
+                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78101,7 +87841,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."
+                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -78259,7 +88011,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."
+                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.",
+                    "links": [
+                      {
+                        "href": "#sa-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.2_asm-examine",
@@ -78576,7 +88334,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"
+                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.b",
@@ -78599,7 +88363,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-2",
@@ -78611,7 +88381,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-3",
@@ -78623,7 +88399,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78637,7 +88425,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"
+                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.d",
@@ -78660,7 +88454,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-2",
@@ -78672,7 +88472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-3",
@@ -78684,7 +88490,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78709,7 +88527,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-2",
@@ -78721,7 +88545,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-3",
@@ -78733,10 +88563,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-10_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -79080,7 +88928,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-2",
@@ -79092,7 +88946,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-3",
@@ -79104,7 +88964,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-4",
@@ -79116,7 +88982,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -79130,7 +89008,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.c",
@@ -79153,7 +89037,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.c-2",
@@ -79165,7 +89055,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -79179,7 +89081,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.e",
@@ -79191,7 +89099,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -79539,7 +89459,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.1-2",
@@ -79551,7 +89477,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -79576,7 +89514,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.2-2",
@@ -79588,7 +89532,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -79613,7 +89569,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.3-2",
@@ -79625,7 +89587,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -79639,7 +89613,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -79664,7 +89650,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15_obj.b-2",
@@ -79676,10 +89668,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-15_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -79898,7 +89908,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"
+                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.3_obj.b",
@@ -79921,7 +89937,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15.3_obj.b-2",
@@ -79933,10 +89955,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -80103,7 +90143,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms."
+                "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.",
+                "links": [
+                  {
+                    "href": "#sa-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sa-16_asm-examine",
@@ -80300,7 +90346,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.a-2",
@@ -80312,7 +90364,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -80337,7 +90401,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.b-2",
@@ -80349,7 +90419,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -80374,7 +90456,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.c-2",
@@ -80386,10 +90474,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection."
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-17_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -80616,7 +90722,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};"
+                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sa-21_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-21_obj.b",
@@ -80628,7 +90740,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}."
+                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -80837,7 +90961,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"
+                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-22_obj.b",
@@ -80849,7 +90979,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."
+                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -81308,7 +91450,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and communications protection policy is developed and documented;"
+                        "prose": "a system and communications protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-2",
@@ -81320,7 +91468,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"
+                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-3",
@@ -81332,7 +91486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"
+                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-4",
@@ -81344,7 +91504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"
+                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a.1",
@@ -81378,7 +91544,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-2",
@@ -81390,7 +91562,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-3",
@@ -81402,7 +91580,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-4",
@@ -81414,7 +91598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-5",
@@ -81426,7 +91616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-6",
@@ -81438,7 +91634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-7",
@@ -81450,7 +91652,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -81464,10 +91678,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -81480,7 +91712,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"
+                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-1_obj.c",
@@ -81514,7 +91752,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.1-2",
@@ -81526,7 +91770,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -81551,7 +91807,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"
+                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.2-2",
@@ -81563,12 +91825,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."
+                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -81701,7 +91987,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "user functionality, including user interface services, is separated from system management functionality."
+                "prose": "user functionality, including user interface services, is separated from system management functionality.",
+                "links": [
+                  {
+                    "href": "#sc-2_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-2_asm-examine",
@@ -81883,7 +92175,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "security functions are isolated from non-security functions."
+                "prose": "security functions are isolated from non-security functions.",
+                "links": [
+                  {
+                    "href": "#sc-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-3_asm-examine",
@@ -82023,7 +92321,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized information transfer via shared system resources is prevented;"
+                    "prose": "unauthorized information transfer via shared system resources is prevented;",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-4_obj-2",
@@ -82035,7 +92339,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unintended information transfer via shared system resources is prevented."
+                    "prose": "unintended information transfer via shared system resources is prevented.",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -82274,7 +92590,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"
+                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5_obj.b",
@@ -82286,7 +92608,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."
+                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -82607,7 +92941,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are monitored;"
+                        "prose": "communications at external managed interfaces to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-2",
@@ -82619,7 +92959,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are controlled;"
+                        "prose": "communications at external managed interfaces to the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-3",
@@ -82631,7 +92977,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are monitored;"
+                        "prose": "communications at key internal managed interfaces within the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-4",
@@ -82643,7 +92995,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are controlled;"
+                        "prose": "communications at key internal managed interfaces within the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -82657,7 +93021,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"
+                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7_obj.c",
@@ -82669,7 +93039,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -82792,7 +93174,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the number of external network connections to the system is limited."
+                    "prose": "the number of external network connections to the system is limited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.3_asm-examine",
@@ -83055,7 +93443,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a managed interface is implemented for each external telecommunication service;"
+                        "prose": "a managed interface is implemented for each external telecommunication service;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.b",
@@ -83067,7 +93461,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a traffic flow policy is established for each managed interface;"
+                        "prose": "a traffic flow policy is established for each managed interface;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.c",
@@ -83090,7 +93490,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the confidentiality of the information being transmitted across each interface is protected;"
+                            "prose": "the confidentiality of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.c-2",
@@ -83102,7 +93508,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the integrity of the information being transmitted across each interface is protected;"
+                            "prose": "the integrity of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -83116,7 +93534,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"
+                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.e",
@@ -83139,7 +93563,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"
+                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.e-2",
@@ -83151,7 +93581,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"
+                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.e",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -83165,7 +93607,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;"
+                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.g",
@@ -83177,7 +93625,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"
+                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.h",
@@ -83189,7 +93643,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized control plane traffic is filtered from external networks."
+                        "prose": "unauthorized control plane traffic is filtered from external networks.",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -83366,7 +93832,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"
+                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.5_obj-2",
@@ -83378,7 +93850,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."
+                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -83523,7 +94007,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."
+                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.7_asm-examine",
@@ -83690,7 +94180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."
+                    "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.",
+                    "links": [
+                      {
+                        "href": "#sc-7.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.8_asm-examine",
@@ -83828,7 +94324,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device."
+                    "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.",
+                    "links": [
+                      {
+                        "href": "#sc-7.18_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.18_asm-examine",
@@ -84005,7 +94507,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."
+                    "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.21_asm-examine",
@@ -84239,7 +94747,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected."
+                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-8_asm-examine",
@@ -84391,7 +94905,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."
+                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.",
+                    "links": [
+                      {
+                        "href": "#sc-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.1_asm-examine",
@@ -84540,7 +95060,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."
+                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.",
+                "links": [
+                  {
+                    "href": "#sc-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-10_asm-examine",
@@ -84731,6 +95257,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#sa-4",
                 "rel": "related"
@@ -84816,7 +95346,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"
+                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12_obj-2",
@@ -84828,7 +95364,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."
+                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -84956,7 +95504,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information availability is maintained in the event of the loss of cryptographic keys by users."
+                    "prose": "information availability is maintained in the event of the loss of cryptographic keys by users.",
+                    "links": [
+                      {
+                        "href": "#sc-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12.1_asm-examine",
@@ -85156,6 +95710,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -85272,7 +95830,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;"
+                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-13_obj.b",
@@ -85284,7 +95848,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."
+                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -85467,7 +96043,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"
+                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15_obj.b",
@@ -85479,7 +96061,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of use is provided to users physically present at the devices."
+                    "prose": "an explicit indication of use is provided to users physically present at the devices.",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -85691,7 +96285,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"
+                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-17_obj.b",
@@ -85703,7 +96303,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization."
+                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -85891,7 +96503,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code is defined;"
+                        "prose": "acceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-2",
@@ -85903,7 +96521,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code is defined;"
+                        "prose": "unacceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-3",
@@ -85915,7 +96539,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code technologies are defined;"
+                        "prose": "acceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-4",
@@ -85927,7 +96557,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code technologies are defined;"
+                        "prose": "unacceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -85952,7 +96594,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is authorized within the system;"
+                        "prose": "the use of mobile code is authorized within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-2",
@@ -85964,7 +96612,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is monitored within the system;"
+                        "prose": "the use of mobile code is monitored within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-3",
@@ -85976,10 +96630,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is controlled within the system."
+                        "prose": "the use of mobile code is controlled within the system.",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-18_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -86178,7 +96850,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.a-2",
@@ -86190,7 +96868,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -86215,7 +96905,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"
+                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.b-2",
@@ -86227,10 +96923,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."
+                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-20_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -86371,7 +97085,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-2",
@@ -86383,7 +97103,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-3",
@@ -86395,7 +97121,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-4",
@@ -86407,7 +97139,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources."
+                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -86557,7 +97301,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-2",
@@ -86569,7 +97319,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-3",
@@ -86581,7 +97337,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation."
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -86732,7 +97500,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the authenticity of communication sessions is protected."
+                "prose": "the authenticity of communication sessions is protected.",
+                "links": [
+                  {
+                    "href": "#sc-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-23_asm-examine",
@@ -86953,7 +97727,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure."
+                "prose": " {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.",
+                "links": [
+                  {
+                    "href": "#sc-24_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-24_asm-examine",
@@ -87225,7 +98005,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected."
+                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-28_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-28_asm-examine",
@@ -87411,7 +98197,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-28.1_obj-2",
@@ -87423,7 +98215,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-28.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -87585,7 +98389,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a separate execution domain is maintained for each executing system process."
+                "prose": "a separate execution domain is maintained for each executing system process.",
+                "links": [
+                  {
+                    "href": "#sc-39_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-39_asm-examine",
@@ -88042,7 +98852,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and information integrity policy is developed and documented;"
+                        "prose": "a system and information integrity policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-2",
@@ -88054,7 +98870,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"
+                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-3",
@@ -88066,7 +98888,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"
+                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-4",
@@ -88078,7 +98906,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"
+                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a.1",
@@ -88112,7 +98946,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-2",
@@ -88124,7 +98964,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-3",
@@ -88136,7 +98982,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-4",
@@ -88148,7 +99000,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-5",
@@ -88160,7 +99018,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-6",
@@ -88172,7 +99036,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-7",
@@ -88184,7 +99054,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -88198,10 +99080,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -88214,7 +99114,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"
+                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-1_obj.c",
@@ -88248,7 +99154,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.1-2",
@@ -88260,7 +99172,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -88285,7 +99209,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"
+                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.2-2",
@@ -88297,12 +99227,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."
+                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -88575,7 +99529,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are identified;"
+                        "prose": "system flaws are identified;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-2",
@@ -88587,7 +99547,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are reported;"
+                        "prose": "system flaws are reported;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-3",
@@ -88599,7 +99565,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are corrected;"
+                        "prose": "system flaws are corrected;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88624,7 +99602,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-2",
@@ -88636,7 +99620,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-3",
@@ -88648,7 +99638,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-4",
@@ -88660,7 +99656,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88685,7 +99693,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.c-2",
@@ -88697,7 +99711,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88711,7 +99737,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "flaw remediation is incorporated into the organizational configuration management process."
+                    "prose": "flaw remediation is incorporated into the organizational configuration management process.",
+                    "links": [
+                      {
+                        "href": "#si-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -88884,7 +99922,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."
+                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#si-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.2_asm-examine",
@@ -89313,7 +100357,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3_obj.a-2",
@@ -89325,7 +100375,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -89339,7 +100401,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"
+                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-3_obj.c",
@@ -89373,7 +100441,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"
+                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.1-2",
@@ -89385,7 +100459,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"
+                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -89410,7 +100496,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.2-2",
@@ -89422,10 +100514,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -89438,7 +100548,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."
+                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -90022,7 +101144,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"
+                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.a.2",
@@ -90045,7 +101173,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized local connections;"
+                            "prose": "the system is monitored to detect unauthorized local connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-2",
@@ -90057,7 +101191,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized network connections;"
+                            "prose": "the system is monitored to detect unauthorized network connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-3",
@@ -90069,10 +101209,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized remote connections;"
+                            "prose": "the system is monitored to detect unauthorized remote connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -90085,7 +101243,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"
+                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.c",
@@ -90108,7 +101272,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.c.2",
@@ -90120,7 +101290,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -90145,7 +101327,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected events are analyzed;"
+                        "prose": "detected events are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.d-2",
@@ -90157,7 +101345,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected anomalies are analyzed;"
+                        "prose": "detected anomalies are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -90171,7 +101371,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"
+                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.f",
@@ -90183,7 +101389,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a legal opinion regarding system monitoring activities is obtained;"
+                    "prose": "a legal opinion regarding system monitoring activities is obtained;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.g",
@@ -90195,7 +101407,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."
+                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -90331,7 +101555,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events."
+                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.",
+                    "links": [
+                      {
+                        "href": "#si-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.2_asm-examine",
@@ -90600,7 +101830,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.a-2",
@@ -90612,7 +101848,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -90637,7 +101885,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"
+                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.b-2",
@@ -90649,10 +101903,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."
+                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -90833,7 +102105,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."
+                    "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.",
+                    "links": [
+                      {
+                        "href": "#si-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.5_asm-examine",
@@ -91001,7 +102279,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."
+                    "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.10_asm-examine",
@@ -91194,7 +102478,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications."
+                    "prose": " {{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.",
+                    "links": [
+                      {
+                        "href": "#si-4.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.12_asm-examine",
@@ -91339,7 +102629,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;"
+                        "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.14_obj-2",
@@ -91351,7 +102647,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;"
+                        "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.14_obj-3",
@@ -91363,7 +102665,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system."
+                        "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.14_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -91517,7 +102831,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04.20_odp }} of privileged users is implemented."
+                    "prose": " {{ insert: param, si-04.20_odp }} of privileged users is implemented.",
+                    "links": [
+                      {
+                        "href": "#si-4.20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.20_asm-examine",
@@ -91744,7 +103064,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;"
+                        "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;",
+                        "links": [
+                          {
+                            "href": "#si-4.22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.22_obj.b",
@@ -91756,7 +103082,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected."
+                        "prose": " {{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.",
+                        "links": [
+                          {
+                            "href": "#si-4.22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.22_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -92063,7 +103401,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"
+                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.b",
@@ -92075,7 +103419,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;"
+                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.c",
@@ -92087,7 +103437,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"
+                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.d",
@@ -92099,7 +103455,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."
+                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -92249,7 +103617,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization."
+                    "prose": " {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.",
+                    "links": [
+                      {
+                        "href": "#si-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5.1_asm-examine",
@@ -92634,7 +104008,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;"
+                        "prose": " {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.a-2",
@@ -92646,7 +104026,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;"
+                        "prose": " {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -92671,7 +104063,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};"
+                        "prose": " {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.b-2",
@@ -92683,7 +104081,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};"
+                        "prose": " {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -92708,7 +104118,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;"
+                        "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.c-2",
@@ -92720,7 +104136,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;"
+                        "prose": " {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -92734,7 +104162,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered."
+                    "prose": " {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.",
+                    "links": [
+                      {
+                        "href": "#si-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -93168,7 +104608,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-2",
@@ -93180,7 +104626,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-3",
@@ -93192,7 +104644,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -93217,7 +104681,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"
+                        "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-2",
@@ -93229,7 +104699,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"
+                        "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-3",
@@ -93241,10 +104717,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."
+                        "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -93673,7 +105167,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-2",
@@ -93685,7 +105185,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-3",
@@ -93697,7 +105203,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -93847,7 +105365,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed."
+                    "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.",
+                    "links": [
+                      {
+                        "href": "#si-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.2_asm-examine",
@@ -94017,7 +105541,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered."
+                    "prose": " {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.",
+                    "links": [
+                      {
+                        "href": "#si-7.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.5_asm-examine",
@@ -94190,7 +105720,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."
+                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.",
+                    "links": [
+                      {
+                        "href": "#si-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.7_asm-examine",
@@ -94350,7 +105886,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation."
+                    "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.",
+                    "links": [
+                      {
+                        "href": "#si-7.15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.15_asm-examine",
@@ -94546,7 +106088,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-2",
@@ -94558,7 +106106,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-3",
@@ -94570,7 +106124,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-4",
@@ -94582,7 +106142,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -94596,7 +106168,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."
+                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.",
+                    "links": [
+                      {
+                        "href": "#si-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -94741,7 +106325,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."
+                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-8.2_asm-examine",
@@ -94900,7 +106490,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked."
+                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.",
+                "links": [
+                  {
+                    "href": "#si-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-10_asm-examine",
@@ -95093,7 +106689,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"
+                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-11_obj.b",
@@ -95105,7 +106707,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}."
+                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -95367,7 +106981,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-2",
@@ -95379,7 +106999,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-3",
@@ -95391,7 +107017,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-4",
@@ -95403,7 +107035,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."
+                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -95561,7 +107205,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."
+                "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.",
+                "links": [
+                  {
+                    "href": "#si-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-16_asm-examine",
@@ -96042,7 +107692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a supply chain risk management policy is developed and documented;"
+                        "prose": "a supply chain risk management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-2",
@@ -96054,7 +107710,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"
+                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-3",
@@ -96066,7 +107728,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"
+                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-4",
@@ -96078,7 +107746,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."
+                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a.1",
@@ -96112,7 +107786,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-2",
@@ -96124,7 +107804,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-3",
@@ -96136,7 +107822,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"
+                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-4",
@@ -96148,7 +107840,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-5",
@@ -96160,7 +107858,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-6",
@@ -96172,7 +107876,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-7",
@@ -96184,7 +107894,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -96198,10 +107920,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -96214,7 +107954,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"
+                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-1_obj.c",
@@ -96248,7 +107994,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.1-2",
@@ -96260,7 +108012,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -96285,7 +108049,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"
+                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.2-2",
@@ -96297,12 +108067,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."
+                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -96597,7 +108391,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a plan for managing supply chain risks is developed;"
+                        "prose": "a plan for managing supply chain risks is developed;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-2",
@@ -96609,7 +108409,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-3",
@@ -96621,7 +108427,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-4",
@@ -96633,7 +108445,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-5",
@@ -96645,7 +108463,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-6",
@@ -96657,7 +108481,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-7",
@@ -96669,7 +108499,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-8",
@@ -96681,7 +108517,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-9",
@@ -96693,7 +108535,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -96707,7 +108561,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"
+                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;",
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2_obj.c",
@@ -96730,7 +108590,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;"
+                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.c-2",
@@ -96742,10 +108608,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized modification."
+                        "prose": "the supply chain risk management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -96919,7 +108803,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."
+                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2.1_asm-examine",
@@ -97306,7 +109196,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"
+                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-3_obj.a-2",
@@ -97318,7 +109214,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};"
+                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -97332,7 +109240,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"
+                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3_obj.c",
@@ -97344,7 +109258,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."
+                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -97594,7 +109520,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-2",
@@ -97606,7 +109538,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-3",
@@ -97618,7 +109556,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -97824,7 +109774,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."
+                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.",
+                "links": [
+                  {
+                    "href": "#sr-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-6_asm-examine",
@@ -98034,7 +109990,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."
+                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.",
+                "links": [
+                  {
+                    "href": "#sr-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-8_asm-examine",
@@ -98200,7 +110162,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a tamper protection program is implemented for the system, system component, or system service."
+                "prose": "a tamper protection program is implemented for the system, system component, or system service.",
+                "links": [
+                  {
+                    "href": "#sr-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-9_asm-examine",
@@ -98330,7 +110298,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle."
+                    "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.",
+                    "links": [
+                      {
+                        "href": "#sr-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-9.1_asm-examine",
@@ -98578,7 +110552,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."
+                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.",
+                "links": [
+                  {
+                    "href": "#sr-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-10_asm-examine",
@@ -98833,7 +110813,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an anti-counterfeit policy is developed and implemented;"
+                        "prose": "an anti-counterfeit policy is developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-2",
@@ -98845,7 +110831,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "anti-counterfeit procedures are developed and implemented;"
+                        "prose": "anti-counterfeit procedures are developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-3",
@@ -98857,7 +110849,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-4",
@@ -98869,7 +110867,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -98883,7 +110893,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."
+                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -99037,7 +111059,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."
+                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).",
+                    "links": [
+                      {
+                        "href": "#sr-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-11.1_asm-examine",
@@ -99212,7 +111240,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"
+                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11.2_obj-2",
@@ -99224,7 +111258,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."
+                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -99396,7 +111442,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."
+                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#sr-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-12_asm-examine",
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile-min.json
index 846a13b9..d35b52ed 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile-min.json
@@ -1 +1 @@
-{"profile":{"uuid":"beade175-48ad-47c0-ac38-e9c2514cba22","metadata":{"title":"NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"Final","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"c748c806-1d77-4695-bb40-e117b2afa82e","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]},{"role-id":"contact","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-2.1","ac-2.2","ac-2.3","ac-2.4","ac-2.5","ac-2.11","ac-2.12","ac-2.13","ac-3","ac-4","ac-4.4","ac-5","ac-6","ac-6.1","ac-6.2","ac-6.3","ac-6.5","ac-6.7","ac-6.9","ac-6.10","ac-7","ac-8","ac-10","ac-11","ac-11.1","ac-12","ac-14","ac-17","ac-17.1","ac-17.2","ac-17.3","ac-17.4","ac-18","ac-18.1","ac-18.3","ac-18.4","ac-18.5","ac-19","ac-19.5","ac-20","ac-20.1","ac-20.2","ac-21","ac-22","at-1","at-2","at-2.2","at-2.3","at-3","at-4","au-1","au-2","au-3","au-3.1","au-4","au-5","au-5.1","au-5.2","au-6","au-6.1","au-6.3","au-6.5","au-6.6","au-7","au-7.1","au-8","au-9","au-9.2","au-9.3","au-9.4","au-10","au-11","au-12","au-12.1","au-12.3","ca-1","ca-2","ca-2.1","ca-2.2","ca-3","ca-3.6","ca-5","ca-6","ca-7","ca-7.1","ca-7.4","ca-8","ca-8.1","ca-9","cm-1","cm-2","cm-2.2","cm-2.3","cm-2.7","cm-3","cm-3.1","cm-3.2","cm-3.4","cm-3.6","cm-4","cm-4.1","cm-4.2","cm-5","cm-5.1","cm-6","cm-6.1","cm-6.2","cm-7","cm-7.1","cm-7.2","cm-7.5","cm-8","cm-8.1","cm-8.2","cm-8.3","cm-8.4","cm-9","cm-10","cm-11","cm-12","cm-12.1","cp-1","cp-2","cp-2.1","cp-2.2","cp-2.3","cp-2.5","cp-2.8","cp-3","cp-3.1","cp-4","cp-4.1","cp-4.2","cp-6","cp-6.1","cp-6.2","cp-6.3","cp-7","cp-7.1","cp-7.2","cp-7.3","cp-7.4","cp-8","cp-8.1","cp-8.2","cp-8.3","cp-8.4","cp-9","cp-9.1","cp-9.2","cp-9.3","cp-9.5","cp-9.8","cp-10","cp-10.2","cp-10.4","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.5","ia-2.8","ia-2.12","ia-3","ia-4","ia-4.4","ia-5","ia-5.1","ia-5.2","ia-5.6","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ia-12","ia-12.2","ia-12.3","ia-12.4","ia-12.5","ir-1","ir-2","ir-2.1","ir-2.2","ir-3","ir-3.2","ir-4","ir-4.1","ir-4.4","ir-4.11","ir-5","ir-5.1","ir-6","ir-6.1","ir-6.3","ir-7","ir-7.1","ir-8","ma-1","ma-2","ma-2.2","ma-3","ma-3.1","ma-3.2","ma-3.3","ma-4","ma-4.3","ma-5","ma-5.1","ma-6","mp-1","mp-2","mp-3","mp-4","mp-5","mp-6","mp-6.1","mp-6.2","mp-6.3","mp-7","pe-1","pe-2","pe-3","pe-3.1","pe-4","pe-5","pe-6","pe-6.1","pe-6.4","pe-8","pe-8.1","pe-9","pe-10","pe-11","pe-11.1","pe-12","pe-13","pe-13.1","pe-13.2","pe-14","pe-15","pe-15.1","pe-16","pe-17","pe-18","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-4.2","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.4","ra-5.5","ra-5.11","ra-7","ra-9","sa-1","sa-2","sa-3","sa-4","sa-4.1","sa-4.2","sa-4.5","sa-4.9","sa-4.10","sa-5","sa-8","sa-9","sa-9.2","sa-10","sa-11","sa-15","sa-15.3","sa-16","sa-17","sa-21","sa-22","sc-1","sc-2","sc-3","sc-4","sc-5","sc-7","sc-7.3","sc-7.4","sc-7.5","sc-7.7","sc-7.8","sc-7.18","sc-7.21","sc-8","sc-8.1","sc-10","sc-12","sc-12.1","sc-13","sc-15","sc-17","sc-18","sc-20","sc-21","sc-22","sc-23","sc-24","sc-28","sc-28.1","sc-39","si-1","si-2","si-2.2","si-3","si-4","si-4.2","si-4.4","si-4.5","si-4.10","si-4.12","si-4.14","si-4.20","si-4.22","si-5","si-5.1","si-6","si-7","si-7.1","si-7.2","si-7.5","si-7.7","si-7.15","si-8","si-8.2","si-10","si-11","si-12","si-16","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-6","sr-8","sr-9","sr-9.1","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
+{"profile":{"uuid":"cd073316-7c58-4c34-9f5c-9eb5aa722683","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE","last-modified":"2023-12-04T14:55:00.000000-04:00","version":"5.1.1+u2","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"c748c806-1d77-4695-bb40-e117b2afa82e","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]},{"role-id":"contact","party-uuids":["c748c806-1d77-4695-bb40-e117b2afa82e"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-2.1","ac-2.2","ac-2.3","ac-2.4","ac-2.5","ac-2.11","ac-2.12","ac-2.13","ac-3","ac-4","ac-4.4","ac-5","ac-6","ac-6.1","ac-6.2","ac-6.3","ac-6.5","ac-6.7","ac-6.9","ac-6.10","ac-7","ac-8","ac-10","ac-11","ac-11.1","ac-12","ac-14","ac-17","ac-17.1","ac-17.2","ac-17.3","ac-17.4","ac-18","ac-18.1","ac-18.3","ac-18.4","ac-18.5","ac-19","ac-19.5","ac-20","ac-20.1","ac-20.2","ac-21","ac-22","at-1","at-2","at-2.2","at-2.3","at-3","at-4","au-1","au-2","au-3","au-3.1","au-4","au-5","au-5.1","au-5.2","au-6","au-6.1","au-6.3","au-6.5","au-6.6","au-7","au-7.1","au-8","au-9","au-9.2","au-9.3","au-9.4","au-10","au-11","au-12","au-12.1","au-12.3","ca-1","ca-2","ca-2.1","ca-2.2","ca-3","ca-3.6","ca-5","ca-6","ca-7","ca-7.1","ca-7.4","ca-8","ca-8.1","ca-9","cm-1","cm-2","cm-2.2","cm-2.3","cm-2.7","cm-3","cm-3.1","cm-3.2","cm-3.4","cm-3.6","cm-4","cm-4.1","cm-4.2","cm-5","cm-5.1","cm-6","cm-6.1","cm-6.2","cm-7","cm-7.1","cm-7.2","cm-7.5","cm-8","cm-8.1","cm-8.2","cm-8.3","cm-8.4","cm-9","cm-10","cm-11","cm-12","cm-12.1","cp-1","cp-2","cp-2.1","cp-2.2","cp-2.3","cp-2.5","cp-2.8","cp-3","cp-3.1","cp-4","cp-4.1","cp-4.2","cp-6","cp-6.1","cp-6.2","cp-6.3","cp-7","cp-7.1","cp-7.2","cp-7.3","cp-7.4","cp-8","cp-8.1","cp-8.2","cp-8.3","cp-8.4","cp-9","cp-9.1","cp-9.2","cp-9.3","cp-9.5","cp-9.8","cp-10","cp-10.2","cp-10.4","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.5","ia-2.8","ia-2.12","ia-3","ia-4","ia-4.4","ia-5","ia-5.1","ia-5.2","ia-5.6","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ia-12","ia-12.2","ia-12.3","ia-12.4","ia-12.5","ir-1","ir-2","ir-2.1","ir-2.2","ir-3","ir-3.2","ir-4","ir-4.1","ir-4.4","ir-4.11","ir-5","ir-5.1","ir-6","ir-6.1","ir-6.3","ir-7","ir-7.1","ir-8","ma-1","ma-2","ma-2.2","ma-3","ma-3.1","ma-3.2","ma-3.3","ma-4","ma-4.3","ma-5","ma-5.1","ma-6","mp-1","mp-2","mp-3","mp-4","mp-5","mp-6","mp-6.1","mp-6.2","mp-6.3","mp-7","pe-1","pe-2","pe-3","pe-3.1","pe-4","pe-5","pe-6","pe-6.1","pe-6.4","pe-8","pe-8.1","pe-9","pe-10","pe-11","pe-11.1","pe-12","pe-13","pe-13.1","pe-13.2","pe-14","pe-15","pe-15.1","pe-16","pe-17","pe-18","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-4.2","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.4","ra-5.5","ra-5.11","ra-7","ra-9","sa-1","sa-2","sa-3","sa-4","sa-4.1","sa-4.2","sa-4.5","sa-4.9","sa-4.10","sa-5","sa-8","sa-9","sa-9.2","sa-10","sa-11","sa-15","sa-15.3","sa-16","sa-17","sa-21","sa-22","sc-1","sc-2","sc-3","sc-4","sc-5","sc-7","sc-7.3","sc-7.4","sc-7.5","sc-7.7","sc-7.8","sc-7.18","sc-7.21","sc-8","sc-8.1","sc-10","sc-12","sc-12.1","sc-13","sc-15","sc-17","sc-18","sc-20","sc-21","sc-22","sc-23","sc-24","sc-28","sc-28.1","sc-39","si-1","si-2","si-2.2","si-3","si-4","si-4.2","si-4.4","si-4.5","si-4.10","si-4.12","si-4.14","si-4.20","si-4.22","si-5","si-5.1","si-6","si-7","si-7.1","si-7.2","si-7.5","si-7.7","si-7.15","si-8","si-8.2","si-10","si-11","si-12","si-16","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-6","sr-8","sr-9","sr-9.1","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json
index a581caa1..d40fae99 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json
@@ -1,10 +1,10 @@
 {
   "profile": {
-    "uuid": "beade175-48ad-47c0-ac38-e9c2514cba22",
+    "uuid": "cd073316-7c58-4c34-9f5c-9eb5aa722683",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE",
-      "last-modified": "2023-10-12T00:00:00.000000-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE",
+      "last-modified": "2023-12-04T14:55:00.000000-04:00",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "roles": [
         {
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog-min.json
index f55b5b35..5385227c 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"8a6a307c-2c1d-47ef-9bcb-6362480d31cb","metadata":{"title":"NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE","last-modified":"2023-11-02T11:49:44.518316-04:00","version":"Final","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_LOW-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"984e6c07-b5b6-4ab6-b22b-283609c325e6","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]},{"role-id":"contact","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;"},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."}]}]}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;"},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;"},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;"},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;"},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;"},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;"}]}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; "},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;"},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;"},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;"},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes."}]}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;"},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included."}]}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;"},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."}]}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections."}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections."}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized."}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.1","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.2","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;"},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered."}]}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; "},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"}]}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."}]}]}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"}]}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;"},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided."}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"}]}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};"},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training."}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;"},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."}]}]}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;"},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;"},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;"},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;"},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;"},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};"},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;"},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;"},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;"},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."}]}]}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"}]}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;"},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;"},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;"},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."}]}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring."}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;"},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;"},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;"},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;"},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."}]}]}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;"},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."}]}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;"},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation."}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;"},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced."}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;"},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;"},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures."}]}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."}]}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;"},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;"},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;"},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;"},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."}]}]}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;"},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;"},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;"},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;"},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;"},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"}]}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;"},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;"},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;"},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification."}]}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."}]}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;"},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed."}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;"},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;"},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected."}]}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;"},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."}]}]}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;"},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts."},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented."},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified."},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;"},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;"},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;"},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;"},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;"},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;"},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained."}]}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;"},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."}]}]}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."}]}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;"},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;"},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;"},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;"},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;"},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;"},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization."}]}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;"},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented."}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;"},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;"},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;"},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;"},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;"},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification."}]}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;"},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."}]}]}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;"},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;"},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;"},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed."}]}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;"},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;"},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;"},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."}]}]}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;"},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."}]}]}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;"},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;"},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;"},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required."}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;"},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;"},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;"},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."}]}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;"},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities."}]}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;"},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility."}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;"},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;"},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;"},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;"},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;"},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained."}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;"},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;"},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel."}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained."}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented."},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."}]}]}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;"},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;"},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;"},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;"},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;"},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification."}]}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;"},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected."},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions."},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;"},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."}]}]}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;"},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;"},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;"},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."}]}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;"},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;"},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;"},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;"},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;"},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored."}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;"},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions."}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;"},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."}]}]}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;"},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;"},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;"},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;"},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance."}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;"},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."}]}]}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;"},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;"},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation."}]}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;"},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;"},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;"},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities."}]}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"}]}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"}]}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;"},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;"},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;"},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;"},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."}]}]}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;"},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;"},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;"},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;"},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices."}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."}]}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources."}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;"},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;"},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation."}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process."},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;"},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."}]}]}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;"},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;"},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;"},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process."}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"}]}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;"},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;"},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;"}]}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;"},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;"},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;"},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;"},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."}]}]}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;"},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;"},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification."}]}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;"},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;"},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"64d89a61-c70c-49bc-9e1b-b620e2b3d855","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE","last-modified":"2023-12-05T21:54:50.284874Z","version":"5.1.1+u2","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_LOW-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"984e6c07-b5b6-4ab6-b22b-283609c325e6","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]},{"role-id":"contact","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ac-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;","links":[{"href":"#ac-1_smt.b","rel":"assessment-for"}]},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt","rel":"assessment-for"}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;","links":[{"href":"#ac-2_smt.b","rel":"assessment-for"}]},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;","links":[{"href":"#ac-2_smt.c","rel":"assessment-for"}]},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;","links":[{"href":"#ac-2_smt.d.1","rel":"assessment-for"}]},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;","links":[{"href":"#ac-2_smt.d.2","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d","rel":"assessment-for"}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;","links":[{"href":"#ac-2_smt.e","rel":"assessment-for"}]},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; ","links":[{"href":"#ac-2_smt.g","rel":"assessment-for"}]},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;","links":[{"href":"#ac-2_smt.h.1","rel":"assessment-for"}]},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;","links":[{"href":"#ac-2_smt.h.2","rel":"assessment-for"}]},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;","links":[{"href":"#ac-2_smt.h.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.h","rel":"assessment-for"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;","links":[{"href":"#ac-2_smt.i.1","rel":"assessment-for"}]},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;","links":[{"href":"#ac-2_smt.i.2","rel":"assessment-for"}]},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};","links":[{"href":"#ac-2_smt.i.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.i","rel":"assessment-for"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};","links":[{"href":"#ac-2_smt.j","rel":"assessment-for"}]},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes.","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt","rel":"assessment-for"}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.","links":[{"href":"#ac-3_smt","rel":"assessment-for"}]},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;","links":[{"href":"#ac-7_smt.a","rel":"assessment-for"}]},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.","links":[{"href":"#ac-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-7_smt","rel":"assessment-for"}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;","links":[{"href":"#ac-8_smt.a.1","rel":"assessment-for"}]},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;","links":[{"href":"#ac-8_smt.a.2","rel":"assessment-for"}]},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and","links":[{"href":"#ac-8_smt.a.3","rel":"assessment-for"}]},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;","links":[{"href":"#ac-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.a","rel":"assessment-for"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;","links":[{"href":"#ac-8_smt.b","rel":"assessment-for"}]},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;","links":[{"href":"#ac-8_smt.c.1","rel":"assessment-for"}]},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;","links":[{"href":"#ac-8_smt.c.2","rel":"assessment-for"}]},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included.","links":[{"href":"#ac-8_smt.c.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt","rel":"assessment-for"}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;","links":[{"href":"#ac-14_smt.a","rel":"assessment-for"}]},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt","rel":"assessment-for"}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt","rel":"assessment-for"}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt","rel":"assessment-for"}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized.","links":[{"href":"#ac-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt","rel":"assessment-for"}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.01","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);","links":[{"href":"#ac-20_smt.a.1","rel":"assessment-for"}]},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.02","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);","links":[{"href":"#ac-20_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt.a","rel":"assessment-for"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).","links":[{"href":"#ac-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt","rel":"assessment-for"}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;","links":[{"href":"#ac-22_smt.a","rel":"assessment-for"}]},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;","links":[{"href":"#ac-22_smt.b","rel":"assessment-for"}]},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;","links":[{"href":"#ac-22_smt.c","rel":"assessment-for"}]},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered.","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt","rel":"assessment-for"}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; ","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and","links":[{"href":"#at-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;","links":[{"href":"#at-1_smt.b","rel":"assessment-for"}]},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt","rel":"assessment-for"}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a","rel":"assessment-for"}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;","links":[{"href":"#at-2_smt.b","rel":"assessment-for"}]},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.","links":[{"href":"#at-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt","rel":"assessment-for"}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided.","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a","rel":"assessment-for"}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training.","links":[{"href":"#at-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt","rel":"assessment-for"}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}.","links":[{"href":"#at-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt","rel":"assessment-for"}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;","links":[{"href":"#au-1_smt.b","rel":"assessment-for"}]},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt","rel":"assessment-for"}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;","links":[{"href":"#au-2_smt.a","rel":"assessment-for"}]},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;","links":[{"href":"#au-2_smt.b","rel":"assessment-for"}]},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;","links":[{"href":"#au-2_smt.d","rel":"assessment-for"}]},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.","links":[{"href":"#au-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt","rel":"assessment-for"}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;","links":[{"href":"#au-3_smt.a","rel":"assessment-for"}]},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;","links":[{"href":"#au-3_smt.b","rel":"assessment-for"}]},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;","links":[{"href":"#au-3_smt.c","rel":"assessment-for"}]},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;","links":[{"href":"#au-3_smt.d","rel":"assessment-for"}]},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;","links":[{"href":"#au-3_smt.e","rel":"assessment-for"}]},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event.","links":[{"href":"#au-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#au-3_smt","rel":"assessment-for"}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.","links":[{"href":"#au-4_smt","rel":"assessment-for"}]},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};","links":[{"href":"#au-5_smt.a","rel":"assessment-for"}]},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.","links":[{"href":"#au-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-5_smt","rel":"assessment-for"}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;","links":[{"href":"#au-6_smt.a","rel":"assessment-for"}]},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};","links":[{"href":"#au-6_smt.b","rel":"assessment-for"}]},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.","links":[{"href":"#au-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-6_smt","rel":"assessment-for"}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;","links":[{"href":"#au-8_smt.a","rel":"assessment-for"}]},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.","links":[{"href":"#au-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-8_smt","rel":"assessment-for"}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;","links":[{"href":"#au-9_smt.a","rel":"assessment-for"}]},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.","links":[{"href":"#au-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-9_smt","rel":"assessment-for"}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","links":[{"href":"#au-11_smt","rel":"assessment-for"}]},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};","links":[{"href":"#au-12_smt.a","rel":"assessment-for"}]},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;","links":[{"href":"#au-12_smt.b","rel":"assessment-for"}]},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.","links":[{"href":"#au-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-12_smt","rel":"assessment-for"}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ca-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;","links":[{"href":"#ca-1_smt.b","rel":"assessment-for"}]},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt","rel":"assessment-for"}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;","links":[{"href":"#ca-2_smt.a","rel":"assessment-for"}]},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;","links":[{"href":"#ca-2_smt.b.1","rel":"assessment-for"}]},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;","links":[{"href":"#ca-2_smt.b.2","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b","rel":"assessment-for"}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;","links":[{"href":"#ca-2_smt.c","rel":"assessment-for"}]},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;","links":[{"href":"#ca-2_smt.e","rel":"assessment-for"}]},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.","links":[{"href":"#ca-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt","rel":"assessment-for"}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};","links":[{"href":"#ca-3_smt.a","rel":"assessment-for"}]},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.","links":[{"href":"#ca-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt","rel":"assessment-for"}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;","links":[{"href":"#ca-5_smt.a","rel":"assessment-for"}]},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.","links":[{"href":"#ca-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-5_smt","rel":"assessment-for"}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;","links":[{"href":"#ca-6_smt.a","rel":"assessment-for"}]},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.b","rel":"assessment-for"}]},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;","links":[{"href":"#ca-6_smt.c.1","rel":"assessment-for"}]},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;","links":[{"href":"#ca-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt.c","rel":"assessment-for"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.d","rel":"assessment-for"}]},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}.","links":[{"href":"#ca-6_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt","rel":"assessment-for"}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};","links":[{"href":"#ca-7_smt.a","rel":"assessment-for"}]},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.c","rel":"assessment-for"}]},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.d","rel":"assessment-for"}]},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;","links":[{"href":"#ca-7_smt.e","rel":"assessment-for"}]},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;","links":[{"href":"#ca-7_smt.f","rel":"assessment-for"}]},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.a","rel":"assessment-for"}]},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.b","rel":"assessment-for"}]},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring.","links":[{"href":"#ca-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.4_smt","rel":"assessment-for"}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;","links":[{"href":"#ca-9_smt.a","rel":"assessment-for"}]},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};","links":[{"href":"#ca-9_smt.c","rel":"assessment-for"}]},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.","links":[{"href":"#ca-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt","rel":"assessment-for"}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cm-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;","links":[{"href":"#cm-1_smt.b","rel":"assessment-for"}]},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt","rel":"assessment-for"}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};","links":[{"href":"#cm-2_smt.b.1","rel":"assessment-for"}]},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};","links":[{"href":"#cm-2_smt.b.2","rel":"assessment-for"}]},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.","links":[{"href":"#cm-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt","rel":"assessment-for"}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation.","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced.","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};","links":[{"href":"#cm-6_smt.a","rel":"assessment-for"}]},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;","links":[{"href":"#cm-6_smt.b","rel":"assessment-for"}]},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures.","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt","rel":"assessment-for"}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};","links":[{"href":"#cm-7_smt.a","rel":"assessment-for"}]},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt","rel":"assessment-for"}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;","links":[{"href":"#cm-8_smt.a.1","rel":"assessment-for"}]},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;","links":[{"href":"#cm-8_smt.a.2","rel":"assessment-for"}]},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;","links":[{"href":"#cm-8_smt.a.3","rel":"assessment-for"}]},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;","links":[{"href":"#cm-8_smt.a.4","rel":"assessment-for"}]},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;","links":[{"href":"#cm-8_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt.a","rel":"assessment-for"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.","links":[{"href":"#cm-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt","rel":"assessment-for"}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;","links":[{"href":"#cm-10_smt.a","rel":"assessment-for"}]},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;","links":[{"href":"#cm-10_smt.b","rel":"assessment-for"}]},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.","links":[{"href":"#cm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-10_smt","rel":"assessment-for"}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;","links":[{"href":"#cm-11_smt.a","rel":"assessment-for"}]},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};","links":[{"href":"#cm-11_smt.b","rel":"assessment-for"}]},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.","links":[{"href":"#cm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-11_smt","rel":"assessment-for"}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;","links":[{"href":"#cp-1_smt.b","rel":"assessment-for"}]},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt","rel":"assessment-for"}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;","links":[{"href":"#cp-2_smt.a.1","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;","links":[{"href":"#cp-2_smt.a.4","rel":"assessment-for"}]},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;","links":[{"href":"#cp-2_smt.a.5","rel":"assessment-for"}]},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;","links":[{"href":"#cp-2_smt.a.6","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a","rel":"assessment-for"}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;","links":[{"href":"#cp-2_smt.c","rel":"assessment-for"}]},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};","links":[{"href":"#cp-2_smt.d","rel":"assessment-for"}]},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification.","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt","rel":"assessment-for"}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;","links":[{"href":"#cp-3_smt.a.1","rel":"assessment-for"}]},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#cp-3_smt.a.2","rel":"assessment-for"}]},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;","links":[{"href":"#cp-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.a","rel":"assessment-for"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt","rel":"assessment-for"}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;","links":[{"href":"#cp-4_smt.b","rel":"assessment-for"}]},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed.","links":[{"href":"#cp-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt","rel":"assessment-for"}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};","links":[{"href":"#cp-9_smt.a","rel":"assessment-for"}]},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};","links":[{"href":"#cp-9_smt.b","rel":"assessment-for"}]},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};","links":[{"href":"#cp-9_smt.c","rel":"assessment-for"}]},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected.","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt","rel":"assessment-for"}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ia-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;","links":[{"href":"#ia-1_smt.b","rel":"assessment-for"}]},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt","rel":"assessment-for"}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts.","links":[{"href":"#ia-2.1_smt","rel":"assessment-for"}]},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented.","links":[{"href":"#ia-2.2_smt","rel":"assessment-for"}]},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.","links":[{"href":"#ia-2.8_smt","rel":"assessment-for"}]},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified.","links":[{"href":"#ia-2.12_smt","rel":"assessment-for"}]},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;","links":[{"href":"#ia-4_smt.a","rel":"assessment-for"}]},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.b","rel":"assessment-for"}]},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.c","rel":"assessment-for"}]},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.","links":[{"href":"#ia-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ia-4_smt","rel":"assessment-for"}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;","links":[{"href":"#ia-5_smt.a","rel":"assessment-for"}]},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;","links":[{"href":"#ia-5_smt.b","rel":"assessment-for"}]},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;","links":[{"href":"#ia-5_smt.c","rel":"assessment-for"}]},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;","links":[{"href":"#ia-5_smt.d","rel":"assessment-for"}]},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;","links":[{"href":"#ia-5_smt.e","rel":"assessment-for"}]},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;","links":[{"href":"#ia-5_smt.f","rel":"assessment-for"}]},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;","links":[{"href":"#ia-5_smt.g","rel":"assessment-for"}]},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.","links":[{"href":"#ia-5_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt","rel":"assessment-for"}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;","links":[{"href":"#ia-5.1_smt.a","rel":"assessment-for"}]},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);","links":[{"href":"#ia-5.1_smt.b","rel":"assessment-for"}]},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;","links":[{"href":"#ia-5.1_smt.c","rel":"assessment-for"}]},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;","links":[{"href":"#ia-5.1_smt.d","rel":"assessment-for"}]},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;","links":[{"href":"#ia-5.1_smt.e","rel":"assessment-for"}]},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;","links":[{"href":"#ia-5.1_smt.f","rel":"assessment-for"}]},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;","links":[{"href":"#ia-5.1_smt.g","rel":"assessment-for"}]},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.","links":[{"href":"#ia-5.1_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.1_smt","rel":"assessment-for"}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.","links":[{"href":"#ia-6_smt","rel":"assessment-for"}]},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.","links":[{"href":"#ia-7_smt","rel":"assessment-for"}]},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.","links":[{"href":"#ia-8_smt","rel":"assessment-for"}]},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;","links":[{"href":"#ia-8.2_smt.a","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained.","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt","rel":"assessment-for"}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.","links":[{"href":"#ia-8.4_smt","rel":"assessment-for"}]},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}.","links":[{"href":"#ia-11_smt","rel":"assessment-for"}]},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ir-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;","links":[{"href":"#ir-1_smt.b","rel":"assessment-for"}]},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt","rel":"assessment-for"}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;","links":[{"href":"#ir-2_smt.a.1","rel":"assessment-for"}]},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#ir-2_smt.a.2","rel":"assessment-for"}]},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;","links":[{"href":"#ir-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.a","rel":"assessment-for"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt","rel":"assessment-for"}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;","links":[{"href":"#ir-4_smt.b","rel":"assessment-for"}]},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization.","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt","rel":"assessment-for"}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented.","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};","links":[{"href":"#ir-6_smt.a","rel":"assessment-for"}]},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}.","links":[{"href":"#ir-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-6_smt","rel":"assessment-for"}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;","links":[{"href":"#ir-8_smt.a.1","rel":"assessment-for"}]},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;","links":[{"href":"#ir-8_smt.a.2","rel":"assessment-for"}]},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;","links":[{"href":"#ir-8_smt.a.3","rel":"assessment-for"}]},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;","links":[{"href":"#ir-8_smt.a.4","rel":"assessment-for"}]},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;","links":[{"href":"#ir-8_smt.a.5","rel":"assessment-for"}]},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;","links":[{"href":"#ir-8_smt.a.6","rel":"assessment-for"}]},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;","links":[{"href":"#ir-8_smt.a.7","rel":"assessment-for"}]},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;","links":[{"href":"#ir-8_smt.a.8","rel":"assessment-for"}]},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};","links":[{"href":"#ir-8_smt.a.9","rel":"assessment-for"}]},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.","links":[{"href":"#ir-8_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.a","rel":"assessment-for"}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;","links":[{"href":"#ir-8_smt.c","rel":"assessment-for"}]},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification.","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt","rel":"assessment-for"}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ma-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;","links":[{"href":"#ma-1_smt.b","rel":"assessment-for"}]},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt","rel":"assessment-for"}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.c","rel":"assessment-for"}]},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.d","rel":"assessment-for"}]},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;","links":[{"href":"#ma-2_smt.e","rel":"assessment-for"}]},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.","links":[{"href":"#ma-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt","rel":"assessment-for"}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;","links":[{"href":"#ma-4_smt.c","rel":"assessment-for"}]},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;","links":[{"href":"#ma-4_smt.d","rel":"assessment-for"}]},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed.","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt","rel":"assessment-for"}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;","links":[{"href":"#ma-5_smt.b","rel":"assessment-for"}]},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.","links":[{"href":"#ma-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt","rel":"assessment-for"}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#mp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.","links":[{"href":"#mp-1_smt.b","rel":"assessment-for"}]},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt","rel":"assessment-for"}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.","links":[{"href":"#mp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt","rel":"assessment-for"}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};","links":[{"href":"#mp-7_smt.a","rel":"assessment-for"}]},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.","links":[{"href":"#mp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-7_smt","rel":"assessment-for"}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pe-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;","links":[{"href":"#pe-1_smt.b","rel":"assessment-for"}]},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt","rel":"assessment-for"}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;","links":[{"href":"#pe-2_smt.b","rel":"assessment-for"}]},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};","links":[{"href":"#pe-2_smt.c","rel":"assessment-for"}]},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required.","links":[{"href":"#pe-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt","rel":"assessment-for"}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;","links":[{"href":"#pe-3_smt.a.1","rel":"assessment-for"}]},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};","links":[{"href":"#pe-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.a","rel":"assessment-for"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};","links":[{"href":"#pe-3_smt.b","rel":"assessment-for"}]},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};","links":[{"href":"#pe-3_smt.c","rel":"assessment-for"}]},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};","links":[{"href":"#pe-3_smt.f","rel":"assessment-for"}]},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt","rel":"assessment-for"}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;","links":[{"href":"#pe-6_smt.a","rel":"assessment-for"}]},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities.","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt","rel":"assessment-for"}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};","links":[{"href":"#pe-8_smt.a","rel":"assessment-for"}]},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};","links":[{"href":"#pe-8_smt.b","rel":"assessment-for"}]},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.","links":[{"href":"#pe-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-8_smt","rel":"assessment-for"}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility.","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained.","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;","links":[{"href":"#pe-14_smt.a","rel":"assessment-for"}]},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.","links":[{"href":"#pe-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-14_smt","rel":"assessment-for"}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel.","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained.","links":[{"href":"#pe-16_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt","rel":"assessment-for"}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented.","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pl-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;","links":[{"href":"#pl-1_smt.b","rel":"assessment-for"}]},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt","rel":"assessment-for"}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a","rel":"assessment-for"}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};","links":[{"href":"#pl-2_smt.c","rel":"assessment-for"}]},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification.","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt","rel":"assessment-for"}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;","links":[{"href":"#pl-4_smt.b","rel":"assessment-for"}]},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};","links":[{"href":"#pl-4_smt.c","rel":"assessment-for"}]},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.","links":[{"href":"#pl-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt","rel":"assessment-for"}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;","links":[{"href":"#pl-4.1_smt.a","rel":"assessment-for"}]},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;","links":[{"href":"#pl-4.1_smt.b","rel":"assessment-for"}]},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications.","links":[{"href":"#pl-4.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-4.1_smt","rel":"assessment-for"}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected.","links":[{"href":"#pl-10_smt","rel":"assessment-for"}]},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions.","links":[{"href":"#pl-11_smt","rel":"assessment-for"}]},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ps-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;","links":[{"href":"#ps-1_smt.b","rel":"assessment-for"}]},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt","rel":"assessment-for"}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;","links":[{"href":"#ps-2_smt.a","rel":"assessment-for"}]},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;","links":[{"href":"#ps-2_smt.b","rel":"assessment-for"}]},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.","links":[{"href":"#ps-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-2_smt","rel":"assessment-for"}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;","links":[{"href":"#ps-3_smt.a","rel":"assessment-for"}]},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt","rel":"assessment-for"}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};","links":[{"href":"#ps-4_smt.a","rel":"assessment-for"}]},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;","links":[{"href":"#ps-4_smt.b","rel":"assessment-for"}]},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;","links":[{"href":"#ps-4_smt.c","rel":"assessment-for"}]},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;","links":[{"href":"#ps-4_smt.d","rel":"assessment-for"}]},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.","links":[{"href":"#ps-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-4_smt","rel":"assessment-for"}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;","links":[{"href":"#ps-5_smt.a","rel":"assessment-for"}]},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};","links":[{"href":"#ps-5_smt.b","rel":"assessment-for"}]},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;","links":[{"href":"#ps-5_smt.c","rel":"assessment-for"}]},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.","links":[{"href":"#ps-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ps-5_smt","rel":"assessment-for"}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;","links":[{"href":"#ps-6_smt.a","rel":"assessment-for"}]},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};","links":[{"href":"#ps-6_smt.b","rel":"assessment-for"}]},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;","links":[{"href":"#ps-6_smt.c.1","rel":"assessment-for"}]},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.","links":[{"href":"#ps-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt","rel":"assessment-for"}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;","links":[{"href":"#ps-7_smt.a","rel":"assessment-for"}]},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;","links":[{"href":"#ps-7_smt.b","rel":"assessment-for"}]},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;","links":[{"href":"#ps-7_smt.c","rel":"assessment-for"}]},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};","links":[{"href":"#ps-7_smt.d","rel":"assessment-for"}]},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored.","links":[{"href":"#ps-7_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-7_smt","rel":"assessment-for"}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;","links":[{"href":"#ps-8_smt.a","rel":"assessment-for"}]},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.","links":[{"href":"#ps-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-8_smt","rel":"assessment-for"}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions.","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ra-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;","links":[{"href":"#ra-1_smt.b","rel":"assessment-for"}]},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt","rel":"assessment-for"}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;","links":[{"href":"#ra-2_smt.a","rel":"assessment-for"}]},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;","links":[{"href":"#ra-2_smt.b","rel":"assessment-for"}]},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.","links":[{"href":"#ra-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-2_smt","rel":"assessment-for"}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;","links":[{"href":"#ra-3_smt.a.1","rel":"assessment-for"}]},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;","links":[{"href":"#ra-3_smt.a.2","rel":"assessment-for"}]},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;","links":[{"href":"#ra-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt.a","rel":"assessment-for"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;","links":[{"href":"#ra-3_smt.b","rel":"assessment-for"}]},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};","links":[{"href":"#ra-3_smt.c","rel":"assessment-for"}]},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};","links":[{"href":"#ra-3_smt.d","rel":"assessment-for"}]},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};","links":[{"href":"#ra-3_smt.e","rel":"assessment-for"}]},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.","links":[{"href":"#ra-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt","rel":"assessment-for"}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;","links":[{"href":"#ra-3.1_smt.a","rel":"assessment-for"}]},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.","links":[{"href":"#ra-3.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-3.1_smt","rel":"assessment-for"}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;","links":[{"href":"#ra-5_smt.b.1","rel":"assessment-for"}]},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;","links":[{"href":"#ra-5_smt.b.2","rel":"assessment-for"}]},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;","links":[{"href":"#ra-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.b","rel":"assessment-for"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;","links":[{"href":"#ra-5_smt.c","rel":"assessment-for"}]},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;","links":[{"href":"#ra-5_smt.d","rel":"assessment-for"}]},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;","links":[{"href":"#ra-5_smt.e","rel":"assessment-for"}]},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.","links":[{"href":"#ra-5_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt","rel":"assessment-for"}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.","links":[{"href":"#ra-5.2_smt","rel":"assessment-for"}]},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.","links":[{"href":"#ra-5.11_smt","rel":"assessment-for"}]},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance.","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sa-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;","links":[{"href":"#sa-1_smt.b","rel":"assessment-for"}]},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt","rel":"assessment-for"}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation.","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt","rel":"assessment-for"}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities.","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt","rel":"assessment-for"}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.b","rel":"assessment-for"}]},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.g","rel":"assessment-for"}]},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.","links":[{"href":"#sa-4_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt","rel":"assessment-for"}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.","links":[{"href":"#sa-4.10_smt","rel":"assessment-for"}]},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a","rel":"assessment-for"}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b","rel":"assessment-for"}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}.","links":[{"href":"#sa-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt","rel":"assessment-for"}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.","links":[{"href":"#sa-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt","rel":"assessment-for"}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;","links":[{"href":"#sa-22_smt.a","rel":"assessment-for"}]},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.","links":[{"href":"#sa-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-22_smt","rel":"assessment-for"}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sc-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;","links":[{"href":"#sc-1_smt.b","rel":"assessment-for"}]},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt","rel":"assessment-for"}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};","links":[{"href":"#sc-5_smt.a","rel":"assessment-for"}]},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.","links":[{"href":"#sc-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-5_smt","rel":"assessment-for"}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;","links":[{"href":"#sc-7_smt.b","rel":"assessment-for"}]},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","links":[{"href":"#sc-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt","rel":"assessment-for"}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;","links":[{"href":"#sc-13_smt.a","rel":"assessment-for"}]},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.","links":[{"href":"#sc-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-13_smt","rel":"assessment-for"}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};","links":[{"href":"#sc-15_smt.a","rel":"assessment-for"}]},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices.","links":[{"href":"#sc-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-15_smt","rel":"assessment-for"}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt","rel":"assessment-for"}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources.","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation.","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process.","links":[{"href":"#sc-39_smt","rel":"assessment-for"}]},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#si-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;","links":[{"href":"#si-1_smt.b","rel":"assessment-for"}]},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt","rel":"assessment-for"}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process.","links":[{"href":"#si-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt","rel":"assessment-for"}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;","links":[{"href":"#si-3_smt.b","rel":"assessment-for"}]},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c","rel":"assessment-for"}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.","links":[{"href":"#si-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt","rel":"assessment-for"}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};","links":[{"href":"#si-4_smt.a.1","rel":"assessment-for"}]},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a","rel":"assessment-for"}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};","links":[{"href":"#si-4_smt.b","rel":"assessment-for"}]},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;","links":[{"href":"#si-4_smt.c.1","rel":"assessment-for"}]},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;","links":[{"href":"#si-4_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.c","rel":"assessment-for"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;","links":[{"href":"#si-4_smt.e","rel":"assessment-for"}]},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;","links":[{"href":"#si-4_smt.f","rel":"assessment-for"}]},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.","links":[{"href":"#si-4_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt","rel":"assessment-for"}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;","links":[{"href":"#si-5_smt.a","rel":"assessment-for"}]},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;","links":[{"href":"#si-5_smt.b","rel":"assessment-for"}]},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};","links":[{"href":"#si-5_smt.c","rel":"assessment-for"}]},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.","links":[{"href":"#si-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-5_smt","rel":"assessment-for"}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.","links":[{"href":"#si-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sr-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;","links":[{"href":"#sr-1_smt.b","rel":"assessment-for"}]},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt","rel":"assessment-for"}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;","links":[{"href":"#sr-2_smt.b","rel":"assessment-for"}]},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification.","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt","rel":"assessment-for"}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.","links":[{"href":"#sr-2.1_smt","rel":"assessment-for"}]},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;","links":[{"href":"#sr-3_smt.b","rel":"assessment-for"}]},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.","links":[{"href":"#sr-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt","rel":"assessment-for"}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.","links":[{"href":"#sr-8_smt","rel":"assessment-for"}]},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.","links":[{"href":"#sr-10_smt","rel":"assessment-for"}]},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.","links":[{"href":"#sr-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt","rel":"assessment-for"}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).","links":[{"href":"#sr-11.1_smt","rel":"assessment-for"}]},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.","links":[{"href":"#sr-12_smt","rel":"assessment-for"}]},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.json
index d806f45c..0890c6df 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.json
@@ -1,10 +1,10 @@
 {
   "catalog": {
-    "uuid": "8a6a307c-2c1d-47ef-9bcb-6362480d31cb",
+    "uuid": "64d89a61-c70c-49bc-9e1b-b620e2b3d855",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:44.518316-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE",
+      "last-modified": "2023-12-05T21:54:50.284874Z",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "props": [
         {
@@ -468,7 +468,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an access control policy is developed and documented;"
+                        "prose": "an access control policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-2",
@@ -480,7 +486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
+                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-3",
@@ -492,7 +504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"
+                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-4",
@@ -504,7 +522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"
+                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a.1",
@@ -538,7 +562,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-2",
@@ -550,7 +580,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-3",
@@ -562,7 +598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-4",
@@ -574,7 +616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-5",
@@ -586,7 +634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-6",
@@ -598,7 +652,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-7",
@@ -610,7 +670,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -624,10 +696,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -640,7 +730,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"
+                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-1_obj.c",
@@ -674,7 +770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"
+                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.1-2",
@@ -686,7 +788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"
+                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -711,7 +825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"
+                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.2-2",
@@ -723,12 +843,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."
+                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1410,7 +1554,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types allowed for use within the system are defined and documented;"
+                        "prose": "account types allowed for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.a-2",
@@ -1422,7 +1572,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types specifically prohibited for use within the system are defined and documented;"
+                        "prose": "account types specifically prohibited for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1436,7 +1598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "account managers are assigned;"
+                    "prose": "account managers are assigned;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.c",
@@ -1448,7 +1616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"
+                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.d",
@@ -1471,7 +1645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized users of the system are specified;"
+                        "prose": "authorized users of the system are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.2",
@@ -1483,7 +1663,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "group and role membership are specified;"
+                        "prose": "group and role membership are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.3",
@@ -1506,7 +1692,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access authorizations (i.e., privileges) are specified for each account;"
+                            "prose": "access authorizations (i.e., privileges) are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-2_obj.d.3-2",
@@ -1518,10 +1710,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;"
+                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.d",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -1534,7 +1744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"
+                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.f",
@@ -1557,7 +1773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-2",
@@ -1569,7 +1791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-3",
@@ -1581,7 +1809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-4",
@@ -1593,7 +1827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-5",
@@ -1605,7 +1845,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1619,7 +1871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of accounts is monitored; "
+                    "prose": "the use of accounts is monitored; ",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.h",
@@ -1642,7 +1900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.2",
@@ -1654,7 +1918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.3",
@@ -1666,7 +1936,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1691,7 +1973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on a valid access authorization;"
+                        "prose": "access to the system is authorized based on a valid access authorization;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.2",
@@ -1703,7 +1991,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on intended system usage;"
+                        "prose": "access to the system is authorized based on intended system usage;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.3",
@@ -1715,7 +2009,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"
+                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.i",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1729,7 +2035,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"
+                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.j",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.k",
@@ -1752,7 +2064,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.k-2",
@@ -1764,7 +2082,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.k",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1789,7 +2119,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel termination processes;"
+                        "prose": "account management processes are aligned with personnel termination processes;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.l-2",
@@ -1801,10 +2137,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel transfer processes."
+                        "prose": "account management processes are aligned with personnel transfer processes.",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.l",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -2028,6 +2382,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-3",
                 "rel": "related"
@@ -2126,7 +2484,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."
+                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
+                "links": [
+                  {
+                    "href": "#ac-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-3_asm-examine",
@@ -2431,7 +2795,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"
+                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7_obj.b",
@@ -2443,7 +2813,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."
+                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -2764,7 +3146,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that users are accessing a U.S. Government system;"
+                        "prose": "the system use notification states that users are accessing a U.S. Government system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.2",
@@ -2776,7 +3164,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;"
+                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.3",
@@ -2788,7 +3182,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"
+                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.4",
@@ -2800,7 +3200,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;"
+                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2814,7 +3226,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"
+                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;",
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-8_obj.c",
@@ -2837,7 +3255,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"
+                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.2",
@@ -2849,7 +3273,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"
+                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.3",
@@ -2861,10 +3291,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included."
+                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -3050,7 +3498,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"
+                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;",
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-14_obj.b",
@@ -3073,7 +3527,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;"
+                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-14_obj.b-2",
@@ -3085,10 +3545,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."
+                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -3329,7 +3807,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "usage restrictions are established and documented for each type of remote access allowed;"
+                        "prose": "usage restrictions are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-2",
@@ -3341,7 +3825,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;"
+                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-3",
@@ -3353,7 +3843,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established and documented for each type of remote access allowed;"
+                        "prose": "implementation guidance is established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3367,7 +3869,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of remote access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of remote access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -3591,7 +4105,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for each type of wireless access;"
+                        "prose": "configuration requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-2",
@@ -3603,7 +4123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for each type of wireless access;"
+                        "prose": "connection requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-3",
@@ -3615,7 +4141,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for each type of wireless access;"
+                        "prose": "implementation guidance is established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3629,7 +4167,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -3889,7 +4439,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-2",
@@ -3901,7 +4457,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-3",
@@ -3913,7 +4475,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3927,7 +4501,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the connection of mobile devices to organizational systems is authorized."
+                    "prose": "the connection of mobile devices to organizational systems is authorized.",
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -4252,11 +4838,17 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.1",
+                            "value": "AC-20a.01",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20_obj.a.2",
@@ -4264,11 +4856,23 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.2",
+                            "value": "AC-20a.02",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4282,7 +4886,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."
+                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).",
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -4499,7 +5115,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "designated individuals are authorized to make information publicly accessible;"
+                    "prose": "designated individuals are authorized to make information publicly accessible;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.b",
@@ -4511,7 +5133,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"
+                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.c",
@@ -4523,7 +5151,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"
+                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.d",
@@ -4546,7 +5180,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"
+                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-22_obj.d-2",
@@ -4558,10 +5198,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "non-public information is removed from the publicly accessible system, if discovered."
+                        "prose": "non-public information is removed from the publicly accessible system, if discovered.",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -5027,7 +5685,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an awareness and training policy is developed and documented; "
+                        "prose": "an awareness and training policy is developed and documented; ",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-2",
@@ -5039,7 +5703,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"
+                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-3",
@@ -5051,7 +5721,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"
+                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-4",
@@ -5063,7 +5739,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."
+                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a.1",
@@ -5097,7 +5779,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-2",
@@ -5109,7 +5797,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-3",
@@ -5121,7 +5815,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-4",
@@ -5133,7 +5833,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-5",
@@ -5145,7 +5851,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-6",
@@ -5157,7 +5869,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-7",
@@ -5169,7 +5887,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -5183,10 +5913,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"
+                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -5199,7 +5947,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"
+                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#at-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-1_obj.c",
@@ -5233,7 +5987,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "
+                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.1-2",
@@ -5245,7 +6005,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"
+                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -5270,7 +6042,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"
+                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.2-2",
@@ -5282,12 +6060,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."
+                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#at-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -5736,7 +6538,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-2",
@@ -5748,7 +6556,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-3",
@@ -5760,7 +6574,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-4",
@@ -5772,7 +6592,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -5797,7 +6629,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.2-2",
@@ -5809,10 +6647,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -5825,7 +6681,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"
+                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2_obj.c",
@@ -5848,7 +6710,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"
+                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2_obj.c-2",
@@ -5860,7 +6728,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"
+                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5874,7 +6754,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6017,7 +6909,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;"
+                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.2_obj-2",
@@ -6029,7 +6927,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential indicators of insider threat is provided."
+                        "prose": "literacy training on reporting potential indicators of insider threat is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6434,7 +7344,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-2",
@@ -6446,7 +7362,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-3",
@@ -6458,7 +7380,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-4",
@@ -6470,7 +7398,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -6495,7 +7435,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.2-2",
@@ -6507,10 +7453,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -6534,7 +7498,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};"
+                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3_obj.b-2",
@@ -6546,7 +7516,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};"
+                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6560,7 +7542,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
+                    "links": [
+                      {
+                        "href": "#at-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6779,7 +7773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-4_obj.a-2",
@@ -6791,7 +7791,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6805,7 +7817,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}."
+                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#at-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7264,7 +8288,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit and accountability policy is developed and documented;"
+                        "prose": "an audit and accountability policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-2",
@@ -7276,7 +8306,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"
+                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-3",
@@ -7288,7 +8324,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"
+                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-4",
@@ -7300,7 +8342,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"
+                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a.1",
@@ -7334,7 +8382,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-2",
@@ -7346,7 +8400,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-3",
@@ -7358,7 +8418,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-4",
@@ -7370,7 +8436,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-5",
@@ -7382,7 +8454,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-6",
@@ -7394,7 +8472,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-7",
@@ -7406,7 +8490,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -7420,10 +8516,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -7436,7 +8550,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"
+                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#au-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-1_obj.c",
@@ -7470,7 +8590,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.1-2",
@@ -7482,7 +8608,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -7507,7 +8645,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"
+                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.2-2",
@@ -7519,12 +8663,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."
+                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -7926,7 +9094,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"
+                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.b",
@@ -7938,7 +9112,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.c",
@@ -7961,7 +9141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"
+                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-2_obj.c-2",
@@ -7973,7 +9159,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"
+                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7987,7 +9185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"
+                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.e",
@@ -7999,7 +9203,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."
+                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -8241,7 +9457,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes what type of event occurred;"
+                    "prose": "audit records contain information that establishes what type of event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.b",
@@ -8253,7 +9475,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes when the event occurred;"
+                    "prose": "audit records contain information that establishes when the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.c",
@@ -8265,7 +9493,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes where the event occurred;"
+                    "prose": "audit records contain information that establishes where the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.d",
@@ -8277,7 +9511,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the source of the event;"
+                    "prose": "audit records contain information that establishes the source of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.e",
@@ -8289,7 +9529,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the outcome of the event;"
+                    "prose": "audit records contain information that establishes the outcome of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.f",
@@ -8301,7 +9547,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event."
+                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -8483,7 +9741,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."
+                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-4_asm-examine",
@@ -8732,7 +9996,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"
+                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5_obj.b",
@@ -8744,7 +10014,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."
+                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9103,7 +10385,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"
+                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.b",
@@ -9115,7 +10403,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};"
+                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.c",
@@ -9127,7 +10421,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
+                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9296,7 +10602,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system clocks are used to generate timestamps for audit records;"
+                    "prose": "internal system clocks are used to generate timestamps for audit records;",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-8_obj.b",
@@ -9308,7 +10620,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."
+                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9551,7 +10875,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"
+                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9_obj.b",
@@ -9563,7 +10893,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."
+                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9749,7 +11091,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+                "links": [
+                  {
+                    "href": "#au-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-11_asm-examine",
@@ -10007,7 +11355,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"
+                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.b",
@@ -10019,7 +11373,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;"
+                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.c",
@@ -10031,7 +11391,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."
+                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -10514,7 +11886,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;"
+                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-2",
@@ -10526,7 +11904,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"
+                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-3",
@@ -10538,7 +11922,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"
+                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-4",
@@ -10550,7 +11940,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"
+                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a.1",
@@ -10584,7 +11980,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-2",
@@ -10596,7 +11998,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-3",
@@ -10608,7 +12016,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-4",
@@ -10620,7 +12034,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-5",
@@ -10632,7 +12052,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-6",
@@ -10644,7 +12070,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-7",
@@ -10656,7 +12088,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -10670,10 +12114,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -10686,7 +12148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"
+                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-1_obj.c",
@@ -10720,7 +12188,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.1-2",
@@ -10732,7 +12206,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -10757,7 +12243,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.2-2",
@@ -10769,12 +12261,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -11127,7 +12643,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"
+                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.b",
@@ -11150,7 +12672,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.2",
@@ -11162,7 +12690,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.3",
@@ -11185,7 +12719,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-2",
@@ -11197,7 +12737,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-3",
@@ -11209,10 +12755,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -11225,7 +12789,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"
+                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.d",
@@ -11248,7 +12818,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.d-2",
@@ -11260,7 +12836,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11274,7 +12862,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a control assessment report is produced that documents the results of the assessment;"
+                    "prose": "a control assessment report is produced that documents the results of the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.f",
@@ -11286,7 +12880,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."
+                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -11583,7 +13189,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"
+                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3_obj.b",
@@ -11606,7 +13218,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the interface characteristics are documented as part of each exchange agreement;"
+                        "prose": "the interface characteristics are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-2",
@@ -11618,7 +13236,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security requirements are documented as part of each exchange agreement;"
+                        "prose": "security requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-3",
@@ -11630,7 +13254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy requirements are documented as part of each exchange agreement;"
+                        "prose": "privacy requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-4",
@@ -11642,7 +13272,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are documented as part of each exchange agreement;"
+                        "prose": "controls are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-5",
@@ -11654,7 +13290,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "responsibilities for each system are documented as part of each exchange agreement;"
+                        "prose": "responsibilities for each system are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-6",
@@ -11666,7 +13308,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;"
+                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11680,7 +13334,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."
+                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -11874,7 +13540,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"
+                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5_obj.b",
@@ -11886,7 +13558,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."
+                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12167,7 +13851,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for the system;"
+                    "prose": "a senior official is assigned as the authorizing official for the system;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.b",
@@ -12179,7 +13869,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"
+                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.c",
@@ -12202,7 +13898,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"
+                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6_obj.c.2",
@@ -12214,7 +13916,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;"
+                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12228,7 +13942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"
+                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.e",
@@ -12240,7 +13960,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}."
+                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12848,7 +14580,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-level continuous monitoring strategy is developed;"
+                    "prose": "a system-level continuous monitoring strategy is developed;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj-2",
@@ -12860,7 +14598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.a",
@@ -12872,7 +14616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"
+                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.b",
@@ -12895,7 +14645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.b-2",
@@ -12907,7 +14663,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12921,7 +14689,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.d",
@@ -12933,7 +14707,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.e",
@@ -12945,7 +14725,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"
+                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.f",
@@ -12957,7 +14743,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"
+                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.g",
@@ -12980,7 +14772,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"
+                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.g-2",
@@ -12992,10 +14790,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."
+                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -13174,7 +14990,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "effectiveness monitoring is included in risk monitoring;"
+                        "prose": "effectiveness monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.b",
@@ -13186,7 +15008,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance monitoring is included in risk monitoring;"
+                        "prose": "compliance monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.c",
@@ -13198,7 +15026,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "change monitoring is included in risk monitoring."
+                        "prose": "change monitoring is included in risk monitoring.",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13487,7 +15327,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"
+                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.b",
@@ -13510,7 +15356,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the interface characteristics are documented;"
+                        "prose": "for each internal connection, the interface characteristics are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-2",
@@ -13522,7 +15374,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the security requirements are documented;"
+                        "prose": "for each internal connection, the security requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-3",
@@ -13534,7 +15392,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the privacy requirements are documented;"
+                        "prose": "for each internal connection, the privacy requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-4",
@@ -13546,7 +15410,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the nature of the information communicated is documented;"
+                        "prose": "for each internal connection, the nature of the information communicated is documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13560,7 +15436,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"
+                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.d",
@@ -13572,7 +15454,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."
+                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14039,7 +15933,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a configuration management policy is developed and documented;"
+                        "prose": "a configuration management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-2",
@@ -14051,7 +15951,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"
+                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-3",
@@ -14063,7 +15969,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"
+                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-4",
@@ -14075,7 +15987,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"
+                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a.1",
@@ -14109,7 +16027,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-2",
@@ -14121,7 +16045,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-3",
@@ -14133,7 +16063,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-4",
@@ -14145,7 +16081,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-5",
@@ -14157,7 +16099,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-6",
@@ -14169,7 +16117,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-7",
@@ -14181,7 +16135,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -14195,10 +16161,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -14211,7 +16195,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"
+                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-1_obj.c",
@@ -14245,7 +16235,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "
+                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.1-2",
@@ -14257,7 +16253,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"
+                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -14282,7 +16290,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "
+                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.2-2",
@@ -14294,12 +16308,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."
+                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -14606,7 +16644,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is developed and documented;"
+                        "prose": "a current baseline configuration of the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.a-2",
@@ -14618,7 +16662,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is maintained under configuration control;"
+                        "prose": "a current baseline configuration of the system is maintained under configuration control;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -14643,7 +16699,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.2",
@@ -14655,7 +16717,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.3",
@@ -14667,10 +16735,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."
+                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -14856,7 +16942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;"
+                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-4_obj-2",
@@ -14868,7 +16960,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation."
+                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15046,7 +17150,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "physical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-2",
@@ -15058,7 +17168,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are approved;"
+                    "prose": "physical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-3",
@@ -15070,7 +17186,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are enforced;"
+                    "prose": "physical access restrictions associated with changes to the system are enforced;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-4",
@@ -15082,7 +17204,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "logical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-5",
@@ -15094,7 +17222,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are approved;"
+                    "prose": "logical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-6",
@@ -15106,7 +17240,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are enforced."
+                    "prose": "logical access restrictions associated with changes to the system are enforced.",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15484,7 +17630,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"
+                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.b",
@@ -15496,7 +17648,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration settings documented in CM-06a are implemented;"
+                    "prose": "the configuration settings documented in CM-06a are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.c",
@@ -15519,7 +17677,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.c-2",
@@ -15531,7 +17695,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -15556,7 +17732,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;"
+                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.d-2",
@@ -15568,10 +17750,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures."
+                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -15954,7 +18154,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"
+                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7_obj.b",
@@ -15977,7 +18183,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-2",
@@ -15989,7 +18201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-3",
@@ -16001,7 +18219,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-4",
@@ -16013,7 +18237,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-5",
@@ -16025,10 +18255,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."
+                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -16396,7 +18644,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;"
+                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.2",
@@ -16408,7 +18662,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes all components within the system is developed and documented;"
+                        "prose": "an inventory of system components that includes all components within the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.3",
@@ -16420,7 +18680,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"
+                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.4",
@@ -16432,7 +18698,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"
+                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.5",
@@ -16444,7 +18716,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"
+                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16458,7 +18742,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."
+                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -16646,7 +18942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;"
+                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.b",
@@ -16658,7 +18960,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"
+                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.c",
@@ -16670,7 +18978,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
+                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -16940,7 +19260,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"
+                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.b",
@@ -16952,7 +19278,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"
+                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.c",
@@ -16964,7 +19296,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."
+                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -17431,7 +19775,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency planning policy is developed and documented;"
+                        "prose": "a contingency planning policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-2",
@@ -17443,7 +19793,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"
+                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-3",
@@ -17455,7 +19811,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"
+                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-4",
@@ -17467,7 +19829,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"
+                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a.1",
@@ -17501,7 +19869,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-2",
@@ -17513,7 +19887,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-3",
@@ -17525,7 +19905,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-4",
@@ -17537,7 +19923,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-5",
@@ -17549,7 +19941,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-6",
@@ -17561,7 +19959,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-7",
@@ -17573,7 +19977,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -17587,10 +20003,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -17603,7 +20037,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"
+                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-1_obj.c",
@@ -17637,7 +20077,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.1-2",
@@ -17649,7 +20095,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -17674,7 +20132,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"
+                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.2-2",
@@ -17686,12 +20150,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."
+                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -18251,7 +20739,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"
+                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.2",
@@ -18274,7 +20768,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides recovery objectives;"
+                            "prose": "a contingency plan for the system is developed that provides recovery objectives;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-2",
@@ -18286,7 +20786,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides restoration priorities;"
+                            "prose": "a contingency plan for the system is developed that provides restoration priorities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-3",
@@ -18298,7 +20804,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides metrics;"
+                            "prose": "a contingency plan for the system is developed that provides metrics;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -18323,7 +20841,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency roles;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency roles;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-2",
@@ -18335,7 +20859,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-3",
@@ -18347,7 +20877,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;"
+                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -18361,7 +20903,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"
+                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.5",
@@ -18373,7 +20921,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"
+                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.6",
@@ -18385,7 +20939,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;"
+                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.7",
@@ -18408,7 +20968,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"
+                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.7-2",
@@ -18420,10 +20986,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"
+                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -18447,7 +21031,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.b-2",
@@ -18459,7 +21049,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18473,7 +21075,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency planning activities are coordinated with incident handling activities;"
+                    "prose": "contingency planning activities are coordinated with incident handling activities;",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.d",
@@ -18485,7 +21093,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"
+                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.e",
@@ -18508,7 +21122,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;"
+                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.e-2",
@@ -18520,7 +21140,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"
+                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18545,7 +21177,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.f-2",
@@ -18557,7 +21195,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18582,7 +21232,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"
+                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.g-2",
@@ -18594,7 +21250,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"
+                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18619,7 +21287,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized disclosure;"
+                        "prose": "the contingency plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.h-2",
@@ -18631,10 +21305,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized modification."
+                        "prose": "the contingency plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -18959,7 +21651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.2",
@@ -18971,7 +21669,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.3",
@@ -18983,7 +21687,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19008,7 +21724,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"
+                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.b-2",
@@ -19020,10 +21742,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."
+                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -19328,7 +22068,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"
+                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-2",
@@ -19340,7 +22086,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-3",
@@ -19352,7 +22104,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19366,7 +22130,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan test results are reviewed;"
+                    "prose": "the contingency plan test results are reviewed;",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4_obj.c",
@@ -19378,7 +22148,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "corrective actions are initiated, if needed."
+                    "prose": "corrective actions are initiated, if needed.",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -19710,7 +22492,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"
+                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.b",
@@ -19722,7 +22510,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"
+                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.c",
@@ -19734,7 +22528,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"
+                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.d",
@@ -19757,7 +22557,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the confidentiality of backup information is protected;"
+                        "prose": "the confidentiality of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-2",
@@ -19769,7 +22575,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of backup information is protected;"
+                        "prose": "the integrity of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-3",
@@ -19781,10 +22593,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of backup information is protected."
+                        "prose": "the availability of backup information is protected.",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -20003,7 +22833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"
+                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10_obj-2",
@@ -20015,7 +22851,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."
+                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20506,7 +23354,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an identification and authentication policy is developed and documented;"
+                        "prose": "an identification and authentication policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-2",
@@ -20518,7 +23372,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"
+                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-3",
@@ -20530,7 +23390,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"
+                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-4",
@@ -20542,7 +23408,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"
+                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a.1",
@@ -20576,7 +23448,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-2",
@@ -20588,7 +23466,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-3",
@@ -20600,7 +23484,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-4",
@@ -20612,7 +23502,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-5",
@@ -20624,7 +23520,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-6",
@@ -20636,7 +23538,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-7",
@@ -20648,7 +23556,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -20662,10 +23582,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -20678,7 +23616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"
+                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-1_obj.c",
@@ -20712,7 +23656,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.1-2",
@@ -20724,7 +23674,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -20749,7 +23711,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"
+                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.2-2",
@@ -20761,12 +23729,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."
+                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -20957,6 +23949,10 @@
                 "href": "#ia-8",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -21014,7 +24010,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational users are uniquely identified and authenticated;"
+                    "prose": "organizational users are uniquely identified and authenticated;",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2_obj-2",
@@ -21026,7 +24028,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."
+                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -21157,7 +24171,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication is implemented for access to privileged accounts."
+                    "prose": "multi-factor authentication is implemented for access to privileged accounts.",
+                    "links": [
+                      {
+                        "href": "#ia-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.1_asm-examine",
@@ -21282,7 +24302,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented."
+                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.2_asm-examine",
@@ -21426,7 +24452,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."
+                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.8_asm-examine",
@@ -21547,7 +24579,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified."
+                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.",
+                    "links": [
+                      {
+                        "href": "#ia-2.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.12_asm-examine",
@@ -21853,7 +24891,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"
+                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.b",
@@ -21865,7 +24909,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.c",
@@ -21877,7 +24927,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.d",
@@ -21889,7 +24945,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."
+                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22271,7 +25339,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"
+                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.b",
@@ -22283,7 +25357,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"
+                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.c",
@@ -22295,7 +25375,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"
+                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.d",
@@ -22307,7 +25393,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"
+                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.e",
@@ -22319,7 +25411,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;"
+                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.f",
@@ -22331,7 +25429,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"
+                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.g",
@@ -22343,7 +25447,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"
+                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.h",
@@ -22366,7 +25476,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5_obj.h-2",
@@ -22378,7 +25494,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22392,7 +25520,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."
+                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22667,7 +25807,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"
+                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.b",
@@ -22679,7 +25825,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"
+                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.c",
@@ -22691,7 +25843,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;"
+                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.d",
@@ -22703,7 +25861,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"
+                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.e",
@@ -22715,7 +25879,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;"
+                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.f",
@@ -22727,7 +25897,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"
+                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.g",
@@ -22739,7 +25915,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"
+                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.h",
@@ -22751,7 +25933,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."
+                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22876,7 +26070,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."
+                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.",
+                "links": [
+                  {
+                    "href": "#ia-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-6_asm-examine",
@@ -23017,7 +26217,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."
+                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.",
+                "links": [
+                  {
+                    "href": "#ia-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-7_asm-examine",
@@ -23184,6 +26390,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -23222,7 +26432,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."
+                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.",
+                "links": [
+                  {
+                    "href": "#ia-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-8_asm-examine",
@@ -23358,7 +26574,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;"
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.1_obj-2",
@@ -23370,7 +26592,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23527,7 +26761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only external authenticators that are NIST-compliant are accepted;"
+                        "prose": "only external authenticators that are NIST-compliant are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.2_obj.b",
@@ -23550,7 +26790,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is documented;"
+                            "prose": "a list of accepted external authenticators is documented;",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-8.2_obj.b-2",
@@ -23562,10 +26808,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is maintained."
+                            "prose": "a list of accepted external authenticators is maintained.",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -23709,7 +26973,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."
+                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.",
+                    "links": [
+                      {
+                        "href": "#ia-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-8.4_asm-examine",
@@ -23884,7 +27154,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}."
+                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.",
+                "links": [
+                  {
+                    "href": "#ia-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-11_asm-examine",
@@ -24357,7 +27633,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response policy is developed and documented;"
+                        "prose": "an incident response policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-2",
@@ -24369,7 +27651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"
+                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-3",
@@ -24381,7 +27669,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"
+                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-4",
@@ -24393,7 +27687,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"
+                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a.1",
@@ -24427,7 +27727,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-2",
@@ -24439,7 +27745,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-3",
@@ -24451,7 +27763,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-4",
@@ -24463,7 +27781,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-5",
@@ -24475,7 +27799,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-6",
@@ -24487,7 +27817,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-7",
@@ -24499,7 +27835,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -24513,10 +27861,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -24529,7 +27895,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"
+                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-1_obj.c",
@@ -24563,7 +27935,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"
+                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.1-2",
@@ -24575,7 +27953,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"
+                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -24600,7 +27990,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"
+                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.2-2",
@@ -24612,12 +28008,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."
+                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24920,7 +28340,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.2",
@@ -24932,7 +28358,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.3",
@@ -24944,7 +28376,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24969,7 +28413,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"
+                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.b-2",
@@ -24981,10 +28431,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."
+                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -25271,7 +28739,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;"
+                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-2",
@@ -25283,7 +28757,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes preparation;"
+                        "prose": "the incident handling capability for incidents includes preparation;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-3",
@@ -25295,7 +28775,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes detection and analysis;"
+                        "prose": "the incident handling capability for incidents includes detection and analysis;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-4",
@@ -25307,7 +28793,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes containment;"
+                        "prose": "the incident handling capability for incidents includes containment;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-5",
@@ -25319,7 +28811,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes eradication;"
+                        "prose": "the incident handling capability for incidents includes eradication;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-6",
@@ -25331,7 +28829,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes recovery;"
+                        "prose": "the incident handling capability for incidents includes recovery;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25345,7 +28855,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities are coordinated with contingency planning activities;"
+                    "prose": "incident handling activities are coordinated with contingency planning activities;",
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4_obj.c",
@@ -25368,7 +28884,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"
+                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.c-2",
@@ -25380,7 +28902,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;"
+                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25405,7 +28939,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-2",
@@ -25417,7 +28957,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-3",
@@ -25429,7 +28975,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-4",
@@ -25441,10 +28993,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of incident handling activities are comparable and predictable across the organization."
+                        "prose": "the results of incident handling activities are comparable and predictable across the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -25630,7 +29200,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are tracked;"
+                    "prose": "incidents are tracked;",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-5_obj-2",
@@ -25642,7 +29218,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are documented."
+                    "prose": "incidents are documented.",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -25877,7 +29465,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"
+                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6_obj.b",
@@ -25889,7 +29483,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}."
+                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -26063,7 +29669,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;"
+                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7_obj-2",
@@ -26075,7 +29687,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."
+                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -26596,7 +30220,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"
+                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.2",
@@ -26608,7 +30238,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;"
+                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.3",
@@ -26620,7 +30256,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"
+                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.4",
@@ -26632,7 +30274,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"
+                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.5",
@@ -26644,7 +30292,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines reportable incidents;"
+                        "prose": "an incident response plan is developed that defines reportable incidents;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.6",
@@ -26656,7 +30310,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"
+                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.7",
@@ -26668,7 +30328,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"
+                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.7",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.8",
@@ -26680,7 +30346,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that addresses the sharing of incident information;"
+                        "prose": "an incident response plan is developed that addresses the sharing of incident information;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.8",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.9",
@@ -26692,7 +30364,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"
+                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.9",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.10",
@@ -26704,7 +30382,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."
+                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.10",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26729,7 +30419,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.b-2",
@@ -26741,7 +30437,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26755,7 +30463,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"
+                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;",
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-8_obj.d",
@@ -26778,7 +30492,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.d-2",
@@ -26790,7 +30510,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26815,7 +30547,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized disclosure;"
+                        "prose": "the incident response plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.e-2",
@@ -26827,10 +30565,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized modification."
+                        "prose": "the incident response plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27292,7 +31048,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a maintenance policy is developed and documented;"
+                        "prose": "a maintenance policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-2",
@@ -27304,7 +31066,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"
+                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-3",
@@ -27316,7 +31084,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"
+                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-4",
@@ -27328,7 +31102,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"
+                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a.1",
@@ -27362,7 +31142,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-2",
@@ -27374,7 +31160,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-3",
@@ -27386,7 +31178,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-4",
@@ -27398,7 +31196,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-5",
@@ -27410,7 +31214,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-6",
@@ -27422,7 +31232,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-7",
@@ -27434,7 +31250,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -27448,10 +31276,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -27464,7 +31310,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"
+                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-1_obj.c",
@@ -27498,7 +31350,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"
+                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.1-2",
@@ -27510,7 +31368,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"
+                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -27535,7 +31405,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"
+                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.2-2",
@@ -27547,12 +31423,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."
+                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27855,7 +31755,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-2",
@@ -27867,7 +31773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-3",
@@ -27879,7 +31791,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27904,7 +31828,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.b-2",
@@ -27916,7 +31846,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27930,7 +31872,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.d",
@@ -27942,7 +31890,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.e",
@@ -27954,7 +31908,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"
+                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.f",
@@ -27966,7 +31926,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."
+                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -28243,7 +32215,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are approved;"
+                        "prose": "nonlocal maintenance and diagnostic activities are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.a-2",
@@ -28255,7 +32233,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are monitored;"
+                        "prose": "nonlocal maintenance and diagnostic activities are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28280,7 +32270,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.b-2",
@@ -28292,7 +32288,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28306,7 +32314,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"
+                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.d",
@@ -28318,7 +32332,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;"
+                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.e",
@@ -28341,7 +32361,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session connections are terminated when nonlocal maintenance is completed;"
+                        "prose": "session connections are terminated when nonlocal maintenance is completed;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.e-2",
@@ -28353,10 +32379,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network connections are terminated when nonlocal maintenance is completed."
+                        "prose": "network connections are terminated when nonlocal maintenance is completed.",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -28578,7 +32622,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process for maintenance personnel authorization is established;"
+                        "prose": "a process for maintenance personnel authorization is established;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5_obj.a-2",
@@ -28590,7 +32640,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of authorized maintenance organizations or personnel is maintained;"
+                        "prose": "a list of authorized maintenance organizations or personnel is maintained;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28604,7 +32666,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;"
+                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5_obj.c",
@@ -28616,7 +32684,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."
+                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -29079,7 +33159,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a media protection policy is developed and documented;"
+                        "prose": "a media protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-2",
@@ -29091,7 +33177,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"
+                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-3",
@@ -29103,7 +33195,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"
+                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-4",
@@ -29115,7 +33213,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"
+                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a.1",
@@ -29149,7 +33253,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-2",
@@ -29161,7 +33271,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-3",
@@ -29173,7 +33289,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-4",
@@ -29185,7 +33307,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-5",
@@ -29197,7 +33325,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-6",
@@ -29209,7 +33343,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-7",
@@ -29221,7 +33361,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -29235,10 +33387,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -29251,7 +33421,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."
+                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-1_obj.c",
@@ -29285,7 +33461,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "
+                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.1-2",
@@ -29297,7 +33479,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"
+                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -29322,7 +33516,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "
+                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.2-2",
@@ -29334,12 +33534,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."
+                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -29612,7 +33836,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"
+                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-2_obj-2",
@@ -29624,7 +33854,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."
+                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30016,7 +34258,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"
+                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-2",
@@ -30028,7 +34276,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"
+                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-3",
@@ -30040,7 +34294,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"
+                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30054,7 +34320,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."
+                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30321,7 +34599,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"
+                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-7_obj.b",
@@ -30333,7 +34617,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."
+                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30796,7 +35092,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a physical and environmental protection policy is developed and documented;"
+                        "prose": "a physical and environmental protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-2",
@@ -30808,7 +35110,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"
+                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-3",
@@ -30820,7 +35128,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"
+                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-4",
@@ -30832,7 +35146,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"
+                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a.1",
@@ -30866,7 +35186,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-2",
@@ -30878,7 +35204,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-3",
@@ -30890,7 +35222,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-4",
@@ -30902,7 +35240,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-5",
@@ -30914,7 +35258,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-6",
@@ -30926,7 +35276,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-7",
@@ -30938,7 +35294,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -30952,10 +35320,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -30968,7 +35354,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"
+                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-1_obj.c",
@@ -31002,7 +35394,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.1-2",
@@ -31014,7 +35412,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -31039,7 +35449,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.2-2",
@@ -31051,12 +35467,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -31313,7 +35753,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;"
+                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-2",
@@ -31325,7 +35771,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-3",
@@ -31337,7 +35789,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31351,7 +35815,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorization credentials are issued for facility access;"
+                    "prose": "authorization credentials are issued for facility access;",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.c",
@@ -31363,7 +35833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"
+                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.d",
@@ -31375,7 +35851,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are removed from the facility access list when access is no longer required."
+                    "prose": "individuals are removed from the facility access list when access is no longer required.",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -31956,7 +36444,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.a.2",
@@ -31968,7 +36462,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31982,7 +36488,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"
+                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.c",
@@ -31994,7 +36506,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"
+                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.d",
@@ -32017,7 +36535,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitors are escorted;"
+                        "prose": "visitors are escorted;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.d-2",
@@ -32029,7 +36553,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"
+                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32054,7 +36590,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are secured;"
+                        "prose": "keys are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-2",
@@ -32066,7 +36608,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are secured;"
+                        "prose": "combinations are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-3",
@@ -32078,7 +36626,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "other physical access devices are secured;"
+                        "prose": "other physical access devices are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32092,7 +36652,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"
+                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.g",
@@ -32115,7 +36681,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"
+                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.g-2",
@@ -32127,10 +36699,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."
+                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32377,7 +36967,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"
+                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;",
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6_obj.b",
@@ -32400,7 +36996,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"
+                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.b-2",
@@ -32412,7 +37014,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"
+                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32437,7 +37051,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of reviews are coordinated with organizational incident response capabilities;"
+                        "prose": "results of reviews are coordinated with organizational incident response capabilities;",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.c-2",
@@ -32449,10 +37069,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of investigations are coordinated with organizational incident response capabilities."
+                        "prose": "results of investigations are coordinated with organizational incident response capabilities.",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32694,7 +37332,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"
+                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.b",
@@ -32706,7 +37350,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"
+                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.c",
@@ -32718,7 +37368,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."
+                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -32856,7 +37518,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-2",
@@ -32868,7 +37536,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-3",
@@ -32880,7 +37554,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;"
+                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-4",
@@ -32892,7 +37572,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility."
+                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33026,7 +37718,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire detection systems are employed;"
+                    "prose": "fire detection systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-2",
@@ -33038,7 +37736,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are supported by an independent energy source;"
+                    "prose": "employed fire detection systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-3",
@@ -33050,7 +37754,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are maintained;"
+                    "prose": "employed fire detection systems are maintained;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-4",
@@ -33062,7 +37772,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire suppression systems are employed;"
+                    "prose": "fire suppression systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-5",
@@ -33074,7 +37790,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are supported by an independent energy source;"
+                    "prose": "employed fire suppression systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-6",
@@ -33086,7 +37808,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are maintained."
+                    "prose": "employed fire suppression systems are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33333,7 +38067,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"
+                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-14_obj.b",
@@ -33345,7 +38085,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."
+                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33483,7 +38235,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"
+                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-2",
@@ -33495,7 +38253,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are accessible;"
+                    "prose": "the master shutoff or isolation valves are accessible;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-3",
@@ -33507,7 +38271,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are working properly;"
+                    "prose": "the master shutoff or isolation valves are working properly;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-4",
@@ -33519,7 +38289,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are known to key personnel."
+                    "prose": "the master shutoff or isolation valves are known to key personnel.",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33773,7 +38555,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-2",
@@ -33785,7 +38573,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-3",
@@ -33797,7 +38591,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-4",
@@ -33809,7 +38609,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33823,7 +38635,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of the system components are maintained."
+                    "prose": "records of the system components are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-16_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -34290,7 +39114,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a planning policy is developed and documented."
+                        "prose": "a planning policy is developed and documented.",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-2",
@@ -34302,7 +39132,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"
+                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-3",
@@ -34314,7 +39150,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"
+                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-4",
@@ -34326,7 +39168,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"
+                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a.1",
@@ -34360,7 +39208,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-2",
@@ -34372,7 +39226,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-3",
@@ -34384,7 +39244,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-4",
@@ -34396,7 +39262,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-5",
@@ -34408,7 +39280,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-6",
@@ -34420,7 +39298,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-7",
@@ -34432,7 +39316,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -34446,10 +39342,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -34462,7 +39376,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"
+                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-1_obj.c",
@@ -34496,7 +39416,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"
+                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.1-2",
@@ -34508,7 +39434,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"
+                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -34533,7 +39471,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"
+                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.2-2",
@@ -34545,12 +39489,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."
+                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -35137,7 +40105,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.1-2",
@@ -35149,7 +40123,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35174,7 +40160,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.2-2",
@@ -35186,7 +40178,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35211,7 +40215,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.3-2",
@@ -35223,7 +40233,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35248,7 +40270,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.4-2",
@@ -35260,7 +40288,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35285,7 +40325,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.5-2",
@@ -35297,7 +40343,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.5",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35322,7 +40380,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.6-2",
@@ -35334,7 +40398,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.6",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35359,7 +40435,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.7-2",
@@ -35371,7 +40453,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35396,7 +40490,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.8-2",
@@ -35408,7 +40508,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.8",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35433,7 +40545,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.9-2",
@@ -35445,7 +40563,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.9",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35470,7 +40600,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;"
+                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.10-2",
@@ -35482,7 +40618,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"
+                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.10",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35507,7 +40655,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.11-2",
@@ -35519,7 +40673,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.11",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35544,7 +40710,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"
+                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.12-2",
@@ -35556,7 +40728,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"
+                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.12",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35581,7 +40765,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"
+                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.13-2",
@@ -35593,7 +40783,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"
+                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.13",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35618,7 +40820,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.14-2",
@@ -35630,7 +40838,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.14",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35655,7 +40875,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"
+                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.15-2",
@@ -35667,10 +40893,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."
+                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.15",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -35694,7 +40938,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.b-2",
@@ -35706,7 +40956,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35720,7 +40982,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};"
+                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-2_obj.d",
@@ -35743,7 +41011,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address changes to the system and environment of operations;"
+                        "prose": "plans are updated to address changes to the system and environment of operations;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-2",
@@ -35755,7 +41029,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during the plan implementation;"
+                        "prose": "plans are updated to address problems identified during the plan implementation;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-3",
@@ -35767,7 +41047,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during control assessments;"
+                        "prose": "plans are updated to address problems identified during control assessments;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35792,7 +41084,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized disclosure;"
+                        "prose": "plans are protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.e-2",
@@ -35804,10 +41102,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized modification."
+                        "prose": "plans are protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -36144,7 +41460,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4_obj.a-2",
@@ -36156,7 +41478,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36170,7 +41504,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"
+                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.c",
@@ -36182,7 +41522,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"
+                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.d",
@@ -36194,7 +41540,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."
+                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -36376,7 +41734,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;"
+                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.b",
@@ -36388,7 +41752,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;"
+                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.c",
@@ -36400,7 +41770,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications."
+                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36581,7 +41963,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a control baseline for the system is selected."
+                "prose": "a control baseline for the system is selected.",
+                "links": [
+                  {
+                    "href": "#pl-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-10_asm-examine",
@@ -36736,7 +42124,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the selected control baseline is tailored by applying specified tailoring actions."
+                "prose": "the selected control baseline is tailored by applying specified tailoring actions.",
+                "links": [
+                  {
+                    "href": "#pl-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-11_asm-examine",
@@ -37171,7 +42565,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personnel security policy is developed and documented;"
+                        "prose": "a personnel security policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-2",
@@ -37183,7 +42583,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"
+                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-3",
@@ -37195,7 +42601,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"
+                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-4",
@@ -37207,7 +42619,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"
+                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a.1",
@@ -37241,7 +42659,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-2",
@@ -37253,7 +42677,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-3",
@@ -37265,7 +42695,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-4",
@@ -37277,7 +42713,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-5",
@@ -37289,7 +42731,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-6",
@@ -37301,7 +42749,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-7",
@@ -37313,7 +42767,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -37327,10 +42793,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -37343,7 +42827,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"
+                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-1_obj.c",
@@ -37377,7 +42867,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"
+                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.1-2",
@@ -37389,7 +42885,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"
+                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -37414,7 +42922,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"
+                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.2-2",
@@ -37426,12 +42940,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."
+                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -37642,7 +43180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a risk designation is assigned to all organizational positions;"
+                    "prose": "a risk designation is assigned to all organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.b",
@@ -37654,7 +43198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "screening criteria are established for individuals filling organizational positions;"
+                    "prose": "screening criteria are established for individuals filling organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.c",
@@ -37666,7 +43216,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."
+                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -37941,7 +43503,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are screened prior to authorizing access to the system;"
+                    "prose": "individuals are screened prior to authorizing access to the system;",
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3_obj.b",
@@ -37964,7 +43532,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"
+                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3_obj.b-2",
@@ -37976,10 +43550,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."
+                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -38231,7 +43823,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"
+                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.b",
@@ -38243,7 +43841,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;"
+                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.c",
@@ -38255,7 +43859,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"
+                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.d",
@@ -38267,7 +43877,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;"
+                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.e",
@@ -38279,7 +43895,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."
+                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -38560,7 +44188,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"
+                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.b",
@@ -38572,7 +44206,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"
+                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.c",
@@ -38584,7 +44224,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"
+                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.d",
@@ -38596,7 +44242,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."
+                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -38871,7 +44529,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access agreements are developed and documented for organizational systems;"
+                    "prose": "access agreements are developed and documented for organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.b",
@@ -38883,7 +44547,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"
+                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.c",
@@ -38906,7 +44576,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"
+                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6_obj.c.2",
@@ -38918,10 +44594,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."
+                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -39209,7 +44903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;"
+                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.b",
@@ -39221,7 +44921,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;"
+                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.c",
@@ -39233,7 +44939,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are documented;"
+                    "prose": "personnel security requirements are documented;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.d",
@@ -39245,7 +44957,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"
+                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.e",
@@ -39257,7 +44975,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provider compliance with personnel security requirements is monitored."
+                    "prose": "provider compliance with personnel security requirements is monitored.",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -39468,7 +45198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"
+                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-8_obj.b",
@@ -39480,7 +45216,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
+                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -39614,7 +45362,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;"
+                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-9_obj-2",
@@ -39626,7 +45380,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions."
+                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -40089,7 +45855,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment policy is developed and documented;"
+                        "prose": "a risk assessment policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-2",
@@ -40101,7 +45873,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"
+                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-3",
@@ -40113,7 +45891,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"
+                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-4",
@@ -40125,7 +45909,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"
+                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a.1",
@@ -40159,7 +45949,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-2",
@@ -40171,7 +45967,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-3",
@@ -40183,7 +45985,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-4",
@@ -40195,7 +46003,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-5",
@@ -40207,7 +46021,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-6",
@@ -40219,7 +46039,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-7",
@@ -40231,7 +46057,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -40245,10 +46083,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -40261,7 +46117,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"
+                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-1_obj.c",
@@ -40295,7 +46157,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.1-2",
@@ -40307,7 +46175,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -40332,7 +46212,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"
+                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.2-2",
@@ -40344,12 +46230,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."
+                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -40586,7 +46496,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system and the information it processes, stores, and transmits are categorized;"
+                    "prose": "the system and the information it processes, stores, and transmits are categorized;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.b",
@@ -40598,7 +46514,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;"
+                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.c",
@@ -40610,7 +46532,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."
+                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41093,7 +47027,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;"
+                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.2",
@@ -41105,7 +47045,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.3",
@@ -41117,7 +47063,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41131,7 +47089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"
+                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.c",
@@ -41143,7 +47107,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"
+                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.d",
@@ -41155,7 +47125,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"
+                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.e",
@@ -41167,7 +47143,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"
+                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.f",
@@ -41179,7 +47161,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."
+                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41403,7 +47397,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"
+                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3.1_obj.b",
@@ -41415,7 +47415,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."
+                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41859,7 +47871,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.a-2",
@@ -41871,7 +47889,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41897,7 +47927,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.2",
@@ -41909,7 +47945,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.3",
@@ -41921,7 +47963,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41935,7 +47989,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;"
+                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.d",
@@ -41947,7 +48007,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"
+                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.e",
@@ -41959,7 +48025,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"
+                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.f",
@@ -41971,7 +48043,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."
+                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -42147,7 +48231,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."
+                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.2_asm-examine",
@@ -42273,7 +48363,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."
+                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.",
+                    "links": [
+                      {
+                        "href": "#ra-5.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.11_asm-examine",
@@ -42460,7 +48556,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-2",
@@ -42472,7 +48574,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-3",
@@ -42484,7 +48592,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-4",
@@ -42496,7 +48610,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance."
+                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance.",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -42967,7 +49093,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and services acquisition policy is developed and documented;"
+                        "prose": "a system and services acquisition policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-2",
@@ -42979,7 +49111,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"
+                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-3",
@@ -42991,7 +49129,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"
+                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-4",
@@ -43003,7 +49147,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"
+                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a.1",
@@ -43037,7 +49187,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-2",
@@ -43049,7 +49205,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-3",
@@ -43061,7 +49223,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-4",
@@ -43073,7 +49241,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-5",
@@ -43085,7 +49259,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-6",
@@ -43097,7 +49277,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-7",
@@ -43109,7 +49295,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -43123,10 +49321,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -43139,7 +49355,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"
+                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-1_obj.c",
@@ -43173,7 +49395,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"
+                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.1-2",
@@ -43185,7 +49413,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"
+                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -43210,7 +49450,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"
+                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.2-2",
@@ -43222,12 +49468,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."
+                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -43420,7 +49690,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.a-2",
@@ -43432,7 +49708,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43457,7 +49745,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.b-2",
@@ -43469,7 +49763,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43494,7 +49800,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;"
+                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.c-2",
@@ -43506,10 +49818,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation."
+                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -43806,7 +50136,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.a-2",
@@ -43818,7 +50154,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43843,7 +50191,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.b-2",
@@ -43855,7 +50209,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43880,7 +50246,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with information security roles and responsibilities are identified;"
+                        "prose": "individuals with information security roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.c-2",
@@ -43892,7 +50264,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with privacy roles and responsibilities are identified;"
+                        "prose": "individuals with privacy roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43917,7 +50301,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;"
+                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.d-2",
@@ -43929,10 +50319,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities."
+                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -44361,7 +50769,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.a-2",
@@ -44373,7 +50787,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44387,7 +50813,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.c",
@@ -44410,7 +50842,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.c-2",
@@ -44422,7 +50860,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44447,7 +50897,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.d-2",
@@ -44459,7 +50915,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44484,7 +50952,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.e-2",
@@ -44496,7 +50970,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44521,7 +51007,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.f-2",
@@ -44533,7 +51025,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44547,7 +51051,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.h",
@@ -44570,7 +51080,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-2",
@@ -44582,7 +51098,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-3",
@@ -44594,7 +51116,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44608,7 +51142,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."
+                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -44748,7 +51294,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."
+                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.",
+                    "links": [
+                      {
+                        "href": "#sa-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.10_asm-examine",
@@ -45142,7 +51694,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-2",
@@ -45154,7 +51712,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-3",
@@ -45166,7 +51730,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -45191,7 +51767,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-2",
@@ -45203,7 +51785,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-3",
@@ -45215,7 +51803,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-4",
@@ -45227,7 +51821,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -45252,7 +51858,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.3-2",
@@ -45264,10 +51876,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -45302,7 +51932,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-2",
@@ -45314,7 +51950,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-3",
@@ -45326,7 +51968,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-4",
@@ -45338,7 +51986,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -45363,7 +52023,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.2-2",
@@ -45375,7 +52041,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -45400,7 +52078,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.3-2",
@@ -45412,10 +52096,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -45439,7 +52141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"
+                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-5_obj.c-2",
@@ -45451,7 +52159,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"
+                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -45465,7 +52185,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}."
+                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -45762,7 +52494,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-2",
@@ -45774,7 +52512,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-3",
@@ -45786,7 +52530,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-4",
@@ -45798,7 +52548,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-5",
@@ -45810,7 +52566,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-6",
@@ -45822,7 +52584,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-7",
@@ -45834,7 +52602,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-8",
@@ -45846,7 +52620,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-9",
@@ -45858,7 +52638,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-10",
@@ -45870,7 +52656,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46160,7 +52958,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational security requirements;"
+                        "prose": "providers of external system services comply with organizational security requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-2",
@@ -46172,7 +52976,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational privacy requirements;"
+                        "prose": "providers of external system services comply with organizational privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-3",
@@ -46184,7 +52994,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};"
+                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -46209,7 +53031,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational oversight with regard to external system services are defined and documented;"
+                        "prose": "organizational oversight with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.b-2",
@@ -46221,7 +53049,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;"
+                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -46235,7 +53075,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."
+                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46444,7 +53296,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"
+                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-22_obj.b",
@@ -46456,7 +53314,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."
+                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46915,7 +53785,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and communications protection policy is developed and documented;"
+                        "prose": "a system and communications protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-2",
@@ -46927,7 +53803,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"
+                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-3",
@@ -46939,7 +53821,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"
+                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-4",
@@ -46951,7 +53839,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"
+                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a.1",
@@ -46985,7 +53879,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-2",
@@ -46997,7 +53897,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-3",
@@ -47009,7 +53915,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-4",
@@ -47021,7 +53933,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-5",
@@ -47033,7 +53951,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-6",
@@ -47045,7 +53969,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-7",
@@ -47057,7 +53987,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -47071,10 +54013,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -47087,7 +54047,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"
+                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-1_obj.c",
@@ -47121,7 +54087,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.1-2",
@@ -47133,7 +54105,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -47158,7 +54142,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"
+                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.2-2",
@@ -47170,12 +54160,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."
+                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -47391,7 +54405,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"
+                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5_obj.b",
@@ -47403,7 +54423,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."
+                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -47724,7 +54756,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are monitored;"
+                        "prose": "communications at external managed interfaces to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-2",
@@ -47736,7 +54774,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are controlled;"
+                        "prose": "communications at external managed interfaces to the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-3",
@@ -47748,7 +54792,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are monitored;"
+                        "prose": "communications at key internal managed interfaces within the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-4",
@@ -47760,7 +54810,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are controlled;"
+                        "prose": "communications at key internal managed interfaces within the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47774,7 +54836,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"
+                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7_obj.c",
@@ -47786,7 +54854,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -47979,6 +55059,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#sa-4",
                 "rel": "related"
@@ -48064,7 +55148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"
+                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12_obj-2",
@@ -48076,7 +55166,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."
+                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -48276,6 +55378,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -48392,7 +55498,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;"
+                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-13_obj.b",
@@ -48404,7 +55516,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."
+                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -48587,7 +55711,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"
+                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15_obj.b",
@@ -48599,7 +55729,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of use is provided to users physically present at the devices."
+                    "prose": "an explicit indication of use is provided to users physically present at the devices.",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -48799,7 +55941,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.a-2",
@@ -48811,7 +55959,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48836,7 +55996,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"
+                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.b-2",
@@ -48848,10 +56014,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."
+                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-20_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -48992,7 +56176,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-2",
@@ -49004,7 +56194,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-3",
@@ -49016,7 +56212,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-4",
@@ -49028,7 +56230,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources."
+                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49178,7 +56392,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-2",
@@ -49190,7 +56410,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-3",
@@ -49202,7 +56428,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation."
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49362,7 +56600,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a separate execution domain is maintained for each executing system process."
+                "prose": "a separate execution domain is maintained for each executing system process.",
+                "links": [
+                  {
+                    "href": "#sc-39_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-39_asm-examine",
@@ -49819,7 +57063,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and information integrity policy is developed and documented;"
+                        "prose": "a system and information integrity policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-2",
@@ -49831,7 +57081,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"
+                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-3",
@@ -49843,7 +57099,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"
+                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-4",
@@ -49855,7 +57117,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"
+                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a.1",
@@ -49889,7 +57157,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-2",
@@ -49901,7 +57175,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-3",
@@ -49913,7 +57193,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-4",
@@ -49925,7 +57211,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-5",
@@ -49937,7 +57229,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-6",
@@ -49949,7 +57247,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-7",
@@ -49961,7 +57265,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -49975,10 +57291,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -49991,7 +57325,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"
+                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-1_obj.c",
@@ -50025,7 +57365,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.1-2",
@@ -50037,7 +57383,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -50062,7 +57420,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"
+                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.2-2",
@@ -50074,12 +57438,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."
+                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -50352,7 +57740,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are identified;"
+                        "prose": "system flaws are identified;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-2",
@@ -50364,7 +57758,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are reported;"
+                        "prose": "system flaws are reported;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-3",
@@ -50376,7 +57776,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are corrected;"
+                        "prose": "system flaws are corrected;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50401,7 +57813,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-2",
@@ -50413,7 +57831,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-3",
@@ -50425,7 +57849,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-4",
@@ -50437,7 +57867,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50462,7 +57904,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.c-2",
@@ -50474,7 +57922,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50488,7 +57948,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "flaw remediation is incorporated into the organizational configuration management process."
+                    "prose": "flaw remediation is incorporated into the organizational configuration management process.",
+                    "links": [
+                      {
+                        "href": "#si-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -50917,7 +58389,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3_obj.a-2",
@@ -50929,7 +58407,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50943,7 +58433,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"
+                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-3_obj.c",
@@ -50977,7 +58473,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"
+                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.1-2",
@@ -50989,7 +58491,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"
+                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -51014,7 +58528,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.2-2",
@@ -51026,10 +58546,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -51042,7 +58580,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."
+                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -51626,7 +59176,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"
+                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.a.2",
@@ -51649,7 +59205,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized local connections;"
+                            "prose": "the system is monitored to detect unauthorized local connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-2",
@@ -51661,7 +59223,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized network connections;"
+                            "prose": "the system is monitored to detect unauthorized network connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-3",
@@ -51673,10 +59241,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized remote connections;"
+                            "prose": "the system is monitored to detect unauthorized remote connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -51689,7 +59275,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"
+                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.c",
@@ -51712,7 +59304,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.c.2",
@@ -51724,7 +59322,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51749,7 +59359,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected events are analyzed;"
+                        "prose": "detected events are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.d-2",
@@ -51761,7 +59377,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected anomalies are analyzed;"
+                        "prose": "detected anomalies are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51775,7 +59403,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"
+                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.f",
@@ -51787,7 +59421,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a legal opinion regarding system monitoring activities is obtained;"
+                    "prose": "a legal opinion regarding system monitoring activities is obtained;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.g",
@@ -51799,7 +59439,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."
+                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52104,7 +59756,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"
+                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.b",
@@ -52116,7 +59774,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;"
+                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.c",
@@ -52128,7 +59792,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"
+                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.d",
@@ -52140,7 +59810,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."
+                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52402,7 +60084,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-2",
@@ -52414,7 +60102,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-3",
@@ -52426,7 +60120,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-4",
@@ -52438,7 +60138,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."
+                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52921,7 +60633,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a supply chain risk management policy is developed and documented;"
+                        "prose": "a supply chain risk management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-2",
@@ -52933,7 +60651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"
+                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-3",
@@ -52945,7 +60669,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"
+                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-4",
@@ -52957,7 +60687,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."
+                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a.1",
@@ -52991,7 +60727,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-2",
@@ -53003,7 +60745,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-3",
@@ -53015,7 +60763,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"
+                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-4",
@@ -53027,7 +60781,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-5",
@@ -53039,7 +60799,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-6",
@@ -53051,7 +60817,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-7",
@@ -53063,7 +60835,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -53077,10 +60861,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -53093,7 +60895,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"
+                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-1_obj.c",
@@ -53127,7 +60935,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.1-2",
@@ -53139,7 +60953,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -53164,7 +60990,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"
+                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.2-2",
@@ -53176,12 +61008,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."
+                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -53476,7 +61332,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a plan for managing supply chain risks is developed;"
+                        "prose": "a plan for managing supply chain risks is developed;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-2",
@@ -53488,7 +61350,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-3",
@@ -53500,7 +61368,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-4",
@@ -53512,7 +61386,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-5",
@@ -53524,7 +61404,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-6",
@@ -53536,7 +61422,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-7",
@@ -53548,7 +61440,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-8",
@@ -53560,7 +61458,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-9",
@@ -53572,7 +61476,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53586,7 +61502,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"
+                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;",
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2_obj.c",
@@ -53609,7 +61531,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;"
+                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.c-2",
@@ -53621,10 +61549,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized modification."
+                        "prose": "the supply chain risk management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -53798,7 +61744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."
+                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2.1_asm-examine",
@@ -54185,7 +62137,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"
+                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-3_obj.a-2",
@@ -54197,7 +62155,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};"
+                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54211,7 +62181,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"
+                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3_obj.c",
@@ -54223,7 +62199,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."
+                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -54473,7 +62461,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-2",
@@ -54485,7 +62479,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-3",
@@ -54497,7 +62497,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -54709,7 +62721,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."
+                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.",
+                "links": [
+                  {
+                    "href": "#sr-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-8_asm-examine",
@@ -54955,7 +62973,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."
+                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.",
+                "links": [
+                  {
+                    "href": "#sr-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-10_asm-examine",
@@ -55210,7 +63234,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an anti-counterfeit policy is developed and implemented;"
+                        "prose": "an anti-counterfeit policy is developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-2",
@@ -55222,7 +63252,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "anti-counterfeit procedures are developed and implemented;"
+                        "prose": "anti-counterfeit procedures are developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-3",
@@ -55234,7 +63270,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-4",
@@ -55246,7 +63288,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55260,7 +63314,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."
+                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -55414,7 +63480,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."
+                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).",
+                    "links": [
+                      {
+                        "href": "#sr-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-11.1_asm-examine",
@@ -55589,7 +63661,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"
+                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11.2_obj-2",
@@ -55601,7 +63679,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."
+                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55773,7 +63863,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."
+                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#sr-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-12_asm-examine",
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile-min.json
index b0b12b01..68de3e92 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile-min.json
@@ -1 +1 @@
-{"profile":{"uuid":"8742196d-86ba-4e72-a411-28867dab43bb","metadata":{"title":"NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"Final","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"984e6c07-b5b6-4ab6-b22b-283609c325e6","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]},{"role-id":"contact","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-3","ac-7","ac-8","ac-14","ac-17","ac-18","ac-19","ac-20","ac-22","at-1","at-2","at-2.2","at-3","at-4","au-1","au-2","au-3","au-4","au-5","au-6","au-8","au-9","au-11","au-12","ca-1","ca-2","ca-3","ca-5","ca-6","ca-7","ca-7.4","ca-9","cm-1","cm-2","cm-4","cm-5","cm-6","cm-7","cm-8","cm-10","cm-11","cp-1","cp-2","cp-3","cp-4","cp-9","cp-10","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.8","ia-2.12","ia-4","ia-5","ia-5.1","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ir-1","ir-2","ir-4","ir-5","ir-6","ir-7","ir-8","ma-1","ma-2","ma-4","ma-5","mp-1","mp-2","mp-6","mp-7","pe-1","pe-2","pe-3","pe-6","pe-8","pe-12","pe-13","pe-14","pe-15","pe-16","pl-1","pl-2","pl-4","pl-4.1","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.11","ra-7","sa-1","sa-2","sa-3","sa-4","sa-4.10","sa-5","sa-8","sa-9","sa-22","sc-1","sc-5","sc-7","sc-12","sc-13","sc-15","sc-20","sc-21","sc-22","sc-39","si-1","si-2","si-3","si-4","si-5","si-12","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-8","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
+{"profile":{"uuid":"b648ca9e-da6d-4159-b28d-f2df9a044137","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE","last-modified":"2023-12-04T14:55:00.000000-04:00","version":"5.1.1+u2","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"984e6c07-b5b6-4ab6-b22b-283609c325e6","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]},{"role-id":"contact","party-uuids":["984e6c07-b5b6-4ab6-b22b-283609c325e6"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-3","ac-7","ac-8","ac-14","ac-17","ac-18","ac-19","ac-20","ac-22","at-1","at-2","at-2.2","at-3","at-4","au-1","au-2","au-3","au-4","au-5","au-6","au-8","au-9","au-11","au-12","ca-1","ca-2","ca-3","ca-5","ca-6","ca-7","ca-7.4","ca-9","cm-1","cm-2","cm-4","cm-5","cm-6","cm-7","cm-8","cm-10","cm-11","cp-1","cp-2","cp-3","cp-4","cp-9","cp-10","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.8","ia-2.12","ia-4","ia-5","ia-5.1","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ir-1","ir-2","ir-4","ir-5","ir-6","ir-7","ir-8","ma-1","ma-2","ma-4","ma-5","mp-1","mp-2","mp-6","mp-7","pe-1","pe-2","pe-3","pe-6","pe-8","pe-12","pe-13","pe-14","pe-15","pe-16","pl-1","pl-2","pl-4","pl-4.1","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.11","ra-7","sa-1","sa-2","sa-3","sa-4","sa-4.10","sa-5","sa-8","sa-9","sa-22","sc-1","sc-5","sc-7","sc-12","sc-13","sc-15","sc-20","sc-21","sc-22","sc-39","si-1","si-2","si-3","si-4","si-5","si-12","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-8","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json
index fbd45cac..61c9ff6b 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_LOW-baseline_profile.json
@@ -1,10 +1,10 @@
 {
   "profile": {
-    "uuid": "8742196d-86ba-4e72-a411-28867dab43bb",
+    "uuid": "b648ca9e-da6d-4159-b28d-f2df9a044137",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE",
-      "last-modified": "2023-10-12T00:00:00.000000-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE",
+      "last-modified": "2023-12-04T14:55:00.000000-04:00",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "roles": [
         {
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog-min.json
index 8a5fae36..00a53c34 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"64dd932d-a3d3-4369-8fa3-09c7b202e580","metadata":{"title":"NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE","last-modified":"2023-11-02T11:49:44.380433-04:00","version":"Final","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"cde369ce-57f8-4ec1-847f-2681a9a881e7","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]},{"role-id":"contact","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;"},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."}]}]}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;"},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;"},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;"},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;"},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;"},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;"}]}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; "},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;"},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;"},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;"},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes."}]}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;"},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;"},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;"},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;"},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited."}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-05_odp }} are identified and documented;"},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined."}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged."},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions."},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;"},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included."}]}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures."}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image."},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;"},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."}]}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections."}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;"},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods."}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points."},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system."}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections."}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption."}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized."}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.1","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.2","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;"},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered."}]}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; "},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"}]}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."}]}]}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"}]}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;"},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided."}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;"},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided."}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"}]}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};"},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training."}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;"},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."}]}]}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;"},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;"},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;"},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;"},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;"},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};"},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."}]}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;"},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;"},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;"},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."}]}]}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"}]}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;"},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments."},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;"},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;"},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."}]}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring."}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;"},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;"},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;"},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;"},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."}]}]}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;"},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."}]}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback."},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;"},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;"},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;"},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;"},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;"},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."}]}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes."}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;"},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation."}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;"},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced."}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;"},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;"},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures."}]}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."}]}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:"},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;"},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed."}]}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.05_odp.01 }} are identified;"},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;"},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;"},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;"},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;"},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates."}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."}]}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;"},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;"},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;"},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;"},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;"},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;"},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification."}]}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;"},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;"},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."}]}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;"},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."}]}]}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;"},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;"},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;"},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;"},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;"},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"}]}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;"},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;"},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;"},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification."}]}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans."},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."}]}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;"},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed."}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans."},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;"},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site."}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;"},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;"},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected."}]}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based."},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;"},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."}]}]}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;"},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts."},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented."},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified."},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":" {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;"},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;"},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;"},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;"},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."}]}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;"},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;"},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;"},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained."}]}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;"},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;"},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;"},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified."}]}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority."},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;"},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."}]}]}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."}]}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans."},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;"},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;"},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;"},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;"},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;"},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;"},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization."}]}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;"},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented."}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;"},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;"},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;"},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;"},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;"},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification."}]}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;"},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."}]}]}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;"},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;"},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system."},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;"},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;"},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;"},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed."}]}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;"},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;"},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;"},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."}]}]}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.01 }} are physically controlled;"},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.02 }} are physically controlled;"},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;"},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;"},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;"},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel."}]}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;"},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."}]}]}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;"},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;"},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;"},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required."}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;"},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;"},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;"},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."}]}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;"},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities."}]}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;"},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment."}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;"},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction."}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation."}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;"},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility."}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;"},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;"},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;"},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;"},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;"},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained."}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;"},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;"},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel."}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained."}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.01 }} are determined and documented;"},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;"},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided."}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented."},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."}]}]}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;"},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;"},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;"},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;"},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;"},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification."}]}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;"},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;"},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"}]}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;"},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;"},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);"},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;"},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;"},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions."}]}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected."},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions."},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;"},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."}]}]}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;"},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;"},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;"},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."}]}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;"},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;"},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;"},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;"},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;"},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored."}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;"},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions."}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;"},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."}]}]}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;"},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;"},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;"},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;"},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance."}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;"},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."}]}]}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;"},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;"},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation."}]}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;"},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;"},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;"},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities."}]}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use."}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"}]}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"}]}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;"},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;"},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;"},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."}]}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."}]}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."}]}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;"},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."}]}]}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality."},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;"},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented."}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;"},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;"},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;"},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited."},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;"},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;"},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;"},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;"},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks."}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected."},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;"},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices."}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;"},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;"},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;"},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;"},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;"},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system."}]}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."}]}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources."}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;"},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;"},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation."}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected."},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected."},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process."},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;"},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."}]}]}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;"},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;"},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;"},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process."}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"}]}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;"},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;"},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;"}]}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;"},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;"},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events."},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."}]}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;"},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."}]}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} "," {{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} "," {{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} "," {{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;"},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;"},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;"},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked."},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":" {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;"},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."}]}]}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;"},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;"},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification."}]}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;"},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;"},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"6ce800da-ce21-48b7-8da4-715337b033e6","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE","last-modified":"2023-12-05T21:54:58.514658Z","version":"5.1.1+u2","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"cde369ce-57f8-4ec1-847f-2681a9a881e7","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]},{"role-id":"contact","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ac-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;","links":[{"href":"#ac-1_smt.b","rel":"assessment-for"}]},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt","rel":"assessment-for"}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;","links":[{"href":"#ac-2_smt.b","rel":"assessment-for"}]},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.01 }} for group and role membership are required;","links":[{"href":"#ac-2_smt.c","rel":"assessment-for"}]},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;","links":[{"href":"#ac-2_smt.d.1","rel":"assessment-for"}]},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;","links":[{"href":"#ac-2_smt.d.2","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":" {{ insert: param, ac-02_odp.02 }} are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d","rel":"assessment-for"}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;","links":[{"href":"#ac-2_smt.e","rel":"assessment-for"}]},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; ","links":[{"href":"#ac-2_smt.g","rel":"assessment-for"}]},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;","links":[{"href":"#ac-2_smt.h.1","rel":"assessment-for"}]},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;","links":[{"href":"#ac-2_smt.h.2","rel":"assessment-for"}]},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;","links":[{"href":"#ac-2_smt.h.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.h","rel":"assessment-for"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;","links":[{"href":"#ac-2_smt.i.1","rel":"assessment-for"}]},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;","links":[{"href":"#ac-2_smt.i.2","rel":"assessment-for"}]},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};","links":[{"href":"#ac-2_smt.i.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.i","rel":"assessment-for"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};","links":[{"href":"#ac-2_smt.j","rel":"assessment-for"}]},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes.","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt","rel":"assessment-for"}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.","links":[{"href":"#ac-2.1_smt","rel":"assessment-for"}]},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.","links":[{"href":"#ac-2.2_smt","rel":"assessment-for"}]},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;","links":[{"href":"#ac-2.3_smt.a","rel":"assessment-for"}]},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;","links":[{"href":"#ac-2.3_smt.b","rel":"assessment-for"}]},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;","links":[{"href":"#ac-2.3_smt.c","rel":"assessment-for"}]},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.","links":[{"href":"#ac-2.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.3_smt","rel":"assessment-for"}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited.","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}.","links":[{"href":"#ac-2.5_smt","rel":"assessment-for"}]},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.","links":[{"href":"#ac-2.13_smt","rel":"assessment-for"}]},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.","links":[{"href":"#ac-3_smt","rel":"assessment-for"}]},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.","links":[{"href":"#ac-4_smt","rel":"assessment-for"}]},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-05_odp }} are identified and documented;","links":[{"href":"#ac-5_smt.a","rel":"assessment-for"}]},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined.","links":[{"href":"#ac-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-5_smt","rel":"assessment-for"}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","links":[{"href":"#ac-6_smt","rel":"assessment-for"}]},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":" {{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":" {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.","links":[{"href":"#ac-6.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt","rel":"assessment-for"}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.","links":[{"href":"#ac-6.2_smt","rel":"assessment-for"}]},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.","links":[{"href":"#ac-6.5_smt","rel":"assessment-for"}]},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;","links":[{"href":"#ac-6.7_smt.a","rel":"assessment-for"}]},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.","links":[{"href":"#ac-6.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.7_smt","rel":"assessment-for"}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged.","links":[{"href":"#ac-6.9_smt","rel":"assessment-for"}]},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions.","links":[{"href":"#ac-6.10_smt","rel":"assessment-for"}]},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;","links":[{"href":"#ac-7_smt.a","rel":"assessment-for"}]},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.","links":[{"href":"#ac-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-7_smt","rel":"assessment-for"}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;","links":[{"href":"#ac-8_smt.a.1","rel":"assessment-for"}]},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;","links":[{"href":"#ac-8_smt.a.2","rel":"assessment-for"}]},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and","links":[{"href":"#ac-8_smt.a.3","rel":"assessment-for"}]},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;","links":[{"href":"#ac-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.a","rel":"assessment-for"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;","links":[{"href":"#ac-8_smt.b","rel":"assessment-for"}]},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;","links":[{"href":"#ac-8_smt.c.1","rel":"assessment-for"}]},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;","links":[{"href":"#ac-8_smt.c.2","rel":"assessment-for"}]},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included.","links":[{"href":"#ac-8_smt.c.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt","rel":"assessment-for"}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};","links":[{"href":"#ac-11_smt.a","rel":"assessment-for"}]},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures.","links":[{"href":"#ac-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-11_smt","rel":"assessment-for"}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image.","links":[{"href":"#ac-11.1_smt","rel":"assessment-for"}]},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}.","links":[{"href":"#ac-12_smt","rel":"assessment-for"}]},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;","links":[{"href":"#ac-14_smt.a","rel":"assessment-for"}]},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt","rel":"assessment-for"}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt","rel":"assessment-for"}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods.","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.","links":[{"href":"#ac-17.2_smt","rel":"assessment-for"}]},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points.","links":[{"href":"#ac-17.3_smt","rel":"assessment-for"}]},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system.","links":[{"href":"#ac-17.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt","rel":"assessment-for"}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt","rel":"assessment-for"}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption.","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.","links":[{"href":"#ac-18.3_smt","rel":"assessment-for"}]},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized.","links":[{"href":"#ac-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt","rel":"assessment-for"}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.","links":[{"href":"#ac-19.5_smt","rel":"assessment-for"}]},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.01","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);","links":[{"href":"#ac-20_smt.a.1","rel":"assessment-for"}]},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.02","class":"sp800-53a"}],"prose":" {{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);","links":[{"href":"#ac-20_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt.a","rel":"assessment-for"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).","links":[{"href":"#ac-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt","rel":"assessment-for"}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);","links":[{"href":"#ac-20.1_smt.a","rel":"assessment-for"}]},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).","links":[{"href":"#ac-20.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20.1_smt","rel":"assessment-for"}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.","links":[{"href":"#ac-20.2_smt","rel":"assessment-for"}]},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};","links":[{"href":"#ac-21_smt.a","rel":"assessment-for"}]},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":" {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.","links":[{"href":"#ac-21_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-21_smt","rel":"assessment-for"}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;","links":[{"href":"#ac-22_smt.a","rel":"assessment-for"}]},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;","links":[{"href":"#ac-22_smt.b","rel":"assessment-for"}]},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;","links":[{"href":"#ac-22_smt.c","rel":"assessment-for"}]},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered.","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt","rel":"assessment-for"}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; ","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and","links":[{"href":"#at-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;","links":[{"href":"#at-1_smt.b","rel":"assessment-for"}]},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt","rel":"assessment-for"}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a","rel":"assessment-for"}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;","links":[{"href":"#at-2_smt.b","rel":"assessment-for"}]},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.","links":[{"href":"#at-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt","rel":"assessment-for"}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided.","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided.","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a","rel":"assessment-for"}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training.","links":[{"href":"#at-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt","rel":"assessment-for"}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}.","links":[{"href":"#at-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt","rel":"assessment-for"}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;","links":[{"href":"#au-1_smt.b","rel":"assessment-for"}]},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt","rel":"assessment-for"}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;","links":[{"href":"#au-2_smt.a","rel":"assessment-for"}]},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;","links":[{"href":"#au-2_smt.b","rel":"assessment-for"}]},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;","links":[{"href":"#au-2_smt.d","rel":"assessment-for"}]},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.","links":[{"href":"#au-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt","rel":"assessment-for"}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;","links":[{"href":"#au-3_smt.a","rel":"assessment-for"}]},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;","links":[{"href":"#au-3_smt.b","rel":"assessment-for"}]},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;","links":[{"href":"#au-3_smt.c","rel":"assessment-for"}]},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;","links":[{"href":"#au-3_smt.d","rel":"assessment-for"}]},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;","links":[{"href":"#au-3_smt.e","rel":"assessment-for"}]},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event.","links":[{"href":"#au-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#au-3_smt","rel":"assessment-for"}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}.","links":[{"href":"#au-3.1_smt","rel":"assessment-for"}]},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.","links":[{"href":"#au-4_smt","rel":"assessment-for"}]},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};","links":[{"href":"#au-5_smt.a","rel":"assessment-for"}]},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.","links":[{"href":"#au-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-5_smt","rel":"assessment-for"}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;","links":[{"href":"#au-6_smt.a","rel":"assessment-for"}]},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};","links":[{"href":"#au-6_smt.b","rel":"assessment-for"}]},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.","links":[{"href":"#au-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-6_smt","rel":"assessment-for"}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.","links":[{"href":"#au-6.1_smt","rel":"assessment-for"}]},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.","links":[{"href":"#au-6.3_smt","rel":"assessment-for"}]},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt","rel":"assessment-for"}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;","links":[{"href":"#au-8_smt.a","rel":"assessment-for"}]},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.","links":[{"href":"#au-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-8_smt","rel":"assessment-for"}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;","links":[{"href":"#au-9_smt.a","rel":"assessment-for"}]},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.","links":[{"href":"#au-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-9_smt","rel":"assessment-for"}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.","links":[{"href":"#au-9.4_smt","rel":"assessment-for"}]},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","links":[{"href":"#au-11_smt","rel":"assessment-for"}]},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};","links":[{"href":"#au-12_smt.a","rel":"assessment-for"}]},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":" {{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;","links":[{"href":"#au-12_smt.b","rel":"assessment-for"}]},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.","links":[{"href":"#au-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-12_smt","rel":"assessment-for"}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ca-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;","links":[{"href":"#ca-1_smt.b","rel":"assessment-for"}]},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt","rel":"assessment-for"}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;","links":[{"href":"#ca-2_smt.a","rel":"assessment-for"}]},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;","links":[{"href":"#ca-2_smt.b.1","rel":"assessment-for"}]},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;","links":[{"href":"#ca-2_smt.b.2","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b","rel":"assessment-for"}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;","links":[{"href":"#ca-2_smt.c","rel":"assessment-for"}]},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;","links":[{"href":"#ca-2_smt.e","rel":"assessment-for"}]},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.","links":[{"href":"#ca-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt","rel":"assessment-for"}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments.","links":[{"href":"#ca-2.1_smt","rel":"assessment-for"}]},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements"," {{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};","links":[{"href":"#ca-3_smt.a","rel":"assessment-for"}]},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.","links":[{"href":"#ca-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt","rel":"assessment-for"}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;","links":[{"href":"#ca-5_smt.a","rel":"assessment-for"}]},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.","links":[{"href":"#ca-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-5_smt","rel":"assessment-for"}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;","links":[{"href":"#ca-6_smt.a","rel":"assessment-for"}]},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.b","rel":"assessment-for"}]},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;","links":[{"href":"#ca-6_smt.c.1","rel":"assessment-for"}]},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;","links":[{"href":"#ca-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt.c","rel":"assessment-for"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.d","rel":"assessment-for"}]},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}.","links":[{"href":"#ca-6_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt","rel":"assessment-for"}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};","links":[{"href":"#ca-7_smt.a","rel":"assessment-for"}]},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.c","rel":"assessment-for"}]},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.d","rel":"assessment-for"}]},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;","links":[{"href":"#ca-7_smt.e","rel":"assessment-for"}]},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;","links":[{"href":"#ca-7_smt.f","rel":"assessment-for"}]},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.","links":[{"href":"#ca-7.1_smt","rel":"assessment-for"}]},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.a","rel":"assessment-for"}]},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.b","rel":"assessment-for"}]},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring.","links":[{"href":"#ca-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.4_smt","rel":"assessment-for"}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;","links":[{"href":"#ca-9_smt.a","rel":"assessment-for"}]},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};","links":[{"href":"#ca-9_smt.c","rel":"assessment-for"}]},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.","links":[{"href":"#ca-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt","rel":"assessment-for"}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cm-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;","links":[{"href":"#cm-1_smt.b","rel":"assessment-for"}]},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt","rel":"assessment-for"}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};","links":[{"href":"#cm-2_smt.b.1","rel":"assessment-for"}]},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};","links":[{"href":"#cm-2_smt.b.2","rel":"assessment-for"}]},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.","links":[{"href":"#cm-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt","rel":"assessment-for"}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback.","links":[{"href":"#cm-2.3_smt","rel":"assessment-for"}]},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;","links":[{"href":"#cm-2.7_smt.a","rel":"assessment-for"}]},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.","links":[{"href":"#cm-2.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.7_smt","rel":"assessment-for"}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;","links":[{"href":"#cm-3_smt.a","rel":"assessment-for"}]},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;","links":[{"href":"#cm-3_smt.c","rel":"assessment-for"}]},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;","links":[{"href":"#cm-3_smt.d","rel":"assessment-for"}]},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};","links":[{"href":"#cm-3_smt.e","rel":"assessment-for"}]},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt","rel":"assessment-for"}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes.","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation.","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced.","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};","links":[{"href":"#cm-6_smt.a","rel":"assessment-for"}]},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;","links":[{"href":"#cm-6_smt.b","rel":"assessment-for"}]},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures.","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt","rel":"assessment-for"}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};","links":[{"href":"#cm-7_smt.a","rel":"assessment-for"}]},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt","rel":"assessment-for"}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:","links":[{"href":"#cm-7.1_smt.a","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed.","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt","rel":"assessment-for"}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.","links":[{"href":"#cm-7.2_smt","rel":"assessment-for"}]},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, cm-07.05_odp.01 }} are identified;","links":[{"href":"#cm-7.5_smt.a","rel":"assessment-for"}]},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;","links":[{"href":"#cm-7.5_smt.b","rel":"assessment-for"}]},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.","links":[{"href":"#cm-7.5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.5_smt","rel":"assessment-for"}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;","links":[{"href":"#cm-8_smt.a.1","rel":"assessment-for"}]},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;","links":[{"href":"#cm-8_smt.a.2","rel":"assessment-for"}]},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;","links":[{"href":"#cm-8_smt.a.3","rel":"assessment-for"}]},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;","links":[{"href":"#cm-8_smt.a.4","rel":"assessment-for"}]},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;","links":[{"href":"#cm-8_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt.a","rel":"assessment-for"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.","links":[{"href":"#cm-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt","rel":"assessment-for"}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates.","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt","rel":"assessment-for"}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};","links":[{"href":"#cm-9_smt.d","rel":"assessment-for"}]},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification.","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;","links":[{"href":"#cm-10_smt.a","rel":"assessment-for"}]},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;","links":[{"href":"#cm-10_smt.b","rel":"assessment-for"}]},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.","links":[{"href":"#cm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-10_smt","rel":"assessment-for"}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":" {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;","links":[{"href":"#cm-11_smt.a","rel":"assessment-for"}]},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};","links":[{"href":"#cm-11_smt.b","rel":"assessment-for"}]},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.","links":[{"href":"#cm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-11_smt","rel":"assessment-for"}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt","rel":"assessment-for"}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.","links":[{"href":"#cm-12.1_smt","rel":"assessment-for"}]},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;","links":[{"href":"#cp-1_smt.b","rel":"assessment-for"}]},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt","rel":"assessment-for"}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;","links":[{"href":"#cp-2_smt.a.1","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;","links":[{"href":"#cp-2_smt.a.4","rel":"assessment-for"}]},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;","links":[{"href":"#cp-2_smt.a.5","rel":"assessment-for"}]},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;","links":[{"href":"#cp-2_smt.a.6","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a","rel":"assessment-for"}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;","links":[{"href":"#cp-2_smt.c","rel":"assessment-for"}]},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};","links":[{"href":"#cp-2_smt.d","rel":"assessment-for"}]},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification.","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt","rel":"assessment-for"}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-2.1_smt","rel":"assessment-for"}]},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.","links":[{"href":"#cp-2.3_smt","rel":"assessment-for"}]},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.","links":[{"href":"#cp-2.8_smt","rel":"assessment-for"}]},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;","links":[{"href":"#cp-3_smt.a.1","rel":"assessment-for"}]},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#cp-3_smt.a.2","rel":"assessment-for"}]},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;","links":[{"href":"#cp-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.a","rel":"assessment-for"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt","rel":"assessment-for"}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;","links":[{"href":"#cp-4_smt.b","rel":"assessment-for"}]},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed.","links":[{"href":"#cp-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt","rel":"assessment-for"}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-4.1_smt","rel":"assessment-for"}]},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site.","links":[{"href":"#cp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt","rel":"assessment-for"}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.","links":[{"href":"#cp-6.1_smt","rel":"assessment-for"}]},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;","links":[{"href":"#cp-7_smt.a","rel":"assessment-for"}]},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site.","links":[{"href":"#cp-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt","rel":"assessment-for"}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.","links":[{"href":"#cp-7.1_smt","rel":"assessment-for"}]},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.","links":[{"href":"#cp-7.3_smt","rel":"assessment-for"}]},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.","links":[{"href":"#cp-8_smt","rel":"assessment-for"}]},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier.","links":[{"href":"#cp-8.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt","rel":"assessment-for"}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.","links":[{"href":"#cp-8.2_smt","rel":"assessment-for"}]},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};","links":[{"href":"#cp-9_smt.a","rel":"assessment-for"}]},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};","links":[{"href":"#cp-9_smt.b","rel":"assessment-for"}]},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};","links":[{"href":"#cp-9_smt.c","rel":"assessment-for"}]},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected.","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt","rel":"assessment-for"}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.","links":[{"href":"#cp-9.8_smt","rel":"assessment-for"}]},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based.","links":[{"href":"#cp-10.2_smt","rel":"assessment-for"}]},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ia-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;","links":[{"href":"#ia-1_smt.b","rel":"assessment-for"}]},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt","rel":"assessment-for"}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts.","links":[{"href":"#ia-2.1_smt","rel":"assessment-for"}]},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented.","links":[{"href":"#ia-2.2_smt","rel":"assessment-for"}]},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.","links":[{"href":"#ia-2.8_smt","rel":"assessment-for"}]},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified.","links":[{"href":"#ia-2.12_smt","rel":"assessment-for"}]},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":" {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.","links":[{"href":"#ia-3_smt","rel":"assessment-for"}]},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;","links":[{"href":"#ia-4_smt.a","rel":"assessment-for"}]},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.b","rel":"assessment-for"}]},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.c","rel":"assessment-for"}]},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.","links":[{"href":"#ia-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ia-4_smt","rel":"assessment-for"}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.","links":[{"href":"#ia-4.4_smt","rel":"assessment-for"}]},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;","links":[{"href":"#ia-5_smt.a","rel":"assessment-for"}]},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;","links":[{"href":"#ia-5_smt.b","rel":"assessment-for"}]},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;","links":[{"href":"#ia-5_smt.c","rel":"assessment-for"}]},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;","links":[{"href":"#ia-5_smt.d","rel":"assessment-for"}]},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;","links":[{"href":"#ia-5_smt.e","rel":"assessment-for"}]},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;","links":[{"href":"#ia-5_smt.f","rel":"assessment-for"}]},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;","links":[{"href":"#ia-5_smt.g","rel":"assessment-for"}]},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.","links":[{"href":"#ia-5_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt","rel":"assessment-for"}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;","links":[{"href":"#ia-5.1_smt.a","rel":"assessment-for"}]},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);","links":[{"href":"#ia-5.1_smt.b","rel":"assessment-for"}]},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;","links":[{"href":"#ia-5.1_smt.c","rel":"assessment-for"}]},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;","links":[{"href":"#ia-5.1_smt.d","rel":"assessment-for"}]},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;","links":[{"href":"#ia-5.1_smt.e","rel":"assessment-for"}]},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;","links":[{"href":"#ia-5.1_smt.f","rel":"assessment-for"}]},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;","links":[{"href":"#ia-5.1_smt.g","rel":"assessment-for"}]},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.","links":[{"href":"#ia-5.1_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.1_smt","rel":"assessment-for"}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.a","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;","links":[{"href":"#ia-5.2_smt.b.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.","links":[{"href":"#ia-5.2_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt","rel":"assessment-for"}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.","links":[{"href":"#ia-5.6_smt","rel":"assessment-for"}]},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.","links":[{"href":"#ia-6_smt","rel":"assessment-for"}]},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.","links":[{"href":"#ia-7_smt","rel":"assessment-for"}]},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.","links":[{"href":"#ia-8_smt","rel":"assessment-for"}]},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;","links":[{"href":"#ia-8.2_smt.a","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained.","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt","rel":"assessment-for"}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.","links":[{"href":"#ia-8.4_smt","rel":"assessment-for"}]},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}.","links":[{"href":"#ia-11_smt","rel":"assessment-for"}]},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;","links":[{"href":"#ia-12_smt.a","rel":"assessment-for"}]},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;","links":[{"href":"#ia-12_smt.b","rel":"assessment-for"}]},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified.","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt","rel":"assessment-for"}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority.","links":[{"href":"#ia-12.2_smt","rel":"assessment-for"}]},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.","links":[{"href":"#ia-12.3_smt","rel":"assessment-for"}]},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.","links":[{"href":"#ia-12.5_smt","rel":"assessment-for"}]},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ir-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;","links":[{"href":"#ir-1_smt.b","rel":"assessment-for"}]},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt","rel":"assessment-for"}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;","links":[{"href":"#ir-2_smt.a.1","rel":"assessment-for"}]},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#ir-2_smt.a.2","rel":"assessment-for"}]},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;","links":[{"href":"#ir-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.a","rel":"assessment-for"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt","rel":"assessment-for"}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.","links":[{"href":"#ir-3_smt","rel":"assessment-for"}]},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#ir-3.2_smt","rel":"assessment-for"}]},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;","links":[{"href":"#ir-4_smt.b","rel":"assessment-for"}]},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization.","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt","rel":"assessment-for"}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.","links":[{"href":"#ir-4.1_smt","rel":"assessment-for"}]},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented.","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};","links":[{"href":"#ir-6_smt.a","rel":"assessment-for"}]},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}.","links":[{"href":"#ir-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-6_smt","rel":"assessment-for"}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}.","links":[{"href":"#ir-6.1_smt","rel":"assessment-for"}]},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.","links":[{"href":"#ir-6.3_smt","rel":"assessment-for"}]},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.","links":[{"href":"#ir-7.1_smt","rel":"assessment-for"}]},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;","links":[{"href":"#ir-8_smt.a.1","rel":"assessment-for"}]},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;","links":[{"href":"#ir-8_smt.a.2","rel":"assessment-for"}]},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;","links":[{"href":"#ir-8_smt.a.3","rel":"assessment-for"}]},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;","links":[{"href":"#ir-8_smt.a.4","rel":"assessment-for"}]},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;","links":[{"href":"#ir-8_smt.a.5","rel":"assessment-for"}]},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;","links":[{"href":"#ir-8_smt.a.6","rel":"assessment-for"}]},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;","links":[{"href":"#ir-8_smt.a.7","rel":"assessment-for"}]},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;","links":[{"href":"#ir-8_smt.a.8","rel":"assessment-for"}]},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};","links":[{"href":"#ir-8_smt.a.9","rel":"assessment-for"}]},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.","links":[{"href":"#ir-8_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.a","rel":"assessment-for"}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;","links":[{"href":"#ir-8_smt.c","rel":"assessment-for"}]},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification.","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt","rel":"assessment-for"}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ma-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;","links":[{"href":"#ma-1_smt.b","rel":"assessment-for"}]},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt","rel":"assessment-for"}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.c","rel":"assessment-for"}]},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.d","rel":"assessment-for"}]},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;","links":[{"href":"#ma-2_smt.e","rel":"assessment-for"}]},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":" {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.","links":[{"href":"#ma-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt","rel":"assessment-for"}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.","links":[{"href":"#ma-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt","rel":"assessment-for"}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.","links":[{"href":"#ma-3.1_smt","rel":"assessment-for"}]},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system.","links":[{"href":"#ma-3.2_smt","rel":"assessment-for"}]},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or","links":[{"href":"#ma-3.3_smt.a","rel":"assessment-for"}]},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or","links":[{"href":"#ma-3.3_smt.b","rel":"assessment-for"}]},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"assessment-for"}]},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.","links":[{"href":"#ma-3.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ma-3.3_smt","rel":"assessment-for"}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;","links":[{"href":"#ma-4_smt.c","rel":"assessment-for"}]},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;","links":[{"href":"#ma-4_smt.d","rel":"assessment-for"}]},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed.","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt","rel":"assessment-for"}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;","links":[{"href":"#ma-5_smt.b","rel":"assessment-for"}]},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.","links":[{"href":"#ma-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt","rel":"assessment-for"}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.","links":[{"href":"#ma-6_smt","rel":"assessment-for"}]},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#mp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.","links":[{"href":"#mp-1_smt.b","rel":"assessment-for"}]},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt","rel":"assessment-for"}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;","links":[{"href":"#mp-3_smt.a","rel":"assessment-for"}]},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.","links":[{"href":"#mp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-3_smt","rel":"assessment-for"}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.01 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.02 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.","links":[{"href":"#mp-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt","rel":"assessment-for"}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;","links":[{"href":"#mp-5_smt.b","rel":"assessment-for"}]},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;","links":[{"href":"#mp-5_smt.c","rel":"assessment-for"}]},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel.","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt","rel":"assessment-for"}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.","links":[{"href":"#mp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt","rel":"assessment-for"}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};","links":[{"href":"#mp-7_smt.a","rel":"assessment-for"}]},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.","links":[{"href":"#mp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-7_smt","rel":"assessment-for"}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pe-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;","links":[{"href":"#pe-1_smt.b","rel":"assessment-for"}]},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt","rel":"assessment-for"}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;","links":[{"href":"#pe-2_smt.b","rel":"assessment-for"}]},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};","links":[{"href":"#pe-2_smt.c","rel":"assessment-for"}]},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required.","links":[{"href":"#pe-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt","rel":"assessment-for"}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;","links":[{"href":"#pe-3_smt.a.1","rel":"assessment-for"}]},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};","links":[{"href":"#pe-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.a","rel":"assessment-for"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};","links":[{"href":"#pe-3_smt.b","rel":"assessment-for"}]},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};","links":[{"href":"#pe-3_smt.c","rel":"assessment-for"}]},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};","links":[{"href":"#pe-3_smt.f","rel":"assessment-for"}]},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt","rel":"assessment-for"}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.","links":[{"href":"#pe-4_smt","rel":"assessment-for"}]},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.","links":[{"href":"#pe-5_smt","rel":"assessment-for"}]},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;","links":[{"href":"#pe-6_smt.a","rel":"assessment-for"}]},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities.","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt","rel":"assessment-for"}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment.","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};","links":[{"href":"#pe-8_smt.a","rel":"assessment-for"}]},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};","links":[{"href":"#pe-8_smt.b","rel":"assessment-for"}]},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.","links":[{"href":"#pe-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-8_smt","rel":"assessment-for"}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction.","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;","links":[{"href":"#pe-10_smt.a","rel":"assessment-for"}]},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;","links":[{"href":"#pe-10_smt.b","rel":"assessment-for"}]},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation.","links":[{"href":"#pe-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-10_smt","rel":"assessment-for"}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.","links":[{"href":"#pe-11_smt","rel":"assessment-for"}]},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility.","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained.","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation"," {{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;","links":[{"href":"#pe-14_smt.a","rel":"assessment-for"}]},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.","links":[{"href":"#pe-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-14_smt","rel":"assessment-for"}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel.","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":" {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained.","links":[{"href":"#pe-16_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt","rel":"assessment-for"}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.01 }} are determined and documented;","links":[{"href":"#pe-17_smt.a","rel":"assessment-for"}]},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":" {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;","links":[{"href":"#pe-17_smt.b","rel":"assessment-for"}]},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;","links":[{"href":"#pe-17_smt.c","rel":"assessment-for"}]},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided.","links":[{"href":"#pe-17_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-17_smt","rel":"assessment-for"}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented.","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pl-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;","links":[{"href":"#pl-1_smt.b","rel":"assessment-for"}]},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt","rel":"assessment-for"}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a","rel":"assessment-for"}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};","links":[{"href":"#pl-2_smt.c","rel":"assessment-for"}]},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification.","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt","rel":"assessment-for"}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;","links":[{"href":"#pl-4_smt.b","rel":"assessment-for"}]},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};","links":[{"href":"#pl-4_smt.c","rel":"assessment-for"}]},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.","links":[{"href":"#pl-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt","rel":"assessment-for"}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;","links":[{"href":"#pl-4.1_smt.a","rel":"assessment-for"}]},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;","links":[{"href":"#pl-4.1_smt.b","rel":"assessment-for"}]},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications.","links":[{"href":"#pl-4.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-4.1_smt","rel":"assessment-for"}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;","links":[{"href":"#pl-8_smt.a.1","rel":"assessment-for"}]},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;","links":[{"href":"#pl-8_smt.a.2","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a","rel":"assessment-for"}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;","links":[{"href":"#pl-8_smt.b","rel":"assessment-for"}]},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions.","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt","rel":"assessment-for"}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected.","links":[{"href":"#pl-10_smt","rel":"assessment-for"}]},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions.","links":[{"href":"#pl-11_smt","rel":"assessment-for"}]},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ps-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;","links":[{"href":"#ps-1_smt.b","rel":"assessment-for"}]},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt","rel":"assessment-for"}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;","links":[{"href":"#ps-2_smt.a","rel":"assessment-for"}]},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;","links":[{"href":"#ps-2_smt.b","rel":"assessment-for"}]},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.","links":[{"href":"#ps-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-2_smt","rel":"assessment-for"}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;","links":[{"href":"#ps-3_smt.a","rel":"assessment-for"}]},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt","rel":"assessment-for"}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};","links":[{"href":"#ps-4_smt.a","rel":"assessment-for"}]},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;","links":[{"href":"#ps-4_smt.b","rel":"assessment-for"}]},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;","links":[{"href":"#ps-4_smt.c","rel":"assessment-for"}]},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;","links":[{"href":"#ps-4_smt.d","rel":"assessment-for"}]},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.","links":[{"href":"#ps-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-4_smt","rel":"assessment-for"}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;","links":[{"href":"#ps-5_smt.a","rel":"assessment-for"}]},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};","links":[{"href":"#ps-5_smt.b","rel":"assessment-for"}]},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;","links":[{"href":"#ps-5_smt.c","rel":"assessment-for"}]},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.","links":[{"href":"#ps-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ps-5_smt","rel":"assessment-for"}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;","links":[{"href":"#ps-6_smt.a","rel":"assessment-for"}]},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};","links":[{"href":"#ps-6_smt.b","rel":"assessment-for"}]},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;","links":[{"href":"#ps-6_smt.c.1","rel":"assessment-for"}]},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.","links":[{"href":"#ps-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt","rel":"assessment-for"}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;","links":[{"href":"#ps-7_smt.a","rel":"assessment-for"}]},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;","links":[{"href":"#ps-7_smt.b","rel":"assessment-for"}]},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;","links":[{"href":"#ps-7_smt.c","rel":"assessment-for"}]},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};","links":[{"href":"#ps-7_smt.d","rel":"assessment-for"}]},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored.","links":[{"href":"#ps-7_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-7_smt","rel":"assessment-for"}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;","links":[{"href":"#ps-8_smt.a","rel":"assessment-for"}]},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":" {{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.","links":[{"href":"#ps-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-8_smt","rel":"assessment-for"}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions.","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ra-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;","links":[{"href":"#ra-1_smt.b","rel":"assessment-for"}]},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt","rel":"assessment-for"}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;","links":[{"href":"#ra-2_smt.a","rel":"assessment-for"}]},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;","links":[{"href":"#ra-2_smt.b","rel":"assessment-for"}]},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.","links":[{"href":"#ra-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-2_smt","rel":"assessment-for"}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;","links":[{"href":"#ra-3_smt.a.1","rel":"assessment-for"}]},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;","links":[{"href":"#ra-3_smt.a.2","rel":"assessment-for"}]},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;","links":[{"href":"#ra-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt.a","rel":"assessment-for"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;","links":[{"href":"#ra-3_smt.b","rel":"assessment-for"}]},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};","links":[{"href":"#ra-3_smt.c","rel":"assessment-for"}]},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};","links":[{"href":"#ra-3_smt.d","rel":"assessment-for"}]},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};","links":[{"href":"#ra-3_smt.e","rel":"assessment-for"}]},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.","links":[{"href":"#ra-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt","rel":"assessment-for"}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;","links":[{"href":"#ra-3.1_smt.a","rel":"assessment-for"}]},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.","links":[{"href":"#ra-3.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-3.1_smt","rel":"assessment-for"}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;","links":[{"href":"#ra-5_smt.b.1","rel":"assessment-for"}]},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;","links":[{"href":"#ra-5_smt.b.2","rel":"assessment-for"}]},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;","links":[{"href":"#ra-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.b","rel":"assessment-for"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;","links":[{"href":"#ra-5_smt.c","rel":"assessment-for"}]},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;","links":[{"href":"#ra-5_smt.d","rel":"assessment-for"}]},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;","links":[{"href":"#ra-5_smt.e","rel":"assessment-for"}]},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.","links":[{"href":"#ra-5_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt","rel":"assessment-for"}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.","links":[{"href":"#ra-5.2_smt","rel":"assessment-for"}]},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.","links":[{"href":"#ra-5.5_smt","rel":"assessment-for"}]},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.","links":[{"href":"#ra-5.11_smt","rel":"assessment-for"}]},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance.","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.","links":[{"href":"#ra-9_smt","rel":"assessment-for"}]},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sa-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;","links":[{"href":"#sa-1_smt.b","rel":"assessment-for"}]},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt","rel":"assessment-for"}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation.","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt","rel":"assessment-for"}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities.","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt","rel":"assessment-for"}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.b","rel":"assessment-for"}]},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.g","rel":"assessment-for"}]},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.","links":[{"href":"#sa-4_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt","rel":"assessment-for"}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.","links":[{"href":"#sa-4.1_smt","rel":"assessment-for"}]},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics"," {{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.","links":[{"href":"#sa-4.2_smt","rel":"assessment-for"}]},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use.","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.","links":[{"href":"#sa-4.10_smt","rel":"assessment-for"}]},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a","rel":"assessment-for"}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b","rel":"assessment-for"}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}.","links":[{"href":"#sa-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt","rel":"assessment-for"}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.","links":[{"href":"#sa-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt","rel":"assessment-for"}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.","links":[{"href":"#sa-9.2_smt","rel":"assessment-for"}]},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};","links":[{"href":"#sa-10_smt.a","rel":"assessment-for"}]},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.c","rel":"assessment-for"}]},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt","rel":"assessment-for"}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};","links":[{"href":"#sa-11_smt.b","rel":"assessment-for"}]},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;","links":[{"href":"#sa-11_smt.d","rel":"assessment-for"}]},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.","links":[{"href":"#sa-11_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt","rel":"assessment-for"}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;","links":[{"href":"#sa-15_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a","rel":"assessment-for"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt","rel":"assessment-for"}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;","links":[{"href":"#sa-15.3_smt.a","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt","rel":"assessment-for"}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support"," {{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;","links":[{"href":"#sa-22_smt.a","rel":"assessment-for"}]},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.","links":[{"href":"#sa-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-22_smt","rel":"assessment-for"}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sc-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;","links":[{"href":"#sc-1_smt.b","rel":"assessment-for"}]},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt","rel":"assessment-for"}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality.","links":[{"href":"#sc-2_smt","rel":"assessment-for"}]},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented.","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":" {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};","links":[{"href":"#sc-5_smt.a","rel":"assessment-for"}]},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.","links":[{"href":"#sc-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-5_smt","rel":"assessment-for"}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;","links":[{"href":"#sc-7_smt.b","rel":"assessment-for"}]},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","links":[{"href":"#sc-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt","rel":"assessment-for"}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited.","links":[{"href":"#sc-7.3_smt","rel":"assessment-for"}]},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"assessment-for"}]},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;","links":[{"href":"#sc-7.4_smt.d","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;","links":[{"href":"#sc-7.4_smt.f","rel":"assessment-for"}]},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;","links":[{"href":"#sc-7.4_smt.g","rel":"assessment-for"}]},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks.","links":[{"href":"#sc-7.4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt","rel":"assessment-for"}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.","links":[{"href":"#sc-7.7_smt","rel":"assessment-for"}]},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.","links":[{"href":"#sc-7.8_smt","rel":"assessment-for"}]},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected.","links":[{"href":"#sc-8_smt","rel":"assessment-for"}]},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.","links":[{"href":"#sc-8.1_smt","rel":"assessment-for"}]},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.","links":[{"href":"#sc-10_smt","rel":"assessment-for"}]},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.01 }} are identified;","links":[{"href":"#sc-13_smt.a","rel":"assessment-for"}]},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":" {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.","links":[{"href":"#sc-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-13_smt","rel":"assessment-for"}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};","links":[{"href":"#sc-15_smt.a","rel":"assessment-for"}]},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices.","links":[{"href":"#sc-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-15_smt","rel":"assessment-for"}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;","links":[{"href":"#sc-17_smt.a","rel":"assessment-for"}]},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization.","links":[{"href":"#sc-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-17_smt","rel":"assessment-for"}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system.","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt","rel":"assessment-for"}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt","rel":"assessment-for"}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources.","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation.","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected.","links":[{"href":"#sc-23_smt","rel":"assessment-for"}]},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected.","links":[{"href":"#sc-28_smt","rel":"assessment-for"}]},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process.","links":[{"href":"#sc-39_smt","rel":"assessment-for"}]},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#si-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;","links":[{"href":"#si-1_smt.b","rel":"assessment-for"}]},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt","rel":"assessment-for"}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process.","links":[{"href":"#si-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt","rel":"assessment-for"}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.","links":[{"href":"#si-2.2_smt","rel":"assessment-for"}]},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;","links":[{"href":"#si-3_smt.b","rel":"assessment-for"}]},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c","rel":"assessment-for"}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.","links":[{"href":"#si-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt","rel":"assessment-for"}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed"," {{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};","links":[{"href":"#si-4_smt.a.1","rel":"assessment-for"}]},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a","rel":"assessment-for"}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};","links":[{"href":"#si-4_smt.b","rel":"assessment-for"}]},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;","links":[{"href":"#si-4_smt.c.1","rel":"assessment-for"}]},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;","links":[{"href":"#si-4_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.c","rel":"assessment-for"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;","links":[{"href":"#si-4_smt.e","rel":"assessment-for"}]},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;","links":[{"href":"#si-4_smt.f","rel":"assessment-for"}]},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":" {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.","links":[{"href":"#si-4_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt","rel":"assessment-for"}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events.","links":[{"href":"#si-4.2_smt","rel":"assessment-for"}]},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt","rel":"assessment-for"}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":" {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.","links":[{"href":"#si-4.5_smt","rel":"assessment-for"}]},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, si-05_odp.03 }} "," {{ insert: param, si-05_odp.04 }} "," {{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;","links":[{"href":"#si-5_smt.a","rel":"assessment-for"}]},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;","links":[{"href":"#si-5_smt.b","rel":"assessment-for"}]},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};","links":[{"href":"#si-5_smt.c","rel":"assessment-for"}]},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.","links":[{"href":"#si-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-5_smt","rel":"assessment-for"}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt","rel":"assessment-for"}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} "," {{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} "," {{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} "," {{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} "," {{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.","links":[{"href":"#si-7.7_smt","rel":"assessment-for"}]},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.","links":[{"href":"#si-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt","rel":"assessment-for"}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.","links":[{"href":"#si-8.2_smt","rel":"assessment-for"}]},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked.","links":[{"href":"#si-10_smt","rel":"assessment-for"}]},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;","links":[{"href":"#si-11_smt.a","rel":"assessment-for"}]},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}.","links":[{"href":"#si-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-11_smt","rel":"assessment-for"}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.","links":[{"href":"#si-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":" {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.","links":[{"href":"#si-16_smt","rel":"assessment-for"}]},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sr-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;","links":[{"href":"#sr-1_smt.b","rel":"assessment-for"}]},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt","rel":"assessment-for"}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;","links":[{"href":"#sr-2_smt.b","rel":"assessment-for"}]},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification.","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt","rel":"assessment-for"}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.","links":[{"href":"#sr-2.1_smt","rel":"assessment-for"}]},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan"," {{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":" {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;","links":[{"href":"#sr-3_smt.b","rel":"assessment-for"}]},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.","links":[{"href":"#sr-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt","rel":"assessment-for"}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.","links":[{"href":"#sr-6_smt","rel":"assessment-for"}]},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises"," {{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.","links":[{"href":"#sr-8_smt","rel":"assessment-for"}]},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":" {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.","links":[{"href":"#sr-10_smt","rel":"assessment-for"}]},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component"," {{ insert: param, sr-11_odp.02 }} "," {{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.","links":[{"href":"#sr-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt","rel":"assessment-for"}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":" {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).","links":[{"href":"#sr-11.1_smt","rel":"assessment-for"}]},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":" {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.","links":[{"href":"#sr-12_smt","rel":"assessment-for"}]},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.json
index e8c17489..78952119 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.json
@@ -1,10 +1,10 @@
 {
   "catalog": {
-    "uuid": "64dd932d-a3d3-4369-8fa3-09c7b202e580",
+    "uuid": "6ce800da-ce21-48b7-8da4-715337b033e6",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE",
-      "last-modified": "2023-11-02T11:49:44.380433-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE",
+      "last-modified": "2023-12-05T21:54:58.514658Z",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "props": [
         {
@@ -468,7 +468,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an access control policy is developed and documented;"
+                        "prose": "an access control policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-2",
@@ -480,7 +486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
+                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-3",
@@ -492,7 +504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"
+                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-4",
@@ -504,7 +522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"
+                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a.1",
@@ -538,7 +562,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-2",
@@ -550,7 +580,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-3",
@@ -562,7 +598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-4",
@@ -574,7 +616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-5",
@@ -586,7 +634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-6",
@@ -598,7 +652,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-7",
@@ -610,7 +670,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -624,10 +696,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -640,7 +730,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"
+                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-1_obj.c",
@@ -674,7 +770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"
+                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.1-2",
@@ -686,7 +788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"
+                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -711,7 +825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"
+                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.2-2",
@@ -723,12 +843,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."
+                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1410,7 +1554,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types allowed for use within the system are defined and documented;"
+                        "prose": "account types allowed for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.a-2",
@@ -1422,7 +1572,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types specifically prohibited for use within the system are defined and documented;"
+                        "prose": "account types specifically prohibited for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1436,7 +1598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "account managers are assigned;"
+                    "prose": "account managers are assigned;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.c",
@@ -1448,7 +1616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;"
+                    "prose": " {{ insert: param, ac-02_odp.01 }} for group and role membership are required;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.d",
@@ -1471,7 +1645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized users of the system are specified;"
+                        "prose": "authorized users of the system are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.2",
@@ -1483,7 +1663,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "group and role membership are specified;"
+                        "prose": "group and role membership are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.3",
@@ -1506,7 +1692,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access authorizations (i.e., privileges) are specified for each account;"
+                            "prose": "access authorizations (i.e., privileges) are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-2_obj.d.3-2",
@@ -1518,10 +1710,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;"
+                            "prose": " {{ insert: param, ac-02_odp.02 }} are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.d",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -1534,7 +1744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"
+                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.f",
@@ -1557,7 +1773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-2",
@@ -1569,7 +1791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-3",
@@ -1581,7 +1809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-4",
@@ -1593,7 +1827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-5",
@@ -1605,7 +1845,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1619,7 +1871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of accounts is monitored; "
+                    "prose": "the use of accounts is monitored; ",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.h",
@@ -1642,7 +1900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.2",
@@ -1654,7 +1918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.3",
@@ -1666,7 +1936,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1691,7 +1973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on a valid access authorization;"
+                        "prose": "access to the system is authorized based on a valid access authorization;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.2",
@@ -1703,7 +1991,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on intended system usage;"
+                        "prose": "access to the system is authorized based on intended system usage;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.3",
@@ -1715,7 +2009,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"
+                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.i",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1729,7 +2035,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"
+                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.j",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.k",
@@ -1752,7 +2064,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.k-2",
@@ -1764,7 +2082,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.k",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1789,7 +2119,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel termination processes;"
+                        "prose": "account management processes are aligned with personnel termination processes;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.l-2",
@@ -1801,10 +2137,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel transfer processes."
+                        "prose": "account management processes are aligned with personnel transfer processes.",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.l",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1948,7 +2302,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."
+                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.1_asm-examine",
@@ -2116,7 +2476,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."
+                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.2_asm-examine",
@@ -2336,7 +2702,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.b",
@@ -2348,7 +2720,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.c",
@@ -2360,7 +2738,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.d",
@@ -2372,7 +2756,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2514,7 +2910,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account creation is automatically audited;"
+                        "prose": "account creation is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-2",
@@ -2526,7 +2928,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account modification is automatically audited;"
+                        "prose": "account modification is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-3",
@@ -2538,7 +2946,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account enabling is automatically audited;"
+                        "prose": "account enabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-4",
@@ -2550,7 +2964,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account disabling is automatically audited;"
+                        "prose": "account disabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-5",
@@ -2562,7 +2982,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account removal actions are automatically audited."
+                        "prose": "account removal actions are automatically audited.",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2716,7 +3148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}."
+                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.5_asm-examine",
@@ -2865,7 +3303,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."
+                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.13_asm-examine",
@@ -3090,6 +3534,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-3",
                 "rel": "related"
@@ -3188,7 +3636,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."
+                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
+                "links": [
+                  {
+                    "href": "#ac-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-3_asm-examine",
@@ -3411,7 +3865,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."
+                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-4_asm-examine",
@@ -3653,7 +4113,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-05_odp }} are identified and documented;"
+                    "prose": " {{ insert: param, ac-05_odp }} are identified and documented;",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-5_obj.b",
@@ -3665,7 +4131,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system access authorizations to support separation of duties are defined."
+                    "prose": "system access authorizations to support separation of duties are defined.",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -3832,7 +4310,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
+                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.",
+                "links": [
+                  {
+                    "href": "#ac-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-6_asm-examine",
@@ -4135,7 +4619,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-2",
@@ -4147,7 +4637,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-3",
@@ -4159,7 +4655,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -4173,7 +4681,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."
+                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4334,7 +4854,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."
+                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.2_asm-examine",
@@ -4489,7 +5015,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."
+                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-6.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.5_asm-examine",
@@ -4695,7 +5227,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"
+                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-6.7_obj.b",
@@ -4707,7 +5245,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."
+                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4842,7 +5392,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the execution of privileged functions is logged."
+                    "prose": "the execution of privileged functions is logged.",
+                    "links": [
+                      {
+                        "href": "#ac-6.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.9_asm-examine",
@@ -4963,7 +5519,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-privileged users are prevented from executing privileged functions."
+                    "prose": "non-privileged users are prevented from executing privileged functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.10_asm-examine",
@@ -5270,7 +5832,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"
+                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7_obj.b",
@@ -5282,7 +5850,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."
+                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -5603,7 +6183,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that users are accessing a U.S. Government system;"
+                        "prose": "the system use notification states that users are accessing a U.S. Government system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.2",
@@ -5615,7 +6201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;"
+                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.3",
@@ -5627,7 +6219,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"
+                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.4",
@@ -5639,7 +6237,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;"
+                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5653,7 +6263,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"
+                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;",
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-8_obj.c",
@@ -5676,7 +6292,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"
+                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.2",
@@ -5688,7 +6310,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"
+                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.3",
@@ -5700,10 +6328,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included."
+                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -5914,7 +6560,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"
+                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11_obj.b",
@@ -5926,7 +6578,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures."
+                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6049,7 +6713,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image."
+                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.",
+                    "links": [
+                      {
+                        "href": "#ac-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11.1_asm-examine",
@@ -6207,7 +6877,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}."
+                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-12_asm-examine",
@@ -6392,7 +7068,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"
+                    "prose": " {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;",
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-14_obj.b",
@@ -6415,7 +7097,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;"
+                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-14_obj.b-2",
@@ -6427,10 +7115,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."
+                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -6671,7 +7377,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "usage restrictions are established and documented for each type of remote access allowed;"
+                        "prose": "usage restrictions are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-2",
@@ -6683,7 +7395,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;"
+                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-3",
@@ -6695,7 +7413,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established and documented for each type of remote access allowed;"
+                        "prose": "implementation guidance is established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6709,7 +7439,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of remote access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of remote access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6864,7 +7606,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to monitor remote access methods;"
+                        "prose": "automated mechanisms are employed to monitor remote access methods;",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17.1_obj-2",
@@ -6876,7 +7624,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to control remote access methods."
+                        "prose": "automated mechanisms are employed to control remote access methods.",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7011,7 +7771,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."
+                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.",
+                    "links": [
+                      {
+                        "href": "#ac-17.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.2_asm-examine",
@@ -7136,7 +7902,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote accesses are routed through authorized and managed network access control points."
+                    "prose": "remote accesses are routed through authorized and managed network access control points.",
+                    "links": [
+                      {
+                        "href": "#ac-17.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.3_asm-examine",
@@ -7364,7 +8136,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-2",
@@ -7376,7 +8154,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-3",
@@ -7388,7 +8172,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"
+                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-4",
@@ -7400,7 +8190,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"
+                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -7414,7 +8216,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rationale for remote access is documented in the security plan for the system."
+                        "prose": "the rationale for remote access is documented in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7640,7 +8454,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for each type of wireless access;"
+                        "prose": "configuration requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-2",
@@ -7652,7 +8472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for each type of wireless access;"
+                        "prose": "connection requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-3",
@@ -7664,7 +8490,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for each type of wireless access;"
+                        "prose": "implementation guidance is established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7678,7 +8516,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7847,7 +8697,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"
+                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.1_obj-2",
@@ -7859,7 +8715,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using encryption."
+                        "prose": "wireless access to the system is protected using encryption.",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7987,7 +8855,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."
+                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.",
+                    "links": [
+                      {
+                        "href": "#ac-18.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-18.3_asm-examine",
@@ -8247,7 +9121,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-2",
@@ -8259,7 +9139,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-3",
@@ -8271,7 +9157,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8285,7 +9183,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the connection of mobile devices to organizational systems is authorized."
+                    "prose": "the connection of mobile devices to organizational systems is authorized.",
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -8462,7 +9372,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."
+                    "prose": " {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-19.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-19.5_asm-examine",
@@ -8787,11 +9703,17 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.1",
+                            "value": "AC-20a.01",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20_obj.a.2",
@@ -8799,11 +9721,23 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.2",
+                            "value": "AC-20a.02",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"
+                        "prose": " {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8817,7 +9751,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."
+                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).",
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -8979,7 +9925,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20.1_obj.b",
@@ -8991,7 +9943,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9144,7 +10108,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."
+                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-20.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.2_asm-examine",
@@ -9389,7 +10359,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"
+                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-21_obj.b",
@@ -9401,7 +10377,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."
+                    "prose": " {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9618,7 +10606,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "designated individuals are authorized to make information publicly accessible;"
+                    "prose": "designated individuals are authorized to make information publicly accessible;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.b",
@@ -9630,7 +10624,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"
+                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.c",
@@ -9642,7 +10642,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"
+                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.d",
@@ -9665,7 +10671,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"
+                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-22_obj.d-2",
@@ -9677,10 +10689,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "non-public information is removed from the publicly accessible system, if discovered."
+                        "prose": "non-public information is removed from the publicly accessible system, if discovered.",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -10146,7 +11176,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an awareness and training policy is developed and documented; "
+                        "prose": "an awareness and training policy is developed and documented; ",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-2",
@@ -10158,7 +11194,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"
+                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-3",
@@ -10170,7 +11212,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"
+                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-4",
@@ -10182,7 +11230,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."
+                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a.1",
@@ -10216,7 +11270,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-2",
@@ -10228,7 +11288,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-3",
@@ -10240,7 +11306,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-4",
@@ -10252,7 +11324,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-5",
@@ -10264,7 +11342,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-6",
@@ -10276,7 +11360,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-7",
@@ -10288,7 +11378,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -10302,10 +11404,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"
+                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -10318,7 +11438,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"
+                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#at-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-1_obj.c",
@@ -10352,7 +11478,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "
+                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.1-2",
@@ -10364,7 +11496,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"
+                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -10389,7 +11533,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"
+                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.2-2",
@@ -10401,12 +11551,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."
+                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#at-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -10855,7 +12029,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-2",
@@ -10867,7 +12047,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-3",
@@ -10879,7 +12065,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-4",
@@ -10891,7 +12083,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -10916,7 +12120,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.2-2",
@@ -10928,10 +12138,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -10944,7 +12172,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"
+                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2_obj.c",
@@ -10967,7 +12201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"
+                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2_obj.c-2",
@@ -10979,7 +12219,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"
+                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10993,7 +12245,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -11136,7 +12400,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;"
+                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.2_obj-2",
@@ -11148,7 +12418,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential indicators of insider threat is provided."
+                        "prose": "literacy training on reporting potential indicators of insider threat is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11265,7 +12547,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-2",
@@ -11277,7 +12565,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-3",
@@ -11289,7 +12583,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-4",
@@ -11301,7 +12601,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social mining is provided."
+                        "prose": "literacy training on reporting potential and actual instances of social mining is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11706,7 +13018,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-2",
@@ -11718,7 +13036,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-3",
@@ -11730,7 +13054,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-4",
@@ -11742,7 +13072,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -11767,7 +13109,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.2-2",
@@ -11779,10 +13127,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -11806,7 +13172,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};"
+                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3_obj.b-2",
@@ -11818,7 +13190,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};"
+                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11832,7 +13216,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
+                    "links": [
+                      {
+                        "href": "#at-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12051,7 +13447,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-4_obj.a-2",
@@ -12063,7 +13465,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12077,7 +13491,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}."
+                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#at-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12536,7 +13962,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit and accountability policy is developed and documented;"
+                        "prose": "an audit and accountability policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-2",
@@ -12548,7 +13980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"
+                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-3",
@@ -12560,7 +13998,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"
+                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-4",
@@ -12572,7 +14016,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"
+                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a.1",
@@ -12606,7 +14056,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-2",
@@ -12618,7 +14074,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-3",
@@ -12630,7 +14092,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-4",
@@ -12642,7 +14110,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-5",
@@ -12654,7 +14128,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-6",
@@ -12666,7 +14146,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-7",
@@ -12678,7 +14164,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -12692,10 +14190,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -12708,7 +14224,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"
+                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#au-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-1_obj.c",
@@ -12742,7 +14264,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.1-2",
@@ -12754,7 +14282,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -12779,7 +14319,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"
+                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.2-2",
@@ -12791,12 +14337,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."
+                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -13198,7 +14768,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"
+                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.b",
@@ -13210,7 +14786,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.c",
@@ -13233,7 +14815,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"
+                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-2_obj.c-2",
@@ -13245,7 +14833,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"
+                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13259,7 +14859,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"
+                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.e",
@@ -13271,7 +14877,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."
+                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13513,7 +15131,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes what type of event occurred;"
+                    "prose": "audit records contain information that establishes what type of event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.b",
@@ -13525,7 +15149,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes when the event occurred;"
+                    "prose": "audit records contain information that establishes when the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.c",
@@ -13537,7 +15167,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes where the event occurred;"
+                    "prose": "audit records contain information that establishes where the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.d",
@@ -13549,7 +15185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the source of the event;"
+                    "prose": "audit records contain information that establishes the source of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.e",
@@ -13561,7 +15203,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the outcome of the event;"
+                    "prose": "audit records contain information that establishes the outcome of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.f",
@@ -13573,7 +15221,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event."
+                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13718,7 +15378,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}."
+                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3.1_asm-examine",
@@ -13900,7 +15566,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."
+                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-4_asm-examine",
@@ -14149,7 +15821,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"
+                    "prose": " {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5_obj.b",
@@ -14161,7 +15839,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."
+                    "prose": " {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14520,7 +16210,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"
+                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.b",
@@ -14532,7 +16228,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};"
+                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.c",
@@ -14544,7 +16246,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
+                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14676,7 +16390,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."
+                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.1_asm-examine",
@@ -14810,7 +16530,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."
+                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.",
+                    "links": [
+                      {
+                        "href": "#au-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.3_asm-examine",
@@ -15032,7 +16758,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.a-2",
@@ -15044,7 +16776,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -15069,7 +16813,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"
+                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.b-2",
@@ -15081,10 +16831,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."
+                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -15244,7 +17012,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7.1_obj-2",
@@ -15256,7 +17030,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -15449,7 +17235,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system clocks are used to generate timestamps for audit records;"
+                    "prose": "internal system clocks are used to generate timestamps for audit records;",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-8_obj.b",
@@ -15461,7 +17253,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."
+                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15704,7 +17508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"
+                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9_obj.b",
@@ -15716,7 +17526,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."
+                    "prose": " {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15865,7 +17687,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."
+                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.4_asm-examine",
@@ -16051,7 +17879,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+                "links": [
+                  {
+                    "href": "#au-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-11_asm-examine",
@@ -16309,7 +18143,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"
+                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.b",
@@ -16321,7 +18161,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;"
+                    "prose": " {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.c",
@@ -16333,7 +18179,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."
+                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -16816,7 +18674,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;"
+                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-2",
@@ -16828,7 +18692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"
+                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-3",
@@ -16840,7 +18710,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"
+                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-4",
@@ -16852,7 +18728,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"
+                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a.1",
@@ -16886,7 +18768,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-2",
@@ -16898,7 +18786,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-3",
@@ -16910,7 +18804,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-4",
@@ -16922,7 +18822,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-5",
@@ -16934,7 +18840,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-6",
@@ -16946,7 +18858,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-7",
@@ -16958,7 +18876,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -16972,10 +18902,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -16988,7 +18936,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"
+                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-1_obj.c",
@@ -17022,7 +18976,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.1-2",
@@ -17034,7 +18994,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -17059,7 +19031,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.2-2",
@@ -17071,12 +19049,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -17429,7 +19431,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"
+                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.b",
@@ -17452,7 +19460,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.2",
@@ -17464,7 +19478,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.3",
@@ -17487,7 +19507,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-2",
@@ -17499,7 +19525,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-3",
@@ -17511,10 +19543,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -17527,7 +19577,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"
+                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.d",
@@ -17550,7 +19606,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.d-2",
@@ -17562,7 +19624,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -17576,7 +19650,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a control assessment report is produced that documents the results of the assessment;"
+                    "prose": "a control assessment report is produced that documents the results of the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.f",
@@ -17588,7 +19668,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."
+                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -17716,7 +19808,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to conduct control assessments."
+                    "prose": "independent assessors or assessment teams are employed to conduct control assessments.",
+                    "links": [
+                      {
+                        "href": "#ca-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.1_asm-examine",
@@ -17991,7 +20089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"
+                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3_obj.b",
@@ -18014,7 +20118,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the interface characteristics are documented as part of each exchange agreement;"
+                        "prose": "the interface characteristics are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-2",
@@ -18026,7 +20136,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security requirements are documented as part of each exchange agreement;"
+                        "prose": "security requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-3",
@@ -18038,7 +20154,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy requirements are documented as part of each exchange agreement;"
+                        "prose": "privacy requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-4",
@@ -18050,7 +20172,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are documented as part of each exchange agreement;"
+                        "prose": "controls are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-5",
@@ -18062,7 +20190,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "responsibilities for each system are documented as part of each exchange agreement;"
+                        "prose": "responsibilities for each system are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-6",
@@ -18074,7 +20208,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;"
+                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18088,7 +20234,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."
+                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -18282,7 +20440,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"
+                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5_obj.b",
@@ -18294,7 +20458,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."
+                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -18575,7 +20751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for the system;"
+                    "prose": "a senior official is assigned as the authorizing official for the system;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.b",
@@ -18587,7 +20769,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"
+                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.c",
@@ -18610,7 +20798,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"
+                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6_obj.c.2",
@@ -18622,7 +20816,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;"
+                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18636,7 +20842,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"
+                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.e",
@@ -18648,7 +20860,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}."
+                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -19256,7 +21480,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-level continuous monitoring strategy is developed;"
+                    "prose": "a system-level continuous monitoring strategy is developed;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj-2",
@@ -19268,7 +21498,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.a",
@@ -19280,7 +21516,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"
+                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.b",
@@ -19303,7 +21545,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.b-2",
@@ -19315,7 +21563,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19329,7 +21589,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.d",
@@ -19341,7 +21607,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.e",
@@ -19353,7 +21625,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"
+                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.f",
@@ -19365,7 +21643,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"
+                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.g",
@@ -19388,7 +21672,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"
+                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.g-2",
@@ -19400,10 +21690,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."
+                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -19530,7 +21838,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."
+                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#ca-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7.1_asm-examine",
@@ -19686,7 +22000,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "effectiveness monitoring is included in risk monitoring;"
+                        "prose": "effectiveness monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.b",
@@ -19698,7 +22018,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance monitoring is included in risk monitoring;"
+                        "prose": "compliance monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.c",
@@ -19710,7 +22036,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "change monitoring is included in risk monitoring."
+                        "prose": "change monitoring is included in risk monitoring.",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19999,7 +22337,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"
+                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.b",
@@ -20022,7 +22366,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the interface characteristics are documented;"
+                        "prose": "for each internal connection, the interface characteristics are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-2",
@@ -20034,7 +22384,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the security requirements are documented;"
+                        "prose": "for each internal connection, the security requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-3",
@@ -20046,7 +22402,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the privacy requirements are documented;"
+                        "prose": "for each internal connection, the privacy requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-4",
@@ -20058,7 +22420,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the nature of the information communicated is documented;"
+                        "prose": "for each internal connection, the nature of the information communicated is documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20072,7 +22446,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"
+                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.d",
@@ -20084,7 +22464,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."
+                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20551,7 +22943,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a configuration management policy is developed and documented;"
+                        "prose": "a configuration management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-2",
@@ -20563,7 +22961,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"
+                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-3",
@@ -20575,7 +22979,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"
+                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-4",
@@ -20587,7 +22997,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"
+                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a.1",
@@ -20621,7 +23037,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-2",
@@ -20633,7 +23055,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-3",
@@ -20645,7 +23073,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-4",
@@ -20657,7 +23091,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-5",
@@ -20669,7 +23109,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-6",
@@ -20681,7 +23127,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-7",
@@ -20693,7 +23145,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -20707,10 +23171,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -20723,7 +23205,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"
+                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-1_obj.c",
@@ -20757,7 +23245,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "
+                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.1-2",
@@ -20769,7 +23263,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"
+                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -20794,7 +23300,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "
+                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.2-2",
@@ -20806,12 +23318,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."
+                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -21118,7 +23654,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is developed and documented;"
+                        "prose": "a current baseline configuration of the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.a-2",
@@ -21130,7 +23672,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is maintained under configuration control;"
+                        "prose": "a current baseline configuration of the system is maintained under configuration control;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21155,7 +23709,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.2",
@@ -21167,7 +23727,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.3",
@@ -21179,10 +23745,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."
+                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -21354,7 +23938,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-2",
@@ -21366,7 +23956,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-3",
@@ -21378,7 +23974,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-4",
@@ -21390,7 +23992,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."
+                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21540,7 +24154,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback."
+                    "prose": " {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.",
+                    "links": [
+                      {
+                        "href": "#cm-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-2.3_asm-examine",
@@ -21770,7 +24390,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"
+                        "prose": " {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.7_obj.b",
@@ -21782,7 +24408,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."
+                        "prose": " {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22204,7 +24842,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;"
+                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.b",
@@ -22227,7 +24871,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are reviewed;"
+                        "prose": "proposed configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.b-2",
@@ -22239,7 +24889,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"
+                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22253,7 +24915,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration change decisions associated with the system are documented;"
+                    "prose": "configuration change decisions associated with the system are documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.d",
@@ -22265,7 +24933,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approved configuration-controlled changes to the system are implemented;"
+                    "prose": "approved configuration-controlled changes to the system are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.e",
@@ -22277,7 +24951,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"
+                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.f",
@@ -22300,7 +24980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are monitored;"
+                        "prose": "activities associated with configuration-controlled changes to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.f-2",
@@ -22312,7 +24998,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;"
+                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22337,7 +25035,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"
+                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.g-2",
@@ -22349,10 +25053,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."
+                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -22490,7 +25212,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are tested before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are tested before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-2",
@@ -22502,7 +25230,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are validated before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are validated before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-3",
@@ -22514,7 +25248,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are documented before finalizing the implementation of the changes."
+                        "prose": "changes to the system are documented before finalizing the implementation of the changes.",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22718,7 +25464,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"
+                        "prose": " {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.4_obj-2",
@@ -22730,7 +25482,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."
+                        "prose": " {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22919,7 +25683,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;"
+                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-4_obj-2",
@@ -22931,7 +25701,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation."
+                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -23082,7 +25864,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-2",
@@ -23094,7 +25882,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-3",
@@ -23106,7 +25900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-4",
@@ -23118,7 +25918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-5",
@@ -23130,7 +25936,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-6",
@@ -23142,7 +25954,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23322,7 +26146,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "physical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-2",
@@ -23334,7 +26164,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are approved;"
+                    "prose": "physical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-3",
@@ -23346,7 +26182,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are enforced;"
+                    "prose": "physical access restrictions associated with changes to the system are enforced;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-4",
@@ -23358,7 +26200,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "logical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-5",
@@ -23370,7 +26218,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are approved;"
+                    "prose": "logical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-6",
@@ -23382,7 +26236,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are enforced."
+                    "prose": "logical access restrictions associated with changes to the system are enforced.",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -23760,7 +26626,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"
+                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.b",
@@ -23772,7 +26644,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration settings documented in CM-06a are implemented;"
+                    "prose": "the configuration settings documented in CM-06a are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.c",
@@ -23795,7 +26673,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.c-2",
@@ -23807,7 +26691,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23832,7 +26728,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;"
+                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.d-2",
@@ -23844,10 +26746,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures."
+                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24230,7 +27150,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"
+                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7_obj.b",
@@ -24253,7 +27179,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-2",
@@ -24265,7 +27197,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-3",
@@ -24277,7 +27215,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-4",
@@ -24289,7 +27233,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-5",
@@ -24301,10 +27251,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."
+                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24602,7 +27570,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:"
+                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:",
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.1_obj.b",
@@ -24625,7 +27599,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-2",
@@ -24637,7 +27617,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-3",
@@ -24649,7 +27635,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-4",
@@ -24661,7 +27653,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;"
+                            "prose": " {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-5",
@@ -24673,10 +27671,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed."
+                            "prose": " {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -24861,7 +27877,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."
+                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7.2_asm-examine",
@@ -25115,7 +28137,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;"
+                        "prose": " {{ insert: param, cm-07.05_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.b",
@@ -25127,7 +28155,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"
+                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.c",
@@ -25139,7 +28173,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."
+                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25510,7 +28556,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;"
+                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.2",
@@ -25522,7 +28574,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes all components within the system is developed and documented;"
+                        "prose": "an inventory of system components that includes all components within the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.3",
@@ -25534,7 +28592,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"
+                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.4",
@@ -25546,7 +28610,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"
+                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.5",
@@ -25558,7 +28628,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"
+                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25572,7 +28654,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."
+                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -25715,7 +28809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component installations;"
+                        "prose": "the inventory of system components is updated as part of component installations;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-2",
@@ -25727,7 +28827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component removals;"
+                        "prose": "the inventory of system components is updated as part of component removals;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-3",
@@ -25739,7 +28845,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of system updates."
+                        "prose": "the inventory of system components is updated as part of system updates.",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26081,7 +29199,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-2",
@@ -26093,7 +29217,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-3",
@@ -26105,7 +29235,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -26130,7 +29272,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-2",
@@ -26142,7 +29290,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-3",
@@ -26154,10 +29308,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."
+                            "prose": " {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -26407,7 +29579,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is developed and documented;"
+                    "prose": "a configuration management plan for the system is developed and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj-2",
@@ -26419,7 +29597,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is implemented;"
+                    "prose": "a configuration management plan for the system is implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.a",
@@ -26442,7 +29626,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses roles;"
+                        "prose": "the configuration management plan addresses roles;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-2",
@@ -26454,7 +29644,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses responsibilities;"
+                        "prose": "the configuration management plan addresses responsibilities;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-3",
@@ -26466,7 +29662,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses configuration management processes and procedures;"
+                        "prose": "the configuration management plan addresses configuration management processes and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26491,7 +29699,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"
+                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.b-2",
@@ -26503,7 +29717,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;"
+                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26528,7 +29754,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan defines the configuration items for the system;"
+                        "prose": "the configuration management plan defines the configuration items for the system;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.c-2",
@@ -26540,7 +29772,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan places the configuration items under configuration management;"
+                        "prose": "the configuration management plan places the configuration items under configuration management;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -26554,7 +29798,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"
+                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.e",
@@ -26577,7 +29827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized disclosure;"
+                        "prose": "the configuration management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.e-2",
@@ -26589,10 +29845,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized modification."
+                        "prose": "the configuration management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -26779,7 +30053,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;"
+                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.b",
@@ -26791,7 +30071,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"
+                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.c",
@@ -26803,7 +30089,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
+                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -27073,7 +30371,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"
+                    "prose": " {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.b",
@@ -27085,7 +30389,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"
+                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.c",
@@ -27097,7 +30407,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."
+                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -27375,7 +30697,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;"
+                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-2",
@@ -27387,7 +30715,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-3",
@@ -27399,7 +30733,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27424,7 +30770,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.b-2",
@@ -27436,7 +30788,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27461,7 +30825,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.c-2",
@@ -27473,10 +30843,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27645,7 +31033,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."
+                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.",
+                    "links": [
+                      {
+                        "href": "#cm-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-12.1_asm-examine",
@@ -28112,7 +31506,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency planning policy is developed and documented;"
+                        "prose": "a contingency planning policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-2",
@@ -28124,7 +31524,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"
+                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-3",
@@ -28136,7 +31542,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"
+                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-4",
@@ -28148,7 +31560,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"
+                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a.1",
@@ -28182,7 +31600,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-2",
@@ -28194,7 +31618,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-3",
@@ -28206,7 +31636,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-4",
@@ -28218,7 +31654,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-5",
@@ -28230,7 +31672,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-6",
@@ -28242,7 +31690,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-7",
@@ -28254,7 +31708,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -28268,10 +31734,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -28284,7 +31768,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"
+                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-1_obj.c",
@@ -28318,7 +31808,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.1-2",
@@ -28330,7 +31826,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -28355,7 +31863,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"
+                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.2-2",
@@ -28367,12 +31881,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."
+                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -28932,7 +32470,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"
+                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.2",
@@ -28955,7 +32499,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides recovery objectives;"
+                            "prose": "a contingency plan for the system is developed that provides recovery objectives;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-2",
@@ -28967,7 +32517,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides restoration priorities;"
+                            "prose": "a contingency plan for the system is developed that provides restoration priorities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-3",
@@ -28979,7 +32535,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides metrics;"
+                            "prose": "a contingency plan for the system is developed that provides metrics;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -29004,7 +32572,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency roles;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency roles;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-2",
@@ -29016,7 +32590,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-3",
@@ -29028,7 +32608,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;"
+                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -29042,7 +32634,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"
+                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.5",
@@ -29054,7 +32652,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"
+                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.6",
@@ -29066,7 +32670,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;"
+                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.7",
@@ -29089,7 +32699,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"
+                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.7-2",
@@ -29101,10 +32717,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"
+                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -29128,7 +32762,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.b-2",
@@ -29140,7 +32780,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29154,7 +32806,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency planning activities are coordinated with incident handling activities;"
+                    "prose": "contingency planning activities are coordinated with incident handling activities;",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.d",
@@ -29166,7 +32824,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"
+                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.e",
@@ -29189,7 +32853,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;"
+                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.e-2",
@@ -29201,7 +32871,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"
+                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29226,7 +32908,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.f-2",
@@ -29238,7 +32926,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29263,7 +32963,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"
+                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.g-2",
@@ -29275,7 +32981,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"
+                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29300,7 +33018,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized disclosure;"
+                        "prose": "the contingency plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.h-2",
@@ -29312,10 +33036,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized modification."
+                        "prose": "the contingency plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -29437,7 +33179,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.1_asm-examine",
@@ -29578,7 +33326,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."
+                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.",
+                    "links": [
+                      {
+                        "href": "#cp-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.3_asm-examine",
@@ -29729,7 +33483,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."
+                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.",
+                    "links": [
+                      {
+                        "href": "#cp-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.8_asm-examine",
@@ -30033,7 +33793,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.2",
@@ -30045,7 +33811,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.3",
@@ -30057,7 +33829,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30082,7 +33866,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"
+                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.b-2",
@@ -30094,10 +33884,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."
+                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -30402,7 +34210,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"
+                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-2",
@@ -30414,7 +34228,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-3",
@@ -30426,7 +34246,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"
+                        "prose": " {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30440,7 +34272,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan test results are reviewed;"
+                    "prose": "the contingency plan test results are reviewed;",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4_obj.c",
@@ -30452,7 +34290,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "corrective actions are initiated, if needed."
+                    "prose": "corrective actions are initiated, if needed.",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30588,7 +34438,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4.1_asm-examine",
@@ -30774,7 +34630,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an alternate storage site is established;"
+                        "prose": "an alternate storage site is established;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6_obj.a-2",
@@ -30786,7 +34648,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"
+                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30800,7 +34674,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the alternate storage site provides controls equivalent to that of the primary site."
+                    "prose": "the alternate storage site provides controls equivalent to that of the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30927,7 +34813,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."
+                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.",
+                    "links": [
+                      {
+                        "href": "#cp-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-6.1_asm-examine",
@@ -31041,7 +34933,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6.3_obj-2",
@@ -31053,7 +34951,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31296,7 +35206,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"
+                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7_obj.b",
@@ -31319,7 +35235,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"
+                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7_obj.b-2",
@@ -31331,7 +35253,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"
+                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31345,7 +35279,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site."
+                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -31472,7 +35418,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."
+                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.",
+                    "links": [
+                      {
+                        "href": "#cp-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.1_asm-examine",
@@ -31586,7 +35538,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7.2_obj-2",
@@ -31598,7 +35556,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31699,7 +35669,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."
+                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
+                    "links": [
+                      {
+                        "href": "#cp-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.3_asm-examine",
@@ -31862,7 +35838,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."
+                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.",
+                "links": [
+                  {
+                    "href": "#cp-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-8_asm-examine",
@@ -32028,7 +36010,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.1_obj.a-2",
@@ -32040,7 +36028,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -32054,7 +36054,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier."
+                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.",
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32177,7 +36189,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."
+                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.",
+                    "links": [
+                      {
+                        "href": "#cp-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.2_asm-examine",
@@ -32487,7 +36505,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"
+                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.b",
@@ -32499,7 +36523,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"
+                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.c",
@@ -32511,7 +36541,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"
+                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.d",
@@ -32534,7 +36570,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the confidentiality of backup information is protected;"
+                        "prose": "the confidentiality of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-2",
@@ -32546,7 +36588,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of backup information is protected;"
+                        "prose": "the integrity of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-3",
@@ -32558,10 +36606,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of backup information is protected."
+                        "prose": "the availability of backup information is protected.",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32748,7 +36814,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.1_obj-2",
@@ -32760,7 +36832,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32917,7 +37001,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."
+                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cp-9.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.8_asm-examine",
@@ -33137,7 +37227,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"
+                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10_obj-2",
@@ -33149,7 +37245,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."
+                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33272,7 +37380,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "transaction recovery is implemented for systems that are transaction-based."
+                    "prose": "transaction recovery is implemented for systems that are transaction-based.",
+                    "links": [
+                      {
+                        "href": "#cp-10.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.2_asm-examine",
@@ -33763,7 +37877,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an identification and authentication policy is developed and documented;"
+                        "prose": "an identification and authentication policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-2",
@@ -33775,7 +37895,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"
+                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-3",
@@ -33787,7 +37913,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"
+                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-4",
@@ -33799,7 +37931,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"
+                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a.1",
@@ -33833,7 +37971,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-2",
@@ -33845,7 +37989,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-3",
@@ -33857,7 +38007,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-4",
@@ -33869,7 +38025,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-5",
@@ -33881,7 +38043,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-6",
@@ -33893,7 +38061,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-7",
@@ -33905,7 +38079,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -33919,10 +38105,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -33935,7 +38139,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"
+                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-1_obj.c",
@@ -33969,7 +38179,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.1-2",
@@ -33981,7 +38197,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -34006,7 +38234,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"
+                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.2-2",
@@ -34018,12 +38252,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."
+                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -34214,6 +38472,10 @@
                 "href": "#ia-8",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -34271,7 +38533,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational users are uniquely identified and authenticated;"
+                    "prose": "organizational users are uniquely identified and authenticated;",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2_obj-2",
@@ -34283,7 +38551,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."
+                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -34414,7 +38694,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication is implemented for access to privileged accounts."
+                    "prose": "multi-factor authentication is implemented for access to privileged accounts.",
+                    "links": [
+                      {
+                        "href": "#ia-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.1_asm-examine",
@@ -34539,7 +38825,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented."
+                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.2_asm-examine",
@@ -34683,7 +38975,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."
+                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.8_asm-examine",
@@ -34804,7 +39102,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified."
+                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.",
+                    "links": [
+                      {
+                        "href": "#ia-2.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.12_asm-examine",
@@ -34985,6 +39289,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#si-4",
                 "rel": "related"
@@ -35011,7 +39319,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."
+                "prose": " {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.",
+                "links": [
+                  {
+                    "href": "#ia-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-3_asm-examine",
@@ -35315,7 +39629,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"
+                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.b",
@@ -35327,7 +39647,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.c",
@@ -35339,7 +39665,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.d",
@@ -35351,7 +39683,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."
+                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -35501,7 +39845,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."
+                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.4_asm-examine",
@@ -35883,7 +40233,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"
+                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.b",
@@ -35895,7 +40251,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"
+                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.c",
@@ -35907,7 +40269,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"
+                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.d",
@@ -35919,7 +40287,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"
+                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.e",
@@ -35931,7 +40305,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;"
+                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.f",
@@ -35943,7 +40323,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"
+                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.g",
@@ -35955,7 +40341,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"
+                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.h",
@@ -35978,7 +40370,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5_obj.h-2",
@@ -35990,7 +40388,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36004,7 +40414,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."
+                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -36279,7 +40701,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"
+                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.b",
@@ -36291,7 +40719,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"
+                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.c",
@@ -36303,7 +40737,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;"
+                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.d",
@@ -36315,7 +40755,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"
+                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.e",
@@ -36327,7 +40773,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;"
+                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.f",
@@ -36339,7 +40791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"
+                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.g",
@@ -36351,7 +40809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"
+                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.h",
@@ -36363,7 +40827,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."
+                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36587,7 +41063,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;"
+                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.a.2",
@@ -36599,7 +41081,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"
+                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -36624,7 +41118,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"
+                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.b.2",
@@ -36636,10 +41136,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."
+                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -36765,7 +41283,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."
+                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.",
+                    "links": [
+                      {
+                        "href": "#ia-5.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.6_asm-examine",
@@ -36888,7 +41412,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."
+                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.",
+                "links": [
+                  {
+                    "href": "#ia-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-6_asm-examine",
@@ -37029,7 +41559,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."
+                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.",
+                "links": [
+                  {
+                    "href": "#ia-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-7_asm-examine",
@@ -37196,6 +41732,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -37234,7 +41774,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."
+                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.",
+                "links": [
+                  {
+                    "href": "#ia-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-8_asm-examine",
@@ -37370,7 +41916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;"
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.1_obj-2",
@@ -37382,7 +41934,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37539,7 +42103,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only external authenticators that are NIST-compliant are accepted;"
+                        "prose": "only external authenticators that are NIST-compliant are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.2_obj.b",
@@ -37562,7 +42132,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is documented;"
+                            "prose": "a list of accepted external authenticators is documented;",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-8.2_obj.b-2",
@@ -37574,10 +42150,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is maintained."
+                            "prose": "a list of accepted external authenticators is maintained.",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -37721,7 +42315,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."
+                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.",
+                    "links": [
+                      {
+                        "href": "#ia-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-8.4_asm-examine",
@@ -37896,7 +42496,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}."
+                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.",
+                "links": [
+                  {
+                    "href": "#ia-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-11_asm-examine",
@@ -38038,6 +42644,10 @@
               {
                 "href": "#ia-8",
                 "rel": "related"
+              },
+              {
+                "href": "#ia-13",
+                "rel": "related"
               }
             ],
             "parts": [
@@ -38106,7 +42716,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"
+                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.b",
@@ -38118,7 +42734,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "user identities are resolved to a unique individual;"
+                    "prose": "user identities are resolved to a unique individual;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.c",
@@ -38141,7 +42763,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is collected;"
+                        "prose": "identity evidence is collected;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-2",
@@ -38153,7 +42781,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is validated;"
+                        "prose": "identity evidence is validated;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-3",
@@ -38165,10 +42799,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is verified."
+                        "prose": "identity evidence is verified.",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -38290,7 +42942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "evidence of individual identification is presented to the registration authority."
+                    "prose": "evidence of individual identification is presented to the registration authority.",
+                    "links": [
+                      {
+                        "href": "#ia-12.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.2_asm-examine",
@@ -38438,7 +43096,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."
+                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-12.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.3_asm-examine",
@@ -38585,7 +43249,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."
+                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.",
+                    "links": [
+                      {
+                        "href": "#ia-12.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.5_asm-examine",
@@ -39060,7 +43730,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response policy is developed and documented;"
+                        "prose": "an incident response policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-2",
@@ -39072,7 +43748,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"
+                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-3",
@@ -39084,7 +43766,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"
+                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-4",
@@ -39096,7 +43784,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"
+                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a.1",
@@ -39130,7 +43824,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-2",
@@ -39142,7 +43842,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-3",
@@ -39154,7 +43860,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-4",
@@ -39166,7 +43878,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-5",
@@ -39178,7 +43896,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-6",
@@ -39190,7 +43914,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-7",
@@ -39202,7 +43932,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -39216,10 +43958,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -39232,7 +43992,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"
+                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-1_obj.c",
@@ -39266,7 +44032,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"
+                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.1-2",
@@ -39278,7 +44050,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"
+                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -39303,7 +44087,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"
+                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.2-2",
@@ -39315,12 +44105,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."
+                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -39623,7 +44437,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.2",
@@ -39635,7 +44455,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.3",
@@ -39647,7 +44473,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39672,7 +44510,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"
+                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.b-2",
@@ -39684,10 +44528,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."
+                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -39866,7 +44728,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."
+                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ir-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ir-3_asm-examine",
@@ -39970,7 +44838,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#ir-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-3.2_asm-examine",
@@ -40258,7 +45132,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;"
+                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-2",
@@ -40270,7 +45150,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes preparation;"
+                        "prose": "the incident handling capability for incidents includes preparation;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-3",
@@ -40282,7 +45168,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes detection and analysis;"
+                        "prose": "the incident handling capability for incidents includes detection and analysis;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-4",
@@ -40294,7 +45186,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes containment;"
+                        "prose": "the incident handling capability for incidents includes containment;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-5",
@@ -40306,7 +45204,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes eradication;"
+                        "prose": "the incident handling capability for incidents includes eradication;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-6",
@@ -40318,7 +45222,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes recovery;"
+                        "prose": "the incident handling capability for incidents includes recovery;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -40332,7 +45248,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities are coordinated with contingency planning activities;"
+                    "prose": "incident handling activities are coordinated with contingency planning activities;",
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4_obj.c",
@@ -40355,7 +45277,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"
+                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.c-2",
@@ -40367,7 +45295,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;"
+                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -40392,7 +45332,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-2",
@@ -40404,7 +45350,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-3",
@@ -40416,7 +45368,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-4",
@@ -40428,10 +45386,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of incident handling activities are comparable and predictable across the organization."
+                        "prose": "the results of incident handling activities are comparable and predictable across the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -40575,7 +45551,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."
+                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.1_asm-examine",
@@ -40762,7 +45744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are tracked;"
+                    "prose": "incidents are tracked;",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-5_obj-2",
@@ -40774,7 +45762,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are documented."
+                    "prose": "incidents are documented.",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41009,7 +46009,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"
+                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6_obj.b",
@@ -41021,7 +46027,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}."
+                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41170,7 +46188,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}."
+                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.1_asm-examine",
@@ -41295,7 +46319,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."
+                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.",
+                    "links": [
+                      {
+                        "href": "#ir-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.3_asm-examine",
@@ -41469,7 +46499,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;"
+                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7_obj-2",
@@ -41481,7 +46517,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."
+                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -41626,7 +46674,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."
+                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7.1_asm-examine",
@@ -42147,7 +47201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"
+                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.2",
@@ -42159,7 +47219,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;"
+                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.3",
@@ -42171,7 +47237,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"
+                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.4",
@@ -42183,7 +47255,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"
+                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.5",
@@ -42195,7 +47273,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines reportable incidents;"
+                        "prose": "an incident response plan is developed that defines reportable incidents;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.6",
@@ -42207,7 +47291,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"
+                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.7",
@@ -42219,7 +47309,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"
+                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.7",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.8",
@@ -42231,7 +47327,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that addresses the sharing of incident information;"
+                        "prose": "an incident response plan is developed that addresses the sharing of incident information;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.8",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.9",
@@ -42243,7 +47345,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"
+                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.9",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.10",
@@ -42255,7 +47363,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."
+                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.10",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -42280,7 +47400,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.b-2",
@@ -42292,7 +47418,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -42306,7 +47444,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"
+                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;",
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-8_obj.d",
@@ -42329,7 +47473,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.d-2",
@@ -42341,7 +47491,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -42366,7 +47528,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized disclosure;"
+                        "prose": "the incident response plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.e-2",
@@ -42378,10 +47546,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized modification."
+                        "prose": "the incident response plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -42843,7 +48029,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a maintenance policy is developed and documented;"
+                        "prose": "a maintenance policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-2",
@@ -42855,7 +48047,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"
+                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-3",
@@ -42867,7 +48065,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"
+                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-4",
@@ -42879,7 +48083,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"
+                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a.1",
@@ -42913,7 +48123,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-2",
@@ -42925,7 +48141,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-3",
@@ -42937,7 +48159,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-4",
@@ -42949,7 +48177,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-5",
@@ -42961,7 +48195,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-6",
@@ -42973,7 +48213,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-7",
@@ -42985,7 +48231,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -42999,10 +48257,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -43015,7 +48291,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"
+                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-1_obj.c",
@@ -43049,7 +48331,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"
+                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.1-2",
@@ -43061,7 +48349,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"
+                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -43086,7 +48386,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"
+                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.2-2",
@@ -43098,12 +48404,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."
+                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -43406,7 +48736,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-2",
@@ -43418,7 +48754,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-3",
@@ -43430,7 +48772,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43455,7 +48809,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.b-2",
@@ -43467,7 +48827,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43481,7 +48853,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": " {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.d",
@@ -43493,7 +48871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.e",
@@ -43505,7 +48889,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"
+                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.f",
@@ -43517,7 +48907,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."
+                    "prose": " {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -43715,7 +49117,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is approved;"
+                        "prose": "the use of system maintenance tools is approved;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-2",
@@ -43727,7 +49135,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is controlled;"
+                        "prose": "the use of system maintenance tools is controlled;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-3",
@@ -43739,7 +49153,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is monitored;"
+                        "prose": "the use of system maintenance tools is monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -43753,7 +49179,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."
+                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -43880,7 +49318,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."
+                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.",
+                    "links": [
+                      {
+                        "href": "#ma-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.1_asm-examine",
@@ -44005,7 +49449,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system."
+                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.",
+                    "links": [
+                      {
+                        "href": "#ma-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.2_asm-examine",
@@ -44209,7 +49659,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.b",
@@ -44221,7 +49677,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.c",
@@ -44233,7 +49695,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.d",
@@ -44245,7 +49713,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44524,7 +50004,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are approved;"
+                        "prose": "nonlocal maintenance and diagnostic activities are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.a-2",
@@ -44536,7 +50022,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are monitored;"
+                        "prose": "nonlocal maintenance and diagnostic activities are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44561,7 +50059,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.b-2",
@@ -44573,7 +50077,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44587,7 +50103,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"
+                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.d",
@@ -44599,7 +50121,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;"
+                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.e",
@@ -44622,7 +50150,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session connections are terminated when nonlocal maintenance is completed;"
+                        "prose": "session connections are terminated when nonlocal maintenance is completed;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.e-2",
@@ -44634,10 +50168,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network connections are terminated when nonlocal maintenance is completed."
+                        "prose": "network connections are terminated when nonlocal maintenance is completed.",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -44859,7 +50411,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process for maintenance personnel authorization is established;"
+                        "prose": "a process for maintenance personnel authorization is established;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5_obj.a-2",
@@ -44871,7 +50429,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of authorized maintenance organizations or personnel is maintained;"
+                        "prose": "a list of authorized maintenance organizations or personnel is maintained;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44885,7 +50455,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;"
+                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5_obj.c",
@@ -44897,7 +50473,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."
+                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -45094,7 +50682,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."
+                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.",
+                "links": [
+                  {
+                    "href": "#ma-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ma-6_asm-examine",
@@ -45555,7 +51149,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a media protection policy is developed and documented;"
+                        "prose": "a media protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-2",
@@ -45567,7 +51167,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"
+                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-3",
@@ -45579,7 +51185,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"
+                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-4",
@@ -45591,7 +51203,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"
+                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a.1",
@@ -45625,7 +51243,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-2",
@@ -45637,7 +51261,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-3",
@@ -45649,7 +51279,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-4",
@@ -45661,7 +51297,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-5",
@@ -45673,7 +51315,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-6",
@@ -45685,7 +51333,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-7",
@@ -45697,7 +51351,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -45711,10 +51377,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -45727,7 +51411,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."
+                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-1_obj.c",
@@ -45761,7 +51451,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "
+                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.1-2",
@@ -45773,7 +51469,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"
+                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -45798,7 +51506,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "
+                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.2-2",
@@ -45810,12 +51524,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."
+                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -46088,7 +51826,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"
+                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-2_obj-2",
@@ -46100,7 +51844,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."
+                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46332,7 +52088,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"
+                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-3_obj.b",
@@ -46344,7 +52106,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."
+                    "prose": " {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46736,7 +52510,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;"
+                        "prose": " {{ insert: param, mp-04_odp.01 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-2",
@@ -46748,7 +52528,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;"
+                        "prose": " {{ insert: param, mp-04_odp.02 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-3",
@@ -46760,7 +52546,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"
+                        "prose": " {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-4",
@@ -46772,7 +52564,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"
+                        "prose": " {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -46786,7 +52590,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."
+                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -47102,7 +52918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"
+                        "prose": " {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.a-2",
@@ -47114,7 +52936,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"
+                        "prose": " {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47128,7 +52962,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accountability for system media is maintained during transport outside of controlled areas;"
+                    "prose": "accountability for system media is maintained during transport outside of controlled areas;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.c",
@@ -47140,7 +52980,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "activities associated with the transport of system media are documented;"
+                    "prose": "activities associated with the transport of system media are documented;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.d",
@@ -47163,7 +53009,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel authorized to conduct media transport activities is/are identified;"
+                        "prose": "personnel authorized to conduct media transport activities is/are identified;",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.d-2",
@@ -47175,10 +53027,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel."
+                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-5_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -47569,7 +53439,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"
+                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-2",
@@ -47581,7 +53457,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"
+                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-3",
@@ -47593,7 +53475,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"
+                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47607,7 +53501,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."
+                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -47874,7 +53780,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"
+                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-7_obj.b",
@@ -47886,7 +53798,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."
+                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -48349,7 +54273,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a physical and environmental protection policy is developed and documented;"
+                        "prose": "a physical and environmental protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-2",
@@ -48361,7 +54291,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"
+                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-3",
@@ -48373,7 +54309,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"
+                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-4",
@@ -48385,7 +54327,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"
+                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a.1",
@@ -48419,7 +54367,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-2",
@@ -48431,7 +54385,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-3",
@@ -48443,7 +54403,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-4",
@@ -48455,7 +54421,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-5",
@@ -48467,7 +54439,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-6",
@@ -48479,7 +54457,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-7",
@@ -48491,7 +54475,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -48505,10 +54501,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -48521,7 +54535,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"
+                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-1_obj.c",
@@ -48555,7 +54575,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.1-2",
@@ -48567,7 +54593,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -48592,7 +54630,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.2-2",
@@ -48604,12 +54648,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -48866,7 +54934,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;"
+                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-2",
@@ -48878,7 +54952,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-3",
@@ -48890,7 +54970,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48904,7 +54996,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorization credentials are issued for facility access;"
+                    "prose": "authorization credentials are issued for facility access;",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.c",
@@ -48916,7 +55014,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"
+                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.d",
@@ -48928,7 +55032,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are removed from the facility access list when access is no longer required."
+                    "prose": "individuals are removed from the facility access list when access is no longer required.",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49509,7 +55625,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.a.2",
@@ -49521,7 +55643,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -49535,7 +55669,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"
+                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.c",
@@ -49547,7 +55687,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"
+                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.d",
@@ -49570,7 +55716,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitors are escorted;"
+                        "prose": "visitors are escorted;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.d-2",
@@ -49582,7 +55734,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"
+                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -49607,7 +55771,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are secured;"
+                        "prose": "keys are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-2",
@@ -49619,7 +55789,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are secured;"
+                        "prose": "combinations are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-3",
@@ -49631,7 +55807,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "other physical access devices are secured;"
+                        "prose": "other physical access devices are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -49645,7 +55833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"
+                    "prose": " {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.g",
@@ -49668,7 +55862,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"
+                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.g-2",
@@ -49680,10 +55880,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."
+                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -49883,7 +56101,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."
+                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#pe-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-4_asm-examine",
@@ -50042,7 +56266,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."
+                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.",
+                "links": [
+                  {
+                    "href": "#pe-5_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-5_asm-examine",
@@ -50288,7 +56518,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"
+                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;",
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6_obj.b",
@@ -50311,7 +56547,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"
+                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.b-2",
@@ -50323,7 +56565,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"
+                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50348,7 +56602,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of reviews are coordinated with organizational incident response capabilities;"
+                        "prose": "results of reviews are coordinated with organizational incident response capabilities;",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.c-2",
@@ -50360,10 +56620,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of investigations are coordinated with organizational incident response capabilities."
+                        "prose": "results of investigations are coordinated with organizational incident response capabilities.",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -50501,7 +56779,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;"
+                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.1_obj-2",
@@ -50513,7 +56797,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment."
+                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50758,7 +57054,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"
+                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.b",
@@ -50770,7 +57072,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"
+                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.c",
@@ -50782,7 +57090,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."
+                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -50916,7 +57236,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power equipment for the system is protected from damage and destruction;"
+                    "prose": "power equipment for the system is protected from damage and destruction;",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-9_obj-2",
@@ -50928,7 +57254,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power cabling for the system is protected from damage and destruction."
+                    "prose": "power cabling for the system is protected from damage and destruction.",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -51143,7 +57481,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"
+                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.b",
@@ -51155,7 +57499,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"
+                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.c",
@@ -51167,7 +57517,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the emergency power shutoff capability is protected from unauthorized activation."
+                    "prose": "the emergency power shutoff capability is protected from unauthorized activation.",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -51320,7 +57682,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."
+                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.",
+                "links": [
+                  {
+                    "href": "#pe-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-11_asm-examine",
@@ -51456,7 +57824,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-2",
@@ -51468,7 +57842,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-3",
@@ -51480,7 +57860,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;"
+                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-4",
@@ -51492,7 +57878,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility."
+                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -51626,7 +58024,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire detection systems are employed;"
+                    "prose": "fire detection systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-2",
@@ -51638,7 +58042,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are supported by an independent energy source;"
+                    "prose": "employed fire detection systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-3",
@@ -51650,7 +58060,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are maintained;"
+                    "prose": "employed fire detection systems are maintained;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-4",
@@ -51662,7 +58078,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire suppression systems are employed;"
+                    "prose": "fire suppression systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-5",
@@ -51674,7 +58096,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are supported by an independent energy source;"
+                    "prose": "employed fire suppression systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-6",
@@ -51686,7 +58114,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are maintained."
+                    "prose": "employed fire suppression systems are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -51862,7 +58302,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-2",
@@ -51874,7 +58320,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-3",
@@ -51886,7 +58338,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52135,7 +58599,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"
+                    "prose": " {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-14_obj.b",
@@ -52147,7 +58617,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."
+                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52285,7 +58767,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"
+                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-2",
@@ -52297,7 +58785,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are accessible;"
+                    "prose": "the master shutoff or isolation valves are accessible;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-3",
@@ -52309,7 +58803,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are working properly;"
+                    "prose": "the master shutoff or isolation valves are working properly;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-4",
@@ -52321,7 +58821,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are known to key personnel."
+                    "prose": "the master shutoff or isolation valves are known to key personnel.",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52575,7 +59087,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-2",
@@ -52587,7 +59105,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-3",
@@ -52599,7 +59123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-4",
@@ -52611,7 +59141,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"
+                        "prose": " {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52625,7 +59167,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of the system components are maintained."
+                    "prose": "records of the system components are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-16_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -52858,7 +59412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;"
+                    "prose": " {{ insert: param, pe-17_odp.01 }} are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.b",
@@ -52870,7 +59430,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"
+                    "prose": " {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.c",
@@ -52882,7 +59448,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effectiveness of controls at alternate work sites is assessed;"
+                    "prose": "the effectiveness of controls at alternate work sites is assessed;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.d",
@@ -52894,7 +59466,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided."
+                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -53361,7 +59945,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a planning policy is developed and documented."
+                        "prose": "a planning policy is developed and documented.",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-2",
@@ -53373,7 +59963,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"
+                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-3",
@@ -53385,7 +59981,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"
+                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-4",
@@ -53397,7 +59999,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"
+                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a.1",
@@ -53431,7 +60039,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-2",
@@ -53443,7 +60057,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-3",
@@ -53455,7 +60075,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-4",
@@ -53467,7 +60093,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-5",
@@ -53479,7 +60111,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-6",
@@ -53491,7 +60129,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-7",
@@ -53503,7 +60147,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -53517,10 +60173,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -53533,7 +60207,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"
+                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-1_obj.c",
@@ -53567,7 +60247,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"
+                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.1-2",
@@ -53579,7 +60265,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"
+                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -53604,7 +60302,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"
+                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.2-2",
@@ -53616,12 +60320,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."
+                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -54208,7 +60936,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.1-2",
@@ -54220,7 +60954,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54245,7 +60991,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.2-2",
@@ -54257,7 +61009,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54282,7 +61046,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.3-2",
@@ -54294,7 +61064,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54319,7 +61101,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.4-2",
@@ -54331,7 +61119,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54356,7 +61156,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.5-2",
@@ -54368,7 +61174,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.5",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54393,7 +61211,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.6-2",
@@ -54405,7 +61229,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.6",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54430,7 +61266,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.7-2",
@@ -54442,7 +61284,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54467,7 +61321,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.8-2",
@@ -54479,7 +61339,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.8",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54504,7 +61376,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.9-2",
@@ -54516,7 +61394,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.9",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54541,7 +61431,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;"
+                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.10-2",
@@ -54553,7 +61449,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"
+                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.10",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54578,7 +61486,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.11-2",
@@ -54590,7 +61504,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.11",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54615,7 +61541,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"
+                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.12-2",
@@ -54627,7 +61559,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"
+                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.12",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54652,7 +61596,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"
+                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.13-2",
@@ -54664,7 +61614,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"
+                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.13",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54689,7 +61651,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.14-2",
@@ -54701,7 +61669,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.14",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -54726,7 +61706,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"
+                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.15-2",
@@ -54738,10 +61724,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."
+                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.15",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -54765,7 +61769,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.b-2",
@@ -54777,7 +61787,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54791,7 +61813,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};"
+                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-2_obj.d",
@@ -54814,7 +61842,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address changes to the system and environment of operations;"
+                        "prose": "plans are updated to address changes to the system and environment of operations;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-2",
@@ -54826,7 +61860,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during the plan implementation;"
+                        "prose": "plans are updated to address problems identified during the plan implementation;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-3",
@@ -54838,7 +61878,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during control assessments;"
+                        "prose": "plans are updated to address problems identified during control assessments;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54863,7 +61915,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized disclosure;"
+                        "prose": "plans are protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.e-2",
@@ -54875,10 +61933,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized modification."
+                        "prose": "plans are protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -55215,7 +62291,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4_obj.a-2",
@@ -55227,7 +62309,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55241,7 +62335,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"
+                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.c",
@@ -55253,7 +62353,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"
+                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.d",
@@ -55265,7 +62371,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."
+                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -55447,7 +62565,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;"
+                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.b",
@@ -55459,7 +62583,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;"
+                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.c",
@@ -55471,7 +62601,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications."
+                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55785,7 +62927,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"
+                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.2",
@@ -55797,7 +62945,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"
+                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.3",
@@ -55820,7 +62974,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.3-2",
@@ -55832,7 +62992,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -55857,7 +63029,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.4-2",
@@ -55869,10 +63047,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -55885,7 +63081,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"
+                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;",
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-8_obj.c",
@@ -55908,7 +63110,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the security plan;"
+                        "prose": "planned architecture changes are reflected in the security plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-2",
@@ -55920,7 +63128,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the privacy plan;"
+                        "prose": "planned architecture changes are reflected in the privacy plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-3",
@@ -55932,7 +63146,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);"
+                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-4",
@@ -55944,7 +63164,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in criticality analysis;"
+                        "prose": "planned architecture changes are reflected in criticality analysis;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-5",
@@ -55956,7 +63182,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in organizational procedures;"
+                        "prose": "planned architecture changes are reflected in organizational procedures;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-6",
@@ -55968,10 +63200,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in procurements and acquisitions."
+                        "prose": "planned architecture changes are reflected in procurements and acquisitions.",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -56149,7 +63399,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a control baseline for the system is selected."
+                "prose": "a control baseline for the system is selected.",
+                "links": [
+                  {
+                    "href": "#pl-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-10_asm-examine",
@@ -56304,7 +63560,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the selected control baseline is tailored by applying specified tailoring actions."
+                "prose": "the selected control baseline is tailored by applying specified tailoring actions.",
+                "links": [
+                  {
+                    "href": "#pl-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-11_asm-examine",
@@ -56739,7 +64001,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personnel security policy is developed and documented;"
+                        "prose": "a personnel security policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-2",
@@ -56751,7 +64019,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"
+                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-3",
@@ -56763,7 +64037,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"
+                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-4",
@@ -56775,7 +64055,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"
+                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a.1",
@@ -56809,7 +64095,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-2",
@@ -56821,7 +64113,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-3",
@@ -56833,7 +64131,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-4",
@@ -56845,7 +64149,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-5",
@@ -56857,7 +64167,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-6",
@@ -56869,7 +64185,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-7",
@@ -56881,7 +64203,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -56895,10 +64229,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -56911,7 +64263,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"
+                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-1_obj.c",
@@ -56945,7 +64303,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"
+                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.1-2",
@@ -56957,7 +64321,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"
+                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -56982,7 +64358,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"
+                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.2-2",
@@ -56994,12 +64376,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."
+                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -57210,7 +64616,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a risk designation is assigned to all organizational positions;"
+                    "prose": "a risk designation is assigned to all organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.b",
@@ -57222,7 +64634,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "screening criteria are established for individuals filling organizational positions;"
+                    "prose": "screening criteria are established for individuals filling organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.c",
@@ -57234,7 +64652,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."
+                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -57509,7 +64939,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are screened prior to authorizing access to the system;"
+                    "prose": "individuals are screened prior to authorizing access to the system;",
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3_obj.b",
@@ -57532,7 +64968,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"
+                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3_obj.b-2",
@@ -57544,10 +64986,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."
+                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -57799,7 +65259,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"
+                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.b",
@@ -57811,7 +65277,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;"
+                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.c",
@@ -57823,7 +65295,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"
+                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.d",
@@ -57835,7 +65313,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;"
+                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.e",
@@ -57847,7 +65331,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."
+                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -58128,7 +65624,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"
+                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.b",
@@ -58140,7 +65642,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"
+                    "prose": " {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.c",
@@ -58152,7 +65660,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"
+                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.d",
@@ -58164,7 +65678,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."
+                    "prose": " {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -58439,7 +65965,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access agreements are developed and documented for organizational systems;"
+                    "prose": "access agreements are developed and documented for organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.b",
@@ -58451,7 +65983,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"
+                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.c",
@@ -58474,7 +66012,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"
+                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6_obj.c.2",
@@ -58486,10 +66030,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."
+                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -58777,7 +66339,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;"
+                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.b",
@@ -58789,7 +66357,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;"
+                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.c",
@@ -58801,7 +66375,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are documented;"
+                    "prose": "personnel security requirements are documented;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.d",
@@ -58813,7 +66393,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"
+                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.e",
@@ -58825,7 +66411,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provider compliance with personnel security requirements is monitored."
+                    "prose": "provider compliance with personnel security requirements is monitored.",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -59036,7 +66634,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"
+                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-8_obj.b",
@@ -59048,7 +66652,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
+                    "prose": " {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -59182,7 +66798,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;"
+                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-9_obj-2",
@@ -59194,7 +66816,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions."
+                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -59657,7 +67291,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment policy is developed and documented;"
+                        "prose": "a risk assessment policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-2",
@@ -59669,7 +67309,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"
+                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-3",
@@ -59681,7 +67327,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"
+                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-4",
@@ -59693,7 +67345,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"
+                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a.1",
@@ -59727,7 +67385,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-2",
@@ -59739,7 +67403,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-3",
@@ -59751,7 +67421,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-4",
@@ -59763,7 +67439,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-5",
@@ -59775,7 +67457,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-6",
@@ -59787,7 +67475,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-7",
@@ -59799,7 +67493,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -59813,10 +67519,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -59829,7 +67553,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"
+                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-1_obj.c",
@@ -59863,7 +67593,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.1-2",
@@ -59875,7 +67611,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -59900,7 +67648,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"
+                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.2-2",
@@ -59912,12 +67666,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."
+                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -60154,7 +67932,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system and the information it processes, stores, and transmits are categorized;"
+                    "prose": "the system and the information it processes, stores, and transmits are categorized;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.b",
@@ -60166,7 +67950,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;"
+                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.c",
@@ -60178,7 +67968,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."
+                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -60661,7 +68463,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;"
+                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.2",
@@ -60673,7 +68481,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.3",
@@ -60685,7 +68499,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -60699,7 +68525,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"
+                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.c",
@@ -60711,7 +68543,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"
+                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.d",
@@ -60723,7 +68561,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"
+                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.e",
@@ -60735,7 +68579,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"
+                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.f",
@@ -60747,7 +68597,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."
+                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -60971,7 +68833,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"
+                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3.1_obj.b",
@@ -60983,7 +68851,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."
+                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61427,7 +69307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.a-2",
@@ -61439,7 +69325,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61465,7 +69363,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.2",
@@ -61477,7 +69381,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.3",
@@ -61489,7 +69399,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61503,7 +69425,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;"
+                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.d",
@@ -61515,7 +69443,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"
+                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.e",
@@ -61527,7 +69461,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"
+                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.f",
@@ -61539,7 +69479,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."
+                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -61715,7 +69667,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."
+                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.2_asm-examine",
@@ -61883,7 +69841,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."
+                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.5_asm-examine",
@@ -62009,7 +69973,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."
+                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.",
+                    "links": [
+                      {
+                        "href": "#ra-5.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.11_asm-examine",
@@ -62196,7 +70166,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-2",
@@ -62208,7 +70184,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-3",
@@ -62220,7 +70202,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-4",
@@ -62232,7 +70220,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance."
+                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance.",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -62441,7 +70441,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."
+                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ra-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ra-9_asm-examine",
@@ -62910,7 +70916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and services acquisition policy is developed and documented;"
+                        "prose": "a system and services acquisition policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-2",
@@ -62922,7 +70934,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"
+                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-3",
@@ -62934,7 +70952,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"
+                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-4",
@@ -62946,7 +70970,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"
+                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a.1",
@@ -62980,7 +71010,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-2",
@@ -62992,7 +71028,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-3",
@@ -63004,7 +71046,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-4",
@@ -63016,7 +71064,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-5",
@@ -63028,7 +71082,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-6",
@@ -63040,7 +71100,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-7",
@@ -63052,7 +71118,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -63066,10 +71144,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -63082,7 +71178,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"
+                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-1_obj.c",
@@ -63116,7 +71218,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"
+                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.1-2",
@@ -63128,7 +71236,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"
+                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -63153,7 +71273,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"
+                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.2-2",
@@ -63165,12 +71291,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."
+                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -63363,7 +71513,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.a-2",
@@ -63375,7 +71531,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63400,7 +71568,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.b-2",
@@ -63412,7 +71586,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63437,7 +71623,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;"
+                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.c-2",
@@ -63449,10 +71641,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation."
+                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -63749,7 +71959,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.a-2",
@@ -63761,7 +71977,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63786,7 +72014,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.b-2",
@@ -63798,7 +72032,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63823,7 +72069,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with information security roles and responsibilities are identified;"
+                        "prose": "individuals with information security roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.c-2",
@@ -63835,7 +72087,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with privacy roles and responsibilities are identified;"
+                        "prose": "individuals with privacy roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -63860,7 +72124,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;"
+                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.d-2",
@@ -63872,10 +72142,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities."
+                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -64304,7 +72592,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.a-2",
@@ -64316,7 +72610,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64330,7 +72636,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.c",
@@ -64353,7 +72665,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.c-2",
@@ -64365,7 +72683,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64390,7 +72720,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.d-2",
@@ -64402,7 +72738,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64427,7 +72775,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.e-2",
@@ -64439,7 +72793,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64464,7 +72830,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.f-2",
@@ -64476,7 +72848,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64490,7 +72874,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.h",
@@ -64513,7 +72903,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-2",
@@ -64525,7 +72921,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-3",
@@ -64537,7 +72939,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64551,7 +72965,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."
+                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -64679,7 +73105,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."
+                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.",
+                    "links": [
+                      {
+                        "href": "#sa-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.1_asm-examine",
@@ -64871,7 +73303,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."
+                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.2_asm-examine",
@@ -65016,7 +73454,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-2",
@@ -65028,7 +73472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-3",
@@ -65040,7 +73490,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-4",
@@ -65052,7 +73508,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use."
+                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65170,7 +73638,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."
+                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.",
+                    "links": [
+                      {
+                        "href": "#sa-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.10_asm-examine",
@@ -65564,7 +74038,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-2",
@@ -65576,7 +74056,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-3",
@@ -65588,7 +74074,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65613,7 +74111,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-2",
@@ -65625,7 +74129,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-3",
@@ -65637,7 +74147,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-4",
@@ -65649,7 +74165,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65674,7 +74202,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.3-2",
@@ -65686,10 +74220,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -65724,7 +74276,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-2",
@@ -65736,7 +74294,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-3",
@@ -65748,7 +74312,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-4",
@@ -65760,7 +74330,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65785,7 +74367,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.2-2",
@@ -65797,7 +74385,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -65822,7 +74422,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.3-2",
@@ -65834,10 +74440,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -65861,7 +74485,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"
+                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-5_obj.c-2",
@@ -65873,7 +74503,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"
+                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65887,7 +74529,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}."
+                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -66184,7 +74838,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-2",
@@ -66196,7 +74856,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-3",
@@ -66208,7 +74874,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-4",
@@ -66220,7 +74892,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-5",
@@ -66232,7 +74910,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-6",
@@ -66244,7 +74928,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-7",
@@ -66256,7 +74946,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-8",
@@ -66268,7 +74964,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-9",
@@ -66280,7 +74982,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-10",
@@ -66292,7 +75000,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -66582,7 +75302,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational security requirements;"
+                        "prose": "providers of external system services comply with organizational security requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-2",
@@ -66594,7 +75320,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational privacy requirements;"
+                        "prose": "providers of external system services comply with organizational privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-3",
@@ -66606,7 +75338,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};"
+                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -66631,7 +75375,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational oversight with regard to external system services are defined and documented;"
+                        "prose": "organizational oversight with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.b-2",
@@ -66643,7 +75393,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;"
+                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -66657,7 +75419,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."
+                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -66815,7 +75589,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."
+                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.",
+                    "links": [
+                      {
+                        "href": "#sa-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.2_asm-examine",
@@ -67132,7 +75912,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"
+                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.b",
@@ -67155,7 +75941,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-2",
@@ -67167,7 +75959,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-3",
@@ -67179,7 +75977,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67193,7 +76003,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"
+                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.d",
@@ -67216,7 +76032,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-2",
@@ -67228,7 +76050,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-3",
@@ -67240,7 +76068,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67265,7 +76105,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-2",
@@ -67277,7 +76123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-3",
@@ -67289,10 +76141,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-10_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -67636,7 +76506,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-2",
@@ -67648,7 +76524,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-3",
@@ -67660,7 +76542,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-4",
@@ -67672,7 +76560,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67686,7 +76586,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.c",
@@ -67709,7 +76615,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.c-2",
@@ -67721,7 +76633,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67735,7 +76659,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.e",
@@ -67747,7 +76677,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -68095,7 +77037,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.1-2",
@@ -68107,7 +77055,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -68132,7 +77092,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.2-2",
@@ -68144,7 +77110,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -68169,7 +77147,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.3-2",
@@ -68181,7 +77165,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -68195,7 +77191,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -68220,7 +77228,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15_obj.b-2",
@@ -68232,10 +77246,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-15_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -68454,7 +77486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"
+                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.3_obj.b",
@@ -68477,7 +77515,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15.3_obj.b-2",
@@ -68489,10 +77533,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -68702,7 +77764,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"
+                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-22_obj.b",
@@ -68714,7 +77782,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."
+                    "prose": " {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -69173,7 +78253,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and communications protection policy is developed and documented;"
+                        "prose": "a system and communications protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-2",
@@ -69185,7 +78271,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"
+                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-3",
@@ -69197,7 +78289,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"
+                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-4",
@@ -69209,7 +78307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"
+                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a.1",
@@ -69243,7 +78347,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-2",
@@ -69255,7 +78365,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-3",
@@ -69267,7 +78383,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-4",
@@ -69279,7 +78401,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-5",
@@ -69291,7 +78419,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-6",
@@ -69303,7 +78437,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-7",
@@ -69315,7 +78455,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -69329,10 +78481,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -69345,7 +78515,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"
+                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-1_obj.c",
@@ -69379,7 +78555,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.1-2",
@@ -69391,7 +78573,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -69416,7 +78610,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"
+                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.2-2",
@@ -69428,12 +78628,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."
+                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -69566,7 +78790,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "user functionality, including user interface services, is separated from system management functionality."
+                "prose": "user functionality, including user interface services, is separated from system management functionality.",
+                "links": [
+                  {
+                    "href": "#sc-2_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-2_asm-examine",
@@ -69706,7 +78936,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized information transfer via shared system resources is prevented;"
+                    "prose": "unauthorized information transfer via shared system resources is prevented;",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-4_obj-2",
@@ -69718,7 +78954,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unintended information transfer via shared system resources is prevented."
+                    "prose": "unintended information transfer via shared system resources is prevented.",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -69957,7 +79205,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"
+                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5_obj.b",
@@ -69969,7 +79223,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."
+                    "prose": " {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -70290,7 +79556,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are monitored;"
+                        "prose": "communications at external managed interfaces to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-2",
@@ -70302,7 +79574,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are controlled;"
+                        "prose": "communications at external managed interfaces to the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-3",
@@ -70314,7 +79592,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are monitored;"
+                        "prose": "communications at key internal managed interfaces within the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-4",
@@ -70326,7 +79610,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are controlled;"
+                        "prose": "communications at key internal managed interfaces within the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -70340,7 +79636,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"
+                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7_obj.c",
@@ -70352,7 +79654,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -70475,7 +79789,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the number of external network connections to the system is limited."
+                    "prose": "the number of external network connections to the system is limited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.3_asm-examine",
@@ -70738,7 +80058,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a managed interface is implemented for each external telecommunication service;"
+                        "prose": "a managed interface is implemented for each external telecommunication service;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.b",
@@ -70750,7 +80076,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a traffic flow policy is established for each managed interface;"
+                        "prose": "a traffic flow policy is established for each managed interface;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.c",
@@ -70773,7 +80105,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the confidentiality of the information being transmitted across each interface is protected;"
+                            "prose": "the confidentiality of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.c-2",
@@ -70785,7 +80123,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the integrity of the information being transmitted across each interface is protected;"
+                            "prose": "the integrity of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -70799,7 +80149,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"
+                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.e",
@@ -70822,7 +80178,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"
+                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.e-2",
@@ -70834,7 +80196,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"
+                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.e",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -70848,7 +80222,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;"
+                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.g",
@@ -70860,7 +80240,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"
+                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.h",
@@ -70872,7 +80258,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized control plane traffic is filtered from external networks."
+                        "prose": "unauthorized control plane traffic is filtered from external networks.",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71049,7 +80447,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"
+                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.5_obj-2",
@@ -71061,7 +80465,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."
+                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71206,7 +80622,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."
+                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.7_asm-examine",
@@ -71373,7 +80795,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."
+                    "prose": " {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.",
+                    "links": [
+                      {
+                        "href": "#sc-7.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.8_asm-examine",
@@ -71607,7 +81035,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected."
+                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-8_asm-examine",
@@ -71759,7 +81193,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."
+                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.",
+                    "links": [
+                      {
+                        "href": "#sc-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.1_asm-examine",
@@ -71908,7 +81348,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."
+                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.",
+                "links": [
+                  {
+                    "href": "#sc-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-10_asm-examine",
@@ -72099,6 +81545,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#sa-4",
                 "rel": "related"
@@ -72184,7 +81634,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"
+                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12_obj-2",
@@ -72196,7 +81652,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."
+                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72396,6 +81864,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -72512,7 +81984,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;"
+                    "prose": " {{ insert: param, sc-13_odp.01 }} are identified;",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-13_obj.b",
@@ -72524,7 +82002,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."
+                    "prose": " {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72707,7 +82197,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"
+                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15_obj.b",
@@ -72719,7 +82215,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of use is provided to users physically present at the devices."
+                    "prose": "an explicit indication of use is provided to users physically present at the devices.",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72931,7 +82439,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"
+                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-17_obj.b",
@@ -72943,7 +82457,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization."
+                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -73131,7 +82657,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code is defined;"
+                        "prose": "acceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-2",
@@ -73143,7 +82675,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code is defined;"
+                        "prose": "unacceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-3",
@@ -73155,7 +82693,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code technologies are defined;"
+                        "prose": "acceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-4",
@@ -73167,7 +82711,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code technologies are defined;"
+                        "prose": "unacceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -73192,7 +82748,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is authorized within the system;"
+                        "prose": "the use of mobile code is authorized within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-2",
@@ -73204,7 +82766,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is monitored within the system;"
+                        "prose": "the use of mobile code is monitored within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-3",
@@ -73216,10 +82784,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is controlled within the system."
+                        "prose": "the use of mobile code is controlled within the system.",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-18_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -73418,7 +83004,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.a-2",
@@ -73430,7 +83022,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -73455,7 +83059,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"
+                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.b-2",
@@ -73467,10 +83077,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."
+                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-20_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -73611,7 +83239,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-2",
@@ -73623,7 +83257,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-3",
@@ -73635,7 +83275,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-4",
@@ -73647,7 +83293,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources."
+                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -73797,7 +83455,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-2",
@@ -73809,7 +83473,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-3",
@@ -73821,7 +83491,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation."
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -73972,7 +83654,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the authenticity of communication sessions is protected."
+                "prose": "the authenticity of communication sessions is protected.",
+                "links": [
+                  {
+                    "href": "#sc-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-23_asm-examine",
@@ -74244,7 +83932,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected."
+                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-28_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-28_asm-examine",
@@ -74430,7 +84124,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-28.1_obj-2",
@@ -74442,7 +84142,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-28.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -74604,7 +84316,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a separate execution domain is maintained for each executing system process."
+                "prose": "a separate execution domain is maintained for each executing system process.",
+                "links": [
+                  {
+                    "href": "#sc-39_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-39_asm-examine",
@@ -75061,7 +84779,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and information integrity policy is developed and documented;"
+                        "prose": "a system and information integrity policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-2",
@@ -75073,7 +84797,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"
+                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-3",
@@ -75085,7 +84815,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"
+                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-4",
@@ -75097,7 +84833,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"
+                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a.1",
@@ -75131,7 +84873,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-2",
@@ -75143,7 +84891,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-3",
@@ -75155,7 +84909,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-4",
@@ -75167,7 +84927,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-5",
@@ -75179,7 +84945,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-6",
@@ -75191,7 +84963,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-7",
@@ -75203,7 +84981,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -75217,10 +85007,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -75233,7 +85041,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"
+                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-1_obj.c",
@@ -75267,7 +85081,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.1-2",
@@ -75279,7 +85099,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -75304,7 +85136,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"
+                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.2-2",
@@ -75316,12 +85154,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."
+                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -75594,7 +85456,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are identified;"
+                        "prose": "system flaws are identified;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-2",
@@ -75606,7 +85474,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are reported;"
+                        "prose": "system flaws are reported;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-3",
@@ -75618,7 +85492,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are corrected;"
+                        "prose": "system flaws are corrected;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75643,7 +85529,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-2",
@@ -75655,7 +85547,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-3",
@@ -75667,7 +85565,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-4",
@@ -75679,7 +85583,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75704,7 +85620,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.c-2",
@@ -75716,7 +85638,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75730,7 +85664,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "flaw remediation is incorporated into the organizational configuration management process."
+                    "prose": "flaw remediation is incorporated into the organizational configuration management process.",
+                    "links": [
+                      {
+                        "href": "#si-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -75903,7 +85849,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."
+                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#si-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.2_asm-examine",
@@ -76332,7 +86284,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3_obj.a-2",
@@ -76344,7 +86302,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"
+                        "prose": " {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -76358,7 +86328,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"
+                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-3_obj.c",
@@ -76392,7 +86368,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"
+                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.1-2",
@@ -76404,7 +86386,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"
+                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -76429,7 +86423,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.2-2",
@@ -76441,10 +86441,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -76457,7 +86475,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."
+                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -77041,7 +87071,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"
+                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.a.2",
@@ -77064,7 +87100,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized local connections;"
+                            "prose": "the system is monitored to detect unauthorized local connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-2",
@@ -77076,7 +87118,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized network connections;"
+                            "prose": "the system is monitored to detect unauthorized network connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-3",
@@ -77088,10 +87136,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized remote connections;"
+                            "prose": "the system is monitored to detect unauthorized remote connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -77104,7 +87170,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"
+                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.c",
@@ -77127,7 +87199,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.c.2",
@@ -77139,7 +87217,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -77164,7 +87254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected events are analyzed;"
+                        "prose": "detected events are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.d-2",
@@ -77176,7 +87272,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected anomalies are analyzed;"
+                        "prose": "detected anomalies are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -77190,7 +87298,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"
+                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.f",
@@ -77202,7 +87316,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a legal opinion regarding system monitoring activities is obtained;"
+                    "prose": "a legal opinion regarding system monitoring activities is obtained;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.g",
@@ -77214,7 +87334,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."
+                    "prose": " {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -77350,7 +87482,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events."
+                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.",
+                    "links": [
+                      {
+                        "href": "#si-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.2_asm-examine",
@@ -77619,7 +87757,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.a-2",
@@ -77631,7 +87775,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -77656,7 +87812,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"
+                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.b-2",
@@ -77668,10 +87830,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."
+                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -77852,7 +88032,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."
+                    "prose": " {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.",
+                    "links": [
+                      {
+                        "href": "#si-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.5_asm-examine",
@@ -78157,7 +88343,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"
+                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.b",
@@ -78169,7 +88361,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;"
+                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.c",
@@ -78181,7 +88379,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"
+                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.d",
@@ -78193,7 +88397,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."
+                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -78627,7 +88843,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-2",
@@ -78639,7 +88861,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-3",
@@ -78651,7 +88879,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78676,7 +88916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"
+                        "prose": " {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-2",
@@ -78688,7 +88934,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"
+                        "prose": " {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-3",
@@ -78700,10 +88952,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."
+                        "prose": " {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -79132,7 +89402,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-2",
@@ -79144,7 +89420,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-3",
@@ -79156,7 +89438,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -79331,7 +89625,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."
+                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.",
+                    "links": [
+                      {
+                        "href": "#si-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.7_asm-examine",
@@ -79527,7 +89827,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-2",
@@ -79539,7 +89845,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-3",
@@ -79551,7 +89863,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-4",
@@ -79563,7 +89881,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -79577,7 +89907,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."
+                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.",
+                    "links": [
+                      {
+                        "href": "#si-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -79722,7 +90064,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."
+                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-8.2_asm-examine",
@@ -79881,7 +90229,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked."
+                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.",
+                "links": [
+                  {
+                    "href": "#si-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-10_asm-examine",
@@ -80074,7 +90428,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"
+                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-11_obj.b",
@@ -80086,7 +90446,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}."
+                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -80348,7 +90720,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-2",
@@ -80360,7 +90738,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-3",
@@ -80372,7 +90756,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-4",
@@ -80384,7 +90774,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."
+                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -80542,7 +90944,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."
+                "prose": " {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.",
+                "links": [
+                  {
+                    "href": "#si-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-16_asm-examine",
@@ -81023,7 +91431,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a supply chain risk management policy is developed and documented;"
+                        "prose": "a supply chain risk management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-2",
@@ -81035,7 +91449,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"
+                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-3",
@@ -81047,7 +91467,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"
+                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-4",
@@ -81059,7 +91485,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."
+                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a.1",
@@ -81093,7 +91525,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-2",
@@ -81105,7 +91543,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-3",
@@ -81117,7 +91561,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"
+                                "prose": " {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-4",
@@ -81129,7 +91579,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-5",
@@ -81141,7 +91597,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-6",
@@ -81153,7 +91615,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-7",
@@ -81165,7 +91633,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -81179,10 +91659,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -81195,7 +91693,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"
+                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-1_obj.c",
@@ -81229,7 +91733,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.1-2",
@@ -81241,7 +91751,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -81266,7 +91788,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"
+                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.2-2",
@@ -81278,12 +91806,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."
+                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -81578,7 +92130,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a plan for managing supply chain risks is developed;"
+                        "prose": "a plan for managing supply chain risks is developed;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-2",
@@ -81590,7 +92148,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-3",
@@ -81602,7 +92166,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-4",
@@ -81614,7 +92184,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-5",
@@ -81626,7 +92202,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-6",
@@ -81638,7 +92220,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-7",
@@ -81650,7 +92238,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-8",
@@ -81662,7 +92256,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-9",
@@ -81674,7 +92274,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -81688,7 +92300,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"
+                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;",
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2_obj.c",
@@ -81711,7 +92329,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;"
+                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.c-2",
@@ -81723,10 +92347,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized modification."
+                        "prose": "the supply chain risk management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -81900,7 +92542,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."
+                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2.1_asm-examine",
@@ -82287,7 +92935,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"
+                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-3_obj.a-2",
@@ -82299,7 +92953,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};"
+                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -82313,7 +92979,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"
+                    "prose": " {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3_obj.c",
@@ -82325,7 +92997,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."
+                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -82575,7 +93259,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-2",
@@ -82587,7 +93277,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-3",
@@ -82599,7 +93295,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."
+                    "prose": " {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -82805,7 +93513,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."
+                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.",
+                "links": [
+                  {
+                    "href": "#sr-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-6_asm-examine",
@@ -83015,7 +93729,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."
+                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.",
+                "links": [
+                  {
+                    "href": "#sr-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-8_asm-examine",
@@ -83261,7 +93981,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."
+                "prose": " {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.",
+                "links": [
+                  {
+                    "href": "#sr-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-10_asm-examine",
@@ -83516,7 +94242,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an anti-counterfeit policy is developed and implemented;"
+                        "prose": "an anti-counterfeit policy is developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-2",
@@ -83528,7 +94260,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "anti-counterfeit procedures are developed and implemented;"
+                        "prose": "anti-counterfeit procedures are developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-3",
@@ -83540,7 +94278,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-4",
@@ -83552,7 +94296,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -83566,7 +94322,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."
+                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -83720,7 +94488,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."
+                    "prose": " {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).",
+                    "links": [
+                      {
+                        "href": "#sr-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-11.1_asm-examine",
@@ -83895,7 +94669,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"
+                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11.2_obj-2",
@@ -83907,7 +94687,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."
+                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -84079,7 +94871,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."
+                "prose": " {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#sr-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-12_asm-examine",
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile-min.json
index dae8e774..4ec45133 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile-min.json
@@ -1 +1 @@
-{"profile":{"uuid":"1019f424-1556-4aa3-9df3-337b97c2c856","metadata":{"title":"NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"Final","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"cde369ce-57f8-4ec1-847f-2681a9a881e7","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]},{"role-id":"contact","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-2.1","ac-2.2","ac-2.3","ac-2.4","ac-2.5","ac-2.13","ac-3","ac-4","ac-5","ac-6","ac-6.1","ac-6.2","ac-6.5","ac-6.7","ac-6.9","ac-6.10","ac-7","ac-8","ac-11","ac-11.1","ac-12","ac-14","ac-17","ac-17.1","ac-17.2","ac-17.3","ac-17.4","ac-18","ac-18.1","ac-18.3","ac-19","ac-19.5","ac-20","ac-20.1","ac-20.2","ac-21","ac-22","at-1","at-2","at-2.2","at-2.3","at-3","at-4","au-1","au-2","au-3","au-3.1","au-4","au-5","au-6","au-6.1","au-6.3","au-7","au-7.1","au-8","au-9","au-9.4","au-11","au-12","ca-1","ca-2","ca-2.1","ca-3","ca-5","ca-6","ca-7","ca-7.1","ca-7.4","ca-9","cm-1","cm-2","cm-2.2","cm-2.3","cm-2.7","cm-3","cm-3.2","cm-3.4","cm-4","cm-4.2","cm-5","cm-6","cm-7","cm-7.1","cm-7.2","cm-7.5","cm-8","cm-8.1","cm-8.3","cm-9","cm-10","cm-11","cm-12","cm-12.1","cp-1","cp-2","cp-2.1","cp-2.3","cp-2.8","cp-3","cp-4","cp-4.1","cp-6","cp-6.1","cp-6.3","cp-7","cp-7.1","cp-7.2","cp-7.3","cp-8","cp-8.1","cp-8.2","cp-9","cp-9.1","cp-9.8","cp-10","cp-10.2","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.8","ia-2.12","ia-3","ia-4","ia-4.4","ia-5","ia-5.1","ia-5.2","ia-5.6","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ia-12","ia-12.2","ia-12.3","ia-12.5","ir-1","ir-2","ir-3","ir-3.2","ir-4","ir-4.1","ir-5","ir-6","ir-6.1","ir-6.3","ir-7","ir-7.1","ir-8","ma-1","ma-2","ma-3","ma-3.1","ma-3.2","ma-3.3","ma-4","ma-5","ma-6","mp-1","mp-2","mp-3","mp-4","mp-5","mp-6","mp-7","pe-1","pe-2","pe-3","pe-4","pe-5","pe-6","pe-6.1","pe-8","pe-9","pe-10","pe-11","pe-12","pe-13","pe-13.1","pe-14","pe-15","pe-16","pe-17","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.5","ra-5.11","ra-7","ra-9","sa-1","sa-2","sa-3","sa-4","sa-4.1","sa-4.2","sa-4.9","sa-4.10","sa-5","sa-8","sa-9","sa-9.2","sa-10","sa-11","sa-15","sa-15.3","sa-22","sc-1","sc-2","sc-4","sc-5","sc-7","sc-7.3","sc-7.4","sc-7.5","sc-7.7","sc-7.8","sc-8","sc-8.1","sc-10","sc-12","sc-13","sc-15","sc-17","sc-18","sc-20","sc-21","sc-22","sc-23","sc-28","sc-28.1","sc-39","si-1","si-2","si-2.2","si-3","si-4","si-4.2","si-4.4","si-4.5","si-5","si-7","si-7.1","si-7.7","si-8","si-8.2","si-10","si-11","si-12","si-16","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-6","sr-8","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
+{"profile":{"uuid":"49f45a95-20d1-450a-b4a5-c27ecc335a26","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE","last-modified":"2023-12-04T14:55:00.000000-04:00","version":"5.1.1+u2","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"cde369ce-57f8-4ec1-847f-2681a9a881e7","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]},{"role-id":"contact","party-uuids":["cde369ce-57f8-4ec1-847f-2681a9a881e7"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-2","ac-2.1","ac-2.2","ac-2.3","ac-2.4","ac-2.5","ac-2.13","ac-3","ac-4","ac-5","ac-6","ac-6.1","ac-6.2","ac-6.5","ac-6.7","ac-6.9","ac-6.10","ac-7","ac-8","ac-11","ac-11.1","ac-12","ac-14","ac-17","ac-17.1","ac-17.2","ac-17.3","ac-17.4","ac-18","ac-18.1","ac-18.3","ac-19","ac-19.5","ac-20","ac-20.1","ac-20.2","ac-21","ac-22","at-1","at-2","at-2.2","at-2.3","at-3","at-4","au-1","au-2","au-3","au-3.1","au-4","au-5","au-6","au-6.1","au-6.3","au-7","au-7.1","au-8","au-9","au-9.4","au-11","au-12","ca-1","ca-2","ca-2.1","ca-3","ca-5","ca-6","ca-7","ca-7.1","ca-7.4","ca-9","cm-1","cm-2","cm-2.2","cm-2.3","cm-2.7","cm-3","cm-3.2","cm-3.4","cm-4","cm-4.2","cm-5","cm-6","cm-7","cm-7.1","cm-7.2","cm-7.5","cm-8","cm-8.1","cm-8.3","cm-9","cm-10","cm-11","cm-12","cm-12.1","cp-1","cp-2","cp-2.1","cp-2.3","cp-2.8","cp-3","cp-4","cp-4.1","cp-6","cp-6.1","cp-6.3","cp-7","cp-7.1","cp-7.2","cp-7.3","cp-8","cp-8.1","cp-8.2","cp-9","cp-9.1","cp-9.8","cp-10","cp-10.2","ia-1","ia-2","ia-2.1","ia-2.2","ia-2.8","ia-2.12","ia-3","ia-4","ia-4.4","ia-5","ia-5.1","ia-5.2","ia-5.6","ia-6","ia-7","ia-8","ia-8.1","ia-8.2","ia-8.4","ia-11","ia-12","ia-12.2","ia-12.3","ia-12.5","ir-1","ir-2","ir-3","ir-3.2","ir-4","ir-4.1","ir-5","ir-6","ir-6.1","ir-6.3","ir-7","ir-7.1","ir-8","ma-1","ma-2","ma-3","ma-3.1","ma-3.2","ma-3.3","ma-4","ma-5","ma-6","mp-1","mp-2","mp-3","mp-4","mp-5","mp-6","mp-7","pe-1","pe-2","pe-3","pe-4","pe-5","pe-6","pe-6.1","pe-8","pe-9","pe-10","pe-11","pe-12","pe-13","pe-13.1","pe-14","pe-15","pe-16","pe-17","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-10","pl-11","ps-1","ps-2","ps-3","ps-4","ps-5","ps-6","ps-7","ps-8","ps-9","ra-1","ra-2","ra-3","ra-3.1","ra-5","ra-5.2","ra-5.5","ra-5.11","ra-7","ra-9","sa-1","sa-2","sa-3","sa-4","sa-4.1","sa-4.2","sa-4.9","sa-4.10","sa-5","sa-8","sa-9","sa-9.2","sa-10","sa-11","sa-15","sa-15.3","sa-22","sc-1","sc-2","sc-4","sc-5","sc-7","sc-7.3","sc-7.4","sc-7.5","sc-7.7","sc-7.8","sc-8","sc-8.1","sc-10","sc-12","sc-13","sc-15","sc-17","sc-18","sc-20","sc-21","sc-22","sc-23","sc-28","sc-28.1","sc-39","si-1","si-2","si-2.2","si-3","si-4","si-4.2","si-4.4","si-4.5","si-5","si-7","si-7.1","si-7.7","si-8","si-8.2","si-10","si-11","si-12","si-16","sr-1","sr-2","sr-2.1","sr-3","sr-5","sr-6","sr-8","sr-10","sr-11","sr-11.1","sr-11.2","sr-12"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json
index 485f476d..2d6a86ae 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_MODERATE-baseline_profile.json
@@ -1,10 +1,10 @@
 {
   "profile": {
-    "uuid": "1019f424-1556-4aa3-9df3-337b97c2c856",
+    "uuid": "49f45a95-20d1-450a-b4a5-c27ecc335a26",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE",
-      "last-modified": "2023-10-12T00:00:00.000000-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE",
+      "last-modified": "2023-12-04T14:55:00.000000-04:00",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "roles": [
         {
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog-min.json
index 03e2fd6f..448945ec 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"b59abead-41dd-4ba4-818d-b2ce8ca7b80e","metadata":{"title":"NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE","last-modified":"2023-11-02T11:49:42.694597-04:00","version":"Final","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"11f1de66-89ba-499d-903e-56418e95af9d","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]},{"role-id":"contact","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;"},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."}]}]}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}],"controls":[{"id":"ac-3.14","class":"SP800-53-enhancement","title":"Individual Access","params":[{"id":"ac-03.14_odp.01","props":[{"name":"alt-identifier","value":"ac-3.14_prm_1"},{"name":"label","value":"AC-03(14)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;"}]},{"id":"ac-03.14_odp.02","props":[{"name":"alt-identifier","value":"ac-3.14_prm_2"},{"name":"label","value":"AC-03(14)_ODP[02]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to which individuals have access are defined;"}]}],"props":[{"name":"label","value":"AC-3(14)"},{"name":"label","value":"AC-03(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ia-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"ac-3.14_smt","name":"statement","prose":"Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}."},{"id":"ac-3.14_gdn","name":"guidance","prose":"Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations."},{"id":"ac-3.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(14)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information."},{"id":"ac-3.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access mechanisms (e.g., request forms and application interfaces)\n\naccess control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation regarding access to an individual’s personally identifiable information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment findings and\/or reports\n\nother relevant documents or records"}]},{"id":"ac-3.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel"}]},{"id":"ac-3.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions\n\nmechanisms enabling individual access to personally identifiable information"}]}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; "},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"}]}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."}]}]}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"}]}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"}]}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};"},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training."}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}],"controls":[{"id":"at-3.5","class":"SP800-53-enhancement","title":"Processing Personally Identifiable Information","params":[{"id":"at-03.05_odp.01","props":[{"name":"alt-identifier","value":"at-3.5_prm_1"},{"name":"label","value":"AT-03(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is\/are defined;"}]},{"id":"at-03.05_odp.02","props":[{"name":"alt-identifier","value":"at-3.5_prm_2"},{"name":"label","value":"AT-03(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(5)"},{"name":"label","value":"AT-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"at-3.5_smt","name":"statement","prose":"Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and\/or other documentation."},{"id":"at-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(05)","class":"sp800-53a"}],"prose":" {{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsystem security plan\n\nprivacy plan\n\norganizational privacy notices\n\norganizational policies\n\nsystem of records notices\n\nPrivacy Act statements\n\ncomputer matching agreements and notices\n\nprivacy impact assessments\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"at-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;"},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."}]}]}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;"},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;"},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;"},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;"},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;"},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"au-03.03_odp","props":[{"name":"alt-identifier","value":"au-3.3_prm_1"},{"name":"label","value":"AU-03(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment are defined;"}]}],"props":[{"name":"label","value":"AU-3(3)"},{"name":"label","value":"AU-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"au-3.3_smt","name":"statement","prose":"Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}."},{"id":"au-3.3_gdn","name":"guidance","prose":"Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"au-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment."},{"id":"au-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprivacy risk assessment\n\nprivacy risk assessment results\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nthird party contracts\n\nother relevant documents or records"}]},{"id":"au-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;"},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."}]}]}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"}]}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;"},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;"},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;"},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."}]}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring."}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;"},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."}]}]}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;"},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation."}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;"},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."}]}]}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."}]}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.3","class":"SP800-53-enhancement","title":"Breach","props":[{"name":"label","value":"IR-2(3)"},{"name":"label","value":"IR-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.3_smt","name":"statement","prose":"Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach."},{"id":"ir-2.3_gdn","name":"guidance","prose":"For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1)."},{"id":"ir-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)","class":"sp800-53a"}],"parts":[{"id":"ir-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[01]","class":"sp800-53a"}],"prose":"incident response training on how to identify and respond to a breach is provided;"},{"id":"ir-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[02]","class":"sp800-53a"}],"prose":"incident response training on the organization’s process for reporting a breach is provided."}]},{"id":"ir-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;"},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;"},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;"},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;"},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;"},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;"},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization."}]}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;"},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented."}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;"},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;"},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;"},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;"},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;"},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification."}]}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}],"controls":[{"id":"ir-8.1","class":"SP800-53-enhancement","title":"Breaches","props":[{"name":"label","value":"IR-8(1)"},{"name":"label","value":"IR-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-8","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ir-8.1_smt","name":"statement","prose":"Include the following in the Incident Response Plan for breaches involving personally identifiable information:","parts":[{"id":"ir-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and"},{"id":"ir-8.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Identification of applicable privacy requirements."}]},{"id":"ir-8.1_gdn","name":"guidance","prose":"Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements."},{"id":"ir-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)","class":"sp800-53a"}],"parts":[{"id":"ir-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(a)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(b)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;"},{"id":"ir-8.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(c)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements."}]},{"id":"ir-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;"},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."}]}]}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"pe-08.03_odp","props":[{"name":"alt-identifier","value":"pe-8.3_prm_1"},{"name":"label","value":"PE-08(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;"}]}],"props":[{"name":"label","value":"PE-8(3)"},{"name":"label","value":"PE-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pe-8.3_smt","name":"statement","prose":"Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}."},{"id":"pe-8.3_gdn","name":"guidance","prose":"Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"pe-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment."},{"id":"pe-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\npersonally identifiable information processing policy\n\nprivacy risk assessment documentation\n\nprivacy impact assessment\n\nvisitor access records\n\npersonally identifiable information inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records"}]}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented."},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."}]}]}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;"},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;"},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;"},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;"},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;"},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification."}]}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;"},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;"},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"}]}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;"},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;"},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);"},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;"},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;"},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions."}]}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-9","class":"SP800-53","title":"Central Management","params":[{"id":"pl-09_odp","props":[{"name":"alt-identifier","value":"pl-9_prm_1"},{"name":"label","value":"PL-09_ODP","class":"sp800-53a"}],"label":"controls and related processes","guidelines":[{"prose":"security and privacy controls and related processes to be centrally managed are defined;"}]}],"props":[{"name":"label","value":"PL-9"},{"name":"label","value":"PL-09","class":"sp800-53a"},{"name":"sort-id","value":"pl-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pl-9_smt","name":"statement","prose":"Centrally manage {{ insert: param, pl-09_odp }}."},{"id":"pl-9_gdn","name":"guidance","prose":"Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\n\nAutomated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.\n\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: [AC-2(1)](#ac-2.1), [AC-2(2)](#ac-2.2), [AC-2(3)](#ac-2.3), [AC-2(4)](#ac-2.4), [AC-4(all)](#ac-4), [AC-17(1)](#ac-17.1), [AC-17(2)](#ac-17.2), [AC-17(3)](#ac-17.3), [AC-17(9)](#ac-17.9), [AC-18(1)](#ac-18.1), [AC-18(3)](#ac-18.3), [AC-18(4)](#ac-18.4), [AC-18(5)](#ac-18.5), [AC-19(4)](#ac-19.4), [AC-22](#ac-22), [AC-23](#ac-23), [AT-2(1)](#at-2.1), [AT-2(2)](#at-2.2), [AT-3(1)](#at-3.1), [AT-3(2)](#at-3.2), [AT-3(3)](#at-3.3), [AT-4](#at-4), [AU-3](#au-3), [AU-6(1)](#au-6.1), [AU-6(3)](#au-6.3), [AU-6(5)](#au-6.5), [AU-6(6)](#au-6.6), [AU-6(9)](#au-6.9), [AU-7(1)](#au-7.1), [AU-7(2)](#au-7.2), [AU-11](#au-11), [AU-13](#au-13), [AU-16](#au-16), [CA-2(1)](#ca-2.1), [CA-2(2)](#ca-2.2), [CA-2(3)](#ca-2.3), [CA-3(1)](#ca-3.1), [CA-3(2)](#ca-3.2), [CA-3(3)](#ca-3.3), [CA-7(1)](#ca-7.1), [CA-9](#ca-9), [CM-2(2)](#cm-2.2), [CM-3(1)](#cm-3.1), [CM-3(4)](#cm-3.4), [CM-4](#cm-4), [CM-6](#cm-6), [CM-6(1)](#cm-6.1), [CM-7(2)](#cm-7.2), [CM-7(4)](#cm-7.4), [CM-7(5)](#cm-7.5), [CM-8(all)](#cm-8), [CM-9(1)](#cm-9.1), [CM-10](#cm-10), [CM-11](#cm-11), [CP-7(all)](#cp-7), [CP-8(all)](#cp-8), [SC-43](#sc-43), [SI-2](#si-2), [SI-3](#si-3), [SI-4(all)](#si-4), [SI-7](#si-7), [SI-8](#si-8)."},{"id":"pl-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-09","class":"sp800-53a"}],"prose":" {{ insert: param, pl-09_odp }} are centrally managed."},{"id":"pl-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy plan development and implementation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with responsibilities for planning\/implementing central management of controls and related processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the central management of controls and related processes\n\nmechanisms supporting and\/or implementing central management of controls and related processes"}]}]}]},{"id":"pm","class":"family","title":"Program Management","parts":[{"id":"pm_ovw","name":"overview","title":"Program Management Controls","prose":" [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of [FIPS 200](#599fb53d-5041-444e-a7fe-640d6d30ad05) impact levels and, therefore, are not associated with the control baselines described in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752).\n\nOrganizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see [PM-1](#pm-1) ) and privacy program plan (see [PM-18](#pm-18) ) supplement system security and privacy plans (see [PL-2](#pl-2) ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization."}],"controls":[{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","props":[{"name":"label","value":"PM-3"},{"name":"label","value":"PM-03","class":"sp800-53a"},{"name":"sort-id","value":"pm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-4","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."},{"id":"pm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-03","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[01]","class":"sp800-53a"}],"prose":"the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;"},{"id":"pm-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[02]","class":"sp800-53a"}],"prose":"the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;"}]},{"id":"pm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[01]","class":"sp800-53a"}],"prose":"the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"},{"id":"pm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[02]","class":"sp800-53a"}],"prose":"the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"}]},{"id":"pm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[01]","class":"sp800-53a"}],"prose":"information security resources are made available for expenditure as planned;"},{"id":"pm-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[02]","class":"sp800-53a"}],"prose":"privacy resources are made available for expenditure as planned."}]}]},{"id":"pm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nExhibit 300\n\nExhibit 53\n\nbusiness cases for capital planning and investment\n\nprocedures for capital planning and investment\n\ndocumentation of exceptions to capital planning requirements\n\nother relevant documents or records"}]},{"id":"pm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning responsibilities\n\norganizational personnel with privacy program planning responsibilities\n\norganizational personnel responsible for capital planning and investment\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for capital planning and investment\n\norganizational processes for business case, Exhibit 300, and Exhibit 53 development\n\nmechanisms supporting the capital planning and investment process"}]}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","props":[{"name":"label","value":"PM-4"},{"name":"label","value":"PM-04","class":"sp800-53a"},{"name":"sort-id","value":"pm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission\/business process level, and organizational\/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in [CA-5](#ca-5)."},{"id":"pm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-04","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;"},{"id":"pm-4_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[04]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;"},{"id":"pm-4_obj.a.1-5","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[05]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-6","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[06]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;"}]},{"id":"pm-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-4_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"},{"id":"pm-4_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"},{"id":"pm-4_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"}]}]},{"id":"pm-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[01]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[02]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions."}]}]},{"id":"pm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nplans of action and milestones\n\nprocedures addressing plans of action and milestones development and maintenance\n\nprocedures addressing plans of action and milestones reporting\n\nprocedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with plans of action and milestones\n\nOMB FISMA reporting requirements\n\nother relevant documents or records"}]},{"id":"pm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for plan of action and milestones development, review, maintenance, and reporting\n\nmechanisms supporting plans of action and milestones"}]}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","params":[{"id":"pm-05_odp","props":[{"name":"alt-identifier","value":"pm-5_prm_1"},{"name":"label","value":"PM-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-5"},{"name":"label","value":"PM-05","class":"sp800-53a"},{"name":"sort-id","value":"pm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":" [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in [CM-8](#cm-8)."},{"id":"pm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05","class":"sp800-53a"}],"parts":[{"id":"pm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05[01]","class":"sp800-53a"}],"prose":"an inventory of organizational systems is developed;"},{"id":"pm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05[02]","class":"sp800-53a"}],"prose":"the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}."}]},{"id":"pm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nsystem inventory\n\nprocedures addressing system inventory development and maintenance\n\nOMB FISMA reporting guidance\n\nother relevant documents or records"}]},{"id":"pm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development and maintenance\n\nmechanisms supporting the system inventory"}]}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","params":[{"id":"pm-05.01_odp","props":[{"name":"alt-identifier","value":"pm-5.1_prm_1"},{"name":"label","value":"PM-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PM-5(1)"},{"name":"label","value":"PM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-5","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."},{"id":"pm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)","class":"sp800-53a"}],"parts":[{"id":"pm-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[01]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is established;"},{"id":"pm-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[02]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is maintained;"},{"id":"pm-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[03]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}."}]},{"id":"pm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing system inventory development, maintenance, and updates\n\nOMB FISMA reporting guidance\n\nprivacy program plan\n\ninformation security program plan\n\npersonally identifiable information processing policy\n\nsystem inventory\n\npersonally identifiable information inventory\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"pm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development, maintenance, and updates\n\nmechanisms supporting the system inventory"}]}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","props":[{"name":"label","value":"PM-6"},{"name":"label","value":"PM-06","class":"sp800-53a"},{"name":"sort-id","value":"pm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#7798067b-4ed0-4adc-a505-79dad4741693","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy."},{"id":"pm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-06","class":"sp800-53a"}],"parts":[{"id":"pm-6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-06[01]","class":"sp800-53a"}],"prose":"information security measures of performance are developed;"},{"id":"pm-6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-06[02]","class":"sp800-53a"}],"prose":"information security measures of performance are monitored;"},{"id":"pm-6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-06[03]","class":"sp800-53a"}],"prose":"the results of information security measures of performance are reported;"},{"id":"pm-6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-06[04]","class":"sp800-53a"}],"prose":"privacy measures of performance are developed;"},{"id":"pm-6_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-06[05]","class":"sp800-53a"}],"prose":"privacy measures of performance are monitored;"},{"id":"pm-6_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-06[06]","class":"sp800-53a"}],"prose":"the results of privacy measures of performance are reported."}]},{"id":"pm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security measures of performance\n\nprivacy measures of performance\n\nprocedures addressing the development, monitoring, and reporting of information security and privacy measures of performance\n\nrisk management strategy\n\nother relevant documents or records"}]},{"id":"pm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance\n\nmechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance"}]}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","props":[{"name":"label","value":"PM-7"},{"name":"label","value":"PM-07","class":"sp800-53a"},{"name":"sort-id","value":"pm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For [PL-8](#pl-8) , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37](#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8) and supporting security standards and guidelines."},{"id":"pm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07","class":"sp800-53a"}],"parts":[{"id":"pm-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-07[01]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for information security;"},{"id":"pm-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-07[02]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for information security;"},{"id":"pm-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-07[03]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for privacy;"},{"id":"pm-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-07[04]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for privacy;"},{"id":"pm-7_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-07[05]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-7_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-07[06]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."}]},{"id":"pm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development"}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","props":[{"name":"label","value":"PM-8"},{"name":"label","value":"PM-08","class":"sp800-53a"},{"name":"sort-id","value":"pm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#3406fdc0-d61c-44a9-a5ca-84180544c83a","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#488d6934-00b2-4252-bf23-1b3c2d71eb13","rel":"reference"},{"href":"#b9951d04-6385-478c-b1a3-ab68c19d9041","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-08","class":"sp800-53a"}],"parts":[{"id":"pm-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-08[01]","class":"sp800-53a"}],"prose":"information security issues are addressed in the development of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-08[02]","class":"sp800-53a"}],"prose":"information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-08[03]","class":"sp800-53a"}],"prose":"information security issues are addressed in the update of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-08[04]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-08[05]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-08[06]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the update of a critical infrastructure and key resources protection plan."}]},{"id":"pm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ncritical infrastructure and key resources protection plan\n\nprocedures addressing the development, documentation, and updating of the critical infrastructure and key resources protection plan\n\nHSPD 7\n\nNational Infrastructure Protection Plan\n\nother relevant documents or records"}]},{"id":"pm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\nmechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan"}]}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","params":[{"id":"pm-09_odp","props":[{"name":"alt-identifier","value":"pm-9_prm_1"},{"name":"label","value":"PM-09_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-9"},{"name":"label","value":"PM-09","class":"sp800-53a"},{"name":"sort-id","value":"pm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#at-1","rel":"related"},{"href":"#ca-1","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cp-1","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ir-1","rel":"related"},{"href":"#ma-1","rel":"related"},{"href":"#mp-1","rel":"related"},{"href":"#pe-1","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-1","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-1","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy."},{"id":"pm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-09","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.01","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;"},{"id":"pm-9_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.02","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-09b.","class":"sp800-53a"}],"prose":"the risk management strategy is implemented consistently across the organization;"},{"id":"pm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-09c.","class":"sp800-53a"}],"prose":"the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes."}]},{"id":"pm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\nprocedures addressing the development, implementation, review, and update of the risk management strategy\n\nrisk assessment results relevant to the risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the development, implementation, review, and update of the risk management strategy\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development, implementation, review, and update of the risk management strategy\n\nmechanisms supporting the development, implementation, review, and update of the risk management strategy"}]}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","props":[{"name":"label","value":"PM-10"},{"name":"label","value":"PM-10","class":"sp800-53a"},{"name":"sort-id","value":"pm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."},{"id":"pm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-10","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[01]","class":"sp800-53a"}],"prose":"the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;"},{"id":"pm-10_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[02]","class":"sp800-53a"}],"prose":"the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;"}]},{"id":"pm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-10b.","class":"sp800-53a"}],"prose":"individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;"},{"id":"pm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-10c.","class":"sp800-53a"}],"prose":"the authorization processes are integrated into an organization-wide risk management program."}]},{"id":"pm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nprocedures addressing management (i.e., documentation, tracking, and reporting) of the authorization process\n\nassessment, authorization, and monitoring policy\n\nassessment, authorization, and monitoring procedures\n\nsystem authorization documentation\n\nlists or other documentation about authorization process roles and responsibilities\n\nrisk assessment results relevant to the authorization process and the organization-wide risk management program\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for management of the authorization process\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorization\n\nmechanisms supporting the authorization process"}]}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","params":[{"id":"pm-11_odp","props":[{"name":"alt-identifier","value":"pm-11_prm_1"},{"name":"label","value":"PM-11_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and revise the mission and business processes is defined;"}]}],"props":[{"name":"label","value":"PM-11"},{"name":"label","value":"PM-11","class":"sp800-53a"},{"name":"sort-id","value":"pm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures."},{"id":"pm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-11","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[01]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for information security;"},{"id":"pm-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[02]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for privacy;"},{"id":"pm-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[03]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[01]","class":"sp800-53a"}],"prose":"information protection needs arising from the defined mission and business processes are determined;"},{"id":"pm-11_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[02]","class":"sp800-53a"}],"prose":"personally identifiable information processing needs arising from the defined mission and business processes are determined;"}]},{"id":"pm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-11c.","class":"sp800-53a"}],"prose":"the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for determining mission and business protection needs\n\ninformation security and privacy risk assessment results relevant to the determination of mission and business protection needs\n\npersonally identifiable information processing policy\n\npersonally identifiable information inventory\n\nother relevant documents or records"}]},{"id":"pm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for enterprise risk management\n\norganizational personnel responsible for determining information protection needs for mission and business processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining mission and business processes and their information protection needs"}]}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","props":[{"name":"label","value":"PM-13"},{"name":"label","value":"PM-13","class":"sp800-53a"},{"name":"sort-id","value":"pm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."},{"id":"pm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-13","class":"sp800-53a"}],"parts":[{"id":"pm-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-13[01]","class":"sp800-53a"}],"prose":"a security workforce development and improvement program is established;"},{"id":"pm-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-13[02]","class":"sp800-53a"}],"prose":"a privacy workforce development and improvement program is established."}]},{"id":"pm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security and privacy workforce development and improvement program documentation\n\nprocedures for the information security and privacy workforce development and improvement program\n\ninformation security and privacy role-based training program documentation\n\nother relevant documents or records"}]},{"id":"pm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the information security and privacy workforce development and improvement program\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the information security and privacy workforce development and improvement program\n\nmechanisms supporting and\/or implementing the information security and privacy workforce development and improvement program"}]}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","props":[{"name":"label","value":"PM-14"},{"name":"label","value":"PM-14","class":"sp800-53a"},{"name":"sort-id","value":"pm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."},{"id":"pm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-14","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;"},{"id":"pm-14_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;"},{"id":"pm-14_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[03]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;"},{"id":"pm-14_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[04]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;"}]},{"id":"pm-14_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;"},{"id":"pm-14_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;"}]}]},{"id":"pm-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[01]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[02]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[03]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[04]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with organization-wide priorities for risk response actions;"},{"id":"pm-14_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[05]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with organization-wide priorities for risk response actions;"},{"id":"pm-14_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[06]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions."}]}]},{"id":"pm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nplans for conducting security and privacy testing, training, and monitoring activities\n\norganizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nrisk management strategy\n\nprocedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with conducting security and privacy testing, training, and monitoring activities\n\ndocumentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities\n\nother relevant documents or records"}]},{"id":"pm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nmechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities"}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","params":[{"id":"pm-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.02"}],"label":"organization-defined frequency"},{"id":"pm-17_odp.01","props":[{"name":"label","value":"PM-17_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the policy is defined;"}]},{"id":"pm-17_odp.02","props":[{"name":"label","value":"PM-17_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the procedures is defined;"}]}],"props":[{"name":"label","value":"PM-17"},{"name":"label","value":"PM-17","class":"sp800-53a"},{"name":"sort-id","value":"pm-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#pm-10","rel":"related"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and"},{"id":"pm-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2017-title32-vol6\/xml\/CFR-2017-title32-vol6-part2002.xml) . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."},{"id":"pm-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-17","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[01]","class":"sp800-53a"}],"prose":"policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"},{"id":"pm-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[02]","class":"sp800-53a"}],"prose":"procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"}]},{"id":"pm-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[01]","class":"sp800-53a"}],"prose":"policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};"},{"id":"pm-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[02]","class":"sp800-53a"}],"prose":"procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} "}]}]},{"id":"pm-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Controlled unclassified information policy\n\ncontrolled unclassified information procedures\n\nother relevant documents or records."}]},{"id":"pm-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with controlled unclassified information responsibilities\n\norganizational personnel with information security responsibilities."}]}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","params":[{"id":"pm-18_odp","props":[{"name":"alt-identifier","value":"pm-18_prm_1"},{"name":"label","value":"PM-18_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of updates to the privacy program plan is defined;"}]}],"props":[{"name":"label","value":"PM-18"},{"name":"label","value":"PM-18","class":"sp800-53a"},{"name":"sort-id","value":"pm-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\n\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\n\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.\n\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."},{"id":"pm-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-18","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[01]","class":"sp800-53a"}],"prose":"an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;"},{"id":"pm-18_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the structure of the privacy program;"},{"id":"pm-18_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the resources dedicated to the privacy program;"}]},{"id":"pm-18_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[01]","class":"sp800-53a"}],"prose":"the privacy program plan provides an overview of the requirements for the privacy program;"},{"id":"pm-18_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[02]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;"},{"id":"pm-18_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[03]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;"}]},{"id":"pm-18_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes the role of the senior agency official for privacy;"},{"id":"pm-18_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;"}]},{"id":"pm-18_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[01]","class":"sp800-53a"}],"prose":"the privacy program plan describes management commitment;"},{"id":"pm-18_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[02]","class":"sp800-53a"}],"prose":"the privacy program plan describes compliance;"},{"id":"pm-18_obj.a.4-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[03]","class":"sp800-53a"}],"prose":"the privacy program plan describes the strategic goals and objectives of the privacy program;"}]},{"id":"pm-18_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.05","class":"sp800-53a"}],"prose":"the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;"},{"id":"pm-18_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.06","class":"sp800-53a"}],"prose":"the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"},{"id":"pm-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is disseminated;"}]},{"id":"pm-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[01]","class":"sp800-53a"}],"prose":"the privacy program plan is updated {{ insert: param, pm-18_odp }};"},{"id":"pm-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address changes in federal privacy laws and policies;"},{"id":"pm-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[03]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address organizational changes;"},{"id":"pm-18_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[04]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments."}]}]},{"id":"pm-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews, updates, and approvals\n\nprocedures addressing coordination of the program plan with relevant entities\n\nrecords of program plan reviews, updates, and approvals\n\nother relevant documents or records"}]},{"id":"pm-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","props":[{"name":"label","value":"PM-19"},{"name":"label","value":"PM-19","class":"sp800-53a"},{"name":"sort-id","value":"pm-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-18","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pm-27","rel":"related"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see [PM-23](#pm-23) ) and the data integrity board (see [PM-24](#pm-24))."},{"id":"pm-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-19","class":"sp800-53a"}],"parts":[{"id":"pm-19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-19[01]","class":"sp800-53a"}],"prose":"a senior agency official for privacy with authority, mission, accountability, and resources is appointed;"},{"id":"pm-19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-19[02]","class":"sp800-53a"}],"prose":"the senior agency official for privacy coordinates applicable privacy requirements;"},{"id":"pm-19_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-19[03]","class":"sp800-53a"}],"prose":"the senior agency official for privacy develops applicable privacy requirements;"},{"id":"pm-19_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-19[04]","class":"sp800-53a"}],"prose":"the senior agency official for privacy implements applicable privacy requirements;"},{"id":"pm-19_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-19[05]","class":"sp800-53a"}],"prose":"the senior agency official for privacy manages privacy risks through the organization-wide privacy program."}]},{"id":"pm-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program documents, including policies, procedures, plans, and reports\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements\n\nsystem of records notices\n\ncomputer matching agreements and notices\n\ncontracts, information sharing agreements, and memoranda of understanding\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance\n\nother relevant documents or records"}]},{"id":"pm-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities\n\nsenior agency official for privacy\n\nprivacy officials"}]}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","props":[{"name":"label","value":"PM-20"},{"name":"label","value":"PM-20","class":"sp800-53a"},{"name":"sort-id","value":"pm-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and\/or phone lines to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"For federal agencies, the webpage is located at www.[agency].gov\/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions\/complaints, blogs, and periodic publications."},{"id":"pm-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20[01]","class":"sp800-53a"}],"prose":"a central resource webpage is maintained on the organization’s principal public website;"},{"id":"pm-20_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20[02]","class":"sp800-53a"}],"prose":"the webpage serves as a central source of information about the organization’s privacy program;"},{"id":"pm-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that the public has access to information about organizational privacy activities;"},{"id":"pm-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that the public can communicate with its senior agency official for privacy;"}]},{"id":"pm-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy practices are publicly available;"},{"id":"pm-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy reports are publicly available;"}]},{"id":"pm-20_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20c.","class":"sp800-53a"}],"prose":"the webpage employs publicly facing email addresses and\/or phone numbers to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Public website\n\npublicly posted privacy program documents, including policies, procedures, plans, and reports\n\nposition description of the senior agency official for privacy\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements and system of records notices\n\ncomputer matching agreements and notices\n\nother relevant documents or records"}]},{"id":"pm-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Location, access, availability, and functionality of privacy resource webpage"}]}],"controls":[{"id":"pm-20.1","class":"SP800-53-enhancement","title":"Privacy Policies on Websites, Applications, and Digital Services","props":[{"name":"label","value":"PM-20(1)"},{"name":"label","value":"PM-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-20","rel":"required"}],"parts":[{"id":"pm-20.1_smt","name":"statement","prose":"Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:","parts":[{"id":"pm-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Are written in plain language and organized in a way that is easy to understand and navigate;"},{"id":"pm-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and"},{"id":"pm-20.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are updated whenever the organization makes a substantive change to the practices it describes and includes a time\/date stamp to inform the public of the date of the most recent changes."}]},{"id":"pm-20.1_gdn","name":"guidance","prose":"Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"pm-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[01]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all external-facing websites;"},{"id":"pm-20.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[02]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all mobile applications;"},{"id":"pm-20.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[03]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all other digital services;"},{"id":"pm-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[01]","class":"sp800-53a"}],"prose":"the privacy policies are written in plain language;"},{"id":"pm-20.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy policies are organized in a way that is easy to understand and navigate;"}]},{"id":"pm-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[01]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;"},{"id":"pm-20.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;"}]},{"id":"pm-20.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[01]","class":"sp800-53a"}],"prose":"the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;"},{"id":"pm-20.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[02]","class":"sp800-53a"}],"prose":"the privacy policies include a time\/date stamp to inform the public of the date of the most recent changes."}]}]},{"id":"pm-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy policies on the agency website, mobile applications, and\/or other digital services"}]},{"id":"pm-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational procedures and practices for disseminating privacy program information\n\nmechanisms supporting the dissemination of privacy program information"}]}]}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","props":[{"name":"label","value":"PM-21"},{"name":"label","value":"PM-21","class":"sp800-53a"},{"name":"sort-id","value":"pm-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the individual or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\n\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions."},{"id":"pm-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-21","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.","class":"sp800-53a"}],"prose":"an accurate accounting of disclosures of personally identifiable information is developed and maintained;","parts":[{"id":"pm-21_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[01]","class":"sp800-53a"}],"prose":"the accounting includes the date of each disclosure;"},{"id":"pm-21_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[02]","class":"sp800-53a"}],"prose":"the accounting includes the nature of each disclosure;"},{"id":"pm-21_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[03]","class":"sp800-53a"}],"prose":"the accounting includes the purpose of each disclosure;"}]},{"id":"pm-21_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[01]","class":"sp800-53a"}],"prose":"the accounting includes the name of the individual or organization to whom the disclosure was made;"},{"id":"pm-21_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[02]","class":"sp800-53a"}],"prose":"the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;"}]}]},{"id":"pm-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-21b.","class":"sp800-53a"}],"prose":"the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;"},{"id":"pm-21_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-21c.","class":"sp800-53a"}],"prose":"the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndisclosure policies and procedures\n\nrecords of disclosures\n\naudit logs\n\nPrivacy Act policies and procedures\n\nsystem of records notice\n\nPrivacy Act exemption rules."}]},{"id":"pm-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities."}]},{"id":"pm-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for disclosures\n\nmechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts."}]}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","props":[{"name":"label","value":"PM-22"},{"name":"label","value":"PM-22","class":"sp800-53a"},{"name":"sort-id","value":"pm-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document organization-wide policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\n\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\n\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."},{"id":"pm-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-22","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22[01]","class":"sp800-53a"}],"prose":"organization-wide policies for personally identifiable information quality management are developed and documented;"},{"id":"pm-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22[02]","class":"sp800-53a"}],"prose":"organization-wide procedures for personally identifiable information quality management are developed and documented;"},{"id":"pm-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[01]","class":"sp800-53a"}],"prose":"the policies address reviewing the accuracy of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[02]","class":"sp800-53a"}],"prose":"the policies address reviewing the relevance of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[03]","class":"sp800-53a"}],"prose":"the policies address reviewing the timeliness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[04]","class":"sp800-53a"}],"prose":"the policies address reviewing the completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[05]","class":"sp800-53a"}],"prose":"the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[06]","class":"sp800-53a"}],"prose":"the procedures address reviewing the relevance of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[07]","class":"sp800-53a"}],"prose":"the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[08]","class":"sp800-53a"}],"prose":"the procedures address reviewing the completeness of personally identifiable information across the information life cycle;"}]},{"id":"pm-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[01]","class":"sp800-53a"}],"prose":"the policies address correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[02]","class":"sp800-53a"}],"prose":"the procedures address correcting or deleting inaccurate or outdated personally identifiable information;"}]},{"id":"pm-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[01]","class":"sp800-53a"}],"prose":"the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"},{"id":"pm-22_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[02]","class":"sp800-53a"}],"prose":"the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"}]},{"id":"pm-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[01]","class":"sp800-53a"}],"prose":"the policies address appeals of adverse decisions on correction or deletion requests;"},{"id":"pm-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[02]","class":"sp800-53a"}],"prose":"the procedures address appeals of adverse decisions on correction or deletion requests."}]}]},{"id":"pm-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion\n\nrecords of monitoring PII quality management practices\n\ndocumentation of reviews and updates of policies and procedures"}]},{"id":"pm-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"[Organizational processes for data quality and personally identifiable information quality management procedures\n\nmechanisms supporting and\/or implementing quality management requirements"}]}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","props":[{"name":"label","value":"PM-24"},{"name":"label","value":"PM-24","class":"sp800-53a"},{"name":"sort-id","value":"pm-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-8","rel":"related"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."},{"id":"pm-24_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-24","class":"sp800-53a"}],"prose":"a Data Integrity Board is established;","parts":[{"id":"pm-24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-24a.","class":"sp800-53a"}],"prose":"the Data Integrity Board reviews proposals to conduct or participate in a matching program;"},{"id":"pm-24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-24b.","class":"sp800-53a"}],"prose":"the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy program documents relating to the Data Integrity Board, including documents establishing the board, its charter of operations, and any plans and reports\n\ncomputer matching agreements and notices\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nrecords documenting annual reviews\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance"}]},{"id":"pm-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"members of the Data Integrity Board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency Inspector General)"}]}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Personally Identifiable Information Used in Testing, Training, and Research","params":[{"id":"pm-25_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.04"}],"label":"organization-defined frequency"},{"id":"pm-25_odp.01","props":[{"name":"label","value":"PM-25_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.02","props":[{"name":"label","value":"PM-25_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.03","props":[{"name":"label","value":"PM-25_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.04","props":[{"name":"label","value":"PM-25_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]}],"props":[{"name":"label","value":"PM-25"},{"name":"label","value":"PM-25","class":"sp800-53a"},{"name":"sort-id","value":"pm-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and\/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research."},{"id":"pm-25_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-25","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[01]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing are developed and documented;"},{"id":"pm-25_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[02]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal training are developed and documented;"},{"id":"pm-25_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[03]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal research are developed and documented;"},{"id":"pm-25_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[04]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are developed and documented;"},{"id":"pm-25_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[05]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal training are developed and documented;"},{"id":"pm-25_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[06]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal research are developed and documented;"},{"id":"pm-25_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[07]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing, are implemented;"},{"id":"pm-25_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[08]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for training are implemented;"},{"id":"pm-25_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[09]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for research are implemented;"},{"id":"pm-25_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[10]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are implemented;"},{"id":"pm-25_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[11]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for training are implemented;"},{"id":"pm-25_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[12]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for research are implemented;"}]},{"id":"pm-25_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[01]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal testing purposes is limited or minimized;"},{"id":"pm-25_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[02]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal training purposes is limited or minimized;"},{"id":"pm-25_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[03]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal research purposes is limited or minimized;"}]},{"id":"pm-25_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[01]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal testing is authorized;"},{"id":"pm-25_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[02]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal training is authorized;"},{"id":"pm-25_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[03]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal research is authorized;"}]},{"id":"pm-25_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[01]","class":"sp800-53a"}],"prose":"policies are reviewed {{ insert: param, pm-25_odp.01 }};"},{"id":"pm-25_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[02]","class":"sp800-53a"}],"prose":"policies are updated {{ insert: param, pm-25_odp.02 }};"},{"id":"pm-25_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[03]","class":"sp800-53a"}],"prose":"procedures are reviewed {{ insert: param, pm-25_odp.03 }};"},{"id":"pm-25_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[04]","class":"sp800-53a"}],"prose":"procedures are updated {{ insert: param, pm-25_odp.04 }}."}]}]},{"id":"pm-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting policy implementation (e.g., templates for testing, training, and research\n\nprivacy threshold analysis\n\nprivacy risk assessment)\n\ndata sets used for testing, training, and research"}]},{"id":"pm-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"pm-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for data quality and personally identifiable information management\n\nmechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information"}]}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","params":[{"id":"pm-26_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.02"}],"label":"organization-defined time period"},{"id":"pm-26_odp.01","props":[{"name":"label","value":"PM-26_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;"}]},{"id":"pm-26_odp.02","props":[{"name":"label","value":"PM-26_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;"}]},{"id":"pm-26_odp.03","props":[{"name":"alt-identifier","value":"pm-26_prm_2"},{"name":"label","value":"PM-26_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for acknowledging the receipt of complaints is defined;"}]},{"id":"pm-26_odp.04","props":[{"name":"alt-identifier","value":"pm-26_prm_3"},{"name":"label","value":"PM-26_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for responding to complaints is defined;"}]}],"props":[{"name":"label","value":"PM-26"},{"name":"label","value":"PM-26","class":"sp800-53a"},{"name":"sort-id","value":"pm-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }} ; and"},{"id":"pm-26_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes."},{"id":"pm-26_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-26","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26[01]","class":"sp800-53a"}],"prose":"a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"},{"id":"pm-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26[02]","class":"sp800-53a"}],"prose":"a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"},{"id":"pm-26_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are easy to use by the public;"},{"id":"pm-26_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are readily accessible by the public;"}]},{"id":"pm-26_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-26b.","class":"sp800-53a"}],"prose":"the complaint management process includes all information necessary for successfully filing complaints;"},{"id":"pm-26_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};"},{"id":"pm-26_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};"}]},{"id":"pm-26_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-26d.","class":"sp800-53a"}],"prose":"the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};"},{"id":"pm-26_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-26e.","class":"sp800-53a"}],"prose":"the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing complaint management\n\ncomplaint documentation\n\nprocedures addressing the reviews of complaints\n\nother relevant documents or records"}]},{"id":"pm-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for complaint management\n\nmechanisms supporting complaint management\n\ntools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms"}]}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","params":[{"id":"pm-27_odp.01","props":[{"name":"alt-identifier","value":"pm-27_prm_1"},{"name":"label","value":"PM-27_ODP[01]","class":"sp800-53a"}],"label":"privacy reports","guidelines":[{"prose":"privacy reports are defined;"}]},{"id":"pm-27_odp.02","props":[{"name":"alt-identifier","value":"pm-27_prm_2"},{"name":"label","value":"PM-27_ODP[02]","class":"sp800-53a"}],"label":"oversight bodies","guidelines":[{"prose":"privacy oversight bodies are defined;"}]},{"id":"pm-27_odp.03","props":[{"name":"alt-identifier","value":"pm-27_prm_3"},{"name":"label","value":"PM-27_ODP[03]","class":"sp800-53a"}],"label":"officials","guidelines":[{"prose":"officials responsible for monitoring privacy program compliance are defined;"}]},{"id":"pm-27_odp.04","props":[{"name":"alt-identifier","value":"pm-27_prm_4"},{"name":"label","value":"PM-27_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating privacy reports is defined;"}]}],"props":[{"name":"label","value":"PM-27"},{"name":"label","value":"PM-27","class":"sp800-53a"},{"name":"sort-id","value":"pm-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop {{ insert: param, pm-27_odp.01 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9\/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."},{"id":"pm-27_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-27","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.","class":"sp800-53a"}],"prose":" {{ insert: param, pm-27_odp.01 }} are developed;","parts":[{"id":"pm-27_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.01","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;"},{"id":"pm-27_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[01]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};"},{"id":"pm-27_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[02]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;"}]}]},{"id":"pm-27_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-27b.","class":"sp800-53a"}],"prose":"the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ninternal and external privacy reports\n\nprivacy program plan\n\nannual senior agency official for privacy reports to OMB\n\nreports to Congress required by law, regulation, or policy, including internal policies\n\nrecords documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance\n\nrecords of review and updates of privacy reports."}]},{"id":"pm-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nlegal counsel."}]}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","params":[{"id":"pm-28_odp.01","props":[{"name":"alt-identifier","value":"pm-28_prm_1"},{"name":"label","value":"PM-28_ODP[01]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"the personnel to receive the results of risk framing activities is\/are defined;"}]},{"id":"pm-28_odp.02","props":[{"name":"alt-identifier","value":"pm-28_prm_2"},{"name":"label","value":"PM-28_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating risk framing considerations is defined;"}]}],"props":[{"name":"label","value":"PM-28"},{"name":"label","value":"PM-28","class":"sp800-53a"},{"name":"sort-id","value":"pm-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance;"}]},{"id":"pm-28_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }} ; and"},{"id":"pm-28_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."},{"id":"pm-28_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-28","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[01]","class":"sp800-53a"}],"prose":"assumptions affecting risk assessments are identified and documented;"},{"id":"pm-28_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[02]","class":"sp800-53a"}],"prose":"assumptions affecting risk responses are identified and documented;"},{"id":"pm-28_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[03]","class":"sp800-53a"}],"prose":"assumptions affecting risk monitoring are identified and documented;"}]},{"id":"pm-28_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[01]","class":"sp800-53a"}],"prose":"constraints affecting risk assessments are identified and documented;"},{"id":"pm-28_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[02]","class":"sp800-53a"}],"prose":"constraints affecting risk responses are identified and documented;"},{"id":"pm-28_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[03]","class":"sp800-53a"}],"prose":"constraints affecting risk monitoring are identified and documented;"}]},{"id":"pm-28_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[01]","class":"sp800-53a"}],"prose":"priorities considered by the organization for managing risk are identified and documented;"},{"id":"pm-28_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[02]","class":"sp800-53a"}],"prose":"trade-offs considered by the organization for managing risk are identified and documented;"}]},{"id":"pm-28_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.04","class":"sp800-53a"}],"prose":"organizational risk tolerance is identified and documented;"}]},{"id":"pm-28_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-28b.","class":"sp800-53a"}],"prose":"the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};"},{"id":"pm-28_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-28c.","class":"sp800-53a"}],"prose":"risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management strategy\n\ndocumentation of risk framing activities\n\npolicies and procedures for risk framing activities\n\nrisk management strategy"}]},{"id":"pm-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel (including mission, business, and system owners or stewards\n\nauthorizing officials\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\nand senior accountable official for risk management)"}]},{"id":"pm-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational processes for risk framing\n\nmechanisms supporting the development, review, update, and approval of risk framing"}]}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","params":[{"id":"pm-31_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.05"}],"label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.07"}],"label":"organization-defined frequency"},{"id":"pm-31_odp.01","props":[{"name":"alt-identifier","value":"pm-31_prm_1"},{"name":"label","value":"PM-31_ODP[01]","class":"sp800-53a"}],"label":"metrics","guidelines":[{"prose":"the metrics for organization-wide continuous monitoring are defined;"}]},{"id":"pm-31_odp.02","props":[{"name":"alt-identifier","value":"pm-31_prm_2"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for monitoring is defined;"}]},{"id":"pm-31_odp.03","props":[{"name":"alt-identifier","value":"pm-31_prm_3"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for assessing control effectiveness is defined;"}]},{"id":"pm-31_odp.04","props":[{"name":"label","value":"PM-31_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the security status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.05","props":[{"name":"label","value":"PM-31_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the privacy status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.06","props":[{"name":"label","value":"PM-31_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the security status of organizational systems is defined;"}]},{"id":"pm-31_odp.07","props":[{"name":"label","value":"PM-31_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the privacy status of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-31"},{"name":"label","value":"PM-31","class":"sp800-53a"},{"name":"sort-id","value":"pm-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }};"},{"id":"pm-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CA-7](#ca-7), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), [SI-4](#si-4)."},{"id":"pm-31_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-31","class":"sp800-53a"}],"prose":"an organization-wide continuous monitoring strategy is developed;","parts":[{"id":"pm-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-31a.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;"},{"id":"pm-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;"},{"id":"pm-31_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"}]},{"id":"pm-31_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-31c.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;"},{"id":"pm-31_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;"},{"id":"pm-31_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;"}]},{"id":"pm-31_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;"},{"id":"pm-31_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;"}]},{"id":"pm-31_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};"},{"id":"pm-31_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}."}]}]},{"id":"pm-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management plan\n\ncontinuous monitoring strategy\n\nrisk management strategy\n\ninformation security continuous monitoring program documentation, reporting, metrics, and artifacts\n\ninformation security continuous monitoring program assessment documentation, reporting, metrics, and artifacts\n\nassessment and authorization policy\n\nprocedures addressing the continuous monitoring of controls\n\nprivacy program continuous monitoring documentation, reporting, metrics, and artifacts\n\ncontinuous monitoring program records, security, and privacy impact analyses\n\nstatus reports\n\nrisk response documentation\n\nother relevant documents or records."}]},{"id":"pm-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]},{"id":"pm-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;"},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]}]},{"id":"pt","class":"family","title":"Personally Identifiable Information Processing and Transparency","controls":[{"id":"pt-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pt-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pt-01_odp.01","props":[{"name":"label","value":"PT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.02","props":[{"name":"label","value":"PT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.03","props":[{"name":"alt-identifier","value":"pt-1_prm_2"},{"name":"label","value":"PT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pt-01_odp.04","props":[{"name":"alt-identifier","value":"pt-1_prm_3"},{"name":"label","value":"PT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personally identifiable information processing and transparency policy and procedures is defined;"}]},{"id":"pt-01_odp.05","props":[{"name":"alt-identifier","value":"pt-1_prm_4"},{"name":"label","value":"PT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;"}]},{"id":"pt-01_odp.06","props":[{"name":"alt-identifier","value":"pt-1_prm_5"},{"name":"label","value":"PT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;"}]},{"id":"pt-01_odp.07","props":[{"name":"alt-identifier","value":"pt-1_prm_6"},{"name":"label","value":"PT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;"}]},{"id":"pt-01_odp.08","props":[{"name":"alt-identifier","value":"pt-1_prm_7"},{"name":"label","value":"PT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PT-1"},{"name":"label","value":"PT-01","class":"sp800-53a"},{"name":"sort-id","value":"pt-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"pt-1_smt","name":"statement","parts":[{"id":"pt-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}:","parts":[{"id":"pt-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that:","parts":[{"id":"pt-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pt-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pt-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;"}]},{"id":"pt-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pt-01_odp.04 }} to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and"},{"id":"pt-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personally identifiable information processing and transparency:","parts":[{"id":"pt-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pt-01_odp.05 }} and following {{ insert: param, pt-01_odp.06 }} ; and"},{"id":"pt-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pt-01_odp.07 }} and following {{ insert: param, pt-01_odp.08 }}."}]}]},{"id":"pt-1_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pt-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[01]","class":"sp800-53a"}],"prose":"a personally identifiable information processing and transparency policy is developed and documented;"},{"id":"pt-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[02]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};"},{"id":"pt-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[03]","class":"sp800-53a"}],"prose":"personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;"},{"id":"pt-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[04]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};"},{"id":"pt-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;"},{"id":"pt-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;"},{"id":"pt-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;"},{"id":"pt-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;"},{"id":"pt-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;"},{"id":"pt-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;"},{"id":"pt-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;"}]},{"id":"pt-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pt-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;"},{"id":"pt-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};"},{"id":"pt-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};"}]},{"id":"pt-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};"},{"id":"pt-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}."}]}]}]},{"id":"pt-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"pt-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pt-2","class":"SP800-53","title":"Authority to Process Personally Identifiable Information","params":[{"id":"pt-02_odp.01","props":[{"name":"alt-identifier","value":"pt-2_prm_1"},{"name":"label","value":"PT-02_ODP[01]","class":"sp800-53a"}],"label":"authority","guidelines":[{"prose":"the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;"}]},{"id":"pt-02_odp.02","props":[{"name":"alt-identifier","value":"pt-2_prm_2"},{"name":"label","value":"PT-02_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information is defined;"}]},{"id":"pt-02_odp.03","props":[{"name":"alt-identifier","value":"pt-2_prm_3"},{"name":"label","value":"PT-02_ODP[03]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information to be restricted is defined;"}]}],"props":[{"name":"label","value":"PT-2"},{"name":"label","value":"PT-02","class":"sp800-53a"},{"name":"sort-id","value":"pt-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-2_smt","name":"statement","parts":[{"id":"pt-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and"},{"id":"pt-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized."}]},{"id":"pt-2_gdn","name":"guidance","prose":"The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\n\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\n\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.\n\nOrganizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information."},{"id":"pt-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02","class":"sp800-53a"}],"parts":[{"id":"pt-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-02a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;"},{"id":"pt-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-02b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized."}]},{"id":"pt-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}]},{"id":"pt-3","class":"SP800-53","title":"Personally Identifiable Information Processing Purposes","params":[{"id":"pt-03_odp.01","props":[{"name":"alt-identifier","value":"pt-3_prm_1"},{"name":"label","value":"PT-03_ODP[01]","class":"sp800-53a"}],"label":"purpose(s)","guidelines":[{"prose":"the purpose(s) for processing personally identifiable information is\/are defined;"}]},{"id":"pt-03_odp.02","props":[{"name":"alt-identifier","value":"pt-3_prm_2"},{"name":"label","value":"PT-03_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the processing of personally identifiable information to be restricted is defined;"}]},{"id":"pt-03_odp.03","props":[{"name":"alt-identifier","value":"pt-3_prm_3"},{"name":"label","value":"PT-03_ODP[03]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;"}]},{"id":"pt-03_odp.04","props":[{"name":"alt-identifier","value":"pt-3_prm_4"},{"name":"label","value":"PT-03_ODP[04]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for changing the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3"},{"name":"label","value":"PT-03","class":"sp800-53a"},{"name":"sort-id","value":"pt-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-3_smt","name":"statement","parts":[{"id":"pt-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information;"},{"id":"pt-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Describe the purpose(s) in the public privacy notices and policies of the organization;"},{"id":"pt-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and"},{"id":"pt-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]},{"id":"pt-3_gdn","name":"guidance","prose":"Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term \"process\" includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching notices, and other applicable Federal Register notices.\n\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\n\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes."},{"id":"pt-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-03a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is\/are identified and documented;"},{"id":"pt-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[01]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the public privacy notices of the organization;"},{"id":"pt-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[02]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the policies of the organization;"}]},{"id":"pt-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-03c.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);"},{"id":"pt-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[01]","class":"sp800-53a"}],"prose":"changes in the processing of personally identifiable information are monitored;"},{"id":"pt-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]}]},{"id":"pt-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconfiguration management plan\n\norganizational privacy notices\n\norganizational policies\n\nPrivacy Act statements\n\ncomputer matching notices\n\napplicable Federal Register notices\n\ndocumented requirements for enforcing and monitoring the processing of personally identifiable information\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the management of authorized personally identifiable information processing\n\norganizational processes for monitoring changes in processing personally identifiable information"}]}]},{"id":"pt-4","class":"SP800-53","title":"Consent","params":[{"id":"pt-04_odp","props":[{"name":"alt-identifier","value":"pt-4_prm_1"},{"name":"label","value":"PT-04_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4"},{"name":"label","value":"PT-04","class":"sp800-53a"},{"name":"sort-id","value":"pt-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-4_smt","name":"statement","prose":"Implement {{ insert: param, pt-04_odp }} for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_gdn","name":"guidance","prose":"Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon."},{"id":"pt-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nevidence of individuals’ consent\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nconsent tools or mechanisms for users to authorize the processing of their personally identifiable information\n\nmechanisms implementing consent"}]}]},{"id":"pt-5","class":"SP800-53","title":"Privacy Notice","params":[{"id":"pt-05_odp.01","props":[{"name":"alt-identifier","value":"pt-5_prm_1"},{"name":"label","value":"PT-05_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;"}]},{"id":"pt-05_odp.02","props":[{"name":"alt-identifier","value":"pt-5_prm_2"},{"name":"label","value":"PT-05_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included with the notice about the processing of personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PT-5"},{"name":"label","value":"PT-05","class":"sp800-53a"},{"name":"sort-id","value":"pt-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-20","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-5_smt","name":"statement","prose":"Provide notice to individuals about the processing of personally identifiable information that:","parts":[{"id":"pt-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};"},{"id":"pt-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;"},{"id":"pt-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies the authority that authorizes the processing of personally identifiable information;"},{"id":"pt-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Identifies the purposes for which personally identifiable information is to be processed; and"},{"id":"pt-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Includes {{ insert: param, pt-05_odp.02 }}."}]},{"id":"pt-5_gdn","name":"guidance","prose":"Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\n\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon."},{"id":"pt-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[01]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;"},{"id":"pt-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[02]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};"}]},{"id":"pt-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-05b.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;"},{"id":"pt-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-05c.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;"},{"id":"pt-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-05d.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;"},{"id":"pt-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-05e.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided."}]},{"id":"pt-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}],"controls":[{"id":"pt-5.2","class":"SP800-53-enhancement","title":"Privacy Act Statements","props":[{"name":"label","value":"PT-5(2)"},{"name":"label","value":"PT-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"pt-5.2_smt","name":"statement","prose":"Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals."},{"id":"pt-5.2_gdn","name":"guidance","prose":"If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n\n [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)."},{"id":"pt-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(02)","class":"sp800-53a"}],"prose":"Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals."},{"id":"pt-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nforms that include Privacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals"}]}]}]},{"id":"pt-6","class":"SP800-53","title":"System of Records Notice","props":[{"name":"label","value":"PT-6"},{"name":"label","value":"PT-06","class":"sp800-53a"},{"name":"sort-id","value":"pt-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-6_smt","name":"statement","prose":"For systems that process information that will be maintained in a Privacy Act system of records:","parts":[{"id":"pt-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;"},{"id":"pt-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Publish system of records notices in the Federal Register; and"},{"id":"pt-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Keep system of records notices accurate, up-to-date, and scoped in accordance with policy."}]},{"id":"pt-6_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and\/or modification of a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108](#3671ff20-c17c-44d6-8a88-7de203fa74aa)."},{"id":"pt-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[01]","class":"sp800-53a"}],"prose":"system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;"},{"id":"pt-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[02]","class":"sp800-53a"}],"prose":"new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;"}]},{"id":"pt-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-06b.","class":"sp800-53a"}],"prose":"system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;"},{"id":"pt-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-06c.","class":"sp800-53a"}],"prose":"system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records."}]},{"id":"pt-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}],"controls":[{"id":"pt-6.1","class":"SP800-53-enhancement","title":"Routine Uses","params":[{"id":"pt-06.01_odp","props":[{"name":"alt-identifier","value":"pt-6.1_prm_1"},{"name":"label","value":"PT-06(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all routine uses published in the system of records notice is defined;"}]}],"props":[{"name":"label","value":"PT-6(1)"},{"name":"label","value":"PT-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.1_smt","name":"statement","prose":"Review all routine uses published in the system of records notice at {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_gdn","name":"guidance","prose":"A [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice."},{"id":"pt-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(01)","class":"sp800-53a"}],"prose":"all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing system of records notices"}]}]},{"id":"pt-6.2","class":"SP800-53-enhancement","title":"Exemption Rules","params":[{"id":"pt-06.02_odp","props":[{"name":"alt-identifier","value":"pt-6.2_prm_1"},{"name":"label","value":"PT-06(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;"}]}],"props":[{"name":"label","value":"PT-6(2)"},{"name":"label","value":"PT-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.2_smt","name":"statement","prose":"Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice."},{"id":"pt-6.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . At a minimum, organizations’ [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate."},{"id":"pt-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)","class":"sp800-53a"}],"parts":[{"id":"pt-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[01]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;"},{"id":"pt-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[02]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;"},{"id":"pt-6.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[03]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice."}]},{"id":"pt-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nPrivacy Act exemptions\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}]}]},{"id":"pt-7","class":"SP800-53","title":"Specific Categories of Personally Identifiable Information","params":[{"id":"pt-07_odp","props":[{"name":"alt-identifier","value":"pt-7_prm_1"},{"name":"label","value":"PT-07_ODP","class":"sp800-53a"}],"label":"processing conditions","guidelines":[{"prose":"processing conditions to be applied for specific categories of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-7"},{"name":"label","value":"PT-07","class":"sp800-53a"},{"name":"sort-id","value":"pt-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pt-7_smt","name":"statement","prose":"Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information."},{"id":"pt-7_gdn","name":"guidance","prose":"Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary."},{"id":"pt-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07","class":"sp800-53a"}],"prose":" {{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information."},{"id":"pt-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\ncomputer matching agreements and notices\n\ncontracts\n\nprivacy information sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}],"controls":[{"id":"pt-7.1","class":"SP800-53-enhancement","title":"Social Security Numbers","props":[{"name":"label","value":"PT-7(1)"},{"name":"label","value":"PT-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"},{"href":"#ia-4","rel":"related"}],"parts":[{"id":"pt-7.1_smt","name":"statement","prose":"When a system processes Social Security numbers:","parts":[{"id":"pt-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;"},{"id":"pt-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and"},{"id":"pt-7.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it."}]},{"id":"pt-7.1_gdn","name":"guidance","prose":"Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply."},{"id":"pt-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;"},{"id":"pt-7.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;"}]},{"id":"pt-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(b)","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;"},{"id":"pt-7.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;"},{"id":"pt-7.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;"},{"id":"pt-7.1_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[03]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it."}]}]},{"id":"pt-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy notice\n\nseparate notice regarding the use of Social Security numbers\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers\n\nimplementation of an alternative to Social Security numbers as identifiers"}]}]},{"id":"pt-7.2","class":"SP800-53-enhancement","title":"First Amendment Information","props":[{"name":"label","value":"PT-7(2)"},{"name":"label","value":"PT-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"}],"parts":[{"id":"pt-7.2_smt","name":"statement","prose":"Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements."},{"id":"pt-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(02)","class":"sp800-53a"}],"prose":"the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}]}]},{"id":"pt-8","class":"SP800-53","title":"Computer Matching Requirements","props":[{"name":"label","value":"PT-8"},{"name":"label","value":"PT-08","class":"sp800-53a"},{"name":"sort-id","value":"pt-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#94c64e1a-456c-457f-86da-83ac0dfc85ac","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-24","rel":"related"}],"parts":[{"id":"pt-8_smt","name":"statement","prose":"When a system or organization processes information for the purpose of conducting a matching program:","parts":[{"id":"pt-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain approval from the Data Integrity Board to conduct the matching program;"},{"id":"pt-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop and enter into a computer matching agreement;"},{"id":"pt-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Publish a matching notice in the Federal Register;"},{"id":"pt-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and"},{"id":"pt-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual."}]},{"id":"pt-8_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any."},{"id":"pt-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-08","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-08a.","class":"sp800-53a"}],"prose":"approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[01]","class":"sp800-53a"}],"prose":"a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[02]","class":"sp800-53a"}],"prose":"a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;"}]},{"id":"pt-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-08c.","class":"sp800-53a"}],"prose":"a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-08d.","class":"sp800-53a"}],"prose":"the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[01]","class":"sp800-53a"}],"prose":"individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[02]","class":"sp800-53a"}],"prose":"individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program."}]}]},{"id":"pt-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nData Integrity Board determinations\n\ncontracts\n\ninformation sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing\n\nmatching program"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;"},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."}]}]}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;"},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance."}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-8","class":"SP800-53","title":"Privacy Impact Assessments","props":[{"name":"label","value":"RA-8"},{"name":"label","value":"RA-08","class":"sp800-53a"},{"name":"sort-id","value":"ra-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#7b0b9634-741a-4335-b6fa-161228c3a76e","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d229ae60-51dd-4d7b-a8bf-1f7195cc7561","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ra-8_smt","name":"statement","prose":"Conduct privacy impact assessments for systems, programs, or other activities before:","parts":[{"id":"ra-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Developing or procuring information technology that processes personally identifiable information; and"},{"id":"ra-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiating a new collection of personally identifiable information that:","parts":[{"id":"ra-8_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Will be processed using information technology; and"},{"id":"ra-8_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_gdn","name":"guidance","prose":"A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.\n\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\n\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV](#7b0b9634-741a-4335-b6fa-161228c3a76e) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision."},{"id":"ra-8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-08","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-08a.","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;"},{"id":"ra-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[01]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;"},{"id":"ra-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[02]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy risk assessment reports\n\nacquisitions documents\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nprogram managers\n\nlegal counsel\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;"},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."}]}]}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;"},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;"},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation."}]}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;"},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;"},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;"},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities."}]}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}],"controls":[{"id":"sa-8.33","class":"SP800-53-enhancement","title":"Minimization","params":[{"id":"sa-08.33_odp","props":[{"name":"alt-identifier","value":"sa-8.33_prm_1"},{"name":"label","value":"SA-08(33)_ODP","class":"sp800-53a"}],"label":"processes","guidelines":[{"prose":"processes that implement the privacy principle of minimization are defined;"}]}],"props":[{"name":"label","value":"SA-8(33)"},{"name":"label","value":"SA-08(33)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.33"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#pe-8","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-8.33_smt","name":"statement","prose":"Implement the privacy principle of minimization using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_gdn","name":"guidance","prose":"The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization."},{"id":"sa-8.33_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(33)","class":"sp800-53a"}],"prose":"the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(33)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing the minimization of personally identifiable information in system design\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\ninformation security and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.33_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(33)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.33_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(33)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security and privacy policy\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;"},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;"},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;"},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;"},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;"},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;"},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.24","class":"SP800-53-enhancement","title":"Personally Identifiable Information","params":[{"id":"sc-07.24_odp","props":[{"name":"alt-identifier","value":"sc-7.24_prm_1"},{"name":"label","value":"SC-07(24)_ODP","class":"sp800-53a"}],"label":"processing rules","guidelines":[{"prose":"processing rules for systems that process personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-7(24)"},{"name":"label","value":"SC-07(24)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"sc-7.24_smt","name":"statement","prose":"For systems that process personally identifiable information:","parts":[{"id":"sc-7.24_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};"},{"id":"sc-7.24_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"},{"id":"sc-7.24_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Document each processing exception; and"},{"id":"sc-7.24_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Review and remove exceptions that are no longer supported."}]},{"id":"sc-7.24_gdn","name":"guidance","prose":"Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements."},{"id":"sc-7.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;"},{"id":"sc-7.24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[01]","class":"sp800-53a"}],"prose":"permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;"},{"id":"sc-7.24_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[02]","class":"sp800-53a"}],"prose":"permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;"}]},{"id":"sc-7.24_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(c)","class":"sp800-53a"}],"prose":"each processing exception is documented for systems that process personally identifiable information;"},{"id":"sc-7.24_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[01]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information are reviewed;"},{"id":"sc-7.24_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[02]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information that are no longer supported are removed."}]}]},{"id":"sc-7.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\npersonally identifiable information processing policies\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security and privacy architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information inventory documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sc-7.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;"},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."}]}]}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}],"controls":[{"id":"si-12.1","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"si-12.01_odp","props":[{"name":"alt-identifier","value":"si-12.1_prm_1"},{"name":"label","value":"SI-12(01)_ODP","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information being processed in the information life cycle are defined;"}]}],"props":[{"name":"label","value":"SI-12(1)"},{"name":"label","value":"SI-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-12.1_smt","name":"statement","prose":"Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_gdn","name":"guidance","prose":"Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk."},{"id":"si-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(01)","class":"sp800-53a"}],"prose":"personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"si-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management and retention (including limiting personally identifiable information processing)\n\nautomated mechanisms supporting and\/or implementing limits to personally identifiable information processing"}]}]},{"id":"si-12.2","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","params":[{"id":"si-12.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.02_odp.01","props":[{"name":"label","value":"SI-12(02)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for research are defined;"}]},{"id":"si-12.02_odp.02","props":[{"name":"label","value":"SI-12(02)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for testing are defined;"}]},{"id":"si-12.02_odp.03","props":[{"name":"label","value":"SI-12(02)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for training are defined;"}]}],"props":[{"name":"label","value":"SI-12(2)"},{"name":"label","value":"SI-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-22","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"si-12.2_smt","name":"statement","prose":"Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ insert: param, si-12.2_prm_1 }}."},{"id":"si-12.2_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them."},{"id":"si-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)","class":"sp800-53a"}],"parts":[{"id":"si-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;"},{"id":"si-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;"},{"id":"si-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training."}]},{"id":"si-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research\n\npolicy for the minimization of personally identifiable information used in testing, training, and research\n\nprocedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting minimization policy implementation (e.g., templates for testing, training, and research)\n\ndata sets used for testing, training, and research\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"si-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information used in testing, training, and research\n\nautomated mechanisms supporting and\/or implementing the minimization of personally identifiable information used in testing, training, and research"}]}]},{"id":"si-12.3","class":"SP800-53-enhancement","title":"Information Disposal","params":[{"id":"si-12.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.03_odp.01","props":[{"name":"label","value":"SI-12(03)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to dispose of information following the retention period are defined;"}]},{"id":"si-12.03_odp.02","props":[{"name":"label","value":"SI-12(03)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to destroy information following the retention period are defined;"}]},{"id":"si-12.03_odp.03","props":[{"name":"label","value":"SI-12(03)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to erase information following the retention period are defined;"}]}],"props":[{"name":"label","value":"SI-12(3)"},{"name":"label","value":"SI-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"}],"parts":[{"id":"si-12.3_smt","name":"statement","prose":"Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ insert: param, si-12.3_prm_1 }}."},{"id":"si-12.3_gdn","name":"guidance","prose":"Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information."},{"id":"si-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)","class":"sp800-53a"}],"parts":[{"id":"si-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;"},{"id":"si-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;"},{"id":"si-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period."}]},{"id":"si-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nlaws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal\n\nmedia protection policy\n\nmedia protection procedures\n\nsystem audit records\n\naudit findings\n\ninformation disposal records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information disposition\n\nautomated mechanisms supporting and\/or implementing information disposition"}]}]}]},{"id":"si-18","class":"SP800-53","title":"Personally Identifiable Information Quality Operations","params":[{"id":"si-18_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.04"}],"label":"organization-defined frequency"},{"id":"si-18_odp.01","props":[{"name":"label","value":"SI-18_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.02","props":[{"name":"label","value":"SI-18_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.03","props":[{"name":"label","value":"SI-18_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.04","props":[{"name":"label","value":"SI-18_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;"}]}],"props":[{"name":"label","value":"SI-18"},{"name":"label","value":"SI-18","class":"sp800-53a"},{"name":"sort-id","value":"si-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-18_smt","name":"statement","parts":[{"id":"si-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ insert: param, si-18_prm_1 }} ; and"},{"id":"si-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correct or delete inaccurate or outdated personally identifiable information."}]},{"id":"si-18_gdn","name":"guidance","prose":"Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes."},{"id":"si-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[01]","class":"sp800-53a"}],"prose":"the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};"},{"id":"si-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[02]","class":"sp800-53a"}],"prose":"the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};"},{"id":"si-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[03]","class":"sp800-53a"}],"prose":"the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};"},{"id":"si-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[04]","class":"sp800-53a"}],"prose":"the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};"}]},{"id":"si-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-18b.","class":"sp800-53a"}],"prose":"inaccurate or outdated personally identifiable information is corrected or deleted."}]},{"id":"si-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"si-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}],"controls":[{"id":"si-18.4","class":"SP800-53-enhancement","title":"Individual Requests","props":[{"name":"label","value":"SI-18(4)"},{"name":"label","value":"SI-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.4_smt","name":"statement","prose":"Correct or delete personally identifiable information upon request by individuals or their designated representatives."},{"id":"si-18.4_gdn","name":"guidance","prose":"Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion."},{"id":"si-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(04)","class":"sp800-53a"}],"prose":"personally identifiable information is corrected or deleted upon request by individuals or their designated representatives."},{"id":"si-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests\n\nrecords of correction or deletion actions performed\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Request mechanisms\n\nautomated mechanisms supporting and\/or implementing individual requests for correction or deletion"}]}]}]},{"id":"si-19","class":"SP800-53","title":"De-identification","params":[{"id":"si-19_odp.01","props":[{"name":"alt-identifier","value":"si-19_prm_1"},{"name":"alt-label","value":"elements of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-19_ODP[01]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to be removed from datasets are defined;"}]},{"id":"si-19_odp.02","props":[{"name":"alt-identifier","value":"si-19_prm_2"},{"name":"label","value":"SI-19_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to evaluate the effectiveness of de-identification is defined;"}]}],"props":[{"name":"label","value":"SI-19"},{"name":"label","value":"SI-19","class":"sp800-53a"},{"name":"sort-id","value":"si-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#mp-6","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-19_smt","name":"statement","parts":[{"id":"si-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Remove the following elements of personally identifiable information from datasets: {{ insert: param, si-19_odp.01 }} ; and"},{"id":"si-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Evaluate {{ insert: param, si-19_odp.02 }} for effectiveness of de-identification."}]},{"id":"si-19_gdn","name":"guidance","prose":"De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk."},{"id":"si-19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19","class":"sp800-53a"}],"parts":[{"id":"si-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-19a.","class":"sp800-53a"}],"prose":" {{ insert: param, si-19_odp.01 }} are removed from datasets;"},{"id":"si-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-19b.","class":"sp800-53a"}],"prose":"the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}."}]},{"id":"si-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndatasets with personally identifiable information removed\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for identifying unnecessary identifiers\n\norganizational personnel responsible for removing personally identifiable information from datasets\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"94c64e1a-456c-457f-86da-83ac0dfc85ac","title":"CMPPA","citation":{"text":"Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-102\/pdf\/STATUTE-102-Pg2507.pdf"}]},{"uuid":"b9951d04-6385-478c-b1a3-ab68c19d9041","title":"DHS NIPP","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)* , 2009."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/xlibrary\/assets\/NIPP_Plan.pdf"}]},{"uuid":"7b0b9634-741a-4335-b6fa-161228c3a76e","title":"EGOV","citation":{"text":"E-Government Act [includes FISMA] (P.L. 107-347), December 2002. "},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ347\/PLAW-107publ347.pdf"}]},{"uuid":"3406fdc0-d61c-44a9-a5ca-84180544c83a","title":"EO 13636","citation":{"text":"Executive Order 13636, *Improving Critical Infrastructure Cybersecurity* , February 2013."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/executive-order-improving-critical-infrastructure-cybersecurity"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"488d6934-00b2-4252-bf23-1b3c2d71eb13","title":"HSPD 7","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection* , December 2003."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-7"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"3671ff20-c17c-44d6-8a88-7de203fa74aa","title":"OMB A-108","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A108\/omb_circular_a-108.pdf"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"d229ae60-51dd-4d7b-a8bf-1f7195cc7561","title":"OMB M-03-22","citation":{"text":"Office of Management and Budget Memorandum M-03-22, *OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002* , September 2003. [https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf](https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf) "},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf"}]},{"uuid":"206a3284-6a7e-423c-8ea9-25b22542541d","title":"OMB M-17-06","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/m-17-06.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"227063d4-431e-435f-9e8f-009b6dbc20f4","title":"OMB M-19-15","citation":{"text":"Office of Management and Budget Memorandum M-19-15, *Improving Implementation of the Information Quality Act* , April 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/04\/M-19-15.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","title":"SP 800-188","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-188\/draft"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"7798067b-4ed0-4adc-a505-79dad4741693","title":"SP 800-55","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-55r1"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"f8f8bd60-df08-46cc-8083-cf001f43ea6a","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE","last-modified":"2023-12-05T21:54:56.105295Z","version":"5.1.1+u2","oscal-version":"1.1.1","props":[{"name":"resolution-tool","value":"OSCAL Profile Resolver XSLT Pipeline OPRXP"}],"links":[{"href":"NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml","rel":"source-profile"}],"roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"11f1de66-89ba-499d-903e-56418e95af9d","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]},{"role-id":"contact","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ac-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;","links":[{"href":"#ac-1_smt.b","rel":"assessment-for"}]},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt","rel":"assessment-for"}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.","links":[{"href":"#ac-3_smt","rel":"assessment-for"}]},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}],"controls":[{"id":"ac-3.14","class":"SP800-53-enhancement","title":"Individual Access","params":[{"id":"ac-03.14_odp.01","props":[{"name":"alt-identifier","value":"ac-3.14_prm_1"},{"name":"label","value":"AC-03(14)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;"}]},{"id":"ac-03.14_odp.02","props":[{"name":"alt-identifier","value":"ac-3.14_prm_2"},{"name":"label","value":"AC-03(14)_ODP[02]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to which individuals have access are defined;"}]}],"props":[{"name":"label","value":"AC-3(14)"},{"name":"label","value":"AC-03(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ia-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"ac-3.14_smt","name":"statement","prose":"Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}."},{"id":"ac-3.14_gdn","name":"guidance","prose":"Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations."},{"id":"ac-3.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(14)","class":"sp800-53a"}],"prose":" {{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.","links":[{"href":"#ac-3.14_smt","rel":"assessment-for"}]},{"id":"ac-3.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access mechanisms (e.g., request forms and application interfaces)\n\naccess control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation regarding access to an individual’s personally identifiable information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment findings and\/or reports\n\nother relevant documents or records"}]},{"id":"ac-3.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel"}]},{"id":"ac-3.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions\n\nmechanisms enabling individual access to personally identifiable information"}]}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; ","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and","links":[{"href":"#at-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;","links":[{"href":"#at-1_smt.b","rel":"assessment-for"}]},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt","rel":"assessment-for"}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a","rel":"assessment-for"}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":" {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;","links":[{"href":"#at-2_smt.b","rel":"assessment-for"}]},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.","links":[{"href":"#at-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt","rel":"assessment-for"}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a","rel":"assessment-for"}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training.","links":[{"href":"#at-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt","rel":"assessment-for"}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}],"controls":[{"id":"at-3.5","class":"SP800-53-enhancement","title":"Processing Personally Identifiable Information","params":[{"id":"at-03.05_odp.01","props":[{"name":"alt-identifier","value":"at-3.5_prm_1"},{"name":"label","value":"AT-03(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is\/are defined;"}]},{"id":"at-03.05_odp.02","props":[{"name":"alt-identifier","value":"at-3.5_prm_2"},{"name":"label","value":"AT-03(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(5)"},{"name":"label","value":"AT-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"at-3.5_smt","name":"statement","prose":"Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and\/or other documentation."},{"id":"at-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(05)","class":"sp800-53a"}],"prose":" {{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.","links":[{"href":"#at-3.5_smt","rel":"assessment-for"}]},{"id":"at-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsystem security plan\n\nprivacy plan\n\norganizational privacy notices\n\norganizational policies\n\nsystem of records notices\n\nPrivacy Act statements\n\ncomputer matching agreements and notices\n\nprivacy impact assessments\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"at-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}.","links":[{"href":"#at-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt","rel":"assessment-for"}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;","links":[{"href":"#au-1_smt.b","rel":"assessment-for"}]},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt","rel":"assessment-for"}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;","links":[{"href":"#au-2_smt.a","rel":"assessment-for"}]},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;","links":[{"href":"#au-2_smt.b","rel":"assessment-for"}]},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, au-02_odp.02 }} are specified for logging within the system;","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;","links":[{"href":"#au-2_smt.d","rel":"assessment-for"}]},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.","links":[{"href":"#au-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt","rel":"assessment-for"}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;","links":[{"href":"#au-3_smt.a","rel":"assessment-for"}]},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;","links":[{"href":"#au-3_smt.b","rel":"assessment-for"}]},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;","links":[{"href":"#au-3_smt.c","rel":"assessment-for"}]},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;","links":[{"href":"#au-3_smt.d","rel":"assessment-for"}]},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;","links":[{"href":"#au-3_smt.e","rel":"assessment-for"}]},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event.","links":[{"href":"#au-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#au-3_smt","rel":"assessment-for"}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"au-03.03_odp","props":[{"name":"alt-identifier","value":"au-3.3_prm_1"},{"name":"label","value":"AU-03(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment are defined;"}]}],"props":[{"name":"label","value":"AU-3(3)"},{"name":"label","value":"AU-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"au-3.3_smt","name":"statement","prose":"Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}."},{"id":"au-3.3_gdn","name":"guidance","prose":"Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"au-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.","links":[{"href":"#au-3.3_smt","rel":"assessment-for"}]},{"id":"au-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprivacy risk assessment\n\nprivacy risk assessment results\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nthird party contracts\n\nother relevant documents or records"}]},{"id":"au-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","links":[{"href":"#au-11_smt","rel":"assessment-for"}]},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ca-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;","links":[{"href":"#ca-1_smt.b","rel":"assessment-for"}]},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt","rel":"assessment-for"}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;","links":[{"href":"#ca-2_smt.a","rel":"assessment-for"}]},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;","links":[{"href":"#ca-2_smt.b.1","rel":"assessment-for"}]},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;","links":[{"href":"#ca-2_smt.b.2","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b","rel":"assessment-for"}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;","links":[{"href":"#ca-2_smt.c","rel":"assessment-for"}]},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;","links":[{"href":"#ca-2_smt.e","rel":"assessment-for"}]},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.","links":[{"href":"#ca-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt","rel":"assessment-for"}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;","links":[{"href":"#ca-5_smt.a","rel":"assessment-for"}]},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.","links":[{"href":"#ca-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-5_smt","rel":"assessment-for"}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;","links":[{"href":"#ca-6_smt.a","rel":"assessment-for"}]},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.b","rel":"assessment-for"}]},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;","links":[{"href":"#ca-6_smt.c.1","rel":"assessment-for"}]},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;","links":[{"href":"#ca-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt.c","rel":"assessment-for"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.d","rel":"assessment-for"}]},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}.","links":[{"href":"#ca-6_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt","rel":"assessment-for"}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};","links":[{"href":"#ca-7_smt.a","rel":"assessment-for"}]},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.c","rel":"assessment-for"}]},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.d","rel":"assessment-for"}]},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;","links":[{"href":"#ca-7_smt.e","rel":"assessment-for"}]},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;","links":[{"href":"#ca-7_smt.f","rel":"assessment-for"}]},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.a","rel":"assessment-for"}]},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.b","rel":"assessment-for"}]},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring.","links":[{"href":"#ca-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.4_smt","rel":"assessment-for"}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cm-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;","links":[{"href":"#cm-1_smt.b","rel":"assessment-for"}]},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt","rel":"assessment-for"}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation.","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ir-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;","links":[{"href":"#ir-1_smt.b","rel":"assessment-for"}]},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt","rel":"assessment-for"}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":" {{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;","links":[{"href":"#ir-2_smt.a.1","rel":"assessment-for"}]},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#ir-2_smt.a.2","rel":"assessment-for"}]},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;","links":[{"href":"#ir-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.a","rel":"assessment-for"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt","rel":"assessment-for"}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.3","class":"SP800-53-enhancement","title":"Breach","props":[{"name":"label","value":"IR-2(3)"},{"name":"label","value":"IR-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.3_smt","name":"statement","prose":"Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach."},{"id":"ir-2.3_gdn","name":"guidance","prose":"For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1)."},{"id":"ir-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)","class":"sp800-53a"}],"parts":[{"id":"ir-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[01]","class":"sp800-53a"}],"prose":"incident response training on how to identify and respond to a breach is provided;","links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]},{"id":"ir-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[02]","class":"sp800-53a"}],"prose":"incident response training on the organization’s process for reporting a breach is provided.","links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]},{"id":"ir-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.","links":[{"href":"#ir-3_smt","rel":"assessment-for"}]},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;","links":[{"href":"#ir-4_smt.b","rel":"assessment-for"}]},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization.","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt","rel":"assessment-for"}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented.","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};","links":[{"href":"#ir-6_smt.a","rel":"assessment-for"}]},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}.","links":[{"href":"#ir-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-6_smt","rel":"assessment-for"}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;","links":[{"href":"#ir-8_smt.a.1","rel":"assessment-for"}]},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;","links":[{"href":"#ir-8_smt.a.2","rel":"assessment-for"}]},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;","links":[{"href":"#ir-8_smt.a.3","rel":"assessment-for"}]},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;","links":[{"href":"#ir-8_smt.a.4","rel":"assessment-for"}]},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;","links":[{"href":"#ir-8_smt.a.5","rel":"assessment-for"}]},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;","links":[{"href":"#ir-8_smt.a.6","rel":"assessment-for"}]},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;","links":[{"href":"#ir-8_smt.a.7","rel":"assessment-for"}]},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;","links":[{"href":"#ir-8_smt.a.8","rel":"assessment-for"}]},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};","links":[{"href":"#ir-8_smt.a.9","rel":"assessment-for"}]},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.","links":[{"href":"#ir-8_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.a","rel":"assessment-for"}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;","links":[{"href":"#ir-8_smt.c","rel":"assessment-for"}]},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification.","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt","rel":"assessment-for"}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}],"controls":[{"id":"ir-8.1","class":"SP800-53-enhancement","title":"Breaches","props":[{"name":"label","value":"IR-8(1)"},{"name":"label","value":"IR-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-8","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ir-8.1_smt","name":"statement","prose":"Include the following in the Incident Response Plan for breaches involving personally identifiable information:","parts":[{"id":"ir-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and"},{"id":"ir-8.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Identification of applicable privacy requirements."}]},{"id":"ir-8.1_gdn","name":"guidance","prose":"Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements."},{"id":"ir-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)","class":"sp800-53a"}],"parts":[{"id":"ir-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(a)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;","links":[{"href":"#ir-8.1_smt.a","rel":"assessment-for"}]},{"id":"ir-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(b)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;","links":[{"href":"#ir-8.1_smt.b","rel":"assessment-for"}]},{"id":"ir-8.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(c)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.","links":[{"href":"#ir-8.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-8.1_smt","rel":"assessment-for"}]},{"id":"ir-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#mp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.","links":[{"href":"#mp-1_smt.b","rel":"assessment-for"}]},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt","rel":"assessment-for"}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":" {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.","links":[{"href":"#mp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt","rel":"assessment-for"}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};","links":[{"href":"#pe-8_smt.a","rel":"assessment-for"}]},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};","links":[{"href":"#pe-8_smt.b","rel":"assessment-for"}]},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.","links":[{"href":"#pe-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-8_smt","rel":"assessment-for"}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"pe-08.03_odp","props":[{"name":"alt-identifier","value":"pe-8.3_prm_1"},{"name":"label","value":"PE-08(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;"}]}],"props":[{"name":"label","value":"PE-8(3)"},{"name":"label","value":"PE-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pe-8.3_smt","name":"statement","prose":"Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}."},{"id":"pe-8.3_gdn","name":"guidance","prose":"Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"pe-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.","links":[{"href":"#pe-8.3_smt","rel":"assessment-for"}]},{"id":"pe-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\npersonally identifiable information processing policy\n\nprivacy risk assessment documentation\n\nprivacy impact assessment\n\nvisitor access records\n\npersonally identifiable information inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records"}]}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented.","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pl-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;","links":[{"href":"#pl-1_smt.b","rel":"assessment-for"}]},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt","rel":"assessment-for"}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a","rel":"assessment-for"}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};","links":[{"href":"#pl-2_smt.c","rel":"assessment-for"}]},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification.","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt","rel":"assessment-for"}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":[" {{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;","links":[{"href":"#pl-4_smt.b","rel":"assessment-for"}]},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};","links":[{"href":"#pl-4_smt.c","rel":"assessment-for"}]},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.","links":[{"href":"#pl-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt","rel":"assessment-for"}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;","links":[{"href":"#pl-4.1_smt.a","rel":"assessment-for"}]},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;","links":[{"href":"#pl-4.1_smt.b","rel":"assessment-for"}]},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications.","links":[{"href":"#pl-4.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-4.1_smt","rel":"assessment-for"}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n [PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;","links":[{"href":"#pl-8_smt.a.1","rel":"assessment-for"}]},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;","links":[{"href":"#pl-8_smt.a.2","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a","rel":"assessment-for"}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;","links":[{"href":"#pl-8_smt.b","rel":"assessment-for"}]},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions.","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt","rel":"assessment-for"}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}]},{"id":"pl-9","class":"SP800-53","title":"Central Management","params":[{"id":"pl-09_odp","props":[{"name":"alt-identifier","value":"pl-9_prm_1"},{"name":"label","value":"PL-09_ODP","class":"sp800-53a"}],"label":"controls and related processes","guidelines":[{"prose":"security and privacy controls and related processes to be centrally managed are defined;"}]}],"props":[{"name":"label","value":"PL-9"},{"name":"label","value":"PL-09","class":"sp800-53a"},{"name":"sort-id","value":"pl-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pl-9_smt","name":"statement","prose":"Centrally manage {{ insert: param, pl-09_odp }}."},{"id":"pl-9_gdn","name":"guidance","prose":"Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\n\nAutomated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.\n\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: [AC-2(1)](#ac-2.1), [AC-2(2)](#ac-2.2), [AC-2(3)](#ac-2.3), [AC-2(4)](#ac-2.4), [AC-4(all)](#ac-4), [AC-17(1)](#ac-17.1), [AC-17(2)](#ac-17.2), [AC-17(3)](#ac-17.3), [AC-17(9)](#ac-17.9), [AC-18(1)](#ac-18.1), [AC-18(3)](#ac-18.3), [AC-18(4)](#ac-18.4), [AC-18(5)](#ac-18.5), [AC-19(4)](#ac-19.4), [AC-22](#ac-22), [AC-23](#ac-23), [AT-2(1)](#at-2.1), [AT-2(2)](#at-2.2), [AT-3(1)](#at-3.1), [AT-3(2)](#at-3.2), [AT-3(3)](#at-3.3), [AT-4](#at-4), [AU-3](#au-3), [AU-6(1)](#au-6.1), [AU-6(3)](#au-6.3), [AU-6(5)](#au-6.5), [AU-6(6)](#au-6.6), [AU-6(9)](#au-6.9), [AU-7(1)](#au-7.1), [AU-7(2)](#au-7.2), [AU-11](#au-11), [AU-13](#au-13), [AU-16](#au-16), [CA-2(1)](#ca-2.1), [CA-2(2)](#ca-2.2), [CA-2(3)](#ca-2.3), [CA-3(1)](#ca-3.1), [CA-3(2)](#ca-3.2), [CA-3(3)](#ca-3.3), [CA-7(1)](#ca-7.1), [CA-9](#ca-9), [CM-2(2)](#cm-2.2), [CM-3(1)](#cm-3.1), [CM-3(4)](#cm-3.4), [CM-4](#cm-4), [CM-6](#cm-6), [CM-6(1)](#cm-6.1), [CM-7(2)](#cm-7.2), [CM-7(4)](#cm-7.4), [CM-7(5)](#cm-7.5), [CM-8(all)](#cm-8), [CM-9(1)](#cm-9.1), [CM-10](#cm-10), [CM-11](#cm-11), [CP-7(all)](#cp-7), [CP-8(all)](#cp-8), [SC-43](#sc-43), [SI-2](#si-2), [SI-3](#si-3), [SI-4(all)](#si-4), [SI-7](#si-7), [SI-8](#si-8)."},{"id":"pl-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-09","class":"sp800-53a"}],"prose":" {{ insert: param, pl-09_odp }} are centrally managed.","links":[{"href":"#pl-9_smt","rel":"assessment-for"}]},{"id":"pl-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy plan development and implementation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with responsibilities for planning\/implementing central management of controls and related processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the central management of controls and related processes\n\nmechanisms supporting and\/or implementing central management of controls and related processes"}]}]}]},{"id":"pm","class":"family","title":"Program Management","parts":[{"id":"pm_ovw","name":"overview","title":"Program Management Controls","prose":" [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of [FIPS 200](#599fb53d-5041-444e-a7fe-640d6d30ad05) impact levels and, therefore, are not associated with the control baselines described in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752).\n\nOrganizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see [PM-1](#pm-1) ) and privacy program plan (see [PM-18](#pm-18) ) supplement system security and privacy plans (see [PL-2](#pl-2) ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization."}],"controls":[{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","props":[{"name":"label","value":"PM-3"},{"name":"label","value":"PM-03","class":"sp800-53a"},{"name":"sort-id","value":"pm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-4","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."},{"id":"pm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-03","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[01]","class":"sp800-53a"}],"prose":"the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;","links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]},{"id":"pm-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[02]","class":"sp800-53a"}],"prose":"the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;","links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]},{"id":"pm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[01]","class":"sp800-53a"}],"prose":"the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;","links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]},{"id":"pm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[02]","class":"sp800-53a"}],"prose":"the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;","links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]},{"id":"pm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[01]","class":"sp800-53a"}],"prose":"information security resources are made available for expenditure as planned;","links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]},{"id":"pm-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[02]","class":"sp800-53a"}],"prose":"privacy resources are made available for expenditure as planned.","links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt","rel":"assessment-for"}]},{"id":"pm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nExhibit 300\n\nExhibit 53\n\nbusiness cases for capital planning and investment\n\nprocedures for capital planning and investment\n\ndocumentation of exceptions to capital planning requirements\n\nother relevant documents or records"}]},{"id":"pm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning responsibilities\n\norganizational personnel with privacy program planning responsibilities\n\norganizational personnel responsible for capital planning and investment\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for capital planning and investment\n\norganizational processes for business case, Exhibit 300, and Exhibit 53 development\n\nmechanisms supporting the capital planning and investment process"}]}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","props":[{"name":"label","value":"PM-4"},{"name":"label","value":"PM-04","class":"sp800-53a"},{"name":"sort-id","value":"pm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission\/business process level, and organizational\/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in [CA-5](#ca-5)."},{"id":"pm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-04","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[04]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-5","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[05]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-6","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[06]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a","rel":"assessment-for"}]},{"id":"pm-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[01]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]},{"id":"pm-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[02]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.","links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt","rel":"assessment-for"}]},{"id":"pm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nplans of action and milestones\n\nprocedures addressing plans of action and milestones development and maintenance\n\nprocedures addressing plans of action and milestones reporting\n\nprocedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with plans of action and milestones\n\nOMB FISMA reporting requirements\n\nother relevant documents or records"}]},{"id":"pm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for plan of action and milestones development, review, maintenance, and reporting\n\nmechanisms supporting plans of action and milestones"}]}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","params":[{"id":"pm-05_odp","props":[{"name":"alt-identifier","value":"pm-5_prm_1"},{"name":"label","value":"PM-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-5"},{"name":"label","value":"PM-05","class":"sp800-53a"},{"name":"sort-id","value":"pm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":" [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in [CM-8](#cm-8)."},{"id":"pm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05","class":"sp800-53a"}],"parts":[{"id":"pm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05[01]","class":"sp800-53a"}],"prose":"an inventory of organizational systems is developed;","links":[{"href":"#pm-5_smt","rel":"assessment-for"}]},{"id":"pm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05[02]","class":"sp800-53a"}],"prose":"the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.","links":[{"href":"#pm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-5_smt","rel":"assessment-for"}]},{"id":"pm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nsystem inventory\n\nprocedures addressing system inventory development and maintenance\n\nOMB FISMA reporting guidance\n\nother relevant documents or records"}]},{"id":"pm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development and maintenance\n\nmechanisms supporting the system inventory"}]}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","params":[{"id":"pm-05.01_odp","props":[{"name":"alt-identifier","value":"pm-5.1_prm_1"},{"name":"label","value":"PM-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PM-5(1)"},{"name":"label","value":"PM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-5","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."},{"id":"pm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)","class":"sp800-53a"}],"parts":[{"id":"pm-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[01]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is established;","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[02]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is maintained;","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[03]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing system inventory development, maintenance, and updates\n\nOMB FISMA reporting guidance\n\nprivacy program plan\n\ninformation security program plan\n\npersonally identifiable information processing policy\n\nsystem inventory\n\npersonally identifiable information inventory\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"pm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development, maintenance, and updates\n\nmechanisms supporting the system inventory"}]}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","props":[{"name":"label","value":"PM-6"},{"name":"label","value":"PM-06","class":"sp800-53a"},{"name":"sort-id","value":"pm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#7798067b-4ed0-4adc-a505-79dad4741693","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy."},{"id":"pm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-06","class":"sp800-53a"}],"parts":[{"id":"pm-6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-06[01]","class":"sp800-53a"}],"prose":"information security measures of performance are developed;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-06[02]","class":"sp800-53a"}],"prose":"information security measures of performance are monitored;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-06[03]","class":"sp800-53a"}],"prose":"the results of information security measures of performance are reported;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-06[04]","class":"sp800-53a"}],"prose":"privacy measures of performance are developed;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-06[05]","class":"sp800-53a"}],"prose":"privacy measures of performance are monitored;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-06[06]","class":"sp800-53a"}],"prose":"the results of privacy measures of performance are reported.","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security measures of performance\n\nprivacy measures of performance\n\nprocedures addressing the development, monitoring, and reporting of information security and privacy measures of performance\n\nrisk management strategy\n\nother relevant documents or records"}]},{"id":"pm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance\n\nmechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance"}]}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","props":[{"name":"label","value":"PM-7"},{"name":"label","value":"PM-07","class":"sp800-53a"},{"name":"sort-id","value":"pm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For [PL-8](#pl-8) , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37](#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8) and supporting security standards and guidelines."},{"id":"pm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07","class":"sp800-53a"}],"parts":[{"id":"pm-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-07[01]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for information security;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-07[02]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for information security;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-07[03]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for privacy;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-07[04]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for privacy;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-07[05]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-07[06]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development"}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","props":[{"name":"label","value":"PM-8"},{"name":"label","value":"PM-08","class":"sp800-53a"},{"name":"sort-id","value":"pm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#3406fdc0-d61c-44a9-a5ca-84180544c83a","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#488d6934-00b2-4252-bf23-1b3c2d71eb13","rel":"reference"},{"href":"#b9951d04-6385-478c-b1a3-ab68c19d9041","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-08","class":"sp800-53a"}],"parts":[{"id":"pm-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-08[01]","class":"sp800-53a"}],"prose":"information security issues are addressed in the development of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-08[02]","class":"sp800-53a"}],"prose":"information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-08[03]","class":"sp800-53a"}],"prose":"information security issues are addressed in the update of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-08[04]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-08[05]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-08[06]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ncritical infrastructure and key resources protection plan\n\nprocedures addressing the development, documentation, and updating of the critical infrastructure and key resources protection plan\n\nHSPD 7\n\nNational Infrastructure Protection Plan\n\nother relevant documents or records"}]},{"id":"pm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\nmechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan"}]}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","params":[{"id":"pm-09_odp","props":[{"name":"alt-identifier","value":"pm-9_prm_1"},{"name":"label","value":"PM-09_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-9"},{"name":"label","value":"PM-09","class":"sp800-53a"},{"name":"sort-id","value":"pm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#at-1","rel":"related"},{"href":"#ca-1","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cp-1","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ir-1","rel":"related"},{"href":"#ma-1","rel":"related"},{"href":"#mp-1","rel":"related"},{"href":"#pe-1","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-1","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-1","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy."},{"id":"pm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-09","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.01","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;","links":[{"href":"#pm-9_smt.a.1","rel":"assessment-for"}]},{"id":"pm-9_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.02","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;","links":[{"href":"#pm-9_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-9_smt.a","rel":"assessment-for"}]},{"id":"pm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-09b.","class":"sp800-53a"}],"prose":"the risk management strategy is implemented consistently across the organization;","links":[{"href":"#pm-9_smt.b","rel":"assessment-for"}]},{"id":"pm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-09c.","class":"sp800-53a"}],"prose":"the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.","links":[{"href":"#pm-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-9_smt","rel":"assessment-for"}]},{"id":"pm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\nprocedures addressing the development, implementation, review, and update of the risk management strategy\n\nrisk assessment results relevant to the risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the development, implementation, review, and update of the risk management strategy\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development, implementation, review, and update of the risk management strategy\n\nmechanisms supporting the development, implementation, review, and update of the risk management strategy"}]}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","props":[{"name":"label","value":"PM-10"},{"name":"label","value":"PM-10","class":"sp800-53a"},{"name":"sort-id","value":"pm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."},{"id":"pm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-10","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[01]","class":"sp800-53a"}],"prose":"the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;","links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]},{"id":"pm-10_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[02]","class":"sp800-53a"}],"prose":"the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;","links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]},{"id":"pm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-10b.","class":"sp800-53a"}],"prose":"individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;","links":[{"href":"#pm-10_smt.b","rel":"assessment-for"}]},{"id":"pm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-10c.","class":"sp800-53a"}],"prose":"the authorization processes are integrated into an organization-wide risk management program.","links":[{"href":"#pm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-10_smt","rel":"assessment-for"}]},{"id":"pm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nprocedures addressing management (i.e., documentation, tracking, and reporting) of the authorization process\n\nassessment, authorization, and monitoring policy\n\nassessment, authorization, and monitoring procedures\n\nsystem authorization documentation\n\nlists or other documentation about authorization process roles and responsibilities\n\nrisk assessment results relevant to the authorization process and the organization-wide risk management program\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for management of the authorization process\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorization\n\nmechanisms supporting the authorization process"}]}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","params":[{"id":"pm-11_odp","props":[{"name":"alt-identifier","value":"pm-11_prm_1"},{"name":"label","value":"PM-11_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and revise the mission and business processes is defined;"}]}],"props":[{"name":"label","value":"PM-11"},{"name":"label","value":"PM-11","class":"sp800-53a"},{"name":"sort-id","value":"pm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures."},{"id":"pm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-11","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[01]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for information security;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[02]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for privacy;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[03]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[01]","class":"sp800-53a"}],"prose":"information protection needs arising from the defined mission and business processes are determined;","links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]},{"id":"pm-11_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[02]","class":"sp800-53a"}],"prose":"personally identifiable information processing needs arising from the defined mission and business processes are determined;","links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]},{"id":"pm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-11c.","class":"sp800-53a"}],"prose":"the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.","links":[{"href":"#pm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt","rel":"assessment-for"}]},{"id":"pm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for determining mission and business protection needs\n\ninformation security and privacy risk assessment results relevant to the determination of mission and business protection needs\n\npersonally identifiable information processing policy\n\npersonally identifiable information inventory\n\nother relevant documents or records"}]},{"id":"pm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for enterprise risk management\n\norganizational personnel responsible for determining information protection needs for mission and business processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining mission and business processes and their information protection needs"}]}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","props":[{"name":"label","value":"PM-13"},{"name":"label","value":"PM-13","class":"sp800-53a"},{"name":"sort-id","value":"pm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."},{"id":"pm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-13","class":"sp800-53a"}],"parts":[{"id":"pm-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-13[01]","class":"sp800-53a"}],"prose":"a security workforce development and improvement program is established;","links":[{"href":"#pm-13_smt","rel":"assessment-for"}]},{"id":"pm-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-13[02]","class":"sp800-53a"}],"prose":"a privacy workforce development and improvement program is established.","links":[{"href":"#pm-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-13_smt","rel":"assessment-for"}]},{"id":"pm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security and privacy workforce development and improvement program documentation\n\nprocedures for the information security and privacy workforce development and improvement program\n\ninformation security and privacy role-based training program documentation\n\nother relevant documents or records"}]},{"id":"pm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the information security and privacy workforce development and improvement program\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the information security and privacy workforce development and improvement program\n\nmechanisms supporting and\/or implementing the information security and privacy workforce development and improvement program"}]}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","props":[{"name":"label","value":"PM-14"},{"name":"label","value":"PM-14","class":"sp800-53a"},{"name":"sort-id","value":"pm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."},{"id":"pm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-14","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[03]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[04]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;","links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]},{"id":"pm-14_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;","links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a","rel":"assessment-for"}]},{"id":"pm-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[01]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[02]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[03]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[04]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with organization-wide priorities for risk response actions;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[05]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with organization-wide priorities for risk response actions;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[06]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt","rel":"assessment-for"}]},{"id":"pm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nplans for conducting security and privacy testing, training, and monitoring activities\n\norganizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nrisk management strategy\n\nprocedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with conducting security and privacy testing, training, and monitoring activities\n\ndocumentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities\n\nother relevant documents or records"}]},{"id":"pm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nmechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities"}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","params":[{"id":"pm-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.02"}],"label":"organization-defined frequency"},{"id":"pm-17_odp.01","props":[{"name":"label","value":"PM-17_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the policy is defined;"}]},{"id":"pm-17_odp.02","props":[{"name":"label","value":"PM-17_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the procedures is defined;"}]}],"props":[{"name":"label","value":"PM-17"},{"name":"label","value":"PM-17","class":"sp800-53a"},{"name":"sort-id","value":"pm-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#pm-10","rel":"related"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and"},{"id":"pm-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2017-title32-vol6\/xml\/CFR-2017-title32-vol6-part2002.xml) . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."},{"id":"pm-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-17","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[01]","class":"sp800-53a"}],"prose":"policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;","links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]},{"id":"pm-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[02]","class":"sp800-53a"}],"prose":"procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;","links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]},{"id":"pm-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[01]","class":"sp800-53a"}],"prose":"policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};","links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]},{"id":"pm-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[02]","class":"sp800-53a"}],"prose":"procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} ","links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt","rel":"assessment-for"}]},{"id":"pm-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Controlled unclassified information policy\n\ncontrolled unclassified information procedures\n\nother relevant documents or records."}]},{"id":"pm-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with controlled unclassified information responsibilities\n\norganizational personnel with information security responsibilities."}]}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","params":[{"id":"pm-18_odp","props":[{"name":"alt-identifier","value":"pm-18_prm_1"},{"name":"label","value":"PM-18_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of updates to the privacy program plan is defined;"}]}],"props":[{"name":"label","value":"PM-18"},{"name":"label","value":"PM-18","class":"sp800-53a"},{"name":"sort-id","value":"pm-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\n\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\n\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.\n\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."},{"id":"pm-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-18","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[01]","class":"sp800-53a"}],"prose":"an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;","links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]},{"id":"pm-18_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the structure of the privacy program;","links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]},{"id":"pm-18_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the resources dedicated to the privacy program;","links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[01]","class":"sp800-53a"}],"prose":"the privacy program plan provides an overview of the requirements for the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[02]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[03]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes the role of the senior agency official for privacy;","links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]},{"id":"pm-18_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;","links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[01]","class":"sp800-53a"}],"prose":"the privacy program plan describes management commitment;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[02]","class":"sp800-53a"}],"prose":"the privacy program plan describes compliance;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[03]","class":"sp800-53a"}],"prose":"the privacy program plan describes the strategic goals and objectives of the privacy program;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.05","class":"sp800-53a"}],"prose":"the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;","links":[{"href":"#pm-18_smt.a.5","rel":"assessment-for"}]},{"id":"pm-18_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.06","class":"sp800-53a"}],"prose":"the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-18_smt.a.6","rel":"assessment-for"}]},{"id":"pm-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is disseminated;","links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]},{"id":"pm-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[01]","class":"sp800-53a"}],"prose":"the privacy program plan is updated {{ insert: param, pm-18_odp }};","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address changes in federal privacy laws and policies;","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[03]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address organizational changes;","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[04]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt","rel":"assessment-for"}]},{"id":"pm-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews, updates, and approvals\n\nprocedures addressing coordination of the program plan with relevant entities\n\nrecords of program plan reviews, updates, and approvals\n\nother relevant documents or records"}]},{"id":"pm-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","props":[{"name":"label","value":"PM-19"},{"name":"label","value":"PM-19","class":"sp800-53a"},{"name":"sort-id","value":"pm-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-18","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pm-27","rel":"related"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see [PM-23](#pm-23) ) and the data integrity board (see [PM-24](#pm-24))."},{"id":"pm-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-19","class":"sp800-53a"}],"parts":[{"id":"pm-19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-19[01]","class":"sp800-53a"}],"prose":"a senior agency official for privacy with authority, mission, accountability, and resources is appointed;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-19[02]","class":"sp800-53a"}],"prose":"the senior agency official for privacy coordinates applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-19[03]","class":"sp800-53a"}],"prose":"the senior agency official for privacy develops applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-19[04]","class":"sp800-53a"}],"prose":"the senior agency official for privacy implements applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-19[05]","class":"sp800-53a"}],"prose":"the senior agency official for privacy manages privacy risks through the organization-wide privacy program.","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program documents, including policies, procedures, plans, and reports\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements\n\nsystem of records notices\n\ncomputer matching agreements and notices\n\ncontracts, information sharing agreements, and memoranda of understanding\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance\n\nother relevant documents or records"}]},{"id":"pm-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities\n\nsenior agency official for privacy\n\nprivacy officials"}]}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","props":[{"name":"label","value":"PM-20"},{"name":"label","value":"PM-20","class":"sp800-53a"},{"name":"sort-id","value":"pm-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and\/or phone lines to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"For federal agencies, the webpage is located at www.[agency].gov\/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions\/complaints, blogs, and periodic publications."},{"id":"pm-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20[01]","class":"sp800-53a"}],"prose":"a central resource webpage is maintained on the organization’s principal public website;","links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20[02]","class":"sp800-53a"}],"prose":"the webpage serves as a central source of information about the organization’s privacy program;","links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that the public has access to information about organizational privacy activities;","links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]},{"id":"pm-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that the public can communicate with its senior agency official for privacy;","links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]},{"id":"pm-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy practices are publicly available;","links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]},{"id":"pm-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy reports are publicly available;","links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]},{"id":"pm-20_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20c.","class":"sp800-53a"}],"prose":"the webpage employs publicly facing email addresses and\/or phone numbers to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices.","links":[{"href":"#pm-20_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Public website\n\npublicly posted privacy program documents, including policies, procedures, plans, and reports\n\nposition description of the senior agency official for privacy\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements and system of records notices\n\ncomputer matching agreements and notices\n\nother relevant documents or records"}]},{"id":"pm-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Location, access, availability, and functionality of privacy resource webpage"}]}],"controls":[{"id":"pm-20.1","class":"SP800-53-enhancement","title":"Privacy Policies on Websites, Applications, and Digital Services","props":[{"name":"label","value":"PM-20(1)"},{"name":"label","value":"PM-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-20","rel":"required"}],"parts":[{"id":"pm-20.1_smt","name":"statement","prose":"Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:","parts":[{"id":"pm-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Are written in plain language and organized in a way that is easy to understand and navigate;"},{"id":"pm-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and"},{"id":"pm-20.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are updated whenever the organization makes a substantive change to the practices it describes and includes a time\/date stamp to inform the public of the date of the most recent changes."}]},{"id":"pm-20.1_gdn","name":"guidance","prose":"Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"pm-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[01]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all external-facing websites;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[02]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all mobile applications;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[03]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all other digital services;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[01]","class":"sp800-53a"}],"prose":"the privacy policies are written in plain language;","links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]},{"id":"pm-20.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy policies are organized in a way that is easy to understand and navigate;","links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]},{"id":"pm-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[01]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;","links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]},{"id":"pm-20.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;","links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]},{"id":"pm-20.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[01]","class":"sp800-53a"}],"prose":"the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;","links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]},{"id":"pm-20.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[02]","class":"sp800-53a"}],"prose":"the privacy policies include a time\/date stamp to inform the public of the date of the most recent changes.","links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy policies on the agency website, mobile applications, and\/or other digital services"}]},{"id":"pm-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational procedures and practices for disseminating privacy program information\n\nmechanisms supporting the dissemination of privacy program information"}]}]}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","props":[{"name":"label","value":"PM-21"},{"name":"label","value":"PM-21","class":"sp800-53a"},{"name":"sort-id","value":"pm-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the individual or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\n\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions."},{"id":"pm-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-21","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.","class":"sp800-53a"}],"prose":"an accurate accounting of disclosures of personally identifiable information is developed and maintained;","parts":[{"id":"pm-21_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[01]","class":"sp800-53a"}],"prose":"the accounting includes the date of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[02]","class":"sp800-53a"}],"prose":"the accounting includes the nature of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[03]","class":"sp800-53a"}],"prose":"the accounting includes the purpose of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[01]","class":"sp800-53a"}],"prose":"the accounting includes the name of the individual or organization to whom the disclosure was made;","links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]},{"id":"pm-21_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[02]","class":"sp800-53a"}],"prose":"the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;","links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a","rel":"assessment-for"}]},{"id":"pm-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-21b.","class":"sp800-53a"}],"prose":"the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;","links":[{"href":"#pm-21_smt.b","rel":"assessment-for"}]},{"id":"pm-21_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-21c.","class":"sp800-53a"}],"prose":"the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.","links":[{"href":"#pm-21_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt","rel":"assessment-for"}]},{"id":"pm-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndisclosure policies and procedures\n\nrecords of disclosures\n\naudit logs\n\nPrivacy Act policies and procedures\n\nsystem of records notice\n\nPrivacy Act exemption rules."}]},{"id":"pm-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities."}]},{"id":"pm-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for disclosures\n\nmechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts."}]}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","props":[{"name":"label","value":"PM-22"},{"name":"label","value":"PM-22","class":"sp800-53a"},{"name":"sort-id","value":"pm-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document organization-wide policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\n\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\n\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."},{"id":"pm-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-22","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22[01]","class":"sp800-53a"}],"prose":"organization-wide policies for personally identifiable information quality management are developed and documented;","links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22[02]","class":"sp800-53a"}],"prose":"organization-wide procedures for personally identifiable information quality management are developed and documented;","links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[01]","class":"sp800-53a"}],"prose":"the policies address reviewing the accuracy of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[02]","class":"sp800-53a"}],"prose":"the policies address reviewing the relevance of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[03]","class":"sp800-53a"}],"prose":"the policies address reviewing the timeliness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[04]","class":"sp800-53a"}],"prose":"the policies address reviewing the completeness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[05]","class":"sp800-53a"}],"prose":"the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[06]","class":"sp800-53a"}],"prose":"the procedures address reviewing the relevance of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[07]","class":"sp800-53a"}],"prose":"the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[08]","class":"sp800-53a"}],"prose":"the procedures address reviewing the completeness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[01]","class":"sp800-53a"}],"prose":"the policies address correcting or deleting inaccurate or outdated personally identifiable information;","links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]},{"id":"pm-22_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[02]","class":"sp800-53a"}],"prose":"the procedures address correcting or deleting inaccurate or outdated personally identifiable information;","links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]},{"id":"pm-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[01]","class":"sp800-53a"}],"prose":"the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;","links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]},{"id":"pm-22_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[02]","class":"sp800-53a"}],"prose":"the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;","links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]},{"id":"pm-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[01]","class":"sp800-53a"}],"prose":"the policies address appeals of adverse decisions on correction or deletion requests;","links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]},{"id":"pm-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[02]","class":"sp800-53a"}],"prose":"the procedures address appeals of adverse decisions on correction or deletion requests.","links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion\n\nrecords of monitoring PII quality management practices\n\ndocumentation of reviews and updates of policies and procedures"}]},{"id":"pm-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"[Organizational processes for data quality and personally identifiable information quality management procedures\n\nmechanisms supporting and\/or implementing quality management requirements"}]}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","props":[{"name":"label","value":"PM-24"},{"name":"label","value":"PM-24","class":"sp800-53a"},{"name":"sort-id","value":"pm-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-8","rel":"related"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."},{"id":"pm-24_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-24","class":"sp800-53a"}],"prose":"a Data Integrity Board is established;","parts":[{"id":"pm-24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-24a.","class":"sp800-53a"}],"prose":"the Data Integrity Board reviews proposals to conduct or participate in a matching program;","links":[{"href":"#pm-24_smt.a","rel":"assessment-for"}]},{"id":"pm-24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-24b.","class":"sp800-53a"}],"prose":"the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.","links":[{"href":"#pm-24_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-24_smt","rel":"assessment-for"}]},{"id":"pm-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy program documents relating to the Data Integrity Board, including documents establishing the board, its charter of operations, and any plans and reports\n\ncomputer matching agreements and notices\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nrecords documenting annual reviews\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance"}]},{"id":"pm-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"members of the Data Integrity Board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency Inspector General)"}]}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Personally Identifiable Information Used in Testing, Training, and Research","params":[{"id":"pm-25_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.04"}],"label":"organization-defined frequency"},{"id":"pm-25_odp.01","props":[{"name":"label","value":"PM-25_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.02","props":[{"name":"label","value":"PM-25_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.03","props":[{"name":"label","value":"PM-25_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.04","props":[{"name":"label","value":"PM-25_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]}],"props":[{"name":"label","value":"PM-25"},{"name":"label","value":"PM-25","class":"sp800-53a"},{"name":"sort-id","value":"pm-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and\/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research."},{"id":"pm-25_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-25","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[01]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[02]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal training are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[03]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal research are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[04]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[05]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal training are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[06]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal research are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[07]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing, are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[08]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for training are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[09]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for research are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[10]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[11]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for training are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[12]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for research are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[01]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal testing purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[02]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal training purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[03]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal research purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[01]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal testing is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[02]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal training is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[03]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal research is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[01]","class":"sp800-53a"}],"prose":"policies are reviewed {{ insert: param, pm-25_odp.01 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[02]","class":"sp800-53a"}],"prose":"policies are updated {{ insert: param, pm-25_odp.02 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[03]","class":"sp800-53a"}],"prose":"procedures are reviewed {{ insert: param, pm-25_odp.03 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[04]","class":"sp800-53a"}],"prose":"procedures are updated {{ insert: param, pm-25_odp.04 }}.","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt","rel":"assessment-for"}]},{"id":"pm-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting policy implementation (e.g., templates for testing, training, and research\n\nprivacy threshold analysis\n\nprivacy risk assessment)\n\ndata sets used for testing, training, and research"}]},{"id":"pm-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"pm-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for data quality and personally identifiable information management\n\nmechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information"}]}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","params":[{"id":"pm-26_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.02"}],"label":"organization-defined time period"},{"id":"pm-26_odp.01","props":[{"name":"label","value":"PM-26_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;"}]},{"id":"pm-26_odp.02","props":[{"name":"label","value":"PM-26_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;"}]},{"id":"pm-26_odp.03","props":[{"name":"alt-identifier","value":"pm-26_prm_2"},{"name":"label","value":"PM-26_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for acknowledging the receipt of complaints is defined;"}]},{"id":"pm-26_odp.04","props":[{"name":"alt-identifier","value":"pm-26_prm_3"},{"name":"label","value":"PM-26_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for responding to complaints is defined;"}]}],"props":[{"name":"label","value":"PM-26"},{"name":"label","value":"PM-26","class":"sp800-53a"},{"name":"sort-id","value":"pm-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }} ; and"},{"id":"pm-26_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes."},{"id":"pm-26_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-26","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26[01]","class":"sp800-53a"}],"prose":"a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;","links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26[02]","class":"sp800-53a"}],"prose":"a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;","links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are easy to use by the public;","links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]},{"id":"pm-26_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are readily accessible by the public;","links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]},{"id":"pm-26_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-26b.","class":"sp800-53a"}],"prose":"the complaint management process includes all information necessary for successfully filing complaints;","links":[{"href":"#pm-26_smt.b","rel":"assessment-for"}]},{"id":"pm-26_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};","links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]},{"id":"pm-26_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};","links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]},{"id":"pm-26_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-26d.","class":"sp800-53a"}],"prose":"the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};","links":[{"href":"#pm-26_smt.d","rel":"assessment-for"}]},{"id":"pm-26_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-26e.","class":"sp800-53a"}],"prose":"the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.","links":[{"href":"#pm-26_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing complaint management\n\ncomplaint documentation\n\nprocedures addressing the reviews of complaints\n\nother relevant documents or records"}]},{"id":"pm-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for complaint management\n\nmechanisms supporting complaint management\n\ntools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms"}]}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","params":[{"id":"pm-27_odp.01","props":[{"name":"alt-identifier","value":"pm-27_prm_1"},{"name":"label","value":"PM-27_ODP[01]","class":"sp800-53a"}],"label":"privacy reports","guidelines":[{"prose":"privacy reports are defined;"}]},{"id":"pm-27_odp.02","props":[{"name":"alt-identifier","value":"pm-27_prm_2"},{"name":"label","value":"PM-27_ODP[02]","class":"sp800-53a"}],"label":"oversight bodies","guidelines":[{"prose":"privacy oversight bodies are defined;"}]},{"id":"pm-27_odp.03","props":[{"name":"alt-identifier","value":"pm-27_prm_3"},{"name":"label","value":"PM-27_ODP[03]","class":"sp800-53a"}],"label":"officials","guidelines":[{"prose":"officials responsible for monitoring privacy program compliance are defined;"}]},{"id":"pm-27_odp.04","props":[{"name":"alt-identifier","value":"pm-27_prm_4"},{"name":"label","value":"PM-27_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating privacy reports is defined;"}]}],"props":[{"name":"label","value":"PM-27"},{"name":"label","value":"PM-27","class":"sp800-53a"},{"name":"sort-id","value":"pm-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop {{ insert: param, pm-27_odp.01 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":" {{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9\/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."},{"id":"pm-27_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-27","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.","class":"sp800-53a"}],"prose":" {{ insert: param, pm-27_odp.01 }} are developed;","parts":[{"id":"pm-27_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.01","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;","links":[{"href":"#pm-27_smt.a.1","rel":"assessment-for"}]},{"id":"pm-27_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[01]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};","links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]},{"id":"pm-27_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[02]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;","links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt.a","rel":"assessment-for"}]},{"id":"pm-27_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-27b.","class":"sp800-53a"}],"prose":"the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.","links":[{"href":"#pm-27_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt","rel":"assessment-for"}]},{"id":"pm-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ninternal and external privacy reports\n\nprivacy program plan\n\nannual senior agency official for privacy reports to OMB\n\nreports to Congress required by law, regulation, or policy, including internal policies\n\nrecords documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance\n\nrecords of review and updates of privacy reports."}]},{"id":"pm-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nlegal counsel."}]}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","params":[{"id":"pm-28_odp.01","props":[{"name":"alt-identifier","value":"pm-28_prm_1"},{"name":"label","value":"PM-28_ODP[01]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"the personnel to receive the results of risk framing activities is\/are defined;"}]},{"id":"pm-28_odp.02","props":[{"name":"alt-identifier","value":"pm-28_prm_2"},{"name":"label","value":"PM-28_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating risk framing considerations is defined;"}]}],"props":[{"name":"label","value":"PM-28"},{"name":"label","value":"PM-28","class":"sp800-53a"},{"name":"sort-id","value":"pm-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance;"}]},{"id":"pm-28_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }} ; and"},{"id":"pm-28_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."},{"id":"pm-28_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-28","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[01]","class":"sp800-53a"}],"prose":"assumptions affecting risk assessments are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[02]","class":"sp800-53a"}],"prose":"assumptions affecting risk responses are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[03]","class":"sp800-53a"}],"prose":"assumptions affecting risk monitoring are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[01]","class":"sp800-53a"}],"prose":"constraints affecting risk assessments are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[02]","class":"sp800-53a"}],"prose":"constraints affecting risk responses are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[03]","class":"sp800-53a"}],"prose":"constraints affecting risk monitoring are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[01]","class":"sp800-53a"}],"prose":"priorities considered by the organization for managing risk are identified and documented;","links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]},{"id":"pm-28_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[02]","class":"sp800-53a"}],"prose":"trade-offs considered by the organization for managing risk are identified and documented;","links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]},{"id":"pm-28_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.04","class":"sp800-53a"}],"prose":"organizational risk tolerance is identified and documented;","links":[{"href":"#pm-28_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a","rel":"assessment-for"}]},{"id":"pm-28_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-28b.","class":"sp800-53a"}],"prose":"the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};","links":[{"href":"#pm-28_smt.b","rel":"assessment-for"}]},{"id":"pm-28_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-28c.","class":"sp800-53a"}],"prose":"risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.","links":[{"href":"#pm-28_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt","rel":"assessment-for"}]},{"id":"pm-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management strategy\n\ndocumentation of risk framing activities\n\npolicies and procedures for risk framing activities\n\nrisk management strategy"}]},{"id":"pm-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel (including mission, business, and system owners or stewards\n\nauthorizing officials\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\nand senior accountable official for risk management)"}]},{"id":"pm-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational processes for risk framing\n\nmechanisms supporting the development, review, update, and approval of risk framing"}]}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","params":[{"id":"pm-31_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.05"}],"label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.07"}],"label":"organization-defined frequency"},{"id":"pm-31_odp.01","props":[{"name":"alt-identifier","value":"pm-31_prm_1"},{"name":"label","value":"PM-31_ODP[01]","class":"sp800-53a"}],"label":"metrics","guidelines":[{"prose":"the metrics for organization-wide continuous monitoring are defined;"}]},{"id":"pm-31_odp.02","props":[{"name":"alt-identifier","value":"pm-31_prm_2"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[02]","class":"sp800-53a"}],"label":"monitoring frequencies","guidelines":[{"prose":"the frequencies for monitoring are defined;"}]},{"id":"pm-31_odp.03","props":[{"name":"alt-identifier","value":"pm-31_prm_3"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[03]","class":"sp800-53a"}],"label":"assessment frequencies","guidelines":[{"prose":"the frequencies for assessing control effectiveness are defined;"}]},{"id":"pm-31_odp.04","props":[{"name":"label","value":"PM-31_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the security status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.05","props":[{"name":"label","value":"PM-31_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the privacy status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.06","props":[{"name":"label","value":"PM-31_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the security status of organizational systems is defined;"}]},{"id":"pm-31_odp.07","props":[{"name":"label","value":"PM-31_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the privacy status of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-31"},{"name":"label","value":"PM-31","class":"sp800-53a"},{"name":"sort-id","value":"pm-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }};"},{"id":"pm-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;"},{"id":"pm-31_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CA-7](#ca-7), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), [SI-4](#si-4)."},{"id":"pm-31_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-31","class":"sp800-53a"}],"prose":"an organization-wide continuous monitoring strategy is developed;","parts":[{"id":"pm-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-31a.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;","links":[{"href":"#pm-31_smt.a","rel":"assessment-for"}]},{"id":"pm-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;","links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]},{"id":"pm-31_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]},{"id":"pm-31_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-31c.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;","links":[{"href":"#pm-31_smt.c","rel":"assessment-for"}]},{"id":"pm-31_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;","links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]},{"id":"pm-31_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;","links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]},{"id":"pm-31_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;","links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]},{"id":"pm-31_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;","links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]},{"id":"pm-31_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};","links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]},{"id":"pm-31_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.","links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt","rel":"assessment-for"}]},{"id":"pm-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management plan\n\ncontinuous monitoring strategy\n\nrisk management strategy\n\ninformation security continuous monitoring program documentation, reporting, metrics, and artifacts\n\ninformation security continuous monitoring program assessment documentation, reporting, metrics, and artifacts\n\nassessment and authorization policy\n\nprocedures addressing the continuous monitoring of controls\n\nprivacy program continuous monitoring documentation, reporting, metrics, and artifacts\n\ncontinuous monitoring program records, security, and privacy impact analyses\n\nstatus reports\n\nrisk response documentation\n\nother relevant documents or records."}]},{"id":"pm-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]},{"id":"pm-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;","links":[{"href":"#ps-6_smt.a","rel":"assessment-for"}]},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};","links":[{"href":"#ps-6_smt.b","rel":"assessment-for"}]},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;","links":[{"href":"#ps-6_smt.c.1","rel":"assessment-for"}]},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.","links":[{"href":"#ps-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt","rel":"assessment-for"}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}]}]},{"id":"pt","class":"family","title":"Personally Identifiable Information Processing and Transparency","controls":[{"id":"pt-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pt-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pt-01_odp.01","props":[{"name":"label","value":"PT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.02","props":[{"name":"label","value":"PT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.03","props":[{"name":"alt-identifier","value":"pt-1_prm_2"},{"name":"label","value":"PT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pt-01_odp.04","props":[{"name":"alt-identifier","value":"pt-1_prm_3"},{"name":"label","value":"PT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personally identifiable information processing and transparency policy and procedures is defined;"}]},{"id":"pt-01_odp.05","props":[{"name":"alt-identifier","value":"pt-1_prm_4"},{"name":"label","value":"PT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;"}]},{"id":"pt-01_odp.06","props":[{"name":"alt-identifier","value":"pt-1_prm_5"},{"name":"label","value":"PT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;"}]},{"id":"pt-01_odp.07","props":[{"name":"alt-identifier","value":"pt-1_prm_6"},{"name":"label","value":"PT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;"}]},{"id":"pt-01_odp.08","props":[{"name":"alt-identifier","value":"pt-1_prm_7"},{"name":"label","value":"PT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PT-1"},{"name":"label","value":"PT-01","class":"sp800-53a"},{"name":"sort-id","value":"pt-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"pt-1_smt","name":"statement","parts":[{"id":"pt-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}:","parts":[{"id":"pt-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that:","parts":[{"id":"pt-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pt-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pt-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;"}]},{"id":"pt-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pt-01_odp.04 }} to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and"},{"id":"pt-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personally identifiable information processing and transparency:","parts":[{"id":"pt-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pt-01_odp.05 }} and following {{ insert: param, pt-01_odp.06 }} ; and"},{"id":"pt-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pt-01_odp.07 }} and following {{ insert: param, pt-01_odp.08 }}."}]}]},{"id":"pt-1_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pt-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[01]","class":"sp800-53a"}],"prose":"a personally identifiable information processing and transparency policy is developed and documented;","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[02]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[03]","class":"sp800-53a"}],"prose":"personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[04]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pt-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;","links":[{"href":"#pt-1_smt.b","rel":"assessment-for"}]},{"id":"pt-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};","links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]},{"id":"pt-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};","links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]},{"id":"pt-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};","links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]},{"id":"pt-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.","links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt","rel":"assessment-for"}]},{"id":"pt-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"pt-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pt-2","class":"SP800-53","title":"Authority to Process Personally Identifiable Information","params":[{"id":"pt-02_odp.01","props":[{"name":"alt-identifier","value":"pt-2_prm_1"},{"name":"label","value":"PT-02_ODP[01]","class":"sp800-53a"}],"label":"authority","guidelines":[{"prose":"the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;"}]},{"id":"pt-02_odp.02","props":[{"name":"alt-identifier","value":"pt-2_prm_2"},{"name":"label","value":"PT-02_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information is defined;"}]},{"id":"pt-02_odp.03","props":[{"name":"alt-identifier","value":"pt-2_prm_3"},{"name":"label","value":"PT-02_ODP[03]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information to be restricted is defined;"}]}],"props":[{"name":"label","value":"PT-2"},{"name":"label","value":"PT-02","class":"sp800-53a"},{"name":"sort-id","value":"pt-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-2_smt","name":"statement","parts":[{"id":"pt-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and"},{"id":"pt-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized."}]},{"id":"pt-2_gdn","name":"guidance","prose":"The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\n\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\n\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.\n\nOrganizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information."},{"id":"pt-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02","class":"sp800-53a"}],"parts":[{"id":"pt-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-02a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;","links":[{"href":"#pt-2_smt.a","rel":"assessment-for"}]},{"id":"pt-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-02b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.","links":[{"href":"#pt-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-2_smt","rel":"assessment-for"}]},{"id":"pt-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}]},{"id":"pt-3","class":"SP800-53","title":"Personally Identifiable Information Processing Purposes","params":[{"id":"pt-03_odp.01","props":[{"name":"alt-identifier","value":"pt-3_prm_1"},{"name":"label","value":"PT-03_ODP[01]","class":"sp800-53a"}],"label":"purpose(s)","guidelines":[{"prose":"the purpose(s) for processing personally identifiable information is\/are defined;"}]},{"id":"pt-03_odp.02","props":[{"name":"alt-identifier","value":"pt-3_prm_2"},{"name":"label","value":"PT-03_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the processing of personally identifiable information to be restricted is defined;"}]},{"id":"pt-03_odp.03","props":[{"name":"alt-identifier","value":"pt-3_prm_3"},{"name":"label","value":"PT-03_ODP[03]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;"}]},{"id":"pt-03_odp.04","props":[{"name":"alt-identifier","value":"pt-3_prm_4"},{"name":"label","value":"PT-03_ODP[04]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for changing the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3"},{"name":"label","value":"PT-03","class":"sp800-53a"},{"name":"sort-id","value":"pt-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-3_smt","name":"statement","parts":[{"id":"pt-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information;"},{"id":"pt-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Describe the purpose(s) in the public privacy notices and policies of the organization;"},{"id":"pt-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and"},{"id":"pt-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]},{"id":"pt-3_gdn","name":"guidance","prose":"Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term \"process\" includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching notices, and other applicable Federal Register notices.\n\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\n\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes."},{"id":"pt-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-03a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is\/are identified and documented;","links":[{"href":"#pt-3_smt.a","rel":"assessment-for"}]},{"id":"pt-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[01]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the public privacy notices of the organization;","links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]},{"id":"pt-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[02]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the policies of the organization;","links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]},{"id":"pt-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-03c.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);","links":[{"href":"#pt-3_smt.c","rel":"assessment-for"}]},{"id":"pt-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[01]","class":"sp800-53a"}],"prose":"changes in the processing of personally identifiable information are monitored;","links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]},{"id":"pt-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[02]","class":"sp800-53a"}],"prose":" {{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.","links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt","rel":"assessment-for"}]},{"id":"pt-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconfiguration management plan\n\norganizational privacy notices\n\norganizational policies\n\nPrivacy Act statements\n\ncomputer matching notices\n\napplicable Federal Register notices\n\ndocumented requirements for enforcing and monitoring the processing of personally identifiable information\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the management of authorized personally identifiable information processing\n\norganizational processes for monitoring changes in processing personally identifiable information"}]}]},{"id":"pt-4","class":"SP800-53","title":"Consent","params":[{"id":"pt-04_odp","props":[{"name":"alt-identifier","value":"pt-4_prm_1"},{"name":"label","value":"PT-04_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4"},{"name":"label","value":"PT-04","class":"sp800-53a"},{"name":"sort-id","value":"pt-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-4_smt","name":"statement","prose":"Implement {{ insert: param, pt-04_odp }} for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_gdn","name":"guidance","prose":"Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon."},{"id":"pt-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.","links":[{"href":"#pt-4_smt","rel":"assessment-for"}]},{"id":"pt-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nevidence of individuals’ consent\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nconsent tools or mechanisms for users to authorize the processing of their personally identifiable information\n\nmechanisms implementing consent"}]}]},{"id":"pt-5","class":"SP800-53","title":"Privacy Notice","params":[{"id":"pt-05_odp.01","props":[{"name":"alt-identifier","value":"pt-5_prm_1"},{"name":"label","value":"PT-05_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;"}]},{"id":"pt-05_odp.02","props":[{"name":"alt-identifier","value":"pt-5_prm_2"},{"name":"label","value":"PT-05_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included with the notice about the processing of personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PT-5"},{"name":"label","value":"PT-05","class":"sp800-53a"},{"name":"sort-id","value":"pt-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-20","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-5_smt","name":"statement","prose":"Provide notice to individuals about the processing of personally identifiable information that:","parts":[{"id":"pt-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};"},{"id":"pt-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;"},{"id":"pt-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies the authority that authorizes the processing of personally identifiable information;"},{"id":"pt-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Identifies the purposes for which personally identifiable information is to be processed; and"},{"id":"pt-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Includes {{ insert: param, pt-05_odp.02 }}."}]},{"id":"pt-5_gdn","name":"guidance","prose":"Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\n\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon."},{"id":"pt-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[01]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;","links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]},{"id":"pt-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[02]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};","links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]},{"id":"pt-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-05b.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;","links":[{"href":"#pt-5_smt.b","rel":"assessment-for"}]},{"id":"pt-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-05c.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;","links":[{"href":"#pt-5_smt.c","rel":"assessment-for"}]},{"id":"pt-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-05d.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;","links":[{"href":"#pt-5_smt.d","rel":"assessment-for"}]},{"id":"pt-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-05e.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.","links":[{"href":"#pt-5_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-5_smt","rel":"assessment-for"}]},{"id":"pt-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}],"controls":[{"id":"pt-5.2","class":"SP800-53-enhancement","title":"Privacy Act Statements","props":[{"name":"label","value":"PT-5(2)"},{"name":"label","value":"PT-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"pt-5.2_smt","name":"statement","prose":"Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals."},{"id":"pt-5.2_gdn","name":"guidance","prose":"If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n\n [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)."},{"id":"pt-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(02)","class":"sp800-53a"}],"prose":"Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.","links":[{"href":"#pt-5.2_smt","rel":"assessment-for"}]},{"id":"pt-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nforms that include Privacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals"}]}]}]},{"id":"pt-6","class":"SP800-53","title":"System of Records Notice","props":[{"name":"label","value":"PT-6"},{"name":"label","value":"PT-06","class":"sp800-53a"},{"name":"sort-id","value":"pt-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-6_smt","name":"statement","prose":"For systems that process information that will be maintained in a Privacy Act system of records:","parts":[{"id":"pt-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;"},{"id":"pt-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Publish system of records notices in the Federal Register; and"},{"id":"pt-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Keep system of records notices accurate, up-to-date, and scoped in accordance with policy."}]},{"id":"pt-6_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and\/or modification of a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108](#3671ff20-c17c-44d6-8a88-7de203fa74aa)."},{"id":"pt-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[01]","class":"sp800-53a"}],"prose":"system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]},{"id":"pt-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[02]","class":"sp800-53a"}],"prose":"new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]},{"id":"pt-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-06b.","class":"sp800-53a"}],"prose":"system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.b","rel":"assessment-for"}]},{"id":"pt-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-06c.","class":"sp800-53a"}],"prose":"system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.","links":[{"href":"#pt-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-6_smt","rel":"assessment-for"}]},{"id":"pt-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}],"controls":[{"id":"pt-6.1","class":"SP800-53-enhancement","title":"Routine Uses","params":[{"id":"pt-06.01_odp","props":[{"name":"alt-identifier","value":"pt-6.1_prm_1"},{"name":"label","value":"PT-06(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all routine uses published in the system of records notice is defined;"}]}],"props":[{"name":"label","value":"PT-6(1)"},{"name":"label","value":"PT-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.1_smt","name":"statement","prose":"Review all routine uses published in the system of records notice at {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_gdn","name":"guidance","prose":"A [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice."},{"id":"pt-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(01)","class":"sp800-53a"}],"prose":"all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.","links":[{"href":"#pt-6.1_smt","rel":"assessment-for"}]},{"id":"pt-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing system of records notices"}]}]},{"id":"pt-6.2","class":"SP800-53-enhancement","title":"Exemption Rules","params":[{"id":"pt-06.02_odp","props":[{"name":"alt-identifier","value":"pt-6.2_prm_1"},{"name":"label","value":"PT-06(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;"}]}],"props":[{"name":"label","value":"PT-6(2)"},{"name":"label","value":"PT-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.2_smt","name":"statement","prose":"Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice."},{"id":"pt-6.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . At a minimum, organizations’ [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate."},{"id":"pt-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)","class":"sp800-53a"}],"parts":[{"id":"pt-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[01]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[02]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[03]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nPrivacy Act exemptions\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}]}]},{"id":"pt-7","class":"SP800-53","title":"Specific Categories of Personally Identifiable Information","params":[{"id":"pt-07_odp","props":[{"name":"alt-identifier","value":"pt-7_prm_1"},{"name":"label","value":"PT-07_ODP","class":"sp800-53a"}],"label":"processing conditions","guidelines":[{"prose":"processing conditions to be applied for specific categories of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-7"},{"name":"label","value":"PT-07","class":"sp800-53a"},{"name":"sort-id","value":"pt-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pt-7_smt","name":"statement","prose":"Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information."},{"id":"pt-7_gdn","name":"guidance","prose":"Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary."},{"id":"pt-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07","class":"sp800-53a"}],"prose":" {{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.","links":[{"href":"#pt-7_smt","rel":"assessment-for"}]},{"id":"pt-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\ncomputer matching agreements and notices\n\ncontracts\n\nprivacy information sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}],"controls":[{"id":"pt-7.1","class":"SP800-53-enhancement","title":"Social Security Numbers","props":[{"name":"label","value":"PT-7(1)"},{"name":"label","value":"PT-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"},{"href":"#ia-4","rel":"related"}],"parts":[{"id":"pt-7.1_smt","name":"statement","prose":"When a system processes Social Security numbers:","parts":[{"id":"pt-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;"},{"id":"pt-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and"},{"id":"pt-7.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it."}]},{"id":"pt-7.1_gdn","name":"guidance","prose":"Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply."},{"id":"pt-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;","links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]},{"id":"pt-7.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;","links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]},{"id":"pt-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(b)","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;","links":[{"href":"#pt-7.1_smt.b","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[03]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt","rel":"assessment-for"}]},{"id":"pt-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy notice\n\nseparate notice regarding the use of Social Security numbers\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers\n\nimplementation of an alternative to Social Security numbers as identifiers"}]}]},{"id":"pt-7.2","class":"SP800-53-enhancement","title":"First Amendment Information","props":[{"name":"label","value":"PT-7(2)"},{"name":"label","value":"PT-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"}],"parts":[{"id":"pt-7.2_smt","name":"statement","prose":"Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements."},{"id":"pt-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(02)","class":"sp800-53a"}],"prose":"the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.","links":[{"href":"#pt-7.2_smt","rel":"assessment-for"}]},{"id":"pt-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}]}]},{"id":"pt-8","class":"SP800-53","title":"Computer Matching Requirements","props":[{"name":"label","value":"PT-8"},{"name":"label","value":"PT-08","class":"sp800-53a"},{"name":"sort-id","value":"pt-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#94c64e1a-456c-457f-86da-83ac0dfc85ac","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-24","rel":"related"}],"parts":[{"id":"pt-8_smt","name":"statement","prose":"When a system or organization processes information for the purpose of conducting a matching program:","parts":[{"id":"pt-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain approval from the Data Integrity Board to conduct the matching program;"},{"id":"pt-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop and enter into a computer matching agreement;"},{"id":"pt-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Publish a matching notice in the Federal Register;"},{"id":"pt-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and"},{"id":"pt-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual."}]},{"id":"pt-8_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any."},{"id":"pt-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-08","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-08a.","class":"sp800-53a"}],"prose":"approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.a","rel":"assessment-for"}]},{"id":"pt-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[01]","class":"sp800-53a"}],"prose":"a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]},{"id":"pt-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[02]","class":"sp800-53a"}],"prose":"a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]},{"id":"pt-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-08c.","class":"sp800-53a"}],"prose":"a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.c","rel":"assessment-for"}]},{"id":"pt-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-08d.","class":"sp800-53a"}],"prose":"the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.d","rel":"assessment-for"}]},{"id":"pt-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[01]","class":"sp800-53a"}],"prose":"individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]},{"id":"pt-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[02]","class":"sp800-53a"}],"prose":"individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.","links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt","rel":"assessment-for"}]},{"id":"pt-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nData Integrity Board determinations\n\ncontracts\n\ninformation sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing\n\nmatching program"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ra-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;","links":[{"href":"#ra-1_smt.b","rel":"assessment-for"}]},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt","rel":"assessment-for"}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report"," {{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;","links":[{"href":"#ra-3_smt.a.1","rel":"assessment-for"}]},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;","links":[{"href":"#ra-3_smt.a.2","rel":"assessment-for"}]},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;","links":[{"href":"#ra-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt.a","rel":"assessment-for"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;","links":[{"href":"#ra-3_smt.b","rel":"assessment-for"}]},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};","links":[{"href":"#ra-3_smt.c","rel":"assessment-for"}]},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};","links":[{"href":"#ra-3_smt.d","rel":"assessment-for"}]},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};","links":[{"href":"#ra-3_smt.e","rel":"assessment-for"}]},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.","links":[{"href":"#ra-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt","rel":"assessment-for"}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance.","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-8","class":"SP800-53","title":"Privacy Impact Assessments","props":[{"name":"label","value":"RA-8"},{"name":"label","value":"RA-08","class":"sp800-53a"},{"name":"sort-id","value":"ra-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#7b0b9634-741a-4335-b6fa-161228c3a76e","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d229ae60-51dd-4d7b-a8bf-1f7195cc7561","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ra-8_smt","name":"statement","prose":"Conduct privacy impact assessments for systems, programs, or other activities before:","parts":[{"id":"ra-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Developing or procuring information technology that processes personally identifiable information; and"},{"id":"ra-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiating a new collection of personally identifiable information that:","parts":[{"id":"ra-8_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Will be processed using information technology; and"},{"id":"ra-8_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_gdn","name":"guidance","prose":"A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.\n\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\n\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV](#7b0b9634-741a-4335-b6fa-161228c3a76e) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision."},{"id":"ra-8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-08","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-08a.","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;","links":[{"href":"#ra-8_smt.a","rel":"assessment-for"}]},{"id":"ra-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[01]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;","links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]},{"id":"ra-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[02]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.","links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-8_smt","rel":"assessment-for"}]},{"id":"ra-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy risk assessment reports\n\nacquisitions documents\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nprogram managers\n\nlegal counsel\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sa-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;","links":[{"href":"#sa-1_smt.b","rel":"assessment-for"}]},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt","rel":"assessment-for"}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation.","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt","rel":"assessment-for"}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities.","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt","rel":"assessment-for"}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language"," {{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.b","rel":"assessment-for"}]},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.g","rel":"assessment-for"}]},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.","links":[{"href":"#sa-4_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt","rel":"assessment-for"}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":" {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}],"controls":[{"id":"sa-8.33","class":"SP800-53-enhancement","title":"Minimization","params":[{"id":"sa-08.33_odp","props":[{"name":"alt-identifier","value":"sa-8.33_prm_1"},{"name":"label","value":"SA-08(33)_ODP","class":"sp800-53a"}],"label":"processes","guidelines":[{"prose":"processes that implement the privacy principle of minimization are defined;"}]}],"props":[{"name":"label","value":"SA-8(33)"},{"name":"label","value":"SA-08(33)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.33"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#pe-8","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-8.33_smt","name":"statement","prose":"Implement the privacy principle of minimization using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_gdn","name":"guidance","prose":"The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization."},{"id":"sa-8.33_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(33)","class":"sp800-53a"}],"prose":"the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.","links":[{"href":"#sa-8.33_smt","rel":"assessment-for"}]},{"id":"sa-8.33_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(33)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing the minimization of personally identifiable information in system design\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\ninformation security and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.33_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(33)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.33_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(33)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security and privacy policy\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":" {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.","links":[{"href":"#sa-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt","rel":"assessment-for"}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};","links":[{"href":"#sa-11_smt.b","rel":"assessment-for"}]},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;","links":[{"href":"#sa-11_smt.d","rel":"assessment-for"}]},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.","links":[{"href":"#sa-11_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt","rel":"assessment-for"}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;","links":[{"href":"#sc-7_smt.b","rel":"assessment-for"}]},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","links":[{"href":"#sc-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt","rel":"assessment-for"}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.24","class":"SP800-53-enhancement","title":"Personally Identifiable Information","params":[{"id":"sc-07.24_odp","props":[{"name":"alt-identifier","value":"sc-7.24_prm_1"},{"name":"label","value":"SC-07(24)_ODP","class":"sp800-53a"}],"label":"processing rules","guidelines":[{"prose":"processing rules for systems that process personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-7(24)"},{"name":"label","value":"SC-07(24)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"sc-7.24_smt","name":"statement","prose":"For systems that process personally identifiable information:","parts":[{"id":"sc-7.24_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};"},{"id":"sc-7.24_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"},{"id":"sc-7.24_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Document each processing exception; and"},{"id":"sc-7.24_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Review and remove exceptions that are no longer supported."}]},{"id":"sc-7.24_gdn","name":"guidance","prose":"Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements."},{"id":"sc-7.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(a)","class":"sp800-53a"}],"prose":" {{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.a","rel":"assessment-for"}]},{"id":"sc-7.24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[01]","class":"sp800-53a"}],"prose":"permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]},{"id":"sc-7.24_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[02]","class":"sp800-53a"}],"prose":"permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]},{"id":"sc-7.24_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(c)","class":"sp800-53a"}],"prose":"each processing exception is documented for systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.c","rel":"assessment-for"}]},{"id":"sc-7.24_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[01]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information are reviewed;","links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]},{"id":"sc-7.24_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[02]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information that are no longer supported are removed.","links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt","rel":"assessment-for"}]},{"id":"sc-7.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\npersonally identifiable information processing policies\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security and privacy architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information inventory documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sc-7.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":" {{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#si-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;","links":[{"href":"#si-1_smt.b","rel":"assessment-for"}]},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt","rel":"assessment-for"}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.","links":[{"href":"#si-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}],"controls":[{"id":"si-12.1","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"si-12.01_odp","props":[{"name":"alt-identifier","value":"si-12.1_prm_1"},{"name":"label","value":"SI-12(01)_ODP","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information being processed in the information life cycle are defined;"}]}],"props":[{"name":"label","value":"SI-12(1)"},{"name":"label","value":"SI-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-12.1_smt","name":"statement","prose":"Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_gdn","name":"guidance","prose":"Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk."},{"id":"si-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(01)","class":"sp800-53a"}],"prose":"personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.","links":[{"href":"#si-12.1_smt","rel":"assessment-for"}]},{"id":"si-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"si-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management and retention (including limiting personally identifiable information processing)\n\nautomated mechanisms supporting and\/or implementing limits to personally identifiable information processing"}]}]},{"id":"si-12.2","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","params":[{"id":"si-12.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.02_odp.01","props":[{"name":"label","value":"SI-12(02)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for research are defined;"}]},{"id":"si-12.02_odp.02","props":[{"name":"label","value":"SI-12(02)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for testing are defined;"}]},{"id":"si-12.02_odp.03","props":[{"name":"label","value":"SI-12(02)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for training are defined;"}]}],"props":[{"name":"label","value":"SI-12(2)"},{"name":"label","value":"SI-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-22","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"si-12.2_smt","name":"statement","prose":"Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ insert: param, si-12.2_prm_1 }}."},{"id":"si-12.2_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them."},{"id":"si-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)","class":"sp800-53a"}],"parts":[{"id":"si-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research\n\npolicy for the minimization of personally identifiable information used in testing, training, and research\n\nprocedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting minimization policy implementation (e.g., templates for testing, training, and research)\n\ndata sets used for testing, training, and research\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"si-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information used in testing, training, and research\n\nautomated mechanisms supporting and\/or implementing the minimization of personally identifiable information used in testing, training, and research"}]}]},{"id":"si-12.3","class":"SP800-53-enhancement","title":"Information Disposal","params":[{"id":"si-12.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.03_odp.01","props":[{"name":"label","value":"SI-12(03)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to dispose of information following the retention period are defined;"}]},{"id":"si-12.03_odp.02","props":[{"name":"label","value":"SI-12(03)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to destroy information following the retention period are defined;"}]},{"id":"si-12.03_odp.03","props":[{"name":"label","value":"SI-12(03)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to erase information following the retention period are defined;"}]}],"props":[{"name":"label","value":"SI-12(3)"},{"name":"label","value":"SI-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"}],"parts":[{"id":"si-12.3_smt","name":"statement","prose":"Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ insert: param, si-12.3_prm_1 }}."},{"id":"si-12.3_gdn","name":"guidance","prose":"Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information."},{"id":"si-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)","class":"sp800-53a"}],"parts":[{"id":"si-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[01]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[02]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[03]","class":"sp800-53a"}],"prose":" {{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nlaws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal\n\nmedia protection policy\n\nmedia protection procedures\n\nsystem audit records\n\naudit findings\n\ninformation disposal records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information disposition\n\nautomated mechanisms supporting and\/or implementing information disposition"}]}]}]},{"id":"si-18","class":"SP800-53","title":"Personally Identifiable Information Quality Operations","params":[{"id":"si-18_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.04"}],"label":"organization-defined frequency"},{"id":"si-18_odp.01","props":[{"name":"label","value":"SI-18_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.02","props":[{"name":"label","value":"SI-18_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.03","props":[{"name":"label","value":"SI-18_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.04","props":[{"name":"label","value":"SI-18_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;"}]}],"props":[{"name":"label","value":"SI-18"},{"name":"label","value":"SI-18","class":"sp800-53a"},{"name":"sort-id","value":"si-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-18_smt","name":"statement","parts":[{"id":"si-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ insert: param, si-18_prm_1 }} ; and"},{"id":"si-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correct or delete inaccurate or outdated personally identifiable information."}]},{"id":"si-18_gdn","name":"guidance","prose":"Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes."},{"id":"si-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[01]","class":"sp800-53a"}],"prose":"the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[02]","class":"sp800-53a"}],"prose":"the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[03]","class":"sp800-53a"}],"prose":"the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[04]","class":"sp800-53a"}],"prose":"the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-18b.","class":"sp800-53a"}],"prose":"inaccurate or outdated personally identifiable information is corrected or deleted.","links":[{"href":"#si-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-18_smt","rel":"assessment-for"}]},{"id":"si-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"si-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}],"controls":[{"id":"si-18.4","class":"SP800-53-enhancement","title":"Individual Requests","props":[{"name":"label","value":"SI-18(4)"},{"name":"label","value":"SI-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.4_smt","name":"statement","prose":"Correct or delete personally identifiable information upon request by individuals or their designated representatives."},{"id":"si-18.4_gdn","name":"guidance","prose":"Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion."},{"id":"si-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(04)","class":"sp800-53a"}],"prose":"personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.","links":[{"href":"#si-18.4_smt","rel":"assessment-for"}]},{"id":"si-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests\n\nrecords of correction or deletion actions performed\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Request mechanisms\n\nautomated mechanisms supporting and\/or implementing individual requests for correction or deletion"}]}]}]},{"id":"si-19","class":"SP800-53","title":"De-identification","params":[{"id":"si-19_odp.01","props":[{"name":"alt-identifier","value":"si-19_prm_1"},{"name":"alt-label","value":"elements of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-19_ODP[01]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to be removed from datasets are defined;"}]},{"id":"si-19_odp.02","props":[{"name":"alt-identifier","value":"si-19_prm_2"},{"name":"label","value":"SI-19_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to evaluate the effectiveness of de-identification is defined;"}]}],"props":[{"name":"label","value":"SI-19"},{"name":"label","value":"SI-19","class":"sp800-53a"},{"name":"sort-id","value":"si-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#mp-6","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-19_smt","name":"statement","parts":[{"id":"si-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Remove the following elements of personally identifiable information from datasets: {{ insert: param, si-19_odp.01 }} ; and"},{"id":"si-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Evaluate {{ insert: param, si-19_odp.02 }} for effectiveness of de-identification."}]},{"id":"si-19_gdn","name":"guidance","prose":"De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk."},{"id":"si-19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19","class":"sp800-53a"}],"parts":[{"id":"si-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-19a.","class":"sp800-53a"}],"prose":" {{ insert: param, si-19_odp.01 }} are removed from datasets;","links":[{"href":"#si-19_smt.a","rel":"assessment-for"}]},{"id":"si-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-19b.","class":"sp800-53a"}],"prose":"the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.","links":[{"href":"#si-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-19_smt","rel":"assessment-for"}]},{"id":"si-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndatasets with personally identifiable information removed\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for identifying unnecessary identifiers\n\norganizational personnel responsible for removing personally identifiable information from datasets\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":" \"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"94c64e1a-456c-457f-86da-83ac0dfc85ac","title":"CMPPA","citation":{"text":"Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-102\/pdf\/STATUTE-102-Pg2507.pdf"}]},{"uuid":"b9951d04-6385-478c-b1a3-ab68c19d9041","title":"DHS NIPP","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)* , 2009."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/xlibrary\/assets\/NIPP_Plan.pdf"}]},{"uuid":"7b0b9634-741a-4335-b6fa-161228c3a76e","title":"EGOV","citation":{"text":"E-Government Act [includes FISMA] (P.L. 107-347), December 2002. "},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ347\/PLAW-107publ347.pdf"}]},{"uuid":"3406fdc0-d61c-44a9-a5ca-84180544c83a","title":"EO 13636","citation":{"text":"Executive Order 13636, *Improving Critical Infrastructure Cybersecurity* , February 2013."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/executive-order-improving-critical-infrastructure-cybersecurity"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"488d6934-00b2-4252-bf23-1b3c2d71eb13","title":"HSPD 7","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection* , December 2003."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-7"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"3671ff20-c17c-44d6-8a88-7de203fa74aa","title":"OMB A-108","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A108\/omb_circular_a-108.pdf"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"d229ae60-51dd-4d7b-a8bf-1f7195cc7561","title":"OMB M-03-22","citation":{"text":"Office of Management and Budget Memorandum M-03-22, *OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002* , September 2003. [https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf](https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf) "},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf"}]},{"uuid":"206a3284-6a7e-423c-8ea9-25b22542541d","title":"OMB M-17-06","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/m-17-06.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"227063d4-431e-435f-9e8f-009b6dbc20f4","title":"OMB M-19-15","citation":{"text":"Office of Management and Budget Memorandum M-19-15, *Improving Implementation of the Information Quality Act* , April 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/04\/M-19-15.pdf"}]},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","title":"SP 800-188","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-188\/draft"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"7798067b-4ed0-4adc-a505-79dad4741693","title":"SP 800-55","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-55r1"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.json
index d34f4538..61adc2bc 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.json
@@ -1,10 +1,10 @@
 {
   "catalog": {
-    "uuid": "b59abead-41dd-4ba4-818d-b2ce8ca7b80e",
+    "uuid": "f8f8bd60-df08-46cc-8083-cf001f43ea6a",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE",
-      "last-modified": "2023-11-02T11:49:42.694597-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE",
+      "last-modified": "2023-12-05T21:54:56.105295Z",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "props": [
         {
@@ -468,7 +468,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an access control policy is developed and documented;"
+                        "prose": "an access control policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-2",
@@ -480,7 +486,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
+                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-3",
@@ -492,7 +504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"
+                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-4",
@@ -504,7 +522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"
+                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a.1",
@@ -538,7 +562,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-2",
@@ -550,7 +580,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-3",
@@ -562,7 +598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-4",
@@ -574,7 +616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-5",
@@ -586,7 +634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-6",
@@ -598,7 +652,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-7",
@@ -610,7 +670,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -624,10 +696,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -640,7 +730,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"
+                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-1_obj.c",
@@ -674,7 +770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"
+                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.1-2",
@@ -686,7 +788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"
+                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -711,7 +825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"
+                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.2-2",
@@ -723,12 +843,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."
+                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -930,6 +1074,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-3",
                 "rel": "related"
@@ -1028,7 +1176,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."
+                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
+                "links": [
+                  {
+                    "href": "#ac-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-3_asm-examine",
@@ -1211,7 +1365,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information."
+                    "prose": " {{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.",
+                    "links": [
+                      {
+                        "href": "#ac-3.14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.14_asm-examine",
@@ -1678,7 +1838,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an awareness and training policy is developed and documented; "
+                        "prose": "an awareness and training policy is developed and documented; ",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-2",
@@ -1690,7 +1856,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"
+                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-3",
@@ -1702,7 +1874,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"
+                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-4",
@@ -1714,7 +1892,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."
+                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a.1",
@@ -1748,7 +1932,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-2",
@@ -1760,7 +1950,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-3",
@@ -1772,7 +1968,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-4",
@@ -1784,7 +1986,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-5",
@@ -1796,7 +2004,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-6",
@@ -1808,7 +2022,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-7",
@@ -1820,7 +2040,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -1834,10 +2066,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"
+                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -1850,7 +2100,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"
+                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#at-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-1_obj.c",
@@ -1884,7 +2140,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "
+                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.1-2",
@@ -1896,7 +2158,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"
+                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -1921,7 +2195,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"
+                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.2-2",
@@ -1933,12 +2213,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."
+                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#at-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -2387,7 +2691,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-2",
@@ -2399,7 +2709,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-3",
@@ -2411,7 +2727,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-4",
@@ -2423,7 +2745,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -2448,7 +2782,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.2-2",
@@ -2460,10 +2800,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -2476,7 +2834,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"
+                    "prose": " {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2_obj.c",
@@ -2499,7 +2863,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"
+                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2_obj.c-2",
@@ -2511,7 +2881,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"
+                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2525,7 +2907,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -2950,7 +3344,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-2",
@@ -2962,7 +3362,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-3",
@@ -2974,7 +3380,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-4",
@@ -2986,7 +3398,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -3011,7 +3435,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.2-2",
@@ -3023,10 +3453,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -3050,7 +3498,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};"
+                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3_obj.b-2",
@@ -3062,7 +3516,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};"
+                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3076,7 +3542,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
+                    "links": [
+                      {
+                        "href": "#at-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -3262,7 +3740,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls."
+                    "prose": " {{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.",
+                    "links": [
+                      {
+                        "href": "#at-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-3.5_asm-examine",
@@ -3459,7 +3943,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-4_obj.a-2",
@@ -3471,7 +3961,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3485,7 +3987,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}."
+                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#at-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -3944,7 +4458,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit and accountability policy is developed and documented;"
+                        "prose": "an audit and accountability policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-2",
@@ -3956,7 +4476,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"
+                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-3",
@@ -3968,7 +4494,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"
+                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-4",
@@ -3980,7 +4512,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"
+                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a.1",
@@ -4014,7 +4552,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-2",
@@ -4026,7 +4570,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-3",
@@ -4038,7 +4588,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-4",
@@ -4050,7 +4606,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-5",
@@ -4062,7 +4624,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-6",
@@ -4074,7 +4642,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-7",
@@ -4086,7 +4660,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -4100,10 +4686,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -4116,7 +4720,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"
+                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#au-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-1_obj.c",
@@ -4150,7 +4760,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.1-2",
@@ -4162,7 +4778,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -4187,7 +4815,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"
+                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.2-2",
@@ -4199,12 +4833,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."
+                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -4606,7 +5264,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"
+                    "prose": " {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.b",
@@ -4618,7 +5282,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.c",
@@ -4641,7 +5311,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;"
+                        "prose": " {{ insert: param, au-02_odp.02 }} are specified for logging within the system;",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-2_obj.c-2",
@@ -4653,7 +5329,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"
+                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4667,7 +5355,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"
+                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.e",
@@ -4679,7 +5373,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."
+                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -4921,7 +5627,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes what type of event occurred;"
+                    "prose": "audit records contain information that establishes what type of event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.b",
@@ -4933,7 +5645,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes when the event occurred;"
+                    "prose": "audit records contain information that establishes when the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.c",
@@ -4945,7 +5663,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes where the event occurred;"
+                    "prose": "audit records contain information that establishes where the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.d",
@@ -4957,7 +5681,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the source of the event;"
+                    "prose": "audit records contain information that establishes the source of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.e",
@@ -4969,7 +5699,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the outcome of the event;"
+                    "prose": "audit records contain information that establishes the outcome of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.f",
@@ -4981,7 +5717,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event."
+                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -5130,7 +5878,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment."
+                    "prose": "personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.",
+                    "links": [
+                      {
+                        "href": "#au-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3.3_asm-examine",
@@ -5316,7 +6070,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+                "links": [
+                  {
+                    "href": "#au-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-11_asm-examine",
@@ -5775,7 +6535,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;"
+                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-2",
@@ -5787,7 +6553,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"
+                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-3",
@@ -5799,7 +6571,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"
+                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-4",
@@ -5811,7 +6589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"
+                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a.1",
@@ -5845,7 +6629,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-2",
@@ -5857,7 +6647,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-3",
@@ -5869,7 +6665,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-4",
@@ -5881,7 +6683,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-5",
@@ -5893,7 +6701,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-6",
@@ -5905,7 +6719,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-7",
@@ -5917,7 +6737,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -5931,10 +6763,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -5947,7 +6797,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"
+                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-1_obj.c",
@@ -5981,7 +6837,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.1-2",
@@ -5993,7 +6855,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -6018,7 +6892,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.2-2",
@@ -6030,12 +6910,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -6388,7 +7292,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"
+                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.b",
@@ -6411,7 +7321,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.2",
@@ -6423,7 +7339,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.3",
@@ -6446,7 +7368,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-2",
@@ -6458,7 +7386,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-3",
@@ -6470,10 +7404,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -6486,7 +7438,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"
+                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.d",
@@ -6509,7 +7467,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.d-2",
@@ -6521,7 +7485,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6535,7 +7511,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a control assessment report is produced that documents the results of the assessment;"
+                    "prose": "a control assessment report is produced that documents the results of the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.f",
@@ -6547,7 +7529,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."
+                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -6763,7 +7757,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"
+                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5_obj.b",
@@ -6775,7 +7775,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."
+                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7056,7 +8068,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for the system;"
+                    "prose": "a senior official is assigned as the authorizing official for the system;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.b",
@@ -7068,7 +8086,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"
+                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.c",
@@ -7091,7 +8115,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"
+                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6_obj.c.2",
@@ -7103,7 +8133,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;"
+                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7117,7 +8159,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"
+                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.e",
@@ -7129,7 +8177,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}."
+                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -7737,7 +8797,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-level continuous monitoring strategy is developed;"
+                    "prose": "a system-level continuous monitoring strategy is developed;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj-2",
@@ -7749,7 +8815,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.a",
@@ -7761,7 +8833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"
+                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.b",
@@ -7784,7 +8862,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.b-2",
@@ -7796,7 +8880,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7810,7 +8906,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.d",
@@ -7822,7 +8924,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.e",
@@ -7834,7 +8942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"
+                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.f",
@@ -7846,7 +8960,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"
+                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.g",
@@ -7869,7 +8989,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"
+                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.g-2",
@@ -7881,10 +9007,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."
+                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -8063,7 +9207,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "effectiveness monitoring is included in risk monitoring;"
+                        "prose": "effectiveness monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.b",
@@ -8075,7 +9225,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance monitoring is included in risk monitoring;"
+                        "prose": "compliance monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.c",
@@ -8087,7 +9243,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "change monitoring is included in risk monitoring."
+                        "prose": "change monitoring is included in risk monitoring.",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8556,7 +9724,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a configuration management policy is developed and documented;"
+                        "prose": "a configuration management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-2",
@@ -8568,7 +9742,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"
+                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-3",
@@ -8580,7 +9760,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"
+                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-4",
@@ -8592,7 +9778,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"
+                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a.1",
@@ -8626,7 +9818,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-2",
@@ -8638,7 +9836,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-3",
@@ -8650,7 +9854,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-4",
@@ -8662,7 +9872,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-5",
@@ -8674,7 +9890,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-6",
@@ -8686,7 +9908,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-7",
@@ -8698,7 +9926,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -8712,10 +9952,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -8728,7 +9986,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"
+                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-1_obj.c",
@@ -8762,7 +10026,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "
+                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.1-2",
@@ -8774,7 +10044,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"
+                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -8799,7 +10081,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "
+                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.2-2",
@@ -8811,12 +10099,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."
+                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -8980,7 +10292,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;"
+                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-4_obj-2",
@@ -8992,7 +10310,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation."
+                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -9467,7 +10797,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response policy is developed and documented;"
+                        "prose": "an incident response policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-2",
@@ -9479,7 +10815,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"
+                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-3",
@@ -9491,7 +10833,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"
+                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-4",
@@ -9503,7 +10851,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"
+                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a.1",
@@ -9537,7 +10891,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-2",
@@ -9549,7 +10909,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-3",
@@ -9561,7 +10927,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-4",
@@ -9573,7 +10945,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-5",
@@ -9585,7 +10963,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-6",
@@ -9597,7 +10981,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-7",
@@ -9609,7 +10999,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -9623,10 +11025,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -9639,7 +11059,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"
+                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-1_obj.c",
@@ -9673,7 +11099,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"
+                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.1-2",
@@ -9685,7 +11117,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"
+                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -9710,7 +11154,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"
+                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.2-2",
@@ -9722,12 +11172,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."
+                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -10030,7 +11504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.2",
@@ -10042,7 +11522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.3",
@@ -10054,7 +11540,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10079,7 +11577,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"
+                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.b-2",
@@ -10091,10 +11595,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."
+                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -10210,7 +11732,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training on how to identify and respond to a breach is provided;"
+                        "prose": "incident response training on how to identify and respond to a breach is provided;",
+                        "links": [
+                          {
+                            "href": "#ir-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2.3_obj-2",
@@ -10222,7 +11750,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training on the organization’s process for reporting a breach is provided."
+                        "prose": "incident response training on the organization’s process for reporting a breach is provided.",
+                        "links": [
+                          {
+                            "href": "#ir-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10404,7 +11944,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."
+                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ir-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ir-3_asm-examine",
@@ -10690,7 +12236,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;"
+                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-2",
@@ -10702,7 +12254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes preparation;"
+                        "prose": "the incident handling capability for incidents includes preparation;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-3",
@@ -10714,7 +12272,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes detection and analysis;"
+                        "prose": "the incident handling capability for incidents includes detection and analysis;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-4",
@@ -10726,7 +12290,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes containment;"
+                        "prose": "the incident handling capability for incidents includes containment;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-5",
@@ -10738,7 +12308,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes eradication;"
+                        "prose": "the incident handling capability for incidents includes eradication;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-6",
@@ -10750,7 +12326,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes recovery;"
+                        "prose": "the incident handling capability for incidents includes recovery;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10764,7 +12352,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities are coordinated with contingency planning activities;"
+                    "prose": "incident handling activities are coordinated with contingency planning activities;",
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4_obj.c",
@@ -10787,7 +12381,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"
+                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.c-2",
@@ -10799,7 +12399,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;"
+                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10824,7 +12436,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-2",
@@ -10836,7 +12454,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-3",
@@ -10848,7 +12472,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-4",
@@ -10860,10 +12490,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of incident handling activities are comparable and predictable across the organization."
+                        "prose": "the results of incident handling activities are comparable and predictable across the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -11049,7 +12697,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are tracked;"
+                    "prose": "incidents are tracked;",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-5_obj-2",
@@ -11061,7 +12715,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are documented."
+                    "prose": "incidents are documented.",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -11296,7 +12962,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"
+                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6_obj.b",
@@ -11308,7 +12980,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}."
+                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -11482,7 +13166,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;"
+                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7_obj-2",
@@ -11494,7 +13184,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."
+                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -12015,7 +13717,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"
+                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.2",
@@ -12027,7 +13735,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;"
+                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.3",
@@ -12039,7 +13753,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"
+                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.4",
@@ -12051,7 +13771,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"
+                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.5",
@@ -12063,7 +13789,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines reportable incidents;"
+                        "prose": "an incident response plan is developed that defines reportable incidents;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.6",
@@ -12075,7 +13807,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"
+                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.7",
@@ -12087,7 +13825,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"
+                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.7",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.8",
@@ -12099,7 +13843,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that addresses the sharing of incident information;"
+                        "prose": "an incident response plan is developed that addresses the sharing of incident information;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.8",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.9",
@@ -12111,7 +13861,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"
+                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.9",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.10",
@@ -12123,7 +13879,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."
+                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.10",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12148,7 +13916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.b-2",
@@ -12160,7 +13934,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12174,7 +13960,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"
+                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;",
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-8_obj.d",
@@ -12197,7 +13989,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.d-2",
@@ -12209,7 +14007,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12234,7 +14044,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized disclosure;"
+                        "prose": "the incident response plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.e-2",
@@ -12246,10 +14062,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized modification."
+                        "prose": "the incident response plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -12441,7 +14275,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8.1_obj.b",
@@ -12453,7 +14293,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;"
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8.1_obj.c",
@@ -12465,7 +14311,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements."
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12930,7 +14788,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a media protection policy is developed and documented;"
+                        "prose": "a media protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-2",
@@ -12942,7 +14806,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"
+                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-3",
@@ -12954,7 +14824,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"
+                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-4",
@@ -12966,7 +14842,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"
+                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a.1",
@@ -13000,7 +14882,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-2",
@@ -13012,7 +14900,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-3",
@@ -13024,7 +14918,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-4",
@@ -13036,7 +14936,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-5",
@@ -13048,7 +14954,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-6",
@@ -13060,7 +14972,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-7",
@@ -13072,7 +14990,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -13086,10 +15016,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -13102,7 +15050,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."
+                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-1_obj.c",
@@ -13136,7 +15090,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "
+                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.1-2",
@@ -13148,7 +15108,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"
+                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -13173,7 +15145,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "
+                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.2-2",
@@ -13185,12 +15163,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."
+                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -13559,7 +15561,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"
+                        "prose": " {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-2",
@@ -13571,7 +15579,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"
+                        "prose": " {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-3",
@@ -13583,7 +15597,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"
+                        "prose": " {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13597,7 +15623,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."
+                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13847,7 +15885,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"
+                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.b",
@@ -13859,7 +15903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"
+                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.c",
@@ -13871,7 +15921,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."
+                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -14024,7 +16086,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment."
+                    "prose": "personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.",
+                    "links": [
+                      {
+                        "href": "#pe-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8.3_asm-examine",
@@ -14491,7 +16559,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a planning policy is developed and documented."
+                        "prose": "a planning policy is developed and documented.",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-2",
@@ -14503,7 +16577,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"
+                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-3",
@@ -14515,7 +16595,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"
+                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-4",
@@ -14527,7 +16613,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"
+                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a.1",
@@ -14561,7 +16653,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-2",
@@ -14573,7 +16671,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-3",
@@ -14585,7 +16689,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-4",
@@ -14597,7 +16707,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-5",
@@ -14609,7 +16725,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-6",
@@ -14621,7 +16743,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-7",
@@ -14633,7 +16761,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -14647,10 +16787,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -14663,7 +16821,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"
+                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-1_obj.c",
@@ -14697,7 +16861,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"
+                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.1-2",
@@ -14709,7 +16879,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"
+                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -14734,7 +16916,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"
+                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.2-2",
@@ -14746,12 +16934,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."
+                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -15338,7 +17550,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.1-2",
@@ -15350,7 +17568,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15375,7 +17605,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.2-2",
@@ -15387,7 +17623,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15412,7 +17660,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.3-2",
@@ -15424,7 +17678,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15449,7 +17715,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.4-2",
@@ -15461,7 +17733,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15486,7 +17770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.5-2",
@@ -15498,7 +17788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.5",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15523,7 +17825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.6-2",
@@ -15535,7 +17843,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.6",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15560,7 +17880,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.7-2",
@@ -15572,7 +17898,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15597,7 +17935,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.8-2",
@@ -15609,7 +17953,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.8",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15634,7 +17990,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.9-2",
@@ -15646,7 +18008,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.9",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15671,7 +18045,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;"
+                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.10-2",
@@ -15683,7 +18063,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"
+                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.10",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15708,7 +18100,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.11-2",
@@ -15720,7 +18118,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.11",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15745,7 +18155,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"
+                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.12-2",
@@ -15757,7 +18173,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"
+                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.12",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15782,7 +18210,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"
+                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.13-2",
@@ -15794,7 +18228,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"
+                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.13",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15819,7 +18265,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.14-2",
@@ -15831,7 +18283,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.14",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -15856,7 +18320,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"
+                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.15-2",
@@ -15868,10 +18338,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."
+                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.15",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -15895,7 +18383,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.b-2",
@@ -15907,7 +18401,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -15921,7 +18427,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};"
+                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-2_obj.d",
@@ -15944,7 +18456,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address changes to the system and environment of operations;"
+                        "prose": "plans are updated to address changes to the system and environment of operations;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-2",
@@ -15956,7 +18474,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during the plan implementation;"
+                        "prose": "plans are updated to address problems identified during the plan implementation;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-3",
@@ -15968,7 +18492,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during control assessments;"
+                        "prose": "plans are updated to address problems identified during control assessments;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -15993,7 +18529,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized disclosure;"
+                        "prose": "plans are protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.e-2",
@@ -16005,10 +18547,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized modification."
+                        "prose": "plans are protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -16345,7 +18905,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4_obj.a-2",
@@ -16357,7 +18923,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16371,7 +18949,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"
+                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.c",
@@ -16383,7 +18967,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"
+                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.d",
@@ -16395,7 +18985,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."
+                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -16577,7 +19179,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;"
+                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.b",
@@ -16589,7 +19197,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;"
+                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.c",
@@ -16601,7 +19215,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications."
+                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16915,7 +19541,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"
+                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.2",
@@ -16927,7 +19559,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"
+                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.3",
@@ -16950,7 +19588,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.3-2",
@@ -16962,7 +19606,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -16987,7 +19643,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.4-2",
@@ -16999,10 +19661,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -17015,7 +19695,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"
+                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;",
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-8_obj.c",
@@ -17038,7 +19724,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the security plan;"
+                        "prose": "planned architecture changes are reflected in the security plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-2",
@@ -17050,7 +19742,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the privacy plan;"
+                        "prose": "planned architecture changes are reflected in the privacy plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-3",
@@ -17062,7 +19760,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);"
+                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-4",
@@ -17074,7 +19778,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in criticality analysis;"
+                        "prose": "planned architecture changes are reflected in criticality analysis;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-5",
@@ -17086,7 +19796,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in organizational procedures;"
+                        "prose": "planned architecture changes are reflected in organizational procedures;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-6",
@@ -17098,10 +19814,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in procurements and acquisitions."
+                        "prose": "planned architecture changes are reflected in procurements and acquisitions.",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -17262,7 +19996,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, pl-09_odp }} are centrally managed."
+                "prose": " {{ insert: param, pl-09_odp }} are centrally managed.",
+                "links": [
+                  {
+                    "href": "#pl-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-9_asm-examine",
@@ -17462,7 +20202,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;"
+                        "prose": "the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.a-2",
@@ -17474,7 +20220,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;"
+                        "prose": "the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -17499,7 +20257,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"
+                        "prose": "the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.b-2",
@@ -17511,7 +20275,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"
+                        "prose": "the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -17536,7 +20312,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security resources are made available for expenditure as planned;"
+                        "prose": "information security resources are made available for expenditure as planned;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.c-2",
@@ -17548,10 +20330,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy resources are made available for expenditure as planned."
+                        "prose": "privacy resources are made available for expenditure as planned.",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -17792,7 +20592,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-2",
@@ -17804,7 +20610,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-3",
@@ -17816,7 +20628,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-4",
@@ -17828,7 +20646,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-5",
@@ -17840,7 +20664,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-6",
@@ -17852,7 +20682,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -17877,7 +20719,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.2-2",
@@ -17889,7 +20737,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.2-3",
@@ -17901,7 +20755,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -17926,7 +20792,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.3-2",
@@ -17938,7 +20810,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.3-3",
@@ -17950,10 +20828,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -17977,7 +20873,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans of action and milestones are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "plans of action and milestones are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-4_obj.b-2",
@@ -17989,10 +20891,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions."
+                        "prose": "plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.",
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -18151,7 +21071,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an inventory of organizational systems is developed;"
+                    "prose": "an inventory of organizational systems is developed;",
+                    "links": [
+                      {
+                        "href": "#pm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-5_obj-2",
@@ -18163,7 +21089,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}."
+                    "prose": "the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -18359,7 +21297,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is established;"
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is established;",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-5.1_obj-2",
@@ -18371,7 +21315,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is maintained;"
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is maintained;",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-5.1_obj-3",
@@ -18383,7 +21333,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}."
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -18548,7 +21510,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security measures of performance are developed;"
+                    "prose": "information security measures of performance are developed;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-2",
@@ -18560,7 +21528,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security measures of performance are monitored;"
+                    "prose": "information security measures of performance are monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-3",
@@ -18572,7 +21546,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of information security measures of performance are reported;"
+                    "prose": "the results of information security measures of performance are reported;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-4",
@@ -18584,7 +21564,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy measures of performance are developed;"
+                    "prose": "privacy measures of performance are developed;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-5",
@@ -18596,7 +21582,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy measures of performance are monitored;"
+                    "prose": "privacy measures of performance are monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-6",
@@ -18608,7 +21600,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of privacy measures of performance are reported."
+                    "prose": "the results of privacy measures of performance are reported.",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -18790,7 +21794,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for information security;"
+                    "prose": "an enterprise architecture is developed with consideration for information security;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-2",
@@ -18802,7 +21812,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for information security;"
+                    "prose": "an enterprise architecture is maintained with consideration for information security;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-3",
@@ -18814,7 +21830,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for privacy;"
+                    "prose": "an enterprise architecture is developed with consideration for privacy;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-4",
@@ -18826,7 +21848,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for privacy;"
+                    "prose": "an enterprise architecture is maintained with consideration for privacy;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-5",
@@ -18838,7 +21866,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;"
+                    "prose": "an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-6",
@@ -18850,7 +21884,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."
+                    "prose": "an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -19032,7 +22078,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the development of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the development of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-2",
@@ -19044,7 +22096,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-3",
@@ -19056,7 +22114,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the update of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the update of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-4",
@@ -19068,7 +22132,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;"
+                    "prose": "privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-5",
@@ -19080,7 +22150,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"
+                    "prose": "privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-6",
@@ -19092,7 +22168,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the update of a critical infrastructure and key resources protection plan."
+                    "prose": "privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -19490,7 +22578,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;"
+                        "prose": "a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;",
+                        "links": [
+                          {
+                            "href": "#pm-9_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-9_obj.a.2",
@@ -19502,7 +22596,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;"
+                        "prose": "a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-9_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19516,7 +22622,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk management strategy is implemented consistently across the organization;"
+                    "prose": "the risk management strategy is implemented consistently across the organization;",
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-9_obj.c",
@@ -19528,7 +22640,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes."
+                    "prose": "the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.",
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -19732,7 +22856,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;"
+                        "prose": "the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;",
+                        "links": [
+                          {
+                            "href": "#pm-10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-10_obj.a-2",
@@ -19744,7 +22874,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;"
+                        "prose": "the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;",
+                        "links": [
+                          {
+                            "href": "#pm-10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19758,7 +22900,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;"
+                    "prose": "individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;",
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-10_obj.c",
@@ -19770,7 +22918,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorization processes are integrated into an organization-wide risk management program."
+                    "prose": "the authorization processes are integrated into an organization-wide risk management program.",
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20023,7 +23183,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for information security;"
+                        "prose": "organizational mission and business processes are defined with consideration for information security;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.a-2",
@@ -20035,7 +23201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for privacy;"
+                        "prose": "organizational mission and business processes are defined with consideration for privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.a-3",
@@ -20047,7 +23219,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;"
+                        "prose": "organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20072,7 +23256,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information protection needs arising from the defined mission and business processes are determined;"
+                        "prose": "information protection needs arising from the defined mission and business processes are determined;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.b-2",
@@ -20084,7 +23274,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personally identifiable information processing needs arising from the defined mission and business processes are determined;"
+                        "prose": "personally identifiable information processing needs arising from the defined mission and business processes are determined;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20098,7 +23300,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}."
+                    "prose": "the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20244,7 +23458,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a security workforce development and improvement program is established;"
+                    "prose": "a security workforce development and improvement program is established;",
+                    "links": [
+                      {
+                        "href": "#pm-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-13_obj-2",
@@ -20256,7 +23476,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a privacy workforce development and improvement program is established."
+                    "prose": "a privacy workforce development and improvement program is established.",
+                    "links": [
+                      {
+                        "href": "#pm-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -20512,7 +23744,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-2",
@@ -20524,7 +23762,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-3",
@@ -20536,7 +23780,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-4",
@@ -20548,7 +23798,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -20573,7 +23835,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.2-2",
@@ -20585,10 +23853,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-14_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -20612,7 +23898,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "testing plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "testing plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-2",
@@ -20624,7 +23916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "training plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "training plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-3",
@@ -20636,7 +23934,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "monitoring plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "monitoring plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-4",
@@ -20648,7 +23952,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "testing plans are reviewed for consistency with organization-wide priorities for risk response actions;"
+                        "prose": "testing plans are reviewed for consistency with organization-wide priorities for risk response actions;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-5",
@@ -20660,7 +23970,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "training plans are reviewed for consistency with organization-wide priorities for risk response actions;"
+                        "prose": "training plans are reviewed for consistency with organization-wide priorities for risk response actions;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-6",
@@ -20672,10 +23988,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions."
+                        "prose": "monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -20917,7 +24251,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"
+                        "prose": "policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-17_obj.a-2",
@@ -20929,7 +24269,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"
+                        "prose": "procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20954,7 +24306,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};"
+                        "prose": "policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-17_obj.b-2",
@@ -20966,10 +24324,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} "
+                        "prose": "procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} ",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-17_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-17_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -21220,7 +24596,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;"
+                        "prose": "an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a.1",
@@ -21243,7 +24625,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes a description of the structure of the privacy program;"
+                            "prose": "the privacy program plan includes a description of the structure of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.1-2",
@@ -21255,7 +24643,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes a description of the resources dedicated to the privacy program;"
+                            "prose": "the privacy program plan includes a description of the resources dedicated to the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -21280,7 +24680,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides an overview of the requirements for the privacy program;"
+                            "prose": "the privacy program plan provides an overview of the requirements for the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.2-2",
@@ -21292,7 +24698,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;"
+                            "prose": "the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.2-3",
@@ -21304,7 +24716,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;"
+                            "prose": "the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -21329,7 +24753,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes the role of the senior agency official for privacy;"
+                            "prose": "the privacy program plan includes the role of the senior agency official for privacy;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.3-2",
@@ -21341,7 +24771,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;"
+                            "prose": "the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -21366,7 +24808,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes management commitment;"
+                            "prose": "the privacy program plan describes management commitment;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.4-2",
@@ -21378,7 +24826,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes compliance;"
+                            "prose": "the privacy program plan describes compliance;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.4-3",
@@ -21390,7 +24844,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes the strategic goals and objectives of the privacy program;"
+                            "prose": "the privacy program plan describes the strategic goals and objectives of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -21404,7 +24870,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;"
+                        "prose": "the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a.6",
@@ -21416,7 +24888,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"
+                        "prose": "the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a-2",
@@ -21428,7 +24906,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is disseminated;"
+                        "prose": "the privacy program plan is disseminated;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21453,7 +24943,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated {{ insert: param, pm-18_odp }};"
+                        "prose": "the privacy program plan is updated {{ insert: param, pm-18_odp }};",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-2",
@@ -21465,7 +24961,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address changes in federal privacy laws and policies;"
+                        "prose": "the privacy program plan is updated to address changes in federal privacy laws and policies;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-3",
@@ -21477,7 +24979,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address organizational changes;"
+                        "prose": "the privacy program plan is updated to address organizational changes;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-4",
@@ -21489,10 +24997,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments."
+                        "prose": "the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-18_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-18_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -21623,7 +25149,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior agency official for privacy with authority, mission, accountability, and resources is appointed;"
+                    "prose": "a senior agency official for privacy with authority, mission, accountability, and resources is appointed;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-2",
@@ -21635,7 +25167,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy coordinates applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy coordinates applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-3",
@@ -21647,7 +25185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy develops applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy develops applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-4",
@@ -21659,7 +25203,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy implements applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy implements applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-5",
@@ -21671,7 +25221,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy manages privacy risks through the organization-wide privacy program."
+                    "prose": "the senior agency official for privacy manages privacy risks through the organization-wide privacy program.",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -21850,7 +25412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a central resource webpage is maintained on the organization’s principal public website;"
+                    "prose": "a central resource webpage is maintained on the organization’s principal public website;",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-20_obj-2",
@@ -21862,7 +25430,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the webpage serves as a central source of information about the organization’s privacy program;"
+                    "prose": "the webpage serves as a central source of information about the organization’s privacy program;",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-20_obj.a",
@@ -21885,7 +25459,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that the public has access to information about organizational privacy activities;"
+                        "prose": "the webpage ensures that the public has access to information about organizational privacy activities;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20_obj.a-2",
@@ -21897,7 +25477,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that the public can communicate with its senior agency official for privacy;"
+                        "prose": "the webpage ensures that the public can communicate with its senior agency official for privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21922,7 +25514,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that organizational privacy practices are publicly available;"
+                        "prose": "the webpage ensures that organizational privacy practices are publicly available;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20_obj.b-2",
@@ -21934,7 +25532,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that organizational privacy reports are publicly available;"
+                        "prose": "the webpage ensures that organizational privacy reports are publicly available;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21948,7 +25558,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."
+                    "prose": "the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22122,7 +25744,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all external-facing websites;"
+                        "prose": "privacy policies are developed and posted on all external-facing websites;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj-2",
@@ -22134,7 +25762,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all mobile applications;"
+                        "prose": "privacy policies are developed and posted on all mobile applications;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj-3",
@@ -22146,7 +25780,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all other digital services;"
+                        "prose": "privacy policies are developed and posted on all other digital services;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj.a",
@@ -22169,7 +25809,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are written in plain language;"
+                            "prose": "the privacy policies are written in plain language;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.a-2",
@@ -22181,7 +25827,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are organized in a way that is easy to understand and navigate;"
+                            "prose": "the privacy policies are organized in a way that is easy to understand and navigate;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -22206,7 +25864,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;"
+                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.b-2",
@@ -22218,7 +25882,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;"
+                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -22243,7 +25919,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;"
+                            "prose": "the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.c-2",
@@ -22255,10 +25937,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies include a time/date stamp to inform the public of the date of the most recent changes."
+                            "prose": "the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -22490,7 +26190,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the date of each disclosure;"
+                            "prose": "the accounting includes the date of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.1-2",
@@ -22502,7 +26208,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the nature of each disclosure;"
+                            "prose": "the accounting includes the nature of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.1-3",
@@ -22514,7 +26226,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the purpose of each disclosure;"
+                            "prose": "the accounting includes the purpose of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-21_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -22539,7 +26263,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the name of the individual or organization to whom the disclosure was made;"
+                            "prose": "the accounting includes the name of the individual or organization to whom the disclosure was made;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.2-2",
@@ -22551,10 +26281,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;"
+                            "prose": "the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-21_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -22567,7 +26315,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;"
+                    "prose": "the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;",
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-21_obj.c",
@@ -22579,7 +26333,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request."
+                    "prose": "the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.",
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22780,7 +26546,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organization-wide policies for personally identifiable information quality management are developed and documented;"
+                    "prose": "organization-wide policies for personally identifiable information quality management are developed and documented;",
+                    "links": [
+                      {
+                        "href": "#pm-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-22_obj-2",
@@ -22792,7 +26564,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organization-wide procedures for personally identifiable information quality management are developed and documented;"
+                    "prose": "organization-wide procedures for personally identifiable information quality management are developed and documented;",
+                    "links": [
+                      {
+                        "href": "#pm-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-22_obj.a",
@@ -22815,7 +26593,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the accuracy of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the accuracy of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-2",
@@ -22827,7 +26611,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the relevance of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the relevance of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-3",
@@ -22839,7 +26629,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the timeliness of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the timeliness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-4",
@@ -22851,7 +26647,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the completeness of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the completeness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-5",
@@ -22863,7 +26665,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-6",
@@ -22875,7 +26683,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the relevance of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the relevance of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-7",
@@ -22887,7 +26701,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-8",
@@ -22899,7 +26719,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the completeness of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the completeness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22924,7 +26756,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address correcting or deleting inaccurate or outdated personally identifiable information;"
+                        "prose": "the policies address correcting or deleting inaccurate or outdated personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.b-2",
@@ -22936,7 +26774,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address correcting or deleting inaccurate or outdated personally identifiable information;"
+                        "prose": "the procedures address correcting or deleting inaccurate or outdated personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22961,7 +26811,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"
+                        "prose": "the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.c-2",
@@ -22973,7 +26829,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"
+                        "prose": "the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22998,7 +26866,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address appeals of adverse decisions on correction or deletion requests;"
+                        "prose": "the policies address appeals of adverse decisions on correction or deletion requests;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.d-2",
@@ -23010,10 +26884,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address appeals of adverse decisions on correction or deletion requests."
+                        "prose": "the procedures address appeals of adverse decisions on correction or deletion requests.",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -23204,7 +27096,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the Data Integrity Board reviews proposals to conduct or participate in a matching program;"
+                    "prose": "the Data Integrity Board reviews proposals to conduct or participate in a matching program;",
+                    "links": [
+                      {
+                        "href": "#pm-24_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-24_obj.b",
@@ -23216,7 +27114,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated."
+                    "prose": "the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.",
+                    "links": [
+                      {
+                        "href": "#pm-24_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-24_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -23496,7 +27406,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal testing are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal testing are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-2",
@@ -23508,7 +27424,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal training are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal training are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-3",
@@ -23520,7 +27442,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal research are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal research are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-4",
@@ -23532,7 +27460,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal testing are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal testing are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-5",
@@ -23544,7 +27478,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal training are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal training are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-6",
@@ -23556,7 +27496,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal research are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal research are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-7",
@@ -23568,7 +27514,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal testing, are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for internal testing, are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-8",
@@ -23580,7 +27532,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for training are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for training are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-9",
@@ -23592,7 +27550,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for research are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for research are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-10",
@@ -23604,7 +27568,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal testing are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal testing are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-11",
@@ -23616,7 +27586,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for training are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for training are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-12",
@@ -23628,7 +27604,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for research are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for research are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23653,7 +27641,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal testing purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal testing purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.b-2",
@@ -23665,7 +27659,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal training purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal training purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.b-3",
@@ -23677,7 +27677,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal research purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal research purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23702,7 +27714,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal testing is authorized;"
+                        "prose": "the required use of personally identifiable information for internal testing is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.c-2",
@@ -23714,7 +27732,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal training is authorized;"
+                        "prose": "the required use of personally identifiable information for internal training is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.c-3",
@@ -23726,7 +27750,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal research is authorized;"
+                        "prose": "the required use of personally identifiable information for internal research is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23751,7 +27787,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies are reviewed {{ insert: param, pm-25_odp.01 }};"
+                        "prose": "policies are reviewed {{ insert: param, pm-25_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-2",
@@ -23763,7 +27805,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies are updated {{ insert: param, pm-25_odp.02 }};"
+                        "prose": "policies are updated {{ insert: param, pm-25_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-3",
@@ -23775,7 +27823,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are reviewed {{ insert: param, pm-25_odp.03 }};"
+                        "prose": "procedures are reviewed {{ insert: param, pm-25_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-4",
@@ -23787,10 +27841,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are updated {{ insert: param, pm-25_odp.04 }}."
+                        "prose": "procedures are updated {{ insert: param, pm-25_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-25_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -24086,7 +28158,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"
+                    "prose": "a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj-2",
@@ -24098,7 +28176,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"
+                    "prose": "a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.a",
@@ -24121,7 +28205,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes mechanisms that are easy to use by the public;"
+                        "prose": "the complaint management process includes mechanisms that are easy to use by the public;",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-26_obj.a-2",
@@ -24133,7 +28223,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes mechanisms that are readily accessible by the public;"
+                        "prose": "the complaint management process includes mechanisms that are readily accessible by the public;",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24147,7 +28249,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes all information necessary for successfully filing complaints;"
+                    "prose": "the complaint management process includes all information necessary for successfully filing complaints;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.c",
@@ -24170,7 +28278,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};"
+                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-26_obj.c-2",
@@ -24182,7 +28296,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};"
+                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24196,7 +28322,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};"
+                    "prose": "the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.e",
@@ -24208,7 +28340,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."
+                    "prose": "the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-26_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -24499,7 +28643,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;"
+                        "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;",
+                        "links": [
+                          {
+                            "href": "#pm-27_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-27_obj.a.2",
@@ -24522,7 +28672,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};"
+                            "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#pm-27_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-27_obj.a.2-2",
@@ -24534,10 +28690,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;"
+                            "prose": "the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;",
+                            "links": [
+                              {
+                                "href": "#pm-27_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-27_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-27_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -24550,7 +28724,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}."
+                    "prose": "the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-27_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-27_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -24831,7 +29017,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk assessments are identified and documented;"
+                            "prose": "assumptions affecting risk assessments are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.1-2",
@@ -24843,7 +29035,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk responses are identified and documented;"
+                            "prose": "assumptions affecting risk responses are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.1-3",
@@ -24855,7 +29053,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk monitoring are identified and documented;"
+                            "prose": "assumptions affecting risk monitoring are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -24880,7 +29090,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk assessments are identified and documented;"
+                            "prose": "constraints affecting risk assessments are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.2-2",
@@ -24892,7 +29108,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk responses are identified and documented;"
+                            "prose": "constraints affecting risk responses are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.2-3",
@@ -24904,7 +29126,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk monitoring are identified and documented;"
+                            "prose": "constraints affecting risk monitoring are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -24929,7 +29163,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "priorities considered by the organization for managing risk are identified and documented;"
+                            "prose": "priorities considered by the organization for managing risk are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.3-2",
@@ -24941,7 +29181,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "trade-offs considered by the organization for managing risk are identified and documented;"
+                            "prose": "trade-offs considered by the organization for managing risk are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -24955,7 +29207,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational risk tolerance is identified and documented;"
+                        "prose": "organizational risk tolerance is identified and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24969,7 +29233,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};"
+                    "prose": "the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-28_obj.c",
@@ -24981,7 +29251,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}."
+                    "prose": "risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-28_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -25128,10 +29410,10 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "label": "frequency",
+                "label": "monitoring frequencies",
                 "guidelines": [
                   {
-                    "prose": "the frequency for monitoring is defined;"
+                    "prose": "the frequencies for monitoring are defined;"
                   }
                 ]
               },
@@ -25153,10 +29435,10 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "label": "frequency",
+                "label": "assessment frequencies",
                 "guidelines": [
                   {
-                    "prose": "the frequency for assessing control effectiveness is defined;"
+                    "prose": "the frequencies for assessing control effectiveness are defined;"
                   }
                 ]
               },
@@ -25489,7 +29771,7 @@
                         "value": "b."
                       }
                     ],
-                    "prose": "Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"
+                    "prose": "Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;"
                   },
                   {
                     "id": "pm-31_smt.c",
@@ -25564,7 +29846,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;"
+                    "prose": "continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-31_obj.b",
@@ -25587,7 +29875,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;"
+                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.b-2",
@@ -25599,7 +29893,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25613,7 +29919,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;"
+                    "prose": "continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-31_obj.d",
@@ -25636,7 +29948,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;"
+                        "prose": "continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.d-2",
@@ -25648,7 +29966,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;"
+                        "prose": "continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25673,7 +30003,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;"
+                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.e-2",
@@ -25685,7 +30021,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;"
+                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25710,7 +30058,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};"
+                        "prose": "continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.f-2",
@@ -25722,10 +30076,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}."
+                        "prose": "continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-31_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -26006,7 +30378,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access agreements are developed and documented for organizational systems;"
+                    "prose": "access agreements are developed and documented for organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.b",
@@ -26018,7 +30396,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"
+                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.c",
@@ -26041,7 +30425,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"
+                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6_obj.c.2",
@@ -26053,10 +30443,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."
+                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -26490,7 +30898,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personally identifiable information processing and transparency policy is developed and documented;"
+                        "prose": "a personally identifiable information processing and transparency policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-2",
@@ -26502,7 +30916,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};"
+                        "prose": "the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-3",
@@ -26514,7 +30934,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;"
+                        "prose": "personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-4",
@@ -26526,7 +30952,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};"
+                        "prose": "the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a.1",
@@ -26560,7 +30992,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-2",
@@ -26572,7 +31010,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-3",
@@ -26584,7 +31028,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-4",
@@ -26596,7 +31046,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-5",
@@ -26608,7 +31064,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-6",
@@ -26620,7 +31082,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-7",
@@ -26632,7 +31100,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -26646,10 +31126,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -26662,7 +31160,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;"
+                    "prose": "the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-1_obj.c",
@@ -26696,7 +31200,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};"
+                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-1_obj.c.1-2",
@@ -26708,7 +31218,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};"
+                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -26733,7 +31255,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};"
+                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-1_obj.c.2-2",
@@ -26745,12 +31273,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}."
+                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27015,7 +31567,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;"
+                    "prose": "the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;",
+                    "links": [
+                      {
+                        "href": "#pt-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-2_obj.b",
@@ -27027,7 +31585,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized."
+                    "prose": "the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.",
+                    "links": [
+                      {
+                        "href": "#pt-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -27356,7 +31926,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;"
+                    "prose": "the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;",
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3_obj.b",
@@ -27379,7 +31955,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the purpose(s) is/are described in the public privacy notices of the organization;"
+                        "prose": "the purpose(s) is/are described in the public privacy notices of the organization;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-3_obj.b-2",
@@ -27391,7 +31973,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the purpose(s) is/are described in the policies of the organization;"
+                        "prose": "the purpose(s) is/are described in the policies of the organization;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27405,7 +31999,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);"
+                    "prose": "the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);",
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3_obj.d",
@@ -27428,7 +32028,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes in the processing of personally identifiable information are monitored;"
+                        "prose": "changes in the processing of personally identifiable information are monitored;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-3_obj.d-2",
@@ -27440,10 +32046,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."
+                        "prose": " {{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27607,7 +32231,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."
+                "prose": "the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.",
+                "links": [
+                  {
+                    "href": "#pt-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pt-4_asm-examine",
@@ -27893,7 +32523,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;"
+                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;",
+                        "links": [
+                          {
+                            "href": "#pt-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-5_obj.a-2",
@@ -27905,7 +32541,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};"
+                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pt-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -27919,7 +32567,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.c",
@@ -27931,7 +32585,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.d",
@@ -27943,7 +32603,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.e",
@@ -27955,7 +32621,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided."
+                    "prose": "a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -28082,7 +32760,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals."
+                    "prose": "Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.",
+                    "links": [
+                      {
+                        "href": "#pt-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5.2_asm-examine",
@@ -28286,7 +32970,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;"
+                        "prose": "system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;",
+                        "links": [
+                          {
+                            "href": "#pt-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6_obj.a-2",
@@ -28298,7 +32988,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;"
+                        "prose": "new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;",
+                        "links": [
+                          {
+                            "href": "#pt-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28312,7 +33014,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;"
+                    "prose": "system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;",
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-6_obj.c",
@@ -28324,7 +33032,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records."
+                    "prose": "system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.",
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -28469,7 +33189,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."
+                    "prose": "all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.",
+                    "links": [
+                      {
+                        "href": "#pt-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-6.1_asm-examine",
@@ -28623,7 +33349,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;"
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6.2_obj-2",
@@ -28635,7 +33367,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;"
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6.2_obj-3",
@@ -28647,7 +33385,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice."
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28822,7 +33572,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": " {{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information."
+                "prose": " {{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.",
+                "links": [
+                  {
+                    "href": "#pt-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pt-7_asm-examine",
@@ -29004,7 +33760,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;"
+                            "prose": "when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.a-2",
@@ -29016,7 +33778,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;"
+                            "prose": "when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -29030,7 +33804,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;"
+                        "prose": "when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;",
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-7.1_obj.c",
@@ -29053,7 +33833,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;"
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.c-2",
@@ -29065,7 +33851,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;"
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.c-3",
@@ -29077,10 +33869,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it."
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-7.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -29202,7 +34012,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."
+                    "prose": "the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.",
+                    "links": [
+                      {
+                        "href": "#pt-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-7.2_asm-examine",
@@ -29409,7 +34225,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.b",
@@ -29432,7 +34254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-8_obj.b-2",
@@ -29444,7 +34272,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29458,7 +34298,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.d",
@@ -29470,7 +34316,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.e",
@@ -29493,7 +34345,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-8_obj.e-2",
@@ -29505,10 +34363,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program."
+                        "prose": "individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -29970,7 +34846,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment policy is developed and documented;"
+                        "prose": "a risk assessment policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-2",
@@ -29982,7 +34864,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"
+                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-3",
@@ -29994,7 +34882,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"
+                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-4",
@@ -30006,7 +34900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"
+                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a.1",
@@ -30040,7 +34940,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-2",
@@ -30052,7 +34958,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-3",
@@ -30064,7 +34976,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-4",
@@ -30076,7 +34994,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-5",
@@ -30088,7 +35012,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-6",
@@ -30100,7 +35030,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-7",
@@ -30112,7 +35048,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -30126,10 +35074,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -30142,7 +35108,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"
+                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-1_obj.c",
@@ -30176,7 +35148,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.1-2",
@@ -30188,7 +35166,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -30213,7 +35203,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"
+                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.2-2",
@@ -30225,12 +35221,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."
+                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -30690,7 +35710,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;"
+                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.2",
@@ -30702,7 +35728,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.3",
@@ -30714,7 +35746,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30728,7 +35772,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"
+                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.c",
@@ -30740,7 +35790,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"
+                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.d",
@@ -30752,7 +35808,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"
+                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.e",
@@ -30764,7 +35826,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"
+                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.f",
@@ -30776,7 +35844,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."
+                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30963,7 +36043,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-2",
@@ -30975,7 +36061,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-3",
@@ -30987,7 +36079,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-4",
@@ -30999,7 +36097,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance."
+                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance.",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -31234,7 +36344,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;"
+                    "prose": "privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;",
+                    "links": [
+                      {
+                        "href": "#ra-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-8_obj.b",
@@ -31257,7 +36373,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;"
+                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;",
+                        "links": [
+                          {
+                            "href": "#ra-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-8_obj.b-2",
@@ -31269,10 +36391,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."
+                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.",
+                        "links": [
+                          {
+                            "href": "#ra-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -31742,7 +36882,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and services acquisition policy is developed and documented;"
+                        "prose": "a system and services acquisition policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-2",
@@ -31754,7 +36900,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"
+                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-3",
@@ -31766,7 +36918,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"
+                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-4",
@@ -31778,7 +36936,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"
+                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a.1",
@@ -31812,7 +36976,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-2",
@@ -31824,7 +36994,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-3",
@@ -31836,7 +37012,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-4",
@@ -31848,7 +37030,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-5",
@@ -31860,7 +37048,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-6",
@@ -31872,7 +37066,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-7",
@@ -31884,7 +37084,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -31898,10 +37110,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -31914,7 +37144,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"
+                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-1_obj.c",
@@ -31948,7 +37184,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"
+                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.1-2",
@@ -31960,7 +37202,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"
+                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -31985,7 +37239,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"
+                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.2-2",
@@ -31997,12 +37257,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."
+                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32195,7 +37479,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.a-2",
@@ -32207,7 +37497,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32232,7 +37534,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.b-2",
@@ -32244,7 +37552,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32269,7 +37589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;"
+                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.c-2",
@@ -32281,10 +37607,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation."
+                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32581,7 +37925,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.a-2",
@@ -32593,7 +37943,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32618,7 +37980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.b-2",
@@ -32630,7 +37998,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32655,7 +38035,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with information security roles and responsibilities are identified;"
+                        "prose": "individuals with information security roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.c-2",
@@ -32667,7 +38053,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with privacy roles and responsibilities are identified;"
+                        "prose": "individuals with privacy roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32692,7 +38090,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;"
+                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.d-2",
@@ -32704,10 +38108,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities."
+                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -33136,7 +38558,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.a-2",
@@ -33148,7 +38576,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33162,7 +38602,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.c",
@@ -33185,7 +38631,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.c-2",
@@ -33197,7 +38649,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33222,7 +38686,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.d-2",
@@ -33234,7 +38704,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33259,7 +38741,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.e-2",
@@ -33271,7 +38759,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33296,7 +38796,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.f-2",
@@ -33308,7 +38814,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33322,7 +38840,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.h",
@@ -33345,7 +38869,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-2",
@@ -33357,7 +38887,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-3",
@@ -33369,7 +38905,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -33383,7 +38931,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."
+                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33680,7 +39240,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-2",
@@ -33692,7 +39258,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-3",
@@ -33704,7 +39276,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-4",
@@ -33716,7 +39294,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-5",
@@ -33728,7 +39312,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-6",
@@ -33740,7 +39330,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-7",
@@ -33752,7 +39348,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-8",
@@ -33764,7 +39366,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-9",
@@ -33776,7 +39384,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-10",
@@ -33788,7 +39402,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."
+                    "prose": " {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33959,7 +39585,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}."
+                    "prose": "the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sa-8.33_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.33_asm-examine",
@@ -34249,7 +39881,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational security requirements;"
+                        "prose": "providers of external system services comply with organizational security requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-2",
@@ -34261,7 +39899,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational privacy requirements;"
+                        "prose": "providers of external system services comply with organizational privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-3",
@@ -34273,7 +39917,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};"
+                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34298,7 +39954,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational oversight with regard to external system services are defined and documented;"
+                        "prose": "organizational oversight with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.b-2",
@@ -34310,7 +39972,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;"
+                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34324,7 +39998,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."
+                    "prose": " {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -34669,7 +40355,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-2",
@@ -34681,7 +40373,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-3",
@@ -34693,7 +40391,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-4",
@@ -34705,7 +40409,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34719,7 +40435,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.c",
@@ -34742,7 +40464,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.c-2",
@@ -34754,7 +40482,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34768,7 +40508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.e",
@@ -34780,7 +40526,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -35108,7 +40866,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are monitored;"
+                        "prose": "communications at external managed interfaces to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-2",
@@ -35120,7 +40884,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are controlled;"
+                        "prose": "communications at external managed interfaces to the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-3",
@@ -35132,7 +40902,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are monitored;"
+                        "prose": "communications at key internal managed interfaces within the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-4",
@@ -35144,7 +40920,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are controlled;"
+                        "prose": "communications at key internal managed interfaces within the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -35158,7 +40946,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"
+                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7_obj.c",
@@ -35170,7 +40964,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -35385,7 +41191,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;"
+                        "prose": " {{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.24_obj.b",
@@ -35408,7 +41220,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;"
+                            "prose": "permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.24_obj.b-2",
@@ -35420,7 +41238,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;"
+                            "prose": "permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -35434,7 +41264,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "each processing exception is documented for systems that process personally identifiable information;"
+                        "prose": "each processing exception is documented for systems that process personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.24_obj.d",
@@ -35457,7 +41293,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions for systems that process personally identifiable information are reviewed;"
+                            "prose": "exceptions for systems that process personally identifiable information are reviewed;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.24_obj.d-2",
@@ -35469,10 +41311,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions for systems that process personally identifiable information that are no longer supported are removed."
+                            "prose": "exceptions for systems that process personally identifiable information that are no longer supported are removed.",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.d",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.24_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -35932,7 +41792,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and information integrity policy is developed and documented;"
+                        "prose": "a system and information integrity policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-2",
@@ -35944,7 +41810,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"
+                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-3",
@@ -35956,7 +41828,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"
+                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-4",
@@ -35968,7 +41846,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"
+                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a.1",
@@ -36002,7 +41886,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-2",
@@ -36014,7 +41904,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-3",
@@ -36026,7 +41922,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-4",
@@ -36038,7 +41940,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-5",
@@ -36050,7 +41958,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-6",
@@ -36062,7 +41976,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-7",
@@ -36074,7 +41994,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -36088,10 +42020,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -36104,7 +42054,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"
+                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-1_obj.c",
@@ -36138,7 +42094,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.1-2",
@@ -36150,7 +42112,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -36175,7 +42149,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"
+                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.2-2",
@@ -36187,12 +42167,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."
+                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -36431,7 +42435,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-2",
@@ -36443,7 +42453,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-3",
@@ -36455,7 +42471,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-4",
@@ -36467,7 +42489,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."
+                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -36616,7 +42650,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}."
+                    "prose": "personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12.1_asm-examine",
@@ -36831,7 +42871,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;"
+                        "prose": " {{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.2_obj-2",
@@ -36843,7 +42889,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;"
+                        "prose": " {{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.2_obj-3",
@@ -36855,7 +42907,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training."
+                        "prose": " {{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-12.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37060,7 +43124,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;"
+                        "prose": " {{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.3_obj-2",
@@ -37072,7 +43142,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;"
+                        "prose": " {{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.3_obj-3",
@@ -37084,7 +43160,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": " {{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period."
+                        "prose": " {{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-12.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37375,7 +43463,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};"
+                        "prose": "the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-2",
@@ -37387,7 +43481,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};"
+                        "prose": "the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-3",
@@ -37399,7 +43499,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};"
+                        "prose": "the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-4",
@@ -37411,7 +43517,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};"
+                        "prose": "the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37425,7 +43543,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "inaccurate or outdated personally identifiable information is corrected or deleted."
+                    "prose": "inaccurate or outdated personally identifiable information is corrected or deleted.",
+                    "links": [
+                      {
+                        "href": "#si-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -37553,7 +43683,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information is corrected or deleted upon request by individuals or their designated representatives."
+                    "prose": "personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.",
+                    "links": [
+                      {
+                        "href": "#si-18.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.4_asm-examine",
@@ -37790,7 +43926,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": " {{ insert: param, si-19_odp.01 }} are removed from datasets;"
+                    "prose": " {{ insert: param, si-19_odp.01 }} are removed from datasets;",
+                    "links": [
+                      {
+                        "href": "#si-19_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19_obj.b",
@@ -37802,7 +43944,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}."
+                    "prose": "the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile-min.json
index 4bb8b568..ea385c36 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile-min.json
@@ -1 +1 @@
-{"profile":{"uuid":"66b95dd9-650d-456f-b143-19ae7bb36944","metadata":{"title":"NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"Final","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"11f1de66-89ba-499d-903e-56418e95af9d","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]},{"role-id":"contact","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-3.14","at-1","at-2","at-3","at-3.5","at-4","au-1","au-2","au-3.3","au-11","ca-1","ca-2","ca-5","ca-6","ca-7","ca-7.4","cm-1","cm-4","ir-1","ir-2","ir-2.3","ir-3","ir-4","ir-5","ir-6","ir-7","ir-8","ir-8.1","mp-1","mp-6","pe-8.3","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-9","pm-3","pm-4","pm-5.1","pm-6","pm-7","pm-8","pm-9","pm-10","pm-11","pm-13","pm-14","pm-17","pm-18","pm-19","pm-20","pm-20.1","pm-21","pm-22","pm-24","pm-25","pm-26","pm-27","pm-28","pm-31","ps-6","pt-1","pt-2","pt-3","pt-4","pt-5","pt-5.2","pt-6","pt-6.1","pt-6.2","pt-7","pt-7.1","pt-7.2","pt-8","ra-1","ra-3","ra-7","ra-8","sa-1","sa-2","sa-3","sa-4","sa-8.33","sa-9","sa-11","sc-7.24","si-1","si-12","si-12.1","si-12.2","si-12.3","si-18","si-18.4","si-19"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
+{"profile":{"uuid":"c8485895-a2f7-46f1-843a-380668cd6fe8","metadata":{"title":"NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE","last-modified":"2023-12-04T14:55:00.000000-04:00","version":"5.1.1+u2","oscal-version":"1.1.1","roles":[{"id":"creator","title":"Document Creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"11f1de66-89ba-499d-903e-56418e95af9d","type":"organization","name":"Joint Task Force, Transformation Initiative","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]},{"role-id":"contact","party-uuids":["11f1de66-89ba-499d-903e-56418e95af9d"]}]},"imports":[{"href":"#84cbf061-eb87-4ec1-8112-1f529232e907","include-controls":[{"with-ids":["ac-1","ac-3.14","at-1","at-2","at-3","at-3.5","at-4","au-1","au-2","au-3.3","au-11","ca-1","ca-2","ca-5","ca-6","ca-7","ca-7.4","cm-1","cm-4","ir-1","ir-2","ir-2.3","ir-3","ir-4","ir-5","ir-6","ir-7","ir-8","ir-8.1","mp-1","mp-6","pe-8.3","pl-1","pl-2","pl-4","pl-4.1","pl-8","pl-9","pm-3","pm-4","pm-5.1","pm-6","pm-7","pm-8","pm-9","pm-10","pm-11","pm-13","pm-14","pm-17","pm-18","pm-19","pm-20","pm-20.1","pm-21","pm-22","pm-24","pm-25","pm-26","pm-27","pm-28","pm-31","ps-6","pt-1","pt-2","pt-3","pt-4","pt-5","pt-5.2","pt-6","pt-6.1","pt-6.2","pt-7","pt-7.1","pt-7.2","pt-8","ra-1","ra-3","ra-7","ra-8","sa-1","sa-2","sa-3","sa-4","sa-8.33","sa-9","sa-11","sc-7.24","si-1","si-12","si-12.1","si-12.2","si-12.3","si-18","si-18.4","si-19"]}]}],"merge":{"as-is":true},"back-matter":{"resources":[{"uuid":"84cbf061-eb87-4ec1-8112-1f529232e907","description":"NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Federal Information Systems and Organizations","rlinks":[{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/xml\/NIST_SP-800-53_rev5_catalog.xml","media-type":"application\/oscal.catalog+xml"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/json\/NIST_SP-800-53_rev5_catalog.json","media-type":"application\/oscal.catalog+json"},{"href":"..\/..\/..\/..\/nist.gov\/SP800-53\/rev5\/yaml\/NIST_SP-800-53_rev5_catalog.yaml","media-type":"application\/oscal.catalog+yaml"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.json
index 801bb9b1..ba8f84e2 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.json
@@ -1,10 +1,10 @@
 {
   "profile": {
-    "uuid": "66b95dd9-650d-456f-b143-19ae7bb36944",
+    "uuid": "c8485895-a2f7-46f1-843a-380668cd6fe8",
     "metadata": {
-      "title": "NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE",
-      "last-modified": "2023-10-12T00:00:00.000000-04:00",
-      "version": "Final",
+      "title": "NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE",
+      "last-modified": "2023-12-04T14:55:00.000000-04:00",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
       "roles": [
         {
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog-min.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog-min.json
index 3ab9818f..e3eaf634 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog-min.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog-min.json
@@ -1 +1 @@
-{"catalog":{"uuid":"0e9e8558-4d93-4a7f-8c87-34d4d4f9e7bd","metadata":{"title":"Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"5.1.1","oscal-version":"1.1.1","props":[{"name":"keywords","value":"Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security"}],"links":[{"href":"#c3397cc9-83c6-4459-adb2-836739dc1b94","rel":"alternate"},{"href":"#f7cf488d-bc64-4a91-a994-810e153ee481","rel":"canonical"}],"roles":[{"id":"creator","title":"Document creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"41a93829-b76b-43ec-b9e7-250553511549","type":"organization","name":"Joint Task Force, Interagency Working Group","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["41a93829-b76b-43ec-b9e7-250553511549"]},{"role-id":"contact","party-uuids":["41a93829-b76b-43ec-b9e7-250553511549"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;"},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."}]}]}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;"},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;"},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02_odp.01 }} for group and role membership are required;"},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;"},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;"},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;"},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02_odp.02 }} are specified for each account;"}]}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; "},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;"},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;"},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;"},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes."}]}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;"},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;"},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;"},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;"},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited."}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.6","class":"SP800-53-enhancement","title":"Dynamic Privilege Management","params":[{"id":"ac-02.06_odp","props":[{"name":"alt-identifier","value":"ac-2.6_prm_1"},{"name":"label","value":"AC-02(06)_ODP","class":"sp800-53a"}],"label":"dynamic privilege management capabilities","guidelines":[{"prose":"dynamic privilege management capabilities are defined;"}]}],"props":[{"name":"label","value":"AC-2(6)"},{"name":"label","value":"AC-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ac-2.6_smt","name":"statement","prose":"Implement {{ insert: param, ac-02.06_odp }}."},{"id":"ac-2.6_gdn","name":"guidance","prose":"In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications."},{"id":"ac-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.06_odp }} are implemented."},{"id":"ac-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of dynamic privilege management capabilities\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system or mechanisms implementing dynamic privilege management capabilities"}]}]},{"id":"ac-2.7","class":"SP800-53-enhancement","title":"Privileged User Accounts","params":[{"id":"ac-02.07_odp","props":[{"name":"alt-identifier","value":"ac-2.7_prm_1"},{"name":"label","value":"AC-02(07)_ODP","class":"sp800-53a"}],"select":{"choice":["a role-based access scheme","an attribute-based access scheme"]}}],"props":[{"name":"label","value":"AC-2(7)"},{"name":"label","value":"AC-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.7_smt","name":"statement","parts":[{"id":"ac-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};"},{"id":"ac-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor privileged role or attribute assignments;"},{"id":"ac-2.7_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Monitor changes to roles or attributes; and"},{"id":"ac-2.7_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Revoke access when privileged role or attribute assignments are no longer appropriate."}]},{"id":"ac-2.7_gdn","name":"guidance","prose":"Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes."},{"id":"ac-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)","class":"sp800-53a"}],"parts":[{"id":"ac-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(a)","class":"sp800-53a"}],"prose":"privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};"},{"id":"ac-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(b)","class":"sp800-53a"}],"prose":"privileged role or attribute assignments are monitored;"},{"id":"ac-2.7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(c)","class":"sp800-53a"}],"prose":"changes to roles or attributes are monitored;"},{"id":"ac-2.7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(d)","class":"sp800-53a"}],"prose":"access is revoked when privileged role or attribute assignments are no longer appropriate."}]},{"id":"ac-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments"}]}]},{"id":"ac-2.8","class":"SP800-53-enhancement","title":"Dynamic Account Management","params":[{"id":"ac-02.08_odp","props":[{"name":"alt-identifier","value":"ac-2.8_prm_1"},{"name":"label","value":"AC-02(08)_ODP","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts that are dynamically created, activated, managed, and deactivated are defined;"}]}],"props":[{"name":"label","value":"AC-2(8)"},{"name":"label","value":"AC-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ac-2.8_smt","name":"statement","prose":"Create, activate, manage, and deactivate {{ insert: param, ac-02.08_odp }} dynamically."},{"id":"ac-2.8_gdn","name":"guidance","prose":"Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges."},{"id":"ac-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)","class":"sp800-53a"}],"parts":[{"id":"ac-2.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are created dynamically;"},{"id":"ac-2.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are activated dynamically;"},{"id":"ac-2.8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are managed dynamically;"},{"id":"ac-2.8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are deactivated dynamically."}]},{"id":"ac-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.9","class":"SP800-53-enhancement","title":"Restrictions on Use of Shared and Group Accounts","params":[{"id":"ac-02.09_odp","props":[{"name":"alt-identifier","value":"ac-2.9_prm_1"},{"name":"alt-label","value":"conditions for establishing shared and group accounts","class":"sp800-53"},{"name":"label","value":"AC-02(09)_ODP","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for establishing shared and group accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(9)"},{"name":"label","value":"AC-02(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.9_smt","name":"statement","prose":"Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}."},{"id":"ac-2.9_gdn","name":"guidance","prose":"Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts."},{"id":"ac-2.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(09)","class":"sp800-53a"}],"prose":"the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met."},{"id":"ac-2.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared\/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of shared\/group accounts"}]}]},{"id":"ac-2.10","class":"SP800-53-enhancement","title":"Shared and Group Account Credential Change","props":[{"name":"label","value":"AC-2(10)"},{"name":"label","value":"AC-02(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2_smt.k","rel":"incorporated-into"}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-02.11_odp.01","props":[{"name":"alt-identifier","value":"ac-2.11_prm_1"},{"name":"label","value":"AC-02(11)_ODP[01]","class":"sp800-53a"}],"label":"circumstances and\/or usage conditions","guidelines":[{"prose":"circumstances and\/or usage conditions to be enforced for system accounts are defined;"}]},{"id":"ac-02.11_odp.02","props":[{"name":"alt-identifier","value":"ac-2.11_prm_2"},{"name":"label","value":"AC-02(11)_ODP[02]","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts subject to enforcement of circumstances and\/or usage conditions are defined;"}]}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"label","value":"AC-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(11)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced."},{"id":"ac-2.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and\/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring for Atypical Usage","params":[{"id":"ac-02.12_odp.01","props":[{"name":"alt-identifier","value":"ac-2.12_prm_1"},{"name":"label","value":"AC-02(12)_ODP[01]","class":"sp800-53a"}],"label":"atypical usage","guidelines":[{"prose":"atypical usage for which to monitor system accounts is defined;"}]},{"id":"ac-02.12_odp.02","props":[{"name":"alt-identifier","value":"ac-2.12_prm_2"},{"name":"label","value":"AC-02(12)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to report atypical usage is\/are defined;"}]}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"label","value":"AC-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.12_smt","name":"statement","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"ac-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)","class":"sp800-53a"}],"parts":[{"id":"ac-2.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(a)","class":"sp800-53a"}],"prose":"system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; "},{"id":"ac-2.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(b)","class":"sp800-53a"}],"prose":"atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}],"controls":[{"id":"ac-3.1","class":"SP800-53-enhancement","title":"Restricted Access to Privileged Functions","props":[{"name":"label","value":"AC-3(1)"},{"name":"label","value":"AC-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6","rel":"incorporated-into"}]},{"id":"ac-3.2","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"ac-03.02_odp","props":[{"name":"alt-identifier","value":"ac-3.2_prm_1"},{"name":"alt-label","value":"privileged commands and\/or other organization-defined actions","class":"sp800-53"},{"name":"label","value":"AC-03(02)_ODP","class":"sp800-53a"}],"label":"privileged commands and\/or other actions","guidelines":[{"prose":"privileged commands and\/or other actions requiring dual authorization are defined;"}]}],"props":[{"name":"label","value":"AC-3(2)"},{"name":"label","value":"AC-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cp-9","rel":"related"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-3.2_smt","name":"statement","prose":"Enforce dual authorization for {{ insert: param, ac-03.02_odp }}."},{"id":"ac-3.2_gdn","name":"guidance","prose":"Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety."},{"id":"ac-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(02)","class":"sp800-53a"}],"prose":"dual authorization is enforced for {{ insert: param, ac-03.02_odp }}."},{"id":"ac-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement and dual authorization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged commands requiring dual authorization\n\nlist of actions requiring dual authorization\n\nlist of approved authorizations (user privileges)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Dual authorization mechanisms implementing access control policy"}]}]},{"id":"ac-3.3","class":"SP800-53-enhancement","title":"Mandatory Access Control","params":[{"id":"ac-3.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.03_odp.02"}],"label":"organization-defined mandatory access control policy"},{"id":"ac-03.03_odp.01","props":[{"name":"label","value":"AC-03(03)_ODP[01]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"mandatory access control policy enforced over the set of covered subjects is defined;"}]},{"id":"ac-03.03_odp.02","props":[{"name":"label","value":"AC-03(03)_ODP[02]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"mandatory access control policy enforced over the set of covered objects is defined;"}]},{"id":"ac-03.03_odp.03","props":[{"name":"alt-identifier","value":"ac-3.3_prm_2"},{"name":"label","value":"AC-03(03)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be explicitly granted privileges are defined;"}]},{"id":"ac-03.03_odp.04","props":[{"name":"alt-identifier","value":"ac-3.3_prm_3"},{"name":"label","value":"AC-03(03)_ODP[04]","class":"sp800-53a"}],"label":"privileges","guidelines":[{"prose":"privileges to be explicitly granted to subjects are defined;"}]}],"props":[{"name":"label","value":"AC-3(3)"},{"name":"label","value":"AC-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-3.3_smt","name":"statement","prose":"Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy:","parts":[{"id":"ac-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Is uniformly enforced across the covered subjects and objects within the system;"},{"id":"ac-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Specifies that a subject that has been granted access to information is constrained from doing any of the following;","parts":[{"id":"ac-3.3_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Passing the information to unauthorized subjects or objects;"},{"id":"ac-3.3_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Granting its privileges to other subjects;"},{"id":"ac-3.3_smt.b.3","name":"item","props":[{"name":"label","value":"(3)"}],"prose":"Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;"},{"id":"ac-3.3_smt.b.4","name":"item","props":[{"name":"label","value":"(4)"}],"prose":"Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and"},{"id":"ac-3.3_smt.b.5","name":"item","props":[{"name":"label","value":"(5)"}],"prose":"Changing the rules governing access control; and"}]},{"id":"ac-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints."}]},{"id":"ac-3.3_gdn","name":"guidance","prose":"Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in [AC-25](#ac-25) . The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).\n\nThe trusted subjects described above are granted privileges consistent with the concept of least privilege (see [AC-6](#ac-6) ). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission\/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in [AC-3(4)](#ac-3.4) . A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information."},{"id":"ac-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;"},{"id":"ac-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;"},{"id":"ac-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;"},{"id":"ac-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;"}]},{"id":"ac-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;"},{"id":"ac-3.3_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;"},{"id":"ac-3.3_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;"},{"id":"ac-3.3_obj.b.4","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(04)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;"},{"id":"ac-3.3_obj.b.5","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;"}]},{"id":"ac-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced."}]},{"id":"ac-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nmandatory access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing mandatory access control"}]}]},{"id":"ac-3.4","class":"SP800-53-enhancement","title":"Discretionary Access Control","params":[{"id":"ac-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.04_odp.02"}],"label":"organization-defined discretionary access control policy"},{"id":"ac-03.04_odp.01","props":[{"name":"label","value":"AC-03(04)_ODP[01]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"discretionary access control policy enforced over the set of covered subjects is defined;"}]},{"id":"ac-03.04_odp.02","props":[{"name":"label","value":"AC-03(04)_ODP[02]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"discretionary access control policy enforced over the set of covered objects is defined;"}]}],"props":[{"name":"label","value":"AC-3(4)"},{"name":"label","value":"AC-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.4_smt","name":"statement","prose":"Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:","parts":[{"id":"ac-3.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Pass the information to any other subjects or objects;"},{"id":"ac-3.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Grant its privileges to other subjects;"},{"id":"ac-3.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change security attributes on subjects, objects, the system, or the system’s components;"},{"id":"ac-3.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Choose the security attributes to be associated with newly created or revised objects; or"},{"id":"ac-3.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Change the rules governing access control."}]},{"id":"ac-3.4_gdn","name":"guidance","prose":"When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in [AC-3(3)](#ac-3.3) and [AC-3(15)](#ac-3.15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while [AC-3(3)](#ac-3.3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, [AC-3(4)](#ac-3.4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control."},{"id":"ac-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)","class":"sp800-53a"}],"parts":[{"id":"ac-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;"},{"id":"ac-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;"},{"id":"ac-3.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;"},{"id":"ac-3.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;"},{"id":"ac-3.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;"},{"id":"ac-3.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(d)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;"},{"id":"ac-3.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(e)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control."}]},{"id":"ac-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ndiscretionary access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing discretionary access control policy"}]}]},{"id":"ac-3.5","class":"SP800-53-enhancement","title":"Security-relevant Information","params":[{"id":"ac-03.05_odp","props":[{"name":"alt-identifier","value":"ac-3.5_prm_1"},{"name":"label","value":"AC-03(05)_ODP","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information to which access is prevented except during secure, non-operable system states is defined;"}]}],"props":[{"name":"label","value":"AC-3(5)"},{"name":"label","value":"AC-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-3.5_smt","name":"statement","prose":"Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states."},{"id":"ac-3.5_gdn","name":"guidance","prose":"Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down."},{"id":"ac-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(05)","class":"sp800-53a"}],"prose":"access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states."},{"id":"ac-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing access to security-relevant information within the system"}]}]},{"id":"ac-3.6","class":"SP800-53-enhancement","title":"Protection of User and System Information","props":[{"name":"label","value":"AC-3(6)"},{"name":"label","value":"AC-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-4","rel":"incorporated-into"},{"href":"#sc-28","rel":"incorporated-into"}]},{"id":"ac-3.7","class":"SP800-53-enhancement","title":"Role-based Access Control","params":[{"id":"ac-3.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.07_odp.02"}],"label":"organization-defined roles and users authorized to assume such roles"},{"id":"ac-03.07_odp.01","props":[{"name":"label","value":"AC-03(07)_ODP[01]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"roles upon which to base control of access are defined;"}]},{"id":"ac-03.07_odp.02","props":[{"name":"label","value":"AC-03(07)_ODP[02]","class":"sp800-53a"}],"label":"users authorized to assume such roles","guidelines":[{"prose":"users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;"}]}],"props":[{"name":"label","value":"AC-3(7)"},{"name":"label","value":"AC-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.7_smt","name":"statement","prose":"Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}."},{"id":"ac-3.7_gdn","name":"guidance","prose":"Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy."},{"id":"ac-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)","class":"sp800-53a"}],"parts":[{"id":"ac-3.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[01]","class":"sp800-53a"}],"prose":"a role-based access control policy is enforced over defined subjects;"},{"id":"ac-3.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[02]","class":"sp800-53a"}],"prose":"a role-based access control policy is enforced over defined objects;"},{"id":"ac-3.7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[03]","class":"sp800-53a"}],"prose":"access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}."}]},{"id":"ac-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nrole-based access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of roles, users, and associated privileges required to control system access\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing role-based access control policy"}]}]},{"id":"ac-3.8","class":"SP800-53-enhancement","title":"Revocation of Access Authorizations","params":[{"id":"ac-03.08_odp","props":[{"name":"alt-identifier","value":"ac-3.8_prm_1"},{"name":"alt-label","value":"rules governing the timing of revocations of access authorizations","class":"sp800-53"},{"name":"label","value":"AC-03(08)_ODP","class":"sp800-53a"}],"label":"rules","guidelines":[{"prose":"rules governing the timing of revocations of access authorizations are defined;"}]}],"props":[{"name":"label","value":"AC-3(8)"},{"name":"label","value":"AC-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.8_smt","name":"statement","prose":"Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}."},{"id":"ac-3.8_gdn","name":"guidance","prose":"Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary."},{"id":"ac-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)","class":"sp800-53a"}],"parts":[{"id":"ac-3.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)[01]","class":"sp800-53a"}],"prose":"revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};"},{"id":"ac-3.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)[02]","class":"sp800-53a"}],"prose":"revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}."}]},{"id":"ac-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrules governing revocation of access authorizations, system audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.9","class":"SP800-53-enhancement","title":"Controlled Release","params":[{"id":"ac-03.09_odp.01","props":[{"name":"alt-identifier","value":"ac-3.9_prm_1"},{"name":"label","value":"AC-03(09)_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the outside system or system component to which to release information is defined;"}]},{"id":"ac-03.09_odp.02","props":[{"name":"alt-identifier","value":"ac-3.9_prm_2"},{"name":"label","value":"AC-03(09)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;"}]},{"id":"ac-03.09_odp.03","props":[{"name":"alt-identifier","value":"ac-3.9_prm_3"},{"name":"label","value":"AC-03(09)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to validate appropriateness of information to be released are defined;"}]}],"props":[{"name":"label","value":"AC-3(9)"},{"name":"label","value":"AC-03(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ca-3","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#pt-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-16","rel":"related"}],"parts":[{"id":"ac-3.9_smt","name":"statement","prose":"Release information outside of the system only if:","parts":[{"id":"ac-3.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and"},{"id":"ac-3.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release."}]},{"id":"ac-3.9_gdn","name":"guidance","prose":"Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections\/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.\n\nControlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer."},{"id":"ac-3.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)","class":"sp800-53a"}],"parts":[{"id":"ac-3.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)(a)","class":"sp800-53a"}],"prose":"information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};"},{"id":"ac-3.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)(b)","class":"sp800-53a"}],"prose":"information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release."}]},{"id":"ac-3.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy safeguards provided by receiving system or system components\n\nlist of security and privacy safeguards validating appropriateness of information designated for release\n\nsystem audit records\n\nresults of period assessments (inspections\/tests) of the external system\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-3.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.10","class":"SP800-53-enhancement","title":"Audited Override of Access Control Mechanisms","params":[{"id":"ac-03.10_odp.01","props":[{"name":"alt-identifier","value":"ac-3.10_prm_1"},{"name":"label","value":"AC-03(10)_ODP[01]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which to employ an audited override of automated access control mechanisms are defined;"}]},{"id":"ac-03.10_odp.02","props":[{"name":"alt-identifier","value":"ac-3.10_prm_2"},{"name":"label","value":"AC-03(10)_ODP[02]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"roles allowed to employ an audited override of automated access control mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-3(10)"},{"name":"label","value":"AC-03(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-3.10_smt","name":"statement","prose":"Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}."},{"id":"ac-3.10_gdn","name":"guidance","prose":"In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)."},{"id":"ac-3.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(10)","class":"sp800-53a"}],"prose":"an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}."},{"id":"ac-3.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconditions for employing audited override of automated access control mechanisms\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.11","class":"SP800-53-enhancement","title":"Restrict Access to Specific Information Types","params":[{"id":"ac-03.11_odp","props":[{"name":"alt-identifier","value":"ac-3.11_prm_1"},{"name":"label","value":"AC-03(11)_ODP","class":"sp800-53a"}],"label":"information types","guidelines":[{"prose":"information types requiring restricted access to data repositories are defined;"}]}],"props":[{"name":"label","value":"AC-3(11)"},{"name":"label","value":"AC-03(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pm-5","rel":"related"}],"parts":[{"id":"ac-3.11_smt","name":"statement","prose":"Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}."},{"id":"ac-3.11_gdn","name":"guidance","prose":"Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information."},{"id":"ac-3.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(11)","class":"sp800-53a"}],"prose":"access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted."},{"id":"ac-3.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\norganizational personnel with responsibilities for data repositories\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.12","class":"SP800-53-enhancement","title":"Assert and Enforce Application Access","params":[{"id":"ac-03.12_odp","props":[{"name":"alt-identifier","value":"ac-3.12_prm_1"},{"name":"label","value":"AC-03(12)_ODP","class":"sp800-53a"}],"label":"system applications and functions","guidelines":[{"prose":"system applications and functions requiring access assertion are defined;"}]}],"props":[{"name":"label","value":"AC-3(12)"},{"name":"label","value":"AC-03(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"ac-3.12_smt","name":"statement","parts":[{"id":"ac-3.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};"},{"id":"ac-3.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide an enforcement mechanism to prevent unauthorized access; and"},{"id":"ac-3.12_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Approve access changes after initial installation of the application."}]},{"id":"ac-3.12_gdn","name":"guidance","prose":"Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files."},{"id":"ac-3.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)","class":"sp800-53a"}],"parts":[{"id":"ac-3.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(a)","class":"sp800-53a"}],"prose":"as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};"},{"id":"ac-3.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(b)","class":"sp800-53a"}],"prose":"an enforcement mechanism to prevent unauthorized access is provided; "},{"id":"ac-3.12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(c)","class":"sp800-53a"}],"prose":"access changes after initial installation of the application are approved."}]},{"id":"ac-3.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.13","class":"SP800-53-enhancement","title":"Attribute-based Access Control","params":[{"id":"ac-03.13_odp","props":[{"name":"alt-identifier","value":"ac-3.13_prm_1"},{"name":"alt-label","value":"attributes to assume access permissions","class":"sp800-53"},{"name":"label","value":"AC-03(13)_ODP","class":"sp800-53a"}],"label":"attributes","guidelines":[{"prose":"attributes to assume access permissions are defined;"}]}],"props":[{"name":"label","value":"AC-3(13)"},{"name":"label","value":"AC-03(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.13_smt","name":"statement","prose":"Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}."},{"id":"ac-3.13_gdn","name":"guidance","prose":"Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy."},{"id":"ac-3.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)","class":"sp800-53a"}],"parts":[{"id":"ac-3.13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[01]","class":"sp800-53a"}],"prose":"the attribute-based access control policy is enforced over defined subjects;"},{"id":"ac-3.13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[02]","class":"sp800-53a"}],"prose":"the attribute-based access control policy is enforced over defined objects;"},{"id":"ac-3.13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[03]","class":"sp800-53a"}],"prose":"access is controlled based on {{ insert: param, ac-03.13_odp }}."}]},{"id":"ac-3.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.14","class":"SP800-53-enhancement","title":"Individual Access","params":[{"id":"ac-03.14_odp.01","props":[{"name":"alt-identifier","value":"ac-3.14_prm_1"},{"name":"label","value":"AC-03(14)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;"}]},{"id":"ac-03.14_odp.02","props":[{"name":"alt-identifier","value":"ac-3.14_prm_2"},{"name":"label","value":"AC-03(14)_ODP[02]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to which individuals have access are defined;"}]}],"props":[{"name":"label","value":"AC-3(14)"},{"name":"label","value":"AC-03(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ia-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"ac-3.14_smt","name":"statement","prose":"Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}."},{"id":"ac-3.14_gdn","name":"guidance","prose":"Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations."},{"id":"ac-3.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(14)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information."},{"id":"ac-3.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access mechanisms (e.g., request forms and application interfaces)\n\naccess control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation regarding access to an individual’s personally identifiable information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment findings and\/or reports\n\nother relevant documents or records"}]},{"id":"ac-3.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel"}]},{"id":"ac-3.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions\n\nmechanisms enabling individual access to personally identifiable information"}]}]},{"id":"ac-3.15","class":"SP800-53-enhancement","title":"Discretionary and Mandatory Access Control","params":[{"id":"ac-3.15_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.02"}],"label":"organization-defined mandatory access control policy"},{"id":"ac-3.15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.04"}],"label":"organization-defined discretionary access control policy"},{"id":"ac-03.15_odp.01","props":[{"name":"label","value":"AC-03(15)_ODP[01]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.02","props":[{"name":"label","value":"AC-03(15)_ODP[02]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.03","props":[{"name":"label","value":"AC-03(15)_ODP[03]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.04","props":[{"name":"label","value":"AC-03(15)_ODP[04]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;"}]}],"props":[{"name":"label","value":"AC-3(15)"},{"name":"label","value":"AC-03(15)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ac-3.15_smt","name":"statement","parts":[{"id":"ac-3.15_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and"},{"id":"ac-3.15_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy."}]},{"id":"ac-3.15_gdn","name":"guidance","prose":"Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system."},{"id":"ac-3.15_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;"},{"id":"ac-3.15_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;"}]},{"id":"ac-3.15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;"},{"id":"ac-3.15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy."}]}]},{"id":"ac-3.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing mandatory and discretionary access control policy"}]}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.1","class":"SP800-53-enhancement","title":"Object Security and Privacy Attributes","params":[{"id":"ac-4.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-4.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.08"}],"label":"organization-defined information, source, and destination objects"},{"id":"ac-04.01_odp.01","props":[{"name":"label","value":"AC-04(01)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with information, source, and destination objects are defined;"}]},{"id":"ac-04.01_odp.02","props":[{"name":"label","value":"AC-04(01)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with information, source, and destination objects are defined;"}]},{"id":"ac-04.01_odp.03","props":[{"name":"label","value":"AC-04(01)_ODP[03]","class":"sp800-53a"}],"label":"information objects","guidelines":[{"prose":"information objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.04","props":[{"name":"label","value":"AC-04(01)_ODP[04]","class":"sp800-53a"}],"label":"information objects","guidelines":[{"prose":"information objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.05","props":[{"name":"label","value":"AC-04(01)_ODP[05]","class":"sp800-53a"}],"label":"source objects","guidelines":[{"prose":"source objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.06","props":[{"name":"label","value":"AC-04(01)_ODP[06]","class":"sp800-53a"}],"label":"source objects","guidelines":[{"prose":"source objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.07","props":[{"name":"label","value":"AC-04(01)_ODP[07]","class":"sp800-53a"}],"label":"destination objects","guidelines":[{"prose":"destination objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.08","props":[{"name":"label","value":"AC-04(01)_ODP[08]","class":"sp800-53a"}],"label":"destination objects","guidelines":[{"prose":"destination objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.09","props":[{"name":"alt-identifier","value":"ac-4.1_prm_3"},{"name":"label","value":"AC-04(01)_ODP[09]","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies as a basis for enforcement of flow control decisions are defined;"}]}],"props":[{"name":"label","value":"AC-4(1)"},{"name":"label","value":"AC-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.1_smt","name":"statement","prose":"Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions."},{"id":"ac-4.1_gdn","name":"guidance","prose":"Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information."},{"id":"ac-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)","class":"sp800-53a"}],"parts":[{"id":"ac-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;"},{"id":"ac-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions."}]},{"id":"ac-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy attributes and associated source and destination objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.2","class":"SP800-53-enhancement","title":"Processing Domains","params":[{"id":"ac-04.02_odp","props":[{"name":"alt-identifier","value":"ac-4.2_prm_1"},{"name":"label","value":"AC-04(02)_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies to be enforced by use of protected processing domains are defined;"}]}],"props":[{"name":"label","value":"AC-4(2)"},{"name":"label","value":"AC-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-4.2_smt","name":"statement","prose":"Use protected processing domains to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions."},{"id":"ac-4.2_gdn","name":"guidance","prose":"Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to\/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains."},{"id":"ac-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(02)","class":"sp800-53a"}],"prose":"protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions."},{"id":"ac-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.3","class":"SP800-53-enhancement","title":"Dynamic Information Flow Control","params":[{"id":"ac-04.03_odp","props":[{"name":"alt-identifier","value":"ac-4.3_prm_1"},{"name":"label","value":"AC-04(03)_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies to be enforced are defined;"}]}],"props":[{"name":"label","value":"AC-4(3)"},{"name":"label","value":"AC-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.3_smt","name":"statement","prose":"Enforce {{ insert: param, ac-04.03_odp }}."},{"id":"ac-4.3_gdn","name":"guidance","prose":"Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events."},{"id":"ac-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.03_odp }} are enforced."},{"id":"ac-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.4","class":"SP800-53-enhancement","title":"Flow Control of Encrypted Information","params":[{"id":"ac-04.04_odp.01","props":[{"name":"alt-identifier","value":"ac-4.4_prm_1"},{"name":"label","value":"AC-04(04)_ODP[01]","class":"sp800-53a"}],"label":"information flow control mechanisms","guidelines":[{"prose":"information flow control mechanisms that encrypted information is prevented from bypassing are defined;"}]},{"id":"ac-04.04_odp.02","props":[{"name":"alt-identifier","value":"ac-4.4_prm_2"},{"name":"label","value":"AC-04(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["decrypting the information","blocking the flow of the encrypted information","terminating communications sessions attempting to pass encrypted information","{{ insert: param, ac-04.04_odp.03 }} "]}},{"id":"ac-04.04_odp.03","props":[{"name":"alt-identifier","value":"ac-4.4_prm_3"},{"name":"alt-label","value":"procedure or method","class":"sp800-53"},{"name":"label","value":"AC-04(04)_ODP[03]","class":"sp800-53a"}],"label":"organization-defined procedure or method","guidelines":[{"prose":"the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(4)"},{"name":"label","value":"AC-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.4_smt","name":"statement","prose":"Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_gdn","name":"guidance","prose":"Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms."},{"id":"ac-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(04)","class":"sp800-53a"}],"prose":"encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.5","class":"SP800-53-enhancement","title":"Embedded Data Types","params":[{"id":"ac-04.05_odp","props":[{"name":"alt-identifier","value":"ac-4.5_prm_1"},{"name":"label","value":"AC-04(05)_ODP","class":"sp800-53a"}],"label":"limitations","guidelines":[{"prose":"limitations on embedding data types within other data types are defined;"}]}],"props":[{"name":"label","value":"AC-4(5)"},{"name":"label","value":"AC-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.5_smt","name":"statement","prose":"Enforce {{ insert: param, ac-04.05_odp }} on embedding data types within other data types."},{"id":"ac-4.5_gdn","name":"guidance","prose":"Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools."},{"id":"ac-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types."},{"id":"ac-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of limitations to be enforced on embedding data types within other data types\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.6","class":"SP800-53-enhancement","title":"Metadata","params":[{"id":"ac-04.06_odp","props":[{"name":"alt-identifier","value":"ac-4.6_prm_1"},{"name":"label","value":"AC-04(06)_ODP","class":"sp800-53a"}],"label":"metadata","guidelines":[{"prose":"metadata on which to base enforcement of information flow control is defined;"}]}],"props":[{"name":"label","value":"AC-4(6)"},{"name":"label","value":"AC-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ac-4.6_smt","name":"statement","prose":"Enforce information flow control based on {{ insert: param, ac-04.06_odp }}."},{"id":"ac-4.6_gdn","name":"guidance","prose":"Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance)."},{"id":"ac-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(06)","class":"sp800-53a"}],"prose":"information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}."},{"id":"ac-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntypes of metadata used to enforce information flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.7","class":"SP800-53-enhancement","title":"One-way Flow Mechanisms","props":[{"name":"label","value":"AC-4(7)"},{"name":"label","value":"AC-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.7_smt","name":"statement","prose":"Enforce one-way information flows through hardware-based flow control mechanisms."},{"id":"ac-4.7_gdn","name":"guidance","prose":"One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported."},{"id":"ac-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(07)","class":"sp800-53a"}],"prose":"one-way information flows are enforced through hardware-based flow control mechanisms."},{"id":"ac-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem hardware mechanisms and associated configurations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Hardware mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.8","class":"SP800-53-enhancement","title":"Security and Privacy Policy Filters","params":[{"id":"ac-4.8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-4.8_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.04"}],"label":"organization-defined information flows"},{"id":"ac-4.8_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.07"}],"label":"organization-defined security or privacy policy"},{"id":"ac-04.08_odp.01","props":[{"name":"label","value":"AC-04(08)_ODP[01]","class":"sp800-53a"}],"label":"security policy filter","guidelines":[{"prose":"security policy filters to be used as a basis for enforcing information flow control are defined;"}]},{"id":"ac-04.08_odp.02","props":[{"name":"label","value":"AC-04(08)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filter","guidelines":[{"prose":"privacy policy filters to be used as a basis for enforcing information flow control are defined;"}]},{"id":"ac-04.08_odp.03","props":[{"name":"label","value":"AC-04(08)_ODP[03]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows for which information flow control is enforced by security filters are defined;"}]},{"id":"ac-04.08_odp.04","props":[{"name":"label","value":"AC-04(08)_ODP[04]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows for which information flow control is enforced by privacy filters are defined;"}]},{"id":"ac-04.08_odp.05","props":[{"name":"alt-identifier","value":"ac-4.8_prm_3"},{"name":"label","value":"AC-04(08)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block","strip","modify","quarantine"]}},{"id":"ac-04.08_odp.06","props":[{"name":"label","value":"AC-04(08)_ODP[06]","class":"sp800-53a"}],"label":"security policy","guidelines":[{"prose":"security policy identifying actions to be taken after a filter processing failure are defined;"}]},{"id":"ac-04.08_odp.07","props":[{"name":"label","value":"AC-04(08)_ODP[07]","class":"sp800-53a"}],"label":"privacy policy","guidelines":[{"prose":"privacy policy identifying actions to be taken after a filter processing failure are defined;"}]}],"props":[{"name":"label","value":"AC-4(8)"},{"name":"label","value":"AC-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.8_smt","name":"statement","parts":[{"id":"ac-4.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }} ; and"},{"id":"ac-4.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}."}]},{"id":"ac-4.8_gdn","name":"guidance","prose":"Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data\/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives."},{"id":"ac-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)","class":"sp800-53a"}],"parts":[{"id":"ac-4.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-4.8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)[01]","class":"sp800-53a"}],"prose":"information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};"},{"id":"ac-4.8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)[02]","class":"sp800-53a"}],"prose":"information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};"}]},{"id":"ac-4.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};\n\n{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}."}]},{"id":"ac-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters regulating flow control decisions\n\nlist of privacy policy filters regulating flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.9","class":"SP800-53-enhancement","title":"Human Reviews","params":[{"id":"ac-04.09_odp.01","props":[{"name":"alt-identifier","value":"ac-4.9_prm_1"},{"name":"label","value":"AC-04(09)_ODP[01]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows requiring the use of human reviews are defined;"}]},{"id":"ac-04.09_odp.02","props":[{"name":"alt-identifier","value":"ac-4.9_prm_2"},{"name":"label","value":"AC-04(09)_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which the use of human reviews for information flows are to be enforced are defined;"}]}],"props":[{"name":"label","value":"AC-4(9)"},{"name":"label","value":"AC-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.9_smt","name":"statement","prose":"Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}."},{"id":"ac-4.9_gdn","name":"guidance","prose":"Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations."},{"id":"ac-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(09)","class":"sp800-53a"}],"prose":"human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}."},{"id":"ac-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of human reviews regarding information flows\n\nlist of information flows requiring the use of human reviews\n\nlist of conditions requiring human reviews for information flows\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with information flow enforcement responsibilities\n\nsystem developers"}]},{"id":"ac-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms enforcing the use of human reviews"}]}]},{"id":"ac-4.10","class":"SP800-53-enhancement","title":"Enable and Disable Security or Privacy Policy Filters","params":[{"id":"ac-4.10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-4.10_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.04"}],"label":"organization-defined conditions"},{"id":"ac-04.10_odp.01","props":[{"name":"label","value":"AC-04(10)_ODP[01]","class":"sp800-53a"}],"label":"security filters","guidelines":[{"prose":"security policy filters that privileged administrators have the capability to enable and disable are defined;"}]},{"id":"ac-04.10_odp.02","props":[{"name":"label","value":"AC-04(10)_ODP[02]","class":"sp800-53a"}],"label":"privacy filters","guidelines":[{"prose":"privacy policy filters that privileged administrators have the capability to enable and disable are defined;"}]},{"id":"ac-04.10_odp.03","props":[{"name":"label","value":"AC-04(10)_ODP[03]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;"}]},{"id":"ac-04.10_odp.04","props":[{"name":"label","value":"AC-04(10)_ODP[04]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;"}]}],"props":[{"name":"label","value":"AC-4(10)"},{"name":"label","value":"AC-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.10_smt","name":"statement","prose":"Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}."},{"id":"ac-4.10_gdn","name":"guidance","prose":"For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed."},{"id":"ac-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)","class":"sp800-53a"}],"parts":[{"id":"ac-4.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)[01]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};"},{"id":"ac-4.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)[02]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}."}]},{"id":"ac-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow information policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters enabled\/disabled by privileged administrators\n\nlist of privacy policy filters enabled\/disabled by privileged administrators\n\nlist of approved data types for enabling\/disabling by privileged administrators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for enabling\/disabling security and privacy policy filters\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.11","class":"SP800-53-enhancement","title":"Configuration of Security or Privacy Policy Filters","params":[{"id":"ac-4.11_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.11_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.11_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.11_odp.01","props":[{"name":"label","value":"AC-04(11)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;"}]},{"id":"ac-04.11_odp.02","props":[{"name":"label","value":"AC-04(11)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;"}]}],"props":[{"name":"label","value":"AC-4(11)"},{"name":"label","value":"AC-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.11_smt","name":"statement","prose":"Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies."},{"id":"ac-4.11_gdn","name":"guidance","prose":"Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations."},{"id":"ac-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)","class":"sp800-53a"}],"parts":[{"id":"ac-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)[01]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;"},{"id":"ac-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)[02]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies."}]},{"id":"ac-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters\n\nlist of privacy policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for configuring security and privacy policy filters\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.12","class":"SP800-53-enhancement","title":"Data Type Identifiers","params":[{"id":"ac-04.12_odp","props":[{"name":"alt-identifier","value":"ac-4.12_prm_1"},{"name":"label","value":"AC-04(12)_ODP","class":"sp800-53a"}],"label":"data type identifiers","guidelines":[{"prose":"data type identifiers to be used to validate data essential for information flow decisions are defined;"}]}],"props":[{"name":"label","value":"AC-4(12)"},{"name":"label","value":"AC-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.12_smt","name":"statement","prose":"When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions."},{"id":"ac-4.12_gdn","name":"guidance","prose":"Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type."},{"id":"ac-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(12)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions."},{"id":"ac-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of data type identifiers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.13","class":"SP800-53-enhancement","title":"Decomposition into Policy-relevant Subcomponents","params":[{"id":"ac-04.13_odp","props":[{"name":"alt-identifier","value":"ac-4.13_prm_1"},{"name":"label","value":"AC-04(13)_ODP","class":"sp800-53a"}],"label":"policy-relevant subcomponents","guidelines":[{"prose":"policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-4(13)"},{"name":"label","value":"AC-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.13_smt","name":"statement","prose":"When transferring information between different security domains, decompose information into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms."},{"id":"ac-4.13_gdn","name":"guidance","prose":"Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and\/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains."},{"id":"ac-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(13)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms."},{"id":"ac-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.14","class":"SP800-53-enhancement","title":"Security or Privacy Policy Filter Constraints","params":[{"id":"ac-4.14_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.14_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.14_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.14_odp.01","props":[{"name":"label","value":"AC-04(14)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters to be implemented that require fully enumerated formats restricting data structure and content have been defined;"}]},{"id":"ac-04.14_odp.02","props":[{"name":"label","value":"AC-04(14)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;"}]}],"props":[{"name":"label","value":"AC-4(14)"},{"name":"label","value":"AC-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.14_smt","name":"statement","prose":"When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content."},{"id":"ac-4.14_gdn","name":"guidance","prose":"Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures."},{"id":"ac-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)","class":"sp800-53a"}],"parts":[{"id":"ac-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;"},{"id":"ac-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content."}]},{"id":"ac-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy policy filters\n\nlist of data structure policy filters\n\nlist of data content policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.15","class":"SP800-53-enhancement","title":"Detection of Unsanctioned Information","params":[{"id":"ac-4.15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.15_odp.03"}],"label":"organization-defined security or privacy policy"},{"id":"ac-04.15_odp.01","props":[{"name":"alt-identifier","value":"ac-4.15_prm_1"},{"name":"label","value":"AC-04(15)_ODP[01]","class":"sp800-53a"}],"label":"unsanctioned information","guidelines":[{"prose":"unsanctioned information to be detected is defined;"}]},{"id":"ac-04.15_odp.02","props":[{"name":"label","value":"AC-04(15)_ODP[02]","class":"sp800-53a"}],"label":"security policy","guidelines":[{"prose":"security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);"}]},{"id":"ac-04.15_odp.03","props":[{"name":"label","value":"AC-04(15)_ODP[03]","class":"sp800-53a"}],"label":"privacy policy","guidelines":[{"prose":"privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(15)"},{"name":"label","value":"AC-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ac-4.15_smt","name":"statement","prose":"When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}."},{"id":"ac-4.15_gdn","name":"guidance","prose":"Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network."},{"id":"ac-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)","class":"sp800-53a"}],"parts":[{"id":"ac-4.15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};"},{"id":"ac-4.15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};"},{"id":"ac-4.15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[03]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}."}]},{"id":"ac-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unsanctioned information types and associated information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.16","class":"SP800-53-enhancement","title":"Information Transfers on Interconnected Systems","props":[{"name":"label","value":"AC-4(16)"},{"name":"label","value":"AC-04(16)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.16"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-4","rel":"incorporated-into"}]},{"id":"ac-4.17","class":"SP800-53-enhancement","title":"Domain Authentication","params":[{"id":"ac-04.17_odp","props":[{"name":"alt-identifier","value":"ac-4.17_prm_1"},{"name":"label","value":"AC-04(17)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization, system, application, service, individual"]}}],"props":[{"name":"label","value":"AC-4(17)"},{"name":"label","value":"AC-04(17)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-9","rel":"related"}],"parts":[{"id":"ac-4.17_smt","name":"statement","prose":"Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer."},{"id":"ac-4.17_gdn","name":"guidance","prose":"Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals."},{"id":"ac-4.17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(17)","class":"sp800-53a"}],"prose":"source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer."},{"id":"ac-4.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nprocedures addressing source and destination domain identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system labels\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.18","class":"SP800-53-enhancement","title":"Security Attribute Binding","props":[{"name":"label","value":"AC-4(18)"},{"name":"label","value":"AC-04(18)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.18"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-16","rel":"incorporated-into"}]},{"id":"ac-4.19","class":"SP800-53-enhancement","title":"Validation of Metadata","params":[{"id":"ac-4.19_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.19_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.19_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.19_odp.01","props":[{"name":"label","value":"AC-04(19)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters to be implemented on metadata are defined (if selected);"}]},{"id":"ac-04.19_odp.02","props":[{"name":"label","value":"AC-04(19)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters to be implemented on metadata are defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(19)"},{"name":"label","value":"AC-04(19)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.19_smt","name":"statement","prose":"When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata."},{"id":"ac-4.19_gdn","name":"guidance","prose":"All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload."},{"id":"ac-4.19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)","class":"sp800-53a"}],"parts":[{"id":"ac-4.19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;"},{"id":"ac-4.19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata."}]},{"id":"ac-4.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filtering criteria applied to metadata and data payloads\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nsecurity and policy filters"}]}]},{"id":"ac-4.20","class":"SP800-53-enhancement","title":"Approved Solutions","params":[{"id":"ac-04.20_odp.01","props":[{"name":"alt-identifier","value":"ac-4.20_prm_1"},{"name":"label","value":"AC-04(20)_ODP[01]","class":"sp800-53a"}],"label":"solutions in approved configurations","guidelines":[{"prose":"solutions in approved configurations to control the flow of information across security domains are defined;"}]},{"id":"ac-04.20_odp.02","props":[{"name":"alt-identifier","value":"ac-4.20_prm_2"},{"name":"label","value":"AC-04(20)_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be controlled when it flows across security domains is defined;"}]}],"props":[{"name":"label","value":"AC-4(20)"},{"name":"label","value":"AC-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.20_smt","name":"statement","prose":"Employ {{ insert: param, ac-04.20_odp.01 }} to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains."},{"id":"ac-4.20_gdn","name":"guidance","prose":"Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information."},{"id":"ac-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(20)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains."},{"id":"ac-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of solutions in approved configurations\n\napproved configuration baselines\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.21","class":"SP800-53-enhancement","title":"Physical or Logical Separation of Information Flows","params":[{"id":"ac-4.21_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.21_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.21_odp.02"}],"label":"organization-defined mechanisms and\/or techniques"},{"id":"ac-04.21_odp.01","props":[{"name":"label","value":"AC-04(21)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms and\/or techniques","guidelines":[{"prose":"mechanisms and\/or techniques used to logically separate information flows are defined (if selected);"}]},{"id":"ac-04.21_odp.02","props":[{"name":"label","value":"AC-04(21)_ODP[02]","class":"sp800-53a"}],"label":"mechanisms and\/or techniques","guidelines":[{"prose":"mechanisms and\/or techniques used to physically separate information flows are defined (if selected);"}]},{"id":"ac-04.21_odp.03","props":[{"name":"alt-identifier","value":"ac-4.21_prm_2"},{"name":"alt-label","value":"required separations by types of information","class":"sp800-53"},{"name":"label","value":"AC-04(21)_ODP[03]","class":"sp800-53a"}],"label":"required separations","guidelines":[{"prose":"required separations by types of information are defined;"}]}],"props":[{"name":"label","value":"AC-4(21)"},{"name":"label","value":"AC-04(21)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#sc-32","rel":"related"}],"parts":[{"id":"ac-4.21_smt","name":"statement","prose":"Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}."},{"id":"ac-4.21_gdn","name":"guidance","prose":"Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels."},{"id":"ac-4.21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)","class":"sp800-53a"}],"parts":[{"id":"ac-4.21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)[01]","class":"sp800-53a"}],"prose":"information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};"},{"id":"ac-4.21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)[02]","class":"sp800-53a"}],"prose":"information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}."}]},{"id":"ac-4.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and\/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.22","class":"SP800-53-enhancement","title":"Access Only","props":[{"name":"label","value":"AC-4(22)"},{"name":"label","value":"AC-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.22_smt","name":"statement","prose":"Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains."},{"id":"ac-4.22_gdn","name":"guidance","prose":"The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate."},{"id":"ac-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(22)","class":"sp800-53a"}],"prose":"access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains."},{"id":"ac-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.23","class":"SP800-53-enhancement","title":"Modify Non-releasable Information","params":[{"id":"ac-04.23_odp","props":[{"name":"alt-identifier","value":"ac-4.23_prm_1"},{"name":"label","value":"AC-04(23)_ODP","class":"sp800-53a"}],"label":"modification action","guidelines":[{"prose":"modification action implemented on non-releasable information is defined;"}]}],"props":[{"name":"label","value":"AC-4(23)"},{"name":"label","value":"AC-04(23)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.23_smt","name":"statement","prose":"When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}."},{"id":"ac-4.23_gdn","name":"guidance","prose":"Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction."},{"id":"ac-4.23_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(23)","class":"sp800-53a"}],"prose":"when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}."},{"id":"ac-4.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.24","class":"SP800-53-enhancement","title":"Internal Normalized Format","props":[{"name":"label","value":"AC-4(24)"},{"name":"label","value":"AC-04(24)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.24_smt","name":"statement","prose":"When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification."},{"id":"ac-4.24_gdn","name":"guidance","prose":"Converting data into normalized forms is one of most of effective mechanisms to stop malicious attacks and large classes of data exfiltration."},{"id":"ac-4.24_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)","class":"sp800-53a"}],"parts":[{"id":"ac-4.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, incoming data is parsed into an internal, normalized format;"},{"id":"ac-4.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the data is regenerated to be consistent with its intended specification."}]},{"id":"ac-4.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.25","class":"SP800-53-enhancement","title":"Data Sanitization","params":[{"id":"ac-04.25_odp.01","props":[{"name":"alt-identifier","value":"ac-4.25_prm_1"},{"name":"label","value":"AC-04(25)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data","spillage of sensitive information"]}},{"id":"ac-04.25_odp.02","props":[{"name":"alt-identifier","value":"ac-4.25_prm_2"},{"name":"label","value":"AC-04(25)_ODP[02]","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"policy for sanitizing data is defined;"}]}],"props":[{"name":"label","value":"AC-4(25)"},{"name":"label","value":"AC-04(25)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-4.25_smt","name":"statement","prose":"When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}."},{"id":"ac-4.25_gdn","name":"guidance","prose":"Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory\/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form."},{"id":"ac-4.25_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(25)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}."},{"id":"ac-4.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.26","class":"SP800-53-enhancement","title":"Audit Filtering Actions","props":[{"name":"label","value":"AC-4(26)"},{"name":"label","value":"AC-04(26)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-4.26_smt","name":"statement","prose":"When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered."},{"id":"ac-4.26_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and\/or why it failed the filtering process. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)."},{"id":"ac-4.26_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)","class":"sp800-53a"}],"parts":[{"id":"ac-4.26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, content-filtering actions are recorded and audited;"},{"id":"ac-4.26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, results for the information being filtered are recorded and audited."}]},{"id":"ac-4.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering\n\nmechanisms recording and auditing content filtering"}]}]},{"id":"ac-4.27","class":"SP800-53-enhancement","title":"Redundant\/Independent Filtering Mechanisms","props":[{"name":"label","value":"AC-4(27)"},{"name":"label","value":"AC-04(27)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.27_smt","name":"statement","prose":"When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type."},{"id":"ac-4.27_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes."},{"id":"ac-4.27_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(27)","class":"sp800-53a"}],"prose":"when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type."},{"id":"ac-4.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.28","class":"SP800-53-enhancement","title":"Linear Filter Pipelines","props":[{"name":"label","value":"AC-4(28)"},{"name":"label","value":"AC-04(28)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.28_smt","name":"statement","prose":"When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls."},{"id":"ac-4.28_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues."},{"id":"ac-4.28_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(28)","class":"sp800-53a"}],"prose":"when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls."},{"id":"ac-4.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing linear content filters"}]}]},{"id":"ac-4.29","class":"SP800-53-enhancement","title":"Filter Orchestration Engines","params":[{"id":"ac-04.29_odp","props":[{"name":"alt-identifier","value":"ac-4.29_prm_1"},{"name":"label","value":"AC-04(29)_ODP","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"policy for content-filtering actions is defined;"}]}],"props":[{"name":"label","value":"AC-4(29)"},{"name":"label","value":"AC-04(29)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.29_smt","name":"statement","prose":"When transferring information between different security domains, employ content filter orchestration engines to ensure that:","parts":[{"id":"ac-4.29_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Content filtering mechanisms successfully complete execution without errors; and"},{"id":"ac-4.29_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}."}]},{"id":"ac-4.29_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully."},{"id":"ac-4.29_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)","class":"sp800-53a"}],"parts":[{"id":"ac-4.29_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(a)","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;"},{"id":"ac-4.29_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-4.29_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)[01]","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;"},{"id":"ac-4.29_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)[02]","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}."}]}]},{"id":"ac-4.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filter orchestration engines"}]}]},{"id":"ac-4.30","class":"SP800-53-enhancement","title":"Filter Mechanisms Using Multiple Processes","props":[{"name":"label","value":"AC-4(30)"},{"name":"label","value":"AC-04(30)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.30_smt","name":"statement","prose":"When transferring information between different security domains, implement content filtering mechanisms using multiple processes."},{"id":"ac-4.30_gdn","name":"guidance","prose":"The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure."},{"id":"ac-4.30_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(30)","class":"sp800-53a"}],"prose":"when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented."},{"id":"ac-4.30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(30)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(30)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(30)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering"}]}]},{"id":"ac-4.31","class":"SP800-53-enhancement","title":"Failed Content Transfer Prevention","props":[{"name":"label","value":"AC-4(31)"},{"name":"label","value":"AC-04(31)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.31_smt","name":"statement","prose":"When transferring information between different security domains, prevent the transfer of failed content to the receiving domain."},{"id":"ac-4.31_gdn","name":"guidance","prose":"Content that failed filtering checks can corrupt the system if transferred to the receiving domain."},{"id":"ac-4.31_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(31)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented."},{"id":"ac-4.31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(31)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(31)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(31)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.32","class":"SP800-53-enhancement","title":"Process Requirements for Information Transfer","props":[{"name":"label","value":"AC-4(32)"},{"name":"label","value":"AC-04(32)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.32_smt","name":"statement","prose":"When transferring information between different security domains, the process that transfers information between filter pipelines:","parts":[{"id":"ac-4.32_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Does not filter message content;"},{"id":"ac-4.32_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Validates filtering metadata;"},{"id":"ac-4.32_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Ensures the content associated with the filtering metadata has successfully completed filtering; and"},{"id":"ac-4.32_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Transfers the content to the destination filter pipeline."}]},{"id":"ac-4.32_gdn","name":"guidance","prose":"The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly."},{"id":"ac-4.32_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)","class":"sp800-53a"}],"parts":[{"id":"ac-4.32_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(a)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;"},{"id":"ac-4.32_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(b)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;"},{"id":"ac-4.32_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(c)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;"},{"id":"ac-4.32_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(d)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline."}]},{"id":"ac-4.32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(32)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(32)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(32)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-05_odp }} are identified and documented;"},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined."}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-06.03_odp.01","props":[{"name":"alt-identifier","value":"ac-6.3_prm_1"},{"name":"label","value":"AC-06(03)_ODP[01]","class":"sp800-53a"}],"label":"privileged commands","guidelines":[{"prose":"privileged commands to which network access is to be authorized only for compelling operational needs are defined;"}]},{"id":"ac-06.03_odp.02","props":[{"name":"alt-identifier","value":"ac-6.3_prm_2"},{"name":"label","value":"AC-06(03)_ODP[02]","class":"sp800-53a"}],"label":"compelling operational needs","guidelines":[{"prose":"compelling operational needs necessitating network access to privileged commands are defined;"}]}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"label","value":"AC-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)."},{"id":"ac-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)","class":"sp800-53a"}],"parts":[{"id":"ac-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[01]","class":"sp800-53a"}],"prose":"network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};"},{"id":"ac-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[02]","class":"sp800-53a"}],"prose":"the rationale for authorizing network access to privileged commands is documented in the security plan for the system."}]},{"id":"ac-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.4","class":"SP800-53-enhancement","title":"Separate Processing Domains","props":[{"name":"label","value":"AC-6(4)"},{"name":"label","value":"AC-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-6.4_smt","name":"statement","prose":"Provide separate processing domains to enable finer-grained allocation of user privileges."},{"id":"ac-6.4_gdn","name":"guidance","prose":"Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms."},{"id":"ac-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(04)","class":"sp800-53a"}],"prose":"separate processing domains are provided to enable finer-grain allocation of user privileges."},{"id":"ac-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.6","class":"SP800-53-enhancement","title":"Privileged Access by Non-organizational Users","props":[{"name":"label","value":"AC-6(6)"},{"name":"label","value":"AC-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ac-6.6_smt","name":"statement","prose":"Prohibit privileged access to the system by non-organizational users."},{"id":"ac-6.6_gdn","name":"guidance","prose":"An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization."},{"id":"ac-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(06)","class":"sp800-53a"}],"prose":"privileged access to the system by non-organizational users is prohibited."},{"id":"ac-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of non-organizational users\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting privileged access to the system"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.8","class":"SP800-53-enhancement","title":"Privilege Levels for Code Execution","params":[{"id":"ac-06.08_odp","props":[{"name":"alt-identifier","value":"ac-6.8_prm_1"},{"name":"label","value":"AC-06(08)_ODP","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prevented from executing at higher privilege levels than users executing the software is defined;"}]}],"props":[{"name":"label","value":"AC-6(8)"},{"name":"label","value":"AC-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.8_smt","name":"statement","prose":"Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}."},{"id":"ac-6.8_gdn","name":"guidance","prose":"In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned."},{"id":"ac-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(08)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software."},{"id":"ac-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users executing software\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for software execution"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged."},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions."},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}],"controls":[{"id":"ac-7.1","class":"SP800-53-enhancement","title":"Automatic Account Lock","props":[{"name":"label","value":"AC-7(1)"},{"name":"label","value":"AC-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-7","rel":"incorporated-into"}]},{"id":"ac-7.2","class":"SP800-53-enhancement","title":"Purge or Wipe Mobile Device","params":[{"id":"ac-07.02_odp.01","props":[{"name":"alt-identifier","value":"ac-7.2_prm_1"},{"name":"label","value":"AC-07(02)_ODP[01]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices to be purged or wiped of information are defined;"}]},{"id":"ac-07.02_odp.02","props":[{"name":"alt-identifier","value":"ac-7.2_prm_2"},{"name":"alt-label","value":"purging or wiping requirements and techniques","class":"sp800-53"},{"name":"label","value":"AC-07(02)_ODP[02]","class":"sp800-53a"}],"label":"purging or wiping requirements or techniques","guidelines":[{"prose":"purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;"}]},{"id":"ac-07.02_odp.03","props":[{"name":"alt-identifier","value":"ac-7.2_prm_3"},{"name":"label","value":"AC-07(02)_ODP[03]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;"}]}],"props":[{"name":"label","value":"AC-7(2)"},{"name":"label","value":"AC-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-7.2_smt","name":"statement","prose":"Purge or wipe information from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts."},{"id":"ac-7.2_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms."},{"id":"ac-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(02)","class":"sp800-53a"}],"prose":"information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts."},{"id":"ac-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts on mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of mobile devices to be purged\/wiped after organization-defined consecutive, unsuccessful device logon attempts\n\nlist of purging\/wiping requirements or techniques for mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful device logon attempts"}]}]},{"id":"ac-7.3","class":"SP800-53-enhancement","title":"Biometric Attempt Limiting","params":[{"id":"ac-07.03_odp","props":[{"name":"alt-identifier","value":"ac-7.3_prm_1"},{"name":"label","value":"AC-07(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of unsuccessful biometric logon attempts is defined;"}]}],"props":[{"name":"label","value":"AC-7(3)"},{"name":"label","value":"AC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"ac-7.3_smt","name":"statement","prose":"Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}."},{"id":"ac-7.3_gdn","name":"guidance","prose":"Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors."},{"id":"ac-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(03)","class":"sp800-53a"}],"prose":"unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}."},{"id":"ac-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts on biometric devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-7.4","class":"SP800-53-enhancement","title":"Use of Alternate Authentication Factor","params":[{"id":"ac-07.04_odp.01","props":[{"name":"alt-identifier","value":"ac-7.4_prm_1"},{"name":"label","value":"AC-07(04)_ODP[01]","class":"sp800-53a"}],"label":"authentication factors","guidelines":[{"prose":"authentication factors allowed to be used that are different from the primary authentication factors are defined;"}]},{"id":"ac-07.04_odp.02","props":[{"name":"alt-identifier","value":"ac-7.4_prm_2"},{"name":"label","value":"AC-07(04)_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;"}]},{"id":"ac-07.04_odp.03","props":[{"name":"alt-identifier","value":"ac-7.4_prm_3"},{"name":"label","value":"AC-07(04)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period during which a user can attempt logons through alternative factors is defined;"}]}],"props":[{"name":"label","value":"AC-7(4)"},{"name":"label","value":"AC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"ac-7.4_smt","name":"statement","parts":[{"id":"ac-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and"},{"id":"ac-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}."}]},{"id":"ac-7.4_gdn","name":"guidance","prose":"The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout."},{"id":"ac-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)","class":"sp800-53a"}],"parts":[{"id":"ac-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;"},{"id":"ac-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)(b)","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced."}]},{"id":"ac-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts for primary and alternate authentication factors\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;"},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included."}]}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-9","class":"SP800-53","title":"Previous Logon Notification","props":[{"name":"label","value":"AC-9"},{"name":"label","value":"AC-09","class":"sp800-53a"},{"name":"sort-id","value":"ac-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-9_smt","name":"statement","prose":"Notify the user, upon successful logon to the system, of the date and time of the last logon."},{"id":"ac-9_gdn","name":"guidance","prose":"Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access."},{"id":"ac-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon to the system, of the date and time of the last logon."},{"id":"ac-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem notification messages\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}],"controls":[{"id":"ac-9.1","class":"SP800-53-enhancement","title":"Unsuccessful Logons","props":[{"name":"label","value":"AC-9(1)"},{"name":"label","value":"AC-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.1_smt","name":"statement","prose":"Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon."},{"id":"ac-9.1_gdn","name":"guidance","prose":"Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts."},{"id":"ac-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(01)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon."},{"id":"ac-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.2","class":"SP800-53-enhancement","title":"Successful and Unsuccessful Logons","params":[{"id":"ac-09.02_odp.01","props":[{"name":"alt-identifier","value":"ac-9.2_prm_1"},{"name":"label","value":"AC-09(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["successful logons","unsuccessful logon attempts","both"]}},{"id":"ac-09.02_odp.02","props":[{"name":"alt-identifier","value":"ac-9.2_prm_2"},{"name":"label","value":"AC-09(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;"}]}],"props":[{"name":"label","value":"AC-9(2)"},{"name":"label","value":"AC-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.2_smt","name":"statement","prose":"Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}."},{"id":"ac-9.2_gdn","name":"guidance","prose":"Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts."},{"id":"ac-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(02)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}."},{"id":"ac-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.3","class":"SP800-53-enhancement","title":"Notification of Account Changes","params":[{"id":"ac-09.03_odp.01","props":[{"name":"alt-identifier","value":"ac-9.3_prm_1"},{"name":"alt-label","value":"security-related characteristics or parameters of the user’s account","class":"sp800-53"},{"name":"label","value":"AC-09(03)_ODP[01]","class":"sp800-53a"}],"label":"security-related characteristics or parameters","guidelines":[{"prose":"changes to security-related characteristics or parameters of the user’s account that require notification are defined;"}]},{"id":"ac-09.03_odp.02","props":[{"name":"alt-identifier","value":"ac-9.3_prm_2"},{"name":"label","value":"AC-09(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;"}]}],"props":[{"name":"label","value":"AC-9(3)"},{"name":"label","value":"AC-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.3_smt","name":"statement","prose":"Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}."},{"id":"ac-9.3_gdn","name":"guidance","prose":"Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge."},{"id":"ac-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(03)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}."},{"id":"ac-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.4","class":"SP800-53-enhancement","title":"Additional Logon Information","params":[{"id":"ac-09.04_odp","props":[{"name":"alt-identifier","value":"ac-9.4_prm_1"},{"name":"label","value":"AC-09(04)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information about which to notify the user is defined;"}]}],"props":[{"name":"label","value":"AC-9(4)"},{"name":"label","value":"AC-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.4_smt","name":"statement","prose":"Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-09.04_odp }}."},{"id":"ac-9.4_gdn","name":"guidance","prose":"Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers."},{"id":"ac-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(04)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}."},{"id":"ac-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_odp.01","props":[{"name":"alt-identifier","value":"ac-10_prm_1"},{"name":"alt-label","value":"account and\/or account type","class":"sp800-53"},{"name":"label","value":"AC-10_ODP[01]","class":"sp800-53a"}],"label":"account and\/or account types","guidelines":[{"prose":"accounts and\/or account types for which to limit the number of concurrent sessions is defined;"}]},{"id":"ac-10_odp.02","props":[{"name":"alt-identifier","value":"ac-10_prm_2"},{"name":"label","value":"AC-10_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of concurrent sessions to be allowed for each account and\/or account type is defined;"}]}],"props":[{"name":"label","value":"AC-10"},{"name":"label","value":"AC-10","class":"sp800-53a"},{"name":"sort-id","value":"ac-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-10","class":"sp800-53a"}],"prose":"the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures."}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image."},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}],"controls":[{"id":"ac-12.1","class":"SP800-53-enhancement","title":"User-initiated Logouts","params":[{"id":"ac-12.01_odp","props":[{"name":"alt-identifier","value":"ac-12.1_prm_1"},{"name":"label","value":"AC-12(01)_ODP","class":"sp800-53a"}],"label":"information resources","guidelines":[{"prose":"information resources for which a logout capability for user-initiated communications sessions is required are defined;"}]}],"props":[{"name":"label","value":"AC-12(1)"},{"name":"label","value":"AC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.1_smt","name":"statement","prose":"Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}."},{"id":"ac-12.1_gdn","name":"guidance","prose":"Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services."},{"id":"ac-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(01)","class":"sp800-53a"}],"prose":"a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}."},{"id":"ac-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\nlogout capabilities for user-initiated communications sessions"}]}]},{"id":"ac-12.2","class":"SP800-53-enhancement","title":"Termination Message","props":[{"name":"label","value":"AC-12(2)"},{"name":"label","value":"AC-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.2_smt","name":"statement","prose":"Display an explicit logout message to users indicating the termination of authenticated communications sessions."},{"id":"ac-12.2_gdn","name":"guidance","prose":"Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions."},{"id":"ac-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(02)","class":"sp800-53a"}],"prose":"an explicit logout message is displayed to users indicating the termination of authenticated communication sessions."},{"id":"ac-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\ndisplay of logout messages"}]}]},{"id":"ac-12.3","class":"SP800-53-enhancement","title":"Timeout Warning Message","params":[{"id":"ac-12.03_odp","props":[{"name":"alt-identifier","value":"ac-12.3_prm_1"},{"name":"alt-label","value":"time until end of session","class":"sp800-53"},{"name":"label","value":"AC-12(03)_ODP","class":"sp800-53a"}],"label":"time","guidelines":[{"prose":"time until the end of session for display to users is defined;"}]}],"props":[{"name":"label","value":"AC-12(3)"},{"name":"label","value":"AC-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.3_smt","name":"statement","prose":"Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.03_odp }}."},{"id":"ac-12.3_gdn","name":"guidance","prose":"To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the [AC-12](#ac-12) base control."},{"id":"ac-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(03)","class":"sp800-53a"}],"prose":"an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}."},{"id":"ac-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ntime until end of session messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\ndisplay of end of session time"}]}]}]},{"id":"ac-13","class":"SP800-53","title":"Supervision and Review — Access Control","props":[{"name":"label","value":"AC-13"},{"name":"label","value":"AC-13","class":"sp800-53a"},{"name":"sort-id","value":"ac-13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#au-6","rel":"incorporated-into"}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;"},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."}]}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ac-14.1","class":"SP800-53-enhancement","title":"Necessary Uses","props":[{"name":"label","value":"AC-14(1)"},{"name":"label","value":"AC-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-14.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-14","rel":"incorporated-into"}]}]},{"id":"ac-15","class":"SP800-53","title":"Automated Marking","props":[{"name":"label","value":"AC-15"},{"name":"label","value":"AC-15","class":"sp800-53a"},{"name":"sort-id","value":"ac-15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-3","rel":"incorporated-into"}]},{"id":"ac-16","class":"SP800-53","title":"Security and Privacy Attributes","params":[{"id":"ac-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.02"}],"label":"organization-defined types of security and privacy attributes"},{"id":"ac-16_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.04"}],"label":"organization-defined security and privacy attribute values"},{"id":"ac-16_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.06"}],"label":"organization-defined systems"},{"id":"ac-16_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.08"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16_prm_6","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.08"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16_prm_7","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.10"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.11"}],"label":"organization-defined frequency"},{"id":"ac-16_odp.01","props":[{"name":"label","value":"AC-16_ODP[01]","class":"sp800-53a"}],"label":"types of security attributes","guidelines":[{"prose":"types of security attributes to be associated with information security attribute values for information in storage, in process, and\/or in transmission are defined;"}]},{"id":"ac-16_odp.02","props":[{"name":"label","value":"AC-16_ODP[02]","class":"sp800-53a"}],"label":"types of privacy attributes","guidelines":[{"prose":"types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and\/or in transmission are defined;"}]},{"id":"ac-16_odp.03","props":[{"name":"label","value":"AC-16_ODP[03]","class":"sp800-53a"}],"label":"security attribute values","guidelines":[{"prose":"security attribute values for types of security attributes are defined;"}]},{"id":"ac-16_odp.04","props":[{"name":"label","value":"AC-16_ODP[04]","class":"sp800-53a"}],"label":"privacy attribute values","guidelines":[{"prose":"privacy attribute values for types of privacy attributes are defined;"}]},{"id":"ac-16_odp.05","props":[{"name":"label","value":"AC-16_ODP[05]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which permitted security attributes are to be established are defined;"}]},{"id":"ac-16_odp.06","props":[{"name":"label","value":"AC-16_ODP[06]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which permitted privacy attributes are to be established are defined;"}]},{"id":"ac-16_odp.07","props":[{"name":"label","value":"AC-16_ODP[07]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes defined as part of AC-16a that are permitted for systems are defined;"}]},{"id":"ac-16_odp.08","props":[{"name":"label","value":"AC-16_ODP[08]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes defined as part of AC-16a that are permitted for systems are defined;"}]},{"id":"ac-16_odp.09","props":[{"name":"alt-identifier","value":"ac-16_prm_5"},{"name":"alt-label","value":"attribute values or ranges for established attributes","class":"sp800-53"},{"name":"label","value":"AC-16_ODP[09]","class":"sp800-53a"}],"label":"attribute values or ranges","guidelines":[{"prose":"attribute values or ranges for established attributes are defined;"}]},{"id":"ac-16_odp.10","props":[{"name":"label","value":"AC-16_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review security attributes for applicability is defined;"}]},{"id":"ac-16_odp.11","props":[{"name":"label","value":"AC-16_ODP[11]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review privacy attributes for applicability is defined;"}]}],"props":[{"name":"label","value":"AC-16"},{"name":"label","value":"AC-16","class":"sp800-53a"},{"name":"sort-id","value":"ac-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ac-16_smt","name":"statement","parts":[{"id":"ac-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and\/or in transmission;"},{"id":"ac-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the attribute associations are made and retained with the information;"},{"id":"ac-16_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }};"},{"id":"ac-16_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }};"},{"id":"ac-16_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Audit changes to attributes; and"},{"id":"ac-16_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}."}]},{"id":"ac-16_gdn","name":"guidance","prose":"Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.\n\nAttributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.\n\nOrganizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See [MP-3](#mp-3) (Media Marking)."},{"id":"ac-16_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.[01]","class":"sp800-53a"}],"prose":"the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and\/or in transmission are provided;"},{"id":"ac-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.[02]","class":"sp800-53a"}],"prose":"the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and\/or in transmission are provided;"}]},{"id":"ac-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.[01]","class":"sp800-53a"}],"prose":"attribute associations are made;"},{"id":"ac-16_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.[02]","class":"sp800-53a"}],"prose":"attribute associations are retained with the information;"}]},{"id":"ac-16_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.[01]","class":"sp800-53a"}],"prose":"the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};"},{"id":"ac-16_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.[02]","class":"sp800-53a"}],"prose":"the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};"}]},{"id":"ac-16_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-16d.","class":"sp800-53a"}],"prose":"the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};"},{"id":"ac-16_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-16e.","class":"sp800-53a"}],"prose":"changes to attributes are audited;"},{"id":"ac-16_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};"},{"id":"ac-16_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}."}]}]},{"id":"ac-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission"}]}],"controls":[{"id":"ac-16.1","class":"SP800-53-enhancement","title":"Dynamic Attribute Association","params":[{"id":"ac-16.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.04"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.06"}],"label":"organization-defined security and privacy policies"},{"id":"ac-16.01_odp.01","props":[{"name":"label","value":"AC-16(01)_ODP[01]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects with which security attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.02","props":[{"name":"label","value":"AC-16(01)_ODP[02]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects with which security attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.03","props":[{"name":"label","value":"AC-16(01)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.04","props":[{"name":"label","value":"AC-16(01)_ODP[04]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.05","props":[{"name":"label","value":"AC-16(01)_ODP[05]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies requiring dynamic association of security attributes with subjects and objects are defined;"}]},{"id":"ac-16.01_odp.06","props":[{"name":"label","value":"AC-16(01)_ODP[06]","class":"sp800-53a"}],"label":"privacy policies","guidelines":[{"prose":"privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;"}]}],"props":[{"name":"label","value":"AC-16(1)"},{"name":"label","value":"AC-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.1_smt","name":"statement","prose":"Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: {{ insert: param, ac-16.1_prm_2 }}."},{"id":"ac-16.1_gdn","name":"guidance","prose":"Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally."},{"id":"ac-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)","class":"sp800-53a"}],"parts":[{"id":"ac-16.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[01]","class":"sp800-53a"}],"prose":"security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};"},{"id":"ac-16.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[02]","class":"sp800-53a"}],"prose":"security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};"},{"id":"ac-16.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[03]","class":"sp800-53a"}],"prose":"privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};"},{"id":"ac-16.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[04]","class":"sp800-53a"}],"prose":"privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}."}]},{"id":"ac-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing dynamic association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing dynamic association of security and privacy attributes to information"}]}]},{"id":"ac-16.2","class":"SP800-53-enhancement","title":"Attribute Value Changes by Authorized Individuals","props":[{"name":"label","value":"AC-16(2)"},{"name":"label","value":"AC-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.2_smt","name":"statement","prose":"Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes."},{"id":"ac-16.2_gdn","name":"guidance","prose":"The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals."},{"id":"ac-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)","class":"sp800-53a"}],"parts":[{"id":"ac-16.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)[01]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;"},{"id":"ac-16.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)[02]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes."}]},{"id":"ac-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the change of security and privacy attribute values\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of individuals authorized to change security and privacy attributes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for changing values of security and privacy attributes\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms permitting changes to values of security and privacy attributes"}]}]},{"id":"ac-16.3","class":"SP800-53-enhancement","title":"Maintenance of Attribute Associations by System","params":[{"id":"ac-16.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.06"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.03_odp.01","props":[{"name":"label","value":"AC-16(03)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes that require association and integrity maintenance are defined;"}]},{"id":"ac-16.03_odp.02","props":[{"name":"label","value":"AC-16(03)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes that require association and integrity maintenance are defined;"}]},{"id":"ac-16.03_odp.03","props":[{"name":"label","value":"AC-16(03)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;"}]},{"id":"ac-16.03_odp.04","props":[{"name":"label","value":"AC-16(03)_ODP[04]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association and integrity of security attributes to such objects to be maintained are defined;"}]},{"id":"ac-16.03_odp.05","props":[{"name":"label","value":"AC-16(03)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;"}]},{"id":"ac-16.03_odp.06","props":[{"name":"label","value":"AC-16(03)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;"}]}],"props":[{"name":"label","value":"AC-16(3)"},{"name":"label","value":"AC-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.3_smt","name":"statement","prose":"Maintain the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}."},{"id":"ac-16.3_gdn","name":"guidance","prose":"Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from \"known good\" baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions."},{"id":"ac-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)","class":"sp800-53a"}],"parts":[{"id":"ac-16.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[01]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;"},{"id":"ac-16.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[02]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained."},{"id":"ac-16.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[03]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;"},{"id":"ac-16.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[04]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained."}]},{"id":"ac-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nprocedures addressing labeling or marking\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms maintaining association and integrity of security and privacy attributes to information"}]}]},{"id":"ac-16.4","class":"SP800-53-enhancement","title":"Association of Attributes by Authorized Individuals","params":[{"id":"ac-16.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.04"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.08"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.04_odp.01","props":[{"name":"label","value":"AC-16(04)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.02","props":[{"name":"label","value":"AC-16(04)_ODP[02]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.03","props":[{"name":"label","value":"AC-16(04)_ODP[03]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.04","props":[{"name":"label","value":"AC-16(04)_ODP[04]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.05","props":[{"name":"label","value":"AC-16(04)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.06","props":[{"name":"label","value":"AC-16(04)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.07","props":[{"name":"label","value":"AC-16(04)_ODP[07]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.08","props":[{"name":"label","value":"AC-16(04)_ODP[08]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]}],"props":[{"name":"label","value":"AC-16(4)"},{"name":"label","value":"AC-16(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.4_smt","name":"statement","prose":"Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals)."},{"id":"ac-16.4_gdn","name":"guidance","prose":"Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events."},{"id":"ac-16.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)","class":"sp800-53a"}],"parts":[{"id":"ac-16.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[01]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};"},{"id":"ac-16.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[02]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};"},{"id":"ac-16.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[03]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};"},{"id":"ac-16.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[04]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}."}]},{"id":"ac-16.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to associate security and privacy attributes to information\n\nsystem prompts for privileged users to select security and privacy attributes to be associated with information objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting user associations of security and privacy attributes to information"}]}]},{"id":"ac-16.5","class":"SP800-53-enhancement","title":"Attribute Displays on Objects to Be Output","params":[{"id":"ac-16.05_odp.01","props":[{"name":"alt-identifier","value":"ac-16.5_prm_1"},{"name":"alt-label","value":"special dissemination, handling, or distribution instructions","class":"sp800-53"},{"name":"label","value":"AC-16(05)_ODP[01]","class":"sp800-53a"}],"label":"instructions","guidelines":[{"prose":"special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;"}]},{"id":"ac-16.05_odp.02","props":[{"name":"alt-identifier","value":"ac-16.5_prm_2"},{"name":"alt-label","value":"human-readable, standard naming conventions","class":"sp800-53"},{"name":"label","value":"AC-16(05)_ODP[02]","class":"sp800-53a"}],"label":"naming conventions","guidelines":[{"prose":"human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;"}]}],"props":[{"name":"label","value":"AC-16(5)"},{"name":"label","value":"AC-16(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.5_smt","name":"statement","prose":"Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}."},{"id":"ac-16.5_gdn","name":"guidance","prose":"System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber."},{"id":"ac-16.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)","class":"sp800-53a"}],"parts":[{"id":"ac-16.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)[01]","class":"sp800-53a"}],"prose":"security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};"},{"id":"ac-16.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)[02]","class":"sp800-53a"}],"prose":"privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}."}]},{"id":"ac-16.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing display of security and privacy attributes in human-readable form\n\nspecial dissemination, handling, or distribution instructions\n\ntypes of human-readable, standard naming conventions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System output devices displaying security and privacy attributes in human-readable form on each object"}]}]},{"id":"ac-16.6","class":"SP800-53-enhancement","title":"Maintenance of Attribute Association","params":[{"id":"ac-16.6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.04"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.08"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.6_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.10"}],"label":"organization-defined security and privacy policies"},{"id":"ac-16.06_odp.01","props":[{"name":"label","value":"AC-16(06)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with subjects are defined;"}]},{"id":"ac-16.06_odp.02","props":[{"name":"label","value":"AC-16(06)_ODP[02]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with objects are defined;"}]},{"id":"ac-16.06_odp.03","props":[{"name":"label","value":"AC-16(06)_ODP[03]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with subjects are defined;"}]},{"id":"ac-16.06_odp.04","props":[{"name":"label","value":"AC-16(06)_ODP[04]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with objects are defined;"}]},{"id":"ac-16.06_odp.05","props":[{"name":"label","value":"AC-16(06)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be associated with information security attributes are defined;"}]},{"id":"ac-16.06_odp.06","props":[{"name":"label","value":"AC-16(06)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects to be associated with information security attributes are defined;"}]},{"id":"ac-16.06_odp.07","props":[{"name":"label","value":"AC-16(06)_ODP[07]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be associated with privacy attributes are defined;"}]},{"id":"ac-16.06_odp.08","props":[{"name":"label","value":"AC-16(06)_ODP[08]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects to be associated with privacy attributes are defined;"}]},{"id":"ac-16.06_odp.09","props":[{"name":"label","value":"AC-16(06)_ODP[09]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;"}]},{"id":"ac-16.06_odp.10","props":[{"name":"label","value":"AC-16(06)_ODP[10]","class":"sp800-53a"}],"label":"privacy policies","guidelines":[{"prose":"privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;"}]}],"props":[{"name":"label","value":"AC-16(6)"},{"name":"label","value":"AC-16(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.6_smt","name":"statement","prose":"Require personnel to associate and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16.6_prm_3 }}."},{"id":"ac-16.6_gdn","name":"guidance","prose":"Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects."},{"id":"ac-16.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)","class":"sp800-53a"}],"parts":[{"id":"ac-16.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[01]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};"},{"id":"ac-16.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[02]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};"},{"id":"ac-16.6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[03]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};"},{"id":"ac-16.6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[04]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}."}]},{"id":"ac-16.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing association of security and privacy attributes with subjects and objects\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting associations of security and privacy attributes to subjects and objects"}]}]},{"id":"ac-16.7","class":"SP800-53-enhancement","title":"Consistent Attribute Interpretation","props":[{"name":"label","value":"AC-16(7)"},{"name":"label","value":"AC-16(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.7_smt","name":"statement","prose":"Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components."},{"id":"ac-16.7_gdn","name":"guidance","prose":"To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions."},{"id":"ac-16.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)","class":"sp800-53a"}],"parts":[{"id":"ac-16.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)[01]","class":"sp800-53a"}],"prose":"a consistent interpretation of security attributes transmitted between distributed system components is provided;"},{"id":"ac-16.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)[02]","class":"sp800-53a"}],"prose":"a consistent interpretation of privacy attributes transmitted between distributed system components is provided."}]},{"id":"ac-16.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policies and procedures\n\nprocedures addressing consistent interpretation of security and privacy attributes transmitted between distributed system components\n\nprocedures addressing access enforcement\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy access control policy\n\nother relevant documents or records"}]},{"id":"ac-16.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for providing consistent interpretation of security and privacy attributes used in access enforcement and information flow enforcement actions\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement and information flow enforcement functions"}]}]},{"id":"ac-16.8","class":"SP800-53-enhancement","title":"Association Techniques and Technologies","params":[{"id":"ac-16.8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.08_odp.02"}],"label":"organization-defined techniques and technologies"},{"id":"ac-16.08_odp.01","props":[{"name":"label","value":"AC-16(08)_ODP[01]","class":"sp800-53a"}],"label":"techniques and technologies","guidelines":[{"prose":"techniques and technologies to be implemented in associating security attributes to information are defined;"}]},{"id":"ac-16.08_odp.02","props":[{"name":"label","value":"AC-16(08)_ODP[02]","class":"sp800-53a"}],"label":"techniques and technologies","guidelines":[{"prose":"techniques and technologies to be implemented in associating privacy attributes to information are defined;"}]}],"props":[{"name":"label","value":"AC-16(8)"},{"name":"label","value":"AC-16(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-16.8_smt","name":"statement","prose":"Implement {{ insert: param, ac-16.8_prm_1 }} in associating security and privacy attributes to information."},{"id":"ac-16.8_gdn","name":"guidance","prose":"The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust)."},{"id":"ac-16.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)","class":"sp800-53a"}],"parts":[{"id":"ac-16.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;"},{"id":"ac-16.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information."}]},{"id":"ac-16.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing techniques or technologies associating security and privacy attributes to information"}]}]},{"id":"ac-16.9","class":"SP800-53-enhancement","title":"Attribute Reassignment — Regrading Mechanisms","params":[{"id":"ac-16.9_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.09_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.09_odp.02"}],"label":"organization-defined techniques or procedures"},{"id":"ac-16.09_odp.01","props":[{"name":"label","value":"AC-16(09)_ODP[01]","class":"sp800-53a"}],"label":"techniques or procedures","guidelines":[{"prose":"techniques or procedures used to validate regrading mechanisms for security attributes are defined;"}]},{"id":"ac-16.09_odp.02","props":[{"name":"label","value":"AC-16(09)_ODP[02]","class":"sp800-53a"}],"label":"techniques or procedures","guidelines":[{"prose":"techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;"}]}],"props":[{"name":"label","value":"AC-16(9)"},{"name":"label","value":"AC-16(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.9_smt","name":"statement","prose":"Change security and privacy attributes associated with information only via regrading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}."},{"id":"ac-16.9_gdn","name":"guidance","prose":"A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation."},{"id":"ac-16.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)","class":"sp800-53a"}],"parts":[{"id":"ac-16.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)[01]","class":"sp800-53a"}],"prose":"security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};"},{"id":"ac-16.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)[02]","class":"sp800-53a"}],"prose":"privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}."}]},{"id":"ac-16.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing reassignment of security attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reassigning association of security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing techniques or procedures for reassigning association of security and privacy attributes to information"}]}]},{"id":"ac-16.10","class":"SP800-53-enhancement","title":"Attribute Configuration by Authorized Individuals","props":[{"name":"label","value":"AC-16(10)"},{"name":"label","value":"AC-16(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.10_smt","name":"statement","prose":"Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects."},{"id":"ac-16.10_gdn","name":"guidance","prose":"The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only."},{"id":"ac-16.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)","class":"sp800-53a"}],"parts":[{"id":"ac-16.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)[01]","class":"sp800-53a"}],"prose":"authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;"},{"id":"ac-16.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)[02]","class":"sp800-53a"}],"prose":"authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects."}]},{"id":"ac-16.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing configuration of security and privacy attributes by authorized individuals\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability for defining or changing security and privacy attributes"}]}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;"},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections."}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;"},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods."}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points."},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system."}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]},{"id":"ac-17.5","class":"SP800-53-enhancement","title":"Monitoring for Unauthorized Connections","props":[{"name":"label","value":"AC-17(5)"},{"name":"label","value":"AC-17(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"ac-17.6","class":"SP800-53-enhancement","title":"Protection of Mechanism Information","props":[{"name":"label","value":"AC-17(6)"},{"name":"label","value":"AC-17(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"ac-17.6_smt","name":"statement","prose":"Protect information about remote access mechanisms from unauthorized use and disclosure."},{"id":"ac-17.6_gdn","name":"guidance","prose":"Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6))."},{"id":"ac-17.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(06)","class":"sp800-53a"}],"prose":"information about remote access mechanisms is protected from unauthorized use and disclosure."},{"id":"ac-17.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for implementing or monitoring remote access to the system\n\nsystem users with knowledge of information about remote access mechanisms\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17.7","class":"SP800-53-enhancement","title":"Additional Protection for Security Function Access","props":[{"name":"label","value":"AC-17(7)"},{"name":"label","value":"AC-17(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-3.10","rel":"incorporated-into"}]},{"id":"ac-17.8","class":"SP800-53-enhancement","title":"Disable Nonsecure Network Protocols","props":[{"name":"label","value":"AC-17(8)"},{"name":"label","value":"AC-17(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7","rel":"incorporated-into"}]},{"id":"ac-17.9","class":"SP800-53-enhancement","title":"Disconnect or Disable Access","params":[{"id":"ac-17.09_odp","props":[{"name":"alt-identifier","value":"ac-17.9_prm_1"},{"name":"label","value":"AC-17(09)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to disconnect or disable remote access to the system is defined;"}]}],"props":[{"name":"label","value":"AC-17(9)"},{"name":"label","value":"AC-17(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"}],"parts":[{"id":"ac-17.9_smt","name":"statement","prose":"Provide the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }}."},{"id":"ac-17.9_gdn","name":"guidance","prose":"The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems."},{"id":"ac-17.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(09)","class":"sp800-53a"}],"prose":"the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided."},{"id":"ac-17.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing disconnecting or disabling remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan, system audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability to disconnect or disable remote access to system"}]}]},{"id":"ac-17.10","class":"SP800-53-enhancement","title":"Authenticate Remote Commands","params":[{"id":"ac-17.10_odp.01","props":[{"name":"alt-identifier","value":"ac-17.10_prm_1"},{"name":"label","value":"AC-17(10)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms implemented to authenticate remote commands are defined;"}]},{"id":"ac-17.10_odp.02","props":[{"name":"alt-identifier","value":"ac-17.10_prm_2"},{"name":"label","value":"AC-17(10)_ODP[02]","class":"sp800-53a"}],"label":"remote commands","guidelines":[{"prose":"remote commands to be authenticated by mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-17(10)"},{"name":"label","value":"AC-17(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-17.10_smt","name":"statement","prose":"Implement {{ insert: param, ac-17.10_odp.01 }} to authenticate {{ insert: param, ac-17.10_odp.02 }}."},{"id":"ac-17.10_gdn","name":"guidance","prose":"Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high value assets, failure of mission or business functions, or compromise of classified or controlled unclassified information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands."},{"id":"ac-17.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(10)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}."},{"id":"ac-17.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing authentication of remote commands\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing authentication of remote commands"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;"},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections."}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption."}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.2","class":"SP800-53-enhancement","title":"Monitoring Unauthorized Connections","props":[{"name":"label","value":"AC-18(2)"},{"name":"label","value":"AC-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"label","value":"AC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"Identify and explicitly authorize users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems."},{"id":"ac-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)","class":"sp800-53a"}],"parts":[{"id":"ac-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[01]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are identified;"},{"id":"ac-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[02]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are explicitly authorized."}]},{"id":"ac-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas and Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"label","value":"AC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area."},{"id":"ac-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)","class":"sp800-53a"}],"parts":[{"id":"ac-18.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[01]","class":"sp800-53a"}],"prose":"radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;"},{"id":"ac-18.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[02]","class":"sp800-53a"}],"prose":"transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."}]},{"id":"ac-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized."}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.1","class":"SP800-53-enhancement","title":"Use of Writable and Portable Storage Devices","props":[{"name":"label","value":"AC-19(1)"},{"name":"label","value":"AC-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.2","class":"SP800-53-enhancement","title":"Use of Personally Owned Portable Storage Devices","props":[{"name":"label","value":"AC-19(2)"},{"name":"label","value":"AC-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.3","class":"SP800-53-enhancement","title":"Use of Portable Storage Devices with No Identifiable Owner","props":[{"name":"label","value":"AC-19(3)"},{"name":"label","value":"AC-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.4","class":"SP800-53-enhancement","title":"Restrictions for Classified Information","params":[{"id":"ac-19.04_odp.01","props":[{"name":"alt-identifier","value":"ac-19.4_prm_1"},{"name":"label","value":"AC-19(04)_ODP[01]","class":"sp800-53a"}],"label":"security officials","guidelines":[{"prose":"security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;"}]},{"id":"ac-19.04_odp.02","props":[{"name":"alt-identifier","value":"ac-19.4_prm_2"},{"name":"label","value":"AC-19(04)_ODP[02]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies restricting the connection of classified mobile devices to classified systems are defined;"}]}],"props":[{"name":"label","value":"AC-19(4)"},{"name":"label","value":"AC-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"ac-19.4_smt","name":"statement","parts":[{"id":"ac-19.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and"},{"id":"ac-19.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:","parts":[{"id":"ac-19.4_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Connection of unclassified mobile devices to classified systems is prohibited;"},{"id":"ac-19.4_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;"},{"id":"ac-19.4_smt.b.3","name":"item","props":[{"name":"label","value":"(3)"}],"prose":"Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and"},{"id":"ac-19.4_smt.b.4","name":"item","props":[{"name":"label","value":"(4)"}],"prose":"Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }} , and if classified information is found, the incident handling policy is followed."}]},{"id":"ac-19.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}."}]},{"id":"ac-19.4_gdn","name":"guidance","prose":"None."},{"id":"ac-19.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(a)","class":"sp800-53a"}],"prose":"the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;"},{"id":"ac-19.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(01)","class":"sp800-53a"}],"prose":"prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"},{"id":"ac-19.4_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(02)","class":"sp800-53a"}],"prose":"approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"},{"id":"ac-19.4_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(03)","class":"sp800-53a"}],"prose":"prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"},{"id":"ac-19.4_obj.b.4","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.b.4-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)[01]","class":"sp800-53a"}],"prose":"random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;"},{"id":"ac-19.4_obj.b.4-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)[02]","class":"sp800-53a"}],"prose":"following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;"}]}]},{"id":"ac-19.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(c)","class":"sp800-53a"}],"prose":"the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}."}]},{"id":"ac-19.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nincident handling policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidentiary documentation for random inspections and reviews of mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for random reviews\/inspections of mobile devices\n\norganizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information\n\norganizational personnel with incident response responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices"}]}]},{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.1","class":"sp800-53a"}],"prose":"{{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.2","class":"sp800-53a"}],"prose":"{{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]},{"id":"ac-20.3","class":"SP800-53-enhancement","title":"Non-organizationally Owned Systems — Restricted Use","params":[{"id":"ac-20.03_odp","props":[{"name":"alt-identifier","value":"ac-20.3_prm_1"},{"name":"label","value":"AC-20(03)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;"}]}],"props":[{"name":"label","value":"AC-20(3)"},{"name":"label","value":"AC-20(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"}],"parts":[{"id":"ac-20.3_smt","name":"statement","prose":"Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using {{ insert: param, ac-20.03_odp }}."},{"id":"ac-20.3_gdn","name":"guidance","prose":"Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see [AC-20 b.](#ac-20_smt.b) ). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident."},{"id":"ac-20.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(03)","class":"sp800-53a"}],"prose":"the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}."},{"id":"ac-20.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem audit records, other relevant documents or records"}]},{"id":"ac-20.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices"}]}]},{"id":"ac-20.4","class":"SP800-53-enhancement","title":"Network Accessible Storage Devices — Prohibited Use","params":[{"id":"ac-20.04_odp","props":[{"name":"alt-identifier","value":"ac-20.4_prm_1"},{"name":"alt-label","value":"network accessible storage devices","class":"sp800-53"},{"name":"label","value":"AC-20(04)_ODP","class":"sp800-53a"}],"label":"network-accessible storage devices","guidelines":[{"prose":"network-accessible storage devices prohibited from use in external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(4)"},{"name":"label","value":"AC-20(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"}],"parts":[{"id":"ac-20.4_smt","name":"statement","prose":"Prohibit the use of {{ insert: param, ac-20.04_odp }} in external systems."},{"id":"ac-20.4_gdn","name":"guidance","prose":"Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems."},{"id":"ac-20.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(04)","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems."},{"id":"ac-20.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing use of network-accessible storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nlist of network-accessible storage devices prohibited from use in external systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for prohibiting the use of network-accessible storage devices in external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the use of network-accessible storage devices in external systems"}]}]},{"id":"ac-20.5","class":"SP800-53-enhancement","title":"Portable Storage Devices — Prohibited Use","props":[{"name":"label","value":"AC-20(5)"},{"name":"label","value":"AC-20(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.5_smt","name":"statement","prose":"Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems."},{"id":"ac-20.5_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and\/or nontechnical (i.e., process-based) methods."},{"id":"ac-20.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(05)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems."},{"id":"ac-20.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing use of portable storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for prohibiting the use of portable storage devices in external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}],"controls":[{"id":"ac-21.1","class":"SP800-53-enhancement","title":"Automated Decision Support","params":[{"id":"ac-21.01_odp","props":[{"name":"alt-identifier","value":"ac-21.1_prm_1"},{"name":"label","value":"AC-21(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;"}]}],"props":[{"name":"label","value":"AC-21(1)"},{"name":"label","value":"AC-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-21.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"required"}],"parts":[{"id":"ac-21.1_smt","name":"statement","prose":"Employ {{ insert: param, ac-21.01_odp }} to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."},{"id":"ac-21.1_gdn","name":"guidance","prose":"Automated mechanisms are used to enforce information sharing decisions."},{"id":"ac-21.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."},{"id":"ac-21.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of users authorized to make information-sharing\/collaboration decisions\n\nsystem-generated list of sharing partners and access authorizations\n\nsystem-generated list of access restrictions regarding information to be shared\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-21.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-21.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-21.2","class":"SP800-53-enhancement","title":"Information Search and Retrieval","params":[{"id":"ac-21.02_odp","props":[{"name":"alt-identifier","value":"ac-21.2_prm_1"},{"name":"alt-label","value":"information sharing restrictions","class":"sp800-53"},{"name":"label","value":"AC-21(02)_ODP","class":"sp800-53a"}],"label":"information-sharing restrictions","guidelines":[{"prose":"information-sharing restrictions to be enforced by information search and retrieval services are defined;"}]}],"props":[{"name":"label","value":"AC-21(2)"},{"name":"label","value":"AC-21(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-21.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"required"}],"parts":[{"id":"ac-21.2_smt","name":"statement","prose":"Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}."},{"id":"ac-21.2_gdn","name":"guidance","prose":"Information search and retrieval services identify information system resources relevant to an information need."},{"id":"ac-21.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21(02)","class":"sp800-53a"}],"prose":"information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented."},{"id":"ac-21.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of access restrictions regarding information to be shared\n\ninformation search and retrieval records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-21.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities for system search and retrieval services\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-21.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System search and retrieval services enforcing information-sharing restrictions"}]}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;"},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered."}]}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]},{"id":"ac-23","class":"SP800-53","title":"Data Mining Protection","params":[{"id":"ac-23_odp.01","props":[{"name":"alt-identifier","value":"ac-23_prm_1"},{"name":"alt-label","value":"data mining prevention and detection techniques","class":"sp800-53"},{"name":"label","value":"AC-23_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"data mining prevention and detection techniques are defined;"}]},{"id":"ac-23_odp.02","props":[{"name":"alt-identifier","value":"ac-23_prm_2"},{"name":"label","value":"AC-23_ODP[02]","class":"sp800-53a"}],"label":"data storage objects","guidelines":[{"prose":"data storage objects to be protected against unauthorized data mining are defined;"}]}],"props":[{"name":"label","value":"AC-23"},{"name":"label","value":"AC-23","class":"sp800-53a"},{"name":"sort-id","value":"ac-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#pm-12","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"ac-23_smt","name":"statement","prose":"Employ {{ insert: param, ac-23_odp.01 }} for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining."},{"id":"ac-23_gdn","name":"guidance","prose":"Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.\n\nData mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, [AU-13](#au-13) focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.\n\n[EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration."},{"id":"ac-23_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-23","class":"sp800-53a"}],"prose":"{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining."},{"id":"ac-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for preventing and detecting data mining\n\npolicies and procedures addressing authorized data mining techniques\n\nprocedures addressing protection of data storage objects against data mining\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit logs\n\nsystem audit records\n\nprocedures addressing differential privacy techniques\n\nnotifications of atypical database queries or accesses\n\ndocumentation or reports of insider threat program\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing data mining prevention and detection"}]}]},{"id":"ac-24","class":"SP800-53","title":"Access Control Decisions","params":[{"id":"ac-24_odp.01","props":[{"name":"alt-identifier","value":"ac-24_prm_1"},{"name":"label","value":"AC-24_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish procedures","implement mechanisms"]}},{"id":"ac-24_odp.02","props":[{"name":"alt-identifier","value":"ac-24_prm_2"},{"name":"label","value":"AC-24_ODP[02]","class":"sp800-53a"}],"label":"access control decisions","guidelines":[{"prose":"access control decisions applied to each access request prior to access enforcement are defined;"}]}],"props":[{"name":"label","value":"AC-24"},{"name":"label","value":"AC-24","class":"sp800-53a"},{"name":"sort-id","value":"ac-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ac-24_smt","name":"statement","prose":"{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement."},{"id":"ac-24_gdn","name":"guidance","prose":"Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access."},{"id":"ac-24_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24","class":"sp800-53a"}],"prose":"{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement."},{"id":"ac-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control decisions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the system\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms applying established access control decisions and procedures"}]}],"controls":[{"id":"ac-24.1","class":"SP800-53-enhancement","title":"Transmit Access Authorization Information","params":[{"id":"ac-24.01_odp.01","props":[{"name":"alt-identifier","value":"ac-24.1_prm_1"},{"name":"label","value":"AC-24(01)_ODP[01]","class":"sp800-53a"}],"label":"access authorization information","guidelines":[{"prose":"access authorization information transmitted to systems that enforce access control decisions is defined;"}]},{"id":"ac-24.01_odp.02","props":[{"name":"alt-identifier","value":"ac-24.1_prm_2"},{"name":"label","value":"AC-24(01)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;"}]},{"id":"ac-24.01_odp.03","props":[{"name":"alt-identifier","value":"ac-24.1_prm_3"},{"name":"label","value":"AC-24(01)_ODP[03]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems that enforce access control decisions are defined;"}]}],"props":[{"name":"label","value":"AC-24(1)"},{"name":"label","value":"AC-24(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-24.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-24","rel":"required"},{"href":"#au-10","rel":"related"}],"parts":[{"id":"ac-24.1_smt","name":"statement","prose":"Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions."},{"id":"ac-24.1_gdn","name":"guidance","prose":"Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission."},{"id":"ac-24.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions."},{"id":"ac-24.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-24.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-24.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-24.2","class":"SP800-53-enhancement","title":"No User or Process Identity","params":[{"id":"ac-24.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-24.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-24.02_odp.02"}],"label":"organization-defined security or privacy attributes"},{"id":"ac-24.02_odp.01","props":[{"name":"label","value":"AC-24(02)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);"}]},{"id":"ac-24.02_odp.02","props":[{"name":"label","value":"AC-24(02)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);"}]}],"props":[{"name":"label","value":"AC-24(2)"},{"name":"label","value":"AC-24(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-24.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-24","rel":"required"}],"parts":[{"id":"ac-24.2_smt","name":"statement","prose":"Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user."},{"id":"ac-24.2_gdn","name":"guidance","prose":"In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute."},{"id":"ac-24.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)","class":"sp800-53a"}],"parts":[{"id":"ac-24.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)[01]","class":"sp800-53a"}],"prose":"access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);"},{"id":"ac-24.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)[02]","class":"sp800-53a"}],"prose":"access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected)."}]},{"id":"ac-24.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-24.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-24.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]}]},{"id":"ac-25","class":"SP800-53","title":"Reference Monitor","params":[{"id":"ac-25_odp","props":[{"name":"alt-identifier","value":"ac-25_prm_1"},{"name":"label","value":"AC-25_ODP","class":"sp800-53a"}],"label":"access control policies","guidelines":[{"prose":"access control policies for which a reference monitor is implemented are defined;"}]}],"props":[{"name":"label","value":"AC-25"},{"name":"label","value":"AC-25","class":"sp800-53a"},{"name":"sort-id","value":"ac-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"ac-25_smt","name":"statement","prose":"Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured."},{"id":"ac-25_gdn","name":"guidance","prose":"A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy."},{"id":"ac-25_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-25","class":"sp800-53a"}],"prose":"a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured."},{"id":"ac-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; "},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"}]}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."}]}]}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"}]}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":"{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.1","class":"SP800-53-enhancement","title":"Practical Exercises","props":[{"name":"label","value":"AT-2(1)"},{"name":"label","value":"AT-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"}],"parts":[{"id":"at-2.1_smt","name":"statement","prose":"Provide practical exercises in literacy training that simulate events and incidents."},{"id":"at-2.1_gdn","name":"guidance","prose":"Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links."},{"id":"at-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(01)","class":"sp800-53a"}],"prose":"practical exercises in literacy training that simulate events and incidents are provided."},{"id":"at-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nother relevant documents or records"}]},{"id":"at-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities"}]},{"id":"at-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cyber-attack simulations in practical exercises"}]}]},{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;"},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided."}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;"},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;"},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided."}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.4","class":"SP800-53-enhancement","title":"Suspicious Communications and Anomalous System Behavior","params":[{"id":"at-02.04_odp","props":[{"name":"alt-identifier","value":"at-2.4_prm_1"},{"name":"label","value":"AT-02(04)_ODP","class":"sp800-53a"}],"label":"indicators of malicious code","guidelines":[{"prose":"indicators of malicious code are defined;"}]}],"props":[{"name":"label","value":"AT-2(4)"},{"name":"label","value":"AT-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.4_smt","name":"statement","prose":"Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}."},{"id":"at-2.4_gdn","name":"guidance","prose":"A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations."},{"id":"at-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(04)","class":"sp800-53a"}],"prose":"literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided."},{"id":"at-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.5","class":"SP800-53-enhancement","title":"Advanced Persistent Threat","props":[{"name":"label","value":"AT-2(5)"},{"name":"label","value":"AT-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.5_smt","name":"statement","prose":"Provide literacy training on the advanced persistent threat."},{"id":"at-2.5_gdn","name":"guidance","prose":"An effective way to detect advanced persistent threats (APT) and to preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home."},{"id":"at-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(05)","class":"sp800-53a"}],"prose":"literacy training on the advanced persistent threat is provided."},{"id":"at-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.6","class":"SP800-53-enhancement","title":"Cyber Threat Environment","props":[{"name":"label","value":"AT-2(6)"},{"name":"label","value":"AT-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"at-2.6_smt","name":"statement","parts":[{"id":"at-2.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide literacy training on the cyber threat environment; and"},{"id":"at-2.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reflect current cyber threat information in system operations."}]},{"id":"at-2.6_gdn","name":"guidance","prose":"Since threats continue to change over time, threat literacy training by the organization is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational mission and business functions."},{"id":"at-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)","class":"sp800-53a"}],"parts":[{"id":"at-2.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)(a)","class":"sp800-53a"}],"prose":"literacy training on the cyber threat environment is provided;"},{"id":"at-2.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)(b)","class":"sp800-53a"}],"prose":"system operations reflects current cyber threat information."}]},{"id":"at-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness training implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"}]}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};"},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training."}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}],"controls":[{"id":"at-3.1","class":"SP800-53-enhancement","title":"Environmental Controls","params":[{"id":"at-03.01_odp.01","props":[{"name":"alt-identifier","value":"at-3.1_prm_1"},{"name":"label","value":"AT-03(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;"}]},{"id":"at-03.01_odp.02","props":[{"name":"alt-identifier","value":"at-3.1_prm_2"},{"name":"label","value":"AT-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(1)"},{"name":"label","value":"AT-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pe-1","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-15","rel":"related"}],"parts":[{"id":"at-3.1_smt","name":"statement","prose":"Provide {{ insert: param, at-03.01_odp.01 }} with initial and {{ insert: param, at-03.01_odp.02 }} training in the employment and operation of environmental controls."},{"id":"at-3.1_gdn","name":"guidance","prose":"Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility."},{"id":"at-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(01)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls."},{"id":"at-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating environmental controls"}]}]},{"id":"at-3.2","class":"SP800-53-enhancement","title":"Physical Security Controls","params":[{"id":"at-03.02_odp.01","props":[{"name":"alt-identifier","value":"at-3.2_prm_1"},{"name":"label","value":"AT-03(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is\/are defined;"}]},{"id":"at-03.02_odp.02","props":[{"name":"alt-identifier","value":"at-3.2_prm_2"},{"name":"label","value":"AT-03(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(2)"},{"name":"label","value":"AT-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"}],"parts":[{"id":"at-3.2_smt","name":"statement","prose":"Provide {{ insert: param, at-03.02_odp.01 }} with initial and {{ insert: param, at-03.02_odp.02 }} training in the employment and operation of physical security controls."},{"id":"at-3.2_gdn","name":"guidance","prose":"Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment."},{"id":"at-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(02)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.02_odp.01 }} is\/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls."},{"id":"at-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating physical security controls"}]}]},{"id":"at-3.3","class":"SP800-53-enhancement","title":"Practical Exercises","props":[{"name":"label","value":"AT-3(3)"},{"name":"label","value":"AT-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"}],"parts":[{"id":"at-3.3_smt","name":"statement","prose":"Provide practical exercises in security and privacy training that reinforce training objectives."},{"id":"at-3.3_gdn","name":"guidance","prose":"Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments."},{"id":"at-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)","class":"sp800-53a"}],"parts":[{"id":"at-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)[01]","class":"sp800-53a"}],"prose":"practical exercises in security training that reinforce training objectives are provided;"},{"id":"at-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)[02]","class":"sp800-53a"}],"prose":"practical exercises in privacy training that reinforce training objectives are provided."}]},{"id":"at-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsecurity and privacy awareness training reports and results\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]},{"id":"at-3.4","class":"SP800-53-enhancement","title":"Suspicious Communications and Anomalous System Behavior","props":[{"name":"label","value":"AT-3(4)"},{"name":"label","value":"AT-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#at-2.4","rel":"moved-to"}]},{"id":"at-3.5","class":"SP800-53-enhancement","title":"Processing Personally Identifiable Information","params":[{"id":"at-03.05_odp.01","props":[{"name":"alt-identifier","value":"at-3.5_prm_1"},{"name":"label","value":"AT-03(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is\/are defined;"}]},{"id":"at-03.05_odp.02","props":[{"name":"alt-identifier","value":"at-3.5_prm_2"},{"name":"label","value":"AT-03(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(5)"},{"name":"label","value":"AT-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"at-3.5_smt","name":"statement","prose":"Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and\/or other documentation."},{"id":"at-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsystem security plan\n\nprivacy plan\n\norganizational privacy notices\n\norganizational policies\n\nsystem of records notices\n\nPrivacy Act statements\n\ncomputer matching agreements and notices\n\nprivacy impact assessments\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"at-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]},{"id":"at-5","class":"SP800-53","title":"Contacts with Security Groups and Associations","props":[{"name":"label","value":"AT-5"},{"name":"label","value":"AT-05","class":"sp800-53a"},{"name":"sort-id","value":"at-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pm-15","rel":"incorporated-into"}]},{"id":"at-6","class":"SP800-53","title":"Training Feedback","params":[{"id":"at-06_odp.01","props":[{"name":"alt-identifier","value":"at-6_prm_1"},{"name":"label","value":"AT-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide feedback on organizational training results is defined;"}]},{"id":"at-06_odp.02","props":[{"name":"alt-identifier","value":"at-6_prm_2"},{"name":"label","value":"AT-06_ODP[02]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom feedback on organizational training results will be provided is\/are assigned;"}]}],"props":[{"name":"label","value":"AT-6"},{"name":"label","value":"AT-06","class":"sp800-53a"},{"name":"sort-id","value":"at-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"at-6_smt","name":"statement","prose":"Provide feedback on organizational training results to the following personnel {{ insert: param, at-06_odp.01 }}: {{ insert: param, at-06_odp.02 }}."},{"id":"at-6_gdn","name":"guidance","prose":"Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in [AT-2b](#at-2_smt.b) and [AT-3b](#at-3_smt.b)."},{"id":"at-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-06","class":"sp800-53a"}],"prose":"feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}."},{"id":"at-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"id":"at-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security training record retention responsibilities"}]},{"id":"at-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;"},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."}]}]}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, au-02_odp.02 }} are specified for logging within the system;"},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}],"controls":[{"id":"au-2.1","class":"SP800-53-enhancement","title":"Compilation of Audit Records from Multiple Sources","props":[{"name":"label","value":"AU-2(1)"},{"name":"label","value":"AU-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-12","rel":"incorporated-into"}]},{"id":"au-2.2","class":"SP800-53-enhancement","title":"Selection of Audit Events by Component","props":[{"name":"label","value":"AU-2(2)"},{"name":"label","value":"AU-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-12","rel":"incorporated-into"}]},{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","props":[{"name":"label","value":"AU-2(3)"},{"name":"label","value":"AU-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-2","rel":"incorporated-into"}]},{"id":"au-2.4","class":"SP800-53-enhancement","title":"Privileged Functions","props":[{"name":"label","value":"AU-2(4)"},{"name":"label","value":"AU-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.9","rel":"incorporated-into"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;"},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;"},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;"},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;"},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;"},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","props":[{"name":"label","value":"AU-3(2)"},{"name":"label","value":"AU-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"au-3.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"au-03.03_odp","props":[{"name":"alt-identifier","value":"au-3.3_prm_1"},{"name":"label","value":"AU-03(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment are defined;"}]}],"props":[{"name":"label","value":"AU-3(3)"},{"name":"label","value":"AU-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"au-3.3_smt","name":"statement","prose":"Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}."},{"id":"au-3.3_gdn","name":"guidance","prose":"Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"au-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment."},{"id":"au-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprivacy risk assessment\n\nprivacy risk assessment results\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nthird party contracts\n\nother relevant documents or records"}]},{"id":"au-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}],"controls":[{"id":"au-4.1","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage","params":[{"id":"au-04.01_odp","props":[{"name":"alt-identifier","value":"au-4.1_prm_1"},{"name":"label","value":"AU-04(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;"}]}],"props":[{"name":"label","value":"AU-4(1)"},{"name":"label","value":"AU-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-4","rel":"required"}],"parts":[{"id":"au-4.1_smt","name":"statement","prose":"Transfer audit logs {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging."},{"id":"au-4.1_gdn","name":"guidance","prose":"Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to [AU-9(2)](#au-9.2) in that audit logs are transferred to a different entity. However, the purpose of selecting [AU-9(2)](#au-9.2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs."},{"id":"au-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04(01)","class":"sp800-53a"}],"prose":"audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging."},{"id":"au-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit storage capacity\n\nprocedures addressing transfer of system audit records to secondary or alternate systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogs of audit record transfers to secondary or alternate systems\n\nsystem audit records transferred to secondary or alternate systems\n\nother relevant documents or records"}]},{"id":"au-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit storage capacity planning responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the transfer of audit records onto a different system"}]}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Storage Capacity Warning","params":[{"id":"au-05.01_odp.01","props":[{"name":"alt-identifier","value":"au-5.1_prm_1"},{"name":"label","value":"AU-05(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity."}]},{"id":"au-05.01_odp.02","props":[{"name":"alt-identifier","value":"au-5.1_prm_2"},{"name":"label","value":"AU-05(01)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for defined personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;"}]},{"id":"au-05.01_odp.03","props":[{"name":"alt-identifier","value":"au-5.1_prm_3"},{"name":"label","value":"AU-05(01)_ODP[03]","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"percentage of repository maximum audit log storage capacity is defined;"}]}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"label","value":"AU-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(01)","class":"sp800-53a"}],"prose":"a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-05.02_odp.01","props":[{"name":"alt-identifier","value":"au-5.2_prm_1"},{"name":"label","value":"AU-05(02)_ODP[01]","class":"sp800-53a"}],"label":"real-time period","guidelines":[{"prose":"real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;"}]},{"id":"au-05.02_odp.02","props":[{"name":"alt-identifier","value":"au-5.2_prm_2"},{"name":"label","value":"AU-05(02)_ODP[02]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is\/are defined;"}]},{"id":"au-05.02_odp.03","props":[{"name":"alt-identifier","value":"au-5.2_prm_3"},{"name":"label","value":"AU-05(02)_ODP[03]","class":"sp800-53a"}],"label":"audit logging failure events requiring real-time alerts","guidelines":[{"prose":"audit logging failure events requiring real-time alerts are defined;"}]}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"label","value":"AU-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(02)","class":"sp800-53a"}],"prose":"an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur."},{"id":"au-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]},{"id":"au-5.3","class":"SP800-53-enhancement","title":"Configurable Traffic Volume Thresholds","params":[{"id":"au-05.03_odp","props":[{"name":"alt-identifier","value":"au-5.3_prm_1"},{"name":"label","value":"AU-05(03)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["reject","delay"]}}],"props":[{"name":"label","value":"AU-5(3)"},{"name":"label","value":"AU-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.3_smt","name":"statement","prose":"Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and {{ insert: param, au-05.03_odp }} network traffic above those thresholds."},{"id":"au-5.3_gdn","name":"guidance","prose":"Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity."},{"id":"au-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)","class":"sp800-53a"}],"parts":[{"id":"au-5.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)[01]","class":"sp800-53a"}],"prose":"configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;"},{"id":"au-5.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)[02]","class":"sp800-53a"}],"prose":"network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds."}]},{"id":"au-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]},{"id":"au-5.4","class":"SP800-53-enhancement","title":"Shutdown on Failure","params":[{"id":"au-05.04_odp.01","props":[{"name":"alt-identifier","value":"au-5.4_prm_1"},{"name":"label","value":"AU-05(04)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["full system shutdown","partial system shutdown","degraded operational mode with limited mission or business functionality available"]}},{"id":"au-05.04_odp.02","props":[{"name":"alt-identifier","value":"au-5.4_prm_2"},{"name":"label","value":"AU-05(04)_ODP[02]","class":"sp800-53a"}],"label":"audit logging failures","guidelines":[{"prose":"audit logging failures that trigger a change in operational mode are defined;"}]}],"props":[{"name":"label","value":"AU-5(4)"},{"name":"label","value":"AU-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"},{"href":"#au-15","rel":"related"}],"parts":[{"id":"au-5.4_smt","name":"statement","prose":"Invoke a {{ insert: param, au-05.04_odp.01 }} in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists."},{"id":"au-5.4_gdn","name":"guidance","prose":"Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives."},{"id":"au-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(04)","class":"sp800-53a"}],"prose":"{{ insert: param, au-05.04_odp.01 }} is\/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists."},{"id":"au-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability invoking system shutdown or degraded operational mode in the event of an audit processing failure"}]}]},{"id":"au-5.5","class":"SP800-53-enhancement","title":"Alternate Audit Logging Capability","params":[{"id":"au-05.05_odp","props":[{"name":"alt-identifier","value":"au-5.5_prm_1"},{"name":"label","value":"AU-05(05)_ODP","class":"sp800-53a"}],"label":"alternate audit logging functionality","guidelines":[{"prose":"an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;"}]}],"props":[{"name":"label","value":"AU-5(5)"},{"name":"label","value":"AU-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-5","rel":"required"},{"href":"#au-9","rel":"related"}],"parts":[{"id":"au-5.5_smt","name":"statement","prose":"Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}."},{"id":"au-5.5_gdn","name":"guidance","prose":"Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure."},{"id":"au-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(05)","class":"sp800-53a"}],"prose":"an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}."},{"id":"au-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Alternate audit logging capability"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};"},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.2","class":"SP800-53-enhancement","title":"Automated Security Alerts","props":[{"name":"label","value":"AU-6(2)"},{"name":"label","value":"AU-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]},{"id":"au-6.4","class":"SP800-53-enhancement","title":"Central Review and Analysis","props":[{"name":"label","value":"AU-6(4)"},{"name":"label","value":"AU-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-6.4_smt","name":"statement","prose":"Provide and implement the capability to centrally review and analyze audit records from multiple components within the system."},{"id":"au-6.4_gdn","name":"guidance","prose":"Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products."},{"id":"au-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)","class":"sp800-53a"}],"parts":[{"id":"au-6.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)[01]","class":"sp800-53a"}],"prose":"the capability to centrally review and analyze audit records from multiple components within the system is provided;"},{"id":"au-6.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)[02]","class":"sp800-53a"}],"prose":"the capability to centrally review and analyze audit records from multiple components within the system is implemented."}]},{"id":"au-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability to centralize review and analysis of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integrated Analysis of Audit Records","params":[{"id":"au-06.05_odp.01","props":[{"name":"alt-identifier","value":"au-6.5_prm_1"},{"name":"label","value":"AU-06(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","system monitoring information","{{ insert: param, au-06.05_odp.02 }} "]}},{"id":"au-06.05_odp.02","props":[{"name":"alt-identifier","value":"au-6.5_prm_2"},{"name":"label","value":"AU-06(05)_ODP[02]","class":"sp800-53a"}],"label":"data\/information collected from other sources","guidelines":[{"prose":"data\/information collected from other sources to be analyzed is defined (if selected);"}]}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"label","value":"AU-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations."},{"id":"au-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(05)","class":"sp800-53a"}],"prose":"analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records"}]},{"id":"au-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"label","value":"AU-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations."},{"id":"au-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(06)","class":"sp800-53a"}],"prose":"information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access"}]}]},{"id":"au-6.7","class":"SP800-53-enhancement","title":"Permitted Actions","params":[{"id":"au-06.07_odp","props":[{"name":"alt-identifier","value":"au-6.7_prm_1"},{"name":"label","value":"AU-06(07)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["system process","role","user"]}}],"props":[{"name":"label","value":"AU-6(7)"},{"name":"label","value":"AU-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.7_smt","name":"statement","prose":"Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information."},{"id":"au-6.7_gdn","name":"guidance","prose":"Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete."},{"id":"au-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(07)","class":"sp800-53a"}],"prose":"the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified."},{"id":"au-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing process, role and\/or user permitted actions from audit review, analysis, and reporting\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information"}]}]},{"id":"au-6.8","class":"SP800-53-enhancement","title":"Full Text Analysis of Privileged Commands","props":[{"name":"label","value":"AU-6(8)"},{"name":"label","value":"AU-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-6.8_smt","name":"statement","prose":"Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis."},{"id":"au-6.8_gdn","name":"guidance","prose":"Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics."},{"id":"au-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(08)","class":"sp800-53a"}],"prose":"a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed."},{"id":"au-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntext analysis tools and techniques\n\ntext analysis documentation of audited privileged commands\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to perform a full text analysis of audited privilege commands"}]}]},{"id":"au-6.9","class":"SP800-53-enhancement","title":"Correlation with Information from Nontechnical Sources","props":[{"name":"label","value":"AU-6(9)"},{"name":"label","value":"AU-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"au-6.9_smt","name":"statement","prose":"Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness."},{"id":"au-6.9_gdn","name":"guidance","prose":"Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions."},{"id":"au-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(09)","class":"sp800-53a"}],"prose":"information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness."},{"id":"au-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and organization-defined non-technical sources\n\nlist of information types from non-technical sources for correlation with audit information\n\nother relevant documents or records"}]},{"id":"au-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability to correlate information from non-technical sources"}]}]},{"id":"au-6.10","class":"SP800-53-enhancement","title":"Audit Level Adjustment","props":[{"name":"label","value":"AU-6(10)"},{"name":"label","value":"AU-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-6","rel":"incorporated-into"}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."}]}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]},{"id":"au-7.2","class":"SP800-53-enhancement","title":"Automatic Sort and Search","props":[{"name":"label","value":"AU-7(2)"},{"name":"label","value":"AU-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-7.1","rel":"incorporated-into"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;"},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","props":[{"name":"label","value":"AU-8(1)"},{"name":"label","value":"AU-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-08.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-45.1","rel":"moved-to"}]},{"id":"au-8.2","class":"SP800-53-enhancement","title":"Secondary Authoritative Time Source","props":[{"name":"label","value":"AU-8(2)"},{"name":"label","value":"AU-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-08.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-45.2","rel":"moved-to"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.1","class":"SP800-53-enhancement","title":"Hardware Write-once Media","props":[{"name":"label","value":"AU-9(1)"},{"name":"label","value":"AU-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.1_smt","name":"statement","prose":"Write audit trails to hardware-enforced, write-once media."},{"id":"au-9.1_gdn","name":"guidance","prose":"Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media."},{"id":"au-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(01)","class":"sp800-53a"}],"prose":"audit trails are written to hardware-enforced, write-once media."},{"id":"au-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem storage media\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media storing audit trails"}]}]},{"id":"au-9.2","class":"SP800-53-enhancement","title":"Store on Separate Physical Systems or Components","params":[{"id":"au-09.02_odp","props":[{"name":"alt-identifier","value":"au-9.2_prm_1"},{"name":"label","value":"AU-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of storing audit records in a repository is defined;"}]}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"label","value":"AU-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records."},{"id":"au-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(02)","class":"sp800-53a"}],"prose":"audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"label","value":"AU-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash."},{"id":"au-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented."},{"id":"au-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting the integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]},{"id":"au-9.5","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"au-09.05_odp.01","props":[{"name":"alt-identifier","value":"au-9.5_prm_1"},{"name":"label","value":"AU-09(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["movement","deletion"]}},{"id":"au-09.05_odp.02","props":[{"name":"alt-identifier","value":"au-9.5_prm_2"},{"name":"label","value":"AU-09(05)_ODP[02]","class":"sp800-53a"}],"label":"audit information","guidelines":[{"prose":"audit information for which dual authorization is to be enforced is defined;"}]}],"props":[{"name":"label","value":"AU-9(5)"},{"name":"label","value":"AU-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-9.5_smt","name":"statement","prose":"Enforce dual authorization for {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}."},{"id":"au-9.5_gdn","name":"guidance","prose":"Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety."},{"id":"au-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(05)","class":"sp800-53a"}],"prose":"dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}."},{"id":"au-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naccess authorizations\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the enforcement of dual authorization"}]}]},{"id":"au-9.6","class":"SP800-53-enhancement","title":"Read-only Access","params":[{"id":"au-09.06_odp","props":[{"name":"alt-identifier","value":"au-9.6_prm_1"},{"name":"label","value":"AU-09(06)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles with authorized read-only access to audit information is defined;"}]}],"props":[{"name":"label","value":"AU-9(6)"},{"name":"label","value":"AU-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"}],"parts":[{"id":"au-9.6_smt","name":"statement","prose":"Authorize read-only access to audit information to {{ insert: param, au-09.06_odp }}."},{"id":"au-9.6_gdn","name":"guidance","prose":"Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity."},{"id":"au-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(06)","class":"sp800-53a"}],"prose":"read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}."},{"id":"au-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with read-only access to audit information\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit information"}]}]},{"id":"au-9.7","class":"SP800-53-enhancement","title":"Store on Component with Different Operating System","props":[{"name":"label","value":"AU-9(7)"},{"name":"label","value":"AU-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#sc-29","rel":"related"}],"parts":[{"id":"au-9.7_smt","name":"statement","prose":"Store audit information on a component running a different operating system than the system or component being audited."},{"id":"au-9.7_gdn","name":"guidance","prose":"Storing auditing information on a system component running a different operating system reduces the risk of a vulnerability specific to the system, resulting in a compromise of the audit records."},{"id":"au-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(07)","class":"sp800-53a"}],"prose":"audit information is stored on a component running a different operating system than the system or component being audited."},{"id":"au-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing operating system verification capability\n\nmechanisms verifying audit information storage location"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_odp","props":[{"name":"alt-identifier","value":"au-10_prm_1"},{"name":"alt-label","value":"actions to be covered by non-repudiation","class":"sp800-53"},{"name":"label","value":"AU-10_ODP","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be covered by non-repudiation are defined;"}]}],"props":[{"name":"label","value":"AU-10"},{"name":"label","value":"AU-10","class":"sp800-53a"},{"name":"sort-id","value":"au-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#au-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts."},{"id":"au-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10","class":"sp800-53a"}],"prose":"irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}],"controls":[{"id":"au-10.1","class":"SP800-53-enhancement","title":"Association of Identities","params":[{"id":"au-10.01_odp","props":[{"name":"alt-identifier","value":"au-10.1_prm_1"},{"name":"label","value":"AU-10(01)_ODP","class":"sp800-53a"}],"label":"strength of binding","guidelines":[{"prose":"the strength of binding between the identity of the information producer and the information is defined;"}]}],"props":[{"name":"label","value":"AU-10(1)"},{"name":"label","value":"AU-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.1_smt","name":"statement","parts":[{"id":"au-10.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Bind the identity of the information producer with the information to {{ insert: param, au-10.01_odp }} ; and"},{"id":"au-10.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide the means for authorized individuals to determine the identity of the producer of the information."}]},{"id":"au-10.1_gdn","name":"guidance","prose":"Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors."},{"id":"au-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)","class":"sp800-53a"}],"parts":[{"id":"au-10.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)(a)","class":"sp800-53a"}],"prose":"the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};"},{"id":"au-10.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)(b)","class":"sp800-53a"}],"prose":"the means for authorized individuals to determine the identity of the producer of the information is provided."}]},{"id":"au-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.2","class":"SP800-53-enhancement","title":"Validate Binding of Information Producer Identity","params":[{"id":"au-10.02_odp.01","props":[{"name":"alt-identifier","value":"au-10.2_prm_1"},{"name":"label","value":"AU-10(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to validate the binding of the information producer identity to the information is defined;"}]},{"id":"au-10.02_odp.02","props":[{"name":"alt-identifier","value":"au-10.2_prm_2"},{"name":"label","value":"AU-10(02)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"the actions to be performed in the event of a validation error are defined;"}]}],"props":[{"name":"label","value":"AU-10(2)"},{"name":"label","value":"AU-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.2_smt","name":"statement","parts":[{"id":"au-10.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }} ; and"},{"id":"au-10.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Perform {{ insert: param, au-10.02_odp.02 }} in the event of a validation error."}]},{"id":"au-10.2_gdn","name":"guidance","prose":"Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically."},{"id":"au-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)","class":"sp800-53a"}],"parts":[{"id":"au-10.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)(a)","class":"sp800-53a"}],"prose":"the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};"},{"id":"au-10.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed."}]},{"id":"au-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.3","class":"SP800-53-enhancement","title":"Chain of Custody","props":[{"name":"label","value":"AU-10(3)"},{"name":"label","value":"AU-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.3_smt","name":"statement","prose":"Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released."},{"id":"au-10.3_gdn","name":"guidance","prose":"Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used."},{"id":"au-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(03)","class":"sp800-53a"}],"prose":"reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released."},{"id":"au-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of information reviews and releases\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.4","class":"SP800-53-enhancement","title":"Validate Binding of Information Reviewer Identity","params":[{"id":"au-10.04_odp.01","props":[{"name":"alt-identifier","value":"au-10.4_prm_1"},{"name":"label","value":"AU-10(04)_ODP[01]","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;"}]},{"id":"au-10.04_odp.02","props":[{"name":"alt-identifier","value":"au-10.4_prm_2"},{"name":"label","value":"AU-10(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be performed in the event of a validation error are defined;"}]}],"props":[{"name":"label","value":"AU-10(4)"},{"name":"label","value":"AU-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.4_smt","name":"statement","parts":[{"id":"au-10.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} ; and"},{"id":"au-10.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Perform {{ insert: param, au-10.04_odp.02 }} in the event of a validation error."}]},{"id":"au-10.4_gdn","name":"guidance","prose":"Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically."},{"id":"au-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)","class":"sp800-53a"}],"parts":[{"id":"au-10.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)(a)","class":"sp800-53a"}],"prose":"the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;"},{"id":"au-10.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error."}]},{"id":"au-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.5","class":"SP800-53-enhancement","title":"Digital Signatures","props":[{"name":"label","value":"AU-10(5)"},{"name":"label","value":"AU-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}],"controls":[{"id":"au-11.1","class":"SP800-53-enhancement","title":"Long-term Retrieval Capability","params":[{"id":"au-11.01_odp","props":[{"name":"alt-identifier","value":"au-11.1_prm_1"},{"name":"label","value":"AU-11(01)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;"}]}],"props":[{"name":"label","value":"AU-11(1)"},{"name":"label","value":"AU-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-11","rel":"required"}],"parts":[{"id":"au-11.1_smt","name":"statement","prose":"Employ {{ insert: param, au-11.01_odp }} to ensure that long-term audit records generated by the system can be retrieved."},{"id":"au-11.1_gdn","name":"guidance","prose":"Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records."},{"id":"au-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11(01)","class":"sp800-53a"}],"prose":"{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved."},{"id":"au-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record retention capability"}]}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;"},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide and Time-correlated Audit Trail","params":[{"id":"au-12.01_odp.01","props":[{"name":"alt-identifier","value":"au-12.1_prm_1"},{"name":"label","value":"AU-12(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;"}]},{"id":"au-12.01_odp.02","props":[{"name":"alt-identifier","value":"au-12.1_prm_2"},{"name":"alt-label","value":"level of tolerance for the relationship between time stamps of individual records in the audit trail","class":"sp800-53"},{"name":"label","value":"AU-12(01)_ODP[02]","class":"sp800-53a"}],"label":"level of tolerance","guidelines":[{"prose":"level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;"}]}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"label","value":"AU-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#au-8","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances."},{"id":"au-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(01)","class":"sp800-53a"}],"prose":"audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.2","class":"SP800-53-enhancement","title":"Standardized Formats","props":[{"name":"label","value":"AU-12(2)"},{"name":"label","value":"AU-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"}],"parts":[{"id":"au-12.2_smt","name":"statement","prose":"Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format."},{"id":"au-12.2_gdn","name":"guidance","prose":"Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails."},{"id":"au-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(02)","class":"sp800-53a"}],"prose":"a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format."},{"id":"au-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.03_odp.01","props":[{"name":"alt-identifier","value":"au-12.3_prm_1"},{"name":"label","value":"AU-12(03)_ODP[01]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles authorized to change the logging on system components are defined;"}]},{"id":"au-12.03_odp.02","props":[{"name":"alt-identifier","value":"au-12.3_prm_2"},{"name":"label","value":"AU-12(03)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which logging is to be performed are defined;"}]},{"id":"au-12.03_odp.03","props":[{"name":"alt-identifier","value":"au-12.3_prm_3"},{"name":"label","value":"AU-12(03)_ODP[03]","class":"sp800-53a"}],"label":"selectable event criteria","guidelines":[{"prose":"selectable event criteria with which change logging is to be performed are defined;"}]},{"id":"au-12.03_odp.04","props":[{"name":"alt-identifier","value":"au-12.3_prm_4"},{"name":"label","value":"AU-12(03)_ODP[04]","class":"sp800-53a"}],"label":"time thresholds","guidelines":[{"prose":"time thresholds in which logging actions are to change is defined;"}]}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"label","value":"AU-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)."},{"id":"au-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)","class":"sp800-53a"}],"parts":[{"id":"au-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[01]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;"},{"id":"au-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented."}]},{"id":"au-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.4","class":"SP800-53-enhancement","title":"Query Parameter Audits of Personally Identifiable Information","props":[{"name":"label","value":"AU-12(4)"},{"name":"label","value":"AU-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"}],"parts":[{"id":"au-12.4_smt","name":"statement","prose":"Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information."},{"id":"au-12.4_gdn","name":"guidance","prose":"Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel."},{"id":"au-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)","class":"sp800-53a"}],"parts":[{"id":"au-12.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)[01]","class":"sp800-53a"}],"prose":"the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;"},{"id":"au-12.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)[02]","class":"sp800-53a"}],"prose":"the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented."}]},{"id":"au-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nquery event records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmap of system data actions\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"au-13","class":"SP800-53","title":"Monitoring for Information Disclosure","params":[{"id":"au-13_odp.01","props":[{"name":"alt-identifier","value":"au-13_prm_1"},{"name":"label","value":"AU-13_ODP[01]","class":"sp800-53a"}],"label":"open-source information and\/or information sites","guidelines":[{"prose":"open-source information and\/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is\/are defined;"}]},{"id":"au-13_odp.02","props":[{"name":"alt-identifier","value":"au-13_prm_2"},{"name":"label","value":"AU-13_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which open-source information and\/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;"}]},{"id":"au-13_odp.03","props":[{"name":"alt-identifier","value":"au-13_prm_3"},{"name":"label","value":"AU-13_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified if an information disclosure is discovered is\/are defined;"}]},{"id":"au-13_odp.04","props":[{"name":"alt-identifier","value":"au-13_prm_4"},{"name":"label","value":"AU-13_ODP[04]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken if an information disclosure is discovered are defined;"}]}],"props":[{"name":"label","value":"AU-13"},{"name":"label","value":"AU-13","class":"sp800-53a"},{"name":"sort-id","value":"au-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-22","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-20","rel":"related"}],"parts":[{"id":"au-13_smt","name":"statement","parts":[{"id":"au-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor {{ insert: param, au-13_odp.01 }} {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information; and"},{"id":"au-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"If an information disclosure is discovered:","parts":[{"id":"au-13_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Notify {{ insert: param, au-13_odp.03 }} ; and"},{"id":"au-13_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Take the following additional actions: {{ insert: param, au-13_odp.04 }}."}]}]},{"id":"au-13_gdn","name":"guidance","prose":"Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization."},{"id":"au-13_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13","class":"sp800-53a"}],"parts":[{"id":"au-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-13a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.01 }} is\/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;"},{"id":"au-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.","class":"sp800-53a"}],"parts":[{"id":"au-13_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.01","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;"},{"id":"au-13_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.02","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered."}]}]},{"id":"au-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmonitoring records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring open-source information and\/or information sites\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"au-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing monitoring for information disclosure"}]}],"controls":[{"id":"au-13.1","class":"SP800-53-enhancement","title":"Use of Automated Tools","params":[{"id":"au-13.01_odp","props":[{"name":"alt-identifier","value":"au-13.1_prm_1"},{"name":"label","value":"AU-13(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for monitoring open-source information and information sites are defined;"}]}],"props":[{"name":"label","value":"AU-13(1)"},{"name":"label","value":"AU-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.1_smt","name":"statement","prose":"Monitor open-source information and information sites using {{ insert: param, au-13.01_odp }}."},{"id":"au-13.1_gdn","name":"guidance","prose":"Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites."},{"id":"au-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(01)","class":"sp800-53a"}],"prose":"open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}."},{"id":"au-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated monitoring tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring information disclosures\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing monitoring for information disclosure"}]}]},{"id":"au-13.2","class":"SP800-53-enhancement","title":"Review of Monitored Sites","params":[{"id":"au-13.02_odp","props":[{"name":"alt-identifier","value":"au-13.2_prm_1"},{"name":"label","value":"AU-13(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the open-source information sites being monitored is defined;"}]}],"props":[{"name":"label","value":"AU-13(2)"},{"name":"label","value":"AU-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.2_smt","name":"statement","prose":"Review the list of open-source information sites being monitored {{ insert: param, au-13.02_odp }}."},{"id":"au-13.2_gdn","name":"guidance","prose":"Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence of other credible sources of information."},{"id":"au-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(02)","class":"sp800-53a"}],"prose":"the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}."},{"id":"au-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreviews for open-source information sites being monitored\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring open-source information sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing monitoring for information disclosure"}]}]},{"id":"au-13.3","class":"SP800-53-enhancement","title":"Unauthorized Replication of Information","props":[{"name":"label","value":"AU-13(3)"},{"name":"label","value":"AU-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.3_smt","name":"statement","prose":"Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner."},{"id":"au-13.3_gdn","name":"guidance","prose":"The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize the unauthorized use of organizational information."},{"id":"au-13.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(03)","class":"sp800-53a"}],"prose":"discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner."},{"id":"au-13.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nprocedures addressing information replication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\ntraining resources for staff to recognize the unauthorized use of organizational information\n\nother relevant documents or records"}]},{"id":"au-13.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring unauthorized replication of information\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Discovery tools for identifying unauthorized information replication"}]}]}]},{"id":"au-14","class":"SP800-53","title":"Session Audit","params":[{"id":"au-14_odp.01","props":[{"name":"alt-identifier","value":"au-14_prm_1"},{"name":"label","value":"AU-14_ODP[01]","class":"sp800-53a"}],"label":"users or roles","guidelines":[{"prose":"users or roles who can audit the content of a user session are defined;"}]},{"id":"au-14_odp.02","props":[{"name":"alt-identifier","value":"au-14_prm_2"},{"name":"label","value":"AU-14_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["record","view","hear","log"]}},{"id":"au-14_odp.03","props":[{"name":"alt-identifier","value":"au-14_prm_3"},{"name":"label","value":"AU-14_ODP[03]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances under which the content of a user session can be audited are defined;"}]}],"props":[{"name":"label","value":"AU-14"},{"name":"label","value":"AU-14","class":"sp800-53a"},{"name":"sort-id","value":"au-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-14_smt","name":"statement","parts":[{"id":"au-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} ; and"},{"id":"au-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"au-14_gdn","name":"guidance","prose":"Session audits can include monitoring keystrokes, tracking websites visited, and recording information and\/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed."},{"id":"au-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};"},{"id":"au-14_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;"}]},{"id":"au-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[01]","class":"sp800-53a"}],"prose":"session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"},{"id":"au-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[02]","class":"sp800-53a"}],"prose":"session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"},{"id":"au-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[03]","class":"sp800-53a"}],"prose":"session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"au-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities"}]},{"id":"au-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}],"controls":[{"id":"au-14.1","class":"SP800-53-enhancement","title":"System Start-up","props":[{"name":"label","value":"AU-14(1)"},{"name":"label","value":"AU-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-14","rel":"required"}],"parts":[{"id":"au-14.1_smt","name":"statement","prose":"Initiate session audits automatically at system start-up."},{"id":"au-14.1_gdn","name":"guidance","prose":"The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors."},{"id":"au-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14(01)","class":"sp800-53a"}],"prose":"session audits are initiated automatically at system start-up."},{"id":"au-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}]},{"id":"au-14.2","class":"SP800-53-enhancement","title":"Capture and Record Content","props":[{"name":"label","value":"AU-14(2)"},{"name":"label","value":"AU-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-14","rel":"incorporated-into"}]},{"id":"au-14.3","class":"SP800-53-enhancement","title":"Remote Viewing and Listening","props":[{"name":"label","value":"AU-14(3)"},{"name":"label","value":"AU-14(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-14","rel":"required"},{"href":"#ac-17","rel":"related"}],"parts":[{"id":"au-14.3_smt","name":"statement","prose":"Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time."},{"id":"au-14.3_gdn","name":"guidance","prose":"None."},{"id":"au-14.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)","class":"sp800-53a"}],"parts":[{"id":"au-14.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)[01]","class":"sp800-53a"}],"prose":"the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;"},{"id":"au-14.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)[02]","class":"sp800-53a"}],"prose":"the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented."}]},{"id":"au-14.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities"}]},{"id":"au-14.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}]}]},{"id":"au-15","class":"SP800-53","title":"Alternate Audit Logging Capability","props":[{"name":"label","value":"AU-15"},{"name":"label","value":"AU-15","class":"sp800-53a"},{"name":"sort-id","value":"au-15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-5.5","rel":"moved-to"}]},{"id":"au-16","class":"SP800-53","title":"Cross-organizational Audit Logging","params":[{"id":"au-16_odp.01","props":[{"name":"alt-identifier","value":"au-16_prm_1"},{"name":"label","value":"AU-16_ODP[01]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;"}]},{"id":"au-16_odp.02","props":[{"name":"alt-identifier","value":"au-16_prm_2"},{"name":"label","value":"AU-16_ODP[02]","class":"sp800-53a"}],"label":"audit information","guidelines":[{"prose":"audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;"}]}],"props":[{"name":"label","value":"AU-16"},{"name":"label","value":"AU-16","class":"sp800-53a"},{"name":"sort-id","value":"au-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"au-16_smt","name":"statement","prose":"Employ {{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries."},{"id":"au-16_gdn","name":"guidance","prose":"When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements."},{"id":"au-16_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16","class":"sp800-53a"}],"prose":"{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed."},{"id":"au-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing methods for coordinating audit information among external organizations\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for coordinating audit information among external organizations\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cross-organizational auditing"}]}],"controls":[{"id":"au-16.1","class":"SP800-53-enhancement","title":"Identity Preservation","props":[{"name":"label","value":"AU-16(1)"},{"name":"label","value":"AU-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"au-16.1_smt","name":"statement","prose":"Preserve the identity of individuals in cross-organizational audit trails."},{"id":"au-16.1_gdn","name":"guidance","prose":"Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual."},{"id":"au-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(01)","class":"sp800-53a"}],"prose":"the identity of individuals in cross-organizational audit trails is preserved."},{"id":"au-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational audit trails\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with cross-organizational audit responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cross-organizational auditing (if applicable)"}]}]},{"id":"au-16.2","class":"SP800-53-enhancement","title":"Sharing of Audit Information","params":[{"id":"au-16.02_odp.01","props":[{"name":"alt-identifier","value":"au-16.2_prm_1"},{"name":"label","value":"AU-16(02)_ODP[01]","class":"sp800-53a"}],"label":"organizations","guidelines":[{"prose":"organizations with which cross-organizational audit information is to be shared are defined;"}]},{"id":"au-16.02_odp.02","props":[{"name":"alt-identifier","value":"au-16.2_prm_2"},{"name":"label","value":"AU-16(02)_ODP[02]","class":"sp800-53a"}],"label":"cross-organizational sharing agreements","guidelines":[{"prose":"cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;"}]}],"props":[{"name":"label","value":"AU-16(2)"},{"name":"label","value":"AU-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-16.2_smt","name":"statement","prose":"Provide cross-organizational audit information to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}."},{"id":"au-16.2_gdn","name":"guidance","prose":"Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations."},{"id":"au-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(02)","class":"sp800-53a"}],"prose":"cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}."},{"id":"au-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"au-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-16.3","class":"SP800-53-enhancement","title":"Disassociability","params":[{"id":"au-16.03_odp","props":[{"name":"alt-identifier","value":"au-16.3_prm_1"},{"name":"label","value":"AU-16(03)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;"}]}],"props":[{"name":"label","value":"AU-16(3)"},{"name":"label","value":"AU-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"}],"parts":[{"id":"au-16.3_smt","name":"statement","prose":"Implement {{ insert: param, au-16.03_odp }} to disassociate individuals from audit information transmitted across organizational boundaries."},{"id":"au-16.3_gdn","name":"guidance","prose":"Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability."},{"id":"au-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(03)","class":"sp800-53a"}],"prose":"{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries."},{"id":"au-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\npolicy and\/or procedures regarding the deidentification of PII\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing disassociability"}]}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;"},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."}]}]}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"}]}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;"},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments."},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-02.02_odp.01","props":[{"name":"alt-identifier","value":"ca-2.2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"specialized assessment frequency","guidelines":[{"prose":"frequency at which to include specialized assessments as part of the control assessment is defined;"}]},{"id":"ca-02.02_odp.02","props":[{"name":"alt-identifier","value":"ca-2.2_prm_2"},{"name":"label","value":"CA-02(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["announced","unannounced"]}},{"id":"ca-02.02_odp.03","props":[{"name":"alt-identifier","value":"ca-2.2_prm_3"},{"name":"label","value":"CA-02(02)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-depth monitoring","security instrumentation","automated security test cases","vulnerability scanning","malicious user testing","insider threat assessment","performance and load testing","data leakage or data loss assessment","{{ insert: param, ca-02.02_odp.04 }} "]}},{"id":"ca-02.02_odp.04","props":[{"name":"alt-identifier","value":"ca-2.2_prm_4"},{"name":"label","value":"CA-02(02)_ODP[04]","class":"sp800-53a"}],"label":"other forms of assessment","guidelines":[{"prose":"other forms of assessment are defined (if selected);"}]}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"label","value":"CA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)."},{"id":"ca-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments."},{"id":"ca-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment"}]}]},{"id":"ca-2.3","class":"SP800-53-enhancement","title":"Leveraging Results from External Organizations","params":[{"id":"ca-02.03_odp.01","props":[{"name":"alt-identifier","value":"ca-2.3_prm_1"},{"name":"alt-label","value":"external organization","class":"sp800-53"},{"name":"label","value":"CA-02(03)_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from which the results of control assessments are leveraged are defined;"}]},{"id":"ca-02.03_odp.02","props":[{"name":"alt-identifier","value":"ca-2.3_prm_2"},{"name":"label","value":"CA-02(03)_ODP[02]","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"system on which a control assessment was performed by an external organization is defined;"}]},{"id":"ca-02.03_odp.03","props":[{"name":"alt-identifier","value":"ca-2.3_prm_3"},{"name":"label","value":"CA-02(03)_ODP[03]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements to be met by the control assessment performed by an external organization on the system are defined;"}]}],"props":[{"name":"label","value":"CA-2(3)"},{"name":"label","value":"CA-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"ca-2.3_smt","name":"statement","prose":"Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}."},{"id":"ca-2.3_gdn","name":"guidance","prose":"Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage."},{"id":"ca-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(03)","class":"sp800-53a"}],"prose":"the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}."},{"id":"ca-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements","{{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;"},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}],"controls":[{"id":"ca-3.1","class":"SP800-53-enhancement","title":"Unclassified National Security System Connections","props":[{"name":"label","value":"CA-3(1)"},{"name":"label","value":"CA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.25","rel":"moved-to"}]},{"id":"ca-3.2","class":"SP800-53-enhancement","title":"Classified National Security System Connections","props":[{"name":"label","value":"CA-3(2)"},{"name":"label","value":"CA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.26","rel":"moved-to"}]},{"id":"ca-3.3","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","props":[{"name":"label","value":"CA-3(3)"},{"name":"label","value":"CA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.27","rel":"moved-to"}]},{"id":"ca-3.4","class":"SP800-53-enhancement","title":"Connections to Public Networks","props":[{"name":"label","value":"CA-3(4)"},{"name":"label","value":"CA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.28","rel":"moved-to"}]},{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions on External System Connections","props":[{"name":"label","value":"CA-3(5)"},{"name":"label","value":"CA-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.5","rel":"moved-to"}]},{"id":"ca-3.6","class":"SP800-53-enhancement","title":"Transfer Authorizations","props":[{"name":"label","value":"CA-3(6)"},{"name":"label","value":"CA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ca-3.6_smt","name":"statement","prose":"Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_gdn","name":"guidance","prose":"To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)."},{"id":"ca-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(06)","class":"sp800-53a"}],"prose":"individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]},{"id":"ca-3.7","class":"SP800-53-enhancement","title":"Transitive Information Exchanges","props":[{"name":"label","value":"CA-3(7)"},{"name":"label","value":"CA-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ca-3.7_smt","name":"statement","parts":[{"id":"ca-3.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a) ; and"},{"id":"ca-3.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated."}]},{"id":"ca-3.7_gdn","name":"guidance","prose":"Transitive or \"downstream\" information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts."},{"id":"ca-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)","class":"sp800-53a"}],"parts":[{"id":"ca-3.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)(a)","class":"sp800-53a"}],"prose":"transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;"},{"id":"ca-3.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)(b)","class":"sp800-53a"}],"prose":"measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated."}]},{"id":"ca-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-4","class":"SP800-53","title":"Security Certification","props":[{"name":"label","value":"CA-4"},{"name":"label","value":"CA-04","class":"sp800-53a"},{"name":"sort-id","value":"ca-04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-2","rel":"incorporated-into"}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}],"controls":[{"id":"ca-5.1","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"ca-05.01_odp","props":[{"name":"alt-identifier","value":"ca-5.1_prm_1"},{"name":"label","value":"CA-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;"}]}],"props":[{"name":"label","value":"CA-5(1)"},{"name":"label","value":"CA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-5","rel":"required"}],"parts":[{"id":"ca-5.1_smt","name":"statement","prose":"Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using {{ insert: param, ca-05.01_odp }}."},{"id":"ca-5.1_gdn","name":"guidance","prose":"Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner."},{"id":"ca-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system."},{"id":"ca-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for developing, implementing, and maintaining a plan of action and milestones"}]}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;"},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}],"controls":[{"id":"ca-6.1","class":"SP800-53-enhancement","title":"Joint Authorization — Intra-organization","props":[{"name":"label","value":"CA-6(1)"},{"name":"label","value":"CA-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-6","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ca-6.1_smt","name":"statement","prose":"Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization."},{"id":"ca-6.1_gdn","name":"guidance","prose":"Assigning multiple authorizing officials from the same organization to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It also implements the concepts of separation of duties and dual authorization as applied to the system authorization process. The intra-organization joint authorization process is most relevant for connected systems, shared systems, and systems with multiple information owners."},{"id":"ca-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)","class":"sp800-53a"}],"parts":[{"id":"ca-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)[01]","class":"sp800-53a"}],"prose":"a joint authorization process is employed for the system;"},{"id":"ca-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)[02]","class":"sp800-53a"}],"prose":"the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization."}]},{"id":"ca-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-6.2","class":"SP800-53-enhancement","title":"Joint Authorization — Inter-organization","props":[{"name":"label","value":"CA-6(2)"},{"name":"label","value":"CA-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-6","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ca-6.2_smt","name":"statement","prose":"Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization."},{"id":"ca-6.2_gdn","name":"guidance","prose":"Assigning multiple authorizing officials, at least one of whom comes from an external organization, to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization that owns or hosts the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision. The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization."},{"id":"ca-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)","class":"sp800-53a"}],"parts":[{"id":"ca-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)[01]","class":"sp800-53a"}],"prose":"a joint authorization process is employed for the system;"},{"id":"ca-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)[02]","class":"sp800-53a"}],"prose":"the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization."}]},{"id":"ca-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;"},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."}]}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.2","class":"SP800-53-enhancement","title":"Types of Assessments","props":[{"name":"label","value":"CA-7(2)"},{"name":"label","value":"CA-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-2","rel":"incorporated-into"}]},{"id":"ca-7.3","class":"SP800-53-enhancement","title":"Trend Analyses","props":[{"name":"label","value":"CA-7(3)"},{"name":"label","value":"CA-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.3_smt","name":"statement","prose":"Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data."},{"id":"ca-7.3_gdn","name":"guidance","prose":"Trend analyses include examining recent threat information that addresses the types of threat events that have occurred in the organization or the Federal Government, success rates of certain types of attacks, emerging vulnerabilities in technologies, evolving social engineering techniques, the effectiveness of configuration settings, results from multiple control assessments, and findings from Inspectors General or auditors."},{"id":"ca-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)","class":"sp800-53a"}],"parts":[{"id":"ca-7.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[01]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;"},{"id":"ca-7.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[02]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;"},{"id":"ca-7.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[03]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data."}]},{"id":"ca-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nassessment, authorization, and monitoring policy\n\nprocedures addressing continuous monitoring of system controls\n\nprivacy controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting trend analyses"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;"},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring."}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]},{"id":"ca-7.5","class":"SP800-53-enhancement","title":"Consistency Analysis","params":[{"id":"ca-7.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07.05_odp.02"}],"label":"organization-defined actions"},{"id":"ca-07.05_odp.01","props":[{"name":"label","value":"CA-07(05)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to validate that policies are established are defined;"}]},{"id":"ca-07.05_odp.02","props":[{"name":"label","value":"CA-07(05)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to validate that implemented controls are operating in a consistent manner are defined;"}]}],"props":[{"name":"label","value":"CA-7(5)"},{"name":"label","value":"CA-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.5_smt","name":"statement","prose":"Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: {{ insert: param, ca-7.5_prm_1 }}."},{"id":"ca-7.5_gdn","name":"guidance","prose":"Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). In other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate—through testing, monitoring, and analysis—that the implemented controls are operating in a consistent, coordinated, non-interfering manner."},{"id":"ca-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)","class":"sp800-53a"}],"parts":[{"id":"ca-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;"},{"id":"ca-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner."}]},{"id":"ca-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system security controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ca-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting consistency analyses"}]}]},{"id":"ca-7.6","class":"SP800-53-enhancement","title":"Automation Support for Monitoring","params":[{"id":"ca-07.06_odp","props":[{"name":"alt-identifier","value":"ca-7.6_prm_1"},{"name":"label","value":"CA-07(06)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;"}]}],"props":[{"name":"label","value":"CA-7(6)"},{"name":"label","value":"CA-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.6_smt","name":"statement","prose":"Ensure the accuracy, currency, and availability of monitoring results for the system using {{ insert: param, ca-07.06_odp }}."},{"id":"ca-7.6_gdn","name":"guidance","prose":"Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information which in turns helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions."},{"id":"ca-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system."},{"id":"ca-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting automated monitoring"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-08_odp.01","props":[{"name":"alt-identifier","value":"ca-8_prm_1"},{"name":"label","value":"CA-08_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct penetration testing on systems or system components is defined;"}]},{"id":"ca-08_odp.02","props":[{"name":"alt-identifier","value":"ca-8_prm_2"},{"name":"alt-label","value":"systems or system components","class":"sp800-53"},{"name":"label","value":"CA-08_ODP[02]","class":"sp800-53a"}],"label":"system(s) or system components","guidelines":[{"prose":"systems or system components on which penetration testing is to be conducted are defined;"}]}],"props":[{"name":"label","value":"CA-8"},{"name":"label","value":"CA-08","class":"sp800-53a"},{"name":"sort-id","value":"ca-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and\/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing."},{"id":"ca-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08","class":"sp800-53a"}],"prose":"penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Testing Agent or Team","props":[{"name":"label","value":"CA-8(1)"},{"name":"label","value":"CA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"Employ an independent penetration testing agent or team to perform penetration testing on the system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing."},{"id":"ca-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(01)","class":"sp800-53a"}],"prose":"an independent penetration testing agent or team is employed to perform penetration testing on the system or system components."},{"id":"ca-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-8.2","class":"SP800-53-enhancement","title":"Red Team Exercises","params":[{"id":"ca-08.02_odp","props":[{"name":"alt-identifier","value":"ca-8.2_prm_1"},{"name":"label","value":"CA-08(02)_ODP","class":"sp800-53a"}],"label":"red team exercises","guidelines":[{"prose":"red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;"}]}],"props":[{"name":"label","value":"CA-8(2)"},{"name":"label","value":"CA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"}],"parts":[{"id":"ca-8.2_smt","name":"statement","prose":"Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}."},{"id":"ca-8.2_gdn","name":"guidance","prose":"Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and\/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness."},{"id":"ca-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement."},{"id":"ca-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the employment of red team exercises"}]}]},{"id":"ca-8.3","class":"SP800-53-enhancement","title":"Facility Penetration Testing","params":[{"id":"ca-08.03_odp.01","props":[{"name":"alt-identifier","value":"ca-8.3_prm_1"},{"name":"label","value":"CA-08(03)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;"}]},{"id":"ca-08.03_odp.02","props":[{"name":"alt-identifier","value":"ca-8.3_prm_2"},{"name":"label","value":"CA-08(03)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["announced","unannounced"]}}],"props":[{"name":"label","value":"CA-8(3)"},{"name":"label","value":"CA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ca-8.3_smt","name":"statement","prose":"Employ a penetration testing process that includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to the facility."},{"id":"ca-8.3_gdn","name":"guidance","prose":"Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems."},{"id":"ca-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(03)","class":"sp800-53a"}],"prose":"the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility."},{"id":"ca-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting the employment of red team exercises"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;"},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;"},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;"},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}],"controls":[{"id":"ca-9.1","class":"SP800-53-enhancement","title":"Compliance Checks","props":[{"name":"label","value":"CA-9(1)"},{"name":"label","value":"CA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-9","rel":"required"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"ca-9.1_smt","name":"statement","prose":"Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection."},{"id":"ca-9.1_gdn","name":"guidance","prose":"Compliance checks include verification of the relevant baseline configuration."},{"id":"ca-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)","class":"sp800-53a"}],"parts":[{"id":"ca-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)[01]","class":"sp800-53a"}],"prose":"security compliance checks are performed on constituent system components prior to the establishment of the internal connection;"},{"id":"ca-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)[02]","class":"sp800-53a"}],"prose":"privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection."}]},{"id":"ca-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting compliance checks"}]}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;"},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."}]}]}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;"},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."}]}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","props":[{"name":"label","value":"CM-2(1)"},{"name":"label","value":"CM-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-2","rel":"incorporated-into"}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback."},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.4","class":"SP800-53-enhancement","title":"Unauthorized Software","props":[{"name":"label","value":"CM-2(4)"},{"name":"label","value":"CM-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.4","rel":"incorporated-into"}]},{"id":"cm-2.5","class":"SP800-53-enhancement","title":"Authorized Software","props":[{"name":"label","value":"CM-2(5)"},{"name":"label","value":"CM-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.5","rel":"incorporated-into"}]},{"id":"cm-2.6","class":"SP800-53-enhancement","title":"Development and Test Environments","props":[{"name":"label","value":"CM-2(6)"},{"name":"label","value":"CM-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-4","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-2.6_smt","name":"statement","prose":"Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration."},{"id":"cm-2.6_gdn","name":"guidance","prose":"Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility. Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations do not necessarily require separate physical environments."},{"id":"cm-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)","class":"sp800-53a"}],"parts":[{"id":"cm-2.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)[01]","class":"sp800-53a"}],"prose":"a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;"},{"id":"cm-2.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)[02]","class":"sp800-53a"}],"prose":"a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained."}]},{"id":"cm-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms implementing separate baseline configurations for development, test, and operational environments"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;"},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;"},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;"},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;"},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;"},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."}]}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Documentation, Notification, and Prohibition of Changes","params":[{"id":"cm-03.01_odp.01","props":[{"name":"alt-identifier","value":"cm-3.1_prm_1"},{"name":"label","value":"CM-03(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate configuration change control are defined;"}]},{"id":"cm-03.01_odp.02","props":[{"name":"alt-identifier","value":"cm-3.1_prm_2"},{"name":"label","value":"CM-03(01)_ODP[02]","class":"sp800-53a"}],"label":"approval authorities","guidelines":[{"prose":"approval authorities to be notified of and request approval for proposed changes to the system are defined;"}]},{"id":"cm-03.01_odp.03","props":[{"name":"alt-identifier","value":"cm-3.1_prm_3"},{"name":"label","value":"CM-03(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to highlight changes that have not been approved or disapproved is defined;"}]},{"id":"cm-03.01_odp.04","props":[{"name":"alt-identifier","value":"cm-3.1_prm_4"},{"name":"label","value":"CM-03(01)_ODP[04]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to be notified when approved changes are complete is\/are defined;"}]}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"label","value":"CM-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"Use {{ insert: param, cm-03.01_odp.01 }} to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_gdn","name":"guidance","prose":"None."},{"id":"cm-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)","class":"sp800-53a"}],"parts":[{"id":"cm-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;"},{"id":"cm-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(d)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(e)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;"},{"id":"cm-3.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(f)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;"},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes."}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.3","class":"SP800-53-enhancement","title":"Automated Change Implementation","params":[{"id":"cm-03.03_odp","props":[{"name":"alt-identifier","value":"cm-3.3_prm_1"},{"name":"label","value":"CM-03(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;"}]}],"props":[{"name":"label","value":"CM-3(3)"},{"name":"label","value":"CM-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.3_smt","name":"statement","prose":"Implement changes to the current system baseline and deploy the updated baseline across the installed base using {{ insert: param, cm-03.03_odp }}."},{"id":"cm-3.3_gdn","name":"guidance","prose":"Automated tools can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)","class":"sp800-53a"}],"parts":[{"id":"cm-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)[01]","class":"sp800-53a"}],"prose":"changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};"},{"id":"cm-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)[02]","class":"sp800-53a"}],"prose":"the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}."}]},{"id":"cm-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nchange control records\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing changes to current system baseline"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]},{"id":"cm-3.5","class":"SP800-53-enhancement","title":"Automated Security Response","params":[{"id":"cm-03.05_odp","props":[{"name":"alt-identifier","value":"cm-3.5_prm_1"},{"name":"label","value":"CM-03(05)_ODP","class":"sp800-53a"}],"label":"security responses","guidelines":[{"prose":"security responses to be automatically implemented are defined;"}]}],"props":[{"name":"label","value":"CM-3(5)"},{"name":"label","value":"CM-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.5_smt","name":"statement","prose":"Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: {{ insert: param, cm-03.05_odp }}."},{"id":"cm-3.5_gdn","name":"guidance","prose":"Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item."},{"id":"cm-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner."},{"id":"cm-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nconfiguration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized baseline configuration changes\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing security responses to unauthorized changes to the baseline configurations"}]}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","params":[{"id":"cm-03.06_odp","props":[{"name":"alt-identifier","value":"cm-3.6_prm_1"},{"name":"label","value":"CM-03(06)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls provided by cryptographic mechanisms that are to be under configuration management are defined;"}]}],"props":[{"name":"label","value":"CM-3(6)"},{"name":"label","value":"CM-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}."},{"id":"cm-3.6_gdn","name":"guidance","prose":"The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates."},{"id":"cm-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(06)","class":"sp800-53a"}],"prose":"cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management."},{"id":"cm-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)"}]}]},{"id":"cm-3.7","class":"SP800-53-enhancement","title":"Review System Changes","params":[{"id":"cm-03.07_odp.01","props":[{"name":"alt-identifier","value":"cm-3.7_prm_1"},{"name":"label","value":"CM-03(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which changes are to be reviewed is defined;"}]},{"id":"cm-03.07_odp.02","props":[{"name":"alt-identifier","value":"cm-3.7_prm_2"},{"name":"label","value":"CM-03(07)_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances under which changes are to be reviewed are defined;"}]}],"props":[{"name":"label","value":"CM-3(7)"},{"name":"label","value":"CM-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"cm-3.7_smt","name":"statement","prose":"Review changes to the system {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred."},{"id":"cm-3.7_gdn","name":"guidance","prose":"Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process."},{"id":"cm-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(07)","class":"sp800-53a"}],"prose":"changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred."},{"id":"cm-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms implementing audit records for changes"}]}]},{"id":"cm-3.8","class":"SP800-53-enhancement","title":"Prevent or Restrict Configuration Changes","params":[{"id":"cm-03.08_odp","props":[{"name":"alt-identifier","value":"cm-3.8_prm_1"},{"name":"label","value":"CM-03(08)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances under which changes are to be prevented or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-3(8)"},{"name":"label","value":"CM-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.8_smt","name":"statement","prose":"Prevent or restrict changes to the configuration of the system under the following circumstances: {{ insert: param, cm-03.08_odp }}."},{"id":"cm-3.8_gdn","name":"guidance","prose":"System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms."},{"id":"cm-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(08)","class":"sp800-53a"}],"prose":"changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}."},{"id":"cm-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;"},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation."}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"label","value":"CM-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation."},{"id":"cm-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)","class":"sp800-53a"}],"parts":[{"id":"cm-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed in a separate test environment before implementation in an operational environment;"},{"id":"cm-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to flaws;"},{"id":"cm-4.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[03]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to flaws;"},{"id":"cm-4.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[04]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to weaknesses;"},{"id":"cm-4.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[05]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to weaknesses;"},{"id":"cm-4.1_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[06]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to incompatibility;"},{"id":"cm-4.1_obj-7","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[07]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to incompatibility;"},{"id":"cm-4.1_obj-8","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[08]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to intentional malice;"},{"id":"cm-4.1_obj-9","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[09]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to intentional malice."}]},{"id":"cm-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]},{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;"},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;"},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;"},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced."}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement and Audit Records","params":[{"id":"cm-05.01_odp","props":[{"name":"alt-identifier","value":"cm-5.1_prm_1"},{"name":"label","value":"CM-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the enforcement of access restrictions are defined;"}]}],"props":[{"name":"label","value":"CM-5(1)"},{"name":"label","value":"CM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-5.1_smt","name":"statement","parts":[{"id":"cm-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and"},{"id":"cm-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Automatically generate audit records of the enforcement actions."}]},{"id":"cm-5.1_gdn","name":"guidance","prose":"Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes."},{"id":"cm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)","class":"sp800-53a"}],"parts":[{"id":"cm-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(a)","class":"sp800-53a"}],"prose":"access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};"},{"id":"cm-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(b)","class":"sp800-53a"}],"prose":"audit records of enforcement actions are automatically generated."}]},{"id":"cm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.2","class":"SP800-53-enhancement","title":"Review System Changes","props":[{"name":"label","value":"CM-5(2)"},{"name":"label","value":"CM-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-3.7","rel":"incorporated-into"}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","props":[{"name":"label","value":"CM-5(3)"},{"name":"label","value":"CM-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-14","rel":"moved-to"}]},{"id":"cm-5.4","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"cm-5.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.04_odp.02"}],"label":"organization-defined system components and system-level information"},{"id":"cm-05.04_odp.01","props":[{"name":"label","value":"CM-05(04)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring dual authorization for changes are defined;"}]},{"id":"cm-05.04_odp.02","props":[{"name":"label","value":"CM-05(04)_ODP[02]","class":"sp800-53a"}],"label":"system-level information","guidelines":[{"prose":"system-level information requiring dual authorization for changes is defined;"}]}],"props":[{"name":"label","value":"CM-5(4)"},{"name":"label","value":"CM-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"cm-5.4_smt","name":"statement","prose":"Enforce dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}."},{"id":"cm-5.4_gdn","name":"guidance","prose":"Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures."},{"id":"cm-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)","class":"sp800-53a"}],"parts":[{"id":"cm-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)[01]","class":"sp800-53a"}],"prose":"dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;"},{"id":"cm-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)[02]","class":"sp800-53a"}],"prose":"dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced."}]},{"id":"cm-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem component inventory\n\nsystem information types information\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with dual authorization enforcement responsibilities for implementing system changes\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms implementing dual authorization enforcement"}]}]},{"id":"cm-5.5","class":"SP800-53-enhancement","title":"Privilege Limitation for Production and Operation","params":[{"id":"cm-5.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.05_odp.02"}],"label":"organization-defined frequency"},{"id":"cm-05.05_odp.01","props":[{"name":"label","value":"CM-05(05)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review privileges is defined;"}]},{"id":"cm-05.05_odp.02","props":[{"name":"label","value":"CM-05(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to reevaluate privileges is defined;"}]}],"props":[{"name":"label","value":"CM-5(5)"},{"name":"label","value":"CM-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"}],"parts":[{"id":"cm-5.5_smt","name":"statement","parts":[{"id":"cm-5.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Limit privileges to change system components and system-related information within a production or operational environment; and"},{"id":"cm-5.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}."}]},{"id":"cm-5.5_gdn","name":"guidance","prose":"In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission\/business processes are, in some cases, unknown to developers. System-related information includes operational procedures."},{"id":"cm-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)[01]","class":"sp800-53a"}],"prose":"privileges to change system components within a production or operational environment are limited;"},{"id":"cm-5.5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)[02]","class":"sp800-53a"}],"prose":"privileges to change system-related information within a production or operational environment are limited;"}]},{"id":"cm-5.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)[01]","class":"sp800-53a"}],"prose":"privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};"},{"id":"cm-5.5_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)[02]","class":"sp800-53a"}],"prose":"privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}."}]}]},{"id":"cm-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting and\/or implementing access restrictions for change"}]}]},{"id":"cm-5.6","class":"SP800-53-enhancement","title":"Limit Library Privileges","props":[{"name":"label","value":"CM-5(6)"},{"name":"label","value":"CM-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"}],"parts":[{"id":"cm-5.6_smt","name":"statement","prose":"Limit privileges to change software resident within software libraries."},{"id":"cm-5.6_gdn","name":"guidance","prose":"Software libraries include privileged programs."},{"id":"cm-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(06)","class":"sp800-53a"}],"prose":"privileges to change software resident within software libraries are limited."},{"id":"cm-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting and\/or implementing access restrictions for change"}]}]},{"id":"cm-5.7","class":"SP800-53-enhancement","title":"Automatic Implementation of Security Safeguards","props":[{"name":"label","value":"CM-5(7)"},{"name":"label","value":"CM-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;"},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;"},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures."}]}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Management, Application, and Verification","params":[{"id":"cm-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-06.01_odp.01","props":[{"name":"alt-identifier","value":"cm-6.1_prm_1"},{"name":"label","value":"CM-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to manage, apply, and verify configuration settings are defined;"}]},{"id":"cm-06.01_odp.02","props":[{"name":"label","value":"CM-06(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to manage configuration settings are defined;"}]},{"id":"cm-06.01_odp.03","props":[{"name":"label","value":"CM-06(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to apply configuration settings are defined;"}]},{"id":"cm-06.01_odp.04","props":[{"name":"label","value":"CM-06(01)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to verify configuration settings are defined;"}]}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"label","value":"CM-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}."},{"id":"cm-6.1_gdn","name":"guidance","prose":"Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)","class":"sp800-53a"}],"parts":[{"id":"cm-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[01]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};"},{"id":"cm-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[02]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};"},{"id":"cm-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[03]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}."}]},{"id":"cm-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-06.02_odp.01","props":[{"name":"alt-identifier","value":"cm-6.2_prm_2"},{"name":"label","value":"CM-06(02)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken upon an unauthorized change are defined;"}]},{"id":"cm-06.02_odp.02","props":[{"name":"alt-identifier","value":"cm-6.2_prm_1"},{"name":"label","value":"CM-06(02)_ODP[02]","class":"sp800-53a"}],"label":"configuration settings","guidelines":[{"prose":"configuration settings requiring action upon an unauthorized change are defined;"}]}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"label","value":"CM-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing."},{"id":"cm-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(02)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}."},{"id":"cm-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and\/or implementing actions in response to unauthorized changes"}]}]},{"id":"cm-6.3","class":"SP800-53-enhancement","title":"Unauthorized Change Detection","props":[{"name":"label","value":"CM-6(3)"},{"name":"label","value":"CM-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]},{"id":"cm-6.4","class":"SP800-53-enhancement","title":"Conformance Demonstration","props":[{"name":"label","value":"CM-6(4)"},{"name":"label","value":"CM-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-4","rel":"incorporated-into"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."}]}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:"},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;"},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;"},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed."}]}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.3","class":"SP800-53-enhancement","title":"Registration Compliance","params":[{"id":"cm-07.03_odp","props":[{"name":"alt-identifier","value":"cm-7.3_prm_1"},{"name":"alt-label","value":"registration requirements for functions, ports, protocols, and services","class":"sp800-53"},{"name":"label","value":"CM-07(03)_ODP","class":"sp800-53a"}],"label":"registration requirements","guidelines":[{"prose":"registration requirements for functions, ports, protocols, and services are defined;"}]}],"props":[{"name":"label","value":"CM-7(3)"},{"name":"label","value":"CM-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-7","rel":"required"}],"parts":[{"id":"cm-7.3_smt","name":"statement","prose":"Ensure compliance with {{ insert: param, cm-07.03_odp }}."},{"id":"cm-7.3_gdn","name":"guidance","prose":"Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services."},{"id":"cm-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(03)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.03_odp }} are complied with."},{"id":"cm-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nconfiguration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\naudit and compliance reviews\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes ensuring compliance with registration requirements for functions, ports, protocols, and\/or services\n\nmechanisms implementing compliance with registration requirements for functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.4","class":"SP800-53-enhancement","title":"Unauthorized Software — Deny-by-exception","params":[{"id":"cm-07.04_odp.01","props":[{"name":"alt-identifier","value":"cm-7.4_prm_1"},{"name":"alt-label","value":"software programs not authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(04)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs not authorized to execute on the system are defined;"}]},{"id":"cm-07.04_odp.02","props":[{"name":"alt-identifier","value":"cm-7.4_prm_2"},{"name":"label","value":"CM-07(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of unauthorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(4)"},{"name":"label","value":"CM-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"}],"parts":[{"id":"cm-7.4_smt","name":"statement","parts":[{"id":"cm-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.04_odp.01 }};"},{"id":"cm-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and"},{"id":"cm-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}."}]},{"id":"cm-7.4_gdn","name":"guidance","prose":"Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses."},{"id":"cm-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)","class":"sp800-53a"}],"parts":[{"id":"cm-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.04_odp.01 }} are identified;"},{"id":"cm-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(b)","class":"sp800-53a"}],"prose":"an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;"},{"id":"cm-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(c)","class":"sp800-53a"}],"prose":"the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}."}]},{"id":"cm-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs not authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of unauthorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software not authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs not authorized to execute on the system\n\norganizational process for implementing unauthorized software policy\n\nmechanisms supporting and\/or implementing unauthorized software policy"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.05_odp.01 }} are identified;"},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]},{"id":"cm-7.6","class":"SP800-53-enhancement","title":"Confined Environments with Limited Privileges","params":[{"id":"cm-07.06_odp","props":[{"name":"alt-identifier","value":"cm-7.6_prm_1"},{"name":"label","value":"CM-07(06)_ODP","class":"sp800-53a"}],"label":"user-installed software","guidelines":[{"prose":"user-installed software required to be executed in a confined environment is defined;"}]}],"props":[{"name":"label","value":"CM-7(6)"},{"name":"label","value":"CM-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-11","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"cm-7.6_smt","name":"statement","prose":"Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: {{ insert: param, cm-07.06_odp }}."},{"id":"cm-7.6_gdn","name":"guidance","prose":"Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed."},{"id":"cm-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(06)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges."},{"id":"cm-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of software required to execute in a confined environment\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying and\/or managing user-installed software and associated privileges\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying user-installed software required to execute in a confined environment\n\nmechanisms supporting and\/or implementing the confinement of user-installed software to physical or virtual machine environments\n\nmechanisms supporting and\/or implementing privilege limitations on user-installed software"}]}]},{"id":"cm-7.7","class":"SP800-53-enhancement","title":"Code Execution in Protected Environments","params":[{"id":"cm-07.07_odp","props":[{"name":"alt-identifier","value":"cm-7.7_prm_1"},{"name":"label","value":"CM-07(07)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to explicitly approve execution of binary or machine-executable code is\/are defined;"}]}],"props":[{"name":"label","value":"CM-7(7)"},{"name":"label","value":"CM-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-10","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"cm-7.7_smt","name":"statement","prose":"Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of {{ insert: param, cm-07.07_odp }} when such code is:","parts":[{"id":"cm-7.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Obtained from sources with limited or no warranty; and\/or"},{"id":"cm-7.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Without the provision of source code."}]},{"id":"cm-7.7_gdn","name":"guidance","prose":"Code execution in protected environments applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software."},{"id":"cm-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code is only allowed in confined physical or virtual machine environments;","parts":[{"id":"cm-7.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)(a)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};"},{"id":"cm-7.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)(b)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}."}]},{"id":"cm-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for approving execution of binary or machine-executable code\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\norganizational process for confining binary or machine-executable code to physical or virtual machine environments\n\nmechanisms supporting and\/or implementing the confinement of binary or machine-executable code to physical or virtual machine environments"}]}]},{"id":"cm-7.8","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"CM-7(8)"},{"name":"label","value":"CM-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sa-22","rel":"related"}],"parts":[{"id":"cm-7.8_smt","name":"statement","parts":[{"id":"cm-7.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and"},{"id":"cm-7.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official."}]},{"id":"cm-7.8_gdn","name":"guidance","prose":"Binary or machine executable code applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software. Organizations assess software products without accompanying source code or from sources with limited or no warranty for potential security impacts. The assessments address the fact that software products without the provision of source code may be difficult to review, repair, or extend. In addition, there may be no owners to make such repairs on behalf of organizations. If open-source software is used, the assessments address the fact that there is no warranty, the open-source software could contain back doors or malware, and there may be no support available."},{"id":"cm-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)","class":"sp800-53a"}],"parts":[{"id":"cm-7.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(a)","class":"sp800-53a"}],"prose":"the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;"},{"id":"cm-7.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)[01]","class":"sp800-53a"}],"prose":"exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;"},{"id":"cm-7.8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)[02]","class":"sp800-53a"}],"prose":"exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official."}]}]},{"id":"cm-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for determining mission and operational requirements\n\nauthorizing official for the system\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and\/or implementing the prohibition of binary or machine-executable code"}]}]},{"id":"cm-7.9","class":"SP800-53-enhancement","title":"Prohibiting The Use of Unauthorized Hardware","params":[{"id":"cm-07.09_odp.01","props":[{"name":"alt-identifier","value":"cm-7.9_prm_1"},{"name":"alt-label","value":"hardware components authorized for system use","class":"sp800-53"},{"name":"label","value":"CM-07(09)_ODP[01]","class":"sp800-53a"}],"label":"hardware components","guidelines":[{"prose":"hardware components authorized for system use are defined;"}]},{"id":"cm-07.09_odp.02","props":[{"name":"alt-identifier","value":"cm-7.9_prm_2"},{"name":"label","value":"CM-07(09)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized hardware components is defined;"}]}],"props":[{"name":"label","value":"CM-7(9)"},{"name":"label","value":"CM-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"}],"parts":[{"id":"cm-7.9_smt","name":"statement","parts":[{"id":"cm-7.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.09_odp.01 }};"},{"id":"cm-7.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Prohibit the use or connection of unauthorized hardware components;"},{"id":"cm-7.9_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized hardware components {{ insert: param, cm-07.09_odp.02 }}."}]},{"id":"cm-7.9_gdn","name":"guidance","prose":"Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the inventory of hardware components and controlling which hardware components are permitted to be installed or connected to organizational systems is essential in order to provide adequate security."},{"id":"cm-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)","class":"sp800-53a"}],"parts":[{"id":"cm-7.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.09_odp.01 }} are identified;"},{"id":"cm-7.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(b)","class":"sp800-53a"}],"prose":"the use or connection of unauthorized hardware components is prohibited;"},{"id":"cm-7.9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(c)","class":"sp800-53a"}],"prose":"the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}."}]},{"id":"cm-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nnetwork connection policy and procedures\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system hardware management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and\/or implementing the prohibition of binary or machine-executable code"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;"},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;"},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;"},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;"},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates."}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","params":[{"id":"cm-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.02_odp.01","props":[{"name":"label","value":"CM-08(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the currency of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.02","props":[{"name":"label","value":"CM-08(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the completeness of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.03","props":[{"name":"label","value":"CM-08(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the accuracy of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.04","props":[{"name":"label","value":"CM-08(02)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the availability of the system component inventory are defined;"}]}],"props":[{"name":"label","value":"CM-8(2)"},{"name":"label","value":"CM-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)","class":"sp800-53a"}],"parts":[{"id":"cm-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;"},{"id":"cm-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;"},{"id":"cm-8.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;"},{"id":"cm-8.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory."}]},{"id":"cm-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."}]}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-08.04_odp","props":[{"name":"alt-identifier","value":"cm-8.4_prm_1"},{"name":"label","value":"CM-08(04)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"label","value":"CM-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)."},{"id":"cm-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(04)","class":"sp800-53a"}],"prose":"individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory."},{"id":"cm-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"label","value":"CM-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8","rel":"incorporated-into"}]},{"id":"cm-8.6","class":"SP800-53-enhancement","title":"Assessed Configurations and Approved Deviations","props":[{"name":"label","value":"CM-8(6)"},{"name":"label","value":"CM-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.6_smt","name":"statement","prose":"Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory."},{"id":"cm-8.6_gdn","name":"guidance","prose":"Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings."},{"id":"cm-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)","class":"sp800-53a"}],"parts":[{"id":"cm-8.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)[01]","class":"sp800-53a"}],"prose":"assessed component configurations are included in the system component inventory;"},{"id":"cm-8.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)[02]","class":"sp800-53a"}],"prose":"any approved deviations to current deployed configurations are included in the system component inventory."}]},{"id":"cm-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with assessment responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-8.7","class":"SP800-53-enhancement","title":"Centralized Repository","props":[{"name":"label","value":"CM-8(7)"},{"name":"label","value":"CM-08(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.7_smt","name":"statement","prose":"Provide a centralized repository for the inventory of system components."},{"id":"cm-8.7_gdn","name":"guidance","prose":"Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability."},{"id":"cm-8.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(07)","class":"sp800-53a"}],"prose":"a centralized repository for the system component inventory is provided."},{"id":"cm-8.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with security responsibilities\n\n"}]},{"id":"cm-8.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-8.8","class":"SP800-53-enhancement","title":"Automated Location Tracking","params":[{"id":"cm-08.08_odp","props":[{"name":"alt-identifier","value":"cm-8.8_prm_1"},{"name":"label","value":"CM-08(08)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for tracking components are defined;"}]}],"props":[{"name":"label","value":"CM-8(8)"},{"name":"label","value":"CM-08(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.8_smt","name":"statement","prose":"Support the tracking of system components by geographic location using {{ insert: param, cm-08.08_odp }}."},{"id":"cm-8.8_gdn","name":"guidance","prose":"The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications that affect individual privacy."},{"id":"cm-8.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(08)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location."},{"id":"cm-8.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-8.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nautomated mechanisms supporting and\/or implementing system component inventory\n\nautomated mechanisms supporting and\/or implementing tracking of components by geographic locations"}]}]},{"id":"cm-8.9","class":"SP800-53-enhancement","title":"Assignment of Components to Systems","params":[{"id":"cm-08.09_odp","props":[{"name":"alt-identifier","value":"cm-8.9_prm_1"},{"name":"label","value":"CM-08(09)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from which to receive an acknowledgement is\/are defined;"}]}],"props":[{"name":"label","value":"CM-8(9)"},{"name":"label","value":"CM-08(09)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.9_smt","name":"statement","parts":[{"id":"cm-8.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assign system components to a system; and"},{"id":"cm-8.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment."}]},{"id":"cm-8.9_gdn","name":"guidance","prose":"System components that are not assigned to a system may be unmanaged, lack the required protection, and become an organizational vulnerability."},{"id":"cm-8.9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)","class":"sp800-53a"}],"parts":[{"id":"cm-8.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)(a)","class":"sp800-53a"}],"prose":"system components are assigned to a system;"},{"id":"cm-8.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)(b)","class":"sp800-53a"}],"prose":"an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}."}]},{"id":"cm-8.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nchange control records\n\nacknowledgements of system component assignments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\nsystem owner\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning components to systems\n\norganizational processes for acknowledging assignment of components to systems\n\nmechanisms implementing assignment of components to the system\n\nmechanisms implementing acknowledgment of assignment of components to the system"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;"},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;"},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;"},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;"},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;"},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;"},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification."}]}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}],"controls":[{"id":"cm-9.1","class":"SP800-53-enhancement","title":"Assignment of Responsibility","props":[{"name":"label","value":"CM-9(1)"},{"name":"label","value":"CM-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-9","rel":"required"}],"parts":[{"id":"cm-9.1_smt","name":"statement","prose":"Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development."},{"id":"cm-9.1_gdn","name":"guidance","prose":"In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked with developing configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the system development and integration processes and configuration management processes to facilitate quality control and more effective oversight."},{"id":"cm-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09(01)","class":"sp800-53a"}],"prose":"the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development."},{"id":"cm-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing responsibilities for configuration management process development\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for configuration management process development\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;"},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}],"controls":[{"id":"cm-10.1","class":"SP800-53-enhancement","title":"Open-source Software","params":[{"id":"cm-10.01_odp","props":[{"name":"alt-identifier","value":"cm-10.1_prm_1"},{"name":"label","value":"CM-10(01)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of open-source software are defined;"}]}],"props":[{"name":"label","value":"CM-10(1)"},{"name":"label","value":"CM-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-10","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-10.1_smt","name":"statement","prose":"Establish the following restrictions on the use of open-source software: {{ insert: param, cm-10.01_odp }}."},{"id":"cm-10.1_gdn","name":"guidance","prose":"Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software."},{"id":"cm-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10(01)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-10.01_odp }} are established for the use of open-source software."},{"id":"cm-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":"{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}],"controls":[{"id":"cm-11.1","class":"SP800-53-enhancement","title":"Alerts for Unauthorized Installations","props":[{"name":"label","value":"CM-11(1)"},{"name":"label","value":"CM-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8.3","rel":"incorporated-into"}]},{"id":"cm-11.2","class":"SP800-53-enhancement","title":"Software Installation with Privileged Status","props":[{"name":"label","value":"CM-11(2)"},{"name":"label","value":"CM-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-11","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"cm-11.2_smt","name":"statement","prose":"Allow user installation of software only with explicit privileged status."},{"id":"cm-11.2_gdn","name":"guidance","prose":"Privileged status can be obtained, for example, by serving in the role of system administrator."},{"id":"cm-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11(02)","class":"sp800-53a"}],"prose":"user installation of software is allowed only with explicit privileged status."},{"id":"cm-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized software installations\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms for prohibiting installation of software without privileged status (e.g., access controls)"}]}]},{"id":"cm-11.3","class":"SP800-53-enhancement","title":"Automated Enforcement and Monitoring","params":[{"id":"cm-11.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-11.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-11.03_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"cm-11.03_odp.01","props":[{"name":"label","value":"CM-11(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to enforce compliance are defined;"}]},{"id":"cm-11.03_odp.02","props":[{"name":"label","value":"CM-11(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to monitor compliance are defined;"}]}],"props":[{"name":"label","value":"CM-11(3)"},{"name":"label","value":"CM-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-11","rel":"required"}],"parts":[{"id":"cm-11.3_smt","name":"statement","prose":"Enforce and monitor compliance with software installation policies using {{ insert: param, cm-11.3_prm_1 }}."},{"id":"cm-11.3_gdn","name":"guidance","prose":"Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation which can be an indicator of an internal or external hostile attack."},{"id":"cm-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)","class":"sp800-53a"}],"parts":[{"id":"cm-11.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)[01]","class":"sp800-53a"}],"prose":"compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};"},{"id":"cm-11.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)[02]","class":"sp800-53a"}],"prose":"compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}."}]},{"id":"cm-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nautomated mechanisms enforcing policies on installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;"},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."}]}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]},{"id":"cm-13","class":"SP800-53","title":"Data Action Mapping","props":[{"name":"label","value":"CM-13"},{"name":"label","value":"CM-13","class":"sp800-53a"},{"name":"sort-id","value":"cm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-27","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"cm-13_smt","name":"statement","prose":"Develop and document a map of system data actions."},{"id":"cm-13_gdn","name":"guidance","prose":"Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system."},{"id":"cm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-13","class":"sp800-53a"}],"prose":"a map of system data actions is developed and documented."},{"id":"cm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures for identification and documentation of information location\n\nprocedures for mapping data actions\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nother relevant documents or records"}]},{"id":"cm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel responsible for data action mapping\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms supporting or implementing data action mapping"}]}]},{"id":"cm-14","class":"SP800-53","title":"Signed Components","params":[{"id":"cm-14_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-14_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-14_odp.02"}],"label":"organization-defined software and firmware components"},{"id":"cm-14_odp.01","props":[{"name":"label","value":"CM-14_ODP[01]","class":"sp800-53a"}],"label":"software components","guidelines":[{"prose":"software components requiring verification of a digitally signed certificate before installation are defined;"}]},{"id":"cm-14_odp.02","props":[{"name":"label","value":"CM-14_ODP[02]","class":"sp800-53a"}],"label":"firmware components","guidelines":[{"prose":"firmware components requiring verification of a digitally signed certificate before installation are defined;"}]}],"props":[{"name":"label","value":"CM-14"},{"name":"label","value":"CM-14","class":"sp800-53a"},{"name":"sort-id","value":"cm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#cm-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-14_smt","name":"statement","prose":"Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."},{"id":"cm-14_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input\/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication."},{"id":"cm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-14","class":"sp800-53a"}],"parts":[{"id":"cm-14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-14[01]","class":"sp800-53a"}],"prose":"the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;"},{"id":"cm-14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-14[02]","class":"sp800-53a"}],"prose":"the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization."}]},{"id":"cm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing digitally signed certificates for software and firmware components\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location\n\nautomated tools supporting or implementing digitally signatures for software and firmware components\n\nautomated tools supporting or implementing verification of digital signatures for software and firmware component installation"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;"},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."}]}]}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;"},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;"},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;"},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;"},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;"},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"}]}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;"},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;"},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;"},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification."}]}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans."},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"label","value":"CP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance."},{"id":"cp-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)","class":"sp800-53a"}],"parts":[{"id":"cp-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[01]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;"},{"id":"cp-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[02]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;"},{"id":"cp-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[03]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support."}]},{"id":"cp-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.4","class":"SP800-53-enhancement","title":"Resume All Mission and Business Functions","props":[{"name":"label","value":"CP-2(4)"},{"name":"label","value":"CP-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-2.3","rel":"incorporated-into"}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Mission and Business Functions","params":[{"id":"cp-02.05_odp","props":[{"name":"alt-identifier","value":"cp-2.5_prm_1"},{"name":"label","value":"CP-02(05)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(5)"},{"name":"label","value":"CP-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)","class":"sp800-53a"}],"parts":[{"id":"cp-2.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[01]","class":"sp800-53a"}],"prose":"the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;"},{"id":"cp-2.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[02]","class":"sp800-53a"}],"prose":"continuity is sustained until full system restoration at primary processing and\/or storage sites."}]},{"id":"cp-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.6","class":"SP800-53-enhancement","title":"Alternate Processing and Storage Sites","params":[{"id":"cp-02.06_odp","props":[{"name":"alt-identifier","value":"cp-2.6_prm_1"},{"name":"label","value":"CP-02(06)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(6)"},{"name":"label","value":"CP-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.6_smt","name":"statement","prose":"Plan for the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and\/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and\/or storage sites."},{"id":"cp-2.6_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities for alternate processing and storage sites as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)","class":"sp800-53a"}],"parts":[{"id":"cp-2.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)[01]","class":"sp800-53a"}],"prose":"the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and\/or storage sites with minimal or no loss of operational continuity is planned for;"},{"id":"cp-2.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)[02]","class":"sp800-53a"}],"prose":"operational continuity is sustained until full system restoration at primary processing and\/or storage sites."}]},{"id":"cp-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan testing documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transfer of essential mission and business functions to alternate processing\/storage sites"}]}]},{"id":"cp-2.7","class":"SP800-53-enhancement","title":"Coordinate with External Service Providers","props":[{"name":"label","value":"CP-2(7)"},{"name":"label","value":"CP-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"cp-2.7_smt","name":"statement","prose":"Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."},{"id":"cp-2.7_gdn","name":"guidance","prose":"When the capability of an organization to carry out its mission and business functions is dependent on external service providers, developing a comprehensive and timely contingency plan may become more challenging. When mission and business functions are dependent on external service providers, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization."},{"id":"cp-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(07)","class":"sp800-53a"}],"prose":"the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."},{"id":"cp-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncontingency plans of external\n\nservice providers\n\nservice level agreements\n\ncontingency plan requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\nexternal service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."}]}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"label","value":"CP-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_gdn","name":"guidance","prose":"The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures."},{"id":"cp-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for simulating contingency events"}]}]},{"id":"cp-3.2","class":"SP800-53-enhancement","title":"Mechanisms Used in Training Environments","props":[{"name":"label","value":"CP-3(2)"},{"name":"label","value":"CP-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.2_smt","name":"statement","prose":"Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment."},{"id":"cp-3.2_gdn","name":"guidance","prose":"Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission and business processes, systems, and\/or facilities may be used to generate simulated events and enhance the realism of simulated events during contingency training."},{"id":"cp-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(02)","class":"sp800-53a"}],"prose":"mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment."},{"id":"cp-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for providing contingency training environments"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;"},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed."}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans."},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"label","value":"CP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"Test the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","prose":"Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing."},{"id":"cp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)","class":"sp800-53a"}],"parts":[{"id":"cp-4.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(a)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;"},{"id":"cp-4.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(b)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-4.3","class":"SP800-53-enhancement","title":"Automated Testing","params":[{"id":"cp-04.03_odp","props":[{"name":"alt-identifier","value":"cp-4.3_prm_1"},{"name":"label","value":"CP-04(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for contingency plan testing are defined;"}]}],"props":[{"name":"label","value":"CP-4(3)"},{"name":"label","value":"CP-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"}],"parts":[{"id":"cp-4.3_smt","name":"statement","prose":"Test the contingency plan using {{ insert: param, cp-04.03_odp }}."},{"id":"cp-4.3_gdn","name":"guidance","prose":"Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions."},{"id":"cp-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(03)","class":"sp800-53a"}],"prose":"the contingency plan is tested using {{ insert: param, cp-04.03_odp }}."},{"id":"cp-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nautomated mechanisms supporting contingency plan testing\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting contingency plan testing"}]}]},{"id":"cp-4.4","class":"SP800-53-enhancement","title":"Full Recovery and Reconstitution","props":[{"name":"label","value":"CP-4(4)"},{"name":"label","value":"CP-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-10","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"cp-4.4_smt","name":"statement","prose":"Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing."},{"id":"cp-4.4_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes."},{"id":"cp-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)","class":"sp800-53a"}],"parts":[{"id":"cp-4.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)[01]","class":"sp800-53a"}],"prose":"a full recovery of the system to a known state is included as part of contingency plan testing;"},{"id":"cp-4.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)[02]","class":"sp800-53a"}],"prose":"a full reconstitution of the system to a known state is included as part of contingency plan testing."}]},{"id":"cp-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing\n\nmechanisms supporting recovery and reconstitution of the system"}]}]},{"id":"cp-4.5","class":"SP800-53-enhancement","title":"Self-challenge","params":[{"id":"cp-04.05_odp.01","props":[{"name":"alt-identifier","value":"cp-4.5_prm_1"},{"name":"label","value":"CP-04(05)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms employed to disrupt and adversely affect the system or system component are defined;"}]},{"id":"cp-04.05_odp.02","props":[{"name":"alt-identifier","value":"cp-4.5_prm_2"},{"name":"label","value":"CP-04(05)_ODP[02]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"system or system component on which to apply disruption mechanisms are defined;"}]}],"props":[{"name":"label","value":"CP-4(5)"},{"name":"label","value":"CP-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"}],"parts":[{"id":"cp-4.5_smt","name":"statement","prose":"Employ {{ insert: param, cp-04.05_odp.01 }} to {{ insert: param, cp-04.05_odp.02 }} to disrupt and adversely affect the system or system component."},{"id":"cp-4.5_gdn","name":"guidance","prose":"Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack."},{"id":"cp-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}."},{"id":"cp-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing"}]}]}]},{"id":"cp-5","class":"SP800-53","title":"Contingency Plan Update","props":[{"name":"label","value":"CP-5"},{"name":"label","value":"CP-05","class":"sp800-53a"},{"name":"sort-id","value":"cp-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-2","rel":"incorporated-into"}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;"},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time and Recovery Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"label","value":"CP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_gdn","name":"guidance","prose":"Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution."},{"id":"cp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)","class":"sp800-53a"}],"parts":[{"id":"cp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[01]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;"},{"id":"cp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[02]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives."}]},{"id":"cp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site."}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined."}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"label","value":"CP-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place."},{"id":"cp-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(04)","class":"sp800-53a"}],"prose":"the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]},{"id":"cp-7.5","class":"SP800-53-enhancement","title":"Equivalent Information Security Safeguards","props":[{"name":"label","value":"CP-7(5)"},{"name":"label","value":"CP-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-7","rel":"incorporated-into"}]},{"id":"cp-7.6","class":"SP800-53-enhancement","title":"Inability to Return to Primary Site","props":[{"name":"label","value":"CP-7(6)"},{"name":"label","value":"CP-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.6_smt","name":"statement","prose":"Plan and prepare for circumstances that preclude returning to the primary processing site."},{"id":"cp-7.6_gdn","name":"guidance","prose":"There may be situations that preclude an organization from returning to the primary processing site such as if a natural disaster (e.g., flood or a hurricane) damaged or destroyed a facility and it was determined that rebuilding in the same location was not prudent."},{"id":"cp-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)","class":"sp800-53a"}],"parts":[{"id":"cp-7.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)[01]","class":"sp800-53a"}],"prose":"circumstances that preclude returning to the primary processing site are planned for;"},{"id":"cp-7.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)[02]","class":"sp800-53a"}],"prose":"circumstances that preclude returning to the primary processing site are prepared for."}]},{"id":"cp-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary and Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"label","value":"CP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(03)","class":"sp800-53a"}],"prose":"alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats."},{"id":"cp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"id":"cp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-08.04_odp.01","props":[{"name":"label","value":"CP-08(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency testing by providers is defined;"}]},{"id":"cp-08.04_odp.02","props":[{"name":"label","value":"CP-08(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency training by providers is defined;"}]}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"label","value":"CP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-8.4_smt","name":"statement","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service providers are required to have contingency plans;"},{"id":"cp-8.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service providers are required to have contingency plans;"}]},{"id":"cp-8.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(b)","class":"sp800-53a"}],"prose":"provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;"},{"id":"cp-8.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[01]","class":"sp800-53a"}],"prose":"evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}."},{"id":"cp-8.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[02]","class":"sp800-53a"}],"prose":"evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}."}]}]},{"id":"cp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-8.5","class":"SP800-53-enhancement","title":"Alternate Telecommunication Service Testing","params":[{"id":"cp-08.05_odp","props":[{"name":"alt-identifier","value":"cp-8.5_prm_1"},{"name":"label","value":"CP-08(05)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which alternate telecommunications services are tested is defined;"}]}],"props":[{"name":"label","value":"CP-8(5)"},{"name":"label","value":"CP-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"}],"parts":[{"id":"cp-8.5_smt","name":"statement","prose":"Test alternate telecommunication services {{ insert: param, cp-08.05_odp }}."},{"id":"cp-8.5_gdn","name":"guidance","prose":"Alternate telecommunications services testing is arranged through contractual agreements with service providers. The testing may occur in parallel with normal operations to ensure that there is no degradation in organizational missions or functions."},{"id":"cp-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(05)","class":"sp800-53a"}],"prose":"alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}."},{"id":"cp-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nevidence of testing alternate telecommunications services\n\nalternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nalternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting testing alternate telecommunications services"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;"},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;"},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected."}]}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"label","value":"CP-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","prose":"Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed."},{"id":"cp-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(02)","class":"sp800-53a"}],"prose":"a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing."},{"id":"cp-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-09.03_odp","props":[{"name":"alt-identifier","value":"cp-9.3_prm_1"},{"name":"label","value":"CP-09(03)_ODP","class":"sp800-53a"}],"label":"critical system software and other security-related information","guidelines":[{"prose":"critical system software and other security-related information backups to be stored in a separate facility are defined;"}]}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"label","value":"CP-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers."},{"id":"cp-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(03)","class":"sp800-53a"}],"prose":"backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.4","class":"SP800-53-enhancement","title":"Protection from Unauthorized Modification","props":[{"name":"label","value":"CP-9(4)"},{"name":"label","value":"CP-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-9","rel":"incorporated-into"}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.02"}],"label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"},{"id":"cp-09.05_odp.01","props":[{"name":"label","value":"CP-09(05)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09.05_odp.02","props":[{"name":"label","value":"CP-09(05)_ODP[02]","class":"sp800-53a"}],"label":"transfer rate","guidelines":[{"prose":"transfer rate consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"label","value":"CP-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media."},{"id":"cp-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)","class":"sp800-53a"}],"parts":[{"id":"cp-9.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[01]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};"},{"id":"cp-9.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[02]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}."}]},{"id":"cp-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]},{"id":"cp-9.6","class":"SP800-53-enhancement","title":"Redundant Secondary System","props":[{"name":"label","value":"CP-9(6)"},{"name":"label","value":"CP-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-9.6_smt","name":"statement","prose":"Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations."},{"id":"cp-9.6_gdn","name":"guidance","prose":"The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site."},{"id":"cp-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)","class":"sp800-53a"}],"parts":[{"id":"cp-9.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)[01]","class":"sp800-53a"}],"prose":"system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;"},{"id":"cp-9.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)[02]","class":"sp800-53a"}],"prose":"system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations."}]},{"id":"cp-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for the redundant secondary system"}]},{"id":"cp-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining redundant secondary systems\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to a redundant secondary system"}]}]},{"id":"cp-9.7","class":"SP800-53-enhancement","title":"Dual Authorization for Deletion or Destruction","params":[{"id":"cp-09.07_odp","props":[{"name":"alt-identifier","value":"cp-9.7_prm_1"},{"name":"label","value":"CP-09(07)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information for which to enforce dual authorization in order to delete or destroy is defined;"}]}],"props":[{"name":"label","value":"CP-9(7)"},{"name":"label","value":"CP-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#mp-2","rel":"related"}],"parts":[{"id":"cp-9.7_smt","name":"statement","prose":"Enforce dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }}."},{"id":"cp-9.7_gdn","name":"guidance","prose":"Dual authorization ensures that deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting or destroying backup information possess the skills or expertise to determine if the proposed deletion or destruction of information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals."},{"id":"cp-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(07)","class":"sp800-53a"}],"prose":"dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced."},{"id":"cp-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem generated list of dual authorization credentials or rules\n\nlogs or records of deletion or destruction of backup information\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing dual authorization\n\nmechanisms supporting and\/or implementing the deletion\/destruction of backup information"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.1","class":"SP800-53-enhancement","title":"Contingency Plan Testing","props":[{"name":"label","value":"CP-10(1)"},{"name":"label","value":"CP-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-4","rel":"incorporated-into"}]},{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based."},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.3","class":"SP800-53-enhancement","title":"Compensating Security Controls","props":[{"name":"label","value":"CP-10(3)"},{"name":"label","value":"CP-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.03"},{"name":"status","value":"withdrawn"}],"parts":[{"id":"cp-10.3_smt","name":"statement","prose":"Addressed through tailoring."}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.04_odp","props":[{"name":"alt-identifier","value":"cp-10.4_prm_1"},{"name":"label","value":"CP-10(04)_ODP","class":"sp800-53a"}],"label":"restoration time periods","guidelines":[{"prose":"restoration time period within which to restore system components to a known, operational state is defined;"}]}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"label","value":"CP-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of system components includes reimaging, which restores the components to known, operational states."},{"id":"cp-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(04)","class":"sp800-53a"}],"prose":"the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided."},{"id":"cp-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the recovery\/reconstitution of system information"}]}]},{"id":"cp-10.5","class":"SP800-53-enhancement","title":"Failover Capability","props":[{"name":"label","value":"CP-10(5)"},{"name":"label","value":"CP-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-13","rel":"incorporated-into"}]},{"id":"cp-10.6","class":"SP800-53-enhancement","title":"Component Protection","props":[{"name":"label","value":"CP-10(6)"},{"name":"label","value":"CP-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"cp-10.6_smt","name":"statement","prose":"Protect system components used for recovery and reconstitution."},{"id":"cp-10.6_gdn","name":"guidance","prose":"Protection of system recovery and reconstitution components (i.e., hardware, firmware, and software) includes physical and technical controls. Backup and restoration components used for recovery and reconstitution include router tables, compilers, and other system software."},{"id":"cp-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(06)","class":"sp800-53a"}],"prose":"system components used for recovery and reconstitution are protected."},{"id":"cp-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access credentials\n\nphysical access credentials\n\nlogical access authorization records\n\nphysical access authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting backup and restoration of hardware, firmware, and software\n\nmechanisms supporting and\/or implementing protection of backups and restoration of hardware, firmware, and software"}]}]}]},{"id":"cp-11","class":"SP800-53","title":"Alternate Communications Protocols","params":[{"id":"cp-11_odp","props":[{"name":"alt-identifier","value":"cp-11_prm_1"},{"name":"label","value":"CP-11_ODP","class":"sp800-53a"}],"label":"alternative communications protocols","guidelines":[{"prose":"alternative communications protocols in support of maintaining continuity of operations are defined;"}]}],"props":[{"name":"label","value":"CP-11"},{"name":"label","value":"CP-11","class":"sp800-53a"},{"name":"sort-id","value":"cp-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-13","rel":"related"}],"parts":[{"id":"cp-11_smt","name":"statement","prose":"Provide the capability to employ {{ insert: param, cp-11_odp }} in support of maintaining continuity of operations."},{"id":"cp-11_gdn","name":"guidance","prose":"Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation."},{"id":"cp-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-11","class":"sp800-53a"}],"prose":"the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations."},{"id":"cp-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternative communications protocols\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of alternative communications protocols supporting continuity of operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with continuity of operations planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cp-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms employing alternative communications protocols"}]}]},{"id":"cp-12","class":"SP800-53","title":"Safe Mode","params":[{"id":"cp-12_odp.01","props":[{"name":"alt-identifier","value":"cp-12_prm_2"},{"name":"alt-label","value":"restrictions of safe mode of operation","class":"sp800-53"},{"name":"label","value":"CP-12_ODP[01]","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions for safe mode of operation are defined;"}]},{"id":"cp-12_odp.02","props":[{"name":"alt-identifier","value":"cp-12_prm_1"},{"name":"label","value":"CP-12_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions detected to enter a safe mode of operation are defined;"}]}],"props":[{"name":"label","value":"CP-12"},{"name":"label","value":"CP-12","class":"sp800-53a"},{"name":"sort-id","value":"cp-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#si-17","rel":"related"}],"parts":[{"id":"cp-12_smt","name":"statement","prose":"When {{ insert: param, cp-12_odp.02 }} are detected, enter a safe mode of operation with {{ insert: param, cp-12_odp.01 }}."},{"id":"cp-12_gdn","name":"guidance","prose":"For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth."},{"id":"cp-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-12","class":"sp800-53a"}],"prose":"a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected."},{"id":"cp-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing safe mode of operation for the system\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem administration manuals\n\nsystem operation manuals\n\nsystem installation manuals\n\ncontingency plan test records\n\nincident handling records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cp-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing safe mode of operation"}]}]},{"id":"cp-13","class":"SP800-53","title":"Alternative Security Mechanisms","params":[{"id":"cp-13_odp.01","props":[{"name":"alt-identifier","value":"cp-13_prm_1"},{"name":"label","value":"CP-13_ODP[01]","class":"sp800-53a"}],"label":"alternative or supplemental security mechanisms","guidelines":[{"prose":"alternative or supplemental security mechanisms are defined;"}]},{"id":"cp-13_odp.02","props":[{"name":"alt-identifier","value":"cp-13_prm_2"},{"name":"label","value":"CP-13_ODP[02]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions are defined;"}]}],"props":[{"name":"label","value":"CP-13"},{"name":"label","value":"CP-13","class":"sp800-53a"},{"name":"sort-id","value":"cp-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-13_smt","name":"statement","prose":"Employ {{ insert: param, cp-13_odp.01 }} for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised."},{"id":"cp-13_gdn","name":"guidance","prose":"Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised."},{"id":"cp-13_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-13","class":"sp800-53a"}],"prose":"{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised."},{"id":"cp-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate security mechanisms\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test records\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system capability implementing alternative security mechanisms"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;"},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."}]}]}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;"},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts."},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented."},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"label","value":"IA-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.1","rel":"incorporated-into"}]},{"id":"ia-2.4","class":"SP800-53-enhancement","title":"Local Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(4)"},{"name":"label","value":"IA-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.2","rel":"incorporated-into"}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Individual Authentication with Group Authentication","props":[{"name":"label","value":"IA-2(5)"},{"name":"label","value":"IA-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators."},{"id":"ia-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(05)","class":"sp800-53a"}],"prose":"users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed."},{"id":"ia-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an authentication capability for group accounts"}]}]},{"id":"ia-2.6","class":"SP800-53-enhancement","title":"Access to Accounts —separate Device","params":[{"id":"ia-02.06_odp.01","props":[{"name":"alt-identifier","value":"ia-2.6_prm_1"},{"name":"label","value":"IA-02(06)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","network","remote"]}},{"id":"ia-02.06_odp.02","props":[{"name":"alt-identifier","value":"ia-2.6_prm_2"},{"name":"label","value":"IA-02(06)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}},{"id":"ia-02.06_odp.03","props":[{"name":"alt-identifier","value":"ia-2.6_prm_3"},{"name":"label","value":"IA-02(06)_ODP[03]","class":"sp800-53a"}],"label":"strength of mechanism requirements","guidelines":[{"prose":"the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;"}]}],"props":[{"name":"label","value":"IA-2(6)"},{"name":"label","value":"IA-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.6_smt","name":"statement","prose":"Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:","parts":[{"id":"ia-2.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"One of the factors is provided by a device separate from the system gaining access; and"},{"id":"ia-2.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"The device meets {{ insert: param, ia-02.06_odp.03 }}."}]},{"id":"ia-2.6_gdn","name":"guidance","prose":"The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process."},{"id":"ia-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)","class":"sp800-53a"}],"parts":[{"id":"ia-2.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)(a)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;"},{"id":"ia-2.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)(b)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}."}]},{"id":"ia-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing multi-factor authentication capability"}]}]},{"id":"ia-2.7","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts — Separate Device","props":[{"name":"label","value":"IA-2(7)"},{"name":"label","value":"IA-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.6","rel":"incorporated-into"}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.9","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts — Replay Resistant","props":[{"name":"label","value":"IA-2(9)"},{"name":"label","value":"IA-02(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.8","rel":"incorporated-into"}]},{"id":"ia-2.10","class":"SP800-53-enhancement","title":"Single Sign-on","params":[{"id":"ia-02.10_odp","props":[{"name":"alt-identifier","value":"ia-2.10_prm_1"},{"name":"label","value":"IA-02(10)_ODP","class":"sp800-53a"}],"label":"system accounts and services","guidelines":[{"prose":"system accounts and services for which a single sign-on capability must be provided are defined;"}]}],"props":[{"name":"label","value":"IA-2(10)"},{"name":"label","value":"IA-02(10)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.10_smt","name":"statement","prose":"Provide a single sign-on capability for {{ insert: param, ia-02.10_odp }}."},{"id":"ia-2.10_gdn","name":"guidance","prose":"Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to add multi-factor authentication for applications and systems (existing and new) that may not be able to natively support multi-factor authentication."},{"id":"ia-2.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(10)","class":"sp800-53a"}],"prose":"a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}."},{"id":"ia-2.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing single sign-on capability for system accounts and services\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts and services requiring single sign-on capability\n\nother relevant documents or records"}]},{"id":"ia-2.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing single sign-on capability for system accounts and services"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access — Separate Device","props":[{"name":"label","value":"IA-2(11)"},{"name":"label","value":"IA-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.6","rel":"incorporated-into"}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified."},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]},{"id":"ia-2.13","class":"SP800-53-enhancement","title":"Out-of-band Authentication","params":[{"id":"ia-02.13_odp.01","props":[{"name":"alt-identifier","value":"ia-2.13_prm_2"},{"name":"label","value":"IA-02(13)_ODP[01]","class":"sp800-53a"}],"label":"out-of-band authentication","guidelines":[{"prose":"out-of-band authentication mechanisms to be implemented are defined;"}]},{"id":"ia-02.13_odp.02","props":[{"name":"alt-identifier","value":"ia-2.13_prm_1"},{"name":"label","value":"IA-02(13)_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which out-of-band authentication is to be implemented are defined;"}]}],"props":[{"name":"label","value":"IA-2(13)"},{"name":"label","value":"IA-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-2.13_smt","name":"statement","prose":"Implement the following out-of-band authentication mechanisms under {{ insert: param, ia-02.13_odp.02 }}: {{ insert: param, ia-02.13_odp.01 }}."},{"id":"ia-2.13_gdn","name":"guidance","prose":"Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and\/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected \"man-in the-middle\" attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions."},{"id":"ia-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(13)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}."},{"id":"ia-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem-generated list of out-of-band authentication paths\n\nother relevant documents or records"}]},{"id":"ia-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing out-of-band authentication capability"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":"{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}],"controls":[{"id":"ia-3.1","class":"SP800-53-enhancement","title":"Cryptographic Bidirectional Authentication","params":[{"id":"ia-03.01_odp.01","props":[{"name":"alt-identifier","value":"ia-3.1_prm_1"},{"name":"label","value":"IA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;"}]},{"id":"ia-03.01_odp.02","props":[{"name":"alt-identifier","value":"ia-3.1_prm_2"},{"name":"label","value":"IA-03(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3(1)"},{"name":"label","value":"IA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-3.1_smt","name":"statement","prose":"Authenticate {{ insert: param, ia-03.01_odp.01 }} before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based."},{"id":"ia-3.1_gdn","name":"guidance","prose":"A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk."},{"id":"ia-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based."},{"id":"ia-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device authentication capability\n\ncryptographically based bidirectional authentication mechanisms"}]}]},{"id":"ia-3.2","class":"SP800-53-enhancement","title":"Cryptographic Bidirectional Network Authentication","props":[{"name":"label","value":"IA-3(2)"},{"name":"label","value":"IA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-3.1","rel":"incorporated-into"}]},{"id":"ia-3.3","class":"SP800-53-enhancement","title":"Dynamic Address Allocation","params":[{"id":"ia-3.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-03.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-03.03_odp.02"}],"label":"organization-defined lease information and lease duration"},{"id":"ia-03.03_odp.01","props":[{"name":"label","value":"IA-03(03)_ODP[01]","class":"sp800-53a"}],"label":"lease information","guidelines":[{"prose":"lease information to be employed to standardize dynamic address allocation for devices is defined;"}]},{"id":"ia-03.03_odp.02","props":[{"name":"label","value":"IA-03(03)_ODP[02]","class":"sp800-53a"}],"label":"lease duration","guidelines":[{"prose":"lease duration to be employed to standardize dynamic address allocation for devices is defined;"}]}],"props":[{"name":"label","value":"IA-3(3)"},{"name":"label","value":"IA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#au-2","rel":"related"}],"parts":[{"id":"ia-3.3_smt","name":"statement","parts":[{"id":"ia-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_prm_1 }} ; and"},{"id":"ia-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Audit lease information when assigned to a device."}]},{"id":"ia-3.3_gdn","name":"guidance","prose":"The Dynamic Host Configuration Protocol (DHCP) is an example of a means by which clients can dynamically receive network address assignments."},{"id":"ia-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ia-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)[01]","class":"sp800-53a"}],"prose":"dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};"},{"id":"ia-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)[02]","class":"sp800-53a"}],"prose":"dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};"}]},{"id":"ia-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(b)","class":"sp800-53a"}],"prose":"lease information is audited when assigned to a device."}]},{"id":"ia-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidence of lease information and lease duration assigned to devices\n\ndevice connection reports\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities\n\nmechanisms supporting and\/or implementing dynamic address allocation\n\nmechanisms supporting and\/or implanting auditing of lease information"}]}]},{"id":"ia-3.4","class":"SP800-53-enhancement","title":"Device Attestation","params":[{"id":"ia-03.04_odp","props":[{"name":"alt-identifier","value":"ia-3.4_prm_1"},{"name":"label","value":"IA-03(04)_ODP","class":"sp800-53a"}],"label":"configuration management process","guidelines":[{"prose":"configuration management process to be employed to handle device identification and authentication based on attestation is defined;"}]}],"props":[{"name":"label","value":"IA-3(4)"},{"name":"label","value":"IA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"ia-3.4_smt","name":"statement","prose":"Handle device identification and authentication based on attestation by {{ insert: param, ia-03.04_odp }}."},{"id":"ia-3.4_gdn","name":"guidance","prose":"Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices."},{"id":"ia-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(04)","class":"sp800-53a"}],"prose":"device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}."},{"id":"ia-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nprocedures addressing device configuration management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconfiguration management records\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities\n\nmechanisms supporting and\/or implementing configuration management\n\ncryptographic mechanisms supporting device attestation"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.1","class":"SP800-53-enhancement","title":"Prohibit Account Identifiers as Public Identifiers","props":[{"name":"label","value":"IA-4(1)"},{"name":"label","value":"IA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ia-4.1_smt","name":"statement","prose":"Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts."},{"id":"ia-4.1_gdn","name":"guidance","prose":"Prohibiting account identifiers as public identifiers applies to any publicly disclosed account identifier used for communication such as, electronic mail and instant messaging. Prohibiting the use of systems account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers without the implementation of other supporting controls only complicates guessing of identifiers. Additional protections are required for authenticators and credentials to protect the account."},{"id":"ia-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(01)","class":"sp800-53a"}],"prose":"the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts."},{"id":"ia-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.2","class":"SP800-53-enhancement","title":"Supervisor Authorization","props":[{"name":"label","value":"IA-4(2)"},{"name":"label","value":"IA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.1","rel":"incorporated-into"}]},{"id":"ia-4.3","class":"SP800-53-enhancement","title":"Multiple Forms of Certification","props":[{"name":"label","value":"IA-4(3)"},{"name":"label","value":"IA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.2","rel":"incorporated-into"}]},{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.5","class":"SP800-53-enhancement","title":"Dynamic Management","params":[{"id":"ia-04.05_odp","props":[{"name":"alt-identifier","value":"ia-4.5_prm_1"},{"name":"label","value":"IA-04(05)_ODP","class":"sp800-53a"}],"label":"dynamic identifier policy","guidelines":[{"prose":"a dynamic identifier policy for managing individual identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4(5)"},{"name":"label","value":"IA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ia-4.5_smt","name":"statement","prose":"Manage individual identifiers dynamically in accordance with {{ insert: param, ia-04.05_odp }}."},{"id":"ia-4.5_gdn","name":"guidance","prose":"In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at runtime for entities that were previously unknown. When identifiers are established at runtime for previously unknown entities, organizations can anticipate and provision for the dynamic establishment of identifiers. Pre-established trust relationships and mechanisms with appropriate authorities to validate credentials and related identifiers are essential."},{"id":"ia-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(05)","class":"sp800-53a"}],"prose":"individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}."},{"id":"ia-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing dynamic identifier management"}]}]},{"id":"ia-4.6","class":"SP800-53-enhancement","title":"Cross-organization Management","params":[{"id":"ia-04.06_odp","props":[{"name":"alt-identifier","value":"ia-4.6_prm_1"},{"name":"label","value":"IA-04(06)_ODP","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations with whom to coordinate the cross-organization management of identifiers are defined;"}]}],"props":[{"name":"label","value":"IA-4(6)"},{"name":"label","value":"IA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-4.6_smt","name":"statement","prose":"Coordinate with the following external organizations for cross-organization management of identifiers: {{ insert: param, ia-04.06_odp }}."},{"id":"ia-4.6_gdn","name":"guidance","prose":"Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information."},{"id":"ia-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(06)","class":"sp800-53a"}],"prose":"cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}."},{"id":"ia-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.7","class":"SP800-53-enhancement","title":"In-person Registration","props":[{"name":"label","value":"IA-4(7)"},{"name":"label","value":"IA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.4","rel":"incorporated-into"}]},{"id":"ia-4.8","class":"SP800-53-enhancement","title":"Pairwise Pseudonymous Identifiers","props":[{"name":"label","value":"IA-4(8)"},{"name":"label","value":"IA-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-4.8_smt","name":"statement","prose":"Generate pairwise pseudonymous identifiers."},{"id":"ia-4.8_gdn","name":"guidance","prose":"A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an identity provider for use at a specific individual relying party. Generating distinct pairwise pseudonymous identifiers with no identifying information about a subscriber discourages subscriber activity tracking and profiling beyond the operational requirements established by an organization. The pairwise pseudonymous identifiers are unique to each relying party except in situations where relying parties can show a demonstrable relationship justifying an operational need for correlation, or all parties consent to being correlated in such a manner."},{"id":"ia-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(08)","class":"sp800-53a"}],"prose":"pairwise pseudonymous identifiers are generated."},{"id":"ia-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.9","class":"SP800-53-enhancement","title":"Attribute Maintenance and Protection","params":[{"id":"ia-04.09_odp","props":[{"name":"alt-identifier","value":"ia-4.9_prm_1"},{"name":"label","value":"IA-04(09)_ODP","class":"sp800-53a"}],"label":"protected central storage","guidelines":[{"prose":"protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined;"}]}],"props":[{"name":"label","value":"IA-4(9)"},{"name":"label","value":"IA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.9_smt","name":"statement","prose":"Maintain the attributes for each uniquely identified individual, device, or service in {{ insert: param, ia-04.09_odp }}."},{"id":"ia-4.9_gdn","name":"guidance","prose":"For each of the entities covered in [IA-2](#ia-2), [IA-3](#ia-3), [IA-8](#ia-8) , and [IA-9](#ia-9) , it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store."},{"id":"ia-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(09)","class":"sp800-53a"}],"prose":"the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}."},{"id":"ia-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;"},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;"},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;"},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;"},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."}]}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted External Party Registration","props":[{"name":"label","value":"IA-5(3)"},{"name":"label","value":"IA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.4","rel":"incorporated-into"}]},{"id":"ia-5.4","class":"SP800-53-enhancement","title":"Automated Support for Password Strength Determination","props":[{"name":"label","value":"IA-5(4)"},{"name":"label","value":"IA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-5.1","rel":"incorporated-into"}]},{"id":"ia-5.5","class":"SP800-53-enhancement","title":"Change Authenticators Prior to Delivery","props":[{"name":"label","value":"IA-5(5)"},{"name":"label","value":"IA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.5_smt","name":"statement","prose":"Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation."},{"id":"ia-5.5_gdn","name":"guidance","prose":"Changing authenticators prior to the delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation by requiring developers and\/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and\/or installation. However, it typically does not apply to developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring systems or system components."},{"id":"ia-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(05)","class":"sp800-53a"}],"prose":"developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation."},{"id":"ia-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem and services acquisition policy\n\nprocedures addressing authenticator management\n\nprocedures addressing the integration of security requirements into the acquisition process\n\nacquisition documentation\n\nacquisition contracts for system procurements or services\n\nother relevant documents or records"}]},{"id":"ia-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security, acquisition, and contracting responsibilities\n\nsystem developers"}]},{"id":"ia-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]},{"id":"ia-5.7","class":"SP800-53-enhancement","title":"No Embedded Unencrypted Static Authenticators","props":[{"name":"label","value":"IA-5(7)"},{"name":"label","value":"IA-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.7_smt","name":"statement","prose":"Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage."},{"id":"ia-5.7_gdn","name":"guidance","prose":"In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators."},{"id":"ia-5.7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(07)","class":"sp800-53a"}],"prose":"unencrypted static authenticators are not embedded in applications or other forms of static storage."},{"id":"ia-5.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records"}]},{"id":"ia-5.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications"}]}]},{"id":"ia-5.8","class":"SP800-53-enhancement","title":"Multiple System Accounts","params":[{"id":"ia-05.08_odp","props":[{"name":"alt-identifier","value":"ia-5.8_prm_1"},{"name":"label","value":"IA-05(08)_ODP","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;"}]}],"props":[{"name":"label","value":"IA-5(8)"},{"name":"label","value":"IA-05(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"ia-5.8_smt","name":"statement","prose":"Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems."},{"id":"ia-5.8_gdn","name":"guidance","prose":"When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk of multiple system accounts."},{"id":"ia-5.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(08)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems."},{"id":"ia-5.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nlist of individuals having accounts on multiple systems\n\nlist of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems\n\nother relevant documents or records"}]},{"id":"ia-5.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing safeguards for authenticator management"}]}]},{"id":"ia-5.9","class":"SP800-53-enhancement","title":"Federated Credential Management","params":[{"id":"ia-05.09_odp","props":[{"name":"alt-identifier","value":"ia-5.9_prm_1"},{"name":"label","value":"IA-05(09)_ODP","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to be used for federating credentials are defined;"}]}],"props":[{"name":"label","value":"IA-5(9)"},{"name":"label","value":"IA-05(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"}],"parts":[{"id":"ia-5.9_smt","name":"statement","prose":"Use the following external organizations to federate credentials: {{ insert: param, ia-05.09_odp }}."},{"id":"ia-5.9_gdn","name":"guidance","prose":"Federation provides organizations with the capability to authenticate individuals and devices when conducting cross-organization activities involving the processing, storage, or transmission of information. Using a specific list of approved external organizations for authentication helps to ensure that those organizations are vetted and trusted."},{"id":"ia-5.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(09)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.09_odp }} are used to federate credentials."},{"id":"ia-5.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nprocedures addressing account management\n\nsystem security plan\n\nsecurity agreements\n\nother relevant documents or records"}]},{"id":"ia-5.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing safeguards for authenticator management"}]}]},{"id":"ia-5.10","class":"SP800-53-enhancement","title":"Dynamic Credential Binding","params":[{"id":"ia-05.10_odp","props":[{"name":"alt-identifier","value":"ia-5.10_prm_1"},{"name":"label","value":"IA-05(10)_ODP","class":"sp800-53a"}],"label":"binding rules","guidelines":[{"prose":"rules for dynamically binding identities and authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5(10)"},{"name":"label","value":"IA-05(10)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-5.10_smt","name":"statement","prose":"Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}."},{"id":"ia-5.10_gdn","name":"guidance","prose":"Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential."},{"id":"ia-5.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(10)","class":"sp800-53a"}],"prose":"identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}."},{"id":"ia-5.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nautomated mechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing identifier management capability\n\nautomated mechanisms implementing dynamic binding of identities and authenticators"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","props":[{"name":"label","value":"IA-5(11)"},{"name":"label","value":"IA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.1","rel":"incorporated-into"},{"href":"#ia-2.2","rel":"incorporated-into"}]},{"id":"ia-5.12","class":"SP800-53-enhancement","title":"Biometric Authentication Performance","params":[{"id":"ia-05.12_odp","props":[{"name":"alt-identifier","value":"ia-5.12_prm_1"},{"name":"label","value":"IA-05(12)_ODP","class":"sp800-53a"}],"label":"biometric quality requirements","guidelines":[{"prose":"biometric quality requirements for biometric-based authentication are defined;"}]}],"props":[{"name":"label","value":"IA-5(12)"},{"name":"label","value":"IA-05(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ac-7","rel":"related"}],"parts":[{"id":"ia-5.12_smt","name":"statement","prose":"For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements {{ insert: param, ia-05.12_odp }}."},{"id":"ia-5.12_gdn","name":"guidance","prose":"Unlike password-based authentication, which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide exact matches. Depending on the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and the stored biometric that serves as the basis for comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users. Biometric performance requirements include the match rate, which reflects the accuracy of the biometric matching algorithm used by a system."},{"id":"ia-5.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(12)","class":"sp800-53a"}],"prose":"mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication."},{"id":"ia-5.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms employing biometric-based authentication for the system\n\nlist of biometric quality requirements\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing biometric-based authenticator management capability"}]}]},{"id":"ia-5.13","class":"SP800-53-enhancement","title":"Expiration of Cached Authenticators","params":[{"id":"ia-05.13_odp","props":[{"name":"alt-identifier","value":"ia-5.13_prm_1"},{"name":"label","value":"IA-05(13)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which the use of cached authenticators is prohibited is defined;"}]}],"props":[{"name":"label","value":"IA-5(13)"},{"name":"label","value":"IA-05(13)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.13_smt","name":"statement","prose":"Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}."},{"id":"ia-5.13_gdn","name":"guidance","prose":"Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable."},{"id":"ia-5.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(13)","class":"sp800-53a"}],"prose":"the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}."},{"id":"ia-5.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}]},{"id":"ia-5.14","class":"SP800-53-enhancement","title":"Managing Content of PKI Trust Stores","props":[{"name":"label","value":"IA-5(14)"},{"name":"label","value":"IA-05(14)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.14_smt","name":"statement","prose":"For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications."},{"id":"ia-5.14_gdn","name":"guidance","prose":"An organization-wide methodology for managing the content of PKI trust stores helps improve the accuracy and currency of PKI-based authentication credentials across the organization."},{"id":"ia-5.14_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(14)","class":"sp800-53a"}],"prose":"an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication."},{"id":"ia-5.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\norganizational methodology for managing content of PKI trust stores across installed all platforms\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nenterprise architecture documentation\n\nother relevant documents or records"}]},{"id":"ia-5.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based authenticator management capability\n\nmechanisms supporting and\/or implementing the PKI trust store capability"}]}]},{"id":"ia-5.15","class":"SP800-53-enhancement","title":"GSA-approved Products and Services","props":[{"name":"label","value":"IA-5(15)"},{"name":"label","value":"IA-05(15)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.15_smt","name":"statement","prose":"Use only General Services Administration-approved products and services for identity, credential, and access management."},{"id":"ia-5.15_gdn","name":"guidance","prose":"General Services Administration (GSA)-approved products and services are products and services that have been approved through the GSA conformance program, where applicable, and posted to the GSA Approved Products List. GSA provides guidance for teams to design and build functional and secure systems that comply with Federal Identity, Credential, and Access Management (FICAM) policies, technologies, and implementation patterns."},{"id":"ia-5.15_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(15)","class":"sp800-53a"}],"prose":"only General Services Administration-approved products and services are used for identity, credential, and access management."},{"id":"ia-5.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.16","class":"SP800-53-enhancement","title":"In-person or Trusted External Party Authenticator Issuance","params":[{"id":"ia-05.16_odp.01","props":[{"name":"alt-identifier","value":"ia-5.16_prm_1"},{"name":"label","value":"IA-05(16)_ODP[01]","class":"sp800-53a"}],"label":"types of and\/or specific authenticators","guidelines":[{"prose":"types of and\/or specific authenticators to be issued are defined;"}]},{"id":"ia-05.16_odp.02","props":[{"name":"alt-identifier","value":"ia-5.16_prm_2"},{"name":"label","value":"IA-05(16)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["in person","by a trusted external party"]}},{"id":"ia-05.16_odp.03","props":[{"name":"alt-identifier","value":"ia-5.16_prm_3"},{"name":"label","value":"IA-05(16)_ODP[03]","class":"sp800-53a"}],"label":"registration authority","guidelines":[{"prose":"the registration authority that issues authenticators is defined;"}]},{"id":"ia-05.16_odp.04","props":[{"name":"alt-identifier","value":"ia-5.16_prm_4"},{"name":"label","value":"IA-05(16)_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles who authorize the issuance of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5(16)"},{"name":"label","value":"IA-05(16)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-5.16_smt","name":"statement","prose":"Require that the issuance of {{ insert: param, ia-05.16_odp.01 }} be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}."},{"id":"ia-5.16_gdn","name":"guidance","prose":"Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process."},{"id":"ia-5.16_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(16)","class":"sp800-53a"}],"prose":"the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}."},{"id":"ia-5.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.17","class":"SP800-53-enhancement","title":"Presentation Attack Detection for Biometric Authenticators","props":[{"name":"label","value":"IA-5(17)"},{"name":"label","value":"IA-05(17)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ac-7","rel":"related"}],"parts":[{"id":"ia-5.17_smt","name":"statement","prose":"Employ presentation attack detection mechanisms for biometric-based authentication."},{"id":"ia-5.17_gdn","name":"guidance","prose":"Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web accesses, taking a picture of someone with a camera phone to obtain facial images with or without their knowledge, lifting from objects that someone has touched (e.g., a latent fingerprint), or capturing a high-resolution image (e.g., an iris pattern). Presentation attack detection technologies including liveness detection, can mitigate the risk of these types of attacks by making it difficult to produce artifacts intended to defeat the biometric sensor."},{"id":"ia-5.17_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(17)","class":"sp800-53a"}],"prose":"presentation attack detection mechanisms are employed for biometric-based authentication."},{"id":"ia-5.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.18","class":"SP800-53-enhancement","title":"Password Managers","params":[{"id":"ia-05.18_odp.01","props":[{"name":"alt-identifier","value":"ia-5.18_prm_1"},{"name":"label","value":"IA-05(18)_ODP[01]","class":"sp800-53a"}],"label":"password managers","guidelines":[{"prose":"password managers employed for generating and managing passwords are defined;"}]},{"id":"ia-05.18_odp.02","props":[{"name":"alt-identifier","value":"ia-5.18_prm_2"},{"name":"label","value":"IA-05(18)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls for protecting passwords are defined;"}]}],"props":[{"name":"label","value":"IA-5(18)"},{"name":"label","value":"IA-05(18)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.18_smt","name":"statement","parts":[{"id":"ia-5.18_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and"},{"id":"ia-5.18_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}."}]},{"id":"ia-5.18_gdn","name":"guidance","prose":"For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see [IA-5(1)(d)](#ia-5.1_smt.d) ) and storing the collection offline in a token."},{"id":"ia-5.18_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)","class":"sp800-53a"}],"parts":[{"id":"ia-5.18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;"},{"id":"ia-5.18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)(b)","class":"sp800-53a"}],"prose":"the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}."}]},{"id":"ia-5.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;"},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;"},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;"},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained."}]}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of FICAM-approved Products","props":[{"name":"label","value":"IA-8(3)"},{"name":"label","value":"IA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-8.2","rel":"incorporated-into"}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]},{"id":"ia-8.5","class":"SP800-53-enhancement","title":"Acceptance of PIV-I Credentials","params":[{"id":"ia-08.05_odp","props":[{"name":"alt-identifier","value":"ia-8.5_prm_1"},{"name":"label","value":"IA-08(05)_ODP","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"a policy for using federated or PKI credentials is defined;"}]}],"props":[{"name":"label","value":"IA-8(5)"},{"name":"label","value":"IA-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.5_smt","name":"statement","prose":"Accept and verify federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }}."},{"id":"ia-8.5_gdn","name":"guidance","prose":"Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other commercial or external identity providers. The acceptance and verification of PIV-I-compliant credentials apply to both logical and physical access control systems. The acceptance and verification of PIV-I credentials address nonfederal issuers of identity cards that desire to interoperate with United States Government PIV systems and that can be trusted by Federal Government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA (directly or through another PKI bridge) with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy."},{"id":"ia-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)","class":"sp800-53a"}],"parts":[{"id":"ia-8.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)[01]","class":"sp800-53a"}],"prose":"federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;"},{"id":"ia-8.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)[02]","class":"sp800-53a"}],"prose":"federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified."}]},{"id":"ia-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV-I verification records\n\nevidence of PIV-I credentials\n\nPIV-I credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV-I credentials"}]}]},{"id":"ia-8.6","class":"SP800-53-enhancement","title":"Disassociability","params":[{"id":"ia-08.06_odp","props":[{"name":"alt-identifier","value":"ia-8.6_prm_1"},{"name":"label","value":"IA-08(06)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"disassociability measures are defined;"}]}],"props":[{"name":"label","value":"IA-8(6)"},{"name":"label","value":"IA-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.6_smt","name":"statement","prose":"Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: {{ insert: param, ia-08.06_odp }}."},{"id":"ia-8.6_gdn","name":"guidance","prose":"Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks."},{"id":"ia-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented."},{"id":"ia-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]},{"id":"ia-9","class":"SP800-53","title":"Service Identification and Authentication","params":[{"id":"ia-09_odp","props":[{"name":"alt-identifier","value":"ia-9_prm_1"},{"name":"label","value":"IA-09_ODP","class":"sp800-53a"}],"label":"system services and applications","guidelines":[{"prose":"system services and applications to be uniquely identified and authenticated are defined;"}]}],"props":[{"name":"label","value":"IA-9"},{"name":"label","value":"IA-09","class":"sp800-53a"},{"name":"sort-id","value":"ia-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-9_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-09_odp }} before establishing communications with devices, users, or other services or applications."},{"id":"ia-9_gdn","name":"guidance","prose":"Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions."},{"id":"ia-9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-09","class":"sp800-53a"}],"prose":"{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications."},{"id":"ia-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing service identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsecurity safeguards used to identify and authenticate system services\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security safeguards implementing service identification and authentication capabilities"}]}],"controls":[{"id":"ia-9.1","class":"SP800-53-enhancement","title":"Information Exchange","props":[{"name":"label","value":"IA-9(1)"},{"name":"label","value":"IA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-09.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-9","rel":"incorporated-into"}]},{"id":"ia-9.2","class":"SP800-53-enhancement","title":"Transmission of Decisions","props":[{"name":"label","value":"IA-9(2)"},{"name":"label","value":"IA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-09.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-9","rel":"incorporated-into"}]}]},{"id":"ia-10","class":"SP800-53","title":"Adaptive Authentication","params":[{"id":"ia-10_odp.01","props":[{"name":"alt-identifier","value":"ia-10_prm_1"},{"name":"label","value":"IA-10_ODP[01]","class":"sp800-53a"}],"label":"supplemental authentication techniques or mechanisms","guidelines":[{"prose":"supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;"}]},{"id":"ia-10_odp.02","props":[{"name":"alt-identifier","value":"ia-10_prm_2"},{"name":"label","value":"IA-10_ODP[02]","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;"}]}],"props":[{"name":"label","value":"IA-10"},{"name":"label","value":"IA-10","class":"sp800-53a"},{"name":"sort-id","value":"ia-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-10_smt","name":"statement","prose":"Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}."},{"id":"ia-10_gdn","name":"guidance","prose":"Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication."},{"id":"ia-10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-10","class":"sp800-53a"}],"prose":"individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}."},{"id":"ia-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing adaptive\/supplemental identification and authentication techniques or mechanisms\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsupplemental identification and authentication techniques or mechanisms\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;"},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;"},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;"},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified."}]}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.1","class":"SP800-53-enhancement","title":"Supervisor Authorization","props":[{"name":"label","value":"IA-12(1)"},{"name":"label","value":"IA-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.1_smt","name":"statement","prose":"Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization."},{"id":"ia-12.1_gdn","name":"guidance","prose":"Including supervisor or sponsor authorization as part of the registration process provides an additional level of scrutiny to ensure that the user’s management chain is aware of the account, the account is essential to carry out organizational missions and functions, and the user’s privileges are appropriate for the anticipated responsibilities and authorities within the organization."},{"id":"ia-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(01)","class":"sp800-53a"}],"prose":"the registration process to receive an account for logical access includes supervisor or sponsor authorization."},{"id":"ia-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority."},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.4","class":"SP800-53-enhancement","title":"In-person Validation and Verification","props":[{"name":"label","value":"IA-12(4)"},{"name":"label","value":"IA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.4_smt","name":"statement","prose":"Require that the validation and verification of identity evidence be conducted in person before a designated registration authority."},{"id":"ia-12.4_gdn","name":"guidance","prose":"In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities."},{"id":"ia-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(04)","class":"sp800-53a"}],"prose":"the validation and verification of identity evidence is conducted in person before a designated registration authority."},{"id":"ia-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.6","class":"SP800-53-enhancement","title":"Accept Externally-proofed Identities","params":[{"id":"ia-12.06_odp","props":[{"name":"alt-identifier","value":"ia-12.6_prm_1"},{"name":"label","value":"IA-12(06)_ODP","class":"sp800-53a"}],"label":"identity assurance level","guidelines":[{"prose":"an identity assurance level for accepting externally proofed identities is defined;"}]}],"props":[{"name":"label","value":"IA-12(6)"},{"name":"label","value":"IA-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-12.6_smt","name":"statement","prose":"Accept externally-proofed identities at {{ insert: param, ia-12.06_odp }}."},{"id":"ia-12.6_gdn","name":"guidance","prose":"To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept proofing conducted at a commensurate level of assurance by other agencies or organizations. Proofing is consistent with organizational security policy and the identity assurance level appropriate for the system, application, or information accessed. Accepting externally-proofed identities is a fundamental component of managing federated identities across agencies and organizations."},{"id":"ia-12.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(06)","class":"sp800-53a"}],"prose":"externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}."},{"id":"ia-12.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;"},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."}]}]}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."}]}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"label","value":"IR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_gdn","name":"guidance","prose":"Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations."},{"id":"ir-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","params":[{"id":"ir-02.02_odp","props":[{"name":"alt-identifier","value":"ir-2.2_prm_1"},{"name":"label","value":"IR-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used in an incident response training environment are defined;"}]}],"props":[{"name":"label","value":"IR-2(2)"},{"name":"label","value":"IR-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_gdn","name":"guidance","prose":"Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability."},{"id":"ir-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(02)","class":"sp800-53a"}],"prose":"an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]},{"id":"ir-2.3","class":"SP800-53-enhancement","title":"Breach","props":[{"name":"label","value":"IR-2(3)"},{"name":"label","value":"IR-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.3_smt","name":"statement","prose":"Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach."},{"id":"ir-2.3_gdn","name":"guidance","prose":"For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1)."},{"id":"ir-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)","class":"sp800-53a"}],"parts":[{"id":"ir-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[01]","class":"sp800-53a"}],"prose":"incident response training on how to identify and respond to a breach is provided;"},{"id":"ir-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[02]","class":"sp800-53a"}],"prose":"incident response training on the organization’s process for reporting a breach is provided."}]},{"id":"ir-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.1","class":"SP800-53-enhancement","title":"Automated Testing","params":[{"id":"ir-03.01_odp","props":[{"name":"alt-identifier","value":"ir-3.1_prm_1"},{"name":"label","value":"IR-03(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to test the incident response capability are defined;"}]}],"props":[{"name":"label","value":"IR-3(1)"},{"name":"label","value":"IR-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.1_smt","name":"statement","prose":"Test the incident response capability using {{ insert: param, ir-03.01_odp }}."},{"id":"ir-3.1_gdn","name":"guidance","prose":"Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability."},{"id":"ir-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(01)","class":"sp800-53a"}],"prose":"the incident response capability is tested using {{ insert: param, ir-03.01_odp }}."},{"id":"ir-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing documentation\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nautomated mechanisms supporting incident response tests\n\nother relevant documents or records"}]},{"id":"ir-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that more thoroughly and effectively test the incident response capability"}]}]},{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans."},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-3.3","class":"SP800-53-enhancement","title":"Continuous Improvement","props":[{"name":"label","value":"IR-3(3)"},{"name":"label","value":"IR-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.3_smt","name":"statement","prose":"Use qualitative and quantitative data from testing to:","parts":[{"id":"ir-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine the effectiveness of incident response processes;"},{"id":"ir-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Continuously improve incident response processes; and"},{"id":"ir-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format."}]},{"id":"ir-3.3_gdn","name":"guidance","prose":"To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents."},{"id":"ir-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to determine the effectiveness of incident response processes;"},{"id":"ir-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to determine the effectiveness of incident response processes;"}]},{"id":"ir-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to continuously improve incident response processes;"},{"id":"ir-3.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to continuously improve incident response processes;"}]},{"id":"ir-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics that are accurate;"},{"id":"ir-3.3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics that are accurate;"},{"id":"ir-3.3_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[03]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics that are consistent;"},{"id":"ir-3.3_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[04]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics that are consistent;"},{"id":"ir-3.3_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[05]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;"},{"id":"ir-3.3_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[06]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics in a reproducible format."}]}]},{"id":"ir-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;"},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;"},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;"},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;"},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;"},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;"},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;"},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization."}]}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.2","class":"SP800-53-enhancement","title":"Dynamic Reconfiguration","params":[{"id":"ir-04.02_odp.01","props":[{"name":"alt-identifier","value":"ir-4.2_prm_2"},{"name":"label","value":"IR-04(02)_ODP[01]","class":"sp800-53a"}],"label":"types of dynamic reconfiguration","guidelines":[{"prose":"types of dynamic reconfiguration for system components are defined;"}]},{"id":"ir-04.02_odp.02","props":[{"name":"alt-identifier","value":"ir-4.2_prm_1"},{"name":"label","value":"IR-04(02)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that require dynamic reconfiguration are defined;"}]}],"props":[{"name":"label","value":"IR-4(2)"},{"name":"label","value":"IR-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"}],"parts":[{"id":"ir-4.2_smt","name":"statement","prose":"Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}."},{"id":"ir-4.2_gdn","name":"guidance","prose":"Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats."},{"id":"ir-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability."},{"id":"ir-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident response capability\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement the dynamic reconfiguration of components as part of incident response"}]}]},{"id":"ir-4.3","class":"SP800-53-enhancement","title":"Continuity of Operations","params":[{"id":"ir-04.03_odp.01","props":[{"name":"alt-identifier","value":"ir-4.3_prm_1"},{"name":"label","value":"IR-04(03)_ODP[01]","class":"sp800-53a"}],"label":"classes of incidents","guidelines":[{"prose":"classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;"}]},{"id":"ir-04.03_odp.02","props":[{"name":"alt-identifier","value":"ir-4.3_prm_2"},{"name":"alt-label","value":"actions to take in response to classes of incidents","class":"sp800-53"},{"name":"label","value":"IR-04(03)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken in response to organization-defined classes of incidents are defined;"}]}],"props":[{"name":"label","value":"IR-4(3)"},{"name":"label","value":"IR-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.3_smt","name":"statement","prose":"Identify {{ insert: param, ir-04.03_odp.01 }} and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: {{ insert: param, ir-04.03_odp.02 }}."},{"id":"ir-4.3_gdn","name":"guidance","prose":"Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of [IR-4(5)](#ir-4.5)."},{"id":"ir-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)","class":"sp800-53a"}],"parts":[{"id":"ir-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.03_odp.01 }} are identified;"},{"id":"ir-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions."}]},{"id":"ir-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nlist of classes of incidents\n\nlist of appropriate incident response actions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement continuity of operations"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"label","value":"IR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(04)","class":"sp800-53a"}],"prose":"incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"id":"ir-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses"}]}]},{"id":"ir-4.5","class":"SP800-53-enhancement","title":"Automatic Disabling of System","params":[{"id":"ir-04.05_odp","props":[{"name":"alt-identifier","value":"ir-4.5_prm_1"},{"name":"label","value":"IR-04(05)_ODP","class":"sp800-53a"}],"label":"security violations","guidelines":[{"prose":"security violations that automatically disable a system are defined;"}]}],"props":[{"name":"label","value":"IR-4(5)"},{"name":"label","value":"IR-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.5_smt","name":"statement","prose":"Implement a configurable capability to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected."},{"id":"ir-4.5_gdn","name":"guidance","prose":"Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of [CP-2](#cp-2) or [IR-4(3)](#ir-4.3) . Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals."},{"id":"ir-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(05)","class":"sp800-53a"}],"prose":"a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected."},{"id":"ir-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nincident response plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ir-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization\n\nautomated mechanisms supporting and\/or implementing automatic disabling of the system"}]}]},{"id":"ir-4.6","class":"SP800-53-enhancement","title":"Insider Threats","props":[{"name":"label","value":"IR-4(6)"},{"name":"label","value":"IR-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.6_smt","name":"statement","prose":"Implement an incident handling capability for incidents involving insider threats."},{"id":"ir-4.6_gdn","name":"guidance","prose":"Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses."},{"id":"ir-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(06)","class":"sp800-53a"}],"prose":"an incident handling capability is implemented for incidents involving insider threats."},{"id":"ir-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-4.7","class":"SP800-53-enhancement","title":"Insider Threats — Intra-organization Coordination","params":[{"id":"ir-04.07_odp","props":[{"name":"alt-identifier","value":"ir-4.7_prm_1"},{"name":"label","value":"IR-04(07)_ODP","class":"sp800-53a"}],"label":"entities","guidelines":[{"prose":"entities that require coordination for an incident handling capability for insider threats are defined;"}]}],"props":[{"name":"label","value":"IR-4(7)"},{"name":"label","value":"IR-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.7_smt","name":"statement","prose":"Coordinate an incident handling capability for insider threats that includes the following organizational entities {{ insert: param, ir-04.07_odp }}."},{"id":"ir-4.7_gdn","name":"guidance","prose":"Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies."},{"id":"ir-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)","class":"sp800-53a"}],"parts":[{"id":"ir-4.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)[01]","class":"sp800-53a"}],"prose":"an incident handling capability is coordinated for insider threats;"},{"id":"ir-4.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)[02]","class":"sp800-53a"}],"prose":"the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}."}]},{"id":"ir-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ninsider threat program plan\n\ninsider threat CONOPS\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel\/elements with whom the incident handling capability is to be coordinated"}]},{"id":"ir-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for coordinating incident handling"}]}]},{"id":"ir-4.8","class":"SP800-53-enhancement","title":"Correlation with External Organizations","params":[{"id":"ir-04.08_odp.01","props":[{"name":"alt-identifier","value":"ir-4.8_prm_1"},{"name":"label","value":"IR-04(08)_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations with whom organizational incident information is to be coordinated and shared are defined;"}]},{"id":"ir-04.08_odp.02","props":[{"name":"alt-identifier","value":"ir-4.8_prm_2"},{"name":"label","value":"IR-04(08)_ODP[02]","class":"sp800-53a"}],"label":"incident information","guidelines":[{"prose":"incident information to be correlated and shared with organization-defined external organizations are defined;"}]}],"props":[{"name":"label","value":"IR-4(8)"},{"name":"label","value":"IR-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"ir-4.8_smt","name":"statement","prose":"Coordinate with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses."},{"id":"ir-4.8_gdn","name":"guidance","prose":"The coordination of incident information with external organizations—including mission or business partners, military or coalition partners, customers, and developers—can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage information from a variety of sources to effectively respond to incidents and breaches that could potentially affect the organization’s operations, assets, and individuals."},{"id":"ir-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(08)","class":"sp800-53a"}],"prose":"there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses."},{"id":"ir-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nlist of external organizations\n\nrecords of incident handling coordination with external organizations\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel from external organizations with whom incident response information is to be coordinated, shared, and correlated"}]},{"id":"ir-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for coordinating incident handling information with external organizations"}]}]},{"id":"ir-4.9","class":"SP800-53-enhancement","title":"Dynamic Response Capability","params":[{"id":"ir-04.09_odp","props":[{"name":"alt-identifier","value":"ir-4.9_prm_1"},{"name":"label","value":"IR-04(09)_ODP","class":"sp800-53a"}],"label":"dynamic response capabilities","guidelines":[{"prose":"dynamic response capabilities to be employed to respond to incidents are defined;"}]}],"props":[{"name":"label","value":"IR-4(9)"},{"name":"label","value":"IR-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.9_smt","name":"statement","prose":"Employ {{ insert: param, ir-04.09_odp }} to respond to incidents."},{"id":"ir-4.9_gdn","name":"guidance","prose":"The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level."},{"id":"ir-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(09)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.09_odp }} are employed to respond to incidents."},{"id":"ir-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting dynamic response capabilities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for dynamic response capability\n\nautomated mechanisms supporting and\/or implementing the dynamic response capability for the organization"}]}]},{"id":"ir-4.10","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-4(10)"},{"name":"label","value":"IR-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#ca-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-4.10_smt","name":"statement","prose":"Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain."},{"id":"ir-4.10_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or breaches that involve primary or sub-tier providers, information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements and their obligations for reporting incidents to government oversight bodies (e.g., Federal Acquisition Security Council)."},{"id":"ir-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(10)","class":"sp800-53a"}],"prose":"incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain."},{"id":"ir-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nincident response plans of other organization involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with mission and business responsibilities\n\norganizational personnel with legal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with acquisition responsibilities"}]}]},{"id":"ir-4.11","class":"SP800-53-enhancement","title":"Integrated Incident Response Team","params":[{"id":"ir-04.11_odp","props":[{"name":"alt-identifier","value":"ir-4.11_prm_1"},{"name":"label","value":"IR-04(11)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which an integrated incident response team can be deployed is defined;"}]}],"props":[{"name":"label","value":"IR-4(11)"},{"name":"label","value":"IR-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"ir-4.11_smt","name":"statement","prose":"Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."},{"id":"ir-4.11_gdn","name":"guidance","prose":"An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient."},{"id":"ir-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)","class":"sp800-53a"}],"parts":[{"id":"ir-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[01]","class":"sp800-53a"}],"prose":"an integrated incident response team is established and maintained;"},{"id":"ir-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[02]","class":"sp800-53a"}],"prose":"the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."}]},{"id":"ir-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team"}]}]},{"id":"ir-4.12","class":"SP800-53-enhancement","title":"Malicious Code and Forensic Analysis","props":[{"name":"label","value":"IR-4(12)"},{"name":"label","value":"IR-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.12_smt","name":"statement","prose":"Analyze malicious code and\/or other residual artifacts remaining in the system after the incident."},{"id":"ir-4.12_gdn","name":"guidance","prose":"When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents."},{"id":"ir-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)","class":"sp800-53a"}],"parts":[{"id":"ir-4.12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)[01]","class":"sp800-53a"}],"prose":"malicious code remaining in the system is analyzed after the incident;"},{"id":"ir-4.12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)[02]","class":"sp800-53a"}],"prose":"other residual artifacts remaining in the system (if any) are analyzed after the incident."}]},{"id":"ir-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing code and forensic analysis\n\nprocedures addressing incident response\n\nincident response plan\n\nsystem design documentation\n\nmalicious code protection mechanisms, tools, and techniques\n\nresults from malicious code analyses\n\nsystem security plan\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ir-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel responsible for incident response\/management"}]},{"id":"ir-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for incident response\n\norganizational processes for conducting forensic analysis\n\ntools and techniques for analysis of malicious code characteristics and behavior"}]}]},{"id":"ir-4.13","class":"SP800-53-enhancement","title":"Behavior Analysis","params":[{"id":"ir-04.13_odp","props":[{"name":"alt-identifier","value":"ir-4.13_prm_1"},{"name":"label","value":"IR-04(13)_ODP","class":"sp800-53a"}],"label":"environments or resources","guidelines":[{"prose":"environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;"}]}],"props":[{"name":"label","value":"IR-4(13)"},{"name":"label","value":"IR-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.13_smt","name":"statement","prose":"Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }}."},{"id":"ir-4.13_gdn","name":"guidance","prose":"If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight."},{"id":"ir-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(13)","class":"sp800-53a"}],"prose":"anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed."},{"id":"ir-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing system monitoring tools and techniques\n\nincident response plan\n\nsystem monitoring logs or records\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem component inventory\n\nnetwork diagram\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ir-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detecting anomalous behavior"}]}]},{"id":"ir-4.14","class":"SP800-53-enhancement","title":"Security Operations Center","props":[{"name":"label","value":"IR-4(14)"},{"name":"label","value":"IR-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.14_smt","name":"statement","prose":"Establish and maintain a security operations center."},{"id":"ir-4.14_gdn","name":"guidance","prose":"A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The organization staffs the SOC with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defenses, network devices (e.g., routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability."},{"id":"ir-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)","class":"sp800-53a"}],"parts":[{"id":"ir-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)[01]","class":"sp800-53a"}],"prose":"a security operations center is established;"},{"id":"ir-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)[02]","class":"sp800-53a"}],"prose":"a security operations center is maintained."}]},{"id":"ir-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nprocedures addressing the security operations center operations\n\nmechanisms supporting dynamic response capabilities\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\nsecurity operations center personnel\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement the security operations center capability\n\nmechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.15","class":"SP800-53-enhancement","title":"Public Relations and Reputation Repair","props":[{"name":"label","value":"IR-4(15)"},{"name":"label","value":"IR-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.15_smt","name":"statement","parts":[{"id":"ir-4.15_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Manage public relations associated with an incident; and"},{"id":"ir-4.15_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ measures to repair the reputation of the organization."}]},{"id":"ir-4.15_gdn","name":"guidance","prose":"It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public, have cast the organization in a negative light, or have affected the organization’s constituents (e.g., partners, customers). Such publicity can be extremely harmful to the organization and affect its ability to carry out its mission and business functions. Taking proactive steps to repair the organization’s reputation is an essential aspect of reestablishing the trust and confidence of its constituents."},{"id":"ir-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)","class":"sp800-53a"}],"parts":[{"id":"ir-4.15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)(a)","class":"sp800-53a"}],"prose":"public relations associated with an incident are managed;"},{"id":"ir-4.15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)(b)","class":"sp800-53a"}],"prose":"measures are employed to repair the reputation of the organization."}]},{"id":"ir-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing incident handling\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with communications or public relations responsibilities"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;"},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented."}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking, Data Collection, and Analysis","params":[{"id":"ir-5.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ir-05.01_odp.01","props":[{"name":"label","value":"IR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to track incidents are defined;"}]},{"id":"ir-05.01_odp.02","props":[{"name":"label","value":"IR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to collect incident information are defined;"}]},{"id":"ir-05.01_odp.03","props":[{"name":"label","value":"IR-05(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to analyze incident information are defined;"}]}],"props":[{"name":"label","value":"IR-5(1)"},{"name":"label","value":"IR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-5","rel":"required"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices."},{"id":"ir-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)","class":"sp800-53a"}],"parts":[{"id":"ir-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[01]","class":"sp800-53a"}],"prose":"incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};"},{"id":"ir-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[02]","class":"sp800-53a"}],"prose":"incident information is collected using {{ insert: param, ir-05.01_odp.02 }};"},{"id":"ir-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[03]","class":"sp800-53a"}],"prose":"incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}."}]},{"id":"ir-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records"}]},{"id":"ir-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.2","class":"SP800-53-enhancement","title":"Vulnerabilities Related to Incidents","params":[{"id":"ir-06.02_odp","props":[{"name":"alt-identifier","value":"ir-6.2_prm_1"},{"name":"label","value":"IR-06(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system vulnerabilities associated with reported incidents are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"IR-6(2)"},{"name":"label","value":"IR-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"}],"parts":[{"id":"ir-6.2_smt","name":"statement","prose":"Report system vulnerabilities associated with reported incidents to {{ insert: param, ir-06.02_odp }}."},{"id":"ir-6.2_gdn","name":"guidance","prose":"Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability."},{"id":"ir-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(02)","class":"sp800-53a"}],"prose":"system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}."},{"id":"ir-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nsecurity incident reports and associated system vulnerabilities\n\nother relevant documents or records"}]},{"id":"ir-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\npersonnel to whom vulnerabilities associated with security incidents are to be reported"}]},{"id":"ir-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing the reporting of vulnerabilities associated with security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;"},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]},{"id":"ir-7.2","class":"SP800-53-enhancement","title":"Coordination with External Providers","props":[{"name":"label","value":"IR-7(2)"},{"name":"label","value":"IR-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.2_smt","name":"statement","parts":[{"id":"ir-7.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and"},{"id":"ir-7.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Identify organizational incident response team members to the external providers."}]},{"id":"ir-7.2_gdn","name":"guidance","prose":"External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs."},{"id":"ir-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)","class":"sp800-53a"}],"parts":[{"id":"ir-7.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)(a)","class":"sp800-53a"}],"prose":"a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;"},{"id":"ir-7.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)(b)","class":"sp800-53a"}],"prose":"organizational incident response team members are identified to the external providers."}]},{"id":"ir-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\nexternal providers of system protection capability\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;"},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;"},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;"},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;"},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification."}]}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}],"controls":[{"id":"ir-8.1","class":"SP800-53-enhancement","title":"Breaches","props":[{"name":"label","value":"IR-8(1)"},{"name":"label","value":"IR-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-8","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ir-8.1_smt","name":"statement","prose":"Include the following in the Incident Response Plan for breaches involving personally identifiable information:","parts":[{"id":"ir-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and"},{"id":"ir-8.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Identification of applicable privacy requirements."}]},{"id":"ir-8.1_gdn","name":"guidance","prose":"Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements."},{"id":"ir-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)","class":"sp800-53a"}],"parts":[{"id":"ir-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(a)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(b)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;"},{"id":"ir-8.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(c)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements."}]},{"id":"ir-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ir-9","class":"SP800-53","title":"Information Spillage Response","params":[{"id":"ir-09_odp.01","props":[{"name":"alt-identifier","value":"ir-9_prm_1"},{"name":"label","value":"IR-09_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles assigned the responsibility for responding to information spills is\/are defined;"}]},{"id":"ir-09_odp.02","props":[{"name":"alt-identifier","value":"ir-9_prm_2"},{"name":"label","value":"IR-09_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is\/are defined;"}]},{"id":"ir-09_odp.03","props":[{"name":"alt-identifier","value":"ir-9_prm_3"},{"name":"label","value":"IR-09_ODP[03]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be performed are defined;"}]}],"props":[{"name":"label","value":"IR-9"},{"name":"label","value":"IR-09","class":"sp800-53a"},{"name":"sort-id","value":"ir-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#pm-27","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ir-9_smt","name":"statement","prose":"Respond to information spills by:","parts":[{"id":"ir-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;"},{"id":"ir-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifying the specific information involved in the system contamination;"},{"id":"ir-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;"},{"id":"ir-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Isolating the contaminated system or system component;"},{"id":"ir-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Eradicating the information from the contaminated system or component;"},{"id":"ir-9_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identifying other systems or system components that may have been subsequently contaminated; and"},{"id":"ir-9_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}."}]},{"id":"ir-9_gdn","name":"guidance","prose":"Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated."},{"id":"ir-9_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09","class":"sp800-53a"}],"parts":[{"id":"ir-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-09a.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.01 }} is\/are assigned the responsibility to respond to information spills;"},{"id":"ir-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-09b.","class":"sp800-53a"}],"prose":"the specific information involved in the system contamination is identified in response to information spills;"},{"id":"ir-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-09c.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.02 }} is\/are alerted of the information spill using a method of communication not associated with the spill;"},{"id":"ir-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-09d.","class":"sp800-53a"}],"prose":"the contaminated system or system component is isolated in response to information spills;"},{"id":"ir-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-09e.","class":"sp800-53a"}],"prose":"the information is eradicated from the contaminated system or component in response to information spills;"},{"id":"ir-9_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IR-09f.","class":"sp800-53a"}],"prose":"other systems or system components that may have been subsequently contaminated are identified in response to information spills;"},{"id":"ir-9_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IR-09g.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.03 }} are performed in response to information spills."}]},{"id":"ir-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts\/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records"}]},{"id":"ir-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information spillage response\n\nmechanisms supporting and\/or implementing information spillage response actions and related communications"}]}],"controls":[{"id":"ir-9.1","class":"SP800-53-enhancement","title":"Responsible Personnel","props":[{"name":"label","value":"IR-9(1)"},{"name":"label","value":"IR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ir-9","rel":"incorporated-into"}]},{"id":"ir-9.2","class":"SP800-53-enhancement","title":"Training","params":[{"id":"ir-09.02_odp","props":[{"name":"alt-identifier","value":"ir-9.2_prm_1"},{"name":"label","value":"IR-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide information spillage response training is defined;"}]}],"props":[{"name":"label","value":"IR-9(2)"},{"name":"label","value":"IR-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"}],"parts":[{"id":"ir-9.2_smt","name":"statement","prose":"Provide information spillage response training {{ insert: param, ir-09.02_odp }}."},{"id":"ir-9.2_gdn","name":"guidance","prose":"Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur."},{"id":"ir-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(02)","class":"sp800-53a"}],"prose":"information spillage response training is provided {{ insert: param, ir-09.02_odp }}."},{"id":"ir-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records"}]},{"id":"ir-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.3","class":"SP800-53-enhancement","title":"Post-spill Operations","params":[{"id":"ir-09.03_odp","props":[{"name":"alt-identifier","value":"ir-9.3_prm_1"},{"name":"label","value":"IR-09(03)_ODP","class":"sp800-53a"}],"label":"procedures","guidelines":[{"prose":"procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;"}]}],"props":[{"name":"label","value":"IR-9(3)"},{"name":"label","value":"IR-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"}],"parts":[{"id":"ir-9.3_smt","name":"statement","prose":"Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}."},{"id":"ir-9.3_gdn","name":"guidance","prose":"Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business."},{"id":"ir-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions."},{"id":"ir-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-spill operations"}]}]},{"id":"ir-9.4","class":"SP800-53-enhancement","title":"Exposure to Unauthorized Personnel","params":[{"id":"ir-09.04_odp","props":[{"name":"alt-identifier","value":"ir-9.4_prm_1"},{"name":"label","value":"IR-09(04)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls employed for personnel exposed to information not within assigned access authorizations are defined;"}]}],"props":[{"name":"label","value":"IR-9(4)"},{"name":"label","value":"IR-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"}],"parts":[{"id":"ir-9.4_smt","name":"statement","prose":"Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}."},{"id":"ir-9.4_gdn","name":"guidance","prose":"Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information."},{"id":"ir-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(04)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations."},{"id":"ir-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage\/exposure to unauthorized personnel\n\nother relevant documents or records"}]},{"id":"ir-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and\/or implementing safeguards for personnel exposed to information not within assigned access authorizations"}]}]}]},{"id":"ir-10","class":"SP800-53","title":"Integrated Information Security Analysis Team","props":[{"name":"label","value":"IR-10"},{"name":"label","value":"IR-10","class":"sp800-53a"},{"name":"sort-id","value":"ir-10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ir-4.11","rel":"moved-to"}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;"},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."}]}]}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}],"controls":[{"id":"ma-2.1","class":"SP800-53-enhancement","title":"Record Content","props":[{"name":"label","value":"MA-2(1)"},{"name":"label","value":"MA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-2","rel":"incorporated-into"}]},{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","params":[{"id":"ma-2.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ma-02.02_odp.01","props":[{"name":"label","value":"MA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.02","props":[{"name":"label","value":"MA-02(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.03","props":[{"name":"label","value":"MA-02(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;"}]}],"props":[{"name":"label","value":"MA-2(2)"},{"name":"label","value":"MA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"required"},{"href":"#ma-3","rel":"related"}],"parts":[{"id":"ma-2.2_smt","name":"statement","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","prose":"The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records."},{"id":"ma-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;"},{"id":"ma-2.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;"},{"id":"ma-2.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;"}]},{"id":"ma-2.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[01]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced."},{"id":"ma-2.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[02]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced."},{"id":"ma-2.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[03]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced."}]}]},{"id":"ma-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing the production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;"},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;"},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system."},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]},{"id":"ma-3.4","class":"SP800-53-enhancement","title":"Restricted Tool Use","props":[{"name":"label","value":"MA-3(4)"},{"name":"label","value":"MA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.4_smt","name":"statement","prose":"Restrict the use of maintenance tools to authorized personnel only."},{"id":"ma-3.4_gdn","name":"guidance","prose":"Restricting the use of maintenance tools to only authorized personnel applies to systems that are used to carry out maintenance functions."},{"id":"ma-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(04)","class":"sp800-53a"}],"prose":"the use of maintenance tools is restricted to authorized personnel only."},{"id":"ma-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting the use of maintenance tools\n\nmechanisms supporting and\/or implementing the restricted use of maintenance tools"}]}]},{"id":"ma-3.5","class":"SP800-53-enhancement","title":"Execution with Privilege","props":[{"name":"label","value":"MA-3(5)"},{"name":"label","value":"MA-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.5_smt","name":"statement","prose":"Monitor the use of maintenance tools that execute with increased privilege."},{"id":"ma-3.5_gdn","name":"guidance","prose":"Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible."},{"id":"ma-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(05)","class":"sp800-53a"}],"prose":"the use of maintenance tools that execute with increased privilege is monitored."},{"id":"ma-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting the use of maintenance tools\n\norganizational process for monitoring maintenance tools and maintenance tool usage\n\nmechanisms monitoring the use of maintenance tools"}]}]},{"id":"ma-3.6","class":"SP800-53-enhancement","title":"Software Updates and Patches","props":[{"name":"label","value":"MA-3(6)"},{"name":"label","value":"MA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.6_smt","name":"statement","prose":"Inspect maintenance tools to ensure the latest software updates and patches are installed."},{"id":"ma-3.6_gdn","name":"guidance","prose":"Maintenance tools using outdated and\/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations."},{"id":"ma-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(06)","class":"sp800-53a"}],"prose":"maintenance tools are inspected to ensure that the latest software updates and patches are installed."},{"id":"ma-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\norganizational processes for maintenance tools updates\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools\n\nmechanisms supporting and\/or implementing maintenance tool updates."}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;"},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;"},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;"},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed."}]}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.1","class":"SP800-53-enhancement","title":"Logging and Review","params":[{"id":"ma-4.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-04.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-04.01_odp.02"}],"label":"organization-defined audit events"},{"id":"ma-04.01_odp.01","props":[{"name":"label","value":"MA-04(01)_ODP[01]","class":"sp800-53a"}],"label":"audit events","guidelines":[{"prose":"audit events to be logged for nonlocal maintenance are defined;"}]},{"id":"ma-04.01_odp.02","props":[{"name":"label","value":"MA-04(01)_ODP[02]","class":"sp800-53a"}],"label":"audit events","guidelines":[{"prose":"audit events to be logged for diagnostic sessions are defined;"}]}],"props":[{"name":"label","value":"MA-4(1)"},{"name":"label","value":"MA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ma-4.1_smt","name":"statement","parts":[{"id":"ma-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Log {{ insert: param, ma-4.1_prm_1 }} for nonlocal maintenance and diagnostic sessions; and"},{"id":"ma-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior."}]},{"id":"ma-4.1_gdn","name":"guidance","prose":"Audit logging for nonlocal maintenance is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ma-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;"},{"id":"ma-4.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;"}]},{"id":"ma-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)[01]","class":"sp800-53a"}],"prose":"the audit records of the maintenance sessions are reviewed to detect anomalous behavior;"},{"id":"ma-4.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)[02]","class":"sp800-53a"}],"prose":"the audit records of the diagnostic sessions are reviewed to detect anomalous behavior."}]}]},{"id":"ma-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nlist of audit events\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nreviews of maintenance and diagnostic session records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with audit and review responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for audit and review of nonlocal maintenance\n\nmechanisms supporting and\/or implementing audit and review of nonlocal maintenance"}]}]},{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"label","value":"MA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-1","rel":"incorporated-into"},{"href":"#ma-4","rel":"incorporated-into"}]},{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security and Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"label","value":"MA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-4.3_smt","name":"statement","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced."},{"id":"ma-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;"},{"id":"ma-4.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[02]","class":"sp800-53a"}],"prose":"nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"}]},{"id":"ma-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[01]","class":"sp800-53a"}],"prose":"the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;"},{"id":"ma-4.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[02]","class":"sp800-53a"}],"prose":"the component to be serviced is sanitized (for organizational information);"},{"id":"ma-4.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[03]","class":"sp800-53a"}],"prose":"the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system."}]}]},{"id":"ma-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and\/or implementing component sanitization and inspection"}]}]},{"id":"ma-4.4","class":"SP800-53-enhancement","title":"Authentication and Separation of Maintenance Sessions","params":[{"id":"ma-04.04_odp","props":[{"name":"alt-identifier","value":"ma-4.4_prm_1"},{"name":"label","value":"MA-04(04)_ODP","class":"sp800-53a"}],"label":"authenticators that are replay resistant","guidelines":[{"prose":"authenticators that are replay resistant are defined;"}]}],"props":[{"name":"label","value":"MA-4(4)"},{"name":"label","value":"MA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"}],"parts":[{"id":"ma-4.4_smt","name":"statement","prose":"Protect nonlocal maintenance sessions by:","parts":[{"id":"ma-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employing {{ insert: param, ma-04.04_odp }} ; and"},{"id":"ma-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Separating the maintenance sessions from other network sessions with the system by either:","parts":[{"id":"ma-4.4_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Physically separated communications paths; or"},{"id":"ma-4.4_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Logically separated communications paths."}]}]},{"id":"ma-4.4_gdn","name":"guidance","prose":"Communications paths can be logically separated using encryption."},{"id":"ma-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)","class":"sp800-53a"}],"parts":[{"id":"ma-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(a)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};"},{"id":"ma-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.4_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)(01)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or"},{"id":"ma-4.4_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)(02)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by logically separated communication paths."}]}]},{"id":"ma-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting nonlocal maintenance sessions\n\nmechanisms implementing replay-resistant authenticators\n\nmechanisms implementing logically separated\/encrypted communication paths"}]}]},{"id":"ma-4.5","class":"SP800-53-enhancement","title":"Approvals and Notifications","params":[{"id":"ma-04.05_odp.01","props":[{"name":"alt-identifier","value":"ma-4.5_prm_1"},{"name":"label","value":"MA-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve each nonlocal maintenance session is\/are defined;"}]},{"id":"ma-04.05_odp.02","props":[{"name":"alt-identifier","value":"ma-4.5_prm_2"},{"name":"alt-label","value":"personnel or roles","class":"sp800-53"},{"name":"label","value":"MA-04(05)_ODP[02]","class":"sp800-53a"}],"label":"personnel and roles","guidelines":[{"prose":"personnel and roles to be notified of the date and time of planned nonlocal maintenance is\/are defined;"}]}],"props":[{"name":"label","value":"MA-4(5)"},{"name":"label","value":"MA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"}],"parts":[{"id":"ma-4.5_smt","name":"statement","parts":[{"id":"ma-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require the approval of each nonlocal maintenance session by {{ insert: param, ma-04.05_odp.01 }} ; and"},{"id":"ma-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify the following personnel or roles of the date and time of planned nonlocal maintenance: {{ insert: param, ma-04.05_odp.02 }}."}]},{"id":"ma-4.5_gdn","name":"guidance","prose":"Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance."},{"id":"ma-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)","class":"sp800-53a"}],"parts":[{"id":"ma-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)(a)","class":"sp800-53a"}],"prose":"the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};"},{"id":"ma-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.05_odp.02 }} is\/are notified of the date and time of planned nonlocal maintenance."}]},{"id":"ma-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nnotifications supporting nonlocal maintenance sessions\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with notification responsibilities\n\norganizational personnel with approval responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving and notifying personnel regarding nonlocal maintenance\n\nmechanisms supporting the notification and approval of nonlocal maintenance"}]}]},{"id":"ma-4.6","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"ma-04.06_odp","props":[{"name":"alt-identifier","value":"ma-4.6_prm_1"},{"name":"label","value":"MA-04(06)_ODP","class":"sp800-53a"}],"label":"cryptographic mechanisms","guidelines":[{"prose":"cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;"}]}],"props":[{"name":"label","value":"MA-4(6)"},{"name":"label","value":"MA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ma-4.6_smt","name":"statement","prose":"Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: {{ insert: param, ma-04.06_odp }}."},{"id":"ma-4.6_gdn","name":"guidance","prose":"Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities."},{"id":"ma-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)","class":"sp800-53a"}],"parts":[{"id":"ma-4.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;"},{"id":"ma-4.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications."}]},{"id":"ma-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications"}]}]},{"id":"ma-4.7","class":"SP800-53-enhancement","title":"Disconnect Verification","props":[{"name":"label","value":"MA-4(7)"},{"name":"label","value":"MA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#ac-12","rel":"related"}],"parts":[{"id":"ma-4.7_smt","name":"statement","prose":"Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions."},{"id":"ma-4.7_gdn","name":"guidance","prose":"Verifying the termination of a connection once maintenance is completed ensures that connections established during nonlocal maintenance and diagnostic sessions have been terminated and are no longer available for use."},{"id":"ma-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)","class":"sp800-53a"}],"parts":[{"id":"ma-4.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)[01]","class":"sp800-53a"}],"prose":"session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)[02]","class":"sp800-53a"}],"prose":"network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions."}]},{"id":"ma-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsession\/network termination logs\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;"},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;"},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","params":[{"id":"ma-05.01_odp","props":[{"name":"alt-identifier","value":"ma-5.1_prm_1"},{"name":"label","value":"MA-05(01)_ODP","class":"sp800-53a"}],"label":"alternate controls","guidelines":[{"prose":"alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;"}]}],"props":[{"name":"label","value":"MA-5(1)"},{"name":"label","value":"MA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ma-5.1_smt","name":"statement","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems."},{"id":"ma-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(01)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;"},{"id":"ma-5.1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(02)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;"}]},{"id":"ma-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and\/or implementing alternative security safeguards\n\nmechanisms supporting and\/or implementing information storage component sanitization"}]}]},{"id":"ma-5.2","class":"SP800-53-enhancement","title":"Security Clearances for Classified Systems","props":[{"name":"label","value":"MA-5(2)"},{"name":"label","value":"MA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.2_smt","name":"statement","prose":"Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system."},{"id":"ma-5.2_gdn","name":"guidance","prose":"Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel that are cleared (i.e., possess security clearances) to the classification level of the information stored on the system."},{"id":"ma-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ma-5.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)[01]","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;"},{"id":"ma-5.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)[02]","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system."}]},{"id":"ma-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing security clearances for maintenance personnel"}]}]},{"id":"ma-5.3","class":"SP800-53-enhancement","title":"Citizenship Requirements for Classified Systems","props":[{"name":"label","value":"MA-5(3)"},{"name":"label","value":"MA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.3_smt","name":"statement","prose":"Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens."},{"id":"ma-5.3_gdn","name":"guidance","prose":"Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. If access to classified information on organizational systems is restricted to U.S. citizens, the same restriction is applied to personnel performing maintenance on those systems."},{"id":"ma-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(03)","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens."},{"id":"ma-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-5.4","class":"SP800-53-enhancement","title":"Foreign Nationals","props":[{"name":"label","value":"MA-5(4)"},{"name":"label","value":"MA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.4_smt","name":"statement","prose":"Ensure that:","parts":[{"id":"ma-5.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and"},{"id":"ma-5.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements."}]},{"id":"ma-5.4_gdn","name":"guidance","prose":"Personnel who conduct maintenance and diagnostic activities on organizational systems may be exposed to classified information. If non-U.S. citizens are permitted to perform maintenance and diagnostics activities on classified systems, then additional vetting is required to ensure agreements and restrictions are not being violated."},{"id":"ma-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ma-5.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(a)","class":"sp800-53a"}],"prose":"foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;"},{"id":"ma-5.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-5.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[01]","class":"sp800-53a"}],"prose":"approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;"},{"id":"ma-5.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[02]","class":"sp800-53a"}],"prose":"consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;"},{"id":"ma-5.4_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[03]","class":"sp800-53a"}],"prose":"detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements."}]}]},{"id":"ma-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmemorandum of agreement\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities, organizational personnel with personnel security responsibilities\n\norganizational personnel managing memoranda of agreements\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing foreign national maintenance personnel"}]}]},{"id":"ma-5.5","class":"SP800-53-enhancement","title":"Non-system Maintenance","props":[{"name":"label","value":"MA-5(5)"},{"name":"label","value":"MA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"}],"parts":[{"id":"ma-5.5_smt","name":"statement","prose":"Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations."},{"id":"ma-5.5_gdn","name":"guidance","prose":"Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel."},{"id":"ma-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(05)","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations."},{"id":"ma-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmaintenance records\n\naccess control records\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}],"controls":[{"id":"ma-6.1","class":"SP800-53-enhancement","title":"Preventive Maintenance","params":[{"id":"ma-06.01_odp.01","props":[{"name":"alt-identifier","value":"ma-6.1_prm_1"},{"name":"label","value":"MA-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which preventive maintenance is to be performed are defined;"}]},{"id":"ma-06.01_odp.02","props":[{"name":"alt-identifier","value":"ma-6.1_prm_2"},{"name":"label","value":"MA-06(01)_ODP[02]","class":"sp800-53a"}],"label":"time intervals","guidelines":[{"prose":"time intervals within which preventive maintenance is to be performed on system components are defined;"}]}],"props":[{"name":"label","value":"MA-6(1)"},{"name":"label","value":"MA-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.1_smt","name":"statement","prose":"Perform preventive maintenance on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}."},{"id":"ma-6.1_gdn","name":"guidance","prose":"Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail. Methods of determining what preventive (or other) failure management policies to apply include original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications."},{"id":"ma-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(01)","class":"sp800-53a"}],"prose":"preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}."},{"id":"ma-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring preventive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for preventive maintenance\n\nmechanisms supporting and\/or implementing preventive maintenance"}]}]},{"id":"ma-6.2","class":"SP800-53-enhancement","title":"Predictive Maintenance","params":[{"id":"ma-06.02_odp.01","props":[{"name":"alt-identifier","value":"ma-6.2_prm_1"},{"name":"label","value":"MA-06(02)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which predictive maintenance is to be performed are defined;"}]},{"id":"ma-06.02_odp.02","props":[{"name":"alt-identifier","value":"ma-6.2_prm_2"},{"name":"label","value":"MA-06(02)_ODP[02]","class":"sp800-53a"}],"label":"time intervals","guidelines":[{"prose":"time intervals within which predictive maintenance is to be performed are defined;"}]}],"props":[{"name":"label","value":"MA-6(2)"},{"name":"label","value":"MA-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.2_smt","name":"statement","prose":"Perform predictive maintenance on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}."},{"id":"ma-6.2_gdn","name":"guidance","prose":"Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability."},{"id":"ma-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(02)","class":"sp800-53a"}],"prose":"predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}."},{"id":"ma-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for predictive maintenance\n\nmechanisms supporting and\/or implementing predictive maintenance"}]}]},{"id":"ma-6.3","class":"SP800-53-enhancement","title":"Automated Support for Predictive Maintenance","params":[{"id":"ma-06.03_odp","props":[{"name":"alt-identifier","value":"ma-6.3_prm_1"},{"name":"label","value":"MA-06(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;"}]}],"props":[{"name":"label","value":"MA-6(3)"},{"name":"label","value":"MA-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.3_smt","name":"statement","prose":"Transfer predictive maintenance data to a maintenance management system using {{ insert: param, ma-06.03_odp }}."},{"id":"ma-6.3_gdn","name":"guidance","prose":"A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting."},{"id":"ma-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(03)","class":"sp800-53a"}],"prose":"predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}."},{"id":"ma-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing the transfer of predictive maintenance data to a computerized maintenance management system\n\noperations of the computer maintenance management system"}]}]}]},{"id":"ma-7","class":"SP800-53","title":"Field Maintenance","params":[{"id":"ma-07_odp.01","props":[{"name":"alt-identifier","value":"ma-7_prm_1"},{"name":"label","value":"MA-07_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined;"}]},{"id":"ma-07_odp.02","props":[{"name":"alt-identifier","value":"ma-7_prm_2"},{"name":"label","value":"MA-07_ODP[02]","class":"sp800-53a"}],"label":"trusted maintenance facilities","guidelines":[{"prose":"trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;"}]}],"props":[{"name":"label","value":"MA-7"},{"name":"label","value":"MA-07","class":"sp800-53a"},{"name":"sort-id","value":"ma-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"}],"parts":[{"id":"ma-7_smt","name":"statement","prose":"Restrict or prohibit field maintenance on {{ insert: param, ma-07_odp.01 }} to {{ insert: param, ma-07_odp.02 }}."},{"id":"ma-7_gdn","name":"guidance","prose":"Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls."},{"id":"ma-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-07","class":"sp800-53a"}],"prose":"field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}."},{"id":"ma-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing field maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records."}]},{"id":"ma-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing field maintenance\n\nmechanisms implementing, supporting, and\/or managing field maintenance\n\nmechanisms for strong authentication of field maintenance diagnostic sessions\n\nmechanisms for terminating field maintenance sessions and network connections"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;"},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."}]}]}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}],"controls":[{"id":"mp-2.1","class":"SP800-53-enhancement","title":"Automated Restricted Access","props":[{"name":"label","value":"MP-2(1)"},{"name":"label","value":"MP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-4.2","rel":"incorporated-into"}]},{"id":"mp-2.2","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-2(2)"},{"name":"label","value":"MP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":"{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.01 }} are physically controlled;"},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.02 }} are physically controlled;"},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}],"controls":[{"id":"mp-4.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-4(1)"},{"name":"label","value":"MP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-04.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]},{"id":"mp-4.2","class":"SP800-53-enhancement","title":"Automated Restricted Access","params":[{"id":"mp-4.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"mp-04.02_odp.01","props":[{"name":"label","value":"MP-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to restrict access to media storage areas are defined;"}]},{"id":"mp-04.02_odp.02","props":[{"name":"label","value":"MP-04(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to log access attempts to media storage areas are defined;"}]},{"id":"mp-04.02_odp.03","props":[{"name":"label","value":"MP-04(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to log access granted to media storage areas are defined;"}]}],"props":[{"name":"label","value":"MP-4(2)"},{"name":"label","value":"MP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-4","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"mp-4.2_smt","name":"statement","prose":"Restrict access to media storage areas and log access attempts and access granted using {{ insert: param, mp-4.2_prm_1 }}."},{"id":"mp-4.2_gdn","name":"guidance","prose":"Automated mechanisms include keypads, biometric readers, or card readers on the external entries to media storage areas."},{"id":"mp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)","class":"sp800-53a"}],"parts":[{"id":"mp-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[01]","class":"sp800-53a"}],"prose":"access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};"},{"id":"mp-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[02]","class":"sp800-53a"}],"prose":"access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};"},{"id":"mp-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[03]","class":"sp800-53a"}],"prose":"access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}."}]},{"id":"mp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmedia storage facilities\n\naccess control devices\n\naccess control records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms restricting access to media storage areas\n\nautomated mechanisms auditing access attempts and access granted to media storage areas"}]}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;"},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;"},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;"},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel."}]}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.1","class":"SP800-53-enhancement","title":"Protection Outside of Controlled Areas","props":[{"name":"label","value":"MP-5(1)"},{"name":"label","value":"MP-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-5","rel":"incorporated-into"}]},{"id":"mp-5.2","class":"SP800-53-enhancement","title":"Documentation of Activities","props":[{"name":"label","value":"MP-5(2)"},{"name":"label","value":"MP-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-5","rel":"incorporated-into"}]},{"id":"mp-5.3","class":"SP800-53-enhancement","title":"Custodians","props":[{"name":"label","value":"MP-5(3)"},{"name":"label","value":"MP-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-5","rel":"required"}],"parts":[{"id":"mp-5.3_smt","name":"statement","prose":"Employ an identified custodian during transport of system media outside of controlled areas."},{"id":"mp-5.3_gdn","name":"guidance","prose":"Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified."},{"id":"mp-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)","class":"sp800-53a"}],"parts":[{"id":"mp-5.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)[01]","class":"sp800-53a"}],"prose":"a custodian to transport system media outside of controlled areas is identified;"},{"id":"mp-5.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)[02]","class":"sp800-53a"}],"prose":"the identified custodian is employed during the transport of system media outside of controlled areas."}]},{"id":"mp-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media transport\n\nphysical and environmental protection policy and procedures\n\nsystem media transport records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and employing a custodian to transport media outside of controlled areas"}]}]},{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"label","value":"MP-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review, Approve, Track, Document, and Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"label","value":"MP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"Review, approve, track, document, and verify media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal."},{"id":"mp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)","class":"sp800-53a"}],"parts":[{"id":"mp-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[01]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are reviewed;"},{"id":"mp-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[02]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are approved;"},{"id":"mp-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[03]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are tracked;"},{"id":"mp-6.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[04]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are documented;"},{"id":"mp-6.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[05]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are verified."}]},{"id":"mp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing verification of media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-06.02_odp.01","props":[{"name":"label","value":"MP-06(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization equipment is defined;"}]},{"id":"mp-06.02_odp.02","props":[{"name":"label","value":"MP-06(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization procedures is defined;"}]}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"label","value":"MP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers."},{"id":"mp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)","class":"sp800-53a"}],"parts":[{"id":"mp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[01]","class":"sp800-53a"}],"prose":"sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;"},{"id":"mp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[02]","class":"sp800-53a"}],"prose":"sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved."}]},{"id":"mp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"mp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization procedures\n\nsanitization equipment"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-06.03_odp","props":[{"name":"alt-identifier","value":"mp-6.3_prm_1"},{"name":"alt-label","value":"circumstances requiring sanitization of portable storage devices","class":"sp800-53"},{"name":"label","value":"MP-06(03)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring sanitization of portable storage devices are defined;"}]}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"label","value":"MP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices."},{"id":"mp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(03)","class":"sp800-53a"}],"prose":"non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.4","class":"SP800-53-enhancement","title":"Controlled Unclassified Information","props":[{"name":"label","value":"MP-6(4)"},{"name":"label","value":"MP-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.5","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"MP-6(5)"},{"name":"label","value":"MP-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.6","class":"SP800-53-enhancement","title":"Media Destruction","props":[{"name":"label","value":"MP-6(6)"},{"name":"label","value":"MP-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.7","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"mp-06.07_odp","props":[{"name":"alt-identifier","value":"mp-6.7_prm_1"},{"name":"label","value":"MP-06(07)_ODP","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized using dual authorization is defined;"}]}],"props":[{"name":"label","value":"MP-6(7)"},{"name":"label","value":"MP-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#mp-2","rel":"related"}],"parts":[{"id":"mp-6.7_smt","name":"statement","prose":"Enforce dual authorization for the sanitization of {{ insert: param, mp-06.07_odp }}."},{"id":"mp-6.7_gdn","name":"guidance","prose":"Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals."},{"id":"mp-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(07)","class":"sp800-53a"}],"prose":"dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced."},{"id":"mp-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ndual authorization policy and procedures\n\nlist of system media requiring dual authorization for sanitization\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes requiring dual authorization for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing dual authorization"}]}]},{"id":"mp-6.8","class":"SP800-53-enhancement","title":"Remote Purging or Wiping of Information","params":[{"id":"mp-06.08_odp.01","props":[{"name":"alt-identifier","value":"mp-6.8_prm_1"},{"name":"label","value":"MP-06(08)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components to purge or wipe information either remotely or under specific conditions are defined;"}]},{"id":"mp-06.08_odp.02","props":[{"name":"alt-identifier","value":"mp-6.8_prm_2"},{"name":"label","value":"MP-06(08)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["remotely","under {{ insert: param, mp-06.08_odp.03 }} "]}},{"id":"mp-06.08_odp.03","props":[{"name":"alt-identifier","value":"mp-6.8_prm_3"},{"name":"label","value":"MP-06(08)_ODP[03]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which information is to be purged or wiped are defined (if selected);"}]}],"props":[{"name":"label","value":"MP-6(8)"},{"name":"label","value":"MP-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.8_smt","name":"statement","prose":"Provide the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }}."},{"id":"mp-6.8_gdn","name":"guidance","prose":"Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be implemented in a variety of ways, including by overwriting data or information multiple times or by destroying the key necessary to decrypt encrypted data."},{"id":"mp-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(08)","class":"sp800-53a"}],"prose":"the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided."},{"id":"mp-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for purging\/wiping media\n\nmechanisms supporting and\/or implementing purge\/wipe capabilities"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"label","value":"MP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"mp-7.2","class":"SP800-53-enhancement","title":"Prohibit Use of Sanitization-resistant Media","props":[{"name":"label","value":"MP-7(2)"},{"name":"label","value":"MP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-7","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"mp-7.2_smt","name":"statement","prose":"Prohibit the use of sanitization-resistant media in organizational systems."},{"id":"mp-7.2_gdn","name":"guidance","prose":"Sanitization resistance refers to how resistant media are to non-destructive sanitization techniques with respect to the capability to purge information from media. Certain types of media do not support sanitization commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media includes compact flash, embedded flash on boards and devices, solid state drives, and USB removable media."},{"id":"mp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)","class":"sp800-53a"}],"parts":[{"id":"mp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)[01]","class":"sp800-53a"}],"prose":"sanitization-resistant media is identified;"},{"id":"mp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)[02]","class":"sp800-53a"}],"prose":"the use of sanitization-resistant media in organizational systems is prohibited."}]},{"id":"mp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms prohibiting use of media on systems or system components"}]}]}]},{"id":"mp-8","class":"SP800-53","title":"Media Downgrading","params":[{"id":"mp-08_odp.01","props":[{"name":"alt-identifier","value":"mp-8_prm_1"},{"name":"label","value":"MP-08_ODP[01]","class":"sp800-53a"}],"label":"system media downgrading process","guidelines":[{"prose":"a system media downgrading process is defined;"}]},{"id":"mp-08_odp.02","props":[{"name":"alt-identifier","value":"mp-8_prm_2"},{"name":"label","value":"MP-08_ODP[02]","class":"sp800-53a"}],"label":"system media requiring downgrading","guidelines":[{"prose":"system media requiring downgrading is defined;"}]}],"props":[{"name":"label","value":"MP-8"},{"name":"label","value":"MP-08","class":"sp800-53a"},{"name":"sort-id","value":"mp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"}],"parts":[{"id":"mp-8_smt","name":"statement","parts":[{"id":"mp-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, mp-08_odp.01 }} that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;"},{"id":"mp-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that the system media downgrading process is commensurate with the security category and\/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;"},{"id":"mp-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify {{ insert: param, mp-08_odp.02 }} ; and"},{"id":"mp-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Downgrade the identified system media using the established process."}]},{"id":"mp-8_gdn","name":"guidance","prose":"Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information."},{"id":"mp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.[01]","class":"sp800-53a"}],"prose":"a {{ insert: param, mp-08_odp.01 }} is established;"},{"id":"mp-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;"}]},{"id":"mp-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.[01]","class":"sp800-53a"}],"prose":"there is verification that the system media downgrading process is commensurate with the security category and\/or classification level of the information to be removed;"},{"id":"mp-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.[02]","class":"sp800-53a"}],"prose":"there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;"}]},{"id":"mp-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-08c.","class":"sp800-53a"}],"prose":"{{ insert: param, mp-08_odp.02 }} is identified;"},{"id":"mp-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-08d.","class":"sp800-53a"}],"prose":"the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}."}]},{"id":"mp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}],"controls":[{"id":"mp-8.1","class":"SP800-53-enhancement","title":"Documentation of Process","props":[{"name":"label","value":"MP-8(1)"},{"name":"label","value":"MP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.1_smt","name":"statement","prose":"Document system media downgrading actions."},{"id":"mp-8.1_gdn","name":"guidance","prose":"Organizations can document the media downgrading process by providing information, such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and\/or performed the downgrading action."},{"id":"mp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(01)","class":"sp800-53a"}],"prose":"system media downgrading actions are documented."},{"id":"mp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-08.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-08.02_odp.01","props":[{"name":"label","value":"MP-08(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which to test downgrading equipment is defined;"}]},{"id":"mp-08.02_odp.02","props":[{"name":"label","value":"MP-08(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which to test downgrading procedures is defined;"}]}],"props":[{"name":"label","value":"MP-8(2)"},{"name":"label","value":"MP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.2_smt","name":"statement","prose":"Test downgrading equipment and procedures {{ insert: param, mp-8.2_prm_1 }} to ensure that downgrading actions are being achieved."},{"id":"mp-8.2_gdn","name":"guidance","prose":"None."},{"id":"mp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)","class":"sp800-53a"}],"parts":[{"id":"mp-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)[01]","class":"sp800-53a"}],"prose":"downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;"},{"id":"mp-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)[02]","class":"sp800-53a"}],"prose":"downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved."}]},{"id":"mp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nprocedures addressing testing of media downgrading equipment\n\nresults of downgrading equipment and procedures testing\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.3","class":"SP800-53-enhancement","title":"Controlled Unclassified Information","props":[{"name":"label","value":"MP-8(3)"},{"name":"label","value":"MP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.3_smt","name":"statement","prose":"Downgrade system media containing controlled unclassified information prior to public release."},{"id":"mp-8.3_gdn","name":"guidance","prose":"The downgrading of controlled unclassified information uses approved sanitization tools, techniques, and procedures."},{"id":"mp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)","class":"sp800-53a"}],"parts":[{"id":"mp-8.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)[01]","class":"sp800-53a"}],"prose":"system media containing controlled unclassified information is identified;"},{"id":"mp-8.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)[02]","class":"sp800-53a"}],"prose":"system media containing controlled unclassified information is downgraded prior to public release."}]},{"id":"mp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing CUI\n\napplicable federal and organizational standards and policies regarding protection of CUI\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.4","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"MP-8(4)"},{"name":"label","value":"MP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.4_smt","name":"statement","prose":"Downgrade system media containing classified information prior to release to individuals without required access authorizations."},{"id":"mp-8.4_gdn","name":"guidance","prose":"Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified systems to unclassified media."},{"id":"mp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)","class":"sp800-53a"}],"parts":[{"id":"mp-8.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)[01]","class":"sp800-53a"}],"prose":"system media containing classified information is identified;"},{"id":"mp-8.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)[02]","class":"sp800-53a"}],"prose":"system media containing classified information is downgraded prior to release to individuals without required access authorizations."}]},{"id":"mp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing classified information\n\nprocedures addressing handling of classified information\n\nNSA standards and policies regarding protection of classified information\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;"},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."}]}]}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;"},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;"},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;"},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required."}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}],"controls":[{"id":"pe-2.1","class":"SP800-53-enhancement","title":"Access by Position or Role","props":[{"name":"label","value":"PE-2(1)"},{"name":"label","value":"PE-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"pe-2.1_smt","name":"statement","prose":"Authorize physical access to the facility where the system resides based on position or role."},{"id":"pe-2.1_gdn","name":"guidance","prose":"Role-based facility access includes access by authorized permanent and regular\/routine maintenance personnel, duty officers, and emergency medical staff."},{"id":"pe-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(01)","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is authorized based on position or role."},{"id":"pe-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nphysical access control logs or records\n\nlist of positions\/roles and corresponding physical access authorizations\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-2.2","class":"SP800-53-enhancement","title":"Two Forms of Identification","params":[{"id":"pe-02.02_odp","props":[{"name":"alt-identifier","value":"pe-2.2_prm_1"},{"name":"label","value":"PE-02(02)_ODP","class":"sp800-53a"}],"label":"list of acceptable forms of identification","guidelines":[{"prose":"a list of acceptable forms of identification for visitor access to the facility where the system resides is defined;"}]}],"props":[{"name":"label","value":"PE-2(2)"},{"name":"label","value":"PE-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"pe-2.2_smt","name":"statement","prose":"Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: {{ insert: param, pe-02.02_odp }}."},{"id":"pe-2.2_gdn","name":"guidance","prose":"Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics."},{"id":"pe-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(02)","class":"sp800-53a"}],"prose":"two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides."},{"id":"pe-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nlist of acceptable forms of identification for visitor access to the facility where the system resides\n\naccess authorization forms\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-2.3","class":"SP800-53-enhancement","title":"Restrict Unescorted Access","params":[{"id":"pe-02.03_odp.01","props":[{"name":"alt-identifier","value":"pe-2.3_prm_1"},{"name":"label","value":"PE-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security clearances for all information contained within the system","formal access authorizations for all information contained within the system","need for access to all information contained within the system","{{ insert: param, pe-02.03_odp.02 }} "]}},{"id":"pe-02.03_odp.02","props":[{"name":"alt-identifier","value":"pe-2.3_prm_2"},{"name":"label","value":"PE-02(03)_ODP[02]","class":"sp800-53a"}],"label":"physical access authorizations","guidelines":[{"prose":"physical access authorizations for unescorted access to the facility where the system resides are defined (if selected);"}]}],"props":[{"name":"label","value":"PE-2(3)"},{"name":"label","value":"PE-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2.3_smt","name":"statement","prose":"Restrict unescorted access to the facility where the system resides to personnel with {{ insert: param, pe-02.03_odp.01 }}."},{"id":"pe-2.3_gdn","name":"guidance","prose":"Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised."},{"id":"pe-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(03)","class":"sp800-53a"}],"prose":"unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}."},{"id":"pe-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nsecurity clearances\n\naccess authorizations\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;"},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;"},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;"},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."}]}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"System Access","params":[{"id":"pe-03.01_odp","props":[{"name":"alt-identifier","value":"pe-3.1_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-03(01)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"label","value":"PE-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components."},{"id":"pe-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)","class":"sp800-53a"}],"parts":[{"id":"pe-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[01]","class":"sp800-53a"}],"prose":"physical access authorizations to the system are enforced;"},{"id":"pe-3.1_obj.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[02]","class":"sp800-53a"}],"prose":"physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}."}]},{"id":"pe-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the information system\/components\n\nmechanisms supporting and\/or implementing physical access control for facility areas containing system components"}]}]},{"id":"pe-3.2","class":"SP800-53-enhancement","title":"Facility and Systems","params":[{"id":"pe-03.02_odp","props":[{"name":"alt-identifier","value":"pe-3.2_prm_1"},{"name":"label","value":"PE-03(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;"}]}],"props":[{"name":"label","value":"PE-3(2)"},{"name":"label","value":"PE-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pe-3.2_smt","name":"statement","prose":"Perform security checks {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components."},{"id":"pe-3.2_gdn","name":"guidance","prose":"Organizations determine the extent, frequency, and\/or randomness of security checks to adequately mitigate risk associated with exfiltration."},{"id":"pe-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(02)","class":"sp800-53a"}],"prose":"security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components."},{"id":"pe-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nrecords of security checks\n\nsecurity audit reports\n\nsecurity inspection reports\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the facility and\/or system\n\nmechanisms supporting and\/or implementing physical access control for the facility or system\n\nmechanisms supporting and\/or implementing security checks for the unauthorized exfiltration of information"}]}]},{"id":"pe-3.3","class":"SP800-53-enhancement","title":"Continuous Guards","params":[{"id":"pe-03.03_odp","props":[{"name":"alt-identifier","value":"pe-3.3_prm_1"},{"name":"label","value":"PE-03(03)_ODP","class":"sp800-53a"}],"label":"physical access points","guidelines":[{"prose":"physical access points to the facility where the system resides are defined;"}]}],"props":[{"name":"label","value":"PE-3(3)"},{"name":"label","value":"PE-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-3.3_smt","name":"statement","prose":"Employ guards to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week."},{"id":"pe-3.3_gdn","name":"guidance","prose":"Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance."},{"id":"pe-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(03)","class":"sp800-53a"}],"prose":"guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week."},{"id":"pe-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\nfacility surveillance records\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the facility where the system resides\n\nmechanisms supporting and\/or implementing physical access control for the facility where the system resides"}]}]},{"id":"pe-3.4","class":"SP800-53-enhancement","title":"Lockable Casings","params":[{"id":"pe-03.04_odp","props":[{"name":"alt-identifier","value":"pe-3.4_prm_1"},{"name":"label","value":"PE-03(04)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be protected from unauthorized physical access are defined;"}]}],"props":[{"name":"label","value":"PE-3(4)"},{"name":"label","value":"PE-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.4_smt","name":"statement","prose":"Use lockable physical casings to protect {{ insert: param, pe-03.04_odp }} from unauthorized physical access."},{"id":"pe-3.4_gdn","name":"guidance","prose":"The greatest risk from the use of portable devices—such as smart phones, tablets, and notebook computers—is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment."},{"id":"pe-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(04)","class":"sp800-53a"}],"prose":"lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access."},{"id":"pe-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of system components requiring protection through lockable physical casings\n\nlockable physical casings\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Lockable physical casings"}]}]},{"id":"pe-3.5","class":"SP800-53-enhancement","title":"Tamper Protection","params":[{"id":"pe-03.05_odp.01","props":[{"name":"alt-identifier","value":"pe-3.5_prm_1"},{"name":"label","value":"PE-03(05)_ODP[01]","class":"sp800-53a"}],"label":"anti-tamper technologies","guidelines":[{"prose":"anti-tamper technologies to be employed are defined;"}]},{"id":"pe-03.05_odp.02","props":[{"name":"alt-identifier","value":"pe-3.5_prm_2"},{"name":"label","value":"PE-03(05)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["detect","prevent"]}},{"id":"pe-03.05_odp.03","props":[{"name":"alt-identifier","value":"pe-3.5_prm_3"},{"name":"label","value":"PE-03(05)_ODP[03]","class":"sp800-53a"}],"label":"hardware components","guidelines":[{"prose":"hardware components to be protected from physical tampering or alteration are defined;"}]}],"props":[{"name":"label","value":"PE-3(5)"},{"name":"label","value":"PE-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#sa-16","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"pe-3.5_smt","name":"statement","prose":"Employ {{ insert: param, pe-03.05_odp.01 }} to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system."},{"id":"pe-3.5_gdn","name":"guidance","prose":"Organizations can implement tamper detection and prevention at selected hardware components or implement tamper detection at some components and tamper prevention at other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks."},{"id":"pe-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system."},{"id":"pe-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of security safeguards to detect\/prevent physical tampering or alteration of system hardware components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes to detect\/prevent physical tampering or alteration of system hardware components\n\nmechanisms\/security safeguards supporting and\/or implementing the detection\/prevention of physical tampering\/alternation of system hardware components"}]}]},{"id":"pe-3.6","class":"SP800-53-enhancement","title":"Facility Penetration Testing","props":[{"name":"label","value":"PE-3(6)"},{"name":"label","value":"PE-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-8","rel":"incorporated-into"}]},{"id":"pe-3.7","class":"SP800-53-enhancement","title":"Physical Barriers","props":[{"name":"label","value":"PE-3(7)"},{"name":"label","value":"PE-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.7_smt","name":"statement","prose":"Limit access using physical barriers."},{"id":"pe-3.7_gdn","name":"guidance","prose":"Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers."},{"id":"pe-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(07)","class":"sp800-53a"}],"prose":"physical barriers are used to limit access."},{"id":"pe-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of physical barriers to limit access to the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-3.8","class":"SP800-53-enhancement","title":"Access Control Vestibules","params":[{"id":"pe-03.08_odp","props":[{"name":"alt-identifier","value":"pe-3.8_prm_1"},{"name":"alt-label","value":"locations within the facility","class":"sp800-53"},{"name":"label","value":"PE-03(08)_ODP","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations within the facility where access control vestibules are to be employed are defined;"}]}],"props":[{"name":"label","value":"PE-3(8)"},{"name":"label","value":"PE-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.8_smt","name":"statement","prose":"Employ access control vestibules at {{ insert: param, pe-03.08_odp }}."},{"id":"pe-3.8_gdn","name":"guidance","prose":"An access control vestibule is part of a physical access control system that typically provides a space between two sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking door controllers can be used to limit the number of individuals who enter controlled access points and to provide containment areas while authorization for physical access is verified. Interlocking door controllers can be fully automated (i.e., controlling the opening and closing of the doors) or partially automated (i.e., using security guards to control the number of individuals entering the containment area)."},{"id":"pe-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(08)","class":"sp800-53a"}],"prose":"access control vestibules are employed at {{ insert: param, pe-03.08_odp }}."},{"id":"pe-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of access control vestibules and locations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vestibules to prevent unauthorized access."}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}],"controls":[{"id":"pe-5.1","class":"SP800-53-enhancement","title":"Access to Output by Authorized Individuals","props":[{"name":"label","value":"PE-5(1)"},{"name":"label","value":"PE-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-5","rel":"incorporated-into"}]},{"id":"pe-5.2","class":"SP800-53-enhancement","title":"Link to Individual Identity","props":[{"name":"label","value":"PE-5(2)"},{"name":"label","value":"PE-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#pe-5","rel":"required"}],"parts":[{"id":"pe-5.2_smt","name":"statement","prose":"Link individual identity to receipt of output from output devices."},{"id":"pe-5.2_gdn","name":"guidance","prose":"Methods for linking individual identity to the receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals."},{"id":"pe-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05(02)","class":"sp800-53a"}],"prose":"individual identity is linked to the receipt of output from output devices."},{"id":"pe-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"pe-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-5.3","class":"SP800-53-enhancement","title":"Marking Output Devices","props":[{"name":"label","value":"PE-5(3)"},{"name":"label","value":"PE-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-22","rel":"incorporated-into"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;"},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities."}]}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;"},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment."}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.2","class":"SP800-53-enhancement","title":"Automated Intrusion Recognition and Responses","params":[{"id":"pe-06.02_odp.01","props":[{"name":"alt-identifier","value":"pe-6.2_prm_1"},{"name":"label","value":"PE-06(02)_ODP[01]","class":"sp800-53a"}],"label":"classes or types of intrusions","guidelines":[{"prose":"classes or types of intrusions to be recognized by automated mechanisms are defined;"}]},{"id":"pe-06.02_odp.02","props":[{"name":"alt-identifier","value":"pe-6.2_prm_2"},{"name":"label","value":"PE-06(02)_ODP[02]","class":"sp800-53a"}],"label":"response actions","guidelines":[{"prose":"response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;"}]},{"id":"pe-06.02_odp.03","props":[{"name":"alt-identifier","value":"pe-6.2_prm_3"},{"name":"label","value":"PE-06(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in [PE-06(02)_ODP](#pe-06.02_odp.02)) are defined;"}]}],"props":[{"name":"label","value":"PE-6(2)"},{"name":"label","value":"PE-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pe-6.2_smt","name":"statement","prose":"Recognize {{ insert: param, pe-06.02_odp.01 }} and initiate {{ insert: param, pe-06.02_odp.02 }} using {{ insert: param, pe-06.02_odp.03 }}."},{"id":"pe-6.2_gdn","name":"guidance","prose":"Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization."},{"id":"pe-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)","class":"sp800-53a"}],"parts":[{"id":"pe-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-06.02_odp.01 }} are recognized;"},{"id":"pe-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}."}]},{"id":"pe-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of response actions to be initiated when specific classes\/types of intrusions are recognized\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing recognition of classes\/types of intrusions and initiation of a response"}]}]},{"id":"pe-6.3","class":"SP800-53-enhancement","title":"Video Surveillance","params":[{"id":"pe-06.03_odp.01","props":[{"name":"alt-identifier","value":"pe-6.3_prm_1"},{"name":"label","value":"PE-06(03)_ODP[01]","class":"sp800-53a"}],"label":"operational areas","guidelines":[{"prose":"operational areas where video surveillance is to be employed are defined;"}]},{"id":"pe-06.03_odp.02","props":[{"name":"alt-identifier","value":"pe-6.3_prm_2"},{"name":"label","value":"PE-06(03)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review video recordings is defined;"}]},{"id":"pe-06.03_odp.03","props":[{"name":"alt-identifier","value":"pe-6.3_prm_3"},{"name":"label","value":"PE-06(03)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to retain video recordings is defined;"}]}],"props":[{"name":"label","value":"PE-6(3)"},{"name":"label","value":"PE-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.3_smt","name":"statement","parts":[{"id":"pe-6.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ video surveillance of {{ insert: param, pe-06.03_odp.01 }};"},{"id":"pe-6.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review video recordings {{ insert: param, pe-06.03_odp.02 }} ; and"},{"id":"pe-6.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retain video recordings for {{ insert: param, pe-06.03_odp.03 }}."}]},{"id":"pe-6.3_gdn","name":"guidance","prose":"Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location."},{"id":"pe-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)","class":"sp800-53a"}],"parts":[{"id":"pe-6.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(a)","class":"sp800-53a"}],"prose":"video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;"},{"id":"pe-6.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(b)","class":"sp800-53a"}],"prose":"video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};"},{"id":"pe-6.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(c)","class":"sp800-53a"}],"prose":"video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}."}]},{"id":"pe-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nvideo surveillance equipment used to monitor operational areas\n\nvideo recordings of operational areas where video surveillance is employed\n\nvideo surveillance equipment logs or records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing video surveillance"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Systems","params":[{"id":"pe-06.04_odp","props":[{"name":"alt-identifier","value":"pe-6.4_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-06(04)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"label","value":"PE-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization."},{"id":"pe-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(04)","class":"sp800-53a"}],"prose":"physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and\/or implementing physical access monitoring for facility areas containing system components"}]}]}]},{"id":"pe-7","class":"SP800-53","title":"Visitor Control","props":[{"name":"label","value":"PE-7"},{"name":"label","value":"PE-07","class":"sp800-53a"},{"name":"sort-id","value":"pe-07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-2","rel":"incorporated-into"},{"href":"#pe-3","rel":"incorporated-into"}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance and Review","params":[{"id":"pe-8.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"pe-08.01_odp.01","props":[{"name":"label","value":"PE-08(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain visitor access records are defined;"}]},{"id":"pe-08.01_odp.02","props":[{"name":"label","value":"PE-08(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to review visitor access records are defined;"}]}],"props":[{"name":"label","value":"PE-8(1)"},{"name":"label","value":"PE-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}."},{"id":"pe-8.1_gdn","name":"guidance","prose":"Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions."},{"id":"pe-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)","class":"sp800-53a"}],"parts":[{"id":"pe-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[01]","class":"sp800-53a"}],"prose":"visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};"},{"id":"pe-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[02]","class":"sp800-53a"}],"prose":"visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}."}]},{"id":"pe-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-8.2","class":"SP800-53-enhancement","title":"Physical Access Records","props":[{"name":"label","value":"PE-8(2)"},{"name":"label","value":"PE-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-2","rel":"incorporated-into"}]},{"id":"pe-8.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"pe-08.03_odp","props":[{"name":"alt-identifier","value":"pe-8.3_prm_1"},{"name":"label","value":"PE-08(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;"}]}],"props":[{"name":"label","value":"PE-8(3)"},{"name":"label","value":"PE-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pe-8.3_smt","name":"statement","prose":"Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}."},{"id":"pe-8.3_gdn","name":"guidance","prose":"Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"pe-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment."},{"id":"pe-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\npersonally identifiable information processing policy\n\nprivacy risk assessment documentation\n\nprivacy impact assessment\n\nvisitor access records\n\npersonally identifiable information inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;"},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction."}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}],"controls":[{"id":"pe-9.1","class":"SP800-53-enhancement","title":"Redundant Cabling","params":[{"id":"pe-09.01_odp","props":[{"name":"alt-identifier","value":"pe-9.1_prm_1"},{"name":"label","value":"PE-09(01)_ODP","class":"sp800-53a"}],"label":"distance","guidelines":[{"prose":"distance by which redundant power cabling paths are to be physically separated is defined;"}]}],"props":[{"name":"label","value":"PE-9(1)"},{"name":"label","value":"PE-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-9","rel":"required"}],"parts":[{"id":"pe-9.1_smt","name":"statement","prose":"Employ redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }}."},{"id":"pe-9.1_gdn","name":"guidance","prose":"Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged."},{"id":"pe-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09(01)","class":"sp800-53a"}],"prose":"redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed."},{"id":"pe-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-9.2","class":"SP800-53-enhancement","title":"Automatic Voltage Controls","params":[{"id":"pe-09.02_odp","props":[{"name":"alt-identifier","value":"pe-9.2_prm_1"},{"name":"label","value":"PE-09(02)_ODP","class":"sp800-53a"}],"label":"critical system components","guidelines":[{"prose":"the critical system components that require automatic voltage controls are defined;"}]}],"props":[{"name":"label","value":"PE-9(2)"},{"name":"label","value":"PE-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-9","rel":"required"}],"parts":[{"id":"pe-9.2_smt","name":"statement","prose":"Employ automatic voltage controls for {{ insert: param, pe-09.02_odp }}."},{"id":"pe-9.2_gdn","name":"guidance","prose":"Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers."},{"id":"pe-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09(02)","class":"sp800-53a"}],"prose":"automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed."},{"id":"pe-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing voltage control\n\nsecurity plan\n\nlist of critical system components requiring automatic voltage controls\n\nautomatic voltage control mechanisms and associated configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for environmental protection of system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing automatic voltage controls"}]}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation."}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}],"controls":[{"id":"pe-10.1","class":"SP800-53-enhancement","title":"Accidental and Unauthorized Activation","props":[{"name":"label","value":"PE-10(1)"},{"name":"label","value":"PE-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-10.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-10","rel":"incorporated-into"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Alternate Power Supply — Minimal Operational Capability","params":[{"id":"pe-11.01_odp","props":[{"name":"alt-identifier","value":"pe-11.1_prm_1"},{"name":"label","value":"PE-11(01)_ODP","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}}],"props":[{"name":"label","value":"PE-11(1)"},{"name":"label","value":"PE-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply."},{"id":"pe-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)","class":"sp800-53a"}],"parts":[{"id":"pe-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[01]","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};"},{"id":"pe-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[02]","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source."}]},{"id":"pe-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]},{"id":"pe-11.2","class":"SP800-53-enhancement","title":"Alternate Power Supply — Self-contained","params":[{"id":"pe-11.02_odp.01","props":[{"name":"alt-identifier","value":"pe-11.2_prm_1"},{"name":"label","value":"PE-11(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}},{"id":"pe-11.02_odp.02","props":[{"name":"alt-identifier","value":"pe-11.2_prm_2"},{"name":"label","value":"PE-11(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["minimally required operational capability","full operational capability"]}}],"props":[{"name":"label","value":"PE-11(2)"},{"name":"label","value":"PE-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.2_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.02_odp.01 }} and that is:","parts":[{"id":"pe-11.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Self-contained;"},{"id":"pe-11.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Not reliant on external power generation; and"},{"id":"pe-11.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source."}]},{"id":"pe-11.2_gdn","name":"guidance","prose":"The provision of a long-term, self-contained power supply can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization."},{"id":"pe-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.02_odp.01 }};","parts":[{"id":"pe-11.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(a)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is self-contained;"},{"id":"pe-11.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(b)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is not reliant on external power generation;"},{"id":"pe-11.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(c)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source."}]},{"id":"pe-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;"},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility."}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}],"controls":[{"id":"pe-12.1","class":"SP800-53-enhancement","title":"Essential Mission and Business Functions","props":[{"name":"label","value":"PE-12(1)"},{"name":"label","value":"PE-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-12","rel":"required"}],"parts":[{"id":"pe-12.1_smt","name":"statement","prose":"Provide emergency lighting for all areas within the facility supporting essential mission and business functions."},{"id":"pe-12.1_gdn","name":"guidance","prose":"Organizations define their essential missions and functions."},{"id":"pe-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12(01)","class":"sp800-53a"}],"prose":"emergency lighting is provided for all areas within the facility supporting essential mission and business functions."},{"id":"pe-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nareas\/locations within facility supporting essential missions and business functions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the emergency lighting capability"}]}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;"},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;"},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;"},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;"},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;"},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained."}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Systems — Automatic Activation and Notification","params":[{"id":"pe-13.02_odp.01","props":[{"name":"alt-identifier","value":"pe-13.2_prm_1"},{"name":"label","value":"PE-13(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.02_odp.02","props":[{"name":"alt-identifier","value":"pe-13.2_prm_2"},{"name":"label","value":"PE-13(02)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"label","value":"PE-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.2_smt","name":"statement","parts":[{"id":"pe-13.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and"},{"id":"pe-13.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and\/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[01]","class":"sp800-53a"}],"prose":"fire suppression systems that activate automatically are employed;"},{"id":"pe-13.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[02]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;"},{"id":"pe-13.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[03]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;"}]},{"id":"pe-13.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(b)","class":"sp800-53a"}],"prose":"an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"label","value":"PE-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-13.2","rel":"incorporated-into"}]},{"id":"pe-13.4","class":"SP800-53-enhancement","title":"Inspections","params":[{"id":"pe-13.04_odp.01","props":[{"name":"alt-identifier","value":"pe-13.4_prm_1"},{"name":"label","value":"PE-13(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for conducting fire protection inspections on the facility is defined;"}]},{"id":"pe-13.04_odp.02","props":[{"name":"alt-identifier","value":"pe-13.4_prm_2"},{"name":"label","value":"PE-13(04)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for resolving deficiencies identified by fire protection inspections is defined;"}]}],"props":[{"name":"label","value":"PE-13(4)"},{"name":"label","value":"PE-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.4_smt","name":"statement","prose":"Ensure that the facility undergoes {{ insert: param, pe-13.04_odp.01 }} fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within {{ insert: param, pe-13.04_odp.02 }}."},{"id":"pe-13.4_gdn","name":"guidance","prose":"Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information."},{"id":"pe-13.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)","class":"sp800-53a"}],"parts":[{"id":"pe-13.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)[01]","class":"sp800-53a"}],"prose":"the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;"},{"id":"pe-13.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)[02]","class":"sp800-53a"}],"prose":"the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}."}]},{"id":"pe-13.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the system\n\ninspection plans\n\ninspection results\n\ninspect reports\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for planning, approving, and executing fire inspections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation","{{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}],"controls":[{"id":"pe-14.1","class":"SP800-53-enhancement","title":"Automatic Controls","params":[{"id":"pe-14.01_odp","props":[{"name":"alt-identifier","value":"pe-14.1_prm_1"},{"name":"label","value":"PE-14(01)_ODP","class":"sp800-53a"}],"label":"automatic environmental controls","guidelines":[{"prose":"automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;"}]}],"props":[{"name":"label","value":"PE-14(1)"},{"name":"label","value":"PE-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-14","rel":"required"}],"parts":[{"id":"pe-14.1_smt","name":"statement","prose":"Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: {{ insert: param, pe-14.01_odp }}."},{"id":"pe-14.1_gdn","name":"guidance","prose":"The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components."},{"id":"pe-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system."},{"id":"pe-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity controls\n\nfacility housing the system\n\nautomated mechanisms for temperature and humidity\n\ntemperature and humidity controls\n\ntemperature and humidity documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing temperature and humidity levels"}]}]},{"id":"pe-14.2","class":"SP800-53-enhancement","title":"Monitoring with Alarms and Notifications","params":[{"id":"pe-14.02_odp","props":[{"name":"alt-identifier","value":"pe-14.2_prm_1"},{"name":"label","value":"PE-14(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is\/are defined;"}]}],"props":[{"name":"label","value":"PE-14(2)"},{"name":"label","value":"PE-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-14.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-14","rel":"required"}],"parts":[{"id":"pe-14.2_smt","name":"statement","prose":"Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to {{ insert: param, pe-14.02_odp }}."},{"id":"pe-14.2_gdn","name":"guidance","prose":"The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response."},{"id":"pe-14.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)","class":"sp800-53a"}],"parts":[{"id":"pe-14.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)[01]","class":"sp800-53a"}],"prose":"environmental control monitoring is employed;"},{"id":"pe-14.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)[02]","class":"sp800-53a"}],"prose":"the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment."}]},{"id":"pe-14.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or notifications\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing temperature and humidity monitoring"}]}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;"},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;"},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel."}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.01_odp.01","props":[{"name":"alt-identifier","value":"pe-15.1_prm_1"},{"name":"label","value":"PE-15(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when the presence of water is detected near the system is\/are defined;"}]},{"id":"pe-15.01_odp.02","props":[{"name":"alt-identifier","value":"pe-15.1_prm_2"},{"name":"label","value":"PE-15(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of water near the system are defined;"}]}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"label","value":"PE-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"required"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms include notification systems, water detection sensors, and alarms."},{"id":"pe-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)","class":"sp800-53a"}],"parts":[{"id":"pe-15.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[01]","class":"sp800-53a"}],"prose":"the presence of water near the system can be detected automatically;"},{"id":"pe-15.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-15.01_odp.01 }} is\/are alerted using {{ insert: param, pe-15.01_odp.02 }}."}]},{"id":"pe-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts\/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing water detection capabilities and alerts for the system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained."}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-17_odp.01 }} are determined and documented;"},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;"},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided."}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of System Components","params":[{"id":"pe-18_odp","props":[{"name":"alt-identifier","value":"pe-18_prm_1"},{"name":"label","value":"PE-18_ODP","class":"sp800-53a"}],"label":"physical and environmental hazards","guidelines":[{"prose":"physical and environmental hazards that could result in potential damage to system components within the facility are defined;"}]}],"props":[{"name":"label","value":"PE-18"},{"name":"label","value":"PE-18","class":"sp800-53a"},{"name":"sort-id","value":"pe-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information."},{"id":"pe-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-18","class":"sp800-53a"}],"prose":"system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for positioning system components"}]}],"controls":[{"id":"pe-18.1","class":"SP800-53-enhancement","title":"Facility Site","props":[{"name":"label","value":"PE-18(1)"},{"name":"label","value":"PE-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-18.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-23","rel":"moved-to"}]}]},{"id":"pe-19","class":"SP800-53","title":"Information Leakage","props":[{"name":"label","value":"PE-19"},{"name":"label","value":"PE-19","class":"sp800-53a"},{"name":"sort-id","value":"pe-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-18","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pe-20","rel":"related"}],"parts":[{"id":"pe-19_smt","name":"statement","prose":"Protect the system from information leakage due to electromagnetic signals emanations."},{"id":"pe-19_gdn","name":"guidance","prose":"Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations."},{"id":"pe-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-19","class":"sp800-53a"}],"prose":"the system is protected from information leakage due to electromagnetic signal emanations."},{"id":"pe-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing information leakage due to electromagnetic signal emanations\n\nmechanisms protecting the system against electronic signal emanations\n\nfacility housing the system\n\nrecords from electromagnetic signal emanation tests\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing protection from information leakage due to electromagnetic signal emanations"}]}],"controls":[{"id":"pe-19.1","class":"SP800-53-enhancement","title":"National Emissions Policies and Procedures","props":[{"name":"label","value":"PE-19(1)"},{"name":"label","value":"PE-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-19.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-19","rel":"required"}],"parts":[{"id":"pe-19.1_smt","name":"statement","prose":"Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information."},{"id":"pe-19.1_gdn","name":"guidance","prose":"Emissions Security (EMSEC) policies include the former TEMPEST policies."},{"id":"pe-19.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)","class":"sp800-53a"}],"parts":[{"id":"pe-19.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[01]","class":"sp800-53a"}],"prose":"system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;"},{"id":"pe-19.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[02]","class":"sp800-53a"}],"prose":"associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;"},{"id":"pe-19.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[03]","class":"sp800-53a"}],"prose":"networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information."}]},{"id":"pe-19.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-19(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures\n\nsystem component design documentation\n\nsystem configuration settings and associated documentation system security plan\n\nother relevant documents or records"}]},{"id":"pe-19.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-19(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-19.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-19(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information system components for compliance with national emissions and TEMPEST policies and procedures"}]}]}]},{"id":"pe-20","class":"SP800-53","title":"Asset Monitoring and Tracking","params":[{"id":"pe-20_odp.01","props":[{"name":"alt-identifier","value":"pe-20_prm_1"},{"name":"label","value":"PE-20_ODP[01]","class":"sp800-53a"}],"label":"asset location technologies","guidelines":[{"prose":"asset location technologies to be employed to track and monitor the location and movement of assets is defined;"}]},{"id":"pe-20_odp.02","props":[{"name":"alt-identifier","value":"pe-20_prm_2"},{"name":"label","value":"PE-20_ODP[02]","class":"sp800-53a"}],"label":"assets","guidelines":[{"prose":"assets whose location and movement are to be tracked and monitored are defined;"}]},{"id":"pe-20_odp.03","props":[{"name":"alt-identifier","value":"pe-20_prm_3"},{"name":"label","value":"PE-20_ODP[03]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which asset location and movement are to be tracked and monitored are defined;"}]}],"props":[{"name":"label","value":"PE-20"},{"name":"label","value":"PE-20","class":"sp800-53a"},{"name":"sort-id","value":"pe-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"pe-20_smt","name":"statement","prose":"Employ {{ insert: param, pe-20_odp.01 }} to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}."},{"id":"pe-20_gdn","name":"guidance","prose":"Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns."},{"id":"pe-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-20","class":"sp800-53a"}],"prose":"{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}."},{"id":"pe-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing asset monitoring and tracking\n\ndocumentation showing the use of asset location technologies\n\nsystem configuration documentation\n\nlist of organizational assets requiring tracking and monitoring\n\nasset monitoring and tracking records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with asset monitoring and tracking responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking and monitoring assets\n\nmechanisms supporting and\/or implementing the tracking and monitoring of assets"}]}]},{"id":"pe-21","class":"SP800-53","title":"Electromagnetic Pulse Protection","params":[{"id":"pe-21_odp.01","props":[{"name":"alt-identifier","value":"pe-21_prm_1"},{"name":"label","value":"PE-21_ODP[01]","class":"sp800-53a"}],"label":"protective measures","guidelines":[{"prose":"protective measures to be employed against electromagnetic pulse damage are defined;"}]},{"id":"pe-21_odp.02","props":[{"name":"alt-identifier","value":"pe-21_prm_2"},{"name":"alt-label","value":"systems and system components","class":"sp800-53"},{"name":"label","value":"PE-21_ODP[02]","class":"sp800-53a"}],"label":"system and system components","guidelines":[{"prose":"system and system components requiring protection against electromagnetic pulse damage are defined;"}]}],"props":[{"name":"label","value":"PE-21"},{"name":"label","value":"PE-21","class":"sp800-53a"},{"name":"sort-id","value":"pe-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-18","rel":"related"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"pe-21_smt","name":"statement","prose":"Employ {{ insert: param, pe-21_odp.01 }} against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}."},{"id":"pe-21_gdn","name":"guidance","prose":"An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure."},{"id":"pe-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-21","class":"sp800-53a"}],"prose":"{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}."},{"id":"pe-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing protective measures to mitigate EMP risk to systems and components\n\ndocumentation detailing protective measures to mitigate EMP risk\n\nlist of locations where protective measures to mitigate EMP risk are implemented\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for physical and environmental protection\n\nsystem developers\/integrators\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for mitigating EMP risk"}]}]},{"id":"pe-22","class":"SP800-53","title":"Component Marking","params":[{"id":"pe-22_odp","props":[{"name":"alt-identifier","value":"pe-22_prm_1"},{"name":"label","value":"PE-22_ODP","class":"sp800-53a"}],"label":"system hardware components","guidelines":[{"prose":"system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;"}]}],"props":[{"name":"label","value":"PE-22"},{"name":"label","value":"PE-22","class":"sp800-53a"},{"name":"sort-id","value":"pe-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#mp-3","rel":"related"}],"parts":[{"id":"pe-22_smt","name":"statement","prose":"Mark {{ insert: param, pe-22_odp }} indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component."},{"id":"pe-22_gdn","name":"guidance","prose":"Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors\/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in [AC-3](#ac-3) or [AC-4](#ac-4) . Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards."},{"id":"pe-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-22","class":"sp800-53a"}],"prose":"{{ insert: param, pe-22_odp }} are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component."},{"id":"pe-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing component marking\n\nlist of component marking security attributes\n\ncomponent inventory\n\ninformation types and their impact\/classification level\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component marking responsibilities\n\norganizational personnel with component inventory responsibilities\n\norganizational personnel with information categorization\/classification responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for component marking\n\nautomated mechanisms supporting and\/or implementing component marking"}]}]},{"id":"pe-23","class":"SP800-53","title":"Facility Location","props":[{"name":"label","value":"PE-23"},{"name":"label","value":"PE-23","class":"sp800-53a"},{"name":"sort-id","value":"pe-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-23_smt","name":"statement","parts":[{"id":"pe-23_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Plan the location or site of the facility where the system resides considering physical and environmental hazards; and"},{"id":"pe-23_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy."}]},{"id":"pe-23_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in [PE-18](#pe-18)."},{"id":"pe-23_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-23","class":"sp800-53a"}],"parts":[{"id":"pe-23_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-23a.","class":"sp800-53a"}],"prose":"the location or site of the facility where the system resides is planned considering physical and environmental hazards;"},{"id":"pe-23_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-23b.","class":"sp800-53a"}],"prose":"for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy."}]},{"id":"pe-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nphysical site planning documents\n\norganizational assessment of risk\n\ncontingency plan\n\nrisk mitigation strategy documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with site selection responsibilities for the facility housing the system\n\norganizational personnel with risk mitigation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for site planning"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented."},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."}]}]}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;"},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;"},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;"},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;"},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;"},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification."}]}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}],"controls":[{"id":"pl-2.1","class":"SP800-53-enhancement","title":"Concept of Operations","props":[{"name":"label","value":"PL-2(1)"},{"name":"label","value":"PL-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-7","rel":"incorporated-into"}]},{"id":"pl-2.2","class":"SP800-53-enhancement","title":"Functional Architecture","props":[{"name":"label","value":"PL-2(2)"},{"name":"label","value":"PL-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-8","rel":"incorporated-into"}]},{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan and Coordinate with Other Organizational Entities","props":[{"name":"label","value":"PL-2(3)"},{"name":"label","value":"PL-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]}]},{"id":"pl-3","class":"SP800-53","title":"System Security Plan Update","props":[{"name":"label","value":"PL-3"},{"name":"label","value":"PL-03","class":"sp800-53a"},{"name":"sort-id","value":"pl-03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;"},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-5","class":"SP800-53","title":"Privacy Impact Assessment","props":[{"name":"label","value":"PL-5"},{"name":"label","value":"PL-05","class":"sp800-53a"},{"name":"sort-id","value":"pl-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-8","rel":"incorporated-into"}]},{"id":"pl-6","class":"SP800-53","title":"Security-related Activity Planning","props":[{"name":"label","value":"PL-6"},{"name":"label","value":"PL-06","class":"sp800-53a"},{"name":"sort-id","value":"pl-06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]},{"id":"pl-7","class":"SP800-53","title":"Concept of Operations","params":[{"id":"pl-07_odp","props":[{"name":"alt-identifier","value":"pl-7_prm_1"},{"name":"label","value":"PL-07_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update of the Concept of Operations (CONOPS) is defined;"}]}],"props":[{"name":"label","value":"PL-7"},{"name":"label","value":"PL-07","class":"sp800-53a"},{"name":"sort-id","value":"pl-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-7_smt","name":"statement","parts":[{"id":"pl-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and"},{"id":"pl-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the CONOPS {{ insert: param, pl-07_odp }}."}]},{"id":"pl-7_gdn","name":"guidance","prose":"The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents."},{"id":"pl-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-07","class":"sp800-53a"}],"parts":[{"id":"pl-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-07a.","class":"sp800-53a"}],"prose":"a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;"},{"id":"pl-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-07b.","class":"sp800-53a"}],"prose":"the CONOPS is reviewed and updated {{ insert: param, pl-07_odp }}."}]},{"id":"pl-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy CONOPS development\n\nprocedures addressing security and privacy CONOPS reviews and updates\n\nsecurity and privacy CONOPS for the system\n\nsystem security plan\n\nprivacy plan\n\nrecords of security and privacy CONOPS reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the security CONOPS\n\nmechanisms supporting and\/or implementing the development, review, and update of the security CONOPS"}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n[SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n[PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;"},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"}]}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;"},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;"},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);"},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;"},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;"},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions."}]}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}],"controls":[{"id":"pl-8.1","class":"SP800-53-enhancement","title":"Defense in Depth","params":[{"id":"pl-08.01_odp.01","props":[{"name":"alt-identifier","value":"pl-8.1_prm_1"},{"name":"label","value":"PL-08(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be allocated are defined;"}]},{"id":"pl-08.01_odp.02","props":[{"name":"alt-identifier","value":"pl-8.1_prm_2"},{"name":"label","value":"PL-08(01)_ODP[02]","class":"sp800-53a"}],"label":"locations and architectural layers","guidelines":[{"prose":"locations and architectural layers are defined;"}]}],"props":[{"name":"label","value":"PL-8(1)"},{"name":"label","value":"PL-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-8","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-36","rel":"related"}],"parts":[{"id":"pl-8.1_smt","name":"statement","prose":"Design the security and privacy architectures for the system using a defense-in-depth approach that:","parts":[{"id":"pl-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }} ; and"},{"id":"pl-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner."}]},{"id":"pl-8.1_gdn","name":"guidance","prose":"Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see [SA-8(3)](#sa-8.3) ), separation of system and user functionality (see [SC-2](#sc-2) ), and security function isolation (see [SC-3](#sc-3))."},{"id":"pl-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)[01]","class":"sp800-53a"}],"prose":"the security architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};"},{"id":"pl-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};"}]},{"id":"pl-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)[01]","class":"sp800-53a"}],"prose":"the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;"},{"id":"pl-8.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner."}]}]},{"id":"pl-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nother relevant documents or records"}]},{"id":"pl-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for designing the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the design of the information security and privacy architecture"}]}]},{"id":"pl-8.2","class":"SP800-53-enhancement","title":"Supplier Diversity","params":[{"id":"pl-08.02_odp.01","props":[{"name":"alt-identifier","value":"pl-8.2_prm_1"},{"name":"label","value":"PL-08(02)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be allocated are defined;"}]},{"id":"pl-08.02_odp.02","props":[{"name":"alt-identifier","value":"pl-8.2_prm_2"},{"name":"label","value":"PL-08(02)_ODP[02]","class":"sp800-53a"}],"label":"locations and architectural layers","guidelines":[{"prose":"locations and architectural layers are defined;"}]}],"props":[{"name":"label","value":"PL-8(2)"},{"name":"label","value":"PL-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"pl-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-8","rel":"required"},{"href":"#sc-29","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pl-8.2_smt","name":"statement","prose":"Require that {{ insert: param, pl-08.02_odp.01 }} allocated to {{ insert: param, pl-08.02_odp.02 }} are obtained from different suppliers."},{"id":"pl-8.2_gdn","name":"guidance","prose":"Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules. By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried."},{"id":"pl-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, pl-08.02_odp.01 }} that are allocated to {{ insert: param, pl-08.02_odp.02 }} are required to be obtained from different suppliers."},{"id":"pl-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nIT acquisitions policy\n\nother relevant documents or records"}]},{"id":"pl-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining information security and privacy safeguards from different suppliers"}]}]}]},{"id":"pl-9","class":"SP800-53","title":"Central Management","params":[{"id":"pl-09_odp","props":[{"name":"alt-identifier","value":"pl-9_prm_1"},{"name":"label","value":"PL-09_ODP","class":"sp800-53a"}],"label":"controls and related processes","guidelines":[{"prose":"security and privacy controls and related processes to be centrally managed are defined;"}]}],"props":[{"name":"label","value":"PL-9"},{"name":"label","value":"PL-09","class":"sp800-53a"},{"name":"sort-id","value":"pl-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pl-9_smt","name":"statement","prose":"Centrally manage {{ insert: param, pl-09_odp }}."},{"id":"pl-9_gdn","name":"guidance","prose":"Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\n\nAutomated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.\n\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: [AC-2(1)](#ac-2.1), [AC-2(2)](#ac-2.2), [AC-2(3)](#ac-2.3), [AC-2(4)](#ac-2.4), [AC-4(all)](#ac-4), [AC-17(1)](#ac-17.1), [AC-17(2)](#ac-17.2), [AC-17(3)](#ac-17.3), [AC-17(9)](#ac-17.9), [AC-18(1)](#ac-18.1), [AC-18(3)](#ac-18.3), [AC-18(4)](#ac-18.4), [AC-18(5)](#ac-18.5), [AC-19(4)](#ac-19.4), [AC-22](#ac-22), [AC-23](#ac-23), [AT-2(1)](#at-2.1), [AT-2(2)](#at-2.2), [AT-3(1)](#at-3.1), [AT-3(2)](#at-3.2), [AT-3(3)](#at-3.3), [AT-4](#at-4), [AU-3](#au-3), [AU-6(1)](#au-6.1), [AU-6(3)](#au-6.3), [AU-6(5)](#au-6.5), [AU-6(6)](#au-6.6), [AU-6(9)](#au-6.9), [AU-7(1)](#au-7.1), [AU-7(2)](#au-7.2), [AU-11](#au-11), [AU-13](#au-13), [AU-16](#au-16), [CA-2(1)](#ca-2.1), [CA-2(2)](#ca-2.2), [CA-2(3)](#ca-2.3), [CA-3(1)](#ca-3.1), [CA-3(2)](#ca-3.2), [CA-3(3)](#ca-3.3), [CA-7(1)](#ca-7.1), [CA-9](#ca-9), [CM-2(2)](#cm-2.2), [CM-3(1)](#cm-3.1), [CM-3(4)](#cm-3.4), [CM-4](#cm-4), [CM-6](#cm-6), [CM-6(1)](#cm-6.1), [CM-7(2)](#cm-7.2), [CM-7(4)](#cm-7.4), [CM-7(5)](#cm-7.5), [CM-8(all)](#cm-8), [CM-9(1)](#cm-9.1), [CM-10](#cm-10), [CM-11](#cm-11), [CP-7(all)](#cp-7), [CP-8(all)](#cp-8), [SC-43](#sc-43), [SI-2](#si-2), [SI-3](#si-3), [SI-4(all)](#si-4), [SI-7](#si-7), [SI-8](#si-8)."},{"id":"pl-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-09","class":"sp800-53a"}],"prose":"{{ insert: param, pl-09_odp }} are centrally managed."},{"id":"pl-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy plan development and implementation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with responsibilities for planning\/implementing central management of controls and related processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the central management of controls and related processes\n\nmechanisms supporting and\/or implementing central management of controls and related processes"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected."},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions."},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"pm","class":"family","title":"Program Management","parts":[{"id":"pm_ovw","name":"overview","title":"Program Management Controls","prose":"[FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of [FIPS 200](#599fb53d-5041-444e-a7fe-640d6d30ad05) impact levels and, therefore, are not associated with the control baselines described in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752).\n\nOrganizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see [PM-1](#pm-1) ) and privacy program plan (see [PM-18](#pm-18) ) supplement system security and privacy plans (see [PL-2](#pl-2) ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization."}],"controls":[{"id":"pm-1","class":"SP800-53","title":"Information Security Program Plan","params":[{"id":"pm-01_odp.01","props":[{"name":"alt-identifier","value":"pm-1_prm_1"},{"name":"label","value":"PM-01_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the organization-wide information security program plan is defined;"}]},{"id":"pm-01_odp.02","props":[{"name":"alt-identifier","value":"pm-1_prm_2"},{"name":"label","value":"PM-01_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the review and update of the organization-wide information security program plan are defined;"}]}],"props":[{"name":"label","value":"PM-1"},{"name":"label","value":"PM-01","class":"sp800-53a"},{"name":"sort-id","value":"pm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-1_smt","name":"statement","parts":[{"id":"pm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide information security program plan that:","parts":[{"id":"pm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;"},{"id":"pm-1_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Reflects the coordination among organizational entities responsible for information security; and"},{"id":"pm-1_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the organization-wide information security program plan {{ insert: param, pm-01_odp.01 }} and following {{ insert: param, pm-01_odp.02 }} ; and"},{"id":"pm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the information security program plan from unauthorized disclosure and modification."}]},{"id":"pm-1_gdn","name":"guidance","prose":"An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in [PM-18](#pm-18) and [SR-2](#sr-2) , respectively.\n\nAn information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.\n\nProgram management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.\n\nCommon controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.\n\nEvents that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"pm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-01","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.[01]","class":"sp800-53a"}],"prose":"an organization-wide information security program plan is developed;"},{"id":"pm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.[02]","class":"sp800-53a"}],"prose":"the information security program plan is disseminated;"},{"id":"pm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[01]","class":"sp800-53a"}],"prose":"the information security program plan provides an overview of the requirements for the security program;"},{"id":"pm-1_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[02]","class":"sp800-53a"}],"prose":"the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;"},{"id":"pm-1_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[03]","class":"sp800-53a"}],"prose":"the information security program plan provides a description of the common controls in place or planned for meeting those requirements;"}]},{"id":"pm-1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[01]","class":"sp800-53a"}],"prose":"the information security program plan includes the identification and assignment of roles;"},{"id":"pm-1_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[02]","class":"sp800-53a"}],"prose":"the information security program plan includes the identification and assignment of responsibilities;"},{"id":"pm-1_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[03]","class":"sp800-53a"}],"prose":"the information security program plan addresses management commitment;"},{"id":"pm-1_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[04]","class":"sp800-53a"}],"prose":"the information security program plan addresses coordination among organizational entities;"},{"id":"pm-1_obj.a.2-5","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[05]","class":"sp800-53a"}],"prose":"the information security program plan addresses compliance;"}]},{"id":"pm-1_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.03","class":"sp800-53a"}],"prose":"the information security program plan reflects the coordination among the organizational entities responsible for information security;"},{"id":"pm-1_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.04","class":"sp800-53a"}],"prose":"the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.[01]","class":"sp800-53a"}],"prose":"the information security program plan is reviewed and updated {{ insert: param, pm-01_odp.01 }};"},{"id":"pm-1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.[02]","class":"sp800-53a"}],"prose":"the information security program plan is reviewed and updated following {{ insert: param, pm-01_odp.02 }};"}]},{"id":"pm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.[01]","class":"sp800-53a"}],"prose":"the information security program plan is protected from unauthorized disclosure;"},{"id":"pm-1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.[02]","class":"sp800-53a"}],"prose":"the information security program plan is protected from unauthorized modification."}]}]},{"id":"pm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews and updates\n\nprocedures addressing coordination of the program plan with relevant entities\n\nprocedures for program plan approvals\n\nrecords of program plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-01-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information security program plan development, review, update, and approval\n\nmechanisms supporting and\/or implementing the information security program plan"}]}]},{"id":"pm-2","class":"SP800-53","title":"Information Security Program Leadership Role","props":[{"name":"label","value":"PM-2"},{"name":"label","value":"PM-02","class":"sp800-53a"},{"name":"sort-id","value":"pm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#81c44706-0227-4258-a920-620a4d259990","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"pm-2_smt","name":"statement","prose":"Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program."},{"id":"pm-2_gdn","name":"guidance","prose":"The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer."},{"id":"pm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-02","class":"sp800-53a"}],"parts":[{"id":"pm-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-02[01]","class":"sp800-53a"}],"prose":"a senior agency information security officer is appointed;"},{"id":"pm-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-02[02]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;"},{"id":"pm-2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-02[03]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;"},{"id":"pm-2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-02[04]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;"},{"id":"pm-2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-02[05]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program."}]},{"id":"pm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews and updates\n\nprocedures addressing coordination of the program plan with relevant entities\n\nother relevant documents or records"}]},{"id":"pm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\nsenior information security officer\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","props":[{"name":"label","value":"PM-3"},{"name":"label","value":"PM-03","class":"sp800-53a"},{"name":"sort-id","value":"pm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-4","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."},{"id":"pm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-03","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[01]","class":"sp800-53a"}],"prose":"the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;"},{"id":"pm-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[02]","class":"sp800-53a"}],"prose":"the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;"}]},{"id":"pm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[01]","class":"sp800-53a"}],"prose":"the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"},{"id":"pm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[02]","class":"sp800-53a"}],"prose":"the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"}]},{"id":"pm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[01]","class":"sp800-53a"}],"prose":"information security resources are made available for expenditure as planned;"},{"id":"pm-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[02]","class":"sp800-53a"}],"prose":"privacy resources are made available for expenditure as planned."}]}]},{"id":"pm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nExhibit 300\n\nExhibit 53\n\nbusiness cases for capital planning and investment\n\nprocedures for capital planning and investment\n\ndocumentation of exceptions to capital planning requirements\n\nother relevant documents or records"}]},{"id":"pm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning responsibilities\n\norganizational personnel with privacy program planning responsibilities\n\norganizational personnel responsible for capital planning and investment\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for capital planning and investment\n\norganizational processes for business case, Exhibit 300, and Exhibit 53 development\n\nmechanisms supporting the capital planning and investment process"}]}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","props":[{"name":"label","value":"PM-4"},{"name":"label","value":"PM-04","class":"sp800-53a"},{"name":"sort-id","value":"pm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission\/business process level, and organizational\/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in [CA-5](#ca-5)."},{"id":"pm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-04","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;"},{"id":"pm-4_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[04]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;"},{"id":"pm-4_obj.a.1-5","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[05]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;"},{"id":"pm-4_obj.a.1-6","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[06]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;"}]},{"id":"pm-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-4_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"},{"id":"pm-4_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"},{"id":"pm-4_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"}]}]},{"id":"pm-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[01]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[02]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions."}]}]},{"id":"pm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nplans of action and milestones\n\nprocedures addressing plans of action and milestones development and maintenance\n\nprocedures addressing plans of action and milestones reporting\n\nprocedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with plans of action and milestones\n\nOMB FISMA reporting requirements\n\nother relevant documents or records"}]},{"id":"pm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for plan of action and milestones development, review, maintenance, and reporting\n\nmechanisms supporting plans of action and milestones"}]}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","params":[{"id":"pm-05_odp","props":[{"name":"alt-identifier","value":"pm-5_prm_1"},{"name":"label","value":"PM-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-5"},{"name":"label","value":"PM-05","class":"sp800-53a"},{"name":"sort-id","value":"pm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":"[OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in [CM-8](#cm-8)."},{"id":"pm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05","class":"sp800-53a"}],"parts":[{"id":"pm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05[01]","class":"sp800-53a"}],"prose":"an inventory of organizational systems is developed;"},{"id":"pm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05[02]","class":"sp800-53a"}],"prose":"the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}."}]},{"id":"pm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nsystem inventory\n\nprocedures addressing system inventory development and maintenance\n\nOMB FISMA reporting guidance\n\nother relevant documents or records"}]},{"id":"pm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development and maintenance\n\nmechanisms supporting the system inventory"}]}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","params":[{"id":"pm-05.01_odp","props":[{"name":"alt-identifier","value":"pm-5.1_prm_1"},{"name":"label","value":"PM-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PM-5(1)"},{"name":"label","value":"PM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-5","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."},{"id":"pm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)","class":"sp800-53a"}],"parts":[{"id":"pm-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[01]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is established;"},{"id":"pm-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[02]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is maintained;"},{"id":"pm-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[03]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}."}]},{"id":"pm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing system inventory development, maintenance, and updates\n\nOMB FISMA reporting guidance\n\nprivacy program plan\n\ninformation security program plan\n\npersonally identifiable information processing policy\n\nsystem inventory\n\npersonally identifiable information inventory\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"pm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development, maintenance, and updates\n\nmechanisms supporting the system inventory"}]}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","props":[{"name":"label","value":"PM-6"},{"name":"label","value":"PM-06","class":"sp800-53a"},{"name":"sort-id","value":"pm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#7798067b-4ed0-4adc-a505-79dad4741693","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy."},{"id":"pm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-06","class":"sp800-53a"}],"parts":[{"id":"pm-6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-06[01]","class":"sp800-53a"}],"prose":"information security measures of performance are developed;"},{"id":"pm-6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-06[02]","class":"sp800-53a"}],"prose":"information security measures of performance are monitored;"},{"id":"pm-6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-06[03]","class":"sp800-53a"}],"prose":"the results of information security measures of performance are reported;"},{"id":"pm-6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-06[04]","class":"sp800-53a"}],"prose":"privacy measures of performance are developed;"},{"id":"pm-6_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-06[05]","class":"sp800-53a"}],"prose":"privacy measures of performance are monitored;"},{"id":"pm-6_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-06[06]","class":"sp800-53a"}],"prose":"the results of privacy measures of performance are reported."}]},{"id":"pm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security measures of performance\n\nprivacy measures of performance\n\nprocedures addressing the development, monitoring, and reporting of information security and privacy measures of performance\n\nrisk management strategy\n\nother relevant documents or records"}]},{"id":"pm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance\n\nmechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance"}]}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","props":[{"name":"label","value":"PM-7"},{"name":"label","value":"PM-07","class":"sp800-53a"},{"name":"sort-id","value":"pm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For [PL-8](#pl-8) , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37](#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8) and supporting security standards and guidelines."},{"id":"pm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07","class":"sp800-53a"}],"parts":[{"id":"pm-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-07[01]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for information security;"},{"id":"pm-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-07[02]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for information security;"},{"id":"pm-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-07[03]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for privacy;"},{"id":"pm-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-07[04]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for privacy;"},{"id":"pm-7_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-07[05]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;"},{"id":"pm-7_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-07[06]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."}]},{"id":"pm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development"}]}],"controls":[{"id":"pm-7.1","class":"SP800-53-enhancement","title":"Offloading","params":[{"id":"pm-07.01_odp","props":[{"name":"alt-identifier","value":"pm-7.1_prm_1"},{"name":"label","value":"PM-07(01)_ODP","class":"sp800-53a"}],"label":"non-essential functions or services","guidelines":[{"prose":"non-essential functions or services to be offloaded are defined;"}]}],"props":[{"name":"label","value":"PM-7(1)"},{"name":"label","value":"PM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-7","rel":"required"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pm-7.1_smt","name":"statement","prose":"Offload {{ insert: param, pm-07.01_odp }} to other systems, system components, or an external provider."},{"id":"pm-7.1_gdn","name":"guidance","prose":"Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services."},{"id":"pm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pm-07.01_odp }} are offloaded to other systems, system components, or an external provider."},{"id":"pm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nprocedures for identifying and offloading functions or services\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development\n\nmechanisms for offloading functions and services"}]}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","props":[{"name":"label","value":"PM-8"},{"name":"label","value":"PM-08","class":"sp800-53a"},{"name":"sort-id","value":"pm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#3406fdc0-d61c-44a9-a5ca-84180544c83a","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#488d6934-00b2-4252-bf23-1b3c2d71eb13","rel":"reference"},{"href":"#b9951d04-6385-478c-b1a3-ab68c19d9041","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-08","class":"sp800-53a"}],"parts":[{"id":"pm-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-08[01]","class":"sp800-53a"}],"prose":"information security issues are addressed in the development of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-08[02]","class":"sp800-53a"}],"prose":"information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-08[03]","class":"sp800-53a"}],"prose":"information security issues are addressed in the update of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-08[04]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-08[05]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"},{"id":"pm-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-08[06]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the update of a critical infrastructure and key resources protection plan."}]},{"id":"pm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ncritical infrastructure and key resources protection plan\n\nprocedures addressing the development, documentation, and updating of the critical infrastructure and key resources protection plan\n\nHSPD 7\n\nNational Infrastructure Protection Plan\n\nother relevant documents or records"}]},{"id":"pm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\nmechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan"}]}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","params":[{"id":"pm-09_odp","props":[{"name":"alt-identifier","value":"pm-9_prm_1"},{"name":"label","value":"PM-09_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-9"},{"name":"label","value":"PM-09","class":"sp800-53a"},{"name":"sort-id","value":"pm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#at-1","rel":"related"},{"href":"#ca-1","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cp-1","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ir-1","rel":"related"},{"href":"#ma-1","rel":"related"},{"href":"#mp-1","rel":"related"},{"href":"#pe-1","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-1","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-1","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy."},{"id":"pm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-09","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.01","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;"},{"id":"pm-9_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.02","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-09b.","class":"sp800-53a"}],"prose":"the risk management strategy is implemented consistently across the organization;"},{"id":"pm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-09c.","class":"sp800-53a"}],"prose":"the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes."}]},{"id":"pm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\nprocedures addressing the development, implementation, review, and update of the risk management strategy\n\nrisk assessment results relevant to the risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the development, implementation, review, and update of the risk management strategy\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development, implementation, review, and update of the risk management strategy\n\nmechanisms supporting the development, implementation, review, and update of the risk management strategy"}]}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","props":[{"name":"label","value":"PM-10"},{"name":"label","value":"PM-10","class":"sp800-53a"},{"name":"sort-id","value":"pm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."},{"id":"pm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-10","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[01]","class":"sp800-53a"}],"prose":"the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;"},{"id":"pm-10_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[02]","class":"sp800-53a"}],"prose":"the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;"}]},{"id":"pm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-10b.","class":"sp800-53a"}],"prose":"individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;"},{"id":"pm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-10c.","class":"sp800-53a"}],"prose":"the authorization processes are integrated into an organization-wide risk management program."}]},{"id":"pm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nprocedures addressing management (i.e., documentation, tracking, and reporting) of the authorization process\n\nassessment, authorization, and monitoring policy\n\nassessment, authorization, and monitoring procedures\n\nsystem authorization documentation\n\nlists or other documentation about authorization process roles and responsibilities\n\nrisk assessment results relevant to the authorization process and the organization-wide risk management program\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for management of the authorization process\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorization\n\nmechanisms supporting the authorization process"}]}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","params":[{"id":"pm-11_odp","props":[{"name":"alt-identifier","value":"pm-11_prm_1"},{"name":"label","value":"PM-11_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and revise the mission and business processes is defined;"}]}],"props":[{"name":"label","value":"PM-11"},{"name":"label","value":"PM-11","class":"sp800-53a"},{"name":"sort-id","value":"pm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures."},{"id":"pm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-11","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[01]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for information security;"},{"id":"pm-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[02]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for privacy;"},{"id":"pm-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[03]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[01]","class":"sp800-53a"}],"prose":"information protection needs arising from the defined mission and business processes are determined;"},{"id":"pm-11_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[02]","class":"sp800-53a"}],"prose":"personally identifiable information processing needs arising from the defined mission and business processes are determined;"}]},{"id":"pm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-11c.","class":"sp800-53a"}],"prose":"the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for determining mission and business protection needs\n\ninformation security and privacy risk assessment results relevant to the determination of mission and business protection needs\n\npersonally identifiable information processing policy\n\npersonally identifiable information inventory\n\nother relevant documents or records"}]},{"id":"pm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for enterprise risk management\n\norganizational personnel responsible for determining information protection needs for mission and business processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining mission and business processes and their information protection needs"}]}]},{"id":"pm-12","class":"SP800-53","title":"Insider Threat Program","props":[{"name":"label","value":"PM-12"},{"name":"label","value":"PM-12","class":"sp800-53a"},{"name":"sort-id","value":"pm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#528135e3-c65b-461a-93d3-46513610f792","rel":"reference"},{"href":"#06d74ea9-2178-449c-a9c5-b2980f804ac8","rel":"reference"},{"href":"#ac-6","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-16","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"pm-12_smt","name":"statement","prose":"Implement an insider threat program that includes a cross-discipline insider threat incident handling team."},{"id":"pm-12_gdn","name":"guidance","prose":"Organizations that handle classified information are required, under Executive Order 13587 [EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) and the National Insider Threat Policy [ODNI NITP](#06d74ea9-2178-449c-a9c5-b2980f804ac8) , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.\n\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"pm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-12","class":"sp800-53a"}],"prose":"an insider threat program that includes a cross-discipline insider threat incident handling team is implemented."},{"id":"pm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the insider threat program\n\nmembers of the cross-discipline insider threat incident handling team\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team\n\nmechanisms supporting and\/or implementing the insider threat program and the cross-discipline insider threat incident handling team"}]}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","props":[{"name":"label","value":"PM-13"},{"name":"label","value":"PM-13","class":"sp800-53a"},{"name":"sort-id","value":"pm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."},{"id":"pm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-13","class":"sp800-53a"}],"parts":[{"id":"pm-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-13[01]","class":"sp800-53a"}],"prose":"a security workforce development and improvement program is established;"},{"id":"pm-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-13[02]","class":"sp800-53a"}],"prose":"a privacy workforce development and improvement program is established."}]},{"id":"pm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security and privacy workforce development and improvement program documentation\n\nprocedures for the information security and privacy workforce development and improvement program\n\ninformation security and privacy role-based training program documentation\n\nother relevant documents or records"}]},{"id":"pm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the information security and privacy workforce development and improvement program\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the information security and privacy workforce development and improvement program\n\nmechanisms supporting and\/or implementing the information security and privacy workforce development and improvement program"}]}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","props":[{"name":"label","value":"PM-14"},{"name":"label","value":"PM-14","class":"sp800-53a"},{"name":"sort-id","value":"pm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."},{"id":"pm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-14","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;"},{"id":"pm-14_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;"},{"id":"pm-14_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[03]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;"},{"id":"pm-14_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[04]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;"}]},{"id":"pm-14_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;"},{"id":"pm-14_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;"}]}]},{"id":"pm-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[01]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[02]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[03]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with the organizational risk management strategy;"},{"id":"pm-14_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[04]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with organization-wide priorities for risk response actions;"},{"id":"pm-14_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[05]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with organization-wide priorities for risk response actions;"},{"id":"pm-14_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[06]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions."}]}]},{"id":"pm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nplans for conducting security and privacy testing, training, and monitoring activities\n\norganizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nrisk management strategy\n\nprocedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with conducting security and privacy testing, training, and monitoring activities\n\ndocumentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities\n\nother relevant documents or records"}]},{"id":"pm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nmechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities"}]}]},{"id":"pm-15","class":"SP800-53","title":"Security and Privacy Groups and Associations","props":[{"name":"label","value":"PM-15"},{"name":"label","value":"PM-15","class":"sp800-53a"},{"name":"sort-id","value":"pm-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#sa-11","rel":"related"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"pm-15_smt","name":"statement","prose":"Establish and institutionalize contact with selected groups and associations within the security and privacy communities:","parts":[{"id":"pm-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"To facilitate ongoing security and privacy education and training for organizational personnel;"},{"id":"pm-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"To maintain currency with recommended security and privacy practices, techniques, and technologies; and"},{"id":"pm-15_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"To share current security and privacy information, including threats, vulnerabilities, and incidents."}]},{"id":"pm-15_gdn","name":"guidance","prose":"Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-15","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;"},{"id":"pm-15_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;"}]},{"id":"pm-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;"},{"id":"pm-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;"}]},{"id":"pm-15_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;"},{"id":"pm-15_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents."}]}]},{"id":"pm-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for establishing and institutionalizing contacts with security and privacy groups and associations\n\nlists or other records of contacts with and\/or membership in security and privacy groups and associations\n\nother relevant documents or records"}]},{"id":"pm-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel from selected groups and associations with which the organization has established and institutionalized contact"}]},{"id":"pm-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations\n\nmechanisms supporting contact with security and privacy groups and associations"}]}]},{"id":"pm-16","class":"SP800-53","title":"Threat Awareness Program","props":[{"name":"label","value":"PM-16"},{"name":"label","value":"PM-16","class":"sp800-53a"},{"name":"sort-id","value":"pm-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"pm-16_smt","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"pm-16_gdn","name":"guidance","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared."},{"id":"pm-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-16","class":"sp800-53a"}],"prose":"a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented."},{"id":"pm-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results relevant to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}]},{"id":"pm-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the threat awareness program\n\norganizational personnel responsible for the cross-organization information-sharing capability\n\norganizational personnel with information security and privacy responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}]},{"id":"pm-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the threat awareness program\n\norganizational processes for implementing the cross-organization information-sharing capability\n\nmechanisms supporting and\/or implementing the threat awareness program\n\nmechanisms supporting and\/or implementing the cross-organization information-sharing capability"}]}],"controls":[{"id":"pm-16.1","class":"SP800-53-enhancement","title":"Automated Means for Sharing Threat Intelligence","props":[{"name":"label","value":"PM-16(1)"},{"name":"label","value":"PM-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-16","rel":"required"}],"parts":[{"id":"pm-16.1_smt","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_gdn","name":"guidance","prose":"To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools."},{"id":"pm-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-16(01)","class":"sp800-53a"}],"prose":"automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results related to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}]},{"id":"pm-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the threat awareness program\n\norganizational personnel responsible for the cross-organization information-sharing capability\n\norganizational personnel with information security and privacy responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}]},{"id":"pm-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the threat awareness program\n\norganizational processes for implementing the cross-organization information-sharing capability\n\nautomated mechanisms supporting and\/or implementing the threat awareness program\n\nautomated mechanisms supporting and\/or implementing the cross-organization information-sharing capability"}]}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","params":[{"id":"pm-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.02"}],"label":"organization-defined frequency"},{"id":"pm-17_odp.01","props":[{"name":"label","value":"PM-17_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the policy is defined;"}]},{"id":"pm-17_odp.02","props":[{"name":"label","value":"PM-17_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the procedures is defined;"}]}],"props":[{"name":"label","value":"PM-17"},{"name":"label","value":"PM-17","class":"sp800-53a"},{"name":"sort-id","value":"pm-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#pm-10","rel":"related"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and"},{"id":"pm-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2017-title32-vol6\/xml\/CFR-2017-title32-vol6-part2002.xml) . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."},{"id":"pm-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-17","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[01]","class":"sp800-53a"}],"prose":"policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"},{"id":"pm-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[02]","class":"sp800-53a"}],"prose":"procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"}]},{"id":"pm-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[01]","class":"sp800-53a"}],"prose":"policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};"},{"id":"pm-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[02]","class":"sp800-53a"}],"prose":"procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} "}]}]},{"id":"pm-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Controlled unclassified information policy\n\ncontrolled unclassified information procedures\n\nother relevant documents or records."}]},{"id":"pm-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with controlled unclassified information responsibilities\n\norganizational personnel with information security responsibilities."}]}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","params":[{"id":"pm-18_odp","props":[{"name":"alt-identifier","value":"pm-18_prm_1"},{"name":"label","value":"PM-18_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of updates to the privacy program plan is defined;"}]}],"props":[{"name":"label","value":"PM-18"},{"name":"label","value":"PM-18","class":"sp800-53a"},{"name":"sort-id","value":"pm-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\n\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\n\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.\n\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."},{"id":"pm-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-18","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[01]","class":"sp800-53a"}],"prose":"an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;"},{"id":"pm-18_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the structure of the privacy program;"},{"id":"pm-18_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the resources dedicated to the privacy program;"}]},{"id":"pm-18_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[01]","class":"sp800-53a"}],"prose":"the privacy program plan provides an overview of the requirements for the privacy program;"},{"id":"pm-18_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[02]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;"},{"id":"pm-18_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[03]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;"}]},{"id":"pm-18_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes the role of the senior agency official for privacy;"},{"id":"pm-18_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;"}]},{"id":"pm-18_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[01]","class":"sp800-53a"}],"prose":"the privacy program plan describes management commitment;"},{"id":"pm-18_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[02]","class":"sp800-53a"}],"prose":"the privacy program plan describes compliance;"},{"id":"pm-18_obj.a.4-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[03]","class":"sp800-53a"}],"prose":"the privacy program plan describes the strategic goals and objectives of the privacy program;"}]},{"id":"pm-18_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.05","class":"sp800-53a"}],"prose":"the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;"},{"id":"pm-18_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.06","class":"sp800-53a"}],"prose":"the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"},{"id":"pm-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is disseminated;"}]},{"id":"pm-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[01]","class":"sp800-53a"}],"prose":"the privacy program plan is updated {{ insert: param, pm-18_odp }};"},{"id":"pm-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address changes in federal privacy laws and policies;"},{"id":"pm-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[03]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address organizational changes;"},{"id":"pm-18_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[04]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments."}]}]},{"id":"pm-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews, updates, and approvals\n\nprocedures addressing coordination of the program plan with relevant entities\n\nrecords of program plan reviews, updates, and approvals\n\nother relevant documents or records"}]},{"id":"pm-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","props":[{"name":"label","value":"PM-19"},{"name":"label","value":"PM-19","class":"sp800-53a"},{"name":"sort-id","value":"pm-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-18","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pm-27","rel":"related"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see [PM-23](#pm-23) ) and the data integrity board (see [PM-24](#pm-24))."},{"id":"pm-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-19","class":"sp800-53a"}],"parts":[{"id":"pm-19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-19[01]","class":"sp800-53a"}],"prose":"a senior agency official for privacy with authority, mission, accountability, and resources is appointed;"},{"id":"pm-19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-19[02]","class":"sp800-53a"}],"prose":"the senior agency official for privacy coordinates applicable privacy requirements;"},{"id":"pm-19_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-19[03]","class":"sp800-53a"}],"prose":"the senior agency official for privacy develops applicable privacy requirements;"},{"id":"pm-19_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-19[04]","class":"sp800-53a"}],"prose":"the senior agency official for privacy implements applicable privacy requirements;"},{"id":"pm-19_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-19[05]","class":"sp800-53a"}],"prose":"the senior agency official for privacy manages privacy risks through the organization-wide privacy program."}]},{"id":"pm-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program documents, including policies, procedures, plans, and reports\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements\n\nsystem of records notices\n\ncomputer matching agreements and notices\n\ncontracts, information sharing agreements, and memoranda of understanding\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance\n\nother relevant documents or records"}]},{"id":"pm-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities\n\nsenior agency official for privacy\n\nprivacy officials"}]}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","props":[{"name":"label","value":"PM-20"},{"name":"label","value":"PM-20","class":"sp800-53a"},{"name":"sort-id","value":"pm-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and\/or phone lines to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"For federal agencies, the webpage is located at www.[agency].gov\/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions\/complaints, blogs, and periodic publications."},{"id":"pm-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20[01]","class":"sp800-53a"}],"prose":"a central resource webpage is maintained on the organization’s principal public website;"},{"id":"pm-20_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20[02]","class":"sp800-53a"}],"prose":"the webpage serves as a central source of information about the organization’s privacy program;"},{"id":"pm-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that the public has access to information about organizational privacy activities;"},{"id":"pm-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that the public can communicate with its senior agency official for privacy;"}]},{"id":"pm-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy practices are publicly available;"},{"id":"pm-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy reports are publicly available;"}]},{"id":"pm-20_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20c.","class":"sp800-53a"}],"prose":"the webpage employs publicly facing email addresses and\/or phone numbers to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Public website\n\npublicly posted privacy program documents, including policies, procedures, plans, and reports\n\nposition description of the senior agency official for privacy\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements and system of records notices\n\ncomputer matching agreements and notices\n\nother relevant documents or records"}]},{"id":"pm-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Location, access, availability, and functionality of privacy resource webpage"}]}],"controls":[{"id":"pm-20.1","class":"SP800-53-enhancement","title":"Privacy Policies on Websites, Applications, and Digital Services","props":[{"name":"label","value":"PM-20(1)"},{"name":"label","value":"PM-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-20","rel":"required"}],"parts":[{"id":"pm-20.1_smt","name":"statement","prose":"Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:","parts":[{"id":"pm-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Are written in plain language and organized in a way that is easy to understand and navigate;"},{"id":"pm-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and"},{"id":"pm-20.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are updated whenever the organization makes a substantive change to the practices it describes and includes a time\/date stamp to inform the public of the date of the most recent changes."}]},{"id":"pm-20.1_gdn","name":"guidance","prose":"Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"pm-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[01]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all external-facing websites;"},{"id":"pm-20.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[02]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all mobile applications;"},{"id":"pm-20.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[03]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all other digital services;"},{"id":"pm-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[01]","class":"sp800-53a"}],"prose":"the privacy policies are written in plain language;"},{"id":"pm-20.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy policies are organized in a way that is easy to understand and navigate;"}]},{"id":"pm-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[01]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;"},{"id":"pm-20.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;"}]},{"id":"pm-20.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[01]","class":"sp800-53a"}],"prose":"the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;"},{"id":"pm-20.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[02]","class":"sp800-53a"}],"prose":"the privacy policies include a time\/date stamp to inform the public of the date of the most recent changes."}]}]},{"id":"pm-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy policies on the agency website, mobile applications, and\/or other digital services"}]},{"id":"pm-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational procedures and practices for disseminating privacy program information\n\nmechanisms supporting the dissemination of privacy program information"}]}]}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","props":[{"name":"label","value":"PM-21"},{"name":"label","value":"PM-21","class":"sp800-53a"},{"name":"sort-id","value":"pm-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the individual or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\n\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions."},{"id":"pm-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-21","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.","class":"sp800-53a"}],"prose":"an accurate accounting of disclosures of personally identifiable information is developed and maintained;","parts":[{"id":"pm-21_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[01]","class":"sp800-53a"}],"prose":"the accounting includes the date of each disclosure;"},{"id":"pm-21_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[02]","class":"sp800-53a"}],"prose":"the accounting includes the nature of each disclosure;"},{"id":"pm-21_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[03]","class":"sp800-53a"}],"prose":"the accounting includes the purpose of each disclosure;"}]},{"id":"pm-21_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[01]","class":"sp800-53a"}],"prose":"the accounting includes the name of the individual or organization to whom the disclosure was made;"},{"id":"pm-21_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[02]","class":"sp800-53a"}],"prose":"the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;"}]}]},{"id":"pm-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-21b.","class":"sp800-53a"}],"prose":"the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;"},{"id":"pm-21_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-21c.","class":"sp800-53a"}],"prose":"the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndisclosure policies and procedures\n\nrecords of disclosures\n\naudit logs\n\nPrivacy Act policies and procedures\n\nsystem of records notice\n\nPrivacy Act exemption rules."}]},{"id":"pm-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities."}]},{"id":"pm-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for disclosures\n\nmechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts."}]}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","props":[{"name":"label","value":"PM-22"},{"name":"label","value":"PM-22","class":"sp800-53a"},{"name":"sort-id","value":"pm-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document organization-wide policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\n\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\n\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."},{"id":"pm-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-22","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22[01]","class":"sp800-53a"}],"prose":"organization-wide policies for personally identifiable information quality management are developed and documented;"},{"id":"pm-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22[02]","class":"sp800-53a"}],"prose":"organization-wide procedures for personally identifiable information quality management are developed and documented;"},{"id":"pm-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[01]","class":"sp800-53a"}],"prose":"the policies address reviewing the accuracy of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[02]","class":"sp800-53a"}],"prose":"the policies address reviewing the relevance of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[03]","class":"sp800-53a"}],"prose":"the policies address reviewing the timeliness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[04]","class":"sp800-53a"}],"prose":"the policies address reviewing the completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[05]","class":"sp800-53a"}],"prose":"the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[06]","class":"sp800-53a"}],"prose":"the procedures address reviewing the relevance of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[07]","class":"sp800-53a"}],"prose":"the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;"},{"id":"pm-22_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[08]","class":"sp800-53a"}],"prose":"the procedures address reviewing the completeness of personally identifiable information across the information life cycle;"}]},{"id":"pm-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[01]","class":"sp800-53a"}],"prose":"the policies address correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[02]","class":"sp800-53a"}],"prose":"the procedures address correcting or deleting inaccurate or outdated personally identifiable information;"}]},{"id":"pm-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[01]","class":"sp800-53a"}],"prose":"the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"},{"id":"pm-22_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[02]","class":"sp800-53a"}],"prose":"the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"}]},{"id":"pm-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[01]","class":"sp800-53a"}],"prose":"the policies address appeals of adverse decisions on correction or deletion requests;"},{"id":"pm-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[02]","class":"sp800-53a"}],"prose":"the procedures address appeals of adverse decisions on correction or deletion requests."}]}]},{"id":"pm-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion\n\nrecords of monitoring PII quality management practices\n\ndocumentation of reviews and updates of policies and procedures"}]},{"id":"pm-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"[Organizational processes for data quality and personally identifiable information quality management procedures\n\nmechanisms supporting and\/or implementing quality management requirements"}]}]},{"id":"pm-23","class":"SP800-53","title":"Data Governance Body","params":[{"id":"pm-23_odp.01","props":[{"name":"alt-identifier","value":"pm-23_prm_1"},{"name":"label","value":"PM-23_ODP[01]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"the roles of a Data Governance Body are defined;"}]},{"id":"pm-23_odp.02","props":[{"name":"alt-identifier","value":"pm-23_prm_2"},{"name":"label","value":"PM-23_ODP[02]","class":"sp800-53a"}],"label":"responsibilities","guidelines":[{"prose":"the responsibilities of a Data Governance Body are defined;"}]}],"props":[{"name":"label","value":"PM-23"},{"name":"label","value":"PM-23","class":"sp800-53a"},{"name":"sort-id","value":"pm-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511da9ca-604d-43f7-be41-b862085420a9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d886c141-c832-4ad7-ac6d-4b94f4b550d3","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pm-23_smt","name":"statement","prose":"Establish a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }}."},{"id":"pm-23_gdn","name":"guidance","prose":"A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT](#511da9ca-604d-43f7-be41-b862085420a9) and policies set forth under [OMB M-19-23](#d886c141-c832-4ad7-ac6d-4b94f4b550d3)."},{"id":"pm-23_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-23","class":"sp800-53a"}],"prose":"a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }} is established."},{"id":"pm-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndocumentation relating to the Data Governance Body, including documents establishing such a body, its charter of operations, and any plans and reports\n\nrecords of board meetings and decisions\n\nrecords of requests to review data\n\npolicies, procedures, and standards that facilitate data governance"}]},{"id":"pm-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Officials serving on the Data Governance Body (e.g., chief information officer, senior agency information security officer, and senior agency official for privacy)"}]}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","props":[{"name":"label","value":"PM-24"},{"name":"label","value":"PM-24","class":"sp800-53a"},{"name":"sort-id","value":"pm-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-8","rel":"related"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."},{"id":"pm-24_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-24","class":"sp800-53a"}],"prose":"a Data Integrity Board is established;","parts":[{"id":"pm-24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-24a.","class":"sp800-53a"}],"prose":"the Data Integrity Board reviews proposals to conduct or participate in a matching program;"},{"id":"pm-24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-24b.","class":"sp800-53a"}],"prose":"the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy program documents relating to the Data Integrity Board, including documents establishing the board, its charter of operations, and any plans and reports\n\ncomputer matching agreements and notices\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nrecords documenting annual reviews\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance"}]},{"id":"pm-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"members of the Data Integrity Board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency Inspector General)"}]}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Personally Identifiable Information Used in Testing, Training, and Research","params":[{"id":"pm-25_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.04"}],"label":"organization-defined frequency"},{"id":"pm-25_odp.01","props":[{"name":"label","value":"PM-25_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.02","props":[{"name":"label","value":"PM-25_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.03","props":[{"name":"label","value":"PM-25_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.04","props":[{"name":"label","value":"PM-25_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]}],"props":[{"name":"label","value":"PM-25"},{"name":"label","value":"PM-25","class":"sp800-53a"},{"name":"sort-id","value":"pm-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and\/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research."},{"id":"pm-25_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-25","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[01]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing are developed and documented;"},{"id":"pm-25_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[02]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal training are developed and documented;"},{"id":"pm-25_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[03]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal research are developed and documented;"},{"id":"pm-25_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[04]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are developed and documented;"},{"id":"pm-25_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[05]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal training are developed and documented;"},{"id":"pm-25_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[06]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal research are developed and documented;"},{"id":"pm-25_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[07]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing, are implemented;"},{"id":"pm-25_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[08]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for training are implemented;"},{"id":"pm-25_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[09]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for research are implemented;"},{"id":"pm-25_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[10]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are implemented;"},{"id":"pm-25_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[11]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for training are implemented;"},{"id":"pm-25_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[12]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for research are implemented;"}]},{"id":"pm-25_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[01]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal testing purposes is limited or minimized;"},{"id":"pm-25_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[02]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal training purposes is limited or minimized;"},{"id":"pm-25_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[03]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal research purposes is limited or minimized;"}]},{"id":"pm-25_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[01]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal testing is authorized;"},{"id":"pm-25_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[02]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal training is authorized;"},{"id":"pm-25_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[03]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal research is authorized;"}]},{"id":"pm-25_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[01]","class":"sp800-53a"}],"prose":"policies are reviewed {{ insert: param, pm-25_odp.01 }};"},{"id":"pm-25_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[02]","class":"sp800-53a"}],"prose":"policies are updated {{ insert: param, pm-25_odp.02 }};"},{"id":"pm-25_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[03]","class":"sp800-53a"}],"prose":"procedures are reviewed {{ insert: param, pm-25_odp.03 }};"},{"id":"pm-25_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[04]","class":"sp800-53a"}],"prose":"procedures are updated {{ insert: param, pm-25_odp.04 }}."}]}]},{"id":"pm-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting policy implementation (e.g., templates for testing, training, and research\n\nprivacy threshold analysis\n\nprivacy risk assessment)\n\ndata sets used for testing, training, and research"}]},{"id":"pm-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"pm-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for data quality and personally identifiable information management\n\nmechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information"}]}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","params":[{"id":"pm-26_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.02"}],"label":"organization-defined time period"},{"id":"pm-26_odp.01","props":[{"name":"label","value":"PM-26_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;"}]},{"id":"pm-26_odp.02","props":[{"name":"label","value":"PM-26_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;"}]},{"id":"pm-26_odp.03","props":[{"name":"alt-identifier","value":"pm-26_prm_2"},{"name":"label","value":"PM-26_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for acknowledging the receipt of complaints is defined;"}]},{"id":"pm-26_odp.04","props":[{"name":"alt-identifier","value":"pm-26_prm_3"},{"name":"label","value":"PM-26_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for responding to complaints is defined;"}]}],"props":[{"name":"label","value":"PM-26"},{"name":"label","value":"PM-26","class":"sp800-53a"},{"name":"sort-id","value":"pm-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }} ; and"},{"id":"pm-26_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes."},{"id":"pm-26_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-26","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26[01]","class":"sp800-53a"}],"prose":"a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"},{"id":"pm-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26[02]","class":"sp800-53a"}],"prose":"a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"},{"id":"pm-26_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are easy to use by the public;"},{"id":"pm-26_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are readily accessible by the public;"}]},{"id":"pm-26_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-26b.","class":"sp800-53a"}],"prose":"the complaint management process includes all information necessary for successfully filing complaints;"},{"id":"pm-26_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};"},{"id":"pm-26_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};"}]},{"id":"pm-26_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-26d.","class":"sp800-53a"}],"prose":"the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};"},{"id":"pm-26_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-26e.","class":"sp800-53a"}],"prose":"the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing complaint management\n\ncomplaint documentation\n\nprocedures addressing the reviews of complaints\n\nother relevant documents or records"}]},{"id":"pm-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for complaint management\n\nmechanisms supporting complaint management\n\ntools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms"}]}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","params":[{"id":"pm-27_odp.01","props":[{"name":"alt-identifier","value":"pm-27_prm_1"},{"name":"label","value":"PM-27_ODP[01]","class":"sp800-53a"}],"label":"privacy reports","guidelines":[{"prose":"privacy reports are defined;"}]},{"id":"pm-27_odp.02","props":[{"name":"alt-identifier","value":"pm-27_prm_2"},{"name":"label","value":"PM-27_ODP[02]","class":"sp800-53a"}],"label":"oversight bodies","guidelines":[{"prose":"privacy oversight bodies are defined;"}]},{"id":"pm-27_odp.03","props":[{"name":"alt-identifier","value":"pm-27_prm_3"},{"name":"label","value":"PM-27_ODP[03]","class":"sp800-53a"}],"label":"officials","guidelines":[{"prose":"officials responsible for monitoring privacy program compliance are defined;"}]},{"id":"pm-27_odp.04","props":[{"name":"alt-identifier","value":"pm-27_prm_4"},{"name":"label","value":"PM-27_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating privacy reports is defined;"}]}],"props":[{"name":"label","value":"PM-27"},{"name":"label","value":"PM-27","class":"sp800-53a"},{"name":"sort-id","value":"pm-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop {{ insert: param, pm-27_odp.01 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9\/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."},{"id":"pm-27_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-27","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.","class":"sp800-53a"}],"prose":"{{ insert: param, pm-27_odp.01 }} are developed;","parts":[{"id":"pm-27_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.01","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;"},{"id":"pm-27_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[01]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};"},{"id":"pm-27_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[02]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;"}]}]},{"id":"pm-27_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-27b.","class":"sp800-53a"}],"prose":"the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ninternal and external privacy reports\n\nprivacy program plan\n\nannual senior agency official for privacy reports to OMB\n\nreports to Congress required by law, regulation, or policy, including internal policies\n\nrecords documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance\n\nrecords of review and updates of privacy reports."}]},{"id":"pm-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nlegal counsel."}]}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","params":[{"id":"pm-28_odp.01","props":[{"name":"alt-identifier","value":"pm-28_prm_1"},{"name":"label","value":"PM-28_ODP[01]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"the personnel to receive the results of risk framing activities is\/are defined;"}]},{"id":"pm-28_odp.02","props":[{"name":"alt-identifier","value":"pm-28_prm_2"},{"name":"label","value":"PM-28_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating risk framing considerations is defined;"}]}],"props":[{"name":"label","value":"PM-28"},{"name":"label","value":"PM-28","class":"sp800-53a"},{"name":"sort-id","value":"pm-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance;"}]},{"id":"pm-28_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }} ; and"},{"id":"pm-28_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."},{"id":"pm-28_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-28","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[01]","class":"sp800-53a"}],"prose":"assumptions affecting risk assessments are identified and documented;"},{"id":"pm-28_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[02]","class":"sp800-53a"}],"prose":"assumptions affecting risk responses are identified and documented;"},{"id":"pm-28_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[03]","class":"sp800-53a"}],"prose":"assumptions affecting risk monitoring are identified and documented;"}]},{"id":"pm-28_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[01]","class":"sp800-53a"}],"prose":"constraints affecting risk assessments are identified and documented;"},{"id":"pm-28_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[02]","class":"sp800-53a"}],"prose":"constraints affecting risk responses are identified and documented;"},{"id":"pm-28_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[03]","class":"sp800-53a"}],"prose":"constraints affecting risk monitoring are identified and documented;"}]},{"id":"pm-28_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[01]","class":"sp800-53a"}],"prose":"priorities considered by the organization for managing risk are identified and documented;"},{"id":"pm-28_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[02]","class":"sp800-53a"}],"prose":"trade-offs considered by the organization for managing risk are identified and documented;"}]},{"id":"pm-28_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.04","class":"sp800-53a"}],"prose":"organizational risk tolerance is identified and documented;"}]},{"id":"pm-28_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-28b.","class":"sp800-53a"}],"prose":"the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};"},{"id":"pm-28_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-28c.","class":"sp800-53a"}],"prose":"risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management strategy\n\ndocumentation of risk framing activities\n\npolicies and procedures for risk framing activities\n\nrisk management strategy"}]},{"id":"pm-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel (including mission, business, and system owners or stewards\n\nauthorizing officials\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\nand senior accountable official for risk management)"}]},{"id":"pm-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational processes for risk framing\n\nmechanisms supporting the development, review, update, and approval of risk framing"}]}]},{"id":"pm-29","class":"SP800-53","title":"Risk Management Program Leadership Roles","props":[{"name":"label","value":"PM-29"},{"name":"label","value":"PM-29","class":"sp800-53a"},{"name":"sort-id","value":"pm-29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#pm-2","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-29_smt","name":"statement","parts":[{"id":"pm-29_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and"},{"id":"pm-29_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization."}]},{"id":"pm-29_gdn","name":"guidance","prose":"The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities."},{"id":"pm-29_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-29","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.[01]","class":"sp800-53a"}],"prose":"a Senior Accountable Official for Risk Management is appointed;"},{"id":"pm-29_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.[02]","class":"sp800-53a"}],"prose":"a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;"}]},{"id":"pm-29_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[01]","class":"sp800-53a"}],"prose":"a Risk Executive (function) is established;"},{"id":"pm-29_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[02]","class":"sp800-53a"}],"prose":"a Risk Executive (function) views and analyzes risk from an organization-wide perspective;"},{"id":"pm-29_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[03]","class":"sp800-53a"}],"prose":"a Risk Executive (function) ensures that the management of risk is consistent across the organization."}]}]},{"id":"pm-29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-29-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\ndocumentation of appointment, roles, and responsibilities of a Senior Accountable Official for Risk Management\n\ndocumentation of actions taken by the Official\n\ndocumentation of the establishment, policies, and procedures of a Risk Executive (function)"}]},{"id":"pm-29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-29-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security and privacy program responsibilities"}]}]},{"id":"pm-30","class":"SP800-53","title":"Supply Chain Risk Management Strategy","params":[{"id":"pm-30_odp","props":[{"name":"alt-identifier","value":"pm-30_prm_1"},{"name":"label","value":"PM-30_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating the supply chain risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-30"},{"name":"label","value":"PM-30","class":"sp800-53a"},{"name":"sort-id","value":"pm-30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#cm-10","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"},{"href":"#sr-8","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"pm-30_smt","name":"statement","parts":[{"id":"pm-30_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;"},{"id":"pm-30_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management strategy consistently across the organization; and"},{"id":"pm-30_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes."}]},{"id":"pm-30_gdn","name":"guidance","prose":"An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission\/business levels, whereas the supply chain risk management plan (see [SR-2](#sr-2) ) is implemented at the system level."},{"id":"pm-30_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-30","class":"sp800-53a"}],"parts":[{"id":"pm-30_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.","class":"sp800-53a"}],"parts":[{"id":"pm-30_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[01]","class":"sp800-53a"}],"prose":"an organization-wide strategy for managing supply chain risks is developed;"},{"id":"pm-30_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of systems;"},{"id":"pm-30_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of system components;"},{"id":"pm-30_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of system services;"},{"id":"pm-30_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of systems;"},{"id":"pm-30_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of system components;"},{"id":"pm-30_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of system services;"},{"id":"pm-30_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of systems;"},{"id":"pm-30_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of system components;"},{"id":"pm-30_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[10]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of system services;"},{"id":"pm-30_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[11]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of systems;"},{"id":"pm-30_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[12]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of system components;"},{"id":"pm-30_obj.a-13","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[13]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of system services;"}]},{"id":"pm-30_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-30b.","class":"sp800-53a"}],"prose":"the supply chain risk management strategy is implemented consistently across the organization;"},{"id":"pm-30_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-30c.","class":"sp800-53a"}],"prose":"the supply chain risk management strategy is reviewed and updated {{ insert: param, pm-30_odp }} or as required to address organizational changes."}]},{"id":"pm-30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-30-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management strategy\n\norganizational risk management strategy\n\nenterprise risk management documents\n\nother relevant documents or records"}]},{"id":"pm-30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-30-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}],"controls":[{"id":"pm-30.1","class":"SP800-53-enhancement","title":"Suppliers of Critical or Mission-essential Items","props":[{"name":"label","value":"PM-30(1)"},{"name":"label","value":"PM-30(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-30.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-30","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pm-30.1_smt","name":"statement","prose":"Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services."},{"id":"pm-30.1_gdn","name":"guidance","prose":"The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission\/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see [SR-6](#sr-6) ) and supply chain risk assessment processes (see [RA-3(1)](#ra-3.1) ). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"pm-30.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)","class":"sp800-53a"}],"parts":[{"id":"pm-30.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[01]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are identified;"},{"id":"pm-30.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[02]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are prioritized;"},{"id":"pm-30.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[03]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are assessed."}]},{"id":"pm-30.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-30(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management strategy\n\norganization-wide risk management strategy\n\nenterprise risk management documents\n\ninventory records or suppliers\n\nassessment and prioritization documentation\n\ncritical or mission-essential technologies, products, and service documents or records\n\nother relevant documents or records"}]},{"id":"pm-30.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-30(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]},{"id":"pm-30.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-30(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services\n\norganizational processes for maintaining an inventory of suppliers\n\norganizational process for associating suppliers with critical or mission-essential technologies, products, and services"}]}]}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","params":[{"id":"pm-31_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.05"}],"label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.07"}],"label":"organization-defined frequency"},{"id":"pm-31_odp.01","props":[{"name":"alt-identifier","value":"pm-31_prm_1"},{"name":"label","value":"PM-31_ODP[01]","class":"sp800-53a"}],"label":"metrics","guidelines":[{"prose":"the metrics for organization-wide continuous monitoring are defined;"}]},{"id":"pm-31_odp.02","props":[{"name":"alt-identifier","value":"pm-31_prm_2"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for monitoring is defined;"}]},{"id":"pm-31_odp.03","props":[{"name":"alt-identifier","value":"pm-31_prm_3"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for assessing control effectiveness is defined;"}]},{"id":"pm-31_odp.04","props":[{"name":"label","value":"PM-31_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the security status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.05","props":[{"name":"label","value":"PM-31_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the privacy status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.06","props":[{"name":"label","value":"PM-31_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the security status of organizational systems is defined;"}]},{"id":"pm-31_odp.07","props":[{"name":"label","value":"PM-31_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the privacy status of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-31"},{"name":"label","value":"PM-31","class":"sp800-53a"},{"name":"sort-id","value":"pm-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }};"},{"id":"pm-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"},{"id":"pm-31_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CA-7](#ca-7), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), [SI-4](#si-4)."},{"id":"pm-31_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-31","class":"sp800-53a"}],"prose":"an organization-wide continuous monitoring strategy is developed;","parts":[{"id":"pm-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-31a.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;"},{"id":"pm-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;"},{"id":"pm-31_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"}]},{"id":"pm-31_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-31c.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;"},{"id":"pm-31_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;"},{"id":"pm-31_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;"}]},{"id":"pm-31_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;"},{"id":"pm-31_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;"}]},{"id":"pm-31_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};"},{"id":"pm-31_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}."}]}]},{"id":"pm-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management plan\n\ncontinuous monitoring strategy\n\nrisk management strategy\n\ninformation security continuous monitoring program documentation, reporting, metrics, and artifacts\n\ninformation security continuous monitoring program assessment documentation, reporting, metrics, and artifacts\n\nassessment and authorization policy\n\nprocedures addressing the continuous monitoring of controls\n\nprivacy program continuous monitoring documentation, reporting, metrics, and artifacts\n\ncontinuous monitoring program records, security, and privacy impact analyses\n\nstatus reports\n\nrisk response documentation\n\nother relevant documents or records."}]},{"id":"pm-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]},{"id":"pm-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring"}]}]},{"id":"pm-32","class":"SP800-53","title":"Purposing","params":[{"id":"pm-32_odp","props":[{"name":"alt-identifier","value":"pm-32_prm_1"},{"name":"alt-label","value":"systems or systems components","class":"sp800-53"},{"name":"label","value":"PM-32_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components supporting mission-essential services or functions are defined;"}]}],"props":[{"name":"label","value":"PM-32"},{"name":"label","value":"PM-32","class":"sp800-53a"},{"name":"sort-id","value":"pm-32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"pm-32_smt","name":"statement","prose":"Analyze {{ insert: param, pm-32_odp }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."},{"id":"pm-32_gdn","name":"guidance","prose":"Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures."},{"id":"pm-32_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-32","class":"sp800-53a"}],"prose":"{{ insert: param, pm-32_odp }} supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose."},{"id":"pm-32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nlist of essential services and functions\n\norganizational analysis of information resources\n\nrisk management strategy\n\nother relevant documents or records."}]},{"id":"pm-32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;"},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."}]}]}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;"},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;"},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;"},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."}]}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}],"controls":[{"id":"ps-3.1","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"PS-3(1)"},{"name":"label","value":"PS-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ps-3.1_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system."},{"id":"ps-3.1_gdn","name":"guidance","prose":"Classified information is the most sensitive information that the Federal Government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see [AC-3](#ac-3) ) and flow controls (see [AC-4](#ac-4))."},{"id":"ps-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)","class":"sp800-53a"}],"parts":[{"id":"ps-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)[01]","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting classified information are cleared;"},{"id":"ps-3.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)[02]","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system."}]},{"id":"ps-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for clearing and indoctrinating personnel for access to classified information"}]}]},{"id":"ps-3.2","class":"SP800-53-enhancement","title":"Formal Indoctrination","props":[{"name":"label","value":"PS-3(2)"},{"name":"label","value":"PS-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ps-3.2_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system."},{"id":"ps-3.2_gdn","name":"guidance","prose":"Types of classified information that require formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI)."},{"id":"ps-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(02)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system."},{"id":"ps-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nindoctrination documents\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for formal indoctrination for all relevant types of information to which personnel have access"}]}]},{"id":"ps-3.3","class":"SP800-53-enhancement","title":"Information Requiring Special Protective Measures","params":[{"id":"ps-03.03_odp","props":[{"name":"alt-identifier","value":"ps-3.3_prm_1"},{"name":"label","value":"PS-03(03)_ODP","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;"}]}],"props":[{"name":"label","value":"PS-3(3)"},{"name":"label","value":"PS-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"}],"parts":[{"id":"ps-3.3_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:","parts":[{"id":"ps-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have valid access authorizations that are demonstrated by assigned official government duties; and"},{"id":"ps-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Satisfy {{ insert: param, ps-03.03_odp }}."}]},{"id":"ps-3.3_gdn","name":"guidance","prose":"Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements."},{"id":"ps-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)","class":"sp800-53a"}],"parts":[{"id":"ps-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)(a)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;"},{"id":"ps-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)(b)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}."}]},{"id":"ps-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection"}]}]},{"id":"ps-3.4","class":"SP800-53-enhancement","title":"Citizenship Requirements","params":[{"id":"ps-03.04_odp.01","props":[{"name":"alt-identifier","value":"ps-3.4_prm_1"},{"name":"label","value":"PS-03(04)_ODP[01]","class":"sp800-53a"}],"label":"information types","guidelines":[{"prose":"information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet {{ insert: param, ps-03.04_odp.02 }} are defined;"}]},{"id":"ps-03.04_odp.02","props":[{"name":"alt-identifier","value":"ps-3.4_prm_2"},{"name":"label","value":"PS-03(04)_ODP[02]","class":"sp800-53a"}],"label":"citizenship requirements","guidelines":[{"prose":"citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined;"}]}],"props":[{"name":"label","value":"PS-3(4)"},{"name":"label","value":"PS-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"}],"parts":[{"id":"ps-3.4_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}."},{"id":"ps-3.4_gdn","name":"guidance","prose":"None."},{"id":"ps-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(04)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}."},{"id":"ps-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring valid access authorizations for information requiring citizenship\n\norganizational process for additional personnel screening for information requiring citizenship"}]}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;"},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;"},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.1","class":"SP800-53-enhancement","title":"Post-employment Requirements","props":[{"name":"label","value":"PS-4(1)"},{"name":"label","value":"PS-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.1_smt","name":"statement","parts":[{"id":"ps-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and"},{"id":"ps-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process."}]},{"id":"ps-4.1_gdn","name":"guidance","prose":"Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals."},{"id":"ps-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)","class":"sp800-53a"}],"parts":[{"id":"ps-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)(a)","class":"sp800-53a"}],"prose":"terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;"},{"id":"ps-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)(b)","class":"sp800-53a"}],"prose":"terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process."}]},{"id":"ps-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsigned post-employment acknowledgement forms\n\nlist of applicable, legally binding post-employment requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-employment requirements"}]}]},{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Actions","params":[{"id":"ps-04.02_odp.01","props":[{"name":"alt-identifier","value":"ps-4.2_prm_1"},{"name":"label","value":"PS-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to notify personnel or roles of individual termination actions and\/or to disable access to system resources are defined;"}]},{"id":"ps-04.02_odp.02","props":[{"name":"alt-identifier","value":"ps-4.2_prm_2"},{"name":"label","value":"PS-04(02)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions","disable access to system resources"]}},{"id":"ps-04.02_odp.03","props":[{"name":"alt-identifier","value":"ps-4.2_prm_3"},{"name":"label","value":"PS-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified upon termination of an individual is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"label","value":"PS-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated."},{"id":"ps-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;"},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}],"controls":[{"id":"ps-6.1","class":"SP800-53-enhancement","title":"Information Requiring Special Protection","props":[{"name":"label","value":"PS-6(1)"},{"name":"label","value":"PS-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ps-3","rel":"incorporated-into"}]},{"id":"ps-6.2","class":"SP800-53-enhancement","title":"Classified Information Requiring Special Protection","props":[{"name":"label","value":"PS-6(2)"},{"name":"label","value":"PS-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-6","rel":"required"}],"parts":[{"id":"ps-6.2_smt","name":"statement","prose":"Verify that access to classified information requiring special protection is granted only to individuals who:","parts":[{"id":"ps-6.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have a valid access authorization that is demonstrated by assigned official government duties;"},{"id":"ps-6.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Satisfy associated personnel security criteria; and"},{"id":"ps-6.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Have read, understood, and signed a nondisclosure agreement."}]},{"id":"ps-6.2_gdn","name":"guidance","prose":"Classified information that requires special protection includes collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ps-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)","class":"sp800-53a"}],"parts":[{"id":"ps-6.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(a)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;"},{"id":"ps-6.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(b)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;"},{"id":"ps-6.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(c)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement."}]},{"id":"ps-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and systems\n\naccess agreements\n\naccess authorizations\n\npersonnel security criteria\n\nsigned non-disclosure agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed non-disclosure agreements\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access to classified information requiring special protection"}]}]},{"id":"ps-6.3","class":"SP800-53-enhancement","title":"Post-employment Requirements","props":[{"name":"label","value":"PS-6(3)"},{"name":"label","value":"PS-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-6","rel":"required"},{"href":"#ps-4","rel":"related"}],"parts":[{"id":"ps-6.3_smt","name":"statement","parts":[{"id":"ps-6.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and"},{"id":"ps-6.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information."}]},{"id":"ps-6.3_gdn","name":"guidance","prose":"Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals."},{"id":"ps-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)","class":"sp800-53a"}],"parts":[{"id":"ps-6.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)(a)","class":"sp800-53a"}],"prose":"individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;"},{"id":"ps-6.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)(b)","class":"sp800-53a"}],"prose":"individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information."}]},{"id":"ps-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and systems\n\nsigned post-employment acknowledgement forms\n\naccess agreements\n\nlist of applicable, legally binding post-employment requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed access agreements that include post-employment requirements\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-employment requirements\n\nmechanisms supporting notifications and individual acknowledgements of post-employment requirements"}]}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;"},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;"},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored."}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;"},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions."}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"pt","class":"family","title":"Personally Identifiable Information Processing and Transparency","controls":[{"id":"pt-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pt-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pt-01_odp.01","props":[{"name":"label","value":"PT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.02","props":[{"name":"label","value":"PT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.03","props":[{"name":"alt-identifier","value":"pt-1_prm_2"},{"name":"label","value":"PT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pt-01_odp.04","props":[{"name":"alt-identifier","value":"pt-1_prm_3"},{"name":"label","value":"PT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personally identifiable information processing and transparency policy and procedures is defined;"}]},{"id":"pt-01_odp.05","props":[{"name":"alt-identifier","value":"pt-1_prm_4"},{"name":"label","value":"PT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;"}]},{"id":"pt-01_odp.06","props":[{"name":"alt-identifier","value":"pt-1_prm_5"},{"name":"label","value":"PT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;"}]},{"id":"pt-01_odp.07","props":[{"name":"alt-identifier","value":"pt-1_prm_6"},{"name":"label","value":"PT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;"}]},{"id":"pt-01_odp.08","props":[{"name":"alt-identifier","value":"pt-1_prm_7"},{"name":"label","value":"PT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PT-1"},{"name":"label","value":"PT-01","class":"sp800-53a"},{"name":"sort-id","value":"pt-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"pt-1_smt","name":"statement","parts":[{"id":"pt-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}:","parts":[{"id":"pt-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that:","parts":[{"id":"pt-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pt-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pt-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;"}]},{"id":"pt-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pt-01_odp.04 }} to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and"},{"id":"pt-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personally identifiable information processing and transparency:","parts":[{"id":"pt-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pt-01_odp.05 }} and following {{ insert: param, pt-01_odp.06 }} ; and"},{"id":"pt-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pt-01_odp.07 }} and following {{ insert: param, pt-01_odp.08 }}."}]}]},{"id":"pt-1_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pt-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[01]","class":"sp800-53a"}],"prose":"a personally identifiable information processing and transparency policy is developed and documented;"},{"id":"pt-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[02]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};"},{"id":"pt-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[03]","class":"sp800-53a"}],"prose":"personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;"},{"id":"pt-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[04]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};"},{"id":"pt-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;"},{"id":"pt-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;"},{"id":"pt-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;"},{"id":"pt-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;"},{"id":"pt-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;"},{"id":"pt-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;"},{"id":"pt-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;"}]},{"id":"pt-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"pt-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;"},{"id":"pt-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};"},{"id":"pt-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};"}]},{"id":"pt-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};"},{"id":"pt-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}."}]}]}]},{"id":"pt-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"pt-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pt-2","class":"SP800-53","title":"Authority to Process Personally Identifiable Information","params":[{"id":"pt-02_odp.01","props":[{"name":"alt-identifier","value":"pt-2_prm_1"},{"name":"label","value":"PT-02_ODP[01]","class":"sp800-53a"}],"label":"authority","guidelines":[{"prose":"the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;"}]},{"id":"pt-02_odp.02","props":[{"name":"alt-identifier","value":"pt-2_prm_2"},{"name":"label","value":"PT-02_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information is defined;"}]},{"id":"pt-02_odp.03","props":[{"name":"alt-identifier","value":"pt-2_prm_3"},{"name":"label","value":"PT-02_ODP[03]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information to be restricted is defined;"}]}],"props":[{"name":"label","value":"PT-2"},{"name":"label","value":"PT-02","class":"sp800-53a"},{"name":"sort-id","value":"pt-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-2_smt","name":"statement","parts":[{"id":"pt-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and"},{"id":"pt-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized."}]},{"id":"pt-2_gdn","name":"guidance","prose":"The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\n\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\n\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.\n\nOrganizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information."},{"id":"pt-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02","class":"sp800-53a"}],"parts":[{"id":"pt-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-02a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;"},{"id":"pt-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-02b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized."}]},{"id":"pt-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}],"controls":[{"id":"pt-2.1","class":"SP800-53-enhancement","title":"Data Tagging","params":[{"id":"pt-02.01_odp.01","props":[{"name":"alt-identifier","value":"pt-2.1_prm_1"},{"name":"label","value":"PT-02(01)_ODP[01]","class":"sp800-53a"}],"label":"authorized processing","guidelines":[{"prose":"the authorized processing of personally identifiable information is defined;"}]},{"id":"pt-02.01_odp.02","props":[{"name":"alt-identifier","value":"pt-2.1_prm_2"},{"name":"label","value":"PT-02(01)_ODP[02]","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information to be tagged are defined;"}]}],"props":[{"name":"label","value":"PT-2(1)"},{"name":"label","value":"PT-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-2","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-2.1_smt","name":"statement","prose":"Attach data tags containing {{ insert: param, pt-02.01_odp.01 }} to {{ insert: param, pt-02.01_odp.02 }}."},{"id":"pt-2.1_gdn","name":"guidance","prose":"Data tags support the tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools."},{"id":"pt-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02(01)","class":"sp800-53a"}],"prose":"data tags containing {{ insert: param, pt-02.01_odp.01 }} are attached to {{ insert: param, pt-02.01_odp.02 }}."},{"id":"pt-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures including procedures addressing data tagging\n\ndata tag definitions\n\ndocumented requirements for use and monitoring of data tagging\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\norganizational processes for data tagging\n\nmechanisms for applying and monitoring data tagging\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}]},{"id":"pt-2.2","class":"SP800-53-enhancement","title":"Automation","params":[{"id":"pt-02.02_odp","props":[{"name":"alt-identifier","value":"pt-2.2_prm_1"},{"name":"label","value":"PT-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-2(2)"},{"name":"label","value":"PT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-2","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-2.2_smt","name":"statement","prose":"Manage enforcement of the authorized processing of personally identifiable information using {{ insert: param, pt-02.02_odp }}."},{"id":"pt-2.2_gdn","name":"guidance","prose":"Automated mechanisms augment verification that only authorized processing is occurring."},{"id":"pt-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02(02)","class":"sp800-53a"}],"prose":"enforcement of the authorized processing of personally identifiable information is managed using {{ insert: param, pt-02.02_odp }}."},{"id":"pt-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nautomated mechanisms supporting and\/or implementing the management of authorized personally identifiable information processing"}]}]}]},{"id":"pt-3","class":"SP800-53","title":"Personally Identifiable Information Processing Purposes","params":[{"id":"pt-03_odp.01","props":[{"name":"alt-identifier","value":"pt-3_prm_1"},{"name":"label","value":"PT-03_ODP[01]","class":"sp800-53a"}],"label":"purpose(s)","guidelines":[{"prose":"the purpose(s) for processing personally identifiable information is\/are defined;"}]},{"id":"pt-03_odp.02","props":[{"name":"alt-identifier","value":"pt-3_prm_2"},{"name":"label","value":"PT-03_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the processing of personally identifiable information to be restricted is defined;"}]},{"id":"pt-03_odp.03","props":[{"name":"alt-identifier","value":"pt-3_prm_3"},{"name":"label","value":"PT-03_ODP[03]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;"}]},{"id":"pt-03_odp.04","props":[{"name":"alt-identifier","value":"pt-3_prm_4"},{"name":"label","value":"PT-03_ODP[04]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for changing the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3"},{"name":"label","value":"PT-03","class":"sp800-53a"},{"name":"sort-id","value":"pt-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-3_smt","name":"statement","parts":[{"id":"pt-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information;"},{"id":"pt-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Describe the purpose(s) in the public privacy notices and policies of the organization;"},{"id":"pt-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and"},{"id":"pt-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]},{"id":"pt-3_gdn","name":"guidance","prose":"Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term \"process\" includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching notices, and other applicable Federal Register notices.\n\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\n\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes."},{"id":"pt-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-03a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is\/are identified and documented;"},{"id":"pt-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[01]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the public privacy notices of the organization;"},{"id":"pt-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[02]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the policies of the organization;"}]},{"id":"pt-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-03c.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);"},{"id":"pt-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[01]","class":"sp800-53a"}],"prose":"changes in the processing of personally identifiable information are monitored;"},{"id":"pt-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]}]},{"id":"pt-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconfiguration management plan\n\norganizational privacy notices\n\norganizational policies\n\nPrivacy Act statements\n\ncomputer matching notices\n\napplicable Federal Register notices\n\ndocumented requirements for enforcing and monitoring the processing of personally identifiable information\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the management of authorized personally identifiable information processing\n\norganizational processes for monitoring changes in processing personally identifiable information"}]}],"controls":[{"id":"pt-3.1","class":"SP800-53-enhancement","title":"Data Tagging","params":[{"id":"pt-03.01_odp.01","props":[{"name":"alt-identifier","value":"pt-3.1_prm_2"},{"name":"label","value":"PT-03(01)_ODP[01]","class":"sp800-53a"}],"label":"processing purposes","guidelines":[{"prose":"processing purposes to be contained in data tags are defined;"}]},{"id":"pt-03.01_odp.02","props":[{"name":"alt-identifier","value":"pt-3.1_prm_1"},{"name":"label","value":"PT-03(01)_ODP[02]","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information to be tagged are defined;"}]}],"props":[{"name":"label","value":"PT-3(1)"},{"name":"label","value":"PT-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-3","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-3.1_smt","name":"statement","prose":"Attach data tags containing the following purposes to {{ insert: param, pt-03.01_odp.02 }}: {{ insert: param, pt-03.01_odp.01 }}."},{"id":"pt-3.1_gdn","name":"guidance","prose":"Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools."},{"id":"pt-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03(01)","class":"sp800-53a"}],"prose":"data tags containing {{ insert: param, pt-03.01_odp.01 }} are attached to {{ insert: param, pt-03.01_odp.02 }}."},{"id":"pt-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\ndocumented description of how data tags are used to identify personally identifiable information data elements and their authorized uses\n\ndata tag schema\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with data tagging responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing data tagging"}]}]},{"id":"pt-3.2","class":"SP800-53-enhancement","title":"Automation","params":[{"id":"pt-03.02_odp","props":[{"name":"alt-identifier","value":"pt-3.2_prm_1"},{"name":"label","value":"PT-03(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for tracking the processing purposes of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3(2)"},{"name":"label","value":"PT-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-3","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-3.2_smt","name":"statement","prose":"Track processing purposes of personally identifiable information using {{ insert: param, pt-03.02_odp }}."},{"id":"pt-3.2_gdn","name":"guidance","prose":"Automated mechanisms augment tracking of the processing purposes."},{"id":"pt-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03(02)","class":"sp800-53a"}],"prose":"the processing purposes of personally identifiable information are tracked using {{ insert: param, pt-03.02_odp }}."},{"id":"pt-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the enforcement of authorized processing of personally identifiable information\n\nautomated tracking mechanisms"}]}]}]},{"id":"pt-4","class":"SP800-53","title":"Consent","params":[{"id":"pt-04_odp","props":[{"name":"alt-identifier","value":"pt-4_prm_1"},{"name":"label","value":"PT-04_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4"},{"name":"label","value":"PT-04","class":"sp800-53a"},{"name":"sort-id","value":"pt-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-4_smt","name":"statement","prose":"Implement {{ insert: param, pt-04_odp }} for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_gdn","name":"guidance","prose":"Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon."},{"id":"pt-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nevidence of individuals’ consent\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nconsent tools or mechanisms for users to authorize the processing of their personally identifiable information\n\nmechanisms implementing consent"}]}],"controls":[{"id":"pt-4.1","class":"SP800-53-enhancement","title":"Tailored Consent","params":[{"id":"pt-04.01_odp","props":[{"name":"alt-identifier","value":"pt-4.1_prm_1"},{"name":"label","value":"PT-04(01)_ODP","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;"}]}],"props":[{"name":"label","value":"PT-4(1)"},{"name":"label","value":"PT-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.1_smt","name":"statement","prose":"Provide {{ insert: param, pt-04.01_odp }} to allow individuals to tailor processing permissions to selected elements of personally identifiable information."},{"id":"pt-4.1_gdn","name":"guidance","prose":"While some processing may be necessary for the basic functionality of the product or service, other processing may not. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors, such as abandonment of the product or service."},{"id":"pt-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pt-04.01_odp }} are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information."},{"id":"pt-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for consenting to the processing of personally identifiable information\n\nconsent tools or mechanisms\n\nmechanisms implementing consent"}]}]},{"id":"pt-4.2","class":"SP800-53-enhancement","title":"Just-in-time Consent","params":[{"id":"pt-04.02_odp.01","props":[{"name":"alt-identifier","value":"pt-4.2_prm_1"},{"name":"label","value":"PT-04(02)_ODP[01]","class":"sp800-53a"}],"label":"consent mechanisms","guidelines":[{"prose":"consent mechanisms to be presented to individuals are defined;"}]},{"id":"pt-04.02_odp.02","props":[{"name":"alt-identifier","value":"pt-4.2_prm_2"},{"name":"label","value":"PT-04(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to present consent mechanisms to individuals is defined;"}]},{"id":"pt-04.02_odp.03","props":[{"name":"alt-identifier","value":"pt-4.2_prm_3"},{"name":"label","value":"PT-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personally identifiable information processing","guidelines":[{"prose":"personally identifiable information processing to be presented in conjunction with organization-defined consent mechanisms is defined;"}]}],"props":[{"name":"label","value":"PT-4(2)"},{"name":"label","value":"PT-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.2_smt","name":"statement","prose":"Present {{ insert: param, pt-04.02_odp.01 }} to individuals at {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}."},{"id":"pt-4.2_gdn","name":"guidance","prose":"Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time or in conjunction with specific types of data processing when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or the type of processing creates significant privacy risk. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns."},{"id":"pt-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, pt-04.02_odp.01 }} are presented to individuals {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}."},{"id":"pt-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nmechanisms for obtaining just-in-time consent from users for the processing of their personally identifiable information\n\nmechanisms implementing just-in-time consent"}]}]},{"id":"pt-4.3","class":"SP800-53-enhancement","title":"Revocation","params":[{"id":"pt-04.03_odp","props":[{"name":"alt-identifier","value":"pt-4.3_prm_1"},{"name":"label","value":"PT-04(03)_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4(3)"},{"name":"label","value":"PT-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.3_smt","name":"statement","prose":"Implement {{ insert: param, pt-04.03_odp }} for individuals to revoke consent to the processing of their personally identifiable information."},{"id":"pt-4.3_gdn","name":"guidance","prose":"Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities."},{"id":"pt-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(03)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04.03_odp }} are implemented for individuals to revoke consent to the processing of their personally identifiable information."},{"id":"pt-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent revocation policies and procedures\n\nconsent revocation user interface or user experience\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for consenting to the processing of personally identifiable information\n\ntools or mechanisms for implementing consent revocation"}]}]}]},{"id":"pt-5","class":"SP800-53","title":"Privacy Notice","params":[{"id":"pt-05_odp.01","props":[{"name":"alt-identifier","value":"pt-5_prm_1"},{"name":"label","value":"PT-05_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;"}]},{"id":"pt-05_odp.02","props":[{"name":"alt-identifier","value":"pt-5_prm_2"},{"name":"label","value":"PT-05_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included with the notice about the processing of personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PT-5"},{"name":"label","value":"PT-05","class":"sp800-53a"},{"name":"sort-id","value":"pt-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-20","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-5_smt","name":"statement","prose":"Provide notice to individuals about the processing of personally identifiable information that:","parts":[{"id":"pt-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};"},{"id":"pt-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;"},{"id":"pt-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies the authority that authorizes the processing of personally identifiable information;"},{"id":"pt-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Identifies the purposes for which personally identifiable information is to be processed; and"},{"id":"pt-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Includes {{ insert: param, pt-05_odp.02 }}."}]},{"id":"pt-5_gdn","name":"guidance","prose":"Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\n\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon."},{"id":"pt-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[01]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;"},{"id":"pt-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[02]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};"}]},{"id":"pt-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-05b.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;"},{"id":"pt-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-05c.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;"},{"id":"pt-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-05d.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;"},{"id":"pt-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-05e.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided."}]},{"id":"pt-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}],"controls":[{"id":"pt-5.1","class":"SP800-53-enhancement","title":"Just-in-time Notice","params":[{"id":"pt-05.01_odp","props":[{"name":"alt-identifier","value":"pt-5.1_prm_1"},{"name":"label","value":"PT-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to present a notice of personally identifiable information processing is defined;"}]}],"props":[{"name":"label","value":"PT-5(1)"},{"name":"label","value":"PT-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pm-21","rel":"related"}],"parts":[{"id":"pt-5.1_smt","name":"statement","prose":"Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}."},{"id":"pt-5.1_gdn","name":"guidance","prose":"Just-in-time notices inform individuals of how organizations process their personally identifiable information at a time when such notices may be most useful to the individuals. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. A just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals. Organizations can use a just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. A just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use a just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns."},{"id":"pt-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(01)","class":"sp800-53a"}],"prose":"a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}."},{"id":"pt-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}]},{"id":"pt-5.2","class":"SP800-53-enhancement","title":"Privacy Act Statements","props":[{"name":"label","value":"PT-5(2)"},{"name":"label","value":"PT-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"pt-5.2_smt","name":"statement","prose":"Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals."},{"id":"pt-5.2_gdn","name":"guidance","prose":"If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n\n[PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)."},{"id":"pt-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(02)","class":"sp800-53a"}],"prose":"Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals."},{"id":"pt-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nforms that include Privacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals"}]}]}]},{"id":"pt-6","class":"SP800-53","title":"System of Records Notice","props":[{"name":"label","value":"PT-6"},{"name":"label","value":"PT-06","class":"sp800-53a"},{"name":"sort-id","value":"pt-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-6_smt","name":"statement","prose":"For systems that process information that will be maintained in a Privacy Act system of records:","parts":[{"id":"pt-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;"},{"id":"pt-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Publish system of records notices in the Federal Register; and"},{"id":"pt-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Keep system of records notices accurate, up-to-date, and scoped in accordance with policy."}]},{"id":"pt-6_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and\/or modification of a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108](#3671ff20-c17c-44d6-8a88-7de203fa74aa)."},{"id":"pt-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[01]","class":"sp800-53a"}],"prose":"system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;"},{"id":"pt-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[02]","class":"sp800-53a"}],"prose":"new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;"}]},{"id":"pt-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-06b.","class":"sp800-53a"}],"prose":"system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;"},{"id":"pt-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-06c.","class":"sp800-53a"}],"prose":"system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records."}]},{"id":"pt-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}],"controls":[{"id":"pt-6.1","class":"SP800-53-enhancement","title":"Routine Uses","params":[{"id":"pt-06.01_odp","props":[{"name":"alt-identifier","value":"pt-6.1_prm_1"},{"name":"label","value":"PT-06(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all routine uses published in the system of records notice is defined;"}]}],"props":[{"name":"label","value":"PT-6(1)"},{"name":"label","value":"PT-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.1_smt","name":"statement","prose":"Review all routine uses published in the system of records notice at {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_gdn","name":"guidance","prose":"A [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice."},{"id":"pt-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(01)","class":"sp800-53a"}],"prose":"all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing system of records notices"}]}]},{"id":"pt-6.2","class":"SP800-53-enhancement","title":"Exemption Rules","params":[{"id":"pt-06.02_odp","props":[{"name":"alt-identifier","value":"pt-6.2_prm_1"},{"name":"label","value":"PT-06(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;"}]}],"props":[{"name":"label","value":"PT-6(2)"},{"name":"label","value":"PT-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.2_smt","name":"statement","prose":"Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice."},{"id":"pt-6.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . At a minimum, organizations’ [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate."},{"id":"pt-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)","class":"sp800-53a"}],"parts":[{"id":"pt-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[01]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;"},{"id":"pt-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[02]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;"},{"id":"pt-6.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[03]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice."}]},{"id":"pt-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nPrivacy Act exemptions\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}]}]},{"id":"pt-7","class":"SP800-53","title":"Specific Categories of Personally Identifiable Information","params":[{"id":"pt-07_odp","props":[{"name":"alt-identifier","value":"pt-7_prm_1"},{"name":"label","value":"PT-07_ODP","class":"sp800-53a"}],"label":"processing conditions","guidelines":[{"prose":"processing conditions to be applied for specific categories of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-7"},{"name":"label","value":"PT-07","class":"sp800-53a"},{"name":"sort-id","value":"pt-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pt-7_smt","name":"statement","prose":"Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information."},{"id":"pt-7_gdn","name":"guidance","prose":"Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary."},{"id":"pt-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07","class":"sp800-53a"}],"prose":"{{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information."},{"id":"pt-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\ncomputer matching agreements and notices\n\ncontracts\n\nprivacy information sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}],"controls":[{"id":"pt-7.1","class":"SP800-53-enhancement","title":"Social Security Numbers","props":[{"name":"label","value":"PT-7(1)"},{"name":"label","value":"PT-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"},{"href":"#ia-4","rel":"related"}],"parts":[{"id":"pt-7.1_smt","name":"statement","prose":"When a system processes Social Security numbers:","parts":[{"id":"pt-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;"},{"id":"pt-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and"},{"id":"pt-7.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it."}]},{"id":"pt-7.1_gdn","name":"guidance","prose":"Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply."},{"id":"pt-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;"},{"id":"pt-7.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;"}]},{"id":"pt-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(b)","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;"},{"id":"pt-7.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;"},{"id":"pt-7.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;"},{"id":"pt-7.1_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[03]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it."}]}]},{"id":"pt-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy notice\n\nseparate notice regarding the use of Social Security numbers\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers\n\nimplementation of an alternative to Social Security numbers as identifiers"}]}]},{"id":"pt-7.2","class":"SP800-53-enhancement","title":"First Amendment Information","props":[{"name":"label","value":"PT-7(2)"},{"name":"label","value":"PT-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"}],"parts":[{"id":"pt-7.2_smt","name":"statement","prose":"Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements."},{"id":"pt-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(02)","class":"sp800-53a"}],"prose":"the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}]}]},{"id":"pt-8","class":"SP800-53","title":"Computer Matching Requirements","props":[{"name":"label","value":"PT-8"},{"name":"label","value":"PT-08","class":"sp800-53a"},{"name":"sort-id","value":"pt-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#94c64e1a-456c-457f-86da-83ac0dfc85ac","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-24","rel":"related"}],"parts":[{"id":"pt-8_smt","name":"statement","prose":"When a system or organization processes information for the purpose of conducting a matching program:","parts":[{"id":"pt-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain approval from the Data Integrity Board to conduct the matching program;"},{"id":"pt-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop and enter into a computer matching agreement;"},{"id":"pt-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Publish a matching notice in the Federal Register;"},{"id":"pt-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and"},{"id":"pt-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual."}]},{"id":"pt-8_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any."},{"id":"pt-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-08","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-08a.","class":"sp800-53a"}],"prose":"approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[01]","class":"sp800-53a"}],"prose":"a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[02]","class":"sp800-53a"}],"prose":"a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;"}]},{"id":"pt-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-08c.","class":"sp800-53a"}],"prose":"a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-08d.","class":"sp800-53a"}],"prose":"the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[01]","class":"sp800-53a"}],"prose":"individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;"},{"id":"pt-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[02]","class":"sp800-53a"}],"prose":"individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program."}]}]},{"id":"pt-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nData Integrity Board determinations\n\ncontracts\n\ninformation sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing\n\nmatching program"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;"},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."}]}]}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;"},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;"},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}],"controls":[{"id":"ra-2.1","class":"SP800-53-enhancement","title":"Impact-level Prioritization","props":[{"name":"label","value":"RA-2(1)"},{"name":"label","value":"RA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ra-2","rel":"required"}],"parts":[{"id":"ra-2.1_smt","name":"statement","prose":"Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels."},{"id":"ra-2.1_gdn","name":"guidance","prose":"Organizations apply the \"high-water mark\" concept to each system categorized in accordance with [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) , resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making, can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems. Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and information exchanges. Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems. Alternatively, organizations can apply the guidance in [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) for security objective-related categorization."},{"id":"ra-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02(01)","class":"sp800-53a"}],"prose":"an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels."},{"id":"ra-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report","{{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;"},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]},{"id":"ra-3.2","class":"SP800-53-enhancement","title":"Use of All-source Intelligence","props":[{"name":"label","value":"RA-3(2)"},{"name":"label","value":"RA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"}],"parts":[{"id":"ra-3.2_smt","name":"statement","prose":"Use all-source intelligence to assist in the analysis of risk."},{"id":"ra-3.2_gdn","name":"guidance","prose":"Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information, measurement and signature intelligence, human intelligence, signals intelligence, and imagery intelligence. All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and unintentional) from development, manufacturing, and delivery processes, people, and the environment. The risk analysis may be performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Organizations may develop agreements to share all-source intelligence information or resulting decisions with other organizations, as appropriate."},{"id":"ra-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(02)","class":"sp800-53a"}],"prose":"all-source intelligence is used to assist in the analysis of risk."},{"id":"ra-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk intelligence reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-3.3","class":"SP800-53-enhancement","title":"Dynamic Threat Awareness","params":[{"id":"ra-03.03_odp","props":[{"name":"alt-identifier","value":"ra-3.3_prm_1"},{"name":"label","value":"RA-03(03)_ODP","class":"sp800-53a"}],"label":"means","guidelines":[{"prose":"means to determine the current cyber threat environment on an ongoing basis;"}]}],"props":[{"name":"label","value":"RA-3(3)"},{"name":"label","value":"RA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#at-2","rel":"related"}],"parts":[{"id":"ra-3.3_smt","name":"statement","prose":"Determine the current cyber threat environment on an ongoing basis using {{ insert: param, ra-03.03_odp }}."},{"id":"ra-3.3_gdn","name":"guidance","prose":"The threat awareness information that is gathered feeds into the organization’s information security operations to ensure that procedures are updated in response to the changing threat environment. For example, at higher threat levels, organizations may change the privilege or authentication thresholds required to perform certain operations."},{"id":"ra-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(03)","class":"sp800-53a"}],"prose":"the current cyber threat environment is determined on an ongoing basis using {{ insert: param, ra-03.03_odp }}."},{"id":"ra-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-3.4","class":"SP800-53-enhancement","title":"Predictive Cyber Analytics","params":[{"id":"ra-3.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-03.04_odp.03"}],"label":"organization-defined advanced automation and analytics capabilities"},{"id":"ra-03.04_odp.01","props":[{"name":"label","value":"RA-03(04)_ODP[01]","class":"sp800-53a"}],"label":"advanced automation capabilities","guidelines":[{"prose":"advanced automation capabilities to predict and identify risks are defined;"}]},{"id":"ra-03.04_odp.02","props":[{"name":"alt-identifier","value":"ra-3.4_prm_1"},{"name":"label","value":"RA-03(04)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components where advanced automation and analytics capabilities are to be employed are defined;"}]},{"id":"ra-03.04_odp.03","props":[{"name":"label","value":"RA-03(04)_ODP[03]","class":"sp800-53a"}],"label":"advanced analytics capabilities","guidelines":[{"prose":"advanced analytics capabilities to predict and identify risks are defined;"}]}],"props":[{"name":"label","value":"RA-3(4)"},{"name":"label","value":"RA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"}],"parts":[{"id":"ra-3.4_smt","name":"statement","prose":"Employ the following advanced automation and analytics capabilities to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}: {{ insert: param, ra-3.4_prm_2 }}."},{"id":"ra-3.4_gdn","name":"guidance","prose":"A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts, including machine learning. Examples include Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), automated workflow operations, and machine assisted decision tools. Note, however, that sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to ensure that sophisticated adversaries are not able to conceal their activities."},{"id":"ra-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)","class":"sp800-53a"}],"parts":[{"id":"ra-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-03.04_odp.01 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }};"},{"id":"ra-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-03.04_odp.03 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}."}]},{"id":"ra-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]}]},{"id":"ra-4","class":"SP800-53","title":"Risk Assessment Update","props":[{"name":"label","value":"RA-4"},{"name":"label","value":"RA-04","class":"sp800-53a"},{"name":"sort-id","value":"ra-04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-3","rel":"incorporated-into"}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;"},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"label","value":"RA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-5","rel":"incorporated-into"}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.3","class":"SP800-53-enhancement","title":"Breadth and Depth of Coverage","props":[{"name":"label","value":"RA-5(3)"},{"name":"label","value":"RA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.3_smt","name":"statement","prose":"Define the breadth and depth of vulnerability scanning coverage."},{"id":"ra-5.3_gdn","name":"guidance","prose":"The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage."},{"id":"ra-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(03)","class":"sp800-53a"}],"prose":"the breadth and depth of vulnerability scanning coverage are defined."},{"id":"ra-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-05.04_odp","props":[{"name":"alt-identifier","value":"ra-5.4_prm_1"},{"name":"label","value":"RA-05(04)_ODP","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken if information about the system is discoverable are defined;"}]}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"label","value":"RA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-13","rel":"related"},{"href":"#sc-26","rel":"related"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization."},{"id":"ra-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ra-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[01]","class":"sp800-53a"}],"prose":"information about the system is discoverable;"},{"id":"ra-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable."}]},{"id":"ra-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing risk response\n\nmechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.6","class":"SP800-53-enhancement","title":"Automated Trend Analyses","params":[{"id":"ra-05.06_odp","props":[{"name":"alt-identifier","value":"ra-5.6_prm_1"},{"name":"label","value":"RA-05(06)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to compare the results of multiple vulnerability scans are defined;"}]}],"props":[{"name":"label","value":"RA-5(6)"},{"name":"label","value":"RA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.6_smt","name":"statement","prose":"Compare the results of multiple vulnerability scans using {{ insert: param, ra-05.06_odp }}."},{"id":"ra-5.6_gdn","name":"guidance","prose":"Using automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack."},{"id":"ra-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(06)","class":"sp800-53a"}],"prose":"the results of multiple vulnerability scans are compared using {{ insert: param, ra-05.06_odp }}."},{"id":"ra-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nautomated mechanisms supporting and\/or implementing trend analysis of vulnerability scan results"}]}]},{"id":"ra-5.7","class":"SP800-53-enhancement","title":"Automated Detection and Notification of Unauthorized Components","props":[{"name":"label","value":"RA-5(7)"},{"name":"label","value":"RA-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8","rel":"incorporated-into"}]},{"id":"ra-5.8","class":"SP800-53-enhancement","title":"Review Historic Audit Logs","params":[{"id":"ra-05.08_odp.01","props":[{"name":"alt-identifier","value":"ra-5.8_prm_1"},{"name":"label","value":"RA-05(08)_ODP[01]","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"a system whose historic audit logs are to be reviewed is defined;"}]},{"id":"ra-05.08_odp.02","props":[{"name":"alt-identifier","value":"ra-5.8_prm_2"},{"name":"label","value":"RA-05(08)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for a potential previous exploit of a system is defined;"}]}],"props":[{"name":"label","value":"RA-5(8)"},{"name":"label","value":"RA-05(08)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"}],"parts":[{"id":"ra-5.8_smt","name":"statement","prose":"Review historic audit logs to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within an {{ insert: param, ra-05.08_odp.02 }}."},{"id":"ra-5.8_gdn","name":"guidance","prose":"Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack."},{"id":"ra-5.8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(08)","class":"sp800-53a"}],"prose":"historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}."},{"id":"ra-5.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing audit record review"}]}]},{"id":"ra-5.9","class":"SP800-53-enhancement","title":"Penetration Testing and Analyses","props":[{"name":"label","value":"RA-5(9)"},{"name":"label","value":"RA-05(09)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-8","rel":"incorporated-into"}]},{"id":"ra-5.10","class":"SP800-53-enhancement","title":"Correlate Scanning Information","props":[{"name":"label","value":"RA-5(10)"},{"name":"label","value":"RA-05(10)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.10_smt","name":"statement","prose":"Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors."},{"id":"ra-5.10_gdn","name":"guidance","prose":"An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from vulnerability scanning tools, can provide greater clarity regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability scanning information is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). During such transitions, some system components may inadvertently be unmanaged and create opportunities for adversary exploitation."},{"id":"ra-5.10_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(10)","class":"sp800-53a"}],"prose":"the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors."},{"id":"ra-5.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\nevent\/vulnerability correlation logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the correlation of vulnerability scan results"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-6","class":"SP800-53","title":"Technical Surveillance Countermeasures Survey","params":[{"id":"ra-06_odp.01","props":[{"name":"alt-identifier","value":"ra-6_prm_1"},{"name":"label","value":"RA-06_ODP[01]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to employ technical surveillance countermeasure surveys are defined;"}]},{"id":"ra-06_odp.02","props":[{"name":"alt-identifier","value":"ra-6_prm_2"},{"name":"label","value":"RA-06_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, ra-06_odp.03 }} ","when {{ insert: param, ra-06_odp.04 }} "]}},{"id":"ra-06_odp.03","props":[{"name":"alt-identifier","value":"ra-6_prm_3"},{"name":"label","value":"RA-06_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);"}]},{"id":"ra-06_odp.04","props":[{"name":"alt-identifier","value":"ra-6_prm_4"},{"name":"label","value":"RA-06_ODP[04]","class":"sp800-53a"}],"label":"events or indicators","guidelines":[{"prose":"events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if selected);"}]}],"props":[{"name":"label","value":"RA-6"},{"name":"label","value":"RA-06","class":"sp800-53a"},{"name":"sort-id","value":"ra-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"ra-6_smt","name":"statement","prose":"Employ a technical surveillance countermeasures survey at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}."},{"id":"ra-6_gdn","name":"guidance","prose":"A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries."},{"id":"ra-6_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-06","class":"sp800-53a"}],"prose":"a technical surveillance countermeasures survey is employed at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}."},{"id":"ra-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing technical surveillance countermeasures surveys\n\naudit records\/event logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with technical surveillance countermeasures surveys responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for technical surveillance countermeasures surveys\n\nmechanisms\/tools supporting and\/or implementing technical surveillance countermeasure surveys"}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;"},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance."}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-8","class":"SP800-53","title":"Privacy Impact Assessments","props":[{"name":"label","value":"RA-8"},{"name":"label","value":"RA-08","class":"sp800-53a"},{"name":"sort-id","value":"ra-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#7b0b9634-741a-4335-b6fa-161228c3a76e","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d229ae60-51dd-4d7b-a8bf-1f7195cc7561","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ra-8_smt","name":"statement","prose":"Conduct privacy impact assessments for systems, programs, or other activities before:","parts":[{"id":"ra-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Developing or procuring information technology that processes personally identifiable information; and"},{"id":"ra-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiating a new collection of personally identifiable information that:","parts":[{"id":"ra-8_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Will be processed using information technology; and"},{"id":"ra-8_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_gdn","name":"guidance","prose":"A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.\n\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\n\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV](#7b0b9634-741a-4335-b6fa-161228c3a76e) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision."},{"id":"ra-8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-08","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-08a.","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;"},{"id":"ra-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[01]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;"},{"id":"ra-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[02]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy risk assessment reports\n\nacquisitions documents\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nprogram managers\n\nlegal counsel\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-10","class":"SP800-53","title":"Threat Hunting","params":[{"id":"ra-10_odp","props":[{"name":"alt-identifier","value":"ra-10_prm_1"},{"name":"label","value":"RA-10_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to employ the threat hunting capability is defined;"}]}],"props":[{"name":"label","value":"RA-10"},{"name":"label","value":"RA-10","class":"sp800-53a"},{"name":"sort-id","value":"ra-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ra-10_smt","name":"statement","parts":[{"id":"ra-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and maintain a cyber threat hunting capability to:","parts":[{"id":"ra-10_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Search for indicators of compromise in organizational systems; and"},{"id":"ra-10_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Detect, track, and disrupt threats that evade existing controls; and"}]},{"id":"ra-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the threat hunting capability {{ insert: param, ra-10_odp }}."}]},{"id":"ra-10_gdn","name":"guidance","prose":"Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies."},{"id":"ra-10_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-10","class":"sp800-53a"}],"parts":[{"id":"ra-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.","class":"sp800-53a"}],"parts":[{"id":"ra-10_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.01","class":"sp800-53a"}],"prose":"a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;"},{"id":"ra-10_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.02","class":"sp800-53a"}],"prose":"a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;"}]},{"id":"ra-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-10b.","class":"sp800-53a"}],"prose":"the threat hunting capability is employed {{ insert: param, ra-10_odp }}."}]},{"id":"ra-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nthreat hunting capability\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with threat hunting responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing threat hunting capabilities"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;"},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."}]}]}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;"},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;"},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation."}]}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;"},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;"},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;"},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities."}]}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}],"controls":[{"id":"sa-3.1","class":"SP800-53-enhancement","title":"Manage Preproduction Environment","props":[{"name":"label","value":"SA-3(1)"},{"name":"label","value":"SA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"sa-3.1_smt","name":"statement","prose":"Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service."},{"id":"sa-3.1_gdn","name":"guidance","prose":"The preproduction environment includes development, test, and integration environments. The program protection planning processes established by the Department of Defense are examples of managing the preproduction environment for defense contractors. Criticality analysis and the application of controls on developers also contribute to a more secure system development environment."},{"id":"sa-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(01)","class":"sp800-53a"}],"prose":"system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service."},{"id":"sa-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\nprocedures addressing program protection planning\n\ncriticality analysis results\n\nsecurity and supply chain risk management strategy\/program documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and system life cycle development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational process for integrating security risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-3.2","class":"SP800-53-enhancement","title":"Use of Live or Operational Data","props":[{"name":"label","value":"SA-3(2)"},{"name":"label","value":"SA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#pm-25","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sa-3.2_smt","name":"statement","parts":[{"id":"sa-3.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and"},{"id":"sa-3.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments."}]},{"id":"sa-3.2_gdn","name":"guidance","prose":"Live data is also referred to as operational data. The use of live or operational data in preproduction (i.e., development, test, and integration) environments can result in significant risks to organizations. In addition, the use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Therefore, it is important for the organization to manage any additional risks that may result from the use of live or operational data. Organizations can minimize such risks by using test or dummy data during the design, development, and testing of systems, system components, and system services. Risk assessment techniques may be used to determine if the risk of using live or operational data is acceptable."},{"id":"sa-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)","class":"sp800-53a"}],"parts":[{"id":"sa-3.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.","class":"sp800-53a"}],"parts":[{"id":"sa-3.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[01]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is approved for the system, system component, or system service;"},{"id":"sa-3.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[02]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is documented for the system, system component, or system service;"},{"id":"sa-3.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[03]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is controlled for the system, system component, or system service;"}]},{"id":"sa-3.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)b.","class":"sp800-53a"}],"prose":"pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments."}]},{"id":"sa-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy into the system development life cycle process\n\nsystem development life cycle documentation\n\nsecurity risk assessment documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\ndata mapping documentation\n\npersonally identifiable information processing policy\n\nprocedures addressing the authority to test with personally identifiable information\n\nprocedures addressing the minimization of personally identifiable information used in testing, training, and research\n\nother relevant documents or records"}]},{"id":"sa-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibility\n\norganizational personnel with system life cycle development responsibilities"}]},{"id":"sa-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes the use of live data in pre-production environments\n\nmechanisms for protecting live data in pre-production environments"}]}]},{"id":"sa-3.3","class":"SP800-53-enhancement","title":"Technology Refresh","props":[{"name":"label","value":"SA-3(3)"},{"name":"label","value":"SA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#ma-6","rel":"related"}],"parts":[{"id":"sa-3.3_smt","name":"statement","prose":"Plan for and implement a technology refresh schedule for the system throughout the system development life cycle."},{"id":"sa-3.3_gdn","name":"guidance","prose":"Technology refresh planning may encompass hardware, software, firmware, processes, personnel skill sets, suppliers, service providers, and facilities. The use of obsolete or nearing obsolete technology may increase the security and privacy risks associated with unsupported components, counterfeit or repurposed components, components unable to implement security or privacy requirements, slow or inoperable components, components from untrusted sources, inadvertent personnel error, or increased complexity. Technology refreshes typically occur during the operations and maintenance stage of the system development life cycle."},{"id":"sa-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)","class":"sp800-53a"}],"parts":[{"id":"sa-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)[01]","class":"sp800-53a"}],"prose":"a technology refresh schedule is planned for the system throughout the system development life cycle;"},{"id":"sa-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)[02]","class":"sp800-53a"}],"prose":"a technology refresh schedule is implemented for the system throughout the system development life cycle."}]},{"id":"sa-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing technology refresh planning and implementation\n\nsystem development life cycle documentation\n\ntechnology refresh schedule\n\nsecurity risk assessment documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities"}]},{"id":"sa-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating security and privacy risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language","{{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics","{{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.3","class":"SP800-53-enhancement","title":"Development Methods, Techniques, and Practices","params":[{"id":"sa-04.03_odp.01","props":[{"name":"alt-identifier","value":"sa-4.3_prm_1"},{"name":"label","value":"SA-04(03)_ODP[01]","class":"sp800-53a"}],"label":"systems engineering methods","guidelines":[{"prose":"systems engineering methods are defined;"}]},{"id":"sa-04.03_odp.02","props":[{"name":"alt-identifier","value":"sa-4.3_prm_2"},{"name":"alt-label","value":"[Selection (one or more): systems security; privacy] engineering methods","class":"sp800-53"},{"name":"label","value":"SA-04(03)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-04.03_odp.03 }} ","{{ insert: param, sa-04.03_odp.04 }} "]}},{"id":"sa-04.03_odp.03","props":[{"name":"label","value":"SA-04(03)_ODP[03]","class":"sp800-53a"}],"label":"system security engineering methods","guidelines":[{"prose":"system security engineering methods are defined (if selected);"}]},{"id":"sa-04.03_odp.04","props":[{"name":"label","value":"SA-04(03)_ODP[04]","class":"sp800-53a"}],"label":"privacy engineering methods","guidelines":[{"prose":"privacy engineering methods are defined (if selected);"}]},{"id":"sa-04.03_odp.05","props":[{"name":"alt-identifier","value":"sa-4.3_prm_3"},{"name":"alt-label","value":"software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes","class":"sp800-53"},{"name":"label","value":"SA-04(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-04.03_odp.06 }} ","{{ insert: param, sa-04.03_odp.07 }} ","{{ insert: param, sa-04.03_odp.08 }} "]}},{"id":"sa-04.03_odp.06","props":[{"name":"label","value":"SA-04(03)_ODP[06]","class":"sp800-53a"}],"label":"software development methods","guidelines":[{"prose":"software development methods are defined (if selected);"}]},{"id":"sa-04.03_odp.07","props":[{"name":"label","value":"SA-04(03)_ODP[07]","class":"sp800-53a"}],"label":"testing, evaluation, assessment, verification, and validation methods","guidelines":[{"prose":"testing, evaluation, assessment, verification, and validation methods are defined (if selected);"}]},{"id":"sa-04.03_odp.08","props":[{"name":"label","value":"SA-04(03)_ODP[08]","class":"sp800-53a"}],"label":"quality control processes","guidelines":[{"prose":"quality control processes are defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4(3)"},{"name":"label","value":"SA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:","parts":[{"id":"sa-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, sa-04.03_odp.01 }};"},{"id":"sa-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, sa-04.03_odp.02 }} ; and"},{"id":"sa-4.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"{{ insert: param, sa-04.03_odp.05 }}."}]},{"id":"sa-4.3_gdn","name":"guidance","prose":"Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired."},{"id":"sa-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)","class":"sp800-53a"}],"parts":[{"id":"sa-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.01 }};"},{"id":"sa-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.02 }};"},{"id":"sa-4.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.05 }}."}]},{"id":"sa-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nlist of systems security and privacy engineering methods to be included in the developer’s system development life cycle process\n\nlist of software development methods to be included in the developer’s system development life cycle process\n\nlist of testing, evaluation, or validation techniques to be included in the developer’s system development life cycle process\n\nlist of quality control processes to be included in the developer’s system development life cycle process\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle responsibilities\n\nsystem developers or service provider"}]},{"id":"sa-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for development methods, techniques, and processes"}]}]},{"id":"sa-4.4","class":"SP800-53-enhancement","title":"Assignment of Components to Systems","props":[{"name":"label","value":"SA-4(4)"},{"name":"label","value":"SA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8.9","rel":"incorporated-into"}]},{"id":"sa-4.5","class":"SP800-53-enhancement","title":"System, Component, and Service Configurations","params":[{"id":"sa-04.05_odp","props":[{"name":"alt-identifier","value":"sa-4.5_prm_1"},{"name":"label","value":"SA-04(05)_ODP","class":"sp800-53a"}],"label":"security configurations","guidelines":[{"prose":"security configurations for the system, component, or service are defined;"}]}],"props":[{"name":"label","value":"SA-4(5)"},{"name":"label","value":"SA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and"},{"id":"sa-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_gdn","name":"guidance","prose":"Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed."},{"id":"sa-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)","class":"sp800-53a"}],"parts":[{"id":"sa-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;"},{"id":"sa-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(b)","class":"sp800-53a"}],"prose":"the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified"}]}]},{"id":"sa-4.6","class":"SP800-53-enhancement","title":"Use of Information Assurance Products","props":[{"name":"label","value":"SA-4(6)"},{"name":"label","value":"SA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-4.6_smt","name":"statement","parts":[{"id":"sa-4.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and"},{"id":"sa-4.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Ensure that these products have been evaluated and\/or validated by NSA or in accordance with NSA-approved procedures."}]},{"id":"sa-4.6_gdn","name":"guidance","prose":"Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See [NSA CSFC](#3d575737-98cb-459d-b41c-d7e82b73ad78)."},{"id":"sa-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)","class":"sp800-53a"}],"parts":[{"id":"sa-4.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)(a)","class":"sp800-53a"}],"prose":"only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;"},{"id":"sa-4.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)(b)","class":"sp800-53a"}],"prose":"these products have been evaluated and\/or validated by NSA or in accordance with NSA-approved procedures."}]},{"id":"sa-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nlist of deployed IT products\/solutions\n\nNSA-approved list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\norganizational personnel responsible for ensuring information assurance products are NSA-approved and are evaluated and\/or validated products in accordance with NSA-approved procedures\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing evaluated and\/or validated information assurance products and services that compose an NSA-approved solution to protect classified information"}]}]},{"id":"sa-4.7","class":"SP800-53-enhancement","title":"NIAP-approved Protection Profiles ","props":[{"name":"label","value":"SA-4(7)"},{"name":"label","value":"SA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-4.7_smt","name":"statement","parts":[{"id":"sa-4.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and"},{"id":"sa-4.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved."}]},{"id":"sa-4.7_gdn","name":"guidance","prose":"See [NIAP CCEVS](#795aff72-3e6c-4b6b-a80a-b14d84b7f544) for additional information on NIAP. See [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) for additional information on FIPS-validated cryptographic modules."},{"id":"sa-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)","class":"sp800-53a"}],"parts":[{"id":"sa-4.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)(a)","class":"sp800-53a"}],"prose":"the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;"},{"id":"sa-4.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)(b)","class":"sp800-53a"}],"prose":"if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved."}]},{"id":"sa-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nlist of deployed IT products\/solutions\n\nNAIP-approved protection profiles\n\nFIPS-validation information for cryptographic functionality\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel responsible for ensuring that information assurance products have been evaluated against a NIAP-approved protection profile or for ensuring products relying on cryptographic functionality are FIPS-validated\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing products\/services evaluated against a NIAP-approved protection profile or FIPS-validated products"}]}]},{"id":"sa-4.8","class":"SP800-53-enhancement","title":"Continuous Monitoring Plan for Controls","props":[{"name":"label","value":"SA-4(8)"},{"name":"label","value":"SA-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"sa-4.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization."},{"id":"sa-4.8_gdn","name":"guidance","prose":"The objective of continuous monitoring plans is to determine if the planned, required, and deployed controls within the system, system component, or system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into continuous monitoring programs implemented by organizations. Continuous monitoring plans can include the types of control assessment and monitoring activities planned, frequency of control monitoring, and actions to be taken when controls fail or become ineffective."},{"id":"sa-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(08)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization."},{"id":"sa-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing developer continuous monitoring plans\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\ndeveloper continuous monitoring plans\n\nsecurity assessment plans\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Vendor processes for continuous monitoring\n\nmechanisms supporting and\/or implementing developer continuous monitoring"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use."}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]},{"id":"sa-4.11","class":"SP800-53-enhancement","title":"System of Records","params":[{"id":"sa-04.11_odp","props":[{"name":"alt-identifier","value":"sa-4.11_prm_1"},{"name":"label","value":"SA-04(11)_ODP","class":"sp800-53a"}],"label":"Privacy Act requirements","guidelines":[{"prose":"Privacy Act requirements for the operation of a system of records are defined;"}]}],"props":[{"name":"label","value":"SA-4(11)"},{"name":"label","value":"SA-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"sa-4.11_smt","name":"statement","prose":"Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function."},{"id":"sa-4.11_gdn","name":"guidance","prose":"When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) to be applied to the system of records."},{"id":"sa-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(11)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-04.11_odp }} are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function."},{"id":"sa-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of Privacy Act requirements into systems of records operated by external organizations\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sa-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contract management processes to verify Privacy Act requirements are defined for the operation of a system of records\n\nvendor processes for demonstrating incorporation of Privacy Act requirements in its operation of a system of records"}]}]},{"id":"sa-4.12","class":"SP800-53-enhancement","title":"Data Ownership","params":[{"id":"sa-04.12_odp","props":[{"name":"alt-identifier","value":"sa-4.12_prm_1"},{"name":"label","value":"SA-04(12)_ODP","class":"sp800-53a"}],"label":"time frame","guidelines":[{"prose":"time frame to remove data from a contractor system and return it to the organization is defined;"}]}],"props":[{"name":"label","value":"SA-4(12)"},{"name":"label","value":"SA-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.12_smt","name":"statement","parts":[{"id":"sa-4.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Include organizational data ownership requirements in the acquisition contract; and"},{"id":"sa-4.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require all data to be removed from the contractor’s system and returned to the organization within {{ insert: param, sa-04.12_odp }}."}]},{"id":"sa-4.12_gdn","name":"guidance","prose":"Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and\/or return the data in a time frame defined by the contract."},{"id":"sa-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)","class":"sp800-53a"}],"parts":[{"id":"sa-4.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)(a)","class":"sp800-53a"}],"prose":"organizational data ownership requirements are included in the acquisition contract;"},{"id":"sa-4.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)(b)","class":"sp800-53a"}],"prose":"all data to be removed from the contractor’s system and returned to the organization is required within {{ insert: param, sa-04.12_odp }}."}]},{"id":"sa-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process\n\nprocedures addressing the disposition of personally identifiable information\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system or system service\n\npersonally identifiable information processing policy\n\nservice level agreements\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for data management and processing requirements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sa-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contract management processes to verify that data is removed as required\n\nvendor processes for removing data in required timeframe\n\nmechanisms verifying the removal and return of data"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"}]}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"}]}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}],"controls":[{"id":"sa-5.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-5(1)"},{"name":"label","value":"SA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.1","rel":"incorporated-into"}]},{"id":"sa-5.2","class":"SP800-53-enhancement","title":"Security-relevant External System Interfaces","props":[{"name":"label","value":"SA-5(2)"},{"name":"label","value":"SA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.3","class":"SP800-53-enhancement","title":"High-level Design","props":[{"name":"label","value":"SA-5(3)"},{"name":"label","value":"SA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.4","class":"SP800-53-enhancement","title":"Low-level Design","props":[{"name":"label","value":"SA-5(4)"},{"name":"label","value":"SA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.5","class":"SP800-53-enhancement","title":"Source Code","props":[{"name":"label","value":"SA-5(5)"},{"name":"label","value":"SA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]}]},{"id":"sa-6","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"SA-6"},{"name":"label","value":"SA-06","class":"sp800-53a"},{"name":"sort-id","value":"sa-06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-10","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"}]},{"id":"sa-7","class":"SP800-53","title":"User-installed Software","props":[{"name":"label","value":"SA-7"},{"name":"label","value":"SA-07","class":"sp800-53a"},{"name":"sort-id","value":"sa-07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-11","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}],"controls":[{"id":"sa-8.1","class":"SP800-53-enhancement","title":"Clear Abstractions","props":[{"name":"label","value":"SA-8(1)"},{"name":"label","value":"SA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.1_smt","name":"statement","prose":"Implement the security design principle of clear abstractions."},{"id":"sa-8.1_gdn","name":"guidance","prose":"The principle of clear abstractions states that a system has simple, well-defined interfaces and functions that provide a consistent and intuitive view of the data and how the data is managed. The clarity, simplicity, necessity, and sufficiency of the system interfaces— combined with a precise definition of their functional behavior—promotes ease of analysis, inspection, and testing as well as the correct and secure use of the system. The clarity of an abstraction is subjective. Examples that reflect the application of this principle include avoidance of redundant, unused interfaces; information hiding; and avoidance of semantic overloading of interfaces or their parameters. Information hiding (i.e., representation-independent programming), is a design discipline used to ensure that the internal representation of information in one system component is not visible to another system component invoking or calling the first component, such that the published abstraction is not influenced by how the data may be managed internally."},{"id":"sa-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(01)","class":"sp800-53a"}],"prose":"the security design principle of clear abstractions is implemented."},{"id":"sa-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of clear abstractions used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of clear abstractions to system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of clear abstractions to system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.2","class":"SP800-53-enhancement","title":"Least Common Mechanism","params":[{"id":"sa-08.02_odp","props":[{"name":"alt-identifier","value":"sa-8.2_prm_1"},{"name":"label","value":"SA-08(02)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of least common mechanism are defined;"}]}],"props":[{"name":"label","value":"SA-8(2)"},{"name":"label","value":"SA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.2_smt","name":"statement","prose":"Implement the security design principle of least common mechanism in {{ insert: param, sa-08.02_odp }}."},{"id":"sa-8.2_gdn","name":"guidance","prose":"The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized [POPEK74](#79453f84-26a4-4995-8257-d32d37aefea3) . Mechanism minimization implies that different components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables) represents a potential information path between users and is designed with care to ensure that it does not unintentionally compromise security [SALTZER75](#c9495d6e-ef64-4090-8509-e58c3b9009ff) . Implementing the principle of least common mechanism helps to reduce the adverse consequences of sharing the system state among different programs. A single program that corrupts a shared state (including shared variables) has the potential to corrupt other programs that are dependent on the state. The principle of least common mechanism also supports the principle of simplicity of design and addresses the issue of covert storage channels [LAMPSON73](#d1cdab13-4218-400d-91a9-c3818dfa5ec8)."},{"id":"sa-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.02_odp }} implement the security design principle of least common mechanism."},{"id":"sa-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of least common mechanism used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of least common mechanism in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of least common mechanism in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.3","class":"SP800-53-enhancement","title":"Modularity and Layering","params":[{"id":"sa-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.03_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.03_odp.01","props":[{"name":"label","value":"SA-08(03)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of modularity are defined;"}]},{"id":"sa-08.03_odp.02","props":[{"name":"label","value":"SA-08(03)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of layering are defined;"}]}],"props":[{"name":"label","value":"SA-8(3)"},{"name":"label","value":"SA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sa-8.3_smt","name":"statement","prose":"Implement the security design principles of modularity and layering in {{ insert: param, sa-8.3_prm_1 }}."},{"id":"sa-8.3_gdn","name":"guidance","prose":"The principles of modularity and layering are fundamental across system engineering disciplines. Modularity and layering derived from functional decomposition are effective in managing system complexity by making it possible to comprehend the structure of the system. Modular decomposition, or refinement in system design, is challenging and resists general statements of principle. Modularity serves to isolate functions and related data structures into well-defined logical units. Layering allows the relationships of these units to be better understood so that dependencies are clear and undesired complexity can be avoided. The security design principle of modularity extends functional modularity to include considerations based on trust, trustworthiness, privilege, and security policy. Security-informed modular decomposition includes the allocation of policies to systems in a network, separation of system applications into processes with distinct address spaces, allocation of system policies to layers, and separation of processes into subjects with distinct privileges based on hardware-supported privilege domains."},{"id":"sa-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)","class":"sp800-53a"}],"parts":[{"id":"sa-8.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.03_odp.01 }} implement the security design principle of modularity;"},{"id":"sa-8.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.03_odp.02 }} implement the security design principle of layering."}]},{"id":"sa-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principles of modularity and layering used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principles of modularity and layering in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principles of modularity and layering in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing an isolation boundary"}]}]},{"id":"sa-8.4","class":"SP800-53-enhancement","title":"Partially Ordered Dependencies","params":[{"id":"sa-08.04_odp","props":[{"name":"alt-identifier","value":"sa-8.4_prm_1"},{"name":"label","value":"SA-08(04)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of partially ordered dependencies are defined;"}]}],"props":[{"name":"label","value":"SA-8(4)"},{"name":"label","value":"SA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.4_smt","name":"statement","prose":"Implement the security design principle of partially ordered dependencies in {{ insert: param, sa-08.04_odp }}."},{"id":"sa-8.4_gdn","name":"guidance","prose":"The principle of partially ordered dependencies states that the synchronization, calling, and other dependencies in the system are partially ordered. A fundamental concept in system design is layering, whereby the system is organized into well-defined, functionally related modules or components. The layers are linearly ordered with respect to inter-layer dependencies, such that higher layers are dependent on lower layers. While providing functionality to higher layers, some layers can be self-contained and not dependent on lower layers. While a partial ordering of all functions in a given system may not be possible, if circular dependencies are constrained to occur within layers, the inherent problems of circularity can be more easily managed. Partially ordered dependencies and system layering contribute significantly to the simplicity and coherency of the system design. Partially ordered dependencies also facilitate system testing and analysis."},{"id":"sa-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.04_odp }} implement the security design principle of partially ordered dependencies."},{"id":"sa-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of partially ordered dependencies used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.5","class":"SP800-53-enhancement","title":"Efficiently Mediated Access","params":[{"id":"sa-08.05_odp","props":[{"name":"alt-identifier","value":"sa-8.5_prm_1"},{"name":"label","value":"SA-08(05)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of efficiently mediated access are defined;"}]}],"props":[{"name":"label","value":"SA-8(5)"},{"name":"label","value":"SA-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-8.5_smt","name":"statement","prose":"Implement the security design principle of efficiently mediated access in {{ insert: param, sa-08.05_odp }}."},{"id":"sa-8.5_gdn","name":"guidance","prose":"The principle of efficiently mediated access states that policy enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints. The mediation of access to system resources (i.e., CPU, memory, devices, communication ports, services, infrastructure, data, and information) is often the predominant security function of secure systems. It also enables the realization of protections for the capability provided to stakeholders by the system. Mediation of resource access can result in performance bottlenecks if the system is not designed correctly. For example, by using hardware mechanisms, efficiently mediated access can be achieved. Once access to a low-level resource such as memory has been obtained, hardware protection mechanisms can ensure that out-of-bounds access does not occur."},{"id":"sa-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(05)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.05_odp }} implement the security design principle of efficiently mediated access."},{"id":"sa-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of efficiently mediated access used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.6","class":"SP800-53-enhancement","title":"Minimized Sharing","params":[{"id":"sa-08.06_odp","props":[{"name":"alt-identifier","value":"sa-8.6_prm_1"},{"name":"label","value":"SA-08(06)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of minimized sharing are defined;"}]}],"props":[{"name":"label","value":"SA-8(6)"},{"name":"label","value":"SA-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"sa-8.6_smt","name":"statement","prose":"Implement the security design principle of minimized sharing in {{ insert: param, sa-08.06_odp }}."},{"id":"sa-8.6_gdn","name":"guidance","prose":"The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted. The need for resource sharing can be motivated by the design principle of least common mechanism in the case of internal entities or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage and timing channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system. To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, the use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities."},{"id":"sa-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(06)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.06_odp }} implement the security design principle of minimized sharing."},{"id":"sa-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of minimized sharing used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of minimized sharing in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of minimized sharing in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.7","class":"SP800-53-enhancement","title":"Reduced Complexity","params":[{"id":"sa-08.07_odp","props":[{"name":"alt-identifier","value":"sa-8.7_prm_1"},{"name":"label","value":"SA-08(07)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of reduced complexity are defined;"}]}],"props":[{"name":"label","value":"SA-8(7)"},{"name":"label","value":"SA-08(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.7_smt","name":"statement","prose":"Implement the security design principle of reduced complexity in {{ insert: param, sa-08.07_odp }}."},{"id":"sa-8.7_gdn","name":"guidance","prose":"The principle of reduced complexity states that the system design is as simple and small as possible. A small and simple design is more understandable, more analyzable, and less prone to error. The reduced complexity principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions. It also facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain; that is, simpler systems contain fewer vulnerabilities. An benefit of reduced complexity is that it is easier to understand whether the intended security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and the existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex. Transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6) may require implementing the older and newer technologies simultaneously during the transition period. This may result in a temporary increase in system complexity during the transition."},{"id":"sa-8.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(07)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.07_odp }} implement the security design principle of reduced complexity."},{"id":"sa-8.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of reduced complexity used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of reduced complexity in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of reduced complexity in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.8","class":"SP800-53-enhancement","title":"Secure Evolvability","params":[{"id":"sa-08.08_odp","props":[{"name":"alt-identifier","value":"sa-8.8_prm_1"},{"name":"label","value":"SA-08(08)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure evolvability are defined;"}]}],"props":[{"name":"label","value":"SA-8(8)"},{"name":"label","value":"SA-08(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"sa-8.8_smt","name":"statement","prose":"Implement the security design principle of secure evolvability in {{ insert: param, sa-08.08_odp }}."},{"id":"sa-8.8_gdn","name":"guidance","prose":"The principle of secure evolvability states that a system is developed to facilitate the maintenance of its security properties when there are changes to the system’s structure, interfaces, interconnections (i.e., system architecture), functionality, or configuration (i.e., security policy enforcement). Changes include a new, enhanced, or upgraded system capability; maintenance and sustainment activities; and reconfiguration. Although it is not possible to plan for every aspect of system evolution, system upgrades and changes can be anticipated by analyses of mission or business strategic direction, anticipated changes in the threat environment, and anticipated maintenance and sustainment needs. It is unrealistic to expect that complex systems remain secure in contexts not envisioned during development, whether such contexts are related to the operational environment or to usage. A system may be secure in some new contexts, but there is no guarantee that its emergent behavior will always be secure. It is easier to build trustworthiness into a system from the outset, and it follows that the sustainment of system trustworthiness requires planning for change as opposed to adapting in an ad hoc or non-methodical manner. The benefits of this principle include reduced vendor life cycle costs, reduced cost of ownership, improved system security, more effective management of security risk, and less risk uncertainty."},{"id":"sa-8.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.08_odp }} implement the security design principle of secure evolvability."},{"id":"sa-8.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of secure evolvability used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure evolvability in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure evolvability in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.9","class":"SP800-53-enhancement","title":"Trusted Components","params":[{"id":"sa-08.09_odp","props":[{"name":"alt-identifier","value":"sa-8.9_prm_1"},{"name":"label","value":"SA-08(09)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of trusted components are defined;"}]}],"props":[{"name":"label","value":"SA-8(9)"},{"name":"label","value":"SA-08(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.9_smt","name":"statement","prose":"Implement the security design principle of trusted components in {{ insert: param, sa-08.09_odp }}."},{"id":"sa-8.9_gdn","name":"guidance","prose":"The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and the trust is not consequently misplaced. Ultimately, this principle demands some metric by which the trust in a component and the trustworthiness of a component can be measured on the same abstract scale. The principle of trusted components is particularly relevant when considering systems and components in which there are complex chains of trust dependencies. A trust dependency is also referred to as a trust relationship and there may be chains of trust relationships.\n\nThe principle of trusted components also applies to a compound component that consists of subcomponents (e.g., a subsystem), which may have varying levels of trustworthiness. The conservative assumption is that the trustworthiness of a compound component is that of its least trustworthy subcomponent. It may be possible to provide a security engineering rationale that the trustworthiness of a particular compound component is greater than the conservative assumption. However, any such rationale reflects logical reasoning based on a clear statement of the trustworthiness objectives as well as relevant and credible evidence. The trustworthiness of a compound component is not the same as increased application of defense-in-depth layering within the component or a replication of components. Defense-in-depth techniques do not increase the trustworthiness of the whole above that of the least trustworthy component."},{"id":"sa-8.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(09)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.09_odp }} implement the security design principle of trusted components."},{"id":"sa-8.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity, supply chain risk management, and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nprocedures for determining component assurance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-8.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of trusted components in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.10","class":"SP800-53-enhancement","title":"Hierarchical Trust","params":[{"id":"sa-08.10_odp","props":[{"name":"alt-identifier","value":"sa-8.10_prm_1"},{"name":"label","value":"SA-08(10)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of hierarchical trust are defined;"}]}],"props":[{"name":"label","value":"SA-8(10)"},{"name":"label","value":"SA-08(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.10_smt","name":"statement","prose":"Implement the security design principle of hierarchical trust in {{ insert: param, sa-08.10_odp }}."},{"id":"sa-8.10_gdn","name":"guidance","prose":"The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from heterogeneously trustworthy components. To analyze a system composed of heterogeneously trustworthy components for its trustworthiness, it is essential to eliminate circular dependencies with regard to the trustworthiness. If a more trustworthy component located in a lower layer of the system were to depend on a less trustworthy component in a higher layer, this would, in effect, put the components in the same \"less trustworthy\" equivalence class per the principle of trusted components. Trust relationships, or chains of trust, can have various manifestations. For example, the root certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a layered high-assurance system where the security kernel (including the hardware base), which is located at the lowest layer of the system, is the most trustworthy component. The principle of hierarchical trust, however, does not prohibit the use of overly trustworthy components. There may be cases in a system of low trustworthiness where it is reasonable to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due to availability or other cost-benefit driver). For such a case, any dependency of the highly trustworthy component upon a less trustworthy component does not degrade the trustworthiness of the resulting low-trust system."},{"id":"sa-8.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(10)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.10_odp }} implement the security design principle of hierarchical trust."},{"id":"sa-8.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of hierarchical trust used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of hierarchical trust in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of hierarchical trust in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.11","class":"SP800-53-enhancement","title":"Inverse Modification Threshold","params":[{"id":"sa-08.11_odp","props":[{"name":"alt-identifier","value":"sa-8.11_prm_1"},{"name":"label","value":"SA-08(11)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of inverse modification threshold are defined;"}]}],"props":[{"name":"label","value":"SA-8(11)"},{"name":"label","value":"SA-08(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.11_smt","name":"statement","prose":"Implement the security design principle of inverse modification threshold in {{ insert: param, sa-08.11_odp }}."},{"id":"sa-8.11_gdn","name":"guidance","prose":"The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree. Protection from unauthorized modification can come in the form of the component’s own self-protection and innate trustworthiness, or it can come from the protections afforded to the component from other elements or attributes of the security architecture (to include protections in the environment of operation)."},{"id":"sa-8.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(11)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.11_odp }} implement the security design principle of inverse modification threshold."},{"id":"sa-8.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of inverse modification threshold used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.12","class":"SP800-53-enhancement","title":"Hierarchical Protection","params":[{"id":"sa-08.12_odp","props":[{"name":"alt-identifier","value":"sa-8.12_prm_1"},{"name":"label","value":"SA-08(12)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of hierarchical protection are defined;"}]}],"props":[{"name":"label","value":"SA-8(12)"},{"name":"label","value":"SA-08(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.12_smt","name":"statement","prose":"Implement the security design principle of hierarchical protection in {{ insert: param, sa-08.12_odp }}."},{"id":"sa-8.12_gdn","name":"guidance","prose":"The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in \"system high\" environments where users are highly trustworthy and where other protections are put in place to bound and protect the \"system high\" execution environment."},{"id":"sa-8.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(12)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.12_odp }} implement the security design principle of hierarchical protection."},{"id":"sa-8.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of hierarchical protection used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of hierarchical protection in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of hierarchical protection in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.13","class":"SP800-53-enhancement","title":"Minimized Security Elements","params":[{"id":"sa-08.13_odp","props":[{"name":"alt-identifier","value":"sa-8.13_prm_1"},{"name":"label","value":"SA-08(13)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of minimized security elements are defined;"}]}],"props":[{"name":"label","value":"SA-8(13)"},{"name":"label","value":"SA-08(13)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.13_smt","name":"statement","prose":"Implement the security design principle of minimized security elements in {{ insert: param, sa-08.13_odp }}."},{"id":"sa-8.13_gdn","name":"guidance","prose":"The principle of minimized security elements states that the system does not have extraneous trusted components. The principle of minimized security elements has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components are generally costlier to construct and implement, owing to the increased rigor of development processes. Trusted components require greater security analysis to qualify their trustworthiness. Thus, to reduce the cost and decrease the complexity of the security analysis, a system contains as few trustworthy components as possible. The analysis of the interaction of trusted components with other components of the system is one of the most important aspects of system security verification. If the interactions between components are unnecessarily complex, the security of the system will also be more difficult to ascertain than one whose internal trust relationships are simple and elegantly constructed. In general, fewer trusted components result in fewer internal trust relationships and a simpler system."},{"id":"sa-8.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(13)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.13_odp }} implement the security design principle of minimized security elements."},{"id":"sa-8.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of minimized security elements used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of minimized security elements in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of minimized security elements in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.14","class":"SP800-53-enhancement","title":"Least Privilege","params":[{"id":"sa-08.14_odp","props":[{"name":"alt-identifier","value":"sa-8.14_prm_1"},{"name":"label","value":"SA-08(14)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of least privilege are defined;"}]}],"props":[{"name":"label","value":"SA-8(14)"},{"name":"label","value":"SA-08(14)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-8.14_smt","name":"statement","prose":"Implement the security design principle of least privilege in {{ insert: param, sa-08.14_odp }}."},{"id":"sa-8.14_gdn","name":"guidance","prose":"The principle of least privilege states that each system component is allocated sufficient privileges to accomplish its specified functions but no more. Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact, and the security analysis of the component will be simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has need to view the audit data that has been collected but no need to perform operations on that data.\n\nIn addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated on by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality and that the access modes for the elements (e.g., read, write) are minimal."},{"id":"sa-8.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(14)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.14_odp }} implement the security design principle of least privilege."},{"id":"sa-8.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of least privilege used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of least privilege in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of least privilege in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.15","class":"SP800-53-enhancement","title":"Predicate Permission","params":[{"id":"sa-08.15_odp","props":[{"name":"alt-identifier","value":"sa-8.15_prm_1"},{"name":"label","value":"SA-08(15)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of predicate permission are defined;"}]}],"props":[{"name":"label","value":"SA-8(15)"},{"name":"label","value":"SA-08(15)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"sa-8.15_smt","name":"statement","prose":"Implement the security design principle of predicate permission in {{ insert: param, sa-08.15_odp }}."},{"id":"sa-8.15_gdn","name":"guidance","prose":"The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. [SALTZER75](#c9495d6e-ef64-4090-8509-e58c3b9009ff) originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action."},{"id":"sa-8.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(15)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.15_odp }} implement the security design principle of predicate permission."},{"id":"sa-8.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of predicate permission used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of predicate permission in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of predicate permission in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.16","class":"SP800-53-enhancement","title":"Self-reliant Trustworthiness","params":[{"id":"sa-08.16_odp","props":[{"name":"alt-identifier","value":"sa-8.16_prm_1"},{"name":"label","value":"SA-08(16)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of self-reliant trustworthiness are defined;"}]}],"props":[{"name":"label","value":"SA-8(16)"},{"name":"label","value":"SA-08(16)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.16_smt","name":"statement","prose":"Implement the security design principle of self-reliant trustworthiness in {{ insert: param, sa-08.16_odp }}."},{"id":"sa-8.16_gdn","name":"guidance","prose":"The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems for their own trustworthiness. A system is trustworthy by default, and any connection to an external entity is used to supplement its function. If a system were required to maintain a connection with another external entity in order to maintain its trustworthiness, then that system would be vulnerable to malicious and non-malicious threats that could result in the loss or degradation of that connection. The benefit of the principle of self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to attack. A corollary to this principle relates to the ability of the system (or system component) to operate in isolation and then resynchronize with other components when it is rejoined with them."},{"id":"sa-8.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(16)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.16_odp }} implement the security design principle of self-reliant trustworthiness."},{"id":"sa-8.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of self-reliant trustworthiness used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.17","class":"SP800-53-enhancement","title":"Secure Distributed Composition","params":[{"id":"sa-08.17_odp","props":[{"name":"alt-identifier","value":"sa-8.17_prm_1"},{"name":"label","value":"SA-08(17)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure distributed composition are defined;"}]}],"props":[{"name":"label","value":"SA-8(17)"},{"name":"label","value":"SA-08(17)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.17_smt","name":"statement","prose":"Implement the security design principle of secure distributed composition in {{ insert: param, sa-08.17_odp }}."},{"id":"sa-8.17_gdn","name":"guidance","prose":"The principle of secure distributed composition states that the composition of distributed components that enforce the same system security policy result in a system that enforces that policy at least as well as the individual components do. Many of the design principles for secure systems deal with how components can or should interact. The need to create or enable a capability from the composition of distributed components can magnify the relevancy of these principles. In particular, the translation of security policy from a stand-alone to a distributed system or a system-of-systems can have unexpected or emergent results. Communication protocols and distributed data consistency mechanisms help to ensure consistent policy enforcement across a distributed system. To ensure a system-wide level of assurance of correct policy enforcement, the security architecture of a distributed composite system is thoroughly analyzed."},{"id":"sa-8.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(17)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.17_odp }} implement the security design principle of secure distributed composition."},{"id":"sa-8.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of secure distributed composition used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure distributed composition in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure distributed composition in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.18","class":"SP800-53-enhancement","title":"Trusted Communications Channels","params":[{"id":"sa-08.18_odp","props":[{"name":"alt-identifier","value":"sa-8.18_prm_1"},{"name":"label","value":"SA-08(18)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of trusted communications channels are defined;"}]}],"props":[{"name":"label","value":"SA-8(18)"},{"name":"label","value":"SA-08(18)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-8.18_smt","name":"statement","prose":"Implement the security design principle of trusted communications channels in {{ insert: param, sa-08.18_odp }}."},{"id":"sa-8.18_gdn","name":"guidance","prose":"The principle of trusted communication channels states that when composing a system where there is a potential threat to communications between components (i.e., the interconnections between components), each communication channel is trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions). Trusted communication channels are achieved by a combination of restricting access to the communication channel (to ensure an acceptable match in the trustworthiness of the endpoints involved in the communication) and employing end-to-end protections for the data transmitted over the communication channel (to protect against interception and modification and to further increase the assurance of proper end-to-end communication)."},{"id":"sa-8.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(18)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.18_odp }} implement the security design principle of trusted communications channels."},{"id":"sa-8.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of trusted communications channels used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of trusted communications channels in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of trusted communications channels in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.19","class":"SP800-53-enhancement","title":"Continuous Protection","params":[{"id":"sa-08.19_odp","props":[{"name":"alt-identifier","value":"sa-8.19_prm_1"},{"name":"label","value":"SA-08(19)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of continuous protection are defined;"}]}],"props":[{"name":"label","value":"SA-8(19)"},{"name":"label","value":"SA-08(19)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-8.19_smt","name":"statement","prose":"Implement the security design principle of continuous protection in {{ insert: param, sa-08.19_odp }}."},{"id":"sa-8.19_gdn","name":"guidance","prose":"The principle of continuous protection states that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. No assurances that the system can provide the confidentiality, integrity, availability, and privacy protections for its design capability can be made if there are gaps in the protection. Any assurances about the ability to secure a delivered capability require that data and information are continuously protected. That is, there are no periods during which data and information are left unprotected while under control of the system (i.e., during the creation, storage, processing, or communication of the data and information, as well as during system initialization, execution, failure, interruption, and shutdown). Continuous protection requires adherence to the precepts of the reference monitor concept (i.e., every request is validated by the reference monitor; the reference monitor is able to protect itself from tampering; and sufficient assurance of the correctness and completeness of the mechanism can be ascertained from analysis and testing) and the principle of secure failure and recovery (i.e., preservation of a secure state during error, fault, failure, and successful attack; preservation of a secure state during recovery to normal, degraded, or alternative operational modes).\n\nContinuous protection also applies to systems designed to operate in varying configurations, including those that deliver full operational capability and degraded-mode configurations that deliver partial operational capability. The continuous protection principle requires that changes to the system security policies be traceable to the operational need that drives the configuration and be verifiable (i.e., it is possible to verify that the proposed changes will not put the system into an insecure state). Insufficient traceability and verification may lead to inconsistent states or protection discontinuities due to the complex or undecidable nature of the problem. The use of pre-verified configuration definitions that reflect the new security policy enables analysis to determine that a transition from old to new policies is essentially atomic and that any residual effects from the old policy are guaranteed to not conflict with the new policy. The ability to demonstrate continuous protection is rooted in the clear articulation of life cycle protection needs as stakeholder security requirements."},{"id":"sa-8.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(19)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.19_odp }} implement the security design principle of continuous protection."},{"id":"sa-8.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\naccess control policy\n\nsystem and communications protection policy\n\nprocedures addressing boundary protection\n\nprocedures addressing the security design principle of continuous protection used in the specification, design, development, implementation, and modification of the system\n\nsystem configuration settings and associated documentation\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\norganizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sa-8.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of continuous protection in system specification, design, development, implementation, and modification\n\nmechanisms implementing access enforcement functions\n\nmechanisms supporting the application of the security design principle of continuous protection in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sa-8.20","class":"SP800-53-enhancement","title":"Secure Metadata Management","params":[{"id":"sa-08.20_odp","props":[{"name":"alt-identifier","value":"sa-8.20_prm_1"},{"name":"label","value":"SA-08(20)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure metadata management are defined;"}]}],"props":[{"name":"label","value":"SA-8(20)"},{"name":"label","value":"SA-08(20)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.20_smt","name":"statement","prose":"Implement the security design principle of secure metadata management in {{ insert: param, sa-08.20_odp }}."},{"id":"sa-8.20_gdn","name":"guidance","prose":"The principle of secure metadata management states that metadata are \"first class\" objects with respect to security policy when the policy requires either complete protection of information or that the security subsystem be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies on for correct execution. Data is generally not interpreted by the system that stores it. It may have semantic value (i.e., it comprises information) to users and programs that process the data. In contrast, metadata is information about data, such as a file name or the date when the file was created. Metadata is bound to the target data that it describes in a way that the system can interpret, but it need not be stored inside of or proximate to its target data. There may be metadata whose target is itself metadata (e.g., the classification level or impact level of a file name), including self-referential metadata.\n\nThe apparent secondary nature of metadata can lead to neglect of its legitimate need for protection, resulting in a violation of the security policy that includes the exfiltration of information. A particular concern associated with insufficient protections for metadata is associated with multilevel secure (MLS) systems. MLS systems mediate access by a subject to an object based on relative sensitivity levels. It follows that all subjects and objects in the scope of control of the MLS system are either directly labeled or indirectly attributed with sensitivity levels. The corollary of labeled metadata for MLS systems states that objects containing metadata are labeled. As with protection needs assessments for data, attention is given to ensure that the confidentiality and integrity protections are individually assessed, specified, and allocated to metadata, as would be done for mission, business, and system data."},{"id":"sa-8.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(20)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.20_odp }} implement the security design principle of secure metadata management."},{"id":"sa-8.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of metadata management used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of metadata management in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of metadata management in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.21","class":"SP800-53-enhancement","title":"Self-analysis","params":[{"id":"sa-08.21_odp","props":[{"name":"alt-identifier","value":"sa-8.21_prm_1"},{"name":"label","value":"SA-08(21)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of self-analysis are defined;"}]}],"props":[{"name":"label","value":"SA-8(21)"},{"name":"label","value":"SA-08(21)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"sa-8.21_smt","name":"statement","prose":"Implement the security design principle of self-analysis in {{ insert: param, sa-08.21_odp }}."},{"id":"sa-8.21_gdn","name":"guidance","prose":"The principle of self-analysis states that a system component is able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved through hierarchical assessments of trustworthiness established in a bottom-up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components. For example, trusted boot sequences involve a trusted lower-level component that attests to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established. At the root, a component attests to itself, which usually involves an axiomatic or environmentally enforced assumption about its integrity. Results of the self-analyses can be used to guard against externally induced errors, internal malfunction, or transient errors. By following this principle, some simple malfunctions or errors can be detected without allowing the effects of the error or malfunction to propagate outside of the component. Further, the self-test can be used to attest to the configuration of the component, detecting any potential conflicts in configuration with respect to the expected configuration."},{"id":"sa-8.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(21)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.21_odp }} implement the security design principle of self-analysis."},{"id":"sa-8.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of self-analysis used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of self-analysis in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of self-analysis in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.22","class":"SP800-53-enhancement","title":"Accountability and Traceability","params":[{"id":"sa-8.22_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.22_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.22_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.22_odp.01","props":[{"name":"label","value":"SA-08(22)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of accountability are defined;"}]},{"id":"sa-08.22_odp.02","props":[{"name":"label","value":"SA-08(22)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of traceability are defined;"}]}],"props":[{"name":"label","value":"SA-8(22)"},{"name":"label","value":"SA-08(22)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"sa-8.22_smt","name":"statement","prose":"Implement the security design principle of accountability and traceability in {{ insert: param, sa-8.22_prm_1 }}."},{"id":"sa-8.22_gdn","name":"guidance","prose":"The principle of accountability and traceability states that it is possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. The principle of accountability and traceability requires a trustworthy infrastructure that can record details about actions that affect system security (e.g., an audit subsystem). To record the details about actions, the system is able to uniquely identify the entity on whose behalf the action is being carried out and also record the relevant sequence of actions that are carried out. The accountability policy also requires that audit trail itself be protected from unauthorized access and modification. The principle of least privilege assists in tracing the actions to particular entities, as it increases the granularity of accountability. Associating specific actions with system entities, and ultimately with users, and making the audit trail secure against unauthorized access and modifications provide non-repudiation because once an action is recorded, it is not possible to change the audit trail. Another important function that accountability and traceability serves is in the routine and forensic analysis of events associated with the violation of security policy. Analysis of audit logs may provide additional information that may be helpful in determining the path or component that allowed the violation of the security policy and the actions of individuals associated with the violation of the security policy."},{"id":"sa-8.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)","class":"sp800-53a"}],"parts":[{"id":"sa-8.22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.22_odp.01 }} implement the security design principle of accountability;"},{"id":"sa-8.22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.22_odp.02 }} implement the security design principle of traceability."}]},{"id":"sa-8.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\naudit and accountability policy\n\naccess control policy\n\nprocedures addressing least privilege\n\nprocedures addressing auditable events\n\nidentification and authentication policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the security design principle of accountability and traceability used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem audit records\n\nsystem auditable events\n\nsystem configuration settings and associated documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with audit and accountability responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of accountability and traceability in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of accountability and traceability in system specification, design, development, implementation, and modification\n\nmechanisms implementing information system auditing\n\nmechanisms implementing least privilege functions"}]}]},{"id":"sa-8.23","class":"SP800-53-enhancement","title":"Secure Defaults","params":[{"id":"sa-08.23_odp","props":[{"name":"alt-identifier","value":"sa-8.23_prm_1"},{"name":"label","value":"SA-08(23)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure defaults are defined;"}]}],"props":[{"name":"label","value":"SA-8(23)"},{"name":"label","value":"SA-08(23)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"sa-8.23_smt","name":"statement","prose":"Implement the security design principle of secure defaults in {{ insert: param, sa-08.23_odp }}."},{"id":"sa-8.23_gdn","name":"guidance","prose":"The principle of secure defaults states that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that follow a \"deny unless explicitly authorized\" strategy. The initial configuration aspect of this principle requires that any \"as shipped\" configuration of a system, subsystem, or system component does not aid in the violation of the security policy and can prevent the system from operating in the default configuration for those cases where the security policy itself requires configuration by the operational user.\n\nRestrictive defaults mean that the system will operate \"as-shipped\" with adequate self-protection and be able to prevent security breaches before the intended security policy and system configuration is established. In cases where the protection provided by the \"as-shipped\" product is inadequate, stakeholders assess the risk of using it prior to establishing a secure initial state. Adherence to the principle of secure defaults guarantees that a system is established in a secure state upon successfully completing initialization. In situations where the system fails to complete initialization, either it will perform a requested operation using secure defaults or it will not perform the operation. Refer to the principles of continuous protection and secure failure and recovery that parallel this principle to provide the ability to detect and recover from failure.\n\nThe security engineering approach to this principle states that security mechanisms deny requests unless the request is found to be well-formed and consistent with the security policy. The insecure alternative is to allow a request unless it is shown to be inconsistent with the policy. In a large system, the conditions that are satisfied to grant a request that is denied by default are often far more compact and complete than those that would need to be checked in order to deny a request that is granted by default."},{"id":"sa-8.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(23)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.23_odp }} implement the security design principle of secure defaults."},{"id":"sa-8.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nconfiguration management policy\n\nprocedures addressing the security design principle of secure defaults used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nprocedures addressing system documentation\n\nsystem documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure defaults in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure defaults in system specification, design, development, implementation, and modification\n\norganizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"sa-8.24","class":"SP800-53-enhancement","title":"Secure Failure and Recovery","params":[{"id":"sa-8.24_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.24_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.24_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.24_odp.01","props":[{"name":"label","value":"SA-08(24)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure failure are defined;"}]},{"id":"sa-08.24_odp.02","props":[{"name":"label","value":"SA-08(24)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure recovery are defined;"}]}],"props":[{"name":"label","value":"SA-8(24)"},{"name":"label","value":"SA-08(24)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sa-8.24_smt","name":"statement","prose":"Implement the security design principle of secure failure and recovery in {{ insert: param, sa-8.24_prm_1 }}."},{"id":"sa-8.24_gdn","name":"guidance","prose":"The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure leads to a violation of security policy. The principle of secure failure and recovery parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) and to take appropriate steps to ensure that security policies are not violated. In addition, when specified, the system is capable of recovering from impending or actual failure to resume normal, degraded, or alternative secure operations while ensuring that a secure state is maintained such that security policies are not violated.\n\nFailure is a condition in which the behavior of a component deviates from its specified or expected behavior for an explicitly documented input. Once a failed security function is detected, the system may reconfigure itself to circumvent the failed component while maintaining security and provide all or part of the functionality of the original system, or it may completely shut itself down to prevent any further violation of security policies. For this to occur, the reconfiguration functions of the system are designed to ensure continuous enforcement of security policy during the various phases of reconfiguration.\n\nAnother technique that can be used to recover from failures is to perform a rollback to a secure state (which may be the initial state) and then either shutdown or replace the service or component that failed such that secure operations may resume. Failure of a component may or may not be detectable to the components using it. The principle of secure failure indicates that components fail in a state that denies rather than grants access. For example, a nominally \"atomic\" operation interrupted before completion does not violate security policy and is designed to handle interruption events by employing higher-level atomicity and rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties are well-documented and characterized so that the component availing itself of that service can detect and handle interruption events appropriately. For example, a system is designed to gracefully respond to disconnection and support resynchronization and data consistency after disconnection.\n\nFailure protection strategies that employ replication of policy enforcement mechanisms, sometimes called defense in depth, can allow the system to continue in a secure state even when one mechanism has failed to protect the system. If the mechanisms are similar, however, the additional protection may be illusory, as the adversary can simply attack in series. Similarly, in a networked system, breaking the security on one system or service may enable an attacker to do the same on other similar replicated systems and services. By employing multiple protection mechanisms whose features are significantly different, the possibility of attack replication or repetition can be reduced. Analyses are conducted to weigh the costs and benefits of such redundancy techniques against increased resource usage and adverse effects on the overall system performance. Additional analyses are conducted as the complexity of these mechanisms increases, as could be the case for dynamic behaviors. Increased complexity generally reduces trustworthiness. When a resource cannot be continuously protected, it is critical to detect and repair any security breaches before the resource is once again used in a secure context."},{"id":"sa-8.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)","class":"sp800-53a"}],"parts":[{"id":"sa-8.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.24_odp.01 }} implement the security design principle of secure failure;"},{"id":"sa-8.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.24_odp.02 }} implement the security design principle of secure recovery."}]},{"id":"sa-8.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and communications protection policy\n\ncontingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\nprocedures addressing the security design principle of secure failure and recovery used in the specification, design, development, implementation, and modification of the system\n\ncontingency plan\n\nprocedures addressing system backup\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\norganizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with information system backup responsibilities"}]},{"id":"sa-8.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing secure failure\n\norganizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing\n\nmechanisms supporting recovery and reconstitution of the system\n\norganizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"sa-8.25","class":"SP800-53-enhancement","title":"Economic Security","params":[{"id":"sa-08.25_odp","props":[{"name":"alt-identifier","value":"sa-8.25_prm_1"},{"name":"label","value":"SA-08(25)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of economic security are defined;"}]}],"props":[{"name":"label","value":"SA-8(25)"},{"name":"label","value":"SA-08(25)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sa-8.25_smt","name":"statement","prose":"Implement the security design principle of economic security in {{ insert: param, sa-08.25_odp }}."},{"id":"sa-8.25_gdn","name":"guidance","prose":"The principle of economic security states that security mechanisms are not costlier than the potential damage that could occur from a security breach. This is the security-relevant form of the cost-benefit analyses used in risk management. The cost assumptions of cost-benefit analysis prevent the system designer from incorporating security mechanisms of greater strength than necessary, where strength of mechanism is proportional to cost. The principle of economic security also requires analysis of the benefits of assurance relative to the cost of that assurance in terms of the effort expended to obtain relevant and credible evidence as well as the necessary analyses to assess and draw trustworthiness and risk conclusions from the evidence."},{"id":"sa-8.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(25)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.25_odp }} implement the security design principle of economic security."},{"id":"sa-8.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of economic security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\ncost-benefit analysis\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of economic security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of economic security in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.26","class":"SP800-53-enhancement","title":"Performance Security","params":[{"id":"sa-08.26_odp","props":[{"name":"alt-identifier","value":"sa-8.26_prm_1"},{"name":"label","value":"SA-08(26)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of performance security are defined;"}]}],"props":[{"name":"label","value":"SA-8(26)"},{"name":"label","value":"SA-08(26)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-8.26_smt","name":"statement","prose":"Implement the security design principle of performance security in {{ insert: param, sa-08.26_odp }}."},{"id":"sa-8.26_gdn","name":"guidance","prose":"The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers adhere to the specified constraints that capability performance needs place on protection needs. The overall impact of computationally intensive security services (e.g., cryptography) are assessed and demonstrated to pose no significant impact to higher-priority performance considerations or are deemed to provide an acceptable trade-off of performance for trustworthy protection. The trade-off considerations include less computationally intensive security services unless they are unavailable or insufficient. The insufficiency of a security service is determined by functional capability and strength of mechanism. The strength of mechanism is selected with respect to security requirements, performance-critical overhead issues (e.g., cryptographic key management), and an assessment of the capability of the threat.\n\nThe principle of performance security leads to the incorporation of features that help in the enforcement of security policy but incur minimum overhead, such as low-level hardware mechanisms upon which higher-level services can be built. Such low-level mechanisms are usually very specific, have very limited functionality, and are optimized for performance. For example, once access rights to a portion of memory is granted, many systems use hardware mechanisms to ensure that all further accesses involve the correct memory address and access mode. Application of this principle reinforces the need to design security into the system from the ground up and to incorporate simple mechanisms at the lower layers that can be used as building blocks for higher-level mechanisms."},{"id":"sa-8.26_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(26)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.26_odp }} implement the security design principle of performance security."},{"id":"sa-8.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of performance security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\ntrade-off analysis between performance and security\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of performance security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of performance security in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.27","class":"SP800-53-enhancement","title":"Human Factored Security","params":[{"id":"sa-08.27_odp","props":[{"name":"alt-identifier","value":"sa-8.27_prm_1"},{"name":"label","value":"SA-08(27)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of human factored security are defined;"}]}],"props":[{"name":"label","value":"SA-8(27)"},{"name":"label","value":"SA-08(27)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.27_smt","name":"statement","prose":"Implement the security design principle of human factored security in {{ insert: param, sa-08.27_odp }}."},{"id":"sa-8.27_gdn","name":"guidance","prose":"The principle of human factored security states that the user interface for security functions and supporting services is intuitive, user-friendly, and provides feedback for user actions that affect such policy and its enforcement. The mechanisms that enforce security policy are not intrusive to the user and are designed not to degrade user efficiency. Security policy enforcement mechanisms also provide the user with meaningful, clear, and relevant feedback and warnings when insecure choices are being made. Particular attention is given to interfaces through which personnel responsible for system administration and operation configure and set up the security policies. Ideally, these personnel are able to understand the impact of their choices. Personnel with system administrative and operational responsibilities are able to configure systems before start-up and administer them during runtime with confidence that their intent is correctly mapped to the system’s mechanisms. Security services, functions, and mechanisms do not impede or unnecessarily complicate the intended use of the system. There is a trade-off between system usability and the strictness necessary for security policy enforcement. If security mechanisms are frustrating or difficult to use, then users may disable them, avoid them, or use them in ways inconsistent with the security requirements and protection needs that the mechanisms were designed to satisfy."},{"id":"sa-8.27_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(27)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.27_odp }} implement the security design principle of human factored security."},{"id":"sa-8.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of human factored security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nusability analysis\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with human factored security responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of human factored security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of human factored security in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.28","class":"SP800-53-enhancement","title":"Acceptable Security","params":[{"id":"sa-08.28_odp","props":[{"name":"alt-identifier","value":"sa-8.28_prm_1"},{"name":"label","value":"SA-08(28)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of acceptable security are defined;"}]}],"props":[{"name":"label","value":"SA-8(28)"},{"name":"label","value":"SA-08(28)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.28_smt","name":"statement","prose":"Implement the security design principle of acceptable security in {{ insert: param, sa-08.28_odp }}."},{"id":"sa-8.28_gdn","name":"guidance","prose":"The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure."},{"id":"sa-8.28_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(28)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.28_odp }} implement the security design principle of acceptable security."},{"id":"sa-8.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the security design principle of acceptable security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\npersonally identifiable information processing policy\n\nprivacy notifications provided to users\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of acceptable security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of acceptable security in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.29","class":"SP800-53-enhancement","title":"Repeatable and Documented Procedures","params":[{"id":"sa-08.29_odp","props":[{"name":"alt-identifier","value":"sa-8.29_prm_1"},{"name":"label","value":"SA-08(29)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of repeatable and documented procedures are defined;"}]}],"props":[{"name":"label","value":"SA-8(29)"},{"name":"label","value":"SA-08(29)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-1","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#si-1","rel":"related"}],"parts":[{"id":"sa-8.29_smt","name":"statement","prose":"Implement the security design principle of repeatable and documented procedures in {{ insert: param, sa-08.29_odp }}."},{"id":"sa-8.29_gdn","name":"guidance","prose":"The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier, which may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and the ability to inspect the artifacts. Repeatable and documented procedures can be introduced at various stages within the system development life cycle and contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review, procedures for the configuration management of development tools and system artifacts, and procedures for system delivery."},{"id":"sa-8.29_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(29)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.29_odp }} implement the security design principle of repeatable and documented procedures."},{"id":"sa-8.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of repeatable and documented procedures used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.30","class":"SP800-53-enhancement","title":"Procedural Rigor","params":[{"id":"sa-08.30_odp","props":[{"name":"alt-identifier","value":"sa-8.30_prm_1"},{"name":"label","value":"SA-08(30)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of procedural rigor are defined;"}]}],"props":[{"name":"label","value":"SA-8(30)"},{"name":"label","value":"SA-08(30)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.30_smt","name":"statement","prose":"Implement the security design principle of procedural rigor in {{ insert: param, sa-08.30_odp }}."},{"id":"sa-8.30_gdn","name":"guidance","prose":"The principle of procedural rigor states that the rigor of a system life cycle process is commensurate with its intended trustworthiness. Procedural rigor defines the scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle procedures contribute to the assurance that the system is correct and free of unintended functionality in several ways. First, the procedures impose checks and balances on the life cycle process such that the introduction of unspecified functionality is prevented.\n\nSecond, rigorous procedures applied to systems security engineering activities that produce specifications and other system design documents contribute to the ability to understand the system as it has been built rather than trusting that the component, as implemented, is the authoritative (and potentially misleading) specification.\n\nFinally, modifications to an existing system component are easier when there are detailed specifications that describe its current design instead of studying source code or schematics to try to understand how it works. Procedural rigor helps ensure that security functional and assurance requirements have been satisfied, and it contributes to a better-informed basis for the determination of trustworthiness and risk posture. Procedural rigor is commensurate with the degree of assurance desired for the system. If the required trustworthiness of the system is low, a high level of procedural rigor may add unnecessary cost, whereas when high trustworthiness is critical, the cost of high procedural rigor is merited."},{"id":"sa-8.30_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(30)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.30_odp }} implement the security design principle of procedural rigor."},{"id":"sa-8.30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(30)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of procedural rigor used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(30)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(30)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of procedural rigor in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of procedural rigor in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.31","class":"SP800-53-enhancement","title":"Secure System Modification","params":[{"id":"sa-08.31_odp","props":[{"name":"alt-identifier","value":"sa-8.31_prm_1"},{"name":"label","value":"SA-08(31)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure system modification are defined;"}]}],"props":[{"name":"label","value":"SA-8(31)"},{"name":"label","value":"SA-08(31)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"}],"parts":[{"id":"sa-8.31_smt","name":"statement","prose":"Implement the security design principle of secure system modification in {{ insert: param, sa-08.31_odp }}."},{"id":"sa-8.31_gdn","name":"guidance","prose":"The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability."},{"id":"sa-8.31_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(31)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.31_odp }} implement the security design principle of secure system modification."},{"id":"sa-8.31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(31)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nconfiguration management policy and procedures\n\nprocedures addressing the security design principle of secure system modification used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(31)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(31)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure system modification in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure system modification in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]},{"id":"sa-8.32","class":"SP800-53-enhancement","title":"Sufficient Documentation","params":[{"id":"sa-08.32_odp","props":[{"name":"alt-identifier","value":"sa-8.32_prm_1"},{"name":"label","value":"SA-08(32)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of sufficient documentation are defined;"}]}],"props":[{"name":"label","value":"SA-8(32)"},{"name":"label","value":"SA-08(32)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-8.32_smt","name":"statement","prose":"Implement the security design principle of sufficient documentation in {{ insert: param, sa-08.32_odp }}."},{"id":"sa-8.32_gdn","name":"guidance","prose":"The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities."},{"id":"sa-8.32_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(32)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.32_odp }} implement the security design principle of sufficient documentation."},{"id":"sa-8.32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(32)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of sufficient documentation used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy documentation\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(32)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(32)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]},{"id":"sa-8.33","class":"SP800-53-enhancement","title":"Minimization","params":[{"id":"sa-08.33_odp","props":[{"name":"alt-identifier","value":"sa-8.33_prm_1"},{"name":"label","value":"SA-08(33)_ODP","class":"sp800-53a"}],"label":"processes","guidelines":[{"prose":"processes that implement the privacy principle of minimization are defined;"}]}],"props":[{"name":"label","value":"SA-8(33)"},{"name":"label","value":"SA-08(33)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.33"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#pe-8","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-8.33_smt","name":"statement","prose":"Implement the privacy principle of minimization using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_gdn","name":"guidance","prose":"The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization."},{"id":"sa-8.33_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(33)","class":"sp800-53a"}],"prose":"the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(33)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing the minimization of personally identifiable information in system design\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\ninformation security and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.33_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(33)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.33_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(33)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security and privacy policy\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;"},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;"},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;"},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.1","class":"SP800-53-enhancement","title":"Risk Assessments and Organizational Approvals","params":[{"id":"sa-09.01_odp","props":[{"name":"alt-identifier","value":"sa-9.1_prm_1"},{"name":"label","value":"SA-09(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that approve the acquisition or outsourcing of dedicated information security services is\/are defined;"}]}],"props":[{"name":"label","value":"SA-9(1)"},{"name":"label","value":"SA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"sa-9.1_smt","name":"statement","parts":[{"id":"sa-9.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and"},{"id":"sa-9.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}."}]},{"id":"sa-9.1_gdn","name":"guidance","prose":"Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks."},{"id":"sa-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)","class":"sp800-53a"}],"parts":[{"id":"sa-9.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)(a)","class":"sp800-53a"}],"prose":"an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;"},{"id":"sa-9.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services."}]},{"id":"sa-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and\/or implementing risk assessment\n\nmechanisms supporting and\/or implementing approval processes"}]}]},{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]},{"id":"sa-9.3","class":"SP800-53-enhancement","title":"Establish and Maintain Trust Relationship with Providers","params":[{"id":"sa-9.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-09.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-09.03_odp.02"}],"label":"organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships"},{"id":"sa-09.03_odp.01","props":[{"name":"label","value":"SA-09(03)_ODP[01]","class":"sp800-53a"}],"label":"security requirements, properties, factors, or conditions","guidelines":[{"prose":"security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;"}]},{"id":"sa-09.03_odp.02","props":[{"name":"label","value":"SA-09(03)_ODP[02]","class":"sp800-53a"}],"label":"privacy requirements, properties, factors, or conditions","guidelines":[{"prose":"privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;"}]}],"props":[{"name":"label","value":"SA-9(3)"},{"name":"label","value":"SA-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"sa-9.3_smt","name":"statement","prose":"Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: {{ insert: param, sa-9.3_prm_1 }}."},{"id":"sa-9.3_gdn","name":"guidance","prose":"Trust relationships between organizations and external service providers reflect the degree of confidence that the risk from using external services is at an acceptable level. Trust relationships can help organizations gain increased levels of confidence that service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties. In some cases, the degree of trust is based on the level of control that organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements."},{"id":"sa-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)","class":"sp800-53a"}],"parts":[{"id":"sa-9.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[01]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are established and documented;"},{"id":"sa-9.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[02]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are maintained;"},{"id":"sa-9.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[03]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are established and documented;"},{"id":"sa-9.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[04]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are maintained."}]},{"id":"sa-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\nmemorandum of understanding\n\nmemorandum of agreements\n\nlist of organizational security and privacy requirements, properties, factors, or conditions for external provider services\n\ndocumentation of trust relationships with external service providers\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-9.4","class":"SP800-53-enhancement","title":"Consistent Interests of Consumers and Providers","params":[{"id":"sa-09.04_odp.01","props":[{"name":"alt-identifier","value":"sa-9.4_prm_1"},{"name":"label","value":"SA-09(04)_ODP[01]","class":"sp800-53a"}],"label":"external service providers","guidelines":[{"prose":"external service providers are defined;"}]},{"id":"sa-09.04_odp.02","props":[{"name":"alt-identifier","value":"sa-9.4_prm_2"},{"name":"label","value":"SA-09(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined;"}]}],"props":[{"name":"label","value":"SA-9(4)"},{"name":"label","value":"SA-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"}],"parts":[{"id":"sa-9.4_smt","name":"statement","prose":"Take the following actions to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests: {{ insert: param, sa-09.04_odp.02 }}."},{"id":"sa-9.4_gdn","name":"guidance","prose":"As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with the interests of the consuming organizations. Actions that organizations take to address such concerns include requiring background checks for selected service provider personnel; examining ownership records; employing only trustworthy service providers, such as providers with which organizations have had successful trust relationships; and conducting routine, periodic, unscheduled visits to service provider facilities."},{"id":"sa-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09.04_odp.02 }} are taken to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests."},{"id":"sa-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\norganizational security requirements\/safeguards for external service providers\n\npersonnel security policies for external service providers\n\nassessments performed on external service providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers\n\nmechanisms supporting and\/or implementing safeguards to ensure consistent interests with external service providers"}]}]},{"id":"sa-9.5","class":"SP800-53-enhancement","title":"Processing, Storage, and Service Location","params":[{"id":"sa-09.05_odp.01","props":[{"name":"alt-identifier","value":"sa-9.5_prm_1"},{"name":"label","value":"SA-09(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["information processing","information or data","system services"]}},{"id":"sa-09.05_odp.02","props":[{"name":"alt-identifier","value":"sa-9.5_prm_2"},{"name":"label","value":"SA-09(05)_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations where {{ insert: param, sa-09.05_odp.01 }} is\/are to be restricted are defined;"}]},{"id":"sa-09.05_odp.03","props":[{"name":"alt-identifier","value":"sa-9.5_prm_3"},{"name":"alt-label","value":"requirements or conditions","class":"sp800-53"},{"name":"label","value":"SA-09(05)_ODP[03]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;"}]}],"props":[{"name":"label","value":"SA-9(5)"},{"name":"label","value":"SA-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"sa-9.5_smt","name":"statement","prose":"Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}."},{"id":"sa-9.5_gdn","name":"guidance","prose":"The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and\/or the locations from which system services emanate."},{"id":"sa-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(05)","class":"sp800-53a"}],"prose":"based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is\/are restricted to {{ insert: param, sa-09.05_odp.02 }}."},{"id":"sa-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation\/data and\/or system services\n\ninformation processing, information\/data, and\/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining the requirements to restrict locations of information processing, information\/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions"}]}]},{"id":"sa-9.6","class":"SP800-53-enhancement","title":"Organization-controlled Cryptographic Keys","props":[{"name":"label","value":"SA-9(6)"},{"name":"label","value":"SA-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sa-9.6_smt","name":"statement","prose":"Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system."},{"id":"sa-9.6_gdn","name":"guidance","prose":"Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system but allows exclusive organizational access to the encryption keys."},{"id":"sa-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(06)","class":"sp800-53a"}],"prose":"exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system."},{"id":"sa-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing organization-controlled cryptographic key management\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with cryptographic key management responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for cryptographic key management\n\nmechanisms for supporting and implementing the management of organization-controlled cryptographic keys"}]}]},{"id":"sa-9.7","class":"SP800-53-enhancement","title":"Organization-controlled Integrity Checking","props":[{"name":"label","value":"SA-9(7)"},{"name":"label","value":"SA-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-9.7_smt","name":"statement","prose":"Provide the capability to check the integrity of information while it resides in the external system."},{"id":"sa-9.7_gdn","name":"guidance","prose":"Storage of organizational information in an external system could limit visibility into the security status of its data. The ability of the organization to verify and validate the integrity of its stored data without transferring it out of the external system provides such visibility."},{"id":"sa-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(07)","class":"sp800-53a"}],"prose":"the capability is provided to check the integrity of information while it resides in the external system."},{"id":"sa-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing organization-controlled integrity checking\n\ninformation\/data and\/or system services\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with integrity checking responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for integrity checking\n\nmechanisms for supporting and implementing integrity checking of information in external systems"}]}]},{"id":"sa-9.8","class":"SP800-53-enhancement","title":"Processing and Storage Location — U.S. Jurisdiction","props":[{"name":"label","value":"SA-9(8)"},{"name":"label","value":"SA-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"sa-9.8_smt","name":"statement","prose":"Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States."},{"id":"sa-9.8_gdn","name":"guidance","prose":"The geographic location of information processing and data storage can have a direct impact on the ability of organizations to successfully execute their mission and business functions. A compromise or breach of high impact information and systems can have severe or catastrophic adverse impacts on organizational assets and operations, individuals, other organizations, and the Nation. Restricting the processing and storage of high-impact information to facilities within the legal jurisdictional boundary of the United States provides greater control over such processing and storage."},{"id":"sa-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(08)","class":"sp800-53a"}],"prose":"the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States."},{"id":"sa-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing determining jurisdiction restrictions for processing and storage location\n\ninformation\/data and\/or system services\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with supply chain risk management responsibilities\n\nexternal providers of system services"}]},{"id":"sa-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes restricting external system service providers to process and store information within the legal jurisdictional boundary of the United States"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."}]}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}],"controls":[{"id":"sa-10.1","class":"SP800-53-enhancement","title":"Software and Firmware Integrity Verification","props":[{"name":"label","value":"SA-10(1)"},{"name":"label","value":"SA-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sa-10.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components."},{"id":"sa-10.1_gdn","name":"guidance","prose":"Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components."},{"id":"sa-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components."},{"id":"sa-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsoftware and firmware integrity verification records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.2","class":"SP800-53-enhancement","title":"Alternative Configuration Management Processes","props":[{"name":"label","value":"SA-10(2)"},{"name":"label","value":"SA-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.2_smt","name":"statement","prose":"Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team."},{"id":"sa-10.2_gdn","name":"guidance","prose":"Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services."},{"id":"sa-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(02)","class":"sp800-53a"}],"prose":"an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team."},{"id":"sa-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nconfiguration management policy\n\nconfiguration management plan\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity impact analyses\n\nprivacy impact analyses\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.3","class":"SP800-53-enhancement","title":"Hardware Integrity Verification","props":[{"name":"label","value":"SA-10(3)"},{"name":"label","value":"SA-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-10.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to enable integrity verification of hardware components."},{"id":"sa-10.3_gdn","name":"guidance","prose":"Hardware integrity verification allows organizations to detect unauthorized changes to hardware components using developer-provided tools, techniques, methods, and mechanisms. Organizations may verify the integrity of hardware components with hard-to-copy labels, verifiable serial numbers provided by developers, and by requiring the use of anti-tamper technologies. Delivered hardware components also include hardware and firmware updates to such components."},{"id":"sa-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(03)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to enable integrity verification of hardware components."},{"id":"sa-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nhardware integrity verification records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.4","class":"SP800-53-enhancement","title":"Trusted Generation","props":[{"name":"label","value":"SA-10(4)"},{"name":"label","value":"SA-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions."},{"id":"sa-10.4_gdn","name":"guidance","prose":"The trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code continue to enforce the security policy for the system, system component, or system service. In contrast, [SA-10(1)](#sa-10.1) and [SA-10(3)](#sa-10.3) allow organizations to detect unauthorized changes to hardware, software, and firmware components using tools, techniques, or mechanisms provided by developers."},{"id":"sa-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)","class":"sp800-53a"}],"parts":[{"id":"sa-10.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;"},{"id":"sa-10.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;"},{"id":"sa-10.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions."}]},{"id":"sa-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nconfiguration control audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.5","class":"SP800-53-enhancement","title":"Mapping Integrity for Version Control","props":[{"name":"label","value":"SA-10(5)"},{"name":"label","value":"SA-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."},{"id":"sa-10.5_gdn","name":"guidance","prose":"Mapping integrity for version control addresses changes to hardware, software, and firmware components during both initial development and system development life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs, hardware drawings, source code) and the equivalent data in master copies in operational environments is essential to ensuring the availability of organizational systems that support critical mission and business functions."},{"id":"sa-10.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(05)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."},{"id":"sa-10.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nversion control change\/update records\n\nintegrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.6","class":"SP800-53-enhancement","title":"Trusted Distribution","props":[{"name":"label","value":"SA-10(6)"},{"name":"label","value":"SA-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."},{"id":"sa-10.6_gdn","name":"guidance","prose":"The trusted distribution of security-relevant hardware, software, and firmware updates help to ensure that the updates are correct representations of the master copies maintained by the developer and have not been tampered with during distribution."},{"id":"sa-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."},{"id":"sa-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.7","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"sa-10.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"sa-10.7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.04"}],"label":"organization-defined configuration change management and control process"},{"id":"sa-10.07_odp.01","props":[{"name":"label","value":"SA-10(07)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives to be included in the configuration change management and control process are defined;"}]},{"id":"sa-10.07_odp.02","props":[{"name":"label","value":"SA-10(07)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives to be included in the configuration change management and control process are defined;"}]},{"id":"sa-10.07_odp.03","props":[{"name":"label","value":"SA-10(07)_ODP[03]","class":"sp800-53a"}],"label":"configuration change management and control processes","guidelines":[{"prose":"configuration change management and control processes in which security representatives are required to be included are defined;"}]},{"id":"sa-10.07_odp.04","props":[{"name":"label","value":"SA-10(07)_ODP[04]","class":"sp800-53a"}],"label":"configuration change management and control processes","guidelines":[{"prose":"configuration change management and control processes in which privacy representatives are required to be included are defined;"}]}],"props":[{"name":"label","value":"SA-10(7)"},{"name":"label","value":"SA-10(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.7_smt","name":"statement","prose":"Require {{ insert: param, sa-10.7_prm_1 }} to be included in the {{ insert: param, sa-10.7_prm_2 }}."},{"id":"sa-10.7_gdn","name":"guidance","prose":"Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in [SA-10b](#sa-10_smt.b)."},{"id":"sa-10.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)","class":"sp800-53a"}],"parts":[{"id":"sa-10.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-10.07_odp.01 }} are required to be included in the {{ insert: param, sa-10.07_odp.03 }};"},{"id":"sa-10.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-10.07_odp.02 }} are required to be included in the {{ insert: param, sa-10.07_odp.04 }}."}]},{"id":"sa-10.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nconfiguration management policy\n\nconfiguration management plan\n\nsolicitation documentation requiring representatives for security and privacy\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}],"controls":[{"id":"sa-11.1","class":"SP800-53-enhancement","title":"Static Code Analysis","props":[{"name":"label","value":"SA-11(1)"},{"name":"label","value":"SA-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis."},{"id":"sa-11.1_gdn","name":"guidance","prose":"Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources."},{"id":"sa-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)","class":"sp800-53a"}],"parts":[{"id":"sa-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;"},{"id":"sa-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis."}]},{"id":"sa-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools"}]}]},{"id":"sa-11.2","class":"SP800-53-enhancement","title":"Threat Modeling and Vulnerability Analyses","params":[{"id":"sa-11.2_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.04"}],"label":"organization-defined breadth and depth of modeling and analyses"},{"id":"sa-11.2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.06"}],"label":"organization-defined acceptance criteria"},{"id":"sa-11.02_odp.01","props":[{"name":"alt-identifier","value":"sa-11.2_prm_1"},{"name":"alt-label","value":"information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels","class":"sp800-53"},{"name":"label","value":"SA-11(02)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;"}]},{"id":"sa-11.02_odp.02","props":[{"name":"alt-identifier","value":"sa-11.2_prm_2"},{"name":"label","value":"SA-11(02)_ODP[02]","class":"sp800-53a"}],"label":"tools and methods","guidelines":[{"prose":"the tools and methods to be employed for threat modeling and vulnerability analyses are defined;"}]},{"id":"sa-11.02_odp.03","props":[{"name":"label","value":"SA-11(02)_ODP[03]","class":"sp800-53a"}],"label":"breadth and depth","guidelines":[{"prose":"the breadth and depth of threat modeling to be conducted is defined;"}]},{"id":"sa-11.02_odp.04","props":[{"name":"label","value":"SA-11(02)_ODP[04]","class":"sp800-53a"}],"label":"breadth and depth","guidelines":[{"prose":"the breadth and depth of vulnerability analyses to be conducted is defined;"}]},{"id":"sa-11.02_odp.05","props":[{"name":"label","value":"SA-11(02)_ODP[05]","class":"sp800-53a"}],"label":"acceptance criteria","guidelines":[{"prose":"acceptance criteria to be met by produced evidence for threat modeling are defined;"}]},{"id":"sa-11.02_odp.06","props":[{"name":"label","value":"SA-11(02)_ODP[06]","class":"sp800-53a"}],"label":"acceptance criteria","guidelines":[{"prose":"acceptance criteria to be met by produced evidence for vulnerability analyses are defined;"}]}],"props":[{"name":"label","value":"SA-11(2)"},{"name":"label","value":"SA-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#pm-15","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sa-11.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:","parts":[{"id":"sa-11.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};"},{"id":"sa-11.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};"},{"id":"sa-11.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and"},{"id":"sa-11.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}."}]},{"id":"sa-11.2_gdn","name":"guidance","prose":"Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated."},{"id":"sa-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"},{"id":"sa-11.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"},{"id":"sa-11.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"},{"id":"sa-11.2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"}]},{"id":"sa-11.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"},{"id":"sa-11.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"},{"id":"sa-11.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"},{"id":"sa-11.2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"}]},{"id":"sa-11.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;"},{"id":"sa-11.2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};"}]},{"id":"sa-11.2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};"},{"id":"sa-11.2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};"},{"id":"sa-11.2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};"},{"id":"sa-11.2_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}."}]}]},{"id":"sa-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.3","class":"SP800-53-enhancement","title":"Independent Verification of Assessment Plans and Evidence","params":[{"id":"sa-11.03_odp","props":[{"name":"alt-identifier","value":"sa-11.3_prm_1"},{"name":"label","value":"SA-11(03)_ODP","class":"sp800-53a"}],"label":"independence criteria","guidelines":[{"prose":"independence criteria to be satisfied by an independent agent are defined;"}]}],"props":[{"name":"label","value":"SA-11(3)"},{"name":"label","value":"SA-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#at-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sa-11.3_smt","name":"statement","parts":[{"id":"sa-11.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require an independent agent satisfying {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and"},{"id":"sa-11.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information."}]},{"id":"sa-11.3_gdn","name":"guidance","prose":"Independent agents have the qualifications—including the expertise, skills, training, certifications, and experience—to verify the correct implementation of developer security and privacy assessment plans."},{"id":"sa-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)","class":"sp800-53a"}],"parts":[{"id":"sa-11.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)[01]","class":"sp800-53a"}],"prose":"an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;"},{"id":"sa-11.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)[02]","class":"sp800-53a"}],"prose":"an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;"}]},{"id":"sa-11.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(b)","class":"sp800-53a"}],"prose":"the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information."}]},{"id":"sa-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nindependent verification and validation reports\n\nsecurity and privacy assessment plans\n\nresults of security and privacy assessments for the system, system component, or system service\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sa-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.4","class":"SP800-53-enhancement","title":"Manual Code Reviews","params":[{"id":"sa-11.04_odp.01","props":[{"name":"alt-identifier","value":"sa-11.4_prm_1"},{"name":"label","value":"SA-11(04)_ODP[01]","class":"sp800-53a"}],"label":"specific code","guidelines":[{"prose":"specific code requiring manual code review is defined;"}]},{"id":"sa-11.04_odp.02","props":[{"name":"alt-identifier","value":"sa-11.4_prm_2"},{"name":"label","value":"SA-11(04)_ODP[02]","class":"sp800-53a"}],"label":"processes, procedures, and\/or techniques","guidelines":[{"prose":"processes, procedures, and\/or techniques used for manual code reviews are defined;"}]}],"props":[{"name":"label","value":"SA-11(4)"},{"name":"label","value":"SA-11(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using the following processes, procedures, and\/or techniques: {{ insert: param, sa-11.04_odp.02 }}."},{"id":"sa-11.4_gdn","name":"guidance","prose":"Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls."},{"id":"sa-11.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(04)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using {{ insert: param, sa-11.04_odp.02 }}."},{"id":"sa-11.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocesses, procedures, and\/or techniques for performing manual code reviews\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nlist of code requiring manual reviews\n\nrecords of manual code reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer testing and evaluation"}]}]},{"id":"sa-11.5","class":"SP800-53-enhancement","title":"Penetration Testing","params":[{"id":"sa-11.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.05_odp.02"}],"label":"organization-defined breadth and depth of testing"},{"id":"sa-11.05_odp.01","props":[{"name":"label","value":"SA-11(05)_ODP[01]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of penetration testing is defined;"}]},{"id":"sa-11.05_odp.02","props":[{"name":"label","value":"SA-11(05)_ODP[02]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of penetration testing is defined;"}]},{"id":"sa-11.05_odp.03","props":[{"name":"alt-identifier","value":"sa-11.5_prm_2"},{"name":"label","value":"SA-11(05)_ODP[03]","class":"sp800-53a"}],"label":"constraints","guidelines":[{"prose":"constraints of penetration testing are defined;"}]}],"props":[{"name":"label","value":"SA-11(5)"},{"name":"label","value":"SA-11(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"sa-11.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform penetration testing:","parts":[{"id":"sa-11.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following level of rigor: {{ insert: param, sa-11.5_prm_1 }} ; and"},{"id":"sa-11.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Under the following constraints: {{ insert: param, sa-11.05_odp.03 }}."}]},{"id":"sa-11.5_gdn","name":"guidance","prose":"Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent the implemented security and privacy features of information technology products and systems. Useful information for assessors who conduct penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black-box testing with analyses performed by skilled professionals who simulate adversary actions. The objective of penetration testing is to discover vulnerabilities in systems, system components, and services that result from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy."},{"id":"sa-11.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)","class":"sp800-53a"}],"parts":[{"id":"sa-11.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.01 }};"},{"id":"sa-11.5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.02 }};"}]},{"id":"sa-11.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing under {{ insert: param, sa-11.05_odp.03 }}."}]},{"id":"sa-11.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer penetration testing and evaluation plans\n\nsystem developer penetration testing and evaluation results\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"sa-11.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security and privacy assessments\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy assessments"}]}]},{"id":"sa-11.6","class":"SP800-53-enhancement","title":"Attack Surface Reviews","props":[{"name":"label","value":"SA-11(6)"},{"name":"label","value":"SA-11(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#sa-15","rel":"related"}],"parts":[{"id":"sa-11.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform attack surface reviews."},{"id":"sa-11.6_gdn","name":"guidance","prose":"Attack surfaces of systems and system components are exposed areas that make those systems more vulnerable to attacks. Attack surfaces include any accessible areas where weaknesses or deficiencies in the hardware, software, and firmware components provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers analyze the design and implementation changes to systems and mitigate attack vectors generated as a result of the changes. The correction of identified flaws includes deprecation of unsafe functions."},{"id":"sa-11.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform attack surface reviews."},{"id":"sa-11.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nrecords of attack surface reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.7","class":"SP800-53-enhancement","title":"Verify Scope of Testing and Evaluation","params":[{"id":"sa-11.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.07_odp.02"}],"label":"organization-defined breadth and depth of testing and evaluation"},{"id":"sa-11.07_odp.01","props":[{"name":"label","value":"SA-11(07)_ODP[01]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of testing and evaluation of required controls is defined;"}]},{"id":"sa-11.07_odp.02","props":[{"name":"label","value":"SA-11(07)_ODP[02]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of testing and evaluation of required controls is defined;"}]}],"props":[{"name":"label","value":"SA-11(7)"},{"name":"label","value":"SA-11(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#sa-15","rel":"related"}],"parts":[{"id":"sa-11.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: {{ insert: param, sa-11.7_prm_1 }}."},{"id":"sa-11.7_gdn","name":"guidance","prose":"Verifying that testing and evaluation provides complete coverage of required controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance that corresponds to the degree of formality of the analysis. Rigorously demonstrating control coverage at the highest levels of assurance can be achieved using formal modeling and analysis techniques, including correlation between control implementation and corresponding test cases."},{"id":"sa-11.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)","class":"sp800-53a"}],"parts":[{"id":"sa-11.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.01 }};"},{"id":"sa-11.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.02 }}."}]},{"id":"sa-11.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.8","class":"SP800-53-enhancement","title":"Dynamic Code Analysis","props":[{"name":"label","value":"SA-11(8)"},{"name":"label","value":"SA-11(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis."},{"id":"sa-11.8_gdn","name":"guidance","prose":"Dynamic code analysis provides runtime verification of software programs using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs runtime tools to ensure that security functionality performs in the way it was designed. A type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies are derived from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and the assurance provided, organizations may also consider conducting code coverage analysis (i.e., checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and\/or concordance analysis (i.e., checking for words that are out of place in software code, such as non-English language words or derogatory terms)."},{"id":"sa-11.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)","class":"sp800-53a"}],"parts":[{"id":"sa-11.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;"},{"id":"sa-11.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the results of the analysis."}]},{"id":"sa-11.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.9","class":"SP800-53-enhancement","title":"Interactive Application Security Testing","props":[{"name":"label","value":"SA-11(9)"},{"name":"label","value":"SA-11(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results."},{"id":"sa-11.9_gdn","name":"guidance","prose":"Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to directly measure control effectiveness. When combined with analysis techniques, interactive application security testing can identify a broad range of potential vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in real time and can be used continuously throughout the system development life cycle."},{"id":"sa-11.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)","class":"sp800-53a"}],"parts":[{"id":"sa-11.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;"},{"id":"sa-11.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the results of flaw identification."}]},{"id":"sa-11.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing interactive application security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for interactive application security testing\n\nmechanisms supporting and\/or implementing interactive application security testing"}]}]}]},{"id":"sa-12","class":"SP800-53","title":"Supply Chain Protection","props":[{"name":"label","value":"SA-12"},{"name":"label","value":"SA-12","class":"sp800-53a"},{"name":"sort-id","value":"sa-12"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr","rel":"incorporated-into"}],"controls":[{"id":"sa-12.1","class":"SP800-53-enhancement","title":"Acquisition Strategies \/ Tools \/ Methods","props":[{"name":"label","value":"SA-12(1)"},{"name":"label","value":"SA-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5","rel":"moved-to"}]},{"id":"sa-12.2","class":"SP800-53-enhancement","title":"Supplier Reviews","props":[{"name":"label","value":"SA-12(2)"},{"name":"label","value":"SA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-6","rel":"moved-to"}]},{"id":"sa-12.3","class":"SP800-53-enhancement","title":"Trusted Shipping and Warehousing","props":[{"name":"label","value":"SA-12(3)"},{"name":"label","value":"SA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3","rel":"incorporated-into"}]},{"id":"sa-12.4","class":"SP800-53-enhancement","title":"Diversity of Suppliers","props":[{"name":"label","value":"SA-12(4)"},{"name":"label","value":"SA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3.1","rel":"moved-to"}]},{"id":"sa-12.5","class":"SP800-53-enhancement","title":"Limitation of Harm","props":[{"name":"label","value":"SA-12(5)"},{"name":"label","value":"SA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3.2","rel":"moved-to"}]},{"id":"sa-12.6","class":"SP800-53-enhancement","title":"Minimizing Procurement Time","props":[{"name":"label","value":"SA-12(6)"},{"name":"label","value":"SA-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5.1","rel":"incorporated-into"}]},{"id":"sa-12.7","class":"SP800-53-enhancement","title":"Assessments Prior to Selection \/ Acceptance \/ Update","props":[{"name":"label","value":"SA-12(7)"},{"name":"label","value":"SA-12(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5.2","rel":"moved-to"}]},{"id":"sa-12.8","class":"SP800-53-enhancement","title":"Use of All-source Intelligence","props":[{"name":"label","value":"SA-12(8)"},{"name":"label","value":"SA-12(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-3.2","rel":"incorporated-into"}]},{"id":"sa-12.9","class":"SP800-53-enhancement","title":"Operations Security","props":[{"name":"label","value":"SA-12(9)"},{"name":"label","value":"SA-12(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-7","rel":"moved-to"}]},{"id":"sa-12.10","class":"SP800-53-enhancement","title":"Validate as Genuine and Not Altered","props":[{"name":"label","value":"SA-12(10)"},{"name":"label","value":"SA-12(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-4.3","rel":"moved-to"}]},{"id":"sa-12.11","class":"SP800-53-enhancement","title":"Penetration Testing \/ Analysis of Elements, Processes, and Actors","props":[{"name":"label","value":"SA-12(11)"},{"name":"label","value":"SA-12(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-6.1","rel":"moved-to"}]},{"id":"sa-12.12","class":"SP800-53-enhancement","title":"Inter-organizational Agreements","props":[{"name":"label","value":"SA-12(12)"},{"name":"label","value":"SA-12(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.12"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-8","rel":"moved-to"}]},{"id":"sa-12.13","class":"SP800-53-enhancement","title":"Critical Information System Components","props":[{"name":"label","value":"SA-12(13)"},{"name":"label","value":"SA-12(13)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-6","rel":"incorporated-into"},{"href":"#ra-9","rel":"incorporated-into"}]},{"id":"sa-12.14","class":"SP800-53-enhancement","title":"Identity and Traceability","props":[{"name":"label","value":"SA-12(14)"},{"name":"label","value":"SA-12(14)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-4.1","rel":"incorporated-into"},{"href":"#sr-4.2","rel":"incorporated-into"}]},{"id":"sa-12.15","class":"SP800-53-enhancement","title":"Processes to Address Weaknesses or Deficiencies","props":[{"name":"label","value":"SA-12(15)"},{"name":"label","value":"SA-12(15)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3","rel":"incorporated-into"}]}]},{"id":"sa-13","class":"SP800-53","title":"Trustworthiness","props":[{"name":"label","value":"SA-13"},{"name":"label","value":"SA-13","class":"sp800-53a"},{"name":"sort-id","value":"sa-13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-8","rel":"incorporated-into"}]},{"id":"sa-14","class":"SP800-53","title":"Criticality Analysis","props":[{"name":"label","value":"SA-14"},{"name":"label","value":"SA-14","class":"sp800-53a"},{"name":"sort-id","value":"sa-14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-9","rel":"incorporated-into"}],"controls":[{"id":"sa-14.1","class":"SP800-53-enhancement","title":"Critical Components with No Viable Alternative Sourcing","props":[{"name":"label","value":"SA-14(1)"},{"name":"label","value":"SA-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-14.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-20","rel":"incorporated-into"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."}]}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.1","class":"SP800-53-enhancement","title":"Quality Metrics","params":[{"id":"sa-15.01_odp.01","props":[{"name":"alt-identifier","value":"sa-15.1_prm_1"},{"name":"label","value":"SA-15(01)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-15.01_odp.02 }} ","{{ insert: param, sa-15.01_odp.03 }} ","upon delivery"]}},{"id":"sa-15.01_odp.02","props":[{"name":"alt-identifier","value":"sa-15.1_prm_2"},{"name":"label","value":"SA-15(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide evidence of meeting the quality metrics is defined (if selected);"}]},{"id":"sa-15.01_odp.03","props":[{"name":"alt-identifier","value":"sa-15.1_prm_3"},{"name":"alt-label","value":"program review milestones","class":"sp800-53"},{"name":"label","value":"SA-15(01)_ODP[03]","class":"sp800-53a"}],"label":"program review","guidelines":[{"prose":"program review milestones are defined (if selected);"}]}],"props":[{"name":"label","value":"SA-15(1)"},{"name":"label","value":"SA-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-15.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Define quality metrics at the beginning of the development process; and"},{"id":"sa-15.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}."}]},{"id":"sa-15.1_gdn","name":"guidance","prose":"Organizations use quality metrics to establish acceptable levels of system quality. Metrics can include quality gates, which are collections of completion criteria or sufficiency standards that represent the satisfactory execution of specific phases of the system development project. For example, a quality gate may require the elimination of all compiler warnings or a determination that such warnings have no impact on the effectiveness of required security or privacy capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. Metrics can include defining the severity thresholds of vulnerabilities in accordance with organizational risk tolerance, such as requiring no known vulnerabilities in the delivered system with a Common Vulnerability Scoring System (CVSS) severity of medium or high."},{"id":"sa-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)","class":"sp800-53a"}],"parts":[{"id":"sa-15.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;"},{"id":"sa-15.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}."}]},{"id":"sa-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of quality metrics\n\ndocumentation evidence of meeting quality metrics\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]}]},{"id":"sa-15.2","class":"SP800-53-enhancement","title":"Security and Privacy Tracking Tools","props":[{"name":"label","value":"SA-15(2)"},{"name":"label","value":"SA-15(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process."},{"id":"sa-15.2_gdn","name":"guidance","prose":"System development teams select and deploy security and privacy tracking tools, including vulnerability or work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with development processes."},{"id":"sa-15.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)","class":"sp800-53a"}],"parts":[{"id":"sa-15.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;"},{"id":"sa-15.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process."}]},{"id":"sa-15.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ndocumentation of the selection of security and privacy tracking tools\n\nevidence of employing security and privacy tracking tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."}]}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]},{"id":"sa-15.4","class":"SP800-53-enhancement","title":"Threat Modeling and Vulnerability Analysis","props":[{"name":"label","value":"SA-15(4)"},{"name":"label","value":"SA-15(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-11.2","rel":"incorporated-into"}]},{"id":"sa-15.5","class":"SP800-53-enhancement","title":"Attack Surface Reduction","params":[{"id":"sa-15.05_odp","props":[{"name":"alt-identifier","value":"sa-15.5_prm_1"},{"name":"label","value":"SA-15(05)_ODP","class":"sp800-53a"}],"label":"thresholds","guidelines":[{"prose":"thresholds to which attack surfaces are to be reduced are defined;"}]}],"props":[{"name":"label","value":"SA-15(5)"},{"name":"label","value":"SA-15(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}."},{"id":"sa-15.5_gdn","name":"guidance","prose":"Attack surface reduction is closely aligned with threat and vulnerability analyses and system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within systems, system components, and system services. Attack surface reduction includes implementing the concept of layered defenses, applying the principles of least privilege and least functionality, applying secure software development practices, deprecating unsafe functions, reducing entry points available to unauthorized users, reducing the amount of code that executes, and eliminating application programming interfaces (APIs) that are vulnerable to attacks."},{"id":"sa-15.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(05)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}."},{"id":"sa-15.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing attack surface reduction\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system or system service\n\nsystem design documentation\n\nnetwork diagram\n\nsystem configuration settings and associated documentation establishing\/enforcing organization-defined thresholds for reducing attack surfaces\n\nlist of restricted ports, protocols, functions, and services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for attack surface reduction thresholds\n\nsystem developer"}]},{"id":"sa-15.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining attack surface reduction thresholds"}]}]},{"id":"sa-15.6","class":"SP800-53-enhancement","title":"Continuous Improvement","props":[{"name":"label","value":"SA-15(6)"},{"name":"label","value":"SA-15(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process."},{"id":"sa-15.6_gdn","name":"guidance","prose":"Developers of systems, system components, and system services consider the effectiveness and efficiency of their development processes for meeting quality objectives and addressing the security and privacy capabilities in current threat environments."},{"id":"sa-15.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process."},{"id":"sa-15.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nquality goals and metrics for improving the system development process\n\nsecurity assessments\n\nquality control reviews of system development process\n\nplans of action and milestones for improving the system development process\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-15.7","class":"SP800-53-enhancement","title":"Automated Vulnerability Analysis","params":[{"id":"sa-15.07_odp.01","props":[{"name":"alt-identifier","value":"sa-15.7_prm_1"},{"name":"label","value":"SA-15(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct vulnerability analysis is defined;"}]},{"id":"sa-15.07_odp.02","props":[{"name":"alt-identifier","value":"sa-15.7_prm_2"},{"name":"label","value":"SA-15(07)_ODP[02]","class":"sp800-53a"}],"label":"tools","guidelines":[{"prose":"tools used to perform automated vulnerability analysis are defined;"}]},{"id":"sa-15.07_odp.03","props":[{"name":"alt-identifier","value":"sa-15.7_prm_3"},{"name":"label","value":"SA-15(07)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is\/are defined;"}]}],"props":[{"name":"label","value":"SA-15(7)"},{"name":"label","value":"SA-15(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service {{ insert: param, sa-15.07_odp.01 }} to:","parts":[{"id":"sa-15.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_odp.02 }};"},{"id":"sa-15.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Determine the exploitation potential for discovered vulnerabilities;"},{"id":"sa-15.7_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Determine potential risk mitigations for delivered vulnerabilities; and"},{"id":"sa-15.7_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.07_odp.03 }}."}]},{"id":"sa-15.7_gdn","name":"guidance","prose":"Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations."},{"id":"sa-15.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)","class":"sp800-53a"}],"parts":[{"id":"sa-15.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform automated vulnerability analysis {{ insert: param, sa-15.07_odp.01 }} using {{ insert: param, sa-15.07_odp.02 }};"},{"id":"sa-15.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities {{ insert: param, sa-15.07_odp.01 }};"},{"id":"sa-15.7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to determine potential risk mitigations {{ insert: param, sa-15.07_odp.01 }} for delivered vulnerabilities;"},{"id":"sa-15.7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis {{ insert: param, sa-15.07_odp.01 }} to {{ insert: param, sa-15.07_odp.03 }}."}]},{"id":"sa-15.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nvulnerability analysis tools and associated documentation\n\nrisk assessment reports\n\nvulnerability analysis results\n\nvulnerability mitigation reports\n\nrisk mitigation strategy documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel performing automated vulnerability analysis on the system"}]},{"id":"sa-15.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability analysis of systems, system components, or system services under development\n\nmechanisms supporting and\/or implementing vulnerability analysis of systems, system components, or system services under development"}]}]},{"id":"sa-15.8","class":"SP800-53-enhancement","title":"Reuse of Threat and Vulnerability Information","props":[{"name":"label","value":"SA-15(8)"},{"name":"label","value":"SA-15(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process."},{"id":"sa-15.8_gdn","name":"guidance","prose":"Analysis of vulnerabilities found in similar software applications can inform potential design and implementation issues for systems under development. Similar systems or system components may exist within developer organizations. Vulnerability information is available from a variety of public and private sector sources, including the NIST National Vulnerability Database."},{"id":"sa-15.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)","class":"sp800-53a"}],"parts":[{"id":"sa-15.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;"},{"id":"sa-15.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process."}]},{"id":"sa-15.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management plan\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nthreat modeling and vulnerability analyses from similar systems, system components, or system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-15.9","class":"SP800-53-enhancement","title":"Use of Live Data","props":[{"name":"label","value":"SA-15(9)"},{"name":"label","value":"SA-15(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-3.2","rel":"incorporated-into"}]},{"id":"sa-15.10","class":"SP800-53-enhancement","title":"Incident Response Plan","props":[{"name":"label","value":"SA-15(10)"},{"name":"label","value":"SA-15(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sa-15.10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan."},{"id":"sa-15.10_gdn","name":"guidance","prose":"The incident response plan provided by developers may provide information not readily available to organizations and be incorporated into organizational incident response plans. Developer information may also be extremely helpful, such as when organizations respond to vulnerabilities in commercial off-the-shelf products."},{"id":"sa-15.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)","class":"sp800-53a"}],"parts":[{"id":"sa-15.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide an incident response plan;"},{"id":"sa-15.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement an incident response plan;"},{"id":"sa-15.10_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to test an incident response plan."}]},{"id":"sa-15.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing incident response, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system components or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\ndeveloper incident response plan\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-15.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-15.11","class":"SP800-53-enhancement","title":"Archive System or Component","props":[{"name":"label","value":"SA-15(11)"},{"name":"label","value":"SA-15(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#cm-2","rel":"related"}],"parts":[{"id":"sa-15.11_smt","name":"statement","prose":"Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review."},{"id":"sa-15.11_gdn","name":"guidance","prose":"Archiving system or system components requires the developer to retain key development artifacts, including hardware specifications, source code, object code, and relevant documentation from the development process that can provide a readily available configuration baseline for system and component upgrades or modifications."},{"id":"sa-15.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(11)","class":"sp800-53a"}],"prose":"the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review."},{"id":"sa-15.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system or system component\n\nevidence of archived system or component\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-15.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"sa-15.12","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information","props":[{"name":"label","value":"SA-15(12)"},{"name":"label","value":"SA-15(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#pm-25","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-15.12_smt","name":"statement","prose":"Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments."},{"id":"sa-15.12_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by using techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information in development and test environments helps reduce the level of privacy risk created by a system."},{"id":"sa-15.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(12)","class":"sp800-53a"}],"prose":"the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments."},{"id":"sa-15.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the development process\n\nprocedures addressing the minimization of personally identifiable information in testing, training, and research\n\npersonally identifiable information processing policy\n\nprocedures addressing the authority to test with personally identifiable information\n\nstandards and tools\n\nsolicitation documentation\n\nservice level agreements\n\nacquisition contracts for the system or services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-15.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"sa-15.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information in development and test environments\n\nmechanisms to facilitate the minimization of personally identifiable information in development and test environments"}]}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_odp","props":[{"name":"alt-identifier","value":"sa-16_prm_1"},{"name":"label","value":"SA-16_ODP","class":"sp800-53a"}],"label":"training","guidelines":[{"prose":"training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms provided by the developer of the system, system component, or system service is defined;"}]}],"props":[{"name":"label","value":"SA-16"},{"name":"label","value":"SA-16","class":"sp800-53a"},{"name":"sort-id","value":"sa-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms: {{ insert: param, sa-16_odp }}."},{"id":"sa-16_gdn","name":"guidance","prose":"Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms."},{"id":"sa-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-16","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms."},{"id":"sa-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security and Privacy Architecture and Design","props":[{"name":"label","value":"SA-17"},{"name":"label","value":"SA-17","class":"sp800-53a"},{"name":"sort-id","value":"sa-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing."},{"id":"sa-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;"}]},{"id":"sa-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;"},{"id":"sa-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;"}]},{"id":"sa-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;"},{"id":"sa-17_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection."}]}]},{"id":"sa-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-17.1","class":"SP800-53-enhancement","title":"Formal Policy Model","params":[{"id":"sa-17.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-17.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-17.01_odp.02"}],"label":"organization-defined elements of organizational security and privacy policy"},{"id":"sa-17.01_odp.01","props":[{"name":"label","value":"SA-17(01)_ODP[01]","class":"sp800-53a"}],"label":"organizational security policy","guidelines":[{"prose":"organizational security policy to be enforced is defined;"}]},{"id":"sa-17.01_odp.02","props":[{"name":"label","value":"SA-17(01)_ODP[02]","class":"sp800-53a"}],"label":"organizational privacy policy","guidelines":[{"prose":"organizational privacy policy to be enforced is defined;"}]}],"props":[{"name":"label","value":"SA-17(1)"},{"name":"label","value":"SA-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-17.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, a formal policy model describing the {{ insert: param, sa-17.1_prm_1 }} to be enforced; and"},{"id":"sa-17.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented."}]},{"id":"sa-17.1_gdn","name":"guidance","prose":"Formal models describe specific behaviors or security and privacy policies using formal languages, thus enabling the correctness of those behaviors and policies to be formally proven. Not all components of systems can be modeled. Generally, formal specifications are scoped to the behaviors or policies of interest, such as nondiscretionary access control policies. Organizations choose the formal modeling language and approach based on the nature of the behaviors and policies to be described and the available tools."},{"id":"sa-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.01 }} to be enforced;"},{"id":"sa-17.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.02 }} to be enforced;"}]},{"id":"sa-17.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;"},{"id":"sa-17.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented."}]}]},{"id":"sa-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-17.2","class":"SP800-53-enhancement","title":"Security-relevant Components","props":[{"name":"label","value":"SA-17(2)"},{"name":"label","value":"SA-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-25","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Define security-relevant hardware, software, and firmware; and"},{"id":"sa-17.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."}]},{"id":"sa-17.2_gdn","name":"guidance","prose":"The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties."},{"id":"sa-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)","class":"sp800-53a"}],"parts":[{"id":"sa-17.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant hardware;"},{"id":"sa-17.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant software;"},{"id":"sa-17.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant firmware;"}]},{"id":"sa-17.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."}]},{"id":"sa-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of security-relevant hardware, software, and firmware components\n\ndocumented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.3","class":"SP800-53-enhancement","title":"Formal Correspondence","props":[{"name":"label","value":"SA-17(3)"},{"name":"label","value":"SA-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;"},{"id":"sa-17.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;"},{"id":"sa-17.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and"},{"id":"sa-17.3_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.3_gdn","name":"guidance","prose":"Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details that are present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal system description, and that the formal system description is correctly implemented by a description of some lower level, including a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to demonstrate such consistency. Consistency between the formal top-level specification and the actual implementation may require the use of an informal demonstration due to limitations on the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms internal to security-relevant components include mapping registers and direct memory input and output."},{"id":"sa-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)","class":"sp800-53a"}],"parts":[{"id":"sa-17.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;"},{"id":"sa-17.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;"},{"id":"sa-17.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[03]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;"}]},{"id":"sa-17.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;"},{"id":"sa-17.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;"},{"id":"sa-17.3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(e)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nformal policy model\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nformal top-level specification documentation\n\nsystem security architecture and design documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.4","class":"SP800-53-enhancement","title":"Informal Correspondence","params":[{"id":"sa-17.04_odp","props":[{"name":"alt-identifier","value":"sa-17.4_prm_1"},{"name":"label","value":"SA-17(04)_ODP","class":"sp800-53a"}],"select":{"choice":["informal demonstration, convincing argument with formal methods as feasible"]}}],"props":[{"name":"label","value":"SA-17(4)"},{"name":"label","value":"SA-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;"},{"id":"sa-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;"},{"id":"sa-17.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and"},{"id":"sa-17.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.4_gdn","name":"guidance","prose":"Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that additional code or implementation detail has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level\/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include mapping registers and direct memory input and output."},{"id":"sa-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)","class":"sp800-53a"}],"parts":[{"id":"sa-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;"},{"id":"sa-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;"},{"id":"sa-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[03]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;"}]},{"id":"sa-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;"},{"id":"sa-17.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(e)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nformal policy model\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninformal, descriptive top-level specification documentation\n\nsystem security architecture and design documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the informal, descriptive top-level specification documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.5","class":"SP800-53-enhancement","title":"Conceptually Simple Design","props":[{"name":"label","value":"SA-17(5)"},{"name":"label","value":"SA-17(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sa-17.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and"},{"id":"sa-17.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."}]},{"id":"sa-17.5_gdn","name":"guidance","prose":"The principle of reduced complexity states that the system design is as simple and small as possible (see [SA-8(7)](#sa-8.7) ). A small and simple design is easier to understand and analyze and is also less prone to error (see [AC-25](#ac-25), [SA-8(13)](#sa-8.13) ). The principle of reduced complexity applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions and facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain. That is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex."},{"id":"sa-17.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)","class":"sp800-53a"}],"parts":[{"id":"sa-17.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;"},{"id":"sa-17.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."}]},{"id":"sa-17.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.6","class":"SP800-53-enhancement","title":"Structure for Testing","props":[{"name":"label","value":"SA-17(6)"},{"name":"label","value":"SA-17(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-17.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing."},{"id":"sa-17.6_gdn","name":"guidance","prose":"Applying the security design principles in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service."},{"id":"sa-17.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing."},{"id":"sa-17.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nprivacy architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate testing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with information security and privacy architecture and design responsibilities"}]}]},{"id":"sa-17.7","class":"SP800-53-enhancement","title":"Structure for Least Privilege","props":[{"name":"label","value":"SA-17(7)"},{"name":"label","value":"SA-17(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-17.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege."},{"id":"sa-17.7_gdn","name":"guidance","prose":"The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions but no more (see [SA-8(14)](#sa-8.14) ). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in a minimized security impact. Second, the security analysis of the component is simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has a need to view the audit data that has been collected but no need to perform operations on that data.\n\nIn addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated upon by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality, and the access modes to the elements (e.g., read, write) are minimal."},{"id":"sa-17.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(07)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege."},{"id":"sa-17.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate controlling access with least privilege\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.8","class":"SP800-53-enhancement","title":"Orchestration","params":[{"id":"sa-17.08_odp.01","props":[{"name":"alt-identifier","value":"sa-17.8_prm_1"},{"name":"alt-label","value":"critical systems or system components","class":"sp800-53"},{"name":"label","value":"SA-17(08)_ODP[01]","class":"sp800-53a"}],"label":"critical systems","guidelines":[{"prose":"critical systems or system components are defined;"}]},{"id":"sa-17.08_odp.02","props":[{"name":"alt-identifier","value":"sa-17.8_prm_2"},{"name":"alt-label","value":"capabilities, by system or component","class":"sp800-53"},{"name":"label","value":"SA-17(08)_ODP[02]","class":"sp800-53a"}],"label":"capabilities","guidelines":[{"prose":"capabilities to be implemented by systems or components are defined;"}]}],"props":[{"name":"label","value":"SA-17(8)"},{"name":"label","value":"SA-17(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"}],"parts":[{"id":"sa-17.8_smt","name":"statement","prose":"Design {{ insert: param, sa-17.08_odp.01 }} with coordinated behavior to implement the following capabilities: {{ insert: param, sa-17.08_odp.02 }}."},{"id":"sa-17.8_gdn","name":"guidance","prose":"Security resources that are distributed, located at different layers or in different system elements, or are implemented to support different aspects of trustworthiness can interact in unforeseen or incorrect ways. Adverse consequences can include cascading failures, interference, or coverage gaps. Coordination of the behavior of security resources (e.g., by ensuring that one patch is installed across all resources before making a configuration change that assumes that the patch is propagated) can avert such negative interactions."},{"id":"sa-17.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-17.08_odp.01 }} are designed with coordinated behavior to implement {{ insert: param, sa-17.08_odp.02 }}."},{"id":"sa-17.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security and privacy architecture and design\n\nenterprise architecture\n\nsecurity architecture\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing design orchestration\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture responsibilities"}]}]},{"id":"sa-17.9","class":"SP800-53-enhancement","title":"Design Diversity","params":[{"id":"sa-17.09_odp","props":[{"name":"alt-identifier","value":"sa-17.9_prm_1"},{"name":"alt-label","value":"critical systems or system components","class":"sp800-53"},{"name":"label","value":"SA-17(09)_ODP","class":"sp800-53a"}],"label":"critical systems","guidelines":[{"prose":"critical systems or system components to be designed differently are defined;"}]}],"props":[{"name":"label","value":"SA-17(9)"},{"name":"label","value":"SA-17(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"}],"parts":[{"id":"sa-17.9_smt","name":"statement","prose":"Use different designs for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality."},{"id":"sa-17.9_gdn","name":"guidance","prose":"Design diversity is achieved by supplying the same requirements specification to multiple developers, each of whom is responsible for developing a variant of the system or system component that meets the requirements. Variants can be in software design, in hardware design, or in both hardware and a software design. Differences in the designs of the variants can result from developer experience (e.g., prior use of a design pattern), design style (e.g., when decomposing a required function into smaller tasks, determining what constitutes a separate task and how far to decompose tasks into sub-tasks), selection of libraries to incorporate into the variant, and the development environment (e.g., different design tools make some design patterns easier to visualize). Hardware design diversity includes making different decisions about what information to keep in analog form and what information to convert to digital form, transmitting the same information at different times, and introducing delays in sampling (temporal diversity). Design diversity is commonly used to support fault tolerance."},{"id":"sa-17.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(09)","class":"sp800-53a"}],"prose":"different designs are used for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality."},{"id":"sa-17.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design diversity for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing design diversity\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture responsibilities"}]}]}]},{"id":"sa-18","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SA-18"},{"name":"label","value":"SA-18","class":"sp800-53a"},{"name":"sort-id","value":"sa-18"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9","rel":"moved-to"}],"controls":[{"id":"sa-18.1","class":"SP800-53-enhancement","title":"Multiple Phases of System Development Life Cycle","props":[{"name":"label","value":"SA-18(1)"},{"name":"label","value":"SA-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-18.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9.1","rel":"moved-to"}]},{"id":"sa-18.2","class":"SP800-53-enhancement","title":"Inspection of Systems or Components","props":[{"name":"label","value":"SA-18(2)"},{"name":"sort-id","value":"sa-18.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-10","rel":"moved-to"}]}]},{"id":"sa-19","class":"SP800-53","title":"Component Authenticity","props":[{"name":"label","value":"SA-19"},{"name":"label","value":"SA-19","class":"sp800-53a"},{"name":"sort-id","value":"sa-19"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11","rel":"moved-to"}],"controls":[{"id":"sa-19.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","props":[{"name":"label","value":"SA-19(1)"},{"name":"label","value":"SA-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.1","rel":"moved-to"}]},{"id":"sa-19.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","props":[{"name":"label","value":"SA-19(2)"},{"name":"label","value":"SA-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.2","rel":"moved-to"}]},{"id":"sa-19.3","class":"SP800-53-enhancement","title":"Component Disposal","props":[{"name":"label","value":"SA-19(3)"},{"name":"label","value":"SA-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-12","rel":"moved-to"}]},{"id":"sa-19.4","class":"SP800-53-enhancement","title":"Anti-counterfeit Scanning","props":[{"name":"label","value":"SA-19(4)"},{"name":"label","value":"SA-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.3","rel":"moved-to"}]}]},{"id":"sa-20","class":"SP800-53","title":"Customized Development of Critical Components","params":[{"id":"sa-20_odp","props":[{"name":"alt-identifier","value":"sa-20_prm_1"},{"name":"alt-label","value":"critical system components","class":"sp800-53"},{"name":"label","value":"SA-20_ODP","class":"sp800-53a"}],"label":"critical system","guidelines":[{"prose":"critical system components to be reimplemented or custom-developed are defined;"}]}],"props":[{"name":"label","value":"SA-20"},{"name":"label","value":"SA-20","class":"sp800-53a"},{"name":"sort-id","value":"sa-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-20_smt","name":"statement","prose":"Reimplement or custom develop the following critical system components: {{ insert: param, sa-20_odp }}."},{"id":"sa-20_gdn","name":"guidance","prose":"Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files."},{"id":"sa-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-20","class":"sp800-53a"}],"prose":"{{ insert: param, sa-20_odp }} are reimplemented or custom-developed."},{"id":"sa-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the customized development of critical system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem development life cycle documentation addressing the custom development of critical system components\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for the reimplementation or customized development of critical system components"}]},{"id":"sa-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the reimplementation or customized development of critical system components\n\nmechanisms supporting and\/or implementing the reimplementation or customized development of critical system components"}]}]},{"id":"sa-21","class":"SP800-53","title":"Developer Screening","params":[{"id":"sa-21_odp.01","props":[{"name":"alt-identifier","value":"sa-21_prm_1"},{"name":"alt-label","value":"system, system component, or system service","class":"sp800-53"},{"name":"label","value":"SA-21_ODP[01]","class":"sp800-53a"}],"label":"system, systems component, or system service","guidelines":[{"prose":"the system, systems component, or system service that the developer has access to is\/are defined;"}]},{"id":"sa-21_odp.02","props":[{"name":"alt-identifier","value":"sa-21_prm_2"},{"name":"label","value":"SA-21_ODP[02]","class":"sp800-53a"}],"label":"official government duties","guidelines":[{"prose":"official government duties assigned to the developer are defined;"}]},{"id":"sa-21_odp.03","props":[{"name":"alt-identifier","value":"sa-21_prm_3"},{"name":"label","value":"SA-21_ODP[03]","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria for the developer are defined;"}]}],"props":[{"name":"label","value":"SA-21"},{"name":"label","value":"SA-21","class":"sp800-53a"},{"name":"sort-id","value":"sa-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-21_smt","name":"statement","prose":"Require that the developer of {{ insert: param, sa-21_odp.01 }}:","parts":[{"id":"sa-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and"},{"id":"sa-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_gdn","name":"guidance","prose":"Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements."},{"id":"sa-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-21","class":"sp800-53a"}],"parts":[{"id":"sa-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-21a.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};"},{"id":"sa-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-21b.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening"}]},{"id":"sa-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developer screening\n\nmechanisms supporting developer screening"}]}],"controls":[{"id":"sa-21.1","class":"SP800-53-enhancement","title":"Validation of Screening","props":[{"name":"label","value":"SA-21(1)"},{"name":"label","value":"SA-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-21.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-21","rel":"incorporated-into"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support","{{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":"{{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}],"controls":[{"id":"sa-22.1","class":"SP800-53-enhancement","title":"Alternative Sources for Continued Support","props":[{"name":"label","value":"SA-22(1)"},{"name":"label","value":"SA-22(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-22.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-22","rel":"incorporated-into"}]}]},{"id":"sa-23","class":"SP800-53","title":"Specialization","params":[{"id":"sa-23_odp.01","props":[{"name":"alt-identifier","value":"sa-23_prm_1"},{"name":"label","value":"SA-23_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design modification","augmentation","reconfiguration"]}},{"id":"sa-23_odp.02","props":[{"name":"alt-identifier","value":"sa-23_prm_2"},{"name":"label","value":"SA-23_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components supporting mission-essential services or functions are defined;"}]}],"props":[{"name":"label","value":"SA-23"},{"name":"label","value":"SA-23","class":"sp800-53a"},{"name":"sort-id","value":"sa-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-23_smt","name":"statement","prose":"Employ {{ insert: param, sa-23_odp.01 }} on {{ insert: param, sa-23_odp.02 }} supporting mission essential services or functions to increase the trustworthiness in those systems or components."},{"id":"sa-23_gdn","name":"guidance","prose":"It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources."},{"id":"sa-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-23","class":"sp800-53a"}],"prose":"{{ insert: param, sa-23_odp.01 }} is employed on {{ insert: param, sa-23_odp.02 }} supporting essential services or functions to increase the trustworthiness in those systems or components."},{"id":"sa-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing design modification, augmentation, or reconfiguration of systems or system components\n\ndocumented evidence of design modification, augmentation, or reconfiguration\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for security architecture\n\norganizational personnel responsible for configuration management"}]},{"id":"sa-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the modification of design, augmentation, or reconfiguration of systems or system components\n\nmechanisms supporting and\/or implementing design modification, augmentation, or reconfiguration of systems or system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;"},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."}]}]}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality."},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}],"controls":[{"id":"sc-2.1","class":"SP800-53-enhancement","title":"Interfaces for Non-privileged Users","props":[{"name":"label","value":"SC-2(1)"},{"name":"label","value":"SC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-2","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-2.1_smt","name":"statement","prose":"Prevent the presentation of system management functionality at interfaces to non-privileged users."},{"id":"sc-2.1_gdn","name":"guidance","prose":"Preventing the presentation of system management functionality at interfaces to non-privileged users ensures that system administration options, including administrator privileges, are not available to the general user population. Restricting user access also prohibits the use of the grey-out option commonly used to eliminate accessibility to such information. One potential solution is to withhold system administration options until users establish sessions with administrator privileges."},{"id":"sc-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02(01)","class":"sp800-53a"}],"prose":"the presentation of system management functionality is prevented at interfaces to non-privileged users."},{"id":"sc-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nnon-privileged users of the system\n\nsystem developer"}]},{"id":"sc-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-2.2","class":"SP800-53-enhancement","title":"Disassociability","props":[{"name":"label","value":"SC-2(2)"},{"name":"label","value":"SC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-2","rel":"required"}],"parts":[{"id":"sc-2.2_smt","name":"statement","prose":"Store state information from applications and software separately."},{"id":"sc-2.2_gdn","name":"guidance","prose":"If a system is compromised, storing applications and software separately from state information about users’ interactions with an application may better protect individuals’ privacy."},{"id":"sc-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02(02)","class":"sp800-53a"}],"prose":"state information is stored separately from applications and software."},{"id":"sc-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application and software partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"sc-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of application state information from software"}]}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"label","value":"SC-3"},{"name":"label","value":"SC-03","class":"sp800-53a"},{"name":"sort-id","value":"sc-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"Isolate security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03","class":"sp800-53a"}],"prose":"security functions are isolated from non-security functions."},{"id":"sc-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}],"controls":[{"id":"sc-3.1","class":"SP800-53-enhancement","title":"Hardware Separation","props":[{"name":"label","value":"SC-3(1)"},{"name":"label","value":"SC-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.1_smt","name":"statement","prose":"Employ hardware separation mechanisms to implement security function isolation."},{"id":"sc-3.1_gdn","name":"guidance","prose":"Hardware separation mechanisms include hardware ring architectures that are implemented within microprocessors and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable)."},{"id":"sc-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(01)","class":"sp800-53a"}],"prose":"hardware separation mechanisms are employed to implement security function isolation."},{"id":"sc-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nhardware separation mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}]},{"id":"sc-3.2","class":"SP800-53-enhancement","title":"Access and Flow Control Functions","props":[{"name":"label","value":"SC-3(2)"},{"name":"label","value":"SC-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.2_smt","name":"statement","prose":"Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions."},{"id":"sc-3.2_gdn","name":"guidance","prose":"Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions."},{"id":"sc-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)","class":"sp800-53a"}],"parts":[{"id":"sc-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[01]","class":"sp800-53a"}],"prose":"security functions enforcing access control are isolated from non-security functions;"},{"id":"sc-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[02]","class":"sp800-53a"}],"prose":"security functions enforcing access control are isolated from other security functions;"},{"id":"sc-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[03]","class":"sp800-53a"}],"prose":"security functions enforcing information flow control are isolated from non-security functions;"},{"id":"sc-3.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[04]","class":"sp800-53a"}],"prose":"security functions enforcing information flow control are isolated from other security functions."}]},{"id":"sc-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of critical security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records system security plan\n\nother relevant documents or records"}]},{"id":"sc-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Isolation of security functions enforcing access and information flow control"}]}]},{"id":"sc-3.3","class":"SP800-53-enhancement","title":"Minimize Nonsecurity Functionality","props":[{"name":"label","value":"SC-3(3)"},{"name":"label","value":"SC-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.3_smt","name":"statement","prose":"Minimize the number of nonsecurity functions included within the isolation boundary containing security functions."},{"id":"sc-3.3_gdn","name":"guidance","prose":"Where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software can directly impact the security functions of systems. The fundamental design objective is that the specific portions of systems that provide information security are of minimal size and complexity. Minimizing the number of nonsecurity functions in the security-relevant system components allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing the nonsecurity functions within the isolation boundaries, the amount of code that is trusted to enforce security policies is significantly reduced, thus contributing to understandability."},{"id":"sc-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(03)","class":"sp800-53a"}],"prose":"the number of non-security functions included within the isolation boundary containing security functions is minimized."},{"id":"sc-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an isolation boundary"}]}]},{"id":"sc-3.4","class":"SP800-53-enhancement","title":"Module Coupling and Cohesiveness","props":[{"name":"label","value":"SC-3(4)"},{"name":"label","value":"SC-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.4_smt","name":"statement","prose":"Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules."},{"id":"sc-3.4_gdn","name":"guidance","prose":"The reduction of inter-module interactions helps to constrain security functions and manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between functions within a module. Best practices in software engineering and systems security engineering rely on layering, minimization, and modular decomposition to reduce and manage complexity. This produces software modules that are highly cohesive and loosely coupled."},{"id":"sc-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)","class":"sp800-53a"}],"parts":[{"id":"sc-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)[01]","class":"sp800-53a"}],"prose":"security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;"},{"id":"sc-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)[02]","class":"sp800-53a"}],"prose":"security functions are implemented as largely independent modules that minimize coupling between modules."}]},{"id":"sc-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maximizing internal cohesiveness within modules and minimizing coupling between modules\n\nmechanisms supporting and\/or implementing security functions as independent modules"}]}]},{"id":"sc-3.5","class":"SP800-53-enhancement","title":"Layered Structures","props":[{"name":"label","value":"SC-3(5)"},{"name":"label","value":"SC-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.5_smt","name":"statement","prose":"Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."},{"id":"sc-3.5_gdn","name":"guidance","prose":"The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity."},{"id":"sc-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(05)","class":"sp800-53a"}],"prose":"security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."},{"id":"sc-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing security functions as a layered structure that minimizes interactions between layers and avoids dependence by lower layers on functionality\/correctness of higher layers\n\nmechanisms supporting and\/or implementing security functions as a layered structure"}]}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;"},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented."}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}],"controls":[{"id":"sc-4.1","class":"SP800-53-enhancement","title":"Security Levels","props":[{"name":"label","value":"SC-4(1)"},{"name":"label","value":"SC-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-04.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-4","rel":"incorporated-into"}]},{"id":"sc-4.2","class":"SP800-53-enhancement","title":"Multilevel or Periods Processing","params":[{"id":"sc-04.02_odp","props":[{"name":"alt-identifier","value":"sc-4.2_prm_1"},{"name":"label","value":"SC-04(02)_ODP","class":"sp800-53a"}],"label":"procedures","guidelines":[{"prose":"procedures to prevent unauthorized information transfer via shared resources are defined;"}]}],"props":[{"name":"label","value":"SC-4(2)"},{"name":"label","value":"SC-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-4","rel":"required"}],"parts":[{"id":"sc-4.2_smt","name":"statement","prose":"Prevent unauthorized information transfer via shared resources in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories."},{"id":"sc-4.2_gdn","name":"guidance","prose":"Changes in processing levels can occur during multilevel or periods processing with information at different classification levels or security categories. It can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include approved sanitization processes for electronically stored information."},{"id":"sc-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04(02)","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared resources is prevented in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories."},{"id":"sc-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized transfer of information via shared system resources"}]}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}],"controls":[{"id":"sc-5.1","class":"SP800-53-enhancement","title":"Restrict Ability to Attack Other Systems","params":[{"id":"sc-05.01_odp","props":[{"name":"alt-identifier","value":"sc-5.1_prm_1"},{"name":"label","value":"SC-05(01)_ODP","class":"sp800-53a"}],"label":"denial-of-service attacks","guidelines":[{"prose":"denial-of-service attacks for which to restrict the ability of individuals to launch are defined;"}]}],"props":[{"name":"label","value":"SC-5(1)"},{"name":"label","value":"SC-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"}],"parts":[{"id":"sc-5.1_smt","name":"statement","prose":"Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: {{ insert: param, sc-05.01_odp }}."},{"id":"sc-5.1_gdn","name":"guidance","prose":"Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems."},{"id":"sc-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(01)","class":"sp800-53a"}],"prose":"the ability of individuals to launch {{ insert: param, sc-05.01_odp }} against other systems is restricted."},{"id":"sc-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks launched by individuals against systems\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms restricting the ability to launch denial-of-service attacks against other systems"}]}]},{"id":"sc-5.2","class":"SP800-53-enhancement","title":"Capacity, Bandwidth, and Redundancy","props":[{"name":"label","value":"SC-5(2)"},{"name":"label","value":"SC-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"}],"parts":[{"id":"sc-5.2_smt","name":"statement","prose":"Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks."},{"id":"sc-5.2_gdn","name":"guidance","prose":"Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes establishing selected usage priorities, quotas, partitioning, or load balancing."},{"id":"sc-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(02)","class":"sp800-53a"}],"prose":"capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed."},{"id":"sc-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the management of system bandwidth, capacity, and redundancy to limit the effects of information flooding denial-of-service attacks"}]}]},{"id":"sc-5.3","class":"SP800-53-enhancement","title":"Detection and Monitoring","params":[{"id":"sc-05.03_odp.01","props":[{"name":"alt-identifier","value":"sc-5.3_prm_1"},{"name":"label","value":"SC-05(03)_ODP[01]","class":"sp800-53a"}],"label":"monitoring tools","guidelines":[{"prose":"monitoring tools for detecting indicators of denial-of-service attacks are defined;"}]},{"id":"sc-05.03_odp.02","props":[{"name":"alt-identifier","value":"sc-5.3_prm_2"},{"name":"label","value":"SC-05(03)_ODP[02]","class":"sp800-53a"}],"label":"system resources","guidelines":[{"prose":"system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined;"}]}],"props":[{"name":"label","value":"SC-5(3)"},{"name":"label","value":"SC-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-5.3_smt","name":"statement","parts":[{"id":"sc-5.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: {{ insert: param, sc-05.03_odp.01 }} ; and"},{"id":"sc-5.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: {{ insert: param, sc-05.03_odp.02 }}."}]},{"id":"sc-5.3_gdn","name":"guidance","prose":"Organizations consider the utilization and capacity of system resources when managing risk associated with a denial of service due to malicious attacks. Denial-of-service attacks can originate from external or internal sources. System resources that are sensitive to denial of service include physical disk storage, memory, and CPU cycles. Techniques used to prevent denial-of-service attacks related to storage utilization and capacity include instituting disk quotas, configuring systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data."},{"id":"sc-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)","class":"sp800-53a"}],"parts":[{"id":"sc-5.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05.03_odp.01 }} are employed to detect indicators of denial-of-service attacks against or launched from the system;"},{"id":"sc-5.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05.03_odp.02 }} are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks."}]},{"id":"sc-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with detection and monitoring responsibilities"}]},{"id":"sc-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms\/tools implementing system monitoring for denial-of-service attacks"}]}]}]},{"id":"sc-6","class":"SP800-53","title":"Resource Availability","params":[{"id":"sc-06_odp.01","props":[{"name":"alt-identifier","value":"sc-6_prm_1"},{"name":"label","value":"SC-06_ODP[01]","class":"sp800-53a"}],"label":"resources","guidelines":[{"prose":"resources to be allocated to protect the availability of resources are defined;"}]},{"id":"sc-06_odp.02","props":[{"name":"alt-identifier","value":"sc-6_prm_2"},{"name":"label","value":"SC-06_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["priority","quota","{{ insert: param, sc-06_odp.03 }} "]}},{"id":"sc-06_odp.03","props":[{"name":"alt-identifier","value":"sc-6_prm_3"},{"name":"label","value":"SC-06_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to protect the availability of resources are defined (if selected);"}]}],"props":[{"name":"label","value":"SC-6"},{"name":"label","value":"SC-06","class":"sp800-53a"},{"name":"sort-id","value":"sc-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#047b041a-b4b0-4537-ab2d-2b36283eeda0","rel":"reference"},{"href":"#4f42ee6e-86cc-403b-a51f-76c2b4f81b54","rel":"reference"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"sc-6_smt","name":"statement","prose":"Protect the availability of resources by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}."},{"id":"sc-6_gdn","name":"guidance","prose":"Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources."},{"id":"sc-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-06","class":"sp800-53a"}],"prose":"the availability of resources is protected by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}."},{"id":"sc-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing prioritization of system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a resource allocation capability\n\nsafeguards employed to protect availability of resources"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;"},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;"},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;"},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.1","class":"SP800-53-enhancement","title":"Physically Separated Subnetworks","props":[{"name":"label","value":"SC-7(1)"},{"name":"label","value":"SC-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-7.2","class":"SP800-53-enhancement","title":"Public Access","props":[{"name":"label","value":"SC-7(2)"},{"name":"label","value":"SC-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited."},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;"},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;"},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;"},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;"},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks."}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.6","class":"SP800-53-enhancement","title":"Response to Recognized Failures","props":[{"name":"label","value":"SC-7(6)"},{"name":"label","value":"SC-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.18","rel":"incorporated-into"}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.9","class":"SP800-53-enhancement","title":"Restrict Threatening Outgoing Communications Traffic","props":[{"name":"label","value":"SC-7(9)"},{"name":"label","value":"SC-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-7.9_smt","name":"statement","parts":[{"id":"sc-7.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect and deny outgoing communications traffic posing a threat to external systems; and"},{"id":"sc-7.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Audit the identity of internal users associated with denied communications."}]},{"id":"sc-7.9_gdn","name":"guidance","prose":"Detecting outgoing communications traffic from internal actions that may pose threats to external systems is known as extrusion detection. Extrusion detection is carried out within the system at managed interfaces. Extrusion detection includes the analysis of incoming and outgoing communications traffic while searching for indications of internal threats to the security of external systems. Internal threats to external systems include traffic indicative of denial-of-service attacks, traffic with spoofed source addresses, and traffic that contains malicious code. Organizations have criteria to determine, update, and manage identified threats related to extrusion detection."},{"id":"sc-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)","class":"sp800-53a"}],"parts":[{"id":"sc-7.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)","class":"sp800-53a"}],"parts":[{"id":"sc-7.9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)[01]","class":"sp800-53a"}],"prose":"outgoing communications traffic posing a threat to external systems is detected;"},{"id":"sc-7.9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)[02]","class":"sp800-53a"}],"prose":"outgoing communications traffic posing a threat to external systems is denied;"}]},{"id":"sc-7.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(b)","class":"sp800-53a"}],"prose":"the identity of internal users associated with denied communications is audited."}]},{"id":"sc-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms implementing the detection and denial of threatening outgoing communications traffic\n\nmechanisms implementing auditing of outgoing communications traffic"}]}]},{"id":"sc-7.10","class":"SP800-53-enhancement","title":"Prevent Exfiltration","params":[{"id":"sc-07.10_odp","props":[{"name":"alt-identifier","value":"sc-7.10_prm_1"},{"name":"label","value":"SC-07(10)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for conducting exfiltration tests is defined;"}]}],"props":[{"name":"label","value":"SC-7(10)"},{"name":"label","value":"SC-07(10)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-7.10_smt","name":"statement","parts":[{"id":"sc-7.10_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prevent the exfiltration of information; and"},{"id":"sc-7.10_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}."}]},{"id":"sc-7.10_gdn","name":"guidance","prose":"Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements."},{"id":"sc-7.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)","class":"sp800-53a"}],"parts":[{"id":"sc-7.10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)(a)","class":"sp800-53a"}],"prose":"the exfiltration of information is prevented;"},{"id":"sc-7.10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)(b)","class":"sp800-53a"}],"prose":"exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}."}]},{"id":"sc-7.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities that prevent the unauthorized exfiltration of information across managed interfaces"}]}]},{"id":"sc-7.11","class":"SP800-53-enhancement","title":"Restrict Incoming Communications Traffic","params":[{"id":"sc-07.11_odp.01","props":[{"name":"alt-identifier","value":"sc-7.11_prm_1"},{"name":"label","value":"SC-07(11)_ODP[01]","class":"sp800-53a"}],"label":"authorized sources","guidelines":[{"prose":"authorized sources of incoming communications to be routed are defined;"}]},{"id":"sc-07.11_odp.02","props":[{"name":"alt-identifier","value":"sc-7.11_prm_2"},{"name":"label","value":"SC-07(11)_ODP[02]","class":"sp800-53a"}],"label":"authorized destinations","guidelines":[{"prose":"authorized destinations to which incoming communications from authorized sources may be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(11)"},{"name":"label","value":"SC-07(11)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.11_smt","name":"statement","prose":"Only allow incoming communications from {{ insert: param, sc-07.11_odp.01 }} to be routed to {{ insert: param, sc-07.11_odp.02 }}."},{"id":"sc-7.11_gdn","name":"guidance","prose":"General source address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs. Strong authentication of network addresses is not possible without the use of explicit security protocols, and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules."},{"id":"sc-7.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(11)","class":"sp800-53a"}],"prose":"only incoming communications from {{ insert: param, sc-07.11_odp.01 }} are allowed to be routed to {{ insert: param, sc-07.11_odp.02 }}."},{"id":"sc-7.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities with respect to source\/destination address pairs"}]}]},{"id":"sc-7.12","class":"SP800-53-enhancement","title":"Host-based Protection","params":[{"id":"sc-07.12_odp.01","props":[{"name":"alt-identifier","value":"sc-7.12_prm_1"},{"name":"label","value":"SC-07(12)_ODP[01]","class":"sp800-53a"}],"label":"host-based boundary protection mechanisms","guidelines":[{"prose":"host-based boundary protection mechanisms to be implemented are defined;"}]},{"id":"sc-07.12_odp.02","props":[{"name":"alt-identifier","value":"sc-7.12_prm_2"},{"name":"label","value":"SC-07(12)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where host-based boundary protection mechanisms are to be implemented are defined;"}]}],"props":[{"name":"label","value":"SC-7(12)"},{"name":"label","value":"SC-07(12)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.12_smt","name":"statement","prose":"Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}."},{"id":"sc-7.12_gdn","name":"guidance","prose":"Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices."},{"id":"sc-7.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(12)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}."},{"id":"sc-7.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users"}]},{"id":"sc-7.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing host-based boundary protection capabilities"}]}]},{"id":"sc-7.13","class":"SP800-53-enhancement","title":"Isolation of Security Tools, Mechanisms, and Support Components","params":[{"id":"sc-07.13_odp","props":[{"name":"alt-identifier","value":"sc-7.13_prm_1"},{"name":"label","value":"SC-07(13)_ODP","class":"sp800-53a"}],"label":"information security tools, mechanisms, and support components","guidelines":[{"prose":"information security tools, mechanisms, and support components to be isolated from other internal system components are defined;"}]}],"props":[{"name":"label","value":"SC-7(13)"},{"name":"label","value":"SC-07(13)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sc-7.13_smt","name":"statement","prose":"Isolate {{ insert: param, sc-07.13_odp }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system."},{"id":"sc-7.13_gdn","name":"guidance","prose":"Physically separate subnetworks with managed interfaces are useful in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations."},{"id":"sc-7.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(13)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.13_odp }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system."},{"id":"sc-7.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of security tools and support components to be isolated from other internal system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the isolation of information security tools, mechanisms, and support components"}]}]},{"id":"sc-7.14","class":"SP800-53-enhancement","title":"Protect Against Unauthorized Physical Connections","params":[{"id":"sc-07.14_odp","props":[{"name":"alt-identifier","value":"sc-7.14_prm_1"},{"name":"label","value":"SC-07(14)_ODP","class":"sp800-53a"}],"label":"managed interfaces","guidelines":[{"prose":"managed interfaces to be protected against unauthorized physical connections are defined;"}]}],"props":[{"name":"label","value":"SC-7(14)"},{"name":"label","value":"SC-07(14)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pe-4","rel":"related"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"sc-7.14_smt","name":"statement","prose":"Protect against unauthorized physical connections at {{ insert: param, sc-07.14_odp }}."},{"id":"sc-7.14_gdn","name":"guidance","prose":"Systems that operate at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within the same facilities. In practice, it is possible that these separate systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved by using clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls that enforce limited authorized access to these items."},{"id":"sc-7.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(14)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.14_odp }} are protected against unauthorized physical connections."},{"id":"sc-7.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nfacility communications and wiring diagram system security plan\n\nother relevant documents or records"}]},{"id":"sc-7.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing protection against unauthorized physical connections"}]}]},{"id":"sc-7.15","class":"SP800-53-enhancement","title":"Networked Privileged Accesses","props":[{"name":"label","value":"SC-7(15)"},{"name":"label","value":"SC-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-7.15_smt","name":"statement","prose":"Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing."},{"id":"sc-7.15_gdn","name":"guidance","prose":"Privileged access provides greater accessibility to system functions, including security functions. Adversaries attempt to gain privileged access to systems through remote access to cause adverse mission or business impacts, such as by exfiltrating information or bringing down a critical system capability. Routing networked, privileged access requests through a dedicated, managed interface further restricts privileged access for increased access control and auditing."},{"id":"sc-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)","class":"sp800-53a"}],"parts":[{"id":"sc-7.15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)[01]","class":"sp800-53a"}],"prose":"networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;"},{"id":"sc-7.15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)[02]","class":"sp800-53a"}],"prose":"networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing."}]},{"id":"sc-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\naudit logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the routing of networked, privileged access through dedicated, managed interfaces"}]}]},{"id":"sc-7.16","class":"SP800-53-enhancement","title":"Prevent Discovery of System Components","props":[{"name":"label","value":"SC-7(16)"},{"name":"label","value":"SC-07(16)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.16_smt","name":"statement","prose":"Prevent the discovery of specific system components that represent a managed interface."},{"id":"sc-7.16_gdn","name":"guidance","prose":"Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems. Another prevention technique is to periodically change network addresses."},{"id":"sc-7.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(16)","class":"sp800-53a"}],"prose":"the discovery of specific system components that represent a managed interface is prevented."},{"id":"sc-7.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the prevention of discovery of system components at managed interfaces"}]}]},{"id":"sc-7.17","class":"SP800-53-enhancement","title":"Automated Enforcement of Protocol Formats","props":[{"name":"label","value":"SC-7(17)"},{"name":"label","value":"SC-07(17)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#sc-4","rel":"related"}],"parts":[{"id":"sc-7.17_smt","name":"statement","prose":"Enforce adherence to protocol formats."},{"id":"sc-7.17_gdn","name":"guidance","prose":"System components that enforce protocol formats include deep packet inspection firewalls and XML gateways. The components verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers."},{"id":"sc-7.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(17)","class":"sp800-53a"}],"prose":"adherence to protocol formats is enforced."},{"id":"sc-7.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the enforcement of adherence to protocol formats"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"label","value":"SC-07(18)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#cp-2","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases."},{"id":"sc-7.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(18)","class":"sp800-53a"}],"prose":"systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.19","class":"SP800-53-enhancement","title":"Block Communication from Non-organizationally Configured Hosts","params":[{"id":"sc-07.19_odp","props":[{"name":"alt-identifier","value":"sc-7.19_prm_1"},{"name":"label","value":"SC-07(19)_ODP","class":"sp800-53a"}],"label":"communication clients","guidelines":[{"prose":"communication clients that are independently configured by end users and external service providers are defined;"}]}],"props":[{"name":"label","value":"SC-7(19)"},{"name":"label","value":"SC-07(19)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.19_smt","name":"statement","prose":"Block inbound and outbound communications traffic between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers."},{"id":"sc-7.19_gdn","name":"guidance","prose":"Communication clients independently configured by end users and external service providers include instant messaging clients and video conferencing software and applications. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions."},{"id":"sc-7.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)","class":"sp800-53a"}],"parts":[{"id":"sc-7.19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers;"},{"id":"sc-7.19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers."}]},{"id":"sc-7.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of communication clients independently configured by end users and external service providers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the blocking of inbound and outbound communications traffic between communication clients independently configured by end users and external service providers"}]}]},{"id":"sc-7.20","class":"SP800-53-enhancement","title":"Dynamic Isolation and Segregation","params":[{"id":"sc-07.20_odp","props":[{"name":"alt-identifier","value":"sc-7.20_prm_1"},{"name":"label","value":"SC-07(20)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be dynamically isolated from other system components are defined;"}]}],"props":[{"name":"label","value":"SC-7(20)"},{"name":"label","value":"SC-07(20)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.20_smt","name":"statement","prose":"Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components."},{"id":"sc-7.20_gdn","name":"guidance","prose":"The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur."},{"id":"sc-7.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(20)","class":"sp800-53a"}],"prose":"the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided."},{"id":"sc-7.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of system components to be dynamically isolated\/segregated from other components of the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to dynamically isolate\/segregate system components"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of System Components","params":[{"id":"sc-07.21_odp.01","props":[{"name":"alt-identifier","value":"sc-7.21_prm_1"},{"name":"label","value":"SC-07(21)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be isolated by boundary protection mechanisms are defined;"}]},{"id":"sc-07.21_odp.02","props":[{"name":"alt-identifier","value":"sc-7.21_prm_2"},{"name":"label","value":"SC-07(21)_ODP[02]","class":"sp800-53a"}],"label":"missions and\/or business functions","guidelines":[{"prose":"missions and\/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"label","value":"SC-07(21)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ca-9","rel":"related"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys."},{"id":"sc-7.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(21)","class":"sp800-53a"}],"prose":"boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to separate system components supporting organizational missions and\/or business functions"}]}]},{"id":"sc-7.22","class":"SP800-53-enhancement","title":"Separate Subnets for Connecting to Different Security Domains","props":[{"name":"label","value":"SC-7(22)"},{"name":"label","value":"SC-07(22)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.22_smt","name":"statement","prose":"Implement separate network addresses to connect to systems in different security domains."},{"id":"sc-7.22_gdn","name":"guidance","prose":"The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels."},{"id":"sc-7.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(22)","class":"sp800-53a"}],"prose":"separate network addresses are implemented to connect to systems in different security domains."},{"id":"sc-7.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate network addresses\/different subnets"}]}]},{"id":"sc-7.23","class":"SP800-53-enhancement","title":"Disable Sender Feedback on Protocol Validation Failure","props":[{"name":"label","value":"SC-7(23)"},{"name":"label","value":"SC-07(23)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.23_smt","name":"statement","prose":"Disable feedback to senders on protocol format validation failure."},{"id":"sc-7.23_gdn","name":"guidance","prose":"Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwise be unavailable."},{"id":"sc-7.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(23)","class":"sp800-53a"}],"prose":"feedback to senders is disabled on protocol format validation failure."},{"id":"sc-7.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the disabling of feedback to senders on protocol format validation failure"}]}]},{"id":"sc-7.24","class":"SP800-53-enhancement","title":"Personally Identifiable Information","params":[{"id":"sc-07.24_odp","props":[{"name":"alt-identifier","value":"sc-7.24_prm_1"},{"name":"label","value":"SC-07(24)_ODP","class":"sp800-53a"}],"label":"processing rules","guidelines":[{"prose":"processing rules for systems that process personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-7(24)"},{"name":"label","value":"SC-07(24)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"sc-7.24_smt","name":"statement","prose":"For systems that process personally identifiable information:","parts":[{"id":"sc-7.24_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};"},{"id":"sc-7.24_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"},{"id":"sc-7.24_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Document each processing exception; and"},{"id":"sc-7.24_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Review and remove exceptions that are no longer supported."}]},{"id":"sc-7.24_gdn","name":"guidance","prose":"Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements."},{"id":"sc-7.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;"},{"id":"sc-7.24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[01]","class":"sp800-53a"}],"prose":"permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;"},{"id":"sc-7.24_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[02]","class":"sp800-53a"}],"prose":"permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;"}]},{"id":"sc-7.24_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(c)","class":"sp800-53a"}],"prose":"each processing exception is documented for systems that process personally identifiable information;"},{"id":"sc-7.24_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[01]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information are reviewed;"},{"id":"sc-7.24_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[02]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information that are no longer supported are removed."}]}]},{"id":"sc-7.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\npersonally identifiable information processing policies\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security and privacy architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information inventory documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sc-7.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]},{"id":"sc-7.25","class":"SP800-53-enhancement","title":"Unclassified National Security System Connections","params":[{"id":"sc-07.25_odp.01","props":[{"name":"alt-identifier","value":"sc-7.25_prm_1"},{"name":"label","value":"SC-07(25)_ODP[01]","class":"sp800-53a"}],"label":"unclassified national security system","guidelines":[{"prose":"the unclassified national security system prohibited from directly connecting to an external network is defined;"}]},{"id":"sc-07.25_odp.02","props":[{"name":"alt-identifier","value":"sc-7.25_prm_2"},{"name":"label","value":"SC-07(25)_ODP[02]","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(25)"},{"name":"label","value":"SC-07(25)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.25_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }}."},{"id":"sc-7.25_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks."},{"id":"sc-7.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(25)","class":"sp800-53a"}],"prose":"the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }} is prohibited."},{"id":"sc-7.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of unclassified national security systems to an external network"}]}]},{"id":"sc-7.26","class":"SP800-53-enhancement","title":"Classified National Security System Connections","params":[{"id":"sc-07.26_odp","props":[{"name":"alt-identifier","value":"sc-7.26_prm_1"},{"name":"label","value":"SC-07(26)_ODP","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(26)"},{"name":"label","value":"SC-07(26)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.26_smt","name":"statement","prose":"Prohibit the direct connection of a classified national security system to an external network without the use of {{ insert: param, sc-07.26_odp }}."},{"id":"sc-7.26_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks."},{"id":"sc-7.26_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(26)","class":"sp800-53a"}],"prose":"the direct connection of classified national security system to an external network without the use of a {{ insert: param, sc-07.26_odp }} is prohibited."},{"id":"sc-7.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of classified national security systems to an external network"}]}]},{"id":"sc-7.27","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","params":[{"id":"sc-07.27_odp.01","props":[{"name":"alt-identifier","value":"sc-7.27_prm_1"},{"name":"alt-label","value":"unclassified non-national security system","class":"sp800-53"},{"name":"label","value":"SC-07(27)_ODP[01]","class":"sp800-53a"}],"label":"unclassified, non-national security system","guidelines":[{"prose":"the unclassified, non-national security system prohibited from directly connecting to an external network is defined;"}]},{"id":"sc-07.27_odp.02","props":[{"name":"alt-identifier","value":"sc-7.27_prm_2"},{"name":"label","value":"SC-07(27)_ODP[02]","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection of unclassified, non-national security system to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(27)"},{"name":"label","value":"SC-07(27)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.27_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of {{ insert: param, sc-07.27_odp.02 }}."},{"id":"sc-7.27_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified non-national security systems and external networks."},{"id":"sc-7.27_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(27)","class":"sp800-53a"}],"prose":"the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of a {{ insert: param, sc-07.27_odp.02 }} is prohibited."},{"id":"sc-7.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of unclassified, non-national security systems to an external network"}]}]},{"id":"sc-7.28","class":"SP800-53-enhancement","title":"Connections to Public Networks","params":[{"id":"sc-07.28_odp","props":[{"name":"alt-identifier","value":"sc-7.28_prm_1"},{"name":"label","value":"SC-07(28)_ODP","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"the system that is prohibited from directly connecting to a public network is defined;"}]}],"props":[{"name":"label","value":"SC-7(28)"},{"name":"label","value":"SC-07(28)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.28_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.28_odp }} to a public network."},{"id":"sc-7.28_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access."},{"id":"sc-7.28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(28)","class":"sp800-53a"}],"prose":"the direct connection of the {{ insert: param, sc-07.28_odp }} to a public network is prohibited."},{"id":"sc-7.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of systems to an external network"}]}]},{"id":"sc-7.29","class":"SP800-53-enhancement","title":"Separate Subnets to Isolate Functions","params":[{"id":"sc-07.29_odp.01","props":[{"name":"alt-identifier","value":"sc-7.29_prm_1"},{"name":"label","value":"SC-07(29)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-07.29_odp.02","props":[{"name":"alt-identifier","value":"sc-7.29_prm_2"},{"name":"label","value":"SC-07(29)_ODP[02]","class":"sp800-53a"}],"label":"critical system components and functions","guidelines":[{"prose":"critical system components and functions to be isolated are defined;"}]}],"props":[{"name":"label","value":"SC-7(29)"},{"name":"label","value":"SC-07(29)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.29_smt","name":"statement","prose":"Implement {{ insert: param, sc-07.29_odp.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, sc-07.29_odp.02 }}."},{"id":"sc-7.29_gdn","name":"guidance","prose":"Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions."},{"id":"sc-7.29_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(29)","class":"sp800-53a"}],"prose":"subnetworks are separated {{ insert: param, sc-07.29_odp.01 }} to isolate {{ insert: param, sc-07.29_odp.02 }}."},{"id":"sc-7.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\ncriticality analysis\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms separating critical system components and functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected."},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.2","class":"SP800-53-enhancement","title":"Pre- and Post-transmission Handling","params":[{"id":"sc-08.02_odp","props":[{"name":"alt-identifier","value":"sc-8.2_prm_1"},{"name":"label","value":"SC-08(02)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8(2)"},{"name":"label","value":"SC-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"}],"parts":[{"id":"sc-8.2_smt","name":"statement","prose":"Maintain the {{ insert: param, sc-08.02_odp }} of information during preparation for transmission and during reception."},{"id":"sc-8.2_gdn","name":"guidance","prose":"Information can be unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information."},{"id":"sc-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)","class":"sp800-53a"}],"parts":[{"id":"sc-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)[01]","class":"sp800-53a"}],"prose":"information {{ insert: param, sc-08.02_odp }} is\/are maintained during preparation for transmission;"},{"id":"sc-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)[02]","class":"sp800-53a"}],"prose":"information {{ insert: param, sc-08.02_odp }} is\/are maintained during reception."}]},{"id":"sc-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}]},{"id":"sc-8.3","class":"SP800-53-enhancement","title":"Cryptographic Protection for Message Externals","params":[{"id":"sc-08.03_odp","props":[{"name":"alt-identifier","value":"sc-8.3_prm_1"},{"name":"label","value":"SC-08(03)_ODP","class":"sp800-53a"}],"label":"alternative physical controls","guidelines":[{"prose":"alternative physical controls to protect message externals are defined;"}]}],"props":[{"name":"label","value":"SC-8(3)"},{"name":"label","value":"SC-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}."},{"id":"sc-8.3_gdn","name":"guidance","prose":"Cryptographic protection for message externals addresses protection from the unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems."},{"id":"sc-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}."},{"id":"sc-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity for message externals\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.4","class":"SP800-53-enhancement","title":"Conceal or Randomize Communications","params":[{"id":"sc-08.04_odp","props":[{"name":"alt-identifier","value":"sc-8.4_prm_1"},{"name":"label","value":"SC-08(04)_ODP","class":"sp800-53a"}],"label":"alternative physical controls","guidelines":[{"prose":"alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;"}]}],"props":[{"name":"label","value":"SC-8(4)"},{"name":"label","value":"SC-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.4_smt","name":"statement","prose":"Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}."},{"id":"sc-8.4_gdn","name":"guidance","prose":"Concealing or randomizing communication patterns addresses protection from unauthorized disclosure of information. Communication patterns include frequency, periods, predictability, and amount. Changes to communications patterns can reveal information with intelligence value, especially when combined with other available information related to the mission and business functions of the organization. Concealing or randomizing communications prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed, or random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical controls include protected distribution systems."},{"id":"sc-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(04)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}."},{"id":"sc-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing concealment or randomization of communication patterns\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.5","class":"SP800-53-enhancement","title":"Protected Distribution System","params":[{"id":"sc-08.05_odp.01","props":[{"name":"alt-identifier","value":"sc-8.5_prm_1"},{"name":"label","value":"SC-08(05)_ODP[01]","class":"sp800-53a"}],"label":"protected distribution system","guidelines":[{"prose":"the protected distribution system is defined;"}]},{"id":"sc-08.05_odp.02","props":[{"name":"alt-identifier","value":"sc-8.5_prm_2"},{"name":"label","value":"SC-08(05)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(5)"},{"name":"label","value":"SC-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"}],"parts":[{"id":"sc-8.5_smt","name":"statement","prose":"Implement {{ insert: param, sc-08.05_odp.01 }} to {{ insert: param, sc-08.05_odp.02 }} during transmission."},{"id":"sc-8.5_gdn","name":"guidance","prose":"The purpose of a protected distribution system is to deter, detect, and\/or make difficult physical access to the communication lines that carry national security information."},{"id":"sc-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(05)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08.05_odp.01 }} is implemented to {{ insert: param, sc-08.05_odp.02 }} during transmission."},{"id":"sc-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing concealment or randomization of communication patterns\n\nmechanisms supporting and\/or implementing protected distribution systems"}]}]}]},{"id":"sc-9","class":"SP800-53","title":"Transmission Confidentiality","props":[{"name":"label","value":"SC-9"},{"name":"label","value":"SC-09","class":"sp800-53a"},{"name":"sort-id","value":"sc-09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-8","rel":"incorporated-into"}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-11","class":"SP800-53","title":"Trusted Path","params":[{"id":"sc-11_odp.01","props":[{"name":"alt-identifier","value":"sc-11_prm_1"},{"name":"label","value":"SC-11_ODP[01]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-11_odp.02","props":[{"name":"alt-identifier","value":"sc-11_prm_2"},{"name":"label","value":"SC-11_ODP[02]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions of the system are defined;"}]}],"props":[{"name":"label","value":"SC-11"},{"name":"label","value":"SC-11","class":"sp800-53a"},{"name":"sort-id","value":"sc-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-11_smt","name":"statement","parts":[{"id":"sc-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and"},{"id":"sc-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: {{ insert: param, sc-11_odp.02 }}."}]},{"id":"sc-11_gdn","name":"guidance","prose":"Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the <BREAK> key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the <CTRL> + <ALT> + <DEL> keys). Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept."},{"id":"sc-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-11","class":"sp800-53a"}],"parts":[{"id":"sc-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-11a.","class":"sp800-53a"}],"prose":"a {{ insert: param, sc-11_odp.01 }} isolated trusted communication path is provided for communications between the user and the trusted components of the system;"},{"id":"sc-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-11b.","class":"sp800-53a"}],"prose":"users are permitted to invoke the trusted communication path for communications between the user and the {{ insert: param, sc-11_odp.02 }} of the system, including authentication and re-authentication, at a minimum."}]},{"id":"sc-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing trusted communication paths\n\nsecurity plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nassessment results from independent, testing organizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing trusted communication paths"}]}],"controls":[{"id":"sc-11.1","class":"SP800-53-enhancement","title":"Irrefutable Communications Path","params":[{"id":"sc-11.01_odp","props":[{"name":"alt-identifier","value":"sc-11.1_prm_1"},{"name":"label","value":"SC-11(01)_ODP","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions of the system are defined;"}]}],"props":[{"name":"label","value":"SC-11(1)"},{"name":"label","value":"SC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-11","rel":"required"}],"parts":[{"id":"sc-11.1_smt","name":"statement","parts":[{"id":"sc-11.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and"},{"id":"sc-11.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Initiate the trusted communications path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user."}]},{"id":"sc-11.1_gdn","name":"guidance","prose":"An irrefutable communications path permits the system to initiate a trusted path, which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed."},{"id":"sc-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)","class":"sp800-53a"}],"parts":[{"id":"sc-11.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)(a)","class":"sp800-53a"}],"prose":"a trusted communication path that is irrefutably distinguishable from other communication paths is provided;"},{"id":"sc-11.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)(b)","class":"sp800-53a"}],"prose":"the trusted communication path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user is initiated."}]},{"id":"sc-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing trusted communication paths\n\nsecurity plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nassessment results from independent, testing organizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing trusted communication paths"}]}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"label","value":"SC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"Maintain availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key."},{"id":"sc-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(01)","class":"sp800-53a"}],"prose":"information availability is maintained in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-12.2","class":"SP800-53-enhancement","title":"Symmetric Keys","params":[{"id":"sc-12.02_odp","props":[{"name":"alt-identifier","value":"sc-12.2_prm_1"},{"name":"label","value":"SC-12(02)_ODP","class":"sp800-53a"}],"select":{"choice":["NIST FIPS-validated","NSA-approved"]}}],"props":[{"name":"label","value":"SC-12(2)"},{"name":"label","value":"SC-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.2_smt","name":"statement","prose":"Produce, control, and distribute symmetric cryptographic keys using {{ insert: param, sc-12.02_odp }} key management technology and processes."},{"id":"sc-12.2_gdn","name":"guidance","prose":"[SP 800-56A](#20957dbb-6a1e-40a2-b38a-66f67d33ac2e), [SP 800-56B](#0d083d8a-5cc6-46f1-8d79-3081d42bcb75) , and [SP 800-56C](#eef62b16-c796-4554-955c-505824135b8a) provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1](#110e26af-4765-49e1-8740-6750f83fcda1), [SP 800-57-2](#e7942589-e267-4a5a-a3d9-f39a7aae81f0) , and [SP 800-57-3](#8306620b-1920-4d73-8b21-12008528595f) provide guidance on cryptographic key management."},{"id":"sc-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)","class":"sp800-53a"}],"parts":[{"id":"sc-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[01]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are produced using {{ insert: param, sc-12.02_odp }} key management technology and processes;"},{"id":"sc-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[02]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are controlled using {{ insert: param, sc-12.02_odp }} key management technology and processes;"},{"id":"sc-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[03]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are distributed using {{ insert: param, sc-12.02_odp }} key management technology and processes."}]},{"id":"sc-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of FIPS-validated cryptographic products\n\nlist of NSA-approved cryptographic products\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing symmetric cryptographic key establishment and management"}]}]},{"id":"sc-12.3","class":"SP800-53-enhancement","title":"Asymmetric Keys","params":[{"id":"sc-12.03_odp","props":[{"name":"alt-identifier","value":"sc-12.3_prm_1"},{"name":"label","value":"SC-12(03)_ODP","class":"sp800-53a"}],"select":{"choice":["NSA-approved key management technology and processes","prepositioned keying material","DoD-approved or DoD-issued Medium Assurance PKI certificates","DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key","certificates issued in accordance with organization-defined requirements"]}}],"props":[{"name":"label","value":"SC-12(3)"},{"name":"label","value":"SC-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.3_smt","name":"statement","prose":"Produce, control, and distribute asymmetric cryptographic keys using {{ insert: param, sc-12.03_odp }}."},{"id":"sc-12.3_gdn","name":"guidance","prose":"[SP 800-56A](#20957dbb-6a1e-40a2-b38a-66f67d33ac2e), [SP 800-56B](#0d083d8a-5cc6-46f1-8d79-3081d42bcb75) , and [SP 800-56C](#eef62b16-c796-4554-955c-505824135b8a) provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1](#110e26af-4765-49e1-8740-6750f83fcda1), [SP 800-57-2](#e7942589-e267-4a5a-a3d9-f39a7aae81f0) , and [SP 800-57-3](#8306620b-1920-4d73-8b21-12008528595f) provide guidance on cryptographic key management."},{"id":"sc-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)","class":"sp800-53a"}],"parts":[{"id":"sc-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[01]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are produced using {{ insert: param, sc-12.03_odp }};"},{"id":"sc-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[02]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are controlled using {{ insert: param, sc-12.03_odp }};"},{"id":"sc-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[03]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are distributed using {{ insert: param, sc-12.03_odp }}."}]},{"id":"sc-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of NSA-approved cryptographic products\n\nlist of approved PKI Class 3 and Class 4 certificates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key establishment or management\n\norganizational personnel with responsibilities for PKI certificates"}]},{"id":"sc-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing asymmetric cryptographic key establishment and management"}]}]},{"id":"sc-12.4","class":"SP800-53-enhancement","title":"PKI Certificates","props":[{"name":"label","value":"SC-12(4)"},{"name":"label","value":"SC-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-12.3","rel":"incorporated-into"}]},{"id":"sc-12.5","class":"SP800-53-enhancement","title":"PKI Certificates \/ Hardware Tokens","props":[{"name":"label","value":"SC-12(5)"},{"name":"label","value":"SC-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-12.3","rel":"incorporated-into"}]},{"id":"sc-12.6","class":"SP800-53-enhancement","title":"Physical Control of Keys","props":[{"name":"label","value":"SC-12(6)"},{"name":"label","value":"SC-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.6_smt","name":"statement","prose":"Maintain physical control of cryptographic keys when stored information is encrypted by external service providers."},{"id":"sc-12.6_gdn","name":"guidance","prose":"For organizations that use external service providers (e.g., cloud service or data center providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification."},{"id":"sc-12.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(06)","class":"sp800-53a"}],"prose":"physical control of cryptographic keys is maintained when stored information is encrypted by external service providers."},{"id":"sc-12.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-13_odp.01 }} are identified;"},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}],"controls":[{"id":"sc-13.1","class":"SP800-53-enhancement","title":"FIPS-validated Cryptography","props":[{"name":"label","value":"SC-13(1)"},{"name":"label","value":"SC-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.2","class":"SP800-53-enhancement","title":"NSA-approved Cryptography","props":[{"name":"label","value":"SC-13(2)"},{"name":"label","value":"SC-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.3","class":"SP800-53-enhancement","title":"Individuals Without Formal Access Approvals","props":[{"name":"label","value":"SC-13(3)"},{"name":"label","value":"SC-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.4","class":"SP800-53-enhancement","title":"Digital Signatures","props":[{"name":"label","value":"SC-13(4)"},{"name":"label","value":"SC-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]}]},{"id":"sc-14","class":"SP800-53","title":"Public Access Protections","props":[{"name":"label","value":"SC-14"},{"name":"label","value":"SC-14","class":"sp800-53a"},{"name":"sort-id","value":"sc-14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#ac-3","rel":"incorporated-into"},{"href":"#ac-5","rel":"incorporated-into"},{"href":"#ac-6","rel":"incorporated-into"},{"href":"#si-3","rel":"incorporated-into"},{"href":"#si-4","rel":"incorporated-into"},{"href":"#si-5","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"},{"href":"#si-10","rel":"incorporated-into"}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices."}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}],"controls":[{"id":"sc-15.1","class":"SP800-53-enhancement","title":"Physical or Logical Disconnect","params":[{"id":"sc-15.01_odp","props":[{"name":"alt-identifier","value":"sc-15.1_prm_1"},{"name":"label","value":"SC-15(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["physical","logical"]}}],"props":[{"name":"label","value":"SC-15(1)"},{"name":"label","value":"SC-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.1_smt","name":"statement","prose":"Provide {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices in a manner that supports ease of use."},{"id":"sc-15.1_gdn","name":"guidance","prose":"Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures. Disconnect from collaborative computing devices can be manual or automatic."},{"id":"sc-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(01)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices is\/are provided in a manner that supports ease of use."},{"id":"sc-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical disconnect of collaborative computing devices"}]}]},{"id":"sc-15.2","class":"SP800-53-enhancement","title":"Blocking Inbound and Outbound Communications Traffic","props":[{"name":"label","value":"SC-15(2)"},{"name":"label","value":"SC-15(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-15.3","class":"SP800-53-enhancement","title":"Disabling and Removal in Secure Work Areas","params":[{"id":"sc-15.03_odp.01","props":[{"name":"alt-identifier","value":"sc-15.3_prm_1"},{"name":"label","value":"SC-15(03)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components from which collaborative computing devices are to be disabled or removed are defined;"}]},{"id":"sc-15.03_odp.02","props":[{"name":"alt-identifier","value":"sc-15.3_prm_2"},{"name":"label","value":"SC-15(03)_ODP[02]","class":"sp800-53a"}],"label":"secure work areas","guidelines":[{"prose":"secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined;"}]}],"props":[{"name":"label","value":"SC-15(3)"},{"name":"label","value":"SC-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.3_smt","name":"statement","prose":"Disable or remove collaborative computing devices and applications from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}."},{"id":"sc-15.3_gdn","name":"guidance","prose":"Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A Sensitive Compartmented Information Facility (SCIF) is an example of a secure work area."},{"id":"sc-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(03)","class":"sp800-53a"}],"prose":"collaborative computing devices and applications are disabled or removed from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}."},{"id":"sc-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of secure work areas\n\nsystems or system components in secured work areas where collaborative computing devices are to be disabled or removed\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to disable collaborative computing devices"}]}]},{"id":"sc-15.4","class":"SP800-53-enhancement","title":"Explicitly Indicate Current Participants","params":[{"id":"sc-15.04_odp","props":[{"name":"alt-identifier","value":"sc-15.4_prm_1"},{"name":"label","value":"SC-15(04)_ODP","class":"sp800-53a"}],"label":"online meetings and teleconferences","guidelines":[{"prose":"online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined;"}]}],"props":[{"name":"label","value":"SC-15(4)"},{"name":"label","value":"SC-15(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.4_smt","name":"statement","prose":"Provide an explicit indication of current participants in {{ insert: param, sc-15.04_odp }}."},{"id":"sc-15.4_gdn","name":"guidance","prose":"Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants."},{"id":"sc-15.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(04)","class":"sp800-53a"}],"prose":"an explicit indication of current participants in {{ insert: param, sc-15.04_odp }} is provided."},{"id":"sc-15.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of types of meetings and teleconferences requiring explicit indication of current participants\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to indicate participants on collaborative computing devices"}]}]}]},{"id":"sc-16","class":"SP800-53","title":"Transmission of Security and Privacy Attributes","params":[{"id":"sc-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-16_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"sc-16_odp.01","props":[{"name":"label","value":"SC-16_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with information exchanged are defined;"}]},{"id":"sc-16_odp.02","props":[{"name":"label","value":"SC-16_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with information exchanged are defined;"}]}],"props":[{"name":"label","value":"SC-16"},{"name":"label","value":"SC-16","class":"sp800-53a"},{"name":"sort-id","value":"sc-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"sc-16_smt","name":"statement","prose":"Associate {{ insert: param, sc-16_prm_1 }} with information exchanged between systems and between system components."},{"id":"sc-16_gdn","name":"guidance","prose":"Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes."},{"id":"sc-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16","class":"sp800-53a"}],"parts":[{"id":"sc-16_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-16[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between systems;"},{"id":"sc-16_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-16[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between system components;"},{"id":"sc-16_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-16[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between systems;"},{"id":"sc-16_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-16[04]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between system components."}]},{"id":"sc-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\ninformation flow control policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sc-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the transmission of security and privacy attributes between systems"}]}],"controls":[{"id":"sc-16.1","class":"SP800-53-enhancement","title":"Integrity Verification","props":[{"name":"label","value":"SC-16(1)"},{"name":"label","value":"SC-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"sc-16.1_smt","name":"statement","prose":"Verify the integrity of transmitted security and privacy attributes."},{"id":"sc-16.1_gdn","name":"guidance","prose":"Part of verifying the integrity of transmitted information is ensuring that security and privacy attributes that are associated with such information have not been modified in an unauthorized manner. Unauthorized modification of security or privacy attributes can result in a loss of integrity for transmitted information."},{"id":"sc-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)","class":"sp800-53a"}],"parts":[{"id":"sc-16.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)[01]","class":"sp800-53a"}],"prose":"the integrity of transmitted security attributes is verified;"},{"id":"sc-16.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)[02]","class":"sp800-53a"}],"prose":"the integrity of transmitted privacy attributes is verified."}]},{"id":"sc-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sc-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing verification of the integrity of transmitted security and privacy attributes"}]}]},{"id":"sc-16.2","class":"SP800-53-enhancement","title":"Anti-spoofing Mechanisms","props":[{"name":"label","value":"SC-16(2)"},{"name":"label","value":"SC-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-16.2_smt","name":"statement","prose":"Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process."},{"id":"sc-16.2_gdn","name":"guidance","prose":"Some attack vectors operate by altering the security attributes of an information system to intentionally and maliciously implement an insufficient level of security within the system. The alteration of attributes leads organizations to believe that a greater number of security functions are in place and operational than have actually been implemented."},{"id":"sc-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(02)","class":"sp800-53a"}],"prose":"anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process."},{"id":"sc-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-16.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing anti-spoofing mechanisms"}]}]},{"id":"sc-16.3","class":"SP800-53-enhancement","title":"Cryptographic Binding","params":[{"id":"sc-16.03_odp","props":[{"name":"alt-identifier","value":"sc-16.3_prm_1"},{"name":"label","value":"SC-16(03)_ODP","class":"sp800-53a"}],"label":"mechanisms or techniques","guidelines":[{"prose":"mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;"}]}],"props":[{"name":"label","value":"SC-16(3)"},{"name":"label","value":"SC-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-16.3_smt","name":"statement","prose":"Implement {{ insert: param, sc-16.03_odp }} to bind security and privacy attributes to transmitted information."},{"id":"sc-16.3_gdn","name":"guidance","prose":"Cryptographic mechanisms and techniques can provide strong security and privacy attribute binding to transmitted information to help ensure the integrity of such information."},{"id":"sc-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(03)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16.03_odp }} are implemented to bind security and privacy attributes to transmitted information."},{"id":"sc-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing anti-spoofing mechanisms"}]}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;"},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;"},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;"},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;"},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;"},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system."}]}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}],"controls":[{"id":"sc-18.1","class":"SP800-53-enhancement","title":"Identify Unacceptable Code and Take Corrective Actions","params":[{"id":"sc-18.01_odp.01","props":[{"name":"alt-identifier","value":"sc-18.1_prm_1"},{"name":"label","value":"SC-18(01)_ODP[01]","class":"sp800-53a"}],"label":"unacceptable mobile code","guidelines":[{"prose":"unacceptable mobile code to be identified is defined;"}]},{"id":"sc-18.01_odp.02","props":[{"name":"alt-identifier","value":"sc-18.1_prm_2"},{"name":"label","value":"SC-18(01)_ODP[02]","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken when unacceptable mobile code is identified are defined;"}]}],"props":[{"name":"label","value":"SC-18(1)"},{"name":"label","value":"SC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.1_smt","name":"statement","prose":"Identify {{ insert: param, sc-18.01_odp.01 }} and take {{ insert: param, sc-18.01_odp.02 }}."},{"id":"sc-18.1_gdn","name":"guidance","prose":"Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing the transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code."},{"id":"sc-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)","class":"sp800-53a"}],"parts":[{"id":"sc-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.01_odp.01 }} is identified;"},{"id":"sc-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.01_odp.02 }} are taken if unacceptable mobile code is identified."}]},{"id":"sc-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unacceptable mobile code\n\nlist of corrective actions to be taken when unacceptable mobile code is identified\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing mobile code detection, inspection, and corrective capabilities"}]}]},{"id":"sc-18.2","class":"SP800-53-enhancement","title":"Acquisition, Development, and Use","params":[{"id":"sc-18.02_odp","props":[{"name":"alt-identifier","value":"sc-18.2_prm_1"},{"name":"label","value":"SC-18(02)_ODP","class":"sp800-53a"}],"label":"mobile code requirements","guidelines":[{"prose":"mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are defined;"}]}],"props":[{"name":"label","value":"SC-18(2)"},{"name":"label","value":"SC-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.2_smt","name":"statement","prose":"Verify that the acquisition, development, and use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}."},{"id":"sc-18.2_gdn","name":"guidance","prose":"None."},{"id":"sc-18.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)","class":"sp800-53a"}],"parts":[{"id":"sc-18.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[01]","class":"sp800-53a"}],"prose":"the acquisition of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};"},{"id":"sc-18.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[02]","class":"sp800-53a"}],"prose":"the development of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};"},{"id":"sc-18.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[03]","class":"sp800-53a"}],"prose":"the use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}."}]},{"id":"sc-18.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code requirements\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nacquisition documentation\n\nacquisition contracts for system, system component, or system service\n\nsystem development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code\n\norganizational personnel with acquisition and contracting responsibilities"}]},{"id":"sc-18.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the acquisition, development, and use of mobile code"}]}]},{"id":"sc-18.3","class":"SP800-53-enhancement","title":"Prevent Downloading and Execution","params":[{"id":"sc-18.03_odp","props":[{"name":"alt-identifier","value":"sc-18.3_prm_1"},{"name":"label","value":"SC-18(03)_ODP","class":"sp800-53a"}],"label":"unacceptable mobile code","guidelines":[{"prose":"unacceptable mobile code to be prevented from downloading and executing is defined;"}]}],"props":[{"name":"label","value":"SC-18(3)"},{"name":"label","value":"SC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.3_smt","name":"statement","prose":"Prevent the download and execution of {{ insert: param, sc-18.03_odp }}."},{"id":"sc-18.3_gdn","name":"guidance","prose":"None."},{"id":"sc-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)","class":"sp800-53a"}],"parts":[{"id":"sc-18.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)[01]","class":"sp800-53a"}],"prose":"the download of {{ insert: param, sc-18.03_odp }} is prevented;"},{"id":"sc-18.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)[02]","class":"sp800-53a"}],"prose":"the execution of {{ insert: param, sc-18.03_odp }} is prevented."}]},{"id":"sc-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the download and execution of unacceptable mobile code"}]}]},{"id":"sc-18.4","class":"SP800-53-enhancement","title":"Prevent Automatic Execution","params":[{"id":"sc-18.04_odp.01","props":[{"name":"alt-identifier","value":"sc-18.4_prm_1"},{"name":"label","value":"SC-18(04)_ODP[01]","class":"sp800-53a"}],"label":"software applications","guidelines":[{"prose":"software applications in which the automatic execution of mobile code is to be prevented are defined;"}]},{"id":"sc-18.04_odp.02","props":[{"name":"alt-identifier","value":"sc-18.4_prm_2"},{"name":"label","value":"SC-18(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be enforced by the system prior to executing mobile code are defined;"}]}],"props":[{"name":"label","value":"SC-18(4)"},{"name":"label","value":"SC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.4_smt","name":"statement","prose":"Prevent the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} and enforce {{ insert: param, sc-18.04_odp.02 }} prior to executing the code."},{"id":"sc-18.4_gdn","name":"guidance","prose":"Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ portable storage devices, such as compact discs, digital versatile discs, and universal serial bus devices."},{"id":"sc-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)","class":"sp800-53a"}],"parts":[{"id":"sc-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)[01]","class":"sp800-53a"}],"prose":"the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} is prevented;"},{"id":"sc-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.04_odp.02 }} are enforced prior to executing mobile code."}]},{"id":"sc-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software applications in which the automatic execution of mobile code must be prohibited\n\nlist of actions required before execution of mobile code\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the automatic execution of unacceptable mobile code\n\nmechanisms enforcing actions to be taken prior to the execution of the mobile code"}]}]},{"id":"sc-18.5","class":"SP800-53-enhancement","title":"Allow Execution Only in Confined Environments","props":[{"name":"label","value":"SC-18(5)"},{"name":"label","value":"SC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"},{"href":"#sc-44","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-18.5_smt","name":"statement","prose":"Allow execution of permitted mobile code only in confined virtual machine environments."},{"id":"sc-18.5_gdn","name":"guidance","prose":"Permitting the execution of mobile code only in confined virtual machine environments helps prevent the introduction of malicious code into other systems and system components."},{"id":"sc-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(05)","class":"sp800-53a"}],"prose":"execution of permitted mobile code is allowed only in confined virtual machine environments."},{"id":"sc-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage allowances\n\nmobile code usage restrictions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of confined virtual machine environments in which the execution of organizationally acceptable mobile code is allowed\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms allowing for the execution of permitted mobile code in confined virtual machine environments"}]}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"label","value":"SC-19"},{"name":"label","value":"SC-19","class":"sp800-53a"},{"name":"sort-id","value":"sc-19"},{"name":"status","value":"withdrawn"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"Technology-specific; addressed as any other technology or protocol."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."}]}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}],"controls":[{"id":"sc-20.1","class":"SP800-53-enhancement","title":"Child Subspaces","props":[{"name":"label","value":"SC-20(1)"},{"name":"label","value":"SC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-20.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-20","rel":"incorporated-into"}]},{"id":"sc-20.2","class":"SP800-53-enhancement","title":"Data Origin and Integrity","props":[{"name":"label","value":"SC-20(2)"},{"name":"label","value":"SC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-20","rel":"required"}],"parts":[{"id":"sc-20.2_smt","name":"statement","prose":"Provide data origin and integrity protection artifacts for internal name\/address resolution queries."},{"id":"sc-20.2_gdn","name":"guidance","prose":"None."},{"id":"sc-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)","class":"sp800-53a"}],"parts":[{"id":"sc-20.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)[01]","class":"sp800-53a"}],"prose":"data origin artifacts are provided for internal name\/address resolution queries;"},{"id":"sc-20.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)[02]","class":"sp800-53a"}],"prose":"integrity protection artifacts are provided for internal name\/address resolution queries."}]},{"id":"sc-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin and integrity protection for internal name\/address resolution service queries"}]}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;"},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources."}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}],"controls":[{"id":"sc-21.1","class":"SP800-53-enhancement","title":"Data Origin and Integrity","props":[{"name":"label","value":"SC-21(1)"},{"name":"label","value":"SC-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-21.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-21","rel":"incorporated-into"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;"},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;"},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation."}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected."},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}],"controls":[{"id":"sc-23.1","class":"SP800-53-enhancement","title":"Invalidate Session Identifiers at Logout","props":[{"name":"label","value":"SC-23(1)"},{"name":"label","value":"SC-23(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"}],"parts":[{"id":"sc-23.1_smt","name":"statement","prose":"Invalidate session identifiers upon user logout or other session termination."},{"id":"sc-23.1_gdn","name":"guidance","prose":"Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs."},{"id":"sc-23.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(01)","class":"sp800-53a"}],"prose":"session identifiers are invalidated upon user logout or other session termination."},{"id":"sc-23.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session identifier invalidation upon session termination"}]}]},{"id":"sc-23.2","class":"SP800-53-enhancement","title":"User-initiated Logouts and Message Displays","props":[{"name":"label","value":"SC-23(2)"},{"name":"label","value":"SC-23(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-12.1","rel":"incorporated-into"}]},{"id":"sc-23.3","class":"SP800-53-enhancement","title":"Unique System-generated Session Identifiers","params":[{"id":"sc-23.03_odp","props":[{"name":"alt-identifier","value":"sc-23.3_prm_1"},{"name":"label","value":"SC-23(03)_ODP","class":"sp800-53a"}],"label":"randomness requirements","guidelines":[{"prose":"randomness requirements for generating a unique session identifier for each session are defined;"}]}],"props":[{"name":"label","value":"SC-23(3)"},{"name":"label","value":"SC-23(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"},{"href":"#ac-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-23.3_smt","name":"statement","prose":"Generate a unique session identifier for each session with {{ insert: param, sc-23.03_odp }} and recognize only session identifiers that are system-generated."},{"id":"sc-23.3_gdn","name":"guidance","prose":"Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers."},{"id":"sc-23.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)","class":"sp800-53a"}],"parts":[{"id":"sc-23.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)[01]","class":"sp800-53a"}],"prose":"a unique session identifier is generated for each session with {{ insert: param, sc-23.03_odp }};"},{"id":"sc-23.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)[02]","class":"sp800-53a"}],"prose":"only system-generated session identifiers are recognized."}]},{"id":"sc-23.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting, implementing, generating, and monitoring unique session identifiers\n\nmechanisms supporting and\/or implementing randomness requirements"}]}]},{"id":"sc-23.4","class":"SP800-53-enhancement","title":"Unique Session Identifiers with Randomization","props":[{"name":"label","value":"SC-23(4)"},{"name":"label","value":"SC-23(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-23.3","rel":"incorporated-into"}]},{"id":"sc-23.5","class":"SP800-53-enhancement","title":"Allowed Certificate Authorities","params":[{"id":"sc-23.05_odp","props":[{"name":"alt-identifier","value":"sc-23.5_prm_1"},{"name":"alt-label","value":"certificate authorities","class":"sp800-53"},{"name":"label","value":"SC-23(05)_ODP","class":"sp800-53a"}],"label":"certificated authorities","guidelines":[{"prose":"certificate authorities to be allowed for verification of the establishment of protected sessions are defined;"}]}],"props":[{"name":"label","value":"SC-23(5)"},{"name":"label","value":"SC-23(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-23.5_smt","name":"statement","prose":"Only allow the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions."},{"id":"sc-23.5_gdn","name":"guidance","prose":"Reliance on certificate authorities for the establishment of secure sessions includes the use of Transport Layer Security (TLS) certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers."},{"id":"sc-23.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(05)","class":"sp800-53a"}],"prose":"only the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions is allowed."},{"id":"sc-23.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of certificate authorities allowed for verification of the establishment of protected sessions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of certificate authorities"}]}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_odp.01","props":[{"name":"alt-identifier","value":"sc-24_prm_3"},{"name":"alt-label","value":"list of organization-defined types of system failures on organization-defined system components","class":"sp800-53"},{"name":"label","value":"SC-24_ODP[01]","class":"sp800-53a"}],"label":"types of system failures on system components","guidelines":[{"prose":"types of system failures for which the system components fail to a known state are defined;"}]},{"id":"sc-24_odp.02","props":[{"name":"alt-identifier","value":"sc-24_prm_1"},{"name":"label","value":"SC-24_ODP[02]","class":"sp800-53a"}],"label":"known system state","guidelines":[{"prose":"known system state to which system components fail in the event of a system failure is defined;"}]},{"id":"sc-24_odp.03","props":[{"name":"alt-identifier","value":"sc-24_prm_2"},{"name":"label","value":"SC-24_ODP[03]","class":"sp800-53a"}],"label":"system state information","guidelines":[{"prose":"system state information to be preserved in the event of a system failure is defined;"}]}],"props":[{"name":"label","value":"SC-24"},{"name":"label","value":"SC-24","class":"sp800-53a"},{"name":"sort-id","value":"sc-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes."},{"id":"sc-24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-24","class":"sp800-53a"}],"prose":"{{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure."},{"id":"sc-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-25","class":"SP800-53","title":"Thin Nodes","params":[{"id":"sc-25_odp","props":[{"name":"alt-identifier","value":"sc-25_prm_1"},{"name":"label","value":"SC-25_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be employed with minimal functionality and information storage are defined;"}]}],"props":[{"name":"label","value":"SC-25"},{"name":"label","value":"SC-25","class":"sp800-53a"},{"name":"sort-id","value":"sc-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-30","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"sc-25_smt","name":"statement","prose":"Employ minimal functionality and information storage on the following system components: {{ insert: param, sc-25_odp }}."},{"id":"sc-25_gdn","name":"guidance","prose":"The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies."},{"id":"sc-25_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-25","class":"sp800-53a"}],"parts":[{"id":"sc-25_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-25[01]","class":"sp800-53a"}],"prose":"minimal functionality for {{ insert: param, sc-25_odp }} is employed;"},{"id":"sc-25_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-25[02]","class":"sp800-53a"}],"prose":"minimal information storage on {{ insert: param, sc-25_odp }} is allocated."}]},{"id":"sc-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing use of thin nodes\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing thin nodes"}]}]},{"id":"sc-26","class":"SP800-53","title":"Decoys","props":[{"name":"label","value":"SC-26"},{"name":"label","value":"SC-26","class":"sp800-53a"},{"name":"sort-id","value":"sc-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-26_smt","name":"statement","prose":"Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks."},{"id":"sc-26_gdn","name":"guidance","prose":"Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational mission and business functions. Use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. Depending on the specific usage of the decoy, consultation with the Office of the General Counsel before deployment may be needed."},{"id":"sc-26_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-26","class":"sp800-53a"}],"parts":[{"id":"sc-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-26[01]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;"},{"id":"sc-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-26[02]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;"},{"id":"sc-26_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-26[03]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks."}]},{"id":"sc-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of decoys\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing decoys"}]}],"controls":[{"id":"sc-26.1","class":"SP800-53-enhancement","title":"Detection of Malicious Code","props":[{"name":"label","value":"SC-26(1)"},{"name":"label","value":"SC-26(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-26.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-35","rel":"incorporated-into"}]}]},{"id":"sc-27","class":"SP800-53","title":"Platform-independent Applications","params":[{"id":"sc-27_odp","props":[{"name":"alt-identifier","value":"sc-27_prm_1"},{"name":"label","value":"SC-27_ODP","class":"sp800-53a"}],"label":"platform-independent applications","guidelines":[{"prose":"platform-independent applications to be included within organizational systems are defined;"}]}],"props":[{"name":"label","value":"SC-27"},{"name":"label","value":"SC-27","class":"sp800-53a"},{"name":"sort-id","value":"sc-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-29","rel":"related"}],"parts":[{"id":"sc-27_smt","name":"statement","prose":"Include within organizational systems the following platform independent applications: {{ insert: param, sc-27_odp }}."},{"id":"sc-27_gdn","name":"guidance","prose":"Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increase the availability of mission-essential functions within organizations in situations where systems with specific operating systems are under attack."},{"id":"sc-27_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-27","class":"sp800-53a"}],"prose":"{{ insert: param, sc-27_odp }} are included within organizational systems."},{"id":"sc-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing platform-independent applications\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of platform-independent applications\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-27-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing platform-independent applications"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected."},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-28.2","class":"SP800-53-enhancement","title":"Offline Storage","params":[{"id":"sc-28.02_odp","props":[{"name":"alt-identifier","value":"sc-28.2_prm_1"},{"name":"label","value":"SC-28(02)_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from online storage and stored offline in a secure location is defined;"}]}],"props":[{"name":"label","value":"SC-28(2)"},{"name":"label","value":"SC-28(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-28","rel":"required"}],"parts":[{"id":"sc-28.2_smt","name":"statement","prose":"Remove the following information from online storage and store offline in a secure location: {{ insert: param, sc-28.02_odp }}."},{"id":"sc-28.2_gdn","name":"guidance","prose":"Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage."},{"id":"sc-28.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)","class":"sp800-53a"}],"parts":[{"id":"sc-28.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-28.02_odp }} is removed from online storage;"},{"id":"sc-28.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-28.02_odp }} is stored offline in a secure location."}]},{"id":"sc-28.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\noffline storage locations for information at rest\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-28.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the removal of information from online storage\n\nmechanisms supporting and\/or implementing storage of information offline"}]}]},{"id":"sc-28.3","class":"SP800-53-enhancement","title":"Cryptographic Keys","params":[{"id":"sc-28.03_odp.01","props":[{"name":"alt-identifier","value":"sc-28.3_prm_1"},{"name":"label","value":"SC-28(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["{{ insert: param, sc-28.03_odp.02 }} ","hardware-protected key store"]}},{"id":"sc-28.03_odp.02","props":[{"name":"alt-identifier","value":"sc-28.3_prm_2"},{"name":"label","value":"SC-28(03)_ODP[02]","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards for protecting the storage of cryptographic keys are defined (if selected);"}]}],"props":[{"name":"label","value":"SC-28(3)"},{"name":"label","value":"SC-28(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.3_smt","name":"statement","prose":"Provide protected storage for cryptographic keys {{ insert: param, sc-28.03_odp.01 }}."},{"id":"sc-28.3_gdn","name":"guidance","prose":"A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys."},{"id":"sc-28.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(03)","class":"sp800-53a"}],"prose":"protected storage for cryptographic keys is provided using {{ insert: param, sc-28.03_odp.01 }}."},{"id":"sc-28.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-28.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing hardware-based key store protection"}]}]}]},{"id":"sc-29","class":"SP800-53","title":"Heterogeneity","params":[{"id":"sc-29_odp","props":[{"name":"alt-identifier","value":"sc-29_prm_1"},{"name":"label","value":"SC-29_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined;"}]}],"props":[{"name":"label","value":"SC-29"},{"name":"label","value":"SC-29","class":"sp800-53a"},{"name":"sort-id","value":"sc-29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-9","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sc-27","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sc-29_smt","name":"statement","prose":"Employ a diverse set of information technologies for the following system components in the implementation of the system: {{ insert: param, sc-29_odp }}."},{"id":"sc-29_gdn","name":"guidance","prose":"Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations."},{"id":"sc-29_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-29","class":"sp800-53a"}],"prose":"a diverse set of information technologies is employed for {{ insert: param, sc-29_odp }} in the implementation of the system."},{"id":"sc-29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-29-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of technologies deployed in the system\n\nacquisition documentation\n\nacquisition contracts for system components or services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-29-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with system acquisition, development, and implementation responsibilities"}]},{"id":"sc-29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-29-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of a diverse set of information technologies"}]}],"controls":[{"id":"sc-29.1","class":"SP800-53-enhancement","title":"Virtualization Techniques","params":[{"id":"sc-29.01_odp","props":[{"name":"alt-identifier","value":"sc-29.1_prm_1"},{"name":"label","value":"SC-29(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined;"}]}],"props":[{"name":"label","value":"SC-29(1)"},{"name":"label","value":"SC-29(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-29.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-29","rel":"required"}],"parts":[{"id":"sc-29.1_smt","name":"statement","prose":"Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}."},{"id":"sc-29.1_gdn","name":"guidance","prose":"While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments."},{"id":"sc-29.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-29(01)","class":"sp800-53a"}],"prose":"virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}."},{"id":"sc-29.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-29(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of operating systems and applications deployed using virtualization techniques\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-29.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-29(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for implementing approved virtualization techniques to the system"}]},{"id":"sc-29.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-29(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of a diverse set of information technologies\n\nmechanisms supporting and\/or implementing virtualization techniques"}]}]}]},{"id":"sc-30","class":"SP800-53","title":"Concealment and Misdirection","params":[{"id":"sc-30_odp.01","props":[{"name":"alt-identifier","value":"sc-30_prm_3"},{"name":"label","value":"SC-30_ODP[01]","class":"sp800-53a"}],"label":"concealment and misdirection techniques","guidelines":[{"prose":"concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;"}]},{"id":"sc-30_odp.02","props":[{"name":"alt-identifier","value":"sc-30_prm_1"},{"name":"label","value":"SC-30_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which concealment and misdirection techniques are to be employed are defined;"}]},{"id":"sc-30_odp.03","props":[{"name":"alt-identifier","value":"sc-30_prm_2"},{"name":"label","value":"SC-30_ODP[03]","class":"sp800-53a"}],"label":"time periods","guidelines":[{"prose":"time periods to employ concealment and misdirection techniques for systems are defined;"}]}],"props":[{"name":"label","value":"SC-30"},{"name":"label","value":"SC-30","class":"sp800-53a"},{"name":"sort-id","value":"sc-30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sc-25","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"sc-30_smt","name":"statement","prose":"Employ the following concealment and misdirection techniques for {{ insert: param, sc-30_odp.02 }} at {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries: {{ insert: param, sc-30_odp.01 }}."},{"id":"sc-30_gdn","name":"guidance","prose":"Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods—including randomness, uncertainty, and virtualization—may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and\/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system."},{"id":"sc-30_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30_odp.01 }} are employed for {{ insert: param, sc-30_odp.02 }} for {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries."},{"id":"sc-30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of concealment and misdirection techniques to be employed for organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to implement concealment and misdirection techniques for systems"}]},{"id":"sc-30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing concealment and misdirection techniques"}]}],"controls":[{"id":"sc-30.1","class":"SP800-53-enhancement","title":"Virtualization Techniques","props":[{"name":"label","value":"SC-30(1)"},{"name":"label","value":"SC-30(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-29.1","rel":"incorporated-into"}]},{"id":"sc-30.2","class":"SP800-53-enhancement","title":"Randomness","params":[{"id":"sc-30.02_odp","props":[{"name":"alt-identifier","value":"sc-30.2_prm_1"},{"name":"label","value":"SC-30(02)_ODP","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques employed to introduce randomness into organizational operations and assets are defined;"}]}],"props":[{"name":"label","value":"SC-30(2)"},{"name":"label","value":"SC-30(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.2_smt","name":"statement","prose":"Employ {{ insert: param, sc-30.02_odp }} to introduce randomness into organizational operations and assets."},{"id":"sc-30.2_gdn","name":"guidance","prose":"Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel."},{"id":"sc-30.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30.02_odp }} are employed to introduce randomness into organizational operations and assets."},{"id":"sc-30.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of techniques to be employed to introduce randomness into organizational operations and assets\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to implement concealment and misdirection techniques for systems"}]},{"id":"sc-30.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing randomness as a concealment and misdirection technique"}]}]},{"id":"sc-30.3","class":"SP800-53-enhancement","title":"Change Processing and Storage Locations","params":[{"id":"sc-30.03_odp.01","props":[{"name":"alt-identifier","value":"sc-30.3_prm_1"},{"name":"label","value":"SC-30(03)_ODP[01]","class":"sp800-53a"}],"label":"processing and\/or storage","guidelines":[{"prose":"processing and\/or storage locations to be changed are defined;"}]},{"id":"sc-30.03_odp.02","props":[{"name":"alt-identifier","value":"sc-30.3_prm_2"},{"name":"label","value":"SC-30(03)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["{{ insert: param, sc-30.03_odp.03 }} ","random time intervals"]}},{"id":"sc-30.03_odp.03","props":[{"name":"alt-identifier","value":"sc-30.3_prm_3"},{"name":"label","value":"SC-30(03)_ODP[03]","class":"sp800-53a"}],"label":"time frequency","guidelines":[{"prose":"time frequency at which to change the location of processing and\/or storage is defined (if selected);"}]}],"props":[{"name":"label","value":"SC-30(3)"},{"name":"label","value":"SC-30(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.3_smt","name":"statement","prose":"Change the location of {{ insert: param, sc-30.03_odp.01 }} {{ insert: param, sc-30.03_odp.02 }}]."},{"id":"sc-30.3_gdn","name":"guidance","prose":"Adversaries target critical mission and business functions and the systems that support those mission and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries make such systems more susceptible to attacks with less adversary cost and effort to be successful. Changing processing and storage locations (also referred to as moving target defense) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing, storage) that support critical mission and business functions. Changing the locations of processing activities and\/or storage sites introduces a degree of uncertainty into the targeting activities of adversaries. The targeting uncertainty increases the work factor of adversaries and makes compromises or breaches of the organizational systems more difficult and time-consuming. It also increases the chances that adversaries may inadvertently disclose certain aspects of their tradecraft while attempting to locate critical organizational resources."},{"id":"sc-30.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(03)","class":"sp800-53a"}],"prose":"the location of {{ insert: param, sc-30.03_odp.01 }} is changed {{ insert: param, sc-30.03_odp.02 }}."},{"id":"sc-30.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nlist of processing\/storage locations to be changed at organizational time intervals\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to change processing and\/or storage locations"}]},{"id":"sc-30.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing changing processing and\/or storage locations"}]}]},{"id":"sc-30.4","class":"SP800-53-enhancement","title":"Misleading Information","params":[{"id":"sc-30.04_odp","props":[{"name":"alt-identifier","value":"sc-30.4_prm_1"},{"name":"label","value":"SC-30(04)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which realistic but misleading information about their security state or posture is employed are defined;"}]}],"props":[{"name":"label","value":"SC-30(4)"},{"name":"label","value":"SC-30(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.4_smt","name":"statement","prose":"Employ realistic, but misleading information in {{ insert: param, sc-30.04_odp }} about its security state or posture."},{"id":"sc-30.4_gdn","name":"guidance","prose":"Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations."},{"id":"sc-30.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(04)","class":"sp800-53a"}],"prose":"realistic but misleading information about the security state or posture of {{ insert: param, sc-30.04_odp }} is employed."},{"id":"sc-30.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to define and employ realistic but misleading information about the security posture of system components"}]},{"id":"sc-30.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of realistic but misleading information about the security posture of system components"}]}]},{"id":"sc-30.5","class":"SP800-53-enhancement","title":"Concealment of System Components","params":[{"id":"sc-30.05_odp.01","props":[{"name":"alt-identifier","value":"sc-30.5_prm_2"},{"name":"label","value":"SC-30(05)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques to be employed to hide or conceal system components are defined;"}]},{"id":"sc-30.05_odp.02","props":[{"name":"alt-identifier","value":"sc-30.5_prm_1"},{"name":"label","value":"SC-30(05)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be hidden or concealed using techniques (defined in SC-30(05)_ODP[01]) are defined;"}]}],"props":[{"name":"label","value":"SC-30(5)"},{"name":"label","value":"SC-30(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.5_smt","name":"statement","prose":"Employ the following techniques to hide or conceal {{ insert: param, sc-30.05_odp.02 }}: {{ insert: param, sc-30.05_odp.01 }}."},{"id":"sc-30.5_gdn","name":"guidance","prose":"By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include the configuration of routers or the use of encryption or virtualization techniques."},{"id":"sc-30.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(05)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30.05_odp.01 }} are employed to hide or conceal {{ insert: param, sc-30.05_odp.02 }}."},{"id":"sc-30.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of techniques employed to hide or conceal system components\n\nlist of system components to be hidden or concealed\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to conceal system components"}]},{"id":"sc-30.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing techniques for the concealment of system components"}]}]}]},{"id":"sc-31","class":"SP800-53","title":"Covert Channel Analysis","params":[{"id":"sc-31_odp","props":[{"name":"alt-identifier","value":"sc-31_prm_1"},{"name":"label","value":"SC-31_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["storage","timing"]}}],"props":[{"name":"label","value":"SC-31"},{"name":"label","value":"SC-31","class":"sp800-53a"},{"name":"sort-id","value":"sc-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"sc-31_smt","name":"statement","parts":[{"id":"sc-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels; and"},{"id":"sc-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Estimate the maximum bandwidth of those channels."}]},{"id":"sc-31_gdn","name":"guidance","prose":"Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems."},{"id":"sc-31_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31","class":"sp800-53a"}],"parts":[{"id":"sc-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-31a.","class":"sp800-53a"}],"prose":"a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels;"},{"id":"sc-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-31b.","class":"sp800-53a"}],"prose":"the maximum bandwidth of those channels is estimated."}]},{"id":"sc-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to estimate the bandwidth of covert channels"}]}],"controls":[{"id":"sc-31.1","class":"SP800-53-enhancement","title":"Test Covert Channels for Exploitability","props":[{"name":"label","value":"SC-31(1)"},{"name":"label","value":"SC-31(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.1_smt","name":"statement","prose":"Test a subset of the identified covert channels to determine the channels that are exploitable."},{"id":"sc-31.1_gdn","name":"guidance","prose":"None."},{"id":"sc-31.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(01)","class":"sp800-53a"}],"prose":"a subset of the identified covert channels is tested to determine the channels that are exploitable."},{"id":"sc-31.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of covert channels\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities"}]},{"id":"sc-31.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for testing covert channels\n\nmechanisms supporting and\/or implementing the testing of covert channel analysis"}]}]},{"id":"sc-31.2","class":"SP800-53-enhancement","title":"Maximum Bandwidth","params":[{"id":"sc-31.02_odp.01","props":[{"name":"alt-identifier","value":"sc-31.2_prm_1"},{"name":"label","value":"SC-31(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["storage","timing"]}},{"id":"sc-31.02_odp.02","props":[{"name":"alt-identifier","value":"sc-31.2_prm_2"},{"name":"label","value":"SC-31(02)_ODP[02]","class":"sp800-53a"}],"label":"values","guidelines":[{"prose":"values for the maximum bandwidth for identified covert channels are defined;"}]}],"props":[{"name":"label","value":"SC-31(2)"},{"name":"label","value":"SC-31(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.2_smt","name":"statement","prose":"Reduce the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels to {{ insert: param, sc-31.02_odp.02 }}."},{"id":"sc-31.2_gdn","name":"guidance","prose":"The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts."},{"id":"sc-31.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(02)","class":"sp800-53a"}],"prose":"the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels is reduced to {{ insert: param, sc-31.02_odp.02 }}."},{"id":"sc-31.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to reduce the bandwidth of covert channels"}]}]},{"id":"sc-31.3","class":"SP800-53-enhancement","title":"Measure Bandwidth in Operational Environments","params":[{"id":"sc-31.03_odp","props":[{"name":"alt-identifier","value":"sc-31.3_prm_1"},{"name":"label","value":"SC-31(03)_ODP","class":"sp800-53a"}],"label":"subset of identified covert channels","guidelines":[{"prose":"subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system is defined;"}]}],"props":[{"name":"label","value":"SC-31(3)"},{"name":"label","value":"SC-31(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.3_smt","name":"statement","prose":"Measure the bandwidth of {{ insert: param, sc-31.03_odp }} in the operational environment of the system."},{"id":"sc-31.3_gdn","name":"guidance","prose":"Measuring covert channel bandwidth in specified operational environments helps organizations determine how much information can be covertly leaked before such leakage adversely affects mission or business functions. Covert channel bandwidth may be significantly different when measured in settings that are independent of the specific environments of operation, including laboratories or system development environments."},{"id":"sc-31.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(03)","class":"sp800-53a"}],"prose":"the bandwidth of {{ insert: param, sc-31.03_odp }} is measured in the operational environment of the system."},{"id":"sc-31.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to measure the bandwidth of covert channels"}]}]}]},{"id":"sc-32","class":"SP800-53","title":"System Partitioning","params":[{"id":"sc-32_odp.01","props":[{"name":"alt-identifier","value":"sc-32_prm_1"},{"name":"label","value":"SC-32_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;"}]},{"id":"sc-32_odp.02","props":[{"name":"alt-identifier","value":"sc-32_prm_2"},{"name":"label","value":"SC-32_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physical","logical"]}},{"id":"sc-32_odp.03","props":[{"name":"alt-identifier","value":"sc-32_prm_3"},{"name":"alt-label","value":"circumstances for physical or logical separation of components","class":"sp800-53"},{"name":"label","value":"SC-32_ODP[03]","class":"sp800-53a"}],"label":"circumstances for the physical or logical separation of components","guidelines":[{"prose":"circumstances for the physical or logical separation of components are defined;"}]}],"props":[{"name":"label","value":"SC-32"},{"name":"label","value":"SC-32","class":"sp800-53a"},{"name":"sort-id","value":"sc-32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-36","rel":"related"}],"parts":[{"id":"sc-32_smt","name":"statement","prose":"Partition the system into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}."},{"id":"sc-32_gdn","name":"guidance","prose":"System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components."},{"id":"sc-32_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-32","class":"sp800-53a"}],"prose":"the system is partitioned into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}."},{"id":"sc-32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical domains (or environments)\n\nsystem facility diagrams\n\nsystem network diagrams\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-32-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical separation of system components"}]}],"controls":[{"id":"sc-32.1","class":"SP800-53-enhancement","title":"Separate Physical Domains for Privileged Functions","props":[{"name":"label","value":"SC-32(1)"},{"name":"label","value":"SC-32(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-32.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-32","rel":"required"}],"parts":[{"id":"sc-32.1_smt","name":"statement","prose":"Partition privileged functions into separate physical domains."},{"id":"sc-32.1_gdn","name":"guidance","prose":"Privileged functions that operate in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service."},{"id":"sc-32.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-32(01)","class":"sp800-53a"}],"prose":"privileged functions are partitioned into separate physical domains."},{"id":"sc-32.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical domains (or environments)\n\nsystem facility diagrams\n\nsystem network diagrams\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-32.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-32.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-32-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical separation of system components"}]}]}]},{"id":"sc-33","class":"SP800-53","title":"Transmission Preparation Integrity","props":[{"name":"label","value":"SC-33"},{"name":"label","value":"SC-33","class":"sp800-53a"},{"name":"sort-id","value":"sc-33"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-8","rel":"incorporated-into"}]},{"id":"sc-34","class":"SP800-53","title":"Non-modifiable Executable Programs","params":[{"id":"sc-34_odp.01","props":[{"name":"alt-identifier","value":"sc-34_prm_1"},{"name":"label","value":"SC-34_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;"}]},{"id":"sc-34_odp.02","props":[{"name":"alt-identifier","value":"sc-34_prm_2"},{"name":"label","value":"SC-34_ODP[02]","class":"sp800-53a"}],"label":"applications","guidelines":[{"prose":"applications to be loaded and executed from hardware-enforced, read-only media are defined;"}]}],"props":[{"name":"label","value":"SC-34"},{"name":"label","value":"SC-34","class":"sp800-53a"},{"name":"sort-id","value":"sc-34"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"sc-34_smt","name":"statement","prose":"For {{ insert: param, sc-34_odp.01 }} , load and execute:","parts":[{"id":"sc-34_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"The operating environment from hardware-enforced, read-only media; and"},{"id":"sc-34_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}."}]},{"id":"sc-34_gdn","name":"guidance","prose":"The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems."},{"id":"sc-34_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34","class":"sp800-53a"}],"parts":[{"id":"sc-34_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-34a.","class":"sp800-53a"}],"prose":"the operating environment for {{ insert: param, sc-34_odp.01 }} is loaded and executed from hardware-enforced, read-only media;"},{"id":"sc-34_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-34b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-34_odp.02 }} for {{ insert: param, sc-34_odp.01 }} are loaded and executed from hardware-enforced, read-only media."}]},{"id":"sc-34_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of operating system components to be loaded from hardware-enforced, read-only media\n\nlist of applications to be loaded from hardware-enforced, read-only media\n\nmedia used to load and execute the system operating environment\n\nmedia used to load and execute system applications\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing, loading, and executing the operating environment from hardware-enforced, read-only media\n\nmechanisms supporting and\/or implementing, loading, and executing applications from hardware-enforced, read-only media"}]}],"controls":[{"id":"sc-34.1","class":"SP800-53-enhancement","title":"No Writable Storage","params":[{"id":"sc-34.01_odp","props":[{"name":"alt-identifier","value":"sc-34.1_prm_1"},{"name":"label","value":"SC-34(01)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be employed with no writeable storage are defined;"}]}],"props":[{"name":"label","value":"SC-34(1)"},{"name":"label","value":"SC-34(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-34","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#mp-7","rel":"related"}],"parts":[{"id":"sc-34.1_smt","name":"statement","prose":"Employ {{ insert: param, sc-34.01_odp }} with no writeable storage that is persistent across component restart or power on\/off."},{"id":"sc-34.1_gdn","name":"guidance","prose":"Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices."},{"id":"sc-34.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-34.01_odp }} are employed with no writeable storage that is persistent across component restart or power on\/off."},{"id":"sc-34.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system components to be employed without writeable storage capabilities\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of components with no writeable storage\n\nmechanisms supporting and\/or implementing persistent non-writeable storage across component restart and power on\/off"}]}]},{"id":"sc-34.2","class":"SP800-53-enhancement","title":"Integrity Protection on Read-only Media","props":[{"name":"label","value":"SC-34(2)"},{"name":"label","value":"SC-34(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-34","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-34.2_smt","name":"statement","prose":"Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media."},{"id":"sc-34.2_gdn","name":"guidance","prose":"Controls prevent the substitution of media into systems or the reprogramming of programmable read-only media prior to installation into the systems. Integrity protection controls include a combination of prevention, detection, and response."},{"id":"sc-34.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)","class":"sp800-53a"}],"parts":[{"id":"sc-34.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)[01]","class":"sp800-53a"}],"prose":"the integrity of information is protected prior to storage on read-only media;"},{"id":"sc-34.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)[02]","class":"sp800-53a"}],"prose":"the media is controlled after such information has been recorded onto the media;"}]},{"id":"sc-34.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to protect information integrity on read-only media prior to storage and after information has been recorded onto the media"}]}]},{"id":"sc-34.3","class":"SP800-53-enhancement","title":"Hardware-based Protection","props":[{"name":"label","value":"SC-34(3)"},{"name":"label","value":"SC-34(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-51","rel":"moved-to"}]}]},{"id":"sc-35","class":"SP800-53","title":"External Malicious Code Identification","props":[{"name":"label","value":"SC-35"},{"name":"label","value":"SC-35","class":"sp800-53a"},{"name":"sort-id","value":"sc-35"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-35_smt","name":"statement","prose":"Include system components that proactively seek to identify network-based malicious code or malicious websites."},{"id":"sc-35_gdn","name":"guidance","prose":"External malicious code identification differs from decoys in [SC-26](#sc-26) in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation."},{"id":"sc-35_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-35","class":"sp800-53a"}],"prose":"system components that proactively seek to identify network-based malicious code or malicious websites are included."},{"id":"sc-35_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-35-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing external malicious code identification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem components deployed to identify malicious websites and\/or web-based malicious code\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-35_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-35-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-35_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-35-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing external malicious code identification"}]}]},{"id":"sc-36","class":"SP800-53","title":"Distributed Processing and Storage","params":[{"id":"sc-36_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.04"}],"select":{"choice":["physical locations","logical domains"]}},{"id":"sc-36_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.03"}],"label":"organization-defined processing and storage components"},{"id":"sc-36_odp.01","props":[{"name":"label","value":"SC-36_ODP[01]","class":"sp800-53a"}],"label":"processing components","guidelines":[{"prose":"processing components to be distributed across multiple locations\/domains are defined;"}]},{"id":"sc-36_odp.02","props":[{"name":"label","value":"SC-36_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physical locations","logical domains"]}},{"id":"sc-36_odp.03","props":[{"name":"label","value":"SC-36_ODP[03]","class":"sp800-53a"}],"label":"storage components","guidelines":[{"prose":"storage components to be distributed across multiple locations\/domains are defined;"}]},{"id":"sc-36_odp.04","props":[{"name":"label","value":"SC-36_ODP[04]","class":"sp800-53a"}],"select":{"choice":["physical locations","logical domains"]}}],"props":[{"name":"label","value":"SC-36"},{"name":"label","value":"SC-36","class":"sp800-53a"},{"name":"sort-id","value":"sc-36"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sc-32","rel":"related"}],"parts":[{"id":"sc-36_smt","name":"statement","prose":"Distribute the following processing and storage components across multiple {{ insert: param, sc-36_prm_1 }}: {{ insert: param, sc-36_prm_2 }}."},{"id":"sc-36_gdn","name":"guidance","prose":"Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage."},{"id":"sc-36_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36","class":"sp800-53a"}],"parts":[{"id":"sc-36_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-36[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36_odp.01 }} are distributed across {{ insert: param, sc-36_odp.02 }};"},{"id":"sc-36_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-36[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36_odp.03 }} are distributed across {{ insert: param, sc-36_odp.04 }}."}]},{"id":"sc-36_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ncontingency planning policy and procedures\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical locations (or environments) with distributed processing and storage\n\nsystem facility diagrams\n\nprocessing site agreements\n\nstorage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel with contingency planning and plan implementation responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-36_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for distributed processing and storage across multiple physical locations\n\nmechanisms supporting and\/or implementing the capability to distribute processing and storage across multiple physical locations"}]}],"controls":[{"id":"sc-36.1","class":"SP800-53-enhancement","title":"Polling Techniques","params":[{"id":"sc-36.01_odp.01","props":[{"name":"alt-identifier","value":"sc-36.1_prm_1"},{"name":"label","value":"SC-36(01)_ODP[01]","class":"sp800-53a"}],"label":"distributed processing and storage components","guidelines":[{"prose":"distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises are defined;"}]},{"id":"sc-36.01_odp.02","props":[{"name":"alt-identifier","value":"sc-36.1_prm_2"},{"name":"label","value":"SC-36(01)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken in response to identified faults, errors, or compromise are defined;"}]}],"props":[{"name":"label","value":"SC-36(1)"},{"name":"label","value":"SC-36(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-36.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-36","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-36.1_smt","name":"statement","parts":[{"id":"sc-36.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: {{ insert: param, sc-36.01_odp.01 }} ; and"},{"id":"sc-36.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions in response to identified faults, errors, or compromises: {{ insert: param, sc-36.01_odp.02 }}."}]},{"id":"sc-36.1_gdn","name":"guidance","prose":"Distributed processing and\/or storage may be used to reduce opportunities for adversaries to compromise the confidentiality, integrity, or availability of organizational information and systems. However, the distribution of processing and storage components does not prevent adversaries from compromising one or more of the components. Polling compares the processing results and\/or storage content from the distributed components and subsequently votes on the outcomes. Polling identifies potential faults, compromises, or errors in the distributed processing and storage components."},{"id":"sc-36.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)","class":"sp800-53a"}],"parts":[{"id":"sc-36.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)(a)","class":"sp800-53a"}],"prose":"polling techniques are employed to identify potential faults, errors, or compromises to {{ insert: param, sc-36.01_odp.01 }};"},{"id":"sc-36.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36.01_odp.02 }} are taken in response to identified faults, errors, or compromise."}]},{"id":"sc-36.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of distributed processing and storage components subject to polling\n\nsystem polling techniques and associated documentation or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-36.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing polling techniques"}]}]},{"id":"sc-36.2","class":"SP800-53-enhancement","title":"Synchronization","params":[{"id":"sc-36.02_odp","props":[{"name":"alt-identifier","value":"sc-36.2_prm_1"},{"name":"label","value":"SC-36(02)_ODP","class":"sp800-53a"}],"label":"duplicate systems or system components","guidelines":[{"prose":"duplicate systems or system components to be synchronized are defined;"}]}],"props":[{"name":"label","value":"SC-36(2)"},{"name":"label","value":"SC-36(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-36.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-36","rel":"required"},{"href":"#cp-9","rel":"related"}],"parts":[{"id":"sc-36.2_smt","name":"statement","prose":"Synchronize the following duplicate systems or system components: {{ insert: param, sc-36.02_odp }}."},{"id":"sc-36.2_gdn","name":"guidance","prose":"[SC-36](#sc-36) and [CP-9(6)](#cp-9.6) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed."},{"id":"sc-36.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36.02_odp }} are synchronized."},{"id":"sc-36.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of distributed processing and storage components subject to polling\n\nsystem polling techniques and associated documentation or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-36.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing duplicate system or system component synchronization"}]}]}]},{"id":"sc-37","class":"SP800-53","title":"Out-of-band Channels","params":[{"id":"sc-37_odp.01","props":[{"name":"alt-identifier","value":"sc-37_prm_3"},{"name":"label","value":"SC-37_ODP[01]","class":"sp800-53a"}],"label":"out-of-band channels","guidelines":[{"prose":"out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;"}]},{"id":"sc-37_odp.02","props":[{"name":"alt-identifier","value":"sc-37_prm_1"},{"name":"label","value":"SC-37_ODP[02]","class":"sp800-53a"}],"label":"information, system components, or devices","guidelines":[{"prose":"information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined;"}]},{"id":"sc-37_odp.03","props":[{"name":"alt-identifier","value":"sc-37_prm_2"},{"name":"label","value":"SC-37_ODP[03]","class":"sp800-53a"}],"label":"individuals or systems","guidelines":[{"prose":"individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;"}]}],"props":[{"name":"label","value":"SC-37"},{"name":"label","value":"SC-37","class":"sp800-53a"},{"name":"sort-id","value":"sc-37"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-37_smt","name":"statement","prose":"Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp.01 }}."},{"id":"sc-37_gdn","name":"guidance","prose":"Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates."},{"id":"sc-37_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-37","class":"sp800-53a"}],"prose":"{{ insert: param, sc-37_odp.01 }} are employed for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}."},{"id":"sc-37_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-37-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of out-of-band channels\n\naccess control policy and procedures\n\nidentification and authentication policy and procedures\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of out-of-band channels\n\ntypes of information, system components, or devices requiring the use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or systems\n\nphysical delivery records\n\nelectronic transmission records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-37_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-37-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, operating, and\/or using out-of-band channels\n\nsystem developers\/integrators"}]},{"id":"sc-37_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-37-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of out-of-band channels\n\nmechanisms supporting and\/or implementing the use of out-of-band channels"}]}],"controls":[{"id":"sc-37.1","class":"SP800-53-enhancement","title":"Ensure Delivery and Transmission","params":[{"id":"sc-37.01_odp.01","props":[{"name":"alt-identifier","value":"sc-37.1_prm_1"},{"name":"label","value":"SC-37(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed to ensure that only designated individuals or systems receive specific information, system components, or devices are defined;"}]},{"id":"sc-37.01_odp.02","props":[{"name":"alt-identifier","value":"sc-37.1_prm_2"},{"name":"label","value":"SC-37(01)_ODP[02]","class":"sp800-53a"}],"label":"individuals or systems","guidelines":[{"prose":"individuals or systems designated to receive specific information, system components, or devices are defined;"}]},{"id":"sc-37.01_odp.03","props":[{"name":"alt-identifier","value":"sc-37.1_prm_3"},{"name":"label","value":"SC-37(01)_ODP[03]","class":"sp800-53a"}],"label":"information, system components, or devices","guidelines":[{"prose":"information, system components, or devices that only individuals or systems are designated to receive are defined;"}]}],"props":[{"name":"label","value":"SC-37(1)"},{"name":"label","value":"SC-37(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-37.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-37","rel":"required"}],"parts":[{"id":"sc-37.1_smt","name":"statement","prose":"Employ {{ insert: param, sc-37.01_odp.01 }} to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive the following information, system components, or devices: {{ insert: param, sc-37.01_odp.03 }}."},{"id":"sc-37.1_gdn","name":"guidance","prose":"Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt."},{"id":"sc-37.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-37(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-37.01_odp.01 }} are employed to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive {{ insert: param, sc-37.01_odp.03 }}."},{"id":"sc-37.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-37(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of out-of-band channels\n\naccess control policy and procedures\n\nidentification and authentication policy and procedures\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards to be employed to ensure that designated individuals or systems receive organization-defined information, system components, or devices\n\nlist of security safeguards for delivering designated information, system components, or devices to designated individuals or systems\n\nlist of information, system components, or devices to be delivered to designated individuals or systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-37.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-37(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, operating, and\/or using out-of-band channels\n\nsystem developers\/integrators"}]},{"id":"sc-37.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-37(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of out-of-band channels\n\nmechanisms supporting and\/or implementing the use of out-of-band channels\n\nmechanisms supporting\/implementing safeguards to ensure the delivery of designated information, system components, or devices"}]}]}]},{"id":"sc-38","class":"SP800-53","title":"Operations Security","params":[{"id":"sc-38_odp","props":[{"name":"alt-identifier","value":"sc-38_prm_1"},{"name":"label","value":"SC-38_ODP","class":"sp800-53a"}],"label":"operations security controls","guidelines":[{"prose":"operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;"}]}],"props":[{"name":"label","value":"SC-38"},{"name":"label","value":"SC-38","class":"sp800-53a"},{"name":"sort-id","value":"sc-38"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sc-38_smt","name":"statement","prose":"Employ the following operations security controls to protect key organizational information throughout the system development life cycle: {{ insert: param, sc-38_odp }}."},{"id":"sc-38_gdn","name":"guidance","prose":"Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details."},{"id":"sc-38_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-38","class":"sp800-53a"}],"prose":"{{ insert: param, sc-38_odp }} are employed to protect key organizational information throughout the system development life cycle."},{"id":"sc-38_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-38-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing operations security\n\nsecurity plan\n\nlist of operations security safeguards\n\nsecurity control assessments\n\nrisk assessments\n\nthreat and vulnerability assessments\n\nplans of action and milestones\n\nsystem development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-38_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-38-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-38_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-38-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting organizational information throughout the system development life cycle\n\nmechanisms supporting and\/or implementing safeguards to protect organizational information throughout the system development life cycle"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process."},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}],"controls":[{"id":"sc-39.1","class":"SP800-53-enhancement","title":"Hardware Separation","props":[{"name":"label","value":"SC-39(1)"},{"name":"label","value":"SC-39(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-39.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-39","rel":"required"}],"parts":[{"id":"sc-39.1_smt","name":"statement","prose":"Implement hardware separation mechanisms to facilitate process isolation."},{"id":"sc-39.1_gdn","name":"guidance","prose":"Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management."},{"id":"sc-39.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39(01)","class":"sp800-53a"}],"prose":"hardware separation is implemented to facilitate process isolation."},{"id":"sc-39.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem documentation for hardware separation mechanisms\n\nsystem documentation from vendors, manufacturers, or developers\n\nindependent verification and validation documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-39.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-39.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability implementing underlying hardware separation mechanisms for process separation"}]}]},{"id":"sc-39.2","class":"SP800-53-enhancement","title":"Separate Execution Domain Per Thread","params":[{"id":"sc-39.02_odp","props":[{"name":"alt-identifier","value":"sc-39.2_prm_1"},{"name":"label","value":"SC-39(02)_ODP","class":"sp800-53a"}],"label":"multi-threaded processing","guidelines":[{"prose":"multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;"}]}],"props":[{"name":"label","value":"SC-39(2)"},{"name":"label","value":"SC-39(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-39.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-39","rel":"required"}],"parts":[{"id":"sc-39.2_smt","name":"statement","prose":"Maintain a separate execution domain for each thread in {{ insert: param, sc-39.02_odp }}."},{"id":"sc-39.2_gdn","name":"guidance","prose":"None."},{"id":"sc-39.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39(02)","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each thread in {{ insert: param, sc-39.02_odp }}."},{"id":"sc-39.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system execution domains for each thread in multi-threaded processing\n\nsystem documentation for multi-threaded processing\n\nsystem documentation from vendors, manufacturers, or developers\n\nindependent verification and validation documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-39.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-39.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability implementing a separate execution domain for each thread in multi-threaded processing"}]}]}]},{"id":"sc-40","class":"SP800-53","title":"Wireless Link Protection","params":[{"id":"sc-40_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.03"}],"label":"organization-defined wireless links"},{"id":"sc-40_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.04"}],"label":"organization-defined types of signal parameter attacks or references to sources for such attacks"},{"id":"sc-40_odp.01","props":[{"name":"label","value":"SC-40_ODP[01]","class":"sp800-53a"}],"label":"wireless links","guidelines":[{"prose":"external wireless links to be protected from particular types of signal parameter attacks are defined;"}]},{"id":"sc-40_odp.02","props":[{"name":"label","value":"SC-40_ODP[02]","class":"sp800-53a"}],"label":"types of signal parameter attacks or references to sources for such attacks","guidelines":[{"prose":"types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined;"}]},{"id":"sc-40_odp.03","props":[{"name":"label","value":"SC-40_ODP[03]","class":"sp800-53a"}],"label":"wireless links","guidelines":[{"prose":"internal wireless links to be protected from particular types of signal parameter attacks are defined;"}]},{"id":"sc-40_odp.04","props":[{"name":"label","value":"SC-40_ODP[04]","class":"sp800-53a"}],"label":"types of signal parameter attacks or references to sources for such attacks","guidelines":[{"prose":"types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined;"}]}],"props":[{"name":"label","value":"SC-40"},{"name":"label","value":"SC-40","class":"sp800-53a"},{"name":"sort-id","value":"sc-40"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"sc-40_smt","name":"statement","prose":"Protect external and internal {{ insert: param, sc-40_prm_1 }} from the following signal parameter attacks: {{ insert: param, sc-40_prm_2 }}."},{"id":"sc-40_gdn","name":"guidance","prose":"Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement wireless link protections to the extent necessary to meet organizational security requirements."},{"id":"sc-40_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40","class":"sp800-53a"}],"parts":[{"id":"sc-40_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-40[01]","class":"sp800-53a"}],"prose":"external {{ insert: param, sc-40_odp.01 }} are protected from {{ insert: param, sc-40_odp.02 }}."},{"id":"sc-40_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-40[02]","class":"sp800-53a"}],"prose":"internal {{ insert: param, sc-40_odp.03 }} are protected from {{ insert: param, sc-40_odp.04 }}."}]},{"id":"sc-40_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of internal and external wireless links\n\nlist of signal parameter attacks or references to sources for attacks\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of wireless links"}]}],"controls":[{"id":"sc-40.1","class":"SP800-53-enhancement","title":"Electromagnetic Interference","params":[{"id":"sc-40.01_odp","props":[{"name":"alt-identifier","value":"sc-40.1_prm_1"},{"name":"label","value":"SC-40(01)_ODP","class":"sp800-53a"}],"label":"level of protection","guidelines":[{"prose":"level of protection to be employed against the effects of intentional electromagnetic interference is defined;"}]}],"props":[{"name":"label","value":"SC-40(1)"},{"name":"label","value":"SC-40(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#pe-21","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.1_smt","name":"statement","prose":"Implement cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference."},{"id":"sc-40.1_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms for electromagnetic interference protects systems against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The implementation of cryptographic mechanisms may also coincidentally mitigate the effects of unintentional jamming due to interference from legitimate transmitters that share the same spectrum. Mission requirements, projected threats, concept of operations, and laws, executive orders, directives, regulations, policies, and standards determine levels of wireless link availability, cryptography needed, and performance."},{"id":"sc-40.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference are implemented."},{"id":"sc-40.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsecurity categorization results\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference"}]}]},{"id":"sc-40.2","class":"SP800-53-enhancement","title":"Reduce Detection Potential","params":[{"id":"sc-40.02_odp","props":[{"name":"alt-identifier","value":"sc-40.2_prm_1"},{"name":"label","value":"SC-40(02)_ODP","class":"sp800-53a"}],"label":"level of reduction","guidelines":[{"prose":"the level of reduction to be achieved to reduce the detection potential of wireless links is defined;"}]}],"props":[{"name":"label","value":"SC-40(2)"},{"name":"label","value":"SC-40(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }}."},{"id":"sc-40.2_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to reduce detection potential is used for covert communications and to protect wireless transmitters from geo-location. It also ensures that the spread spectrum waveforms used to achieve a low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable laws, executive orders, directives, regulations, policies, and standards determine the levels to which wireless links are undetectable."},{"id":"sc-40.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }} are implemented."},{"id":"sc-40.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsecurity categorization results\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing protections to reduce the detection of wireless links"}]}]},{"id":"sc-40.3","class":"SP800-53-enhancement","title":"Imitative or Manipulative Communications Deception","props":[{"name":"label","value":"SC-40(3)"},{"name":"label","value":"SC-40(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-40.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."},{"id":"sc-40.3_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to identify and reject imitative or manipulative communications ensures that the signal parameters of wireless transmissions are not predictable by unauthorized individuals. Such unpredictability reduces the probability of imitative or manipulative communications deception based on signal parameters alone."},{"id":"sc-40.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."},{"id":"sc-40.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing system design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception"}]}]},{"id":"sc-40.4","class":"SP800-53-enhancement","title":"Signal Parameter Identification","params":[{"id":"sc-40.04_odp","props":[{"name":"alt-identifier","value":"sc-40.4_prm_1"},{"name":"label","value":"SC-40(04)_ODP","class":"sp800-53a"}],"label":"wireless transmitters","guidelines":[{"prose":"wireless transmitters for which cryptographic mechanisms are to be implemented are defined;"}]}],"props":[{"name":"label","value":"SC-40(4)"},{"name":"label","value":"SC-40(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.4_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters."},{"id":"sc-40.4_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to prevent the identification of wireless transmitters protects against the unique identification of wireless transmitters for the purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. It also provides anonymity when required. Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission or user identification."},{"id":"sc-40.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(04)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters."},{"id":"sc-40.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing system design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms preventing the identification of wireless transmitters"}]}]}]},{"id":"sc-41","class":"SP800-53","title":"Port and I\/O Device Access","params":[{"id":"sc-41_odp.01","props":[{"name":"alt-identifier","value":"sc-41_prm_2"},{"name":"label","value":"SC-41_ODP[01]","class":"sp800-53a"}],"label":"connection ports or input\/output devices","guidelines":[{"prose":"connection ports or input\/output devices to be disabled or removed are defined;"}]},{"id":"sc-41_odp.02","props":[{"name":"alt-identifier","value":"sc-41_prm_1"},{"name":"label","value":"SC-41_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-41_odp.03","props":[{"name":"alt-identifier","value":"sc-41_prm_3"},{"name":"label","value":"SC-41_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components with connection ports or input\/output devices to be disabled or removed are defined;"}]}],"props":[{"name":"label","value":"SC-41"},{"name":"label","value":"SC-41","class":"sp800-53a"},{"name":"sort-id","value":"sc-41"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-20","rel":"related"},{"href":"#mp-7","rel":"related"}],"parts":[{"id":"sc-41_smt","name":"statement","prose":"{{ insert: param, sc-41_odp.02 }} disable or remove {{ insert: param, sc-41_odp.01 }} on the following systems or system components: {{ insert: param, sc-41_odp.03 }}."},{"id":"sc-41_gdn","name":"guidance","prose":"Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input\/output (I\/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I\/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and\/or devices is the stronger action."},{"id":"sc-41_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-41","class":"sp800-53a"}],"prose":"{{ insert: param, sc-41_odp.01 }} are {{ insert: param, sc-41_odp.02 }} disabled or removed on {{ insert: param, sc-41_odp.03 }}."},{"id":"sc-41_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-41-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing port and input\/output device access\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystems or system components\n\nlist of connection ports or input\/output devices to be physically disabled or removed on systems or system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-41_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-41-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-41_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-41-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the disabling of connection ports or input\/output devices"}]}]},{"id":"sc-42","class":"SP800-53","title":"Sensor Capability and Data","params":[{"id":"sc-42_odp.01","props":[{"name":"alt-identifier","value":"sc-42_prm_1"},{"name":"label","value":"SC-42_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["the use of devices possessing {{ insert: param, sc-42_odp.02 }} in {{ insert: param, sc-42_odp.03 }} ","the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: {{ insert: param, sc-42_odp.04 }} "]}},{"id":"sc-42_odp.02","props":[{"name":"alt-identifier","value":"sc-42_prm_2"},{"name":"label","value":"SC-42_ODP[02]","class":"sp800-53a"}],"label":"environmental sensing capabilities","guidelines":[{"prose":"environmental sensing capabilities in devices are defined (if selected);"}]},{"id":"sc-42_odp.03","props":[{"name":"alt-identifier","value":"sc-42_prm_3"},{"name":"label","value":"SC-42_ODP[03]","class":"sp800-53a"}],"label":"facilities, areas, or systems","guidelines":[{"prose":"facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined (if selected);"}]},{"id":"sc-42_odp.04","props":[{"name":"alt-identifier","value":"sc-42_prm_4"},{"name":"label","value":"SC-42_ODP[04]","class":"sp800-53a"}],"label":"exceptions where remote activation of sensors is allowed","guidelines":[{"prose":"exceptions where remote activation of sensors is allowed are defined (if selected);"}]},{"id":"sc-42_odp.05","props":[{"name":"alt-identifier","value":"sc-42_prm_5"},{"name":"label","value":"SC-42_ODP[05]","class":"sp800-53a"}],"label":"group of users","guidelines":[{"prose":"group of users to whom an explicit indication of sensor use is to be provided is defined;"}]}],"props":[{"name":"label","value":"SC-42"},{"name":"label","value":"SC-42","class":"sp800-53a"},{"name":"sort-id","value":"sc-42"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"sc-42_smt","name":"statement","parts":[{"id":"sc-42_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit {{ insert: param, sc-42_odp.01 }} ; and"},{"id":"sc-42_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of sensor use to {{ insert: param, sc-42_odp.05 }}."}]},{"id":"sc-42_gdn","name":"guidance","prose":"Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place."},{"id":"sc-42_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42","class":"sp800-53a"}],"parts":[{"id":"sc-42_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-42a.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42_odp.01 }} is\/are prohibited;"},{"id":"sc-42_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-42b.","class":"sp800-53a"}],"prose":"an explicit indication of sensor use is provided to {{ insert: param, sc-42_odp.05 }}."}]},{"id":"sc-42_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor capabilities and data collection\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access controls for the remote activation of system sensor capabilities\n\nmechanisms implementing the capability to indicate sensor use"}]}],"controls":[{"id":"sc-42.1","class":"SP800-53-enhancement","title":"Reporting to Authorized Individuals or Roles","params":[{"id":"sc-42.01_odp","props":[{"name":"alt-identifier","value":"sc-42.1_prm_1"},{"name":"alt-identifier","value":"sc-42.2_prm_1"},{"name":"label","value":"SC-42(01)_ODP","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"sensors to be used to collect data or information are defined;"}]}],"props":[{"name":"label","value":"SC-42(1)"},{"name":"label","value":"SC-42(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"}],"parts":[{"id":"sc-42.1_smt","name":"statement","prose":"Verify that the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles."},{"id":"sc-42.1_gdn","name":"guidance","prose":"In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities."},{"id":"sc-42.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(01)","class":"sp800-53a"}],"prose":"the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles."},{"id":"sc-42.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing sensor capability and data collection\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for the sensor capabilities"}]},{"id":"sc-42.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms restricting the reporting of sensor information to those authorized\n\nsensor data collection and reporting capabilities for the system"}]}]},{"id":"sc-42.2","class":"SP800-53-enhancement","title":"Authorized Use","params":[{"id":"sc-42.02_odp","props":[{"name":"alt-identifier","value":"sc-42.2_prm_2"},{"name":"label","value":"SC-42(02)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined;"}]}],"props":[{"name":"label","value":"SC-42(2)"},{"name":"label","value":"SC-42(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#sc-42.1","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"sc-42.2_smt","name":"statement","prose":"Employ the following measures so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes: {{ insert: param, sc-42.02_odp }}."},{"id":"sc-42.2_gdn","name":"guidance","prose":"Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track the movements of individuals. Measures to mitigate such activities include additional training to help ensure that authorized individuals do not abuse their authority and, in the case where sensor data is maintained by external parties, contractual restrictions on the use of such data."},{"id":"sc-42.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42.02_odp }} are employed so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes."},{"id":"sc-42.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of measures to be employed to that the ensure data or information collected by sensors is only used for authorized purposes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to ensure that sensor information is only used for authorized purposes\n\nsensor information collection capability for the system"}]}]},{"id":"sc-42.3","class":"SP800-53-enhancement","title":"Prohibit Use of Devices","props":[{"name":"label","value":"SC-42(3)"},{"name":"label","value":"SC-42(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-42","rel":"incorporated-into"}]},{"id":"sc-42.4","class":"SP800-53-enhancement","title":"Notice of Collection","params":[{"id":"sc-42.04_odp.01","props":[{"name":"alt-identifier","value":"sc-42.4_prm_2"},{"name":"label","value":"SC-42(04)_ODP[01]","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to facilitate an individual’s awareness that personally identifiable information is being collected are defined;"}]},{"id":"sc-42.04_odp.02","props":[{"name":"alt-identifier","value":"sc-42.4_prm_1"},{"name":"label","value":"SC-42(04)_ODP[02]","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"sensors that collect personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-42(4)"},{"name":"label","value":"SC-42(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"sc-42.4_smt","name":"statement","prose":"Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }}: {{ insert: param, sc-42.04_odp.01 }}."},{"id":"sc-42.4_gdn","name":"guidance","prose":"Awareness that organizational sensors are collecting data enables individuals to more effectively engage in managing their privacy. Measures can include conventional written notices and sensor configurations that make individuals directly or indirectly aware through other devices that the sensor is collecting information. The usability and efficacy of the notice are important considerations."},{"id":"sc-42.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42.04_odp.01 }} are employed to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }} "},{"id":"sc-42.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprivacy risk assessment documentation\n\nprivacy impact assessments\n\nsystem architecture\n\nlist of measures to be employed to ensure that individuals are aware that personally identifiable information is being collected by sensors\n\nexamples of notifications provided to individuals that personally identifiable information is being collected by sensors\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to facilitate an individual’s awareness that personally identifiable information is being collected by sensors\n\nsensor information collection capabilities for the system"}]}]},{"id":"sc-42.5","class":"SP800-53-enhancement","title":"Collection Minimization","params":[{"id":"sc-42.05_odp","props":[{"name":"alt-identifier","value":"sc-42.5_prm_1"},{"name":"label","value":"SC-42(05)_ODP","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"the sensors that are configured to minimize the collection of unneeded information about individuals are defined;"}]}],"props":[{"name":"label","value":"SC-42(5)"},{"name":"label","value":"SC-42(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-42.5_smt","name":"statement","prose":"Employ {{ insert: param, sc-42.05_odp }} that are configured to minimize the collection of information about individuals that is not needed."},{"id":"sc-42.5_gdn","name":"guidance","prose":"Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones."},{"id":"sc-42.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(05)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-42.05_odp }} configured to minimize the collection of information about individuals that is not needed are employed."},{"id":"sc-42.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprivacy risk assessment documentation\n\nprivacy impact assessments\n\nsystem architecture\n\nlist of information being collected by sensors\n\nlist of sensor configurations that minimize the collection of personally identifiable information (e.g., obscure human features)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to facilitate the review of information that is being collected by sensors\n\nsensor information collection capabilities for the system"}]}]}]},{"id":"sc-43","class":"SP800-53","title":"Usage Restrictions","params":[{"id":"sc-43_odp","props":[{"name":"alt-identifier","value":"sc-43_prm_1"},{"name":"alt-label","value":"system components","class":"sp800-53"},{"name":"label","value":"SC-43_ODP","class":"sp800-53a"}],"label":"components","guidelines":[{"prose":"the components for which usage restrictions and implementation guidance are to be established are defined;"}]}],"props":[{"name":"label","value":"SC-43"},{"name":"label","value":"SC-43","class":"sp800-53a"},{"name":"sort-id","value":"sc-43"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"sc-43_smt","name":"statement","parts":[{"id":"sc-43_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish usage restrictions and implementation guidelines for the following system components: {{ insert: param, sc-43_odp }} ; and"},{"id":"sc-43_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of such components within the system."}]},{"id":"sc-43_gdn","name":"guidance","prose":"Usage restrictions apply to all system components including but not limited to mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs."},{"id":"sc-43_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-43","class":"sp800-53a"}],"parts":[{"id":"sc-43_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-43a.","class":"sp800-53a"}],"prose":"usage restrictions and implementation guidelines are established for {{ insert: param, sc-43_odp }};"},{"id":"sc-43_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.","class":"sp800-53a"}],"parts":[{"id":"sc-43_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is authorized within the system;"},{"id":"sc-43_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is monitored within the system;"},{"id":"sc-43_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is controlled within the system."}]}]},{"id":"sc-43_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-43-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nusage restrictions\n\nprocedures addressing usage restrictions\n\nimplementation policy and procedures\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-43_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-43-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-43_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-43-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing, monitoring, and controlling the use of components with usage restrictions\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling the use of components with usage restrictions"}]}]},{"id":"sc-44","class":"SP800-53","title":"Detonation Chambers","params":[{"id":"sc-44_odp","props":[{"name":"alt-identifier","value":"sc-44_prm_1"},{"name":"label","value":"SC-44_ODP","class":"sp800-53a"}],"label":"system, system component, or location","guidelines":[{"prose":"the system, system component, or location where a detonation chamber capability is to be employed is defined;"}]}],"props":[{"name":"label","value":"SC-44"},{"name":"label","value":"SC-44","class":"sp800-53a"},{"name":"sort-id","value":"sc-44"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-25","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-44_smt","name":"statement","prose":"Employ a detonation chamber capability within {{ insert: param, sc-44_odp }}."},{"id":"sc-44_gdn","name":"guidance","prose":"Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely."},{"id":"sc-44_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-44","class":"sp800-53a"}],"prose":"a detonation chamber capability is employed within the {{ insert: param, sc-44_odp }}."},{"id":"sc-44_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-44-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing detonation chambers\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-44_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-44-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-44_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-44-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the detonation chamber capability"}]}]},{"id":"sc-45","class":"SP800-53","title":"System Time Synchronization","props":[{"name":"label","value":"SC-45"},{"name":"label","value":"SC-45","class":"sp800-53a"},{"name":"sort-id","value":"sc-45"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e4d37285-1e79-4029-8b6a-42df39cace30","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"sc-45_smt","name":"statement","prose":"Synchronize system clocks within and between systems and system components."},{"id":"sc-45_gdn","name":"guidance","prose":"Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities."},{"id":"sc-45_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45","class":"sp800-53a"}],"prose":"system clocks are synchronized within and between systems and system components."},{"id":"sc-45_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization"}]}],"controls":[{"id":"sc-45.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"sc-45.01_odp.01","props":[{"name":"alt-identifier","value":"sc-45.1_prm_1"},{"name":"label","value":"SC-45(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to compare the internal system clocks with the authoritative time source is defined;"}]},{"id":"sc-45.01_odp.02","props":[{"name":"alt-identifier","value":"sc-45.1_prm_2"},{"name":"label","value":"SC-45(01)_ODP[02]","class":"sp800-53a"}],"label":"authoritative time source","guidelines":[{"prose":"the authoritative time source to which internal system clocks are to be compared is defined;"}]},{"id":"sc-45.01_odp.03","props":[{"name":"alt-identifier","value":"sc-45.1_prm_3"},{"name":"label","value":"SC-45(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to compare the internal system clocks with the authoritative time source is defined;"}]}],"props":[{"name":"label","value":"SC-45(1)"},{"name":"label","value":"SC-45(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-45.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-45","rel":"required"}],"parts":[{"id":"sc-45.1_smt","name":"statement","parts":[{"id":"sc-45.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and"},{"id":"sc-45.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}."}]},{"id":"sc-45.1_gdn","name":"guidance","prose":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network."},{"id":"sc-45.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)","class":"sp800-53a"}],"parts":[{"id":"sc-45.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)(a)","class":"sp800-53a"}],"prose":"the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};"},{"id":"sc-45.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)(b)","class":"sp800-53a"}],"prose":"the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}."}]},{"id":"sc-45.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization"}]}]},{"id":"sc-45.2","class":"SP800-53-enhancement","title":"Secondary Authoritative Time Source","props":[{"name":"label","value":"SC-45(2)"},{"name":"label","value":"SC-45(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-45.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-45","rel":"required"}],"parts":[{"id":"sc-45.2_smt","name":"statement","parts":[{"id":"sc-45.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and"},{"id":"sc-45.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable."}]},{"id":"sc-45.2_gdn","name":"guidance","prose":"It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region."},{"id":"sc-45.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)","class":"sp800-53a"}],"parts":[{"id":"sc-45.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)(a)","class":"sp800-53a"}],"prose":"a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;"},{"id":"sc-45.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)(b)","class":"sp800-53a"}],"prose":"the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable."}]},{"id":"sc-45.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization with secondary authoritative time sources"}]}]}]},{"id":"sc-46","class":"SP800-53","title":"Cross Domain Policy Enforcement","params":[{"id":"sc-46_odp","props":[{"name":"alt-identifier","value":"sc-46_prm_1"},{"name":"label","value":"SC-46_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-46"},{"name":"label","value":"SC-46","class":"sp800-53a"},{"name":"sort-id","value":"sc-46"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sc-46_smt","name":"statement","prose":"Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and\/or network interfaces for the connecting security domains."},{"id":"sc-46_gdn","name":"guidance","prose":"For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information."},{"id":"sc-46_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-46","class":"sp800-53a"}],"prose":"a policy enforcement mechanism is {{ insert: param, sc-46_odp }} implemented between the physical and\/or network interfaces for the connecting security domains."},{"id":"sc-46_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-46-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-46_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-46-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-46_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-46-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cross-domain policy enforcement"}]}]},{"id":"sc-47","class":"SP800-53","title":"Alternate Communications Paths","params":[{"id":"sc-47_odp","props":[{"name":"alt-identifier","value":"sc-47_prm_1"},{"name":"alt-label","value":"alternate communications paths","class":"sp800-53"},{"name":"label","value":"SC-47_ODP","class":"sp800-53a"}],"label":"alternate communication paths","guidelines":[{"prose":"alternate communication paths for system operations and operational command and control are defined;"}]}],"props":[{"name":"label","value":"SC-47"},{"name":"label","value":"SC-47","class":"sp800-53a"},{"name":"sort-id","value":"sc-47"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-8","rel":"related"}],"parts":[{"id":"sc-47_smt","name":"statement","prose":"Establish {{ insert: param, sc-47_odp }} for system operations organizational command and control."},{"id":"sc-47_gdn","name":"guidance","prose":"An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident."},{"id":"sc-47_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-47","class":"sp800-53a"}],"prose":"{{ insert: param, sc-47_odp }} are established for system operations and operational command and control."},{"id":"sc-47_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-47-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing communication paths\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-47_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-47-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"sc-47_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-47-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing alternate communication paths for system operations"}]}]},{"id":"sc-48","class":"SP800-53","title":"Sensor Relocation","params":[{"id":"sc-48_odp.01","props":[{"name":"alt-identifier","value":"sc-48_prm_1"},{"name":"label","value":"SC-48_ODP[01]","class":"sp800-53a"}],"label":"sensors and monitoring capabilities","guidelines":[{"prose":"sensors and monitoring capabilities to be relocated are defined;"}]},{"id":"sc-48_odp.02","props":[{"name":"alt-identifier","value":"sc-48_prm_2"},{"name":"label","value":"SC-48_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to where sensors and monitoring capabilities are to be relocated are defined;"}]},{"id":"sc-48_odp.03","props":[{"name":"alt-identifier","value":"sc-48_prm_3"},{"name":"label","value":"SC-48_ODP[03]","class":"sp800-53a"}],"label":"conditions or circumstances","guidelines":[{"prose":"conditions or circumstances for relocating sensors and monitoring capabilities are defined;"}]}],"props":[{"name":"label","value":"SC-48"},{"name":"label","value":"SC-48","class":"sp800-53a"},{"name":"sort-id","value":"sc-48"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-48_smt","name":"statement","prose":"Relocate {{ insert: param, sc-48_odp.01 }} to {{ insert: param, sc-48_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48_odp.03 }}."},{"id":"sc-48_gdn","name":"guidance","prose":"Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging."},{"id":"sc-48_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-48","class":"sp800-53a"}],"prose":"{{ insert: param, sc-48_odp.01 }} are relocated to {{ insert: param, sc-48_odp.02 }} under {{ insert: param, sc-48_odp.03 }}."},{"id":"sc-48_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-48-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor and monitoring capability relocation\n\nlist of sensors\/monitoring capabilities to be relocated\n\nchange control records\n\nconfiguration management records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-48_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-48-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-48_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-48-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing sensor relocation"}]}],"controls":[{"id":"sc-48.1","class":"SP800-53-enhancement","title":"Dynamic Relocation of Sensors or Monitoring Capabilities","params":[{"id":"sc-48.01_odp.01","props":[{"name":"alt-identifier","value":"sc-48.1_prm_1"},{"name":"label","value":"SC-48(01)_ODP[01]","class":"sp800-53a"}],"label":"sensors and monitoring capabilities","guidelines":[{"prose":"sensors and monitoring capabilities to be dynamically relocated are defined;"}]},{"id":"sc-48.01_odp.02","props":[{"name":"alt-identifier","value":"sc-48.1_prm_2"},{"name":"label","value":"SC-48(01)_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;"}]},{"id":"sc-48.01_odp.03","props":[{"name":"alt-identifier","value":"sc-48.1_prm_3"},{"name":"label","value":"SC-48(01)_ODP[03]","class":"sp800-53a"}],"label":"conditions or circumstances","guidelines":[{"prose":"conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;"}]}],"props":[{"name":"label","value":"SC-48(1)"},{"name":"label","value":"SC-48(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-48.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-48","rel":"required"}],"parts":[{"id":"sc-48.1_smt","name":"statement","prose":"Dynamically relocate {{ insert: param, sc-48.01_odp.01 }} to {{ insert: param, sc-48.01_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48.01_odp.03 }}."},{"id":"sc-48.1_gdn","name":"guidance","prose":"None."},{"id":"sc-48.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-48(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-48.01_odp.01 }} are dynamically relocated to {{ insert: param, sc-48.01_odp.02 }} under {{ insert: param, sc-48.01_odp.03 }}."},{"id":"sc-48.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-48(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor and monitoring capability relocation\n\nlist of sensors\/monitoring capabilities to be relocated\n\nchange control records\n\nconfiguration management records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-48.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-48(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-48.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-48(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"SELECT FROM: Mechanisms supporting and\/or implementing sensor relocation"}]}]}]},{"id":"sc-49","class":"SP800-53","title":"Hardware-enforced Separation and Policy Enforcement","params":[{"id":"sc-49_odp","props":[{"name":"alt-identifier","value":"sc-49_prm_1"},{"name":"label","value":"SC-49_ODP","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-49"},{"name":"label","value":"SC-49","class":"sp800-53a"},{"name":"sort-id","value":"sc-49"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-50","rel":"related"}],"parts":[{"id":"sc-49_smt","name":"statement","prose":"Implement hardware-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-49_odp }}."},{"id":"sc-49_gdn","name":"guidance","prose":"System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement."},{"id":"sc-49_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-49","class":"sp800-53a"}],"prose":"hardware-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-49_odp }}."},{"id":"sc-49_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-49-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-49_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-49-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-49_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-49-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing hardware-enforced security domain separation and policy enforcement"}]}]},{"id":"sc-50","class":"SP800-53","title":"Software-enforced Separation and Policy Enforcement","params":[{"id":"sc-50_odp","props":[{"name":"alt-identifier","value":"sc-50_prm_1"},{"name":"label","value":"SC-50_ODP","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains requiring software-enforced separation and policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-50"},{"name":"label","value":"SC-50","class":"sp800-53a"},{"name":"sort-id","value":"sc-50"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-49","rel":"related"}],"parts":[{"id":"sc-50_smt","name":"statement","prose":"Implement software-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-50_odp }}."},{"id":"sc-50_gdn","name":"guidance","prose":"System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation."},{"id":"sc-50_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-50","class":"sp800-53a"}],"prose":"software-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-50_odp }}."},{"id":"sc-50_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-50-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-50_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-50-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-50_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-50-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing software-enforced separation and policy enforcement"}]}]},{"id":"sc-51","class":"SP800-53","title":"Hardware-based Protection","params":[{"id":"sc-51_odp.01","props":[{"name":"alt-identifier","value":"sc-51_prm_1"},{"name":"label","value":"SC-51_ODP[01]","class":"sp800-53a"}],"label":"system firmware components","guidelines":[{"prose":"system firmware components requiring hardware-based write-protect are defined;"}]},{"id":"sc-51_odp.02","props":[{"name":"alt-identifier","value":"sc-51_prm_2"},{"name":"label","value":"SC-51_ODP[02]","class":"sp800-53a"}],"label":"authorized individuals","guidelines":[{"prose":"authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;"}]}],"props":[{"name":"label","value":"SC-51"},{"name":"label","value":"SC-51","class":"sp800-53a"},{"name":"sort-id","value":"sc-51"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"sc-51_smt","name":"statement","parts":[{"id":"sc-51_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and"},{"id":"sc-51_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode."}]},{"id":"sc-51_gdn","name":"guidance","prose":"None."},{"id":"sc-51_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-51","class":"sp800-53a"}],"parts":[{"id":"sc-51_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-51a.","class":"sp800-53a"}],"prose":"hardware-based write-protect for {{ insert: param, sc-51_odp.01 }} is employed;"},{"id":"sc-51_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.","class":"sp800-53a"}],"parts":[{"id":"sc-51_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.[01]","class":"sp800-53a"}],"prose":"specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications;"},{"id":"sc-51_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.[02]","class":"sp800-53a"}],"prose":"specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to re-enable the write-protect prior to returning to operational mode."}]}]},{"id":"sc-51_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-51-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing firmware modifications\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-51_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-51-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-51_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-51-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for modifying system firmware\n\nmechanisms supporting and\/or implementing hardware-based write-protection for system firmware"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;"},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."}]}]}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;"},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;"},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;"},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;"},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process."}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-2(1)"},{"name":"label","value":"SI-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]},{"id":"si-2.3","class":"SP800-53-enhancement","title":"Time to Remediate Flaws and Benchmarks for Corrective Actions","params":[{"id":"si-02.03_odp","props":[{"name":"alt-identifier","value":"si-2.3_prm_1"},{"name":"label","value":"SI-02(03)_ODP","class":"sp800-53a"}],"label":"benchmarks","guidelines":[{"prose":"the benchmarks for taking corrective actions are defined;"}]}],"props":[{"name":"label","value":"SI-2(3)"},{"name":"label","value":"SI-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.3_smt","name":"statement","parts":[{"id":"si-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Measure the time between flaw identification and flaw remediation; and"},{"id":"si-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}."}]},{"id":"si-2.3_gdn","name":"guidance","prose":"Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited."},{"id":"si-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)","class":"sp800-53a"}],"parts":[{"id":"si-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)(a)","class":"sp800-53a"}],"prose":"the time between flaw identification and flaw remediation is measured;"},{"id":"si-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-02.03_odp }} for taking corrective actions have been established."}]},{"id":"si-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation"}]}]},{"id":"si-2.4","class":"SP800-53-enhancement","title":"Automated Patch Management Tools","params":[{"id":"si-02.04_odp","props":[{"name":"alt-identifier","value":"si-2.4_prm_1"},{"name":"alt-label","value":"system components","class":"sp800-53"},{"name":"label","value":"SI-02(04)_ODP","class":"sp800-53a"}],"label":"components","guidelines":[{"prose":"the system components requiring automated patch management tools to facilitate flaw remediation are defined;"}]}],"props":[{"name":"label","value":"SI-2(4)"},{"name":"label","value":"SI-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.4_smt","name":"statement","prose":"Employ automated patch management tools to facilitate flaw remediation to the following system components: {{ insert: param, si-02.04_odp }}."},{"id":"si-2.4_gdn","name":"guidance","prose":"Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations."},{"id":"si-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(04)","class":"sp800-53a"}],"prose":"automated patch management tools are employed to facilitate flaw remediation to {{ insert: param, si-02.04_odp }}."},{"id":"si-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation and automatic software\/firmware updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system flaws\n\nrecords of recent security-relevant software and firmware updates that are automatically installed to system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated patch management tools\n\nmechanisms implementing automatic software\/firmware updates\n\nmechanisms facilitating flaw remediation to system components"}]}]},{"id":"si-2.5","class":"SP800-53-enhancement","title":"Automatic Software and Firmware Updates","params":[{"id":"si-02.05_odp.01","props":[{"name":"alt-identifier","value":"si-2.5_prm_1"},{"name":"label","value":"SI-02(05)_ODP[01]","class":"sp800-53a"}],"label":"security-relevant software and firmware updates","guidelines":[{"prose":"security-relevant software and firmware updates to be automatically installed to system components are defined;"}]},{"id":"si-02.05_odp.02","props":[{"name":"alt-identifier","value":"si-2.5_prm_2"},{"name":"label","value":"SI-02(05)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring security-relevant software updates to be automatically installed are defined;"}]}],"props":[{"name":"label","value":"SI-2(5)"},{"name":"label","value":"SI-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.5_smt","name":"statement","prose":"Install {{ insert: param, si-02.05_odp.01 }} automatically to {{ insert: param, si-02.05_odp.02 }}."},{"id":"si-2.5_gdn","name":"guidance","prose":"Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose."},{"id":"si-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-02.05_odp.01 }} are installed automatically to {{ insert: param, si-02.05_odp.02 }}."},{"id":"si-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation and automatic software\/firmware updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of recent security-relevant software and firmware updates automatically installed to system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing automatic software\/firmware updates"}]}]},{"id":"si-2.6","class":"SP800-53-enhancement","title":"Removal of Previous Versions of Software and Firmware","params":[{"id":"si-02.06_odp","props":[{"name":"alt-identifier","value":"si-2.6_prm_1"},{"name":"label","value":"SI-02(06)_ODP","class":"sp800-53a"}],"label":"software and firmware components","guidelines":[{"prose":"software and firmware components to be removed after updated versions have been installed are defined;"}]}],"props":[{"name":"label","value":"SI-2(6)"},{"name":"label","value":"SI-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.6_smt","name":"statement","prose":"Remove previous versions of {{ insert: param, si-02.06_odp }} after updated versions have been installed."},{"id":"si-2.6_gdn","name":"guidance","prose":"Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system."},{"id":"si-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(06)","class":"sp800-53a"}],"prose":"previous versions of {{ insert: param, si-02.06_odp }} are removed after updated versions have been installed."},{"id":"si-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of software and firmware component removals after updated versions are installed\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the removal of previous versions of software\/firmware"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"}]}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"label","value":"SI-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"label","value":"SI-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-3","rel":"incorporated-into"}]},{"id":"si-3.3","class":"SP800-53-enhancement","title":"Non-privileged Users","props":[{"name":"label","value":"SI-3(3)"},{"name":"label","value":"SI-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.10","rel":"incorporated-into"}]},{"id":"si-3.4","class":"SP800-53-enhancement","title":"Updates Only by Privileged Users","props":[{"name":"label","value":"SI-3(4)"},{"name":"label","value":"SI-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#cm-5","rel":"related"}],"parts":[{"id":"si-3.4_smt","name":"statement","prose":"Update malicious code protection mechanisms only when directed by a privileged user."},{"id":"si-3.4_gdn","name":"guidance","prose":"Protection mechanisms for malicious code are typically categorized as security-related software and, as such, are only updated by organizational personnel with appropriate access privileges."},{"id":"si-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(04)","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated only when directed by a privileged user."},{"id":"si-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nlist of privileged users on system\n\nsystem design documentation\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing malicious code protection capabilities"}]}]},{"id":"si-3.5","class":"SP800-53-enhancement","title":"Portable Storage Devices","props":[{"name":"label","value":"SI-3(5)"},{"name":"label","value":"SI-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"si-3.6","class":"SP800-53-enhancement","title":"Testing and Verification","params":[{"id":"si-03.06_odp","props":[{"name":"alt-identifier","value":"si-3.6_prm_1"},{"name":"label","value":"SI-03(06)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to test malicious code protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-3(6)"},{"name":"label","value":"SI-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"si-3.6_smt","name":"statement","parts":[{"id":"si-3.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Test malicious code protection mechanisms {{ insert: param, si-03.06_odp }} by introducing known benign code into the system; and"},{"id":"si-3.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the detection of the code and the associated incident reporting occur."}]},{"id":"si-3.6_gdn","name":"guidance","prose":"None."},{"id":"si-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)","class":"sp800-53a"}],"parts":[{"id":"si-3.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(a)","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are tested {{ insert: param, si-03.06_odp }} by introducing known benign code into the system;"},{"id":"si-3.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)","class":"sp800-53a"}],"parts":[{"id":"si-3.6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)[01]","class":"sp800-53a"}],"prose":"the detection of (benign test) code occurs;"},{"id":"si-3.6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)[02]","class":"sp800-53a"}],"prose":"the associated incident reporting occurs."}]}]},{"id":"si-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntest cases\n\nrecords providing evidence of test cases executed on malicious code protection mechanisms\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the testing and verification of malicious code protection capabilities"}]}]},{"id":"si-3.7","class":"SP800-53-enhancement","title":"Nonsignature-based Detection","props":[{"name":"label","value":"SI-3(7)"},{"name":"label","value":"SI-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-3","rel":"incorporated-into"}]},{"id":"si-3.8","class":"SP800-53-enhancement","title":"Detect Unauthorized Commands","params":[{"id":"si-03.08_odp.01","props":[{"name":"alt-identifier","value":"si-3.8_prm_2"},{"name":"label","value":"SI-03(08)_ODP[01]","class":"sp800-53a"}],"label":"unauthorized operating system commands","guidelines":[{"prose":"system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;"}]},{"id":"si-03.08_odp.02","props":[{"name":"alt-identifier","value":"si-3.8_prm_1"},{"name":"label","value":"SI-03(08)_ODP[02]","class":"sp800-53a"}],"label":"system hardware components","guidelines":[{"prose":"unauthorized operating system commands to be detected are defined;"}]},{"id":"si-03.08_odp.03","props":[{"name":"alt-identifier","value":"si-3.8_prm_3"},{"name":"label","value":"SI-03(08)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["issue a warning","audit the command execution","prevent the execution of the command"]}}],"props":[{"name":"label","value":"SI-3(8)"},{"name":"label","value":"SI-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-3.8_smt","name":"statement","parts":[{"id":"si-3.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the following unauthorized operating system commands through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }}: {{ insert: param, si-03.08_odp.01 }} ; and"},{"id":"si-3.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-03.08_odp.03 }}."}]},{"id":"si-3.8_gdn","name":"guidance","prose":"Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands."},{"id":"si-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)","class":"sp800-53a"}],"parts":[{"id":"si-3.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.08_odp.01 }} are detected through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }};"},{"id":"si-3.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.08_odp.03 }} is\/are performed."}]},{"id":"si-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nsystem design documentation\n\nmalicious code protection mechanisms\n\nwarning messages sent upon the detection of unauthorized operating system command execution\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing malicious code protection capabilities\n\nmechanisms supporting and\/or implementing the detection of unauthorized operating system commands through the kernel application programming interface"}]}]},{"id":"si-3.9","class":"SP800-53-enhancement","title":"Authenticate Remote Commands","props":[{"name":"label","value":"SI-3(9)"},{"name":"label","value":"SI-03(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-17.10","rel":"moved-to"}]},{"id":"si-3.10","class":"SP800-53-enhancement","title":"Malicious Code Analysis","params":[{"id":"si-03.10_odp","props":[{"name":"alt-identifier","value":"si-3.10_prm_1"},{"name":"label","value":"SI-03(10)_ODP","class":"sp800-53a"}],"label":"tools and techniques","guidelines":[{"prose":"tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;"}]}],"props":[{"name":"label","value":"SI-3(10)"},{"name":"label","value":"SI-03(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-3","rel":"required"}],"parts":[{"id":"si-3.10_smt","name":"statement","parts":[{"id":"si-3.10_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: {{ insert: param, si-03.10_odp }} ; and"},{"id":"si-3.10_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes."}]},{"id":"si-3.10_gdn","name":"guidance","prose":"The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code."},{"id":"si-3.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)","class":"sp800-53a"}],"parts":[{"id":"si-3.10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.10_odp }} are employed to analyze the characteristics and behavior of malicious code;"},{"id":"si-3.10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)","class":"sp800-53a"}],"parts":[{"id":"si-3.10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)[01]","class":"sp800-53a"}],"prose":"the results from malicious code analysis are incorporated into organizational incident response processes;"},{"id":"si-3.10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)[02]","class":"sp800-53a"}],"prose":"the results from malicious code analysis are incorporated into organizational flaw remediation processes."}]}]},{"id":"si-3.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nprocedures addressing incident response\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nmalicious code protection mechanisms, tools, and techniques\n\nsystem configuration settings and associated documentation\n\nresults from malicious code analyses\n\nrecords of flaw remediation events resulting from malicious code analyses\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-3.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for incident response\n\norganizational process for flaw remediation\n\nmechanisms supporting and\/or implementing malicious code protection capabilities\n\ntools and techniques for the analysis of malicious code characteristics and behavior"}]}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed","{{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;"},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;"},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;"}]}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;"},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;"},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":"{{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.1","class":"SP800-53-enhancement","title":"System-wide Intrusion Detection System","props":[{"name":"label","value":"SI-4(1)"},{"name":"label","value":"SI-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.1_smt","name":"statement","prose":"Connect and configure individual intrusion detection tools into a system-wide intrusion detection system."},{"id":"si-4.1_gdn","name":"guidance","prose":"Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful."},{"id":"si-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)","class":"sp800-53a"}],"parts":[{"id":"si-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)[01]","class":"sp800-53a"}],"prose":"individual intrusion detection tools are connected to a system-wide intrusion detection system;"},{"id":"si-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)[02]","class":"sp800-53a"}],"prose":"individual intrusion detection tools are configured into a system-wide intrusion detection system."}]},{"id":"si-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection capabilities"}]}]},{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events."},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.3","class":"SP800-53-enhancement","title":"Automated Tool and Mechanism Integration","props":[{"name":"label","value":"SI-4(3)"},{"name":"label","value":"SI-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.3_smt","name":"statement","prose":"Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms."},{"id":"si-4.3_gdn","name":"guidance","prose":"Using automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access and flow control mechanisms facilitates a rapid response to attacks by enabling the reconfiguration of mechanisms in support of attack isolation and elimination."},{"id":"si-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)","class":"sp800-53a"}],"parts":[{"id":"si-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)[01]","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;"},{"id":"si-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)[02]","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms."}]},{"id":"si-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing the intrusion detection and system monitoring capability\n\nmechanisms and tools supporting and\/or implementing the access and flow control capabilities\n\nmechanisms and tools supporting and\/or implementing the integration of intrusion detection tools into the access and flow control mechanisms"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."}]}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]},{"id":"si-4.6","class":"SP800-53-enhancement","title":"Restrict Non-privileged Users","props":[{"name":"label","value":"SI-4(6)"},{"name":"label","value":"SI-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.10","rel":"incorporated-into"}]},{"id":"si-4.7","class":"SP800-53-enhancement","title":"Automated Response to Suspicious Events","params":[{"id":"si-04.07_odp.01","props":[{"name":"alt-identifier","value":"si-4.7_prm_1"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role)","class":"sp800-53"},{"name":"label","value":"SI-04(07)_ODP[01]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to be notified of detected suspicious events is\/are defined;"}]},{"id":"si-04.07_odp.02","props":[{"name":"alt-identifier","value":"si-4.7_prm_2"},{"name":"alt-label","value":"least-disruptive actions to terminate suspicious events","class":"sp800-53"},{"name":"label","value":"SI-04(07)_ODP[02]","class":"sp800-53a"}],"label":"least-disruptive actions","guidelines":[{"prose":"least-disruptive actions to terminate suspicious events are defined;"}]}],"props":[{"name":"label","value":"SI-4(7)"},{"name":"label","value":"SI-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.7_smt","name":"statement","parts":[{"id":"si-4.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify {{ insert: param, si-04.07_odp.01 }} of detected suspicious events; and"},{"id":"si-4.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions upon detection: {{ insert: param, si-04.07_odp.02 }}."}]},{"id":"si-4.7_gdn","name":"guidance","prose":"Least-disruptive actions include initiating requests for human responses."},{"id":"si-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)","class":"sp800-53a"}],"parts":[{"id":"si-4.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.07_odp.01 }} are notified of detected suspicious events;"},{"id":"si-4.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.07_odp.02 }} are taken upon the detection of suspicious events."}]},{"id":"si-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nalerts and notifications generated based on detected suspicious events\n\nrecords of actions taken to terminate suspicious events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing notifications to incident response personnel\n\nmechanisms supporting and\/or implementing actions to terminate suspicious events"}]}]},{"id":"si-4.8","class":"SP800-53-enhancement","title":"Protection of Monitoring Information","props":[{"name":"label","value":"SI-4(8)"},{"name":"label","value":"SI-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"si-4.9","class":"SP800-53-enhancement","title":"Testing of Monitoring Tools and Mechanisms","params":[{"id":"si-04.09_odp","props":[{"name":"alt-identifier","value":"si-4.9_prm_1"},{"name":"label","value":"SI-04(09)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency at which to test intrusion-monitoring tools and mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-4(9)"},{"name":"label","value":"SI-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.9_smt","name":"statement","prose":"Test intrusion-monitoring tools and mechanisms {{ insert: param, si-04.09_odp }}."},{"id":"si-4.9_gdn","name":"guidance","prose":"Testing intrusion-monitoring tools and mechanisms is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment."},{"id":"si-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(09)","class":"sp800-53a"}],"prose":"intrusion-monitoring tools and mechanisms are tested {{ insert: param, si-04.09_odp }}."},{"id":"si-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing the testing of system monitoring tools and techniques\n\ndocumentation providing evidence of testing intrusion-monitoring tools\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the testing of intrusion-monitoring tools"}]}]},{"id":"si-4.10","class":"SP800-53-enhancement","title":"Visibility of Encrypted Communications","params":[{"id":"si-04.10_odp.01","props":[{"name":"alt-identifier","value":"si-4.10_prm_1"},{"name":"label","value":"SI-04(10)_ODP[01]","class":"sp800-53a"}],"label":"encrypted communications traffic","guidelines":[{"prose":"encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;"}]},{"id":"si-04.10_odp.02","props":[{"name":"alt-identifier","value":"si-4.10_prm_2"},{"name":"label","value":"SI-04(10)_ODP[02]","class":"sp800-53a"}],"label":"system monitoring tools and mechanisms","guidelines":[{"prose":"system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(10)"},{"name":"label","value":"SI-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.10_smt","name":"statement","prose":"Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_gdn","name":"guidance","prose":"Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types."},{"id":"si-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(10)","class":"sp800-53a"}],"prose":"provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the visibility of encrypted communications traffic to monitoring tools"}]}]},{"id":"si-4.11","class":"SP800-53-enhancement","title":"Analyze Communications Traffic Anomalies","params":[{"id":"si-04.11_odp","props":[{"name":"alt-identifier","value":"si-4.11_prm_1"},{"name":"alt-label","value":"interior points within the system","class":"sp800-53"},{"name":"label","value":"SI-04(11)_ODP","class":"sp800-53a"}],"label":"interior points","guidelines":[{"prose":"interior points within the system where communications traffic is to be analyzed are defined;"}]}],"props":[{"name":"label","value":"SI-4(11)"},{"name":"label","value":"SI-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.11_smt","name":"statement","prose":"Analyze outbound communications traffic at the external interfaces to the system and selected {{ insert: param, si-04.11_odp }} to discover anomalies."},{"id":"si-4.11_gdn","name":"guidance","prose":"Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses."},{"id":"si-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)","class":"sp800-53a"}],"parts":[{"id":"si-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)[01]","class":"sp800-53a"}],"prose":"outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;"},{"id":"si-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies."}]},{"id":"si-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the analysis of communications traffic"}]}]},{"id":"si-4.12","class":"SP800-53-enhancement","title":"Automated Organization-generated Alerts","params":[{"id":"si-04.12_odp.01","props":[{"name":"alt-identifier","value":"si-4.12_prm_1"},{"name":"label","value":"SI-04(12)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is\/are defined;"}]},{"id":"si-04.12_odp.02","props":[{"name":"alt-identifier","value":"si-4.12_prm_2"},{"name":"label","value":"SI-04(12)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to alert personnel or roles are defined;"}]},{"id":"si-04.12_odp.03","props":[{"name":"alt-identifier","value":"si-4.12_prm_3"},{"name":"label","value":"SI-04(12)_ODP[03]","class":"sp800-53a"}],"label":"activities that trigger alerts","guidelines":[{"prose":"activities that trigger alerts to personnel or are defined;"}]}],"props":[{"name":"label","value":"SI-4(12)"},{"name":"label","value":"SI-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.12_smt","name":"statement","prose":"Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}."},{"id":"si-4.12_gdn","name":"guidance","prose":"Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records."},{"id":"si-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(12)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.12_odp.01 }} is\/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications."},{"id":"si-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and\/or implementing automated alerts to security personnel"}]}]},{"id":"si-4.13","class":"SP800-53-enhancement","title":"Analyze Traffic and Event Patterns","props":[{"name":"label","value":"SI-4(13)"},{"name":"label","value":"SI-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.13_smt","name":"statement","parts":[{"id":"si-4.13_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Analyze communications traffic and event patterns for the system;"},{"id":"si-4.13_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop profiles representing common traffic and event patterns; and"},{"id":"si-4.13_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use the traffic and event profiles in tuning system-monitoring devices."}]},{"id":"si-4.13_gdn","name":"guidance","prose":"Identifying and understanding common communications traffic and event patterns help organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring."},{"id":"si-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)[01]","class":"sp800-53a"}],"prose":"communications traffic for the system is analyzed;"},{"id":"si-4.13_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)[02]","class":"sp800-53a"}],"prose":"event patterns for the system are analyzed;"}]},{"id":"si-4.13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)[01]","class":"sp800-53a"}],"prose":"profiles representing common traffic are developed;"},{"id":"si-4.13_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)[02]","class":"sp800-53a"}],"prose":"profiles representing event patterns are developed;"}]},{"id":"si-4.13_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)[01]","class":"sp800-53a"}],"prose":"traffic profiles are used in tuning system-monitoring devices;"},{"id":"si-4.13_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)[02]","class":"sp800-53a"}],"prose":"event profiles are used in tuning system-monitoring devices."}]}]},{"id":"si-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of profiles representing common traffic patterns and\/or events\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the analysis of communications traffic and event patterns"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","props":[{"name":"label","value":"SI-4(14)"},{"name":"label","value":"SI-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems."},{"id":"si-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)","class":"sp800-53a"}],"parts":[{"id":"si-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[01]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to identify rogue wireless devices;"},{"id":"si-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[02]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect attack attempts on the system;"},{"id":"si-4.14_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[03]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect potential compromises or breaches to the system."}]},{"id":"si-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.15","class":"SP800-53-enhancement","title":"Wireless to Wireline Communications","props":[{"name":"label","value":"SI-4(15)"},{"name":"label","value":"SI-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.15_smt","name":"statement","prose":"Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."},{"id":"si-4.15_gdn","name":"guidance","prose":"Wireless networks are inherently less secure than wired networks. For example, wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline networks. When wireless to wireline communications exist, the wireless network could become a port of entry into the wired network. Given the greater facility of unauthorized network access via wireless access points compared to unauthorized wired network access from within the physical boundaries of the system, additional monitoring of transitioning traffic between wireless and wired networks may be necessary to detect malicious activities. Employing intrusion detection systems to monitor wireless communications traffic helps to ensure that the traffic does not contain malicious code prior to transitioning to the wireline network."},{"id":"si-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(15)","class":"sp800-53a"}],"prose":"an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."},{"id":"si-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.16","class":"SP800-53-enhancement","title":"Correlate Monitoring Information","props":[{"name":"label","value":"SI-4(16)"},{"name":"label","value":"SI-04(16)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"si-4.16_smt","name":"statement","prose":"Correlate information from monitoring tools and mechanisms employed throughout the system."},{"id":"si-4.16_gdn","name":"guidance","prose":"Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)."},{"id":"si-4.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(16)","class":"sp800-53a"}],"prose":"information from monitoring tools and mechanisms employed throughout the system is correlated."},{"id":"si-4.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the correlation of information from monitoring tools"}]}]},{"id":"si-4.17","class":"SP800-53-enhancement","title":"Integrated Situational Awareness","props":[{"name":"label","value":"SI-4(17)"},{"name":"label","value":"SI-04(17)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"si-4.17_smt","name":"statement","prose":"Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness."},{"id":"si-4.17_gdn","name":"guidance","prose":"Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to [SI-4(16)](#si-4.16) , which correlates the various cyber monitoring information, integrated situational awareness is intended to correlate monitoring beyond the cyber domain. Correlation of monitoring information from multiple activities may help reveal attacks on organizations that are operating across multiple attack vectors."},{"id":"si-4.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(17)","class":"sp800-53a"}],"prose":"information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness."},{"id":"si-4.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records resulting from physical, cyber, and supply chain activities\n\nsystem audit records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"si-4.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the correlation of information from monitoring tools"}]}]},{"id":"si-4.18","class":"SP800-53-enhancement","title":"Analyze Traffic and Covert Exfiltration","params":[{"id":"si-04.18_odp","props":[{"name":"alt-identifier","value":"si-4.18_prm_1"},{"name":"alt-label","value":"interior points within the system","class":"sp800-53"},{"name":"label","value":"SI-04(18)_ODP","class":"sp800-53a"}],"label":"interior points","guidelines":[{"prose":"interior points within the system where communications traffic is to be analyzed are defined;"}]}],"props":[{"name":"label","value":"SI-4(18)"},{"name":"label","value":"SI-04(18)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.18_smt","name":"statement","prose":"Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}."},{"id":"si-4.18_gdn","name":"guidance","prose":"Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography."},{"id":"si-4.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)","class":"sp800-53a"}],"parts":[{"id":"si-4.18_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)[01]","class":"sp800-53a"}],"prose":"outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;"},{"id":"si-4.18_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information."}]},{"id":"si-4.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing an analysis of outbound communications traffic"}]}]},{"id":"si-4.19","class":"SP800-53-enhancement","title":"Risk for Individuals","params":[{"id":"si-04.19_odp.01","props":[{"name":"alt-identifier","value":"si-4.19_prm_1"},{"name":"label","value":"SI-04(19)_ODP[01]","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of individuals who have been identified as posing an increased level of risk is defined;"}]},{"id":"si-04.19_odp.02","props":[{"name":"alt-identifier","value":"si-4.19_prm_2"},{"name":"label","value":"SI-04(19)_ODP[02]","class":"sp800-53a"}],"label":"sources","guidelines":[{"prose":"sources that identify individuals who pose an increased level of risk are defined;"}]}],"props":[{"name":"label","value":"SI-4(19)"},{"name":"label","value":"SI-04(19)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.19_smt","name":"statement","prose":"Implement {{ insert: param, si-04.19_odp.01 }} of individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk."},{"id":"si-4.19_gdn","name":"guidance","prose":"Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(19)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk."},{"id":"si-4.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\nlegal counsel\n\nhuman resource officials\n\norganizational personnel with personnel security responsibilities"}]},{"id":"si-4.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","params":[{"id":"si-04.20_odp","props":[{"name":"alt-identifier","value":"si-4.20_prm_1"},{"name":"label","value":"SI-04(20)_ODP","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of privileged users is defined;"}]}],"props":[{"name":"label","value":"SI-4(20)"},{"name":"label","value":"SI-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}."},{"id":"si-4.20_gdn","name":"guidance","prose":"Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions."},{"id":"si-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(20)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.20_odp }} of privileged users is implemented."},{"id":"si-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.21","class":"SP800-53-enhancement","title":"Probationary Periods","params":[{"id":"si-04.21_odp.01","props":[{"name":"alt-identifier","value":"si-4.21_prm_2"},{"name":"label","value":"SI-04(21)_ODP[01]","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring to be implemented on individuals during probationary periods is defined;"}]},{"id":"si-04.21_odp.02","props":[{"name":"alt-identifier","value":"si-4.21_prm_1"},{"name":"label","value":"SI-04(21)_ODP[02]","class":"sp800-53a"}],"label":"probationary period","guidelines":[{"prose":"the probationary period of individuals is defined;"}]}],"props":[{"name":"label","value":"SI-4(21)"},{"name":"label","value":"SI-04(21)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.21_smt","name":"statement","prose":"Implement the following additional monitoring of individuals during {{ insert: param, si-04.21_odp.02 }}: {{ insert: param, si-04.21_odp.01 }}."},{"id":"si-4.21_gdn","name":"guidance","prose":"During probationary periods, employees do not have permanent employment status within organizations. Without such status or access to information that is resident on the system, additional monitoring can help identify any potentially malicious activity or inappropriate behavior."},{"id":"si-4.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(21)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.21_odp.01 }} of individuals is implemented during {{ insert: param, si-04.21_odp.02 }}."},{"id":"si-4.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","params":[{"id":"si-04.22_odp.01","props":[{"name":"alt-identifier","value":"si-4.22_prm_1"},{"name":"label","value":"SI-04(22)_ODP[01]","class":"sp800-53a"}],"label":"authorization or approval processes","guidelines":[{"prose":"authorization or approval processes for network services are defined;"}]},{"id":"si-04.22_odp.02","props":[{"name":"alt-identifier","value":"si-4.22_prm_2"},{"name":"label","value":"SI-04(22)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["audit","alert {{ insert: param, si-04.22_odp.03 }} "]}},{"id":"si-04.22_odp.03","props":[{"name":"alt-identifier","value":"si-4.22_prm_3"},{"name":"label","value":"SI-04(22)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4(22)"},{"name":"label","value":"SI-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"si-4.22_smt","name":"statement","parts":[{"id":"si-4.22_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and"},{"id":"si-4.22_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-04.22_odp.02 }} when detected."}]},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services."},{"id":"si-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)","class":"sp800-53a"}],"parts":[{"id":"si-4.22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(a)","class":"sp800-53a"}],"prose":"network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;"},{"id":"si-4.22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.22_odp.02 }} is\/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected."}]},{"id":"si-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization\/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts"}]}]},{"id":"si-4.23","class":"SP800-53-enhancement","title":"Host-based Devices","params":[{"id":"si-04.23_odp.01","props":[{"name":"alt-identifier","value":"si-4.23_prm_2"},{"name":"label","value":"SI-04(23)_ODP[01]","class":"sp800-53a"}],"label":"host-based monitoring mechanisms","guidelines":[{"prose":"host-based monitoring mechanisms to be implemented on system components are defined;"}]},{"id":"si-04.23_odp.02","props":[{"name":"alt-identifier","value":"si-4.23_prm_1"},{"name":"label","value":"SI-04(23)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where host-based monitoring is to be implemented are defined;"}]}],"props":[{"name":"label","value":"SI-4(23)"},{"name":"label","value":"SI-04(23)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"si-4.23_smt","name":"statement","prose":"Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}."},{"id":"si-4.23_gdn","name":"guidance","prose":"Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors."},{"id":"si-4.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(23)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}."},{"id":"si-4.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a host-based monitoring capability"}]}]},{"id":"si-4.24","class":"SP800-53-enhancement","title":"Indicators of Compromise","params":[{"id":"si-04.24_odp.01","props":[{"name":"alt-identifier","value":"si-4.24_prm_2"},{"name":"label","value":"SI-04(24)_ODP[01]","class":"sp800-53a"}],"label":"sources","guidelines":[{"prose":"sources that provide indicators of compromise are defined;"}]},{"id":"si-04.24_odp.02","props":[{"name":"alt-identifier","value":"si-4.24_prm_1"},{"name":"label","value":"SI-04(24)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom indicators of compromise are to be distributed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-4(24)"},{"name":"label","value":"SI-04(24)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.24_smt","name":"statement","prose":"Discover, collect, and distribute to {{ insert: param, si-04.24_odp.02 }} , indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }}."},{"id":"si-4.24_gdn","name":"guidance","prose":"Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center."},{"id":"si-4.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)","class":"sp800-53a"}],"parts":[{"id":"si-4.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[01]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are discovered;"},{"id":"si-4.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[02]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are collected;"},{"id":"si-4.24_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[03]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are distributed to {{ insert: param, si-04.24_odp.02 }}."}]},{"id":"si-4.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\norganizational processes for the discovery, collection, distribution, and use of indicators of compromise\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms supporting and\/or implementing the discovery, collection, distribution, and use of indicators of compromise"}]}]},{"id":"si-4.25","class":"SP800-53-enhancement","title":"Optimize Network Traffic Analysis","props":[{"name":"label","value":"SI-4(25)"},{"name":"label","value":"SI-04(25)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.25_smt","name":"statement","prose":"Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices."},{"id":"si-4.25_gdn","name":"guidance","prose":"Encrypted traffic, asymmetric routing architectures, capacity and latency limitations, and transitioning from older to newer technologies (e.g., IPv4 to IPv6 network protocol transition) may result in blind spots for organizations when analyzing network traffic. Collecting, decrypting, pre-processing, and distributing only relevant traffic to monitoring devices can streamline the efficiency and use of devices and optimize traffic analysis."},{"id":"si-4.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)","class":"sp800-53a"}],"parts":[{"id":"si-4.25_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)[01]","class":"sp800-53a"}],"prose":"visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;"},{"id":"si-4.25_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)[02]","class":"sp800-53a"}],"prose":"visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices."}]},{"id":"si-4.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem architecture\n\nsystem audit records\n\nnetwork traffic reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\norganizational processes for the discovery, collection, distribution, and use of indicators of compromise\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms supporting and\/or implementing the discovery, collection, distribution, and use of indicators of compromise"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, si-05_odp.03 }} ","{{ insert: param, si-05_odp.04 }} ","{{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;"},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","params":[{"id":"si-05.01_odp","props":[{"name":"alt-identifier","value":"si-5.1_prm_1"},{"name":"label","value":"SI-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;"}]}],"props":[{"name":"label","value":"SI-5(1)"},{"name":"label","value":"SI-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-5","rel":"required"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level."},{"id":"si-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization."},{"id":"si-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing the dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security and Privacy Function Verification","params":[{"id":"si-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.02"}],"label":"organization-defined security and privacy functions"},{"id":"si-06_odp.01","props":[{"name":"label","value":"SI-06_ODP[01]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.02","props":[{"name":"label","value":"SI-06_ODP[02]","class":"sp800-53a"}],"label":"privacy functions","guidelines":[{"prose":"privacy functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.03","props":[{"name":"alt-identifier","value":"si-6_prm_2"},{"name":"label","value":"SI-06_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, si-06_odp.04 }} ","upon command by user with appropriate privilege","{{ insert: param, si-06_odp.05 }} "]}},{"id":"si-06_odp.04","props":[{"name":"alt-identifier","value":"si-6_prm_3"},{"name":"label","value":"SI-06_ODP[04]","class":"sp800-53a"}],"label":"system transitional states","guidelines":[{"prose":"system transitional states requiring the verification of security and privacy functions are defined; (if selected)"}]},{"id":"si-06_odp.05","props":[{"name":"alt-identifier","value":"si-6_prm_4"},{"name":"label","value":"SI-06_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)"}]},{"id":"si-06_odp.06","props":[{"name":"alt-identifier","value":"si-6_prm_5"},{"name":"label","value":"SI-06_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of failed security and privacy verification tests is\/are defined;"}]},{"id":"si-06_odp.07","props":[{"name":"alt-identifier","value":"si-6_prm_6"},{"name":"label","value":"SI-06_ODP[07]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut the system down","restart the system","{{ insert: param, si-06_odp.08 }} "]}},{"id":"si-06_odp.08","props":[{"name":"alt-identifier","value":"si-6_prm_7"},{"name":"label","value":"SI-06_ODP[08]","class":"sp800-53a"}],"label":"alternative action(s)","guidelines":[{"prose":"alternative action(s) to be performed when anomalies are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-6"},{"name":"label","value":"SI-06","class":"sp800-53a"},{"name":"sort-id","value":"si-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-6_smt","name":"statement","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verify the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"{{ insert: param, si-06_odp.07 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected."},{"id":"si-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.01 }} are verified to be operating correctly;"},{"id":"si-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.02 }} are verified to be operating correctly;"}]},{"id":"si-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};"}]},{"id":"si-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.06 }} is\/are alerted to failed security verification tests;"},{"id":"si-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.06 }} is\/are alerted to failed privacy verification tests;"}]},{"id":"si-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-06d.","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.07 }} is\/are initiated when anomalies are discovered."}]},{"id":"si-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"si-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nmechanisms supporting and\/or implementing the security and privacy function verification capability"}]}],"controls":[{"id":"si-6.1","class":"SP800-53-enhancement","title":"Notification of Failed Security Tests","props":[{"name":"label","value":"SI-6(1)"},{"name":"label","value":"SI-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-6","rel":"incorporated-into"}]},{"id":"si-6.2","class":"SP800-53-enhancement","title":"Automation Support for Distributed Testing","props":[{"name":"label","value":"SI-6(2)"},{"name":"label","value":"SI-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-6","rel":"required"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-6.2_smt","name":"statement","prose":"Implement automated mechanisms to support the management of distributed security and privacy function testing."},{"id":"si-6.2_gdn","name":"guidance","prose":"The use of automated mechanisms to support the management of distributed function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such testing."},{"id":"si-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)","class":"sp800-53a"}],"parts":[{"id":"si-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are implemented to support the management of distributed security function testing;"},{"id":"si-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are implemented to support the management of distributed privacy function testing."}]},{"id":"si-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nautomated mechanisms supporting and\/or implementing the management of distributed security and privacy testing"}]}]},{"id":"si-6.3","class":"SP800-53-enhancement","title":"Report Verification Results","params":[{"id":"si-06.03_odp","props":[{"name":"alt-identifier","value":"si-6.3_prm_1"},{"name":"label","value":"SI-06(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles designated to receive the results of security and privacy function verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-6(3)"},{"name":"label","value":"SI-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-6","rel":"required"},{"href":"#si-4","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"si-6.3_smt","name":"statement","prose":"Report the results of security and privacy function verification to {{ insert: param, si-06.03_odp }}."},{"id":"si-6.3_gdn","name":"guidance","prose":"Organizational personnel with potential interest in the results of the verification of security and privacy functions include systems security officers, senior agency information security officers, and senior agency officials for privacy."},{"id":"si-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)","class":"sp800-53a"}],"parts":[{"id":"si-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)[01]","class":"sp800-53a"}],"prose":"the results of security function verification are reported to {{ insert: param, si-06.03_odp }};"},{"id":"si-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)[02]","class":"sp800-53a"}],"prose":"the results of privacy function verification are reported to {{ insert: param, si-06.03_odp }}."}]},{"id":"si-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreports of security and privacy function verification results\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel who are recipients of security and privacy function verification reports\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reporting security and privacy function verification results\n\nmechanisms supporting and\/or implementing the reporting of security and privacy function verification results"}]}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."}]}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} ","{{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} ","{{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} ","{{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} ","{{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-07.02_odp","props":[{"name":"alt-identifier","value":"si-7.2_prm_1"},{"name":"label","value":"SI-07(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"label","value":"SI-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers."},{"id":"si-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(02)","class":"sp800-53a"}],"prose":"automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed."},{"id":"si-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers"}]},{"id":"si-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.3","class":"SP800-53-enhancement","title":"Centrally Managed Integrity Tools","props":[{"name":"label","value":"SI-7(3)"},{"name":"label","value":"SI-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"si-7.3_smt","name":"statement","prose":"Employ centrally managed integrity verification tools."},{"id":"si-7.3_gdn","name":"guidance","prose":"Centrally managed integrity verification tools provides greater consistency in the application of such tools and can facilitate more comprehensive coverage of integrity verification actions."},{"id":"si-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(03)","class":"sp800-53a"}],"prose":"centrally managed integrity verification tools are employed."},{"id":"si-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for the central management of integrity verification tools\n\norganizational personnel with information security responsibilities"}]},{"id":"si-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the central management of integrity verification tools"}]}]},{"id":"si-7.4","class":"SP800-53-enhancement","title":"Tamper-evident Packaging","props":[{"name":"label","value":"SI-7(4)"},{"name":"label","value":"SI-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9","rel":"incorporated-into"}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-07.05_odp.01","props":[{"name":"alt-identifier","value":"si-7.5_prm_1"},{"name":"label","value":"SI-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut down the system","restart the system","implement {{ insert: param, si-07.05_odp.02 }} "]}},{"id":"si-07.05_odp.02","props":[{"name":"alt-identifier","value":"si-7.5_prm_2"},{"name":"label","value":"SI-07(05)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented automatically when integrity violations are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"label","value":"SI-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered."},{"id":"si-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.6","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"SI-7(6)"},{"name":"label","value":"SI-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.6_smt","name":"statement","prose":"Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information."},{"id":"si-7.6_gdn","name":"guidance","prose":"Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)","class":"sp800-53a"}],"parts":[{"id":"si-7.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to software;"},{"id":"si-7.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to firmware;"},{"id":"si-7.6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[03]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to information."}]},{"id":"si-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nrecords of detected unauthorized changes to software, firmware, and information\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\ncryptographic mechanisms implementing software, firmware, and information integrity"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.8","class":"SP800-53-enhancement","title":"Auditing Capability for Significant Events","params":[{"id":"si-07.08_odp.01","props":[{"name":"alt-identifier","value":"si-7.8_prm_1"},{"name":"label","value":"SI-07(08)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["generate an audit record","alert current user","alert {{ insert: param, si-07.08_odp.02 }} ","{{ insert: param, si-07.08_odp.03 }} "]}},{"id":"si-07.08_odp.02","props":[{"name":"alt-identifier","value":"si-7.8_prm_2"},{"name":"label","value":"SI-07(08)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of a potential integrity violation is\/are defined (if selected);"}]},{"id":"si-07.08_odp.03","props":[{"name":"alt-identifier","value":"si-7.8_prm_3"},{"name":"label","value":"SI-07(08)_ODP[03]","class":"sp800-53a"}],"label":"other actions","guidelines":[{"prose":"other actions to be taken upon the detection of a potential integrity violation are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(8)"},{"name":"label","value":"SI-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-7.8_smt","name":"statement","prose":"Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: {{ insert: param, si-07.08_odp.01 }}."},{"id":"si-7.8_gdn","name":"guidance","prose":"Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations."},{"id":"si-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)","class":"sp800-53a"}],"parts":[{"id":"si-7.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)[01]","class":"sp800-53a"}],"prose":"the capability to audit an event upon the detection of a potential integrity violation is provided;"},{"id":"si-7.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.08_odp.01 }} is\/are initiated upon the detection of a potential integrity violation."}]},{"id":"si-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nincident response records\n\nlist of security-relevant changes to the system\n\nautomated tools supporting alerts and notifications if unauthorized security changes are detected\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the capability to audit potential integrity violations\n\nmechanisms supporting and\/or implementing alerts about potential integrity violations"}]}]},{"id":"si-7.9","class":"SP800-53-enhancement","title":"Verify Boot Process","params":[{"id":"si-07.09_odp","props":[{"name":"alt-identifier","value":"si-7.9_prm_1"},{"name":"label","value":"SI-07(09)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring integrity verification of the boot process are defined;"}]}],"props":[{"name":"label","value":"SI-7(9)"},{"name":"label","value":"SI-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"si-7.9_smt","name":"statement","prose":"Verify the integrity of the boot process of the following system components: {{ insert: param, si-07.09_odp }}."},{"id":"si-7.9_gdn","name":"guidance","prose":"Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes."},{"id":"si-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(09)","class":"sp800-53a"}],"prose":"the integrity of the boot process of {{ insert: param, si-07.09_odp }} is verified."},{"id":"si-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\ndocumentation\n\nrecords of integrity verification scans\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"si-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing integrity verification of the boot process"}]}]},{"id":"si-7.10","class":"SP800-53-enhancement","title":"Protection of Boot Firmware","params":[{"id":"si-07.10_odp.01","props":[{"name":"alt-identifier","value":"si-7.10_prm_2"},{"name":"label","value":"SI-07(10)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;"}]},{"id":"si-07.10_odp.02","props":[{"name":"alt-identifier","value":"si-7.10_prm_1"},{"name":"label","value":"SI-07(10)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring mechanisms to protect the integrity of boot firmware are defined;"}]}],"props":[{"name":"label","value":"SI-7(10)"},{"name":"label","value":"SI-07(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"si-7.10_smt","name":"statement","prose":"Implement the following mechanisms to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}: {{ insert: param, si-07.10_odp.01 }}."},{"id":"si-7.10_gdn","name":"guidance","prose":"Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware."},{"id":"si-7.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(10)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.10_odp.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}."},{"id":"si-7.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity verification scans\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing protection of the integrity of boot firmware\n\nsafeguards implementing protection of the integrity of boot firmware"}]}]},{"id":"si-7.11","class":"SP800-53-enhancement","title":"Confined Environments with Limited Privileges","props":[{"name":"label","value":"SI-7(11)"},{"name":"label","value":"SI-07(11)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.6","rel":"moved-to"}]},{"id":"si-7.12","class":"SP800-53-enhancement","title":"Integrity Verification","params":[{"id":"si-07.12_odp","props":[{"name":"alt-identifier","value":"si-7.12_prm_1"},{"name":"label","value":"SI-07(12)_ODP","class":"sp800-53a"}],"label":"user-installed software","guidelines":[{"prose":"user-installed software requiring integrity verification prior to execution is defined;"}]}],"props":[{"name":"label","value":"SI-7(12)"},{"name":"label","value":"SI-07(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-11","rel":"related"}],"parts":[{"id":"si-7.12_smt","name":"statement","prose":"Require that the integrity of the following user-installed software be verified prior to execution: {{ insert: param, si-07.12_odp }}."},{"id":"si-7.12_gdn","name":"guidance","prose":"Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or programs that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity, including the availability of trustworthy checksums from software developers and vendors."},{"id":"si-7.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(12)","class":"sp800-53a"}],"prose":"the integrity of {{ insert: param, si-07.12_odp }} is verified prior to execution."},{"id":"si-7.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities"}]},{"id":"si-7.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing verification of the integrity of user-installed software prior to execution"}]}]},{"id":"si-7.13","class":"SP800-53-enhancement","title":"Code Execution in Protected Environments","props":[{"name":"label","value":"SI-7(13)"},{"name":"label","value":"SI-07(13)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.7","rel":"moved-to"}]},{"id":"si-7.14","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"SI-7(14)"},{"name":"label","value":"SI-07(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.8","rel":"moved-to"}]},{"id":"si-7.15","class":"SP800-53-enhancement","title":"Code Authentication","params":[{"id":"si-07.15_odp","props":[{"name":"alt-identifier","value":"si-7.15_prm_1"},{"name":"label","value":"SI-07(15)_ODP","class":"sp800-53a"}],"label":"software or firmware components","guidelines":[{"prose":"software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;"}]}],"props":[{"name":"label","value":"SI-7(15)"},{"name":"label","value":"SI-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-5","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.15_smt","name":"statement","prose":"Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}."},{"id":"si-7.15_gdn","name":"guidance","prose":"Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(15)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation."},{"id":"si-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms authenticating software and firmware prior to installation"}]}]},{"id":"si-7.16","class":"SP800-53-enhancement","title":"Time Limit on Process Execution Without Supervision","params":[{"id":"si-07.16_odp","props":[{"name":"alt-identifier","value":"si-7.16_prm_1"},{"name":"label","value":"SI-07(16)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the maximum time period permitted for processes to execute without supervision is defined;"}]}],"props":[{"name":"label","value":"SI-7(16)"},{"name":"label","value":"SI-07(16)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.16_smt","name":"statement","prose":"Prohibit processes from executing without supervision for more than {{ insert: param, si-07.16_odp }}."},{"id":"si-7.16_gdn","name":"guidance","prose":"Placing a time limit on process execution without supervision is intended to apply to processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, and manual oversight and response when system process anomalies occur."},{"id":"si-7.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(16)","class":"sp800-53a"}],"prose":"processes are prohibited from executing without supervision for more than {{ insert: param, si-07.16_odp }}."},{"id":"si-7.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing time limits on process execution without supervision"}]}]},{"id":"si-7.17","class":"SP800-53-enhancement","title":"Runtime Application Self-protection","params":[{"id":"si-07.17_odp","props":[{"name":"alt-identifier","value":"si-7.17_prm_1"},{"name":"label","value":"SI-07(17)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented for application self-protection at runtime are defined;"}]}],"props":[{"name":"label","value":"SI-7(17)"},{"name":"label","value":"SI-07(17)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"si-7.17_smt","name":"statement","prose":"Implement {{ insert: param, si-07.17_odp }} for application self-protection at runtime."},{"id":"si-7.17_gdn","name":"guidance","prose":"Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls which can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode."},{"id":"si-7.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(17)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.17_odp }} are implemented for application self-protection at runtime."},{"id":"si-7.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of known vulnerabilities addressed by runtime instrumentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing runtime application self-protection"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;"},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;"},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;"},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"label","value":"SI-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]},{"id":"si-8.3","class":"SP800-53-enhancement","title":"Continuous Learning Capability","props":[{"name":"label","value":"SI-8(3)"},{"name":"label","value":"SI-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.3_smt","name":"statement","prose":"Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic."},{"id":"si-8.3_gdn","name":"guidance","prose":"Learning mechanisms include Bayesian filters that respond to user inputs that identify specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic."},{"id":"si-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(03)","class":"sp800-53a"}],"prose":"spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic."},{"id":"si-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing spam protection mechanisms with a learning capability"}]}]}]},{"id":"si-9","class":"SP800-53","title":"Information Input Restrictions","props":[{"name":"label","value":"SI-9"},{"name":"label","value":"SI-09","class":"sp800-53a"},{"name":"sort-id","value":"si-09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#ac-3","rel":"incorporated-into"},{"href":"#ac-5","rel":"incorporated-into"},{"href":"#ac-6","rel":"incorporated-into"}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked."},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}],"controls":[{"id":"si-10.1","class":"SP800-53-enhancement","title":"Manual Override Capability","params":[{"id":"si-10.01_odp","props":[{"name":"alt-identifier","value":"si-10.1_prm_2"},{"name":"label","value":"SI-10(01)_ODP","class":"sp800-53a"}],"label":"authorized individuals","guidelines":[{"prose":"authorized individuals who can use the manual override capability are defined;"}]}],"props":[{"name":"label","value":"SI-10(1)"},{"name":"label","value":"SI-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-10.1_smt","name":"statement","parts":[{"id":"si-10.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide a manual override capability for input validation of the following information inputs: {{ insert: param, si-10_odp }};"},{"id":"si-10.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Restrict the use of the manual override capability to only {{ insert: param, si-10.01_odp }} ; and"},{"id":"si-10.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Audit the use of the manual override capability."}]},{"id":"si-10.1_gdn","name":"guidance","prose":"In certain situations, such as during events that are defined in contingency plans, a manual override capability for input validation may be needed. Manual overrides are used only in limited circumstances and with the inputs defined by the organization."},{"id":"si-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)","class":"sp800-53a"}],"parts":[{"id":"si-10.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(a)","class":"sp800-53a"}],"prose":"a manual override capability for the validation of {{ insert: param, si-10_odp }} is provided;"},{"id":"si-10.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(b)","class":"sp800-53a"}],"prose":"the use of the manual override capability is restricted to only {{ insert: param, si-10.01_odp }};"},{"id":"si-10.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(c)","class":"sp800-53a"}],"prose":"the use of the manual override capability is audited."}]},{"id":"si-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of a manual override capability\n\nmechanisms supporting and\/or implementing a manual override capability for input validation\n\nmechanisms supporting and\/or implementing auditing of the use of a manual override capability"}]}]},{"id":"si-10.2","class":"SP800-53-enhancement","title":"Review and Resolve Errors","params":[{"id":"si-10.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-10.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-10.02_odp.02"}],"label":"organization-defined time period"},{"id":"si-10.02_odp.01","props":[{"name":"label","value":"SI-10(02)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which input validation errors are to be reviewed is defined;"}]},{"id":"si-10.02_odp.02","props":[{"name":"label","value":"SI-10(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which input validation errors are to be resolved is defined;"}]}],"props":[{"name":"label","value":"SI-10(2)"},{"name":"label","value":"SI-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.2_smt","name":"statement","prose":"Review and resolve input validation errors within {{ insert: param, si-10.2_prm_1 }}."},{"id":"si-10.2_gdn","name":"guidance","prose":"Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input. Input validation errors are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)","class":"sp800-53a"}],"parts":[{"id":"si-10.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)[01]","class":"sp800-53a"}],"prose":"input validation errors are reviewed within {{ insert: param, si-10.02_odp.01 }};"},{"id":"si-10.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)[02]","class":"sp800-53a"}],"prose":"input validation errors are resolved within {{ insert: param, si-10.02_odp.02 }}."}]},{"id":"si-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreview records of information input validation errors and resulting resolutions\n\ninformation input validation error logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"si-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the review and resolution of input validation errors\n\nmechanisms supporting and\/or implementing the review and resolution of input validation errors"}]}]},{"id":"si-10.3","class":"SP800-53-enhancement","title":"Predictable Behavior","props":[{"name":"label","value":"SI-10(3)"},{"name":"label","value":"SI-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.3_smt","name":"statement","prose":"Verify that the system behaves in a predictable and documented manner when invalid inputs are received."},{"id":"si-10.3_gdn","name":"guidance","prose":"A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. Verification of system predictability helps ensure that the system behaves as expected when invalid inputs are received. This occurs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)","class":"sp800-53a"}],"parts":[{"id":"si-10.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)[01]","class":"sp800-53a"}],"prose":"the system behaves in a predictable manner when invalid inputs are received;"},{"id":"si-10.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)[02]","class":"sp800-53a"}],"prose":"the system behaves in a documented manner when invalid inputs are received."}]},{"id":"si-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing predictable behavior when invalid inputs are received"}]}]},{"id":"si-10.4","class":"SP800-53-enhancement","title":"Timing Interactions","props":[{"name":"label","value":"SI-10(4)"},{"name":"label","value":"SI-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.4_smt","name":"statement","prose":"Account for timing interactions among system components in determining appropriate responses for invalid inputs."},{"id":"si-10.4_gdn","name":"guidance","prose":"In addressing invalid system inputs received across protocol interfaces, timing interactions become relevant, where one protocol needs to consider the impact of the error response on other protocols in the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with Transmission Control Protocols (TCP) when packets are dropped (which could be due to invalid packet input). TCP assumes packet losses are due to congestion, while packets lost over 802.11 links are typically dropped due to noise or collisions on the link. If TCP makes a congestion response, it takes the wrong action in response to a collision event. Adversaries may be able to use what appear to be acceptable individual behaviors of the protocols in concert to achieve adverse effects through suitable construction of invalid input. The invalid inputs are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(04)","class":"sp800-53a"}],"prose":"timing interactions among system components are accounted for in determining appropriate responses for invalid inputs."},{"id":"si-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining appropriate responses to invalid inputs\n\nautomated mechanisms supporting and\/or implementing responses to invalid inputs"}]}]},{"id":"si-10.5","class":"SP800-53-enhancement","title":"Restrict Inputs to Trusted Sources and Approved Formats","params":[{"id":"si-10.05_odp.01","props":[{"name":"alt-identifier","value":"si-10.5_prm_1"},{"name":"label","value":"SI-10(05)_ODP[01]","class":"sp800-53a"}],"label":"trusted sources","guidelines":[{"prose":"trusted sources to which the use of information inputs is to be restricted are defined;"}]},{"id":"si-10.05_odp.02","props":[{"name":"alt-identifier","value":"si-10.5_prm_2"},{"name":"label","value":"SI-10(05)_ODP[02]","class":"sp800-53a"}],"label":"formats","guidelines":[{"prose":"formats to which the use of information inputs is to be restricted are defined;"}]}],"props":[{"name":"label","value":"SI-10(5)"},{"name":"label","value":"SI-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"si-10.5_smt","name":"statement","prose":"Restrict the use of information inputs to {{ insert: param, si-10.05_odp.01 }} and\/or {{ insert: param, si-10.05_odp.02 }}."},{"id":"si-10.5_gdn","name":"guidance","prose":"Restricting the use of inputs to trusted sources and in trusted formats applies the concept of authorized or permitted software to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. The information inputs are those defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(05)","class":"sp800-53a"}],"prose":"the use of information inputs is restricted to {{ insert: param, si-10.05_odp.01 }} and\/or {{ insert: param, si-10.05_odp.02 }}."},{"id":"si-10.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of trusted sources for information inputs\n\nlist of acceptable formats for input restrictions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information inputs\n\nautomated mechanisms supporting and\/or implementing restriction of information inputs"}]}]},{"id":"si-10.6","class":"SP800-53-enhancement","title":"Injection Prevention","props":[{"name":"label","value":"SI-10(6)"},{"name":"label","value":"SI-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"si-10.6_smt","name":"statement","prose":"Prevent untrusted data injections."},{"id":"si-10.6_gdn","name":"guidance","prose":"Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses specified characters to inform the interpreter’s parser whether data is trusted. Prevention of untrusted data injections are with respect to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(06)","class":"sp800-53a"}],"prose":"untrusted data injections are prevented."},{"id":"si-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of trusted sources for information inputs\n\nlist of acceptable formats for input restrictions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for preventing untrusted data injections\n\nautomated mechanisms supporting and\/or implementing injection prevention"}]}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}],"controls":[{"id":"si-12.1","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"si-12.01_odp","props":[{"name":"alt-identifier","value":"si-12.1_prm_1"},{"name":"label","value":"SI-12(01)_ODP","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information being processed in the information life cycle are defined;"}]}],"props":[{"name":"label","value":"SI-12(1)"},{"name":"label","value":"SI-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-12.1_smt","name":"statement","prose":"Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_gdn","name":"guidance","prose":"Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk."},{"id":"si-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(01)","class":"sp800-53a"}],"prose":"personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"si-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management and retention (including limiting personally identifiable information processing)\n\nautomated mechanisms supporting and\/or implementing limits to personally identifiable information processing"}]}]},{"id":"si-12.2","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","params":[{"id":"si-12.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.02_odp.01","props":[{"name":"label","value":"SI-12(02)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for research are defined;"}]},{"id":"si-12.02_odp.02","props":[{"name":"label","value":"SI-12(02)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for testing are defined;"}]},{"id":"si-12.02_odp.03","props":[{"name":"label","value":"SI-12(02)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for training are defined;"}]}],"props":[{"name":"label","value":"SI-12(2)"},{"name":"label","value":"SI-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-22","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"si-12.2_smt","name":"statement","prose":"Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ insert: param, si-12.2_prm_1 }}."},{"id":"si-12.2_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them."},{"id":"si-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)","class":"sp800-53a"}],"parts":[{"id":"si-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;"},{"id":"si-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;"},{"id":"si-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training."}]},{"id":"si-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research\n\npolicy for the minimization of personally identifiable information used in testing, training, and research\n\nprocedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting minimization policy implementation (e.g., templates for testing, training, and research)\n\ndata sets used for testing, training, and research\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"si-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information used in testing, training, and research\n\nautomated mechanisms supporting and\/or implementing the minimization of personally identifiable information used in testing, training, and research"}]}]},{"id":"si-12.3","class":"SP800-53-enhancement","title":"Information Disposal","params":[{"id":"si-12.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.03_odp.01","props":[{"name":"label","value":"SI-12(03)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to dispose of information following the retention period are defined;"}]},{"id":"si-12.03_odp.02","props":[{"name":"label","value":"SI-12(03)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to destroy information following the retention period are defined;"}]},{"id":"si-12.03_odp.03","props":[{"name":"label","value":"SI-12(03)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to erase information following the retention period are defined;"}]}],"props":[{"name":"label","value":"SI-12(3)"},{"name":"label","value":"SI-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"}],"parts":[{"id":"si-12.3_smt","name":"statement","prose":"Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ insert: param, si-12.3_prm_1 }}."},{"id":"si-12.3_gdn","name":"guidance","prose":"Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information."},{"id":"si-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)","class":"sp800-53a"}],"parts":[{"id":"si-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;"},{"id":"si-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;"},{"id":"si-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period."}]},{"id":"si-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nlaws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal\n\nmedia protection policy\n\nmedia protection procedures\n\nsystem audit records\n\naudit findings\n\ninformation disposal records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information disposition\n\nautomated mechanisms supporting and\/or implementing information disposition"}]}]}]},{"id":"si-13","class":"SP800-53","title":"Predictable Failure Prevention","params":[{"id":"si-13_odp.01","props":[{"name":"alt-identifier","value":"si-13_prm_1"},{"name":"label","value":"SI-13_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which mean time to failure (MTTF) should be determined are defined;"}]},{"id":"si-13_odp.02","props":[{"name":"alt-identifier","value":"si-13_prm_2"},{"name":"alt-label","value":"MTTF substitution criteria","class":"sp800-53"},{"name":"label","value":"SI-13_ODP[02]","class":"sp800-53a"}],"label":"mean time to failure (MTTF) substitution criteria","guidelines":[{"prose":"mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;"}]}],"props":[{"name":"label","value":"SI-13"},{"name":"label","value":"SI-13","class":"sp800-53a"},{"name":"sort-id","value":"si-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-6","rel":"related"}],"parts":[{"id":"si-13_smt","name":"statement","parts":[{"id":"si-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine mean time to failure (MTTF) for the following system components in specific environments of operation: {{ insert: param, si-13_odp.01 }} ; and"},{"id":"si-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: {{ insert: param, si-13_odp.02 }}."}]},{"id":"si-13_gdn","name":"guidance","prose":"While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities. Failure rates reflect installation-specific consideration rather than the industry-average. Organizations define the criteria for the substitution of system components based on the MTTF value with consideration for the potential harm from component failures. The transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capabilities. The preservation of system state variables is also critical to help ensure a successful transfer process. Standby components remain available at all times except for maintenance issues or recovery failures in progress."},{"id":"si-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13","class":"sp800-53a"}],"parts":[{"id":"si-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-13a.","class":"sp800-53a"}],"prose":"mean time to failure (MTTF) is determined for {{ insert: param, si-13_odp.01 }} in specific environments of operation;"},{"id":"si-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-13b.","class":"sp800-53a"}],"prose":"substitute system components and a means to exchange active and standby components are provided in accordance with {{ insert: param, si-13_odp.02 }}."}]},{"id":"si-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of MTTF substitution criteria\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF determinations and activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF"}]}],"controls":[{"id":"si-13.1","class":"SP800-53-enhancement","title":"Transferring Component Responsibilities","params":[{"id":"si-13.01_odp","props":[{"name":"alt-identifier","value":"si-13.1_prm_1"},{"name":"label","value":"SI-13(01)_ODP","class":"sp800-53a"}],"label":"fraction or percentage","guidelines":[{"prose":"the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined;"}]}],"props":[{"name":"label","value":"SI-13(1)"},{"name":"label","value":"SI-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.1_smt","name":"statement","prose":"Take system components out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure."},{"id":"si-13.1_gdn","name":"guidance","prose":"Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business functions. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, the premature replacement of system components can result in the increased cost of system operations."},{"id":"si-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(01)","class":"sp800-53a"}],"prose":"system components are taken out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure."},{"id":"si-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF\n\nautomated mechanisms supporting and\/or implementing the transfer of component responsibilities to substitute components"}]}]},{"id":"si-13.2","class":"SP800-53-enhancement","title":"Time Limit on Process Execution Without Supervision","props":[{"name":"label","value":"SI-13(2)"},{"name":"label","value":"SI-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7.16","rel":"incorporated-into"}]},{"id":"si-13.3","class":"SP800-53-enhancement","title":"Manual Transfer Between Components","params":[{"id":"si-13.03_odp","props":[{"name":"alt-identifier","value":"si-13.3_prm_1"},{"name":"label","value":"SI-13(03)_ODP","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"the percentage of the mean time to failure for transfers to be manually initiated is defined;"}]}],"props":[{"name":"label","value":"SI-13(3)"},{"name":"label","value":"SI-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.3_smt","name":"statement","prose":"Manually initiate transfers between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure."},{"id":"si-13.3_gdn","name":"guidance","prose":"For example, if the MTTF for a system component is 100 days and the MTTF percentage defined by the organization is 90 percent, the manual transfer would occur after 90 days."},{"id":"si-13.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(03)","class":"sp800-53a"}],"prose":"transfers are initiated manually between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure."},{"id":"si-13.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF and conducting the manual transfer between active and standby components"}]}]},{"id":"si-13.4","class":"SP800-53-enhancement","title":"Standby Component Installation and Notification","params":[{"id":"si-13.04_odp.01","props":[{"name":"alt-identifier","value":"si-13.4_prm_1"},{"name":"label","value":"SI-13(04)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for standby components to be installed is defined;"}]},{"id":"si-13.04_odp.02","props":[{"name":"alt-identifier","value":"si-13.4_prm_2"},{"name":"label","value":"SI-13(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["activate {{ insert: param, si-13.04_odp.03 }} ","automatically shut down the system","{{ insert: param, si-13.04_odp.04 }} "]}},{"id":"si-13.04_odp.03","props":[{"name":"alt-identifier","value":"si-13.4_prm_3"},{"name":"label","value":"SI-13(04)_ODP[03]","class":"sp800-53a"}],"label":"alarm","guidelines":[{"prose":"alarm to be activated when system component failures are detected is defined (if selected);"}]},{"id":"si-13.04_odp.04","props":[{"name":"alt-identifier","value":"si-13.4_prm_4"},{"name":"label","value":"SI-13(04)_ODP[04]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken when system component failures are detected is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-13(4)"},{"name":"label","value":"SI-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.4_smt","name":"statement","prose":"If system component failures are detected:","parts":[{"id":"si-13.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Ensure that the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} ; and"},{"id":"si-13.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-13.04_odp.02 }}."}]},{"id":"si-13.4_gdn","name":"guidance","prose":"Automatic or manual transfer of components from standby to active mode can occur upon the detection of component failures."},{"id":"si-13.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)","class":"sp800-53a"}],"parts":[{"id":"si-13.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)(a)","class":"sp800-53a"}],"prose":"the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} if system component failures are detected;"},{"id":"si-13.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-13.04_odp.02 }} are performed if system component failures are detected."}]},{"id":"si-13.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of actions to be taken once system component failure is detected\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF\n\nautomated mechanisms supporting and\/or implementing the transparent installation of standby components\n\nautomated mechanisms supporting and\/or implementing alarms or system shutdown if component failures are detected"}]}]},{"id":"si-13.5","class":"SP800-53-enhancement","title":"Failover Capability","params":[{"id":"si-13.05_odp.01","props":[{"name":"alt-identifier","value":"si-13.5_prm_1"},{"name":"label","value":"SI-13(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["real-time","near real-time"]}},{"id":"si-13.05_odp.02","props":[{"name":"alt-identifier","value":"si-13.5_prm_2"},{"name":"label","value":"SI-13(05)_ODP[02]","class":"sp800-53a"}],"label":"failover capability","guidelines":[{"prose":"a failover capability for the system has been defined;"}]}],"props":[{"name":"label","value":"SI-13(5)"},{"name":"label","value":"SI-13(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"}],"parts":[{"id":"si-13.5_smt","name":"statement","prose":"Provide {{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} for the system."},{"id":"si-13.5_gdn","name":"guidance","prose":"Failover refers to the automatic switchover to an alternate system upon the failure of the primary system. Failover capability includes incorporating mirrored system operations at alternate processing sites or periodic data mirroring at regular intervals defined by the recovery time periods of organizations."},{"id":"si-13.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} is provided for the system."},{"id":"si-13.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing the failover capability provided for the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for the failover capability\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the failover capability\n\nautomated mechanisms supporting and\/or implementing the failover capability"}]}]}]},{"id":"si-14","class":"SP800-53","title":"Non-persistence","params":[{"id":"si-14_odp.01","props":[{"name":"alt-identifier","value":"si-14_prm_1"},{"name":"label","value":"SI-14_ODP[01]","class":"sp800-53a"}],"label":"system components and services","guidelines":[{"prose":"non-persistent system components and services to be implemented are defined;"}]},{"id":"si-14_odp.02","props":[{"name":"alt-identifier","value":"si-14_prm_2"},{"name":"label","value":"SI-14_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["upon end of session of use","{{ insert: param, si-14_odp.03 }} "]}},{"id":"si-14_odp.03","props":[{"name":"alt-identifier","value":"si-14_prm_3"},{"name":"label","value":"SI-14_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-14"},{"name":"label","value":"SI-14","class":"sp800-53a"},{"name":"sort-id","value":"si-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-21","rel":"related"}],"parts":[{"id":"si-14_smt","name":"statement","prose":"Implement non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state and terminated {{ insert: param, si-14_odp.02 }}."},{"id":"si-14_gdn","name":"guidance","prose":"Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.\n\nNon-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities."},{"id":"si-14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14","class":"sp800-53a"}],"parts":[{"id":"si-14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-14[01]","class":"sp800-53a"}],"prose":"non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state are implemented;"},{"id":"si-14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-14[02]","class":"sp800-53a"}],"prose":"non-persistent {{ insert: param, si-14_odp.01 }} are terminated {{ insert: param, si-14_odp.02 }}."}]},{"id":"si-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for non-persistence\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the initiation and termination of non-persistent components"}]}],"controls":[{"id":"si-14.1","class":"SP800-53-enhancement","title":"Refresh from Trusted Sources","params":[{"id":"si-14.01_odp","props":[{"name":"alt-identifier","value":"si-14.1_prm_1"},{"name":"label","value":"SI-14(01)_ODP","class":"sp800-53a"}],"label":"trusted sources","guidelines":[{"prose":"trusted sources to obtain software and data for system component and service refreshes are defined;"}]}],"props":[{"name":"label","value":"SI-14(1)"},{"name":"label","value":"SI-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"}],"parts":[{"id":"si-14.1_smt","name":"statement","prose":"Obtain software and data employed during system component and service refreshes from the following trusted sources: {{ insert: param, si-14.01_odp }}."},{"id":"si-14.1_gdn","name":"guidance","prose":"Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities."},{"id":"si-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(01)","class":"sp800-53a"}],"prose":"the software and data employed during system component and service refreshes are obtained from {{ insert: param, si-14.01_odp }}."},{"id":"si-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for obtaining component and service refreshes from trusted sources\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and obtaining component and service refreshes from trusted sources\n\nautomated mechanisms supporting and\/or implementing component and service refreshes"}]}]},{"id":"si-14.2","class":"SP800-53-enhancement","title":"Non-persistent Information","params":[{"id":"si-14.02_odp.01","props":[{"name":"alt-identifier","value":"si-14.2_prm_1"},{"name":"label","value":"SI-14(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["refresh {{ insert: param, si-14.02_odp.02 }} {{ insert: param, si-14.02_odp.03 }} ","generate {{ insert: param, si-14.02_odp.04 }} on demand"]}},{"id":"si-14.02_odp.02","props":[{"name":"alt-identifier","value":"si-14.2_prm_2"},{"name":"label","value":"SI-14(02)_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be refreshed is defined (if selected);"}]},{"id":"si-14.02_odp.03","props":[{"name":"alt-identifier","value":"si-14.2_prm_3"},{"name":"label","value":"SI-14(02)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to refresh information is defined (if selected);"}]},{"id":"si-14.02_odp.04","props":[{"name":"alt-identifier","value":"si-14.2_prm_4"},{"name":"label","value":"SI-14(02)_ODP[04]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be generated is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-14(2)"},{"name":"label","value":"SI-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"}],"parts":[{"id":"si-14.2_smt","name":"statement","parts":[{"id":"si-14.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, si-14.02_odp.01 }} ; and"},{"id":"si-14.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Delete information when no longer needed."}]},{"id":"si-14.2_gdn","name":"guidance","prose":"Retaining information longer than is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system."},{"id":"si-14.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)","class":"sp800-53a"}],"parts":[{"id":"si-14.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-14.02_odp.01 }} is performed;"},{"id":"si-14.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)(b)","class":"sp800-53a"}],"prose":"information is deleted when no longer needed."}]},{"id":"si-14.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for ensuring that information is and remains non-persistent\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring that information is and remains non-persistent\n\nautomated mechanisms supporting and\/or implementing component and service refreshes"}]}]},{"id":"si-14.3","class":"SP800-53-enhancement","title":"Non-persistent Connectivity","params":[{"id":"si-14.03_odp","props":[{"name":"alt-identifier","value":"si-14.3_prm_1"},{"name":"label","value":"SI-14(03)_ODP","class":"sp800-53a"}],"select":{"choice":["completion of a request","a period of non-use"]}}],"props":[{"name":"label","value":"SI-14(3)"},{"name":"label","value":"SI-14(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"si-14.3_smt","name":"statement","prose":"Establish connections to the system on demand and terminate connections after {{ insert: param, si-14.03_odp }}."},{"id":"si-14.3_gdn","name":"guidance","prose":"Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems and potentially position themselves closer to high value assets. Limiting the availability of such connections impedes the adversary’s ability to move freely through organizational systems."},{"id":"si-14.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)","class":"sp800-53a"}],"parts":[{"id":"si-14.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)[01]","class":"sp800-53a"}],"prose":"connections to the system are established on demand;"},{"id":"si-14.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)[02]","class":"sp800-53a"}],"prose":"connections to the system are terminated after {{ insert: param, si-14.03_odp }}."}]},{"id":"si-14.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for limiting persistent connections\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for limiting persistent connections\n\nautomated mechanisms supporting and\/or implementing non-persistent connectivity"}]}]}]},{"id":"si-15","class":"SP800-53","title":"Information Output Filtering","params":[{"id":"si-15_odp","props":[{"name":"alt-identifier","value":"si-15_prm_1"},{"name":"label","value":"SI-15_ODP","class":"sp800-53a"}],"label":"software programs and\/or applications","guidelines":[{"prose":"software programs and\/or applications whose information output requires validation are defined;"}]}],"props":[{"name":"label","value":"SI-15"},{"name":"label","value":"SI-15","class":"sp800-53a"},{"name":"sort-id","value":"si-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-15_smt","name":"statement","prose":"Validate information output from the following software programs and\/or applications to ensure that the information is consistent with the expected content: {{ insert: param, si-15_odp }}."},{"id":"si-15_gdn","name":"guidance","prose":"Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered."},{"id":"si-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-15","class":"sp800-53a"}],"prose":"information output from {{ insert: param, si-15_odp }} is validated to ensure that the information is consistent with the expected content."},{"id":"si-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information output filtering\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for validating information output\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for validating information output\n\nautomated mechanisms supporting and\/or implementing information output validation"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":"{{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]},{"id":"si-17","class":"SP800-53","title":"Fail-safe Procedures","params":[{"id":"si-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-17_odp.02"}],"label":"organization-defined list of failure conditions and associated fail-safe procedures"},{"id":"si-17_odp.01","props":[{"name":"label","value":"SI-17_ODP[01]","class":"sp800-53a"}],"label":"fail-safe procedures","guidelines":[{"prose":"fail-safe procedures associated with failure conditions are defined;"}]},{"id":"si-17_odp.02","props":[{"name":"label","value":"SI-17_ODP[02]","class":"sp800-53a"}],"label":"list of failure conditions","guidelines":[{"prose":"a list of failure conditions requiring fail-safe procedures is defined;"}]}],"props":[{"name":"label","value":"SI-17"},{"name":"label","value":"SI-17","class":"sp800-53a"},{"name":"sort-id","value":"si-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-12","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"si-17_smt","name":"statement","prose":"Implement the indicated fail-safe procedures when the indicated failures occur: {{ insert: param, si-17_prm_1 }}."},{"id":"si-17_gdn","name":"guidance","prose":"Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel."},{"id":"si-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-17","class":"sp800-53a"}],"prose":"{{ insert: param, si-17_odp.01 }} are implemented when {{ insert: param, si-17_odp.02 }} occur."},{"id":"si-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\ndocumentation addressing fail-safe procedures for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting the system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for fail-safe procedures\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational fail-safe procedures\n\nautomated mechanisms supporting and\/or implementing fail-safe procedures"}]}]},{"id":"si-18","class":"SP800-53","title":"Personally Identifiable Information Quality Operations","params":[{"id":"si-18_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.04"}],"label":"organization-defined frequency"},{"id":"si-18_odp.01","props":[{"name":"label","value":"SI-18_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.02","props":[{"name":"label","value":"SI-18_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.03","props":[{"name":"label","value":"SI-18_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.04","props":[{"name":"label","value":"SI-18_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;"}]}],"props":[{"name":"label","value":"SI-18"},{"name":"label","value":"SI-18","class":"sp800-53a"},{"name":"sort-id","value":"si-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-18_smt","name":"statement","parts":[{"id":"si-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ insert: param, si-18_prm_1 }} ; and"},{"id":"si-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correct or delete inaccurate or outdated personally identifiable information."}]},{"id":"si-18_gdn","name":"guidance","prose":"Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes."},{"id":"si-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[01]","class":"sp800-53a"}],"prose":"the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};"},{"id":"si-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[02]","class":"sp800-53a"}],"prose":"the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};"},{"id":"si-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[03]","class":"sp800-53a"}],"prose":"the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};"},{"id":"si-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[04]","class":"sp800-53a"}],"prose":"the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};"}]},{"id":"si-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-18b.","class":"sp800-53a"}],"prose":"inaccurate or outdated personally identifiable information is corrected or deleted."}]},{"id":"si-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"si-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}],"controls":[{"id":"si-18.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"si-18.01_odp","props":[{"name":"alt-identifier","value":"si-18.1_prm_1"},{"name":"label","value":"SI-18(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined;"}]}],"props":[{"name":"label","value":"SI-18(1)"},{"name":"label","value":"SI-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"},{"href":"#pm-18","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"si-18.1_smt","name":"statement","prose":"Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using {{ insert: param, si-18.01_odp }}."},{"id":"si-18.1_gdn","name":"guidance","prose":"The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments and make determinations that are in alignment with their privacy program plans.\n\nAs data is obtained and used across the information life cycle, it is important to confirm the accuracy and relevance of personally identifiable information. Automated mechanisms can augment existing data quality processes and procedures and enable an organization to better identify and manage personally identifiable information in large-scale systems. For example, automated tools can greatly improve efforts to consistently normalize data or identify malformed data. Automated tools can also be used to improve the auditing of data and detect errors that may incorrectly alter personally identifiable information or incorrectly associate such information with the wrong individual. Automated capabilities backstop processes and procedures at-scale and enable more fine-grained detection and correction of data quality errors."},{"id":"si-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(01)","class":"sp800-53a"}],"prose":"{{ insert: param, si-18.01_odp }} are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified."},{"id":"si-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}]},{"id":"si-18.2","class":"SP800-53-enhancement","title":"Data Tags","props":[{"name":"label","value":"SI-18(2)"},{"name":"label","value":"SI-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#sc-16","rel":"related"}],"parts":[{"id":"si-18.2_smt","name":"statement","prose":"Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems."},{"id":"si-18.2_gdn","name":"guidance","prose":"Data tagging personally identifiable information includes tags that note processing permissions, authority to process, de-identification, impact level, information life cycle stage, and retention or last updated dates. Employing data tags for personally identifiable information can support the use of automation tools to correct or delete relevant personally identifiable information."},{"id":"si-18.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(02)","class":"sp800-53a"}],"prose":"data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems."},{"id":"si-18.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing data tagging\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for tagging data\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Data tagging mechanisms\n\nautomated mechanisms supporting and\/or implementing data tagging"}]}]},{"id":"si-18.3","class":"SP800-53-enhancement","title":"Collection","props":[{"name":"label","value":"SI-18(3)"},{"name":"label","value":"SI-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.3_smt","name":"statement","prose":"Collect personally identifiable information directly from the individual."},{"id":"si-18.3_gdn","name":"guidance","prose":"Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than the measures taken to validate less sensitive personally identifiable information."},{"id":"si-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(03)","class":"sp800-53a"}],"prose":"personally identifiable information is collected directly from the individual."},{"id":"si-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration documentation\n\nsystem audit records\n\nuser interface where personally identifiable information is collected\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for data collection\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Data collection mechanisms\n\nautomated mechanisms supporting and\/or validating collection directly from the individual"}]}]},{"id":"si-18.4","class":"SP800-53-enhancement","title":"Individual Requests","props":[{"name":"label","value":"SI-18(4)"},{"name":"label","value":"SI-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.4_smt","name":"statement","prose":"Correct or delete personally identifiable information upon request by individuals or their designated representatives."},{"id":"si-18.4_gdn","name":"guidance","prose":"Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion."},{"id":"si-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(04)","class":"sp800-53a"}],"prose":"personally identifiable information is corrected or deleted upon request by individuals or their designated representatives."},{"id":"si-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests\n\nrecords of correction or deletion actions performed\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Request mechanisms\n\nautomated mechanisms supporting and\/or implementing individual requests for correction or deletion"}]}]},{"id":"si-18.5","class":"SP800-53-enhancement","title":"Notice of Correction or Deletion","params":[{"id":"si-18.05_odp","props":[{"name":"alt-identifier","value":"si-18.5_prm_1"},{"name":"alt-label","value":"recipients of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-18(05)_ODP","class":"sp800-53a"}],"label":"recipients","guidelines":[{"prose":"recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined;"}]}],"props":[{"name":"label","value":"SI-18(5)"},{"name":"label","value":"SI-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.5_smt","name":"statement","prose":"Notify {{ insert: param, si-18.05_odp }} and individuals that the personally identifiable information has been corrected or deleted."},{"id":"si-18.5_gdn","name":"guidance","prose":"When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with whom the information is associated or their designated representatives, are informed of the corrected or deleted information."},{"id":"si-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-18.05_odp }} and individuals are notified when the personally identifiable information has been corrected or deleted."},{"id":"si-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests for corrections or deletions\n\nnotifications of correction or deletion action\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for sending correction or deletion notices\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for notifications of correction or deletion\n\nautomated mechanisms supporting and\/or implementing notifications of correction or deletion"}]}]}]},{"id":"si-19","class":"SP800-53","title":"De-identification","params":[{"id":"si-19_odp.01","props":[{"name":"alt-identifier","value":"si-19_prm_1"},{"name":"alt-label","value":"elements of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-19_ODP[01]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to be removed from datasets are defined;"}]},{"id":"si-19_odp.02","props":[{"name":"alt-identifier","value":"si-19_prm_2"},{"name":"label","value":"SI-19_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to evaluate the effectiveness of de-identification is defined;"}]}],"props":[{"name":"label","value":"SI-19"},{"name":"label","value":"SI-19","class":"sp800-53a"},{"name":"sort-id","value":"si-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#mp-6","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-19_smt","name":"statement","parts":[{"id":"si-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Remove the following elements of personally identifiable information from datasets: {{ insert: param, si-19_odp.01 }} ; and"},{"id":"si-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Evaluate {{ insert: param, si-19_odp.02 }} for effectiveness of de-identification."}]},{"id":"si-19_gdn","name":"guidance","prose":"De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk."},{"id":"si-19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19","class":"sp800-53a"}],"parts":[{"id":"si-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-19a.","class":"sp800-53a"}],"prose":"{{ insert: param, si-19_odp.01 }} are removed from datasets;"},{"id":"si-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-19b.","class":"sp800-53a"}],"prose":"the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}."}]},{"id":"si-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndatasets with personally identifiable information removed\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for identifying unnecessary identifiers\n\norganizational personnel responsible for removing personally identifiable information from datasets\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements"}]}],"controls":[{"id":"si-19.1","class":"SP800-53-enhancement","title":"Collection","props":[{"name":"label","value":"SI-19(1)"},{"name":"label","value":"SI-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.1_smt","name":"statement","prose":"De-identify the dataset upon collection by not collecting personally identifiable information."},{"id":"si-19.1_gdn","name":"guidance","prose":"If a data source contains personally identifiable information but the information will not be used, the dataset can be de-identified when it is created by not collecting the data elements that contain the personally identifiable information. For example, if an organization does not intend to use the social security number of an applicant, then application forms do not ask for a social security number."},{"id":"si-19.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(01)","class":"sp800-53a"}],"prose":"the dataset is de-identified upon collection by not collecting personally identifiable information."},{"id":"si-19.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nprocedures for minimizing the collection of personally identifiable information\n\nsystem configuration\n\ndata collection mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms preventing the collection of personally identifiable information"}]}]},{"id":"si-19.2","class":"SP800-53-enhancement","title":"Archiving","props":[{"name":"label","value":"SI-19(2)"},{"name":"label","value":"SI-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.2_smt","name":"statement","prose":"Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived."},{"id":"si-19.2_gdn","name":"guidance","prose":"Datasets can be archived for many reasons. The envisioned purposes for the archived dataset are specified, and if personally identifiable information elements are not required, the elements are not archived. For example, social security numbers may have been collected for record linkage, but the archived dataset may include the required elements from the linked records. In this case, it is not necessary to archive the social security numbers."},{"id":"si-19.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(02)","class":"sp800-53a"}],"prose":"the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived."},{"id":"si-19.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration documentation\n\ndata archiving mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with dataset archival responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms prohibiting the archival of personally identifiable information elements"}]}]},{"id":"si-19.3","class":"SP800-53-enhancement","title":"Release","props":[{"name":"label","value":"SI-19(3)"},{"name":"label","value":"SI-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.3_smt","name":"statement","prose":"Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release."},{"id":"si-19.3_gdn","name":"guidance","prose":"Prior to releasing a dataset, a data custodian considers the intended uses of the dataset and determines if it is necessary to release personally identifiable information. If the personally identifiable information is not necessary, the information can be removed using de-identification techniques."},{"id":"si-19.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(03)","class":"sp800-53a"}],"prose":"personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release."},{"id":"si-19.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nprocedures for minimizing the release of personally identifiable information\n\nsystem configuration\n\ndata release mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements from a dataset"}]}]},{"id":"si-19.4","class":"SP800-53-enhancement","title":"Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers","props":[{"name":"label","value":"SI-19(4)"},{"name":"label","value":"SI-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-19.4_smt","name":"statement","prose":"Remove, mask, encrypt, hash, or replace direct identifiers in a dataset."},{"id":"si-19.4_gdn","name":"guidance","prose":"There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming \"George Washington\" to \"PATIENT\" or replacing it with a surrogate value, such as transforming \"George Washington\" to \"Abraham Polk.\" "},{"id":"si-19.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(04)","class":"sp800-53a"}],"prose":"direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced."},{"id":"si-19.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndocumentation of de-identified datasets\n\ntools for the removal, masking, encryption, hashing or replacement of direct identifiers\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal, masking, encryption, hashing or replacement of direct identifiers"}]}]},{"id":"si-19.5","class":"SP800-53-enhancement","title":"Statistical Disclosure Control","props":[{"name":"label","value":"SI-19(5)"},{"name":"label","value":"SI-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.5_smt","name":"statement","prose":"Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis."},{"id":"si-19.5_gdn","name":"guidance","prose":"Many types of statistical analyses can result in the disclosure of information about individuals even if only summary information is provided. For example, if a school that publishes a monthly table with the number of minority students enrolled, reports that it has 10-19 such students in January, and subsequently reports that it has 20-29 such students in March, then it can be inferred that the student who enrolled in February was a minority."},{"id":"si-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)","class":"sp800-53a"}],"parts":[{"id":"si-19.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[01]","class":"sp800-53a"}],"prose":"numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;"},{"id":"si-19.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[02]","class":"sp800-53a"}],"prose":"contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;"},{"id":"si-19.5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[03]","class":"sp800-53a"}],"prose":"statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis."}]},{"id":"si-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\nstatistical analysis report\n\ntools for the control of statistical disclosure\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the control of statistical disclosure"}]}]},{"id":"si-19.6","class":"SP800-53-enhancement","title":"Differential Privacy","props":[{"name":"label","value":"SI-19(6)"},{"name":"label","value":"SI-19(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-19.6_smt","name":"statement","prose":"Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported."},{"id":"si-19.6_gdn","name":"guidance","prose":"The mathematical definition for differential privacy holds that the result of a dataset analysis should be approximately the same before and after the addition or removal of a single data record (which is assumed to be the data from a single individual). In its most basic form, differential privacy applies only to online query systems. However, it can also be used to produce machine-learning statistical classifiers and synthetic data. Differential privacy comes at the cost of decreased accuracy of results, forcing organizations to quantify the trade-off between privacy protection and the overall accuracy, usefulness, and utility of the de-identified dataset. Non-deterministic noise can include adding small, random values to the results of mathematical operations in dataset analysis."},{"id":"si-19.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(06)","class":"sp800-53a"}],"prose":"the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported."},{"id":"si-19.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\ndifferential privacy tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Online query systems\n\nautomated mechanisms supporting and\/or implementing differential privacy"}]}]},{"id":"si-19.7","class":"SP800-53-enhancement","title":"Validated Algorithms and Software","props":[{"name":"label","value":"SI-19(7)"},{"name":"label","value":"SI-19(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.7_smt","name":"statement","prose":"Perform de-identification using validated algorithms and software that is validated to implement the algorithms."},{"id":"si-19.7_gdn","name":"guidance","prose":"Algorithms that appear to remove personally identifiable information from a dataset may in fact leave information that is personally identifiable or data that is re-identifiable. Software that is claimed to implement a validated algorithm may contain bugs or implement a different algorithm. Software may de-identify one type of data, such as integers, but not de-identify another type of data, such as floating point numbers. For these reasons, de-identification is performed using algorithms and software that are validated."},{"id":"si-19.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)","class":"sp800-53a"}],"parts":[{"id":"si-19.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)[01]","class":"sp800-53a"}],"prose":"de-identification is performed using validated algorithms;"},{"id":"si-19.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)[02]","class":"sp800-53a"}],"prose":"de-identification is performed using software that is validated to implement the algorithms."}]},{"id":"si-19.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\nalgorithm and software validation tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Validated algorithms and software"}]}]},{"id":"si-19.8","class":"SP800-53-enhancement","title":"Motivated Intruder","props":[{"name":"label","value":"SI-19(8)"},{"name":"label","value":"SI-19(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.8_smt","name":"statement","prose":"Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified."},{"id":"si-19.8_gdn","name":"guidance","prose":"A motivated intruder test is a test in which an individual or group takes a data release and specified resources and attempts to re-identify one or more individuals in the de-identified dataset. Such tests specify the amount of inside knowledge, computational resources, financial resources, data, and skills that intruders possess to conduct the tests. A motivated intruder test can determine if the de-identification is insufficient. It can also be a useful diagnostic tool to assess if de-identification is likely to be sufficient. However, the test alone cannot prove that de-identification is sufficient."},{"id":"si-19.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(08)","class":"sp800-53a"}],"prose":"a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified."},{"id":"si-19.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nmotivated intruder test procedures\n\nde-identified datasets\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Motivated intruder test"}]}]}]},{"id":"si-20","class":"SP800-53","title":"Tainting","params":[{"id":"si-20_odp","props":[{"name":"alt-identifier","value":"si-20_prm_1"},{"name":"label","value":"SI-20_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components with data or capabilities to be embedded are defined;"}]}],"props":[{"name":"label","value":"SI-20"},{"name":"label","value":"SI-20","class":"sp800-53a"},{"name":"sort-id","value":"si-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"si-20_smt","name":"statement","prose":"Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: {{ insert: param, si-20_odp }}."},{"id":"si-20_gdn","name":"guidance","prose":"Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to \"call home,\" thereby alerting the organization to its \"capture,\" and possibly its location, and the path by which it was exfiltrated or removed."},{"id":"si-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-20","class":"sp800-53a"}],"prose":"data or capabilities are embedded in {{ insert: param, si-20_odp }} to determine if organizational data has been exfiltrated or improperly removed from the organization."},{"id":"si-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npolicy and procedures addressing the systems security engineering technique of deception\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for detecting tainted data\n\norganizational personnel with systems security engineering responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for post-breach detection\n\ndecoys, traps, lures, and methods for deceiving adversaries\n\ndetection and notification mechanisms"}]}]},{"id":"si-21","class":"SP800-53","title":"Information Refresh","params":[{"id":"si-21_odp.01","props":[{"name":"alt-identifier","value":"si-21_prm_1"},{"name":"label","value":"SI-21_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be refreshed is defined;"}]},{"id":"si-21_odp.02","props":[{"name":"alt-identifier","value":"si-21_prm_2"},{"name":"label","value":"SI-21_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"the frequencies at which to refresh information are defined;"}]}],"props":[{"name":"label","value":"SI-21"},{"name":"label","value":"SI-21","class":"sp800-53a"},{"name":"sort-id","value":"si-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"si-21_smt","name":"statement","prose":"Refresh {{ insert: param, si-21_odp.01 }} at {{ insert: param, si-21_odp.02 }} or generate the information on demand and delete the information when no longer needed."},{"id":"si-21_gdn","name":"guidance","prose":"Retaining information for longer than it is needed makes it an increasingly valuable and enticing target for adversaries. Keeping information available for the minimum period of time needed to support organizational missions or business functions reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information."},{"id":"si-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-21","class":"sp800-53a"}],"prose":"the {{ insert: param, si-21_odp.01 }} is refreshed {{ insert: param, si-21_odp.02 }} or is generated on demand and deleted when no longer needed."},{"id":"si-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ninformation refresh procedures\n\nlist of information to be refreshed\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for refreshing information\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers"}]},{"id":"si-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for information refresh\n\norganizational processes for information refresh"}]}]},{"id":"si-22","class":"SP800-53","title":"Information Diversity","params":[{"id":"si-22_odp.01","props":[{"name":"alt-identifier","value":"si-22_prm_2"},{"name":"label","value":"SI-22_ODP[01]","class":"sp800-53a"}],"label":"alternative information sources","guidelines":[{"prose":"alternative information sources for essential functions and services are defined;"}]},{"id":"si-22_odp.02","props":[{"name":"alt-identifier","value":"si-22_prm_1"},{"name":"label","value":"SI-22_ODP[02]","class":"sp800-53a"}],"label":"essential functions and services","guidelines":[{"prose":"essential functions and services that require alternative sources of information are defined;"}]},{"id":"si-22_odp.03","props":[{"name":"alt-identifier","value":"si-22_prm_3"},{"name":"label","value":"SI-22_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require an alternative information source for the execution of essential functions or services are defined;"}]}],"props":[{"name":"label","value":"SI-22"},{"name":"label","value":"SI-22","class":"sp800-53a"},{"name":"sort-id","value":"si-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"}],"parts":[{"id":"si-22_smt","name":"statement","parts":[{"id":"si-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the following alternative sources of information for {{ insert: param, si-22_odp.02 }}: {{ insert: param, si-22_odp.01 }} ; and"},{"id":"si-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Use an alternative information source for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable."}]},{"id":"si-22_gdn","name":"guidance","prose":"Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner."},{"id":"si-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-22","class":"sp800-53a"}],"parts":[{"id":"si-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-22a.","class":"sp800-53a"}],"prose":"{{ insert: param, si-22_odp.01 }} for {{ insert: param, si-22_odp.02 }} are identified;"},{"id":"si-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-22b.","class":"sp800-53a"}],"prose":"an alternative information source is used for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable."}]},{"id":"si-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of information sources\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers"}]},{"id":"si-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated methods and mechanisms to convert information from an analog to digital medium"}]}]},{"id":"si-23","class":"SP800-53","title":"Information Fragmentation","params":[{"id":"si-23_odp.01","props":[{"name":"alt-identifier","value":"si-23_prm_1"},{"name":"label","value":"SI-23_ODP[01]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances that require information fragmentation are defined;"}]},{"id":"si-23_odp.02","props":[{"name":"alt-identifier","value":"si-23_prm_2"},{"name":"label","value":"SI-23_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be fragmented is defined;"}]},{"id":"si-23_odp.03","props":[{"name":"alt-identifier","value":"si-23_prm_3"},{"name":"label","value":"SI-23_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components across which the fragmented information is to be distributed are defined;"}]}],"props":[{"name":"label","value":"SI-23"},{"name":"label","value":"SI-23","class":"sp800-53a"},{"name":"sort-id","value":"si-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"}],"parts":[{"id":"si-23_smt","name":"statement","prose":"Based on {{ insert: param, si-23_odp.01 }}:","parts":[{"id":"si-23_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Fragment the following information: {{ insert: param, si-23_odp.02 }} ; and"},{"id":"si-23_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the fragmented information across the following systems or system components: {{ insert: param, si-23_odp.03 }}."}]},{"id":"si-23_gdn","name":"guidance","prose":"One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information)."},{"id":"si-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-23","class":"sp800-53a"}],"parts":[{"id":"si-23_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-23a.","class":"sp800-53a"}],"prose":"under {{ insert: param, si-23_odp.01 }}, {{ insert: param, si-23_odp.02 }} is fragmented;"},{"id":"si-23_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-23b.","class":"sp800-53a"}],"prose":"under {{ insert: param, si-23_odp.01 }} , the fragmented information is distributed across {{ insert: param, si-23_odp.03 }}."}]},{"id":"si-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprocedures to identify information for fragmentation and distribution across systems\/system components\n\nlist of distributed and fragmented information\n\nlist of circumstances requiring information fragmentation\n\nenterprise architecture\n\nsystem security architecture\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers\n\nsecurity architects"}]},{"id":"si-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes to identify information for fragmentation and distribution across systems\/system components\n\nautomated mechanisms supporting and\/or implementing information fragmentation and distribution across systems\/system components"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;"},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"}]}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."}]}]}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;"},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;"},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification."}]}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan","{{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":"{{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}],"controls":[{"id":"sr-3.1","class":"SP800-53-enhancement","title":"Diverse Supply Base","params":[{"id":"sr-3.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-03.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-03.01_odp.02"}],"label":"organization-defined system components and services"},{"id":"sr-03.01_odp.01","props":[{"name":"label","value":"SR-03(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components with a diverse set of sources are defined;"}]},{"id":"sr-03.01_odp.02","props":[{"name":"label","value":"SR-03(01)_ODP[02]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services with a diverse set of sources are defined;"}]}],"props":[{"name":"label","value":"SR-3(1)"},{"name":"label","value":"SR-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"}],"parts":[{"id":"sr-3.1_smt","name":"statement","prose":"Employ a diverse set of sources for the following system components and services: {{ insert: param, sr-3.1_prm_1 }}."},{"id":"sr-3.1_gdn","name":"guidance","prose":"Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diverse materials and components."},{"id":"sr-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)","class":"sp800-53a"}],"parts":[{"id":"sr-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)[01]","class":"sp800-53a"}],"prose":"a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.01 }};"},{"id":"sr-3.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)[02]","class":"sp800-53a"}],"prose":"a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.02 }}."}]},{"id":"sr-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsystem and services acquisition policy\n\nplanning policy\n\nprocedures addressing supply chain protection\n\nphysical inventory of critical systems and system components\n\ninventory of critical suppliers, service providers, developers, and contracts\n\ninventory records of critical system components\n\nlist of security safeguards ensuring an adequate supply of critical system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical system components\n\nprocesses to identify critical suppliers\n\nmechanisms supporting and\/or implementing the security safeguards that ensure an adequate supply of critical system components"}]}]},{"id":"sr-3.2","class":"SP800-53-enhancement","title":"Limitation of Harm","params":[{"id":"sr-03.02_odp","props":[{"name":"alt-identifier","value":"sr-3.2_prm_1"},{"name":"label","value":"SR-03(02)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to limit harm from potential supply chain adversaries are defined;"}]}],"props":[{"name":"label","value":"SR-3(2)"},{"name":"label","value":"SR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"}],"parts":[{"id":"sr-3.2_smt","name":"statement","prose":"Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: {{ insert: param, sr-03.02_odp }}."},{"id":"sr-3.2_gdn","name":"guidance","prose":"Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery."},{"id":"sr-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-03.02_odp }} are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain."},{"id":"sr-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nconfiguration management policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and associated configuration documentation\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nthreat assessments\n\nvulnerability assessments\n\nlist of security safeguards to be taken to protect the organizational supply chain against potential supply chain threats\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain\n\nmechanisms supporting and\/or implementing the definition and employment of safeguards to protect the organizational supply chain"}]}]},{"id":"sr-3.3","class":"SP800-53-enhancement","title":"Sub-tier Flow Down","props":[{"name":"label","value":"SR-3(3)"},{"name":"label","value":"SR-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"},{"href":"#sr-5","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"sr-3.3_smt","name":"statement","prose":"Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors."},{"id":"sr-3.3_gdn","name":"guidance","prose":"To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the \"flow down\" of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in [SR-3b](#sr-3_smt.b)."},{"id":"sr-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(03)","class":"sp800-53a"}],"prose":"the controls included in the contracts of prime contractors are also included in the contracts of subcontractors."},{"id":"sr-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]}]},{"id":"sr-4","class":"SP800-53","title":"Provenance","params":[{"id":"sr-04_odp","props":[{"name":"alt-identifier","value":"sr-4_prm_1"},{"name":"label","value":"SR-04_ODP","class":"sp800-53a"}],"label":"systems, system components, and associated data","guidelines":[{"prose":"systems, system components, and associated data that require valid provenance are defined;"}]}],"props":[{"name":"label","value":"SR-4"},{"name":"label","value":"SR-04","class":"sp800-53a"},{"name":"sort-id","value":"sr-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-4_smt","name":"statement","prose":"Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}."},{"id":"sr-4_gdn","name":"guidance","prose":"Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see [SR-1](#sr-1) ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate."},{"id":"sr-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04","class":"sp800-53a"}],"parts":[{"id":"sr-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04[01]","class":"sp800-53a"}],"prose":"valid provenance is documented for {{ insert: param, sr-04_odp }};"},{"id":"sr-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04[02]","class":"sp800-53a"}],"prose":"valid provenance is monitored for {{ insert: param, sr-04_odp }};"},{"id":"sr-4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-04[03]","class":"sp800-53a"}],"prose":"valid provenance is maintained for {{ insert: param, sr-04_odp }}."}]},{"id":"sr-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\ndocumentation of critical systems, critical system components, and associated data\n\ndocumentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components\n\nsystem architecture\n\ninter-organizational agreements and procedures\n\ncontracts\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"sr-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying the provenance of critical systems and critical system components\n\nmechanisms used to document, monitor, or maintain provenance"}]}],"controls":[{"id":"sr-4.1","class":"SP800-53-enhancement","title":"Identity","params":[{"id":"sr-04.01_odp","props":[{"name":"alt-identifier","value":"sr-4.1_prm_1"},{"name":"alt-label","value":"supply chain elements, processes, and personnel associated with organization-defined systems and critical system components","class":"sp800-53"},{"name":"label","value":"SR-04(01)_ODP","class":"sp800-53a"}],"label":"supply chain elements, processes, and personnel","guidelines":[{"prose":"supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined;"}]}],"props":[{"name":"label","value":"SR-4(1)"},{"name":"label","value":"SR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"sr-4.1_smt","name":"statement","prose":"Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: {{ insert: param, sr-04.01_odp }}."},{"id":"sr-4.1_gdn","name":"guidance","prose":"Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chains elements, processes, and personnel, it is very difficult for organizations to understand and manage risk and reduce their susceptibility to adverse events. Supply chain elements include organizations, entities, or tools used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g. if a supply company is purchased), compromise, or event."},{"id":"sr-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)","class":"sp800-53a"}],"parts":[{"id":"sr-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)[01]","class":"sp800-53a"}],"prose":"unique identification of {{ insert: param, sr-04.01_odp }} is established;"},{"id":"sr-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)[02]","class":"sp800-53a"}],"prose":"unique identification of {{ insert: param, sr-04.01_odp }} is maintained."}]},{"id":"sr-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and\/or configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities\n\norganizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors"}]},{"id":"sr-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors"}]}]},{"id":"sr-4.2","class":"SP800-53-enhancement","title":"Track and Trace","params":[{"id":"sr-04.02_odp","props":[{"name":"alt-identifier","value":"sr-4.2_prm_1"},{"name":"label","value":"SR-04(02)_ODP","class":"sp800-53a"}],"label":"systems and critical system components","guidelines":[{"prose":"systems and critical system components that require unique identification for tracking through the supply chain are defined;"}]}],"props":[{"name":"label","value":"SR-4(2)"},{"name":"label","value":"SR-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"sr-4.2_smt","name":"statement","prose":"Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: {{ insert: param, sr-04.02_odp }}."},{"id":"sr-4.2_gdn","name":"guidance","prose":"Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event."},{"id":"sr-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)","class":"sp800-53a"}],"parts":[{"id":"sr-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)[01]","class":"sp800-53a"}],"prose":"the unique identification of {{ insert: param, sr-04.02_odp }} is established for tracking through the supply chain;"},{"id":"sr-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)[02]","class":"sp800-53a"}],"prose":"the unique identification of {{ insert: param, sr-04.02_odp }} is maintained for tracking through the supply chain."}]},{"id":"sr-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsupply chain risk management plan\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and\/or configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities\n\norganizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors"}]},{"id":"sr-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors"}]}]},{"id":"sr-4.3","class":"SP800-53-enhancement","title":"Validate as Genuine and Not Altered","params":[{"id":"sr-4.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-04.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-04.03_odp.02"}],"label":"organization-defined controls"},{"id":"sr-04.03_odp.01","props":[{"name":"label","value":"SR-04(03)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to validate that the system or system component received is genuine are defined;"}]},{"id":"sr-04.03_odp.02","props":[{"name":"label","value":"SR-04(03)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to validate that the system or system component received has not been altered are defined;"}]}],"props":[{"name":"label","value":"SR-4(3)"},{"name":"label","value":"SR-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#at-3","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-4.3_smt","name":"statement","prose":"Employ the following controls to validate that the system or system component received is genuine and has not been altered: {{ insert: param, sr-4.3_prm_1 }}."},{"id":"sr-4.3_gdn","name":"guidance","prose":"For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out of specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries."},{"id":"sr-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)","class":"sp800-53a"}],"parts":[{"id":"sr-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.03_odp.01 }} are employed to validate that the system or system component received is genuine;"},{"id":"sr-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.03_odp.02 }} are employed to validate that the system or system component received has not been altered."}]},{"id":"sr-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nevidentiary documentation (including applicable configurations) indicating that the system or system component is genuine and has not been altered\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing validation safeguards\n\nmechanisms supporting and\/or implementing the definition and employment of validation safeguards\n\nmechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification"}]}]},{"id":"sr-4.4","class":"SP800-53-enhancement","title":"Supply Chain Integrity — Pedigree","params":[{"id":"sr-04.04_odp.01","props":[{"name":"alt-identifier","value":"sr-4.4_prm_1"},{"name":"label","value":"SR-04(04)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls employed to ensure that the integrity of the system and system component are defined;"}]},{"id":"sr-04.04_odp.02","props":[{"name":"alt-identifier","value":"sr-4.4_prm_2"},{"name":"alt-label","value":"analysis","class":"sp800-53"},{"name":"label","value":"SR-04(04)_ODP[02]","class":"sp800-53a"}],"label":"analysis method","guidelines":[{"prose":"an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined;"}]}],"props":[{"name":"label","value":"SR-4(4)"},{"name":"label","value":"SR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sr-4.4_smt","name":"statement","prose":"Employ {{ insert: param, sr-04.04_odp.01 }} and conduct {{ insert: param, sr-04.04_odp.02 }} to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services."},{"id":"sr-4.4_gdn","name":"guidance","prose":"Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself."},{"id":"sr-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)","class":"sp800-53a"}],"parts":[{"id":"sr-4.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.04_odp.01 }} are employed to ensure the integrity of the system and system components;"},{"id":"sr-4.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.04_odp.02 }} is conducted to ensure the integrity of the system and system components."}]},{"id":"sr-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nbill of materials for critical systems or system components\n\nacquisition documentation\n\nsoftware identification tags\n\nmanufacturer declarations of platform attributes (e.g., serial numbers, hardware component inventory) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying pedigree information\n\norganizational processes to determine and validate the integrity of the internal composition of critical systems and critical system components\n\nmechanisms to determine and validate the integrity of the internal composition of critical systems and critical system components"}]}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}],"controls":[{"id":"sr-5.1","class":"SP800-53-enhancement","title":"Adequate Supply","params":[{"id":"sr-05.01_odp.01","props":[{"name":"alt-identifier","value":"sr-5.1_prm_2"},{"name":"label","value":"SR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to ensure an adequate supply of critical system components are defined;"}]},{"id":"sr-05.01_odp.02","props":[{"name":"alt-identifier","value":"sr-5.1_prm_1"},{"name":"label","value":"SR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"critical system components","guidelines":[{"prose":"critical system components of which an adequate supply is required are defined;"}]}],"props":[{"name":"label","value":"SR-5(1)"},{"name":"label","value":"SR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-5","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sr-5.1_smt","name":"statement","prose":"Employ the following controls to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}: {{ insert: param, sr-05.01_odp.01 }}."},{"id":"sr-5.1_gdn","name":"guidance","prose":"Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include the use of multiple suppliers throughout the supply chain for the identified critical components, stockpiling spare components to ensure operation during mission-critical times, and the identification of functionally identical or similar components that may be used, if necessary."},{"id":"sr-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05.01_odp.01 }} are employed to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}."},{"id":"sr-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\ncontingency planning documents\n\ninventory of critical systems and system components\n\ndetermination of adequate supply\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nprocedures addressing the integration of acquisition strategies, contract tools, and procurement methods into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for systems or services\n\npurchase orders\/requisitions for the system, system component, or system service from suppliers\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-5.2","class":"SP800-53-enhancement","title":"Assessments Prior to Selection, Acceptance, Modification, or Update","props":[{"name":"label","value":"SR-5(2)"},{"name":"label","value":"SR-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-5","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sr-5.2_smt","name":"statement","prose":"Assess the system, system component, or system service prior to selection, acceptance, modification, or update."},{"id":"sr-5.2_gdn","name":"guidance","prose":"Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see [SR-6(1)](#sr-6.1) ). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements."},{"id":"sr-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)","class":"sp800-53a"}],"parts":[{"id":"sr-5.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[01]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to selection;"},{"id":"sr-5.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[02]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to acceptance;"},{"id":"sr-5.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[03]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to modification;"},{"id":"sr-5.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[04]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to update."}]},{"id":"sr-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsecurity test and evaluation results\n\nvulnerability assessment results\n\npenetration testing results\n\norganizational risk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting assessments prior to selection, acceptance, or update\n\nmechanisms supporting and\/or implementing the conducting of assessments prior to selection, acceptance, or update"}]}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}],"controls":[{"id":"sr-6.1","class":"SP800-53-enhancement","title":"Testing and Analysis","params":[{"id":"sr-06.01_odp.01","props":[{"name":"alt-identifier","value":"sr-6.1_prm_1"},{"name":"label","value":"SR-06(01)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organizational analysis","independent third-party analysis","organizational testing","independent third-party testing"]}},{"id":"sr-06.01_odp.02","props":[{"name":"alt-identifier","value":"sr-6.1_prm_2"},{"name":"label","value":"SR-06(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain elements, processes, and actors","guidelines":[{"prose":"supply chain elements, processes, and actors to be analyzed and tested are defined;"}]}],"props":[{"name":"label","value":"SR-6(1)"},{"name":"label","value":"SR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-6","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-6.1_smt","name":"statement","prose":"Employ {{ insert: param, sr-06.01_odp.01 }} of the following supply chain elements, processes, and actors associated with the system, system component, or system service: {{ insert: param, sr-06.01_odp.02 }}."},{"id":"sr-6.1_gdn","name":"guidance","prose":"Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions."},{"id":"sr-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-06.01_odp.01 }} is\/are employed on {{ insert: param, sr-06.01_odp.02 }} associated with the system, system component, or system service."},{"id":"sr-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nevidence of organizational analysis, independent third-party analysis, organizational penetration testing, and\/or independent third-party penetration testing\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) subject to analysis and\/or testing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for analyzing and\/or testing supply chain elements, processes, and actors"}]},{"id":"sr-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing methods of analysis\/testing of supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the analysis\/testing of supply chain elements, processes, and actors"}]}]}]},{"id":"sr-7","class":"SP800-53","title":"Supply Chain Operations Security","params":[{"id":"sr-07_odp","props":[{"name":"alt-identifier","value":"sr-7_prm_1"},{"name":"alt-label","value":"Operations Security (OPSEC) controls","class":"sp800-53"},{"name":"label","value":"SR-07_ODP","class":"sp800-53a"}],"label":"OPSEC controls","guidelines":[{"prose":"Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined;"}]}],"props":[{"name":"label","value":"SR-7"},{"name":"label","value":"SR-07","class":"sp800-53a"},{"name":"sort-id","value":"sr-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"sr-7_smt","name":"statement","prose":"Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: {{ insert: param, sr-07_odp }}."},{"id":"sr-7_gdn","name":"guidance","prose":"Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services."},{"id":"sr-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-07","class":"sp800-53a"}],"prose":"{{ insert: param, sr-07_odp }} are employed to protect supply chain-related information for the system, system component, or system service."},{"id":"sr-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsupply chain risk management procedures\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nlist of OPSEC controls to be employed\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrecords of all-source intelligence analyses\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with OPSEC responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing OPSEC safeguards\n\nmechanisms supporting and\/or implementing the definition and employment of OPSEC safeguards"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises","{{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-9","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SR-9"},{"name":"label","value":"SR-09","class":"sp800-53a"},{"name":"sort-id","value":"sr-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-9_smt","name":"statement","prose":"Implement a tamper protection program for the system, system component, or system service."},{"id":"sr-9_gdn","name":"guidance","prose":"Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and\/or tamper detection is essential to protecting systems and components during distribution and when in use."},{"id":"sr-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09","class":"sp800-53a"}],"prose":"a tamper protection program is implemented for the system, system component, or system service."},{"id":"sr-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and\/or implementing the tamper protection program"}]}],"controls":[{"id":"sr-9.1","class":"SP800-53-enhancement","title":"Multiple Stages of System Development Life Cycle","props":[{"name":"label","value":"SR-9(1)"},{"name":"label","value":"SR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-9","rel":"required"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sr-9.1_smt","name":"statement","prose":"Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle."},{"id":"sr-9.1_gdn","name":"guidance","prose":"The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage."},{"id":"sr-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09(01)","class":"sp800-53a"}],"prose":"anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle."},{"id":"sr-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities"}]},{"id":"sr-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and\/or implementing anti-tamper technologies"}]}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":"{{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component","{{ insert: param, sr-11_odp.02 }} ","{{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;"},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;"},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]},{"id":"sr-11.3","class":"SP800-53-enhancement","title":"Anti-counterfeit Scanning","params":[{"id":"sr-11.03_odp","props":[{"name":"alt-identifier","value":"sr-11.3_prm_1"},{"name":"label","value":"SR-11(03)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to scan for counterfeit system components is defined;"}]}],"props":[{"name":"label","value":"SR-11(3)"},{"name":"label","value":"SR-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sr-11.3_smt","name":"statement","prose":"Scan for counterfeit system components {{ insert: param, sr-11.03_odp }}."},{"id":"sr-11.3_gdn","name":"guidance","prose":"The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application)."},{"id":"sr-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(03)","class":"sp800-53a"}],"prose":"scanning for counterfeit system components is conducted {{ insert: param, sr-11.03_odp }}."},{"id":"sr-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nanti-counterfeit policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscanning tools and associated documentation\n\nscanning results\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies and procedures\n\norganizational personnel with responsibility for anti-counterfeit scanning"}]},{"id":"sr-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scanning for counterfeit system components\n\nmechanisms supporting and\/or implementing anti-counterfeit scanning"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":"{{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":"\"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"d3b71d4d-27c1-40f7-ad7f-1c1fe6d8bde8","title":"ATOM54","citation":{"text":"Atomic Energy Act (P.L. 83-703), August 1954."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-68\/pdf\/STATUTE-68-Pg919.pdf"}]},{"uuid":"94c64e1a-456c-457f-86da-83ac0dfc85ac","title":"CMPPA","citation":{"text":"Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-102\/pdf\/STATUTE-102-Pg2507.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"6f63a36d-24bb-44f3-885a-5a50b5e1ada0","title":"CNSSI 4009","citation":{"text":"Committee on National Security Systems Instruction No. 4009, *Committee on National Security Systems (CNSS) Glossary* , April 2015."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"8a687894-cdab-423d-b95b-8d9475e4b51e","title":"CNSSP 22","citation":{"text":"Committee on National Security Systems Policy No. 22, *Cybersecurity Risk Management Policy* , August 2016."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Policies.cfm"}]},{"uuid":"b9951d04-6385-478c-b1a3-ab68c19d9041","title":"DHS NIPP","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)* , 2009."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/xlibrary\/assets\/NIPP_Plan.pdf"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"d6f8ff7f-4b71-47ba-b61b-a5ee3ffd3af0","title":"DODI 8510.01","citation":{"text":"Department of Defense Instruction 8510.01, *Risk Management Framework (RMF) for DoD Information Technology (IT)* , March 2014."},"rlinks":[{"href":"https:\/\/www.esd.whs.mil\/Portals\/54\/Documents\/DD\/issuances\/dodi\/851001p.pdf?ver=2019-02-26-101520-300"}]},{"uuid":"1c861e8c-cb40-463e-9cf2-693554107693","title":"DODTERMS","citation":{"text":"Department of Defense, *Dictionary of Military and Associated Terms*."},"rlinks":[{"href":"https:\/\/www.jcs.mil\/Portals\/36\/Documents\/Doctrine\/pubs\/dictionary.pdf"}]},{"uuid":"00db708b-4704-4fcb-b854-b66d1d756a58","title":"DSB 2017","citation":{"text":"Department of Defense, Defense Science Board, *Task Force on Cyber Deterrence* , February 2017."},"rlinks":[{"href":"https:\/\/dsb.cto.mil\/reports\/2010s\/DSB-CyberDeterrenceReport_02-28-17_Final.pdf"}]},{"uuid":"7b0b9634-741a-4335-b6fa-161228c3a76e","title":"EGOV","citation":{"text":"E-Government Act [includes FISMA] (P.L. 107-347), December 2002. "},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ347\/PLAW-107publ347.pdf"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"3406fdc0-d61c-44a9-a5ca-84180544c83a","title":"EO 13636","citation":{"text":"Executive Order 13636, *Improving Critical Infrastructure Cybersecurity* , February 2013."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/executive-order-improving-critical-infrastructure-cybersecurity"}]},{"uuid":"09afa3a7-e564-4c5f-865f-2679049563b0","title":"EO 13800","citation":{"text":"Executive Order 13800, *Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"511da9ca-604d-43f7-be41-b862085420a9","title":"EVIDACT","citation":{"text":"Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019."},"rlinks":[{"href":"https:\/\/www.congress.gov\/115\/plaws\/publ435\/PLAW-115publ435.pdf"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"d68867c0-2f21-4193-bef8-300f3270db56","title":"FISMA IMP","citation":{"text":"Federal Information Security Modernization Act (FISMA) Implementation Project."},"rlinks":[{"href":"https:\/\/nist.gov\/RMF"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"d9b1262c-9ee6-4c3e-846f-3a15f9d7eaa6","title":"FOIA96","citation":{"text":"Freedom of Information Act (FOIA), 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/PLAW-104publ231\/pdf\/PLAW-104publ231.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"488d6934-00b2-4252-bf23-1b3c2d71eb13","title":"HSPD 7","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection* , December 2003."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-7"}]},{"uuid":"7623635e-1a92-4250-a829-4a5c8a4da2bc","title":"IETF 4949","citation":{"text":"Internet Engineering Task Force (IETF), Request for Comments: 4949, *Internet Security Glossary, Version 2* , August 2007."},"rlinks":[{"href":"https:\/\/tools.ietf.org\/html\/rfc4949"}]},{"uuid":"e4d37285-1e79-4029-8b6a-42df39cace30","title":"IETF 5905","citation":{"text":"Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010."},"rlinks":[{"href":"https:\/\/tools.ietf.org\/pdf\/rfc5905.pdf"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"0c559766-0df1-468f-a499-3577bb6dfa46","title":"ISO 15026-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 15026-1:2019, *Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary* , March 2019."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/73567.html"}]},{"uuid":"7d8ec7b7-dba0-4a17-981c-c959dbcc6c68","title":"ISO 15288","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 15288:2015, *Systems and software engineering —Systems life cycle processes* , May 2015."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/63711.html"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"c22d2905-4087-4397-b574-c534b9e808c8","title":"ISO 25237","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 25237:2017, *Health informatics —Pseudonymization* , January 2017."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/63553.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"094ad8c9-960f-4091-acff-8c99a390f08d","title":"ISO 29100","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29100:2011, *Information technology—Security techniques—Privacy framework* , December 2011."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/45123.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"d1cdab13-4218-400d-91a9-c3818dfa5ec8","title":"LAMPSON73","citation":{"text":"B. W. Lampson, *A Note on the Confinement Problem* , Communications of the ACM 16, 10, pp. 613-615, October 1973."}},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"aea5026f-e5c5-4256-8293-ffcdc487bcd5","title":"NEUM04","citation":{"text":"*Principled Assuredly Trustworthy Composable Architectures* , P. Neumann, CDRL A001 Final Report, SRI International, December 2004."},"rlinks":[{"href":"http:\/\/www.csl.sri.com\/users\/neumann\/chats4.pdf"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"a806de34-70a2-4239-8030-4ab286acc7b8","title":"NIST CSF","citation":{"text":"National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD)."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.CSWP.04162018"}]},{"uuid":"956dcbb3-8109-4b6a-9058-ff0b909ec812","title":"NIST PF","citation":{"text":"National Institute of Standards and Technology (2020) Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD)."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.CSWP.01162020"}]},{"uuid":"528135e3-c65b-461a-93d3-46513610f792","title":"NITP12","citation":{"text":"Presidential Memorandum for the Heads of Executive Departments and Agencies, *National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs* , November 2012."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2012\/11\/21\/presidential-memorandum-national-insider-threat-policy-and-minimum-stand"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"782a8c6d-39a4-45df-a6db-ad0b9226fa38","title":"NVD 800-53","citation":{"text":"National Institute of Standards and Technology (2020) *National Vulnerability Database: NIST Special Publication 800-53 [database of controls].* Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/800-53"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"06d74ea9-2178-449c-a9c5-b2980f804ac8","title":"ODNI NITP","citation":{"text":"Office of the Director National Intelligence, *National Insider Threat Policy* "},"rlinks":[{"href":"https:\/\/www.dni.gov\/files\/NCSC\/documents\/nittf\/National_Insider_Threat_Policy.pdf"}]},{"uuid":"3671ff20-c17c-44d6-8a88-7de203fa74aa","title":"OMB A-108","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A108\/omb_circular_a-108.pdf"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"d229ae60-51dd-4d7b-a8bf-1f7195cc7561","title":"OMB M-03-22","citation":{"text":"Office of Management and Budget Memorandum M-03-22, *OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002* , September 2003. [https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf](https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf) "},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf"}]},{"uuid":"047b041a-b4b0-4537-ab2d-2b36283eeda0","title":"OMB M-08-05","citation":{"text":"Office of Management and Budget Memorandum M-08-05, *Implementation of Trusted Internet Connections (TIC)* , November 2007."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-05.pdf"}]},{"uuid":"206a3284-6a7e-423c-8ea9-25b22542541d","title":"OMB M-17-06","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/m-17-06.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"81c44706-0227-4258-a920-620a4d259990","title":"OMB M-17-25","citation":{"text":"Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/M-17-25.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"227063d4-431e-435f-9e8f-009b6dbc20f4","title":"OMB M-19-15","citation":{"text":"Office of Management and Budget Memorandum M-19-15, *Improving Implementation of the Information Quality Act* , April 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/04\/M-19-15.pdf"}]},{"uuid":"d886c141-c832-4ad7-ac6d-4b94f4b550d3","title":"OMB M-19-23","citation":{"text":"Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance* , July 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/07\/M-19-23.pdf"}]},{"uuid":"79453f84-26a4-4995-8257-d32d37aefea3","title":"POPEK74","citation":{"text":"G. Popek, *The Principle of Kernel Design* , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978."}},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"c9495d6e-ef64-4090-8509-e58c3b9009ff","title":"SALTZER75","citation":{"text":"J. Saltzer and M. Schroeder, *The Protection of Information in Computer Systems* , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308."}},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","title":"SP 800-188","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-188\/draft"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"4e0d3c99-0f4e-496f-8951-d4f57c122fc2","title":"SP 800-53 RES","citation":{"text":"NIST Special Publication 800-53, Revision 5 Resource Center."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/final"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"7798067b-4ed0-4adc-a505-79dad4741693","title":"SP 800-55","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-55r1"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"6264c85d-19f5-408a-aa44-d737daaf311e","title":"SP 800-82","citation":{"text":"Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to Industrial Control Systems (ICS) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-82r2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"dd1a42a3-20c0-43ba-bbdb-6ea3624f1d38","title":"USC 11101","citation":{"text":"\"Definitions,\" Title 40 U.S. Code, Sec. 11101. 2018 ed."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2018-title40\/USCODE-2018-title40-subtitleIII-chap111-sec11101"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"82460f0b-1060-420e-9181-554e2dc921df","title":"USC 3502","citation":{"text":"\"Definitions,\" Title 44 U.S. Code, Sec. 3502. 2011 ed."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2011-title44\/USCODE-2011-title44-chap35-subchapI-sec3502"}]},{"uuid":"ef3550b5-60a0-4489-8d4e-08223a929c7a","title":"USC 552","citation":{"text":"United States Code, 2006 Edition, Supplement 4, Title 5 - *Government Organization and Employees* , January 2011."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2010-title5\/pdf\/USCODE-2010-title5-partI-chap5-subchapII-sec552a.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]},{"uuid":"f7cf488d-bc64-4a91-a994-810e153ee481","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (DOI link)","rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r5","media-type":"application\/pdf"}]}]}}}
\ No newline at end of file
+{"catalog":{"uuid":"1f2fcda3-408f-422c-aecd-b1717c3f7843","metadata":{"title":"Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures","last-modified":"2023-12-04T13:16:10.000000-04:00","version":"5.1.1+u2","oscal-version":"1.1.1","revisions":[{"title":"Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures","last-modified":"2023-10-12T00:00:00.000000-04:00","version":"5.1.1","oscal-version":"1.1.1","links":[{"href":"#5a5ffcb9-2272-484e-8d47-4483a0585dec","rel":"version-history"}],"remarks":"This revison of the SP 800-53 Revision 5 Catalog includes metadata and tagging reflecting richer control semantics, such as organizational vs system-level controls as indicated in SP800-53 Rev 5.1 Appendix C, and minor bug fixes in its content."},{"title":"Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures","last-modified":"2023-11-14T00:00:00.000000-04:00","version":"5.1.1+u1","oscal-version":"1.1.1","links":[{"href":"#5a5ffcb9-2272-484e-8d47-4483a0585dec","rel":"version-history"}],"remarks":"This revision of the SP 800-53 Revision 5 Catalog is the finalized changes to NIST SP 800-53 Revision 5.1.1 on November, 7, 2023."}],"props":[{"name":"keywords","value":"Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security"}],"links":[{"href":"#c3397cc9-83c6-4459-adb2-836739dc1b94","rel":"alternate"},{"href":"#f7cf488d-bc64-4a91-a994-810e153ee481","rel":"canonical"}],"roles":[{"id":"creator","title":"Document creator"},{"id":"contact","title":"Contact"}],"parties":[{"uuid":"41a93829-b76b-43ec-b9e7-250553511549","type":"organization","name":"Joint Task Force, Interagency Working Group","email-addresses":["sec-cert@nist.gov"],"addresses":[{"addr-lines":["National Institute of Standards and Technology","Attn: Computer Security Division","Information Technology Laboratory","100 Bureau Drive (Mail Stop 8930)"],"city":"Gaithersburg","state":"MD","postal-code":"20899-8930"}]}],"responsible-parties":[{"role-id":"creator","party-uuids":["41a93829-b76b-43ec-b9e7-250553511549"]},{"role-id":"contact","party-uuids":["41a93829-b76b-43ec-b9e7-250553511549"]}]},"groups":[{"id":"ac","class":"family","title":"Access Control","controls":[{"id":"ac-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ac-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ac-01_odp.01","props":[{"name":"label","value":"AC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control policy is to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.02","props":[{"name":"label","value":"AC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the access control procedures are to be disseminated is\/are defined;"}]},{"id":"ac-01_odp.03","props":[{"name":"alt-identifier","value":"ac-1_prm_2"},{"name":"label","value":"AC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ac-01_odp.04","props":[{"name":"alt-identifier","value":"ac-1_prm_3"},{"name":"label","value":"AC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the access control policy and procedures is defined;"}]},{"id":"ac-01_odp.05","props":[{"name":"alt-identifier","value":"ac-1_prm_4"},{"name":"label","value":"AC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control policy is reviewed and updated is defined;"}]},{"id":"ac-01_odp.06","props":[{"name":"alt-identifier","value":"ac-1_prm_5"},{"name":"label","value":"AC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current access control policy to be reviewed and updated are defined;"}]},{"id":"ac-01_odp.07","props":[{"name":"alt-identifier","value":"ac-1_prm_6"},{"name":"label","value":"AC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current access control procedures are reviewed and updated is defined;"}]},{"id":"ac-01_odp.08","props":[{"name":"alt-identifier","value":"ac-1_prm_7"},{"name":"label","value":"AC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AC-1"},{"name":"label","value":"AC-01","class":"sp800-53a"},{"name":"sort-id","value":"ac-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ia-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ac-1_smt","name":"statement","parts":[{"id":"ac-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}:","parts":[{"id":"ac-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ac-01_odp.03 }} access control policy that:","parts":[{"id":"ac-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ac-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ac-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the access control policy and the associated access controls;"}]},{"id":"ac-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and"},{"id":"ac-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current access control:","parts":[{"id":"ac-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and"},{"id":"ac-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}."}]}]},{"id":"ac-1_gdn","name":"guidance","prose":"Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ac-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[01]","class":"sp800-53a"}],"prose":"an access control policy is developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[02]","class":"sp800-53a"}],"prose":"the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[03]","class":"sp800-53a"}],"prose":"access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.[04]","class":"sp800-53a"}],"prose":"the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};","links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;","links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ac-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ac-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.a","rel":"assessment-for"}]},{"id":"ac-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;","links":[{"href":"#ac-1_smt.b","rel":"assessment-for"}]},{"id":"ac-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[01]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.01[02]","class":"sp800-53a"}],"prose":"the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};","links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.1","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02","class":"sp800-53a"}],"parts":[{"id":"ac-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[01]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]},{"id":"ac-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AC-01c.02[02]","class":"sp800-53a"}],"prose":"the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.","links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-1_smt","rel":"assessment-for"}]},{"id":"ac-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities\n\norganizational personnel with information security with information security and privacy responsibilities"}]}]},{"id":"ac-2","class":"SP800-53","title":"Account Management","params":[{"id":"ac-02_odp.01","props":[{"name":"alt-identifier","value":"ac-2_prm_1"},{"name":"label","value":"AC-02_ODP[01]","class":"sp800-53a"}],"label":"prerequisites and criteria","guidelines":[{"prose":"prerequisites and criteria for group and role membership are defined;"}]},{"id":"ac-02_odp.02","props":[{"name":"alt-identifier","value":"ac-2_prm_2"},{"name":"label","value":"AC-02_ODP[02]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes (as required) for each account are defined;"}]},{"id":"ac-02_odp.03","props":[{"name":"alt-identifier","value":"ac-2_prm_3"},{"name":"label","value":"AC-02_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve requests to create accounts is\/are defined;"}]},{"id":"ac-02_odp.04","props":[{"name":"alt-identifier","value":"ac-2_prm_4"},{"name":"label","value":"AC-02_ODP[04]","class":"sp800-53a"}],"label":"policy, procedures, prerequisites, and criteria","guidelines":[{"prose":"policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;"}]},{"id":"ac-02_odp.05","props":[{"name":"alt-identifier","value":"ac-2_prm_5"},{"name":"label","value":"AC-02_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified is\/are defined;"}]},{"id":"ac-02_odp.06","props":[{"name":"alt-identifier","value":"ac-2_prm_6"},{"name":"label","value":"AC-02_ODP[06]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when accounts are no longer required is defined;"}]},{"id":"ac-02_odp.07","props":[{"name":"alt-identifier","value":"ac-2_prm_7"},{"name":"label","value":"AC-02_ODP[07]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when users are terminated or transferred is defined; "}]},{"id":"ac-02_odp.08","props":[{"name":"alt-identifier","value":"ac-2_prm_8"},{"name":"label","value":"AC-02_ODP[08]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify account managers when system usage or the need to know changes for an individual is defined;"}]},{"id":"ac-02_odp.09","props":[{"name":"alt-identifier","value":"ac-2_prm_9"},{"name":"label","value":"AC-02_ODP[09]","class":"sp800-53a"}],"label":"attributes (as required)","guidelines":[{"prose":"attributes needed to authorize system access (as required) are defined;"}]},{"id":"ac-02_odp.10","props":[{"name":"alt-identifier","value":"ac-2_prm_10"},{"name":"label","value":"AC-02_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of account review is defined;"}]}],"props":[{"name":"label","value":"AC-2"},{"name":"label","value":"AC-02","class":"sp800-53a"},{"name":"sort-id","value":"ac-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#53df282b-8b3f-483a-bad1-6a8b8ac00114","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ac-2_smt","name":"statement","parts":[{"id":"ac-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define and document the types of accounts allowed and specifically prohibited for use within the system;"},{"id":"ac-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign account managers;"},{"id":"ac-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require {{ insert: param, ac-02_odp.01 }} for group and role membership;"},{"id":"ac-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Specify:","parts":[{"id":"ac-2_smt.d.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Authorized users of the system;"},{"id":"ac-2_smt.d.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Group and role membership; and"},{"id":"ac-2_smt.d.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account;"}]},{"id":"ac-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"},{"id":"ac-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }};"},{"id":"ac-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Monitor the use of accounts;"},{"id":"ac-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Notify account managers and {{ insert: param, ac-02_odp.05 }} within:","parts":[{"id":"ac-2_smt.h.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"},{"id":"ac-2_smt.h.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and"},{"id":"ac-2_smt.h.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual;"}]},{"id":"ac-2_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Authorize access to the system based on:","parts":[{"id":"ac-2_smt.i.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"A valid access authorization;"},{"id":"ac-2_smt.i.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Intended system usage; and"},{"id":"ac-2_smt.i.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ac-02_odp.09 }};"}]},{"id":"ac-2_smt.j","name":"item","props":[{"name":"label","value":"j."}],"prose":"Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"},{"id":"ac-2_smt.k","name":"item","props":[{"name":"label","value":"k."}],"prose":"Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and"},{"id":"ac-2_smt.l","name":"item","props":[{"name":"label","value":"l."}],"prose":"Align account management processes with personnel termination and transfer processes."}]},{"id":"ac-2_gdn","name":"guidance","prose":"Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.\n\nWhere access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission\/business requirements. Failure to consider these factors could affect system availability.\n\nTemporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared\/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared\/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training."},{"id":"ac-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[01]","class":"sp800-53a"}],"prose":"account types allowed for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02a.[02]","class":"sp800-53a"}],"prose":"account types specifically prohibited for use within the system are defined and documented;","links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.a","rel":"assessment-for"}]},{"id":"ac-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02b.","class":"sp800-53a"}],"prose":"account managers are assigned;","links":[{"href":"#ac-2_smt.b","rel":"assessment-for"}]},{"id":"ac-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02c.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02_odp.01 }} for group and role membership are required;","links":[{"href":"#ac-2_smt.c","rel":"assessment-for"}]},{"id":"ac-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.01","class":"sp800-53a"}],"prose":"authorized users of the system are specified;","links":[{"href":"#ac-2_smt.d.1","rel":"assessment-for"}]},{"id":"ac-2_obj.d.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.02","class":"sp800-53a"}],"prose":"group and role membership are specified;","links":[{"href":"#ac-2_smt.d.2","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.d.3-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[01]","class":"sp800-53a"}],"prose":"access authorizations (i.e., privileges) are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]},{"id":"ac-2_obj.d.3-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02d.03[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02_odp.02 }} are specified for each account;","links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.d","rel":"assessment-for"}]},{"id":"ac-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-02e.","class":"sp800-53a"}],"prose":"approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;","links":[{"href":"#ac-2_smt.e","rel":"assessment-for"}]},{"id":"ac-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[01]","class":"sp800-53a"}],"prose":"accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[02]","class":"sp800-53a"}],"prose":"accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[03]","class":"sp800-53a"}],"prose":"accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[04]","class":"sp800-53a"}],"prose":"accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.f-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02f.[05]","class":"sp800-53a"}],"prose":"accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};","links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.f","rel":"assessment-for"}]},{"id":"ac-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"AC-02g.","class":"sp800-53a"}],"prose":"the use of accounts is monitored; ","links":[{"href":"#ac-2_smt.g","rel":"assessment-for"}]},{"id":"ac-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.h.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.01","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;","links":[{"href":"#ac-2_smt.h.1","rel":"assessment-for"}]},{"id":"ac-2_obj.h.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.02","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;","links":[{"href":"#ac-2_smt.h.2","rel":"assessment-for"}]},{"id":"ac-2_obj.h.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02h.03","class":"sp800-53a"}],"prose":"account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;","links":[{"href":"#ac-2_smt.h.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.h","rel":"assessment-for"}]},{"id":"ac-2_obj.i","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.i.1","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.01","class":"sp800-53a"}],"prose":"access to the system is authorized based on a valid access authorization;","links":[{"href":"#ac-2_smt.i.1","rel":"assessment-for"}]},{"id":"ac-2_obj.i.2","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.02","class":"sp800-53a"}],"prose":"access to the system is authorized based on intended system usage;","links":[{"href":"#ac-2_smt.i.2","rel":"assessment-for"}]},{"id":"ac-2_obj.i.3","name":"assessment-objective","props":[{"name":"label","value":"AC-02i.03","class":"sp800-53a"}],"prose":"access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};","links":[{"href":"#ac-2_smt.i.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.i","rel":"assessment-for"}]},{"id":"ac-2_obj.j","name":"assessment-objective","props":[{"name":"label","value":"AC-02j.","class":"sp800-53a"}],"prose":"accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};","links":[{"href":"#ac-2_smt.j","rel":"assessment-for"}]},{"id":"ac-2_obj.k","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.k-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[01]","class":"sp800-53a"}],"prose":"a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.k-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02k.[02]","class":"sp800-53a"}],"prose":"a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;","links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.k","rel":"assessment-for"}]},{"id":"ac-2_obj.l","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.","class":"sp800-53a"}],"parts":[{"id":"ac-2_obj.l-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[01]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel termination processes;","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]},{"id":"ac-2_obj.l-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02l.[02]","class":"sp800-53a"}],"prose":"account management processes are aligned with personnel transfer processes.","links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt.l","rel":"assessment-for"}]}],"links":[{"href":"#ac-2_smt","rel":"assessment-for"}]},{"id":"ac-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\npersonnel termination policy and procedure\n\npersonnel transfer policy and procedure\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of active system accounts along with the name of the individual associated with each account\n\nlist of recently disabled system accounts and the name of the individual associated with each account\n\nlist of conditions for group and role membership\n\nnotifications of recent transfers, separations, or terminations of employees\n\naccess authorization records\n\naccount management compliance reviews\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security and privacy responsibilities"}]},{"id":"ac-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for account management on the system\n\nmechanisms for implementing account management"}]}],"controls":[{"id":"ac-2.1","class":"SP800-53-enhancement","title":"Automated System Account Management","params":[{"id":"ac-02.01_odp","props":[{"name":"alt-identifier","value":"ac-2.1_prm_1"},{"name":"label","value":"AC-02(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the management of system accounts are defined; "}]}],"props":[{"name":"label","value":"AC-2(1)"},{"name":"label","value":"AC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.1_smt","name":"statement","prose":"Support the management of system accounts using {{ insert: param, ac-02.01_odp }}."},{"id":"ac-2.1_gdn","name":"guidance","prose":"Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications."},{"id":"ac-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(01)","class":"sp800-53a"}],"prose":"the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.","links":[{"href":"#ac-2.1_smt","rel":"assessment-for"}]},{"id":"ac-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.2","class":"SP800-53-enhancement","title":"Automated Temporary and Emergency Account Management","params":[{"id":"ac-02.02_odp.01","props":[{"name":"alt-identifier","value":"ac-2.2_prm_1"},{"name":"label","value":"AC-02(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["remove","disable"]}},{"id":"ac-02.02_odp.02","props":[{"name":"alt-identifier","value":"ac-2.2_prm_2"},{"name":"alt-label","value":"time period for each type of account","class":"sp800-53"},{"name":"label","value":"AC-02(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to automatically remove or disable temporary or emergency accounts is defined;"}]}],"props":[{"name":"label","value":"AC-2(2)"},{"name":"label","value":"AC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.2_smt","name":"statement","prose":"Automatically {{ insert: param, ac-02.02_odp.01 }} temporary and emergency accounts after {{ insert: param, ac-02.02_odp.02 }}."},{"id":"ac-2.2_gdn","name":"guidance","prose":"Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation."},{"id":"ac-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(02)","class":"sp800-53a"}],"prose":"temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.","links":[{"href":"#ac-2.2_smt","rel":"assessment-for"}]},{"id":"ac-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of temporary accounts removed and\/or disabled\n\nsystem-generated list of emergency accounts removed and\/or disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for implementing account management functions"}]}]},{"id":"ac-2.3","class":"SP800-53-enhancement","title":"Disable Accounts","params":[{"id":"ac-02.03_odp.01","props":[{"name":"alt-identifier","value":"ac-2.3_prm_1"},{"name":"label","value":"AC-02(03)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts is defined;"}]},{"id":"ac-02.03_odp.02","props":[{"name":"alt-identifier","value":"ac-2.3_prm_2"},{"name":"label","value":"AC-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for account inactivity before disabling is defined;"}]}],"props":[{"name":"label","value":"AC-2(3)"},{"name":"label","value":"AC-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.3_smt","name":"statement","prose":"Disable accounts within {{ insert: param, ac-02.03_odp.01 }} when the accounts:","parts":[{"id":"ac-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have expired;"},{"id":"ac-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Are no longer associated with a user or individual;"},{"id":"ac-2.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are in violation of organizational policy; or"},{"id":"ac-2.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Have been inactive for {{ insert: param, ac-02.03_odp.02 }}."}]},{"id":"ac-2.3_gdn","name":"guidance","prose":"Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system."},{"id":"ac-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)","class":"sp800-53a"}],"parts":[{"id":"ac-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(a)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;","links":[{"href":"#ac-2.3_smt.a","rel":"assessment-for"}]},{"id":"ac-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(b)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;","links":[{"href":"#ac-2.3_smt.b","rel":"assessment-for"}]},{"id":"ac-2.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(c)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;","links":[{"href":"#ac-2.3_smt.c","rel":"assessment-for"}]},{"id":"ac-2.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(03)(d)","class":"sp800-53a"}],"prose":"accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.","links":[{"href":"#ac-2.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.3_smt","rel":"assessment-for"}]},{"id":"ac-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of accounts removed\n\nsystem-generated list of emergency accounts disabled\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for implementing account management functions"}]}]},{"id":"ac-2.4","class":"SP800-53-enhancement","title":"Automated Audit Actions","props":[{"name":"label","value":"AC-2(4)"},{"name":"label","value":"AC-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"ac-2.4_smt","name":"statement","prose":"Automatically audit account creation, modification, enabling, disabling, and removal actions."},{"id":"ac-2.4_gdn","name":"guidance","prose":"Account management audit records are defined in accordance with [AU-2](#au-2) and reviewed, analyzed, and reported in accordance with [AU-6](#au-6)."},{"id":"ac-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)","class":"sp800-53a"}],"parts":[{"id":"ac-2.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[01]","class":"sp800-53a"}],"prose":"account creation is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[02]","class":"sp800-53a"}],"prose":"account modification is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[03]","class":"sp800-53a"}],"prose":"account enabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[04]","class":"sp800-53a"}],"prose":"account disabling is automatically audited;","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_obj-5","name":"assessment-objective","props":[{"name":"label","value":"AC-02(04)[05]","class":"sp800-53a"}],"prose":"account removal actions are automatically audited.","links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.4_smt","rel":"assessment-for"}]},{"id":"ac-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nnotifications\/alerts of account creation, modification, enabling, disabling, and removal actions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.5","class":"SP800-53-enhancement","title":"Inactivity Logout","params":[{"id":"ac-02.05_odp","props":[{"name":"alt-identifier","value":"ac-2.5_prm_1"},{"name":"label","value":"AC-02(05)_ODP","class":"sp800-53a"}],"label":"time period of expected inactivity or description of when to log out","guidelines":[{"prose":"the time period of expected inactivity or description of when to log out is defined;"}]}],"props":[{"name":"label","value":"AC-2(5)"},{"name":"label","value":"AC-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-11","rel":"related"}],"parts":[{"id":"ac-2.5_smt","name":"statement","prose":"Require that users log out when {{ insert: param, ac-02.05_odp }}."},{"id":"ac-2.5_gdn","name":"guidance","prose":"Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by [AC-11](#ac-11)."},{"id":"ac-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(05)","class":"sp800-53a"}],"prose":"users are required to log out when {{ insert: param, ac-02.05_odp }}.","links":[{"href":"#ac-2.5_smt","rel":"assessment-for"}]},{"id":"ac-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity violation reports\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nusers that must comply with inactivity logout policy"}]}]},{"id":"ac-2.6","class":"SP800-53-enhancement","title":"Dynamic Privilege Management","params":[{"id":"ac-02.06_odp","props":[{"name":"alt-identifier","value":"ac-2.6_prm_1"},{"name":"label","value":"AC-02(06)_ODP","class":"sp800-53a"}],"label":"dynamic privilege management capabilities","guidelines":[{"prose":"dynamic privilege management capabilities are defined;"}]}],"props":[{"name":"label","value":"AC-2(6)"},{"name":"label","value":"AC-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ac-2.6_smt","name":"statement","prose":"Implement {{ insert: param, ac-02.06_odp }}."},{"id":"ac-2.6_gdn","name":"guidance","prose":"In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications."},{"id":"ac-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.06_odp }} are implemented.","links":[{"href":"#ac-2.6_smt","rel":"assessment-for"}]},{"id":"ac-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of dynamic privilege management capabilities\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system or mechanisms implementing dynamic privilege management capabilities"}]}]},{"id":"ac-2.7","class":"SP800-53-enhancement","title":"Privileged User Accounts","params":[{"id":"ac-02.07_odp","props":[{"name":"alt-identifier","value":"ac-2.7_prm_1"},{"name":"label","value":"AC-02(07)_ODP","class":"sp800-53a"}],"select":{"choice":["a role-based access scheme","an attribute-based access scheme"]}}],"props":[{"name":"label","value":"AC-2(7)"},{"name":"label","value":"AC-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.7_smt","name":"statement","parts":[{"id":"ac-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Establish and administer privileged user accounts in accordance with {{ insert: param, ac-02.07_odp }};"},{"id":"ac-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor privileged role or attribute assignments;"},{"id":"ac-2.7_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Monitor changes to roles or attributes; and"},{"id":"ac-2.7_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Revoke access when privileged role or attribute assignments are no longer appropriate."}]},{"id":"ac-2.7_gdn","name":"guidance","prose":"Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes."},{"id":"ac-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)","class":"sp800-53a"}],"parts":[{"id":"ac-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(a)","class":"sp800-53a"}],"prose":"privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};","links":[{"href":"#ac-2.7_smt.a","rel":"assessment-for"}]},{"id":"ac-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(b)","class":"sp800-53a"}],"prose":"privileged role or attribute assignments are monitored;","links":[{"href":"#ac-2.7_smt.b","rel":"assessment-for"}]},{"id":"ac-2.7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(c)","class":"sp800-53a"}],"prose":"changes to roles or attributes are monitored;","links":[{"href":"#ac-2.7_smt.c","rel":"assessment-for"}]},{"id":"ac-2.7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-02(07)(d)","class":"sp800-53a"}],"prose":"access is revoked when privileged role or attribute assignments are no longer appropriate.","links":[{"href":"#ac-2.7_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.7_smt","rel":"assessment-for"}]},{"id":"ac-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged user accounts and associated roles\n\nrecords of actions taken when privileged role assignments are no longer appropriate\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions\n\nmechanisms monitoring privileged role assignments"}]}]},{"id":"ac-2.8","class":"SP800-53-enhancement","title":"Dynamic Account Management","params":[{"id":"ac-02.08_odp","props":[{"name":"alt-identifier","value":"ac-2.8_prm_1"},{"name":"label","value":"AC-02(08)_ODP","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts that are dynamically created, activated, managed, and deactivated are defined;"}]}],"props":[{"name":"label","value":"AC-2(8)"},{"name":"label","value":"AC-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ac-2.8_smt","name":"statement","prose":"Create, activate, manage, and deactivate {{ insert: param, ac-02.08_odp }} dynamically."},{"id":"ac-2.8_gdn","name":"guidance","prose":"Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges."},{"id":"ac-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)","class":"sp800-53a"}],"parts":[{"id":"ac-2.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are created dynamically;","links":[{"href":"#ac-2.8_smt","rel":"assessment-for"}]},{"id":"ac-2.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are activated dynamically;","links":[{"href":"#ac-2.8_smt","rel":"assessment-for"}]},{"id":"ac-2.8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are managed dynamically;","links":[{"href":"#ac-2.8_smt","rel":"assessment-for"}]},{"id":"ac-2.8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-02(08)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.08_odp }} are deactivated dynamically.","links":[{"href":"#ac-2.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.8_smt","rel":"assessment-for"}]},{"id":"ac-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing account management functions"}]}]},{"id":"ac-2.9","class":"SP800-53-enhancement","title":"Restrictions on Use of Shared and Group Accounts","params":[{"id":"ac-02.09_odp","props":[{"name":"alt-identifier","value":"ac-2.9_prm_1"},{"name":"alt-label","value":"conditions for establishing shared and group accounts","class":"sp800-53"},{"name":"label","value":"AC-02(09)_ODP","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for establishing shared and group accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(9)"},{"name":"label","value":"AC-02(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.9_smt","name":"statement","prose":"Only permit the use of shared and group accounts that meet {{ insert: param, ac-02.09_odp }}."},{"id":"ac-2.9_gdn","name":"guidance","prose":"Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts."},{"id":"ac-2.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(09)","class":"sp800-53a"}],"prose":"the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.","links":[{"href":"#ac-2.9_smt","rel":"assessment-for"}]},{"id":"ac-2.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of shared\/group accounts and associated roles\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of shared\/group accounts"}]}]},{"id":"ac-2.10","class":"SP800-53-enhancement","title":"Shared and Group Account Credential Change","props":[{"name":"label","value":"AC-2(10)"},{"name":"label","value":"AC-02(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2_smt.k","rel":"incorporated-into"}]},{"id":"ac-2.11","class":"SP800-53-enhancement","title":"Usage Conditions","params":[{"id":"ac-02.11_odp.01","props":[{"name":"alt-identifier","value":"ac-2.11_prm_1"},{"name":"label","value":"AC-02(11)_ODP[01]","class":"sp800-53a"}],"label":"circumstances and\/or usage conditions","guidelines":[{"prose":"circumstances and\/or usage conditions to be enforced for system accounts are defined;"}]},{"id":"ac-02.11_odp.02","props":[{"name":"alt-identifier","value":"ac-2.11_prm_2"},{"name":"label","value":"AC-02(11)_ODP[02]","class":"sp800-53a"}],"label":"system accounts","guidelines":[{"prose":"system accounts subject to enforcement of circumstances and\/or usage conditions are defined;"}]}],"props":[{"name":"label","value":"AC-2(11)"},{"name":"label","value":"AC-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"}],"parts":[{"id":"ac-2.11_smt","name":"statement","prose":"Enforce {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }}."},{"id":"ac-2.11_gdn","name":"guidance","prose":"Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time."},{"id":"ac-2.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(11)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.","links":[{"href":"#ac-2.11_smt","rel":"assessment-for"}]},{"id":"ac-2.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of system accounts and associated assignments of usage circumstances and\/or usage conditions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-2.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.12","class":"SP800-53-enhancement","title":"Account Monitoring for Atypical Usage","params":[{"id":"ac-02.12_odp.01","props":[{"name":"alt-identifier","value":"ac-2.12_prm_1"},{"name":"label","value":"AC-02(12)_ODP[01]","class":"sp800-53a"}],"label":"atypical usage","guidelines":[{"prose":"atypical usage for which to monitor system accounts is defined;"}]},{"id":"ac-02.12_odp.02","props":[{"name":"alt-identifier","value":"ac-2.12_prm_2"},{"name":"label","value":"AC-02(12)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to report atypical usage is\/are defined;"}]}],"props":[{"name":"label","value":"AC-2(12)"},{"name":"label","value":"AC-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.12_smt","name":"statement","parts":[{"id":"ac-2.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }} ; and"},{"id":"ac-2.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}."}]},{"id":"ac-2.12_gdn","name":"guidance","prose":"Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"ac-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)","class":"sp800-53a"}],"parts":[{"id":"ac-2.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(a)","class":"sp800-53a"}],"prose":"system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ","links":[{"href":"#ac-2.12_smt.a","rel":"assessment-for"}]},{"id":"ac-2.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-02(12)(b)","class":"sp800-53a"}],"prose":"atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.","links":[{"href":"#ac-2.12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-2.12_smt","rel":"assessment-for"}]},{"id":"ac-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring records\n\nsystem audit records\n\naudit tracking and monitoring reports\n\nprivacy impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]},{"id":"ac-2.13","class":"SP800-53-enhancement","title":"Disable Accounts for High-risk Individuals","params":[{"id":"ac-02.13_odp.01","props":[{"name":"alt-identifier","value":"ac-2.13_prm_1"},{"name":"label","value":"AC-02(13)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;"}]},{"id":"ac-02.13_odp.02","props":[{"name":"alt-identifier","value":"ac-2.13_prm_2"},{"name":"label","value":"AC-02(13)_ODP[02]","class":"sp800-53a"}],"label":"significant risks","guidelines":[{"prose":"significant risks leading to disabling accounts are defined;"}]}],"props":[{"name":"label","value":"AC-2(13)"},{"name":"label","value":"AC-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-2.13_smt","name":"statement","prose":"Disable accounts of individuals within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."},{"id":"ac-2.13_gdn","name":"guidance","prose":"Users who pose a significant security and\/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals."},{"id":"ac-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-02(13)","class":"sp800-53a"}],"prose":"accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.","links":[{"href":"#ac-2.13_smt","rel":"assessment-for"}]},{"id":"ac-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of disabled accounts\n\nlist of user activities posing significant organizational risk\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing account management functions"}]}]}]},{"id":"ac-3","class":"SP800-53","title":"Access Enforcement","props":[{"name":"label","value":"AC-3"},{"name":"label","value":"AC-03","class":"sp800-53a"},{"name":"sort-id","value":"ac-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#ac-24","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"ac-3_smt","name":"statement","prose":"Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."},{"id":"ac-3_gdn","name":"guidance","prose":"Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( [PE](#pe) ) family."},{"id":"ac-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03","class":"sp800-53a"}],"prose":"approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.","links":[{"href":"#ac-3_smt","rel":"assessment-for"}]},{"id":"ac-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of approved authorizations (user privileges)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy"}]}],"controls":[{"id":"ac-3.1","class":"SP800-53-enhancement","title":"Restricted Access to Privileged Functions","props":[{"name":"label","value":"AC-3(1)"},{"name":"label","value":"AC-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6","rel":"incorporated-into"}]},{"id":"ac-3.2","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"ac-03.02_odp","props":[{"name":"alt-identifier","value":"ac-3.2_prm_1"},{"name":"alt-label","value":"privileged commands and\/or other organization-defined actions","class":"sp800-53"},{"name":"label","value":"AC-03(02)_ODP","class":"sp800-53a"}],"label":"privileged commands and\/or other actions","guidelines":[{"prose":"privileged commands and\/or other actions requiring dual authorization are defined;"}]}],"props":[{"name":"label","value":"AC-3(2)"},{"name":"label","value":"AC-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cp-9","rel":"related"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-3.2_smt","name":"statement","prose":"Enforce dual authorization for {{ insert: param, ac-03.02_odp }}."},{"id":"ac-3.2_gdn","name":"guidance","prose":"Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety."},{"id":"ac-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(02)","class":"sp800-53a"}],"prose":"dual authorization is enforced for {{ insert: param, ac-03.02_odp }}.","links":[{"href":"#ac-3.2_smt","rel":"assessment-for"}]},{"id":"ac-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement and dual authorization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged commands requiring dual authorization\n\nlist of actions requiring dual authorization\n\nlist of approved authorizations (user privileges)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Dual authorization mechanisms implementing access control policy"}]}]},{"id":"ac-3.3","class":"SP800-53-enhancement","title":"Mandatory Access Control","params":[{"id":"ac-3.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.03_odp.02"}],"label":"organization-defined mandatory access control policy"},{"id":"ac-03.03_odp.01","props":[{"name":"label","value":"AC-03(03)_ODP[01]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"mandatory access control policy enforced over the set of covered subjects is defined;"}]},{"id":"ac-03.03_odp.02","props":[{"name":"label","value":"AC-03(03)_ODP[02]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"mandatory access control policy enforced over the set of covered objects is defined;"}]},{"id":"ac-03.03_odp.03","props":[{"name":"alt-identifier","value":"ac-3.3_prm_2"},{"name":"label","value":"AC-03(03)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be explicitly granted privileges are defined;"}]},{"id":"ac-03.03_odp.04","props":[{"name":"alt-identifier","value":"ac-3.3_prm_3"},{"name":"label","value":"AC-03(03)_ODP[04]","class":"sp800-53a"}],"label":"privileges","guidelines":[{"prose":"privileges to be explicitly granted to subjects are defined;"}]}],"props":[{"name":"label","value":"AC-3(3)"},{"name":"label","value":"AC-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-3.3_smt","name":"statement","prose":"Enforce {{ insert: param, ac-3.3_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy:","parts":[{"id":"ac-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Is uniformly enforced across the covered subjects and objects within the system;"},{"id":"ac-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Specifies that a subject that has been granted access to information is constrained from doing any of the following;","parts":[{"id":"ac-3.3_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Passing the information to unauthorized subjects or objects;"},{"id":"ac-3.3_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Granting its privileges to other subjects;"},{"id":"ac-3.3_smt.b.3","name":"item","props":[{"name":"label","value":"(3)"}],"prose":"Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;"},{"id":"ac-3.3_smt.b.4","name":"item","props":[{"name":"label","value":"(4)"}],"prose":"Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and"},{"id":"ac-3.3_smt.b.5","name":"item","props":[{"name":"label","value":"(5)"}],"prose":"Changing the rules governing access control; and"}]},{"id":"ac-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Specifies that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints."}]},{"id":"ac-3.3_gdn","name":"guidance","prose":"Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in [AC-25](#ac-25) . The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).\n\nThe trusted subjects described above are granted privileges consistent with the concept of least privilege (see [AC-6](#ac-6) ). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission\/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in [AC-3(4)](#ac-3.4) . A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information."},{"id":"ac-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;","links":[{"href":"#ac-3.3_smt","rel":"assessment-for"}]},{"id":"ac-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;","links":[{"href":"#ac-3.3_smt","rel":"assessment-for"}]},{"id":"ac-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;","links":[{"href":"#ac-3.3_smt.a","rel":"assessment-for"}]},{"id":"ac-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;","links":[{"href":"#ac-3.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.3_smt.a","rel":"assessment-for"}]},{"id":"ac-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-3.3_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;","links":[{"href":"#ac-3.3_smt.b.1","rel":"assessment-for"}]},{"id":"ac-3.3_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;","links":[{"href":"#ac-3.3_smt.b.2","rel":"assessment-for"}]},{"id":"ac-3.3_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;","links":[{"href":"#ac-3.3_smt.b.3","rel":"assessment-for"}]},{"id":"ac-3.3_obj.b.4","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(04)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;","links":[{"href":"#ac-3.3_smt.b.4","rel":"assessment-for"}]},{"id":"ac-3.3_obj.b.5","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(b)(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;","links":[{"href":"#ac-3.3_smt.b.5","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.3_smt.b","rel":"assessment-for"}]},{"id":"ac-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(03)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced.","links":[{"href":"#ac-3.3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.3_smt","rel":"assessment-for"}]},{"id":"ac-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nmandatory access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing mandatory access control"}]}]},{"id":"ac-3.4","class":"SP800-53-enhancement","title":"Discretionary Access Control","params":[{"id":"ac-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.04_odp.02"}],"label":"organization-defined discretionary access control policy"},{"id":"ac-03.04_odp.01","props":[{"name":"label","value":"AC-03(04)_ODP[01]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"discretionary access control policy enforced over the set of covered subjects is defined;"}]},{"id":"ac-03.04_odp.02","props":[{"name":"label","value":"AC-03(04)_ODP[02]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"discretionary access control policy enforced over the set of covered objects is defined;"}]}],"props":[{"name":"label","value":"AC-3(4)"},{"name":"label","value":"AC-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.4_smt","name":"statement","prose":"Enforce {{ insert: param, ac-3.4_prm_1 }} over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:","parts":[{"id":"ac-3.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Pass the information to any other subjects or objects;"},{"id":"ac-3.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Grant its privileges to other subjects;"},{"id":"ac-3.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change security attributes on subjects, objects, the system, or the system’s components;"},{"id":"ac-3.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Choose the security attributes to be associated with newly created or revised objects; or"},{"id":"ac-3.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Change the rules governing access control."}]},{"id":"ac-3.4_gdn","name":"guidance","prose":"When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in [AC-3(3)](#ac-3.3) and [AC-3(15)](#ac-3.15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while [AC-3(3)](#ac-3.3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, [AC-3(4)](#ac-3.4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control."},{"id":"ac-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)","class":"sp800-53a"}],"parts":[{"id":"ac-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;","links":[{"href":"#ac-3.4_smt","rel":"assessment-for"}]},{"id":"ac-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;","links":[{"href":"#ac-3.4_smt","rel":"assessment-for"}]},{"id":"ac-3.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;","links":[{"href":"#ac-3.4_smt.a","rel":"assessment-for"}]},{"id":"ac-3.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;","links":[{"href":"#ac-3.4_smt.b","rel":"assessment-for"}]},{"id":"ac-3.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;","links":[{"href":"#ac-3.4_smt.c","rel":"assessment-for"}]},{"id":"ac-3.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(d)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;","links":[{"href":"#ac-3.4_smt.d","rel":"assessment-for"}]},{"id":"ac-3.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-03(04)(e)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.","links":[{"href":"#ac-3.4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.4_smt","rel":"assessment-for"}]},{"id":"ac-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ndiscretionary access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing discretionary access control policy"}]}]},{"id":"ac-3.5","class":"SP800-53-enhancement","title":"Security-relevant Information","params":[{"id":"ac-03.05_odp","props":[{"name":"alt-identifier","value":"ac-3.5_prm_1"},{"name":"label","value":"AC-03(05)_ODP","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information to which access is prevented except during secure, non-operable system states is defined;"}]}],"props":[{"name":"label","value":"AC-3(5)"},{"name":"label","value":"AC-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-3.5_smt","name":"statement","prose":"Prevent access to {{ insert: param, ac-03.05_odp }} except during secure, non-operable system states."},{"id":"ac-3.5_gdn","name":"guidance","prose":"Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down."},{"id":"ac-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(05)","class":"sp800-53a"}],"prose":"access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states.","links":[{"href":"#ac-3.5_smt","rel":"assessment-for"}]},{"id":"ac-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing access to security-relevant information within the system"}]}]},{"id":"ac-3.6","class":"SP800-53-enhancement","title":"Protection of User and System Information","props":[{"name":"label","value":"AC-3(6)"},{"name":"label","value":"AC-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-4","rel":"incorporated-into"},{"href":"#sc-28","rel":"incorporated-into"}]},{"id":"ac-3.7","class":"SP800-53-enhancement","title":"Role-based Access Control","params":[{"id":"ac-3.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.07_odp.02"}],"label":"organization-defined roles and users authorized to assume such roles"},{"id":"ac-03.07_odp.01","props":[{"name":"label","value":"AC-03(07)_ODP[01]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"roles upon which to base control of access are defined;"}]},{"id":"ac-03.07_odp.02","props":[{"name":"label","value":"AC-03(07)_ODP[02]","class":"sp800-53a"}],"label":"users authorized to assume such roles","guidelines":[{"prose":"users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;"}]}],"props":[{"name":"label","value":"AC-3(7)"},{"name":"label","value":"AC-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.7_smt","name":"statement","prose":"Enforce a role-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-3.7_prm_1 }}."},{"id":"ac-3.7_gdn","name":"guidance","prose":"Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy."},{"id":"ac-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)","class":"sp800-53a"}],"parts":[{"id":"ac-3.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[01]","class":"sp800-53a"}],"prose":"a role-based access control policy is enforced over defined subjects;","links":[{"href":"#ac-3.7_smt","rel":"assessment-for"}]},{"id":"ac-3.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[02]","class":"sp800-53a"}],"prose":"a role-based access control policy is enforced over defined objects;","links":[{"href":"#ac-3.7_smt","rel":"assessment-for"}]},{"id":"ac-3.7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(07)[03]","class":"sp800-53a"}],"prose":"access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}.","links":[{"href":"#ac-3.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.7_smt","rel":"assessment-for"}]},{"id":"ac-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nrole-based access control policies\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of roles, users, and associated privileges required to control system access\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing role-based access control policy"}]}]},{"id":"ac-3.8","class":"SP800-53-enhancement","title":"Revocation of Access Authorizations","params":[{"id":"ac-03.08_odp","props":[{"name":"alt-identifier","value":"ac-3.8_prm_1"},{"name":"alt-label","value":"rules governing the timing of revocations of access authorizations","class":"sp800-53"},{"name":"label","value":"AC-03(08)_ODP","class":"sp800-53a"}],"label":"rules","guidelines":[{"prose":"rules governing the timing of revocations of access authorizations are defined;"}]}],"props":[{"name":"label","value":"AC-3(8)"},{"name":"label","value":"AC-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.8_smt","name":"statement","prose":"Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on {{ insert: param, ac-03.08_odp }}."},{"id":"ac-3.8_gdn","name":"guidance","prose":"Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary."},{"id":"ac-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)","class":"sp800-53a"}],"parts":[{"id":"ac-3.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)[01]","class":"sp800-53a"}],"prose":"revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};","links":[{"href":"#ac-3.8_smt","rel":"assessment-for"}]},{"id":"ac-3.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(08)[02]","class":"sp800-53a"}],"prose":"revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}.","links":[{"href":"#ac-3.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.8_smt","rel":"assessment-for"}]},{"id":"ac-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrules governing revocation of access authorizations, system audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.9","class":"SP800-53-enhancement","title":"Controlled Release","params":[{"id":"ac-03.09_odp.01","props":[{"name":"alt-identifier","value":"ac-3.9_prm_1"},{"name":"label","value":"AC-03(09)_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the outside system or system component to which to release information is defined;"}]},{"id":"ac-03.09_odp.02","props":[{"name":"alt-identifier","value":"ac-3.9_prm_2"},{"name":"label","value":"AC-03(09)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;"}]},{"id":"ac-03.09_odp.03","props":[{"name":"alt-identifier","value":"ac-3.9_prm_3"},{"name":"label","value":"AC-03(09)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to validate appropriateness of information to be released are defined;"}]}],"props":[{"name":"label","value":"AC-3(9)"},{"name":"label","value":"AC-03(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ca-3","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#pt-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-16","rel":"related"}],"parts":[{"id":"ac-3.9_smt","name":"statement","prose":"Release information outside of the system only if:","parts":[{"id":"ac-3.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"The receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }} ; and"},{"id":"ac-3.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release."}]},{"id":"ac-3.9_gdn","name":"guidance","prose":"Organizations can only directly protect information when it resides within the system. Additional controls may be needed to ensure that organizational information is adequately protected once it is transmitted outside of the system. In situations where the system is unable to determine the adequacy of the protections provided by external entities, as a mitigation measure, organizations procedurally determine whether the external systems are providing adequate controls. The means used to determine the adequacy of controls provided by external systems include conducting periodic assessments (inspections\/tests), establishing agreements between the organization and its counterpart organizations, or some other process. The means used by external entities to protect the information received need not be the same as those used by the organization, but the means employed are sufficient to provide consistent adjudication of the security and privacy policy to protect the information and individuals’ privacy.\n\nControlled release of information requires systems to implement technical or procedural means to validate the information prior to releasing it to external systems. For example, if the system passes information to a system controlled by another organization, technical means are employed to validate that the security and privacy attributes associated with the exported information are appropriate for the receiving system. Alternatively, if the system passes information to a printer in organization-controlled space, procedural means can be employed to ensure that only authorized individuals gain access to the printer."},{"id":"ac-3.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)","class":"sp800-53a"}],"parts":[{"id":"ac-3.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)(a)","class":"sp800-53a"}],"prose":"information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};","links":[{"href":"#ac-3.9_smt.a","rel":"assessment-for"}]},{"id":"ac-3.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(09)(b)","class":"sp800-53a"}],"prose":"information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.","links":[{"href":"#ac-3.9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.9_smt","rel":"assessment-for"}]},{"id":"ac-3.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy safeguards provided by receiving system or system components\n\nlist of security and privacy safeguards validating appropriateness of information designated for release\n\nsystem audit records\n\nresults of period assessments (inspections\/tests) of the external system\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-3.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-3.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.10","class":"SP800-53-enhancement","title":"Audited Override of Access Control Mechanisms","params":[{"id":"ac-03.10_odp.01","props":[{"name":"alt-identifier","value":"ac-3.10_prm_1"},{"name":"label","value":"AC-03(10)_ODP[01]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which to employ an audited override of automated access control mechanisms are defined;"}]},{"id":"ac-03.10_odp.02","props":[{"name":"alt-identifier","value":"ac-3.10_prm_2"},{"name":"label","value":"AC-03(10)_ODP[02]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"roles allowed to employ an audited override of automated access control mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-3(10)"},{"name":"label","value":"AC-03(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-3.10_smt","name":"statement","prose":"Employ an audited override of automated access control mechanisms under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}."},{"id":"ac-3.10_gdn","name":"guidance","prose":"In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)."},{"id":"ac-3.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(10)","class":"sp800-53a"}],"prose":"an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.","links":[{"href":"#ac-3.10_smt","rel":"assessment-for"}]},{"id":"ac-3.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconditions for employing audited override of automated access control mechanisms\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.11","class":"SP800-53-enhancement","title":"Restrict Access to Specific Information Types","params":[{"id":"ac-03.11_odp","props":[{"name":"alt-identifier","value":"ac-3.11_prm_1"},{"name":"label","value":"AC-03(11)_ODP","class":"sp800-53a"}],"label":"information types","guidelines":[{"prose":"information types requiring restricted access to data repositories are defined;"}]}],"props":[{"name":"label","value":"AC-3(11)"},{"name":"label","value":"AC-03(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pm-5","rel":"related"}],"parts":[{"id":"ac-3.11_smt","name":"statement","prose":"Restrict access to data repositories containing {{ insert: param, ac-03.11_odp }}."},{"id":"ac-3.11_gdn","name":"guidance","prose":"Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information."},{"id":"ac-3.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(11)","class":"sp800-53a"}],"prose":"access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted.","links":[{"href":"#ac-3.11_smt","rel":"assessment-for"}]},{"id":"ac-3.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\norganizational personnel with responsibilities for data repositories\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.12","class":"SP800-53-enhancement","title":"Assert and Enforce Application Access","params":[{"id":"ac-03.12_odp","props":[{"name":"alt-identifier","value":"ac-3.12_prm_1"},{"name":"label","value":"AC-03(12)_ODP","class":"sp800-53a"}],"label":"system applications and functions","guidelines":[{"prose":"system applications and functions requiring access assertion are defined;"}]}],"props":[{"name":"label","value":"AC-3(12)"},{"name":"label","value":"AC-03(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"ac-3.12_smt","name":"statement","parts":[{"id":"ac-3.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};"},{"id":"ac-3.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide an enforcement mechanism to prevent unauthorized access; and"},{"id":"ac-3.12_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Approve access changes after initial installation of the application."}]},{"id":"ac-3.12_gdn","name":"guidance","prose":"Asserting and enforcing application access is intended to address applications that need to access existing system applications and functions, including user contacts, global positioning systems, cameras, keyboards, microphones, networks, phones, or other files."},{"id":"ac-3.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)","class":"sp800-53a"}],"parts":[{"id":"ac-3.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(a)","class":"sp800-53a"}],"prose":"as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};","links":[{"href":"#ac-3.12_smt.a","rel":"assessment-for"}]},{"id":"ac-3.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(b)","class":"sp800-53a"}],"prose":"an enforcement mechanism to prevent unauthorized access is provided; ","links":[{"href":"#ac-3.12_smt.b","rel":"assessment-for"}]},{"id":"ac-3.12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-03(12)(c)","class":"sp800-53a"}],"prose":"access changes after initial installation of the application are approved.","links":[{"href":"#ac-3.12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.12_smt","rel":"assessment-for"}]},{"id":"ac-3.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.13","class":"SP800-53-enhancement","title":"Attribute-based Access Control","params":[{"id":"ac-03.13_odp","props":[{"name":"alt-identifier","value":"ac-3.13_prm_1"},{"name":"alt-label","value":"attributes to assume access permissions","class":"sp800-53"},{"name":"label","value":"AC-03(13)_ODP","class":"sp800-53a"}],"label":"attributes","guidelines":[{"prose":"attributes to assume access permissions are defined;"}]}],"props":[{"name":"label","value":"AC-3(13)"},{"name":"label","value":"AC-03(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"}],"parts":[{"id":"ac-3.13_smt","name":"statement","prose":"Enforce attribute-based access control policy over defined subjects and objects and control access based upon {{ insert: param, ac-03.13_odp }}."},{"id":"ac-3.13_gdn","name":"guidance","prose":"Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in [AC-3(3)](#ac-3.3) define the scope of the subjects and objects covered by the policy."},{"id":"ac-3.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)","class":"sp800-53a"}],"parts":[{"id":"ac-3.13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[01]","class":"sp800-53a"}],"prose":"the attribute-based access control policy is enforced over defined subjects;","links":[{"href":"#ac-3.13_smt","rel":"assessment-for"}]},{"id":"ac-3.13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[02]","class":"sp800-53a"}],"prose":"the attribute-based access control policy is enforced over defined objects;","links":[{"href":"#ac-3.13_smt","rel":"assessment-for"}]},{"id":"ac-3.13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-03(13)[03]","class":"sp800-53a"}],"prose":"access is controlled based on {{ insert: param, ac-03.13_odp }}.","links":[{"href":"#ac-3.13_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.13_smt","rel":"assessment-for"}]},{"id":"ac-3.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of attribute-based access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-3.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-3.14","class":"SP800-53-enhancement","title":"Individual Access","params":[{"id":"ac-03.14_odp.01","props":[{"name":"alt-identifier","value":"ac-3.14_prm_1"},{"name":"label","value":"AC-03(14)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;"}]},{"id":"ac-03.14_odp.02","props":[{"name":"alt-identifier","value":"ac-3.14_prm_2"},{"name":"label","value":"AC-03(14)_ODP[02]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to which individuals have access are defined;"}]}],"props":[{"name":"label","value":"AC-3(14)"},{"name":"label","value":"AC-03(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#ia-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"ac-3.14_smt","name":"statement","prose":"Provide {{ insert: param, ac-03.14_odp.01 }} to enable individuals to have access to the following elements of their personally identifiable information: {{ insert: param, ac-03.14_odp.02 }}."},{"id":"ac-3.14_gdn","name":"guidance","prose":"Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations."},{"id":"ac-3.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(14)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.","links":[{"href":"#ac-3.14_smt","rel":"assessment-for"}]},{"id":"ac-3.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access mechanisms (e.g., request forms and application interfaces)\n\naccess control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation regarding access to an individual’s personally identifiable information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment findings and\/or reports\n\nother relevant documents or records"}]},{"id":"ac-3.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel"}]},{"id":"ac-3.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions\n\nmechanisms enabling individual access to personally identifiable information"}]}]},{"id":"ac-3.15","class":"SP800-53-enhancement","title":"Discretionary and Mandatory Access Control","params":[{"id":"ac-3.15_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.02"}],"label":"organization-defined mandatory access control policy"},{"id":"ac-3.15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-03.15_odp.04"}],"label":"organization-defined discretionary access control policy"},{"id":"ac-03.15_odp.01","props":[{"name":"label","value":"AC-03(15)_ODP[01]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.02","props":[{"name":"label","value":"AC-03(15)_ODP[02]","class":"sp800-53a"}],"label":"mandatory access control policy","guidelines":[{"prose":"a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.03","props":[{"name":"label","value":"AC-03(15)_ODP[03]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;"}]},{"id":"ac-03.15_odp.04","props":[{"name":"label","value":"AC-03(15)_ODP[04]","class":"sp800-53a"}],"label":"discretionary access control policy","guidelines":[{"prose":"a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;"}]}],"props":[{"name":"label","value":"AC-3(15)"},{"name":"label","value":"AC-03(15)","class":"sp800-53a"},{"name":"sort-id","value":"ac-03.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ac-3.15_smt","name":"statement","parts":[{"id":"ac-3.15_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce {{ insert: param, ac-3.15_prm_1 }} over the set of covered subjects and objects specified in the policy; and"},{"id":"ac-3.15_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce {{ insert: param, ac-3.15_prm_2 }} over the set of covered subjects and objects specified in the policy."}]},{"id":"ac-3.15_gdn","name":"guidance","prose":"Simultaneously implementing a mandatory access control policy and a discretionary access control policy can provide additional protection against the unauthorized execution of code by users or processes acting on behalf of users. This helps prevent a single compromised user or process from compromising the entire system."},{"id":"ac-3.15_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;","links":[{"href":"#ac-3.15_smt.a","rel":"assessment-for"}]},{"id":"ac-3.15_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;","links":[{"href":"#ac-3.15_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.15_smt.a","rel":"assessment-for"}]},{"id":"ac-3.15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-3.15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;","links":[{"href":"#ac-3.15_smt.b","rel":"assessment-for"}]},{"id":"ac-3.15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-03(15)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy.","links":[{"href":"#ac-3.15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-3.15_smt","rel":"assessment-for"}]},{"id":"ac-3.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-03(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of mandatory access control policies\n\nlist of subjects and objects (i.e., users and resources) requiring enforcement of discretionary access control policies\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-3.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-03(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-3.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-03(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing mandatory and discretionary access control policy"}]}]}]},{"id":"ac-4","class":"SP800-53","title":"Information Flow Enforcement","params":[{"id":"ac-04_odp","props":[{"name":"alt-identifier","value":"ac-4_prm_1"},{"name":"label","value":"AC-04_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies within the system and between connected systems are defined;"}]}],"props":[{"name":"label","value":"AC-4"},{"name":"label","value":"AC-04","class":"sp800-53a"},{"name":"sort-id","value":"ac-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"ac-4_smt","name":"statement","prose":"Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."},{"id":"ac-4_gdn","name":"guidance","prose":"Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see [CA-3](#ca-3) ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners\/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.\n\nOrganizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and\/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and\/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS)."},{"id":"ac-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04","class":"sp800-53a"}],"prose":"approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.","links":[{"href":"#ac-4_smt","rel":"assessment-for"}]},{"id":"ac-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsecurity architecture documentation\n\nprivacy architecture documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem baseline configuration\n\nlist of information flow authorizations\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}],"controls":[{"id":"ac-4.1","class":"SP800-53-enhancement","title":"Object Security and Privacy Attributes","params":[{"id":"ac-4.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-4.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.01_odp.08"}],"label":"organization-defined information, source, and destination objects"},{"id":"ac-04.01_odp.01","props":[{"name":"label","value":"AC-04(01)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with information, source, and destination objects are defined;"}]},{"id":"ac-04.01_odp.02","props":[{"name":"label","value":"AC-04(01)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with information, source, and destination objects are defined;"}]},{"id":"ac-04.01_odp.03","props":[{"name":"label","value":"AC-04(01)_ODP[03]","class":"sp800-53a"}],"label":"information objects","guidelines":[{"prose":"information objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.04","props":[{"name":"label","value":"AC-04(01)_ODP[04]","class":"sp800-53a"}],"label":"information objects","guidelines":[{"prose":"information objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.05","props":[{"name":"label","value":"AC-04(01)_ODP[05]","class":"sp800-53a"}],"label":"source objects","guidelines":[{"prose":"source objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.06","props":[{"name":"label","value":"AC-04(01)_ODP[06]","class":"sp800-53a"}],"label":"source objects","guidelines":[{"prose":"source objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.07","props":[{"name":"label","value":"AC-04(01)_ODP[07]","class":"sp800-53a"}],"label":"destination objects","guidelines":[{"prose":"destination objects to be associated with information security attributes are defined;"}]},{"id":"ac-04.01_odp.08","props":[{"name":"label","value":"AC-04(01)_ODP[08]","class":"sp800-53a"}],"label":"destination objects","guidelines":[{"prose":"destination objects to be associated with privacy attributes are defined;"}]},{"id":"ac-04.01_odp.09","props":[{"name":"alt-identifier","value":"ac-4.1_prm_3"},{"name":"label","value":"AC-04(01)_ODP[09]","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies as a basis for enforcement of flow control decisions are defined;"}]}],"props":[{"name":"label","value":"AC-4(1)"},{"name":"label","value":"AC-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.1_smt","name":"statement","prose":"Use {{ insert: param, ac-4.1_prm_1 }} associated with {{ insert: param, ac-4.1_prm_2 }} to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions."},{"id":"ac-4.1_gdn","name":"guidance","prose":"Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information."},{"id":"ac-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)","class":"sp800-53a"}],"parts":[{"id":"ac-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;","links":[{"href":"#ac-4.1_smt","rel":"assessment-for"}]},{"id":"ac-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.","links":[{"href":"#ac-4.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.1_smt","rel":"assessment-for"}]},{"id":"ac-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy attributes and associated source and destination objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.2","class":"SP800-53-enhancement","title":"Processing Domains","params":[{"id":"ac-04.02_odp","props":[{"name":"alt-identifier","value":"ac-4.2_prm_1"},{"name":"label","value":"AC-04(02)_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies to be enforced by use of protected processing domains are defined;"}]}],"props":[{"name":"label","value":"AC-4(2)"},{"name":"label","value":"AC-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-4.2_smt","name":"statement","prose":"Use protected processing domains to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions."},{"id":"ac-4.2_gdn","name":"guidance","prose":"Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to\/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains."},{"id":"ac-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(02)","class":"sp800-53a"}],"prose":"protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.","links":[{"href":"#ac-4.2_smt","rel":"assessment-for"}]},{"id":"ac-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.3","class":"SP800-53-enhancement","title":"Dynamic Information Flow Control","params":[{"id":"ac-04.03_odp","props":[{"name":"alt-identifier","value":"ac-4.3_prm_1"},{"name":"label","value":"AC-04(03)_ODP","class":"sp800-53a"}],"label":"information flow control policies","guidelines":[{"prose":"information flow control policies to be enforced are defined;"}]}],"props":[{"name":"label","value":"AC-4(3)"},{"name":"label","value":"AC-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.3_smt","name":"statement","prose":"Enforce {{ insert: param, ac-04.03_odp }}."},{"id":"ac-4.3_gdn","name":"guidance","prose":"Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events."},{"id":"ac-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.03_odp }} are enforced.","links":[{"href":"#ac-4.3_smt","rel":"assessment-for"}]},{"id":"ac-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem security architecture and associated documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.4","class":"SP800-53-enhancement","title":"Flow Control of Encrypted Information","params":[{"id":"ac-04.04_odp.01","props":[{"name":"alt-identifier","value":"ac-4.4_prm_1"},{"name":"label","value":"AC-04(04)_ODP[01]","class":"sp800-53a"}],"label":"information flow control mechanisms","guidelines":[{"prose":"information flow control mechanisms that encrypted information is prevented from bypassing are defined;"}]},{"id":"ac-04.04_odp.02","props":[{"name":"alt-identifier","value":"ac-4.4_prm_2"},{"name":"label","value":"AC-04(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["decrypting the information","blocking the flow of the encrypted information","terminating communications sessions attempting to pass encrypted information","{{ insert: param, ac-04.04_odp.03 }} "]}},{"id":"ac-04.04_odp.03","props":[{"name":"alt-identifier","value":"ac-4.4_prm_3"},{"name":"alt-label","value":"procedure or method","class":"sp800-53"},{"name":"label","value":"AC-04(04)_ODP[03]","class":"sp800-53a"}],"label":"organization-defined procedure or method","guidelines":[{"prose":"the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(4)"},{"name":"label","value":"AC-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-4.4_smt","name":"statement","prose":"Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."},{"id":"ac-4.4_gdn","name":"guidance","prose":"Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms."},{"id":"ac-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(04)","class":"sp800-53a"}],"prose":"encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.","links":[{"href":"#ac-4.4_smt","rel":"assessment-for"}]},{"id":"ac-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.5","class":"SP800-53-enhancement","title":"Embedded Data Types","params":[{"id":"ac-04.05_odp","props":[{"name":"alt-identifier","value":"ac-4.5_prm_1"},{"name":"label","value":"AC-04(05)_ODP","class":"sp800-53a"}],"label":"limitations","guidelines":[{"prose":"limitations on embedding data types within other data types are defined;"}]}],"props":[{"name":"label","value":"AC-4(5)"},{"name":"label","value":"AC-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.5_smt","name":"statement","prose":"Enforce {{ insert: param, ac-04.05_odp }} on embedding data types within other data types."},{"id":"ac-4.5_gdn","name":"guidance","prose":"Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools."},{"id":"ac-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types.","links":[{"href":"#ac-4.5_smt","rel":"assessment-for"}]},{"id":"ac-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of limitations to be enforced on embedding data types within other data types\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.6","class":"SP800-53-enhancement","title":"Metadata","params":[{"id":"ac-04.06_odp","props":[{"name":"alt-identifier","value":"ac-4.6_prm_1"},{"name":"label","value":"AC-04(06)_ODP","class":"sp800-53a"}],"label":"metadata","guidelines":[{"prose":"metadata on which to base enforcement of information flow control is defined;"}]}],"props":[{"name":"label","value":"AC-4(6)"},{"name":"label","value":"AC-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ac-4.6_smt","name":"statement","prose":"Enforce information flow control based on {{ insert: param, ac-04.06_odp }}."},{"id":"ac-4.6_gdn","name":"guidance","prose":"Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance)."},{"id":"ac-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(06)","class":"sp800-53a"}],"prose":"information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}.","links":[{"href":"#ac-4.6_smt","rel":"assessment-for"}]},{"id":"ac-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntypes of metadata used to enforce information flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.7","class":"SP800-53-enhancement","title":"One-way Flow Mechanisms","props":[{"name":"label","value":"AC-4(7)"},{"name":"label","value":"AC-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.7_smt","name":"statement","prose":"Enforce one-way information flows through hardware-based flow control mechanisms."},{"id":"ac-4.7_gdn","name":"guidance","prose":"One-way flow mechanisms may also be referred to as a unidirectional network, unidirectional security gateway, or data diode. One-way flow mechanisms can be used to prevent data from being exported from a higher impact or classified domain or system while permitting data from a lower impact or unclassified domain or system to be imported."},{"id":"ac-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(07)","class":"sp800-53a"}],"prose":"one-way information flows are enforced through hardware-based flow control mechanisms.","links":[{"href":"#ac-4.7_smt","rel":"assessment-for"}]},{"id":"ac-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem hardware mechanisms and associated configurations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Hardware mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.8","class":"SP800-53-enhancement","title":"Security and Privacy Policy Filters","params":[{"id":"ac-4.8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-4.8_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.04"}],"label":"organization-defined information flows"},{"id":"ac-4.8_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.08_odp.07"}],"label":"organization-defined security or privacy policy"},{"id":"ac-04.08_odp.01","props":[{"name":"label","value":"AC-04(08)_ODP[01]","class":"sp800-53a"}],"label":"security policy filter","guidelines":[{"prose":"security policy filters to be used as a basis for enforcing information flow control are defined;"}]},{"id":"ac-04.08_odp.02","props":[{"name":"label","value":"AC-04(08)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filter","guidelines":[{"prose":"privacy policy filters to be used as a basis for enforcing information flow control are defined;"}]},{"id":"ac-04.08_odp.03","props":[{"name":"label","value":"AC-04(08)_ODP[03]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows for which information flow control is enforced by security filters are defined;"}]},{"id":"ac-04.08_odp.04","props":[{"name":"label","value":"AC-04(08)_ODP[04]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows for which information flow control is enforced by privacy filters are defined;"}]},{"id":"ac-04.08_odp.05","props":[{"name":"alt-identifier","value":"ac-4.8_prm_3"},{"name":"label","value":"AC-04(08)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block","strip","modify","quarantine"]}},{"id":"ac-04.08_odp.06","props":[{"name":"label","value":"AC-04(08)_ODP[06]","class":"sp800-53a"}],"label":"security policy","guidelines":[{"prose":"security policy identifying actions to be taken after a filter processing failure are defined;"}]},{"id":"ac-04.08_odp.07","props":[{"name":"label","value":"AC-04(08)_ODP[07]","class":"sp800-53a"}],"label":"privacy policy","guidelines":[{"prose":"privacy policy identifying actions to be taken after a filter processing failure are defined;"}]}],"props":[{"name":"label","value":"AC-4(8)"},{"name":"label","value":"AC-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.8_smt","name":"statement","parts":[{"id":"ac-4.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce information flow control using {{ insert: param, ac-4.8_prm_1 }} as a basis for flow control decisions for {{ insert: param, ac-4.8_prm_2 }} ; and"},{"id":"ac-4.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-4.8_prm_4 }}."}]},{"id":"ac-4.8_gdn","name":"guidance","prose":"Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data\/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives."},{"id":"ac-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)","class":"sp800-53a"}],"parts":[{"id":"ac-4.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-4.8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)[01]","class":"sp800-53a"}],"prose":"information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};","links":[{"href":"#ac-4.8_smt.a","rel":"assessment-for"}]},{"id":"ac-4.8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(a)[02]","class":"sp800-53a"}],"prose":"information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};","links":[{"href":"#ac-4.8_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.8_smt.a","rel":"assessment-for"}]},{"id":"ac-4.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(08)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};\n\n{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}.","links":[{"href":"#ac-4.8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.8_smt","rel":"assessment-for"}]},{"id":"ac-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters regulating flow control decisions\n\nlist of privacy policy filters regulating flow control decisions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.9","class":"SP800-53-enhancement","title":"Human Reviews","params":[{"id":"ac-04.09_odp.01","props":[{"name":"alt-identifier","value":"ac-4.9_prm_1"},{"name":"label","value":"AC-04(09)_ODP[01]","class":"sp800-53a"}],"label":"information flows","guidelines":[{"prose":"information flows requiring the use of human reviews are defined;"}]},{"id":"ac-04.09_odp.02","props":[{"name":"alt-identifier","value":"ac-4.9_prm_2"},{"name":"label","value":"AC-04(09)_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which the use of human reviews for information flows are to be enforced are defined;"}]}],"props":[{"name":"label","value":"AC-4(9)"},{"name":"label","value":"AC-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.9_smt","name":"statement","prose":"Enforce the use of human reviews for {{ insert: param, ac-04.09_odp.01 }} under the following conditions: {{ insert: param, ac-04.09_odp.02 }}."},{"id":"ac-4.9_gdn","name":"guidance","prose":"Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations."},{"id":"ac-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(09)","class":"sp800-53a"}],"prose":"human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}.","links":[{"href":"#ac-4.9_smt","rel":"assessment-for"}]},{"id":"ac-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of human reviews regarding information flows\n\nlist of information flows requiring the use of human reviews\n\nlist of conditions requiring human reviews for information flows\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with information flow enforcement responsibilities\n\nsystem developers"}]},{"id":"ac-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms enforcing the use of human reviews"}]}]},{"id":"ac-4.10","class":"SP800-53-enhancement","title":"Enable and Disable Security or Privacy Policy Filters","params":[{"id":"ac-4.10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-4.10_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.10_odp.04"}],"label":"organization-defined conditions"},{"id":"ac-04.10_odp.01","props":[{"name":"label","value":"AC-04(10)_ODP[01]","class":"sp800-53a"}],"label":"security filters","guidelines":[{"prose":"security policy filters that privileged administrators have the capability to enable and disable are defined;"}]},{"id":"ac-04.10_odp.02","props":[{"name":"label","value":"AC-04(10)_ODP[02]","class":"sp800-53a"}],"label":"privacy filters","guidelines":[{"prose":"privacy policy filters that privileged administrators have the capability to enable and disable are defined;"}]},{"id":"ac-04.10_odp.03","props":[{"name":"label","value":"AC-04(10)_ODP[03]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;"}]},{"id":"ac-04.10_odp.04","props":[{"name":"label","value":"AC-04(10)_ODP[04]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;"}]}],"props":[{"name":"label","value":"AC-4(10)"},{"name":"label","value":"AC-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.10_smt","name":"statement","prose":"Provide the capability for privileged administrators to enable and disable {{ insert: param, ac-4.10_prm_1 }} under the following conditions: {{ insert: param, ac-4.10_prm_2 }}."},{"id":"ac-4.10_gdn","name":"guidance","prose":"For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed."},{"id":"ac-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)","class":"sp800-53a"}],"parts":[{"id":"ac-4.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)[01]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};","links":[{"href":"#ac-4.10_smt","rel":"assessment-for"}]},{"id":"ac-4.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(10)[02]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}.","links":[{"href":"#ac-4.10_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.10_smt","rel":"assessment-for"}]},{"id":"ac-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow information policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters enabled\/disabled by privileged administrators\n\nlist of privacy policy filters enabled\/disabled by privileged administrators\n\nlist of approved data types for enabling\/disabling by privileged administrators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for enabling\/disabling security and privacy policy filters\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.11","class":"SP800-53-enhancement","title":"Configuration of Security or Privacy Policy Filters","params":[{"id":"ac-4.11_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.11_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.11_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.11_odp.01","props":[{"name":"label","value":"AC-04(11)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;"}]},{"id":"ac-04.11_odp.02","props":[{"name":"label","value":"AC-04(11)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;"}]}],"props":[{"name":"label","value":"AC-4(11)"},{"name":"label","value":"AC-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.11_smt","name":"statement","prose":"Provide the capability for privileged administrators to configure {{ insert: param, ac-4.11_prm_1 }} to support different security or privacy policies."},{"id":"ac-4.11_gdn","name":"guidance","prose":"Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations."},{"id":"ac-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)","class":"sp800-53a"}],"parts":[{"id":"ac-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)[01]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;","links":[{"href":"#ac-4.11_smt","rel":"assessment-for"}]},{"id":"ac-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(11)[02]","class":"sp800-53a"}],"prose":"capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies.","links":[{"href":"#ac-4.11_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.11_smt","rel":"assessment-for"}]},{"id":"ac-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filters\n\nlist of privacy policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for configuring security and privacy policy filters\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.12","class":"SP800-53-enhancement","title":"Data Type Identifiers","params":[{"id":"ac-04.12_odp","props":[{"name":"alt-identifier","value":"ac-4.12_prm_1"},{"name":"label","value":"AC-04(12)_ODP","class":"sp800-53a"}],"label":"data type identifiers","guidelines":[{"prose":"data type identifiers to be used to validate data essential for information flow decisions are defined;"}]}],"props":[{"name":"label","value":"AC-4(12)"},{"name":"label","value":"AC-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.12_smt","name":"statement","prose":"When transferring information between different security domains, use {{ insert: param, ac-04.12_odp }} to validate data essential for information flow decisions."},{"id":"ac-4.12_gdn","name":"guidance","prose":"Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type."},{"id":"ac-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(12)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions.","links":[{"href":"#ac-4.12_smt","rel":"assessment-for"}]},{"id":"ac-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of data type identifiers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.13","class":"SP800-53-enhancement","title":"Decomposition into Policy-relevant Subcomponents","params":[{"id":"ac-04.13_odp","props":[{"name":"alt-identifier","value":"ac-4.13_prm_1"},{"name":"label","value":"AC-04(13)_ODP","class":"sp800-53a"}],"label":"policy-relevant subcomponents","guidelines":[{"prose":"policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-4(13)"},{"name":"label","value":"AC-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.13_smt","name":"statement","prose":"When transferring information between different security domains, decompose information into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms."},{"id":"ac-4.13_gdn","name":"guidance","prose":"Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and\/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains."},{"id":"ac-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(13)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.","links":[{"href":"#ac-4.13_smt","rel":"assessment-for"}]},{"id":"ac-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.14","class":"SP800-53-enhancement","title":"Security or Privacy Policy Filter Constraints","params":[{"id":"ac-4.14_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.14_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.14_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.14_odp.01","props":[{"name":"label","value":"AC-04(14)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters to be implemented that require fully enumerated formats restricting data structure and content have been defined;"}]},{"id":"ac-04.14_odp.02","props":[{"name":"label","value":"AC-04(14)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;"}]}],"props":[{"name":"label","value":"AC-4(14)"},{"name":"label","value":"AC-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.14_smt","name":"statement","prose":"When transferring information between different security domains, implement {{ insert: param, ac-4.14_prm_1 }} requiring fully enumerated formats that restrict data structure and content."},{"id":"ac-4.14_gdn","name":"guidance","prose":"Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures."},{"id":"ac-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)","class":"sp800-53a"}],"parts":[{"id":"ac-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;","links":[{"href":"#ac-4.14_smt","rel":"assessment-for"}]},{"id":"ac-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(14)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content.","links":[{"href":"#ac-4.14_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.14_smt","rel":"assessment-for"}]},{"id":"ac-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security and privacy policy filters\n\nlist of data structure policy filters\n\nlist of data content policy filters\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy\n\nsecurity and privacy policy filters"}]}]},{"id":"ac-4.15","class":"SP800-53-enhancement","title":"Detection of Unsanctioned Information","params":[{"id":"ac-4.15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.15_odp.03"}],"label":"organization-defined security or privacy policy"},{"id":"ac-04.15_odp.01","props":[{"name":"alt-identifier","value":"ac-4.15_prm_1"},{"name":"label","value":"AC-04(15)_ODP[01]","class":"sp800-53a"}],"label":"unsanctioned information","guidelines":[{"prose":"unsanctioned information to be detected is defined;"}]},{"id":"ac-04.15_odp.02","props":[{"name":"label","value":"AC-04(15)_ODP[02]","class":"sp800-53a"}],"label":"security policy","guidelines":[{"prose":"security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);"}]},{"id":"ac-04.15_odp.03","props":[{"name":"label","value":"AC-04(15)_ODP[03]","class":"sp800-53a"}],"label":"privacy policy","guidelines":[{"prose":"privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(15)"},{"name":"label","value":"AC-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ac-4.15_smt","name":"statement","prose":"When transferring information between different security domains, examine the information for the presence of {{ insert: param, ac-04.15_odp.01 }} and prohibit the transfer of such information in accordance with the {{ insert: param, ac-4.15_prm_2 }}."},{"id":"ac-4.15_gdn","name":"guidance","prose":"Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network."},{"id":"ac-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)","class":"sp800-53a"}],"parts":[{"id":"ac-4.15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};","links":[{"href":"#ac-4.15_smt","rel":"assessment-for"}]},{"id":"ac-4.15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};","links":[{"href":"#ac-4.15_smt","rel":"assessment-for"}]},{"id":"ac-4.15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-04(15)[03]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}.","links":[{"href":"#ac-4.15_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.15_smt","rel":"assessment-for"}]},{"id":"ac-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unsanctioned information types and associated information\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.16","class":"SP800-53-enhancement","title":"Information Transfers on Interconnected Systems","props":[{"name":"label","value":"AC-4(16)"},{"name":"label","value":"AC-04(16)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.16"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-4","rel":"incorporated-into"}]},{"id":"ac-4.17","class":"SP800-53-enhancement","title":"Domain Authentication","params":[{"id":"ac-04.17_odp","props":[{"name":"alt-identifier","value":"ac-4.17_prm_1"},{"name":"label","value":"AC-04(17)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization, system, application, service, individual"]}}],"props":[{"name":"label","value":"AC-4(17)"},{"name":"label","value":"AC-04(17)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-9","rel":"related"}],"parts":[{"id":"ac-4.17_smt","name":"statement","prose":"Uniquely identify and authenticate source and destination points by {{ insert: param, ac-04.17_odp }} for information transfer."},{"id":"ac-4.17_gdn","name":"guidance","prose":"Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals."},{"id":"ac-4.17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(17)","class":"sp800-53a"}],"prose":"source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer.","links":[{"href":"#ac-4.17_smt","rel":"assessment-for"}]},{"id":"ac-4.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nprocedures addressing source and destination domain identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system labels\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement policy"}]}]},{"id":"ac-4.18","class":"SP800-53-enhancement","title":"Security Attribute Binding","props":[{"name":"label","value":"AC-4(18)"},{"name":"label","value":"AC-04(18)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.18"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-16","rel":"incorporated-into"}]},{"id":"ac-4.19","class":"SP800-53-enhancement","title":"Validation of Metadata","params":[{"id":"ac-4.19_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.19_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.19_odp.02"}],"label":"organization-defined security or privacy policy filters"},{"id":"ac-04.19_odp.01","props":[{"name":"label","value":"AC-04(19)_ODP[01]","class":"sp800-53a"}],"label":"security policy filters","guidelines":[{"prose":"security policy filters to be implemented on metadata are defined (if selected);"}]},{"id":"ac-04.19_odp.02","props":[{"name":"label","value":"AC-04(19)_ODP[02]","class":"sp800-53a"}],"label":"privacy policy filters","guidelines":[{"prose":"privacy policy filters to be implemented on metadata are defined (if selected);"}]}],"props":[{"name":"label","value":"AC-4(19)"},{"name":"label","value":"AC-04(19)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.19_smt","name":"statement","prose":"When transferring information between different security domains, implement {{ insert: param, ac-4.19_prm_1 }} on metadata."},{"id":"ac-4.19_gdn","name":"guidance","prose":"All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload."},{"id":"ac-4.19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)","class":"sp800-53a"}],"parts":[{"id":"ac-4.19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;","links":[{"href":"#ac-4.19_smt","rel":"assessment-for"}]},{"id":"ac-4.19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(19)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata.","links":[{"href":"#ac-4.19_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.19_smt","rel":"assessment-for"}]},{"id":"ac-4.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security policy filtering criteria applied to metadata and data payloads\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-4.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers"}]},{"id":"ac-4.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nsecurity and policy filters"}]}]},{"id":"ac-4.20","class":"SP800-53-enhancement","title":"Approved Solutions","params":[{"id":"ac-04.20_odp.01","props":[{"name":"alt-identifier","value":"ac-4.20_prm_1"},{"name":"label","value":"AC-04(20)_ODP[01]","class":"sp800-53a"}],"label":"solutions in approved configurations","guidelines":[{"prose":"solutions in approved configurations to control the flow of information across security domains are defined;"}]},{"id":"ac-04.20_odp.02","props":[{"name":"alt-identifier","value":"ac-4.20_prm_2"},{"name":"label","value":"AC-04(20)_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be controlled when it flows across security domains is defined;"}]}],"props":[{"name":"label","value":"AC-4(20)"},{"name":"label","value":"AC-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.20_smt","name":"statement","prose":"Employ {{ insert: param, ac-04.20_odp.01 }} to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains."},{"id":"ac-4.20_gdn","name":"guidance","prose":"Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information."},{"id":"ac-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(20)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.","links":[{"href":"#ac-4.20_smt","rel":"assessment-for"}]},{"id":"ac-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of solutions in approved configurations\n\napproved configuration baselines\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.21","class":"SP800-53-enhancement","title":"Physical or Logical Separation of Information Flows","params":[{"id":"ac-4.21_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.21_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-04.21_odp.02"}],"label":"organization-defined mechanisms and\/or techniques"},{"id":"ac-04.21_odp.01","props":[{"name":"label","value":"AC-04(21)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms and\/or techniques","guidelines":[{"prose":"mechanisms and\/or techniques used to logically separate information flows are defined (if selected);"}]},{"id":"ac-04.21_odp.02","props":[{"name":"label","value":"AC-04(21)_ODP[02]","class":"sp800-53a"}],"label":"mechanisms and\/or techniques","guidelines":[{"prose":"mechanisms and\/or techniques used to physically separate information flows are defined (if selected);"}]},{"id":"ac-04.21_odp.03","props":[{"name":"alt-identifier","value":"ac-4.21_prm_2"},{"name":"alt-label","value":"required separations by types of information","class":"sp800-53"},{"name":"label","value":"AC-04(21)_ODP[03]","class":"sp800-53a"}],"label":"required separations","guidelines":[{"prose":"required separations by types of information are defined;"}]}],"props":[{"name":"label","value":"AC-4(21)"},{"name":"label","value":"AC-04(21)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#sc-32","rel":"related"}],"parts":[{"id":"ac-4.21_smt","name":"statement","prose":"Separate information flows logically or physically using {{ insert: param, ac-4.21_prm_1 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}."},{"id":"ac-4.21_gdn","name":"guidance","prose":"Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels."},{"id":"ac-4.21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)","class":"sp800-53a"}],"parts":[{"id":"ac-4.21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)[01]","class":"sp800-53a"}],"prose":"information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};","links":[{"href":"#ac-4.21_smt","rel":"assessment-for"}]},{"id":"ac-4.21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(21)[02]","class":"sp800-53a"}],"prose":"information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.","links":[{"href":"#ac-4.21_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.21_smt","rel":"assessment-for"}]},{"id":"ac-4.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\ninformation flow control policies\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of required separation of information flows by information types\n\nlist of mechanisms and\/or techniques used to logically or physically separate information flows\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-4.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.22","class":"SP800-53-enhancement","title":"Access Only","props":[{"name":"label","value":"AC-4(22)"},{"name":"label","value":"AC-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.22_smt","name":"statement","prose":"Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains."},{"id":"ac-4.22_gdn","name":"guidance","prose":"The system provides a capability for users to access each connected security domain without providing any mechanisms to allow users to transfer data or information between the different security domains. An example of an access-only solution is a terminal that provides a user access to information with different security classifications while assuredly keeping the information separate."},{"id":"ac-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(22)","class":"sp800-53a"}],"prose":"access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.","links":[{"href":"#ac-4.22_smt","rel":"assessment-for"}]},{"id":"ac-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.23","class":"SP800-53-enhancement","title":"Modify Non-releasable Information","params":[{"id":"ac-04.23_odp","props":[{"name":"alt-identifier","value":"ac-4.23_prm_1"},{"name":"label","value":"AC-04(23)_ODP","class":"sp800-53a"}],"label":"modification action","guidelines":[{"prose":"modification action implemented on non-releasable information is defined;"}]}],"props":[{"name":"label","value":"AC-4(23)"},{"name":"label","value":"AC-04(23)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.23_smt","name":"statement","prose":"When transferring information between different security domains, modify non-releasable information by implementing {{ insert: param, ac-04.23_odp }}."},{"id":"ac-4.23_gdn","name":"guidance","prose":"Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction."},{"id":"ac-4.23_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(23)","class":"sp800-53a"}],"prose":"when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}.","links":[{"href":"#ac-4.23_smt","rel":"assessment-for"}]},{"id":"ac-4.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.24","class":"SP800-53-enhancement","title":"Internal Normalized Format","props":[{"name":"label","value":"AC-4(24)"},{"name":"label","value":"AC-04(24)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.24_smt","name":"statement","prose":"When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification."},{"id":"ac-4.24_gdn","name":"guidance","prose":"Converting data into normalized forms is one of most of effective mechanisms to stop malicious attacks and large classes of data exfiltration."},{"id":"ac-4.24_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)","class":"sp800-53a"}],"parts":[{"id":"ac-4.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, incoming data is parsed into an internal, normalized format;","links":[{"href":"#ac-4.24_smt","rel":"assessment-for"}]},{"id":"ac-4.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(24)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.","links":[{"href":"#ac-4.24_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.24_smt","rel":"assessment-for"}]},{"id":"ac-4.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.25","class":"SP800-53-enhancement","title":"Data Sanitization","params":[{"id":"ac-04.25_odp.01","props":[{"name":"alt-identifier","value":"ac-4.25_prm_1"},{"name":"label","value":"AC-04(25)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data","spillage of sensitive information"]}},{"id":"ac-04.25_odp.02","props":[{"name":"alt-identifier","value":"ac-4.25_prm_2"},{"name":"label","value":"AC-04(25)_ODP[02]","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"policy for sanitizing data is defined;"}]}],"props":[{"name":"label","value":"AC-4(25)"},{"name":"label","value":"AC-04(25)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-4.25_smt","name":"statement","prose":"When transferring information between different security domains, sanitize data to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}."},{"id":"ac-4.25_gdn","name":"guidance","prose":"Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory\/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form."},{"id":"ac-4.25_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(25)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.","links":[{"href":"#ac-4.25_smt","rel":"assessment-for"}]},{"id":"ac-4.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.26","class":"SP800-53-enhancement","title":"Audit Filtering Actions","props":[{"name":"label","value":"AC-4(26)"},{"name":"label","value":"AC-04(26)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-4.26_smt","name":"statement","prose":"When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered."},{"id":"ac-4.26_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and\/or why it failed the filtering process. Audit events are defined in [AU-2](#au-2) . Audit records are generated in [AU-12](#au-12)."},{"id":"ac-4.26_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)","class":"sp800-53a"}],"parts":[{"id":"ac-4.26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)[01]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, content-filtering actions are recorded and audited;","links":[{"href":"#ac-4.26_smt","rel":"assessment-for"}]},{"id":"ac-4.26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(26)[02]","class":"sp800-53a"}],"prose":"when transferring information between different security domains, results for the information being filtered are recorded and audited.","links":[{"href":"#ac-4.26_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.26_smt","rel":"assessment-for"}]},{"id":"ac-4.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering\n\nmechanisms recording and auditing content filtering"}]}]},{"id":"ac-4.27","class":"SP800-53-enhancement","title":"Redundant\/Independent Filtering Mechanisms","props":[{"name":"label","value":"AC-4(27)"},{"name":"label","value":"AC-04(27)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.27_smt","name":"statement","prose":"When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type."},{"id":"ac-4.27_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Redundant and independent content filtering eliminates a single point of failure filtering system. Independence is defined as the implementation of a content filter that uses a different code base and supporting libraries (e.g., two JPEG filters using different vendors’ JPEG libraries) and multiple, independent system processes."},{"id":"ac-4.27_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(27)","class":"sp800-53a"}],"prose":"when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.","links":[{"href":"#ac-4.27_smt","rel":"assessment-for"}]},{"id":"ac-4.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.28","class":"SP800-53-enhancement","title":"Linear Filter Pipelines","props":[{"name":"label","value":"AC-4(28)"},{"name":"label","value":"AC-04(28)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.28_smt","name":"statement","prose":"When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls."},{"id":"ac-4.28_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. The use of linear content filter pipelines ensures that filter processes are non-bypassable and always invoked. In general, the use of parallel filtering architectures for content filtering of a single data type introduces bypass and non-invocation issues."},{"id":"ac-4.28_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(28)","class":"sp800-53a"}],"prose":"when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.","links":[{"href":"#ac-4.28_smt","rel":"assessment-for"}]},{"id":"ac-4.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing linear content filters"}]}]},{"id":"ac-4.29","class":"SP800-53-enhancement","title":"Filter Orchestration Engines","params":[{"id":"ac-04.29_odp","props":[{"name":"alt-identifier","value":"ac-4.29_prm_1"},{"name":"label","value":"AC-04(29)_ODP","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"policy for content-filtering actions is defined;"}]}],"props":[{"name":"label","value":"AC-4(29)"},{"name":"label","value":"AC-04(29)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.29_smt","name":"statement","prose":"When transferring information between different security domains, employ content filter orchestration engines to ensure that:","parts":[{"id":"ac-4.29_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Content filtering mechanisms successfully complete execution without errors; and"},{"id":"ac-4.29_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Content filtering actions occur in the correct order and comply with {{ insert: param, ac-04.29_odp }}."}]},{"id":"ac-4.29_gdn","name":"guidance","prose":"Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined security policy. An orchestration engine coordinates the sequencing of activities (manual and automated) in a content filtering process. Errors are defined as either anomalous actions or unexpected termination of the content filter process. This is not the same as a filter failing content due to non-compliance with policy. Content filter reports are a commonly used mechanism to ensure that expected filtering actions are completed successfully."},{"id":"ac-4.29_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)","class":"sp800-53a"}],"parts":[{"id":"ac-4.29_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(a)","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;","links":[{"href":"#ac-4.29_smt.a","rel":"assessment-for"}]},{"id":"ac-4.29_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-4.29_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)[01]","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;","links":[{"href":"#ac-4.29_smt.b","rel":"assessment-for"}]},{"id":"ac-4.29_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-04(29)(b)[02]","class":"sp800-53a"}],"prose":"when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}.","links":[{"href":"#ac-4.29_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.29_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.29_smt","rel":"assessment-for"}]},{"id":"ac-4.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filter orchestration engines"}]}]},{"id":"ac-4.30","class":"SP800-53-enhancement","title":"Filter Mechanisms Using Multiple Processes","props":[{"name":"label","value":"AC-4(30)"},{"name":"label","value":"AC-04(30)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.30_smt","name":"statement","prose":"When transferring information between different security domains, implement content filtering mechanisms using multiple processes."},{"id":"ac-4.30_gdn","name":"guidance","prose":"The use of multiple processes to implement content filtering mechanisms reduces the likelihood of a single point of failure."},{"id":"ac-4.30_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(30)","class":"sp800-53a"}],"prose":"when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.","links":[{"href":"#ac-4.30_smt","rel":"assessment-for"}]},{"id":"ac-4.30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(30)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(30)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(30)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering"}]}]},{"id":"ac-4.31","class":"SP800-53-enhancement","title":"Failed Content Transfer Prevention","props":[{"name":"label","value":"AC-4(31)"},{"name":"label","value":"AC-04(31)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.31_smt","name":"statement","prose":"When transferring information between different security domains, prevent the transfer of failed content to the receiving domain."},{"id":"ac-4.31_gdn","name":"guidance","prose":"Content that failed filtering checks can corrupt the system if transferred to the receiving domain."},{"id":"ac-4.31_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(31)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.","links":[{"href":"#ac-4.31_smt","rel":"assessment-for"}]},{"id":"ac-4.31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(31)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(31)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(31)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions"}]}]},{"id":"ac-4.32","class":"SP800-53-enhancement","title":"Process Requirements for Information Transfer","props":[{"name":"label","value":"AC-4(32)"},{"name":"label","value":"AC-04(32)","class":"sp800-53a"},{"name":"sort-id","value":"ac-04.32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-4","rel":"required"}],"parts":[{"id":"ac-4.32_smt","name":"statement","prose":"When transferring information between different security domains, the process that transfers information between filter pipelines:","parts":[{"id":"ac-4.32_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Does not filter message content;"},{"id":"ac-4.32_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Validates filtering metadata;"},{"id":"ac-4.32_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Ensures the content associated with the filtering metadata has successfully completed filtering; and"},{"id":"ac-4.32_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Transfers the content to the destination filter pipeline."}]},{"id":"ac-4.32_gdn","name":"guidance","prose":"The processes transferring information between filter pipelines have minimum complexity and functionality to provide assurance that the processes operate correctly."},{"id":"ac-4.32_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)","class":"sp800-53a"}],"parts":[{"id":"ac-4.32_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(a)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;","links":[{"href":"#ac-4.32_smt.a","rel":"assessment-for"}]},{"id":"ac-4.32_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(b)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;","links":[{"href":"#ac-4.32_smt.b","rel":"assessment-for"}]},{"id":"ac-4.32_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(c)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;","links":[{"href":"#ac-4.32_smt.c","rel":"assessment-for"}]},{"id":"ac-4.32_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-04(32)(d)","class":"sp800-53a"}],"prose":"when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.","links":[{"href":"#ac-4.32_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-4.32_smt","rel":"assessment-for"}]},{"id":"ac-4.32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-04(32)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information flow enforcement policy\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-4.32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-04(32)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information flow enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-4.32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-04(32)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing information flow enforcement functions\n\nmechanisms implementing content filtering"}]}]}]},{"id":"ac-5","class":"SP800-53","title":"Separation of Duties","params":[{"id":"ac-05_odp","props":[{"name":"alt-identifier","value":"ac-5_prm_1"},{"name":"alt-label","value":"duties of individuals requiring separation","class":"sp800-53"},{"name":"label","value":"AC-05_ODP","class":"sp800-53a"}],"label":"duties of individuals","guidelines":[{"prose":"duties of individuals requiring separation are defined;"}]}],"props":[{"name":"label","value":"AC-5"},{"name":"label","value":"AC-05","class":"sp800-53a"},{"name":"sort-id","value":"ac-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"ac-5_smt","name":"statement","parts":[{"id":"ac-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document {{ insert: param, ac-05_odp }} ; and"},{"id":"ac-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define system access authorizations to support separation of duties."}]},{"id":"ac-5_gdn","name":"guidance","prose":"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in [AC-2](#ac-2) , access control mechanisms in [AC-3](#ac-3) , and identity management activities in [IA-2](#ia-2), [IA-4](#ia-4) , and [IA-12](#ia-12)."},{"id":"ac-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-05","class":"sp800-53a"}],"parts":[{"id":"ac-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-05a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-05_odp }} are identified and documented;","links":[{"href":"#ac-5_smt.a","rel":"assessment-for"}]},{"id":"ac-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-05b.","class":"sp800-53a"}],"prose":"system access authorizations to support separation of duties are defined.","links":[{"href":"#ac-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-5_smt","rel":"assessment-for"}]},{"id":"ac-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing divisions of responsibility and separation of duties\n\nsystem configuration settings and associated documentation\n\nlist of divisions of responsibility and separation of duties\n\nsystem access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing separation of duties policy"}]}]},{"id":"ac-6","class":"SP800-53","title":"Least Privilege","props":[{"name":"label","value":"AC-6"},{"name":"label","value":"AC-06","class":"sp800-53a"},{"name":"sort-id","value":"ac-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"ac-6_smt","name":"statement","prose":"Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."},{"id":"ac-6_gdn","name":"guidance","prose":"Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems."},{"id":"ac-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06","class":"sp800-53a"}],"prose":"the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.","links":[{"href":"#ac-6_smt","rel":"assessment-for"}]},{"id":"ac-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of assigned access authorizations (user privileges)\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}],"controls":[{"id":"ac-6.1","class":"SP800-53-enhancement","title":"Authorize Access to Security Functions","params":[{"id":"ac-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-06.01_odp.04"}],"label":"organization-defined security functions (deployed in hardware, software, and firmware)"},{"id":"ac-06.01_odp.01","props":[{"name":"alt-identifier","value":"ac-6.1_prm_1"},{"name":"alt-label","value":"individuals or roles","class":"sp800-53"},{"name":"label","value":"AC-06(01)_ODP[01]","class":"sp800-53a"}],"label":"individuals and roles","guidelines":[{"prose":"individuals and roles with authorized access to security functions and security-relevant information are defined;"}]},{"id":"ac-06.01_odp.02","props":[{"name":"label","value":"AC-06(01)_ODP[02]","class":"sp800-53a"}],"label":"security functions (deployed in hardware)","guidelines":[{"prose":"security functions (deployed in hardware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.03","props":[{"name":"label","value":"AC-06(01)_ODP[03]","class":"sp800-53a"}],"label":"security functions (deployed in software)","guidelines":[{"prose":"security functions (deployed in software) for authorized access are defined;"}]},{"id":"ac-06.01_odp.04","props":[{"name":"label","value":"AC-06(01)_ODP[04]","class":"sp800-53a"}],"label":"security functions (deployed in firmware)","guidelines":[{"prose":"security functions (deployed in firmware) for authorized access are defined;"}]},{"id":"ac-06.01_odp.05","props":[{"name":"alt-identifier","value":"ac-6.1_prm_3"},{"name":"label","value":"AC-06(01)_ODP[05]","class":"sp800-53a"}],"label":"security-relevant information","guidelines":[{"prose":"security-relevant information for authorized access is defined;"}]}],"props":[{"name":"label","value":"AC-6(1)"},{"name":"label","value":"AC-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#pe-2","rel":"related"}],"parts":[{"id":"ac-6.1_smt","name":"statement","prose":"Authorize access for {{ insert: param, ac-06.01_odp.01 }} to:","parts":[{"id":"ac-6.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, ac-6.1_prm_2 }} ; and"},{"id":"ac-6.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, ac-06.01_odp.05 }}."}]},{"id":"ac-6.1_gdn","name":"guidance","prose":"Security functions include establishing system accounts, configuring access authorizations (i.e., permissions, privileges), configuring settings for events to be audited, and establishing intrusion detection parameters. Security-relevant information includes filtering rules for routers or firewalls, configuration parameters for security services, cryptographic key management information, and access control lists. Authorized personnel include security administrators, system administrators, system security officers, system programmers, and other privileged users."},{"id":"ac-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-6.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[01]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[02]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(a)[03]","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};","links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt.a","rel":"assessment-for"}]},{"id":"ac-6.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(01)(b)","class":"sp800-53a"}],"prose":"access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.","links":[{"href":"#ac-6.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.1_smt","rel":"assessment-for"}]},{"id":"ac-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.2","class":"SP800-53-enhancement","title":"Non-privileged Access for Nonsecurity Functions","params":[{"id":"ac-06.02_odp","props":[{"name":"alt-identifier","value":"ac-6.2_prm_1"},{"name":"label","value":"AC-06(02)_ODP","class":"sp800-53a"}],"label":"security functions or security-relevant information","guidelines":[{"prose":"security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;"}]}],"props":[{"name":"label","value":"AC-6(2)"},{"name":"label","value":"AC-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-6.2_smt","name":"statement","prose":"Require that users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} use non-privileged accounts or roles, when accessing nonsecurity functions."},{"id":"ac-6.2_gdn","name":"guidance","prose":"Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account."},{"id":"ac-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(02)","class":"sp800-53a"}],"prose":"users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.","links":[{"href":"#ac-6.2_smt","rel":"assessment-for"}]},{"id":"ac-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated security functions or security-relevant information assigned to system accounts or roles\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.3","class":"SP800-53-enhancement","title":"Network Access to Privileged Commands","params":[{"id":"ac-06.03_odp.01","props":[{"name":"alt-identifier","value":"ac-6.3_prm_1"},{"name":"label","value":"AC-06(03)_ODP[01]","class":"sp800-53a"}],"label":"privileged commands","guidelines":[{"prose":"privileged commands to which network access is to be authorized only for compelling operational needs are defined;"}]},{"id":"ac-06.03_odp.02","props":[{"name":"alt-identifier","value":"ac-6.3_prm_2"},{"name":"label","value":"AC-06(03)_ODP[02]","class":"sp800-53a"}],"label":"compelling operational needs","guidelines":[{"prose":"compelling operational needs necessitating network access to privileged commands are defined;"}]}],"props":[{"name":"label","value":"AC-6(3)"},{"name":"label","value":"AC-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"ac-6.3_smt","name":"statement","prose":"Authorize network access to {{ insert: param, ac-06.03_odp.01 }} only for {{ insert: param, ac-06.03_odp.02 }} and document the rationale for such access in the security plan for the system."},{"id":"ac-6.3_gdn","name":"guidance","prose":"Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device)."},{"id":"ac-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)","class":"sp800-53a"}],"parts":[{"id":"ac-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[01]","class":"sp800-53a"}],"prose":"network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};","links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]},{"id":"ac-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-06(03)[02]","class":"sp800-53a"}],"prose":"the rationale for authorizing network access to privileged commands is documented in the security plan for the system.","links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.3_smt","rel":"assessment-for"}]},{"id":"ac-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of operational needs for authorizing network access to privileged commands\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.4","class":"SP800-53-enhancement","title":"Separate Processing Domains","props":[{"name":"label","value":"AC-6(4)"},{"name":"label","value":"AC-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"ac-6.4_smt","name":"statement","prose":"Provide separate processing domains to enable finer-grained allocation of user privileges."},{"id":"ac-6.4_gdn","name":"guidance","prose":"Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms."},{"id":"ac-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(04)","class":"sp800-53a"}],"prose":"separate processing domains are provided to enable finer-grain allocation of user privileges.","links":[{"href":"#ac-6.4_smt","rel":"assessment-for"}]},{"id":"ac-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.5","class":"SP800-53-enhancement","title":"Privileged Accounts","params":[{"id":"ac-06.05_odp","props":[{"name":"alt-identifier","value":"ac-6.5_prm_1"},{"name":"label","value":"AC-06(05)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to which privileged accounts on the system are to be restricted is\/are defined;"}]}],"props":[{"name":"label","value":"AC-6(5)"},{"name":"label","value":"AC-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"}],"parts":[{"id":"ac-6.5_smt","name":"statement","prose":"Restrict privileged accounts on the system to {{ insert: param, ac-06.05_odp }}."},{"id":"ac-6.5_gdn","name":"guidance","prose":"Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk."},{"id":"ac-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(05)","class":"sp800-53a"}],"prose":"privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.","links":[{"href":"#ac-6.5_smt","rel":"assessment-for"}]},{"id":"ac-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of system administration personnel\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions"}]}]},{"id":"ac-6.6","class":"SP800-53-enhancement","title":"Privileged Access by Non-organizational Users","props":[{"name":"label","value":"AC-6(6)"},{"name":"label","value":"AC-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ac-6.6_smt","name":"statement","prose":"Prohibit privileged access to the system by non-organizational users."},{"id":"ac-6.6_gdn","name":"guidance","prose":"An organizational user is an employee or an individual considered by the organization to have the equivalent status of an employee. Organizational users include contractors, guest researchers, or individuals detailed from other organizations. A non-organizational user is a user who is not an organizational user. Policies and procedures for granting equivalent status of employees to individuals include a need-to-know, citizenship, and the relationship to the organization."},{"id":"ac-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(06)","class":"sp800-53a"}],"prose":"privileged access to the system by non-organizational users is prohibited.","links":[{"href":"#ac-6.6_smt","rel":"assessment-for"}]},{"id":"ac-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated privileged accounts\n\nlist of non-organizational users\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting privileged access to the system"}]}]},{"id":"ac-6.7","class":"SP800-53-enhancement","title":"Review of User Privileges","params":[{"id":"ac-06.07_odp.01","props":[{"name":"alt-identifier","value":"ac-6.7_prm_1"},{"name":"label","value":"AC-06(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the privileges assigned to roles or classes of users is defined;"}]},{"id":"ac-06.07_odp.02","props":[{"name":"alt-identifier","value":"ac-6.7_prm_2"},{"name":"alt-label","value":"roles or classes of users","class":"sp800-53"},{"name":"label","value":"AC-06(07)_ODP[02]","class":"sp800-53a"}],"label":"roles and classes","guidelines":[{"prose":"roles or classes of users to which privileges are assigned are defined;"}]}],"props":[{"name":"label","value":"AC-6(7)"},{"name":"label","value":"AC-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"ac-6.7_smt","name":"statement","parts":[{"id":"ac-6.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review {{ insert: param, ac-06.07_odp.01 }} the privileges assigned to {{ insert: param, ac-06.07_odp.02 }} to validate the need for such privileges; and"},{"id":"ac-6.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs."}]},{"id":"ac-6.7_gdn","name":"guidance","prose":"The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions."},{"id":"ac-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)","class":"sp800-53a"}],"parts":[{"id":"ac-6.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(a)","class":"sp800-53a"}],"prose":"privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;","links":[{"href":"#ac-6.7_smt.a","rel":"assessment-for"}]},{"id":"ac-6.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-06(07)(b)","class":"sp800-53a"}],"prose":"privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.","links":[{"href":"#ac-6.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-6.7_smt","rel":"assessment-for"}]},{"id":"ac-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of system-generated roles or classes of users and assigned privileges\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation reviews of privileges assigned to roles or classes or users\n\nrecords of privilege removals or reassignments for roles or classes of users\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ac-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing review of user privileges"}]}]},{"id":"ac-6.8","class":"SP800-53-enhancement","title":"Privilege Levels for Code Execution","params":[{"id":"ac-06.08_odp","props":[{"name":"alt-identifier","value":"ac-6.8_prm_1"},{"name":"label","value":"AC-06(08)_ODP","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prevented from executing at higher privilege levels than users executing the software is defined;"}]}],"props":[{"name":"label","value":"AC-6(8)"},{"name":"label","value":"AC-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.8_smt","name":"statement","prose":"Prevent the following software from executing at higher privilege levels than users executing the software: {{ insert: param, ac-06.08_odp }}."},{"id":"ac-6.8_gdn","name":"guidance","prose":"In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned."},{"id":"ac-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(08)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.","links":[{"href":"#ac-6.8_smt","rel":"assessment-for"}]},{"id":"ac-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nlist of software that should not execute at higher privilege levels than users executing software\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for software execution"}]}]},{"id":"ac-6.9","class":"SP800-53-enhancement","title":"Log Use of Privileged Functions","props":[{"name":"label","value":"AC-6(9)"},{"name":"label","value":"AC-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ac-6.9_smt","name":"statement","prose":"Log the execution of privileged functions."},{"id":"ac-6.9_gdn","name":"guidance","prose":"The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."},{"id":"ac-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(09)","class":"sp800-53a"}],"prose":"the execution of privileged functions is logged.","links":[{"href":"#ac-6.9_smt","rel":"assessment-for"}]},{"id":"ac-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions to be audited\n\nlist of audited events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ac-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms auditing the execution of least privilege functions"}]}]},{"id":"ac-6.10","class":"SP800-53-enhancement","title":"Prohibit Non-privileged Users from Executing Privileged Functions","props":[{"name":"label","value":"AC-6(10)"},{"name":"label","value":"AC-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-06.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"required"}],"parts":[{"id":"ac-6.10_smt","name":"statement","prose":"Prevent non-privileged users from executing privileged functions."},{"id":"ac-6.10_gdn","name":"guidance","prose":"Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by [AC-3](#ac-3)."},{"id":"ac-6.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-06(10)","class":"sp800-53a"}],"prose":"non-privileged users are prevented from executing privileged functions.","links":[{"href":"#ac-6.10_smt","rel":"assessment-for"}]},{"id":"ac-6.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-06(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing least privilege\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of privileged functions and associated user account assignments\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-6.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-06(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-6.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-06(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing least privilege functions for non-privileged users"}]}]}]},{"id":"ac-7","class":"SP800-53","title":"Unsuccessful Logon Attempts","params":[{"id":"ac-07_odp.01","props":[{"name":"alt-identifier","value":"ac-7_prm_1"},{"name":"label","value":"AC-07_ODP[01]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive invalid logon attempts by a user allowed during a time period is defined;"}]},{"id":"ac-07_odp.02","props":[{"name":"alt-identifier","value":"ac-7_prm_2"},{"name":"label","value":"AC-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;"}]},{"id":"ac-07_odp.03","props":[{"name":"alt-identifier","value":"ac-7_prm_3"},{"name":"label","value":"AC-07_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["lock the account or node for {{ insert: param, ac-07_odp.04 }} ","lock the account or node until released by an administrator","delay next logon prompt per {{ insert: param, ac-07_odp.05 }} ","notify system administrator","take other {{ insert: param, ac-07_odp.06 }} "]}},{"id":"ac-07_odp.04","props":[{"name":"alt-identifier","value":"ac-7_prm_4"},{"name":"label","value":"AC-07_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for an account or node to be locked is defined (if selected);"}]},{"id":"ac-07_odp.05","props":[{"name":"alt-identifier","value":"ac-7_prm_5"},{"name":"label","value":"AC-07_ODP[05]","class":"sp800-53a"}],"label":"delay algorithm","guidelines":[{"prose":"delay algorithm for the next logon prompt is defined (if selected);"}]},{"id":"ac-07_odp.06","props":[{"name":"alt-identifier","value":"ac-7_prm_6"},{"name":"label","value":"AC-07_ODP[06]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-7"},{"name":"label","value":"AC-07","class":"sp800-53a"},{"name":"sort-id","value":"ac-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ac-7_smt","name":"statement","parts":[{"id":"ac-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during a {{ insert: param, ac-07_odp.02 }} ; and"},{"id":"ac-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."}]},{"id":"ac-7_gdn","name":"guidance","prose":"The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need."},{"id":"ac-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07","class":"sp800-53a"}],"parts":[{"id":"ac-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07a.","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;","links":[{"href":"#ac-7_smt.a","rel":"assessment-for"}]},{"id":"ac-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07b.","class":"sp800-53a"}],"prose":"automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.","links":[{"href":"#ac-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-7_smt","rel":"assessment-for"}]},{"id":"ac-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem developers\n\nsystem\/network administrators"}]},{"id":"ac-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}],"controls":[{"id":"ac-7.1","class":"SP800-53-enhancement","title":"Automatic Account Lock","props":[{"name":"label","value":"AC-7(1)"},{"name":"label","value":"AC-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-7","rel":"incorporated-into"}]},{"id":"ac-7.2","class":"SP800-53-enhancement","title":"Purge or Wipe Mobile Device","params":[{"id":"ac-07.02_odp.01","props":[{"name":"alt-identifier","value":"ac-7.2_prm_1"},{"name":"label","value":"AC-07(02)_ODP[01]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices to be purged or wiped of information are defined;"}]},{"id":"ac-07.02_odp.02","props":[{"name":"alt-identifier","value":"ac-7.2_prm_2"},{"name":"alt-label","value":"purging or wiping requirements and techniques","class":"sp800-53"},{"name":"label","value":"AC-07(02)_ODP[02]","class":"sp800-53a"}],"label":"purging or wiping requirements and techniques","guidelines":[{"prose":"purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;"}]},{"id":"ac-07.02_odp.03","props":[{"name":"alt-identifier","value":"ac-7.2_prm_3"},{"name":"label","value":"AC-07(02)_ODP[03]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;"}]}],"props":[{"name":"label","value":"AC-7(2)"},{"name":"label","value":"AC-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ac-7.2_smt","name":"statement","prose":"Purge or wipe information from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts."},{"id":"ac-7.2_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms."},{"id":"ac-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(02)","class":"sp800-53a"}],"prose":"information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts.","links":[{"href":"#ac-7.2_smt","rel":"assessment-for"}]},{"id":"ac-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts on mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of mobile devices to be purged\/wiped after organization-defined consecutive, unsuccessful device logon attempts\n\nlist of purging\/wiping requirements or techniques for mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful device logon attempts"}]}]},{"id":"ac-7.3","class":"SP800-53-enhancement","title":"Biometric Attempt Limiting","params":[{"id":"ac-07.03_odp","props":[{"name":"alt-identifier","value":"ac-7.3_prm_1"},{"name":"label","value":"AC-07(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of unsuccessful biometric logon attempts is defined;"}]}],"props":[{"name":"label","value":"AC-7(3)"},{"name":"label","value":"AC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"ac-7.3_smt","name":"statement","prose":"Limit the number of unsuccessful biometric logon attempts to {{ insert: param, ac-07.03_odp }}."},{"id":"ac-7.3_gdn","name":"guidance","prose":"Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors."},{"id":"ac-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(03)","class":"sp800-53a"}],"prose":"unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}.","links":[{"href":"#ac-7.3_smt","rel":"assessment-for"}]},{"id":"ac-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts on biometric devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]},{"id":"ac-7.4","class":"SP800-53-enhancement","title":"Use of Alternate Authentication Factor","params":[{"id":"ac-07.04_odp.01","props":[{"name":"alt-identifier","value":"ac-7.4_prm_1"},{"name":"label","value":"AC-07(04)_ODP[01]","class":"sp800-53a"}],"label":"authentication factors","guidelines":[{"prose":"authentication factors allowed to be used that are different from the primary authentication factors are defined;"}]},{"id":"ac-07.04_odp.02","props":[{"name":"alt-identifier","value":"ac-7.4_prm_2"},{"name":"label","value":"AC-07(04)_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;"}]},{"id":"ac-07.04_odp.03","props":[{"name":"alt-identifier","value":"ac-7.4_prm_3"},{"name":"label","value":"AC-07(04)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period during which a user can attempt logons through alternative factors is defined;"}]}],"props":[{"name":"label","value":"AC-7(4)"},{"name":"label","value":"AC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"required"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"ac-7.4_smt","name":"statement","parts":[{"id":"ac-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and"},{"id":"ac-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}."}]},{"id":"ac-7.4_gdn","name":"guidance","prose":"The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout."},{"id":"ac-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)","class":"sp800-53a"}],"parts":[{"id":"ac-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;","links":[{"href":"#ac-7.4_smt.a","rel":"assessment-for"}]},{"id":"ac-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-07(04)(b)","class":"sp800-53a"}],"prose":"a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced.","links":[{"href":"#ac-7.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-7.4_smt","rel":"assessment-for"}]},{"id":"ac-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing unsuccessful logon attempts for primary and alternate authentication factors\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for unsuccessful logon attempts"}]}]}]},{"id":"ac-8","class":"SP800-53","title":"System Use Notification","params":[{"id":"ac-08_odp.01","props":[{"name":"alt-identifier","value":"ac-8_prm_1"},{"name":"alt-label","value":"system use notification message or banner","class":"sp800-53"},{"name":"label","value":"AC-08_ODP[01]","class":"sp800-53a"}],"label":"system use notification","guidelines":[{"prose":"system use notification message or banner to be displayed by the system to users before granting access to the system is defined;"}]},{"id":"ac-08_odp.02","props":[{"name":"alt-identifier","value":"ac-8_prm_2"},{"name":"label","value":"AC-08_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions for system use to be displayed by the system before granting further access are defined;"}]}],"props":[{"name":"label","value":"AC-8"},{"name":"label","value":"AC-08","class":"sp800-53a"},{"name":"sort-id","value":"ac-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-14","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-8_smt","name":"statement","parts":[{"id":"ac-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Display {{ insert: param, ac-08_odp.01 }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:","parts":[{"id":"ac-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Users are accessing a U.S. Government system;"},{"id":"ac-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"System usage may be monitored, recorded, and subject to audit;"},{"id":"ac-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"},{"id":"ac-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Use of the system indicates consent to monitoring and recording;"}]},{"id":"ac-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and"},{"id":"ac-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"For publicly accessible systems:","parts":[{"id":"ac-8_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Display system use information {{ insert: param, ac-08_odp.02 }} , before granting further access to the publicly accessible system;"},{"id":"ac-8_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and"},{"id":"ac-8_smt.c.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Include a description of the authorized uses of the system."}]}]},{"id":"ac-8_gdn","name":"guidance","prose":"System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content."},{"id":"ac-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-08","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-08_odp.01 }} is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","parts":[{"id":"ac-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.01","class":"sp800-53a"}],"prose":"the system use notification states that users are accessing a U.S. Government system;","links":[{"href":"#ac-8_smt.a.1","rel":"assessment-for"}]},{"id":"ac-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.02","class":"sp800-53a"}],"prose":"the system use notification states that system usage may be monitored, recorded, and subject to audit;","links":[{"href":"#ac-8_smt.a.2","rel":"assessment-for"}]},{"id":"ac-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.03","class":"sp800-53a"}],"prose":"the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and","links":[{"href":"#ac-8_smt.a.3","rel":"assessment-for"}]},{"id":"ac-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"AC-08a.04","class":"sp800-53a"}],"prose":"the system use notification states that use of the system indicates consent to monitoring and recording;","links":[{"href":"#ac-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.a","rel":"assessment-for"}]},{"id":"ac-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-08b.","class":"sp800-53a"}],"prose":"the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;","links":[{"href":"#ac-8_smt.b","rel":"assessment-for"}]},{"id":"ac-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.","class":"sp800-53a"}],"parts":[{"id":"ac-8_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.01","class":"sp800-53a"}],"prose":"for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;","links":[{"href":"#ac-8_smt.c.1","rel":"assessment-for"}]},{"id":"ac-8_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.02","class":"sp800-53a"}],"prose":"for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;","links":[{"href":"#ac-8_smt.c.2","rel":"assessment-for"}]},{"id":"ac-8_obj.c.3","name":"assessment-objective","props":[{"name":"label","value":"AC-08c.03","class":"sp800-53a"}],"prose":"for publicly accessible systems, a description of the authorized uses of the system is included.","links":[{"href":"#ac-8_smt.c.3","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-8_smt","rel":"assessment-for"}]},{"id":"ac-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprivacy and security policies, procedures addressing system use notification\n\ndocumented approval of system use notification messages or banners\n\nsystem audit records\n\nuser acknowledgements of notification message or banner\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem use notification messages\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy assessment report\n\nother relevant documents or records"}]},{"id":"ac-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem developers"}]},{"id":"ac-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system use notification"}]}]},{"id":"ac-9","class":"SP800-53","title":"Previous Logon Notification","props":[{"name":"label","value":"AC-9"},{"name":"label","value":"AC-09","class":"sp800-53a"},{"name":"sort-id","value":"ac-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-7","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-9_smt","name":"statement","prose":"Notify the user, upon successful logon to the system, of the date and time of the last logon."},{"id":"ac-9_gdn","name":"guidance","prose":"Previous logon notification is applicable to system access via human user interfaces and access to systems that occurs in other types of architectures. Information about the last successful logon allows the user to recognize if the date and time provided is not consistent with the user’s last access."},{"id":"ac-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon to the system, of the date and time of the last logon.","links":[{"href":"#ac-9_smt","rel":"assessment-for"}]},{"id":"ac-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem notification messages\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}],"controls":[{"id":"ac-9.1","class":"SP800-53-enhancement","title":"Unsuccessful Logons","props":[{"name":"label","value":"AC-9(1)"},{"name":"label","value":"AC-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.1_smt","name":"statement","prose":"Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon."},{"id":"ac-9.1_gdn","name":"guidance","prose":"Information about the number of unsuccessful logon attempts since the last successful logon allows the user to recognize if the number of unsuccessful logon attempts is consistent with the user’s actual logon attempts."},{"id":"ac-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(01)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.","links":[{"href":"#ac-9.1_smt","rel":"assessment-for"}]},{"id":"ac-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.2","class":"SP800-53-enhancement","title":"Successful and Unsuccessful Logons","params":[{"id":"ac-09.02_odp.01","props":[{"name":"alt-identifier","value":"ac-9.2_prm_1"},{"name":"label","value":"AC-09(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["successful logons","unsuccessful logon attempts","both"]}},{"id":"ac-09.02_odp.02","props":[{"name":"alt-identifier","value":"ac-9.2_prm_2"},{"name":"label","value":"AC-09(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;"}]}],"props":[{"name":"label","value":"AC-9(2)"},{"name":"label","value":"AC-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.2_smt","name":"statement","prose":"Notify the user, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}."},{"id":"ac-9.2_gdn","name":"guidance","prose":"Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts."},{"id":"ac-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(02)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.","links":[{"href":"#ac-9.2_smt","rel":"assessment-for"}]},{"id":"ac-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.3","class":"SP800-53-enhancement","title":"Notification of Account Changes","params":[{"id":"ac-09.03_odp.01","props":[{"name":"alt-identifier","value":"ac-9.3_prm_1"},{"name":"alt-label","value":"security-related characteristics or parameters of the user’s account","class":"sp800-53"},{"name":"label","value":"AC-09(03)_ODP[01]","class":"sp800-53a"}],"label":"security-related characteristics or parameters","guidelines":[{"prose":"changes to security-related characteristics or parameters of the user’s account that require notification are defined;"}]},{"id":"ac-09.03_odp.02","props":[{"name":"alt-identifier","value":"ac-9.3_prm_2"},{"name":"label","value":"AC-09(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;"}]}],"props":[{"name":"label","value":"AC-9(3)"},{"name":"label","value":"AC-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.3_smt","name":"statement","prose":"Notify the user, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}."},{"id":"ac-9.3_gdn","name":"guidance","prose":"Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge."},{"id":"ac-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(03)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.","links":[{"href":"#ac-9.3_smt","rel":"assessment-for"}]},{"id":"ac-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]},{"id":"ac-9.4","class":"SP800-53-enhancement","title":"Additional Logon Information","params":[{"id":"ac-09.04_odp","props":[{"name":"alt-identifier","value":"ac-9.4_prm_1"},{"name":"label","value":"AC-09(04)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information about which to notify the user is defined;"}]}],"props":[{"name":"label","value":"AC-9(4)"},{"name":"label","value":"AC-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-9","rel":"required"}],"parts":[{"id":"ac-9.4_smt","name":"statement","prose":"Notify the user, upon successful logon, of the following additional information: {{ insert: param, ac-09.04_odp }}."},{"id":"ac-9.4_gdn","name":"guidance","prose":"Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers."},{"id":"ac-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-09(04)","class":"sp800-53a"}],"prose":"the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}.","links":[{"href":"#ac-9.4_smt","rel":"assessment-for"}]},{"id":"ac-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing previous logon notification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for previous logon notification"}]}]}]},{"id":"ac-10","class":"SP800-53","title":"Concurrent Session Control","params":[{"id":"ac-10_odp.01","props":[{"name":"alt-identifier","value":"ac-10_prm_1"},{"name":"alt-label","value":"account and\/or account type","class":"sp800-53"},{"name":"label","value":"AC-10_ODP[01]","class":"sp800-53a"}],"label":"account and\/or account types","guidelines":[{"prose":"accounts and\/or account types for which to limit the number of concurrent sessions is defined;"}]},{"id":"ac-10_odp.02","props":[{"name":"alt-identifier","value":"ac-10_prm_2"},{"name":"label","value":"AC-10_ODP[02]","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of concurrent sessions to be allowed for each account and\/or account type is defined;"}]}],"props":[{"name":"label","value":"AC-10"},{"name":"label","value":"AC-10","class":"sp800-53a"},{"name":"sort-id","value":"ac-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-10_smt","name":"statement","prose":"Limit the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} to {{ insert: param, ac-10_odp.02 }}."},{"id":"ac-10_gdn","name":"guidance","prose":"Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts."},{"id":"ac-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-10","class":"sp800-53a"}],"prose":"the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.","links":[{"href":"#ac-10_smt","rel":"assessment-for"}]},{"id":"ac-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing concurrent session control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for concurrent session control"}]}]},{"id":"ac-11","class":"SP800-53","title":"Device Lock","params":[{"id":"ac-11_odp.01","props":[{"name":"alt-identifier","value":"ac-11_prm_1"},{"name":"label","value":"AC-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["initiating a device lock after {{ insert: param, ac-11_odp.02 }} of inactivity","requiring the user to initiate a device lock before leaving the system unattended"]}},{"id":"ac-11_odp.02","props":[{"name":"alt-identifier","value":"ac-11_prm_2"},{"name":"label","value":"AC-11_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period of inactivity after which a device lock is initiated is defined (if selected);"}]}],"props":[{"name":"label","value":"AC-11"},{"name":"label","value":"AC-11","class":"sp800-53a"},{"name":"sort-id","value":"ac-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#pl-4","rel":"related"}],"parts":[{"id":"ac-11_smt","name":"statement","parts":[{"id":"ac-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prevent further access to the system by {{ insert: param, ac-11_odp.01 }} ; and"},{"id":"ac-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the device lock until the user reestablishes access using established identification and authentication procedures."}]},{"id":"ac-11_gdn","name":"guidance","prose":"Device locks are temporary actions taken to prevent logical access to organizational systems when users stop work and move away from the immediate vicinity of those systems but do not want to log out because of the temporary nature of their absences. Device locks can be implemented at the operating system level or at the application level. A proximity lock may be used to initiate the device lock (e.g., via a Bluetooth-enabled device or dongle). User-initiated device locking is behavior or policy-based and, as such, requires users to take physical action to initiate the device lock. Device locks are not an acceptable substitute for logging out of systems, such as when organizations require users to log out at the end of workdays."},{"id":"ac-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11","class":"sp800-53a"}],"parts":[{"id":"ac-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-11a.","class":"sp800-53a"}],"prose":"further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};","links":[{"href":"#ac-11_smt.a","rel":"assessment-for"}]},{"id":"ac-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-11b.","class":"sp800-53a"}],"prose":"device lock is retained until the user re-establishes access using established identification and authentication procedures.","links":[{"href":"#ac-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-11_smt","rel":"assessment-for"}]},{"id":"ac-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access control policy for session lock"}]}],"controls":[{"id":"ac-11.1","class":"SP800-53-enhancement","title":"Pattern-hiding Displays","props":[{"name":"label","value":"AC-11(1)"},{"name":"label","value":"AC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-11","rel":"required"}],"parts":[{"id":"ac-11.1_smt","name":"statement","prose":"Conceal, via the device lock, information previously visible on the display with a publicly viewable image."},{"id":"ac-11.1_gdn","name":"guidance","prose":"The pattern-hiding display can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen with the caveat that controlled unclassified information is not displayed."},{"id":"ac-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-11(01)","class":"sp800-53a"}],"prose":"information previously visible on the display is concealed, via device lock, with a publicly viewable image.","links":[{"href":"#ac-11.1_smt","rel":"assessment-for"}]},{"id":"ac-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session lock\n\ndisplay screen with session lock activated\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session lock mechanisms"}]}]}]},{"id":"ac-12","class":"SP800-53","title":"Session Termination","params":[{"id":"ac-12_odp","props":[{"name":"alt-identifier","value":"ac-12_prm_1"},{"name":"alt-label","value":"conditions or trigger events requiring session disconnect","class":"sp800-53"},{"name":"label","value":"AC-12_ODP","class":"sp800-53a"}],"label":"conditions or trigger events","guidelines":[{"prose":"conditions or trigger events requiring session disconnect are defined;"}]}],"props":[{"name":"label","value":"AC-12"},{"name":"label","value":"AC-12","class":"sp800-53a"},{"name":"sort-id","value":"ac-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-12_smt","name":"statement","prose":"Automatically terminate a user session after {{ insert: param, ac-12_odp }}."},{"id":"ac-12_gdn","name":"guidance","prose":"Session termination addresses the termination of user-initiated logical sessions (in contrast to [SC-10](#sc-10) , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use."},{"id":"ac-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12","class":"sp800-53a"}],"prose":"a user session is automatically terminated after {{ insert: param, ac-12_odp }}.","links":[{"href":"#ac-12_smt","rel":"assessment-for"}]},{"id":"ac-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of conditions or trigger events requiring session disconnect\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing user session termination"}]}],"controls":[{"id":"ac-12.1","class":"SP800-53-enhancement","title":"User-initiated Logouts","params":[{"id":"ac-12.01_odp","props":[{"name":"alt-identifier","value":"ac-12.1_prm_1"},{"name":"label","value":"AC-12(01)_ODP","class":"sp800-53a"}],"label":"information resources","guidelines":[{"prose":"information resources for which a logout capability for user-initiated communications sessions is required are defined;"}]}],"props":[{"name":"label","value":"AC-12(1)"},{"name":"label","value":"AC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.1_smt","name":"statement","prose":"Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}."},{"id":"ac-12.1_gdn","name":"guidance","prose":"Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services."},{"id":"ac-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(01)","class":"sp800-53a"}],"prose":"a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.","links":[{"href":"#ac-12.1_smt","rel":"assessment-for"}]},{"id":"ac-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\nlogout capabilities for user-initiated communications sessions"}]}]},{"id":"ac-12.2","class":"SP800-53-enhancement","title":"Termination Message","props":[{"name":"label","value":"AC-12(2)"},{"name":"label","value":"AC-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.2_smt","name":"statement","prose":"Display an explicit logout message to users indicating the termination of authenticated communications sessions."},{"id":"ac-12.2_gdn","name":"guidance","prose":"Logout messages for web access can be displayed after authenticated sessions have been terminated. However, for certain types of sessions, including file transfer protocol (FTP) sessions, systems typically send logout messages as final messages prior to terminating sessions."},{"id":"ac-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(02)","class":"sp800-53a"}],"prose":"an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.","links":[{"href":"#ac-12.2_smt","rel":"assessment-for"}]},{"id":"ac-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\nuser logout messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\ndisplay of logout messages"}]}]},{"id":"ac-12.3","class":"SP800-53-enhancement","title":"Timeout Warning Message","params":[{"id":"ac-12.03_odp","props":[{"name":"alt-identifier","value":"ac-12.3_prm_1"},{"name":"alt-label","value":"time until end of session","class":"sp800-53"},{"name":"label","value":"AC-12(03)_ODP","class":"sp800-53a"}],"label":"time","guidelines":[{"prose":"time until the end of session for display to users is defined;"}]}],"props":[{"name":"label","value":"AC-12(3)"},{"name":"label","value":"AC-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-12","rel":"required"}],"parts":[{"id":"ac-12.3_smt","name":"statement","prose":"Display an explicit message to users indicating that the session will end in {{ insert: param, ac-12.03_odp }}."},{"id":"ac-12.3_gdn","name":"guidance","prose":"To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the [AC-12](#ac-12) base control."},{"id":"ac-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-12(03)","class":"sp800-53a"}],"prose":"an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}.","links":[{"href":"#ac-12.3_smt","rel":"assessment-for"}]},{"id":"ac-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing session termination\n\ntime until end of session messages\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System session termination mechanisms\n\ndisplay of end of session time"}]}]}]},{"id":"ac-13","class":"SP800-53","title":"Supervision and Review — Access Control","props":[{"name":"label","value":"AC-13"},{"name":"label","value":"AC-13","class":"sp800-53a"},{"name":"sort-id","value":"ac-13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#au-6","rel":"incorporated-into"}]},{"id":"ac-14","class":"SP800-53","title":"Permitted Actions Without Identification or Authentication","params":[{"id":"ac-14_odp","props":[{"name":"alt-identifier","value":"ac-14_prm_1"},{"name":"label","value":"AC-14_ODP","class":"sp800-53a"}],"label":"user actions","guidelines":[{"prose":"user actions that can be performed on the system without identification or authentication are defined;"}]}],"props":[{"name":"label","value":"AC-14"},{"name":"label","value":"AC-14","class":"sp800-53a"},{"name":"sort-id","value":"ac-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ac-14_smt","name":"statement","parts":[{"id":"ac-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and"},{"id":"ac-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."}]},{"id":"ac-14_gdn","name":"guidance","prose":"Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be \"none.\" "},{"id":"ac-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-14","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-14a.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;","links":[{"href":"#ac-14_smt.a","rel":"assessment-for"}]},{"id":"ac-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.","class":"sp800-53a"}],"parts":[{"id":"ac-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[01]","class":"sp800-53a"}],"prose":"user actions not requiring identification or authentication are documented in the security plan for the system;","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]},{"id":"ac-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-14b.[02]","class":"sp800-53a"}],"prose":"a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.","links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-14_smt","rel":"assessment-for"}]},{"id":"ac-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing permitted actions without identification or authentication\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nlist of user actions that can be performed without identification or authentication\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]}],"controls":[{"id":"ac-14.1","class":"SP800-53-enhancement","title":"Necessary Uses","props":[{"name":"label","value":"AC-14(1)"},{"name":"label","value":"AC-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-14.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-14","rel":"incorporated-into"}]}]},{"id":"ac-15","class":"SP800-53","title":"Automated Marking","props":[{"name":"label","value":"AC-15"},{"name":"label","value":"AC-15","class":"sp800-53a"},{"name":"sort-id","value":"ac-15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-3","rel":"incorporated-into"}]},{"id":"ac-16","class":"SP800-53","title":"Security and Privacy Attributes","params":[{"id":"ac-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.02"}],"label":"organization-defined types of security and privacy attributes"},{"id":"ac-16_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.04"}],"label":"organization-defined security and privacy attribute values"},{"id":"ac-16_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.06"}],"label":"organization-defined systems"},{"id":"ac-16_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.08"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16_prm_6","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.08"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16_prm_7","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.10"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16_odp.11"}],"label":"organization-defined frequency"},{"id":"ac-16_odp.01","props":[{"name":"label","value":"AC-16_ODP[01]","class":"sp800-53a"}],"label":"types of security attributes","guidelines":[{"prose":"types of security attributes to be associated with information security attribute values for information in storage, in process, and\/or in transmission are defined;"}]},{"id":"ac-16_odp.02","props":[{"name":"label","value":"AC-16_ODP[02]","class":"sp800-53a"}],"label":"types of privacy attributes","guidelines":[{"prose":"types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and\/or in transmission are defined;"}]},{"id":"ac-16_odp.03","props":[{"name":"label","value":"AC-16_ODP[03]","class":"sp800-53a"}],"label":"security attribute values","guidelines":[{"prose":"security attribute values for types of security attributes are defined;"}]},{"id":"ac-16_odp.04","props":[{"name":"label","value":"AC-16_ODP[04]","class":"sp800-53a"}],"label":"privacy attribute values","guidelines":[{"prose":"privacy attribute values for types of privacy attributes are defined;"}]},{"id":"ac-16_odp.05","props":[{"name":"label","value":"AC-16_ODP[05]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which permitted security attributes are to be established are defined;"}]},{"id":"ac-16_odp.06","props":[{"name":"label","value":"AC-16_ODP[06]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which permitted privacy attributes are to be established are defined;"}]},{"id":"ac-16_odp.07","props":[{"name":"label","value":"AC-16_ODP[07]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes defined as part of AC-16a that are permitted for systems are defined;"}]},{"id":"ac-16_odp.08","props":[{"name":"label","value":"AC-16_ODP[08]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes defined as part of AC-16a that are permitted for systems are defined;"}]},{"id":"ac-16_odp.09","props":[{"name":"alt-identifier","value":"ac-16_prm_5"},{"name":"alt-label","value":"attribute values or ranges for established attributes","class":"sp800-53"},{"name":"label","value":"AC-16_ODP[09]","class":"sp800-53a"}],"label":"attribute values or ranges","guidelines":[{"prose":"attribute values or ranges for established attributes are defined;"}]},{"id":"ac-16_odp.10","props":[{"name":"label","value":"AC-16_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review security attributes for applicability is defined;"}]},{"id":"ac-16_odp.11","props":[{"name":"label","value":"AC-16_ODP[11]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review privacy attributes for applicability is defined;"}]}],"props":[{"name":"label","value":"AC-16"},{"name":"label","value":"AC-16","class":"sp800-53a"},{"name":"sort-id","value":"ac-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-21","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ac-16_smt","name":"statement","parts":[{"id":"ac-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the means to associate {{ insert: param, ac-16_prm_1 }} with {{ insert: param, ac-16_prm_2 }} for information in storage, in process, and\/or in transmission;"},{"id":"ac-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the attribute associations are made and retained with the information;"},{"id":"ac-16_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish the following permitted security and privacy attributes from the attributes defined in [AC-16a](#ac-16_smt.a) for {{ insert: param, ac-16_prm_3 }}: {{ insert: param, ac-16_prm_4 }};"},{"id":"ac-16_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Determine the following permitted attribute values or ranges for each of the established attributes: {{ insert: param, ac-16_odp.09 }};"},{"id":"ac-16_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Audit changes to attributes; and"},{"id":"ac-16_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Review {{ insert: param, ac-16_prm_6 }} for applicability {{ insert: param, ac-16_prm_7 }}."}]},{"id":"ac-16_gdn","name":"guidance","prose":"Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.\n\nAttributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.\n\nOrganizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See [MP-3](#mp-3) (Media Marking)."},{"id":"ac-16_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.[01]","class":"sp800-53a"}],"prose":"the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and\/or in transmission are provided;","links":[{"href":"#ac-16_smt.a","rel":"assessment-for"}]},{"id":"ac-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16a.[02]","class":"sp800-53a"}],"prose":"the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and\/or in transmission are provided;","links":[{"href":"#ac-16_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-16_smt.a","rel":"assessment-for"}]},{"id":"ac-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.[01]","class":"sp800-53a"}],"prose":"attribute associations are made;","links":[{"href":"#ac-16_smt.b","rel":"assessment-for"}]},{"id":"ac-16_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16b.[02]","class":"sp800-53a"}],"prose":"attribute associations are retained with the information;","links":[{"href":"#ac-16_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-16_smt.b","rel":"assessment-for"}]},{"id":"ac-16_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.[01]","class":"sp800-53a"}],"prose":"the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};","links":[{"href":"#ac-16_smt.c","rel":"assessment-for"}]},{"id":"ac-16_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16c.[02]","class":"sp800-53a"}],"prose":"the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};","links":[{"href":"#ac-16_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-16_smt.c","rel":"assessment-for"}]},{"id":"ac-16_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-16d.","class":"sp800-53a"}],"prose":"the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};","links":[{"href":"#ac-16_smt.d","rel":"assessment-for"}]},{"id":"ac-16_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AC-16e.","class":"sp800-53a"}],"prose":"changes to attributes are audited;","links":[{"href":"#ac-16_smt.e","rel":"assessment-for"}]},{"id":"ac-16_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.","class":"sp800-53a"}],"parts":[{"id":"ac-16_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};","links":[{"href":"#ac-16_smt.f","rel":"assessment-for"}]},{"id":"ac-16_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16f.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}.","links":[{"href":"#ac-16_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-16_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ac-16_smt","rel":"assessment-for"}]},{"id":"ac-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information in storage, in process, and in transmission\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational capability supporting and maintaining the association of security and privacy attributes to information in storage, in process, and in transmission"}]}],"controls":[{"id":"ac-16.1","class":"SP800-53-enhancement","title":"Dynamic Attribute Association","params":[{"id":"ac-16.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.04"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.01_odp.06"}],"label":"organization-defined security and privacy policies"},{"id":"ac-16.01_odp.01","props":[{"name":"label","value":"AC-16(01)_ODP[01]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects with which security attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.02","props":[{"name":"label","value":"AC-16(01)_ODP[02]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects with which security attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.03","props":[{"name":"label","value":"AC-16(01)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.04","props":[{"name":"label","value":"AC-16(01)_ODP[04]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;"}]},{"id":"ac-16.01_odp.05","props":[{"name":"label","value":"AC-16(01)_ODP[05]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies requiring dynamic association of security attributes with subjects and objects are defined;"}]},{"id":"ac-16.01_odp.06","props":[{"name":"label","value":"AC-16(01)_ODP[06]","class":"sp800-53a"}],"label":"privacy policies","guidelines":[{"prose":"privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;"}]}],"props":[{"name":"label","value":"AC-16(1)"},{"name":"label","value":"AC-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.1_smt","name":"statement","prose":"Dynamically associate security and privacy attributes with {{ insert: param, ac-16.1_prm_1 }} in accordance with the following security and privacy policies as information is created and combined: {{ insert: param, ac-16.1_prm_2 }}."},{"id":"ac-16.1_gdn","name":"guidance","prose":"Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally."},{"id":"ac-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)","class":"sp800-53a"}],"parts":[{"id":"ac-16.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[01]","class":"sp800-53a"}],"prose":"security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};","links":[{"href":"#ac-16.1_smt","rel":"assessment-for"}]},{"id":"ac-16.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[02]","class":"sp800-53a"}],"prose":"security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};","links":[{"href":"#ac-16.1_smt","rel":"assessment-for"}]},{"id":"ac-16.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[03]","class":"sp800-53a"}],"prose":"privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};","links":[{"href":"#ac-16.1_smt","rel":"assessment-for"}]},{"id":"ac-16.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(01)[04]","class":"sp800-53a"}],"prose":"privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}.","links":[{"href":"#ac-16.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.1_smt","rel":"assessment-for"}]},{"id":"ac-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing dynamic association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing dynamic association of security and privacy attributes to information"}]}]},{"id":"ac-16.2","class":"SP800-53-enhancement","title":"Attribute Value Changes by Authorized Individuals","props":[{"name":"label","value":"AC-16(2)"},{"name":"label","value":"AC-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.2_smt","name":"statement","prose":"Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes."},{"id":"ac-16.2_gdn","name":"guidance","prose":"The content or assigned values of attributes can directly affect the ability of individuals to access organizational information. Therefore, it is important for systems to be able to limit the ability to create or modify attributes to authorized individuals."},{"id":"ac-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)","class":"sp800-53a"}],"parts":[{"id":"ac-16.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)[01]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;","links":[{"href":"#ac-16.2_smt","rel":"assessment-for"}]},{"id":"ac-16.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(02)[02]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.","links":[{"href":"#ac-16.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.2_smt","rel":"assessment-for"}]},{"id":"ac-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the change of security and privacy attribute values\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of individuals authorized to change security and privacy attributes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for changing values of security and privacy attributes\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms permitting changes to values of security and privacy attributes"}]}]},{"id":"ac-16.3","class":"SP800-53-enhancement","title":"Maintenance of Attribute Associations by System","params":[{"id":"ac-16.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.03_odp.06"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.03_odp.01","props":[{"name":"label","value":"AC-16(03)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes that require association and integrity maintenance are defined;"}]},{"id":"ac-16.03_odp.02","props":[{"name":"label","value":"AC-16(03)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes that require association and integrity maintenance are defined;"}]},{"id":"ac-16.03_odp.03","props":[{"name":"label","value":"AC-16(03)_ODP[03]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;"}]},{"id":"ac-16.03_odp.04","props":[{"name":"label","value":"AC-16(03)_ODP[04]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association and integrity of security attributes to such objects to be maintained are defined;"}]},{"id":"ac-16.03_odp.05","props":[{"name":"label","value":"AC-16(03)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;"}]},{"id":"ac-16.03_odp.06","props":[{"name":"label","value":"AC-16(03)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;"}]}],"props":[{"name":"label","value":"AC-16(3)"},{"name":"label","value":"AC-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.3_smt","name":"statement","prose":"Maintain the association and integrity of {{ insert: param, ac-16.3_prm_1 }} to {{ insert: param, ac-16.3_prm_2 }}."},{"id":"ac-16.3_gdn","name":"guidance","prose":"Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from \"known good\" baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions."},{"id":"ac-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)","class":"sp800-53a"}],"parts":[{"id":"ac-16.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[01]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;","links":[{"href":"#ac-16.3_smt","rel":"assessment-for"}]},{"id":"ac-16.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[02]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained.","links":[{"href":"#ac-16.3_smt","rel":"assessment-for"}]},{"id":"ac-16.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[03]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;","links":[{"href":"#ac-16.3_smt","rel":"assessment-for"}]},{"id":"ac-16.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(03)[04]","class":"sp800-53a"}],"prose":"the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained.","links":[{"href":"#ac-16.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.3_smt","rel":"assessment-for"}]},{"id":"ac-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nprocedures addressing labeling or marking\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms maintaining association and integrity of security and privacy attributes to information"}]}]},{"id":"ac-16.4","class":"SP800-53-enhancement","title":"Association of Attributes by Authorized Individuals","params":[{"id":"ac-16.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.04"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.04_odp.08"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.04_odp.01","props":[{"name":"label","value":"AC-16(04)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.02","props":[{"name":"label","value":"AC-16(04)_ODP[02]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.03","props":[{"name":"label","value":"AC-16(04)_ODP[03]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.04","props":[{"name":"label","value":"AC-16(04)_ODP[04]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.05","props":[{"name":"label","value":"AC-16(04)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.06","props":[{"name":"label","value":"AC-16(04)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.07","props":[{"name":"label","value":"AC-16(04)_ODP[07]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]},{"id":"ac-16.04_odp.08","props":[{"name":"label","value":"AC-16(04)_ODP[08]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;"}]}],"props":[{"name":"label","value":"AC-16(4)"},{"name":"label","value":"AC-16(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.4_smt","name":"statement","prose":"Provide the capability to associate {{ insert: param, ac-16.4_prm_1 }} with {{ insert: param, ac-16.4_prm_2 }} by authorized individuals (or processes acting on behalf of individuals)."},{"id":"ac-16.4_gdn","name":"guidance","prose":"Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events."},{"id":"ac-16.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)","class":"sp800-53a"}],"parts":[{"id":"ac-16.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[01]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};","links":[{"href":"#ac-16.4_smt","rel":"assessment-for"}]},{"id":"ac-16.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[02]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};","links":[{"href":"#ac-16.4_smt","rel":"assessment-for"}]},{"id":"ac-16.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[03]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};","links":[{"href":"#ac-16.4_smt","rel":"assessment-for"}]},{"id":"ac-16.4_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(04)[04]","class":"sp800-53a"}],"prose":"authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}.","links":[{"href":"#ac-16.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.4_smt","rel":"assessment-for"}]},{"id":"ac-16.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to associate security and privacy attributes to information\n\nsystem prompts for privileged users to select security and privacy attributes to be associated with information objects\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting user associations of security and privacy attributes to information"}]}]},{"id":"ac-16.5","class":"SP800-53-enhancement","title":"Attribute Displays on Objects to Be Output","params":[{"id":"ac-16.05_odp.01","props":[{"name":"alt-identifier","value":"ac-16.5_prm_1"},{"name":"alt-label","value":"special dissemination, handling, or distribution instructions","class":"sp800-53"},{"name":"label","value":"AC-16(05)_ODP[01]","class":"sp800-53a"}],"label":"instructions","guidelines":[{"prose":"special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;"}]},{"id":"ac-16.05_odp.02","props":[{"name":"alt-identifier","value":"ac-16.5_prm_2"},{"name":"alt-label","value":"human-readable, standard naming conventions","class":"sp800-53"},{"name":"label","value":"AC-16(05)_ODP[02]","class":"sp800-53a"}],"label":"naming conventions","guidelines":[{"prose":"human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;"}]}],"props":[{"name":"label","value":"AC-16(5)"},{"name":"label","value":"AC-16(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.5_smt","name":"statement","prose":"Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}."},{"id":"ac-16.5_gdn","name":"guidance","prose":"System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber."},{"id":"ac-16.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)","class":"sp800-53a"}],"parts":[{"id":"ac-16.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)[01]","class":"sp800-53a"}],"prose":"security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};","links":[{"href":"#ac-16.5_smt","rel":"assessment-for"}]},{"id":"ac-16.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(05)[02]","class":"sp800-53a"}],"prose":"privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}.","links":[{"href":"#ac-16.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.5_smt","rel":"assessment-for"}]},{"id":"ac-16.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing display of security and privacy attributes in human-readable form\n\nspecial dissemination, handling, or distribution instructions\n\ntypes of human-readable, standard naming conventions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System output devices displaying security and privacy attributes in human-readable form on each object"}]}]},{"id":"ac-16.6","class":"SP800-53-enhancement","title":"Maintenance of Attribute Association","params":[{"id":"ac-16.6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.04"}],"label":"organization-defined security and privacy attributes"},{"id":"ac-16.6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.08"}],"label":"organization-defined subjects and objects"},{"id":"ac-16.6_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.06_odp.10"}],"label":"organization-defined security and privacy policies"},{"id":"ac-16.06_odp.01","props":[{"name":"label","value":"AC-16(06)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with subjects are defined;"}]},{"id":"ac-16.06_odp.02","props":[{"name":"label","value":"AC-16(06)_ODP[02]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with objects are defined;"}]},{"id":"ac-16.06_odp.03","props":[{"name":"label","value":"AC-16(06)_ODP[03]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with subjects are defined;"}]},{"id":"ac-16.06_odp.04","props":[{"name":"label","value":"AC-16(06)_ODP[04]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with objects are defined;"}]},{"id":"ac-16.06_odp.05","props":[{"name":"label","value":"AC-16(06)_ODP[05]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be associated with information security attributes are defined;"}]},{"id":"ac-16.06_odp.06","props":[{"name":"label","value":"AC-16(06)_ODP[06]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects to be associated with information security attributes are defined;"}]},{"id":"ac-16.06_odp.07","props":[{"name":"label","value":"AC-16(06)_ODP[07]","class":"sp800-53a"}],"label":"subjects","guidelines":[{"prose":"subjects to be associated with privacy attributes are defined;"}]},{"id":"ac-16.06_odp.08","props":[{"name":"label","value":"AC-16(06)_ODP[08]","class":"sp800-53a"}],"label":"objects","guidelines":[{"prose":"objects to be associated with privacy attributes are defined;"}]},{"id":"ac-16.06_odp.09","props":[{"name":"label","value":"AC-16(06)_ODP[09]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;"}]},{"id":"ac-16.06_odp.10","props":[{"name":"label","value":"AC-16(06)_ODP[10]","class":"sp800-53a"}],"label":"privacy policies","guidelines":[{"prose":"privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;"}]}],"props":[{"name":"label","value":"AC-16(6)"},{"name":"label","value":"AC-16(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.6_smt","name":"statement","prose":"Require personnel to associate and maintain the association of {{ insert: param, ac-16.6_prm_1 }} with {{ insert: param, ac-16.6_prm_2 }} in accordance with {{ insert: param, ac-16.6_prm_3 }}."},{"id":"ac-16.6_gdn","name":"guidance","prose":"Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects."},{"id":"ac-16.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)","class":"sp800-53a"}],"parts":[{"id":"ac-16.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[01]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};","links":[{"href":"#ac-16.6_smt","rel":"assessment-for"}]},{"id":"ac-16.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[02]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};","links":[{"href":"#ac-16.6_smt","rel":"assessment-for"}]},{"id":"ac-16.6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[03]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};","links":[{"href":"#ac-16.6_smt","rel":"assessment-for"}]},{"id":"ac-16.6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AC-16(06)[04]","class":"sp800-53a"}],"prose":"personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}.","links":[{"href":"#ac-16.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.6_smt","rel":"assessment-for"}]},{"id":"ac-16.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing association of security and privacy attributes with subjects and objects\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating and maintaining association of security and privacy attributes with subjects and objects\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting associations of security and privacy attributes to subjects and objects"}]}]},{"id":"ac-16.7","class":"SP800-53-enhancement","title":"Consistent Attribute Interpretation","props":[{"name":"label","value":"AC-16(7)"},{"name":"label","value":"AC-16(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.7_smt","name":"statement","prose":"Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components."},{"id":"ac-16.7_gdn","name":"guidance","prose":"To enforce security and privacy policies across multiple system components in distributed systems, organizations provide a consistent interpretation of security and privacy attributes employed in access enforcement and flow enforcement decisions. Organizations can establish agreements and processes to help ensure that distributed system components implement attributes with consistent interpretations in automated access enforcement and flow enforcement actions."},{"id":"ac-16.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)","class":"sp800-53a"}],"parts":[{"id":"ac-16.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)[01]","class":"sp800-53a"}],"prose":"a consistent interpretation of security attributes transmitted between distributed system components is provided;","links":[{"href":"#ac-16.7_smt","rel":"assessment-for"}]},{"id":"ac-16.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(07)[02]","class":"sp800-53a"}],"prose":"a consistent interpretation of privacy attributes transmitted between distributed system components is provided.","links":[{"href":"#ac-16.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.7_smt","rel":"assessment-for"}]},{"id":"ac-16.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policies and procedures\n\nprocedures addressing consistent interpretation of security and privacy attributes transmitted between distributed system components\n\nprocedures addressing access enforcement\n\nprocedures addressing information flow enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy access control policy\n\nother relevant documents or records"}]},{"id":"ac-16.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for providing consistent interpretation of security and privacy attributes used in access enforcement and information flow enforcement actions\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement and information flow enforcement functions"}]}]},{"id":"ac-16.8","class":"SP800-53-enhancement","title":"Association Techniques and Technologies","params":[{"id":"ac-16.8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.08_odp.02"}],"label":"organization-defined techniques and technologies"},{"id":"ac-16.08_odp.01","props":[{"name":"label","value":"AC-16(08)_ODP[01]","class":"sp800-53a"}],"label":"techniques and technologies","guidelines":[{"prose":"techniques and technologies to be implemented in associating security attributes to information are defined;"}]},{"id":"ac-16.08_odp.02","props":[{"name":"label","value":"AC-16(08)_ODP[02]","class":"sp800-53a"}],"label":"techniques and technologies","guidelines":[{"prose":"techniques and technologies to be implemented in associating privacy attributes to information are defined;"}]}],"props":[{"name":"label","value":"AC-16(8)"},{"name":"label","value":"AC-16(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-16","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-16.8_smt","name":"statement","prose":"Implement {{ insert: param, ac-16.8_prm_1 }} in associating security and privacy attributes to information."},{"id":"ac-16.8_gdn","name":"guidance","prose":"The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust)."},{"id":"ac-16.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)","class":"sp800-53a"}],"parts":[{"id":"ac-16.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;","links":[{"href":"#ac-16.8_smt","rel":"assessment-for"}]},{"id":"ac-16.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information.","links":[{"href":"#ac-16.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.8_smt","rel":"assessment-for"}]},{"id":"ac-16.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing association of security and privacy attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for associating security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing techniques or technologies associating security and privacy attributes to information"}]}]},{"id":"ac-16.9","class":"SP800-53-enhancement","title":"Attribute Reassignment — Regrading Mechanisms","params":[{"id":"ac-16.9_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.09_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-16.09_odp.02"}],"label":"organization-defined techniques or procedures"},{"id":"ac-16.09_odp.01","props":[{"name":"label","value":"AC-16(09)_ODP[01]","class":"sp800-53a"}],"label":"techniques or procedures","guidelines":[{"prose":"techniques or procedures used to validate regrading mechanisms for security attributes are defined;"}]},{"id":"ac-16.09_odp.02","props":[{"name":"label","value":"AC-16(09)_ODP[02]","class":"sp800-53a"}],"label":"techniques or procedures","guidelines":[{"prose":"techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;"}]}],"props":[{"name":"label","value":"AC-16(9)"},{"name":"label","value":"AC-16(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.9_smt","name":"statement","prose":"Change security and privacy attributes associated with information only via regrading mechanisms validated using {{ insert: param, ac-16.9_prm_1 }}."},{"id":"ac-16.9_gdn","name":"guidance","prose":"A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation."},{"id":"ac-16.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)","class":"sp800-53a"}],"parts":[{"id":"ac-16.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)[01]","class":"sp800-53a"}],"prose":"security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};","links":[{"href":"#ac-16.9_smt","rel":"assessment-for"}]},{"id":"ac-16.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(09)[02]","class":"sp800-53a"}],"prose":"privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}.","links":[{"href":"#ac-16.9_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.9_smt","rel":"assessment-for"}]},{"id":"ac-16.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing reassignment of security attributes to information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reassigning association of security and privacy attributes to information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing techniques or procedures for reassigning association of security and privacy attributes to information"}]}]},{"id":"ac-16.10","class":"SP800-53-enhancement","title":"Attribute Configuration by Authorized Individuals","props":[{"name":"label","value":"AC-16(10)"},{"name":"label","value":"AC-16(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-16.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-16","rel":"required"}],"parts":[{"id":"ac-16.10_smt","name":"statement","prose":"Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects."},{"id":"ac-16.10_gdn","name":"guidance","prose":"The content or assigned values of security and privacy attributes can directly affect the ability of individuals to access organizational information. Thus, it is important for systems to be able to limit the ability to create or modify the type and value of attributes available for association with subjects and objects to authorized individuals only."},{"id":"ac-16.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)","class":"sp800-53a"}],"parts":[{"id":"ac-16.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)[01]","class":"sp800-53a"}],"prose":"authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;","links":[{"href":"#ac-16.10_smt","rel":"assessment-for"}]},{"id":"ac-16.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-16(10)[02]","class":"sp800-53a"}],"prose":"authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.","links":[{"href":"#ac-16.10_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-16.10_smt","rel":"assessment-for"}]},{"id":"ac-16.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-16(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing configuration of security and privacy attributes by authorized individuals\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-16.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-16(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining or changing security and privacy attributes associated with information\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-16.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-16(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability for defining or changing security and privacy attributes"}]}]}]},{"id":"ac-17","class":"SP800-53","title":"Remote Access","props":[{"name":"label","value":"AC-17"},{"name":"label","value":"AC-17","class":"sp800-53a"},{"name":"sort-id","value":"ac-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#d17ebd7a-ffab-499d-bfff-e705bbb01fa6","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-17_smt","name":"statement","parts":[{"id":"ac-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document usage restrictions, configuration\/connection requirements, and implementation guidance for each type of remote access allowed; and"},{"id":"ac-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of remote access to the system prior to allowing such connections."}]},{"id":"ac-17_gdn","name":"guidance","prose":"Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of [CA-3](#ca-3) . Enforcing access restrictions for remote access is addressed via [AC-3](#ac-3)."},{"id":"ac-17_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.","class":"sp800-53a"}],"parts":[{"id":"ac-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[01]","class":"sp800-53a"}],"prose":"usage restrictions are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[02]","class":"sp800-53a"}],"prose":"configuration\/connection requirements are established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established and documented for each type of remote access allowed;","links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt.a","rel":"assessment-for"}]},{"id":"ac-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17b.","class":"sp800-53a"}],"prose":"each type of remote access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17_smt","rel":"assessment-for"}]},{"id":"ac-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nremote access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing remote access connections\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Remote access management capability for the system"}]}],"controls":[{"id":"ac-17.1","class":"SP800-53-enhancement","title":"Monitoring and Control","props":[{"name":"label","value":"AC-17(1)"},{"name":"label","value":"AC-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"}],"parts":[{"id":"ac-17.1_smt","name":"statement","prose":"Employ automated mechanisms to monitor and control remote access methods."},{"id":"ac-17.1_gdn","name":"guidance","prose":"Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ac-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)","class":"sp800-53a"}],"parts":[{"id":"ac-17.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to monitor remote access methods;","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(01)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are employed to control remote access methods.","links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.1_smt","rel":"assessment-for"}]},{"id":"ac-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem monitoring records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms monitoring and controlling remote access methods"}]}]},{"id":"ac-17.2","class":"SP800-53-enhancement","title":"Protection of Confidentiality and Integrity Using Encryption","props":[{"name":"label","value":"AC-17(2)"},{"name":"label","value":"AC-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."},{"id":"ac-17.2_gdn","name":"guidance","prose":"Virtual private networks can be used to protect the confidentiality and integrity of remote access sessions. Transport Layer Security (TLS) is an example of a cryptographic protocol that provides end-to-end communications security over networks and is used for Internet communications and online transactions."},{"id":"ac-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.","links":[{"href":"#ac-17.2_smt","rel":"assessment-for"}]},{"id":"ac-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting confidentiality and integrity of remote access sessions"}]}]},{"id":"ac-17.3","class":"SP800-53-enhancement","title":"Managed Access Control Points","props":[{"name":"label","value":"AC-17(3)"},{"name":"label","value":"AC-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-17.3_smt","name":"statement","prose":"Route remote accesses through authorized and managed network access control points."},{"id":"ac-17.3_gdn","name":"guidance","prose":"Organizations consider the Trusted Internet Connections (TIC) initiative [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces."},{"id":"ac-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(03)","class":"sp800-53a"}],"prose":"remote accesses are routed through authorized and managed network access control points.","links":[{"href":"#ac-17.3_smt","rel":"assessment-for"}]},{"id":"ac-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem design documentation\n\nlist of all managed network access control points\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms routing all remote accesses through managed network access control points"}]}]},{"id":"ac-17.4","class":"SP800-53-enhancement","title":"Privileged Commands and Access","params":[{"id":"ac-17.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-17.04_odp.02"}],"label":"organization-defined needs"},{"id":"ac-17.04_odp.01","props":[{"name":"label","value":"AC-17(04)_ODP[01]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring execution of privileged commands via remote access are defined;"}]},{"id":"ac-17.04_odp.02","props":[{"name":"label","value":"AC-17(04)_ODP[02]","class":"sp800-53a"}],"label":"needs requiring remote access","guidelines":[{"prose":"needs requiring access to security-relevant information via remote access are defined;"}]}],"props":[{"name":"label","value":"AC-17(4)"},{"name":"label","value":"AC-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-17.4_smt","name":"statement","parts":[{"id":"ac-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: {{ insert: param, ac-17.4_prm_1 }} ; and"},{"id":"ac-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document the rationale for remote access in the security plan for the system."}]},{"id":"ac-17.4_gdn","name":"guidance","prose":"Remote access to systems represents a significant potential vulnerability that can be exploited by adversaries. As such, restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and the susceptibility to threats by adversaries to the remote access capability."},{"id":"ac-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"ac-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[01]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[02]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[03]","class":"sp800-53a"}],"prose":"the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(a)[04]","class":"sp800-53a"}],"prose":"access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};","links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt.a","rel":"assessment-for"}]},{"id":"ac-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-17(04)(b)","class":"sp800-53a"}],"prose":"the rationale for remote access is documented in the security plan for the system.","links":[{"href":"#ac-17.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-17.4_smt","rel":"assessment-for"}]},{"id":"ac-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-17.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote access management"}]}]},{"id":"ac-17.5","class":"SP800-53-enhancement","title":"Monitoring for Unauthorized Connections","props":[{"name":"label","value":"AC-17(5)"},{"name":"label","value":"AC-17(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"ac-17.6","class":"SP800-53-enhancement","title":"Protection of Mechanism Information","props":[{"name":"label","value":"AC-17(6)"},{"name":"label","value":"AC-17(06)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"ac-17.6_smt","name":"statement","prose":"Protect information about remote access mechanisms from unauthorized use and disclosure."},{"id":"ac-17.6_gdn","name":"guidance","prose":"Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6))."},{"id":"ac-17.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(06)","class":"sp800-53a"}],"prose":"information about remote access mechanisms is protected from unauthorized use and disclosure.","links":[{"href":"#ac-17.6_smt","rel":"assessment-for"}]},{"id":"ac-17.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing remote access to the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for implementing or monitoring remote access to the system\n\nsystem users with knowledge of information about remote access mechanisms\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ac-17.7","class":"SP800-53-enhancement","title":"Additional Protection for Security Function Access","props":[{"name":"label","value":"AC-17(7)"},{"name":"label","value":"AC-17(07)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-3.10","rel":"incorporated-into"}]},{"id":"ac-17.8","class":"SP800-53-enhancement","title":"Disable Nonsecure Network Protocols","props":[{"name":"label","value":"AC-17(8)"},{"name":"label","value":"AC-17(08)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7","rel":"incorporated-into"}]},{"id":"ac-17.9","class":"SP800-53-enhancement","title":"Disconnect or Disable Access","params":[{"id":"ac-17.09_odp","props":[{"name":"alt-identifier","value":"ac-17.9_prm_1"},{"name":"label","value":"AC-17(09)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to disconnect or disable remote access to the system is defined;"}]}],"props":[{"name":"label","value":"AC-17(9)"},{"name":"label","value":"AC-17(09)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"required"}],"parts":[{"id":"ac-17.9_smt","name":"statement","prose":"Provide the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }}."},{"id":"ac-17.9_gdn","name":"guidance","prose":"The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems."},{"id":"ac-17.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(09)","class":"sp800-53a"}],"prose":"the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided.","links":[{"href":"#ac-17.9_smt","rel":"assessment-for"}]},{"id":"ac-17.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing disconnecting or disabling remote access to the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan, system audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability to disconnect or disable remote access to system"}]}]},{"id":"ac-17.10","class":"SP800-53-enhancement","title":"Authenticate Remote Commands","params":[{"id":"ac-17.10_odp.01","props":[{"name":"alt-identifier","value":"ac-17.10_prm_1"},{"name":"label","value":"AC-17(10)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms implemented to authenticate remote commands are defined;"}]},{"id":"ac-17.10_odp.02","props":[{"name":"alt-identifier","value":"ac-17.10_prm_2"},{"name":"label","value":"AC-17(10)_ODP[02]","class":"sp800-53a"}],"label":"remote commands","guidelines":[{"prose":"remote commands to be authenticated by mechanisms are defined;"}]}],"props":[{"name":"label","value":"AC-17(10)"},{"name":"label","value":"AC-17(10)","class":"sp800-53a"},{"name":"sort-id","value":"ac-17.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"ac-17.10_smt","name":"statement","prose":"Implement {{ insert: param, ac-17.10_odp.01 }} to authenticate {{ insert: param, ac-17.10_odp.02 }}."},{"id":"ac-17.10_gdn","name":"guidance","prose":"Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high value assets, failure of mission or business functions, or compromise of classified or controlled unclassified information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands."},{"id":"ac-17.10_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-17(10)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}.","links":[{"href":"#ac-17.10_smt","rel":"assessment-for"}]},{"id":"ac-17.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-17(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing authentication of remote commands\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-17.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-17(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-17.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-17(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing authentication of remote commands"}]}]}]},{"id":"ac-18","class":"SP800-53","title":"Wireless Access","props":[{"name":"label","value":"AC-18"},{"name":"label","value":"AC-18","class":"sp800-53a"},{"name":"sort-id","value":"ac-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#03fb73bc-1b12-4182-bd96-e5719254ea61","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-18_smt","name":"statement","parts":[{"id":"ac-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and"},{"id":"ac-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize each type of wireless access to the system prior to allowing such connections."}]},{"id":"ac-18_gdn","name":"guidance","prose":"Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication."},{"id":"ac-18_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.","class":"sp800-53a"}],"parts":[{"id":"ac-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-18a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for each type of wireless access;","links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt.a","rel":"assessment-for"}]},{"id":"ac-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-18b.","class":"sp800-53a"}],"prose":"each type of wireless access to the system is authorized prior to allowing such connections.","links":[{"href":"#ac-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-18_smt","rel":"assessment-for"}]},{"id":"ac-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless access implementation and usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nwireless access authorizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing wireless access connections\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Wireless access management capability for the system"}]}],"controls":[{"id":"ac-18.1","class":"SP800-53-enhancement","title":"Authentication and Encryption","params":[{"id":"ac-18.01_odp","props":[{"name":"alt-identifier","value":"ac-18.1_prm_1"},{"name":"label","value":"AC-18(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["users","devices"]}}],"props":[{"name":"label","value":"AC-18(1)"},{"name":"label","value":"AC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ac-18.1_smt","name":"statement","prose":"Protect wireless access to the system using authentication of {{ insert: param, ac-18.01_odp }} and encryption."},{"id":"ac-18.1_gdn","name":"guidance","prose":"Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)","class":"sp800-53a"}],"parts":[{"id":"ac-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[01]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(01)[02]","class":"sp800-53a"}],"prose":"wireless access to the system is protected using encryption.","links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.1_smt","rel":"assessment-for"}]},{"id":"ac-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing wireless access protections to the system"}]}]},{"id":"ac-18.2","class":"SP800-53-enhancement","title":"Monitoring Unauthorized Connections","props":[{"name":"label","value":"AC-18(2)"},{"name":"label","value":"AC-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"ac-18.3","class":"SP800-53-enhancement","title":"Disable Wireless Networking","props":[{"name":"label","value":"AC-18(3)"},{"name":"label","value":"AC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"required"}],"parts":[{"id":"ac-18.3_smt","name":"statement","prose":"Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment."},{"id":"ac-18.3_gdn","name":"guidance","prose":"Wireless networking capabilities that are embedded within system components represent a significant potential vulnerability that can be exploited by adversaries. Disabling wireless capabilities when not needed for essential organizational missions or functions can reduce susceptibility to threats by adversaries involving wireless technologies."},{"id":"ac-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(03)","class":"sp800-53a"}],"prose":"when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.","links":[{"href":"#ac-18.3_smt","rel":"assessment-for"}]},{"id":"ac-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing the disabling of wireless networking capabilities internally embedded within system components"}]}]},{"id":"ac-18.4","class":"SP800-53-enhancement","title":"Restrict Configurations by Users","props":[{"name":"label","value":"AC-18(4)"},{"name":"label","value":"AC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#sc-7","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-18.4_smt","name":"statement","prose":"Identify and explicitly authorize users allowed to independently configure wireless networking capabilities."},{"id":"ac-18.4_gdn","name":"guidance","prose":"Organizational authorizations to allow selected users to configure wireless networking capabilities are enforced, in part, by the access enforcement mechanisms employed within organizational systems."},{"id":"ac-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)","class":"sp800-53a"}],"parts":[{"id":"ac-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[01]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are identified;","links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]},{"id":"ac-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(04)[02]","class":"sp800-53a"}],"prose":"users allowed to independently configure wireless networking capabilities are explicitly authorized.","links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.4_smt","rel":"assessment-for"}]},{"id":"ac-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms authorizing independent user configuration of wireless networking capabilities"}]}]},{"id":"ac-18.5","class":"SP800-53-enhancement","title":"Antennas and Transmission Power Levels","props":[{"name":"label","value":"AC-18(5)"},{"name":"label","value":"AC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-18","rel":"required"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"ac-18.5_smt","name":"statement","prose":"Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."},{"id":"ac-18.5_gdn","name":"guidance","prose":"Actions that may be taken to limit unauthorized use of wireless communications outside of organization-controlled boundaries include reducing the power of wireless transmissions so that the transmissions are less likely to emit a signal that can be captured outside of the physical perimeters of the organization, employing measures such as emissions security to control wireless emanations, and using directional or beamforming antennas that reduce the likelihood that unintended receivers will be able to intercept signals. Prior to taking such mitigating actions, organizations can conduct periodic wireless surveys to understand the radio frequency profile of organizational systems as well as other systems that may be operating in the area."},{"id":"ac-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)","class":"sp800-53a"}],"parts":[{"id":"ac-18.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[01]","class":"sp800-53a"}],"prose":"radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;","links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]},{"id":"ac-18.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-18(05)[02]","class":"sp800-53a"}],"prose":"transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.","links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-18.5_smt","rel":"assessment-for"}]},{"id":"ac-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing wireless implementation and usage (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Calibration of transmission power levels for wireless access\n\nradio antenna signals for wireless access\n\nwireless access reception outside of organization-controlled boundaries"}]}]}]},{"id":"ac-19","class":"SP800-53","title":"Access Control for Mobile Devices","props":[{"name":"label","value":"AC-19"},{"name":"label","value":"AC-19","class":"sp800-53a"},{"name":"sort-id","value":"ac-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#42e37e51-7cc0-4ffa-81c9-0ac942da7e99","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ac-19_smt","name":"statement","parts":[{"id":"ac-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and"},{"id":"ac-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize the connection of mobile devices to organizational systems."}]},{"id":"ac-19_gdn","name":"guidance","prose":"A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and\/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook\/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.\n\nDue to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.\n\nUsage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in [AC-19](#ac-19) . Many safeguards for mobile devices are reflected in other controls. [AC-20](#ac-20) addresses mobile devices that are not organization-controlled."},{"id":"ac-19_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.","class":"sp800-53a"}],"parts":[{"id":"ac-19_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[01]","class":"sp800-53a"}],"prose":"configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[02]","class":"sp800-53a"}],"prose":"connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AC-19a.[03]","class":"sp800-53a"}],"prose":"implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;","links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt.a","rel":"assessment-for"}]},{"id":"ac-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19b.","class":"sp800-53a"}],"prose":"the connection of mobile devices to organizational systems is authorized.","links":[{"href":"#ac-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-19_smt","rel":"assessment-for"}]},{"id":"ac-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile device usage (including restrictions)\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorizations for mobile device connections to organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel using mobile devices to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control capability for mobile device connections to organizational systems\n\nconfigurations of mobile devices"}]}],"controls":[{"id":"ac-19.1","class":"SP800-53-enhancement","title":"Use of Writable and Portable Storage Devices","props":[{"name":"label","value":"AC-19(1)"},{"name":"label","value":"AC-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.2","class":"SP800-53-enhancement","title":"Use of Personally Owned Portable Storage Devices","props":[{"name":"label","value":"AC-19(2)"},{"name":"label","value":"AC-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.3","class":"SP800-53-enhancement","title":"Use of Portable Storage Devices with No Identifiable Owner","props":[{"name":"label","value":"AC-19(3)"},{"name":"label","value":"AC-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"ac-19.4","class":"SP800-53-enhancement","title":"Restrictions for Classified Information","params":[{"id":"ac-19.04_odp.01","props":[{"name":"alt-identifier","value":"ac-19.4_prm_1"},{"name":"label","value":"AC-19(04)_ODP[01]","class":"sp800-53a"}],"label":"security officials","guidelines":[{"prose":"security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;"}]},{"id":"ac-19.04_odp.02","props":[{"name":"alt-identifier","value":"ac-19.4_prm_2"},{"name":"label","value":"AC-19(04)_ODP[02]","class":"sp800-53a"}],"label":"security policies","guidelines":[{"prose":"security policies restricting the connection of classified mobile devices to classified systems are defined;"}]}],"props":[{"name":"label","value":"AC-19(4)"},{"name":"label","value":"AC-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"ac-19.4_smt","name":"statement","parts":[{"id":"ac-19.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and"},{"id":"ac-19.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:","parts":[{"id":"ac-19.4_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Connection of unclassified mobile devices to classified systems is prohibited;"},{"id":"ac-19.4_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;"},{"id":"ac-19.4_smt.b.3","name":"item","props":[{"name":"label","value":"(3)"}],"prose":"Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and"},{"id":"ac-19.4_smt.b.4","name":"item","props":[{"name":"label","value":"(4)"}],"prose":"Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by {{ insert: param, ac-19.04_odp.01 }} , and if classified information is found, the incident handling policy is followed."}]},{"id":"ac-19.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Restrict the connection of classified mobile devices to classified systems in accordance with {{ insert: param, ac-19.04_odp.02 }}."}]},{"id":"ac-19.4_gdn","name":"guidance","prose":"None."},{"id":"ac-19.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(a)","class":"sp800-53a"}],"prose":"the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;","links":[{"href":"#ac-19.4_smt.a","rel":"assessment-for"}]},{"id":"ac-19.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(01)","class":"sp800-53a"}],"prose":"prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;","links":[{"href":"#ac-19.4_smt.b.1","rel":"assessment-for"}]},{"id":"ac-19.4_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(02)","class":"sp800-53a"}],"prose":"approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;","links":[{"href":"#ac-19.4_smt.b.2","rel":"assessment-for"}]},{"id":"ac-19.4_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(03)","class":"sp800-53a"}],"prose":"prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;","links":[{"href":"#ac-19.4_smt.b.3","rel":"assessment-for"}]},{"id":"ac-19.4_obj.b.4","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)","class":"sp800-53a"}],"parts":[{"id":"ac-19.4_obj.b.4-1","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)[01]","class":"sp800-53a"}],"prose":"random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;","links":[{"href":"#ac-19.4_smt.b.4","rel":"assessment-for"}]},{"id":"ac-19.4_obj.b.4-2","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(b)(04)[02]","class":"sp800-53a"}],"prose":"following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;","links":[{"href":"#ac-19.4_smt.b.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-19.4_smt.b.4","rel":"assessment-for"}]}],"links":[{"href":"#ac-19.4_smt.b","rel":"assessment-for"}]},{"id":"ac-19.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-19(04)(c)","class":"sp800-53a"}],"prose":"the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}.","links":[{"href":"#ac-19.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ac-19.4_smt","rel":"assessment-for"}]},{"id":"ac-19.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nincident handling policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidentiary documentation for random inspections and reviews of mobile devices\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for random reviews\/inspections of mobile devices\n\norganizational personnel using mobile devices in facilities containing systems processing, storing, or transmitting classified information\n\norganizational personnel with incident response responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the use of internal or external modems or wireless interfaces with mobile devices"}]}]},{"id":"ac-19.5","class":"SP800-53-enhancement","title":"Full Device or Container-based Encryption","params":[{"id":"ac-19.05_odp.01","props":[{"name":"alt-identifier","value":"ac-19.5_prm_1"},{"name":"label","value":"AC-19(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["full-device encryption","container-based encryption"]}},{"id":"ac-19.05_odp.02","props":[{"name":"alt-identifier","value":"ac-19.5_prm_2"},{"name":"label","value":"AC-19(05)_ODP[02]","class":"sp800-53a"}],"label":"mobile devices","guidelines":[{"prose":"mobile devices on which to employ encryption are defined;"}]}],"props":[{"name":"label","value":"AC-19(5)"},{"name":"label","value":"AC-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"ac-19.5_smt","name":"statement","prose":"Employ {{ insert: param, ac-19.05_odp.01 }} to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."},{"id":"ac-19.5_gdn","name":"guidance","prose":"Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields."},{"id":"ac-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-19(05)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.","links":[{"href":"#ac-19.5_smt","rel":"assessment-for"}]},{"id":"ac-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control for mobile devices\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nencryption mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access control responsibilities for mobile devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Encryption mechanisms protecting confidentiality and integrity of information on mobile devices"}]}]}]},{"id":"ac-20","class":"SP800-53","title":"Use of External Systems","params":[{"id":"ac-20_odp.01","props":[{"name":"alt-identifier","value":"ac-20_prm_1"},{"name":"label","value":"AC-20_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish {{ insert: param, ac-20_odp.02 }} ","identify {{ insert: param, ac-20_odp.03 }} "]}},{"id":"ac-20_odp.02","props":[{"name":"alt-identifier","value":"ac-20_prm_2"},{"name":"label","value":"AC-20_ODP[02]","class":"sp800-53a"}],"label":"terms and conditions","guidelines":[{"prose":"terms and conditions consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.03","props":[{"name":"alt-identifier","value":"ac-20_prm_3"},{"name":"alt-label","value":"controls asserted to be implemented on external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[03]","class":"sp800-53a"}],"label":"controls asserted","guidelines":[{"prose":"controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems are defined (if selected);"}]},{"id":"ac-20_odp.04","props":[{"name":"alt-identifier","value":"ac-20_prm_4"},{"name":"alt-label","value":"organizationally-defined types of external systems","class":"sp800-53"},{"name":"label","value":"AC-20_ODP[04]","class":"sp800-53a"}],"label":"prohibited types of external systems","guidelines":[{"prose":"types of external systems prohibited from use are defined;"}]}],"props":[{"name":"label","value":"AC-20"},{"name":"label","value":"AC-20","class":"sp800-53a"},{"name":"sort-id","value":"ac-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ac-20_smt","name":"statement","parts":[{"id":"ac-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, ac-20_odp.01 }} , consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to:","parts":[{"id":"ac-20_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Access the system from external systems; and"},{"id":"ac-20_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Process, store, or transmit organization-controlled information using external systems; or"}]},{"id":"ac-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of {{ insert: param, ac-20_odp.04 }}."}]},{"id":"ac-20_gdn","name":"guidance","prose":"External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).\n\nFor some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.\n\nExternal systems used to access public interfaces to organizational systems are outside the scope of [AC-20](#ac-20) . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems."},{"id":"ac-20_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.","class":"sp800-53a"}],"parts":[{"id":"ac-20_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.01","class":"sp800-53a"}],"prose":"{{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);","links":[{"href":"#ac-20_smt.a.1","rel":"assessment-for"}]},{"id":"ac-20_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AC-20a.02","class":"sp800-53a"}],"prose":"{{ insert: param, ac-20_odp.01 }} is\/are consistent with the trust relationships established with other organizations owning, operating, and\/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);","links":[{"href":"#ac-20_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt.a","rel":"assessment-for"}]},{"id":"ac-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20b.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).","links":[{"href":"#ac-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20_smt","rel":"assessment-for"}]},{"id":"ac-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nexternal systems terms and conditions\n\nlist of types of applications accessible from external systems\n\nmaximum security categorization for information processed, stored, or transmitted on external systems\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing terms and conditions on the use of external systems"}]}],"controls":[{"id":"ac-20.1","class":"SP800-53-enhancement","title":"Limits on Authorized Use","props":[{"name":"label","value":"AC-20(1)"},{"name":"label","value":"AC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ac-20.1_smt","name":"statement","prose":"Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:","parts":[{"id":"ac-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or"},{"id":"ac-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Retention of approved system connection or processing agreements with the organizational entity hosting the external system."}]},{"id":"ac-20.1_gdn","name":"guidance","prose":"Limiting authorized use recognizes circumstances where individuals using external systems may need to access organizational systems. Organizations need assurance that the external systems contain the necessary controls so as not to compromise, damage, or otherwise harm organizational systems. Verification that the required controls have been implemented can be achieved by external, independent assessments, attestations, or other means, depending on the confidence level required by organizations."},{"id":"ac-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)","class":"sp800-53a"}],"parts":[{"id":"ac-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(a)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);","links":[{"href":"#ac-20.1_smt.a","rel":"assessment-for"}]},{"id":"ac-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-20(01)(b)","class":"sp800-53a"}],"prose":"authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).","links":[{"href":"#ac-20.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-20.1_smt","rel":"assessment-for"}]},{"id":"ac-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing limits on use of external systems"}]}]},{"id":"ac-20.2","class":"SP800-53-enhancement","title":"Portable Storage Devices — Restricted Use","params":[{"id":"ac-20.02_odp","props":[{"name":"alt-identifier","value":"ac-20.2_prm_1"},{"name":"label","value":"AC-20(02)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(2)"},{"name":"label","value":"AC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.2_smt","name":"statement","prose":"Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}."},{"id":"ac-20.2_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used."},{"id":"ac-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(02)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.","links":[{"href":"#ac-20.2_smt","rel":"assessment-for"}]},{"id":"ac-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of organization-controlled storage devices on external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of portable storage devices"}]}]},{"id":"ac-20.3","class":"SP800-53-enhancement","title":"Non-organizationally Owned Systems — Restricted Use","params":[{"id":"ac-20.03_odp","props":[{"name":"alt-identifier","value":"ac-20.3_prm_1"},{"name":"label","value":"AC-20(03)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;"}]}],"props":[{"name":"label","value":"AC-20(3)"},{"name":"label","value":"AC-20(03)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"}],"parts":[{"id":"ac-20.3_smt","name":"statement","prose":"Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using {{ insert: param, ac-20.03_odp }}."},{"id":"ac-20.3_gdn","name":"guidance","prose":"Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see [AC-20 b.](#ac-20_smt.b) ). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident."},{"id":"ac-20.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(03)","class":"sp800-53a"}],"prose":"the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}.","links":[{"href":"#ac-20.3_smt","rel":"assessment-for"}]},{"id":"ac-20.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing the use of external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\naccount management documents\n\nsystem audit records, other relevant documents or records"}]},{"id":"ac-20.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for restricting or prohibiting the use of non-organizationally owned systems, system components, or devices\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on the use of non-organizationally owned systems, components, or devices"}]}]},{"id":"ac-20.4","class":"SP800-53-enhancement","title":"Network Accessible Storage Devices — Prohibited Use","params":[{"id":"ac-20.04_odp","props":[{"name":"alt-identifier","value":"ac-20.4_prm_1"},{"name":"alt-label","value":"network accessible storage devices","class":"sp800-53"},{"name":"label","value":"AC-20(04)_ODP","class":"sp800-53a"}],"label":"network-accessible storage devices","guidelines":[{"prose":"network-accessible storage devices prohibited from use in external systems are defined;"}]}],"props":[{"name":"label","value":"AC-20(4)"},{"name":"label","value":"AC-20(04)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"}],"parts":[{"id":"ac-20.4_smt","name":"statement","prose":"Prohibit the use of {{ insert: param, ac-20.04_odp }} in external systems."},{"id":"ac-20.4_gdn","name":"guidance","prose":"Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems."},{"id":"ac-20.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(04)","class":"sp800-53a"}],"prose":"the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems.","links":[{"href":"#ac-20.4_smt","rel":"assessment-for"}]},{"id":"ac-20.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing use of network-accessible storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nlist of network-accessible storage devices prohibited from use in external systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for prohibiting the use of network-accessible storage devices in external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-20.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-20(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the use of network-accessible storage devices in external systems"}]}]},{"id":"ac-20.5","class":"SP800-53-enhancement","title":"Portable Storage Devices — Prohibited Use","props":[{"name":"label","value":"AC-20(5)"},{"name":"label","value":"AC-20(05)","class":"sp800-53a"},{"name":"sort-id","value":"ac-20.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-20","rel":"required"},{"href":"#mp-7","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"ac-20.5_smt","name":"statement","prose":"Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems."},{"id":"ac-20.5_gdn","name":"guidance","prose":"Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and\/or nontechnical (i.e., process-based) methods."},{"id":"ac-20.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-20(05)","class":"sp800-53a"}],"prose":"the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.","links":[{"href":"#ac-20.5_smt","rel":"assessment-for"}]},{"id":"ac-20.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-20(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing use of portable storage devices in external systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem connection or processing agreements\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-20.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-20(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for prohibiting the use of portable storage devices in external systems\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ac-21","class":"SP800-53","title":"Information Sharing","params":[{"id":"ac-21_odp.01","props":[{"name":"alt-identifier","value":"ac-21_prm_1"},{"name":"alt-label","value":"information sharing circumstances where user discretion is required","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[01]","class":"sp800-53a"}],"label":"information-sharing circumstances","guidelines":[{"prose":"information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;"}]},{"id":"ac-21_odp.02","props":[{"name":"alt-identifier","value":"ac-21_prm_2"},{"name":"alt-label","value":"automated mechanisms or manual processes","class":"sp800-53"},{"name":"label","value":"AC-21_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;"}]}],"props":[{"name":"label","value":"AC-21"},{"name":"label","value":"AC-21","class":"sp800-53a"},{"name":"sort-id","value":"ac-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"ac-21_smt","name":"statement","parts":[{"id":"ac-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }} ; and"},{"id":"ac-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ {{ insert: param, ac-21_odp.02 }} to assist users in making information sharing and collaboration decisions."}]},{"id":"ac-21_gdn","name":"guidance","prose":"Information sharing applies to information that may be restricted in some manner based on some formal or administrative determination. Examples of such information include, contract-sensitive information, classified information related to special access programs or compartments, privileged information, proprietary information, and personally identifiable information. Security and privacy risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to these determinations. Depending on the circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program or compartment. Access restrictions may include non-disclosure agreements (NDA). Information flow techniques and security attributes may be used to provide automated assistance to users making sharing and collaboration decisions."},{"id":"ac-21_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21","class":"sp800-53a"}],"parts":[{"id":"ac-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-21a.","class":"sp800-53a"}],"prose":"authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};","links":[{"href":"#ac-21_smt.a","rel":"assessment-for"}]},{"id":"ac-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-21b.","class":"sp800-53a"}],"prose":"{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.","links":[{"href":"#ac-21_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ac-21_smt","rel":"assessment-for"}]},{"id":"ac-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of users authorized to make information-sharing\/collaboration decisions\n\nlist of information-sharing circumstances requiring user discretion\n\nnon-disclosure agreements\n\nacquisitions\/contractual agreements\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nsecurity and privacy risk assessments\n\nother relevant documents or records"}]},{"id":"ac-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information-sharing\/collaboration decisions\n\norganizational personnel with responsibility for acquisitions\/contractual agreements\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ac-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms or manual process implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}],"controls":[{"id":"ac-21.1","class":"SP800-53-enhancement","title":"Automated Decision Support","params":[{"id":"ac-21.01_odp","props":[{"name":"alt-identifier","value":"ac-21.1_prm_1"},{"name":"label","value":"AC-21(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;"}]}],"props":[{"name":"label","value":"AC-21(1)"},{"name":"label","value":"AC-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-21.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"required"}],"parts":[{"id":"ac-21.1_smt","name":"statement","prose":"Employ {{ insert: param, ac-21.01_odp }} to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."},{"id":"ac-21.1_gdn","name":"guidance","prose":"Automated mechanisms are used to enforce information sharing decisions."},{"id":"ac-21.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.","links":[{"href":"#ac-21.1_smt","rel":"assessment-for"}]},{"id":"ac-21.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of users authorized to make information-sharing\/collaboration decisions\n\nsystem-generated list of sharing partners and access authorizations\n\nsystem-generated list of access restrictions regarding information to be shared\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-21.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-21.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing access authorizations supporting information-sharing\/user collaboration decisions"}]}]},{"id":"ac-21.2","class":"SP800-53-enhancement","title":"Information Search and Retrieval","params":[{"id":"ac-21.02_odp","props":[{"name":"alt-identifier","value":"ac-21.2_prm_1"},{"name":"alt-label","value":"information sharing restrictions","class":"sp800-53"},{"name":"label","value":"AC-21(02)_ODP","class":"sp800-53a"}],"label":"information-sharing restrictions","guidelines":[{"prose":"information-sharing restrictions to be enforced by information search and retrieval services are defined;"}]}],"props":[{"name":"label","value":"AC-21(2)"},{"name":"label","value":"AC-21(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-21.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"required"}],"parts":[{"id":"ac-21.2_smt","name":"statement","prose":"Implement information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }}."},{"id":"ac-21.2_gdn","name":"guidance","prose":"Information search and retrieval services identify information system resources relevant to an information need."},{"id":"ac-21.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-21(02)","class":"sp800-53a"}],"prose":"information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented.","links":[{"href":"#ac-21.2_smt","rel":"assessment-for"}]},{"id":"ac-21.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-21(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing user-based collaboration and information sharing (including restrictions)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of access restrictions regarding information to be shared\n\ninformation search and retrieval records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-21.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-21(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities for system search and retrieval services\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-21.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-21(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System search and retrieval services enforcing information-sharing restrictions"}]}]}]},{"id":"ac-22","class":"SP800-53","title":"Publicly Accessible Content","params":[{"id":"ac-22_odp","props":[{"name":"alt-identifier","value":"ac-22_prm_1"},{"name":"label","value":"AC-22_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the content on the publicly accessible system for non-public information is defined;"}]}],"props":[{"name":"label","value":"AC-22"},{"name":"label","value":"AC-22","class":"sp800-53a"},{"name":"sort-id","value":"ac-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"ac-22_smt","name":"statement","parts":[{"id":"ac-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Designate individuals authorized to make information publicly accessible;"},{"id":"ac-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;"},{"id":"ac-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and"},{"id":"ac-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the content on the publicly accessible system for nonpublic information {{ insert: param, ac-22_odp }} and remove such information, if discovered."}]},{"id":"ac-22_gdn","name":"guidance","prose":"In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible."},{"id":"ac-22_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-22","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AC-22a.","class":"sp800-53a"}],"prose":"designated individuals are authorized to make information publicly accessible;","links":[{"href":"#ac-22_smt.a","rel":"assessment-for"}]},{"id":"ac-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AC-22b.","class":"sp800-53a"}],"prose":"authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;","links":[{"href":"#ac-22_smt.b","rel":"assessment-for"}]},{"id":"ac-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AC-22c.","class":"sp800-53a"}],"prose":"the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;","links":[{"href":"#ac-22_smt.c","rel":"assessment-for"}]},{"id":"ac-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.","class":"sp800-53a"}],"parts":[{"id":"ac-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[01]","class":"sp800-53a"}],"prose":"the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]},{"id":"ac-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"AC-22d.[02]","class":"sp800-53a"}],"prose":"non-public information is removed from the publicly accessible system, if discovered.","links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ac-22_smt","rel":"assessment-for"}]},{"id":"ac-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing publicly accessible content\n\nlist of users authorized to post publicly accessible content on organizational systems\n\ntraining materials and\/or records\n\nrecords of publicly accessible information reviews\n\nrecords of response to non-public information on public websites\n\nsystem audit logs\n\nsecurity awareness training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing management of publicly accessible content"}]}]},{"id":"ac-23","class":"SP800-53","title":"Data Mining Protection","params":[{"id":"ac-23_odp.01","props":[{"name":"alt-identifier","value":"ac-23_prm_1"},{"name":"alt-label","value":"data mining prevention and detection techniques","class":"sp800-53"},{"name":"label","value":"AC-23_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"data mining prevention and detection techniques are defined;"}]},{"id":"ac-23_odp.02","props":[{"name":"alt-identifier","value":"ac-23_prm_2"},{"name":"label","value":"AC-23_ODP[02]","class":"sp800-53a"}],"label":"data storage objects","guidelines":[{"prose":"data storage objects to be protected against unauthorized data mining are defined;"}]}],"props":[{"name":"label","value":"AC-23"},{"name":"label","value":"AC-23","class":"sp800-53a"},{"name":"sort-id","value":"ac-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#pm-12","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"ac-23_smt","name":"statement","prose":"Employ {{ insert: param, ac-23_odp.01 }} for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining."},{"id":"ac-23_gdn","name":"guidance","prose":"Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.\n\nData mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, [AU-13](#au-13) focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.\n\n[EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration."},{"id":"ac-23_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-23","class":"sp800-53a"}],"prose":"{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining.","links":[{"href":"#ac-23_smt","rel":"assessment-for"}]},{"id":"ac-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures for preventing and detecting data mining\n\npolicies and procedures addressing authorized data mining techniques\n\nprocedures addressing protection of data storage objects against data mining\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit logs\n\nsystem audit records\n\nprocedures addressing differential privacy techniques\n\nnotifications of atypical database queries or accesses\n\ndocumentation or reports of insider threat program\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for implementing data mining detection and prevention techniques for data storage objects\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing data mining prevention and detection"}]}]},{"id":"ac-24","class":"SP800-53","title":"Access Control Decisions","params":[{"id":"ac-24_odp.01","props":[{"name":"alt-identifier","value":"ac-24_prm_1"},{"name":"label","value":"AC-24_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["establish procedures","implement mechanisms"]}},{"id":"ac-24_odp.02","props":[{"name":"alt-identifier","value":"ac-24_prm_2"},{"name":"label","value":"AC-24_ODP[02]","class":"sp800-53a"}],"label":"access control decisions","guidelines":[{"prose":"access control decisions applied to each access request prior to access enforcement are defined;"}]}],"props":[{"name":"label","value":"AC-24"},{"name":"label","value":"AC-24","class":"sp800-53a"},{"name":"sort-id","value":"ac-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#2956e175-f674-43f4-b1b9-e074ad9fc39c","rel":"reference"},{"href":"#388a3aa2-5d85-4bad-b8a3-77db80d63c4f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ac-24_smt","name":"statement","prose":"{{ insert: param, ac-24_odp.01 }} to ensure {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement."},{"id":"ac-24_gdn","name":"guidance","prose":"Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access."},{"id":"ac-24_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24","class":"sp800-53a"}],"prose":"{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.","links":[{"href":"#ac-24_smt","rel":"assessment-for"}]},{"id":"ac-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access control decisions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for establishing procedures regarding access control decisions to the system\n\norganizational personnel with information security responsibilities"}]},{"id":"ac-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms applying established access control decisions and procedures"}]}],"controls":[{"id":"ac-24.1","class":"SP800-53-enhancement","title":"Transmit Access Authorization Information","params":[{"id":"ac-24.01_odp.01","props":[{"name":"alt-identifier","value":"ac-24.1_prm_1"},{"name":"label","value":"AC-24(01)_ODP[01]","class":"sp800-53a"}],"label":"access authorization information","guidelines":[{"prose":"access authorization information transmitted to systems that enforce access control decisions is defined;"}]},{"id":"ac-24.01_odp.02","props":[{"name":"alt-identifier","value":"ac-24.1_prm_2"},{"name":"label","value":"AC-24(01)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;"}]},{"id":"ac-24.01_odp.03","props":[{"name":"alt-identifier","value":"ac-24.1_prm_3"},{"name":"label","value":"AC-24(01)_ODP[03]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems that enforce access control decisions are defined;"}]}],"props":[{"name":"label","value":"AC-24(1)"},{"name":"label","value":"AC-24(01)","class":"sp800-53a"},{"name":"sort-id","value":"ac-24.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-24","rel":"required"},{"href":"#au-10","rel":"related"}],"parts":[{"id":"ac-24.1_smt","name":"statement","prose":"Transmit {{ insert: param, ac-24.01_odp.01 }} using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions."},{"id":"ac-24.1_gdn","name":"guidance","prose":"Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission."},{"id":"ac-24.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.","links":[{"href":"#ac-24.1_smt","rel":"assessment-for"}]},{"id":"ac-24.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-24.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-24.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]},{"id":"ac-24.2","class":"SP800-53-enhancement","title":"No User or Process Identity","params":[{"id":"ac-24.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-24.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ac-24.02_odp.02"}],"label":"organization-defined security or privacy attributes"},{"id":"ac-24.02_odp.01","props":[{"name":"label","value":"AC-24(02)_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);"}]},{"id":"ac-24.02_odp.02","props":[{"name":"label","value":"AC-24(02)_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);"}]}],"props":[{"name":"label","value":"AC-24(2)"},{"name":"label","value":"AC-24(02)","class":"sp800-53a"},{"name":"sort-id","value":"ac-24.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-24","rel":"required"}],"parts":[{"id":"ac-24.2_smt","name":"statement","prose":"Enforce access control decisions based on {{ insert: param, ac-24.2_prm_1 }} that do not include the identity of the user or process acting on behalf of the user."},{"id":"ac-24.2_gdn","name":"guidance","prose":"In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute."},{"id":"ac-24.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)","class":"sp800-53a"}],"parts":[{"id":"ac-24.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)[01]","class":"sp800-53a"}],"prose":"access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);","links":[{"href":"#ac-24.2_smt","rel":"assessment-for"}]},{"id":"ac-24.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AC-24(02)[02]","class":"sp800-53a"}],"prose":"access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected).","links":[{"href":"#ac-24.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ac-24.2_smt","rel":"assessment-for"}]},{"id":"ac-24.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-24(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ac-24.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-24(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"ac-24.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-24(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]}]},{"id":"ac-25","class":"SP800-53","title":"Reference Monitor","params":[{"id":"ac-25_odp","props":[{"name":"alt-identifier","value":"ac-25_prm_1"},{"name":"label","value":"AC-25_ODP","class":"sp800-53a"}],"label":"access control policies","guidelines":[{"prose":"access control policies for which a reference monitor is implemented are defined;"}]}],"props":[{"name":"label","value":"AC-25"},{"name":"label","value":"AC-25","class":"sp800-53a"},{"name":"sort-id","value":"ac-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"ac-25_smt","name":"statement","prose":"Implement a reference monitor for {{ insert: param, ac-25_odp }} that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured."},{"id":"ac-25_gdn","name":"guidance","prose":"A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy."},{"id":"ac-25_obj","name":"assessment-objective","props":[{"name":"label","value":"AC-25","class":"sp800-53a"}],"prose":"a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.","links":[{"href":"#ac-25_smt","rel":"assessment-for"}]},{"id":"ac-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AC-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing access enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ac-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AC-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ac-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AC-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access enforcement functions"}]}]}]},{"id":"at","class":"family","title":"Awareness and Training","controls":[{"id":"at-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"at-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"at-01_odp.01","props":[{"name":"label","value":"AT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training policy is to be disseminated is\/are defined;"}]},{"id":"at-01_odp.02","props":[{"name":"label","value":"AT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the awareness and training procedures are to be disseminated is\/are defined;"}]},{"id":"at-01_odp.03","props":[{"name":"alt-identifier","value":"at-1_prm_2"},{"name":"label","value":"AT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"at-01_odp.04","props":[{"name":"alt-identifier","value":"at-1_prm_3"},{"name":"label","value":"AT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the awareness and training policy and procedures is defined;"}]},{"id":"at-01_odp.05","props":[{"name":"alt-identifier","value":"at-1_prm_4"},{"name":"label","value":"AT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training policy is reviewed and updated is defined;"}]},{"id":"at-01_odp.06","props":[{"name":"alt-identifier","value":"at-1_prm_5"},{"name":"label","value":"AT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current awareness and training policy to be reviewed and updated are defined;"}]},{"id":"at-01_odp.07","props":[{"name":"alt-identifier","value":"at-1_prm_6"},{"name":"label","value":"AT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current awareness and training procedures are reviewed and updated is defined;"}]},{"id":"at-01_odp.08","props":[{"name":"alt-identifier","value":"at-1_prm_7"},{"name":"label","value":"AT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AT-1"},{"name":"label","value":"AT-01","class":"sp800-53a"},{"name":"sort-id","value":"at-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-1_smt","name":"statement","parts":[{"id":"at-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:","parts":[{"id":"at-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, at-01_odp.03 }} awareness and training policy that:","parts":[{"id":"at-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"at-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"at-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;"}]},{"id":"at-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and"},{"id":"at-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current awareness and training:","parts":[{"id":"at-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }} ; and"},{"id":"at-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}."}]}]},{"id":"at-1_gdn","name":"guidance","prose":"Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"at-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[01]","class":"sp800-53a"}],"prose":"an awareness and training policy is developed and documented; ","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[02]","class":"sp800-53a"}],"prose":"the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[03]","class":"sp800-53a"}],"prose":"awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.[04]","class":"sp800-53a"}],"prose":"the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.","links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and","links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"at-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and","links":[{"href":"#at-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.a","rel":"assessment-for"}]},{"id":"at-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;","links":[{"href":"#at-1_smt.b","rel":"assessment-for"}]},{"id":"at-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[01]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.01[02]","class":"sp800-53a"}],"prose":"the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};","links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.1","rel":"assessment-for"}]},{"id":"at-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02","class":"sp800-53a"}],"parts":[{"id":"at-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[01]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]},{"id":"at-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-01c.02[02]","class":"sp800-53a"}],"prose":"the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.","links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-1_smt","rel":"assessment-for"}]},{"id":"at-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nawareness and training policy and procedures\n\nother relevant documents or records"}]},{"id":"at-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with awareness and training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2","class":"SP800-53","title":"Literacy Training and Awareness","params":[{"id":"at-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.02"}],"label":"organization-defined frequency"},{"id":"at-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-02_odp.04"}],"label":"organization-defined events"},{"id":"at-02_odp.01","props":[{"name":"label","value":"AT-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.02","props":[{"name":"label","value":"AT-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;"}]},{"id":"at-02_odp.03","props":[{"name":"label","value":"AT-02_ODP[03]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require security literacy training for system users are defined;"}]},{"id":"at-02_odp.04","props":[{"name":"label","value":"AT-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require privacy literacy training for system users are defined;"}]},{"id":"at-02_odp.05","props":[{"name":"alt-identifier","value":"at-2_prm_3"},{"name":"label","value":"AT-02_ODP[05]","class":"sp800-53a"}],"label":"awareness techniques","guidelines":[{"prose":"techniques to be employed to increase the security and privacy awareness of system users are defined;"}]},{"id":"at-02_odp.06","props":[{"name":"alt-identifier","value":"at-2_prm_4"},{"name":"label","value":"AT-02_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update literacy training and awareness content is defined;"}]},{"id":"at-02_odp.07","props":[{"name":"alt-identifier","value":"at-2_prm_5"},{"name":"label","value":"AT-02_ODP[07]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require literacy training and awareness content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-2"},{"name":"label","value":"AT-02","class":"sp800-53a"},{"name":"sort-id","value":"at-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#89f2a08d-fc49-46d0-856e-bf974c9b1573","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-16","rel":"related"}],"parts":[{"id":"at-2_smt","name":"statement","parts":[{"id":"at-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):","parts":[{"id":"at-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and"},{"id":"at-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes or following {{ insert: param, at-2_prm_2 }};"}]},{"id":"at-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};"},{"id":"at-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and"},{"id":"at-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques."}]},{"id":"at-2_gdn","name":"guidance","prose":"Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.\n\nAwareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[03]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.01[04]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;","links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.1","rel":"assessment-for"}]},{"id":"at-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[01]","class":"sp800-53a"}],"prose":"security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]},{"id":"at-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02a.02[02]","class":"sp800-53a"}],"prose":"privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};","links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.a","rel":"assessment-for"}]},{"id":"at-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02b.","class":"sp800-53a"}],"prose":"{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;","links":[{"href":"#at-2_smt.b","rel":"assessment-for"}]},{"id":"at-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.","class":"sp800-53a"}],"parts":[{"id":"at-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[01]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02c.[02]","class":"sp800-53a"}],"prose":"literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};","links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt.c","rel":"assessment-for"}]},{"id":"at-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AT-02d.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.","links":[{"href":"#at-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#at-2_smt","rel":"assessment-for"}]},{"id":"at-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nappropriate codes of federal regulations\n\nsecurity and privacy literacy training curriculum\n\nsecurity and privacy literacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel comprising the general system user community"}]},{"id":"at-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing information security and privacy literacy training"}]}],"controls":[{"id":"at-2.1","class":"SP800-53-enhancement","title":"Practical Exercises","props":[{"name":"label","value":"AT-2(1)"},{"name":"label","value":"AT-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"}],"parts":[{"id":"at-2.1_smt","name":"statement","prose":"Provide practical exercises in literacy training that simulate events and incidents."},{"id":"at-2.1_gdn","name":"guidance","prose":"Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links."},{"id":"at-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(01)","class":"sp800-53a"}],"prose":"practical exercises in literacy training that simulate events and incidents are provided.","links":[{"href":"#at-2.1_smt","rel":"assessment-for"}]},{"id":"at-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity awareness and training policy\n\nprocedures addressing security awareness training implementation\n\nsecurity awareness training curriculum\n\nsecurity awareness training materials\n\nother relevant documents or records"}]},{"id":"at-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for security awareness training\n\norganizational personnel with information security responsibilities"}]},{"id":"at-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cyber-attack simulations in practical exercises"}]}]},{"id":"at-2.2","class":"SP800-53-enhancement","title":"Insider Threat","props":[{"name":"label","value":"AT-2(2)"},{"name":"label","value":"AT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"at-2.2_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential indicators of insider threat."},{"id":"at-2.2_gdn","name":"guidance","prose":"Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations."},{"id":"at-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)","class":"sp800-53a"}],"parts":[{"id":"at-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential indicators of insider threat is provided;","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(02)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential indicators of insider threat is provided.","links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.2_smt","rel":"assessment-for"}]},{"id":"at-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.3","class":"SP800-53-enhancement","title":"Social Engineering and Mining","props":[{"name":"label","value":"AT-2(3)"},{"name":"label","value":"AT-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.3_smt","name":"statement","prose":"Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining."},{"id":"at-2.3_gdn","name":"guidance","prose":"Social engineering is an attempt to trick an individual into revealing information or taking an action that can be used to breach, compromise, or otherwise adversely impact a system. Social engineering includes phishing, pretexting, impersonation, baiting, quid pro quo, thread-jacking, social media exploitation, and tailgating. Social mining is an attempt to gather information about the organization that may be used to support future attacks. Literacy training includes information on how to communicate the concerns of employees and management regarding potential and actual instances of social engineering and data mining through organizational channels based on established policies and procedures."},{"id":"at-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)","class":"sp800-53a"}],"parts":[{"id":"at-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[01]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[02]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social engineering is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[03]","class":"sp800-53a"}],"prose":"literacy training on recognizing potential and actual instances of social mining is provided;","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"AT-02(03)[04]","class":"sp800-53a"}],"prose":"literacy training on reporting potential and actual instances of social mining is provided.","links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-2.3_smt","rel":"assessment-for"}]},{"id":"at-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.4","class":"SP800-53-enhancement","title":"Suspicious Communications and Anomalous System Behavior","params":[{"id":"at-02.04_odp","props":[{"name":"alt-identifier","value":"at-2.4_prm_1"},{"name":"label","value":"AT-02(04)_ODP","class":"sp800-53a"}],"label":"indicators of malicious code","guidelines":[{"prose":"indicators of malicious code are defined;"}]}],"props":[{"name":"label","value":"AT-2(4)"},{"name":"label","value":"AT-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.4_smt","name":"statement","prose":"Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}."},{"id":"at-2.4_gdn","name":"guidance","prose":"A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations."},{"id":"at-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(04)","class":"sp800-53a"}],"prose":"literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided.","links":[{"href":"#at-2.4_smt","rel":"assessment-for"}]},{"id":"at-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.5","class":"SP800-53-enhancement","title":"Advanced Persistent Threat","props":[{"name":"label","value":"AT-2(5)"},{"name":"label","value":"AT-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"}],"parts":[{"id":"at-2.5_smt","name":"statement","prose":"Provide literacy training on the advanced persistent threat."},{"id":"at-2.5_gdn","name":"guidance","prose":"An effective way to detect advanced persistent threats (APT) and to preclude successful attacks is to provide specific literacy training for individuals. Threat literacy training includes educating individuals on the various ways that APTs can infiltrate the organization (e.g., through websites, emails, advertisement pop-ups, articles, and social engineering). Effective training includes techniques for recognizing suspicious emails, use of removable systems in non-secure settings, and the potential targeting of individuals at home."},{"id":"at-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(05)","class":"sp800-53a"}],"prose":"literacy training on the advanced persistent threat is provided.","links":[{"href":"#at-2.5_smt","rel":"assessment-for"}]},{"id":"at-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"at-2.6","class":"SP800-53-enhancement","title":"Cyber Threat Environment","props":[{"name":"label","value":"AT-2(6)"},{"name":"label","value":"AT-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"at-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"at-2.6_smt","name":"statement","parts":[{"id":"at-2.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide literacy training on the cyber threat environment; and"},{"id":"at-2.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Reflect current cyber threat information in system operations."}]},{"id":"at-2.6_gdn","name":"guidance","prose":"Since threats continue to change over time, threat literacy training by the organization is dynamic. Moreover, threat literacy training is not performed in isolation from the system operations that support organizational mission and business functions."},{"id":"at-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)","class":"sp800-53a"}],"parts":[{"id":"at-2.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)(a)","class":"sp800-53a"}],"prose":"literacy training on the cyber threat environment is provided;","links":[{"href":"#at-2.6_smt.a","rel":"assessment-for"}]},{"id":"at-2.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-02(06)(b)","class":"sp800-53a"}],"prose":"system operations reflects current cyber threat information.","links":[{"href":"#at-2.6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-2.6_smt","rel":"assessment-for"}]},{"id":"at-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nliteracy training and awareness policy\n\nprocedures addressing literacy training and awareness training implementation\n\nliteracy training and awareness curriculum\n\nliteracy training and awareness materials\n\nother relevant documents or records"}]},{"id":"at-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel who receive literacy training and awareness\n\norganizational personnel with responsibilities for basic literacy training and awareness\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"at-3","class":"SP800-53","title":"Role-based Training","params":[{"id":"at-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"at-03_odp.02"}],"label":"organization-defined roles and responsibilities"},{"id":"at-03_odp.01","props":[{"name":"label","value":"AT-03_ODP[01]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based security training are defined;"}]},{"id":"at-03_odp.02","props":[{"name":"label","value":"AT-03_ODP[02]","class":"sp800-53a"}],"label":"roles and responsibilities","guidelines":[{"prose":"roles and responsibilities for role-based privacy training are defined;"}]},{"id":"at-03_odp.03","props":[{"name":"alt-identifier","value":"at-3_prm_2"},{"name":"label","value":"AT-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;"}]},{"id":"at-03_odp.04","props":[{"name":"alt-identifier","value":"at-3_prm_3"},{"name":"label","value":"AT-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update role-based training content is defined;"}]},{"id":"at-03_odp.05","props":[{"name":"alt-identifier","value":"at-3_prm_4"},{"name":"label","value":"AT-03_ODP[05]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require role-based training content to be updated are defined;"}]}],"props":[{"name":"label","value":"AT-3"},{"name":"label","value":"AT-03","class":"sp800-53a"},{"name":"sort-id","value":"at-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-22","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-13","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"at-3_smt","name":"statement","parts":[{"id":"at-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:","parts":[{"id":"at-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and"},{"id":"at-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes;"}]},{"id":"at-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }} ; and"},{"id":"at-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from internal or external security incidents or breaches into role-based training."}]},{"id":"at-3_gdn","name":"guidance","prose":"Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency\/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.\n\nComprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"at-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[03]","class":"sp800-53a"}],"prose":"role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.01[04]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;","links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.1","rel":"assessment-for"}]},{"id":"at-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[01]","class":"sp800-53a"}],"prose":"role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]},{"id":"at-3_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03a.02[02]","class":"sp800-53a"}],"prose":"role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;","links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.a","rel":"assessment-for"}]},{"id":"at-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.","class":"sp800-53a"}],"parts":[{"id":"at-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[01]","class":"sp800-53a"}],"prose":"role-based training content is updated {{ insert: param, at-03_odp.04 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03b.[02]","class":"sp800-53a"}],"prose":"role-based training content is updated following {{ insert: param, at-03_odp.05 }};","links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt.b","rel":"assessment-for"}]},{"id":"at-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AT-03c.","class":"sp800-53a"}],"prose":"lessons learned from internal or external security incidents or breaches are incorporated into role-based training.","links":[{"href":"#at-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#at-3_smt","rel":"assessment-for"}]},{"id":"at-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nsecurity and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\ncodes of federal regulations\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with assigned system security and privacy roles and responsibilities"}]},{"id":"at-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing role-based security and privacy training"}]}],"controls":[{"id":"at-3.1","class":"SP800-53-enhancement","title":"Environmental Controls","params":[{"id":"at-03.01_odp.01","props":[{"name":"alt-identifier","value":"at-3.1_prm_1"},{"name":"label","value":"AT-03(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;"}]},{"id":"at-03.01_odp.02","props":[{"name":"alt-identifier","value":"at-3.1_prm_2"},{"name":"label","value":"AT-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(1)"},{"name":"label","value":"AT-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pe-1","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-15","rel":"related"}],"parts":[{"id":"at-3.1_smt","name":"statement","prose":"Provide {{ insert: param, at-03.01_odp.01 }} with initial and {{ insert: param, at-03.01_odp.02 }} training in the employment and operation of environmental controls."},{"id":"at-3.1_gdn","name":"guidance","prose":"Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility."},{"id":"at-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(01)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls.","links":[{"href":"#at-3.1_smt","rel":"assessment-for"}]},{"id":"at-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating environmental controls"}]}]},{"id":"at-3.2","class":"SP800-53-enhancement","title":"Physical Security Controls","params":[{"id":"at-03.02_odp.01","props":[{"name":"alt-identifier","value":"at-3.2_prm_1"},{"name":"label","value":"AT-03(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is\/are defined;"}]},{"id":"at-03.02_odp.02","props":[{"name":"alt-identifier","value":"at-3.2_prm_2"},{"name":"label","value":"AT-03(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(2)"},{"name":"label","value":"AT-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"}],"parts":[{"id":"at-3.2_smt","name":"statement","prose":"Provide {{ insert: param, at-03.02_odp.01 }} with initial and {{ insert: param, at-03.02_odp.02 }} training in the employment and operation of physical security controls."},{"id":"at-3.2_gdn","name":"guidance","prose":"Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment."},{"id":"at-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(02)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.02_odp.01 }} is\/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls.","links":[{"href":"#at-3.2_smt","rel":"assessment-for"}]},{"id":"at-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training implementation\n\nsecurity and privacy training curriculum\n\nsecurity and privacy training materials\n\nsystem security plan\n\nprivacy plan\n\ntraining records\n\nother relevant documents or records"}]},{"id":"at-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel with responsibilities for employing and operating physical security controls"}]}]},{"id":"at-3.3","class":"SP800-53-enhancement","title":"Practical Exercises","props":[{"name":"label","value":"AT-3(3)"},{"name":"label","value":"AT-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"}],"parts":[{"id":"at-3.3_smt","name":"statement","prose":"Provide practical exercises in security and privacy training that reinforce training objectives."},{"id":"at-3.3_gdn","name":"guidance","prose":"Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments."},{"id":"at-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)","class":"sp800-53a"}],"parts":[{"id":"at-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)[01]","class":"sp800-53a"}],"prose":"practical exercises in security training that reinforce training objectives are provided;","links":[{"href":"#at-3.3_smt","rel":"assessment-for"}]},{"id":"at-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AT-03(03)[02]","class":"sp800-53a"}],"prose":"practical exercises in privacy training that reinforce training objectives are provided.","links":[{"href":"#at-3.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#at-3.3_smt","rel":"assessment-for"}]},{"id":"at-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsecurity and privacy awareness training reports and results\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]},{"id":"at-3.4","class":"SP800-53-enhancement","title":"Suspicious Communications and Anomalous System Behavior","props":[{"name":"label","value":"AT-3(4)"},{"name":"label","value":"AT-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#at-2.4","rel":"moved-to"}]},{"id":"at-3.5","class":"SP800-53-enhancement","title":"Processing Personally Identifiable Information","params":[{"id":"at-03.05_odp.01","props":[{"name":"alt-identifier","value":"at-3.5_prm_1"},{"name":"label","value":"AT-03(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is\/are defined;"}]},{"id":"at-03.05_odp.02","props":[{"name":"alt-identifier","value":"at-3.5_prm_2"},{"name":"label","value":"AT-03(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;"}]}],"props":[{"name":"label","value":"AT-3(5)"},{"name":"label","value":"AT-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"at-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-3","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"at-3.5_smt","name":"statement","prose":"Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and transparency controls."},{"id":"at-3.5_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, contracts, information sharing agreements, memoranda of understanding, and\/or other documentation."},{"id":"at-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.","links":[{"href":"#at-3.5_smt","rel":"assessment-for"}]},{"id":"at-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy awareness training implementation\n\nsecurity and privacy awareness training curriculum\n\nsecurity and privacy awareness training materials\n\nsystem security plan\n\nprivacy plan\n\norganizational privacy notices\n\norganizational policies\n\nsystem of records notices\n\nPrivacy Act statements\n\ncomputer matching agreements and notices\n\nprivacy impact assessments\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"at-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for role-based security and privacy training\n\norganizational personnel who participate in security and privacy awareness training"}]}]}]},{"id":"at-4","class":"SP800-53","title":"Training Records","params":[{"id":"at-04_odp","props":[{"name":"alt-identifier","value":"at-4_prm_1"},{"name":"label","value":"AT-04_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for retaining individual training records is defined;"}]}],"props":[{"name":"label","value":"AT-4"},{"name":"label","value":"AT-04","class":"sp800-53a"},{"name":"sort-id","value":"at-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"at-4_smt","name":"statement","parts":[{"id":"at-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and"},{"id":"at-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain individual training records for {{ insert: param, at-04_odp }}."}]},{"id":"at-4_gdn","name":"guidance","prose":"Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies."},{"id":"at-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-04","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.","class":"sp800-53a"}],"parts":[{"id":"at-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[01]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AT-04a.[02]","class":"sp800-53a"}],"prose":"information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;","links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt.a","rel":"assessment-for"}]},{"id":"at-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AT-04b.","class":"sp800-53a"}],"prose":"individual training records are retained for {{ insert: param, at-04_odp }}.","links":[{"href":"#at-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#at-4_smt","rel":"assessment-for"}]},{"id":"at-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy awareness and training policy\n\nprocedures addressing security and privacy training records\n\nsecurity and privacy awareness and training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"at-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy training record retention responsibilities"}]},{"id":"at-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security and privacy training records"}]}]},{"id":"at-5","class":"SP800-53","title":"Contacts with Security Groups and Associations","props":[{"name":"label","value":"AT-5"},{"name":"label","value":"AT-05","class":"sp800-53a"},{"name":"sort-id","value":"at-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pm-15","rel":"incorporated-into"}]},{"id":"at-6","class":"SP800-53","title":"Training Feedback","params":[{"id":"at-06_odp.01","props":[{"name":"alt-identifier","value":"at-6_prm_1"},{"name":"label","value":"AT-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide feedback on organizational training results is defined;"}]},{"id":"at-06_odp.02","props":[{"name":"alt-identifier","value":"at-6_prm_2"},{"name":"label","value":"AT-06_ODP[02]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom feedback on organizational training results will be provided is\/are assigned;"}]}],"props":[{"name":"label","value":"AT-6"},{"name":"label","value":"AT-06","class":"sp800-53a"},{"name":"sort-id","value":"at-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"at-6_smt","name":"statement","prose":"Provide feedback on organizational training results to the following personnel {{ insert: param, at-06_odp.01 }}: {{ insert: param, at-06_odp.02 }}."},{"id":"at-6_gdn","name":"guidance","prose":"Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in [AT-2b](#at-2_smt.b) and [AT-3b](#at-3_smt.b)."},{"id":"at-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AT-06","class":"sp800-53a"}],"prose":"feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}.","links":[{"href":"#at-6_smt","rel":"assessment-for"}]},{"id":"at-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security awareness and training policy\n\nprocedures addressing security training records\n\nsecurity awareness and training records\n\nsecurity plan\n\nother relevant documents or records"}]},{"id":"at-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security training record retention responsibilities"}]},{"id":"at-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the management of security training records"}]}]}]},{"id":"au","class":"family","title":"Audit and Accountability","controls":[{"id":"au-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"au-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"au-01_odp.01","props":[{"name":"label","value":"AU-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability policy is to be disseminated is\/are defined;"}]},{"id":"au-01_odp.02","props":[{"name":"label","value":"AU-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the audit and accountability procedures are to be disseminated is\/are defined;"}]},{"id":"au-01_odp.03","props":[{"name":"alt-identifier","value":"au-1_prm_2"},{"name":"label","value":"AU-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"au-01_odp.04","props":[{"name":"alt-identifier","value":"au-1_prm_3"},{"name":"label","value":"AU-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the audit and accountability policy and procedures is defined;"}]},{"id":"au-01_odp.05","props":[{"name":"alt-identifier","value":"au-1_prm_4"},{"name":"label","value":"AU-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability policy is reviewed and updated is defined;"}]},{"id":"au-01_odp.06","props":[{"name":"alt-identifier","value":"au-1_prm_5"},{"name":"label","value":"AU-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current audit and accountability policy to be reviewed and updated are defined;"}]},{"id":"au-01_odp.07","props":[{"name":"alt-identifier","value":"au-1_prm_6"},{"name":"label","value":"AU-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current audit and accountability procedures are reviewed and updated is defined;"}]},{"id":"au-01_odp.08","props":[{"name":"alt-identifier","value":"au-1_prm_7"},{"name":"label","value":"AU-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require audit and accountability procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"AU-1"},{"name":"label","value":"AU-01","class":"sp800-53a"},{"name":"sort-id","value":"au-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-1_smt","name":"statement","parts":[{"id":"au-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, au-1_prm_1 }}:","parts":[{"id":"au-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, au-01_odp.03 }} audit and accountability policy that:","parts":[{"id":"au-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"au-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"au-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;"}]},{"id":"au-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, au-01_odp.04 }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and"},{"id":"au-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current audit and accountability:","parts":[{"id":"au-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, au-01_odp.05 }} and following {{ insert: param, au-01_odp.06 }} ; and"},{"id":"au-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, au-01_odp.07 }} and following {{ insert: param, au-01_odp.08 }}."}]}]},{"id":"au-1_gdn","name":"guidance","prose":"Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"au-1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[01]","class":"sp800-53a"}],"prose":"an audit and accountability policy is developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[02]","class":"sp800-53a"}],"prose":"the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[03]","class":"sp800-53a"}],"prose":"audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.[04]","class":"sp800-53a"}],"prose":"the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};","links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;","links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"au-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.a","rel":"assessment-for"}]},{"id":"au-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;","links":[{"href":"#au-1_smt.b","rel":"assessment-for"}]},{"id":"au-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[01]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.01[02]","class":"sp800-53a"}],"prose":"the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};","links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.1","rel":"assessment-for"}]},{"id":"au-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02","class":"sp800-53a"}],"parts":[{"id":"au-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[01]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]},{"id":"au-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"AU-01c.02[02]","class":"sp800-53a"}],"prose":"the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.","links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-1_smt","rel":"assessment-for"}]},{"id":"au-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-2","class":"SP800-53","title":"Event Logging","params":[{"id":"au-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"au-02_odp.03"}],"label":"organization-defined event types (subset of the event types defined in [AU-2a.](#au-2_smt.a)) along with the frequency of (or situation requiring) logging for each identified event type"},{"id":"au-02_odp.01","props":[{"name":"alt-identifier","value":"au-2_prm_1"},{"name":"alt-label","value":"event types that the system is capable of logging","class":"sp800-53"},{"name":"label","value":"AU-02_ODP[01]","class":"sp800-53a"}],"label":"event types","guidelines":[{"prose":"the event types that the system is capable of logging in support of the audit function are defined;"}]},{"id":"au-02_odp.02","props":[{"name":"label","value":"AU-02_ODP[02]","class":"sp800-53a"}],"label":"event types (subset of AU-02_ODP[01])","guidelines":[{"prose":"the event types (subset of AU-02_ODP[01]) for logging within the system are defined;"}]},{"id":"au-02_odp.03","props":[{"name":"label","value":"AU-02_ODP[03]","class":"sp800-53a"}],"label":"frequency or situation","guidelines":[{"prose":"the frequency or situation requiring logging for each specified event type is defined;"}]},{"id":"au-02_odp.04","props":[{"name":"alt-identifier","value":"au-2_prm_3"},{"name":"label","value":"AU-02_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of event types selected for logging are reviewed and updated;"}]}],"props":[{"name":"label","value":"AU-2"},{"name":"label","value":"AU-02","class":"sp800-53a"},{"name":"sort-id","value":"au-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-21","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-2_smt","name":"statement","parts":[{"id":"au-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, au-02_odp.01 }};"},{"id":"au-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"},{"id":"au-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Specify the following event types for logging within the system: {{ insert: param, au-2_prm_2 }};"},{"id":"au-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and"},{"id":"au-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Review and update the event types selected for logging {{ insert: param, au-02_odp.04 }}."}]},{"id":"au-2_gdn","name":"guidance","prose":"An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.\n\nTo balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.\n\nEvent logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include [AC-2(4)](#ac-2.4), [AC-3(10)](#ac-3.10), [AC-6(9)](#ac-6.9), [AC-17(1)](#ac-17.1), [CM-3f](#cm-3_smt.f), [CM-5(1)](#cm-5.1), [IA-3(3)(b)](#ia-3.3_smt.b), [MA-4(1)](#ma-4.1), [MP-4(2)](#mp-4.2), [PE-3](#pe-3), [PM-21](#pm-21), [PT-7](#pt-7), [RA-8](#ra-8), [SC-7(9)](#sc-7.9), [SC-7(15)](#sc-7.15), [SI-3(8)](#si-3.8), [SI-4(22)](#si-4.22), [SI-7(8)](#si-7.8) , and [SI-10(1)](#si-10.1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures."},{"id":"au-2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-02","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-02a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;","links":[{"href":"#au-2_smt.a","rel":"assessment-for"}]},{"id":"au-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-02b.","class":"sp800-53a"}],"prose":"the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;","links":[{"href":"#au-2_smt.b","rel":"assessment-for"}]},{"id":"au-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.","class":"sp800-53a"}],"parts":[{"id":"au-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, au-02_odp.02 }} are specified for logging within the system;","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"AU-02c.[02]","class":"sp800-53a"}],"prose":"the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};","links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt.c","rel":"assessment-for"}]},{"id":"au-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-02d.","class":"sp800-53a"}],"prose":"a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;","links":[{"href":"#au-2_smt.d","rel":"assessment-for"}]},{"id":"au-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-02e.","class":"sp800-53a"}],"prose":"the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.","links":[{"href":"#au-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#au-2_smt","rel":"assessment-for"}]},{"id":"au-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing auditable events\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem auditable events\n\nother relevant documents or records"}]},{"id":"au-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing"}]}],"controls":[{"id":"au-2.1","class":"SP800-53-enhancement","title":"Compilation of Audit Records from Multiple Sources","props":[{"name":"label","value":"AU-2(1)"},{"name":"label","value":"AU-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-12","rel":"incorporated-into"}]},{"id":"au-2.2","class":"SP800-53-enhancement","title":"Selection of Audit Events by Component","props":[{"name":"label","value":"AU-2(2)"},{"name":"label","value":"AU-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-12","rel":"incorporated-into"}]},{"id":"au-2.3","class":"SP800-53-enhancement","title":"Reviews and Updates","props":[{"name":"label","value":"AU-2(3)"},{"name":"label","value":"AU-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-2","rel":"incorporated-into"}]},{"id":"au-2.4","class":"SP800-53-enhancement","title":"Privileged Functions","props":[{"name":"label","value":"AU-2(4)"},{"name":"label","value":"AU-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.9","rel":"incorporated-into"}]}]},{"id":"au-3","class":"SP800-53","title":"Content of Audit Records","props":[{"name":"label","value":"AU-3"},{"name":"label","value":"AU-03","class":"sp800-53a"},{"name":"sort-id","value":"au-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"au-3_smt","name":"statement","prose":"Ensure that audit records contain information that establishes the following:","parts":[{"id":"au-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"What type of event occurred;"},{"id":"au-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"When the event occurred;"},{"id":"au-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Where the event occurred;"},{"id":"au-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Source of the event;"},{"id":"au-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Outcome of the event; and"},{"id":"au-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identity of any individuals, subjects, or objects\/entities associated with the event."}]},{"id":"au-3_gdn","name":"guidance","prose":"Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage."},{"id":"au-3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03","class":"sp800-53a"}],"parts":[{"id":"au-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-03a.","class":"sp800-53a"}],"prose":"audit records contain information that establishes what type of event occurred;","links":[{"href":"#au-3_smt.a","rel":"assessment-for"}]},{"id":"au-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-03b.","class":"sp800-53a"}],"prose":"audit records contain information that establishes when the event occurred;","links":[{"href":"#au-3_smt.b","rel":"assessment-for"}]},{"id":"au-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-03c.","class":"sp800-53a"}],"prose":"audit records contain information that establishes where the event occurred;","links":[{"href":"#au-3_smt.c","rel":"assessment-for"}]},{"id":"au-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"AU-03d.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the source of the event;","links":[{"href":"#au-3_smt.d","rel":"assessment-for"}]},{"id":"au-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"AU-03e.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the outcome of the event;","links":[{"href":"#au-3_smt.e","rel":"assessment-for"}]},{"id":"au-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"AU-03f.","class":"sp800-53a"}],"prose":"audit records contain information that establishes the identity of any individuals, subjects, or objects\/entities associated with the event.","links":[{"href":"#au-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#au-3_smt","rel":"assessment-for"}]},{"id":"au-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nsystem incident reports\n\nother relevant documents or records"}]},{"id":"au-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system auditing of auditable events"}]}],"controls":[{"id":"au-3.1","class":"SP800-53-enhancement","title":"Additional Audit Information","params":[{"id":"au-03.01_odp","props":[{"name":"alt-identifier","value":"au-3.1_prm_1"},{"name":"label","value":"AU-03(01)_ODP","class":"sp800-53a"}],"label":"additional information","guidelines":[{"prose":"additional information to be included in audit records is defined;"}]}],"props":[{"name":"label","value":"AU-3(1)"},{"name":"label","value":"AU-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"required"}],"parts":[{"id":"au-3.1_smt","name":"statement","prose":"Generate audit records containing the following additional information: {{ insert: param, au-03.01_odp }}."},{"id":"au-3.1_gdn","name":"guidance","prose":"The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy."},{"id":"au-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(01)","class":"sp800-53a"}],"prose":"generated audit records contain the following {{ insert: param, au-03.01_odp }}.","links":[{"href":"#au-3.1_smt","rel":"assessment-for"}]},{"id":"au-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing content of audit records\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]},{"id":"au-3.2","class":"SP800-53-enhancement","title":"Centralized Management of Planned Audit Record Content","props":[{"name":"label","value":"AU-3(2)"},{"name":"label","value":"AU-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"au-3.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"au-03.03_odp","props":[{"name":"alt-identifier","value":"au-3.3_prm_1"},{"name":"label","value":"AU-03(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment are defined;"}]}],"props":[{"name":"label","value":"AU-3(3)"},{"name":"label","value":"AU-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"au-3.3_smt","name":"statement","prose":"Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: {{ insert: param, au-03.03_odp }}."},{"id":"au-3.3_gdn","name":"guidance","prose":"Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"au-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-03(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.","links":[{"href":"#au-3.3_smt","rel":"assessment-for"}]},{"id":"au-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprivacy risk assessment\n\nprivacy risk assessment results\n\nprocedures addressing content of audit records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of organization-defined auditable events\n\nsystem audit records\n\nthird party contracts\n\nother relevant documents or records"}]},{"id":"au-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system audit capability"}]}]}]},{"id":"au-4","class":"SP800-53","title":"Audit Log Storage Capacity","params":[{"id":"au-04_odp","props":[{"name":"alt-identifier","value":"au-4_prm_1"},{"name":"label","value":"AU-04_ODP","class":"sp800-53a"}],"label":"audit log retention requirements","guidelines":[{"prose":"audit log retention requirements are defined;"}]}],"props":[{"name":"label","value":"AU-4"},{"name":"label","value":"AU-04","class":"sp800-53a"},{"name":"sort-id","value":"au-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-4_smt","name":"statement","prose":"Allocate audit log storage capacity to accommodate {{ insert: param, au-04_odp }}."},{"id":"au-4_gdn","name":"guidance","prose":"Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability."},{"id":"au-4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04","class":"sp800-53a"}],"prose":"audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.","links":[{"href":"#au-4_smt","rel":"assessment-for"}]},{"id":"au-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit storage capacity\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record storage requirements\n\naudit record storage capability for system components\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit record storage capacity and related configuration settings"}]}],"controls":[{"id":"au-4.1","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage","params":[{"id":"au-04.01_odp","props":[{"name":"alt-identifier","value":"au-4.1_prm_1"},{"name":"label","value":"AU-04(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;"}]}],"props":[{"name":"label","value":"AU-4(1)"},{"name":"label","value":"AU-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-4","rel":"required"}],"parts":[{"id":"au-4.1_smt","name":"statement","prose":"Transfer audit logs {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging."},{"id":"au-4.1_gdn","name":"guidance","prose":"Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to [AU-9(2)](#au-9.2) in that audit logs are transferred to a different entity. However, the purpose of selecting [AU-9(2)](#au-9.2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs."},{"id":"au-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-04(01)","class":"sp800-53a"}],"prose":"audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.","links":[{"href":"#au-4.1_smt","rel":"assessment-for"}]},{"id":"au-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit storage capacity\n\nprocedures addressing transfer of system audit records to secondary or alternate systems\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogs of audit record transfers to secondary or alternate systems\n\nsystem audit records transferred to secondary or alternate systems\n\nother relevant documents or records"}]},{"id":"au-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit storage capacity planning responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the transfer of audit records onto a different system"}]}]}]},{"id":"au-5","class":"SP800-53","title":"Response to Audit Logging Process Failures","params":[{"id":"au-05_odp.01","props":[{"name":"alt-identifier","value":"au-5_prm_1"},{"name":"label","value":"AU-05_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles receiving audit logging process failure alerts are defined;"}]},{"id":"au-05_odp.02","props":[{"name":"alt-identifier","value":"au-5_prm_2"},{"name":"label","value":"AU-05_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel or roles receiving audit logging process failure alerts is defined;"}]},{"id":"au-05_odp.03","props":[{"name":"alt-identifier","value":"au-5_prm_3"},{"name":"label","value":"AU-05_ODP[03]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken in the event of an audit logging process failure are defined;"}]}],"props":[{"name":"label","value":"AU-5"},{"name":"label","value":"AU-05","class":"sp800-53a"},{"name":"sort-id","value":"au-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-5_smt","name":"statement","parts":[{"id":"au-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Alert {{ insert: param, au-05_odp.01 }} within {{ insert: param, au-05_odp.02 }} in the event of an audit logging process failure; and"},{"id":"au-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following additional actions: {{ insert: param, au-05_odp.03 }}."}]},{"id":"au-5_gdn","name":"guidance","prose":"Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel."},{"id":"au-5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05","class":"sp800-53a"}],"parts":[{"id":"au-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-05a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};","links":[{"href":"#au-5_smt.a","rel":"assessment-for"}]},{"id":"au-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.","links":[{"href":"#au-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-5_smt","rel":"assessment-for"}]},{"id":"au-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nlist of personnel to be notified in case of an audit processing failure\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing system response to audit processing failures"}]}],"controls":[{"id":"au-5.1","class":"SP800-53-enhancement","title":"Storage Capacity Warning","params":[{"id":"au-05.01_odp.01","props":[{"name":"alt-identifier","value":"au-5.1_prm_1"},{"name":"label","value":"AU-05(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity."}]},{"id":"au-05.01_odp.02","props":[{"name":"alt-identifier","value":"au-5.1_prm_2"},{"name":"label","value":"AU-05(01)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for defined personnel, roles, and\/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;"}]},{"id":"au-05.01_odp.03","props":[{"name":"alt-identifier","value":"au-5.1_prm_3"},{"name":"label","value":"AU-05(01)_ODP[03]","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"percentage of repository maximum audit log storage capacity is defined;"}]}],"props":[{"name":"label","value":"AU-5(1)"},{"name":"label","value":"AU-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.1_smt","name":"statement","prose":"Provide a warning to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."},{"id":"au-5.1_gdn","name":"guidance","prose":"Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities."},{"id":"au-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(01)","class":"sp800-53a"}],"prose":"a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.","links":[{"href":"#au-5.1_smt","rel":"assessment-for"}]},{"id":"au-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy system configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit storage limit warnings"}]}]},{"id":"au-5.2","class":"SP800-53-enhancement","title":"Real-time Alerts","params":[{"id":"au-05.02_odp.01","props":[{"name":"alt-identifier","value":"au-5.2_prm_1"},{"name":"label","value":"AU-05(02)_ODP[01]","class":"sp800-53a"}],"label":"real-time period","guidelines":[{"prose":"real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;"}]},{"id":"au-05.02_odp.02","props":[{"name":"alt-identifier","value":"au-5.2_prm_2"},{"name":"label","value":"AU-05(02)_ODP[02]","class":"sp800-53a"}],"label":"personnel, roles, and\/or locations","guidelines":[{"prose":"personnel, roles, and\/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is\/are defined;"}]},{"id":"au-05.02_odp.03","props":[{"name":"alt-identifier","value":"au-5.2_prm_3"},{"name":"label","value":"AU-05(02)_ODP[03]","class":"sp800-53a"}],"label":"audit logging failure events requiring real-time alerts","guidelines":[{"prose":"audit logging failure events requiring real-time alerts are defined;"}]}],"props":[{"name":"label","value":"AU-5(2)"},{"name":"label","value":"AU-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.2_smt","name":"statement","prose":"Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}."},{"id":"au-5.2_gdn","name":"guidance","prose":"Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less)."},{"id":"au-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(02)","class":"sp800-53a"}],"prose":"an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.","links":[{"href":"#au-5.2_smt","rel":"assessment-for"}]},{"id":"au-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]},{"id":"au-5.3","class":"SP800-53-enhancement","title":"Configurable Traffic Volume Thresholds","params":[{"id":"au-05.03_odp","props":[{"name":"alt-identifier","value":"au-5.3_prm_1"},{"name":"label","value":"AU-05(03)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["reject","delay"]}}],"props":[{"name":"label","value":"AU-5(3)"},{"name":"label","value":"AU-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"}],"parts":[{"id":"au-5.3_smt","name":"statement","prose":"Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and {{ insert: param, au-05.03_odp }} network traffic above those thresholds."},{"id":"au-5.3_gdn","name":"guidance","prose":"Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity."},{"id":"au-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)","class":"sp800-53a"}],"parts":[{"id":"au-5.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)[01]","class":"sp800-53a"}],"prose":"configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;","links":[{"href":"#au-5.3_smt","rel":"assessment-for"}]},{"id":"au-5.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-05(03)[02]","class":"sp800-53a"}],"prose":"network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds.","links":[{"href":"#au-5.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-5.3_smt","rel":"assessment-for"}]},{"id":"au-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]}]},{"id":"au-5.4","class":"SP800-53-enhancement","title":"Shutdown on Failure","params":[{"id":"au-05.04_odp.01","props":[{"name":"alt-identifier","value":"au-5.4_prm_1"},{"name":"label","value":"AU-05(04)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["full system shutdown","partial system shutdown","degraded operational mode with limited mission or business functionality available"]}},{"id":"au-05.04_odp.02","props":[{"name":"alt-identifier","value":"au-5.4_prm_2"},{"name":"label","value":"AU-05(04)_ODP[02]","class":"sp800-53a"}],"label":"audit logging failures","guidelines":[{"prose":"audit logging failures that trigger a change in operational mode are defined;"}]}],"props":[{"name":"label","value":"AU-5(4)"},{"name":"label","value":"AU-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-5","rel":"required"},{"href":"#au-15","rel":"related"}],"parts":[{"id":"au-5.4_smt","name":"statement","prose":"Invoke a {{ insert: param, au-05.04_odp.01 }} in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists."},{"id":"au-5.4_gdn","name":"guidance","prose":"Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives."},{"id":"au-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(04)","class":"sp800-53a"}],"prose":"{{ insert: param, au-05.04_odp.01 }} is\/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists.","links":[{"href":"#au-5.4_smt","rel":"assessment-for"}]},{"id":"au-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability invoking system shutdown or degraded operational mode in the event of an audit processing failure"}]}]},{"id":"au-5.5","class":"SP800-53-enhancement","title":"Alternate Audit Logging Capability","params":[{"id":"au-05.05_odp","props":[{"name":"alt-identifier","value":"au-5.5_prm_1"},{"name":"label","value":"AU-05(05)_ODP","class":"sp800-53a"}],"label":"alternate audit logging functionality","guidelines":[{"prose":"an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;"}]}],"props":[{"name":"label","value":"AU-5(5)"},{"name":"label","value":"AU-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-5","rel":"required"},{"href":"#au-9","rel":"related"}],"parts":[{"id":"au-5.5_smt","name":"statement","prose":"Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}."},{"id":"au-5.5_gdn","name":"guidance","prose":"Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure."},{"id":"au-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-05(05)","class":"sp800-53a"}],"prose":"an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}.","links":[{"href":"#au-5.5_smt","rel":"assessment-for"}]},{"id":"au-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing response to audit processing failures\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Alternate audit logging capability"}]}]}]},{"id":"au-6","class":"SP800-53","title":"Audit Record Review, Analysis, and Reporting","params":[{"id":"au-06_odp.01","props":[{"name":"alt-identifier","value":"au-6_prm_1"},{"name":"label","value":"AU-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which system audit records are reviewed and analyzed is defined;"}]},{"id":"au-06_odp.02","props":[{"name":"alt-identifier","value":"au-6_prm_2"},{"name":"label","value":"AU-06_ODP[02]","class":"sp800-53a"}],"label":"inappropriate or unusual activity","guidelines":[{"prose":"inappropriate or unusual activity is defined;"}]},{"id":"au-06_odp.03","props":[{"name":"alt-identifier","value":"au-6_prm_3"},{"name":"label","value":"AU-06_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive findings from reviews and analyses of system records is\/are defined;"}]}],"props":[{"name":"label","value":"AU-6"},{"name":"label","value":"AU-06","class":"sp800-53a"},{"name":"sort-id","value":"au-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"au-6_smt","name":"statement","parts":[{"id":"au-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and analyze system audit records {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"},{"id":"au-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report findings to {{ insert: param, au-06_odp.03 }} ; and"},{"id":"au-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."}]},{"id":"au-6_gdn","name":"guidance","prose":"Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and\/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received."},{"id":"au-6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06","class":"sp800-53a"}],"parts":[{"id":"au-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-06a.","class":"sp800-53a"}],"prose":"system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;","links":[{"href":"#au-6_smt.a","rel":"assessment-for"}]},{"id":"au-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-06b.","class":"sp800-53a"}],"prose":"findings are reported to {{ insert: param, au-06_odp.03 }};","links":[{"href":"#au-6_smt.b","rel":"assessment-for"}]},{"id":"au-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-06c.","class":"sp800-53a"}],"prose":"the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.","links":[{"href":"#au-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-6_smt","rel":"assessment-for"}]},{"id":"au-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nreports of audit findings\n\nrecords of actions taken in response to reviews\/analyses of audit records\n\nother relevant documents or records"}]},{"id":"au-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"au-6.1","class":"SP800-53-enhancement","title":"Automated Process Integration","params":[{"id":"au-06.01_odp","props":[{"name":"alt-identifier","value":"au-6.1_prm_1"},{"name":"label","value":"AU-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;"}]}],"props":[{"name":"label","value":"AU-6(1)"},{"name":"label","value":"AU-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-7","rel":"related"}],"parts":[{"id":"au-6.1_smt","name":"statement","prose":"Integrate audit record review, analysis, and reporting processes using {{ insert: param, au-06.01_odp }}."},{"id":"au-6.1_gdn","name":"guidance","prose":"Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits."},{"id":"au-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(01)","class":"sp800-53a"}],"prose":"audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.","links":[{"href":"#au-6.1_smt","rel":"assessment-for"}]},{"id":"au-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing investigation and response to suspicious activities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms integrating audit review, analysis, and reporting processes"}]}]},{"id":"au-6.2","class":"SP800-53-enhancement","title":"Automated Security Alerts","props":[{"name":"label","value":"AU-6(2)"},{"name":"label","value":"AU-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"au-6.3","class":"SP800-53-enhancement","title":"Correlate Audit Record Repositories","props":[{"name":"label","value":"AU-6(3)"},{"name":"label","value":"AU-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.3_smt","name":"statement","prose":"Analyze and correlate audit records across different repositories to gain organization-wide situational awareness."},{"id":"au-6.3_gdn","name":"guidance","prose":"Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission\/business process level, and information system level) and supports cross-organization awareness."},{"id":"au-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(03)","class":"sp800-53a"}],"prose":"audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.","links":[{"href":"#au-6.3_smt","rel":"assessment-for"}]},{"id":"au-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records across different repositories\n\nother relevant documents or records"}]},{"id":"au-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the analysis and correlation of audit records"}]}]},{"id":"au-6.4","class":"SP800-53-enhancement","title":"Central Review and Analysis","props":[{"name":"label","value":"AU-6(4)"},{"name":"label","value":"AU-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-6.4_smt","name":"statement","prose":"Provide and implement the capability to centrally review and analyze audit records from multiple components within the system."},{"id":"au-6.4_gdn","name":"guidance","prose":"Automated mechanisms for centralized reviews and analyses include Security Information and Event Management products."},{"id":"au-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)","class":"sp800-53a"}],"parts":[{"id":"au-6.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)[01]","class":"sp800-53a"}],"prose":"the capability to centrally review and analyze audit records from multiple components within the system is provided;","links":[{"href":"#au-6.4_smt","rel":"assessment-for"}]},{"id":"au-6.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-06(04)[02]","class":"sp800-53a"}],"prose":"the capability to centrally review and analyze audit records from multiple components within the system is implemented.","links":[{"href":"#au-6.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-6.4_smt","rel":"assessment-for"}]},{"id":"au-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability to centralize review and analysis of audit records"}]}]},{"id":"au-6.5","class":"SP800-53-enhancement","title":"Integrated Analysis of Audit Records","params":[{"id":"au-06.05_odp.01","props":[{"name":"alt-identifier","value":"au-6.5_prm_1"},{"name":"label","value":"AU-06(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["vulnerability scanning information","performance data","system monitoring information","{{ insert: param, au-06.05_odp.02 }} "]}},{"id":"au-06.05_odp.02","props":[{"name":"alt-identifier","value":"au-6.5_prm_2"},{"name":"label","value":"AU-06(05)_ODP[02]","class":"sp800-53a"}],"label":"data\/information collected from other sources","guidelines":[{"prose":"data\/information collected from other sources to be analyzed is defined (if selected);"}]}],"props":[{"name":"label","value":"AU-6(5)"},{"name":"label","value":"AU-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-12","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"au-6.5_smt","name":"statement","prose":"Integrate analysis of audit records with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."},{"id":"au-6.5_gdn","name":"guidance","prose":"Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations."},{"id":"au-6.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(05)","class":"sp800-53a"}],"prose":"analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.","links":[{"href":"#au-6.5_smt","rel":"assessment-for"}]},{"id":"au-6.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrated analysis of audit records, vulnerability scanning information, performance data, network monitoring information, and associated documentation\n\nother relevant documents or records"}]},{"id":"au-6.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to integrate analysis of audit records with analysis of data\/information sources"}]}]},{"id":"au-6.6","class":"SP800-53-enhancement","title":"Correlation with Physical Monitoring","props":[{"name":"label","value":"AU-6(6)"},{"name":"label","value":"AU-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.6_smt","name":"statement","prose":"Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."},{"id":"au-6.6_gdn","name":"guidance","prose":"The correlation of physical audit record information and the audit records from systems may assist organizations in identifying suspicious behavior or supporting evidence of such behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional physical security information that the individual was present at the facility when the logical access occurred may be useful in investigations."},{"id":"au-6.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(06)","class":"sp800-53a"}],"prose":"information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.","links":[{"href":"#au-6.6_smt","rel":"assessment-for"}]},{"id":"au-6.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and physical access monitoring records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to correlate information from audit records with information from monitoring physical access"}]}]},{"id":"au-6.7","class":"SP800-53-enhancement","title":"Permitted Actions","params":[{"id":"au-06.07_odp","props":[{"name":"alt-identifier","value":"au-6.7_prm_1"},{"name":"label","value":"AU-06(07)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["system process","role","user"]}}],"props":[{"name":"label","value":"AU-6(7)"},{"name":"label","value":"AU-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"}],"parts":[{"id":"au-6.7_smt","name":"statement","prose":"Specify the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information."},{"id":"au-6.7_gdn","name":"guidance","prose":"Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete."},{"id":"au-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(07)","class":"sp800-53a"}],"prose":"the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.","links":[{"href":"#au-6.7_smt","rel":"assessment-for"}]},{"id":"au-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing process, role and\/or user permitted actions from audit review, analysis, and reporting\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting permitted actions for the review, analysis, and reporting of audit information"}]}]},{"id":"au-6.8","class":"SP800-53-enhancement","title":"Full Text Analysis of Privileged Commands","props":[{"name":"label","value":"AU-6(8)"},{"name":"label","value":"AU-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#au-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-6.8_smt","name":"statement","prose":"Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis."},{"id":"au-6.8_gdn","name":"guidance","prose":"Full text analysis of privileged commands requires a distinct environment for the analysis of audit record information related to privileged users without compromising such information on the system where the users have elevated privileges, including the capability to execute privileged commands. Full text analysis refers to analysis that considers the full text of privileged commands (i.e., commands and parameters) as opposed to analysis that considers only the name of the command. Full text analysis includes the use of pattern matching and heuristics."},{"id":"au-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(08)","class":"sp800-53a"}],"prose":"a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.","links":[{"href":"#au-6.8_smt","rel":"assessment-for"}]},{"id":"au-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntext analysis tools and techniques\n\ntext analysis documentation of audited privileged commands\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"au-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the capability to perform a full text analysis of audited privilege commands"}]}]},{"id":"au-6.9","class":"SP800-53-enhancement","title":"Correlation with Information from Nontechnical Sources","props":[{"name":"label","value":"AU-6(9)"},{"name":"label","value":"AU-06(09)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-6","rel":"required"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"au-6.9_smt","name":"statement","prose":"Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness."},{"id":"au-6.9_gdn","name":"guidance","prose":"Nontechnical sources include records that document organizational policy violations related to harassment incidents and the improper use of information assets. Such information can lead to a directed analytical effort to detect potential malicious insider activity. Organizations limit access to information that is available from nontechnical sources due to its sensitive nature. Limited access minimizes the potential for inadvertent release of privacy-related information to individuals who do not have a need to know. The correlation of information from nontechnical sources with audit record information generally occurs only when individuals are suspected of being involved in an incident. Organizations obtain legal advice prior to initiating such actions."},{"id":"au-6.9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-06(09)","class":"sp800-53a"}],"prose":"information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.","links":[{"href":"#au-6.9_smt","rel":"assessment-for"}]},{"id":"au-6.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-06(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit review, analysis, and reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing evidence of correlated information obtained from audit records and organization-defined non-technical sources\n\nlist of information types from non-technical sources for correlation with audit information\n\nother relevant documents or records"}]},{"id":"au-6.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-06(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit review, analysis, and reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-6.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-06(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing capability to correlate information from non-technical sources"}]}]},{"id":"au-6.10","class":"SP800-53-enhancement","title":"Audit Level Adjustment","props":[{"name":"label","value":"AU-6(10)"},{"name":"label","value":"AU-06(10)","class":"sp800-53a"},{"name":"sort-id","value":"au-06.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-6","rel":"incorporated-into"}]}]},{"id":"au-7","class":"SP800-53","title":"Audit Record Reduction and Report Generation","props":[{"name":"label","value":"AU-7"},{"name":"label","value":"AU-07","class":"sp800-53a"},{"name":"sort-id","value":"au-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-7_smt","name":"statement","prose":"Provide and implement an audit record reduction and report generation capability that:","parts":[{"id":"au-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and"},{"id":"au-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Does not alter the original content or time ordering of audit records."}]},{"id":"au-7_gdn","name":"guidance","prose":"Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient."},{"id":"au-7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07a.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;","links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.a","rel":"assessment-for"}]},{"id":"au-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.","class":"sp800-53a"}],"parts":[{"id":"au-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[01]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]},{"id":"au-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07b.[02]","class":"sp800-53a"}],"prose":"an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.","links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-7_smt","rel":"assessment-for"}]},{"id":"au-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}],"controls":[{"id":"au-7.1","class":"SP800-53-enhancement","title":"Automatic Processing","params":[{"id":"au-07.01_odp","props":[{"name":"alt-identifier","value":"au-7.1_prm_1"},{"name":"label","value":"AU-07(01)_ODP","class":"sp800-53a"}],"label":"fields within audit records","guidelines":[{"prose":"fields within audit records that can be processed, sorted, or searched are defined;"}]}],"props":[{"name":"label","value":"AU-7(1)"},{"name":"label","value":"AU-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-7","rel":"required"}],"parts":[{"id":"au-7.1_smt","name":"statement","prose":"Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: {{ insert: param, au-07.01_odp }}."},{"id":"au-7.1_gdn","name":"guidance","prose":"Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component."},{"id":"au-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)","class":"sp800-53a"}],"parts":[{"id":"au-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[01]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-07(01)[02]","class":"sp800-53a"}],"prose":"the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.","links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-7.1_smt","rel":"assessment-for"}]},{"id":"au-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit reduction and report generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit reduction, review, analysis, and reporting tools\n\naudit record criteria (fields) establishing events of interest\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit reduction and report generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"au-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit reduction and report generation capability"}]}]},{"id":"au-7.2","class":"SP800-53-enhancement","title":"Automatic Sort and Search","props":[{"name":"label","value":"AU-7(2)"},{"name":"label","value":"AU-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-7.1","rel":"incorporated-into"}]}]},{"id":"au-8","class":"SP800-53","title":"Time Stamps","params":[{"id":"au-08_odp","props":[{"name":"alt-identifier","value":"au-8_prm_1"},{"name":"label","value":"AU-08_ODP","class":"sp800-53a"}],"label":"granularity of time measurement","guidelines":[{"prose":"granularity of time measurement for audit record timestamps is defined;"}]}],"props":[{"name":"label","value":"AU-8"},{"name":"label","value":"AU-08","class":"sp800-53a"},{"name":"sort-id","value":"au-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-8_smt","name":"statement","parts":[{"id":"au-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use internal system clocks to generate time stamps for audit records; and"},{"id":"au-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Record time stamps for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp."}]},{"id":"au-8_gdn","name":"guidance","prose":"Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities."},{"id":"au-8_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-08","class":"sp800-53a"}],"parts":[{"id":"au-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-08a.","class":"sp800-53a"}],"prose":"internal system clocks are used to generate timestamps for audit records;","links":[{"href":"#au-8_smt.a","rel":"assessment-for"}]},{"id":"au-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-08b.","class":"sp800-53a"}],"prose":"timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.","links":[{"href":"#au-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-8_smt","rel":"assessment-for"}]},{"id":"au-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing timestamp generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing timestamp generation"}]}],"controls":[{"id":"au-8.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","props":[{"name":"label","value":"AU-8(1)"},{"name":"label","value":"AU-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-08.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-45.1","rel":"moved-to"}]},{"id":"au-8.2","class":"SP800-53-enhancement","title":"Secondary Authoritative Time Source","props":[{"name":"label","value":"AU-8(2)"},{"name":"label","value":"AU-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-08.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-45.2","rel":"moved-to"}]}]},{"id":"au-9","class":"SP800-53","title":"Protection of Audit Information","params":[{"id":"au-09_odp","props":[{"name":"alt-identifier","value":"au-9_prm_1"},{"name":"label","value":"AU-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is\/are defined;"}]}],"props":[{"name":"label","value":"AU-9"},{"name":"label","value":"AU-09","class":"sp800-53a"},{"name":"sort-id","value":"au-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#au-15","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-9_smt","name":"statement","parts":[{"id":"au-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and"},{"id":"au-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Alert {{ insert: param, au-09_odp }} upon detection of unauthorized access, modification, or deletion of audit information."}]},{"id":"au-9_gdn","name":"guidance","prose":"Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls."},{"id":"au-9_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09","class":"sp800-53a"}],"parts":[{"id":"au-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-09a.","class":"sp800-53a"}],"prose":"audit information and audit logging tools are protected from unauthorized access, modification, and deletion;","links":[{"href":"#au-9_smt.a","rel":"assessment-for"}]},{"id":"au-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-09b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.","links":[{"href":"#au-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-9_smt","rel":"assessment-for"}]},{"id":"au-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\naudit tools\n\nother relevant documents or records"}]},{"id":"au-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit information protection"}]}],"controls":[{"id":"au-9.1","class":"SP800-53-enhancement","title":"Hardware Write-once Media","props":[{"name":"label","value":"AU-9(1)"},{"name":"label","value":"AU-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.1_smt","name":"statement","prose":"Write audit trails to hardware-enforced, write-once media."},{"id":"au-9.1_gdn","name":"guidance","prose":"Writing audit trails to hardware-enforced, write-once media applies to the initial generation of audit trails (i.e., the collection of audit records that represents the information to be used for detection, analysis, and reporting purposes) and to the backup of those audit trails. Writing audit trails to hardware-enforced, write-once media does not apply to the initial generation of audit records prior to being written to an audit trail. Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R). In contrast, the use of switchable write-protection media, such as tape cartridges, Universal Serial Bus (USB) drives, Compact Disc Re-Writeable (CD-RW), and Digital Versatile Disc-Read Write (DVD-RW) results in write-protected but not write-once media."},{"id":"au-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(01)","class":"sp800-53a"}],"prose":"audit trails are written to hardware-enforced, write-once media.","links":[{"href":"#au-9.1_smt","rel":"assessment-for"}]},{"id":"au-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem storage media\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media storing audit trails"}]}]},{"id":"au-9.2","class":"SP800-53-enhancement","title":"Store on Separate Physical Systems or Components","params":[{"id":"au-09.02_odp","props":[{"name":"alt-identifier","value":"au-9.2_prm_1"},{"name":"label","value":"AU-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of storing audit records in a repository is defined;"}]}],"props":[{"name":"label","value":"AU-9(2)"},{"name":"label","value":"AU-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"}],"parts":[{"id":"au-9.2_smt","name":"statement","prose":"Store audit records {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."},{"id":"au-9.2_gdn","name":"guidance","prose":"Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records."},{"id":"au-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(02)","class":"sp800-53a"}],"prose":"audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.","links":[{"href":"#au-9.2_smt","rel":"assessment-for"}]},{"id":"au-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem or media storing backups of system audit records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the backing up of audit records"}]}]},{"id":"au-9.3","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"AU-9(3)"},{"name":"label","value":"AU-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"au-9.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect the integrity of audit information and audit tools."},{"id":"au-9.3_gdn","name":"guidance","prose":"Cryptographic mechanisms used for protecting the integrity of audit information include signed hash functions using asymmetric cryptography. This enables the distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash."},{"id":"au-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.","links":[{"href":"#au-9.3_smt","rel":"assessment-for"}]},{"id":"au-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem hardware settings\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting the integrity of audit information and tools"}]}]},{"id":"au-9.4","class":"SP800-53-enhancement","title":"Access by Subset of Privileged Users","params":[{"id":"au-09.04_odp","props":[{"name":"alt-identifier","value":"au-9.4_prm_1"},{"name":"label","value":"AU-09(04)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles authorized to access management of audit logging functionality is defined;"}]}],"props":[{"name":"label","value":"AU-9(4)"},{"name":"label","value":"AU-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"au-9.4_smt","name":"statement","prose":"Authorize access to management of audit logging functionality to only {{ insert: param, au-09.04_odp }}."},{"id":"au-9.4_gdn","name":"guidance","prose":"Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges."},{"id":"au-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(04)","class":"sp800-53a"}],"prose":"access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.","links":[{"href":"#au-9.4_smt","rel":"assessment-for"}]},{"id":"au-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with access to management of audit functionality\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit functionality"}]}]},{"id":"au-9.5","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"au-09.05_odp.01","props":[{"name":"alt-identifier","value":"au-9.5_prm_1"},{"name":"label","value":"AU-09(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["movement","deletion"]}},{"id":"au-09.05_odp.02","props":[{"name":"alt-identifier","value":"au-9.5_prm_2"},{"name":"label","value":"AU-09(05)_ODP[02]","class":"sp800-53a"}],"label":"audit information","guidelines":[{"prose":"audit information for which dual authorization is to be enforced is defined;"}]}],"props":[{"name":"label","value":"AU-9(5)"},{"name":"label","value":"AU-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-9.5_smt","name":"statement","prose":"Enforce dual authorization for {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}."},{"id":"au-9.5_gdn","name":"guidance","prose":"Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety."},{"id":"au-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(05)","class":"sp800-53a"}],"prose":"dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.","links":[{"href":"#au-9.5_smt","rel":"assessment-for"}]},{"id":"au-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naccess authorizations\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the enforcement of dual authorization"}]}]},{"id":"au-9.6","class":"SP800-53-enhancement","title":"Read-only Access","params":[{"id":"au-09.06_odp","props":[{"name":"alt-identifier","value":"au-9.6_prm_1"},{"name":"label","value":"AU-09(06)_ODP","class":"sp800-53a"}],"label":"subset of privileged users or roles","guidelines":[{"prose":"a subset of privileged users or roles with authorized read-only access to audit information is defined;"}]}],"props":[{"name":"label","value":"AU-9(6)"},{"name":"label","value":"AU-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-9","rel":"required"}],"parts":[{"id":"au-9.6_smt","name":"statement","prose":"Authorize read-only access to audit information to {{ insert: param, au-09.06_odp }}."},{"id":"au-9.6_gdn","name":"guidance","prose":"Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity."},{"id":"au-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(06)","class":"sp800-53a"}],"prose":"read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}.","links":[{"href":"#au-9.6_smt","rel":"assessment-for"}]},{"id":"au-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of privileged users with read-only access to audit information\n\naccess authorizations\n\naccess control list\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms managing access to audit information"}]}]},{"id":"au-9.7","class":"SP800-53-enhancement","title":"Store on Component with Different Operating System","props":[{"name":"label","value":"AU-9(7)"},{"name":"label","value":"AU-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"au-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-9","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#sc-29","rel":"related"}],"parts":[{"id":"au-9.7_smt","name":"statement","prose":"Store audit information on a component running a different operating system than the system or component being audited."},{"id":"au-9.7_gdn","name":"guidance","prose":"Storing auditing information on a system component running a different operating system reduces the risk of a vulnerability specific to the system, resulting in a compromise of the audit records."},{"id":"au-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-09(07)","class":"sp800-53a"}],"prose":"audit information is stored on a component running a different operating system than the system or component being audited.","links":[{"href":"#au-9.7_smt","rel":"assessment-for"}]},{"id":"au-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naccess control policy and procedures\n\nprocedures addressing protection of audit information\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit and accountability responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing operating system verification capability\n\nmechanisms verifying audit information storage location"}]}]}]},{"id":"au-10","class":"SP800-53","title":"Non-repudiation","params":[{"id":"au-10_odp","props":[{"name":"alt-identifier","value":"au-10_prm_1"},{"name":"alt-label","value":"actions to be covered by non-repudiation","class":"sp800-53"},{"name":"label","value":"AU-10_ODP","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be covered by non-repudiation are defined;"}]}],"props":[{"name":"label","value":"AU-10"},{"name":"label","value":"AU-10","class":"sp800-53a"},{"name":"sort-id","value":"au-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#au-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"au-10_smt","name":"statement","prose":"Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."},{"id":"au-10_gdn","name":"guidance","prose":"Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts."},{"id":"au-10_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10","class":"sp800-53a"}],"prose":"irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.","links":[{"href":"#au-10_smt","rel":"assessment-for"}]},{"id":"au-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}],"controls":[{"id":"au-10.1","class":"SP800-53-enhancement","title":"Association of Identities","params":[{"id":"au-10.01_odp","props":[{"name":"alt-identifier","value":"au-10.1_prm_1"},{"name":"label","value":"AU-10(01)_ODP","class":"sp800-53a"}],"label":"strength of binding","guidelines":[{"prose":"the strength of binding between the identity of the information producer and the information is defined;"}]}],"props":[{"name":"label","value":"AU-10(1)"},{"name":"label","value":"AU-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.1_smt","name":"statement","parts":[{"id":"au-10.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Bind the identity of the information producer with the information to {{ insert: param, au-10.01_odp }} ; and"},{"id":"au-10.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide the means for authorized individuals to determine the identity of the producer of the information."}]},{"id":"au-10.1_gdn","name":"guidance","prose":"Binding identities to the information supports audit requirements that provide organizational personnel with the means to identify who produced specific information in the event of an information transfer. Organizations determine and approve the strength of attribute binding between the information producer and the information based on the security category of the information and other relevant risk factors."},{"id":"au-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)","class":"sp800-53a"}],"parts":[{"id":"au-10.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)(a)","class":"sp800-53a"}],"prose":"the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};","links":[{"href":"#au-10.1_smt.a","rel":"assessment-for"}]},{"id":"au-10.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(01)(b)","class":"sp800-53a"}],"prose":"the means for authorized individuals to determine the identity of the producer of the information is provided.","links":[{"href":"#au-10.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-10.1_smt","rel":"assessment-for"}]},{"id":"au-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.2","class":"SP800-53-enhancement","title":"Validate Binding of Information Producer Identity","params":[{"id":"au-10.02_odp.01","props":[{"name":"alt-identifier","value":"au-10.2_prm_1"},{"name":"label","value":"AU-10(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to validate the binding of the information producer identity to the information is defined;"}]},{"id":"au-10.02_odp.02","props":[{"name":"alt-identifier","value":"au-10.2_prm_2"},{"name":"label","value":"AU-10(02)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"the actions to be performed in the event of a validation error are defined;"}]}],"props":[{"name":"label","value":"AU-10(2)"},{"name":"label","value":"AU-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.2_smt","name":"statement","parts":[{"id":"au-10.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validate the binding of the information producer identity to the information at {{ insert: param, au-10.02_odp.01 }} ; and"},{"id":"au-10.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Perform {{ insert: param, au-10.02_odp.02 }} in the event of a validation error."}]},{"id":"au-10.2_gdn","name":"guidance","prose":"Validating the binding of the information producer identity to the information prevents the modification of information between production and review. The validation of bindings can be achieved by, for example, using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically."},{"id":"au-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)","class":"sp800-53a"}],"parts":[{"id":"au-10.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)(a)","class":"sp800-53a"}],"prose":"the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};","links":[{"href":"#au-10.2_smt.a","rel":"assessment-for"}]},{"id":"au-10.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(02)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed.","links":[{"href":"#au-10.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-10.2_smt","rel":"assessment-for"}]},{"id":"au-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.3","class":"SP800-53-enhancement","title":"Chain of Custody","props":[{"name":"label","value":"AU-10(3)"},{"name":"label","value":"AU-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.3_smt","name":"statement","prose":"Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released."},{"id":"au-10.3_gdn","name":"guidance","prose":"Chain of custody is a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each individual who handled the evidence, the date and time the evidence was collected or transferred, and the purpose for the transfer. If the reviewer is a human or if the review function is automated but separate from the release or transfer function, the system associates the identity of the reviewer of the information to be released with the information and the information label. In the case of human reviews, maintaining the credentials of reviewers or releasers provides the organization with the means to identify who reviewed and released the information. In the case of automated reviews, it ensures that only approved review functions are used."},{"id":"au-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(03)","class":"sp800-53a"}],"prose":"reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.","links":[{"href":"#au-10.3_smt","rel":"assessment-for"}]},{"id":"au-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of information reviews and releases\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.4","class":"SP800-53-enhancement","title":"Validate Binding of Information Reviewer Identity","params":[{"id":"au-10.04_odp.01","props":[{"name":"alt-identifier","value":"au-10.4_prm_1"},{"name":"label","value":"AU-10(04)_ODP[01]","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;"}]},{"id":"au-10.04_odp.02","props":[{"name":"alt-identifier","value":"au-10.4_prm_2"},{"name":"label","value":"AU-10(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be performed in the event of a validation error are defined;"}]}],"props":[{"name":"label","value":"AU-10(4)"},{"name":"label","value":"AU-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-10","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"au-10.4_smt","name":"statement","parts":[{"id":"au-10.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} ; and"},{"id":"au-10.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Perform {{ insert: param, au-10.04_odp.02 }} in the event of a validation error."}]},{"id":"au-10.4_gdn","name":"guidance","prose":"Validating the binding of the information reviewer identity to the information at transfer or release points prevents the unauthorized modification of information between review and the transfer or release. The validation of bindings can be achieved by using cryptographic checksums. Organizations determine if validations are in response to user requests or generated automatically."},{"id":"au-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)","class":"sp800-53a"}],"parts":[{"id":"au-10.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)(a)","class":"sp800-53a"}],"prose":"the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;","links":[{"href":"#au-10.4_smt.a","rel":"assessment-for"}]},{"id":"au-10.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-10(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error.","links":[{"href":"#au-10.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-10.4_smt","rel":"assessment-for"}]},{"id":"au-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing non-repudiation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nvalidation records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing non-repudiation capability"}]}]},{"id":"au-10.5","class":"SP800-53-enhancement","title":"Digital Signatures","props":[{"name":"label","value":"AU-10(5)"},{"name":"label","value":"AU-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"au-10.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]}]},{"id":"au-11","class":"SP800-53","title":"Audit Record Retention","params":[{"id":"au-11_odp","props":[{"name":"alt-identifier","value":"au-11_prm_1"},{"name":"alt-label","value":"time period consistent with records retention policy","class":"sp800-53"},{"name":"label","value":"AU-11_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period to retain audit records that is consistent with the records retention policy is defined;"}]}],"props":[{"name":"label","value":"AU-11"},{"name":"label","value":"AU-11","class":"sp800-53a"},{"name":"sort-id","value":"au-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"au-11_smt","name":"statement","prose":"Retain audit records for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."},{"id":"au-11_gdn","name":"guidance","prose":"Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention."},{"id":"au-11_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11","class":"sp800-53a"}],"prose":"audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.","links":[{"href":"#au-11_smt","rel":"assessment-for"}]},{"id":"au-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsecurity plan\n\norganization-defined retention period for audit records\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]}],"controls":[{"id":"au-11.1","class":"SP800-53-enhancement","title":"Long-term Retrieval Capability","params":[{"id":"au-11.01_odp","props":[{"name":"alt-identifier","value":"au-11.1_prm_1"},{"name":"label","value":"AU-11(01)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;"}]}],"props":[{"name":"label","value":"AU-11(1)"},{"name":"label","value":"AU-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-11","rel":"required"}],"parts":[{"id":"au-11.1_smt","name":"statement","prose":"Employ {{ insert: param, au-11.01_odp }} to ensure that long-term audit records generated by the system can be retrieved."},{"id":"au-11.1_gdn","name":"guidance","prose":"Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records."},{"id":"au-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-11(01)","class":"sp800-53a"}],"prose":"{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved.","links":[{"href":"#au-11.1_smt","rel":"assessment-for"}]},{"id":"au-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\naudit record retention policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit record archives\n\naudit logs\n\naudit records\n\nother relevant documents or records"}]},{"id":"au-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record retention responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"au-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record retention capability"}]}]}]},{"id":"au-12","class":"SP800-53","title":"Audit Record Generation","params":[{"id":"au-12_odp.01","props":[{"name":"alt-identifier","value":"au-12_prm_1"},{"name":"label","value":"AU-12_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;"}]},{"id":"au-12_odp.02","props":[{"name":"alt-identifier","value":"au-12_prm_2"},{"name":"label","value":"AU-12_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles allowed to select the event types that are to be logged by specific components of the system is\/are defined;"}]}],"props":[{"name":"label","value":"AU-12"},{"name":"label","value":"AU-12","class":"sp800-53a"},{"name":"sort-id","value":"au-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"au-12_smt","name":"statement","parts":[{"id":"au-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on {{ insert: param, au-12_odp.01 }};"},{"id":"au-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow {{ insert: param, au-12_odp.02 }} to select the event types that are to be logged by specific components of the system; and"},{"id":"au-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3)."}]},{"id":"au-12_gdn","name":"guidance","prose":"Audit records can be generated from many different system components. The event types specified in [AU-2d](#au-2_smt.d) are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records."},{"id":"au-12_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12","class":"sp800-53a"}],"parts":[{"id":"au-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-12a.","class":"sp800-53a"}],"prose":"audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};","links":[{"href":"#au-12_smt.a","rel":"assessment-for"}]},{"id":"au-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-12b.","class":"sp800-53a"}],"prose":"{{ insert: param, au-12_odp.02 }} is\/are allowed to select the event types that are to be logged by specific components of the system;","links":[{"href":"#au-12_smt.b","rel":"assessment-for"}]},{"id":"au-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"AU-12c.","class":"sp800-53a"}],"prose":"audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.","links":[{"href":"#au-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#au-12_smt","rel":"assessment-for"}]},{"id":"au-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nprocedures addressing audit record generation\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of auditable events\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}],"controls":[{"id":"au-12.1","class":"SP800-53-enhancement","title":"System-wide and Time-correlated Audit Trail","params":[{"id":"au-12.01_odp.01","props":[{"name":"alt-identifier","value":"au-12.1_prm_1"},{"name":"label","value":"AU-12(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;"}]},{"id":"au-12.01_odp.02","props":[{"name":"alt-identifier","value":"au-12.1_prm_2"},{"name":"alt-label","value":"level of tolerance for the relationship between time stamps of individual records in the audit trail","class":"sp800-53"},{"name":"label","value":"AU-12(01)_ODP[02]","class":"sp800-53a"}],"label":"level of tolerance","guidelines":[{"prose":"level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;"}]}],"props":[{"name":"label","value":"AU-12(1)"},{"name":"label","value":"AU-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#au-8","rel":"related"},{"href":"#sc-45","rel":"related"}],"parts":[{"id":"au-12.1_smt","name":"statement","prose":"Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."},{"id":"au-12.1_gdn","name":"guidance","prose":"Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances."},{"id":"au-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(01)","class":"sp800-53a"}],"prose":"audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.","links":[{"href":"#au-12.1_smt","rel":"assessment-for"}]},{"id":"au-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.2","class":"SP800-53-enhancement","title":"Standardized Formats","props":[{"name":"label","value":"AU-12(2)"},{"name":"label","value":"AU-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"}],"parts":[{"id":"au-12.2_smt","name":"statement","prose":"Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format."},{"id":"au-12.2_gdn","name":"guidance","prose":"Audit records that follow common standards promote interoperability and information exchange between devices and systems. Promoting interoperability and information exchange facilitates the production of event information that can be readily analyzed and correlated. If logging mechanisms do not conform to standardized formats, systems may convert individual audit records into standardized formats when compiling system-wide audit trails."},{"id":"au-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(02)","class":"sp800-53a"}],"prose":"a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.","links":[{"href":"#au-12.2_smt","rel":"assessment-for"}]},{"id":"au-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-wide audit trail (logical or physical)\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.3","class":"SP800-53-enhancement","title":"Changes by Authorized Individuals","params":[{"id":"au-12.03_odp.01","props":[{"name":"alt-identifier","value":"au-12.3_prm_1"},{"name":"label","value":"AU-12(03)_ODP[01]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles authorized to change the logging on system components are defined;"}]},{"id":"au-12.03_odp.02","props":[{"name":"alt-identifier","value":"au-12.3_prm_2"},{"name":"label","value":"AU-12(03)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which logging is to be performed are defined;"}]},{"id":"au-12.03_odp.03","props":[{"name":"alt-identifier","value":"au-12.3_prm_3"},{"name":"label","value":"AU-12(03)_ODP[03]","class":"sp800-53a"}],"label":"selectable event criteria","guidelines":[{"prose":"selectable event criteria with which change logging is to be performed are defined;"}]},{"id":"au-12.03_odp.04","props":[{"name":"alt-identifier","value":"au-12.3_prm_4"},{"name":"label","value":"AU-12(03)_ODP[04]","class":"sp800-53a"}],"label":"time thresholds","guidelines":[{"prose":"time thresholds in which logging actions are to change is defined;"}]}],"props":[{"name":"label","value":"AU-12(3)"},{"name":"label","value":"AU-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"au-12.3_smt","name":"statement","prose":"Provide and implement the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }}."},{"id":"au-12.3_gdn","name":"guidance","prose":"Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours)."},{"id":"au-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)","class":"sp800-53a"}],"parts":[{"id":"au-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[01]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;","links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]},{"id":"au-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(03)[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.","links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-12.3_smt","rel":"assessment-for"}]},{"id":"au-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem-generated list of individuals or roles authorized to change auditing to be performed\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]},{"id":"au-12.4","class":"SP800-53-enhancement","title":"Query Parameter Audits of Personally Identifiable Information","props":[{"name":"label","value":"AU-12(4)"},{"name":"label","value":"AU-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"au-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-12","rel":"required"}],"parts":[{"id":"au-12.4_smt","name":"statement","prose":"Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information."},{"id":"au-12.4_gdn","name":"guidance","prose":"Query parameters are explicit criteria that an individual or automated system submits to a system to retrieve data. Auditing of query parameters for datasets that contain personally identifiable information augments the capability of an organization to track and understand the access, usage, or sharing of personally identifiable information by authorized personnel."},{"id":"au-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)","class":"sp800-53a"}],"parts":[{"id":"au-12.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)[01]","class":"sp800-53a"}],"prose":"the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;","links":[{"href":"#au-12.4_smt","rel":"assessment-for"}]},{"id":"au-12.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-12(04)[02]","class":"sp800-53a"}],"prose":"the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.","links":[{"href":"#au-12.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-12.4_smt","rel":"assessment-for"}]},{"id":"au-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing audit record generation\n\nquery event records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmap of system data actions\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with audit record generation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing audit record generation capability"}]}]}]},{"id":"au-13","class":"SP800-53","title":"Monitoring for Information Disclosure","params":[{"id":"au-13_odp.01","props":[{"name":"alt-identifier","value":"au-13_prm_1"},{"name":"label","value":"AU-13_ODP[01]","class":"sp800-53a"}],"label":"open-source information and\/or information sites","guidelines":[{"prose":"open-source information and\/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is\/are defined;"}]},{"id":"au-13_odp.02","props":[{"name":"alt-identifier","value":"au-13_prm_2"},{"name":"label","value":"AU-13_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which open-source information and\/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;"}]},{"id":"au-13_odp.03","props":[{"name":"alt-identifier","value":"au-13_prm_3"},{"name":"label","value":"AU-13_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified if an information disclosure is discovered is\/are defined;"}]},{"id":"au-13_odp.04","props":[{"name":"alt-identifier","value":"au-13_prm_4"},{"name":"label","value":"AU-13_ODP[04]","class":"sp800-53a"}],"label":"additional actions","guidelines":[{"prose":"additional actions to be taken if an information disclosure is discovered are defined;"}]}],"props":[{"name":"label","value":"AU-13"},{"name":"label","value":"AU-13","class":"sp800-53a"},{"name":"sort-id","value":"au-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-22","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-20","rel":"related"}],"parts":[{"id":"au-13_smt","name":"statement","parts":[{"id":"au-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor {{ insert: param, au-13_odp.01 }} {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information; and"},{"id":"au-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"If an information disclosure is discovered:","parts":[{"id":"au-13_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Notify {{ insert: param, au-13_odp.03 }} ; and"},{"id":"au-13_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Take the following additional actions: {{ insert: param, au-13_odp.04 }}."}]}]},{"id":"au-13_gdn","name":"guidance","prose":"Unauthorized disclosure of information is a form of data leakage. Open-source information includes social networking sites and code-sharing platforms and repositories. Examples of organizational information include personally identifiable information retained by the organization or proprietary information generated by the organization."},{"id":"au-13_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13","class":"sp800-53a"}],"parts":[{"id":"au-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-13a.","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.01 }} is\/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;","links":[{"href":"#au-13_smt.a","rel":"assessment-for"}]},{"id":"au-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.","class":"sp800-53a"}],"parts":[{"id":"au-13_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.01","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;","links":[{"href":"#au-13_smt.b.1","rel":"assessment-for"}]},{"id":"au-13_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"AU-13b.02","class":"sp800-53a"}],"prose":"{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered.","links":[{"href":"#au-13_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#au-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-13_smt","rel":"assessment-for"}]},{"id":"au-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmonitoring records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring open-source information and\/or information sites\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"au-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing monitoring for information disclosure"}]}],"controls":[{"id":"au-13.1","class":"SP800-53-enhancement","title":"Use of Automated Tools","params":[{"id":"au-13.01_odp","props":[{"name":"alt-identifier","value":"au-13.1_prm_1"},{"name":"label","value":"AU-13(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for monitoring open-source information and information sites are defined;"}]}],"props":[{"name":"label","value":"AU-13(1)"},{"name":"label","value":"AU-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.1_smt","name":"statement","prose":"Monitor open-source information and information sites using {{ insert: param, au-13.01_odp }}."},{"id":"au-13.1_gdn","name":"guidance","prose":"Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites."},{"id":"au-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(01)","class":"sp800-53a"}],"prose":"open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}.","links":[{"href":"#au-13.1_smt","rel":"assessment-for"}]},{"id":"au-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated monitoring tools\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring information disclosures\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing monitoring for information disclosure"}]}]},{"id":"au-13.2","class":"SP800-53-enhancement","title":"Review of Monitored Sites","params":[{"id":"au-13.02_odp","props":[{"name":"alt-identifier","value":"au-13.2_prm_1"},{"name":"label","value":"AU-13(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the open-source information sites being monitored is defined;"}]}],"props":[{"name":"label","value":"AU-13(2)"},{"name":"label","value":"AU-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.2_smt","name":"statement","prose":"Review the list of open-source information sites being monitored {{ insert: param, au-13.02_odp }}."},{"id":"au-13.2_gdn","name":"guidance","prose":"Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence of other credible sources of information."},{"id":"au-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(02)","class":"sp800-53a"}],"prose":"the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}.","links":[{"href":"#au-13.2_smt","rel":"assessment-for"}]},{"id":"au-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreviews for open-source information sites being monitored\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring open-source information sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing monitoring for information disclosure"}]}]},{"id":"au-13.3","class":"SP800-53-enhancement","title":"Unauthorized Replication of Information","props":[{"name":"label","value":"AU-13(3)"},{"name":"label","value":"AU-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-13.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-13","rel":"required"}],"parts":[{"id":"au-13.3_smt","name":"statement","prose":"Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner."},{"id":"au-13.3_gdn","name":"guidance","prose":"The unauthorized use or replication of organizational information by external entities can cause adverse impacts on organizational operations and assets, including damage to reputation. Such activity can include the replication of an organizational website by an adversary or hostile threat actor who attempts to impersonate the web-hosting organization. Discovery tools, techniques, and processes used to determine if external entities are replicating organizational information in an unauthorized manner include scanning external websites, monitoring social media, and training staff to recognize the unauthorized use of organizational information."},{"id":"au-13.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-13(03)","class":"sp800-53a"}],"prose":"discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.","links":[{"href":"#au-13.3_smt","rel":"assessment-for"}]},{"id":"au-13.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-13(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing information disclosure monitoring\n\nprocedures addressing information replication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\ntraining resources for staff to recognize the unauthorized use of organizational information\n\nother relevant documents or records"}]},{"id":"au-13.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-13(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for monitoring unauthorized replication of information\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-13.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-13(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Discovery tools for identifying unauthorized information replication"}]}]}]},{"id":"au-14","class":"SP800-53","title":"Session Audit","params":[{"id":"au-14_odp.01","props":[{"name":"alt-identifier","value":"au-14_prm_1"},{"name":"label","value":"AU-14_ODP[01]","class":"sp800-53a"}],"label":"users or roles","guidelines":[{"prose":"users or roles who can audit the content of a user session are defined;"}]},{"id":"au-14_odp.02","props":[{"name":"alt-identifier","value":"au-14_prm_2"},{"name":"label","value":"AU-14_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["record","view","hear","log"]}},{"id":"au-14_odp.03","props":[{"name":"alt-identifier","value":"au-14_prm_3"},{"name":"label","value":"AU-14_ODP[03]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances under which the content of a user session can be audited are defined;"}]}],"props":[{"name":"label","value":"AU-14"},{"name":"label","value":"AU-14","class":"sp800-53a"},{"name":"sort-id","value":"au-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"au-14_smt","name":"statement","parts":[{"id":"au-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide and implement the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} ; and"},{"id":"au-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."}]},{"id":"au-14_gdn","name":"guidance","prose":"Session audits can include monitoring keystrokes, tracking websites visited, and recording information and\/or file transfers. Session audit capability is implemented in addition to event logging and may involve implementation of specialized session capture technology. Organizations consider how session auditing can reveal information about individuals that may give rise to privacy risk as well as how to mitigate those risks. Because session auditing can impact system and network performance, organizations activate the capability under well-defined situations (e.g., the organization is suspicious of a specific individual). Organizations consult with legal counsel, civil liberties officials, and privacy officials to ensure that any legal, privacy, civil rights, or civil liberties issues, including the use of personally identifiable information, are appropriately addressed."},{"id":"au-14_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};","links":[{"href":"#au-14_smt.a","rel":"assessment-for"}]},{"id":"au-14_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14a.[02]","class":"sp800-53a"}],"prose":"the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;","links":[{"href":"#au-14_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#au-14_smt.a","rel":"assessment-for"}]},{"id":"au-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.","class":"sp800-53a"}],"parts":[{"id":"au-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[01]","class":"sp800-53a"}],"prose":"session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-14_smt.b","rel":"assessment-for"}]},{"id":"au-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[02]","class":"sp800-53a"}],"prose":"session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-14_smt.b","rel":"assessment-for"}]},{"id":"au-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"AU-14b.[03]","class":"sp800-53a"}],"prose":"session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#au-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#au-14_smt","rel":"assessment-for"}]},{"id":"au-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities"}]},{"id":"au-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}],"controls":[{"id":"au-14.1","class":"SP800-53-enhancement","title":"System Start-up","props":[{"name":"label","value":"AU-14(1)"},{"name":"label","value":"AU-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-14","rel":"required"}],"parts":[{"id":"au-14.1_smt","name":"statement","prose":"Initiate session audits automatically at system start-up."},{"id":"au-14.1_gdn","name":"guidance","prose":"The automatic initiation of session audits at startup helps to ensure that the information being captured on selected individuals is complete and not subject to compromise through tampering by malicious threat actors."},{"id":"au-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14(01)","class":"sp800-53a"}],"prose":"session audits are initiated automatically at system start-up.","links":[{"href":"#au-14.1_smt","rel":"assessment-for"}]},{"id":"au-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"au-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}]},{"id":"au-14.2","class":"SP800-53-enhancement","title":"Capture and Record Content","props":[{"name":"label","value":"AU-14(2)"},{"name":"label","value":"AU-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-14","rel":"incorporated-into"}]},{"id":"au-14.3","class":"SP800-53-enhancement","title":"Remote Viewing and Listening","props":[{"name":"label","value":"AU-14(3)"},{"name":"label","value":"AU-14(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-14.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-14","rel":"required"},{"href":"#ac-17","rel":"related"}],"parts":[{"id":"au-14.3_smt","name":"statement","prose":"Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time."},{"id":"au-14.3_gdn","name":"guidance","prose":"None."},{"id":"au-14.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)","class":"sp800-53a"}],"parts":[{"id":"au-14.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)[01]","class":"sp800-53a"}],"prose":"the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;","links":[{"href":"#au-14.3_smt","rel":"assessment-for"}]},{"id":"au-14.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"AU-14(03)[02]","class":"sp800-53a"}],"prose":"the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.","links":[{"href":"#au-14.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#au-14.3_smt","rel":"assessment-for"}]},{"id":"au-14.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-14(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user session auditing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-14.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-14(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nlegal counsel\n\npersonnel with civil liberties responsibilities"}]},{"id":"au-14.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-14(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing user session auditing capability"}]}]}]},{"id":"au-15","class":"SP800-53","title":"Alternate Audit Logging Capability","props":[{"name":"label","value":"AU-15"},{"name":"label","value":"AU-15","class":"sp800-53a"},{"name":"sort-id","value":"au-15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#au-5.5","rel":"moved-to"}]},{"id":"au-16","class":"SP800-53","title":"Cross-organizational Audit Logging","params":[{"id":"au-16_odp.01","props":[{"name":"alt-identifier","value":"au-16_prm_1"},{"name":"label","value":"AU-16_ODP[01]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;"}]},{"id":"au-16_odp.02","props":[{"name":"alt-identifier","value":"au-16_prm_2"},{"name":"label","value":"AU-16_ODP[02]","class":"sp800-53a"}],"label":"audit information","guidelines":[{"prose":"audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;"}]}],"props":[{"name":"label","value":"AU-16"},{"name":"label","value":"AU-16","class":"sp800-53a"},{"name":"sort-id","value":"au-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"au-16_smt","name":"statement","prose":"Employ {{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries."},{"id":"au-16_gdn","name":"guidance","prose":"When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements."},{"id":"au-16_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16","class":"sp800-53a"}],"prose":"{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed.","links":[{"href":"#au-16_smt","rel":"assessment-for"}]},{"id":"au-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing methods for coordinating audit information among external organizations\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for coordinating audit information among external organizations\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cross-organizational auditing"}]}],"controls":[{"id":"au-16.1","class":"SP800-53-enhancement","title":"Identity Preservation","props":[{"name":"label","value":"AU-16(1)"},{"name":"label","value":"AU-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"au-16.1_smt","name":"statement","prose":"Preserve the identity of individuals in cross-organizational audit trails."},{"id":"au-16.1_gdn","name":"guidance","prose":"Identity preservation is applied when there is a need to be able to trace actions that are performed across organizational boundaries to a specific individual."},{"id":"au-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(01)","class":"sp800-53a"}],"prose":"the identity of individuals in cross-organizational audit trails is preserved.","links":[{"href":"#au-16.1_smt","rel":"assessment-for"}]},{"id":"au-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational audit trails\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with cross-organizational audit responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing cross-organizational auditing (if applicable)"}]}]},{"id":"au-16.2","class":"SP800-53-enhancement","title":"Sharing of Audit Information","params":[{"id":"au-16.02_odp.01","props":[{"name":"alt-identifier","value":"au-16.2_prm_1"},{"name":"label","value":"AU-16(02)_ODP[01]","class":"sp800-53a"}],"label":"organizations","guidelines":[{"prose":"organizations with which cross-organizational audit information is to be shared are defined;"}]},{"id":"au-16.02_odp.02","props":[{"name":"alt-identifier","value":"au-16.2_prm_2"},{"name":"label","value":"AU-16(02)_ODP[02]","class":"sp800-53a"}],"label":"cross-organizational sharing agreements","guidelines":[{"prose":"cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;"}]}],"props":[{"name":"label","value":"AU-16(2)"},{"name":"label","value":"AU-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"au-16.2_smt","name":"statement","prose":"Provide cross-organizational audit information to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}."},{"id":"au-16.2_gdn","name":"guidance","prose":"Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations."},{"id":"au-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(02)","class":"sp800-53a"}],"prose":"cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}.","links":[{"href":"#au-16.2_smt","rel":"assessment-for"}]},{"id":"au-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\ninformation sharing agreements\n\nother relevant documents or records"}]},{"id":"au-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"au-16.3","class":"SP800-53-enhancement","title":"Disassociability","params":[{"id":"au-16.03_odp","props":[{"name":"alt-identifier","value":"au-16.3_prm_1"},{"name":"label","value":"AU-16(03)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;"}]}],"props":[{"name":"label","value":"AU-16(3)"},{"name":"label","value":"AU-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"au-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#au-16","rel":"required"}],"parts":[{"id":"au-16.3_smt","name":"statement","prose":"Implement {{ insert: param, au-16.03_odp }} to disassociate individuals from audit information transmitted across organizational boundaries."},{"id":"au-16.3_gdn","name":"guidance","prose":"Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability."},{"id":"au-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"AU-16(03)","class":"sp800-53a"}],"prose":"{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries.","links":[{"href":"#au-16.3_smt","rel":"assessment-for"}]},{"id":"au-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"AU-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Audit and accountability policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing cross-organizational sharing of audit information\n\npolicy and\/or procedures regarding the deidentification of PII\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"au-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"AU-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for sharing cross-organizational audit information\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"au-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"AU-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing disassociability"}]}]}]}]},{"id":"ca","class":"family","title":"Assessment, Authorization, and Monitoring","controls":[{"id":"ca-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ca-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ca-01_odp.01","props":[{"name":"label","value":"CA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.02","props":[{"name":"label","value":"CA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is\/are defined;"}]},{"id":"ca-01_odp.03","props":[{"name":"alt-identifier","value":"ca-1_prm_2"},{"name":"label","value":"CA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ca-01_odp.04","props":[{"name":"alt-identifier","value":"ca-1_prm_3"},{"name":"label","value":"CA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the assessment, authorization, and monitoring policy and procedures is defined;"}]},{"id":"ca-01_odp.05","props":[{"name":"alt-identifier","value":"ca-1_prm_4"},{"name":"label","value":"CA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;"}]},{"id":"ca-01_odp.06","props":[{"name":"alt-identifier","value":"ca-1_prm_5"},{"name":"label","value":"CA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;"}]},{"id":"ca-01_odp.07","props":[{"name":"alt-identifier","value":"ca-1_prm_6"},{"name":"label","value":"CA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;"}]},{"id":"ca-01_odp.08","props":[{"name":"alt-identifier","value":"ca-1_prm_7"},{"name":"label","value":"CA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CA-1"},{"name":"label","value":"CA-01","class":"sp800-53a"},{"name":"sort-id","value":"ca-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-1_smt","name":"statement","parts":[{"id":"ca-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ca-1_prm_1 }}:","parts":[{"id":"ca-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy that:","parts":[{"id":"ca-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ca-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ca-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;"}]},{"id":"ca-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ca-01_odp.04 }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and"},{"id":"ca-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current assessment, authorization, and monitoring:","parts":[{"id":"ca-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ca-01_odp.05 }} and following {{ insert: param, ca-01_odp.06 }} ; and"},{"id":"ca-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ca-01_odp.07 }} and following {{ insert: param, ca-01_odp.08 }}."}]}]},{"id":"ca-1_gdn","name":"guidance","prose":"Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ca-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[01]","class":"sp800-53a"}],"prose":"an assessment, authorization, and monitoring policy is developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[02]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[03]","class":"sp800-53a"}],"prose":"assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.[04]","class":"sp800-53a"}],"prose":"the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};","links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;","links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ca-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ca-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.a","rel":"assessment-for"}]},{"id":"ca-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;","links":[{"href":"#ca-1_smt.b","rel":"assessment-for"}]},{"id":"ca-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.01[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};","links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.1","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ca-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[01]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]},{"id":"ca-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CA-01c.02[02]","class":"sp800-53a"}],"prose":"the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.","links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-1_smt","rel":"assessment-for"}]},{"id":"ca-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment, authorization, and monitoring policy responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2","class":"SP800-53","title":"Control Assessments","params":[{"id":"ca-02_odp.01","props":[{"name":"alt-identifier","value":"ca-2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02_ODP[01]","class":"sp800-53a"}],"label":"assessment frequency","guidelines":[{"prose":"the frequency at which to assess controls in the system and its environment of operation is defined;"}]},{"id":"ca-02_odp.02","props":[{"name":"alt-identifier","value":"ca-2_prm_2"},{"name":"label","value":"CA-02_ODP[02]","class":"sp800-53a"}],"label":"individuals or roles","guidelines":[{"prose":"individuals or roles to whom control assessment results are to be provided are defined;"}]}],"props":[{"name":"label","value":"CA-2"},{"name":"label","value":"CA-02","class":"sp800-53a"},{"name":"sort-id","value":"ca-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"ca-2_smt","name":"statement","parts":[{"id":"ca-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Select the appropriate assessor or assessment team for the type of assessment to be conducted;"},{"id":"ca-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop a control assessment plan that describes the scope of the assessment including:","parts":[{"id":"ca-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Controls and control enhancements under assessment;"},{"id":"ca-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Assessment procedures to be used to determine control effectiveness; and"},{"id":"ca-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Assessment environment, assessment team, and assessment roles and responsibilities;"}]},{"id":"ca-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"},{"id":"ca-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Assess the controls in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;"},{"id":"ca-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Produce a control assessment report that document the results of the assessment; and"},{"id":"ca-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Provide the results of the control assessment to {{ insert: param, ca-02_odp.02 }}."}]},{"id":"ca-2_gdn","name":"guidance","prose":"Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.\n\nOrganizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.\n\nOrganizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.\n\nOrganizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.\n\nTo satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of [CA-2](#ca-2)."},{"id":"ca-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-02a.","class":"sp800-53a"}],"prose":"an appropriate assessor or assessment team is selected for the type of assessment to be conducted;","links":[{"href":"#ca-2_smt.a","rel":"assessment-for"}]},{"id":"ca-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.01","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;","links":[{"href":"#ca-2_smt.b.1","rel":"assessment-for"}]},{"id":"ca-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.02","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;","links":[{"href":"#ca-2_smt.b.2","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[01]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[02]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including the assessment team;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]},{"id":"ca-2_obj.b.3-3","name":"assessment-objective","props":[{"name":"label","value":"CA-02b.03[03]","class":"sp800-53a"}],"prose":"a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;","links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.b","rel":"assessment-for"}]},{"id":"ca-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-02c.","class":"sp800-53a"}],"prose":"the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;","links":[{"href":"#ca-2_smt.c","rel":"assessment-for"}]},{"id":"ca-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.","class":"sp800-53a"}],"parts":[{"id":"ca-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[01]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CA-02d.[02]","class":"sp800-53a"}],"prose":"controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;","links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt.d","rel":"assessment-for"}]},{"id":"ca-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-02e.","class":"sp800-53a"}],"prose":"a control assessment report is produced that documents the results of the assessment;","links":[{"href":"#ca-2_smt.e","rel":"assessment-for"}]},{"id":"ca-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-02f.","class":"sp800-53a"}],"prose":"the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.","links":[{"href":"#ca-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ca-2_smt","rel":"assessment-for"}]},{"id":"ca-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing assessment planning\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment, control assessment plan development, and\/or control assessment reporting"}]}],"controls":[{"id":"ca-2.1","class":"SP800-53-enhancement","title":"Independent Assessors","props":[{"name":"label","value":"CA-2(1)"},{"name":"label","value":"CA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"}],"parts":[{"id":"ca-2.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to conduct control assessments."},{"id":"ca-2.1_gdn","name":"guidance","prose":"Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of systems. Impartiality means that assessors are free from any perceived or actual conflicts of interest regarding the development, operation, sustainment, or management of the systems under assessment or the determination of control effectiveness. To achieve impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in positions of advocacy for the organizations acquiring their services.\n\nIndependent assessments can be obtained from elements within organizations or be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of systems and\/or the risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. Assessor independence determination includes whether contracted assessment services have sufficient independence, such as when system owners are not directly involved in contracting processes or cannot influence the impartiality of the assessors conducting the assessments. During the system design and development phase, having independent assessors is analogous to having independent SMEs involved in design reviews.\n\nWhen organizations that own the systems are small or the structures of the organizations require that assessments be conducted by individuals that are in the developmental, operational, or management chain of the system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Assessments performed for purposes other than to support authorization decisions are more likely to be useable for such decisions when performed by assessors with sufficient independence, thereby reducing the need to repeat assessments."},{"id":"ca-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to conduct control assessments.","links":[{"href":"#ca-2.1_smt","rel":"assessment-for"}]},{"id":"ca-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\nprevious control assessment plan\n\nprevious control assessment report\n\nplan of action and milestones\n\nexisting authorization statement\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-2.2","class":"SP800-53-enhancement","title":"Specialized Assessments","params":[{"id":"ca-02.02_odp.01","props":[{"name":"alt-identifier","value":"ca-2.2_prm_1"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"CA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"specialized assessment frequency","guidelines":[{"prose":"frequency at which to include specialized assessments as part of the control assessment is defined;"}]},{"id":"ca-02.02_odp.02","props":[{"name":"alt-identifier","value":"ca-2.2_prm_2"},{"name":"label","value":"CA-02(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["announced","unannounced"]}},{"id":"ca-02.02_odp.03","props":[{"name":"alt-identifier","value":"ca-2.2_prm_3"},{"name":"label","value":"CA-02(02)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-depth monitoring","security instrumentation","automated security test cases","vulnerability scanning","malicious user testing","insider threat assessment","performance and load testing","data leakage or data loss assessment","{{ insert: param, ca-02.02_odp.04 }} "]}},{"id":"ca-02.02_odp.04","props":[{"name":"alt-identifier","value":"ca-2.2_prm_4"},{"name":"label","value":"CA-02(02)_ODP[04]","class":"sp800-53a"}],"label":"other forms of assessment","guidelines":[{"prose":"other forms of assessment are defined (if selected);"}]}],"props":[{"name":"label","value":"CA-2(2)"},{"name":"label","value":"CA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#pe-3","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"ca-2.2_smt","name":"statement","prose":"Include as part of control assessments, {{ insert: param, ca-02.02_odp.01 }}, {{ insert: param, ca-02.02_odp.02 }}, {{ insert: param, ca-02.02_odp.03 }}."},{"id":"ca-2.2_gdn","name":"guidance","prose":"Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing)."},{"id":"ca-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.","links":[{"href":"#ca-2.2_smt","rel":"assessment-for"}]},{"id":"ca-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting control assessment"}]}]},{"id":"ca-2.3","class":"SP800-53-enhancement","title":"Leveraging Results from External Organizations","params":[{"id":"ca-02.03_odp.01","props":[{"name":"alt-identifier","value":"ca-2.3_prm_1"},{"name":"alt-label","value":"external organization","class":"sp800-53"},{"name":"label","value":"CA-02(03)_ODP[01]","class":"sp800-53a"}],"label":"external organization(s)","guidelines":[{"prose":"external organization(s) from which the results of control assessments are leveraged are defined;"}]},{"id":"ca-02.03_odp.02","props":[{"name":"alt-identifier","value":"ca-2.3_prm_2"},{"name":"label","value":"CA-02(03)_ODP[02]","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"system on which a control assessment was performed by an external organization is defined;"}]},{"id":"ca-02.03_odp.03","props":[{"name":"alt-identifier","value":"ca-2.3_prm_3"},{"name":"label","value":"CA-02(03)_ODP[03]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements to be met by the control assessment performed by an external organization on the system are defined;"}]}],"props":[{"name":"label","value":"CA-2(3)"},{"name":"label","value":"CA-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"required"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"ca-2.3_smt","name":"statement","prose":"Leverage the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} when the assessment meets {{ insert: param, ca-02.03_odp.03 }}."},{"id":"ca-2.3_gdn","name":"guidance","prose":"Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program [ISO 15408-1](#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73) , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage."},{"id":"ca-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-02(03)","class":"sp800-53a"}],"prose":"the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.","links":[{"href":"#ca-2.3_smt","rel":"assessment-for"}]},{"id":"ca-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing control assessments\n\ncontrol assessment requirements\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel performing control assessments for the specified external organization"}]}]}]},{"id":"ca-3","class":"SP800-53","title":"Information Exchange","params":[{"id":"ca-03_odp.01","props":[{"name":"alt-identifier","value":"ca-3_prm_1"},{"name":"label","value":"CA-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["interconnection security agreements","information exchange security agreements","memoranda of understanding or agreement","service level agreements","user agreements","non-disclosure agreements","{{ insert: param, ca-03_odp.02 }} "]}},{"id":"ca-03_odp.02","props":[{"name":"alt-identifier","value":"ca-3_prm_2"},{"name":"label","value":"CA-03_ODP[02]","class":"sp800-53a"}],"label":"type of agreement","guidelines":[{"prose":"the type of agreement used to approve and manage the exchange of information is defined (if selected);"}]},{"id":"ca-03_odp.03","props":[{"name":"alt-identifier","value":"ca-3_prm_3"},{"name":"label","value":"CA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update agreements is defined;"}]}],"props":[{"name":"label","value":"CA-3"},{"name":"label","value":"CA-03","class":"sp800-53a"},{"name":"sort-id","value":"ca-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#c3a76872-e160-4267-99e8-6952de967d04","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-3_smt","name":"statement","parts":[{"id":"ca-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and manage the exchange of information between the system and other systems using {{ insert: param, ca-03_odp.01 }};"},{"id":"ca-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and"},{"id":"ca-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the agreements {{ insert: param, ca-03_odp.03 }}."}]},{"id":"ca-3_gdn","name":"guidance","prose":"System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in [CA-6(1)](#ca-6.1) or [CA-6(2)](#ca-6.2) , may help to communicate and reduce risk.\n\nAuthorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from [CA-3a](#ca-3_smt.a) in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks."},{"id":"ca-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03a.","class":"sp800-53a"}],"prose":"the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};","links":[{"href":"#ca-3_smt.a","rel":"assessment-for"}]},{"id":"ca-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.","class":"sp800-53a"}],"parts":[{"id":"ca-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[01]","class":"sp800-53a"}],"prose":"the interface characteristics are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[02]","class":"sp800-53a"}],"prose":"security requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[03]","class":"sp800-53a"}],"prose":"privacy requirements are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[04]","class":"sp800-53a"}],"prose":"controls are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[05]","class":"sp800-53a"}],"prose":"responsibilities for each system are documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"CA-03b.[06]","class":"sp800-53a"}],"prose":"the impact level of the information communicated is documented as part of each exchange agreement;","links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt.b","rel":"assessment-for"}]},{"id":"ca-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-03c.","class":"sp800-53a"}],"prose":"agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.","links":[{"href":"#ca-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-3_smt","rel":"assessment-for"}]},{"id":"ca-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection security agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nenterprise architecture\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel managing the system(s) to which the interconnection security agreement applies"}]}],"controls":[{"id":"ca-3.1","class":"SP800-53-enhancement","title":"Unclassified National Security System Connections","props":[{"name":"label","value":"CA-3(1)"},{"name":"label","value":"CA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.25","rel":"moved-to"}]},{"id":"ca-3.2","class":"SP800-53-enhancement","title":"Classified National Security System Connections","props":[{"name":"label","value":"CA-3(2)"},{"name":"label","value":"CA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.26","rel":"moved-to"}]},{"id":"ca-3.3","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","props":[{"name":"label","value":"CA-3(3)"},{"name":"label","value":"CA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.27","rel":"moved-to"}]},{"id":"ca-3.4","class":"SP800-53-enhancement","title":"Connections to Public Networks","props":[{"name":"label","value":"CA-3(4)"},{"name":"label","value":"CA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.28","rel":"moved-to"}]},{"id":"ca-3.5","class":"SP800-53-enhancement","title":"Restrictions on External System Connections","props":[{"name":"label","value":"CA-3(5)"},{"name":"label","value":"CA-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.5","rel":"moved-to"}]},{"id":"ca-3.6","class":"SP800-53-enhancement","title":"Transfer Authorizations","props":[{"name":"label","value":"CA-3(6)"},{"name":"label","value":"CA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ca-3.6_smt","name":"statement","prose":"Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."},{"id":"ca-3.6_gdn","name":"guidance","prose":"To prevent unauthorized individuals and systems from making information transfers to protected systems, the protected system verifies—via independent means— whether the individual or system attempting to transfer information is authorized to do so. Verification of the authorization to transfer information also applies to control plane traffic (e.g., routing and DNS) and services (e.g., authenticated SMTP relays)."},{"id":"ca-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(06)","class":"sp800-53a"}],"prose":"individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.","links":[{"href":"#ca-3.6_smt","rel":"assessment-for"}]},{"id":"ca-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]},{"id":"ca-3.7","class":"SP800-53-enhancement","title":"Transitive Information Exchanges","props":[{"name":"label","value":"CA-3(7)"},{"name":"label","value":"CA-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"ca-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-3","rel":"required"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"ca-3.7_smt","name":"statement","parts":[{"id":"ca-3.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a) ; and"},{"id":"ca-3.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated."}]},{"id":"ca-3.7_gdn","name":"guidance","prose":"Transitive or \"downstream\" information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts."},{"id":"ca-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)","class":"sp800-53a"}],"parts":[{"id":"ca-3.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)(a)","class":"sp800-53a"}],"prose":"transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;","links":[{"href":"#ca-3.7_smt.a","rel":"assessment-for"}]},{"id":"ca-3.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-03(07)(b)","class":"sp800-53a"}],"prose":"measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.","links":[{"href":"#ca-3.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-3.7_smt","rel":"assessment-for"}]},{"id":"ca-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Access control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem interconnection agreements\n\ninformation exchange security agreements\n\nmemoranda of understanding or agreements\n\nservice level agreements\n\nnon-disclosure agreements\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontrol assessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing connections to external systems\n\nnetwork administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing restrictions on external system connections"}]}]}]},{"id":"ca-4","class":"SP800-53","title":"Security Certification","props":[{"name":"label","value":"CA-4"},{"name":"label","value":"CA-04","class":"sp800-53a"},{"name":"sort-id","value":"ca-04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-2","rel":"incorporated-into"}]},{"id":"ca-5","class":"SP800-53","title":"Plan of Action and Milestones","params":[{"id":"ca-05_odp","props":[{"name":"alt-identifier","value":"ca-5_prm_1"},{"name":"label","value":"CA-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;"}]}],"props":[{"name":"label","value":"CA-5"},{"name":"label","value":"CA-05","class":"sp800-53a"},{"name":"sort-id","value":"ca-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-5_smt","name":"statement","parts":[{"id":"ca-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and"},{"id":"ca-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update existing plan of action and milestones {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."}]},{"id":"ca-5_gdn","name":"guidance","prose":"Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB."},{"id":"ca-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05","class":"sp800-53a"}],"parts":[{"id":"ca-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-05a.","class":"sp800-53a"}],"prose":"a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;","links":[{"href":"#ca-5_smt.a","rel":"assessment-for"}]},{"id":"ca-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-05b.","class":"sp800-53a"}],"prose":"existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.","links":[{"href":"#ca-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-5_smt","rel":"assessment-for"}]},{"id":"ca-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\ncontrol assessment plan\n\ncontrol assessment report\n\ncontrol assessment evidence\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for developing, implementing, and maintaining plan of action and milestones"}]}],"controls":[{"id":"ca-5.1","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"ca-05.01_odp","props":[{"name":"alt-identifier","value":"ca-5.1_prm_1"},{"name":"label","value":"CA-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;"}]}],"props":[{"name":"label","value":"CA-5(1)"},{"name":"label","value":"CA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-5","rel":"required"}],"parts":[{"id":"ca-5.1_smt","name":"statement","prose":"Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using {{ insert: param, ca-05.01_odp }}."},{"id":"ca-5.1_gdn","name":"guidance","prose":"Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner."},{"id":"ca-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.","links":[{"href":"#ca-5.1_smt","rel":"assessment-for"}]},{"id":"ca-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing plan of action and milestones\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nplan of action and milestones\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with plan of action and milestones development and implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for developing, implementing, and maintaining a plan of action and milestones"}]}]}]},{"id":"ca-6","class":"SP800-53","title":"Authorization","params":[{"id":"ca-06_odp","props":[{"name":"alt-identifier","value":"ca-6_prm_1"},{"name":"label","value":"CA-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to update the authorizations is defined;"}]}],"props":[{"name":"label","value":"CA-6"},{"name":"label","value":"CA-06","class":"sp800-53a"},{"name":"sort-id","value":"ca-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-6_smt","name":"statement","parts":[{"id":"ca-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a senior official as the authorizing official for the system;"},{"id":"ca-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;"},{"id":"ca-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensure that the authorizing official for the system, before commencing operations:","parts":[{"id":"ca-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accepts the use of common controls inherited by the system; and"},{"id":"ca-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Authorizes the system to operate;"}]},{"id":"ca-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"},{"id":"ca-6_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the authorizations {{ insert: param, ca-06_odp }}."}]},{"id":"ca-6_gdn","name":"guidance","prose":"Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.\n\nAuthorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions."},{"id":"ca-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-06a.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for the system;","links":[{"href":"#ca-6_smt.a","rel":"assessment-for"}]},{"id":"ca-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-06b.","class":"sp800-53a"}],"prose":"a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.b","rel":"assessment-for"}]},{"id":"ca-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.","class":"sp800-53a"}],"parts":[{"id":"ca-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.01","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;","links":[{"href":"#ca-6_smt.c.1","rel":"assessment-for"}]},{"id":"ca-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CA-06c.02","class":"sp800-53a"}],"prose":"before commencing operations, the authorizing official for the system authorizes the system to operate;","links":[{"href":"#ca-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt.c","rel":"assessment-for"}]},{"id":"ca-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-06d.","class":"sp800-53a"}],"prose":"the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;","links":[{"href":"#ca-6_smt.d","rel":"assessment-for"}]},{"id":"ca-6_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-06e.","class":"sp800-53a"}],"prose":"the authorizations are updated {{ insert: param, ca-06_odp }}.","links":[{"href":"#ca-6_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ca-6_smt","rel":"assessment-for"}]},{"id":"ca-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan, privacy plan, assessment report, plan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}],"controls":[{"id":"ca-6.1","class":"SP800-53-enhancement","title":"Joint Authorization — Intra-organization","props":[{"name":"label","value":"CA-6(1)"},{"name":"label","value":"CA-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-6","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ca-6.1_smt","name":"statement","prose":"Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization."},{"id":"ca-6.1_gdn","name":"guidance","prose":"Assigning multiple authorizing officials from the same organization to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It also implements the concepts of separation of duties and dual authorization as applied to the system authorization process. The intra-organization joint authorization process is most relevant for connected systems, shared systems, and systems with multiple information owners."},{"id":"ca-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)","class":"sp800-53a"}],"parts":[{"id":"ca-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)[01]","class":"sp800-53a"}],"prose":"a joint authorization process is employed for the system;","links":[{"href":"#ca-6.1_smt","rel":"assessment-for"}]},{"id":"ca-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-06(01)[02]","class":"sp800-53a"}],"prose":"the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.","links":[{"href":"#ca-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ca-6.1_smt","rel":"assessment-for"}]},{"id":"ca-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]},{"id":"ca-6.2","class":"SP800-53-enhancement","title":"Joint Authorization — Inter-organization","props":[{"name":"label","value":"CA-6(2)"},{"name":"label","value":"CA-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-6","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ca-6.2_smt","name":"statement","prose":"Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization."},{"id":"ca-6.2_gdn","name":"guidance","prose":"Assigning multiple authorizing officials, at least one of whom comes from an external organization, to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization that owns or hosts the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision. The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization."},{"id":"ca-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)","class":"sp800-53a"}],"parts":[{"id":"ca-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)[01]","class":"sp800-53a"}],"prose":"a joint authorization process is employed for the system;","links":[{"href":"#ca-6.2_smt","rel":"assessment-for"}]},{"id":"ca-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-06(02)[02]","class":"sp800-53a"}],"prose":"the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.","links":[{"href":"#ca-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ca-6.2_smt","rel":"assessment-for"}]},{"id":"ca-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing authorization\n\nsystem security plan\n\nprivacy plan\n\nassessment report\n\nplan of action and milestones\n\nauthorization statement\n\nother relevant documents or records"}]},{"id":"ca-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authorization responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that facilitate authorizations and updates"}]}]}]},{"id":"ca-7","class":"SP800-53","title":"Continuous Monitoring","params":[{"id":"ca-7_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.06"}],"label":"organization-defined personnel or roles"},{"id":"ca-7_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07_odp.07"}],"label":"organization-defined frequency"},{"id":"ca-07_odp.01","props":[{"name":"alt-identifier","value":"ca-7_prm_1"},{"name":"label","value":"CA-07_ODP[01]","class":"sp800-53a"}],"label":"system-level metrics","guidelines":[{"prose":"system-level metrics to be monitored are defined;"}]},{"id":"ca-07_odp.02","props":[{"name":"alt-identifier","value":"ca-7_prm_2"},{"name":"label","value":"CA-07_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to monitor control effectiveness are defined;"}]},{"id":"ca-07_odp.03","props":[{"name":"alt-identifier","value":"ca-7_prm_3"},{"name":"label","value":"CA-07_ODP[03]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"frequencies at which to assess control effectiveness are defined;"}]},{"id":"ca-07_odp.04","props":[{"name":"label","value":"CA-07_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the security status of the system is reported are defined;"}]},{"id":"ca-07_odp.05","props":[{"name":"label","value":"CA-07_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the security status of the system is reported is defined;"}]},{"id":"ca-07_odp.06","props":[{"name":"label","value":"CA-07_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the privacy status of the system is reported are defined;"}]},{"id":"ca-07_odp.07","props":[{"name":"label","value":"CA-07_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which the privacy status of the system is reported is defined;"}]}],"props":[{"name":"label","value":"CA-7"},{"name":"label","value":"CA-07","class":"sp800-53a"},{"name":"sort-id","value":"ca-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#bbac9fc2-df5b-4f2d-bf99-90d0ade45349","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-31","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-7_smt","name":"statement","prose":"Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:","parts":[{"id":"ca-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"},{"id":"ca-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, ca-07_odp.02 }} for monitoring and {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"},{"id":"ca-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing control assessments in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"ca-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"ca-7_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"ca-7_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Reporting the security and privacy status of the system to {{ insert: param, ca-7_prm_4 }} {{ insert: param, ca-7_prm_5 }}."}]},{"id":"ca-7_gdn","name":"guidance","prose":"Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.\n\nAutomation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PM-31](#pm-31), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SR-4](#sr-4), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) , and [SI-4](#si-4)."},{"id":"ca-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07[01]","class":"sp800-53a"}],"prose":"a system-level continuous monitoring strategy is developed;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;","links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07a.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};","links":[{"href":"#ca-7_smt.a","rel":"assessment-for"}]},{"id":"ca-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07b.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.b","rel":"assessment-for"}]},{"id":"ca-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07c.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.c","rel":"assessment-for"}]},{"id":"ca-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-07d.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;","links":[{"href":"#ca-7_smt.d","rel":"assessment-for"}]},{"id":"ca-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CA-07e.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;","links":[{"href":"#ca-7_smt.e","rel":"assessment-for"}]},{"id":"ca-7_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CA-07f.","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;","links":[{"href":"#ca-7_smt.f","rel":"assessment-for"}]},{"id":"ca-7_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.","class":"sp800-53a"}],"parts":[{"id":"ca-7_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[01]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]},{"id":"ca-7_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07g.[02]","class":"sp800-53a"}],"prose":"system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.","links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ca-7_smt","rel":"assessment-for"}]},{"id":"ca-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nprocedures addressing configuration management\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nconfiguration management records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing continuous monitoring\n\nmechanisms supporting response actions to address assessment and monitoring results\n\nmechanisms supporting security and privacy status reporting"}]}],"controls":[{"id":"ca-7.1","class":"SP800-53-enhancement","title":"Independent Assessment","props":[{"name":"label","value":"CA-7(1)"},{"name":"label","value":"CA-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.1_smt","name":"statement","prose":"Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis."},{"id":"ca-7.1_gdn","name":"guidance","prose":"Organizations maximize the value of control assessments by requiring that assessments be conducted by assessors with appropriate levels of independence. The level of required independence is based on organizational continuous monitoring strategies. Assessor independence provides a degree of impartiality to the monitoring process. To achieve such impartiality, assessors do not create a mutual or conflicting interest with the organizations where the assessments are being conducted, assess their own work, act as management or employees of the organizations they are serving, or place themselves in advocacy positions for the organizations acquiring their services."},{"id":"ca-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(01)","class":"sp800-53a"}],"prose":"independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.","links":[{"href":"#ca-7.1_smt","rel":"assessment-for"}]},{"id":"ca-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\ncontrol assessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-7.2","class":"SP800-53-enhancement","title":"Types of Assessments","props":[{"name":"label","value":"CA-7(2)"},{"name":"label","value":"CA-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-2","rel":"incorporated-into"}]},{"id":"ca-7.3","class":"SP800-53-enhancement","title":"Trend Analyses","props":[{"name":"label","value":"CA-7(3)"},{"name":"label","value":"CA-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.3_smt","name":"statement","prose":"Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data."},{"id":"ca-7.3_gdn","name":"guidance","prose":"Trend analyses include examining recent threat information that addresses the types of threat events that have occurred in the organization or the Federal Government, success rates of certain types of attacks, emerging vulnerabilities in technologies, evolving social engineering techniques, the effectiveness of configuration settings, results from multiple control assessments, and findings from Inspectors General or auditors."},{"id":"ca-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)","class":"sp800-53a"}],"parts":[{"id":"ca-7.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[01]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;","links":[{"href":"#ca-7.3_smt","rel":"assessment-for"}]},{"id":"ca-7.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[02]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;","links":[{"href":"#ca-7.3_smt","rel":"assessment-for"}]},{"id":"ca-7.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CA-07(03)[03]","class":"sp800-53a"}],"prose":"trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.","links":[{"href":"#ca-7.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.3_smt","rel":"assessment-for"}]},{"id":"ca-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nassessment, authorization, and monitoring policy\n\nprocedures addressing continuous monitoring of system controls\n\nprivacy controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting trend analyses"}]}]},{"id":"ca-7.4","class":"SP800-53-enhancement","title":"Risk Monitoring","props":[{"name":"label","value":"CA-7(4)"},{"name":"label","value":"CA-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.4_smt","name":"statement","prose":"Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:","parts":[{"id":"ca-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Effectiveness monitoring;"},{"id":"ca-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Compliance monitoring; and"},{"id":"ca-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Change monitoring."}]},{"id":"ca-7.4_gdn","name":"guidance","prose":"Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk."},{"id":"ca-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)","class":"sp800-53a"}],"prose":"risk monitoring is an integral part of the continuous monitoring strategy;","parts":[{"id":"ca-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(a)","class":"sp800-53a"}],"prose":"effectiveness monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.a","rel":"assessment-for"}]},{"id":"ca-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(b)","class":"sp800-53a"}],"prose":"compliance monitoring is included in risk monitoring;","links":[{"href":"#ca-7.4_smt.b","rel":"assessment-for"}]},{"id":"ca-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-07(04)(c)","class":"sp800-53a"}],"prose":"change monitoring is included in risk monitoring.","links":[{"href":"#ca-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.4_smt","rel":"assessment-for"}]},{"id":"ca-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting risk monitoring"}]}]},{"id":"ca-7.5","class":"SP800-53-enhancement","title":"Consistency Analysis","params":[{"id":"ca-7.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ca-07.05_odp.02"}],"label":"organization-defined actions"},{"id":"ca-07.05_odp.01","props":[{"name":"label","value":"CA-07(05)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to validate that policies are established are defined;"}]},{"id":"ca-07.05_odp.02","props":[{"name":"label","value":"CA-07(05)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to validate that implemented controls are operating in a consistent manner are defined;"}]}],"props":[{"name":"label","value":"CA-7(5)"},{"name":"label","value":"CA-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.5_smt","name":"statement","prose":"Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: {{ insert: param, ca-7.5_prm_1 }}."},{"id":"ca-7.5_gdn","name":"guidance","prose":"Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). In other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate—through testing, monitoring, and analysis—that the implemented controls are operating in a consistent, coordinated, non-interfering manner."},{"id":"ca-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)","class":"sp800-53a"}],"parts":[{"id":"ca-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;","links":[{"href":"#ca-7.5_smt","rel":"assessment-for"}]},{"id":"ca-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-07(05)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner.","links":[{"href":"#ca-7.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ca-7.5_smt","rel":"assessment-for"}]},{"id":"ca-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system security controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nsecurity impact analyses\n\nstatus reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ca-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting consistency analyses"}]}]},{"id":"ca-7.6","class":"SP800-53-enhancement","title":"Automation Support for Monitoring","params":[{"id":"ca-07.06_odp","props":[{"name":"alt-identifier","value":"ca-7.6_prm_1"},{"name":"label","value":"CA-07(06)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;"}]}],"props":[{"name":"label","value":"CA-7(6)"},{"name":"label","value":"CA-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"ca-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-7","rel":"required"}],"parts":[{"id":"ca-7.6_smt","name":"statement","prose":"Ensure the accuracy, currency, and availability of monitoring results for the system using {{ insert: param, ca-07.06_odp }}."},{"id":"ca-7.6_gdn","name":"guidance","prose":"Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information which in turns helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions."},{"id":"ca-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-07(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system.","links":[{"href":"#ca-7.6_smt","rel":"assessment-for"}]},{"id":"ca-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\norganizational continuous monitoring strategy\n\nsystem-level continuous monitoring strategy\n\nprocedures addressing continuous monitoring of system controls\n\nassessment report\n\nplan of action and milestones\n\nsystem monitoring records\n\nimpact analyses\n\nstatus reports\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with continuous monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting automated monitoring"}]}]}]},{"id":"ca-8","class":"SP800-53","title":"Penetration Testing","params":[{"id":"ca-08_odp.01","props":[{"name":"alt-identifier","value":"ca-8_prm_1"},{"name":"label","value":"CA-08_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct penetration testing on systems or system components is defined;"}]},{"id":"ca-08_odp.02","props":[{"name":"alt-identifier","value":"ca-8_prm_2"},{"name":"alt-label","value":"systems or system components","class":"sp800-53"},{"name":"label","value":"CA-08_ODP[02]","class":"sp800-53a"}],"label":"system(s) or system components","guidelines":[{"prose":"systems or system components on which penetration testing is to be conducted are defined;"}]}],"props":[{"name":"label","value":"CA-8"},{"name":"label","value":"CA-08","class":"sp800-53a"},{"name":"sort-id","value":"ca-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"ca-8_smt","name":"statement","prose":"Conduct penetration testing {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."},{"id":"ca-8_gdn","name":"guidance","prose":"Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and\/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).\n\nOrganizations can use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls. A standard method for penetration testing includes a pretest analysis based on full knowledge of the system, pretest identification of potential vulnerabilities based on the pretest analysis, and testing designed to determine the exploitability of vulnerabilities. All parties agree to the rules of engagement before commencing penetration testing scenarios. Organizations correlate the rules of engagement for the penetration tests with the tools, techniques, and procedures that are anticipated to be employed by adversaries. Penetration testing may result in the exposure of information that is protected by laws or regulations, to individuals conducting the testing. Rules of engagement, contracts, or other appropriate mechanisms can be used to communicate expectations for how to protect this information. Risk assessments guide the decisions on the level of independence required for the personnel conducting penetration testing."},{"id":"ca-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08","class":"sp800-53a"}],"prose":"penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.","links":[{"href":"#ca-8_smt","rel":"assessment-for"}]},{"id":"ca-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with control assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting penetration testing"}]}],"controls":[{"id":"ca-8.1","class":"SP800-53-enhancement","title":"Independent Penetration Testing Agent or Team","props":[{"name":"label","value":"CA-8(1)"},{"name":"label","value":"CA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"}],"parts":[{"id":"ca-8.1_smt","name":"statement","prose":"Employ an independent penetration testing agent or team to perform penetration testing on the system or system components."},{"id":"ca-8.1_gdn","name":"guidance","prose":"Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. [CA-2(1)](#ca-2.1) provides additional information on independent assessments that can be applied to penetration testing."},{"id":"ca-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(01)","class":"sp800-53a"}],"prose":"an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.","links":[{"href":"#ca-8.1_smt","rel":"assessment-for"}]},{"id":"ca-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nassessment plan\n\npenetration test report\n\nassessment report\n\nsecurity assessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ca-8.2","class":"SP800-53-enhancement","title":"Red Team Exercises","params":[{"id":"ca-08.02_odp","props":[{"name":"alt-identifier","value":"ca-8.2_prm_1"},{"name":"label","value":"CA-08(02)_ODP","class":"sp800-53a"}],"label":"red team exercises","guidelines":[{"prose":"red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;"}]}],"props":[{"name":"label","value":"CA-8(2)"},{"name":"label","value":"CA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"}],"parts":[{"id":"ca-8.2_smt","name":"statement","prose":"Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: {{ insert: param, ca-08.02_odp }}."},{"id":"ca-8.2_gdn","name":"guidance","prose":"Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and\/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness."},{"id":"ca-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.","links":[{"href":"#ca-8.2_smt","rel":"assessment-for"}]},{"id":"ca-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting the employment of red team exercises"}]}]},{"id":"ca-8.3","class":"SP800-53-enhancement","title":"Facility Penetration Testing","params":[{"id":"ca-08.03_odp.01","props":[{"name":"alt-identifier","value":"ca-8.3_prm_1"},{"name":"label","value":"CA-08(03)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;"}]},{"id":"ca-08.03_odp.02","props":[{"name":"alt-identifier","value":"ca-8.3_prm_2"},{"name":"label","value":"CA-08(03)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["announced","unannounced"]}}],"props":[{"name":"label","value":"CA-8(3)"},{"name":"label","value":"CA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"ca-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-8","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ca-8.3_smt","name":"statement","prose":"Employ a penetration testing process that includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to the facility."},{"id":"ca-8.3_gdn","name":"guidance","prose":"Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems."},{"id":"ca-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-08(03)","class":"sp800-53a"}],"prose":"the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility.","links":[{"href":"#ca-8.3_smt","rel":"assessment-for"}]},{"id":"ca-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\nprocedures addressing penetration testing\n\nprocedures addressing red team exercises\n\nassessment plan\n\nresults of red team exercises\n\npenetration test report\n\nassessment report\n\nrules of engagement\n\nassessment evidence\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"ca-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting the employment of red team exercises"}]}]}]},{"id":"ca-9","class":"SP800-53","title":"Internal System Connections","params":[{"id":"ca-09_odp.01","props":[{"name":"alt-identifier","value":"ca-9_prm_1"},{"name":"alt-label","value":"system components or classes of components","class":"sp800-53"},{"name":"label","value":"CA-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components or classes of components requiring internal connections to the system are defined;"}]},{"id":"ca-09_odp.02","props":[{"name":"alt-identifier","value":"ca-9_prm_2"},{"name":"label","value":"CA-09_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions requiring termination of internal connections are defined;"}]},{"id":"ca-09_odp.03","props":[{"name":"alt-identifier","value":"ca-9_prm_3"},{"name":"label","value":"CA-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the continued need for each internal connection is defined;"}]}],"props":[{"name":"label","value":"CA-9"},{"name":"label","value":"CA-09","class":"sp800-53a"},{"name":"sort-id","value":"ca-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ca-9_smt","name":"statement","parts":[{"id":"ca-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize internal connections of {{ insert: param, ca-09_odp.01 }} to the system;"},{"id":"ca-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;"},{"id":"ca-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Terminate internal system connections after {{ insert: param, ca-09_odp.02 }} ; and"},{"id":"ca-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review {{ insert: param, ca-09_odp.03 }} the continued need for each internal connection."}]},{"id":"ca-9_gdn","name":"guidance","prose":"Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and\/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions."},{"id":"ca-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CA-09a.","class":"sp800-53a"}],"prose":"internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;","links":[{"href":"#ca-9_smt.a","rel":"assessment-for"}]},{"id":"ca-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.","class":"sp800-53a"}],"parts":[{"id":"ca-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[01]","class":"sp800-53a"}],"prose":"for each internal connection, the interface characteristics are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[02]","class":"sp800-53a"}],"prose":"for each internal connection, the security requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[03]","class":"sp800-53a"}],"prose":"for each internal connection, the privacy requirements are documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CA-09b.[04]","class":"sp800-53a"}],"prose":"for each internal connection, the nature of the information communicated is documented;","links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt.b","rel":"assessment-for"}]},{"id":"ca-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CA-09c.","class":"sp800-53a"}],"prose":"internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};","links":[{"href":"#ca-9_smt.c","rel":"assessment-for"}]},{"id":"ca-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CA-09d.","class":"sp800-53a"}],"prose":"the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.","links":[{"href":"#ca-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ca-9_smt","rel":"assessment-for"}]},{"id":"ca-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting internal system connections"}]}],"controls":[{"id":"ca-9.1","class":"SP800-53-enhancement","title":"Compliance Checks","props":[{"name":"label","value":"CA-9(1)"},{"name":"label","value":"CA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ca-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-9","rel":"required"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"ca-9.1_smt","name":"statement","prose":"Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection."},{"id":"ca-9.1_gdn","name":"guidance","prose":"Compliance checks include verification of the relevant baseline configuration."},{"id":"ca-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)","class":"sp800-53a"}],"parts":[{"id":"ca-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)[01]","class":"sp800-53a"}],"prose":"security compliance checks are performed on constituent system components prior to the establishment of the internal connection;","links":[{"href":"#ca-9.1_smt","rel":"assessment-for"}]},{"id":"ca-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CA-09(01)[02]","class":"sp800-53a"}],"prose":"privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.","links":[{"href":"#ca-9.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ca-9.1_smt","rel":"assessment-for"}]},{"id":"ca-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CA-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Assessment, authorization, and monitoring policy\n\naccess control policy\n\nprocedures addressing system connections\n\nsystem and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of components or classes of components authorized as internal system connections\n\nassessment report\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ca-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CA-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ca-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CA-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting compliance checks"}]}]}]}]},{"id":"cm","class":"family","title":"Configuration Management","controls":[{"id":"cm-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cm-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cm-01_odp.01","props":[{"name":"label","value":"CM-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management policy is to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.02","props":[{"name":"label","value":"CM-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the configuration management procedures are to be disseminated is\/are defined;"}]},{"id":"cm-01_odp.03","props":[{"name":"alt-identifier","value":"cm-1_prm_2"},{"name":"label","value":"CM-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cm-01_odp.04","props":[{"name":"alt-identifier","value":"cm-1_prm_3"},{"name":"label","value":"CM-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the configuration management policy and procedures is defined;"}]},{"id":"cm-01_odp.05","props":[{"name":"alt-identifier","value":"cm-1_prm_4"},{"name":"label","value":"CM-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management policy is reviewed and updated is defined;"}]},{"id":"cm-01_odp.06","props":[{"name":"alt-identifier","value":"cm-1_prm_5"},{"name":"label","value":"CM-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current configuration management policy to be reviewed and updated are defined;"}]},{"id":"cm-01_odp.07","props":[{"name":"alt-identifier","value":"cm-1_prm_6"},{"name":"label","value":"CM-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current configuration management procedures are reviewed and updated is defined;"}]},{"id":"cm-01_odp.08","props":[{"name":"alt-identifier","value":"cm-1_prm_7"},{"name":"label","value":"CM-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require configuration management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CM-1"},{"name":"label","value":"CM-01","class":"sp800-53a"},{"name":"sort-id","value":"cm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-1_smt","name":"statement","parts":[{"id":"cm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:","parts":[{"id":"cm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cm-01_odp.03 }} configuration management policy that:","parts":[{"id":"cm-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cm-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;"}]},{"id":"cm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and"},{"id":"cm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current configuration management:","parts":[{"id":"cm-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }} ; and"},{"id":"cm-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}."}]}]},{"id":"cm-1_gdn","name":"guidance","prose":"Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[01]","class":"sp800-53a"}],"prose":"a configuration management policy is developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[02]","class":"sp800-53a"}],"prose":"the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[03]","class":"sp800-53a"}],"prose":"configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.[04]","class":"sp800-53a"}],"prose":"the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};","links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;","links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cm-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01a.01(b)","class":"sp800-53a"}],"prose":"the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cm-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.a","rel":"assessment-for"}]},{"id":"cm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;","links":[{"href":"#cm-1_smt.b","rel":"assessment-for"}]},{"id":"cm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[01]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.01[02]","class":"sp800-53a"}],"prose":"the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};","links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.1","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02","class":"sp800-53a"}],"parts":[{"id":"cm-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[01]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]},{"id":"cm-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CM-01c.02[02]","class":"sp800-53a"}],"prose":"the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.","links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-1_smt","rel":"assessment-for"}]},{"id":"cm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy and procedures\n\nsecurity and privacy program policies and procedures\n\nassessment or audit findings\n\ndocumentation of security incidents or breaches\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy\n\nother relevant artifacts, documents, or records"}]},{"id":"cm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cm-2","class":"SP800-53","title":"Baseline Configuration","params":[{"id":"cm-02_odp.01","props":[{"name":"alt-identifier","value":"cm-2_prm_1"},{"name":"label","value":"CM-02_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of baseline configuration review and update is defined;"}]},{"id":"cm-02_odp.02","props":[{"name":"alt-identifier","value":"cm-2_prm_2"},{"name":"label","value":"CM-02_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances requiring baseline configuration review and update are defined;"}]}],"props":[{"name":"label","value":"CM-2"},{"name":"label","value":"CM-02","class":"sp800-53a"},{"name":"sort-id","value":"cm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"cm-2_smt","name":"statement","parts":[{"id":"cm-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and maintain under configuration control, a current baseline configuration of the system; and"},{"id":"cm-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the baseline configuration of the system:","parts":[{"id":"cm-2_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cm-02_odp.01 }};"},{"id":"cm-2_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required due to {{ insert: param, cm-02_odp.02 }} ; and"},{"id":"cm-2_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"When system components are installed or upgraded."}]}]},{"id":"cm-2_gdn","name":"guidance","prose":"Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture."},{"id":"cm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[01]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is developed and documented;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02a.[02]","class":"sp800-53a"}],"prose":"a current baseline configuration of the system is maintained under configuration control;","links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.a","rel":"assessment-for"}]},{"id":"cm-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.","class":"sp800-53a"}],"parts":[{"id":"cm-2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.01","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};","links":[{"href":"#cm-2_smt.b.1","rel":"assessment-for"}]},{"id":"cm-2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.02","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};","links":[{"href":"#cm-2_smt.b.2","rel":"assessment-for"}]},{"id":"cm-2_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"CM-02b.03","class":"sp800-53a"}],"prose":"the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.","links":[{"href":"#cm-2_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2_smt","rel":"assessment-for"}]},{"id":"cm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nenterprise architecture documentation\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nother relevant documents or records"}]},{"id":"cm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}],"controls":[{"id":"cm-2.1","class":"SP800-53-enhancement","title":"Reviews and Updates","props":[{"name":"label","value":"CM-2(1)"},{"name":"label","value":"CM-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-2","rel":"incorporated-into"}]},{"id":"cm-2.2","class":"SP800-53-enhancement","title":"Automation Support for Accuracy and Currency","params":[{"id":"cm-02.02_odp","props":[{"name":"alt-identifier","value":"cm-2.2_prm_1"},{"name":"label","value":"CM-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for maintaining baseline configuration of the system are defined;"}]}],"props":[{"name":"label","value":"CM-2(2)"},{"name":"label","value":"CM-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"cm-2.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}."},{"id":"cm-2.2_gdn","name":"guidance","prose":"Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of [CM-8(2)](#cm-8.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)","class":"sp800-53a"}],"parts":[{"id":"cm-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[01]","class":"sp800-53a"}],"prose":"the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[02]","class":"sp800-53a"}],"prose":"the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[03]","class":"sp800-53a"}],"prose":"the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-02(02)[04]","class":"sp800-53a"}],"prose":"the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.","links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.2_smt","rel":"assessment-for"}]},{"id":"cm-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nconfiguration change control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nautomated mechanisms implementing baseline configuration maintenance"}]}]},{"id":"cm-2.3","class":"SP800-53-enhancement","title":"Retention of Previous Configurations","params":[{"id":"cm-02.03_odp","props":[{"name":"alt-identifier","value":"cm-2.3_prm_1"},{"name":"label","value":"CM-02(03)_ODP","class":"sp800-53a"}],"label":"number","guidelines":[{"prose":"the number of previous baseline configuration versions to be retained is defined;"}]}],"props":[{"name":"label","value":"CM-2(3)"},{"name":"label","value":"CM-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"}],"parts":[{"id":"cm-2.3_smt","name":"statement","prose":"Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback."},{"id":"cm-2.3_gdn","name":"guidance","prose":"Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation."},{"id":"cm-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(03)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is\/are retained to support rollback.","links":[{"href":"#cm-2.3_smt","rel":"assessment-for"}]},{"id":"cm-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncopies of previous baseline configuration versions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]},{"id":"cm-2.4","class":"SP800-53-enhancement","title":"Unauthorized Software","props":[{"name":"label","value":"CM-2(4)"},{"name":"label","value":"CM-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.4","rel":"incorporated-into"}]},{"id":"cm-2.5","class":"SP800-53-enhancement","title":"Authorized Software","props":[{"name":"label","value":"CM-2(5)"},{"name":"label","value":"CM-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.5","rel":"incorporated-into"}]},{"id":"cm-2.6","class":"SP800-53-enhancement","title":"Development and Test Environments","props":[{"name":"label","value":"CM-2(6)"},{"name":"label","value":"CM-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#cm-4","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-2.6_smt","name":"statement","prose":"Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration."},{"id":"cm-2.6_gdn","name":"guidance","prose":"Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility. Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations do not necessarily require separate physical environments."},{"id":"cm-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)","class":"sp800-53a"}],"parts":[{"id":"cm-2.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)[01]","class":"sp800-53a"}],"prose":"a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;","links":[{"href":"#cm-2.6_smt","rel":"assessment-for"}]},{"id":"cm-2.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-02(06)[02]","class":"sp800-53a"}],"prose":"a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.","links":[{"href":"#cm-2.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.6_smt","rel":"assessment-for"}]},{"id":"cm-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations\n\nmechanisms implementing separate baseline configurations for development, test, and operational environments"}]}]},{"id":"cm-2.7","class":"SP800-53-enhancement","title":"Configure Systems and Components for High-risk Areas","params":[{"id":"cm-02.07_odp.01","props":[{"name":"alt-identifier","value":"cm-2.7_prm_1"},{"name":"label","value":"CM-02(07)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.02","props":[{"name":"alt-identifier","value":"cm-2.7_prm_2"},{"name":"label","value":"CM-02(07)_ODP[02]","class":"sp800-53a"}],"label":"configurations","guidelines":[{"prose":"configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;"}]},{"id":"cm-02.07_odp.03","props":[{"name":"alt-identifier","value":"cm-2.7_prm_3"},{"name":"label","value":"CM-02(07)_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"the controls to be applied when the individuals return from travel are defined;"}]}],"props":[{"name":"label","value":"CM-2(7)"},{"name":"label","value":"CM-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"required"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cm-2.7_smt","name":"statement","parts":[{"id":"cm-2.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and"},{"id":"cm-2.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}."}]},{"id":"cm-2.7_gdn","name":"guidance","prose":"When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the [MP](#mp) (Media Protection) family."},{"id":"cm-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)","class":"sp800-53a"}],"parts":[{"id":"cm-2.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;","links":[{"href":"#cm-2.7_smt.a","rel":"assessment-for"}]},{"id":"cm-2.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-02(07)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.","links":[{"href":"#cm-2.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-2.7_smt","rel":"assessment-for"}]},{"id":"cm-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing the baseline configuration of the system\n\nprocedures addressing system component installations and upgrades\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nrecords of system baseline configuration reviews and updates\n\nsystem component installations\/upgrades and associated records\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-2.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-02(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing baseline configurations"}]}]}]},{"id":"cm-3","class":"SP800-53","title":"Configuration Change Control","params":[{"id":"cm-03_odp.01","props":[{"name":"alt-identifier","value":"cm-3_prm_1"},{"name":"label","value":"CM-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to retain records of configuration-controlled changes is defined;"}]},{"id":"cm-03_odp.02","props":[{"name":"alt-identifier","value":"cm-3_prm_2"},{"name":"label","value":"CM-03_ODP[02]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element responsible for coordinating and overseeing change control activities is defined;"}]},{"id":"cm-03_odp.03","props":[{"name":"alt-identifier","value":"cm-3_prm_3"},{"name":"label","value":"CM-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, cm-03_odp.04 }} ","when {{ insert: param, cm-03_odp.05 }} "]}},{"id":"cm-03_odp.04","props":[{"name":"alt-identifier","value":"cm-3_prm_4"},{"name":"label","value":"CM-03_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the configuration control element convenes is defined (if selected);"}]},{"id":"cm-03_odp.05","props":[{"name":"alt-identifier","value":"cm-3_prm_5"},{"name":"label","value":"CM-03_ODP[05]","class":"sp800-53a"}],"label":"configuration change conditions","guidelines":[{"prose":"configuration change conditions that prompt the configuration control element to convene are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-3"},{"name":"label","value":"CM-03","class":"sp800-53a"},{"name":"sort-id","value":"cm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"cm-3_smt","name":"statement","parts":[{"id":"cm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the types of changes to the system that are configuration-controlled;"},{"id":"cm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;"},{"id":"cm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document configuration change decisions associated with the system;"},{"id":"cm-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement approved configuration-controlled changes to the system;"},{"id":"cm-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};"},{"id":"cm-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Monitor and review activities associated with configuration-controlled changes to the system; and"},{"id":"cm-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}."}]},{"id":"cm-3_gdn","name":"guidance","prose":"Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10)."},{"id":"cm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03a.","class":"sp800-53a"}],"prose":"the types of changes to the system that are configuration-controlled are determined and documented;","links":[{"href":"#cm-3_smt.a","rel":"assessment-for"}]},{"id":"cm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[01]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03b.[02]","class":"sp800-53a"}],"prose":"proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;","links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.b","rel":"assessment-for"}]},{"id":"cm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03c.","class":"sp800-53a"}],"prose":"configuration change decisions associated with the system are documented;","links":[{"href":"#cm-3_smt.c","rel":"assessment-for"}]},{"id":"cm-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03d.","class":"sp800-53a"}],"prose":"approved configuration-controlled changes to the system are implemented;","links":[{"href":"#cm-3_smt.d","rel":"assessment-for"}]},{"id":"cm-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03e.","class":"sp800-53a"}],"prose":"records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};","links":[{"href":"#cm-3_smt.e","rel":"assessment-for"}]},{"id":"cm-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[01]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are monitored;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03f.[02]","class":"sp800-53a"}],"prose":"activities associated with configuration-controlled changes to the system are reviewed;","links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.f","rel":"assessment-for"}]},{"id":"cm-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.","class":"sp800-53a"}],"parts":[{"id":"cm-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[01]","class":"sp800-53a"}],"prose":"configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]},{"id":"cm-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03g.[02]","class":"sp800-53a"}],"prose":"the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.","links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cm-3_smt","rel":"assessment-for"}]},{"id":"cm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nchange control records\n\nsystem audit records\n\nchange control audit and review reports\n\nagenda\/minutes\/documentation from configuration change control oversight meetings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessments\n\nsystem of records notices\n\nother relevant documents or records"}]},{"id":"cm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms that implement configuration change control"}]}],"controls":[{"id":"cm-3.1","class":"SP800-53-enhancement","title":"Automated Documentation, Notification, and Prohibition of Changes","params":[{"id":"cm-03.01_odp.01","props":[{"name":"alt-identifier","value":"cm-3.1_prm_1"},{"name":"label","value":"CM-03(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate configuration change control are defined;"}]},{"id":"cm-03.01_odp.02","props":[{"name":"alt-identifier","value":"cm-3.1_prm_2"},{"name":"label","value":"CM-03(01)_ODP[02]","class":"sp800-53a"}],"label":"approval authorities","guidelines":[{"prose":"approval authorities to be notified of and request approval for proposed changes to the system are defined;"}]},{"id":"cm-03.01_odp.03","props":[{"name":"alt-identifier","value":"cm-3.1_prm_3"},{"name":"label","value":"CM-03(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which to highlight changes that have not been approved or disapproved is defined;"}]},{"id":"cm-03.01_odp.04","props":[{"name":"alt-identifier","value":"cm-3.1_prm_4"},{"name":"label","value":"CM-03(01)_ODP[04]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to be notified when approved changes are complete is\/are defined;"}]}],"props":[{"name":"label","value":"CM-3(1)"},{"name":"label","value":"CM-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.1_smt","name":"statement","prose":"Use {{ insert: param, cm-03.01_odp.01 }} to:","parts":[{"id":"cm-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Document proposed changes to the system;"},{"id":"cm-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"},{"id":"cm-3.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"},{"id":"cm-3.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Prohibit changes to the system until designated approvals are received;"},{"id":"cm-3.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Document all changes to the system; and"},{"id":"cm-3.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."}]},{"id":"cm-3.1_gdn","name":"guidance","prose":"None."},{"id":"cm-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)","class":"sp800-53a"}],"parts":[{"id":"cm-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;","links":[{"href":"#cm-3.1_smt.a","rel":"assessment-for"}]},{"id":"cm-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;","links":[{"href":"#cm-3.1_smt.b","rel":"assessment-for"}]},{"id":"cm-3.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(c)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};","links":[{"href":"#cm-3.1_smt.c","rel":"assessment-for"}]},{"id":"cm-3.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(d)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;","links":[{"href":"#cm-3.1_smt.d","rel":"assessment-for"}]},{"id":"cm-3.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(e)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;","links":[{"href":"#cm-3.1_smt.e","rel":"assessment-for"}]},{"id":"cm-3.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CM-03(01)(f)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.","links":[{"href":"#cm-3.1_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.1_smt","rel":"assessment-for"}]},{"id":"cm-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nchange approval requests\n\nchange approvals\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing configuration change control activities"}]}]},{"id":"cm-3.2","class":"SP800-53-enhancement","title":"Testing, Validation, and Documentation of Changes","props":[{"name":"label","value":"CM-3(2)"},{"name":"label","value":"CM-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.2_smt","name":"statement","prose":"Test, validate, and document changes to the system before finalizing the implementation of the changes."},{"id":"cm-3.2_gdn","name":"guidance","prose":"Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in [CM-6](#cm-6) . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls."},{"id":"cm-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)","class":"sp800-53a"}],"parts":[{"id":"cm-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[01]","class":"sp800-53a"}],"prose":"changes to the system are tested before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[02]","class":"sp800-53a"}],"prose":"changes to the system are validated before finalizing the implementation of the changes;","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-03(02)[03]","class":"sp800-53a"}],"prose":"changes to the system are documented before finalizing the implementation of the changes.","links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.2_smt","rel":"assessment-for"}]},{"id":"cm-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ntest records\n\nvalidation records\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms supporting and\/or implementing, testing, validating, and documenting system changes"}]}]},{"id":"cm-3.3","class":"SP800-53-enhancement","title":"Automated Change Implementation","params":[{"id":"cm-03.03_odp","props":[{"name":"alt-identifier","value":"cm-3.3_prm_1"},{"name":"label","value":"CM-03(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;"}]}],"props":[{"name":"label","value":"CM-3(3)"},{"name":"label","value":"CM-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.3_smt","name":"statement","prose":"Implement changes to the current system baseline and deploy the updated baseline across the installed base using {{ insert: param, cm-03.03_odp }}."},{"id":"cm-3.3_gdn","name":"guidance","prose":"Automated tools can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)","class":"sp800-53a"}],"parts":[{"id":"cm-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)[01]","class":"sp800-53a"}],"prose":"changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};","links":[{"href":"#cm-3.3_smt","rel":"assessment-for"}]},{"id":"cm-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(03)[02]","class":"sp800-53a"}],"prose":"the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}.","links":[{"href":"#cm-3.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.3_smt","rel":"assessment-for"}]},{"id":"cm-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nconfiguration management plan\n\nprocedures addressing system configuration change control\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nautomated configuration control mechanisms\n\nchange control records\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing changes to current system baseline"}]}]},{"id":"cm-3.4","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"cm-3.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-03.04_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"cm-03.04_odp.01","props":[{"name":"label","value":"CM-03(04)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.02","props":[{"name":"label","value":"CM-03(04)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives required to be members of the change control element are defined;"}]},{"id":"cm-03.04_odp.03","props":[{"name":"alt-identifier","value":"cm-3.4_prm_2"},{"name":"label","value":"CM-03(04)_ODP[03]","class":"sp800-53a"}],"label":"configuration change control element","guidelines":[{"prose":"the configuration change control element of which the security and privacy representatives are to be members is defined;"}]}],"props":[{"name":"label","value":"CM-3(4)"},{"name":"label","value":"CM-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.4_smt","name":"statement","prose":"Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}."},{"id":"cm-3.4_gdn","name":"guidance","prose":"Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g)."},{"id":"cm-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)","class":"sp800-53a"}],"parts":[{"id":"cm-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.","links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-3.4_smt","rel":"assessment-for"}]},{"id":"cm-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of change control board or similar"}]},{"id":"cm-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control"}]}]},{"id":"cm-3.5","class":"SP800-53-enhancement","title":"Automated Security Response","params":[{"id":"cm-03.05_odp","props":[{"name":"alt-identifier","value":"cm-3.5_prm_1"},{"name":"label","value":"CM-03(05)_ODP","class":"sp800-53a"}],"label":"security responses","guidelines":[{"prose":"security responses to be automatically implemented are defined;"}]}],"props":[{"name":"label","value":"CM-3(5)"},{"name":"label","value":"CM-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.5_smt","name":"statement","prose":"Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: {{ insert: param, cm-03.05_odp }}."},{"id":"cm-3.5_gdn","name":"guidance","prose":"Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item."},{"id":"cm-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner.","links":[{"href":"#cm-3.5_smt","rel":"assessment-for"}]},{"id":"cm-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nconfiguration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized baseline configuration changes\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nautomated mechanisms implementing security responses to unauthorized changes to the baseline configurations"}]}]},{"id":"cm-3.6","class":"SP800-53-enhancement","title":"Cryptography Management","params":[{"id":"cm-03.06_odp","props":[{"name":"alt-identifier","value":"cm-3.6_prm_1"},{"name":"label","value":"CM-03(06)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls provided by cryptographic mechanisms that are to be under configuration management are defined;"}]}],"props":[{"name":"label","value":"CM-3(6)"},{"name":"label","value":"CM-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"cm-3.6_smt","name":"statement","prose":"Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}."},{"id":"cm-3.6_gdn","name":"guidance","prose":"The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates."},{"id":"cm-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(06)","class":"sp800-53a"}],"prose":"cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.","links":[{"href":"#cm-3.6_smt","rel":"assessment-for"}]},{"id":"cm-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nmembers of change control board or similar"}]},{"id":"cm-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\ncryptographic mechanisms implementing organizational security safeguards (controls)"}]}]},{"id":"cm-3.7","class":"SP800-53-enhancement","title":"Review System Changes","params":[{"id":"cm-03.07_odp.01","props":[{"name":"alt-identifier","value":"cm-3.7_prm_1"},{"name":"label","value":"CM-03(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which changes are to be reviewed is defined;"}]},{"id":"cm-03.07_odp.02","props":[{"name":"alt-identifier","value":"cm-3.7_prm_2"},{"name":"label","value":"CM-03(07)_ODP[02]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances under which changes are to be reviewed are defined;"}]}],"props":[{"name":"label","value":"CM-3(7)"},{"name":"label","value":"CM-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"cm-3.7_smt","name":"statement","prose":"Review changes to the system {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred."},{"id":"cm-3.7_gdn","name":"guidance","prose":"Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process."},{"id":"cm-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(07)","class":"sp800-53a"}],"prose":"changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred.","links":[{"href":"#cm-3.7_smt","rel":"assessment-for"}]},{"id":"cm-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with configuration change control responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-3.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-03(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for configuration change control\n\nmechanisms implementing audit records for changes"}]}]},{"id":"cm-3.8","class":"SP800-53-enhancement","title":"Prevent or Restrict Configuration Changes","params":[{"id":"cm-03.08_odp","props":[{"name":"alt-identifier","value":"cm-3.8_prm_1"},{"name":"label","value":"CM-03(08)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"the circumstances under which changes are to be prevented or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-3(8)"},{"name":"label","value":"CM-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-3","rel":"required"}],"parts":[{"id":"cm-3.8_smt","name":"statement","prose":"Prevent or restrict changes to the configuration of the system under the following circumstances: {{ insert: param, cm-03.08_odp }}."},{"id":"cm-3.8_gdn","name":"guidance","prose":"System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms."},{"id":"cm-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-03(08)","class":"sp800-53a"}],"prose":"changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}.","links":[{"href":"#cm-3.8_smt","rel":"assessment-for"}]},{"id":"cm-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system configuration change control\n\nconfiguration management plan\n\nchange control records\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]}]}]},{"id":"cm-4","class":"SP800-53","title":"Impact Analyses","props":[{"name":"label","value":"CM-4"},{"name":"label","value":"CM-04","class":"sp800-53a"},{"name":"sort-id","value":"cm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"cm-4_smt","name":"statement","prose":"Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."},{"id":"cm-4_gdn","name":"guidance","prose":"Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required."},{"id":"cm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04","class":"sp800-53a"}],"parts":[{"id":"cm-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential security impacts prior to change implementation;","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed to determine potential privacy impacts prior to change implementation.","links":[{"href":"#cm-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4_smt","rel":"assessment-for"}]},{"id":"cm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation, system design documentation\n\nanalysis tools and associated outputs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security impact analyses\n\norganizational personnel with responsibility for conducting privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security impact analyses\n\norganizational processes for privacy impact analyses"}]}],"controls":[{"id":"cm-4.1","class":"SP800-53-enhancement","title":"Separate Test Environments","props":[{"name":"label","value":"CM-4(1)"},{"name":"label","value":"CM-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-4.1_smt","name":"statement","prose":"Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice."},{"id":"cm-4.1_gdn","name":"guidance","prose":"A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation."},{"id":"cm-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)","class":"sp800-53a"}],"parts":[{"id":"cm-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[01]","class":"sp800-53a"}],"prose":"changes to the system are analyzed in a separate test environment before implementation in an operational environment;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[02]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to flaws;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[03]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to flaws;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[04]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to weaknesses;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[05]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to weaknesses;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[06]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to incompatibility;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-7","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[07]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to incompatibility;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-8","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[08]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for security impacts due to intentional malice;","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_obj-9","name":"assessment-objective","props":[{"name":"label","value":"CM-04(01)[09]","class":"sp800-53a"}],"prose":"changes to the system are analyzed for privacy impacts due to intentional malice.","links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4.1_smt","rel":"assessment-for"}]},{"id":"cm-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nconfiguration management plan\n\nsecurity impact analysis documentation\n\nprivacy impact analysis documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nanalysis tools and associated outputs system design documentation\n\nsystem architecture and configuration documentation\n\nchange control records\n\nprocedures addressing the authority to test with PII\n\nsystem audit records\n\ndocumentation of separate test and operational environments\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nmembers of change control board or similar"}]},{"id":"cm-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]},{"id":"cm-4.2","class":"SP800-53-enhancement","title":"Verification of Controls","props":[{"name":"label","value":"CM-4(2)"},{"name":"label","value":"CM-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-4","rel":"required"},{"href":"#sa-11","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-4.2_smt","name":"statement","prose":"After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system."},{"id":"cm-4.2_gdn","name":"guidance","prose":"Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls."},{"id":"cm-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)","class":"sp800-53a"}],"parts":[{"id":"cm-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[01]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[02]","class":"sp800-53a"}],"prose":"the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[03]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[04]","class":"sp800-53a"}],"prose":"the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[05]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-04(02)[06]","class":"sp800-53a"}],"prose":"the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.","links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-4.2_smt","rel":"assessment-for"}]},{"id":"cm-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing security impact analyses for changes to the system\n\nprocedures addressing privacy impact analyses for changes to the system\n\nprivacy risk assessment documentation\n\nconfiguration management plan\n\nsecurity and privacy impact analysis documentation\n\nprivacy impact assessment\n\nanalysis tools and associated outputs\n\nchange control records\n\ncontrol assessment results\n\nsystem audit records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for conducting security and privacy impact analyses\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsecurity and privacy assessors"}]},{"id":"cm-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy impact analyses\n\nmechanisms supporting and\/or implementing security and privacy impact analyses of changes"}]}]}]},{"id":"cm-5","class":"SP800-53","title":"Access Restrictions for Change","props":[{"name":"label","value":"CM-5"},{"name":"label","value":"CM-05","class":"sp800-53a"},{"name":"sort-id","value":"cm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-10","rel":"related"}],"parts":[{"id":"cm-5_smt","name":"statement","prose":"Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."},{"id":"cm-5_gdn","name":"guidance","prose":"Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times)."},{"id":"cm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05","class":"sp800-53a"}],"parts":[{"id":"cm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05[01]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05[02]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-05[03]","class":"sp800-53a"}],"prose":"physical access restrictions associated with changes to the system are enforced;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-05[04]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are defined and documented;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-5","name":"assessment-objective","props":[{"name":"label","value":"CM-05[05]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are approved;","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_obj-6","name":"assessment-objective","props":[{"name":"label","value":"CM-05[06]","class":"sp800-53a"}],"prose":"logical access restrictions associated with changes to the system are enforced.","links":[{"href":"#cm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-5_smt","rel":"assessment-for"}]},{"id":"cm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nlogical access approvals\n\nphysical access approvals\n\naccess credentials\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system"}]}],"controls":[{"id":"cm-5.1","class":"SP800-53-enhancement","title":"Automated Access Enforcement and Audit Records","params":[{"id":"cm-05.01_odp","props":[{"name":"alt-identifier","value":"cm-5.1_prm_1"},{"name":"label","value":"CM-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"mechanisms used to automate the enforcement of access restrictions are defined;"}]}],"props":[{"name":"label","value":"CM-5(1)"},{"name":"label","value":"CM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-5.1_smt","name":"statement","parts":[{"id":"cm-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Enforce access restrictions using {{ insert: param, cm-05.01_odp }} ; and"},{"id":"cm-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Automatically generate audit records of the enforcement actions."}]},{"id":"cm-5.1_gdn","name":"guidance","prose":"Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes."},{"id":"cm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)","class":"sp800-53a"}],"parts":[{"id":"cm-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(a)","class":"sp800-53a"}],"prose":"access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};","links":[{"href":"#cm-5.1_smt.a","rel":"assessment-for"}]},{"id":"cm-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(01)(b)","class":"sp800-53a"}],"prose":"audit records of enforcement actions are automatically generated.","links":[{"href":"#cm-5.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.1_smt","rel":"assessment-for"}]},{"id":"cm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with logical access control responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nautomated mechanisms implementing the enforcement of access restrictions for changes to the system\n\nautomated mechanisms supporting auditing of enforcement actions"}]}]},{"id":"cm-5.2","class":"SP800-53-enhancement","title":"Review System Changes","props":[{"name":"label","value":"CM-5(2)"},{"name":"label","value":"CM-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-3.7","rel":"incorporated-into"}]},{"id":"cm-5.3","class":"SP800-53-enhancement","title":"Signed Components","props":[{"name":"label","value":"CM-5(3)"},{"name":"label","value":"CM-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-14","rel":"moved-to"}]},{"id":"cm-5.4","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"cm-5.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.04_odp.02"}],"label":"organization-defined system components and system-level information"},{"id":"cm-05.04_odp.01","props":[{"name":"label","value":"CM-05(04)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring dual authorization for changes are defined;"}]},{"id":"cm-05.04_odp.02","props":[{"name":"label","value":"CM-05(04)_ODP[02]","class":"sp800-53a"}],"label":"system-level information","guidelines":[{"prose":"system-level information requiring dual authorization for changes is defined;"}]}],"props":[{"name":"label","value":"CM-5(4)"},{"name":"label","value":"CM-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"cm-5.4_smt","name":"statement","prose":"Enforce dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}."},{"id":"cm-5.4_gdn","name":"guidance","prose":"Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures."},{"id":"cm-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)","class":"sp800-53a"}],"parts":[{"id":"cm-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)[01]","class":"sp800-53a"}],"prose":"dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;","links":[{"href":"#cm-5.4_smt","rel":"assessment-for"}]},{"id":"cm-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(04)[02]","class":"sp800-53a"}],"prose":"dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced.","links":[{"href":"#cm-5.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.4_smt","rel":"assessment-for"}]},{"id":"cm-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem audit records\n\nsystem component inventory\n\nsystem information types information\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with dual authorization enforcement responsibilities for implementing system changes\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms implementing dual authorization enforcement"}]}]},{"id":"cm-5.5","class":"SP800-53-enhancement","title":"Privilege Limitation for Production and Operation","params":[{"id":"cm-5.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-05.05_odp.02"}],"label":"organization-defined frequency"},{"id":"cm-05.05_odp.01","props":[{"name":"label","value":"CM-05(05)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review privileges is defined;"}]},{"id":"cm-05.05_odp.02","props":[{"name":"label","value":"CM-05(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to reevaluate privileges is defined;"}]}],"props":[{"name":"label","value":"CM-5(5)"},{"name":"label","value":"CM-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"}],"parts":[{"id":"cm-5.5_smt","name":"statement","parts":[{"id":"cm-5.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Limit privileges to change system components and system-related information within a production or operational environment; and"},{"id":"cm-5.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}."}]},{"id":"cm-5.5_gdn","name":"guidance","prose":"In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission\/business processes are, in some cases, unknown to developers. System-related information includes operational procedures."},{"id":"cm-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)[01]","class":"sp800-53a"}],"prose":"privileges to change system components within a production or operational environment are limited;","links":[{"href":"#cm-5.5_smt.a","rel":"assessment-for"}]},{"id":"cm-5.5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(a)[02]","class":"sp800-53a"}],"prose":"privileges to change system-related information within a production or operational environment are limited;","links":[{"href":"#cm-5.5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.5_smt.a","rel":"assessment-for"}]},{"id":"cm-5.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-5.5_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)[01]","class":"sp800-53a"}],"prose":"privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};","links":[{"href":"#cm-5.5_smt.b","rel":"assessment-for"}]},{"id":"cm-5.5_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-05(05)(b)[02]","class":"sp800-53a"}],"prose":"privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.","links":[{"href":"#cm-5.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-5.5_smt","rel":"assessment-for"}]},{"id":"cm-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nuser privilege reviews\n\nuser privilege recertifications\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting and\/or implementing access restrictions for change"}]}]},{"id":"cm-5.6","class":"SP800-53-enhancement","title":"Limit Library Privileges","props":[{"name":"label","value":"CM-5(6)"},{"name":"label","value":"CM-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-5","rel":"required"},{"href":"#ac-2","rel":"related"}],"parts":[{"id":"cm-5.6_smt","name":"statement","prose":"Limit privileges to change software resident within software libraries."},{"id":"cm-5.6_gdn","name":"guidance","prose":"Software libraries include privileged programs."},{"id":"cm-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-05(06)","class":"sp800-53a"}],"prose":"privileges to change software resident within software libraries are limited.","links":[{"href":"#cm-5.6_smt","rel":"assessment-for"}]},{"id":"cm-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing access restrictions for changes to the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing access restrictions to change\n\nmechanisms supporting and\/or implementing access restrictions for change"}]}]},{"id":"cm-5.7","class":"SP800-53-enhancement","title":"Automatic Implementation of Security Safeguards","props":[{"name":"label","value":"CM-5(7)"},{"name":"label","value":"CM-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-05.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]}]},{"id":"cm-6","class":"SP800-53","title":"Configuration Settings","params":[{"id":"cm-06_odp.01","props":[{"name":"alt-identifier","value":"cm-6_prm_1"},{"name":"label","value":"CM-06_ODP[01]","class":"sp800-53a"}],"label":"common secure configurations","guidelines":[{"prose":"common secure configurations to establish and document configuration settings for components employed within the system are defined;"}]},{"id":"cm-06_odp.02","props":[{"name":"alt-identifier","value":"cm-6_prm_2"},{"name":"label","value":"CM-06_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which approval of deviations is needed are defined;"}]},{"id":"cm-06_odp.03","props":[{"name":"alt-identifier","value":"cm-6_prm_3"},{"name":"label","value":"CM-06_ODP[03]","class":"sp800-53a"}],"label":"operational requirements","guidelines":[{"prose":"operational requirements necessitating approval of deviations are defined;"}]}],"props":[{"name":"label","value":"CM-6"},{"name":"label","value":"CM-06","class":"sp800-53a"},{"name":"sort-id","value":"cm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#98498928-3ca3-44b3-8b1e-f48685373087","rel":"reference"},{"href":"#d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","rel":"reference"},{"href":"#aa66e14f-e7cb-4a37-99d2-07578dfd4608","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"cm-6_smt","name":"statement","parts":[{"id":"cm-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, cm-06_odp.01 }};"},{"id":"cm-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the configuration settings;"},{"id":"cm-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: param, cm-06_odp.03 }} ; and"},{"id":"cm-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor and control changes to the configuration settings in accordance with organizational policies and procedures."}]},{"id":"cm-6_gdn","name":"guidance","prose":"Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input\/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.\n\nCommon secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.\n\nImplementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of [CM-6](#cm-6) and other controls such as [AC-19](#ac-19) and [CM-7](#cm-7) . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings."},{"id":"cm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-06a.","class":"sp800-53a"}],"prose":"configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};","links":[{"href":"#cm-6_smt.a","rel":"assessment-for"}]},{"id":"cm-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-06b.","class":"sp800-53a"}],"prose":"the configuration settings documented in CM-06a are implemented;","links":[{"href":"#cm-6_smt.b","rel":"assessment-for"}]},{"id":"cm-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[01]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06c.[02]","class":"sp800-53a"}],"prose":"any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;","links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.c","rel":"assessment-for"}]},{"id":"cm-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.","class":"sp800-53a"}],"parts":[{"id":"cm-6_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[01]","class":"sp800-53a"}],"prose":"changes to the configuration settings are monitored in accordance with organizational policies and procedures;","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]},{"id":"cm-6_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06d.[02]","class":"sp800-53a"}],"prose":"changes to the configuration settings are controlled in accordance with organizational policies and procedures.","links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cm-6_smt","rel":"assessment-for"}]},{"id":"cm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\nsystem component inventory\n\nevidence supporting approved deviations from established configuration settings\n\nchange control records\n\nsystem data processing and retention permissions\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with privacy configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nmechanisms that implement, monitor, and\/or control system configuration settings\n\nmechanisms that identify and\/or document deviations from established configuration settings"}]}],"controls":[{"id":"cm-6.1","class":"SP800-53-enhancement","title":"Automated Management, Application, and Verification","params":[{"id":"cm-6.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-06.01_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-06.01_odp.01","props":[{"name":"alt-identifier","value":"cm-6.1_prm_1"},{"name":"label","value":"CM-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to manage, apply, and verify configuration settings are defined;"}]},{"id":"cm-06.01_odp.02","props":[{"name":"label","value":"CM-06(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to manage configuration settings are defined;"}]},{"id":"cm-06.01_odp.03","props":[{"name":"label","value":"CM-06(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to apply configuration settings are defined;"}]},{"id":"cm-06.01_odp.04","props":[{"name":"label","value":"CM-06(01)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to verify configuration settings are defined;"}]}],"props":[{"name":"label","value":"CM-6(1)"},{"name":"label","value":"CM-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"cm-6.1_smt","name":"statement","prose":"Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}."},{"id":"cm-6.1_gdn","name":"guidance","prose":"Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization."},{"id":"cm-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)","class":"sp800-53a"}],"parts":[{"id":"cm-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[01]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[02]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-06(01)[03]","class":"sp800-53a"}],"prose":"configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.","links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-6.1_smt","rel":"assessment-for"}]},{"id":"cm-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing configuration settings\n\nautomated mechanisms implemented to manage, apply, and verify system configuration settings"}]}]},{"id":"cm-6.2","class":"SP800-53-enhancement","title":"Respond to Unauthorized Changes","params":[{"id":"cm-06.02_odp.01","props":[{"name":"alt-identifier","value":"cm-6.2_prm_2"},{"name":"label","value":"CM-06(02)_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken upon an unauthorized change are defined;"}]},{"id":"cm-06.02_odp.02","props":[{"name":"alt-identifier","value":"cm-6.2_prm_1"},{"name":"label","value":"CM-06(02)_ODP[02]","class":"sp800-53a"}],"label":"configuration settings","guidelines":[{"prose":"configuration settings requiring action upon an unauthorized change are defined;"}]}],"props":[{"name":"label","value":"CM-6(2)"},{"name":"label","value":"CM-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-6","rel":"required"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-6.2_smt","name":"statement","prose":"Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}."},{"id":"cm-6.2_gdn","name":"guidance","prose":"Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing."},{"id":"cm-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-06(02)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.","links":[{"href":"#cm-6.2_smt","rel":"assessment-for"}]},{"id":"cm-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nprivacy plan\n\nconfiguration management policy\n\nprocedures addressing configuration settings for the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized changes to system configuration settings\n\nsystem component inventory\n\ndocumented responses to unauthorized changes to system configuration settings\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for responding to unauthorized changes to system configuration settings\n\nmechanisms supporting and\/or implementing actions in response to unauthorized changes"}]}]},{"id":"cm-6.3","class":"SP800-53-enhancement","title":"Unauthorized Change Detection","props":[{"name":"label","value":"CM-6(3)"},{"name":"label","value":"CM-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7","rel":"incorporated-into"}]},{"id":"cm-6.4","class":"SP800-53-enhancement","title":"Conformance Demonstration","props":[{"name":"label","value":"CM-6(4)"},{"name":"label","value":"CM-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-06.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-4","rel":"incorporated-into"}]}]},{"id":"cm-7","class":"SP800-53","title":"Least Functionality","params":[{"id":"cm-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07_odp.06"}],"label":"organization-defined prohibited or restricted functions, system ports, protocols, software, and\/or services"},{"id":"cm-07_odp.01","props":[{"name":"alt-identifier","value":"cm-7_prm_1"},{"name":"alt-label","value":"mission essential capabilities","class":"sp800-53"},{"name":"label","value":"CM-07_ODP[01]","class":"sp800-53a"}],"label":"mission-essential capabilities","guidelines":[{"prose":"mission-essential capabilities for the system are defined;"}]},{"id":"cm-07_odp.02","props":[{"name":"label","value":"CM-07_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.03","props":[{"name":"label","value":"CM-07_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.04","props":[{"name":"label","value":"CM-07_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be prohibited or restricted are defined;"}]},{"id":"cm-07_odp.05","props":[{"name":"label","value":"CM-07_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be prohibited or restricted is defined;"}]},{"id":"cm-07_odp.06","props":[{"name":"label","value":"CM-07_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be prohibited or restricted are defined;"}]}],"props":[{"name":"label","value":"CM-7"},{"name":"label","value":"CM-07","class":"sp800-53a"},{"name":"sort-id","value":"cm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#38f39739-1ebd-43b1-8b8c-00f591d89ebd","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"cm-7_smt","name":"statement","parts":[{"id":"cm-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Configure the system to provide only {{ insert: param, cm-07_odp.01 }} ; and"},{"id":"cm-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit or restrict the use of the following functions, ports, protocols, software, and\/or services: {{ insert: param, cm-7_prm_2 }}."}]},{"id":"cm-7_gdn","name":"guidance","prose":"Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see [SA-8](#sa-8), [SC-2](#sc-2) , and [SC-3](#sc-3))."},{"id":"cm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07a.","class":"sp800-53a"}],"prose":"the system is configured to provide only {{ insert: param, cm-07_odp.01 }};","links":[{"href":"#cm-7_smt.a","rel":"assessment-for"}]},{"id":"cm-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.","class":"sp800-53a"}],"parts":[{"id":"cm-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[04]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]},{"id":"cm-7_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07b.[05]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.","links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7_smt","rel":"assessment-for"}]},{"id":"cm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security configuration management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes prohibiting or restricting functions, ports, protocols, software, and\/or services\n\nmechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and\/or services"}]}],"controls":[{"id":"cm-7.1","class":"SP800-53-enhancement","title":"Periodic Review","params":[{"id":"cm-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-07.01_odp.06"}],"label":"organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and\/or nonsecure"},{"id":"cm-07.01_odp.01","props":[{"name":"alt-identifier","value":"cm-7.1_prm_1"},{"name":"label","value":"CM-07(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review the system to identify unnecessary and\/or non-secure functions, ports, protocols, software, and\/or services is defined;"}]},{"id":"cm-07.01_odp.02","props":[{"name":"label","value":"CM-07(01)_ODP[02]","class":"sp800-53a"}],"label":"functions","guidelines":[{"prose":"functions to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.03","props":[{"name":"label","value":"CM-07(01)_ODP[03]","class":"sp800-53a"}],"label":"ports","guidelines":[{"prose":"ports to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.04","props":[{"name":"label","value":"CM-07(01)_ODP[04]","class":"sp800-53a"}],"label":"protocols","guidelines":[{"prose":"protocols to be disabled or removed when deemed unnecessary or non-secure are defined;"}]},{"id":"cm-07.01_odp.05","props":[{"name":"label","value":"CM-07(01)_ODP[05]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software to be disabled or removed when deemed unnecessary or non-secure is defined;"}]},{"id":"cm-07.01_odp.06","props":[{"name":"label","value":"CM-07(01)_ODP[06]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services to be disabled or removed when deemed unnecessary or non-secure are defined;"}]}],"props":[{"name":"label","value":"CM-7(1)"},{"name":"label","value":"CM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"cm-7.1_smt","name":"statement","parts":[{"id":"cm-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or nonsecure functions, ports, protocols, software, and services; and"},{"id":"cm-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Disable or remove {{ insert: param, cm-7.1_prm_2 }}."}]},{"id":"cm-7.1_gdn","name":"guidance","prose":"Organizations review functions, ports, protocols, and services provided by systems or system components to determine the functions and services that are candidates for elimination. Such reviews are especially important during transition periods from older technologies to newer technologies (e.g., transition from IPv4 to IPv6). These technology transitions may require implementing the older and newer technologies simultaneously during the transition period and returning to minimum essential functions, ports, protocols, and services at the earliest opportunity. Organizations can either decide the relative security of the function, port, protocol, and\/or service or base the security decision on the assessment of other entities. Unsecure protocols include Bluetooth, FTP, and peer-to-peer networking."},{"id":"cm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(a)","class":"sp800-53a"}],"prose":"the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and\/or non-secure functions, ports, protocols, software, and services:","links":[{"href":"#cm-7.1_smt.a","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and\/or non-secure are disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and\/or non-secure is disabled or removed;","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]},{"id":"cm-7.1_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"CM-07(01)(b)[05]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and\/or non-secure are disabled or removed.","links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.1_smt","rel":"assessment-for"}]},{"id":"cm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncommon secure configuration checklists\n\ndocumented reviews of functions, ports, protocols, and\/or services\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing or disabling functions, ports, protocols, and services on the system\n\nmechanisms implementing review and disabling of functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.2","class":"SP800-53-enhancement","title":"Prevent Program Execution","params":[{"id":"cm-07.02_odp.01","props":[{"name":"alt-identifier","value":"cm-7.2_prm_1"},{"name":"label","value":"CM-07(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, cm-07.02_odp.02 }} ","rules authorizing the terms and conditions of software program usage"]}},{"id":"cm-07.02_odp.02","props":[{"name":"alt-identifier","value":"cm-7.2_prm_2"},{"name":"label","value":"CM-07(02)_ODP[02]","class":"sp800-53a"}],"label":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions","guidelines":[{"prose":"policies, rules of behavior, and\/or access agreements regarding software program usage and restrictions are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-7(2)"},{"name":"label","value":"CM-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"cm-7.2_smt","name":"statement","prose":"Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}."},{"id":"cm-7.2_gdn","name":"guidance","prose":"Prevention of program execution addresses organizational policies, rules of behavior, and\/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time."},{"id":"cm-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(02)","class":"sp800-53a"}],"prose":"program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.","links":[{"href":"#cm-7.2_smt","rel":"assessment-for"}]},{"id":"cm-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nspecifications for preventing software program execution\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes preventing program execution on the system\n\norganizational processes for software program usage and restrictions\n\nmechanisms preventing program execution on the system\n\nmechanisms supporting and\/or implementing software program usage and restrictions"}]}]},{"id":"cm-7.3","class":"SP800-53-enhancement","title":"Registration Compliance","params":[{"id":"cm-07.03_odp","props":[{"name":"alt-identifier","value":"cm-7.3_prm_1"},{"name":"alt-label","value":"registration requirements for functions, ports, protocols, and services","class":"sp800-53"},{"name":"label","value":"CM-07(03)_ODP","class":"sp800-53a"}],"label":"registration requirements","guidelines":[{"prose":"registration requirements for functions, ports, protocols, and services are defined;"}]}],"props":[{"name":"label","value":"CM-7(3)"},{"name":"label","value":"CM-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-7","rel":"required"}],"parts":[{"id":"cm-7.3_smt","name":"statement","prose":"Ensure compliance with {{ insert: param, cm-07.03_odp }}."},{"id":"cm-7.3_gdn","name":"guidance","prose":"Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services."},{"id":"cm-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(03)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.03_odp }} are complied with.","links":[{"href":"#cm-7.3_smt","rel":"assessment-for"}]},{"id":"cm-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nconfiguration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem configuration settings and associated documentation\n\nsystem component inventory\n\naudit and compliance reviews\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"cm-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes ensuring compliance with registration requirements for functions, ports, protocols, and\/or services\n\nmechanisms implementing compliance with registration requirements for functions, ports, protocols, and\/or services"}]}]},{"id":"cm-7.4","class":"SP800-53-enhancement","title":"Unauthorized Software — Deny-by-exception","params":[{"id":"cm-07.04_odp.01","props":[{"name":"alt-identifier","value":"cm-7.4_prm_1"},{"name":"alt-label","value":"software programs not authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(04)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs not authorized to execute on the system are defined;"}]},{"id":"cm-07.04_odp.02","props":[{"name":"alt-identifier","value":"cm-7.4_prm_2"},{"name":"label","value":"CM-07(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of unauthorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(4)"},{"name":"label","value":"CM-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"}],"parts":[{"id":"cm-7.4_smt","name":"statement","parts":[{"id":"cm-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.04_odp.01 }};"},{"id":"cm-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and"},{"id":"cm-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}."}]},{"id":"cm-7.4_gdn","name":"guidance","prose":"Unauthorized software programs can be limited to specific versions or from a specific source. The concept of prohibiting the execution of unauthorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses."},{"id":"cm-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)","class":"sp800-53a"}],"parts":[{"id":"cm-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.04_odp.01 }} are identified;","links":[{"href":"#cm-7.4_smt.a","rel":"assessment-for"}]},{"id":"cm-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(b)","class":"sp800-53a"}],"prose":"an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;","links":[{"href":"#cm-7.4_smt.b","rel":"assessment-for"}]},{"id":"cm-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(04)(c)","class":"sp800-53a"}],"prose":"the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}.","links":[{"href":"#cm-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.4_smt","rel":"assessment-for"}]},{"id":"cm-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs not authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of unauthorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software not authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs not authorized to execute on the system\n\norganizational process for implementing unauthorized software policy\n\nmechanisms supporting and\/or implementing unauthorized software policy"}]}]},{"id":"cm-7.5","class":"SP800-53-enhancement","title":"Authorized Software — Allow-by-exception","params":[{"id":"cm-07.05_odp.01","props":[{"name":"alt-identifier","value":"cm-7.5_prm_1"},{"name":"alt-label","value":"software programs authorized to execute on the system","class":"sp800-53"},{"name":"label","value":"CM-07(05)_ODP[01]","class":"sp800-53a"}],"label":"software programs","guidelines":[{"prose":"software programs authorized to execute on the system are defined;"}]},{"id":"cm-07.05_odp.02","props":[{"name":"alt-identifier","value":"cm-7.5_prm_2"},{"name":"label","value":"CM-07(05)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized software programs is defined;"}]}],"props":[{"name":"label","value":"CM-7(5)"},{"name":"label","value":"CM-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-7.5_smt","name":"statement","parts":[{"id":"cm-7.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.05_odp.01 }};"},{"id":"cm-7.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and"},{"id":"cm-7.5_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}."}]},{"id":"cm-7.5_gdn","name":"guidance","prose":"Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses\/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in [CA-3(5)](#ca-3.5) and [SC-7](#sc-7)."},{"id":"cm-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)","class":"sp800-53a"}],"parts":[{"id":"cm-7.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.05_odp.01 }} are identified;","links":[{"href":"#cm-7.5_smt.a","rel":"assessment-for"}]},{"id":"cm-7.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(b)","class":"sp800-53a"}],"prose":"a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;","links":[{"href":"#cm-7.5_smt.b","rel":"assessment-for"}]},{"id":"cm-7.5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(05)(c)","class":"sp800-53a"}],"prose":"the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.","links":[{"href":"#cm-7.5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.5_smt","rel":"assessment-for"}]},{"id":"cm-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software programs authorized to execute on the system\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nreview and update records associated with list of authorized software programs\n\nchange control records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying software authorized to execute on the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying, reviewing, and updating programs authorized to execute on the system\n\norganizational process for implementing authorized software policy\n\nmechanisms supporting and\/or implementing authorized software policy"}]}]},{"id":"cm-7.6","class":"SP800-53-enhancement","title":"Confined Environments with Limited Privileges","params":[{"id":"cm-07.06_odp","props":[{"name":"alt-identifier","value":"cm-7.6_prm_1"},{"name":"label","value":"CM-07(06)_ODP","class":"sp800-53a"}],"label":"user-installed software","guidelines":[{"prose":"user-installed software required to be executed in a confined environment is defined;"}]}],"props":[{"name":"label","value":"CM-7(6)"},{"name":"label","value":"CM-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-11","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"cm-7.6_smt","name":"statement","prose":"Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: {{ insert: param, cm-07.06_odp }}."},{"id":"cm-7.6_gdn","name":"guidance","prose":"Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed."},{"id":"cm-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(06)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges.","links":[{"href":"#cm-7.6_smt","rel":"assessment-for"}]},{"id":"cm-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of software required to execute in a confined environment\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for identifying and\/or managing user-installed software and associated privileges\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for identifying user-installed software required to execute in a confined environment\n\nmechanisms supporting and\/or implementing the confinement of user-installed software to physical or virtual machine environments\n\nmechanisms supporting and\/or implementing privilege limitations on user-installed software"}]}]},{"id":"cm-7.7","class":"SP800-53-enhancement","title":"Code Execution in Protected Environments","params":[{"id":"cm-07.07_odp","props":[{"name":"alt-identifier","value":"cm-7.7_prm_1"},{"name":"label","value":"CM-07(07)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to explicitly approve execution of binary or machine-executable code is\/are defined;"}]}],"props":[{"name":"label","value":"CM-7(7)"},{"name":"label","value":"CM-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#cm-10","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"cm-7.7_smt","name":"statement","prose":"Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of {{ insert: param, cm-07.07_odp }} when such code is:","parts":[{"id":"cm-7.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Obtained from sources with limited or no warranty; and\/or"},{"id":"cm-7.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Without the provision of source code."}]},{"id":"cm-7.7_gdn","name":"guidance","prose":"Code execution in protected environments applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software."},{"id":"cm-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code is only allowed in confined physical or virtual machine environments;","parts":[{"id":"cm-7.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)(a)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};","links":[{"href":"#cm-7.7_smt.a","rel":"assessment-for"}]},{"id":"cm-7.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(07)(b)","class":"sp800-53a"}],"prose":"the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}.","links":[{"href":"#cm-7.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.7_smt","rel":"assessment-for"}]},{"id":"cm-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for approving execution of binary or machine-executable code\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\norganizational process for confining binary or machine-executable code to physical or virtual machine environments\n\nmechanisms supporting and\/or implementing the confinement of binary or machine-executable code to physical or virtual machine environments"}]}]},{"id":"cm-7.8","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"CM-7(8)"},{"name":"label","value":"CM-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sa-22","rel":"related"}],"parts":[{"id":"cm-7.8_smt","name":"statement","parts":[{"id":"cm-7.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and"},{"id":"cm-7.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official."}]},{"id":"cm-7.8_gdn","name":"guidance","prose":"Binary or machine executable code applies to all sources of binary or machine-executable code, including commercial software and firmware and open-source software. Organizations assess software products without accompanying source code or from sources with limited or no warranty for potential security impacts. The assessments address the fact that software products without the provision of source code may be difficult to review, repair, or extend. In addition, there may be no owners to make such repairs on behalf of organizations. If open-source software is used, the assessments address the fact that there is no warranty, the open-source software could contain back doors or malware, and there may be no support available."},{"id":"cm-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)","class":"sp800-53a"}],"parts":[{"id":"cm-7.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(a)","class":"sp800-53a"}],"prose":"the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;","links":[{"href":"#cm-7.8_smt.a","rel":"assessment-for"}]},{"id":"cm-7.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-7.8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)[01]","class":"sp800-53a"}],"prose":"exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;","links":[{"href":"#cm-7.8_smt.b","rel":"assessment-for"}]},{"id":"cm-7.8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-07(08)(b)[02]","class":"sp800-53a"}],"prose":"exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.","links":[{"href":"#cm-7.8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.8_smt","rel":"assessment-for"}]},{"id":"cm-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing least functionality in the system\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist or record of binary or machine-executable code\n\nsystem component inventory\n\ncommon secure configuration checklists\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for determining mission and operational requirements\n\nauthorizing official for the system\n\norganizational personnel with information security responsibilities\n\norganizational personnel with software management responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and\/or implementing the prohibition of binary or machine-executable code"}]}]},{"id":"cm-7.9","class":"SP800-53-enhancement","title":"Prohibiting The Use of Unauthorized Hardware","params":[{"id":"cm-07.09_odp.01","props":[{"name":"alt-identifier","value":"cm-7.9_prm_1"},{"name":"alt-label","value":"hardware components authorized for system use","class":"sp800-53"},{"name":"label","value":"CM-07(09)_ODP[01]","class":"sp800-53a"}],"label":"hardware components","guidelines":[{"prose":"hardware components authorized for system use are defined;"}]},{"id":"cm-07.09_odp.02","props":[{"name":"alt-identifier","value":"cm-7.9_prm_2"},{"name":"label","value":"CM-07(09)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the list of authorized hardware components is defined;"}]}],"props":[{"name":"label","value":"CM-7(9)"},{"name":"label","value":"CM-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"cm-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-7","rel":"required"}],"parts":[{"id":"cm-7.9_smt","name":"statement","parts":[{"id":"cm-7.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify {{ insert: param, cm-07.09_odp.01 }};"},{"id":"cm-7.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Prohibit the use or connection of unauthorized hardware components;"},{"id":"cm-7.9_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Review and update the list of authorized hardware components {{ insert: param, cm-07.09_odp.02 }}."}]},{"id":"cm-7.9_gdn","name":"guidance","prose":"Hardware components provide the foundation for organizational systems and the platform for the execution of authorized software programs. Managing the inventory of hardware components and controlling which hardware components are permitted to be installed or connected to organizational systems is essential in order to provide adequate security."},{"id":"cm-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)","class":"sp800-53a"}],"parts":[{"id":"cm-7.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-07.09_odp.01 }} are identified;","links":[{"href":"#cm-7.9_smt.a","rel":"assessment-for"}]},{"id":"cm-7.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(b)","class":"sp800-53a"}],"prose":"the use or connection of unauthorized hardware components is prohibited;","links":[{"href":"#cm-7.9_smt.b","rel":"assessment-for"}]},{"id":"cm-7.9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-07(09)(c)","class":"sp800-53a"}],"prose":"the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}.","links":[{"href":"#cm-7.9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-7.9_smt","rel":"assessment-for"}]},{"id":"cm-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nnetwork connection policy and procedures\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system hardware management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for approving execution of binary or machine-executable code\n\nmechanisms supporting and\/or implementing the prohibition of binary or machine-executable code"}]}]}]},{"id":"cm-8","class":"SP800-53","title":"System Component Inventory","params":[{"id":"cm-08_odp.01","props":[{"name":"alt-identifier","value":"cm-8_prm_1"},{"name":"alt-label","value":"information deemed necessary to achieve effective system component accountability","class":"sp800-53"},{"name":"label","value":"CM-08_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information deemed necessary to achieve effective system component accountability is defined;"}]},{"id":"cm-08_odp.02","props":[{"name":"alt-identifier","value":"cm-8_prm_2"},{"name":"label","value":"CM-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update the system component inventory is defined;"}]}],"props":[{"name":"label","value":"CM-8"},{"name":"label","value":"CM-08","class":"sp800-53a"},{"name":"sort-id","value":"cm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#70402863-5078-43af-9a6c-e11b0f3ec370","rel":"reference"},{"href":"#996241f8-f692-42d5-91f1-ce8b752e39e6","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"cm-8_smt","name":"statement","parts":[{"id":"cm-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document an inventory of system components that:","parts":[{"id":"cm-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Accurately reflects the system;"},{"id":"cm-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes all components within the system;"},{"id":"cm-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Does not include duplicate accounting of components or components assigned to any other system;"},{"id":"cm-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is at the level of granularity deemed necessary for tracking and reporting; and"},{"id":"cm-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and"}]},{"id":"cm-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}."}]},{"id":"cm-8_gdn","name":"guidance","prose":"System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.\n\nPreventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of [CM-8(7)](#cm-8.7) can help to eliminate duplicate accounting of components."},{"id":"cm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.","class":"sp800-53a"}],"parts":[{"id":"cm-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.01","class":"sp800-53a"}],"prose":"an inventory of system components that accurately reflects the system is developed and documented;","links":[{"href":"#cm-8_smt.a.1","rel":"assessment-for"}]},{"id":"cm-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.02","class":"sp800-53a"}],"prose":"an inventory of system components that includes all components within the system is developed and documented;","links":[{"href":"#cm-8_smt.a.2","rel":"assessment-for"}]},{"id":"cm-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.03","class":"sp800-53a"}],"prose":"an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;","links":[{"href":"#cm-8_smt.a.3","rel":"assessment-for"}]},{"id":"cm-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.04","class":"sp800-53a"}],"prose":"an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;","links":[{"href":"#cm-8_smt.a.4","rel":"assessment-for"}]},{"id":"cm-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CM-08a.05","class":"sp800-53a"}],"prose":"an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;","links":[{"href":"#cm-8_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt.a","rel":"assessment-for"}]},{"id":"cm-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08b.","class":"sp800-53a"}],"prose":"the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.","links":[{"href":"#cm-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8_smt","rel":"assessment-for"}]},{"id":"cm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\ninventory reviews and update records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}],"controls":[{"id":"cm-8.1","class":"SP800-53-enhancement","title":"Updates During Installation and Removal","props":[{"name":"label","value":"CM-8(1)"},{"name":"label","value":"CM-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"cm-8.1_smt","name":"statement","prose":"Update the inventory of system components as part of component installations, removals, and system updates."},{"id":"cm-8.1_gdn","name":"guidance","prose":"Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components."},{"id":"cm-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)","class":"sp800-53a"}],"parts":[{"id":"cm-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[01]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component installations;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[02]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of component removals;","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(01)[03]","class":"sp800-53a"}],"prose":"the inventory of system components is updated as part of system updates.","links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.1_smt","rel":"assessment-for"}]},{"id":"cm-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\ninventory reviews and update records\n\nchange control records\n\ncomponent installation records\n\ncomponent removal records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory updating responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for updating the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory updates"}]}]},{"id":"cm-8.2","class":"SP800-53-enhancement","title":"Automated Maintenance","params":[{"id":"cm-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.02_odp.04"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.02_odp.01","props":[{"name":"label","value":"CM-08(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the currency of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.02","props":[{"name":"label","value":"CM-08(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the completeness of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.03","props":[{"name":"label","value":"CM-08(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the accuracy of the system component inventory are defined;"}]},{"id":"cm-08.02_odp.04","props":[{"name":"label","value":"CM-08(02)_ODP[04]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain the availability of the system component inventory are defined;"}]}],"props":[{"name":"label","value":"CM-8(2)"},{"name":"label","value":"CM-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.2_smt","name":"statement","prose":"Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}."},{"id":"cm-8.2_gdn","name":"guidance","prose":"Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of [CM-2(2)](#cm-2.2) for organizations that combine system component inventory and baseline configuration activities."},{"id":"cm-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)","class":"sp800-53a"}],"parts":[{"id":"cm-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"CM-08(02)[04]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.","links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.2_smt","rel":"assessment-for"}]},{"id":"cm-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining the system component inventory\n\nautomated mechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.3","class":"SP800-53-enhancement","title":"Automated Unauthorized Component Detection","params":[{"id":"cm-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-08.03_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"cm-08.03_odp.01","props":[{"name":"label","value":"CM-08(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;"}]},{"id":"cm-08.03_odp.02","props":[{"name":"label","value":"CM-08(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized software within the system are defined;"}]},{"id":"cm-08.03_odp.03","props":[{"name":"label","value":"CM-08(03)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;"}]},{"id":"cm-08.03_odp.04","props":[{"name":"alt-identifier","value":"cm-8.3_prm_2"},{"name":"label","value":"CM-08(03)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;"}]},{"id":"cm-08.03_odp.05","props":[{"name":"alt-identifier","value":"cm-8.3_prm_3"},{"name":"label","value":"CM-08(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["disable network access by unauthorized components","isolate unauthorized components","notify {{ insert: param, cm-08.03_odp.06 }} "]}},{"id":"cm-08.03_odp.06","props":[{"name":"alt-identifier","value":"cm-8.3_prm_4"},{"name":"label","value":"CM-08(03)_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when unauthorized components are detected is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"CM-8(3)"},{"name":"label","value":"CM-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-8.3_smt","name":"statement","parts":[{"id":"cm-8.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }} ; and"},{"id":"cm-8.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}."}]},{"id":"cm-8.3_gdn","name":"guidance","prose":"Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see [CM-7(9)](#cm-7.9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as \"sandboxing.\" "},{"id":"cm-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[01]","class":"sp800-53a"}],"prose":"the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[02]","class":"sp800-53a"}],"prose":"the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(a)[03]","class":"sp800-53a"}],"prose":"the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};","links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.a","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)","class":"sp800-53a"}],"parts":[{"id":"cm-8.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]},{"id":"cm-8.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"CM-08(03)(b)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.","links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.3_smt","rel":"assessment-for"}]},{"id":"cm-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nchange control records\n\nalerts\/notifications of unauthorized components within the system\n\nsystem monitoring records\n\nsystem maintenance records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with responsibilities for managing the automated mechanisms implementing unauthorized system component detection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detection of unauthorized system components\n\norganizational processes for taking action when unauthorized system components are detected\n\nautomated mechanisms supporting and\/or implementing the detection of unauthorized system components\n\nautomated mechanisms supporting and\/or implementing actions taken when unauthorized system components are detected"}]}]},{"id":"cm-8.4","class":"SP800-53-enhancement","title":"Accountability Information","params":[{"id":"cm-08.04_odp","props":[{"name":"alt-identifier","value":"cm-8.4_prm_1"},{"name":"label","value":"CM-08(04)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["name","position","role"]}}],"props":[{"name":"label","value":"CM-8(4)"},{"name":"label","value":"CM-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"cm-8.4_smt","name":"statement","prose":"Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }} , individuals responsible and accountable for administering those components."},{"id":"cm-8.4_gdn","name":"guidance","prose":"Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated)."},{"id":"cm-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(04)","class":"sp800-53a"}],"prose":"individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.","links":[{"href":"#cm-8.4_smt","rel":"assessment-for"}]},{"id":"cm-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing the system component inventory"}]}]},{"id":"cm-8.5","class":"SP800-53-enhancement","title":"No Duplicate Accounting of Components","props":[{"name":"label","value":"CM-8(5)"},{"name":"label","value":"CM-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8","rel":"incorporated-into"}]},{"id":"cm-8.6","class":"SP800-53-enhancement","title":"Assessed Configurations and Approved Deviations","props":[{"name":"label","value":"CM-8(6)"},{"name":"label","value":"CM-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.6_smt","name":"statement","prose":"Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory."},{"id":"cm-8.6_gdn","name":"guidance","prose":"Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings."},{"id":"cm-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)","class":"sp800-53a"}],"parts":[{"id":"cm-8.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)[01]","class":"sp800-53a"}],"prose":"assessed component configurations are included in the system component inventory;","links":[{"href":"#cm-8.6_smt","rel":"assessment-for"}]},{"id":"cm-8.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-08(06)[02]","class":"sp800-53a"}],"prose":"any approved deviations to current deployed configurations are included in the system component inventory.","links":[{"href":"#cm-8.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.6_smt","rel":"assessment-for"}]},{"id":"cm-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with assessment responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-8.7","class":"SP800-53-enhancement","title":"Centralized Repository","props":[{"name":"label","value":"CM-8(7)"},{"name":"label","value":"CM-08(07)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.7_smt","name":"statement","prose":"Provide a centralized repository for the inventory of system components."},{"id":"cm-8.7_gdn","name":"guidance","prose":"Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability."},{"id":"cm-8.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(07)","class":"sp800-53a"}],"prose":"a centralized repository for the system component inventory is provided.","links":[{"href":"#cm-8.7_smt","rel":"assessment-for"}]},{"id":"cm-8.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with security responsibilities\n\n"}]},{"id":"cm-8.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nmechanisms supporting and\/or implementing system component inventory"}]}]},{"id":"cm-8.8","class":"SP800-53-enhancement","title":"Automated Location Tracking","params":[{"id":"cm-08.08_odp","props":[{"name":"alt-identifier","value":"cm-8.8_prm_1"},{"name":"label","value":"CM-08(08)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for tracking components are defined;"}]}],"props":[{"name":"label","value":"CM-8(8)"},{"name":"label","value":"CM-08(08)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.8_smt","name":"statement","prose":"Support the tracking of system components by geographic location using {{ insert: param, cm-08.08_odp }}."},{"id":"cm-8.8_gdn","name":"guidance","prose":"The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications that affect individual privacy."},{"id":"cm-8.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(08)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location.","links":[{"href":"#cm-8.8_smt","rel":"assessment-for"}]},{"id":"cm-8.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem component inventory\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-8.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-8.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the system component inventory\n\nautomated mechanisms supporting and\/or implementing system component inventory\n\nautomated mechanisms supporting and\/or implementing tracking of components by geographic locations"}]}]},{"id":"cm-8.9","class":"SP800-53-enhancement","title":"Assignment of Components to Systems","params":[{"id":"cm-08.09_odp","props":[{"name":"alt-identifier","value":"cm-8.9_prm_1"},{"name":"label","value":"CM-08(09)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from which to receive an acknowledgement is\/are defined;"}]}],"props":[{"name":"label","value":"CM-8(9)"},{"name":"label","value":"CM-08(09)","class":"sp800-53a"},{"name":"sort-id","value":"cm-08.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-8","rel":"required"}],"parts":[{"id":"cm-8.9_smt","name":"statement","parts":[{"id":"cm-8.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assign system components to a system; and"},{"id":"cm-8.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment."}]},{"id":"cm-8.9_gdn","name":"guidance","prose":"System components that are not assigned to a system may be unmanaged, lack the required protection, and become an organizational vulnerability."},{"id":"cm-8.9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)","class":"sp800-53a"}],"parts":[{"id":"cm-8.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)(a)","class":"sp800-53a"}],"prose":"system components are assigned to a system;","links":[{"href":"#cm-8.9_smt.a","rel":"assessment-for"}]},{"id":"cm-8.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-08(09)(b)","class":"sp800-53a"}],"prose":"an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}.","links":[{"href":"#cm-8.9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-8.9_smt","rel":"assessment-for"}]},{"id":"cm-8.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-08(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing system component inventory\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem component inventory\n\nchange control records\n\nacknowledgements of system component assignments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-8.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-08(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component inventory management responsibilities\n\nsystem owner\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-8.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-08(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning components to systems\n\norganizational processes for acknowledging assignment of components to systems\n\nmechanisms implementing assignment of components to the system\n\nmechanisms implementing acknowledgment of assignment of components to the system"}]}]}]},{"id":"cm-9","class":"SP800-53","title":"Configuration Management Plan","params":[{"id":"cm-09_odp","props":[{"name":"alt-identifier","value":"cm-9_prm_1"},{"name":"label","value":"CM-09_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review and approve the configuration management plan is\/are defined;"}]}],"props":[{"name":"label","value":"CM-9"},{"name":"label","value":"CM-09","class":"sp800-53a"},{"name":"sort-id","value":"cm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cm-9_smt","name":"statement","prose":"Develop, document, and implement a configuration management plan for the system that:","parts":[{"id":"cm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Addresses roles, responsibilities, and configuration management processes and procedures;"},{"id":"cm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;"},{"id":"cm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Defines the configuration items for the system and places the configuration items under configuration management;"},{"id":"cm-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and"},{"id":"cm-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protects the configuration management plan from unauthorized disclosure and modification."}]},{"id":"cm-9_gdn","name":"guidance","prose":"Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.\n\nConfiguration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.\n\nOrganizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control."},{"id":"cm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09[01]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is developed and documented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09[02]","class":"sp800-53a"}],"prose":"a configuration management plan for the system is implemented;","links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[01]","class":"sp800-53a"}],"prose":"the configuration management plan addresses roles;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[02]","class":"sp800-53a"}],"prose":"the configuration management plan addresses responsibilities;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-09a.[03]","class":"sp800-53a"}],"prose":"the configuration management plan addresses configuration management processes and procedures;","links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.a","rel":"assessment-for"}]},{"id":"cm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[01]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09b.[02]","class":"sp800-53a"}],"prose":"the configuration management plan establishes a process for managing the configuration of the configuration items;","links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.b","rel":"assessment-for"}]},{"id":"cm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[01]","class":"sp800-53a"}],"prose":"the configuration management plan defines the configuration items for the system;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09c.[02]","class":"sp800-53a"}],"prose":"the configuration management plan places the configuration items under configuration management;","links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.c","rel":"assessment-for"}]},{"id":"cm-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CM-09d.","class":"sp800-53a"}],"prose":"the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};","links":[{"href":"#cm-9_smt.d","rel":"assessment-for"}]},{"id":"cm-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.","class":"sp800-53a"}],"parts":[{"id":"cm-9_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[01]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized disclosure;","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]},{"id":"cm-9_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CM-09e.[02]","class":"sp800-53a"}],"prose":"the configuration management plan is protected from unauthorized modification.","links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cm-9_smt","rel":"assessment-for"}]},{"id":"cm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing configuration management planning\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing the configuration management plan\n\norganizational personnel with responsibilities for implementing and managing processes defined in the configuration management plan\n\norganizational personnel with responsibilities for protecting the configuration management plan\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing and documenting the configuration management plan\n\norganizational processes for identifying and managing configuration items\n\norganizational processes for protecting the configuration management plan\n\nmechanisms implementing the configuration management plan\n\nmechanisms for managing configuration items\n\nmechanisms for protecting the configuration management plan"}]}],"controls":[{"id":"cm-9.1","class":"SP800-53-enhancement","title":"Assignment of Responsibility","props":[{"name":"label","value":"CM-9(1)"},{"name":"label","value":"CM-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-9","rel":"required"}],"parts":[{"id":"cm-9.1_smt","name":"statement","prose":"Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development."},{"id":"cm-9.1_gdn","name":"guidance","prose":"In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked with developing configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the system development and integration processes and configuration management processes to facilitate quality control and more effective oversight."},{"id":"cm-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-09(01)","class":"sp800-53a"}],"prose":"the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.","links":[{"href":"#cm-9.1_smt","rel":"assessment-for"}]},{"id":"cm-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing responsibilities for configuration management process development\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for configuration management process development\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cm-10","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"CM-10"},{"name":"label","value":"CM-10","class":"sp800-53a"},{"name":"sort-id","value":"cm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cm-10_smt","name":"statement","parts":[{"id":"cm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Use software and associated documentation in accordance with contract agreements and copyright laws;"},{"id":"cm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and"},{"id":"cm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."}]},{"id":"cm-10_gdn","name":"guidance","prose":"Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements."},{"id":"cm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10","class":"sp800-53a"}],"parts":[{"id":"cm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-10a.","class":"sp800-53a"}],"prose":"software and associated documentation are used in accordance with contract agreements and copyright laws;","links":[{"href":"#cm-10_smt.a","rel":"assessment-for"}]},{"id":"cm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-10b.","class":"sp800-53a"}],"prose":"the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;","links":[{"href":"#cm-10_smt.b","rel":"assessment-for"}]},{"id":"cm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-10c.","class":"sp800-53a"}],"prose":"the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.","links":[{"href":"#cm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-10_smt","rel":"assessment-for"}]},{"id":"cm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}],"controls":[{"id":"cm-10.1","class":"SP800-53-enhancement","title":"Open-source Software","params":[{"id":"cm-10.01_odp","props":[{"name":"alt-identifier","value":"cm-10.1_prm_1"},{"name":"label","value":"CM-10(01)_ODP","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions on the use of open-source software are defined;"}]}],"props":[{"name":"label","value":"CM-10(1)"},{"name":"label","value":"CM-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-10","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-10.1_smt","name":"statement","prose":"Establish the following restrictions on the use of open-source software: {{ insert: param, cm-10.01_odp }}."},{"id":"cm-10.1_gdn","name":"guidance","prose":"Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software."},{"id":"cm-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-10(01)","class":"sp800-53a"}],"prose":"{{ insert: param, cm-10.01_odp }} are established for the use of open-source software.","links":[{"href":"#cm-10.1_smt","rel":"assessment-for"}]},{"id":"cm-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nsoftware usage restrictions\n\nsoftware contract agreements and copyright laws\n\nsite license documentation\n\nlist of software usage restrictions\n\nsoftware license tracking reports\n\nconfiguration management plan\n\nsystem security plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with software license management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking the use of software protected by quantity licenses\n\norganizational processes for controlling\/documenting the use of peer-to-peer file sharing technology\n\nmechanisms implementing software license tracking\n\nmechanisms implementing and controlling the use of peer-to-peer files sharing technology"}]}]}]},{"id":"cm-11","class":"SP800-53","title":"User-installed Software","params":[{"id":"cm-11_odp.01","props":[{"name":"alt-identifier","value":"cm-11_prm_1"},{"name":"label","value":"CM-11_ODP[01]","class":"sp800-53a"}],"label":"policies","guidelines":[{"prose":"policies governing the installation of software by users are defined;"}]},{"id":"cm-11_odp.02","props":[{"name":"alt-identifier","value":"cm-11_prm_2"},{"name":"label","value":"CM-11_ODP[02]","class":"sp800-53a"}],"label":"methods","guidelines":[{"prose":"methods used to enforce software installation policies are defined;"}]},{"id":"cm-11_odp.03","props":[{"name":"alt-identifier","value":"cm-11_prm_3"},{"name":"label","value":"CM-11_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to monitor compliance is defined;"}]}],"props":[{"name":"label","value":"CM-11"},{"name":"label","value":"CM-11","class":"sp800-53a"},{"name":"sort-id","value":"cm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-11_smt","name":"statement","parts":[{"id":"cm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users;"},{"id":"cm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }} ; and"},{"id":"cm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Monitor policy compliance {{ insert: param, cm-11_odp.03 }}."}]},{"id":"cm-11_gdn","name":"guidance","prose":"If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved \"app stores.\" Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods."},{"id":"cm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11","class":"sp800-53a"}],"parts":[{"id":"cm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-11a.","class":"sp800-53a"}],"prose":"{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;","links":[{"href":"#cm-11_smt.a","rel":"assessment-for"}]},{"id":"cm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-11b.","class":"sp800-53a"}],"prose":"software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};","links":[{"href":"#cm-11_smt.b","rel":"assessment-for"}]},{"id":"cm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-11c.","class":"sp800-53a"}],"prose":"compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.","links":[{"href":"#cm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-11_smt","rel":"assessment-for"}]},{"id":"cm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms enforcing policies and methods for governing the installation of software by users\n\nmechanisms monitoring policy compliance"}]}],"controls":[{"id":"cm-11.1","class":"SP800-53-enhancement","title":"Alerts for Unauthorized Installations","props":[{"name":"label","value":"CM-11(1)"},{"name":"label","value":"CM-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8.3","rel":"incorporated-into"}]},{"id":"cm-11.2","class":"SP800-53-enhancement","title":"Software Installation with Privileged Status","props":[{"name":"label","value":"CM-11(2)"},{"name":"label","value":"CM-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cm-11","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"cm-11.2_smt","name":"statement","prose":"Allow user installation of software only with explicit privileged status."},{"id":"cm-11.2_gdn","name":"guidance","prose":"Privileged status can be obtained, for example, by serving in the role of system administrator."},{"id":"cm-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11(02)","class":"sp800-53a"}],"prose":"user installation of software is allowed only with explicit privileged status.","links":[{"href":"#cm-11.2_smt","rel":"assessment-for"}]},{"id":"cm-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of unauthorized software installations\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nmechanisms for prohibiting installation of software without privileged status (e.g., access controls)"}]}]},{"id":"cm-11.3","class":"SP800-53-enhancement","title":"Automated Enforcement and Monitoring","params":[{"id":"cm-11.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-11.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-11.03_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"cm-11.03_odp.01","props":[{"name":"label","value":"CM-11(03)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to enforce compliance are defined;"}]},{"id":"cm-11.03_odp.02","props":[{"name":"label","value":"CM-11(03)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to monitor compliance are defined;"}]}],"props":[{"name":"label","value":"CM-11(3)"},{"name":"label","value":"CM-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"cm-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-11","rel":"required"}],"parts":[{"id":"cm-11.3_smt","name":"statement","prose":"Enforce and monitor compliance with software installation policies using {{ insert: param, cm-11.3_prm_1 }}."},{"id":"cm-11.3_gdn","name":"guidance","prose":"Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation which can be an indicator of an internal or external hostile attack."},{"id":"cm-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)","class":"sp800-53a"}],"parts":[{"id":"cm-11.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)[01]","class":"sp800-53a"}],"prose":"compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};","links":[{"href":"#cm-11.3_smt","rel":"assessment-for"}]},{"id":"cm-11.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-11(03)[02]","class":"sp800-53a"}],"prose":"compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}.","links":[{"href":"#cm-11.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-11.3_smt","rel":"assessment-for"}]},{"id":"cm-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing user-installed software\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of rules governing user installed software\n\nsystem monitoring records\n\nsystem audit records\n\ncontinuous monitoring strategy\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for governing user-installed software\n\norganizational personnel operating, using, and\/or maintaining the system\n\norganizational personnel monitoring compliance with user-installed software policy\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"cm-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing user-installed software on the system\n\nautomated mechanisms enforcing policies on installation of software by users\n\nautomated mechanisms monitoring policy compliance"}]}]}]},{"id":"cm-12","class":"SP800-53","title":"Information Location","params":[{"id":"cm-12_odp","props":[{"name":"alt-identifier","value":"cm-12_prm_1"},{"name":"label","value":"CM-12_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information for which the location is to be identified and documented is defined;"}]}],"props":[{"name":"label","value":"CM-12"},{"name":"label","value":"CM-12","class":"sp800-53a"},{"name":"sort-id","value":"cm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-23","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-12_smt","name":"statement","parts":[{"id":"cm-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored;"},{"id":"cm-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify and document the users who have access to the system and system components where the information is processed and stored; and"},{"id":"cm-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document changes to the location (i.e., system or system components) where the information is processed and stored."}]},{"id":"cm-12_gdn","name":"guidance","prose":"Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17))."},{"id":"cm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[01]","class":"sp800-53a"}],"prose":"the location of {{ insert: param, cm-12_odp }} is identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[02]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CM-12a.[03]","class":"sp800-53a"}],"prose":"the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.a","rel":"assessment-for"}]},{"id":"cm-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[01]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12b.[02]","class":"sp800-53a"}],"prose":"the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;","links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.b","rel":"assessment-for"}]},{"id":"cm-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.","class":"sp800-53a"}],"parts":[{"id":"cm-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[01]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]},{"id":"cm-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CM-12c.[02]","class":"sp800-53a"}],"prose":"changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.","links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cm-12_smt","rel":"assessment-for"}]},{"id":"cm-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\naudit records\n\nlist of users with system and system component access\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location and user access to information\n\norganizational personnel with responsibilities for operating, using, and\/or maintaining the system\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location"}]}],"controls":[{"id":"cm-12.1","class":"SP800-53-enhancement","title":"Automated Tools to Support Information Location","params":[{"id":"cm-12.01_odp.01","props":[{"name":"alt-identifier","value":"cm-12.1_prm_1"},{"name":"label","value":"CM-12(01)_ODP[01]","class":"sp800-53a"}],"label":"information by information type","guidelines":[{"prose":"information to be protected is defined by information type;"}]},{"id":"cm-12.01_odp.02","props":[{"name":"alt-identifier","value":"cm-12.1_prm_2"},{"name":"label","value":"CM-12(01)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where the information is located are defined;"}]}],"props":[{"name":"label","value":"CM-12(1)"},{"name":"label","value":"CM-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"cm-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-12","rel":"required"}],"parts":[{"id":"cm-12.1_smt","name":"statement","prose":"Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual privacy."},{"id":"cm-12.1_gdn","name":"guidance","prose":"The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions."},{"id":"cm-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-12(01)","class":"sp800-53a"}],"prose":"automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.","links":[{"href":"#cm-12.1_smt","rel":"assessment-for"}]},{"id":"cm-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing identification and documentation of information location\n\nconfiguration management plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cm-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nautomated mechanisms enforcing policies and methods for governing information location\n\nautomated tools used to identify information on system components"}]}]}]},{"id":"cm-13","class":"SP800-53","title":"Data Action Mapping","props":[{"name":"label","value":"CM-13"},{"name":"label","value":"CM-13","class":"sp800-53a"},{"name":"sort-id","value":"cm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-27","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"cm-13_smt","name":"statement","prose":"Develop and document a map of system data actions."},{"id":"cm-13_gdn","name":"guidance","prose":"Data actions are system operations that process personally identifiable information. The processing of such information encompasses the full information life cycle, which includes collection, generation, transformation, use, disclosure, retention, and disposal. A map of system data actions includes discrete data actions, elements of personally identifiable information being processed in the data actions, system components involved in the data actions, and the owners or operators of the system components. Understanding what personally identifiable information is being processed (e.g., the sensitivity of the personally identifiable information), how personally identifiable information is being processed (e.g., if the data action is visible to the individual or is processed in another part of the system), and by whom (e.g., individuals may have different privacy perceptions based on the entity that is processing the personally identifiable information) provides a number of contextual factors that are important to assessing the degree of privacy risk created by the system. Data maps can be illustrated in different ways, and the level of detail may vary based on the mission and business needs of the organization. The data map may be an overlay of any system design artifact that the organization is using. The development of this map may necessitate coordination between the privacy and security programs regarding the covered data actions and the components that are identified as part of the system."},{"id":"cm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-13","class":"sp800-53a"}],"prose":"a map of system data actions is developed and documented.","links":[{"href":"#cm-13_smt","rel":"assessment-for"}]},{"id":"cm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures for identification and documentation of information location\n\nprocedures for mapping data actions\n\nconfiguration management plan\n\nsystem security plan\n\nprivacy plan\n\nsystem design documentation\n\nPII inventory documentation\n\ndata mapping documentation\n\nchange control records\n\nsystem component inventory\n\nother relevant documents or records"}]},{"id":"cm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for managing information location\n\norganizational personnel responsible for data action mapping\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms supporting or implementing data action mapping"}]}]},{"id":"cm-14","class":"SP800-53","title":"Signed Components","params":[{"id":"cm-14_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-14_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cm-14_odp.02"}],"label":"organization-defined software and firmware components"},{"id":"cm-14_odp.01","props":[{"name":"label","value":"CM-14_ODP[01]","class":"sp800-53a"}],"label":"software components","guidelines":[{"prose":"software components requiring verification of a digitally signed certificate before installation are defined;"}]},{"id":"cm-14_odp.02","props":[{"name":"label","value":"CM-14_ODP[02]","class":"sp800-53a"}],"label":"firmware components","guidelines":[{"prose":"firmware components requiring verification of a digitally signed certificate before installation are defined;"}]}],"props":[{"name":"label","value":"CM-14"},{"name":"label","value":"CM-14","class":"sp800-53a"},{"name":"sort-id","value":"cm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#cm-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"cm-14_smt","name":"statement","prose":"Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."},{"id":"cm-14_gdn","name":"guidance","prose":"Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input\/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication."},{"id":"cm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"CM-14","class":"sp800-53a"}],"parts":[{"id":"cm-14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CM-14[01]","class":"sp800-53a"}],"prose":"the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;","links":[{"href":"#cm-14_smt","rel":"assessment-for"}]},{"id":"cm-14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CM-14[02]","class":"sp800-53a"}],"prose":"the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.","links":[{"href":"#cm-14_smt","rel":"assessment-for"}]}],"links":[{"href":"#cm-14_smt","rel":"assessment-for"}]},{"id":"cm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Configuration management policy\n\nprocedures addressing digitally signed certificates for software and firmware components\n\nconfiguration management plan\n\nsystem security plan\n\nsystem design documentation\n\nchange control records\n\nsystem component inventory\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for verifying digitally signed certificates for software and firmware component installation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes governing information location\n\nmechanisms enforcing policies and methods for governing information location\n\nautomated tools supporting or implementing digitally signatures for software and firmware components\n\nautomated tools supporting or implementing verification of digital signatures for software and firmware component installation"}]}]}]},{"id":"cp","class":"family","title":"Contingency Planning","controls":[{"id":"cp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"cp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-01_odp.01","props":[{"name":"label","value":"CP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning policy is to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.02","props":[{"name":"label","value":"CP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the contingency planning procedures are to be disseminated is\/are defined;"}]},{"id":"cp-01_odp.03","props":[{"name":"alt-identifier","value":"cp-1_prm_2"},{"name":"label","value":"CP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"cp-01_odp.04","props":[{"name":"alt-identifier","value":"cp-1_prm_3"},{"name":"label","value":"CP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the contingency planning policy and procedures is defined;"}]},{"id":"cp-01_odp.05","props":[{"name":"alt-identifier","value":"cp-1_prm_4"},{"name":"label","value":"CP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning policy is reviewed and updated is defined;"}]},{"id":"cp-01_odp.06","props":[{"name":"alt-identifier","value":"cp-1_prm_5"},{"name":"label","value":"CP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current contingency planning policy to be reviewed and updated are defined;"}]},{"id":"cp-01_odp.07","props":[{"name":"alt-identifier","value":"cp-1_prm_6"},{"name":"label","value":"CP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current contingency planning procedures are reviewed and updated is defined;"}]},{"id":"cp-01_odp.08","props":[{"name":"alt-identifier","value":"cp-1_prm_7"},{"name":"label","value":"CP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"CP-1"},{"name":"label","value":"CP-01","class":"sp800-53a"},{"name":"sort-id","value":"cp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-1_smt","name":"statement","parts":[{"id":"cp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, cp-1_prm_1 }}:","parts":[{"id":"cp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, cp-01_odp.03 }} contingency planning policy that:","parts":[{"id":"cp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"cp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"cp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;"}]},{"id":"cp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, cp-01_odp.04 }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and"},{"id":"cp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current contingency planning:","parts":[{"id":"cp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, cp-01_odp.05 }} and following {{ insert: param, cp-01_odp.06 }} ; and"},{"id":"cp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, cp-01_odp.07 }} and following {{ insert: param, cp-01_odp.08 }}."}]}]},{"id":"cp-1_gdn","name":"guidance","prose":"Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"cp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[01]","class":"sp800-53a"}],"prose":"a contingency planning policy is developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[02]","class":"sp800-53a"}],"prose":"the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[03]","class":"sp800-53a"}],"prose":"contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.[04]","class":"sp800-53a"}],"prose":"the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};","links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;","links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"cp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#cp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.a","rel":"assessment-for"}]},{"id":"cp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;","links":[{"href":"#cp-1_smt.b","rel":"assessment-for"}]},{"id":"cp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[01]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.01[02]","class":"sp800-53a"}],"prose":"the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};","links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.1","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02","class":"sp800-53a"}],"parts":[{"id":"cp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[01]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]},{"id":"cp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-01c.02[02]","class":"sp800-53a"}],"prose":"the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.","links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-1_smt","rel":"assessment-for"}]},{"id":"cp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"cp-2","class":"SP800-53","title":"Contingency Plan","params":[{"id":"cp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"cp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.04"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-02_odp.07"}],"label":"organization-defined key contingency personnel (identified by name and\/or by role) and organizational elements"},{"id":"cp-02_odp.01","props":[{"name":"label","value":"CP-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to review a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.02","props":[{"name":"label","value":"CP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to approve a contingency plan is\/are defined;"}]},{"id":"cp-02_odp.03","props":[{"name":"label","value":"CP-02_ODP[03]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to whom copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.04","props":[{"name":"label","value":"CP-02_ODP[04]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to which copies of the contingency plan are distributed are defined;"}]},{"id":"cp-02_odp.05","props":[{"name":"alt-identifier","value":"cp-2_prm_3"},{"name":"label","value":"CP-02_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of contingency plan review is defined;"}]},{"id":"cp-02_odp.06","props":[{"name":"label","value":"CP-02_ODP[06]","class":"sp800-53a"}],"label":"key contingency personnel","guidelines":[{"prose":"key contingency personnel (identified by name and\/or by role) to communicate changes to are defined;"}]},{"id":"cp-02_odp.07","props":[{"name":"label","value":"CP-02_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"key contingency organizational elements to communicate changes to are defined;"}]}],"props":[{"name":"label","value":"CP-2"},{"name":"label","value":"CP-02","class":"sp800-53a"},{"name":"sort-id","value":"cp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"cp-2_smt","name":"statement","parts":[{"id":"cp-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a contingency plan for the system that:","parts":[{"id":"cp-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifies essential mission and business functions and associated contingency requirements;"},{"id":"cp-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides recovery objectives, restoration priorities, and metrics;"},{"id":"cp-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Addresses contingency roles, responsibilities, assigned individuals with contact information;"},{"id":"cp-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"},{"id":"cp-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;"},{"id":"cp-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Addresses the sharing of contingency information; and"},{"id":"cp-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Is reviewed and approved by {{ insert: param, cp-2_prm_1 }};"}]},{"id":"cp-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the contingency plan to {{ insert: param, cp-2_prm_2 }};"},{"id":"cp-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate contingency planning activities with incident handling activities;"},{"id":"cp-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review the contingency plan for the system {{ insert: param, cp-02_odp.05 }};"},{"id":"cp-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;"},{"id":"cp-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Communicate contingency plan changes to {{ insert: param, cp-2_prm_4 }};"},{"id":"cp-2_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and"},{"id":"cp-2_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Protect the contingency plan from unauthorized disclosure and modification."}]},{"id":"cp-2_gdn","name":"guidance","prose":"Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.\n\nActions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in [IR-4(5)](#ir-4.5) . Incident response planning is part of contingency planning for organizations and is addressed in the [IR](#ir) (Incident Response) family."},{"id":"cp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.01","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;","links":[{"href":"#cp-2_smt.a.1","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides recovery objectives;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides restoration priorities;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.02[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that provides metrics;","links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.2","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency roles;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses contingency responsibilities;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.03[03]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses assigned individuals with contact information;","links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.3","rel":"assessment-for"}]},{"id":"cp-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.04","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;","links":[{"href":"#cp-2_smt.a.4","rel":"assessment-for"}]},{"id":"cp-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.05","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;","links":[{"href":"#cp-2_smt.a.5","rel":"assessment-for"}]},{"id":"cp-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.06","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that addresses the sharing of contingency information;","links":[{"href":"#cp-2_smt.a.6","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[01]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]},{"id":"cp-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02a.07[02]","class":"sp800-53a"}],"prose":"a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};","links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.a","rel":"assessment-for"}]},{"id":"cp-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[01]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02b.[02]","class":"sp800-53a"}],"prose":"copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};","links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.b","rel":"assessment-for"}]},{"id":"cp-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-02c.","class":"sp800-53a"}],"prose":"contingency planning activities are coordinated with incident handling activities;","links":[{"href":"#cp-2_smt.c","rel":"assessment-for"}]},{"id":"cp-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-02d.","class":"sp800-53a"}],"prose":"the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};","links":[{"href":"#cp-2_smt.d","rel":"assessment-for"}]},{"id":"cp-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[01]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address changes to the organization, system, or environment of operation;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02e.[02]","class":"sp800-53a"}],"prose":"the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;","links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.e","rel":"assessment-for"}]},{"id":"cp-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[01]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02f.[02]","class":"sp800-53a"}],"prose":"contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};","links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.f","rel":"assessment-for"}]},{"id":"cp-2_obj.g","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[01]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02g.[02]","class":"sp800-53a"}],"prose":"lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;","links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.g","rel":"assessment-for"}]},{"id":"cp-2_obj.h","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.","class":"sp800-53a"}],"parts":[{"id":"cp-2_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[01]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized disclosure;","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]},{"id":"cp-2_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02h.[02]","class":"sp800-53a"}],"prose":"the contingency plan is protected from unauthorized modification.","links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#cp-2_smt","rel":"assessment-for"}]},{"id":"cp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nevidence of contingency plan reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with incident handling responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan development, review, update, and protection\n\nmechanisms for developing, reviewing, updating, and\/or protecting the contingency plan"}]}],"controls":[{"id":"cp-2.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-2(1)"},{"name":"label","value":"CP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.1_smt","name":"statement","prose":"Coordinate contingency plan development with organizational elements responsible for related plans."},{"id":"cp-2.1_gdn","name":"guidance","prose":"Plans that are related to contingency plans include Business Continuity Plans, Disaster Recovery Plans, Critical Infrastructure Plans, Continuity of Operations Plans, Crisis Communications Plans, Insider Threat Implementation Plans, Data Breach Response Plans, Cyber Incident Response Plans, Breach Response Plans, and Occupant Emergency Plans."},{"id":"cp-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(01)","class":"sp800-53a"}],"prose":"contingency plan development is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-2.1_smt","rel":"assessment-for"}]},{"id":"cp-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness contingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plan\n\ninsider threat implementation plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\npersonnel with responsibility for related plans"}]}]},{"id":"cp-2.2","class":"SP800-53-enhancement","title":"Capacity Planning","props":[{"name":"label","value":"CP-2(2)"},{"name":"label","value":"CP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-13","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"cp-2.2_smt","name":"statement","prose":"Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."},{"id":"cp-2.2_gdn","name":"guidance","prose":"Capacity planning is needed because different threats can result in a reduction of the available processing, telecommunications, and support services intended to support essential mission and business functions. Organizations anticipate degraded operations during contingency operations and factor the degradation into capacity planning. For capacity planning, environmental support refers to any environmental factor for which the organization determines that it needs to provide support in a contingency situation, even if in a degraded state. Such determinations are based on an organizational assessment of risk, system categorization (impact level), and organizational risk tolerance."},{"id":"cp-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)","class":"sp800-53a"}],"parts":[{"id":"cp-2.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[01]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[02]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"CP-02(02)[03]","class":"sp800-53a"}],"prose":"capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.","links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-2.2_smt","rel":"assessment-for"}]},{"id":"cp-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncapacity planning documents\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel responsible for capacity planning\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.3","class":"SP800-53-enhancement","title":"Resume Mission and Business Functions","params":[{"id":"cp-02.03_odp.01","props":[{"name":"alt-identifier","value":"cp-2.3_prm_1"},{"name":"label","value":"CP-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["all","essential"]}},{"id":"cp-02.03_odp.02","props":[{"name":"alt-identifier","value":"cp-2.3_prm_2"},{"name":"label","value":"CP-02(03)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the contingency plan activation time period within which to resume mission and business functions is defined;"}]}],"props":[{"name":"label","value":"CP-2(3)"},{"name":"label","value":"CP-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.3_smt","name":"statement","prose":"Plan for the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."},{"id":"cp-2.3_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure."},{"id":"cp-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(03)","class":"sp800-53a"}],"prose":"the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.","links":[{"href":"#cp-2.3_smt","rel":"assessment-for"}]},{"id":"cp-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nprivacy plan\n\nother related plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions"}]},{"id":"cp-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for resumption of missions and business functions"}]}]},{"id":"cp-2.4","class":"SP800-53-enhancement","title":"Resume All Mission and Business Functions","props":[{"name":"label","value":"CP-2(4)"},{"name":"label","value":"CP-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-2.3","rel":"incorporated-into"}]},{"id":"cp-2.5","class":"SP800-53-enhancement","title":"Continue Mission and Business Functions","params":[{"id":"cp-02.05_odp","props":[{"name":"alt-identifier","value":"cp-2.5_prm_1"},{"name":"label","value":"CP-02(05)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(5)"},{"name":"label","value":"CP-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.5_smt","name":"statement","prose":"Plan for the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and\/or storage sites."},{"id":"cp-2.5_gdn","name":"guidance","prose":"Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)","class":"sp800-53a"}],"parts":[{"id":"cp-2.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[01]","class":"sp800-53a"}],"prose":"the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;","links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]},{"id":"cp-2.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(05)[02]","class":"sp800-53a"}],"prose":"continuity is sustained until full system restoration at primary processing and\/or storage sites.","links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-2.5_smt","rel":"assessment-for"}]},{"id":"cp-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nprimary processing site agreements\n\nprimary storage site agreements\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for continuing missions and business functions"}]}]},{"id":"cp-2.6","class":"SP800-53-enhancement","title":"Alternate Processing and Storage Sites","params":[{"id":"cp-02.06_odp","props":[{"name":"alt-identifier","value":"cp-2.6_prm_1"},{"name":"label","value":"CP-02(06)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(6)"},{"name":"label","value":"CP-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"}],"parts":[{"id":"cp-2.6_smt","name":"statement","prose":"Plan for the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and\/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and\/or storage sites."},{"id":"cp-2.6_gdn","name":"guidance","prose":"Organizations may choose to conduct contingency planning activities for alternate processing and storage sites as part of business continuity planning or business impact analyses. Primary processing and\/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency."},{"id":"cp-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)","class":"sp800-53a"}],"parts":[{"id":"cp-2.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)[01]","class":"sp800-53a"}],"prose":"the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and\/or storage sites with minimal or no loss of operational continuity is planned for;","links":[{"href":"#cp-2.6_smt","rel":"assessment-for"}]},{"id":"cp-2.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-02(06)[02]","class":"sp800-53a"}],"prose":"operational continuity is sustained until full system restoration at primary processing and\/or storage sites.","links":[{"href":"#cp-2.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-2.6_smt","rel":"assessment-for"}]},{"id":"cp-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nalternate processing site agreements\n\nalternate storage site agreements\n\ncontingency plan testing documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transfer of essential mission and business functions to alternate processing\/storage sites"}]}]},{"id":"cp-2.7","class":"SP800-53-enhancement","title":"Coordinate with External Service Providers","props":[{"name":"label","value":"CP-2(7)"},{"name":"label","value":"CP-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"cp-2.7_smt","name":"statement","prose":"Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."},{"id":"cp-2.7_gdn","name":"guidance","prose":"When the capability of an organization to carry out its mission and business functions is dependent on external service providers, developing a comprehensive and timely contingency plan may become more challenging. When mission and business functions are dependent on external service providers, organizations coordinate contingency planning activities with the external entities to ensure that the individual plans reflect the overall contingency needs of the organization."},{"id":"cp-2.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(07)","class":"sp800-53a"}],"prose":"the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.","links":[{"href":"#cp-2.7_smt","rel":"assessment-for"}]},{"id":"cp-2.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\ncontingency plans of external\n\nservice providers\n\nservice level agreements\n\ncontingency plan requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\nexternal service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-2.8","class":"SP800-53-enhancement","title":"Identify Critical Assets","params":[{"id":"cp-02.08_odp","props":[{"name":"alt-identifier","value":"cp-2.8_prm_1"},{"name":"label","value":"CP-02(08)_ODP","class":"sp800-53a"}],"select":{"choice":["all","essential"]}}],"props":[{"name":"label","value":"CP-2(8)"},{"name":"label","value":"CP-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"required"},{"href":"#cm-8","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"cp-2.8_smt","name":"statement","prose":"Identify critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions."},{"id":"cp-2.8_gdn","name":"guidance","prose":"Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and\/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing [CP-2(7)](#cp-2.7) as a control enhancement."},{"id":"cp-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-02(08)","class":"sp800-53a"}],"prose":"critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.","links":[{"href":"#cp-2.8_smt","rel":"assessment-for"}]},{"id":"cp-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency operations for the system\n\ncontingency plan\n\nbusiness impact assessment\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-3","class":"SP800-53","title":"Contingency Training","params":[{"id":"cp-03_odp.01","props":[{"name":"alt-identifier","value":"cp-3_prm_1"},{"name":"label","value":"CP-03_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.02","props":[{"name":"alt-identifier","value":"cp-3_prm_2"},{"name":"label","value":"CP-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide training to system users with a contingency role or responsibility is defined;"}]},{"id":"cp-03_odp.03","props":[{"name":"alt-identifier","value":"cp-3_prm_3"},{"name":"label","value":"CP-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update contingency training content is defined;"}]},{"id":"cp-03_odp.04","props":[{"name":"alt-identifier","value":"cp-3_prm_4"},{"name":"label","value":"CP-03_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events necessitating review and update of contingency training are defined;"}]}],"props":[{"name":"label","value":"CP-3"},{"name":"label","value":"CP-03","class":"sp800-53a"},{"name":"sort-id","value":"cp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"cp-3_smt","name":"statement","parts":[{"id":"cp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide contingency training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"cp-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"},{"id":"cp-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"cp-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, cp-03_odp.02 }} thereafter; and"}]},{"id":"cp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update contingency training content {{ insert: param, cp-03_odp.03 }} and following {{ insert: param, cp-03_odp.04 }}."}]},{"id":"cp-3_gdn","name":"guidance","prose":"Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements."},{"id":"cp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.01","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;","links":[{"href":"#cp-3_smt.a.1","rel":"assessment-for"}]},{"id":"cp-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.02","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#cp-3_smt.a.2","rel":"assessment-for"}]},{"id":"cp-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"CP-03a.03","class":"sp800-53a"}],"prose":"contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;","links":[{"href":"#cp-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.a","rel":"assessment-for"}]},{"id":"cp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.","class":"sp800-53a"}],"parts":[{"id":"cp-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[01]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]},{"id":"cp-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-03b.[02]","class":"sp800-53a"}],"prose":"the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.","links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-3_smt","rel":"assessment-for"}]},{"id":"cp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\ncontingency training records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training"}]}],"controls":[{"id":"cp-3.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"CP-3(1)"},{"name":"label","value":"CP-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.1_smt","name":"statement","prose":"Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations."},{"id":"cp-3.1_gdn","name":"guidance","prose":"The use of simulated events creates an environment for personnel to experience actual threat events, including cyber-attacks that disable websites, ransomware attacks that encrypt organizational data on servers, hurricanes that damage or destroy organizational facilities, or hardware or software failures."},{"id":"cp-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.","links":[{"href":"#cp-3.1_smt","rel":"assessment-for"}]},{"id":"cp-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for simulating contingency events"}]}]},{"id":"cp-3.2","class":"SP800-53-enhancement","title":"Mechanisms Used in Training Environments","props":[{"name":"label","value":"CP-3(2)"},{"name":"label","value":"CP-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-3","rel":"required"}],"parts":[{"id":"cp-3.2_smt","name":"statement","prose":"Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment."},{"id":"cp-3.2_gdn","name":"guidance","prose":"Operational mechanisms refer to processes that have been established to accomplish an organizational goal or a system that supports a particular organizational mission or business objective. Actual mission and business processes, systems, and\/or facilities may be used to generate simulated events and enhance the realism of simulated events during contingency training."},{"id":"cp-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-03(02)","class":"sp800-53a"}],"prose":"mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.","links":[{"href":"#cp-3.2_smt","rel":"assessment-for"}]},{"id":"cp-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency training\n\ncontingency plan\n\ncontingency training curriculum\n\ncontingency training material\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and training responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency training\n\nmechanisms for providing contingency training environments"}]}]}]},{"id":"cp-4","class":"SP800-53","title":"Contingency Plan Testing","params":[{"id":"cp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-04_odp.03"}],"label":"organization-defined tests"},{"id":"cp-04_odp.01","props":[{"name":"alt-identifier","value":"cp-4_prm_1"},{"name":"label","value":"CP-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency of testing the contingency plan for the system is defined;"}]},{"id":"cp-04_odp.02","props":[{"name":"label","value":"CP-04_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining the effectiveness of the contingency plan are defined;"}]},{"id":"cp-04_odp.03","props":[{"name":"label","value":"CP-04_ODP[03]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests for determining readiness to execute the contingency plan are defined;"}]}],"props":[{"name":"label","value":"CP-4"},{"name":"label","value":"CP-04","class":"sp800-53a"},{"name":"sort-id","value":"cp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"cp-4_smt","name":"statement","parts":[{"id":"cp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Test the contingency plan for the system {{ insert: param, cp-04_odp.01 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, cp-4_prm_2 }}."},{"id":"cp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the contingency plan test results; and"},{"id":"cp-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Initiate corrective actions, if needed."}]},{"id":"cp-4_gdn","name":"guidance","prose":"Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions."},{"id":"cp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.","class":"sp800-53a"}],"parts":[{"id":"cp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[01]","class":"sp800-53a"}],"prose":"the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"CP-04a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;","links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt.a","rel":"assessment-for"}]},{"id":"cp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04b.","class":"sp800-53a"}],"prose":"the contingency plan test results are reviewed;","links":[{"href":"#cp-4_smt.b","rel":"assessment-for"}]},{"id":"cp-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-04c.","class":"sp800-53a"}],"prose":"corrective actions are initiated, if needed.","links":[{"href":"#cp-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-4_smt","rel":"assessment-for"}]},{"id":"cp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}],"controls":[{"id":"cp-4.1","class":"SP800-53-enhancement","title":"Coordinate with Related Plans","props":[{"name":"label","value":"CP-4(1)"},{"name":"label","value":"CP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#ir-8","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"cp-4.1_smt","name":"statement","prose":"Coordinate contingency plan testing with organizational elements responsible for related plans."},{"id":"cp-4.1_gdn","name":"guidance","prose":"Plans related to contingency planning for organizational systems include Business Continuity Plans, Disaster Recovery Plans, Continuity of Operations Plans, Crisis Communications Plans, Critical Infrastructure Plans, Cyber Incident Response Plans, and Occupant Emergency Plans. Coordination of contingency plan testing does not require organizations to create organizational elements to handle related plans or to align such elements with specific plans. However, it does require that if such organizational elements are responsible for related plans, organizations coordinate with those elements."},{"id":"cp-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(01)","class":"sp800-53a"}],"prose":"contingency plan testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#cp-4.1_smt","rel":"assessment-for"}]},{"id":"cp-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nincident response policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan testing documentation\n\ncontingency plan\n\nbusiness continuity plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\ncyber incident response plans\n\noccupant emergency plans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\npersonnel with responsibilities for related plans\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-4.2","class":"SP800-53-enhancement","title":"Alternate Processing Site","props":[{"name":"label","value":"CP-4(2)"},{"name":"label","value":"CP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-4.2_smt","name":"statement","prose":"Test the contingency plan at the alternate processing site:","parts":[{"id":"cp-4.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"To familiarize contingency personnel with the facility and available resources; and"},{"id":"cp-4.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"To evaluate the capabilities of the alternate processing site to support contingency operations."}]},{"id":"cp-4.2_gdn","name":"guidance","prose":"Conditions at the alternate processing site may be significantly different than the conditions at the primary site. Having the opportunity to visit the alternate site and experience the actual capabilities available at the site can provide valuable information on potential vulnerabilities that could affect essential organizational mission and business functions. The on-site visit can also provide an opportunity to refine the contingency plan to address the vulnerabilities discovered during testing."},{"id":"cp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)","class":"sp800-53a"}],"parts":[{"id":"cp-4.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(a)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;","links":[{"href":"#cp-4.2_smt.a","rel":"assessment-for"}]},{"id":"cp-4.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-04(02)(b)","class":"sp800-53a"}],"prose":"the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.","links":[{"href":"#cp-4.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-4.2_smt","rel":"assessment-for"}]},{"id":"cp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting the contingency plan and\/or contingency plan testing"}]}]},{"id":"cp-4.3","class":"SP800-53-enhancement","title":"Automated Testing","params":[{"id":"cp-04.03_odp","props":[{"name":"alt-identifier","value":"cp-4.3_prm_1"},{"name":"label","value":"CP-04(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for contingency plan testing are defined;"}]}],"props":[{"name":"label","value":"CP-4(3)"},{"name":"label","value":"CP-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"}],"parts":[{"id":"cp-4.3_smt","name":"statement","prose":"Test the contingency plan using {{ insert: param, cp-04.03_odp }}."},{"id":"cp-4.3_gdn","name":"guidance","prose":"Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions."},{"id":"cp-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(03)","class":"sp800-53a"}],"prose":"the contingency plan is tested using {{ insert: param, cp-04.03_odp }}.","links":[{"href":"#cp-4.3_smt","rel":"assessment-for"}]},{"id":"cp-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing contingency plan testing\n\ncontingency plan\n\nautomated mechanisms supporting contingency plan testing\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nautomated mechanisms supporting contingency plan testing"}]}]},{"id":"cp-4.4","class":"SP800-53-enhancement","title":"Full Recovery and Reconstitution","props":[{"name":"label","value":"CP-4(4)"},{"name":"label","value":"CP-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"},{"href":"#cp-10","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"cp-4.4_smt","name":"statement","prose":"Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing."},{"id":"cp-4.4_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Organizations establish a known state for systems that includes system state information for hardware, software programs, and data. Preserving system state information facilitates system restart and return to the operational mode of organizations with less disruption of mission and business processes."},{"id":"cp-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)","class":"sp800-53a"}],"parts":[{"id":"cp-4.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)[01]","class":"sp800-53a"}],"prose":"a full recovery of the system to a known state is included as part of contingency plan testing;","links":[{"href":"#cp-4.4_smt","rel":"assessment-for"}]},{"id":"cp-4.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-04(04)[02]","class":"sp800-53a"}],"prose":"a full reconstitution of the system to a known state is included as part of contingency plan testing.","links":[{"href":"#cp-4.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-4.4_smt","rel":"assessment-for"}]},{"id":"cp-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing\n\nmechanisms supporting recovery and reconstitution of the system"}]}]},{"id":"cp-4.5","class":"SP800-53-enhancement","title":"Self-challenge","params":[{"id":"cp-04.05_odp.01","props":[{"name":"alt-identifier","value":"cp-4.5_prm_1"},{"name":"label","value":"CP-04(05)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms employed to disrupt and adversely affect the system or system component are defined;"}]},{"id":"cp-04.05_odp.02","props":[{"name":"alt-identifier","value":"cp-4.5_prm_2"},{"name":"label","value":"CP-04(05)_ODP[02]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"system or system component on which to apply disruption mechanisms are defined;"}]}],"props":[{"name":"label","value":"CP-4(5)"},{"name":"label","value":"CP-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-4","rel":"required"}],"parts":[{"id":"cp-4.5_smt","name":"statement","prose":"Employ {{ insert: param, cp-04.05_odp.01 }} to {{ insert: param, cp-04.05_odp.02 }} to disrupt and adversely affect the system or system component."},{"id":"cp-4.5_gdn","name":"guidance","prose":"Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack."},{"id":"cp-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}.","links":[{"href":"#cp-4.5_smt","rel":"assessment-for"}]},{"id":"cp-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing"}]}]}]},{"id":"cp-5","class":"SP800-53","title":"Contingency Plan Update","props":[{"name":"label","value":"CP-5"},{"name":"label","value":"CP-05","class":"sp800-53a"},{"name":"sort-id","value":"cp-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-2","rel":"incorporated-into"}]},{"id":"cp-6","class":"SP800-53","title":"Alternate Storage Site","props":[{"name":"label","value":"CP-6"},{"name":"label","value":"CP-06","class":"sp800-53a"},{"name":"sort-id","value":"cp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-6_smt","name":"statement","parts":[{"id":"cp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and"},{"id":"cp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensure that the alternate storage site provides controls equivalent to that of the primary site."}]},{"id":"cp-6_gdn","name":"guidance","prose":"Alternate storage sites are geographically distinct from primary storage sites and maintain duplicate copies of information and data if the primary storage site is not available. Similarly, alternate processing sites provide processing capability if the primary processing site is not available. Geographically distributed architectures that support contingency requirements may be considered alternate storage sites. Items covered by alternate storage site agreements include environmental conditions at the alternate sites, access rules for systems and facilities, physical and environmental protection requirements, and coordination of delivery and retrieval of backup media. Alternate storage sites reflect the requirements in contingency plans so that organizations can maintain essential mission and business functions despite compromise, failure, or disruption in organizational systems."},{"id":"cp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.","class":"sp800-53a"}],"parts":[{"id":"cp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[01]","class":"sp800-53a"}],"prose":"an alternate storage site is established;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06a.[02]","class":"sp800-53a"}],"prose":"establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;","links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt.a","rel":"assessment-for"}]},{"id":"cp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-06b.","class":"sp800-53a"}],"prose":"the alternate storage site provides controls equivalent to that of the primary site.","links":[{"href":"#cp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-6_smt","rel":"assessment-for"}]},{"id":"cp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing and retrieving system backup information at the alternate storage site\n\nmechanisms supporting and\/or implementing the storage and retrieval of system backup information at the alternate storage site"}]}],"controls":[{"id":"cp-6.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-6(1)"},{"name":"label","value":"CP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.1_smt","name":"statement","prose":"Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats."},{"id":"cp-6.1_gdn","name":"guidance","prose":"Threats that affect alternate storage sites are defined in organizational risk assessments and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate storage sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(01)","class":"sp800-53a"}],"prose":"an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.","links":[{"href":"#cp-6.1_smt","rel":"assessment-for"}]},{"id":"cp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nprimary storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-6.2","class":"SP800-53-enhancement","title":"Recovery Time and Recovery Point Objectives","props":[{"name":"label","value":"CP-6(2)"},{"name":"label","value":"CP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"}],"parts":[{"id":"cp-6.2_smt","name":"statement","prose":"Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."},{"id":"cp-6.2_gdn","name":"guidance","prose":"Organizations establish recovery time and recovery point objectives as part of contingency planning. Configuration of the alternate storage site includes physical facilities and the systems supporting recovery operations that ensure accessibility and correct execution."},{"id":"cp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)","class":"sp800-53a"}],"parts":[{"id":"cp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[01]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;","links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]},{"id":"cp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(02)[02]","class":"sp800-53a"}],"prose":"the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.","links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-6.2_smt","rel":"assessment-for"}]},{"id":"cp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nalternate storage site agreements\n\nalternate storage site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan testing responsibilities\n\norganizational personnel with responsibilities for testing related plans\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for contingency plan testing\n\nmechanisms supporting recovery time and point objectives"}]}]},{"id":"cp-6.3","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-6(3)"},{"name":"label","value":"CP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-6","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-6.3_smt","name":"statement","prose":"Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions."},{"id":"cp-6.3_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk. Explicit mitigation actions include duplicating backup information at other alternate storage sites if access problems occur at originally designated alternate sites or planning for physical access to retrieve backup information if electronic accessibility to the alternate site is disrupted."},{"id":"cp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)","class":"sp800-53a"}],"parts":[{"id":"cp-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-06(03)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-6.3_smt","rel":"assessment-for"}]},{"id":"cp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate storage sites\n\ncontingency plan\n\nalternate storage site\n\nlist of potential accessibility problems to alternate storage site\n\nmitigation actions for accessibility problems to alternate storage site\n\norganizational risk assessments\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate storage site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-7","class":"SP800-53","title":"Alternate Processing Site","params":[{"id":"cp-07_odp.01","props":[{"name":"alt-identifier","value":"cp-7_prm_1"},{"name":"label","value":"CP-07_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations for essential mission and business functions are defined;"}]},{"id":"cp-07_odp.02","props":[{"name":"alt-identifier","value":"cp-7_prm_2"},{"name":"alt-label","value":"time period consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-7"},{"name":"label","value":"CP-07","class":"sp800-53a"},{"name":"sort-id","value":"cp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-11","rel":"related"},{"href":"#pe-12","rel":"related"},{"href":"#pe-17","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-7_smt","name":"statement","parts":[{"id":"cp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"},{"id":"cp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and"},{"id":"cp-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Provide controls at the alternate processing site that are equivalent to those at the primary site."}]},{"id":"cp-7_gdn","name":"guidance","prose":"Alternate processing sites are geographically distinct from primary processing sites and provide processing capability if the primary processing site is not available. The alternate processing capability may be addressed using a physical processing site or other alternatives, such as failover to a cloud-based service provider or other internally or externally provided processing service. Geographically distributed architectures that support contingency requirements may also be considered alternate processing sites. Controls that are covered by alternate processing site agreements include the environmental conditions at alternate sites, access rules, physical and environmental protection requirements, and the coordination for the transfer and assignment of personnel. Requirements are allocated to alternate processing sites that reflect the requirements in contingency plans to maintain essential mission and business functions despite disruption, compromise, or failure in organizational systems."},{"id":"cp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-07a.","class":"sp800-53a"}],"prose":"an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;","links":[{"href":"#cp-7_smt.a","rel":"assessment-for"}]},{"id":"cp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.","class":"sp800-53a"}],"parts":[{"id":"cp-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[01]","class":"sp800-53a"}],"prose":"the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07b.[02]","class":"sp800-53a"}],"prose":"the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;","links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt.b","rel":"assessment-for"}]},{"id":"cp-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-07c.","class":"sp800-53a"}],"prose":"controls provided at the alternate processing site are equivalent to those at the primary site.","links":[{"href":"#cp-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-7_smt","rel":"assessment-for"}]},{"id":"cp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nspare equipment and supplies inventory at alternate processing site\n\nequipment and supply contracts\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for contingency planning and\/or alternate site arrangements\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for recovery at the alternate site\n\nmechanisms supporting and\/or implementing recovery at the alternate processing site"}]}],"controls":[{"id":"cp-7.1","class":"SP800-53-enhancement","title":"Separation from Primary Site","props":[{"name":"label","value":"CP-7(1)"},{"name":"label","value":"CP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.1_smt","name":"statement","prose":"Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats."},{"id":"cp-7.1_gdn","name":"guidance","prose":"Threats that affect alternate processing sites are defined in organizational assessments of risk and include natural disasters, structural failures, hostile attacks, and errors of omission or commission. Organizations determine what is considered a sufficient degree of separation between primary and alternate processing sites based on the types of threats that are of concern. For threats such as hostile attacks, the degree of separation between sites is less relevant."},{"id":"cp-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(01)","class":"sp800-53a"}],"prose":"an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.","links":[{"href":"#cp-7.1_smt","rel":"assessment-for"}]},{"id":"cp-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.2","class":"SP800-53-enhancement","title":"Accessibility","props":[{"name":"label","value":"CP-7(2)"},{"name":"label","value":"CP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"cp-7.2_smt","name":"statement","prose":"Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."},{"id":"cp-7.2_gdn","name":"guidance","prose":"Area-wide disruptions refer to those types of disruptions that are broad in geographic scope with such determinations made by organizations based on organizational assessments of risk."},{"id":"cp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)","class":"sp800-53a"}],"parts":[{"id":"cp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[01]","class":"sp800-53a"}],"prose":"potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(02)[02]","class":"sp800-53a"}],"prose":"explicit mitigation actions to address identified accessibility problems are outlined.","links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-7.2_smt","rel":"assessment-for"}]},{"id":"cp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nprimary processing site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-7.3","class":"SP800-53-enhancement","title":"Priority of Service","props":[{"name":"label","value":"CP-7(3)"},{"name":"label","value":"CP-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.3_smt","name":"statement","prose":"Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives)."},{"id":"cp-7.3_gdn","name":"guidance","prose":"Priority of service agreements refer to negotiated agreements with service providers that ensure that organizations receive priority treatment consistent with their availability requirements and the availability of information resources for logical alternate processing and\/or at the physical alternate processing site. Organizations establish recovery time objectives as part of contingency planning."},{"id":"cp-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(03)","class":"sp800-53a"}],"prose":"alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.","links":[{"href":"#cp-7.3_smt","rel":"assessment-for"}]},{"id":"cp-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site agreements\n\nservice-level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-7.4","class":"SP800-53-enhancement","title":"Preparation for Use","props":[{"name":"label","value":"CP-7(4)"},{"name":"label","value":"CP-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-7.4_smt","name":"statement","prose":"Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions."},{"id":"cp-7.4_gdn","name":"guidance","prose":"Site preparation includes establishing configuration settings for systems at the alternate processing site consistent with the requirements for such settings at the primary site and ensuring that essential supplies and logistical considerations are in place."},{"id":"cp-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(04)","class":"sp800-53a"}],"prose":"the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.","links":[{"href":"#cp-7.4_smt","rel":"assessment-for"}]},{"id":"cp-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan alternate processing site responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing recovery at the alternate processing site"}]}]},{"id":"cp-7.5","class":"SP800-53-enhancement","title":"Equivalent Information Security Safeguards","props":[{"name":"label","value":"CP-7(5)"},{"name":"label","value":"CP-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-7","rel":"incorporated-into"}]},{"id":"cp-7.6","class":"SP800-53-enhancement","title":"Inability to Return to Primary Site","props":[{"name":"label","value":"CP-7(6)"},{"name":"label","value":"CP-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-7","rel":"required"}],"parts":[{"id":"cp-7.6_smt","name":"statement","prose":"Plan and prepare for circumstances that preclude returning to the primary processing site."},{"id":"cp-7.6_gdn","name":"guidance","prose":"There may be situations that preclude an organization from returning to the primary processing site such as if a natural disaster (e.g., flood or a hurricane) damaged or destroyed a facility and it was determined that rebuilding in the same location was not prudent."},{"id":"cp-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)","class":"sp800-53a"}],"parts":[{"id":"cp-7.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)[01]","class":"sp800-53a"}],"prose":"circumstances that preclude returning to the primary processing site are planned for;","links":[{"href":"#cp-7.6_smt","rel":"assessment-for"}]},{"id":"cp-7.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-07(06)[02]","class":"sp800-53a"}],"prose":"circumstances that preclude returning to the primary processing site are prepared for.","links":[{"href":"#cp-7.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-7.6_smt","rel":"assessment-for"}]},{"id":"cp-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate processing sites\n\ncontingency plan\n\nalternate processing site\n\nalternate processing site agreements\n\nalternate processing site configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"cp-8","class":"SP800-53","title":"Telecommunications Services","params":[{"id":"cp-08_odp.01","props":[{"name":"alt-identifier","value":"cp-8_prm_1"},{"name":"label","value":"CP-08_ODP[01]","class":"sp800-53a"}],"label":"system operations","guidelines":[{"prose":"system operations to be resumed for essential mission and business functions are defined;"}]},{"id":"cp-08_odp.02","props":[{"name":"alt-identifier","value":"cp-8_prm_2"},{"name":"label","value":"CP-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;"}]}],"props":[{"name":"label","value":"CP-8"},{"name":"label","value":"CP-08","class":"sp800-53a"},{"name":"sort-id","value":"cp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"cp-8_smt","name":"statement","prose":"Establish alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."},{"id":"cp-8_gdn","name":"guidance","prose":"Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for [CP-8](#cp-8) . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements."},{"id":"cp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08","class":"sp800-53a"}],"prose":"alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.","links":[{"href":"#cp-8_smt","rel":"assessment-for"}]},{"id":"cp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with knowledge of requirements for mission and business functions\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}],"controls":[{"id":"cp-8.1","class":"SP800-53-enhancement","title":"Priority of Service Provisions","props":[{"name":"label","value":"CP-8(1)"},{"name":"label","value":"CP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.1_smt","name":"statement","parts":[{"id":"cp-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and"},{"id":"cp-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier."}]},{"id":"cp-8.1_gdn","name":"guidance","prose":"Organizations consider the potential mission or business impact in situations where telecommunications service providers are servicing other organizations with similar priority of service provisions. Telecommunications Service Priority (TSP) is a Federal Communications Commission (FCC) program that directs telecommunications service providers (e.g., wireline and wireless phone companies) to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. The FCC sets the rules and policies for the TSP program, and the Department of Homeland Security manages the TSP program. The TSP program is always in effect and not contingent on a major disaster or attack taking place. Federal sponsorship is required to enroll in the TSP program."},{"id":"cp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;","links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt.a","rel":"assessment-for"}]},{"id":"cp-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(01)(b)","class":"sp800-53a"}],"prose":"Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and\/or alternate telecommunications services are provided by a common carrier.","links":[{"href":"#cp-8.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.1_smt","rel":"assessment-for"}]},{"id":"cp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nTelecommunications Service Priority documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]},{"id":"cp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting telecommunications"}]}]},{"id":"cp-8.2","class":"SP800-53-enhancement","title":"Single Points of Failure","props":[{"name":"label","value":"CP-8(2)"},{"name":"label","value":"CP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.2_smt","name":"statement","prose":"Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."},{"id":"cp-8.2_gdn","name":"guidance","prose":"In certain circumstances, telecommunications service providers or services may share the same physical lines, which increases the vulnerability of a single failure point. It is important to have provider transparency for the actual physical transmission capability for telecommunication services."},{"id":"cp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(02)","class":"sp800-53a"}],"prose":"alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.","links":[{"href":"#cp-8.2_smt","rel":"assessment-for"}]},{"id":"cp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.3","class":"SP800-53-enhancement","title":"Separation of Primary and Alternate Providers","props":[{"name":"label","value":"CP-8(3)"},{"name":"label","value":"CP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"}],"parts":[{"id":"cp-8.3_smt","name":"statement","prose":"Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."},{"id":"cp-8.3_gdn","name":"guidance","prose":"Threats that affect telecommunications services are defined in organizational assessments of risk and include natural disasters, structural failures, cyber or physical attacks, and errors of omission or commission. Organizations can reduce common susceptibilities by minimizing shared infrastructure among telecommunications service providers and achieving sufficient geographic separation between services. Organizations may consider using a single service provider in situations where the service provider can provide alternate telecommunications services that meet the separation needs addressed in the risk assessment."},{"id":"cp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(03)","class":"sp800-53a"}],"prose":"alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.","links":[{"href":"#cp-8.3_smt","rel":"assessment-for"}]},{"id":"cp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprimary and alternate telecommunications service agreements\n\nalternate telecommunications service provider site\n\nprimary telecommunications service provider site\n\nother relevant documents or records"}]},{"id":"cp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency plan telecommunications responsibilities\n\norganizational personnel with system recovery responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-8.4","class":"SP800-53-enhancement","title":"Provider Contingency Plan","params":[{"id":"cp-8.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-08.04_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-08.04_odp.01","props":[{"name":"label","value":"CP-08(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency testing by providers is defined;"}]},{"id":"cp-08.04_odp.02","props":[{"name":"label","value":"CP-08(04)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to obtain evidence of contingency training by providers is defined;"}]}],"props":[{"name":"label","value":"CP-8(4)"},{"name":"label","value":"CP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-8.4_smt","name":"statement","parts":[{"id":"cp-8.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require primary and alternate telecommunications service providers to have contingency plans;"},{"id":"cp-8.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and"},{"id":"cp-8.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Obtain evidence of contingency testing and training by providers {{ insert: param, cp-8.4_prm_1 }}."}]},{"id":"cp-8.4_gdn","name":"guidance","prose":"Reviews of provider contingency plans consider the proprietary nature of such plans. In some situations, a summary of provider contingency plans may be sufficient evidence for organizations to satisfy the review requirement. Telecommunications service providers may also participate in ongoing disaster recovery exercises in coordination with the Department of Homeland Security and state and local governments. Organizations may use these types of activities to satisfy evidentiary requirements related to service provider contingency plan reviews, testing, and training."},{"id":"cp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[01]","class":"sp800-53a"}],"prose":"primary telecommunications service providers are required to have contingency plans;","links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]},{"id":"cp-8.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(a)[02]","class":"sp800-53a"}],"prose":"alternate telecommunications service providers are required to have contingency plans;","links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt.a","rel":"assessment-for"}]},{"id":"cp-8.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(b)","class":"sp800-53a"}],"prose":"provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;","links":[{"href":"#cp-8.4_smt.b","rel":"assessment-for"}]},{"id":"cp-8.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)","class":"sp800-53a"}],"parts":[{"id":"cp-8.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[01]","class":"sp800-53a"}],"prose":"evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.","links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]},{"id":"cp-8.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"CP-08(04)(c)[02]","class":"sp800-53a"}],"prose":"evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.","links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#cp-8.4_smt","rel":"assessment-for"}]},{"id":"cp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing primary and alternate telecommunications services\n\ncontingency plan\n\nprovider contingency plans\n\nevidence of contingency testing\/training by providers\n\nprimary and alternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nprimary and alternate telecommunications service providers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for acquisitions\/contractual agreements"}]}]},{"id":"cp-8.5","class":"SP800-53-enhancement","title":"Alternate Telecommunication Service Testing","params":[{"id":"cp-08.05_odp","props":[{"name":"alt-identifier","value":"cp-8.5_prm_1"},{"name":"label","value":"CP-08(05)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which alternate telecommunications services are tested is defined;"}]}],"props":[{"name":"label","value":"CP-8(5)"},{"name":"label","value":"CP-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-8","rel":"required"},{"href":"#cp-3","rel":"related"}],"parts":[{"id":"cp-8.5_smt","name":"statement","prose":"Test alternate telecommunication services {{ insert: param, cp-08.05_odp }}."},{"id":"cp-8.5_gdn","name":"guidance","prose":"Alternate telecommunications services testing is arranged through contractual agreements with service providers. The testing may occur in parallel with normal operations to ensure that there is no degradation in organizational missions or functions."},{"id":"cp-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-08(05)","class":"sp800-53a"}],"prose":"alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}.","links":[{"href":"#cp-8.5_smt","rel":"assessment-for"}]},{"id":"cp-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate telecommunications services\n\ncontingency plan\n\nevidence of testing alternate telecommunications services\n\nalternate telecommunications service agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, plan implementation, and testing responsibilities\n\nalternate telecommunications service providers\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting testing alternate telecommunications services"}]}]}]},{"id":"cp-9","class":"SP800-53","title":"System Backup","params":[{"id":"cp-09_odp.01","props":[{"name":"alt-identifier","value":"cp-9_prm_1"},{"name":"label","value":"CP-09_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which to conduct backups of user-level information is defined;"}]},{"id":"cp-09_odp.02","props":[{"name":"alt-identifier","value":"cp-9_prm_2"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.03","props":[{"name":"alt-identifier","value":"cp-9_prm_3"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09_odp.04","props":[{"name":"alt-identifier","value":"cp-9_prm_4"},{"name":"alt-label","value":"frequency consistent with recovery time and recovery point objectives","class":"sp800-53"},{"name":"label","value":"CP-09_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9"},{"name":"label","value":"CP-09","class":"sp800-53a"},{"name":"sort-id","value":"cp-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#3653e316-8923-430e-8943-b3b2b2562fc6","rel":"reference"},{"href":"#2494df28-9049-4196-b233-540e7440993f","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-9_smt","name":"statement","parts":[{"id":"cp-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} {{ insert: param, cp-09_odp.02 }};"},{"id":"cp-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct backups of system-level information contained in the system {{ insert: param, cp-09_odp.03 }};"},{"id":"cp-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, cp-09_odp.04 }} ; and"},{"id":"cp-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Protect the confidentiality, integrity, and availability of backup information."}]},{"id":"cp-9_gdn","name":"guidance","prose":"System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by [MP-5](#mp-5) and [SC-8](#sc-8) . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"cp-9_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"CP-09a.","class":"sp800-53a"}],"prose":"backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};","links":[{"href":"#cp-9_smt.a","rel":"assessment-for"}]},{"id":"cp-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"CP-09b.","class":"sp800-53a"}],"prose":"backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};","links":[{"href":"#cp-9_smt.b","rel":"assessment-for"}]},{"id":"cp-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"CP-09c.","class":"sp800-53a"}],"prose":"backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};","links":[{"href":"#cp-9_smt.c","rel":"assessment-for"}]},{"id":"cp-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.","class":"sp800-53a"}],"parts":[{"id":"cp-9_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[01]","class":"sp800-53a"}],"prose":"the confidentiality of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[02]","class":"sp800-53a"}],"prose":"the integrity of backup information is protected;","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]},{"id":"cp-9_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"CP-09d.[03]","class":"sp800-53a"}],"prose":"the availability of backup information is protected.","links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#cp-9_smt","rel":"assessment-for"}]},{"id":"cp-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"cp-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"cp-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}],"controls":[{"id":"cp-9.1","class":"SP800-53-enhancement","title":"Testing for Reliability and Integrity","params":[{"id":"cp-9.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.01_odp.02"}],"label":"organization-defined frequency"},{"id":"cp-09.01_odp.01","props":[{"name":"label","value":"CP-09(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for media reliability is defined;"}]},{"id":"cp-09.01_odp.02","props":[{"name":"label","value":"CP-09(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test backup information for information integrity is defined;"}]}],"props":[{"name":"label","value":"CP-9(1)"},{"name":"label","value":"CP-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.1_smt","name":"statement","prose":"Test backup information {{ insert: param, cp-9.1_prm_1 }} to verify media reliability and information integrity."},{"id":"cp-9.1_gdn","name":"guidance","prose":"Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance."},{"id":"cp-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)","class":"sp800-53a"}],"parts":[{"id":"cp-9.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[01]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(01)[02]","class":"sp800-53a"}],"prose":"backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.","links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.1_smt","rel":"assessment-for"}]},{"id":"cp-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.2","class":"SP800-53-enhancement","title":"Test Restoration Using Sampling","props":[{"name":"label","value":"CP-9(2)"},{"name":"label","value":"CP-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-4","rel":"related"}],"parts":[{"id":"cp-9.2_smt","name":"statement","prose":"Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing."},{"id":"cp-9.2_gdn","name":"guidance","prose":"Organizations need assurance that system functions can be restored correctly and can support established organizational missions. To ensure that the selected system functions are thoroughly exercised during contingency plan testing, a sample of backup information is retrieved to determine whether the functions are operating as intended. Organizations can determine the sample size for the functions and backup information based on the level of assurance needed."},{"id":"cp-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(02)","class":"sp800-53a"}],"prose":"a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.","links":[{"href":"#cp-9.2_smt","rel":"assessment-for"}]},{"id":"cp-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with contingency planning\/contingency plan testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"cp-9.3","class":"SP800-53-enhancement","title":"Separate Storage for Critical Information","params":[{"id":"cp-09.03_odp","props":[{"name":"alt-identifier","value":"cp-9.3_prm_1"},{"name":"label","value":"CP-09(03)_ODP","class":"sp800-53a"}],"label":"critical system software and other security-related information","guidelines":[{"prose":"critical system software and other security-related information backups to be stored in a separate facility are defined;"}]}],"props":[{"name":"label","value":"CP-9(3)"},{"name":"label","value":"CP-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"}],"parts":[{"id":"cp-9.3_smt","name":"statement","prose":"Store backup copies of {{ insert: param, cp-09.03_odp }} in a separate facility or in a fire rated container that is not collocated with the operational system."},{"id":"cp-9.3_gdn","name":"guidance","prose":"Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers."},{"id":"cp-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(03)","class":"sp800-53a"}],"prose":"backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.","links":[{"href":"#cp-9.3_smt","rel":"assessment-for"}]},{"id":"cp-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nbackup storage location(s)\n\nsystem backup configurations and associated documentation\n\nsystem backup logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"cp-9.4","class":"SP800-53-enhancement","title":"Protection from Unauthorized Modification","props":[{"name":"label","value":"CP-9(4)"},{"name":"label","value":"CP-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-9","rel":"incorporated-into"}]},{"id":"cp-9.5","class":"SP800-53-enhancement","title":"Transfer to Alternate Storage Site","params":[{"id":"cp-9.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-09.05_odp.02"}],"label":"organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives"},{"id":"cp-09.05_odp.01","props":[{"name":"label","value":"CP-09(05)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives is defined;"}]},{"id":"cp-09.05_odp.02","props":[{"name":"label","value":"CP-09(05)_ODP[02]","class":"sp800-53a"}],"label":"transfer rate","guidelines":[{"prose":"transfer rate consistent with recovery time and recovery point objectives is defined;"}]}],"props":[{"name":"label","value":"CP-9(5)"},{"name":"label","value":"CP-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"}],"parts":[{"id":"cp-9.5_smt","name":"statement","prose":"Transfer system backup information to the alternate storage site {{ insert: param, cp-9.5_prm_1 }}."},{"id":"cp-9.5_gdn","name":"guidance","prose":"System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media."},{"id":"cp-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)","class":"sp800-53a"}],"parts":[{"id":"cp-9.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[01]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};","links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]},{"id":"cp-9.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(05)[02]","class":"sp800-53a"}],"prose":"system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.","links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.5_smt","rel":"assessment-for"}]},{"id":"cp-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup logs or records\n\nevidence of system backup information transferred to alternate storage site\n\nalternate storage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for transferring system backups to the alternate storage site\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to the alternate storage site"}]}]},{"id":"cp-9.6","class":"SP800-53-enhancement","title":"Redundant Secondary System","props":[{"name":"label","value":"CP-9(6)"},{"name":"label","value":"CP-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"cp-9.6_smt","name":"statement","prose":"Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations."},{"id":"cp-9.6_gdn","name":"guidance","prose":"The effect of system backup can be achieved by maintaining a redundant secondary system that mirrors the primary system, including the replication of information. If this type of redundancy is in place and there is sufficient geographic separation between the two systems, the secondary system can also serve as the alternate processing site."},{"id":"cp-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)","class":"sp800-53a"}],"parts":[{"id":"cp-9.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)[01]","class":"sp800-53a"}],"prose":"system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;","links":[{"href":"#cp-9.6_smt","rel":"assessment-for"}]},{"id":"cp-9.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-09(06)[02]","class":"sp800-53a"}],"prose":"system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.","links":[{"href":"#cp-9.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-9.6_smt","rel":"assessment-for"}]},{"id":"cp-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for the redundant secondary system"}]},{"id":"cp-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining redundant secondary systems\n\nmechanisms supporting and\/or implementing system backups\n\nmechanisms supporting and\/or implementing information transfer to a redundant secondary system"}]}]},{"id":"cp-9.7","class":"SP800-53-enhancement","title":"Dual Authorization for Deletion or Destruction","params":[{"id":"cp-09.07_odp","props":[{"name":"alt-identifier","value":"cp-9.7_prm_1"},{"name":"label","value":"CP-09(07)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information for which to enforce dual authorization in order to delete or destroy is defined;"}]}],"props":[{"name":"label","value":"CP-9(7)"},{"name":"label","value":"CP-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#mp-2","rel":"related"}],"parts":[{"id":"cp-9.7_smt","name":"statement","prose":"Enforce dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }}."},{"id":"cp-9.7_gdn","name":"guidance","prose":"Dual authorization ensures that deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting or destroying backup information possess the skills or expertise to determine if the proposed deletion or destruction of information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals."},{"id":"cp-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(07)","class":"sp800-53a"}],"prose":"dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced.","links":[{"href":"#cp-9.7_smt","rel":"assessment-for"}]},{"id":"cp-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem generated list of dual authorization credentials or rules\n\nlogs or records of deletion or destruction of backup information\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing dual authorization\n\nmechanisms supporting and\/or implementing the deletion\/destruction of backup information"}]}]},{"id":"cp-9.8","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"cp-09.08_odp","props":[{"name":"alt-identifier","value":"cp-9.8_prm_1"},{"name":"label","value":"CP-09(08)_ODP","class":"sp800-53a"}],"label":"backup information","guidelines":[{"prose":"backup information to protect against unauthorized disclosure and modification is defined;"}]}],"props":[{"name":"label","value":"CP-9(8)"},{"name":"label","value":"CP-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"cp-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"cp-9.8_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."},{"id":"cp-9.8_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions."},{"id":"cp-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-09(08)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.","links":[{"href":"#cp-9.8_smt","rel":"assessment-for"}]},{"id":"cp-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system backup responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection of backup information"}]}]}]},{"id":"cp-10","class":"SP800-53","title":"System Recovery and Reconstitution","params":[{"id":"cp-10_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"cp-10_odp.02"}],"label":"organization-defined time period consistent with recovery time and recovery point objectives"},{"id":"cp-10_odp.01","props":[{"name":"label","value":"CP-10_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;"}]},{"id":"cp-10_odp.02","props":[{"name":"label","value":"CP-10_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;"}]}],"props":[{"name":"label","value":"CP-10"},{"name":"label","value":"CP-10","class":"sp800-53a"},{"name":"sort-id","value":"cp-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-10_smt","name":"statement","prose":"Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, cp-10_prm_1 }} after a disruption, compromise, or failure."},{"id":"cp-10_gdn","name":"guidance","prose":"Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning."},{"id":"cp-10_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10","class":"sp800-53a"}],"parts":[{"id":"cp-10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"CP-10[01]","class":"sp800-53a"}],"prose":"the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"CP-10[02]","class":"sp800-53a"}],"prose":"a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.","links":[{"href":"#cp-10_smt","rel":"assessment-for"}]}],"links":[{"href":"#cp-10_smt","rel":"assessment-for"}]},{"id":"cp-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system backup\n\ncontingency plan\n\nsystem backup test results\n\ncontingency plan test results\n\ncontingency plan test documentation\n\nredundant secondary system for system backups\n\nlocation(s) of redundant secondary backup system(s)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning, recovery, and\/or reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes implementing system recovery and reconstitution operations\n\nmechanisms supporting and\/or implementing system recovery and reconstitution operations"}]}],"controls":[{"id":"cp-10.1","class":"SP800-53-enhancement","title":"Contingency Plan Testing","props":[{"name":"label","value":"CP-10(1)"},{"name":"label","value":"CP-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cp-4","rel":"incorporated-into"}]},{"id":"cp-10.2","class":"SP800-53-enhancement","title":"Transaction Recovery","props":[{"name":"label","value":"CP-10(2)"},{"name":"label","value":"CP-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"}],"parts":[{"id":"cp-10.2_smt","name":"statement","prose":"Implement transaction recovery for systems that are transaction-based."},{"id":"cp-10.2_gdn","name":"guidance","prose":"Transaction-based systems include database management systems and transaction processing systems. Mechanisms supporting transaction recovery include transaction rollback and transaction journaling."},{"id":"cp-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(02)","class":"sp800-53a"}],"prose":"transaction recovery is implemented for systems that are transaction-based.","links":[{"href":"#cp-10.2_smt","rel":"assessment-for"}]},{"id":"cp-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem transaction recovery records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for transaction recovery\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transaction recovery capability"}]}]},{"id":"cp-10.3","class":"SP800-53-enhancement","title":"Compensating Security Controls","props":[{"name":"label","value":"CP-10(3)"},{"name":"label","value":"CP-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.03"},{"name":"status","value":"withdrawn"}],"parts":[{"id":"cp-10.3_smt","name":"statement","prose":"Addressed through tailoring."}]},{"id":"cp-10.4","class":"SP800-53-enhancement","title":"Restore Within Time Period","params":[{"id":"cp-10.04_odp","props":[{"name":"alt-identifier","value":"cp-10.4_prm_1"},{"name":"label","value":"CP-10(04)_ODP","class":"sp800-53a"}],"label":"restoration time periods","guidelines":[{"prose":"restoration time period within which to restore system components to a known, operational state is defined;"}]}],"props":[{"name":"label","value":"CP-10(4)"},{"name":"label","value":"CP-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"cp-10.4_smt","name":"statement","prose":"Provide the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components."},{"id":"cp-10.4_gdn","name":"guidance","prose":"Restoration of system components includes reimaging, which restores the components to known, operational states."},{"id":"cp-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(04)","class":"sp800-53a"}],"prose":"the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.","links":[{"href":"#cp-10.4_smt","rel":"assessment-for"}]},{"id":"cp-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nevidence of system recovery and reconstitution operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the recovery\/reconstitution of system information"}]}]},{"id":"cp-10.5","class":"SP800-53-enhancement","title":"Failover Capability","props":[{"name":"label","value":"CP-10(5)"},{"name":"label","value":"CP-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-13","rel":"incorporated-into"}]},{"id":"cp-10.6","class":"SP800-53-enhancement","title":"Component Protection","props":[{"name":"label","value":"CP-10(6)"},{"name":"label","value":"CP-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"cp-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"cp-10.6_smt","name":"statement","prose":"Protect system components used for recovery and reconstitution."},{"id":"cp-10.6_gdn","name":"guidance","prose":"Protection of system recovery and reconstitution components (i.e., hardware, firmware, and software) includes physical and technical controls. Backup and restoration components used for recovery and reconstitution include router tables, compilers, and other system software."},{"id":"cp-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-10(06)","class":"sp800-53a"}],"prose":"system components used for recovery and reconstitution are protected.","links":[{"href":"#cp-10.6_smt","rel":"assessment-for"}]},{"id":"cp-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing system recovery and reconstitution\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access credentials\n\nphysical access credentials\n\nlogical access authorization records\n\nphysical access authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system recovery and reconstitution responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting backup and restoration of hardware, firmware, and software\n\nmechanisms supporting and\/or implementing protection of backups and restoration of hardware, firmware, and software"}]}]}]},{"id":"cp-11","class":"SP800-53","title":"Alternate Communications Protocols","params":[{"id":"cp-11_odp","props":[{"name":"alt-identifier","value":"cp-11_prm_1"},{"name":"label","value":"CP-11_ODP","class":"sp800-53a"}],"label":"alternative communications protocols","guidelines":[{"prose":"alternative communications protocols in support of maintaining continuity of operations are defined;"}]}],"props":[{"name":"label","value":"CP-11"},{"name":"label","value":"CP-11","class":"sp800-53a"},{"name":"sort-id","value":"cp-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-13","rel":"related"}],"parts":[{"id":"cp-11_smt","name":"statement","prose":"Provide the capability to employ {{ insert: param, cp-11_odp }} in support of maintaining continuity of operations."},{"id":"cp-11_gdn","name":"guidance","prose":"Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation."},{"id":"cp-11_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-11","class":"sp800-53a"}],"prose":"the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations.","links":[{"href":"#cp-11_smt","rel":"assessment-for"}]},{"id":"cp-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternative communications protocols\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of alternative communications protocols supporting continuity of operations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with contingency planning and plan implementation responsibilities\n\norganizational personnel with continuity of operations planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cp-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms employing alternative communications protocols"}]}]},{"id":"cp-12","class":"SP800-53","title":"Safe Mode","params":[{"id":"cp-12_odp.01","props":[{"name":"alt-identifier","value":"cp-12_prm_2"},{"name":"alt-label","value":"restrictions of safe mode of operation","class":"sp800-53"},{"name":"label","value":"CP-12_ODP[01]","class":"sp800-53a"}],"label":"restrictions","guidelines":[{"prose":"restrictions for safe mode of operation are defined;"}]},{"id":"cp-12_odp.02","props":[{"name":"alt-identifier","value":"cp-12_prm_1"},{"name":"label","value":"CP-12_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions detected to enter a safe mode of operation are defined;"}]}],"props":[{"name":"label","value":"CP-12"},{"name":"label","value":"CP-12","class":"sp800-53a"},{"name":"sort-id","value":"cp-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cm-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#si-17","rel":"related"}],"parts":[{"id":"cp-12_smt","name":"statement","prose":"When {{ insert: param, cp-12_odp.02 }} are detected, enter a safe mode of operation with {{ insert: param, cp-12_odp.01 }}."},{"id":"cp-12_gdn","name":"guidance","prose":"For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth."},{"id":"cp-12_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-12","class":"sp800-53a"}],"prose":"a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected.","links":[{"href":"#cp-12_smt","rel":"assessment-for"}]},{"id":"cp-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing safe mode of operation for the system\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem administration manuals\n\nsystem operation manuals\n\nsystem installation manuals\n\ncontingency plan test records\n\nincident handling records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"cp-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing safe mode of operation"}]}]},{"id":"cp-13","class":"SP800-53","title":"Alternative Security Mechanisms","params":[{"id":"cp-13_odp.01","props":[{"name":"alt-identifier","value":"cp-13_prm_1"},{"name":"label","value":"CP-13_ODP[01]","class":"sp800-53a"}],"label":"alternative or supplemental security mechanisms","guidelines":[{"prose":"alternative or supplemental security mechanisms are defined;"}]},{"id":"cp-13_odp.02","props":[{"name":"alt-identifier","value":"cp-13_prm_2"},{"name":"label","value":"CP-13_ODP[02]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions are defined;"}]}],"props":[{"name":"label","value":"CP-13"},{"name":"label","value":"CP-13","class":"sp800-53a"},{"name":"sort-id","value":"cp-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-11","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"cp-13_smt","name":"statement","prose":"Employ {{ insert: param, cp-13_odp.01 }} for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised."},{"id":"cp-13_gdn","name":"guidance","prose":"Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised."},{"id":"cp-13_obj","name":"assessment-objective","props":[{"name":"label","value":"CP-13","class":"sp800-53a"}],"prose":"{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.","links":[{"href":"#cp-13_smt","rel":"assessment-for"}]},{"id":"cp-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"CP-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contingency planning policy\n\nprocedures addressing alternate security mechanisms\n\ncontingency plan\n\ncontinuity of operations plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncontingency plan test records\n\ncontingency plan test results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"cp-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"CP-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"cp-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"CP-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"system capability implementing alternative security mechanisms"}]}]}]},{"id":"ia","class":"family","title":"Identification and Authentication","controls":[{"id":"ia-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ia-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ia-01_odp.01","props":[{"name":"label","value":"IA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication policy is to be disseminated are defined;"}]},{"id":"ia-01_odp.02","props":[{"name":"label","value":"IA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the identification and authentication procedures are to be disseminated is\/are defined;"}]},{"id":"ia-01_odp.03","props":[{"name":"alt-identifier","value":"ia-1_prm_2"},{"name":"label","value":"IA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ia-01_odp.04","props":[{"name":"alt-identifier","value":"ia-1_prm_3"},{"name":"label","value":"IA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the identification and authentication policy and procedures is defined;"}]},{"id":"ia-01_odp.05","props":[{"name":"alt-identifier","value":"ia-1_prm_4"},{"name":"label","value":"IA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication policy is reviewed and updated is defined;"}]},{"id":"ia-01_odp.06","props":[{"name":"alt-identifier","value":"ia-1_prm_5"},{"name":"label","value":"IA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current identification and authentication policy to be reviewed and updated are defined;"}]},{"id":"ia-01_odp.07","props":[{"name":"alt-identifier","value":"ia-1_prm_6"},{"name":"label","value":"IA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current identification and authentication procedures are reviewed and updated is defined;"}]},{"id":"ia-01_odp.08","props":[{"name":"alt-identifier","value":"ia-1_prm_7"},{"name":"label","value":"IA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require identification and authentication procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IA-1"},{"name":"label","value":"IA-01","class":"sp800-53a"},{"name":"sort-id","value":"ia-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ia-1_smt","name":"statement","parts":[{"id":"ia-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}:","parts":[{"id":"ia-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ia-01_odp.03 }} identification and authentication policy that:","parts":[{"id":"ia-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ia-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ia-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;"}]},{"id":"ia-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and"},{"id":"ia-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current identification and authentication:","parts":[{"id":"ia-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and"},{"id":"ia-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}."}]}]},{"id":"ia-1_gdn","name":"guidance","prose":"Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ia-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[01]","class":"sp800-53a"}],"prose":"an identification and authentication policy is developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[02]","class":"sp800-53a"}],"prose":"the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[03]","class":"sp800-53a"}],"prose":"identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.[04]","class":"sp800-53a"}],"prose":"the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};","links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;","links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ia-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ia-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.a","rel":"assessment-for"}]},{"id":"ia-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;","links":[{"href":"#ia-1_smt.b","rel":"assessment-for"}]},{"id":"ia-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[01]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.01[02]","class":"sp800-53a"}],"prose":"the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};","links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.1","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ia-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[01]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]},{"id":"ia-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IA-01c.02[02]","class":"sp800-53a"}],"prose":"the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.","links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-1_smt","rel":"assessment-for"}]},{"id":"ia-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\nlist of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings)\n\nother relevant documents or records"}]},{"id":"ia-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ia-2","class":"SP800-53","title":"Identification and Authentication (Organizational Users)","props":[{"name":"label","value":"IA-2"},{"name":"label","value":"IA-02","class":"sp800-53a"},{"name":"sort-id","value":"ia-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#d9e036ba-6eec-46a6-9340-b0bf1fea23b4","rel":"reference"},{"href":"#e8552d48-cf41-40aa-8b06-f45f7fb4706c","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#7f473f21-fdbf-4a6c-81a1-0ab95919609d","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"ia-2_smt","name":"statement","prose":"Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."},{"id":"ia-2_gdn","name":"guidance","prose":"Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12](#f16e438e-7114-4144-bfe2-2dfcad8cb2d0) . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in [AC-14](#ac-14) and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.\n\nOrganizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.\n\nThe use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in [IA-8](#ia-8)."},{"id":"ia-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02","class":"sp800-53a"}],"parts":[{"id":"ia-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-02[01]","class":"sp800-53a"}],"prose":"organizational users are uniquely identified and authenticated;","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-02[02]","class":"sp800-53a"}],"prose":"the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.","links":[{"href":"#ia-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-2_smt","rel":"assessment-for"}]},{"id":"ia-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan, system design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\nsystem developers"}]},{"id":"ia-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for uniquely identifying and authenticating users\n\nmechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-2.1","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Privileged Accounts","props":[{"name":"label","value":"IA-2(1)"},{"name":"label","value":"IA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.1_smt","name":"statement","prose":"Implement multi-factor authentication for access to privileged accounts."},{"id":"ia-2.1_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(01)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for access to privileged accounts.","links":[{"href":"#ia-2.1_smt","rel":"assessment-for"}]},{"id":"ia-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.2","class":"SP800-53-enhancement","title":"Multi-factor Authentication to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(2)"},{"name":"label","value":"IA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"ia-2.2_smt","name":"statement","prose":"Implement multi-factor authentication for access to non-privileged accounts."},{"id":"ia-2.2_gdn","name":"guidance","prose":"Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access."},{"id":"ia-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(02)","class":"sp800-53a"}],"prose":"multi-factor authentication for access to non-privileged accounts is implemented.","links":[{"href":"#ia-2.2_smt","rel":"assessment-for"}]},{"id":"ia-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a multi-factor authentication capability"}]}]},{"id":"ia-2.3","class":"SP800-53-enhancement","title":"Local Access to Privileged Accounts","props":[{"name":"label","value":"IA-2(3)"},{"name":"label","value":"IA-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.1","rel":"incorporated-into"}]},{"id":"ia-2.4","class":"SP800-53-enhancement","title":"Local Access to Non-privileged Accounts","props":[{"name":"label","value":"IA-2(4)"},{"name":"label","value":"IA-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.2","rel":"incorporated-into"}]},{"id":"ia-2.5","class":"SP800-53-enhancement","title":"Individual Authentication with Group Authentication","props":[{"name":"label","value":"IA-2(5)"},{"name":"label","value":"IA-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.5_smt","name":"statement","prose":"When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources."},{"id":"ia-2.5_gdn","name":"guidance","prose":"Individual authentication prior to shared group authentication mitigates the risk of using group accounts or authenticators."},{"id":"ia-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(05)","class":"sp800-53a"}],"prose":"users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.","links":[{"href":"#ia-2.5_smt","rel":"assessment-for"}]},{"id":"ia-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an authentication capability for group accounts"}]}]},{"id":"ia-2.6","class":"SP800-53-enhancement","title":"Access to Accounts —separate Device","params":[{"id":"ia-02.06_odp.01","props":[{"name":"alt-identifier","value":"ia-2.6_prm_1"},{"name":"label","value":"IA-02(06)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","network","remote"]}},{"id":"ia-02.06_odp.02","props":[{"name":"alt-identifier","value":"ia-2.6_prm_2"},{"name":"label","value":"IA-02(06)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}},{"id":"ia-02.06_odp.03","props":[{"name":"alt-identifier","value":"ia-2.6_prm_3"},{"name":"label","value":"IA-02(06)_ODP[03]","class":"sp800-53a"}],"label":"strength of mechanism requirements","guidelines":[{"prose":"the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;"}]}],"props":[{"name":"label","value":"IA-2(6)"},{"name":"label","value":"IA-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ia-2.6_smt","name":"statement","prose":"Implement multi-factor authentication for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that:","parts":[{"id":"ia-2.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"One of the factors is provided by a device separate from the system gaining access; and"},{"id":"ia-2.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"The device meets {{ insert: param, ia-02.06_odp.03 }}."}]},{"id":"ia-2.6_gdn","name":"guidance","prose":"The purpose of requiring a device that is separate from the system to which the user is attempting to gain access for one of the factors during multi-factor authentication is to reduce the likelihood of compromising authenticators or credentials stored on the system. Adversaries may be able to compromise such authenticators or credentials and subsequently impersonate authorized users. Implementing one of the factors on a separate device (e.g., a hardware token), provides a greater strength of mechanism and an increased level of assurance in the authentication process."},{"id":"ia-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)","class":"sp800-53a"}],"parts":[{"id":"ia-2.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)(a)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;","links":[{"href":"#ia-2.6_smt.a","rel":"assessment-for"}]},{"id":"ia-2.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-02(06)(b)","class":"sp800-53a"}],"prose":"multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.","links":[{"href":"#ia-2.6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-2.6_smt","rel":"assessment-for"}]},{"id":"ia-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing multi-factor authentication capability"}]}]},{"id":"ia-2.7","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts — Separate Device","props":[{"name":"label","value":"IA-2(7)"},{"name":"label","value":"IA-02(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.6","rel":"incorporated-into"}]},{"id":"ia-2.8","class":"SP800-53-enhancement","title":"Access to Accounts — Replay Resistant","params":[{"id":"ia-02.08_odp","props":[{"name":"alt-identifier","value":"ia-2.8_prm_1"},{"name":"label","value":"IA-02(08)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["privileged accounts","non-privileged accounts"]}}],"props":[{"name":"label","value":"IA-2(8)"},{"name":"label","value":"IA-02(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.8_smt","name":"statement","prose":"Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}."},{"id":"ia-2.8_gdn","name":"guidance","prose":"Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators."},{"id":"ia-2.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(08)","class":"sp800-53a"}],"prose":"replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.","links":[{"href":"#ia-2.8_smt","rel":"assessment-for"}]},{"id":"ia-2.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of privileged system accounts\n\nother relevant documents or records"}]},{"id":"ia-2.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nMechanisms supporting and\/or implementing replay-resistant authentication mechanisms"}]}]},{"id":"ia-2.9","class":"SP800-53-enhancement","title":"Network Access to Non-privileged Accounts — Replay Resistant","props":[{"name":"label","value":"IA-2(9)"},{"name":"label","value":"IA-02(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.8","rel":"incorporated-into"}]},{"id":"ia-2.10","class":"SP800-53-enhancement","title":"Single Sign-on","params":[{"id":"ia-02.10_odp","props":[{"name":"alt-identifier","value":"ia-2.10_prm_1"},{"name":"label","value":"IA-02(10)_ODP","class":"sp800-53a"}],"label":"system accounts and services","guidelines":[{"prose":"system accounts and services for which a single sign-on capability must be provided are defined;"}]}],"props":[{"name":"label","value":"IA-2(10)"},{"name":"label","value":"IA-02(10)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.10_smt","name":"statement","prose":"Provide a single sign-on capability for {{ insert: param, ia-02.10_odp }}."},{"id":"ia-2.10_gdn","name":"guidance","prose":"Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to add multi-factor authentication for applications and systems (existing and new) that may not be able to natively support multi-factor authentication."},{"id":"ia-2.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(10)","class":"sp800-53a"}],"prose":"a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}.","links":[{"href":"#ia-2.10_smt","rel":"assessment-for"}]},{"id":"ia-2.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing single sign-on capability for system accounts and services\n\nprocedures addressing identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts and services requiring single sign-on capability\n\nother relevant documents or records"}]},{"id":"ia-2.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing single sign-on capability for system accounts and services"}]}]},{"id":"ia-2.11","class":"SP800-53-enhancement","title":"Remote Access — Separate Device","props":[{"name":"label","value":"IA-2(11)"},{"name":"label","value":"IA-02(11)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.6","rel":"incorporated-into"}]},{"id":"ia-2.12","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials","props":[{"name":"label","value":"IA-2(12)"},{"name":"label","value":"IA-02(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"}],"parts":[{"id":"ia-2.12_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials."},{"id":"ia-2.12_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03) . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in [SP 800-166](#e8552d48-cf41-40aa-8b06-f45f7fb4706c) . The DOD Common Access Card (CAC) is an example of a PIV credential."},{"id":"ia-2.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(12)","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials are accepted and electronically verified.","links":[{"href":"#ia-2.12_smt","rel":"assessment-for"}]},{"id":"ia-2.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-2.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing acceptance and verification of PIV credentials"}]}]},{"id":"ia-2.13","class":"SP800-53-enhancement","title":"Out-of-band Authentication","params":[{"id":"ia-02.13_odp.01","props":[{"name":"alt-identifier","value":"ia-2.13_prm_2"},{"name":"label","value":"IA-02(13)_ODP[01]","class":"sp800-53a"}],"label":"out-of-band authentication","guidelines":[{"prose":"out-of-band authentication mechanisms to be implemented are defined;"}]},{"id":"ia-02.13_odp.02","props":[{"name":"alt-identifier","value":"ia-2.13_prm_1"},{"name":"label","value":"IA-02(13)_ODP[02]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which out-of-band authentication is to be implemented are defined;"}]}],"props":[{"name":"label","value":"IA-2(13)"},{"name":"label","value":"IA-02(13)","class":"sp800-53a"},{"name":"sort-id","value":"ia-02.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-2","rel":"required"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-2.13_smt","name":"statement","prose":"Implement the following out-of-band authentication mechanisms under {{ insert: param, ia-02.13_odp.02 }}: {{ insert: param, ia-02.13_odp.01 }}."},{"id":"ia-2.13_gdn","name":"guidance","prose":"Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and\/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected \"man-in the-middle\" attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions."},{"id":"ia-2.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-02(13)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}.","links":[{"href":"#ia-2.13_smt","rel":"assessment-for"}]},{"id":"ia-2.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-02(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem-generated list of out-of-band authentication paths\n\nother relevant documents or records"}]},{"id":"ia-2.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-02(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-2.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-02(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing out-of-band authentication capability"}]}]}]},{"id":"ia-3","class":"SP800-53","title":"Device Identification and Authentication","params":[{"id":"ia-03_odp.01","props":[{"name":"alt-identifier","value":"ia-3_prm_1"},{"name":"label","value":"IA-03_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;"}]},{"id":"ia-03_odp.02","props":[{"name":"alt-identifier","value":"ia-3_prm_2"},{"name":"label","value":"IA-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3"},{"name":"label","value":"IA-03","class":"sp800-53a"},{"name":"sort-id","value":"ia-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ia-3_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-03_odp.01 }} before establishing a {{ insert: param, ia-03_odp.02 }} connection."},{"id":"ia-3_gdn","name":"guidance","prose":"Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol\/Internet Protocol [TCP\/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number\/type of devices based on mission or business needs."},{"id":"ia-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03","class":"sp800-53a"}],"prose":"{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.","links":[{"href":"#ia-3_smt","rel":"assessment-for"}]},{"id":"ia-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities"}]}],"controls":[{"id":"ia-3.1","class":"SP800-53-enhancement","title":"Cryptographic Bidirectional Authentication","params":[{"id":"ia-03.01_odp.01","props":[{"name":"alt-identifier","value":"ia-3.1_prm_1"},{"name":"label","value":"IA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"devices and\/or types of devices","guidelines":[{"prose":"devices and\/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;"}]},{"id":"ia-03.01_odp.02","props":[{"name":"alt-identifier","value":"ia-3.1_prm_2"},{"name":"label","value":"IA-03(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["local","remote","network"]}}],"props":[{"name":"label","value":"IA-3(1)"},{"name":"label","value":"IA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-3.1_smt","name":"statement","prose":"Authenticate {{ insert: param, ia-03.01_odp.01 }} before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based."},{"id":"ia-3.1_gdn","name":"guidance","prose":"A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk."},{"id":"ia-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(01)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based.","links":[{"href":"#ia-3.1_smt","rel":"assessment-for"}]},{"id":"ia-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nlist of devices requiring unique identification and authentication\n\ndevice connection reports\n\nsystem configuration settings and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device authentication capability\n\ncryptographically based bidirectional authentication mechanisms"}]}]},{"id":"ia-3.2","class":"SP800-53-enhancement","title":"Cryptographic Bidirectional Network Authentication","props":[{"name":"label","value":"IA-3(2)"},{"name":"label","value":"IA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-3.1","rel":"incorporated-into"}]},{"id":"ia-3.3","class":"SP800-53-enhancement","title":"Dynamic Address Allocation","params":[{"id":"ia-3.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-03.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-03.03_odp.02"}],"label":"organization-defined lease information and lease duration"},{"id":"ia-03.03_odp.01","props":[{"name":"label","value":"IA-03(03)_ODP[01]","class":"sp800-53a"}],"label":"lease information","guidelines":[{"prose":"lease information to be employed to standardize dynamic address allocation for devices is defined;"}]},{"id":"ia-03.03_odp.02","props":[{"name":"label","value":"IA-03(03)_ODP[02]","class":"sp800-53a"}],"label":"lease duration","guidelines":[{"prose":"lease duration to be employed to standardize dynamic address allocation for devices is defined;"}]}],"props":[{"name":"label","value":"IA-3(3)"},{"name":"label","value":"IA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#au-2","rel":"related"}],"parts":[{"id":"ia-3.3_smt","name":"statement","parts":[{"id":"ia-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with {{ insert: param, ia-3.3_prm_1 }} ; and"},{"id":"ia-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Audit lease information when assigned to a device."}]},{"id":"ia-3.3_gdn","name":"guidance","prose":"The Dynamic Host Configuration Protocol (DHCP) is an example of a means by which clients can dynamically receive network address assignments."},{"id":"ia-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ia-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)[01]","class":"sp800-53a"}],"prose":"dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};","links":[{"href":"#ia-3.3_smt.a","rel":"assessment-for"}]},{"id":"ia-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(a)[02]","class":"sp800-53a"}],"prose":"dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};","links":[{"href":"#ia-3.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ia-3.3_smt.a","rel":"assessment-for"}]},{"id":"ia-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-03(03)(b)","class":"sp800-53a"}],"prose":"lease information is audited when assigned to a device.","links":[{"href":"#ia-3.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-3.3_smt","rel":"assessment-for"}]},{"id":"ia-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nevidence of lease information and lease duration assigned to devices\n\ndevice connection reports\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities\n\nmechanisms supporting and\/or implementing dynamic address allocation\n\nmechanisms supporting and\/or implanting auditing of lease information"}]}]},{"id":"ia-3.4","class":"SP800-53-enhancement","title":"Device Attestation","params":[{"id":"ia-03.04_odp","props":[{"name":"alt-identifier","value":"ia-3.4_prm_1"},{"name":"label","value":"IA-03(04)_ODP","class":"sp800-53a"}],"label":"configuration management process","guidelines":[{"prose":"configuration management process to be employed to handle device identification and authentication based on attestation is defined;"}]}],"props":[{"name":"label","value":"IA-3(4)"},{"name":"label","value":"IA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-3","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"}],"parts":[{"id":"ia-3.4_smt","name":"statement","prose":"Handle device identification and authentication based on attestation by {{ insert: param, ia-03.04_odp }}."},{"id":"ia-3.4_gdn","name":"guidance","prose":"Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices."},{"id":"ia-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-03(04)","class":"sp800-53a"}],"prose":"device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}.","links":[{"href":"#ia-3.4_smt","rel":"assessment-for"}]},{"id":"ia-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing device identification and authentication\n\nprocedures addressing device configuration management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nconfiguration management records\n\nchange control records\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with operational responsibilities for device identification and authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing device identification and authentication capabilities\n\nmechanisms supporting and\/or implementing configuration management\n\ncryptographic mechanisms supporting device attestation"}]}]}]},{"id":"ia-4","class":"SP800-53","title":"Identifier Management","params":[{"id":"ia-04_odp.01","props":[{"name":"alt-identifier","value":"ia-4_prm_1"},{"name":"label","value":"IA-04_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles from whom authorization must be received to assign an identifier are defined;"}]},{"id":"ia-04_odp.02","props":[{"name":"alt-identifier","value":"ia-4_prm_2"},{"name":"label","value":"IA-04_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for preventing reuse of identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4"},{"name":"label","value":"IA-04","class":"sp800-53a"},{"name":"sort-id","value":"ia-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#sc-37","rel":"related"}],"parts":[{"id":"ia-4_smt","name":"statement","prose":"Manage system identifiers by:","parts":[{"id":"ia-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier;"},{"id":"ia-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Selecting an identifier that identifies an individual, group, role, service, or device;"},{"id":"ia-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assigning the identifier to the intended individual, group, role, service, or device; and"},{"id":"ia-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."}]},{"id":"ia-4_gdn","name":"guidance","prose":"Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of [AC-2](#ac-2) use account names provided by [IA-4](#ia-4) . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices."},{"id":"ia-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04","class":"sp800-53a"}],"parts":[{"id":"ia-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-04a.","class":"sp800-53a"}],"prose":"system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;","links":[{"href":"#ia-4_smt.a","rel":"assessment-for"}]},{"id":"ia-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-04b.","class":"sp800-53a"}],"prose":"system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.b","rel":"assessment-for"}]},{"id":"ia-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-04c.","class":"sp800-53a"}],"prose":"system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;","links":[{"href":"#ia-4_smt.c","rel":"assessment-for"}]},{"id":"ia-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-04d.","class":"sp800-53a"}],"prose":"system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.","links":[{"href":"#ia-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ia-4_smt","rel":"assessment-for"}]},{"id":"ia-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system accounts\n\nlist of identifiers generated from physical access control devices\n\nother relevant documents or records"}]},{"id":"ia-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}],"controls":[{"id":"ia-4.1","class":"SP800-53-enhancement","title":"Prohibit Account Identifiers as Public Identifiers","props":[{"name":"label","value":"IA-4(1)"},{"name":"label","value":"IA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ia-4.1_smt","name":"statement","prose":"Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts."},{"id":"ia-4.1_gdn","name":"guidance","prose":"Prohibiting account identifiers as public identifiers applies to any publicly disclosed account identifier used for communication such as, electronic mail and instant messaging. Prohibiting the use of systems account identifiers that are the same as some public identifier, such as the individual identifier section of an electronic mail address, makes it more difficult for adversaries to guess user identifiers. Prohibiting account identifiers as public identifiers without the implementation of other supporting controls only complicates guessing of identifiers. Additional protections are required for authenticators and credentials to protect the account."},{"id":"ia-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(01)","class":"sp800-53a"}],"prose":"the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.","links":[{"href":"#ia-4.1_smt","rel":"assessment-for"}]},{"id":"ia-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.2","class":"SP800-53-enhancement","title":"Supervisor Authorization","props":[{"name":"label","value":"IA-4(2)"},{"name":"label","value":"IA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.1","rel":"incorporated-into"}]},{"id":"ia-4.3","class":"SP800-53-enhancement","title":"Multiple Forms of Certification","props":[{"name":"label","value":"IA-4(3)"},{"name":"label","value":"IA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.2","rel":"incorporated-into"}]},{"id":"ia-4.4","class":"SP800-53-enhancement","title":"Identify User Status","params":[{"id":"ia-04.04_odp","props":[{"name":"alt-identifier","value":"ia-4.4_prm_1"},{"name":"alt-label","value":"characteristic identifying individual status","class":"sp800-53"},{"name":"label","value":"IA-04(04)_ODP","class":"sp800-53a"}],"label":"characteristics","guidelines":[{"prose":"characteristics used to identify individual status is defined;"}]}],"props":[{"name":"label","value":"IA-4(4)"},{"name":"label","value":"IA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.4_smt","name":"statement","prose":"Manage individual identifiers by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."},{"id":"ia-4.4_gdn","name":"guidance","prose":"Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor."},{"id":"ia-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(04)","class":"sp800-53a"}],"prose":"individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.","links":[{"href":"#ia-4.4_smt","rel":"assessment-for"}]},{"id":"ia-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nlist of characteristics identifying individual status\n\nother relevant documents or records"}]},{"id":"ia-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.5","class":"SP800-53-enhancement","title":"Dynamic Management","params":[{"id":"ia-04.05_odp","props":[{"name":"alt-identifier","value":"ia-4.5_prm_1"},{"name":"label","value":"IA-04(05)_ODP","class":"sp800-53a"}],"label":"dynamic identifier policy","guidelines":[{"prose":"a dynamic identifier policy for managing individual identifiers is defined;"}]}],"props":[{"name":"label","value":"IA-4(5)"},{"name":"label","value":"IA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"ia-4.5_smt","name":"statement","prose":"Manage individual identifiers dynamically in accordance with {{ insert: param, ia-04.05_odp }}."},{"id":"ia-4.5_gdn","name":"guidance","prose":"In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at runtime for entities that were previously unknown. When identifiers are established at runtime for previously unknown entities, organizations can anticipate and provision for the dynamic establishment of identifiers. Pre-established trust relationships and mechanisms with appropriate authorities to validate credentials and related identifiers are essential."},{"id":"ia-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(05)","class":"sp800-53a"}],"prose":"individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}.","links":[{"href":"#ia-4.5_smt","rel":"assessment-for"}]},{"id":"ia-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing dynamic identifier management"}]}]},{"id":"ia-4.6","class":"SP800-53-enhancement","title":"Cross-organization Management","params":[{"id":"ia-04.06_odp","props":[{"name":"alt-identifier","value":"ia-4.6_prm_1"},{"name":"label","value":"IA-04(06)_ODP","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations with whom to coordinate the cross-organization management of identifiers are defined;"}]}],"props":[{"name":"label","value":"IA-4(6)"},{"name":"label","value":"IA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-4.6_smt","name":"statement","prose":"Coordinate with the following external organizations for cross-organization management of identifiers: {{ insert: param, ia-04.06_odp }}."},{"id":"ia-4.6_gdn","name":"guidance","prose":"Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information."},{"id":"ia-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(06)","class":"sp800-53a"}],"prose":"cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}.","links":[{"href":"#ia-4.6_smt","rel":"assessment-for"}]},{"id":"ia-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.7","class":"SP800-53-enhancement","title":"In-person Registration","props":[{"name":"label","value":"IA-4(7)"},{"name":"label","value":"IA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.4","rel":"incorporated-into"}]},{"id":"ia-4.8","class":"SP800-53-enhancement","title":"Pairwise Pseudonymous Identifiers","props":[{"name":"label","value":"IA-4(8)"},{"name":"label","value":"IA-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-4","rel":"required"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-4.8_smt","name":"statement","prose":"Generate pairwise pseudonymous identifiers."},{"id":"ia-4.8_gdn","name":"guidance","prose":"A pairwise pseudonymous identifier is an opaque unguessable subscriber identifier generated by an identity provider for use at a specific individual relying party. Generating distinct pairwise pseudonymous identifiers with no identifying information about a subscriber discourages subscriber activity tracking and profiling beyond the operational requirements established by an organization. The pairwise pseudonymous identifiers are unique to each relying party except in situations where relying parties can show a demonstrable relationship justifying an operational need for correlation, or all parties consent to being correlated in such a manner."},{"id":"ia-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(08)","class":"sp800-53a"}],"prose":"pairwise pseudonymous identifiers are generated.","links":[{"href":"#ia-4.8_smt","rel":"assessment-for"}]},{"id":"ia-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]},{"id":"ia-4.9","class":"SP800-53-enhancement","title":"Attribute Maintenance and Protection","params":[{"id":"ia-04.09_odp","props":[{"name":"alt-identifier","value":"ia-4.9_prm_1"},{"name":"label","value":"IA-04(09)_ODP","class":"sp800-53a"}],"label":"protected central storage","guidelines":[{"prose":"protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined;"}]}],"props":[{"name":"label","value":"IA-4(9)"},{"name":"label","value":"IA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-4","rel":"required"}],"parts":[{"id":"ia-4.9_smt","name":"statement","prose":"Maintain the attributes for each uniquely identified individual, device, or service in {{ insert: param, ia-04.09_odp }}."},{"id":"ia-4.9_gdn","name":"guidance","prose":"For each of the entities covered in [IA-2](#ia-2), [IA-3](#ia-3), [IA-8](#ia-8) , and [IA-9](#ia-9) , it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store."},{"id":"ia-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-04(09)","class":"sp800-53a"}],"prose":"the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}.","links":[{"href":"#ia-4.9_smt","rel":"assessment-for"}]},{"id":"ia-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing identifier management\n\nprocedures addressing account management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ia-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identifier management"}]}]}]},{"id":"ia-5","class":"SP800-53","title":"Authenticator Management","params":[{"id":"ia-05_odp.01","props":[{"name":"alt-identifier","value":"ia-5_prm_1"},{"name":"label","value":"IA-05_ODP[01]","class":"sp800-53a"}],"label":"time period by authenticator type","guidelines":[{"prose":"a time period for changing or refreshing authenticators by authenticator type is defined;"}]},{"id":"ia-05_odp.02","props":[{"name":"alt-identifier","value":"ia-5_prm_2"},{"name":"label","value":"IA-05_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the change or refreshment of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5"},{"name":"label","value":"IA-05","class":"sp800-53a"},{"name":"sort-id","value":"ia-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#91701292-8bcd-4d2e-a5bd-59ab61e34b3c","rel":"reference"},{"href":"#4f5f51ac-2b8d-4b90-a3c7-46f56e967617","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-5_smt","name":"statement","prose":"Manage system authenticators by:","parts":[{"id":"ia-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;"},{"id":"ia-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing initial authenticator content for any authenticators issued by the organization;"},{"id":"ia-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ensuring that authenticators have sufficient strength of mechanism for their intended use;"},{"id":"ia-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;"},{"id":"ia-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Changing default authenticators prior to first use;"},{"id":"ia-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"},{"id":"ia-5_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Protecting authenticator content from unauthorized disclosure and modification;"},{"id":"ia-5_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and"},{"id":"ia-5_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Changing authenticators for group or role accounts when membership to those accounts changes."}]},{"id":"ia-5_gdn","name":"guidance","prose":"Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control [PL-4](#pl-4) or [PS-6](#ps-6) for authenticators in the possession of individuals and by controls [AC-3](#ac-3), [AC-6](#ac-6) , and [SC-28](#sc-28) for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.\n\nSystems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed."},{"id":"ia-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05a.","class":"sp800-53a"}],"prose":"system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;","links":[{"href":"#ia-5_smt.a","rel":"assessment-for"}]},{"id":"ia-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05b.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;","links":[{"href":"#ia-5_smt.b","rel":"assessment-for"}]},{"id":"ia-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05c.","class":"sp800-53a"}],"prose":"system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;","links":[{"href":"#ia-5_smt.c","rel":"assessment-for"}]},{"id":"ia-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05d.","class":"sp800-53a"}],"prose":"system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;","links":[{"href":"#ia-5_smt.d","rel":"assessment-for"}]},{"id":"ia-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05e.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of default authenticators prior to first use;","links":[{"href":"#ia-5_smt.e","rel":"assessment-for"}]},{"id":"ia-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05f.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;","links":[{"href":"#ia-5_smt.f","rel":"assessment-for"}]},{"id":"ia-5_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05g.","class":"sp800-53a"}],"prose":"system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;","links":[{"href":"#ia-5_smt.g","rel":"assessment-for"}]},{"id":"ia-5_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.","class":"sp800-53a"}],"parts":[{"id":"ia-5_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[01]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"IA-05h.[02]","class":"sp800-53a"}],"prose":"system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;","links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt.h","rel":"assessment-for"}]},{"id":"ia-5_obj.i","name":"assessment-objective","props":[{"name":"label","value":"IA-05i.","class":"sp800-53a"}],"prose":"system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.","links":[{"href":"#ia-5_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#ia-5_smt","rel":"assessment-for"}]},{"id":"ia-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\naddressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system authenticator types\n\nchange control records associated with managing system authenticators\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}],"controls":[{"id":"ia-5.1","class":"SP800-53-enhancement","title":"Password-based Authentication","params":[{"id":"ia-05.01_odp.01","props":[{"name":"alt-identifier","value":"ia-5.1_prm_1"},{"name":"label","value":"IA-05(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;"}]},{"id":"ia-05.01_odp.02","props":[{"name":"alt-identifier","value":"ia-5.1_prm_2"},{"name":"label","value":"IA-05(01)_ODP[02]","class":"sp800-53a"}],"label":"composition and complexity rules","guidelines":[{"prose":"authenticator composition and complexity rules are defined;"}]}],"props":[{"name":"label","value":"IA-5(1)"},{"name":"label","value":"IA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-6","rel":"related"}],"parts":[{"id":"ia-5.1_smt","name":"statement","prose":"For password-based authentication:","parts":[{"id":"ia-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"},{"id":"ia-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);"},{"id":"ia-5.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Transmit passwords only over cryptographically-protected channels;"},{"id":"ia-5.1_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Store passwords using an approved salted key derivation function, preferably using a keyed hash;"},{"id":"ia-5.1_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Require immediate selection of a new password upon account recovery;"},{"id":"ia-5.1_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Allow user selection of long passwords and passphrases, including spaces and all printable characters;"},{"id":"ia-5.1_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Employ automated tools to assist the user in selecting strong password authenticators; and"},{"id":"ia-5.1_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}."}]},{"id":"ia-5.1_gdn","name":"guidance","prose":"Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof."},{"id":"ia-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ia-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(a)","class":"sp800-53a"}],"prose":"for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;","links":[{"href":"#ia-5.1_smt.a","rel":"assessment-for"}]},{"id":"ia-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(b)","class":"sp800-53a"}],"prose":"for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);","links":[{"href":"#ia-5.1_smt.b","rel":"assessment-for"}]},{"id":"ia-5.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(c)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are only transmitted over cryptographically protected channels;","links":[{"href":"#ia-5.1_smt.c","rel":"assessment-for"}]},{"id":"ia-5.1_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(d)","class":"sp800-53a"}],"prose":"for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;","links":[{"href":"#ia-5.1_smt.d","rel":"assessment-for"}]},{"id":"ia-5.1_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(e)","class":"sp800-53a"}],"prose":"for password-based authentication, immediate selection of a new password is required upon account recovery;","links":[{"href":"#ia-5.1_smt.e","rel":"assessment-for"}]},{"id":"ia-5.1_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(f)","class":"sp800-53a"}],"prose":"for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;","links":[{"href":"#ia-5.1_smt.f","rel":"assessment-for"}]},{"id":"ia-5.1_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(g)","class":"sp800-53a"}],"prose":"for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;","links":[{"href":"#ia-5.1_smt.g","rel":"assessment-for"}]},{"id":"ia-5.1_obj.h","name":"assessment-objective","props":[{"name":"label","value":"IA-05(01)(h)","class":"sp800-53a"}],"prose":"for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.","links":[{"href":"#ia-5.1_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.1_smt","rel":"assessment-for"}]},{"id":"ia-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\npassword policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npassword configurations and associated documentation\n\nother relevant documents or records"}]},{"id":"ia-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing password-based authenticator management capability"}]}]},{"id":"ia-5.2","class":"SP800-53-enhancement","title":"Public Key-based Authentication","props":[{"name":"label","value":"IA-5(2)"},{"name":"label","value":"IA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#sc-17","rel":"related"}],"parts":[{"id":"ia-5.2_smt","name":"statement","parts":[{"id":"ia-5.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"For public key-based authentication:","parts":[{"id":"ia-5.2_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Enforce authorized access to the corresponding private key; and"},{"id":"ia-5.2_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Map the authenticated identity to the account of the individual or group; and"}]},{"id":"ia-5.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"When public key infrastructure (PKI) is used:","parts":[{"id":"ia-5.2_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and"},{"id":"ia-5.2_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Implement a local cache of revocation data to support path discovery and validation."}]}]},{"id":"ia-5.2_gdn","name":"guidance","prose":"Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lists or certificate status protocol responses. For PIV cards, certificate validation involves the construction and verification of a certification path to the Common Policy Root trust anchor, which includes certificate policy processing. Implementing a local cache of revocation data to support path discovery and validation also supports system availability in situations where organizations are unable to access revocation information via the network."},{"id":"ia-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(01)","class":"sp800-53a"}],"prose":"authorized access to the corresponding private key is enforced for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(a)(02)","class":"sp800-53a"}],"prose":"the authenticated identity is mapped to the account of the individual or group for public key-based authentication;","links":[{"href":"#ia-5.2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.a","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-5.2_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(01)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;","links":[{"href":"#ia-5.2_smt.b.1","rel":"assessment-for"}]},{"id":"ia-5.2_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"IA-05(02)(b)(02)","class":"sp800-53a"}],"prose":"when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.","links":[{"href":"#ia-5.2_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.2_smt","rel":"assessment-for"}]},{"id":"ia-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nPKI certification validation records\n\nPKI certification revocation lists\n\nother relevant documents or records"}]},{"id":"ia-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with PKI-based, authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based, authenticator management capability"}]}]},{"id":"ia-5.3","class":"SP800-53-enhancement","title":"In-person or Trusted External Party Registration","props":[{"name":"label","value":"IA-5(3)"},{"name":"label","value":"IA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-12.4","rel":"incorporated-into"}]},{"id":"ia-5.4","class":"SP800-53-enhancement","title":"Automated Support for Password Strength Determination","props":[{"name":"label","value":"IA-5(4)"},{"name":"label","value":"IA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-5.1","rel":"incorporated-into"}]},{"id":"ia-5.5","class":"SP800-53-enhancement","title":"Change Authenticators Prior to Delivery","props":[{"name":"label","value":"IA-5(5)"},{"name":"label","value":"IA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.5_smt","name":"statement","prose":"Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation."},{"id":"ia-5.5_gdn","name":"guidance","prose":"Changing authenticators prior to the delivery and installation of system components extends the requirement for organizations to change default authenticators upon system installation by requiring developers and\/or installers to provide unique authenticators or change default authenticators for system components prior to delivery and\/or installation. However, it typically does not apply to developers of commercial off-the-shelf information technology products. Requirements for unique authenticators can be included in acquisition documents prepared by organizations when procuring systems or system components."},{"id":"ia-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(05)","class":"sp800-53a"}],"prose":"developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.","links":[{"href":"#ia-5.5_smt","rel":"assessment-for"}]},{"id":"ia-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem and services acquisition policy\n\nprocedures addressing authenticator management\n\nprocedures addressing the integration of security requirements into the acquisition process\n\nacquisition documentation\n\nacquisition contracts for system procurements or services\n\nother relevant documents or records"}]},{"id":"ia-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security, acquisition, and contracting responsibilities\n\nsystem developers"}]},{"id":"ia-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}]},{"id":"ia-5.6","class":"SP800-53-enhancement","title":"Protection of Authenticators","props":[{"name":"label","value":"IA-5(6)"},{"name":"label","value":"IA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ra-2","rel":"related"}],"parts":[{"id":"ia-5.6_smt","name":"statement","prose":"Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access."},{"id":"ia-5.6_gdn","name":"guidance","prose":"For systems that contain multiple security categories of information without reliable physical or logical separation between categories, authenticators used to grant access to the systems are protected commensurate with the highest security category of information on the systems. Security categories of information are determined as part of the security categorization process."},{"id":"ia-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(06)","class":"sp800-53a"}],"prose":"authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.","links":[{"href":"#ia-5.6_smt","rel":"assessment-for"}]},{"id":"ia-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsecurity categorization documentation for the system\n\nsecurity assessments of authenticator protections\n\nrisk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel implementing and\/or maintaining authenticator protections\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms protecting authenticators"}]}]},{"id":"ia-5.7","class":"SP800-53-enhancement","title":"No Embedded Unencrypted Static Authenticators","props":[{"name":"label","value":"IA-5(7)"},{"name":"label","value":"IA-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.7_smt","name":"statement","prose":"Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage."},{"id":"ia-5.7_gdn","name":"guidance","prose":"In addition to applications, other forms of static storage include access scripts and function keys. Organizations exercise caution when determining whether embedded or stored authenticators are in encrypted or unencrypted form. If authenticators are used in the manner stored, then those representations are considered unencrypted authenticators."},{"id":"ia-5.7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(07)","class":"sp800-53a"}],"prose":"unencrypted static authenticators are not embedded in applications or other forms of static storage.","links":[{"href":"#ia-5.7_smt","rel":"assessment-for"}]},{"id":"ia-5.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlogical access scripts\n\napplication code reviews for detecting unencrypted static authenticators\n\nother relevant documents or records"}]},{"id":"ia-5.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability\n\nmechanisms implementing authentication in applications"}]}]},{"id":"ia-5.8","class":"SP800-53-enhancement","title":"Multiple System Accounts","params":[{"id":"ia-05.08_odp","props":[{"name":"alt-identifier","value":"ia-5.8_prm_1"},{"name":"label","value":"IA-05(08)_ODP","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;"}]}],"props":[{"name":"label","value":"IA-5(8)"},{"name":"label","value":"IA-05(08)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"ia-5.8_smt","name":"statement","prose":"Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems."},{"id":"ia-5.8_gdn","name":"guidance","prose":"When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see [PL-4](#pl-4) ) and access agreements (see [PS-6](#ps-6) ) to mitigate the risk of multiple system accounts."},{"id":"ia-5.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(08)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.","links":[{"href":"#ia-5.8_smt","rel":"assessment-for"}]},{"id":"ia-5.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nlist of individuals having accounts on multiple systems\n\nlist of security safeguards intended to manage risk of compromise due to individuals having accounts on multiple systems\n\nother relevant documents or records"}]},{"id":"ia-5.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing safeguards for authenticator management"}]}]},{"id":"ia-5.9","class":"SP800-53-enhancement","title":"Federated Credential Management","params":[{"id":"ia-05.09_odp","props":[{"name":"alt-identifier","value":"ia-5.9_prm_1"},{"name":"label","value":"IA-05(09)_ODP","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to be used for federating credentials are defined;"}]}],"props":[{"name":"label","value":"IA-5(9)"},{"name":"label","value":"IA-05(09)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#au-7","rel":"related"},{"href":"#au-16","rel":"related"}],"parts":[{"id":"ia-5.9_smt","name":"statement","prose":"Use the following external organizations to federate credentials: {{ insert: param, ia-05.09_odp }}."},{"id":"ia-5.9_gdn","name":"guidance","prose":"Federation provides organizations with the capability to authenticate individuals and devices when conducting cross-organization activities involving the processing, storage, or transmission of information. Using a specific list of approved external organizations for authentication helps to ensure that those organizations are vetted and trusted."},{"id":"ia-5.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(09)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.09_odp }} are used to federate credentials.","links":[{"href":"#ia-5.9_smt","rel":"assessment-for"}]},{"id":"ia-5.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nprocedures addressing account management\n\nsystem security plan\n\nsecurity agreements\n\nother relevant documents or records"}]},{"id":"ia-5.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing safeguards for authenticator management"}]}]},{"id":"ia-5.10","class":"SP800-53-enhancement","title":"Dynamic Credential Binding","params":[{"id":"ia-05.10_odp","props":[{"name":"alt-identifier","value":"ia-5.10_prm_1"},{"name":"label","value":"IA-05(10)_ODP","class":"sp800-53a"}],"label":"binding rules","guidelines":[{"prose":"rules for dynamically binding identities and authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5(10)"},{"name":"label","value":"IA-05(10)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"ia-5.10_smt","name":"statement","prose":"Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}."},{"id":"ia-5.10_gdn","name":"guidance","prose":"Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential."},{"id":"ia-5.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(10)","class":"sp800-53a"}],"prose":"identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}.","links":[{"href":"#ia-5.10_smt","rel":"assessment-for"}]},{"id":"ia-5.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nautomated mechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identifier management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing identifier management capability\n\nautomated mechanisms implementing dynamic binding of identities and authenticators"}]}]},{"id":"ia-5.11","class":"SP800-53-enhancement","title":"Hardware Token-based Authentication","props":[{"name":"label","value":"IA-5(11)"},{"name":"label","value":"IA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-2.1","rel":"incorporated-into"},{"href":"#ia-2.2","rel":"incorporated-into"}]},{"id":"ia-5.12","class":"SP800-53-enhancement","title":"Biometric Authentication Performance","params":[{"id":"ia-05.12_odp","props":[{"name":"alt-identifier","value":"ia-5.12_prm_1"},{"name":"label","value":"IA-05(12)_ODP","class":"sp800-53a"}],"label":"biometric quality requirements","guidelines":[{"prose":"biometric quality requirements for biometric-based authentication are defined;"}]}],"props":[{"name":"label","value":"IA-5(12)"},{"name":"label","value":"IA-05(12)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ac-7","rel":"related"}],"parts":[{"id":"ia-5.12_smt","name":"statement","prose":"For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements {{ insert: param, ia-05.12_odp }}."},{"id":"ia-5.12_gdn","name":"guidance","prose":"Unlike password-based authentication, which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide exact matches. Depending on the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and the stored biometric that serves as the basis for comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users. Biometric performance requirements include the match rate, which reflects the accuracy of the biometric matching algorithm used by a system."},{"id":"ia-5.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(12)","class":"sp800-53a"}],"prose":"mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication.","links":[{"href":"#ia-5.12_smt","rel":"assessment-for"}]},{"id":"ia-5.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms employing biometric-based authentication for the system\n\nlist of biometric quality requirements\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing biometric-based authenticator management capability"}]}]},{"id":"ia-5.13","class":"SP800-53-enhancement","title":"Expiration of Cached Authenticators","params":[{"id":"ia-05.13_odp","props":[{"name":"alt-identifier","value":"ia-5.13_prm_1"},{"name":"label","value":"IA-05(13)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period after which the use of cached authenticators is prohibited is defined;"}]}],"props":[{"name":"label","value":"IA-5(13)"},{"name":"label","value":"IA-05(13)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.13_smt","name":"statement","prose":"Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}."},{"id":"ia-5.13_gdn","name":"guidance","prose":"Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable."},{"id":"ia-5.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(13)","class":"sp800-53a"}],"prose":"the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.","links":[{"href":"#ia-5.13_smt","rel":"assessment-for"}]},{"id":"ia-5.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing authenticator management capability"}]}]},{"id":"ia-5.14","class":"SP800-53-enhancement","title":"Managing Content of PKI Trust Stores","props":[{"name":"label","value":"IA-5(14)"},{"name":"label","value":"IA-05(14)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.14_smt","name":"statement","prose":"For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications."},{"id":"ia-5.14_gdn","name":"guidance","prose":"An organization-wide methodology for managing the content of PKI trust stores helps improve the accuracy and currency of PKI-based authentication credentials across the organization."},{"id":"ia-5.14_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(14)","class":"sp800-53a"}],"prose":"an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.","links":[{"href":"#ia-5.14_smt","rel":"assessment-for"}]},{"id":"ia-5.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing authenticator management\n\nsystem security plan\n\norganizational methodology for managing content of PKI trust stores across installed all platforms\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nenterprise architecture documentation\n\nother relevant documents or records"}]},{"id":"ia-5.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with authenticator management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-5.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing PKI-based authenticator management capability\n\nmechanisms supporting and\/or implementing the PKI trust store capability"}]}]},{"id":"ia-5.15","class":"SP800-53-enhancement","title":"GSA-approved Products and Services","props":[{"name":"label","value":"IA-5(15)"},{"name":"label","value":"IA-05(15)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.15_smt","name":"statement","prose":"Use only General Services Administration-approved products and services for identity, credential, and access management."},{"id":"ia-5.15_gdn","name":"guidance","prose":"General Services Administration (GSA)-approved products and services are products and services that have been approved through the GSA conformance program, where applicable, and posted to the GSA Approved Products List. GSA provides guidance for teams to design and build functional and secure systems that comply with Federal Identity, Credential, and Access Management (FICAM) policies, technologies, and implementation patterns."},{"id":"ia-5.15_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(15)","class":"sp800-53a"}],"prose":"only General Services Administration-approved products and services are used for identity, credential, and access management.","links":[{"href":"#ia-5.15_smt","rel":"assessment-for"}]},{"id":"ia-5.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.16","class":"SP800-53-enhancement","title":"In-person or Trusted External Party Authenticator Issuance","params":[{"id":"ia-05.16_odp.01","props":[{"name":"alt-identifier","value":"ia-5.16_prm_1"},{"name":"label","value":"IA-05(16)_ODP[01]","class":"sp800-53a"}],"label":"types of and\/or specific authenticators","guidelines":[{"prose":"types of and\/or specific authenticators to be issued are defined;"}]},{"id":"ia-05.16_odp.02","props":[{"name":"alt-identifier","value":"ia-5.16_prm_2"},{"name":"label","value":"IA-05(16)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["in person","by a trusted external party"]}},{"id":"ia-05.16_odp.03","props":[{"name":"alt-identifier","value":"ia-5.16_prm_3"},{"name":"label","value":"IA-05(16)_ODP[03]","class":"sp800-53a"}],"label":"registration authority","guidelines":[{"prose":"the registration authority that issues authenticators is defined;"}]},{"id":"ia-05.16_odp.04","props":[{"name":"alt-identifier","value":"ia-5.16_prm_4"},{"name":"label","value":"IA-05(16)_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles who authorize the issuance of authenticators are defined;"}]}],"props":[{"name":"label","value":"IA-5(16)"},{"name":"label","value":"IA-05(16)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-5.16_smt","name":"statement","prose":"Require that the issuance of {{ insert: param, ia-05.16_odp.01 }} be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}."},{"id":"ia-5.16_gdn","name":"guidance","prose":"Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process."},{"id":"ia-5.16_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(16)","class":"sp800-53a"}],"prose":"the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}.","links":[{"href":"#ia-5.16_smt","rel":"assessment-for"}]},{"id":"ia-5.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.17","class":"SP800-53-enhancement","title":"Presentation Attack Detection for Biometric Authenticators","props":[{"name":"label","value":"IA-5(17)"},{"name":"label","value":"IA-05(17)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"},{"href":"#ac-7","rel":"related"}],"parts":[{"id":"ia-5.17_smt","name":"statement","prose":"Employ presentation attack detection mechanisms for biometric-based authentication."},{"id":"ia-5.17_gdn","name":"guidance","prose":"Biometric characteristics do not constitute secrets. Such characteristics can be obtained by online web accesses, taking a picture of someone with a camera phone to obtain facial images with or without their knowledge, lifting from objects that someone has touched (e.g., a latent fingerprint), or capturing a high-resolution image (e.g., an iris pattern). Presentation attack detection technologies including liveness detection, can mitigate the risk of these types of attacks by making it difficult to produce artifacts intended to defeat the biometric sensor."},{"id":"ia-5.17_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(17)","class":"sp800-53a"}],"prose":"presentation attack detection mechanisms are employed for biometric-based authentication.","links":[{"href":"#ia-5.17_smt","rel":"assessment-for"}]},{"id":"ia-5.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]},{"id":"ia-5.18","class":"SP800-53-enhancement","title":"Password Managers","params":[{"id":"ia-05.18_odp.01","props":[{"name":"alt-identifier","value":"ia-5.18_prm_1"},{"name":"label","value":"IA-05(18)_ODP[01]","class":"sp800-53a"}],"label":"password managers","guidelines":[{"prose":"password managers employed for generating and managing passwords are defined;"}]},{"id":"ia-05.18_odp.02","props":[{"name":"alt-identifier","value":"ia-5.18_prm_2"},{"name":"label","value":"IA-05(18)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls for protecting passwords are defined;"}]}],"props":[{"name":"label","value":"IA-5(18)"},{"name":"label","value":"IA-05(18)","class":"sp800-53a"},{"name":"sort-id","value":"ia-05.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-5","rel":"required"}],"parts":[{"id":"ia-5.18_smt","name":"statement","parts":[{"id":"ia-5.18_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and"},{"id":"ia-5.18_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}."}]},{"id":"ia-5.18_gdn","name":"guidance","prose":"For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see [IA-5(1)(d)](#ia-5.1_smt.d) ) and storing the collection offline in a token."},{"id":"ia-5.18_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)","class":"sp800-53a"}],"parts":[{"id":"ia-5.18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;","links":[{"href":"#ia-5.18_smt.a","rel":"assessment-for"}]},{"id":"ia-5.18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-05(18)(b)","class":"sp800-53a"}],"prose":"the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}.","links":[{"href":"#ia-5.18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-5.18_smt","rel":"assessment-for"}]},{"id":"ia-5.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-05(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identifier management\n\nsystem security plan\n\nsystem design documentation\n\nmechanisms providing dynamic binding of identifiers and authenticators\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-5.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-05(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with identification and authentication management responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ia-5.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-05(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing account management capability\n\nmechanisms supporting and\/or implementing identification and authentication management capabilities for the system"}]}]}]},{"id":"ia-6","class":"SP800-53","title":"Authentication Feedback","props":[{"name":"label","value":"IA-6"},{"name":"label","value":"IA-06","class":"sp800-53a"},{"name":"sort-id","value":"ia-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"}],"parts":[{"id":"ia-6_smt","name":"statement","prose":"Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."},{"id":"ia-6_gdn","name":"guidance","prose":"Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it."},{"id":"ia-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-06","class":"sp800-53a"}],"prose":"the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.","links":[{"href":"#ia-6_smt","rel":"assessment-for"}]},{"id":"ia-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing authenticator feedback\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the obscuring of feedback of authentication information during authentication"}]}]},{"id":"ia-7","class":"SP800-53","title":"Cryptographic Module Authentication","props":[{"name":"label","value":"IA-7"},{"name":"label","value":"IA-07","class":"sp800-53a"},{"name":"sort-id","value":"ia-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-7_smt","name":"statement","prose":"Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."},{"id":"ia-7_gdn","name":"guidance","prose":"Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role."},{"id":"ia-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-07","class":"sp800-53a"}],"prose":"mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.","links":[{"href":"#ia-7_smt","rel":"assessment-for"}]},{"id":"ia-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing cryptographic module authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for cryptographic module authentication\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"ia-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic module authentication"}]}]},{"id":"ia-8","class":"SP800-53","title":"Identification and Authentication (Non-organizational Users)","props":[{"name":"label","value":"IA-8"},{"name":"label","value":"IA-08","class":"sp800-53a"},{"name":"sort-id","value":"ia-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a1555677-2b9d-4868-a97b-a1363aff32f5","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ia-11","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-8_smt","name":"statement","prose":"Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."},{"id":"ia-8_gdn","name":"guidance","prose":"Non-organizational users include system users other than organizational users explicitly covered by [IA-2](#ia-2) . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in [AC-14](#ac-14) . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk."},{"id":"ia-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08","class":"sp800-53a"}],"prose":"non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.","links":[{"href":"#ia-8_smt","rel":"assessment-for"}]},{"id":"ia-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of system accounts\n\nother relevant documents or records"}]},{"id":"ia-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-8.1","class":"SP800-53-enhancement","title":"Acceptance of PIV Credentials from Other Agencies","props":[{"name":"label","value":"IA-8(1)"},{"name":"label","value":"IA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"ia-8.1_smt","name":"statement","prose":"Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."},{"id":"ia-8.1_gdn","name":"guidance","prose":"Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using [SP 800-79-2](#10963761-58fc-4b20-b3d6-b44a54daba03)."},{"id":"ia-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)","class":"sp800-53a"}],"parts":[{"id":"ia-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[01]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are accepted;","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(01)[02]","class":"sp800-53a"}],"prose":"Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.","links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.1_smt","rel":"assessment-for"}]},{"id":"ia-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV verification records\n\nevidence of PIV credentials\n\nPIV credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV credentials"}]}]},{"id":"ia-8.2","class":"SP800-53-enhancement","title":"Acceptance of External Authenticators","props":[{"name":"label","value":"IA-8(2)"},{"name":"label","value":"IA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.2_smt","name":"statement","parts":[{"id":"ia-8.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Accept only external authenticators that are NIST-compliant; and"},{"id":"ia-8.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Document and maintain a list of accepted external authenticators."}]},{"id":"ia-8.2_gdn","name":"guidance","prose":"Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level."},{"id":"ia-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(a)","class":"sp800-53a"}],"prose":"only external authenticators that are NIST-compliant are accepted;","links":[{"href":"#ia-8.2_smt.a","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ia-8.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[01]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is documented;","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]},{"id":"ia-8.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(02)(b)[02]","class":"sp800-53a"}],"prose":"a list of accepted external authenticators is maintained.","links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.2_smt","rel":"assessment-for"}]},{"id":"ia-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of third-party credentialing products, components, or services procured and implemented by organization\n\nthird-party credential verification records\n\nevidence of third-party credentials\n\nthird-party credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept external credentials"}]}]},{"id":"ia-8.3","class":"SP800-53-enhancement","title":"Use of FICAM-approved Products","props":[{"name":"label","value":"IA-8(3)"},{"name":"label","value":"IA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-8.2","rel":"incorporated-into"}]},{"id":"ia-8.4","class":"SP800-53-enhancement","title":"Use of Defined Profiles","params":[{"id":"ia-08.04_odp","props":[{"name":"alt-identifier","value":"ia-8.4_prm_1"},{"name":"label","value":"IA-08(04)_ODP","class":"sp800-53a"}],"label":"identity management profiles","guidelines":[{"prose":"identity management profiles are defined;"}]}],"props":[{"name":"label","value":"IA-8(4)"},{"name":"label","value":"IA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.4_smt","name":"statement","prose":"Conform to the following profiles for identity management {{ insert: param, ia-08.04_odp }}."},{"id":"ia-8.4_gdn","name":"guidance","prose":"Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"ia-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(04)","class":"sp800-53a"}],"prose":"there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.","links":[{"href":"#ia-8.4_smt","rel":"assessment-for"}]},{"id":"ia-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms supporting and\/or implementing conformance with profiles"}]}]},{"id":"ia-8.5","class":"SP800-53-enhancement","title":"Acceptance of PIV-I Credentials","params":[{"id":"ia-08.05_odp","props":[{"name":"alt-identifier","value":"ia-8.5_prm_1"},{"name":"label","value":"IA-08(05)_ODP","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"a policy for using federated or PKI credentials is defined;"}]}],"props":[{"name":"label","value":"IA-8(5)"},{"name":"label","value":"IA-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.5_smt","name":"statement","prose":"Accept and verify federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }}."},{"id":"ia-8.5_gdn","name":"guidance","prose":"Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other commercial or external identity providers. The acceptance and verification of PIV-I-compliant credentials apply to both logical and physical access control systems. The acceptance and verification of PIV-I credentials address nonfederal issuers of identity cards that desire to interoperate with United States Government PIV systems and that can be trusted by Federal Government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA (directly or through another PKI bridge) with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy."},{"id":"ia-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)","class":"sp800-53a"}],"parts":[{"id":"ia-8.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)[01]","class":"sp800-53a"}],"prose":"federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;","links":[{"href":"#ia-8.5_smt","rel":"assessment-for"}]},{"id":"ia-8.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-08(05)[02]","class":"sp800-53a"}],"prose":"federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified.","links":[{"href":"#ia-8.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ia-8.5_smt","rel":"assessment-for"}]},{"id":"ia-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nPIV-I verification records\n\nevidence of PIV-I credentials\n\nPIV-I credential authorizations\n\nother relevant documents or records"}]},{"id":"ia-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities\n\nmechanisms that accept and verify PIV-I credentials"}]}]},{"id":"ia-8.6","class":"SP800-53-enhancement","title":"Disassociability","params":[{"id":"ia-08.06_odp","props":[{"name":"alt-identifier","value":"ia-8.6_prm_1"},{"name":"label","value":"IA-08(06)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"disassociability measures are defined;"}]}],"props":[{"name":"label","value":"IA-8(6)"},{"name":"label","value":"IA-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-8","rel":"required"}],"parts":[{"id":"ia-8.6_smt","name":"statement","prose":"Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: {{ insert: param, ia-08.06_odp }}."},{"id":"ia-8.6_gdn","name":"guidance","prose":"Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks."},{"id":"ia-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-08(06)","class":"sp800-53a"}],"prose":"{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.","links":[{"href":"#ia-8.6_smt","rel":"assessment-for"}]},{"id":"ia-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nsystem security plan\n\nprivacy plan\n\nprocedures addressing user identification and authentication\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with account management responsibilities"}]},{"id":"ia-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]},{"id":"ia-9","class":"SP800-53","title":"Service Identification and Authentication","params":[{"id":"ia-09_odp","props":[{"name":"alt-identifier","value":"ia-9_prm_1"},{"name":"label","value":"IA-09_ODP","class":"sp800-53a"}],"label":"system services and applications","guidelines":[{"prose":"system services and applications to be uniquely identified and authenticated are defined;"}]}],"props":[{"name":"label","value":"IA-9"},{"name":"label","value":"IA-09","class":"sp800-53a"},{"name":"sort-id","value":"ia-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"ia-9_smt","name":"statement","prose":"Uniquely identify and authenticate {{ insert: param, ia-09_odp }} before establishing communications with devices, users, or other services or applications."},{"id":"ia-9_gdn","name":"guidance","prose":"Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions."},{"id":"ia-9_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-09","class":"sp800-53a"}],"prose":"{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.","links":[{"href":"#ia-9_smt","rel":"assessment-for"}]},{"id":"ia-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing service identification and authentication\n\nsystem security plan\n\nsystem design documentation\n\nsecurity safeguards used to identify and authenticate system services\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security safeguards implementing service identification and authentication capabilities"}]}],"controls":[{"id":"ia-9.1","class":"SP800-53-enhancement","title":"Information Exchange","props":[{"name":"label","value":"IA-9(1)"},{"name":"label","value":"IA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-09.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-9","rel":"incorporated-into"}]},{"id":"ia-9.2","class":"SP800-53-enhancement","title":"Transmission of Decisions","props":[{"name":"label","value":"IA-9(2)"},{"name":"label","value":"IA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-09.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ia-9","rel":"incorporated-into"}]}]},{"id":"ia-10","class":"SP800-53","title":"Adaptive Authentication","params":[{"id":"ia-10_odp.01","props":[{"name":"alt-identifier","value":"ia-10_prm_1"},{"name":"label","value":"IA-10_ODP[01]","class":"sp800-53a"}],"label":"supplemental authentication techniques or mechanisms","guidelines":[{"prose":"supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;"}]},{"id":"ia-10_odp.02","props":[{"name":"alt-identifier","value":"ia-10_prm_2"},{"name":"label","value":"IA-10_ODP[02]","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;"}]}],"props":[{"name":"label","value":"IA-10"},{"name":"label","value":"IA-10","class":"sp800-53a"},{"name":"sort-id","value":"ia-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-10_smt","name":"statement","prose":"Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}."},{"id":"ia-10_gdn","name":"guidance","prose":"Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication."},{"id":"ia-10_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-10","class":"sp800-53a"}],"prose":"individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.","links":[{"href":"#ia-10_smt","rel":"assessment-for"}]},{"id":"ia-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing adaptive\/supplemental identification and authentication techniques or mechanisms\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsupplemental identification and authentication techniques or mechanisms\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-11","class":"SP800-53","title":"Re-authentication","params":[{"id":"ia-11_odp","props":[{"name":"alt-identifier","value":"ia-11_prm_1"},{"name":"alt-label","value":"circumstances or situations requiring re-authentication","class":"sp800-53"},{"name":"label","value":"IA-11_ODP","class":"sp800-53a"}],"label":"circumstances or situations","guidelines":[{"prose":"circumstances or situations requiring re-authentication are defined;"}]}],"props":[{"name":"label","value":"IA-11"},{"name":"label","value":"IA-11","class":"sp800-53a"},{"name":"sort-id","value":"ia-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-11_smt","name":"statement","prose":"Require users to re-authenticate when {{ insert: param, ia-11_odp }}."},{"id":"ia-11_gdn","name":"guidance","prose":"In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically."},{"id":"ia-11_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-11","class":"sp800-53a"}],"prose":"users are required to re-authenticate when {{ insert: param, ia-11_odp }}.","links":[{"href":"#ia-11_smt","rel":"assessment-for"}]},{"id":"ia-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing user and device re-authentication\n\nsystem security plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of circumstances or situations requiring re-authentication\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ia-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12","class":"SP800-53","title":"Identity Proofing","props":[{"name":"label","value":"IA-12"},{"name":"label","value":"IA-12","class":"sp800-53a"},{"name":"sort-id","value":"ia-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#9099ed2c-922a-493d-bcb4-d896192243ff","rel":"reference"},{"href":"#10963761-58fc-4b20-b3d6-b44a54daba03","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-6","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-13","rel":"related"}],"parts":[{"id":"ia-12_smt","name":"statement","parts":[{"id":"ia-12_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;"},{"id":"ia-12_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Resolve user identities to a unique individual; and"},{"id":"ia-12_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Collect, validate, and verify identity evidence."}]},{"id":"ia-12_gdn","name":"guidance","prose":"Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include [SP 800-63-3](#737513fa-6758-403f-831d-5ddab5e23cb3) and [SP 800-63A](#9099ed2c-922a-493d-bcb4-d896192243ff) . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"ia-12_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IA-12a.","class":"sp800-53a"}],"prose":"users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;","links":[{"href":"#ia-12_smt.a","rel":"assessment-for"}]},{"id":"ia-12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IA-12b.","class":"sp800-53a"}],"prose":"user identities are resolved to a unique individual;","links":[{"href":"#ia-12_smt.b","rel":"assessment-for"}]},{"id":"ia-12_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.","class":"sp800-53a"}],"parts":[{"id":"ia-12_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[01]","class":"sp800-53a"}],"prose":"identity evidence is collected;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[02]","class":"sp800-53a"}],"prose":"identity evidence is validated;","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]},{"id":"ia-12_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IA-12c.[03]","class":"sp800-53a"}],"prose":"identity evidence is verified.","links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ia-12_smt","rel":"assessment-for"}]},{"id":"ia-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ia-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nlegal counsel\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}],"controls":[{"id":"ia-12.1","class":"SP800-53-enhancement","title":"Supervisor Authorization","props":[{"name":"label","value":"IA-12(1)"},{"name":"label","value":"IA-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.1_smt","name":"statement","prose":"Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization."},{"id":"ia-12.1_gdn","name":"guidance","prose":"Including supervisor or sponsor authorization as part of the registration process provides an additional level of scrutiny to ensure that the user’s management chain is aware of the account, the account is essential to carry out organizational missions and functions, and the user’s privileges are appropriate for the anticipated responsibilities and authorities within the organization."},{"id":"ia-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(01)","class":"sp800-53a"}],"prose":"the registration process to receive an account for logical access includes supervisor or sponsor authorization.","links":[{"href":"#ia-12.1_smt","rel":"assessment-for"}]},{"id":"ia-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.2","class":"SP800-53-enhancement","title":"Identity Evidence","props":[{"name":"label","value":"IA-12(2)"},{"name":"label","value":"IA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.2_smt","name":"statement","prose":"Require evidence of individual identification be presented to the registration authority."},{"id":"ia-12.2_gdn","name":"guidance","prose":"Identity evidence, such as documentary evidence or a combination of documents and biometrics, reduces the likelihood of individuals using fraudulent identification to establish an identity or at least increases the work factor of potential adversaries. The forms of acceptable evidence are consistent with the risks to the systems, roles, and privileges associated with the user’s account."},{"id":"ia-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(02)","class":"sp800-53a"}],"prose":"evidence of individual identification is presented to the registration authority.","links":[{"href":"#ia-12.2_smt","rel":"assessment-for"}]},{"id":"ia-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.3","class":"SP800-53-enhancement","title":"Identity Evidence Validation and Verification","params":[{"id":"ia-12.03_odp","props":[{"name":"alt-identifier","value":"ia-12.3_prm_1"},{"name":"alt-label","value":"organizational defined methods of validation and verification","class":"sp800-53"},{"name":"label","value":"IA-12(03)_ODP","class":"sp800-53a"}],"label":"methods of validation and verification","guidelines":[{"prose":"methods of validation and verification of identity evidence are defined;"}]}],"props":[{"name":"label","value":"IA-12(3)"},{"name":"label","value":"IA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.3_smt","name":"statement","prose":"Require that the presented identity evidence be validated and verified through {{ insert: param, ia-12.03_odp }}."},{"id":"ia-12.3_gdn","name":"guidance","prose":"Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account."},{"id":"ia-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(03)","class":"sp800-53a"}],"prose":"the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.","links":[{"href":"#ia-12.3_smt","rel":"assessment-for"}]},{"id":"ia-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.4","class":"SP800-53-enhancement","title":"In-person Validation and Verification","props":[{"name":"label","value":"IA-12(4)"},{"name":"label","value":"IA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"}],"parts":[{"id":"ia-12.4_smt","name":"statement","prose":"Require that the validation and verification of identity evidence be conducted in person before a designated registration authority."},{"id":"ia-12.4_gdn","name":"guidance","prose":"In-person proofing reduces the likelihood of fraudulent credentials being issued because it requires the physical presence of individuals, the presentation of physical identity documents, and actual face-to-face interactions with designated registration authorities."},{"id":"ia-12.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(04)","class":"sp800-53a"}],"prose":"the validation and verification of identity evidence is conducted in person before a designated registration authority.","links":[{"href":"#ia-12.4_smt","rel":"assessment-for"}]},{"id":"ia-12.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.5","class":"SP800-53-enhancement","title":"Address Confirmation","params":[{"id":"ia-12.05_odp","props":[{"name":"alt-identifier","value":"ia-12.5_prm_1"},{"name":"label","value":"IA-12(05)_ODP","class":"sp800-53a"}],"select":{"choice":["registration code","notice of proofing"]}}],"props":[{"name":"label","value":"IA-12(5)"},{"name":"label","value":"IA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-12.5_smt","name":"statement","prose":"Require that a {{ insert: param, ia-12.05_odp }} be delivered through an out-of-band channel to verify the users address (physical or digital) of record."},{"id":"ia-12.5_gdn","name":"guidance","prose":"To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses."},{"id":"ia-12.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(05)","class":"sp800-53a"}],"prose":"a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.","links":[{"href":"#ia-12.5_smt","rel":"assessment-for"}]},{"id":"ia-12.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]},{"id":"ia-12.6","class":"SP800-53-enhancement","title":"Accept Externally-proofed Identities","params":[{"id":"ia-12.06_odp","props":[{"name":"alt-identifier","value":"ia-12.6_prm_1"},{"name":"label","value":"IA-12(06)_ODP","class":"sp800-53a"}],"label":"identity assurance level","guidelines":[{"prose":"an identity assurance level for accepting externally proofed identities is defined;"}]}],"props":[{"name":"label","value":"IA-12(6)"},{"name":"label","value":"IA-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"ia-12.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ia-12","rel":"required"},{"href":"#ia-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"ia-12.6_smt","name":"statement","prose":"Accept externally-proofed identities at {{ insert: param, ia-12.06_odp }}."},{"id":"ia-12.6_gdn","name":"guidance","prose":"To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept proofing conducted at a commensurate level of assurance by other agencies or organizations. Proofing is consistent with organizational security policy and the identity assurance level appropriate for the system, application, or information accessed. Accepting externally-proofed identities is a fundamental component of managing federated identities across agencies and organizations."},{"id":"ia-12.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-12(06)","class":"sp800-53a"}],"prose":"externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}.","links":[{"href":"#ia-12.6_smt","rel":"assessment-for"}]},{"id":"ia-12.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-12(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy\n\nprocedures addressing identity proofing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ia-12.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-12(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with identification and authentication responsibilities"}]},{"id":"ia-12.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-12(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities"}]}]}]},{"id":"ia-13","class":"SP800-53","title":"Identity Providers and Authorization Servers","params":[{"id":"ia-13_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-13_odp.01"}],"label":"organization-defined identification and authentication policy"},{"id":"ia-13_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ia-13_odp.02"}],"label":"organization-defined mechanisms"},{"id":"ia-13_odp.01","props":[{"name":"label","value":"IA-13_ODP[01]","class":"sp800-53a"}],"label":"policy","guidelines":[{"prose":"identification and authentication policy is defined;"}]},{"id":"ia-13_odp.02","props":[{"name":"label","value":"IA-13_ODP[02]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms supporting authentication and authorization decisions are defined;"}]}],"props":[{"name":"label","value":"IA-13"},{"name":"label","value":"IA-13","class":"sp800-53a"},{"name":"sort-id","value":"ia-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ia-12","rel":"related"}],"parts":[{"id":"ia-13_smt","name":"statement","prose":"Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_prm_1 }} using {{ insert: param, ia-13_prm_2 }}."},{"id":"ia-13_gdn","name":"guidance","prose":"Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05."},{"id":"ia-13_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-13","class":"sp800-53a"}],"parts":[{"id":"ia-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13[01]","class":"sp800-53a"}],"prose":"identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};","links":[{"href":"#ia-13_smt","rel":"assessment-for"}]},{"id":"ia-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13[02]","class":"sp800-53a"}],"prose":"identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};","links":[{"href":"#ia-13_smt","rel":"assessment-for"}]},{"id":"ia-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IA-13[03]","class":"sp800-53a"}],"prose":"authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};","links":[{"href":"#ia-13_smt","rel":"assessment-for"}]},{"id":"ia-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"IA-13[04]","class":"sp800-53a"}],"prose":"authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};","links":[{"href":"#ia-13_smt","rel":"assessment-for"}]}]},{"id":"ia-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":" Identification and authentication policy;\n\nprocedures addressing user and device identification and authentication;\n\nsystem security plan;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"}]},{"id":"ia-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem\/network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"}]},{"id":"ia-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing identification and authentication capabilities and access rights"}]}],"controls":[{"id":"ia-13.1","class":"SP800-53-enhancement","title":"Protection of Cryptographic Keys","props":[{"name":"label","value":"IA-13(1)"},{"name":"label","value":"IA-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"ia-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-13","rel":"required"},{"href":"#ia-13","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ia-13.1_smt","name":"statement","prose":"Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse."},{"id":"ia-13.1_gdn","name":"guidance","prose":"Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. "},{"id":"ia-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-13(01)","class":"sp800-53a"}],"parts":[{"id":"ia-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(01)[01]","class":"sp800-53a"}],"prose":"cryptographic keys that protect access tokens are generated;","links":[{"href":"#ia-13.1_smt","rel":"assessment-for"}]},{"id":"ia-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(01)[02]","class":"sp800-53a"}],"prose":"cryptographic keys that protect access tokens are managed;","links":[{"href":"#ia-13.1_smt","rel":"assessment-for"}]},{"id":"ia-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IA-13(01)[03]","class":"sp800-53a"}],"prose":"cryptographic keys that protect access tokens are protected from disclosure; and","links":[{"href":"#ia-13.1_smt","rel":"assessment-for"}]},{"id":"ia-13.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"IA-13(01)[04]","class":"sp800-53a"}],"prose":"cryptographic keys that protect access tokens are protected from disclosure and misuse","links":[{"href":"#ia-13.1_smt","rel":"assessment-for"}]}]},{"id":"ia-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy;\n\nprocedures addressing cryptographic key establishment and management;\n\nsystem design documentation;\n\ncryptographic mechanisms;\n\nsystem configuration settings and associated documentation;\n\nsystem security plan;\n\nother relevant documents or records"}]},{"id":"ia-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators;\n\norganizational personnel with information security responsibilities;\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"ia-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for cryptographic key management;\n\ncryptographic modules generating, storing, and using cryptographic keys"}]}]},{"id":"ia-13.2","class":"SP800-53-enhancement","title":"Verification of Identity Assertions and Access Tokens","props":[{"name":"label","value":"IA-13(2)"},{"name":"label","value":"IA-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"ia-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ia-13","rel":"required"},{"href":"#ia-13","rel":"related"}],"parts":[{"id":"ia-13.2_smt","name":"statement","prose":"The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources."},{"id":"ia-13.2_gdn","name":"guidance","prose":"This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs."},{"id":"ia-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-13(02)","class":"sp800-53a"}],"parts":[{"id":"ia-13.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(02)[01]","class":"sp800-53a"}],"prose":"the source of identity assertions is verified before granting access to system and information resources;","links":[{"href":"#ia-13.2_smt","rel":"assessment-for"}]},{"id":"ia-13.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(02)[02]","class":"sp800-53a"}],"prose":"the source of access tokens is verified before granting access to system and information resources;","links":[{"href":"#ia-13.2_smt","rel":"assessment-for"}]},{"id":"ia-13.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IA-13(02)[03]","class":"sp800-53a"}],"prose":"the integrity of identity assertions is verified before granting access to system and information resources;","links":[{"href":"#ia-13.2_smt","rel":"assessment-for"}]},{"id":"ia-13.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"IA-13(02)[04]","class":"sp800-53a"}],"prose":"the integrity of access tokens is verified before granting access to system and information resources","links":[{"href":"#ia-13.2_smt","rel":"assessment-for"}]}]},{"id":"ia-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy;\n\nsystem security plan; system design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"}]},{"id":"ia-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem\/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"}]},{"id":"ia-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identity provider mechanisms supporting and\/or implementing identification and authentication capabilities and access rights"}]}]},{"id":"ia-13.3","class":"SP800-53-enhancement","title":"Token Management","props":[{"name":"label","value":"IA-13(3)"},{"name":"label","value":"IA-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"ia-13.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ff989cdc-649d-4f45-8f61-9309c9680933","rel":"reference"},{"href":"#e9d6c5f2-b3aa-4a28-8bea-a0135718d453","rel":"reference"},{"href":"#ia-13","rel":"required"},{"href":"#ia-13","rel":"related"}],"parts":[{"id":"ia-13.3_smt","name":"statement","prose":"In accordance with {{ insert: param, ia-13_prm_1 }}, assertions and access tokens are:","parts":[{"id":"ac-13.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"generated;"},{"id":"ac-13.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"issued;"},{"id":"ac-13.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"refreshed;"},{"id":"ac-13.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"revoked;"},{"id":"ac-13.3_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"time-restricted; and"},{"id":"ac-13.3_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"audience-restricted."}]},{"id":"ia-13.3_gdn","name":"guidance","prose":"An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens."},{"id":"ia-13.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)","class":"sp800-53a"}],"parts":[{"id":"ia-13.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(a)[01]","class":"sp800-53a"}],"prose":"assertions are generated in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.a","rel":"assessment-for"}]},{"id":"ia-13.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(a)[02]","class":"sp800-53a"}],"prose":"access tokens are generated in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.a","rel":"assessment-for"}]},{"id":"ia-13.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(b)[01]","class":"sp800-53a"}],"prose":"assertions are issued in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.b","rel":"assessment-for"}]},{"id":"ia-13.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(b)[02]","class":"sp800-53a"}],"prose":"access tokens are issued in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.b","rel":"assessment-for"}]},{"id":"ia-13.3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(c)[01]","class":"sp800-53a"}],"prose":"assertions are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.c","rel":"assessment-for"}]},{"id":"ia-13.3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(c)[02]","class":"sp800-53a"}],"prose":"access tokens are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.c","rel":"assessment-for"}]},{"id":"ia-13.3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(d)[01]","class":"sp800-53a"}],"prose":"assertions are revoked in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.d","rel":"assessment-for"}]},{"id":"ia-13.3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(d)[02]","class":"sp800-53a"}],"prose":"access tokens are revoked in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.d","rel":"assessment-for"}]},{"id":"ia-13.3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(e)[01]","class":"sp800-53a"}],"prose":"assertions are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.e","rel":"assessment-for"}]},{"id":"ia-13.3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(e)[02]","class":"sp800-53a"}],"prose":"access tokens are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.e","rel":"assessment-for"}]},{"id":"ia-13.3_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(f)[01]","class":"sp800-53a"}],"prose":"assertions are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.f","rel":"assessment-for"}]},{"id":"ia-13.3_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"IA-13(03)(f)[02]","class":"sp800-53a"}],"prose":"access tokens are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};","links":[{"href":"#ia-13.3_smt.f","rel":"assessment-for"}]}]},{"id":"ia-13.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IA-13(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Identification and authentication policy;\n\naccess control policy;\n\nprocedures for assertion and token management;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"}]},{"id":"ia-13.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IA-13(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem\/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"}]},{"id":"ia-13.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IA-13(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms and software supporting and\/or implementing token generation"}]}]}]}]},{"id":"ir","class":"family","title":"Incident Response","controls":[{"id":"ir-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ir-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ir-01_odp.01","props":[{"name":"label","value":"IR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response policy is to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.02","props":[{"name":"label","value":"IR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the incident response procedures are to be disseminated is\/are defined;"}]},{"id":"ir-01_odp.03","props":[{"name":"alt-identifier","value":"ir-1_prm_2"},{"name":"label","value":"IR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ir-01_odp.04","props":[{"name":"alt-identifier","value":"ir-1_prm_3"},{"name":"label","value":"IR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the incident response policy and procedures is defined;"}]},{"id":"ir-01_odp.05","props":[{"name":"alt-identifier","value":"ir-1_prm_4"},{"name":"label","value":"IR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response policy is reviewed and updated is defined;"}]},{"id":"ir-01_odp.06","props":[{"name":"alt-identifier","value":"ir-1_prm_5"},{"name":"label","value":"IR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current incident response policy to be reviewed and updated are defined;"}]},{"id":"ir-01_odp.07","props":[{"name":"alt-identifier","value":"ir-1_prm_6"},{"name":"label","value":"IR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current incident response procedures are reviewed and updated is defined;"}]},{"id":"ir-01_odp.08","props":[{"name":"alt-identifier","value":"ir-1_prm_7"},{"name":"label","value":"IR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the incident response procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"IR-1"},{"name":"label","value":"IR-01","class":"sp800-53a"},{"name":"sort-id","value":"ir-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ir-1_smt","name":"statement","parts":[{"id":"ir-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ir-1_prm_1 }}:","parts":[{"id":"ir-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ir-01_odp.03 }} incident response policy that:","parts":[{"id":"ir-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ir-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ir-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;"}]},{"id":"ir-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ir-01_odp.04 }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and"},{"id":"ir-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current incident response:","parts":[{"id":"ir-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ir-01_odp.05 }} and following {{ insert: param, ir-01_odp.06 }} ; and"},{"id":"ir-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ir-01_odp.07 }} and following {{ insert: param, ir-01_odp.08 }}."}]}]},{"id":"ir-1_gdn","name":"guidance","prose":"Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ir-1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[01]","class":"sp800-53a"}],"prose":"an incident response policy is developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[02]","class":"sp800-53a"}],"prose":"the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[03]","class":"sp800-53a"}],"prose":"incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.[04]","class":"sp800-53a"}],"prose":"the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};","links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;","links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ir-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ir-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.a","rel":"assessment-for"}]},{"id":"ir-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;","links":[{"href":"#ir-1_smt.b","rel":"assessment-for"}]},{"id":"ir-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[01]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.01[02]","class":"sp800-53a"}],"prose":"the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};","links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.1","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02","class":"sp800-53a"}],"parts":[{"id":"ir-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[01]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]},{"id":"ir-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"IR-01c.02[02]","class":"sp800-53a"}],"prose":"the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.","links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-1_smt","rel":"assessment-for"}]},{"id":"ir-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-2","class":"SP800-53","title":"Incident Response Training","params":[{"id":"ir-02_odp.01","props":[{"name":"alt-identifier","value":"ir-2_prm_1"},{"name":"label","value":"IR-02_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;"}]},{"id":"ir-02_odp.02","props":[{"name":"alt-identifier","value":"ir-2_prm_2"},{"name":"label","value":"IR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide incident response training to users is defined;"}]},{"id":"ir-02_odp.03","props":[{"name":"alt-identifier","value":"ir-2_prm_3"},{"name":"label","value":"IR-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review and update incident response training content is defined;"}]},{"id":"ir-02_odp.04","props":[{"name":"alt-identifier","value":"ir-2_prm_4"},{"name":"label","value":"IR-02_ODP[04]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that initiate a review of the incident response training content are defined;"}]}],"props":[{"name":"label","value":"IR-2"},{"name":"label","value":"IR-02","class":"sp800-53a"},{"name":"sort-id","value":"ir-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#511f6832-23ca-49a3-8c0f-ce493373cab8","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-2_smt","name":"statement","parts":[{"id":"ir-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide incident response training to system users consistent with assigned roles and responsibilities:","parts":[{"id":"ir-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"},{"id":"ir-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"When required by system changes; and"},{"id":"ir-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"{{ insert: param, ir-02_odp.02 }} thereafter; and"}]},{"id":"ir-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update incident response training content {{ insert: param, ir-02_odp.03 }} and following {{ insert: param, ir-02_odp.04 }}."}]},{"id":"ir-2_gdn","name":"guidance","prose":"Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of [AT-2](#at-2) or [AT-3](#at-3) . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ir-2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.01","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;","links":[{"href":"#ir-2_smt.a.1","rel":"assessment-for"}]},{"id":"ir-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.02","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;","links":[{"href":"#ir-2_smt.a.2","rel":"assessment-for"}]},{"id":"ir-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-02a.03","class":"sp800-53a"}],"prose":"incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;","links":[{"href":"#ir-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.a","rel":"assessment-for"}]},{"id":"ir-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.","class":"sp800-53a"}],"parts":[{"id":"ir-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[01]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]},{"id":"ir-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02b.[02]","class":"sp800-53a"}],"prose":"incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.","links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-2_smt","rel":"assessment-for"}]},{"id":"ir-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nprivacy plan\n\nincident response plan\n\nincident response training records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-2.1","class":"SP800-53-enhancement","title":"Simulated Events","props":[{"name":"label","value":"IR-2(1)"},{"name":"label","value":"IR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.1_smt","name":"statement","prose":"Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations."},{"id":"ir-2.1_gdn","name":"guidance","prose":"Organizations establish requirements for responding to incidents in incident response plans. Incorporating simulated events into incident response training helps to ensure that personnel understand their individual responsibilities and what specific actions to take in crisis situations."},{"id":"ir-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(01)","class":"sp800-53a"}],"prose":"simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.","links":[{"href":"#ir-2.1_smt","rel":"assessment-for"}]},{"id":"ir-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement simulated events for incident response training"}]}]},{"id":"ir-2.2","class":"SP800-53-enhancement","title":"Automated Training Environments","params":[{"id":"ir-02.02_odp","props":[{"name":"alt-identifier","value":"ir-2.2_prm_1"},{"name":"label","value":"IR-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used in an incident response training environment are defined;"}]}],"props":[{"name":"label","value":"IR-2(2)"},{"name":"label","value":"IR-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.2_smt","name":"statement","prose":"Provide an incident response training environment using {{ insert: param, ir-02.02_odp }}."},{"id":"ir-2.2_gdn","name":"guidance","prose":"Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability."},{"id":"ir-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(02)","class":"sp800-53a"}],"prose":"an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.","links":[{"href":"#ir-2.2_smt","rel":"assessment-for"}]},{"id":"ir-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response training\n\nincident response training curriculum\n\nincident response training materials\n\nautomated mechanisms supporting incident response training\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training and operational responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that provide a thorough and realistic incident response training environment"}]}]},{"id":"ir-2.3","class":"SP800-53-enhancement","title":"Breach","props":[{"name":"label","value":"IR-2(3)"},{"name":"label","value":"IR-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-2","rel":"required"}],"parts":[{"id":"ir-2.3_smt","name":"statement","prose":"Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach."},{"id":"ir-2.3_gdn","name":"guidance","prose":"For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See [IR-2(1)](#ir-2.1)."},{"id":"ir-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)","class":"sp800-53a"}],"parts":[{"id":"ir-2.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[01]","class":"sp800-53a"}],"prose":"incident response training on how to identify and respond to a breach is provided;","links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]},{"id":"ir-2.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-02(03)[02]","class":"sp800-53a"}],"prose":"incident response training on the organization’s process for reporting a breach is provided.","links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-2.3_smt","rel":"assessment-for"}]},{"id":"ir-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-3","class":"SP800-53","title":"Incident Response Testing","params":[{"id":"ir-03_odp.01","props":[{"name":"alt-identifier","value":"ir-3_prm_1"},{"name":"label","value":"IR-03_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to test the effectiveness of the incident response capability for the system is defined;"}]},{"id":"ir-03_odp.02","props":[{"name":"alt-identifier","value":"ir-3_prm_2"},{"name":"label","value":"IR-03_ODP[02]","class":"sp800-53a"}],"label":"tests","guidelines":[{"prose":"tests used to test the effectiveness of the incident response capability for the system are defined;"}]}],"props":[{"name":"label","value":"IR-3"},{"name":"label","value":"IR-03","class":"sp800-53a"},{"name":"sort-id","value":"ir-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#53be2fcf-cfd1-4bcb-896b-9a3b65c22098","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"ir-3_smt","name":"statement","prose":"Test the effectiveness of the incident response capability for the system {{ insert: param, ir-03_odp.01 }} using the following tests: {{ insert: param, ir-03_odp.02 }}."},{"id":"ir-3_gdn","name":"guidance","prose":"Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes."},{"id":"ir-3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03","class":"sp800-53a"}],"prose":"the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.","links":[{"href":"#ir-3_smt","rel":"assessment-for"}]},{"id":"ir-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing material\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}],"controls":[{"id":"ir-3.1","class":"SP800-53-enhancement","title":"Automated Testing","params":[{"id":"ir-03.01_odp","props":[{"name":"alt-identifier","value":"ir-3.1_prm_1"},{"name":"label","value":"IR-03(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to test the incident response capability are defined;"}]}],"props":[{"name":"label","value":"IR-3(1)"},{"name":"label","value":"IR-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.1_smt","name":"statement","prose":"Test the incident response capability using {{ insert: param, ir-03.01_odp }}."},{"id":"ir-3.1_gdn","name":"guidance","prose":"Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability."},{"id":"ir-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(01)","class":"sp800-53a"}],"prose":"the incident response capability is tested using {{ insert: param, ir-03.01_odp }}.","links":[{"href":"#ir-3.1_smt","rel":"assessment-for"}]},{"id":"ir-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nprocedures addressing contingency plan testing\n\nincident response testing documentation\n\nincident response test results\n\nincident response test plan\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nautomated mechanisms supporting incident response tests\n\nother relevant documents or records"}]},{"id":"ir-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that more thoroughly and effectively test the incident response capability"}]}]},{"id":"ir-3.2","class":"SP800-53-enhancement","title":"Coordination with Related Plans","props":[{"name":"label","value":"IR-3(2)"},{"name":"label","value":"IR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.2_smt","name":"statement","prose":"Coordinate incident response testing with organizational elements responsible for related plans."},{"id":"ir-3.2_gdn","name":"guidance","prose":"Organizational plans related to incident response testing include business continuity plans, disaster recovery plans, continuity of operations plans, contingency plans, crisis communications plans, critical infrastructure plans, and occupant emergency plans."},{"id":"ir-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(02)","class":"sp800-53a"}],"prose":"incident response testing is coordinated with organizational elements responsible for related plans.","links":[{"href":"#ir-3.2_smt","rel":"assessment-for"}]},{"id":"ir-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ir-3.3","class":"SP800-53-enhancement","title":"Continuous Improvement","props":[{"name":"label","value":"IR-3(3)"},{"name":"label","value":"IR-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-3","rel":"required"}],"parts":[{"id":"ir-3.3_smt","name":"statement","prose":"Use qualitative and quantitative data from testing to:","parts":[{"id":"ir-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine the effectiveness of incident response processes;"},{"id":"ir-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Continuously improve incident response processes; and"},{"id":"ir-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format."}]},{"id":"ir-3.3_gdn","name":"guidance","prose":"To help incident response activities function as intended, organizations may use metrics and evaluation criteria to assess incident response programs as part of an effort to continually improve response performance. These efforts facilitate improvement in incident response efficacy and lessen the impact of incidents."},{"id":"ir-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to determine the effectiveness of incident response processes;","links":[{"href":"#ir-3.3_smt.a","rel":"assessment-for"}]},{"id":"ir-3.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(a)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to determine the effectiveness of incident response processes;","links":[{"href":"#ir-3.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-3.3_smt.a","rel":"assessment-for"}]},{"id":"ir-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to continuously improve incident response processes;","links":[{"href":"#ir-3.3_smt.b","rel":"assessment-for"}]},{"id":"ir-3.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(b)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to continuously improve incident response processes;","links":[{"href":"#ir-3.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-3.3_smt.b","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)","class":"sp800-53a"}],"parts":[{"id":"ir-3.3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[01]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics that are accurate;","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[02]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics that are accurate;","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[03]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics that are consistent;","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[04]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics that are consistent;","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[05]","class":"sp800-53a"}],"prose":"qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]},{"id":"ir-3.3_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"IR-03(03)(c)[06]","class":"sp800-53a"}],"prose":"quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.","links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-3.3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-3.3_smt","rel":"assessment-for"}]},{"id":"ir-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident response testing\n\nincident response testing documentation\n\nincident response plan\n\nbusiness continuity plans\n\ncontingency plans\n\ndisaster recovery plans\n\ncontinuity of operations plans\n\ncrisis communications plans\n\ncritical infrastructure plans\n\noccupant emergency plans\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response testing responsibilities\n\norganizational personnel with responsibilities for testing organizational plans related to incident response testing\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-4","class":"SP800-53","title":"Incident Handling","props":[{"name":"label","value":"IR-4"},{"name":"label","value":"IR-04","class":"sp800-53a"},{"name":"sort-id","value":"ir-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cfdb1858-c473-46b3-89f9-a700308d0be2","rel":"reference"},{"href":"#10cf2fad-a216-41f9-bb1a-531b7e3119e3","rel":"reference"},{"href":"#9ef4b43c-42a4-4316-87dc-ffaf528bc05c","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#31ae65ab-3f26-46b7-9d64-f25a4dac5778","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-2","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-4_smt","name":"statement","parts":[{"id":"ir-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;"},{"id":"ir-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Coordinate incident handling activities with contingency planning activities;"},{"id":"ir-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and"},{"id":"ir-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization."}]},{"id":"ir-4_gdn","name":"guidance","prose":"Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes."},{"id":"ir-4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[01]","class":"sp800-53a"}],"prose":"an incident handling capability for incidents is implemented that is consistent with the incident response plan;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[02]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes preparation;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[03]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes detection and analysis;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[04]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes containment;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[05]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes eradication;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"IR-04a.[06]","class":"sp800-53a"}],"prose":"the incident handling capability for incidents includes recovery;","links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.a","rel":"assessment-for"}]},{"id":"ir-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04b.","class":"sp800-53a"}],"prose":"incident handling activities are coordinated with contingency planning activities;","links":[{"href":"#ir-4_smt.b","rel":"assessment-for"}]},{"id":"ir-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[01]","class":"sp800-53a"}],"prose":"lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04c.[02]","class":"sp800-53a"}],"prose":"the changes resulting from the incorporated lessons learned are implemented accordingly;","links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.c","rel":"assessment-for"}]},{"id":"ir-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.","class":"sp800-53a"}],"parts":[{"id":"ir-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[01]","class":"sp800-53a"}],"prose":"the rigor of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[02]","class":"sp800-53a"}],"prose":"the intensity of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[03]","class":"sp800-53a"}],"prose":"the scope of incident handling activities is comparable and predictable across the organization;","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]},{"id":"ir-4_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"IR-04d.[04]","class":"sp800-53a"}],"prose":"the results of incident handling activities are comparable and predictable across the organization.","links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-4_smt","rel":"assessment-for"}]},{"id":"ir-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}],"controls":[{"id":"ir-4.1","class":"SP800-53-enhancement","title":"Automated Incident Handling Processes","params":[{"id":"ir-04.01_odp","props":[{"name":"alt-identifier","value":"ir-4.1_prm_1"},{"name":"label","value":"IR-04(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to support the incident handling process are defined;"}]}],"props":[{"name":"label","value":"IR-4(1)"},{"name":"label","value":"IR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.1_smt","name":"statement","prose":"Support the incident handling process using {{ insert: param, ir-04.01_odp }}."},{"id":"ir-4.1_gdn","name":"guidance","prose":"Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis."},{"id":"ir-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(01)","class":"sp800-53a"}],"prose":"the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.","links":[{"href":"#ir-4.1_smt","rel":"assessment-for"}]},{"id":"ir-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.2","class":"SP800-53-enhancement","title":"Dynamic Reconfiguration","params":[{"id":"ir-04.02_odp.01","props":[{"name":"alt-identifier","value":"ir-4.2_prm_2"},{"name":"label","value":"IR-04(02)_ODP[01]","class":"sp800-53a"}],"label":"types of dynamic reconfiguration","guidelines":[{"prose":"types of dynamic reconfiguration for system components are defined;"}]},{"id":"ir-04.02_odp.02","props":[{"name":"alt-identifier","value":"ir-4.2_prm_1"},{"name":"label","value":"IR-04(02)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components that require dynamic reconfiguration are defined;"}]}],"props":[{"name":"label","value":"IR-4(2)"},{"name":"label","value":"IR-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#cm-2","rel":"related"}],"parts":[{"id":"ir-4.2_smt","name":"statement","prose":"Include the following types of dynamic reconfiguration for {{ insert: param, ir-04.02_odp.02 }} as part of the incident response capability: {{ insert: param, ir-04.02_odp.01 }}."},{"id":"ir-4.2_gdn","name":"guidance","prose":"Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats."},{"id":"ir-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.","links":[{"href":"#ir-4.2_smt","rel":"assessment-for"}]},{"id":"ir-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nlist of system components to be dynamically reconfigured as part of incident response capability\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement the dynamic reconfiguration of components as part of incident response"}]}]},{"id":"ir-4.3","class":"SP800-53-enhancement","title":"Continuity of Operations","params":[{"id":"ir-04.03_odp.01","props":[{"name":"alt-identifier","value":"ir-4.3_prm_1"},{"name":"label","value":"IR-04(03)_ODP[01]","class":"sp800-53a"}],"label":"classes of incidents","guidelines":[{"prose":"classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;"}]},{"id":"ir-04.03_odp.02","props":[{"name":"alt-identifier","value":"ir-4.3_prm_2"},{"name":"alt-label","value":"actions to take in response to classes of incidents","class":"sp800-53"},{"name":"label","value":"IR-04(03)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken in response to organization-defined classes of incidents are defined;"}]}],"props":[{"name":"label","value":"IR-4(3)"},{"name":"label","value":"IR-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.3_smt","name":"statement","prose":"Identify {{ insert: param, ir-04.03_odp.01 }} and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: {{ insert: param, ir-04.03_odp.02 }}."},{"id":"ir-4.3_gdn","name":"guidance","prose":"Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of [IR-4(5)](#ir-4.5)."},{"id":"ir-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)","class":"sp800-53a"}],"parts":[{"id":"ir-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.03_odp.01 }} are identified;","links":[{"href":"#ir-4.3_smt","rel":"assessment-for"}]},{"id":"ir-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.","links":[{"href":"#ir-4.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.3_smt","rel":"assessment-for"}]},{"id":"ir-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nlist of classes of incidents\n\nlist of appropriate incident response actions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement continuity of operations"}]}]},{"id":"ir-4.4","class":"SP800-53-enhancement","title":"Information Correlation","props":[{"name":"label","value":"IR-4(4)"},{"name":"label","value":"IR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.4_smt","name":"statement","prose":"Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."},{"id":"ir-4.4_gdn","name":"guidance","prose":"Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations."},{"id":"ir-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(04)","class":"sp800-53a"}],"prose":"incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.","links":[{"href":"#ir-4.4_smt","rel":"assessment-for"}]},{"id":"ir-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\nprivacy plan\n\nmechanisms supporting incident and event correlation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nincident management correlation logs\n\nevent management correlation logs\n\nsecurity information and event management logs\n\nincident management correlation reports\n\nevent management correlation reports\n\nsecurity information and event management reports\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with whom incident information and individual incident responses are to be correlated"}]},{"id":"ir-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for correlating incident information and individual incident responses\n\nmechanisms that support and or implement the correlation of incident response information with individual incident responses"}]}]},{"id":"ir-4.5","class":"SP800-53-enhancement","title":"Automatic Disabling of System","params":[{"id":"ir-04.05_odp","props":[{"name":"alt-identifier","value":"ir-4.5_prm_1"},{"name":"label","value":"IR-04(05)_ODP","class":"sp800-53a"}],"label":"security violations","guidelines":[{"prose":"security violations that automatically disable a system are defined;"}]}],"props":[{"name":"label","value":"IR-4(5)"},{"name":"label","value":"IR-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.5_smt","name":"statement","prose":"Implement a configurable capability to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected."},{"id":"ir-4.5_gdn","name":"guidance","prose":"Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of [CP-2](#cp-2) or [IR-4(3)](#ir-4.3) . Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals."},{"id":"ir-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(05)","class":"sp800-53a"}],"prose":"a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.","links":[{"href":"#ir-4.5_smt","rel":"assessment-for"}]},{"id":"ir-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nincident response plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"ir-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization\n\nautomated mechanisms supporting and\/or implementing automatic disabling of the system"}]}]},{"id":"ir-4.6","class":"SP800-53-enhancement","title":"Insider Threats","props":[{"name":"label","value":"IR-4(6)"},{"name":"label","value":"IR-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.6_smt","name":"statement","prose":"Implement an incident handling capability for incidents involving insider threats."},{"id":"ir-4.6_gdn","name":"guidance","prose":"Explicit focus on handling incidents involving insider threats provides additional emphasis on this type of threat and the need for specific incident handling capabilities to provide appropriate and timely responses."},{"id":"ir-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(06)","class":"sp800-53a"}],"prose":"an incident handling capability is implemented for incidents involving insider threats.","links":[{"href":"#ir-4.6_smt","rel":"assessment-for"}]},{"id":"ir-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nmechanisms supporting incident handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident handling capability for the organization"}]}]},{"id":"ir-4.7","class":"SP800-53-enhancement","title":"Insider Threats — Intra-organization Coordination","params":[{"id":"ir-04.07_odp","props":[{"name":"alt-identifier","value":"ir-4.7_prm_1"},{"name":"label","value":"IR-04(07)_ODP","class":"sp800-53a"}],"label":"entities","guidelines":[{"prose":"entities that require coordination for an incident handling capability for insider threats are defined;"}]}],"props":[{"name":"label","value":"IR-4(7)"},{"name":"label","value":"IR-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.7_smt","name":"statement","prose":"Coordinate an incident handling capability for insider threats that includes the following organizational entities {{ insert: param, ir-04.07_odp }}."},{"id":"ir-4.7_gdn","name":"guidance","prose":"Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies."},{"id":"ir-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)","class":"sp800-53a"}],"parts":[{"id":"ir-4.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)[01]","class":"sp800-53a"}],"prose":"an incident handling capability is coordinated for insider threats;","links":[{"href":"#ir-4.7_smt","rel":"assessment-for"}]},{"id":"ir-4.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(07)[02]","class":"sp800-53a"}],"prose":"the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}.","links":[{"href":"#ir-4.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.7_smt","rel":"assessment-for"}]},{"id":"ir-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nincident response plan\n\ninsider threat program plan\n\ninsider threat CONOPS\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel\/elements with whom the incident handling capability is to be coordinated"}]},{"id":"ir-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for coordinating incident handling"}]}]},{"id":"ir-4.8","class":"SP800-53-enhancement","title":"Correlation with External Organizations","params":[{"id":"ir-04.08_odp.01","props":[{"name":"alt-identifier","value":"ir-4.8_prm_1"},{"name":"label","value":"IR-04(08)_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations with whom organizational incident information is to be coordinated and shared are defined;"}]},{"id":"ir-04.08_odp.02","props":[{"name":"alt-identifier","value":"ir-4.8_prm_2"},{"name":"label","value":"IR-04(08)_ODP[02]","class":"sp800-53a"}],"label":"incident information","guidelines":[{"prose":"incident information to be correlated and shared with organization-defined external organizations are defined;"}]}],"props":[{"name":"label","value":"IR-4(8)"},{"name":"label","value":"IR-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#pm-16","rel":"related"}],"parts":[{"id":"ir-4.8_smt","name":"statement","prose":"Coordinate with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses."},{"id":"ir-4.8_gdn","name":"guidance","prose":"The coordination of incident information with external organizations—including mission or business partners, military or coalition partners, customers, and developers—can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage information from a variety of sources to effectively respond to incidents and breaches that could potentially affect the organization’s operations, assets, and individuals."},{"id":"ir-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(08)","class":"sp800-53a"}],"prose":"there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses.","links":[{"href":"#ir-4.8_smt","rel":"assessment-for"}]},{"id":"ir-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nlist of external organizations\n\nrecords of incident handling coordination with external organizations\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel from external organizations with whom incident response information is to be coordinated, shared, and correlated"}]},{"id":"ir-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for coordinating incident handling information with external organizations"}]}]},{"id":"ir-4.9","class":"SP800-53-enhancement","title":"Dynamic Response Capability","params":[{"id":"ir-04.09_odp","props":[{"name":"alt-identifier","value":"ir-4.9_prm_1"},{"name":"label","value":"IR-04(09)_ODP","class":"sp800-53a"}],"label":"dynamic response capabilities","guidelines":[{"prose":"dynamic response capabilities to be employed to respond to incidents are defined;"}]}],"props":[{"name":"label","value":"IR-4(9)"},{"name":"label","value":"IR-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.9_smt","name":"statement","prose":"Employ {{ insert: param, ir-04.09_odp }} to respond to incidents."},{"id":"ir-4.9_gdn","name":"guidance","prose":"The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level."},{"id":"ir-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(09)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-04.09_odp }} are employed to respond to incidents.","links":[{"href":"#ir-4.9_smt","rel":"assessment-for"}]},{"id":"ir-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nautomated mechanisms supporting dynamic response capabilities\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\naudit records\n\nother relevant documents or records"}]},{"id":"ir-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for dynamic response capability\n\nautomated mechanisms supporting and\/or implementing the dynamic response capability for the organization"}]}]},{"id":"ir-4.10","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-4(10)"},{"name":"label","value":"IR-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#ca-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-4.10_smt","name":"statement","prose":"Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain."},{"id":"ir-4.10_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Supply chain incidents can occur anywhere through or to the supply chain and include compromises or breaches that involve primary or sub-tier providers, information technology products, system components, development processes or personnel, and distribution processes or warehousing facilities. Organizations consider including processes for protecting and sharing incident information in information exchange agreements and their obligations for reporting incidents to government oversight bodies (e.g., Federal Acquisition Security Council)."},{"id":"ir-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(10)","class":"sp800-53a"}],"prose":"incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.","links":[{"href":"#ir-4.10_smt","rel":"assessment-for"}]},{"id":"ir-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nincident response plans of other organization involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with mission and business responsibilities\n\norganizational personnel with legal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with acquisition responsibilities"}]}]},{"id":"ir-4.11","class":"SP800-53-enhancement","title":"Integrated Incident Response Team","params":[{"id":"ir-04.11_odp","props":[{"name":"alt-identifier","value":"ir-4.11_prm_1"},{"name":"label","value":"IR-04(11)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which an integrated incident response team can be deployed is defined;"}]}],"props":[{"name":"label","value":"IR-4(11)"},{"name":"label","value":"IR-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"ir-4.11_smt","name":"statement","prose":"Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."},{"id":"ir-4.11_gdn","name":"guidance","prose":"An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.\n\nAn integrated incident response team facilitates information sharing and allows organizational personnel (e.g., developers, implementers, and operators) to leverage team knowledge of the threat and implement defensive measures that enable organizations to deter intrusions more effectively. Moreover, integrated teams promote the rapid detection of intrusions, the development of appropriate mitigations, and the deployment of effective defensive measures. For example, when an intrusion is detected, the integrated team can rapidly develop an appropriate response for operators to implement, correlate the new incident with information on past intrusions, and augment ongoing cyber intelligence development. Integrated incident response teams are better able to identify adversary tactics, techniques, and procedures that are linked to the operations tempo or specific mission and business functions and to define responsive actions in a way that does not disrupt those mission and business functions. Incident response teams can be distributed within organizations to make the capability resilient."},{"id":"ir-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)","class":"sp800-53a"}],"parts":[{"id":"ir-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[01]","class":"sp800-53a"}],"prose":"an integrated incident response team is established and maintained;","links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]},{"id":"ir-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(11)[02]","class":"sp800-53a"}],"prose":"the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.","links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.11_smt","rel":"assessment-for"}]},{"id":"ir-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nmembers of the integrated incident response team"}]}]},{"id":"ir-4.12","class":"SP800-53-enhancement","title":"Malicious Code and Forensic Analysis","props":[{"name":"label","value":"IR-4(12)"},{"name":"label","value":"IR-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.12_smt","name":"statement","prose":"Analyze malicious code and\/or other residual artifacts remaining in the system after the incident."},{"id":"ir-4.12_gdn","name":"guidance","prose":"When conducted carefully in an isolated environment, analysis of malicious code and other residual artifacts of a security incident or breach can give the organization insight into adversary tactics, techniques, and procedures. It can also indicate the identity or some defining characteristics of the adversary. In addition, malicious code analysis can help the organization develop responses to future incidents."},{"id":"ir-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)","class":"sp800-53a"}],"parts":[{"id":"ir-4.12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)[01]","class":"sp800-53a"}],"prose":"malicious code remaining in the system is analyzed after the incident;","links":[{"href":"#ir-4.12_smt","rel":"assessment-for"}]},{"id":"ir-4.12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(12)[02]","class":"sp800-53a"}],"prose":"other residual artifacts remaining in the system (if any) are analyzed after the incident.","links":[{"href":"#ir-4.12_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.12_smt","rel":"assessment-for"}]},{"id":"ir-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident handling\n\nprocedures addressing code and forensic analysis\n\nprocedures addressing incident response\n\nincident response plan\n\nsystem design documentation\n\nmalicious code protection mechanisms, tools, and techniques\n\nresults from malicious code analyses\n\nsystem security plan\n\nsystem audit records\n\nother relevant documents or records"}]},{"id":"ir-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel with responsibility for malicious code protection\n\norganizational personnel responsible for incident response\/management"}]},{"id":"ir-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for incident response\n\norganizational processes for conducting forensic analysis\n\ntools and techniques for analysis of malicious code characteristics and behavior"}]}]},{"id":"ir-4.13","class":"SP800-53-enhancement","title":"Behavior Analysis","params":[{"id":"ir-04.13_odp","props":[{"name":"alt-identifier","value":"ir-4.13_prm_1"},{"name":"label","value":"IR-04(13)_ODP","class":"sp800-53a"}],"label":"environments or resources","guidelines":[{"prose":"environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;"}]}],"props":[{"name":"label","value":"IR-4(13)"},{"name":"label","value":"IR-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.13_smt","name":"statement","prose":"Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }}."},{"id":"ir-4.13_gdn","name":"guidance","prose":"If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight."},{"id":"ir-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(13)","class":"sp800-53a"}],"prose":"anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed.","links":[{"href":"#ir-4.13_smt","rel":"assessment-for"}]},{"id":"ir-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing system monitoring tools and techniques\n\nincident response plan\n\nsystem monitoring logs or records\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsecurity plan\n\nsystem component inventory\n\nnetwork diagram\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ir-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for detecting anomalous behavior"}]}]},{"id":"ir-4.14","class":"SP800-53-enhancement","title":"Security Operations Center","props":[{"name":"label","value":"IR-4(14)"},{"name":"label","value":"IR-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.14_smt","name":"statement","prose":"Establish and maintain a security operations center."},{"id":"ir-4.14_gdn","name":"guidance","prose":"A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The organization staffs the SOC with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers) and implements a combination of technical, management, and operational controls (including monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to threat and security-relevant event data from multiple sources. These sources include perimeter defenses, network devices (e.g., routers, switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in a variety of ways. Larger organizations may implement a dedicated SOC while smaller organizations may employ third-party organizations to provide such a capability."},{"id":"ir-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)","class":"sp800-53a"}],"parts":[{"id":"ir-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)[01]","class":"sp800-53a"}],"prose":"a security operations center is established;","links":[{"href":"#ir-4.14_smt","rel":"assessment-for"}]},{"id":"ir-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-04(14)[02]","class":"sp800-53a"}],"prose":"a security operations center is maintained.","links":[{"href":"#ir-4.14_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.14_smt","rel":"assessment-for"}]},{"id":"ir-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\ncontingency planning policy\n\nprocedures addressing incident handling\n\nprocedures addressing the security operations center operations\n\nmechanisms supporting dynamic response capabilities\n\nincident response plan\n\ncontingency plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with contingency planning responsibilities\n\nsecurity operations center personnel\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms that support and\/or implement the security operations center capability\n\nmechanisms that support and\/or implement the incident handling process"}]}]},{"id":"ir-4.15","class":"SP800-53-enhancement","title":"Public Relations and Reputation Repair","props":[{"name":"label","value":"IR-4(15)"},{"name":"label","value":"IR-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"ir-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-4","rel":"required"}],"parts":[{"id":"ir-4.15_smt","name":"statement","parts":[{"id":"ir-4.15_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Manage public relations associated with an incident; and"},{"id":"ir-4.15_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ measures to repair the reputation of the organization."}]},{"id":"ir-4.15_gdn","name":"guidance","prose":"It is important for an organization to have a strategy in place for addressing incidents that have been brought to the attention of the general public, have cast the organization in a negative light, or have affected the organization’s constituents (e.g., partners, customers). Such publicity can be extremely harmful to the organization and affect its ability to carry out its mission and business functions. Taking proactive steps to repair the organization’s reputation is an essential aspect of reestablishing the trust and confidence of its constituents."},{"id":"ir-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)","class":"sp800-53a"}],"parts":[{"id":"ir-4.15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)(a)","class":"sp800-53a"}],"prose":"public relations associated with an incident are managed;","links":[{"href":"#ir-4.15_smt.a","rel":"assessment-for"}]},{"id":"ir-4.15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-04(15)(b)","class":"sp800-53a"}],"prose":"measures are employed to repair the reputation of the organization.","links":[{"href":"#ir-4.15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-4.15_smt","rel":"assessment-for"}]},{"id":"ir-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing incident handling\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident handling responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with communications or public relations responsibilities"}]}]}]},{"id":"ir-5","class":"SP800-53","title":"Incident Monitoring","props":[{"name":"label","value":"IR-5"},{"name":"label","value":"IR-05","class":"sp800-53a"},{"name":"sort-id","value":"ir-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ir-5_smt","name":"statement","prose":"Track and document incidents."},{"id":"ir-5_gdn","name":"guidance","prose":"Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. [IR-4](#ir-4) provides information on the types of incidents that are appropriate for monitoring."},{"id":"ir-5_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05","class":"sp800-53a"}],"parts":[{"id":"ir-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05[01]","class":"sp800-53a"}],"prose":"incidents are tracked;","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05[02]","class":"sp800-53a"}],"prose":"incidents are documented.","links":[{"href":"#ir-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5_smt","rel":"assessment-for"}]},{"id":"ir-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nmechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}],"controls":[{"id":"ir-5.1","class":"SP800-53-enhancement","title":"Automated Tracking, Data Collection, and Analysis","params":[{"id":"ir-5.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-05.01_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ir-05.01_odp.01","props":[{"name":"label","value":"IR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to track incidents are defined;"}]},{"id":"ir-05.01_odp.02","props":[{"name":"label","value":"IR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to collect incident information are defined;"}]},{"id":"ir-05.01_odp.03","props":[{"name":"label","value":"IR-05(01)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to analyze incident information are defined;"}]}],"props":[{"name":"label","value":"IR-5(1)"},{"name":"label","value":"IR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-5","rel":"required"}],"parts":[{"id":"ir-5.1_smt","name":"statement","prose":"Track incidents and collect and analyze incident information using {{ insert: param, ir-5.1_prm_1 }}."},{"id":"ir-5.1_gdn","name":"guidance","prose":"Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices."},{"id":"ir-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)","class":"sp800-53a"}],"parts":[{"id":"ir-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[01]","class":"sp800-53a"}],"prose":"incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[02]","class":"sp800-53a"}],"prose":"incident information is collected using {{ insert: param, ir-05.01_odp.02 }};","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"IR-05(01)[03]","class":"sp800-53a"}],"prose":"incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.","links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-5.1_smt","rel":"assessment-for"}]},{"id":"ir-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident monitoring\n\nincident response records and documentation\n\nsystem security plan\n\nincident response plan\n\nother relevant documents or records"}]},{"id":"ir-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident monitoring responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident monitoring capability for the organization\n\nautomated mechanisms supporting and\/or implementing the tracking and documenting of system security incidents"}]}]}]},{"id":"ir-6","class":"SP800-53","title":"Incident Reporting","params":[{"id":"ir-06_odp.01","props":[{"name":"alt-identifier","value":"ir-6_prm_1"},{"name":"label","value":"IR-06_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for personnel to report suspected incidents to the organizational incident response capability is defined;"}]},{"id":"ir-06_odp.02","props":[{"name":"alt-identifier","value":"ir-6_prm_2"},{"name":"label","value":"IR-06_ODP[02]","class":"sp800-53a"}],"label":"authorities","guidelines":[{"prose":"authorities to whom incident information is to be reported are defined;"}]}],"props":[{"name":"label","value":"IR-6"},{"name":"label","value":"IR-06","class":"sp800-53a"},{"name":"sort-id","value":"ir-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#40b78258-c892-480e-9af8-77ac36648301","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ir-9","rel":"related"}],"parts":[{"id":"ir-6_smt","name":"statement","parts":[{"id":"ir-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }} ; and"},{"id":"ir-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report incident information to {{ insert: param, ir-06_odp.02 }}."}]},{"id":"ir-6_gdn","name":"guidance","prose":"The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products."},{"id":"ir-6_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06","class":"sp800-53a"}],"parts":[{"id":"ir-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-06a.","class":"sp800-53a"}],"prose":"personnel is\/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};","links":[{"href":"#ir-6_smt.a","rel":"assessment-for"}]},{"id":"ir-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-06b.","class":"sp800-53a"}],"prose":"incident information is reported to {{ insert: param, ir-06_odp.02 }}.","links":[{"href":"#ir-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-6_smt","rel":"assessment-for"}]},{"id":"ir-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident reporting records and documentation\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel who have\/should have reported incidents\n\npersonnel (authorities) to whom incident information is to be reported\n\nsystem users"}]},{"id":"ir-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing incident reporting"}]}],"controls":[{"id":"ir-6.1","class":"SP800-53-enhancement","title":"Automated Reporting","params":[{"id":"ir-06.01_odp","props":[{"name":"alt-identifier","value":"ir-6.1_prm_1"},{"name":"label","value":"IR-06(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used for reporting incidents are defined;"}]}],"props":[{"name":"label","value":"IR-6(1)"},{"name":"label","value":"IR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#ir-7","rel":"related"}],"parts":[{"id":"ir-6.1_smt","name":"statement","prose":"Report incidents using {{ insert: param, ir-06.01_odp }}."},{"id":"ir-6.1_gdn","name":"guidance","prose":"The recipients of incident reports are specified in [IR-6b](#ir-6_smt.b) . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs."},{"id":"ir-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(01)","class":"sp800-53a"}],"prose":"incidents are reported using {{ insert: param, ir-06.01_odp }}.","links":[{"href":"#ir-6.1_smt","rel":"assessment-for"}]},{"id":"ir-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nautomated mechanisms supporting incident reporting\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nautomated mechanisms supporting and\/or implementing the reporting of security incidents"}]}]},{"id":"ir-6.2","class":"SP800-53-enhancement","title":"Vulnerabilities Related to Incidents","params":[{"id":"ir-06.02_odp","props":[{"name":"alt-identifier","value":"ir-6.2_prm_1"},{"name":"label","value":"IR-06(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system vulnerabilities associated with reported incidents are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"IR-6(2)"},{"name":"label","value":"IR-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"}],"parts":[{"id":"ir-6.2_smt","name":"statement","prose":"Report system vulnerabilities associated with reported incidents to {{ insert: param, ir-06.02_odp }}."},{"id":"ir-6.2_gdn","name":"guidance","prose":"Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability."},{"id":"ir-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(02)","class":"sp800-53a"}],"prose":"system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}.","links":[{"href":"#ir-6.2_smt","rel":"assessment-for"}]},{"id":"ir-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident reporting\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nsecurity incident reports and associated system vulnerabilities\n\nother relevant documents or records"}]},{"id":"ir-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\npersonnel to whom vulnerabilities associated with security incidents are to be reported"}]},{"id":"ir-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\nmechanisms supporting and\/or implementing the reporting of vulnerabilities associated with security incidents"}]}]},{"id":"ir-6.3","class":"SP800-53-enhancement","title":"Supply Chain Coordination","props":[{"name":"label","value":"IR-6(3)"},{"name":"label","value":"IR-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-6","rel":"required"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-6.3_smt","name":"statement","prose":"Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."},{"id":"ir-6.3_gdn","name":"guidance","prose":"Organizations involved in supply chain activities include product developers, system integrators, manufacturers, packagers, assemblers, distributors, vendors, and resellers. Entities that provide supply chain governance include the Federal Acquisition Security Council (FASC). Supply chain incidents include compromises or breaches that involve information technology products, system components, development processes or personnel, distribution processes, or warehousing facilities. Organizations determine the appropriate information to share and consider the value gained from informing external organizations about supply chain incidents, including the ability to improve processes or to identify the root cause of an incident."},{"id":"ir-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-06(03)","class":"sp800-53a"}],"prose":"incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.","links":[{"href":"#ir-6.3_smt","rel":"assessment-for"}]},{"id":"ir-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing supply chain coordination and supply chain risk information sharing with the Federal Acquisition Security Council\n\nacquisition policy\n\nacquisition contracts\n\nservice-level agreements\n\nincident response plan\n\nsupply chain risk management plan\n\nsystem security plan\n\nplans of other organizations involved in supply chain activities\n\nother relevant documents or records"}]},{"id":"ir-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident reporting responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganization personnel with acquisition responsibilities"}]},{"id":"ir-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident reporting\n\norganizational processes for supply chain risk information sharing\n\nmechanisms supporting and\/or implementing the reporting of incident information involved in the supply chain"}]}]}]},{"id":"ir-7","class":"SP800-53","title":"Incident Response Assistance","props":[{"name":"label","value":"IR-7"},{"name":"label","value":"IR-07","class":"sp800-53a"},{"name":"sort-id","value":"ir-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#2be7b163-e50a-435c-8906-f1162f2a457a","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"ir-7_smt","name":"statement","prose":"Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."},{"id":"ir-7_gdn","name":"guidance","prose":"Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required."},{"id":"ir-7_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07","class":"sp800-53a"}],"parts":[{"id":"ir-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"IR-07[01]","class":"sp800-53a"}],"prose":"an incident response support resource, integral to the organizational incident response capability, is provided;","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"IR-07[02]","class":"sp800-53a"}],"prose":"the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.","links":[{"href":"#ir-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ir-7_smt","rel":"assessment-for"}]},{"id":"ir-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response assistance and support responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nmechanisms supporting and\/or implementing incident response assistance"}]}],"controls":[{"id":"ir-7.1","class":"SP800-53-enhancement","title":"Automation Support for Availability of Information and Support","params":[{"id":"ir-07.01_odp","props":[{"name":"alt-identifier","value":"ir-7.1_prm_1"},{"name":"label","value":"IR-07(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to increase the availability of incident response information and support are defined;"}]}],"props":[{"name":"label","value":"IR-7(1)"},{"name":"label","value":"IR-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.1_smt","name":"statement","prose":"Increase the availability of incident response information and support using {{ insert: param, ir-07.01_odp }}."},{"id":"ir-7.1_gdn","name":"guidance","prose":"Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support."},{"id":"ir-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(01)","class":"sp800-53a"}],"prose":"the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.","links":[{"href":"#ir-7.1_smt","rel":"assessment-for"}]},{"id":"ir-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nautomated mechanisms supporting incident response support and assistance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\norganizational personnel with access to incident response support and assistance capability\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incident response assistance\n\nautomated mechanisms supporting and\/or implementing an increase in the availability of incident response information and support"}]}]},{"id":"ir-7.2","class":"SP800-53-enhancement","title":"Coordination with External Providers","props":[{"name":"label","value":"IR-7(2)"},{"name":"label","value":"IR-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-7","rel":"required"}],"parts":[{"id":"ir-7.2_smt","name":"statement","parts":[{"id":"ir-7.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and"},{"id":"ir-7.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Identify organizational incident response team members to the external providers."}]},{"id":"ir-7.2_gdn","name":"guidance","prose":"External providers of a system protection capability include the Computer Network Defense program within the U.S. Department of Defense. External providers help to protect, monitor, analyze, detect, and respond to unauthorized activity within organizational information systems and networks. It may be beneficial to have agreements in place with external providers to clarify the roles and responsibilities of each party before an incident occurs."},{"id":"ir-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)","class":"sp800-53a"}],"parts":[{"id":"ir-7.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)(a)","class":"sp800-53a"}],"prose":"a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;","links":[{"href":"#ir-7.2_smt.a","rel":"assessment-for"}]},{"id":"ir-7.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-07(02)(b)","class":"sp800-53a"}],"prose":"organizational incident response team members are identified to the external providers.","links":[{"href":"#ir-7.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-7.2_smt","rel":"assessment-for"}]},{"id":"ir-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response assistance\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ir-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response support and assistance responsibilities\n\nexternal providers of system protection capability\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"ir-8","class":"SP800-53","title":"Incident Response Plan","params":[{"id":"ir-8_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ir-08_odp.07"}],"label":"organization-defined incident response personnel (identified by name and\/or by role) and organizational elements"},{"id":"ir-08_odp.01","props":[{"name":"alt-identifier","value":"ir-8_prm_1"},{"name":"label","value":"IR-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that review and approve the incident response plan is\/are identified;"}]},{"id":"ir-08_odp.02","props":[{"name":"alt-identifier","value":"ir-8_prm_2"},{"name":"label","value":"IR-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and approve the incident response plan is defined;"}]},{"id":"ir-08_odp.03","props":[{"name":"alt-identifier","value":"ir-8_prm_3"},{"name":"label","value":"IR-08_ODP[03]","class":"sp800-53a"}],"label":"entities, personnel, or roles","guidelines":[{"prose":"entities, personnel, or roles with designated responsibility for incident response are defined;"}]},{"id":"ir-08_odp.04","props":[{"name":"alt-identifier","value":"ir-8_prm_4"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role) and organizational elements","class":"sp800-53"},{"name":"label","value":"IR-08_ODP[04]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom copies of the incident response plan are to be distributed is\/are defined;"}]},{"id":"ir-08_odp.05","props":[{"name":"label","value":"IR-08_ODP[05]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which copies of the incident response plan are to be distributed are defined;"}]},{"id":"ir-08_odp.06","props":[{"name":"label","value":"IR-08_ODP[06]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to whom changes to the incident response plan is\/are communicated are defined;"}]},{"id":"ir-08_odp.07","props":[{"name":"label","value":"IR-08_ODP[07]","class":"sp800-53a"}],"label":"organizational elements","guidelines":[{"prose":"organizational elements to which changes to the incident response plan are communicated are defined;"}]}],"props":[{"name":"label","value":"IR-8"},{"name":"label","value":"IR-08","class":"sp800-53a"},{"name":"sort-id","value":"ir-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#5f4705ac-8d17-438c-b23a-ac7f12362ae4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"ir-8_smt","name":"statement","parts":[{"id":"ir-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an incident response plan that:","parts":[{"id":"ir-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides the organization with a roadmap for implementing its incident response capability;"},{"id":"ir-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describes the structure and organization of the incident response capability;"},{"id":"ir-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Provides a high-level approach for how the incident response capability fits into the overall organization;"},{"id":"ir-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;"},{"id":"ir-8_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Defines reportable incidents;"},{"id":"ir-8_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provides metrics for measuring the incident response capability within the organization;"},{"id":"ir-8_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Defines the resources and management support needed to effectively maintain and mature an incident response capability;"},{"id":"ir-8_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Addresses the sharing of incident information;"},{"id":"ir-8_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }} ; and"},{"id":"ir-8_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."}]},{"id":"ir-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the incident response plan to {{ insert: param, ir-08_odp.04 }};"},{"id":"ir-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"},{"id":"ir-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Communicate incident response plan changes to {{ insert: param, ir-8_prm_5 }} ; and"},{"id":"ir-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the incident response plan from unauthorized disclosure and modification."}]},{"id":"ir-8_gdn","name":"guidance","prose":"It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly."},{"id":"ir-8_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.01","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;","links":[{"href":"#ir-8_smt.a.1","rel":"assessment-for"}]},{"id":"ir-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.02","class":"sp800-53a"}],"prose":"an incident response plan is developed that describes the structure and organization of the incident response capability;","links":[{"href":"#ir-8_smt.a.2","rel":"assessment-for"}]},{"id":"ir-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.03","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;","links":[{"href":"#ir-8_smt.a.3","rel":"assessment-for"}]},{"id":"ir-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.04","class":"sp800-53a"}],"prose":"an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;","links":[{"href":"#ir-8_smt.a.4","rel":"assessment-for"}]},{"id":"ir-8_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.05","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines reportable incidents;","links":[{"href":"#ir-8_smt.a.5","rel":"assessment-for"}]},{"id":"ir-8_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.06","class":"sp800-53a"}],"prose":"an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;","links":[{"href":"#ir-8_smt.a.6","rel":"assessment-for"}]},{"id":"ir-8_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.07","class":"sp800-53a"}],"prose":"an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;","links":[{"href":"#ir-8_smt.a.7","rel":"assessment-for"}]},{"id":"ir-8_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.08","class":"sp800-53a"}],"prose":"an incident response plan is developed that addresses the sharing of incident information;","links":[{"href":"#ir-8_smt.a.8","rel":"assessment-for"}]},{"id":"ir-8_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.09","class":"sp800-53a"}],"prose":"an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};","links":[{"href":"#ir-8_smt.a.9","rel":"assessment-for"}]},{"id":"ir-8_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"IR-08a.10","class":"sp800-53a"}],"prose":"an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.","links":[{"href":"#ir-8_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.a","rel":"assessment-for"}]},{"id":"ir-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[01]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08b.[02]","class":"sp800-53a"}],"prose":"copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};","links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.b","rel":"assessment-for"}]},{"id":"ir-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08c.","class":"sp800-53a"}],"prose":"the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;","links":[{"href":"#ir-8_smt.c","rel":"assessment-for"}]},{"id":"ir-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[01]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08d.[02]","class":"sp800-53a"}],"prose":"incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};","links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.d","rel":"assessment-for"}]},{"id":"ir-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.","class":"sp800-53a"}],"parts":[{"id":"ir-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[01]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized disclosure;","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]},{"id":"ir-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"IR-08e.[02]","class":"sp800-53a"}],"prose":"the incident response plan is protected from unauthorized modification.","links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ir-8_smt","rel":"assessment-for"}]},{"id":"ir-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}],"controls":[{"id":"ir-8.1","class":"SP800-53-enhancement","title":"Breaches","props":[{"name":"label","value":"IR-8(1)"},{"name":"label","value":"IR-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-8","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-7","rel":"related"}],"parts":[{"id":"ir-8.1_smt","name":"statement","prose":"Include the following in the Incident Response Plan for breaches involving personally identifiable information:","parts":[{"id":"ir-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"},{"id":"ir-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and"},{"id":"ir-8.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Identification of applicable privacy requirements."}]},{"id":"ir-8.1_gdn","name":"guidance","prose":"Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements."},{"id":"ir-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)","class":"sp800-53a"}],"parts":[{"id":"ir-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(a)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;","links":[{"href":"#ir-8.1_smt.a","rel":"assessment-for"}]},{"id":"ir-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(b)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;","links":[{"href":"#ir-8.1_smt.b","rel":"assessment-for"}]},{"id":"ir-8.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-08(01)(c)","class":"sp800-53a"}],"prose":"the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.","links":[{"href":"#ir-8.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ir-8.1_smt","rel":"assessment-for"}]},{"id":"ir-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response planning\n\nincident response plan\n\nsystem security plan\n\nprivacy plan\n\nrecords of incident response plan reviews and approvals\n\nother relevant documents or records"}]},{"id":"ir-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ir-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational incident response plan and related organizational processes"}]}]}]},{"id":"ir-9","class":"SP800-53","title":"Information Spillage Response","params":[{"id":"ir-09_odp.01","props":[{"name":"alt-identifier","value":"ir-9_prm_1"},{"name":"label","value":"IR-09_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles assigned the responsibility for responding to information spills is\/are defined;"}]},{"id":"ir-09_odp.02","props":[{"name":"alt-identifier","value":"ir-9_prm_2"},{"name":"label","value":"IR-09_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is\/are defined;"}]},{"id":"ir-09_odp.03","props":[{"name":"alt-identifier","value":"ir-9_prm_3"},{"name":"label","value":"IR-09_ODP[03]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be performed are defined;"}]}],"props":[{"name":"label","value":"IR-9"},{"name":"label","value":"IR-09","class":"sp800-53a"},{"name":"sort-id","value":"ir-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#pm-26","rel":"related"},{"href":"#pm-27","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ir-9_smt","name":"statement","prose":"Respond to information spills by:","parts":[{"id":"ir-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assigning {{ insert: param, ir-09_odp.01 }} with responsibility for responding to information spills;"},{"id":"ir-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identifying the specific information involved in the system contamination;"},{"id":"ir-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alerting {{ insert: param, ir-09_odp.02 }} of the information spill using a method of communication not associated with the spill;"},{"id":"ir-9_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Isolating the contaminated system or system component;"},{"id":"ir-9_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Eradicating the information from the contaminated system or component;"},{"id":"ir-9_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Identifying other systems or system components that may have been subsequently contaminated; and"},{"id":"ir-9_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Performing the following additional actions: {{ insert: param, ir-09_odp.03 }}."}]},{"id":"ir-9_gdn","name":"guidance","prose":"Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicated."},{"id":"ir-9_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09","class":"sp800-53a"}],"parts":[{"id":"ir-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"IR-09a.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.01 }} is\/are assigned the responsibility to respond to information spills;","links":[{"href":"#ir-9_smt.a","rel":"assessment-for"}]},{"id":"ir-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"IR-09b.","class":"sp800-53a"}],"prose":"the specific information involved in the system contamination is identified in response to information spills;","links":[{"href":"#ir-9_smt.b","rel":"assessment-for"}]},{"id":"ir-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"IR-09c.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.02 }} is\/are alerted of the information spill using a method of communication not associated with the spill;","links":[{"href":"#ir-9_smt.c","rel":"assessment-for"}]},{"id":"ir-9_obj.d","name":"assessment-objective","props":[{"name":"label","value":"IR-09d.","class":"sp800-53a"}],"prose":"the contaminated system or system component is isolated in response to information spills;","links":[{"href":"#ir-9_smt.d","rel":"assessment-for"}]},{"id":"ir-9_obj.e","name":"assessment-objective","props":[{"name":"label","value":"IR-09e.","class":"sp800-53a"}],"prose":"the information is eradicated from the contaminated system or component in response to information spills;","links":[{"href":"#ir-9_smt.e","rel":"assessment-for"}]},{"id":"ir-9_obj.f","name":"assessment-objective","props":[{"name":"label","value":"IR-09f.","class":"sp800-53a"}],"prose":"other systems or system components that may have been subsequently contaminated are identified in response to information spills;","links":[{"href":"#ir-9_smt.f","rel":"assessment-for"}]},{"id":"ir-9_obj.g","name":"assessment-objective","props":[{"name":"label","value":"IR-09g.","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09_odp.03 }} are performed in response to information spills.","links":[{"href":"#ir-9_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#ir-9_smt","rel":"assessment-for"}]},{"id":"ir-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nrecords of information spillage alerts\/notifications\n\nlist of personnel who should receive alerts of information spillage\n\nlist of actions to be performed regarding information spillage\n\nother relevant documents or records"}]},{"id":"ir-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information spillage response\n\nmechanisms supporting and\/or implementing information spillage response actions and related communications"}]}],"controls":[{"id":"ir-9.1","class":"SP800-53-enhancement","title":"Responsible Personnel","props":[{"name":"label","value":"IR-9(1)"},{"name":"label","value":"IR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ir-9","rel":"incorporated-into"}]},{"id":"ir-9.2","class":"SP800-53-enhancement","title":"Training","params":[{"id":"ir-09.02_odp","props":[{"name":"alt-identifier","value":"ir-9.2_prm_1"},{"name":"label","value":"IR-09(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide information spillage response training is defined;"}]}],"props":[{"name":"label","value":"IR-9(2)"},{"name":"label","value":"IR-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cp-3","rel":"related"},{"href":"#ir-2","rel":"related"}],"parts":[{"id":"ir-9.2_smt","name":"statement","prose":"Provide information spillage response training {{ insert: param, ir-09.02_odp }}."},{"id":"ir-9.2_gdn","name":"guidance","prose":"Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur."},{"id":"ir-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(02)","class":"sp800-53a"}],"prose":"information spillage response training is provided {{ insert: param, ir-09.02_odp }}.","links":[{"href":"#ir-9.2_smt","rel":"assessment-for"}]},{"id":"ir-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing information spillage response training\n\ninformation spillage response training curriculum\n\ninformation spillage response training materials\n\nincident response plan\n\nsystem security plan\n\ninformation spillage response training records\n\nother relevant documents or records"}]},{"id":"ir-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response training responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ir-9.3","class":"SP800-53-enhancement","title":"Post-spill Operations","params":[{"id":"ir-09.03_odp","props":[{"name":"alt-identifier","value":"ir-9.3_prm_1"},{"name":"label","value":"IR-09(03)_ODP","class":"sp800-53a"}],"label":"procedures","guidelines":[{"prose":"procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;"}]}],"props":[{"name":"label","value":"IR-9(3)"},{"name":"label","value":"IR-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"}],"parts":[{"id":"ir-9.3_smt","name":"statement","prose":"Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: {{ insert: param, ir-09.03_odp }}."},{"id":"ir-9.3_gdn","name":"guidance","prose":"Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business."},{"id":"ir-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(03)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.","links":[{"href":"#ir-9.3_smt","rel":"assessment-for"}]},{"id":"ir-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ir-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-spill operations"}]}]},{"id":"ir-9.4","class":"SP800-53-enhancement","title":"Exposure to Unauthorized Personnel","params":[{"id":"ir-09.04_odp","props":[{"name":"alt-identifier","value":"ir-9.4_prm_1"},{"name":"label","value":"IR-09(04)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls employed for personnel exposed to information not within assigned access authorizations are defined;"}]}],"props":[{"name":"label","value":"IR-9(4)"},{"name":"label","value":"IR-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"ir-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ir-9","rel":"required"}],"parts":[{"id":"ir-9.4_smt","name":"statement","prose":"Employ the following controls for personnel exposed to information not within assigned access authorizations: {{ insert: param, ir-09.04_odp }}."},{"id":"ir-9.4_gdn","name":"guidance","prose":"Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information."},{"id":"ir-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"IR-09(04)","class":"sp800-53a"}],"prose":"{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.","links":[{"href":"#ir-9.4_smt","rel":"assessment-for"}]},{"id":"ir-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"IR-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Incident response policy\n\nprocedures addressing incident response\n\nprocedures addressing information spillage\n\nincident response plan\n\nsystem security plan\n\nsecurity safeguards regarding information spillage\/exposure to unauthorized personnel\n\nother relevant documents or records"}]},{"id":"ir-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"IR-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ir-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"IR-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for dealing with information exposed to unauthorized personnel\n\nmechanisms supporting and\/or implementing safeguards for personnel exposed to information not within assigned access authorizations"}]}]}]},{"id":"ir-10","class":"SP800-53","title":"Integrated Information Security Analysis Team","props":[{"name":"label","value":"IR-10"},{"name":"label","value":"IR-10","class":"sp800-53a"},{"name":"sort-id","value":"ir-10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ir-4.11","rel":"moved-to"}]}]},{"id":"ma","class":"family","title":"Maintenance","controls":[{"id":"ma-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ma-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ma-01_odp.01","props":[{"name":"label","value":"MA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance policy is to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.02","props":[{"name":"label","value":"MA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the maintenance procedures are to be disseminated is\/are defined;"}]},{"id":"ma-01_odp.03","props":[{"name":"alt-identifier","value":"ma-1_prm_2"},{"name":"label","value":"MA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ma-01_odp.04","props":[{"name":"alt-identifier","value":"ma-1_prm_3"},{"name":"label","value":"MA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the maintenance policy and procedures is defined;"}]},{"id":"ma-01_odp.05","props":[{"name":"alt-identifier","value":"ma-1_prm_4"},{"name":"label","value":"MA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance policy is reviewed and updated is defined;"}]},{"id":"ma-01_odp.06","props":[{"name":"alt-identifier","value":"ma-1_prm_5"},{"name":"label","value":"MA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current maintenance policy to be reviewed and updated are defined;"}]},{"id":"ma-01_odp.07","props":[{"name":"alt-identifier","value":"ma-1_prm_6"},{"name":"label","value":"MA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current maintenance procedures are reviewed and updated is defined;"}]},{"id":"ma-01_odp.08","props":[{"name":"alt-identifier","value":"ma-1_prm_7"},{"name":"label","value":"MA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the maintenance procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MA-1"},{"name":"label","value":"MA-01","class":"sp800-53a"},{"name":"sort-id","value":"ma-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ma-1_smt","name":"statement","parts":[{"id":"ma-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ma-1_prm_1 }}:","parts":[{"id":"ma-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ma-01_odp.03 }} maintenance policy that:","parts":[{"id":"ma-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ma-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ma-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;"}]},{"id":"ma-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ma-01_odp.04 }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and"},{"id":"ma-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current maintenance:","parts":[{"id":"ma-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ma-01_odp.05 }} and following {{ insert: param, ma-01_odp.06 }} ; and"},{"id":"ma-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ma-01_odp.07 }} and following {{ insert: param, ma-01_odp.08 }}."}]}]},{"id":"ma-1_gdn","name":"guidance","prose":"Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ma-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[01]","class":"sp800-53a"}],"prose":"a maintenance policy is developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[02]","class":"sp800-53a"}],"prose":"the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[03]","class":"sp800-53a"}],"prose":"maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.[04]","class":"sp800-53a"}],"prose":"the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};","links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;","links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ma-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ma-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.a","rel":"assessment-for"}]},{"id":"ma-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;","links":[{"href":"#ma-1_smt.b","rel":"assessment-for"}]},{"id":"ma-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[01]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.01[02]","class":"sp800-53a"}],"prose":"the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};","links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.1","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ma-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[01]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]},{"id":"ma-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MA-01c.02[02]","class":"sp800-53a"}],"prose":"the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.","links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-1_smt","rel":"assessment-for"}]},{"id":"ma-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"ma-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with maintenance responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"ma-2","class":"SP800-53","title":"Controlled Maintenance","params":[{"id":"ma-02_odp.01","props":[{"name":"alt-identifier","value":"ma-2_prm_1"},{"name":"label","value":"MA-02_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is\/are defined;"}]},{"id":"ma-02_odp.02","props":[{"name":"alt-identifier","value":"ma-2_prm_2"},{"name":"label","value":"MA-02_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;"}]},{"id":"ma-02_odp.03","props":[{"name":"alt-identifier","value":"ma-2_prm_3"},{"name":"label","value":"MA-02_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included in organizational maintenance records is defined;"}]}],"props":[{"name":"label","value":"MA-2"},{"name":"label","value":"MA-02","class":"sp800-53a"},{"name":"sort-id","value":"ma-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ma-2_smt","name":"statement","parts":[{"id":"ma-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and\/or organizational requirements;"},{"id":"ma-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;"},{"id":"ma-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Require that {{ insert: param, ma-02_odp.01 }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"},{"id":"ma-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, ma-02_odp.02 }};"},{"id":"ma-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and"},{"id":"ma-2_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Include the following information in organizational maintenance records: {{ insert: param, ma-02_odp.03 }}."}]},{"id":"ma-2_gdn","name":"guidance","prose":"Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems."},{"id":"ma-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[01]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[02]","class":"sp800-53a"}],"prose":"maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02a.[03]","class":"sp800-53a"}],"prose":"records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and\/or organizational requirements;","links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.a","rel":"assessment-for"}]},{"id":"ma-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.","class":"sp800-53a"}],"parts":[{"id":"ma-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[01]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02b.[02]","class":"sp800-53a"}],"prose":"all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;","links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt.b","rel":"assessment-for"}]},{"id":"ma-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-02c.","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02_odp.01 }} is\/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.c","rel":"assessment-for"}]},{"id":"ma-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-02d.","class":"sp800-53a"}],"prose":"equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;","links":[{"href":"#ma-2_smt.d","rel":"assessment-for"}]},{"id":"ma-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-02e.","class":"sp800-53a"}],"prose":"all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;","links":[{"href":"#ma-2_smt.e","rel":"assessment-for"}]},{"id":"ma-2_obj.f","name":"assessment-objective","props":[{"name":"label","value":"MA-02f.","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.","links":[{"href":"#ma-2_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ma-2_smt","rel":"assessment-for"}]},{"id":"ma-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nmaintenance records\n\nmanufacturer\/vendor maintenance specifications\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system\n\norganizational processes for sanitizing system components\n\nmechanisms supporting and\/or implementing controlled maintenance\n\nmechanisms implementing the sanitization of system components"}]}],"controls":[{"id":"ma-2.1","class":"SP800-53-enhancement","title":"Record Content","props":[{"name":"label","value":"MA-2(1)"},{"name":"label","value":"MA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-2","rel":"incorporated-into"}]},{"id":"ma-2.2","class":"SP800-53-enhancement","title":"Automated Maintenance Activities","params":[{"id":"ma-2.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-02.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"ma-02.02_odp.01","props":[{"name":"label","value":"MA-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.02","props":[{"name":"label","value":"MA-02(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;"}]},{"id":"ma-02.02_odp.03","props":[{"name":"label","value":"MA-02(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;"}]}],"props":[{"name":"label","value":"MA-2(2)"},{"name":"label","value":"MA-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"required"},{"href":"#ma-3","rel":"related"}],"parts":[{"id":"ma-2.2_smt","name":"statement","parts":[{"id":"ma-2.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Schedule, conduct, and document maintenance, repair, and replacement actions for the system using {{ insert: param, ma-2.2_prm_1 }} ; and"},{"id":"ma-2.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Produce up-to date, accurate, and complete records of all maintenance, repair, and replacement actions requested, scheduled, in process, and completed."}]},{"id":"ma-2.2_gdn","name":"guidance","prose":"The use of automated mechanisms to manage and control system maintenance programs and activities helps to ensure the generation of timely, accurate, complete, and consistent maintenance records."},{"id":"ma-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(a)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;","links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt.a","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-2.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[01]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[02]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]},{"id":"ma-2.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-02(02)(b)[03]","class":"sp800-53a"}],"prose":"up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.","links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-2.2_smt","rel":"assessment-for"}]},{"id":"ma-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing controlled system maintenance\n\nautomated mechanisms supporting system maintenance activities\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing controlled maintenance\n\nautomated mechanisms supporting and\/or implementing the production of records of maintenance and repair actions"}]}]}]},{"id":"ma-3","class":"SP800-53","title":"Maintenance Tools","params":[{"id":"ma-03_odp","props":[{"name":"alt-identifier","value":"ma-3_prm_1"},{"name":"label","value":"MA-03_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review previously approved system maintenance tools is defined;"}]}],"props":[{"name":"label","value":"MA-3"},{"name":"label","value":"MA-03","class":"sp800-53a"},{"name":"sort-id","value":"ma-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ma-2","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"ma-3_smt","name":"statement","parts":[{"id":"ma-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve, control, and monitor the use of system maintenance tools; and"},{"id":"ma-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review previously approved system maintenance tools {{ insert: param, ma-03_odp }}."}]},{"id":"ma-3_gdn","name":"guidance","prose":"Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as \"ping,\" \"ls,\" \"ipconfig,\" or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools."},{"id":"ma-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.","class":"sp800-53a"}],"parts":[{"id":"ma-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[01]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is approved;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[02]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is controlled;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MA-03a.[03]","class":"sp800-53a"}],"prose":"the use of system maintenance tools is monitored;","links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt.a","rel":"assessment-for"}]},{"id":"ma-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03b.","class":"sp800-53a"}],"prose":"previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.","links":[{"href":"#ma-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-3_smt","rel":"assessment-for"}]},{"id":"ma-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving, controlling, and monitoring maintenance tools\n\nmechanisms supporting and\/or implementing the approval, control, and\/or monitoring of maintenance tools"}]}],"controls":[{"id":"ma-3.1","class":"SP800-53-enhancement","title":"Inspect Tools","props":[{"name":"label","value":"MA-3(1)"},{"name":"label","value":"MA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-3.1_smt","name":"statement","prose":"Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications."},{"id":"ma-3.1_gdn","name":"guidance","prose":"Maintenance tools can be directly brought into a facility by maintenance personnel or downloaded from a vendor’s website. If, upon inspection of the maintenance tools, organizations determine that the tools have been modified in an improper manner or the tools contain malicious code, the incident is handled consistent with organizational policies and procedures for incident handling."},{"id":"ma-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(01)","class":"sp800-53a"}],"prose":"maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.","links":[{"href":"#ma-3.1_smt","rel":"assessment-for"}]},{"id":"ma-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance tool inspection records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools"}]}]},{"id":"ma-3.2","class":"SP800-53-enhancement","title":"Inspect Media","props":[{"name":"label","value":"MA-3(2)"},{"name":"label","value":"MA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"ma-3.2_smt","name":"statement","prose":"Check media containing diagnostic and test programs for malicious code before the media are used in the system."},{"id":"ma-3.2_gdn","name":"guidance","prose":"If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures."},{"id":"ma-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(02)","class":"sp800-53a"}],"prose":"media containing diagnostic and test programs are checked for malicious code before the media are used in the system.","links":[{"href":"#ma-3.2_smt","rel":"assessment-for"}]},{"id":"ma-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for inspecting media for malicious code\n\nmechanisms supporting and\/or implementing the inspection of media used for maintenance"}]}]},{"id":"ma-3.3","class":"SP800-53-enhancement","title":"Prevent Unauthorized Removal","params":[{"id":"ma-03.03_odp","props":[{"name":"alt-identifier","value":"ma-3.3_prm_1"},{"name":"label","value":"MA-03(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles who can authorize removal of equipment from the facility is\/are defined;"}]}],"props":[{"name":"label","value":"MA-3(3)"},{"name":"label","value":"MA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"ma-3.3_smt","name":"statement","prose":"Prevent the removal of maintenance equipment containing organizational information by:","parts":[{"id":"ma-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Verifying that there is no organizational information contained on the equipment;"},{"id":"ma-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Sanitizing or destroying the equipment;"},{"id":"ma-3.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retaining the equipment within the facility; or"},{"id":"ma-3.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."}]},{"id":"ma-3.3_gdn","name":"guidance","prose":"Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards."},{"id":"ma-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)","class":"sp800-53a"}],"parts":[{"id":"ma-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(a)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or","links":[{"href":"#ma-3.3_smt.a","rel":"assessment-for"}]},{"id":"ma-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(b)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or","links":[{"href":"#ma-3.3_smt.b","rel":"assessment-for"}]},{"id":"ma-3.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(c)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or","links":[{"href":"#ma-3.3_smt.c","rel":"assessment-for"}]},{"id":"ma-3.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-03(03)(d)","class":"sp800-53a"}],"prose":"the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.","links":[{"href":"#ma-3.3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ma-3.3_smt","rel":"assessment-for"}]},{"id":"ma-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nmaintenance records\n\nequipment sanitization records\n\nmedia sanitization records\n\nexemptions for equipment removal\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization"}]},{"id":"ma-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for preventing unauthorized removal of information\n\nmechanisms supporting media sanitization or destruction of equipment\n\nmechanisms supporting verification of media sanitization"}]}]},{"id":"ma-3.4","class":"SP800-53-enhancement","title":"Restricted Tool Use","props":[{"name":"label","value":"MA-3(4)"},{"name":"label","value":"MA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.4_smt","name":"statement","prose":"Restrict the use of maintenance tools to authorized personnel only."},{"id":"ma-3.4_gdn","name":"guidance","prose":"Restricting the use of maintenance tools to only authorized personnel applies to systems that are used to carry out maintenance functions."},{"id":"ma-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(04)","class":"sp800-53a"}],"prose":"the use of maintenance tools is restricted to authorized personnel only.","links":[{"href":"#ma-3.4_smt","rel":"assessment-for"}]},{"id":"ma-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting the use of maintenance tools\n\nmechanisms supporting and\/or implementing the restricted use of maintenance tools"}]}]},{"id":"ma-3.5","class":"SP800-53-enhancement","title":"Execution with Privilege","props":[{"name":"label","value":"MA-3(5)"},{"name":"label","value":"MA-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.5_smt","name":"statement","prose":"Monitor the use of maintenance tools that execute with increased privilege."},{"id":"ma-3.5_gdn","name":"guidance","prose":"Maintenance tools that execute with increased system privilege can result in unauthorized access to organizational information and assets that would otherwise be inaccessible."},{"id":"ma-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(05)","class":"sp800-53a"}],"prose":"the use of maintenance tools that execute with increased privilege is monitored.","links":[{"href":"#ma-3.5_smt","rel":"assessment-for"}]},{"id":"ma-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting the use of maintenance tools\n\norganizational process for monitoring maintenance tools and maintenance tool usage\n\nmechanisms monitoring the use of maintenance tools"}]}]},{"id":"ma-3.6","class":"SP800-53-enhancement","title":"Software Updates and Patches","props":[{"name":"label","value":"MA-3(6)"},{"name":"label","value":"MA-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"ma-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"ma-3.6_smt","name":"statement","prose":"Inspect maintenance tools to ensure the latest software updates and patches are installed."},{"id":"ma-3.6_gdn","name":"guidance","prose":"Maintenance tools using outdated and\/or unpatched software can provide a threat vector for adversaries and result in a significant vulnerability for organizations."},{"id":"ma-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-03(06)","class":"sp800-53a"}],"prose":"maintenance tools are inspected to ensure that the latest software updates and patches are installed.","links":[{"href":"#ma-3.6_smt","rel":"assessment-for"}]},{"id":"ma-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance tools\n\nsystem maintenance tools and associated documentation\n\nlist of personnel authorized to use maintenance tools\n\nmaintenance tool usage records\n\nmaintenance records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for inspecting maintenance tools\n\norganizational processes for maintenance tools updates\n\nmechanisms supporting and\/or implementing the inspection of maintenance tools\n\nmechanisms supporting and\/or implementing maintenance tool updates."}]}]}]},{"id":"ma-4","class":"SP800-53","title":"Nonlocal Maintenance","props":[{"name":"label","value":"MA-4"},{"name":"label","value":"MA-04","class":"sp800-53a"},{"name":"sort-id","value":"ma-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"ma-4_smt","name":"statement","parts":[{"id":"ma-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Approve and monitor nonlocal maintenance and diagnostic activities;"},{"id":"ma-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;"},{"id":"ma-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;"},{"id":"ma-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Maintain records for nonlocal maintenance and diagnostic activities; and"},{"id":"ma-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Terminate session and network connections when nonlocal maintenance is completed."}]},{"id":"ma-4_gdn","name":"guidance","prose":"Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in [IA-2](#ia-2) . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in [MA-4](#ma-4) is accomplished, in part, by other controls. [SP 800-63B](#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce) provides additional guidance on strong authentication and authenticators."},{"id":"ma-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are approved;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04a.[02]","class":"sp800-53a"}],"prose":"nonlocal maintenance and diagnostic activities are monitored;","links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.a","rel":"assessment-for"}]},{"id":"ma-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[01]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04b.[02]","class":"sp800-53a"}],"prose":"the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;","links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.b","rel":"assessment-for"}]},{"id":"ma-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-04c.","class":"sp800-53a"}],"prose":"strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;","links":[{"href":"#ma-4_smt.c","rel":"assessment-for"}]},{"id":"ma-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MA-04d.","class":"sp800-53a"}],"prose":"records for nonlocal maintenance and diagnostic activities are maintained;","links":[{"href":"#ma-4_smt.d","rel":"assessment-for"}]},{"id":"ma-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.","class":"sp800-53a"}],"parts":[{"id":"ma-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[01]","class":"sp800-53a"}],"prose":"session connections are terminated when nonlocal maintenance is completed;","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]},{"id":"ma-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04e.[02]","class":"sp800-53a"}],"prose":"network connections are terminated when nonlocal maintenance is completed.","links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ma-4_smt","rel":"assessment-for"}]},{"id":"ma-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nremote access policy\n\nremote access procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\nrecords of remote access\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing nonlocal maintenance\n\nmechanisms implementing, supporting, and\/or managing nonlocal maintenance\n\nmechanisms for strong authentication of nonlocal maintenance diagnostic sessions\n\nmechanisms for terminating nonlocal maintenance sessions and network connections"}]}],"controls":[{"id":"ma-4.1","class":"SP800-53-enhancement","title":"Logging and Review","params":[{"id":"ma-4.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-04.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ma-04.01_odp.02"}],"label":"organization-defined audit events"},{"id":"ma-04.01_odp.01","props":[{"name":"label","value":"MA-04(01)_ODP[01]","class":"sp800-53a"}],"label":"audit events","guidelines":[{"prose":"audit events to be logged for nonlocal maintenance are defined;"}]},{"id":"ma-04.01_odp.02","props":[{"name":"label","value":"MA-04(01)_ODP[02]","class":"sp800-53a"}],"label":"audit events","guidelines":[{"prose":"audit events to be logged for diagnostic sessions are defined;"}]}],"props":[{"name":"label","value":"MA-4(1)"},{"name":"label","value":"MA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"ma-4.1_smt","name":"statement","parts":[{"id":"ma-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Log {{ insert: param, ma-4.1_prm_1 }} for nonlocal maintenance and diagnostic sessions; and"},{"id":"ma-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior."}]},{"id":"ma-4.1_gdn","name":"guidance","prose":"Audit logging for nonlocal maintenance is enforced by [AU-2](#au-2) . Audit events are defined in [AU-2a](#au-2_smt.a)."},{"id":"ma-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;","links":[{"href":"#ma-4.1_smt.a","rel":"assessment-for"}]},{"id":"ma-4.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(a)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;","links":[{"href":"#ma-4.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.1_smt.a","rel":"assessment-for"}]},{"id":"ma-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)[01]","class":"sp800-53a"}],"prose":"the audit records of the maintenance sessions are reviewed to detect anomalous behavior;","links":[{"href":"#ma-4.1_smt.b","rel":"assessment-for"}]},{"id":"ma-4.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(01)(b)[02]","class":"sp800-53a"}],"prose":"the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.","links":[{"href":"#ma-4.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.1_smt","rel":"assessment-for"}]},{"id":"ma-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nlist of audit events\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nreviews of maintenance and diagnostic session records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with audit and review responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for audit and review of nonlocal maintenance\n\nmechanisms supporting and\/or implementing audit and review of nonlocal maintenance"}]}]},{"id":"ma-4.2","class":"SP800-53-enhancement","title":"Document Nonlocal Maintenance","props":[{"name":"label","value":"MA-4(2)"},{"name":"label","value":"MA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-1","rel":"incorporated-into"},{"href":"#ma-4","rel":"incorporated-into"}]},{"id":"ma-4.3","class":"SP800-53-enhancement","title":"Comparable Security and Sanitization","props":[{"name":"label","value":"MA-4(3)"},{"name":"label","value":"MA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"ma-4.3_smt","name":"statement","parts":[{"id":"ma-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"},{"id":"ma-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Remove the component to be serviced from the system prior to nonlocal maintenance or diagnostic services; sanitize the component (for organizational information); and after the service is performed, inspect and sanitize the component (for potentially malicious software) before reconnecting the component to the system."}]},{"id":"ma-4.3_gdn","name":"guidance","prose":"Comparable security capability on systems, diagnostic tools, and equipment providing maintenance services implies that the implemented controls on those systems, tools, and equipment are at least as comprehensive as the controls on the system being serviced."},{"id":"ma-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[01]","class":"sp800-53a"}],"prose":"nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;","links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]},{"id":"ma-4.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(a)[02]","class":"sp800-53a"}],"prose":"nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or","links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt.a","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[01]","class":"sp800-53a"}],"prose":"the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[02]","class":"sp800-53a"}],"prose":"the component to be serviced is sanitized (for organizational information);","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]},{"id":"ma-4.3_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-04(03)(b)[03]","class":"sp800-53a"}],"prose":"the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.","links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.3_smt","rel":"assessment-for"}]},{"id":"ma-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nservice provider contracts and\/or service-level agreements\n\nmaintenance records\n\ninspection records\n\naudit records\n\nequipment sanitization records\n\nmedia sanitization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nsystem maintenance provider\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for comparable security and sanitization for nonlocal maintenance\n\norganizational processes for the removal, sanitization, and inspection of components serviced via nonlocal maintenance\n\nmechanisms supporting and\/or implementing component sanitization and inspection"}]}]},{"id":"ma-4.4","class":"SP800-53-enhancement","title":"Authentication and Separation of Maintenance Sessions","params":[{"id":"ma-04.04_odp","props":[{"name":"alt-identifier","value":"ma-4.4_prm_1"},{"name":"label","value":"MA-04(04)_ODP","class":"sp800-53a"}],"label":"authenticators that are replay resistant","guidelines":[{"prose":"authenticators that are replay resistant are defined;"}]}],"props":[{"name":"label","value":"MA-4(4)"},{"name":"label","value":"MA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"}],"parts":[{"id":"ma-4.4_smt","name":"statement","prose":"Protect nonlocal maintenance sessions by:","parts":[{"id":"ma-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employing {{ insert: param, ma-04.04_odp }} ; and"},{"id":"ma-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Separating the maintenance sessions from other network sessions with the system by either:","parts":[{"id":"ma-4.4_smt.b.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Physically separated communications paths; or"},{"id":"ma-4.4_smt.b.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Logically separated communications paths."}]}]},{"id":"ma-4.4_gdn","name":"guidance","prose":"Communications paths can be logically separated using encryption."},{"id":"ma-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)","class":"sp800-53a"}],"parts":[{"id":"ma-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(a)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};","links":[{"href":"#ma-4.4_smt.a","rel":"assessment-for"}]},{"id":"ma-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-4.4_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)(01)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or","links":[{"href":"#ma-4.4_smt.b.1","rel":"assessment-for"}]},{"id":"ma-4.4_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(04)(b)(02)","class":"sp800-53a"}],"prose":"nonlocal maintenance sessions are protected by logically separated communication paths.","links":[{"href":"#ma-4.4_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.4_smt","rel":"assessment-for"}]},{"id":"ma-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting nonlocal maintenance sessions\n\nmechanisms implementing replay-resistant authenticators\n\nmechanisms implementing logically separated\/encrypted communication paths"}]}]},{"id":"ma-4.5","class":"SP800-53-enhancement","title":"Approvals and Notifications","params":[{"id":"ma-04.05_odp.01","props":[{"name":"alt-identifier","value":"ma-4.5_prm_1"},{"name":"label","value":"MA-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles required to approve each nonlocal maintenance session is\/are defined;"}]},{"id":"ma-04.05_odp.02","props":[{"name":"alt-identifier","value":"ma-4.5_prm_2"},{"name":"alt-label","value":"personnel or roles","class":"sp800-53"},{"name":"label","value":"MA-04(05)_ODP[02]","class":"sp800-53a"}],"label":"personnel and roles","guidelines":[{"prose":"personnel and roles to be notified of the date and time of planned nonlocal maintenance is\/are defined;"}]}],"props":[{"name":"label","value":"MA-4(5)"},{"name":"label","value":"MA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-4","rel":"required"}],"parts":[{"id":"ma-4.5_smt","name":"statement","parts":[{"id":"ma-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require the approval of each nonlocal maintenance session by {{ insert: param, ma-04.05_odp.01 }} ; and"},{"id":"ma-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Notify the following personnel or roles of the date and time of planned nonlocal maintenance: {{ insert: param, ma-04.05_odp.02 }}."}]},{"id":"ma-4.5_gdn","name":"guidance","prose":"Notification may be performed by maintenance personnel. Approval of nonlocal maintenance is accomplished by personnel with sufficient information security and system knowledge to determine the appropriateness of the proposed maintenance."},{"id":"ma-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)","class":"sp800-53a"}],"parts":[{"id":"ma-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)(a)","class":"sp800-53a"}],"prose":"the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};","links":[{"href":"#ma-4.5_smt.a","rel":"assessment-for"}]},{"id":"ma-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-04(05)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.05_odp.02 }} is\/are notified of the date and time of planned nonlocal maintenance.","links":[{"href":"#ma-4.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.5_smt","rel":"assessment-for"}]},{"id":"ma-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nnotifications supporting nonlocal maintenance sessions\n\nmaintenance records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with notification responsibilities\n\norganizational personnel with approval responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for approving and notifying personnel regarding nonlocal maintenance\n\nmechanisms supporting the notification and approval of nonlocal maintenance"}]}]},{"id":"ma-4.6","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"ma-04.06_odp","props":[{"name":"alt-identifier","value":"ma-4.6_prm_1"},{"name":"label","value":"MA-04(06)_ODP","class":"sp800-53a"}],"label":"cryptographic mechanisms","guidelines":[{"prose":"cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;"}]}],"props":[{"name":"label","value":"MA-4(6)"},{"name":"label","value":"MA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"ma-4.6_smt","name":"statement","prose":"Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: {{ insert: param, ma-04.06_odp }}."},{"id":"ma-4.6_gdn","name":"guidance","prose":"Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities."},{"id":"ma-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)","class":"sp800-53a"}],"parts":[{"id":"ma-4.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;","links":[{"href":"#ma-4.6_smt","rel":"assessment-for"}]},{"id":"ma-4.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(06)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.","links":[{"href":"#ma-4.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.6_smt","rel":"assessment-for"}]},{"id":"ma-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms protecting nonlocal maintenance and diagnostic communications"}]}]},{"id":"ma-4.7","class":"SP800-53-enhancement","title":"Disconnect Verification","props":[{"name":"label","value":"MA-4(7)"},{"name":"label","value":"MA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"ma-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ma-4","rel":"required"},{"href":"#ac-12","rel":"related"}],"parts":[{"id":"ma-4.7_smt","name":"statement","prose":"Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions."},{"id":"ma-4.7_gdn","name":"guidance","prose":"Verifying the termination of a connection once maintenance is completed ensures that connections established during nonlocal maintenance and diagnostic sessions have been terminated and are no longer available for use."},{"id":"ma-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)","class":"sp800-53a"}],"parts":[{"id":"ma-4.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)[01]","class":"sp800-53a"}],"prose":"session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;","links":[{"href":"#ma-4.7_smt","rel":"assessment-for"}]},{"id":"ma-4.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-04(07)[02]","class":"sp800-53a"}],"prose":"network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.","links":[{"href":"#ma-4.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ma-4.7_smt","rel":"assessment-for"}]},{"id":"ma-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing nonlocal system maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsession\/network termination logs\n\ncryptographic mechanisms protecting nonlocal maintenance activities\n\nmaintenance records\n\ndiagnostic records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\nnetwork engineers\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing remote disconnect verifications of terminated nonlocal maintenance and diagnostic sessions"}]}]}]},{"id":"ma-5","class":"SP800-53","title":"Maintenance Personnel","props":[{"name":"label","value":"MA-5"},{"name":"label","value":"MA-05","class":"sp800-53a"},{"name":"sort-id","value":"ma-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"ma-5_smt","name":"statement","parts":[{"id":"ma-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;"},{"id":"ma-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and"},{"id":"ma-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."}]},{"id":"ma-5_gdn","name":"guidance","prose":"Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while [PE-2](#pe-2) addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods."},{"id":"ma-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.","class":"sp800-53a"}],"parts":[{"id":"ma-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[01]","class":"sp800-53a"}],"prose":"a process for maintenance personnel authorization is established;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05a.[02]","class":"sp800-53a"}],"prose":"a list of authorized maintenance organizations or personnel is maintained;","links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt.a","rel":"assessment-for"}]},{"id":"ma-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05b.","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance on the system possess the required access authorizations;","links":[{"href":"#ma-5_smt.b","rel":"assessment-for"}]},{"id":"ma-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MA-05c.","class":"sp800-53a"}],"prose":"organizational personnel with required access authorizations and technical competence is\/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.","links":[{"href":"#ma-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ma-5_smt","rel":"assessment-for"}]},{"id":"ma-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nservice provider contracts\n\nservice-level agreements\n\nlist of authorized personnel\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing and managing maintenance personnel\n\nmechanisms supporting and\/or implementing authorization of maintenance personnel"}]}],"controls":[{"id":"ma-5.1","class":"SP800-53-enhancement","title":"Individuals Without Appropriate Access","params":[{"id":"ma-05.01_odp","props":[{"name":"alt-identifier","value":"ma-5.1_prm_1"},{"name":"label","value":"MA-05(01)_ODP","class":"sp800-53a"}],"label":"alternate controls","guidelines":[{"prose":"alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;"}]}],"props":[{"name":"label","value":"MA-5(1)"},{"name":"label","value":"MA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"ma-5.1_smt","name":"statement","parts":[{"id":"ma-5.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:","parts":[{"id":"ma-5.1_smt.a.1","name":"item","props":[{"name":"label","value":"(1)"}],"prose":"Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified; and"},{"id":"ma-5.1_smt.a.2","name":"item","props":[{"name":"label","value":"(2)"}],"prose":"Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and"}]},{"id":"ma-5.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop and implement {{ insert: param, ma-05.01_odp }} in the event a system component cannot be sanitized, removed, or disconnected from the system."}]},{"id":"ma-5.1_gdn","name":"guidance","prose":"Procedures for individuals who lack appropriate security clearances or who are not U.S. citizens are intended to deny visual and electronic access to classified or controlled unclassified information contained on organizational systems. Procedures for the use of maintenance personnel can be documented in security plans for the systems."},{"id":"ma-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)","class":"sp800-53a"}],"parts":[{"id":"ma-5.1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(01)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;","links":[{"href":"#ma-5.1_smt.a.1","rel":"assessment-for"}]},{"id":"ma-5.1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(a)(02)","class":"sp800-53a"}],"prose":"procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;","links":[{"href":"#ma-5.1_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.1_smt.a","rel":"assessment-for"}]},{"id":"ma-5.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.","links":[{"href":"#ma-5.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.1_smt","rel":"assessment-for"}]},{"id":"ma-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\nphysical and environmental protection policy\n\nlist of maintenance personnel requiring escort\/supervision\n\nmaintenance records\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for media sanitization\n\nsystem\/network administrators"}]},{"id":"ma-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing maintenance personnel without appropriate access\n\nmechanisms supporting and\/or implementing alternative security safeguards\n\nmechanisms supporting and\/or implementing information storage component sanitization"}]}]},{"id":"ma-5.2","class":"SP800-53-enhancement","title":"Security Clearances for Classified Systems","props":[{"name":"label","value":"MA-5(2)"},{"name":"label","value":"MA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.2_smt","name":"statement","prose":"Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals for at least the highest classification level and for compartments of information on the system."},{"id":"ma-5.2_gdn","name":"guidance","prose":"Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. To mitigate the inherent risk of such exposure, organizations use maintenance personnel that are cleared (i.e., possess security clearances) to the classification level of the information stored on the system."},{"id":"ma-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)","class":"sp800-53a"}],"parts":[{"id":"ma-5.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)[01]","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;","links":[{"href":"#ma-5.2_smt","rel":"assessment-for"}]},{"id":"ma-5.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(02)[02]","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.","links":[{"href":"#ma-5.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.2_smt","rel":"assessment-for"}]},{"id":"ma-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing security clearances for maintenance personnel"}]}]},{"id":"ma-5.3","class":"SP800-53-enhancement","title":"Citizenship Requirements for Classified Systems","props":[{"name":"label","value":"MA-5(3)"},{"name":"label","value":"MA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.3_smt","name":"statement","prose":"Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens."},{"id":"ma-5.3_gdn","name":"guidance","prose":"Personnel who conduct maintenance on organizational systems may be exposed to classified information during the course of their maintenance activities. If access to classified information on organizational systems is restricted to U.S. citizens, the same restriction is applied to personnel performing maintenance on those systems."},{"id":"ma-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(03)","class":"sp800-53a"}],"prose":"personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.","links":[{"href":"#ma-5.3_smt","rel":"assessment-for"}]},{"id":"ma-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\npersonnel records\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ma-5.4","class":"SP800-53-enhancement","title":"Foreign Nationals","props":[{"name":"label","value":"MA-5(4)"},{"name":"label","value":"MA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"},{"href":"#ps-3","rel":"related"}],"parts":[{"id":"ma-5.4_smt","name":"statement","prose":"Ensure that:","parts":[{"id":"ma-5.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments; and"},{"id":"ma-5.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements."}]},{"id":"ma-5.4_gdn","name":"guidance","prose":"Personnel who conduct maintenance and diagnostic activities on organizational systems may be exposed to classified information. If non-U.S. citizens are permitted to perform maintenance and diagnostics activities on classified systems, then additional vetting is required to ensure agreements and restrictions are not being violated."},{"id":"ma-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ma-5.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(a)","class":"sp800-53a"}],"prose":"foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;","links":[{"href":"#ma-5.4_smt.a","rel":"assessment-for"}]},{"id":"ma-5.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)","class":"sp800-53a"}],"parts":[{"id":"ma-5.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[01]","class":"sp800-53a"}],"prose":"approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;","links":[{"href":"#ma-5.4_smt.b","rel":"assessment-for"}]},{"id":"ma-5.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[02]","class":"sp800-53a"}],"prose":"consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;","links":[{"href":"#ma-5.4_smt.b","rel":"assessment-for"}]},{"id":"ma-5.4_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"MA-05(04)(b)[03]","class":"sp800-53a"}],"prose":"detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.","links":[{"href":"#ma-5.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ma-5.4_smt","rel":"assessment-for"}]},{"id":"ma-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmemorandum of agreement\n\nmaintenance records\n\naccess control records\n\naccess credentials\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities, organizational personnel with personnel security responsibilities\n\norganizational personnel managing memoranda of agreements\n\norganizational personnel with information security responsibilities"}]},{"id":"ma-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing foreign national maintenance personnel"}]}]},{"id":"ma-5.5","class":"SP800-53-enhancement","title":"Non-system Maintenance","props":[{"name":"label","value":"MA-5(5)"},{"name":"label","value":"MA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ma-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-5","rel":"required"}],"parts":[{"id":"ma-5.5_smt","name":"statement","prose":"Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations."},{"id":"ma-5.5_gdn","name":"guidance","prose":"Personnel who perform maintenance activities in other capacities not directly related to the system include physical plant personnel and custodial personnel."},{"id":"ma-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-05(05)","class":"sp800-53a"}],"prose":"non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.","links":[{"href":"#ma-5.5_smt","rel":"assessment-for"}]},{"id":"ma-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing maintenance personnel\n\nsystem media protection policy\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmaintenance records\n\naccess control records\n\naccess authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with personnel security responsibilities\n\norganizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"ma-6","class":"SP800-53","title":"Timely Maintenance","params":[{"id":"ma-06_odp.01","props":[{"name":"alt-identifier","value":"ma-6_prm_1"},{"name":"label","value":"MA-06_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which maintenance support and\/or spare parts are obtained are defined;"}]},{"id":"ma-06_odp.02","props":[{"name":"alt-identifier","value":"ma-6_prm_2"},{"name":"label","value":"MA-06_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which maintenance support and\/or spare parts are to be obtained after a failure are defined;"}]}],"props":[{"name":"label","value":"MA-6"},{"name":"label","value":"MA-06","class":"sp800-53a"},{"name":"sort-id","value":"ma-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-13","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"ma-6_smt","name":"statement","prose":"Obtain maintenance support and\/or spare parts for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."},{"id":"ma-6_gdn","name":"guidance","prose":"Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place."},{"id":"ma-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06","class":"sp800-53a"}],"prose":"maintenance support and\/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.","links":[{"href":"#ma-6_smt","rel":"assessment-for"}]},{"id":"ma-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\ninventory and availability of spare parts\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring timely maintenance"}]}],"controls":[{"id":"ma-6.1","class":"SP800-53-enhancement","title":"Preventive Maintenance","params":[{"id":"ma-06.01_odp.01","props":[{"name":"alt-identifier","value":"ma-6.1_prm_1"},{"name":"label","value":"MA-06(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which preventive maintenance is to be performed are defined;"}]},{"id":"ma-06.01_odp.02","props":[{"name":"alt-identifier","value":"ma-6.1_prm_2"},{"name":"label","value":"MA-06(01)_ODP[02]","class":"sp800-53a"}],"label":"time intervals","guidelines":[{"prose":"time intervals within which preventive maintenance is to be performed on system components are defined;"}]}],"props":[{"name":"label","value":"MA-6(1)"},{"name":"label","value":"MA-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.1_smt","name":"statement","prose":"Perform preventive maintenance on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}."},{"id":"ma-6.1_gdn","name":"guidance","prose":"Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail. Methods of determining what preventive (or other) failure management policies to apply include original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications."},{"id":"ma-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(01)","class":"sp800-53a"}],"prose":"preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}.","links":[{"href":"#ma-6.1_smt","rel":"assessment-for"}]},{"id":"ma-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring preventive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for preventive maintenance\n\nmechanisms supporting and\/or implementing preventive maintenance"}]}]},{"id":"ma-6.2","class":"SP800-53-enhancement","title":"Predictive Maintenance","params":[{"id":"ma-06.02_odp.01","props":[{"name":"alt-identifier","value":"ma-6.2_prm_1"},{"name":"label","value":"MA-06(02)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components on which predictive maintenance is to be performed are defined;"}]},{"id":"ma-06.02_odp.02","props":[{"name":"alt-identifier","value":"ma-6.2_prm_2"},{"name":"label","value":"MA-06(02)_ODP[02]","class":"sp800-53a"}],"label":"time intervals","guidelines":[{"prose":"time intervals within which predictive maintenance is to be performed are defined;"}]}],"props":[{"name":"label","value":"MA-6(2)"},{"name":"label","value":"MA-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.2_smt","name":"statement","prose":"Perform predictive maintenance on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}."},{"id":"ma-6.2_gdn","name":"guidance","prose":"Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability."},{"id":"ma-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(02)","class":"sp800-53a"}],"prose":"predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}.","links":[{"href":"#ma-6.2_smt","rel":"assessment-for"}]},{"id":"ma-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for predictive maintenance\n\nmechanisms supporting and\/or implementing predictive maintenance"}]}]},{"id":"ma-6.3","class":"SP800-53-enhancement","title":"Automated Support for Predictive Maintenance","params":[{"id":"ma-06.03_odp","props":[{"name":"alt-identifier","value":"ma-6.3_prm_1"},{"name":"label","value":"MA-06(03)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;"}]}],"props":[{"name":"label","value":"MA-6(3)"},{"name":"label","value":"MA-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ma-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-6","rel":"required"}],"parts":[{"id":"ma-6.3_smt","name":"statement","prose":"Transfer predictive maintenance data to a maintenance management system using {{ insert: param, ma-06.03_odp }}."},{"id":"ma-6.3_gdn","name":"guidance","prose":"A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting."},{"id":"ma-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-06(03)","class":"sp800-53a"}],"prose":"predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}.","links":[{"href":"#ma-6.3_smt","rel":"assessment-for"}]},{"id":"ma-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing system maintenance\n\nservice provider contracts\n\nservice-level agreements\n\nmaintenance records\n\nlist of system components requiring predictive maintenance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ma-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms implementing the transfer of predictive maintenance data to a computerized maintenance management system\n\noperations of the computer maintenance management system"}]}]}]},{"id":"ma-7","class":"SP800-53","title":"Field Maintenance","params":[{"id":"ma-07_odp.01","props":[{"name":"alt-identifier","value":"ma-7_prm_1"},{"name":"label","value":"MA-07_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined;"}]},{"id":"ma-07_odp.02","props":[{"name":"alt-identifier","value":"ma-7_prm_2"},{"name":"label","value":"MA-07_ODP[02]","class":"sp800-53a"}],"label":"trusted maintenance facilities","guidelines":[{"prose":"trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;"}]}],"props":[{"name":"label","value":"MA-7"},{"name":"label","value":"MA-07","class":"sp800-53a"},{"name":"sort-id","value":"ma-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"}],"parts":[{"id":"ma-7_smt","name":"statement","prose":"Restrict or prohibit field maintenance on {{ insert: param, ma-07_odp.01 }} to {{ insert: param, ma-07_odp.02 }}."},{"id":"ma-7_gdn","name":"guidance","prose":"Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls."},{"id":"ma-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MA-07","class":"sp800-53a"}],"prose":"field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}.","links":[{"href":"#ma-7_smt","rel":"assessment-for"}]},{"id":"ma-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Maintenance policy\n\nprocedures addressing field maintenance\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmaintenance records\n\ndiagnostic records\n\nsystem security plan\n\nother relevant documents or records."}]},{"id":"ma-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system maintenance responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"ma-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing field maintenance\n\nmechanisms implementing, supporting, and\/or managing field maintenance\n\nmechanisms for strong authentication of field maintenance diagnostic sessions\n\nmechanisms for terminating field maintenance sessions and network connections"}]}]}]},{"id":"mp","class":"family","title":"Media Protection","controls":[{"id":"mp-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"mp-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"mp-01_odp.01","props":[{"name":"label","value":"MP-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection policy is to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.02","props":[{"name":"label","value":"MP-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the media protection procedures are to be disseminated is\/are defined;"}]},{"id":"mp-01_odp.03","props":[{"name":"alt-identifier","value":"mp-1_prm_2"},{"name":"label","value":"MP-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"mp-01_odp.04","props":[{"name":"alt-identifier","value":"mp-1_prm_3"},{"name":"label","value":"MP-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the media protection policy and procedures is defined;"}]},{"id":"mp-01_odp.05","props":[{"name":"alt-identifier","value":"mp-1_prm_4"},{"name":"label","value":"MP-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection policy is reviewed and updated is defined;"}]},{"id":"mp-01_odp.06","props":[{"name":"alt-identifier","value":"mp-1_prm_5"},{"name":"label","value":"MP-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current media protection policy to be reviewed and updated are defined;"}]},{"id":"mp-01_odp.07","props":[{"name":"alt-identifier","value":"mp-1_prm_6"},{"name":"label","value":"MP-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current media protection procedures are reviewed and updated is defined;"}]},{"id":"mp-01_odp.08","props":[{"name":"alt-identifier","value":"mp-1_prm_7"},{"name":"label","value":"MP-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require media protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"MP-1"},{"name":"label","value":"MP-01","class":"sp800-53a"},{"name":"sort-id","value":"mp-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-1_smt","name":"statement","parts":[{"id":"mp-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, mp-1_prm_1 }}:","parts":[{"id":"mp-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, mp-01_odp.03 }} media protection policy that:","parts":[{"id":"mp-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"mp-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"mp-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;"}]},{"id":"mp-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, mp-01_odp.04 }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and"},{"id":"mp-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current media protection:","parts":[{"id":"mp-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, mp-01_odp.05 }} and following {{ insert: param, mp-01_odp.06 }} ; and"},{"id":"mp-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, mp-01_odp.07 }} and following {{ insert: param, mp-01_odp.08 }}."}]}]},{"id":"mp-1_gdn","name":"guidance","prose":"Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"mp-1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[01]","class":"sp800-53a"}],"prose":"a media protection policy is developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[02]","class":"sp800-53a"}],"prose":"the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[03]","class":"sp800-53a"}],"prose":"media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.[04]","class":"sp800-53a"}],"prose":"the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};","links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;","links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"mp-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01a.01(b)","class":"sp800-53a"}],"prose":"the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#mp-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.a","rel":"assessment-for"}]},{"id":"mp-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.","links":[{"href":"#mp-1_smt.b","rel":"assessment-for"}]},{"id":"mp-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[01]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.01[02]","class":"sp800-53a"}],"prose":"the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};","links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.1","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02","class":"sp800-53a"}],"parts":[{"id":"mp-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[01]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]},{"id":"mp-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"MP-01c.02[02]","class":"sp800-53a"}],"prose":"the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.","links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#mp-1_smt","rel":"assessment-for"}]},{"id":"mp-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Media protection policy and procedures\n\norganizational risk management strategy\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"mp-2","class":"SP800-53","title":"Media Access","params":[{"id":"mp-2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.03"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-2_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-02_odp.04"}],"label":"organization-defined personnel or roles"},{"id":"mp-02_odp.01","props":[{"name":"label","value":"MP-02_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.02","props":[{"name":"label","value":"MP-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access digital media is\/are defined;"}]},{"id":"mp-02_odp.03","props":[{"name":"label","value":"MP-02_ODP[03]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to which access is restricted are defined;"}]},{"id":"mp-02_odp.04","props":[{"name":"label","value":"MP-02_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles authorized to access non-digital media is\/are defined;"}]}],"props":[{"name":"label","value":"MP-2"},{"name":"label","value":"MP-02","class":"sp800-53a"},{"name":"sort-id","value":"mp-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-2_smt","name":"statement","prose":"Restrict access to {{ insert: param, mp-2_prm_1 }} to {{ insert: param, mp-2_prm_2 }}."},{"id":"mp-2_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media."},{"id":"mp-2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-02","class":"sp800-53a"}],"parts":[{"id":"mp-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-02[01]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-02[02]","class":"sp800-53a"}],"prose":"access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.","links":[{"href":"#mp-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-2_smt","rel":"assessment-for"}]},{"id":"mp-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media access restrictions\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nmedia storage facilities\n\naccess control records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information media\n\nmechanisms supporting and\/or implementing media access restrictions"}]}],"controls":[{"id":"mp-2.1","class":"SP800-53-enhancement","title":"Automated Restricted Access","props":[{"name":"label","value":"MP-2(1)"},{"name":"label","value":"MP-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-4.2","rel":"incorporated-into"}]},{"id":"mp-2.2","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-2(2)"},{"name":"label","value":"MP-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]}]},{"id":"mp-3","class":"SP800-53","title":"Media Marking","params":[{"id":"mp-03_odp.01","props":[{"name":"alt-identifier","value":"mp-3_prm_1"},{"name":"alt-label","value":"types of system media","class":"sp800-53"},{"name":"label","value":"MP-03_ODP[01]","class":"sp800-53a"}],"label":"types of media exempted from marking","guidelines":[{"prose":"types of system media exempt from marking when remaining in controlled areas are defined;"}]},{"id":"mp-03_odp.02","props":[{"name":"alt-identifier","value":"mp-3_prm_2"},{"name":"label","value":"MP-03_ODP[02]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas where media is exempt from marking are defined;"}]}],"props":[{"name":"label","value":"MP-3"},{"name":"label","value":"MP-03","class":"sp800-53a"},{"name":"sort-id","value":"mp-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#34a5571f-e252-4309-a8a1-2fdb2faefbcd","rel":"reference"},{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-22","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-3_smt","name":"statement","parts":[{"id":"mp-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and"},{"id":"mp-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Exempt {{ insert: param, mp-03_odp.01 }} from marking if the media remain within {{ insert: param, mp-03_odp.02 }}."}]},{"id":"mp-3_gdn","name":"guidance","prose":"Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"mp-3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-03","class":"sp800-53a"}],"parts":[{"id":"mp-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-03a.","class":"sp800-53a"}],"prose":"system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;","links":[{"href":"#mp-3_smt.a","rel":"assessment-for"}]},{"id":"mp-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-03b.","class":"sp800-53a"}],"prose":"{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.","links":[{"href":"#mp-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-3_smt","rel":"assessment-for"}]},{"id":"mp-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media marking\n\nphysical and environmental protection policy and procedures\n\nlist of system media marking security attributes\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and marking responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for marking information media\n\nmechanisms supporting and\/or implementing media marking"}]}]},{"id":"mp-4","class":"SP800-53","title":"Media Storage","params":[{"id":"mp-4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.04"}],"label":"organization-defined types of digital and\/or non-digital media"},{"id":"mp-4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04_odp.06"}],"label":"organization-defined controlled areas"},{"id":"mp-04_odp.01","props":[{"name":"label","value":"MP-04_ODP[01]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.02","props":[{"name":"label","value":"MP-04_ODP[02]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be physically controlled are defined (if selected);"}]},{"id":"mp-04_odp.03","props":[{"name":"label","value":"MP-04_ODP[03]","class":"sp800-53a"}],"label":"types of digital media","guidelines":[{"prose":"types of digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.04","props":[{"name":"label","value":"MP-04_ODP[04]","class":"sp800-53a"}],"label":"types of non-digital media","guidelines":[{"prose":"types of non-digital media to be securely stored are defined (if selected);"}]},{"id":"mp-04_odp.05","props":[{"name":"label","value":"MP-04_ODP[05]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store digital media are defined;"}]},{"id":"mp-04_odp.06","props":[{"name":"label","value":"MP-04_ODP[06]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which to securely store non-digital media are defined;"}]}],"props":[{"name":"label","value":"MP-4"},{"name":"label","value":"MP-04","class":"sp800-53a"},{"name":"sort-id","value":"mp-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"mp-4_smt","name":"statement","parts":[{"id":"mp-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Physically control and securely store {{ insert: param, mp-4_prm_1 }} within {{ insert: param, mp-4_prm_2 }} ; and"},{"id":"mp-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques, and procedures."}]},{"id":"mp-4_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Physically controlling stored media includes conducting inventories, ensuring procedures are in place to allow individuals to check out and return media to the library, and maintaining accountability for stored media. Secure storage includes a locked drawer, desk, or cabinet or a controlled media library. The type of media storage is commensurate with the security category or classification of the information on the media. Controlled areas are spaces that provide physical and procedural controls to meet the requirements established for protecting information and systems. Fewer controls may be needed for media that contains information determined to be in the public domain, publicly releasable, or have limited adverse impacts on organizations, operations, or individuals if accessed by other than authorized personnel. In these situations, physical access controls provide adequate protection."},{"id":"mp-4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.","class":"sp800-53a"}],"parts":[{"id":"mp-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.01 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.02 }} are physically controlled;","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"MP-04a.[04]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};","links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt.a","rel":"assessment-for"}]},{"id":"mp-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-04b.","class":"sp800-53a"}],"prose":"system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.","links":[{"href":"#mp-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-4_smt","rel":"assessment-for"}]},{"id":"mp-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing secure media storage\/media protection"}]}],"controls":[{"id":"mp-4.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-4(1)"},{"name":"label","value":"MP-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-04.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]},{"id":"mp-4.2","class":"SP800-53-enhancement","title":"Automated Restricted Access","params":[{"id":"mp-4.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-04.02_odp.03"}],"label":"organization-defined automated mechanisms"},{"id":"mp-04.02_odp.01","props":[{"name":"label","value":"MP-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to restrict access to media storage areas are defined;"}]},{"id":"mp-04.02_odp.02","props":[{"name":"label","value":"MP-04(02)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to log access attempts to media storage areas are defined;"}]},{"id":"mp-04.02_odp.03","props":[{"name":"label","value":"MP-04(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to log access granted to media storage areas are defined;"}]}],"props":[{"name":"label","value":"MP-4(2)"},{"name":"label","value":"MP-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-4","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#pe-3","rel":"related"}],"parts":[{"id":"mp-4.2_smt","name":"statement","prose":"Restrict access to media storage areas and log access attempts and access granted using {{ insert: param, mp-4.2_prm_1 }}."},{"id":"mp-4.2_gdn","name":"guidance","prose":"Automated mechanisms include keypads, biometric readers, or card readers on the external entries to media storage areas."},{"id":"mp-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)","class":"sp800-53a"}],"parts":[{"id":"mp-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[01]","class":"sp800-53a"}],"prose":"access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};","links":[{"href":"#mp-4.2_smt","rel":"assessment-for"}]},{"id":"mp-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[02]","class":"sp800-53a"}],"prose":"access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};","links":[{"href":"#mp-4.2_smt","rel":"assessment-for"}]},{"id":"mp-4.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-04(02)[03]","class":"sp800-53a"}],"prose":"access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}.","links":[{"href":"#mp-4.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-4.2_smt","rel":"assessment-for"}]},{"id":"mp-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\naccess control policy and procedures\n\nphysical and environmental protection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nmedia storage facilities\n\naccess control devices\n\naccess control records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms restricting access to media storage areas\n\nautomated mechanisms auditing access attempts and access granted to media storage areas"}]}]}]},{"id":"mp-5","class":"SP800-53","title":"Media Transport","params":[{"id":"mp-5_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-05_odp.03"}],"label":"organization-defined controls"},{"id":"mp-05_odp.01","props":[{"name":"alt-identifier","value":"mp-5_prm_1"},{"name":"label","value":"MP-05_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to protect and control during transport outside of controlled areas are defined;"}]},{"id":"mp-05_odp.02","props":[{"name":"label","value":"MP-05_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to protect system media outside of controlled areas are defined;"}]},{"id":"mp-05_odp.03","props":[{"name":"label","value":"MP-05_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls used to control system media outside of controlled areas are defined;"}]}],"props":[{"name":"label","value":"MP-5"},{"name":"label","value":"MP-05","class":"sp800-53a"},{"name":"sort-id","value":"mp-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#ac-7","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-34","rel":"related"}],"parts":[{"id":"mp-5_smt","name":"statement","parts":[{"id":"mp-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Protect and control {{ insert: param, mp-05_odp.01 }} during transport outside of controlled areas using {{ insert: param, mp-5_prm_2 }};"},{"id":"mp-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain accountability for system media during transport outside of controlled areas;"},{"id":"mp-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document activities associated with the transport of system media; and"},{"id":"mp-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Restrict the activities associated with the transport of system media to authorized personnel."}]},{"id":"mp-5_gdn","name":"guidance","prose":"System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and\/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records."},{"id":"mp-5_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};","links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.a","rel":"assessment-for"}]},{"id":"mp-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-05b.","class":"sp800-53a"}],"prose":"accountability for system media is maintained during transport outside of controlled areas;","links":[{"href":"#mp-5_smt.b","rel":"assessment-for"}]},{"id":"mp-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-05c.","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are documented;","links":[{"href":"#mp-5_smt.c","rel":"assessment-for"}]},{"id":"mp-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.","class":"sp800-53a"}],"parts":[{"id":"mp-5_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[01]","class":"sp800-53a"}],"prose":"personnel authorized to conduct media transport activities is\/are identified;","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]},{"id":"mp-5_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05d.[02]","class":"sp800-53a"}],"prose":"activities associated with the transport of system media are restricted to identified authorized personnel.","links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-5_smt","rel":"assessment-for"}]},{"id":"mp-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media storage\n\nphysical and environmental protection policy and procedures\n\naccess control policy and procedures\n\nauthorized personnel list\n\nsystem media\n\ndesignated controlled areas\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media protection and storage responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for storing information media\n\nmechanisms supporting and\/or implementing media storage\/media protection"}]}],"controls":[{"id":"mp-5.1","class":"SP800-53-enhancement","title":"Protection Outside of Controlled Areas","props":[{"name":"label","value":"MP-5(1)"},{"name":"label","value":"MP-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-5","rel":"incorporated-into"}]},{"id":"mp-5.2","class":"SP800-53-enhancement","title":"Documentation of Activities","props":[{"name":"label","value":"MP-5(2)"},{"name":"label","value":"MP-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-5","rel":"incorporated-into"}]},{"id":"mp-5.3","class":"SP800-53-enhancement","title":"Custodians","props":[{"name":"label","value":"MP-5(3)"},{"name":"label","value":"MP-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-5","rel":"required"}],"parts":[{"id":"mp-5.3_smt","name":"statement","prose":"Employ an identified custodian during transport of system media outside of controlled areas."},{"id":"mp-5.3_gdn","name":"guidance","prose":"Identified custodians provide organizations with specific points of contact during the media transport process and facilitate individual accountability. Custodial responsibilities can be transferred from one individual to another if an unambiguous custodian is identified."},{"id":"mp-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)","class":"sp800-53a"}],"parts":[{"id":"mp-5.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)[01]","class":"sp800-53a"}],"prose":"a custodian to transport system media outside of controlled areas is identified;","links":[{"href":"#mp-5.3_smt","rel":"assessment-for"}]},{"id":"mp-5.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-05(03)[02]","class":"sp800-53a"}],"prose":"the identified custodian is employed during the transport of system media outside of controlled areas.","links":[{"href":"#mp-5.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-5.3_smt","rel":"assessment-for"}]},{"id":"mp-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media transport\n\nphysical and environmental protection policy and procedures\n\nsystem media transport records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media transport responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and employing a custodian to transport media outside of controlled areas"}]}]},{"id":"mp-5.4","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"MP-5(4)"},{"name":"label","value":"MP-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-28.1","rel":"incorporated-into"}]}]},{"id":"mp-6","class":"SP800-53","title":"Media Sanitization","params":[{"id":"mp-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.03"}],"label":"organization-defined system media"},{"id":"mp-6_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06_odp.06"}],"label":"organization-defined sanitization techniques and procedures"},{"id":"mp-06_odp.01","props":[{"name":"label","value":"MP-06_ODP[01]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to disposal is defined;"}]},{"id":"mp-06_odp.02","props":[{"name":"label","value":"MP-06_ODP[02]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release from organizational control is defined;"}]},{"id":"mp-06_odp.03","props":[{"name":"label","value":"MP-06_ODP[03]","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized prior to release for reuse is defined;"}]},{"id":"mp-06_odp.04","props":[{"name":"label","value":"MP-06_ODP[04]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to disposal are defined;"}]},{"id":"mp-06_odp.05","props":[{"name":"label","value":"MP-06_ODP[05]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;"}]},{"id":"mp-06_odp.06","props":[{"name":"label","value":"MP-06_ODP[06]","class":"sp800-53a"}],"label":"sanitization techniques and procedures","guidelines":[{"prose":"sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;"}]}],"props":[{"name":"label","value":"MP-6"},{"name":"label","value":"MP-06","class":"sp800-53a"},{"name":"sort-id","value":"mp-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"},{"href":"#si-19","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"mp-6_smt","name":"statement","parts":[{"id":"mp-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }} ; and"},{"id":"mp-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."}]},{"id":"mp-6_gdn","name":"guidance","prose":"Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information."},{"id":"mp-6_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.","class":"sp800-53a"}],"parts":[{"id":"mp-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;","links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt.a","rel":"assessment-for"}]},{"id":"mp-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-06b.","class":"sp800-53a"}],"prose":"sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.","links":[{"href":"#mp-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-6_smt","rel":"assessment-for"}]},{"id":"mp-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\napplicable federal standards and policies addressing media sanitization policy\n\nmedia sanitization records\n\nsystem audit records\n\nsystem design documentation\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization"}]}],"controls":[{"id":"mp-6.1","class":"SP800-53-enhancement","title":"Review, Approve, Track, Document, and Verify","props":[{"name":"label","value":"MP-6(1)"},{"name":"label","value":"MP-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.1_smt","name":"statement","prose":"Review, approve, track, document, and verify media sanitization and disposal actions."},{"id":"mp-6.1_gdn","name":"guidance","prose":"Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal."},{"id":"mp-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)","class":"sp800-53a"}],"parts":[{"id":"mp-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[01]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are reviewed;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[02]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are approved;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[03]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are tracked;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-4","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[04]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are documented;","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_obj-5","name":"assessment-objective","props":[{"name":"label","value":"MP-06(01)[05]","class":"sp800-53a"}],"prose":"media sanitization and disposal actions are verified.","links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-6.1_smt","rel":"assessment-for"}]},{"id":"mp-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nmedia sanitization and disposal records\n\nreview records for media sanitization and disposal actions\n\napprovals for media sanitization and disposal actions\n\ntracking records\n\nverification records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization and disposal responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing verification of media sanitization"}]}]},{"id":"mp-6.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-6.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-06.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-06.02_odp.01","props":[{"name":"label","value":"MP-06(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization equipment is defined;"}]},{"id":"mp-06.02_odp.02","props":[{"name":"label","value":"MP-06(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to test sanitization procedures is defined;"}]}],"props":[{"name":"label","value":"MP-6(2)"},{"name":"label","value":"MP-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.2_smt","name":"statement","prose":"Test sanitization equipment and procedures {{ insert: param, mp-6.2_prm_1 }} to ensure that the intended sanitization is being achieved."},{"id":"mp-6.2_gdn","name":"guidance","prose":"Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers."},{"id":"mp-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)","class":"sp800-53a"}],"parts":[{"id":"mp-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[01]","class":"sp800-53a"}],"prose":"sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;","links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]},{"id":"mp-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-06(02)[02]","class":"sp800-53a"}],"prose":"sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.","links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-6.2_smt","rel":"assessment-for"}]},{"id":"mp-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nprocedures addressing testing of media sanitization equipment\n\nresults of media sanitization equipment and procedures testing\n\nsystem audit records\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"mp-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with records retention and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"mp-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization\n\nautomated mechanisms supporting and\/or implementing media sanitization procedures\n\nsanitization equipment"}]}]},{"id":"mp-6.3","class":"SP800-53-enhancement","title":"Nondestructive Techniques","params":[{"id":"mp-06.03_odp","props":[{"name":"alt-identifier","value":"mp-6.3_prm_1"},{"name":"alt-label","value":"circumstances requiring sanitization of portable storage devices","class":"sp800-53"},{"name":"label","value":"MP-06(03)_ODP","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring sanitization of portable storage devices are defined;"}]}],"props":[{"name":"label","value":"MP-6(3)"},{"name":"label","value":"MP-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.3_smt","name":"statement","prose":"Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: {{ insert: param, mp-06.03_odp }}."},{"id":"mp-6.3_gdn","name":"guidance","prose":"Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices."},{"id":"mp-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(03)","class":"sp800-53a"}],"prose":"non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.","links":[{"href":"#mp-6.3_smt","rel":"assessment-for"}]},{"id":"mp-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ninformation on portable storage devices for the system\n\nlist of circumstances requiring sanitization of portable storage devices\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media sanitization of portable storage devices\n\nmechanisms supporting and\/or implementing media sanitization"}]}]},{"id":"mp-6.4","class":"SP800-53-enhancement","title":"Controlled Unclassified Information","props":[{"name":"label","value":"MP-6(4)"},{"name":"label","value":"MP-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.5","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"MP-6(5)"},{"name":"label","value":"MP-06(05)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.6","class":"SP800-53-enhancement","title":"Media Destruction","props":[{"name":"label","value":"MP-6(6)"},{"name":"label","value":"MP-06(06)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-6","rel":"incorporated-into"}]},{"id":"mp-6.7","class":"SP800-53-enhancement","title":"Dual Authorization","params":[{"id":"mp-06.07_odp","props":[{"name":"alt-identifier","value":"mp-6.7_prm_1"},{"name":"label","value":"MP-06(07)_ODP","class":"sp800-53a"}],"label":"system media","guidelines":[{"prose":"system media to be sanitized using dual authorization is defined;"}]}],"props":[{"name":"label","value":"MP-6(7)"},{"name":"label","value":"MP-06(07)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#mp-2","rel":"related"}],"parts":[{"id":"mp-6.7_smt","name":"statement","prose":"Enforce dual authorization for the sanitization of {{ insert: param, mp-06.07_odp }}."},{"id":"mp-6.7_gdn","name":"guidance","prose":"Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals."},{"id":"mp-6.7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(07)","class":"sp800-53a"}],"prose":"dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced.","links":[{"href":"#mp-6.7_smt","rel":"assessment-for"}]},{"id":"mp-6.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\ndual authorization policy and procedures\n\nlist of system media requiring dual authorization for sanitization\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes requiring dual authorization for media sanitization\n\nmechanisms supporting and\/or implementing media sanitization\n\nmechanisms supporting and\/or implementing dual authorization"}]}]},{"id":"mp-6.8","class":"SP800-53-enhancement","title":"Remote Purging or Wiping of Information","params":[{"id":"mp-06.08_odp.01","props":[{"name":"alt-identifier","value":"mp-6.8_prm_1"},{"name":"label","value":"MP-06(08)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components to purge or wipe information either remotely or under specific conditions are defined;"}]},{"id":"mp-06.08_odp.02","props":[{"name":"alt-identifier","value":"mp-6.8_prm_2"},{"name":"label","value":"MP-06(08)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["remotely","under {{ insert: param, mp-06.08_odp.03 }} "]}},{"id":"mp-06.08_odp.03","props":[{"name":"alt-identifier","value":"mp-6.8_prm_3"},{"name":"label","value":"MP-06(08)_ODP[03]","class":"sp800-53a"}],"label":"conditions","guidelines":[{"prose":"conditions under which information is to be purged or wiped are defined (if selected);"}]}],"props":[{"name":"label","value":"MP-6(8)"},{"name":"label","value":"MP-06(08)","class":"sp800-53a"},{"name":"sort-id","value":"mp-06.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-6","rel":"required"}],"parts":[{"id":"mp-6.8_smt","name":"statement","prose":"Provide the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }}."},{"id":"mp-6.8_gdn","name":"guidance","prose":"Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be implemented in a variety of ways, including by overwriting data or information multiple times or by destroying the key necessary to decrypt encrypted data."},{"id":"mp-6.8_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-06(08)","class":"sp800-53a"}],"prose":"the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided.","links":[{"href":"#mp-6.8_smt","rel":"assessment-for"}]},{"id":"mp-6.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-06(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media sanitization and disposal\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nauthorization records\n\nmedia sanitization records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-6.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-06(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media sanitization responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-6.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-06(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for purging\/wiping media\n\nmechanisms supporting and\/or implementing purge\/wipe capabilities"}]}]}]},{"id":"mp-7","class":"SP800-53","title":"Media Use","params":[{"id":"mp-07_odp.01","props":[{"name":"alt-identifier","value":"mp-7_prm_2"},{"name":"label","value":"MP-07_ODP[01]","class":"sp800-53a"}],"label":"types of system media","guidelines":[{"prose":"types of system media to be restricted or prohibited from use on systems or system components are defined;"}]},{"id":"mp-07_odp.02","props":[{"name":"alt-identifier","value":"mp-7_prm_1"},{"name":"label","value":"MP-07_ODP[02]","class":"sp800-53a"}],"select":{"choice":["restrict","prohibit"]}},{"id":"mp-07_odp.03","props":[{"name":"alt-identifier","value":"mp-7_prm_3"},{"name":"label","value":"MP-07_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;"}]},{"id":"mp-07_odp.04","props":[{"name":"alt-identifier","value":"mp-7_prm_4"},{"name":"label","value":"MP-07_ODP[04]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;"}]}],"props":[{"name":"label","value":"MP-7"},{"name":"label","value":"MP-07","class":"sp800-53a"},{"name":"sort-id","value":"mp-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#sc-41","rel":"related"}],"parts":[{"id":"mp-7_smt","name":"statement","parts":[{"id":"mp-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, mp-07_odp.02 }} the use of {{ insert: param, mp-07_odp.01 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }} ; and"},{"id":"mp-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner."}]},{"id":"mp-7_gdn","name":"guidance","prose":"System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to [MP-2](#mp-2) , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices."},{"id":"mp-7_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07","class":"sp800-53a"}],"parts":[{"id":"mp-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-07a.","class":"sp800-53a"}],"prose":"the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};","links":[{"href":"#mp-7_smt.a","rel":"assessment-for"}]},{"id":"mp-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-07b.","class":"sp800-53a"}],"prose":"the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.","links":[{"href":"#mp-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-7_smt","rel":"assessment-for"}]},{"id":"mp-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms restricting or prohibiting the use of system media on systems or system components"}]}],"controls":[{"id":"mp-7.1","class":"SP800-53-enhancement","title":"Prohibit Use Without Owner","props":[{"name":"label","value":"MP-7(1)"},{"name":"label","value":"MP-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"mp-7.2","class":"SP800-53-enhancement","title":"Prohibit Use of Sanitization-resistant Media","props":[{"name":"label","value":"MP-7(2)"},{"name":"label","value":"MP-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-7","rel":"required"},{"href":"#mp-6","rel":"related"}],"parts":[{"id":"mp-7.2_smt","name":"statement","prose":"Prohibit the use of sanitization-resistant media in organizational systems."},{"id":"mp-7.2_gdn","name":"guidance","prose":"Sanitization resistance refers to how resistant media are to non-destructive sanitization techniques with respect to the capability to purge information from media. Certain types of media do not support sanitization commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media includes compact flash, embedded flash on boards and devices, solid state drives, and USB removable media."},{"id":"mp-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)","class":"sp800-53a"}],"parts":[{"id":"mp-7.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)[01]","class":"sp800-53a"}],"prose":"sanitization-resistant media is identified;","links":[{"href":"#mp-7.2_smt","rel":"assessment-for"}]},{"id":"mp-7.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-07(02)[02]","class":"sp800-53a"}],"prose":"the use of sanitization-resistant media in organizational systems is prohibited.","links":[{"href":"#mp-7.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-7.2_smt","rel":"assessment-for"}]},{"id":"mp-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nsystem use policy\n\nprocedures addressing media usage restrictions\n\nrules of behavior\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media use responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media use\n\nmechanisms prohibiting use of media on systems or system components"}]}]}]},{"id":"mp-8","class":"SP800-53","title":"Media Downgrading","params":[{"id":"mp-08_odp.01","props":[{"name":"alt-identifier","value":"mp-8_prm_1"},{"name":"label","value":"MP-08_ODP[01]","class":"sp800-53a"}],"label":"system media downgrading process","guidelines":[{"prose":"a system media downgrading process is defined;"}]},{"id":"mp-08_odp.02","props":[{"name":"alt-identifier","value":"mp-8_prm_2"},{"name":"label","value":"MP-08_ODP[02]","class":"sp800-53a"}],"label":"system media requiring downgrading","guidelines":[{"prose":"system media requiring downgrading is defined;"}]}],"props":[{"name":"label","value":"MP-8"},{"name":"label","value":"MP-08","class":"sp800-53a"},{"name":"sort-id","value":"mp-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","rel":"reference"}],"parts":[{"id":"mp-8_smt","name":"statement","parts":[{"id":"mp-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish {{ insert: param, mp-08_odp.01 }} that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;"},{"id":"mp-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Verify that the system media downgrading process is commensurate with the security category and\/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;"},{"id":"mp-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify {{ insert: param, mp-08_odp.02 }} ; and"},{"id":"mp-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Downgrade the identified system media using the established process."}]},{"id":"mp-8_gdn","name":"guidance","prose":"Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information."},{"id":"mp-8_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.[01]","class":"sp800-53a"}],"prose":"a {{ insert: param, mp-08_odp.01 }} is established;","links":[{"href":"#mp-8_smt.a","rel":"assessment-for"}]},{"id":"mp-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08a.[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;","links":[{"href":"#mp-8_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#mp-8_smt.a","rel":"assessment-for"}]},{"id":"mp-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.","class":"sp800-53a"}],"parts":[{"id":"mp-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.[01]","class":"sp800-53a"}],"prose":"there is verification that the system media downgrading process is commensurate with the security category and\/or classification level of the information to be removed;","links":[{"href":"#mp-8_smt.b","rel":"assessment-for"}]},{"id":"mp-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08b.[02]","class":"sp800-53a"}],"prose":"there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;","links":[{"href":"#mp-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#mp-8_smt.b","rel":"assessment-for"}]},{"id":"mp-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"MP-08c.","class":"sp800-53a"}],"prose":"{{ insert: param, mp-08_odp.02 }} is identified;","links":[{"href":"#mp-8_smt.c","rel":"assessment-for"}]},{"id":"mp-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"MP-08d.","class":"sp800-53a"}],"prose":"the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}.","links":[{"href":"#mp-8_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#mp-8_smt","rel":"assessment-for"}]},{"id":"mp-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}],"controls":[{"id":"mp-8.1","class":"SP800-53-enhancement","title":"Documentation of Process","props":[{"name":"label","value":"MP-8(1)"},{"name":"label","value":"MP-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.1_smt","name":"statement","prose":"Document system media downgrading actions."},{"id":"mp-8.1_gdn","name":"guidance","prose":"Organizations can document the media downgrading process by providing information, such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and\/or performed the downgrading action."},{"id":"mp-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(01)","class":"sp800-53a"}],"prose":"system media downgrading actions are documented.","links":[{"href":"#mp-8.1_smt","rel":"assessment-for"}]},{"id":"mp-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nsystem categorization documentation\n\nlist of media requiring downgrading\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"mp-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.2","class":"SP800-53-enhancement","title":"Equipment Testing","params":[{"id":"mp-8.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-08.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"mp-08.02_odp.02"}],"label":"organization-defined frequency"},{"id":"mp-08.02_odp.01","props":[{"name":"label","value":"MP-08(02)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which to test downgrading equipment is defined;"}]},{"id":"mp-08.02_odp.02","props":[{"name":"label","value":"MP-08(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which to test downgrading procedures is defined;"}]}],"props":[{"name":"label","value":"MP-8(2)"},{"name":"label","value":"MP-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.2_smt","name":"statement","prose":"Test downgrading equipment and procedures {{ insert: param, mp-8.2_prm_1 }} to ensure that downgrading actions are being achieved."},{"id":"mp-8.2_gdn","name":"guidance","prose":"None."},{"id":"mp-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)","class":"sp800-53a"}],"parts":[{"id":"mp-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)[01]","class":"sp800-53a"}],"prose":"downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;","links":[{"href":"#mp-8.2_smt","rel":"assessment-for"}]},{"id":"mp-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(02)[02]","class":"sp800-53a"}],"prose":"downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved.","links":[{"href":"#mp-8.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-8.2_smt","rel":"assessment-for"}]},{"id":"mp-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\nprocedures addressing media downgrading\n\nprocedures addressing testing of media downgrading equipment\n\nresults of downgrading equipment and procedures testing\n\nrecords of media downgrading\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.3","class":"SP800-53-enhancement","title":"Controlled Unclassified Information","props":[{"name":"label","value":"MP-8(3)"},{"name":"label","value":"MP-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.3_smt","name":"statement","prose":"Downgrade system media containing controlled unclassified information prior to public release."},{"id":"mp-8.3_gdn","name":"guidance","prose":"The downgrading of controlled unclassified information uses approved sanitization tools, techniques, and procedures."},{"id":"mp-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)","class":"sp800-53a"}],"parts":[{"id":"mp-8.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)[01]","class":"sp800-53a"}],"prose":"system media containing controlled unclassified information is identified;","links":[{"href":"#mp-8.3_smt","rel":"assessment-for"}]},{"id":"mp-8.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(03)[02]","class":"sp800-53a"}],"prose":"system media containing controlled unclassified information is downgraded prior to public release.","links":[{"href":"#mp-8.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-8.3_smt","rel":"assessment-for"}]},{"id":"mp-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing CUI\n\napplicable federal and organizational standards and policies regarding protection of CUI\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]},{"id":"mp-8.4","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"MP-8(4)"},{"name":"label","value":"MP-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"mp-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#mp-8","rel":"required"}],"parts":[{"id":"mp-8.4_smt","name":"statement","prose":"Downgrade system media containing classified information prior to release to individuals without required access authorizations."},{"id":"mp-8.4_gdn","name":"guidance","prose":"Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified systems to unclassified media."},{"id":"mp-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)","class":"sp800-53a"}],"parts":[{"id":"mp-8.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)[01]","class":"sp800-53a"}],"prose":"system media containing classified information is identified;","links":[{"href":"#mp-8.4_smt","rel":"assessment-for"}]},{"id":"mp-8.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"MP-08(04)[02]","class":"sp800-53a"}],"prose":"system media containing classified information is downgraded prior to release to individuals without required access authorizations.","links":[{"href":"#mp-8.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#mp-8.4_smt","rel":"assessment-for"}]},{"id":"mp-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"MP-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System media protection policy\n\naccess authorization policy\n\nprocedures addressing downgrading of media containing classified information\n\nprocedures addressing handling of classified information\n\nNSA standards and policies regarding protection of classified information\n\nmedia downgrading records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"mp-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"MP-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system media downgrading responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"mp-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"MP-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for media downgrading\n\nmechanisms supporting and\/or implementing media downgrading"}]}]}]}]},{"id":"pe","class":"family","title":"Physical and Environmental Protection","controls":[{"id":"pe-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pe-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pe-01_odp.01","props":[{"name":"label","value":"PE-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection policy is to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.02","props":[{"name":"label","value":"PE-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the physical and environmental protection procedures are to be disseminated is\/are defined;"}]},{"id":"pe-01_odp.03","props":[{"name":"alt-identifier","value":"pe-1_prm_2"},{"name":"label","value":"PE-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pe-01_odp.04","props":[{"name":"alt-identifier","value":"pe-1_prm_3"},{"name":"label","value":"PE-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the physical and environmental protection policy and procedures is defined;"}]},{"id":"pe-01_odp.05","props":[{"name":"alt-identifier","value":"pe-1_prm_4"},{"name":"label","value":"PE-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;"}]},{"id":"pe-01_odp.06","props":[{"name":"alt-identifier","value":"pe-1_prm_5"},{"name":"label","value":"PE-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current physical and environmental protection policy to be reviewed and updated are defined;"}]},{"id":"pe-01_odp.07","props":[{"name":"alt-identifier","value":"pe-1_prm_6"},{"name":"label","value":"PE-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;"}]},{"id":"pe-01_odp.08","props":[{"name":"alt-identifier","value":"pe-1_prm_7"},{"name":"label","value":"PE-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the physical and environmental protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PE-1"},{"name":"label","value":"PE-01","class":"sp800-53a"},{"name":"sort-id","value":"pe-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pe-1_smt","name":"statement","parts":[{"id":"pe-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pe-1_prm_1 }}:","parts":[{"id":"pe-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pe-01_odp.03 }} physical and environmental protection policy that:","parts":[{"id":"pe-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pe-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pe-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;"}]},{"id":"pe-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pe-01_odp.04 }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and"},{"id":"pe-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current physical and environmental protection:","parts":[{"id":"pe-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pe-01_odp.05 }} and following {{ insert: param, pe-01_odp.06 }} ; and"},{"id":"pe-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pe-01_odp.07 }} and following {{ insert: param, pe-01_odp.08 }}."}]}]},{"id":"pe-1_gdn","name":"guidance","prose":"Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pe-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[01]","class":"sp800-53a"}],"prose":"a physical and environmental protection policy is developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[02]","class":"sp800-53a"}],"prose":"the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[03]","class":"sp800-53a"}],"prose":"physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.[04]","class":"sp800-53a"}],"prose":"the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};","links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;","links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pe-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pe-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.a","rel":"assessment-for"}]},{"id":"pe-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;","links":[{"href":"#pe-1_smt.b","rel":"assessment-for"}]},{"id":"pe-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.01[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};","links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.1","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02","class":"sp800-53a"}],"parts":[{"id":"pe-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[01]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]},{"id":"pe-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PE-01c.02[02]","class":"sp800-53a"}],"prose":"the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.","links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-1_smt","rel":"assessment-for"}]},{"id":"pe-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy and procedures\n\nsystem security plan\n\nprivacy plan\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pe-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical and environmental protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pe-2","class":"SP800-53","title":"Physical Access Authorizations","params":[{"id":"pe-02_odp","props":[{"name":"alt-identifier","value":"pe-2_prm_1"},{"name":"label","value":"PE-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the access list detailing authorized facility access by individuals is defined;"}]}],"props":[{"name":"label","value":"PE-2"},{"name":"label","value":"PE-02","class":"sp800-53a"},{"name":"sort-id","value":"pe-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2_smt","name":"statement","parts":[{"id":"pe-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;"},{"id":"pe-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Issue authorization credentials for facility access;"},{"id":"pe-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the access list detailing authorized facility access by individuals {{ insert: param, pe-02_odp }} ; and"},{"id":"pe-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remove individuals from the facility access list when access is no longer required."}]},{"id":"pe-2_gdn","name":"guidance","prose":"Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible."},{"id":"pe-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.","class":"sp800-53a"}],"parts":[{"id":"pe-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[01]","class":"sp800-53a"}],"prose":"a list of individuals with authorized access to the facility where the system resides has been developed;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[02]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been approved;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-02a.[03]","class":"sp800-53a"}],"prose":"the list of individuals with authorized access to the facility where the system resides has been maintained;","links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt.a","rel":"assessment-for"}]},{"id":"pe-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-02b.","class":"sp800-53a"}],"prose":"authorization credentials are issued for facility access;","links":[{"href":"#pe-2_smt.b","rel":"assessment-for"}]},{"id":"pe-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-02c.","class":"sp800-53a"}],"prose":"the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};","links":[{"href":"#pe-2_smt.c","rel":"assessment-for"}]},{"id":"pe-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-02d.","class":"sp800-53a"}],"prose":"individuals are removed from the facility access list when access is no longer required.","links":[{"href":"#pe-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-2_smt","rel":"assessment-for"}]},{"id":"pe-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nauthorization credentials\n\nphysical access list reviews\n\nphysical access termination records and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}],"controls":[{"id":"pe-2.1","class":"SP800-53-enhancement","title":"Access by Position or Role","props":[{"name":"label","value":"PE-2(1)"},{"name":"label","value":"PE-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"pe-2.1_smt","name":"statement","prose":"Authorize physical access to the facility where the system resides based on position or role."},{"id":"pe-2.1_gdn","name":"guidance","prose":"Role-based facility access includes access by authorized permanent and regular\/routine maintenance personnel, duty officers, and emergency medical staff."},{"id":"pe-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(01)","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is authorized based on position or role.","links":[{"href":"#pe-2.1_smt","rel":"assessment-for"}]},{"id":"pe-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nphysical access control logs or records\n\nlist of positions\/roles and corresponding physical access authorizations\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-2.2","class":"SP800-53-enhancement","title":"Two Forms of Identification","params":[{"id":"pe-02.02_odp","props":[{"name":"alt-identifier","value":"pe-2.2_prm_1"},{"name":"label","value":"PE-02(02)_ODP","class":"sp800-53a"}],"label":"list of acceptable forms of identification","guidelines":[{"prose":"a list of acceptable forms of identification for visitor access to the facility where the system resides is defined;"}]}],"props":[{"name":"label","value":"PE-2(2)"},{"name":"label","value":"PE-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"}],"parts":[{"id":"pe-2.2_smt","name":"statement","prose":"Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: {{ insert: param, pe-02.02_odp }}."},{"id":"pe-2.2_gdn","name":"guidance","prose":"Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics."},{"id":"pe-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(02)","class":"sp800-53a"}],"prose":"two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides.","links":[{"href":"#pe-2.2_smt","rel":"assessment-for"}]},{"id":"pe-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nlist of acceptable forms of identification for visitor access to the facility where the system resides\n\naccess authorization forms\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]},{"id":"pe-2.3","class":"SP800-53-enhancement","title":"Restrict Unescorted Access","params":[{"id":"pe-02.03_odp.01","props":[{"name":"alt-identifier","value":"pe-2.3_prm_1"},{"name":"label","value":"PE-02(03)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security clearances for all information contained within the system","formal access authorizations for all information contained within the system","need for access to all information contained within the system","{{ insert: param, pe-02.03_odp.02 }} "]}},{"id":"pe-02.03_odp.02","props":[{"name":"alt-identifier","value":"pe-2.3_prm_2"},{"name":"label","value":"PE-02(03)_ODP[02]","class":"sp800-53a"}],"label":"physical access authorizations","guidelines":[{"prose":"physical access authorizations for unescorted access to the facility where the system resides are defined (if selected);"}]}],"props":[{"name":"label","value":"PE-2(3)"},{"name":"label","value":"PE-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-2","rel":"required"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"}],"parts":[{"id":"pe-2.3_smt","name":"statement","prose":"Restrict unescorted access to the facility where the system resides to personnel with {{ insert: param, pe-02.03_odp.01 }}."},{"id":"pe-2.3_gdn","name":"guidance","prose":"Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised."},{"id":"pe-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-02(03)","class":"sp800-53a"}],"prose":"unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}.","links":[{"href":"#pe-2.3_smt","rel":"assessment-for"}]},{"id":"pe-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access authorizations\n\nauthorized personnel access list\n\nsecurity clearances\n\naccess authorizations\n\naccess credentials\n\nphysical access control logs or records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with physical access to the system facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access authorizations\n\nmechanisms supporting and\/or implementing physical access authorizations"}]}]}]},{"id":"pe-3","class":"SP800-53","title":"Physical Access Control","params":[{"id":"pe-3_prm_9","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.09"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-03_odp.10"}],"label":"organization-defined frequency"},{"id":"pe-03_odp.01","props":[{"name":"alt-identifier","value":"pe-3_prm_1"},{"name":"alt-label","value":"entry and exit points to the facility where the system resides","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[01]","class":"sp800-53a"}],"label":"entry and exit points","guidelines":[{"prose":"entry and exit points to the facility in which the system resides are defined;"}]},{"id":"pe-03_odp.02","props":[{"name":"alt-identifier","value":"pe-3_prm_2"},{"name":"label","value":"PE-03_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, pe-03_odp.03 }} ","guards"]}},{"id":"pe-03_odp.03","props":[{"name":"alt-identifier","value":"pe-3_prm_3"},{"name":"alt-label","value":"physical access control systems or devices","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[03]","class":"sp800-53a"}],"label":"systems or devices","guidelines":[{"prose":"physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);"}]},{"id":"pe-03_odp.04","props":[{"name":"alt-identifier","value":"pe-3_prm_4"},{"name":"label","value":"PE-03_ODP[04]","class":"sp800-53a"}],"label":"entry or exit points","guidelines":[{"prose":"entry or exit points for which physical access logs are maintained are defined;"}]},{"id":"pe-03_odp.05","props":[{"name":"alt-identifier","value":"pe-3_prm_5"},{"name":"label","value":"PE-03_ODP[05]","class":"sp800-53a"}],"label":"physical access controls","guidelines":[{"prose":"physical access controls to control access to areas within the facility designated as publicly accessible are defined;"}]},{"id":"pe-03_odp.06","props":[{"name":"alt-identifier","value":"pe-3_prm_6"},{"name":"alt-label","value":"circumstances requiring visitor escorts and control of visitor activity","class":"sp800-53"},{"name":"label","value":"PE-03_ODP[06]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances requiring visitor escorts and control of visitor activity are defined;"}]},{"id":"pe-03_odp.07","props":[{"name":"alt-identifier","value":"pe-3_prm_7"},{"name":"label","value":"PE-03_ODP[07]","class":"sp800-53a"}],"label":"physical access devices","guidelines":[{"prose":"physical access devices to be inventoried are defined;"}]},{"id":"pe-03_odp.08","props":[{"name":"alt-identifier","value":"pe-3_prm_8"},{"name":"label","value":"PE-03_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inventory physical access devices is defined;"}]},{"id":"pe-03_odp.09","props":[{"name":"label","value":"PE-03_ODP[09]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change combinations is defined;"}]},{"id":"pe-03_odp.10","props":[{"name":"label","value":"PE-03_ODP[10]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to change keys is defined;"}]}],"props":[{"name":"label","value":"PE-3"},{"name":"label","value":"PE-03","class":"sp800-53a"},{"name":"sort-id","value":"pe-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#2100332a-16a5-4598-bacf-7261baea9711","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pe-3_smt","name":"statement","parts":[{"id":"pe-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Enforce physical access authorizations at {{ insert: param, pe-03_odp.01 }} by:","parts":[{"id":"pe-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Verifying individual access authorizations before granting access to the facility; and"},{"id":"pe-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"}]},{"id":"pe-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain physical access audit logs for {{ insert: param, pe-03_odp.04 }};"},{"id":"pe-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, pe-03_odp.05 }};"},{"id":"pe-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Escort visitors and control visitor activity {{ insert: param, pe-03_odp.06 }};"},{"id":"pe-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Secure keys, combinations, and other physical access devices;"},{"id":"pe-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Inventory {{ insert: param, pe-03_odp.07 }} every {{ insert: param, pe-03_odp.08 }} ; and"},{"id":"pe-3_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Change combinations and keys {{ insert: param, pe-3_prm_9 }} and\/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated."}]},{"id":"pe-3_gdn","name":"guidance","prose":"Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs\/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components."},{"id":"pe-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.01","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;","links":[{"href":"#pe-3_smt.a.1","rel":"assessment-for"}]},{"id":"pe-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03a.02","class":"sp800-53a"}],"prose":"physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};","links":[{"href":"#pe-3_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.a","rel":"assessment-for"}]},{"id":"pe-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-03b.","class":"sp800-53a"}],"prose":"physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};","links":[{"href":"#pe-3_smt.b","rel":"assessment-for"}]},{"id":"pe-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-03c.","class":"sp800-53a"}],"prose":"access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};","links":[{"href":"#pe-3_smt.c","rel":"assessment-for"}]},{"id":"pe-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[01]","class":"sp800-53a"}],"prose":"visitors are escorted;","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03d.[02]","class":"sp800-53a"}],"prose":"visitor activity is controlled {{ insert: param, pe-03_odp.06 }};","links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.d","rel":"assessment-for"}]},{"id":"pe-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[01]","class":"sp800-53a"}],"prose":"keys are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[02]","class":"sp800-53a"}],"prose":"combinations are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"PE-03e.[03]","class":"sp800-53a"}],"prose":"other physical access devices are secured;","links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.e","rel":"assessment-for"}]},{"id":"pe-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PE-03f.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};","links":[{"href":"#pe-3_smt.f","rel":"assessment-for"}]},{"id":"pe-3_obj.g","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.","class":"sp800-53a"}],"parts":[{"id":"pe-3_obj.g-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[01]","class":"sp800-53a"}],"prose":"combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]},{"id":"pe-3_obj.g-2","name":"assessment-objective","props":[{"name":"label","value":"PE-03g.[02]","class":"sp800-53a"}],"prose":"keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.","links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#pe-3_smt","rel":"assessment-for"}]},{"id":"pe-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\ninventory records of physical access control devices\n\nsystem entry and exit points\n\nrecords of key and lock combination changes\n\nstorage locations for physical access control devices\n\nphysical access control devices\n\nlist of security safeguards controlling access to designated publicly accessible areas within facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control\n\nmechanisms supporting and\/or implementing physical access control\n\nphysical access control devices"}]}],"controls":[{"id":"pe-3.1","class":"SP800-53-enhancement","title":"System Access","params":[{"id":"pe-03.01_odp","props":[{"name":"alt-identifier","value":"pe-3.1_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-03(01)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-3(1)"},{"name":"label","value":"PE-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.1_smt","name":"statement","prose":"Enforce physical access authorizations to the system in addition to the physical access controls for the facility at {{ insert: param, pe-03.01_odp }}."},{"id":"pe-3.1_gdn","name":"guidance","prose":"Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components."},{"id":"pe-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)","class":"sp800-53a"}],"parts":[{"id":"pe-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[01]","class":"sp800-53a"}],"prose":"physical access authorizations to the system are enforced;","links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]},{"id":"pe-3.1_obj.2","name":"assessment-objective","props":[{"name":"label","value":"PE-03(01)[02]","class":"sp800-53a"}],"prose":"physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.","links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-3.1_smt","rel":"assessment-for"}]},{"id":"pe-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nsystem entry and exit points\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical protection\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access authorization responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the information system\/components\n\nmechanisms supporting and\/or implementing physical access control for facility areas containing system components"}]}]},{"id":"pe-3.2","class":"SP800-53-enhancement","title":"Facility and Systems","params":[{"id":"pe-03.02_odp","props":[{"name":"alt-identifier","value":"pe-3.2_prm_1"},{"name":"label","value":"PE-03(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;"}]}],"props":[{"name":"label","value":"PE-3(2)"},{"name":"label","value":"PE-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#ac-4","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pe-3.2_smt","name":"statement","prose":"Perform security checks {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components."},{"id":"pe-3.2_gdn","name":"guidance","prose":"Organizations determine the extent, frequency, and\/or randomness of security checks to adequately mitigate risk associated with exfiltration."},{"id":"pe-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(02)","class":"sp800-53a"}],"prose":"security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components.","links":[{"href":"#pe-3.2_smt","rel":"assessment-for"}]},{"id":"pe-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nrecords of security checks\n\nsecurity audit reports\n\nsecurity inspection reports\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the facility and\/or system\n\nmechanisms supporting and\/or implementing physical access control for the facility or system\n\nmechanisms supporting and\/or implementing security checks for the unauthorized exfiltration of information"}]}]},{"id":"pe-3.3","class":"SP800-53-enhancement","title":"Continuous Guards","params":[{"id":"pe-03.03_odp","props":[{"name":"alt-identifier","value":"pe-3.3_prm_1"},{"name":"label","value":"PE-03(03)_ODP","class":"sp800-53a"}],"label":"physical access points","guidelines":[{"prose":"physical access points to the facility where the system resides are defined;"}]}],"props":[{"name":"label","value":"PE-3(3)"},{"name":"label","value":"PE-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-3.3_smt","name":"statement","prose":"Employ guards to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week."},{"id":"pe-3.3_gdn","name":"guidance","prose":"Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance."},{"id":"pe-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(03)","class":"sp800-53a"}],"prose":"guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week.","links":[{"href":"#pe-3.3_smt","rel":"assessment-for"}]},{"id":"pe-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nphysical access control logs or records\n\nphysical access control devices\n\nfacility surveillance records\n\nfacility layout documentation\n\nsystem entry and exit points\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for physical access control to the facility where the system resides\n\nmechanisms supporting and\/or implementing physical access control for the facility where the system resides"}]}]},{"id":"pe-3.4","class":"SP800-53-enhancement","title":"Lockable Casings","params":[{"id":"pe-03.04_odp","props":[{"name":"alt-identifier","value":"pe-3.4_prm_1"},{"name":"label","value":"PE-03(04)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be protected from unauthorized physical access are defined;"}]}],"props":[{"name":"label","value":"PE-3(4)"},{"name":"label","value":"PE-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.4_smt","name":"statement","prose":"Use lockable physical casings to protect {{ insert: param, pe-03.04_odp }} from unauthorized physical access."},{"id":"pe-3.4_gdn","name":"guidance","prose":"The greatest risk from the use of portable devices—such as smart phones, tablets, and notebook computers—is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment."},{"id":"pe-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(04)","class":"sp800-53a"}],"prose":"lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access.","links":[{"href":"#pe-3.4_smt","rel":"assessment-for"}]},{"id":"pe-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of system components requiring protection through lockable physical casings\n\nlockable physical casings\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Lockable physical casings"}]}]},{"id":"pe-3.5","class":"SP800-53-enhancement","title":"Tamper Protection","params":[{"id":"pe-03.05_odp.01","props":[{"name":"alt-identifier","value":"pe-3.5_prm_1"},{"name":"label","value":"PE-03(05)_ODP[01]","class":"sp800-53a"}],"label":"anti-tamper technologies","guidelines":[{"prose":"anti-tamper technologies to be employed are defined;"}]},{"id":"pe-03.05_odp.02","props":[{"name":"alt-identifier","value":"pe-3.5_prm_2"},{"name":"label","value":"PE-03(05)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["detect","prevent"]}},{"id":"pe-03.05_odp.03","props":[{"name":"alt-identifier","value":"pe-3.5_prm_3"},{"name":"label","value":"PE-03(05)_ODP[03]","class":"sp800-53a"}],"label":"hardware components","guidelines":[{"prose":"hardware components to be protected from physical tampering or alteration are defined;"}]}],"props":[{"name":"label","value":"PE-3(5)"},{"name":"label","value":"PE-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"},{"href":"#sa-16","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"pe-3.5_smt","name":"statement","prose":"Employ {{ insert: param, pe-03.05_odp.01 }} to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system."},{"id":"pe-3.5_gdn","name":"guidance","prose":"Organizations can implement tamper detection and prevention at selected hardware components or implement tamper detection at some components and tamper prevention at other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks."},{"id":"pe-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(05)","class":"sp800-53a"}],"prose":"{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system.","links":[{"href":"#pe-3.5_smt","rel":"assessment-for"}]},{"id":"pe-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of security safeguards to detect\/prevent physical tampering or alteration of system hardware components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes to detect\/prevent physical tampering or alteration of system hardware components\n\nmechanisms\/security safeguards supporting and\/or implementing the detection\/prevention of physical tampering\/alternation of system hardware components"}]}]},{"id":"pe-3.6","class":"SP800-53-enhancement","title":"Facility Penetration Testing","props":[{"name":"label","value":"PE-3(6)"},{"name":"label","value":"PE-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-8","rel":"incorporated-into"}]},{"id":"pe-3.7","class":"SP800-53-enhancement","title":"Physical Barriers","props":[{"name":"label","value":"PE-3(7)"},{"name":"label","value":"PE-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.7_smt","name":"statement","prose":"Limit access using physical barriers."},{"id":"pe-3.7_gdn","name":"guidance","prose":"Physical barriers include bollards, concrete slabs, jersey walls, and hydraulic active vehicle barriers."},{"id":"pe-3.7_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(07)","class":"sp800-53a"}],"prose":"physical barriers are used to limit access.","links":[{"href":"#pe-3.7_smt","rel":"assessment-for"}]},{"id":"pe-3.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of physical barriers to limit access to the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pe-3.8","class":"SP800-53-enhancement","title":"Access Control Vestibules","params":[{"id":"pe-03.08_odp","props":[{"name":"alt-identifier","value":"pe-3.8_prm_1"},{"name":"alt-label","value":"locations within the facility","class":"sp800-53"},{"name":"label","value":"PE-03(08)_ODP","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations within the facility where access control vestibules are to be employed are defined;"}]}],"props":[{"name":"label","value":"PE-3(8)"},{"name":"label","value":"PE-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"pe-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-3","rel":"required"}],"parts":[{"id":"pe-3.8_smt","name":"statement","prose":"Employ access control vestibules at {{ insert: param, pe-03.08_odp }}."},{"id":"pe-3.8_gdn","name":"guidance","prose":"An access control vestibule is part of a physical access control system that typically provides a space between two sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking door controllers can be used to limit the number of individuals who enter controlled access points and to provide containment areas while authorization for physical access is verified. Interlocking door controllers can be fully automated (i.e., controlling the opening and closing of the doors) or partially automated (i.e., using security guards to control the number of individuals entering the containment area)."},{"id":"pe-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-03(08)","class":"sp800-53a"}],"prose":"access control vestibules are employed at {{ insert: param, pe-03.08_odp }}.","links":[{"href":"#pe-3.8_smt","rel":"assessment-for"}]},{"id":"pe-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nlist of access control vestibules and locations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vestibules to prevent unauthorized access."}]}]}]},{"id":"pe-4","class":"SP800-53","title":"Access Control for Transmission","params":[{"id":"pe-04_odp.01","props":[{"name":"alt-identifier","value":"pe-4_prm_1"},{"name":"label","value":"PE-04_ODP[01]","class":"sp800-53a"}],"label":"system distribution and transmission lines","guidelines":[{"prose":"system distribution and transmission lines requiring physical access controls are defined;"}]},{"id":"pe-04_odp.02","props":[{"name":"alt-identifier","value":"pe-4_prm_2"},{"name":"label","value":"PE-04_ODP[02]","class":"sp800-53a"}],"label":"security controls","guidelines":[{"prose":"security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;"}]}],"props":[{"name":"label","value":"PE-4"},{"name":"label","value":"PE-04","class":"sp800-53a"},{"name":"sort-id","value":"pe-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-9","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"pe-4_smt","name":"statement","prose":"Control physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities using {{ insert: param, pe-04_odp.02 }}."},{"id":"pe-4_gdn","name":"guidance","prose":"Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors."},{"id":"pe-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-04","class":"sp800-53a"}],"prose":"physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.","links":[{"href":"#pe-4_smt","rel":"assessment-for"}]},{"id":"pe-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for transmission mediums\n\nsystem design documentation\n\nfacility communications and wiring diagrams\n\nlist of physical security safeguards applied to system distribution and transmission lines\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to distribution and transmission lines\n\nmechanisms\/security safeguards supporting and\/or implementing access control to distribution and transmission lines"}]}]},{"id":"pe-5","class":"SP800-53","title":"Access Control for Output Devices","params":[{"id":"pe-05_odp","props":[{"name":"alt-identifier","value":"pe-5_prm_1"},{"name":"label","value":"PE-05_ODP","class":"sp800-53a"}],"label":"output devices","guidelines":[{"prose":"output devices that require physical access control to output are defined;"}]}],"props":[{"name":"label","value":"PE-5"},{"name":"label","value":"PE-05","class":"sp800-53a"},{"name":"sort-id","value":"pe-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#pe-18","rel":"related"}],"parts":[{"id":"pe-5_smt","name":"statement","prose":"Control physical access to output from {{ insert: param, pe-05_odp }} to prevent unauthorized individuals from obtaining the output."},{"id":"pe-5_gdn","name":"guidance","prose":"Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers."},{"id":"pe-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05","class":"sp800-53a"}],"prose":"physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.","links":[{"href":"#pe-5_smt","rel":"assessment-for"}]},{"id":"pe-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing access control for display medium\n\nfacility layout of system components\n\nactual displays from system components\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}],"controls":[{"id":"pe-5.1","class":"SP800-53-enhancement","title":"Access to Output by Authorized Individuals","props":[{"name":"label","value":"PE-5(1)"},{"name":"label","value":"PE-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-5","rel":"incorporated-into"}]},{"id":"pe-5.2","class":"SP800-53-enhancement","title":"Link to Individual Identity","props":[{"name":"label","value":"PE-5(2)"},{"name":"label","value":"PE-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#pe-5","rel":"required"}],"parts":[{"id":"pe-5.2_smt","name":"statement","prose":"Link individual identity to receipt of output from output devices."},{"id":"pe-5.2_gdn","name":"guidance","prose":"Methods for linking individual identity to the receipt of output from output devices include installing security functionality on facsimile machines, copiers, and printers. Such functionality allows organizations to implement authentication on output devices prior to the release of output to individuals."},{"id":"pe-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-05(02)","class":"sp800-53a"}],"prose":"individual identity is linked to the receipt of output from output devices.","links":[{"href":"#pe-5.2_smt","rel":"assessment-for"}]},{"id":"pe-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access control\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of output devices and associated outputs requiring physical access controls\n\nphysical access control logs or records for areas containing output devices and related outputs\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access control responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\nsystem developers"}]},{"id":"pe-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access control to output devices\n\nmechanisms supporting and\/or implementing access control to output devices"}]}]},{"id":"pe-5.3","class":"SP800-53-enhancement","title":"Marking Output Devices","props":[{"name":"label","value":"PE-5(3)"},{"name":"label","value":"PE-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-22","rel":"incorporated-into"}]}]},{"id":"pe-6","class":"SP800-53","title":"Monitoring Physical Access","params":[{"id":"pe-06_odp.01","props":[{"name":"alt-identifier","value":"pe-6_prm_1"},{"name":"label","value":"PE-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review physical access logs is defined;"}]},{"id":"pe-06_odp.02","props":[{"name":"alt-identifier","value":"pe-6_prm_2"},{"name":"alt-label","value":"events or potential indications of events","class":"sp800-53"},{"name":"label","value":"PE-06_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events or potential indication of events requiring physical access logs to be reviewed are defined;"}]}],"props":[{"name":"label","value":"PE-6"},{"name":"label","value":"PE-06","class":"sp800-53a"},{"name":"sort-id","value":"pe-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"pe-6_smt","name":"statement","parts":[{"id":"pe-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;"},{"id":"pe-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review physical access logs {{ insert: param, pe-06_odp.01 }} and upon occurrence of {{ insert: param, pe-06_odp.02 }} ; and"},{"id":"pe-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Coordinate results of reviews and investigations with the organizational incident response capability."}]},{"id":"pe-6_gdn","name":"guidance","prose":"Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as [AU-2](#au-2) , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses."},{"id":"pe-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06a.","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;","links":[{"href":"#pe-6_smt.a","rel":"assessment-for"}]},{"id":"pe-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[01]","class":"sp800-53a"}],"prose":"physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06b.[02]","class":"sp800-53a"}],"prose":"physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};","links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.b","rel":"assessment-for"}]},{"id":"pe-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.","class":"sp800-53a"}],"parts":[{"id":"pe-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[01]","class":"sp800-53a"}],"prose":"results of reviews are coordinated with organizational incident response capabilities;","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]},{"id":"pe-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06c.[02]","class":"sp800-53a"}],"prose":"results of investigations are coordinated with organizational incident response capabilities.","links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6_smt","rel":"assessment-for"}]},{"id":"pe-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing the review of physical access logs"}]}],"controls":[{"id":"pe-6.1","class":"SP800-53-enhancement","title":"Intrusion Alarms and Surveillance Equipment","props":[{"name":"label","value":"PE-6(1)"},{"name":"label","value":"PE-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.1_smt","name":"statement","prose":"Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment."},{"id":"pe-6.1_gdn","name":"guidance","prose":"Physical intrusion alarms can be employed to alert security personnel when unauthorized access to the facility is attempted. Alarm systems work in conjunction with physical barriers, physical access control systems, and security guards by triggering a response when these other forms of security have been compromised or breached. Physical intrusion alarms can include different types of sensor devices, such as motion sensors, contact sensors, and broken glass sensors. Surveillance equipment includes video cameras installed at strategic locations throughout the facility."},{"id":"pe-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)","class":"sp800-53a"}],"parts":[{"id":"pe-6.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[01]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical intrusion alarms;","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(01)[02]","class":"sp800-53a"}],"prose":"physical access to the facility where the system resides is monitored using physical surveillance equipment.","links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-6.1_smt","rel":"assessment-for"}]},{"id":"pe-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access logs or records\n\nphysical access monitoring records\n\nphysical access log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with incident response responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical intrusion alarms and surveillance equipment\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing physical intrusion alarms and surveillance equipment"}]}]},{"id":"pe-6.2","class":"SP800-53-enhancement","title":"Automated Intrusion Recognition and Responses","params":[{"id":"pe-06.02_odp.01","props":[{"name":"alt-identifier","value":"pe-6.2_prm_1"},{"name":"label","value":"PE-06(02)_ODP[01]","class":"sp800-53a"}],"label":"classes or types of intrusions","guidelines":[{"prose":"classes or types of intrusions to be recognized by automated mechanisms are defined;"}]},{"id":"pe-06.02_odp.02","props":[{"name":"alt-identifier","value":"pe-6.2_prm_2"},{"name":"label","value":"PE-06(02)_ODP[02]","class":"sp800-53a"}],"label":"response actions","guidelines":[{"prose":"response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;"}]},{"id":"pe-06.02_odp.03","props":[{"name":"alt-identifier","value":"pe-6.2_prm_3"},{"name":"label","value":"PE-06(02)_ODP[03]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in [PE-06(02)_ODP](#pe-06.02_odp.02)) are defined;"}]}],"props":[{"name":"label","value":"PE-6(2)"},{"name":"label","value":"PE-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pe-6.2_smt","name":"statement","prose":"Recognize {{ insert: param, pe-06.02_odp.01 }} and initiate {{ insert: param, pe-06.02_odp.02 }} using {{ insert: param, pe-06.02_odp.03 }}."},{"id":"pe-6.2_gdn","name":"guidance","prose":"Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization."},{"id":"pe-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)","class":"sp800-53a"}],"parts":[{"id":"pe-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-06.02_odp.01 }} are recognized;","links":[{"href":"#pe-6.2_smt","rel":"assessment-for"}]},{"id":"pe-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-06(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}.","links":[{"href":"#pe-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-6.2_smt","rel":"assessment-for"}]},{"id":"pe-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of response actions to be initiated when specific classes\/types of intrusions are recognized\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nautomated mechanisms supporting and\/or implementing physical access monitoring\n\nautomated mechanisms supporting and\/or implementing recognition of classes\/types of intrusions and initiation of a response"}]}]},{"id":"pe-6.3","class":"SP800-53-enhancement","title":"Video Surveillance","params":[{"id":"pe-06.03_odp.01","props":[{"name":"alt-identifier","value":"pe-6.3_prm_1"},{"name":"label","value":"PE-06(03)_ODP[01]","class":"sp800-53a"}],"label":"operational areas","guidelines":[{"prose":"operational areas where video surveillance is to be employed are defined;"}]},{"id":"pe-06.03_odp.02","props":[{"name":"alt-identifier","value":"pe-6.3_prm_2"},{"name":"label","value":"PE-06(03)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review video recordings is defined;"}]},{"id":"pe-06.03_odp.03","props":[{"name":"alt-identifier","value":"pe-6.3_prm_3"},{"name":"label","value":"PE-06(03)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to retain video recordings is defined;"}]}],"props":[{"name":"label","value":"PE-6(3)"},{"name":"label","value":"PE-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.3_smt","name":"statement","parts":[{"id":"pe-6.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ video surveillance of {{ insert: param, pe-06.03_odp.01 }};"},{"id":"pe-6.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Review video recordings {{ insert: param, pe-06.03_odp.02 }} ; and"},{"id":"pe-6.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Retain video recordings for {{ insert: param, pe-06.03_odp.03 }}."}]},{"id":"pe-6.3_gdn","name":"guidance","prose":"Video surveillance focuses on recording activity in specified areas for the purposes of subsequent review, if circumstances so warrant. Video recordings are typically reviewed to detect anomalous events or incidents. Monitoring the surveillance video is not required, although organizations may choose to do so. There may be legal considerations when performing and retaining video surveillance, especially if such surveillance is in a public location."},{"id":"pe-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)","class":"sp800-53a"}],"parts":[{"id":"pe-6.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(a)","class":"sp800-53a"}],"prose":"video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;","links":[{"href":"#pe-6.3_smt.a","rel":"assessment-for"}]},{"id":"pe-6.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(b)","class":"sp800-53a"}],"prose":"video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};","links":[{"href":"#pe-6.3_smt.b","rel":"assessment-for"}]},{"id":"pe-6.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-06(03)(c)","class":"sp800-53a"}],"prose":"video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}.","links":[{"href":"#pe-6.3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-6.3_smt","rel":"assessment-for"}]},{"id":"pe-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nvideo surveillance equipment used to monitor operational areas\n\nvideo recordings of operational areas where video surveillance is employed\n\nvideo surveillance equipment logs or records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access\n\nmechanisms supporting and\/or implementing physical access monitoring\n\nmechanisms supporting and\/or implementing video surveillance"}]}]},{"id":"pe-6.4","class":"SP800-53-enhancement","title":"Monitoring Physical Access to Systems","params":[{"id":"pe-06.04_odp","props":[{"name":"alt-identifier","value":"pe-6.4_prm_1"},{"name":"alt-label","value":"physical spaces containing one or more components of the system","class":"sp800-53"},{"name":"label","value":"PE-06(04)_ODP","class":"sp800-53a"}],"label":"physical spaces","guidelines":[{"prose":"physical spaces containing one or more components of the system are defined;"}]}],"props":[{"name":"label","value":"PE-6(4)"},{"name":"label","value":"PE-06(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-06.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-6","rel":"required"}],"parts":[{"id":"pe-6.4_smt","name":"statement","prose":"Monitor physical access to the system in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."},{"id":"pe-6.4_gdn","name":"guidance","prose":"Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization."},{"id":"pe-6.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-06(04)","class":"sp800-53a"}],"prose":"physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.","links":[{"href":"#pe-6.4_smt","rel":"assessment-for"}]},{"id":"pe-6.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-06(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing physical access monitoring\n\nphysical access control logs or records\n\nphysical access control devices\n\naccess authorizations\n\naccess credentials\n\nlist of areas within the facility containing concentrations of system components or system components requiring additional physical access monitoring\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-6.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-06(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with physical access monitoring responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-6.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-06(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring physical access to the system\n\nmechanisms supporting and\/or implementing physical access monitoring for facility areas containing system components"}]}]}]},{"id":"pe-7","class":"SP800-53","title":"Visitor Control","props":[{"name":"label","value":"PE-7"},{"name":"label","value":"PE-07","class":"sp800-53a"},{"name":"sort-id","value":"pe-07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-2","rel":"incorporated-into"},{"href":"#pe-3","rel":"incorporated-into"}]},{"id":"pe-8","class":"SP800-53","title":"Visitor Access Records","params":[{"id":"pe-08_odp.01","props":[{"name":"alt-identifier","value":"pe-8_prm_1"},{"name":"label","value":"PE-08_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for which to maintain visitor access records for the facility where the system resides is defined;"}]},{"id":"pe-08_odp.02","props":[{"name":"alt-identifier","value":"pe-8_prm_2"},{"name":"label","value":"PE-08_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review visitor access records is defined;"}]},{"id":"pe-08_odp.03","props":[{"name":"alt-identifier","value":"pe-8_prm_3"},{"name":"label","value":"PE-08_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom visitor access records anomalies are reported to is\/are defined;"}]}],"props":[{"name":"label","value":"PE-8"},{"name":"label","value":"PE-08","class":"sp800-53a"},{"name":"sort-id","value":"pe-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"pe-8_smt","name":"statement","parts":[{"id":"pe-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain visitor access records to the facility where the system resides for {{ insert: param, pe-08_odp.01 }};"},{"id":"pe-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review visitor access records {{ insert: param, pe-08_odp.02 }} ; and"},{"id":"pe-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Report anomalies in visitor access records to {{ insert: param, pe-08_odp.03 }}."}]},{"id":"pe-8_gdn","name":"guidance","prose":"Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas."},{"id":"pe-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08","class":"sp800-53a"}],"parts":[{"id":"pe-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-08a.","class":"sp800-53a"}],"prose":"visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};","links":[{"href":"#pe-8_smt.a","rel":"assessment-for"}]},{"id":"pe-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-08b.","class":"sp800-53a"}],"prose":"visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};","links":[{"href":"#pe-8_smt.b","rel":"assessment-for"}]},{"id":"pe-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-08c.","class":"sp800-53a"}],"prose":"visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.","links":[{"href":"#pe-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-8_smt","rel":"assessment-for"}]},{"id":"pe-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nvisitor access control logs or records\n\nvisitor access record or log reviews\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"pe-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nmechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}],"controls":[{"id":"pe-8.1","class":"SP800-53-enhancement","title":"Automated Records Maintenance and Review","params":[{"id":"pe-8.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-08.01_odp.02"}],"label":"organization-defined automated mechanisms"},{"id":"pe-08.01_odp.01","props":[{"name":"label","value":"PE-08(01)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to maintain visitor access records are defined;"}]},{"id":"pe-08.01_odp.02","props":[{"name":"label","value":"PE-08(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to review visitor access records are defined;"}]}],"props":[{"name":"label","value":"PE-8(1)"},{"name":"label","value":"PE-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"}],"parts":[{"id":"pe-8.1_smt","name":"statement","prose":"Maintain and review visitor access records using {{ insert: param, pe-8.1_prm_1 }}."},{"id":"pe-8.1_gdn","name":"guidance","prose":"Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions."},{"id":"pe-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)","class":"sp800-53a"}],"parts":[{"id":"pe-8.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[01]","class":"sp800-53a"}],"prose":"visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};","links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]},{"id":"pe-8.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-08(01)[02]","class":"sp800-53a"}],"prose":"visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.","links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-8.1_smt","rel":"assessment-for"}]},{"id":"pe-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing visitor access records\n\nautomated mechanisms supporting management of visitor access records\n\nvisitor access control logs or records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access record responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records\n\nautomated mechanisms supporting and\/or implementing the maintenance and review of visitor access records"}]}]},{"id":"pe-8.2","class":"SP800-53-enhancement","title":"Physical Access Records","props":[{"name":"label","value":"PE-8(2)"},{"name":"label","value":"PE-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-2","rel":"incorporated-into"}]},{"id":"pe-8.3","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"pe-08.03_odp","props":[{"name":"alt-identifier","value":"pe-8.3_prm_1"},{"name":"label","value":"PE-08(03)_ODP","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;"}]}],"props":[{"name":"label","value":"PE-8(3)"},{"name":"label","value":"PE-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-8","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pe-8.3_smt","name":"statement","prose":"Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: {{ insert: param, pe-08.03_odp }}."},{"id":"pe-8.3_gdn","name":"guidance","prose":"Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system."},{"id":"pe-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-08(03)","class":"sp800-53a"}],"prose":"personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.","links":[{"href":"#pe-8.3_smt","rel":"assessment-for"}]},{"id":"pe-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\npersonally identifiable information processing policy\n\nprivacy risk assessment documentation\n\nprivacy impact assessment\n\nvisitor access records\n\npersonally identifiable information inventory\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with visitor access records responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maintaining and reviewing visitor access records"}]}]}]},{"id":"pe-9","class":"SP800-53","title":"Power Equipment and Cabling","props":[{"name":"label","value":"PE-9"},{"name":"label","value":"PE-09","class":"sp800-53a"},{"name":"sort-id","value":"pe-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-4","rel":"related"}],"parts":[{"id":"pe-9_smt","name":"statement","prose":"Protect power equipment and power cabling for the system from damage and destruction."},{"id":"pe-9_gdn","name":"guidance","prose":"Organizations determine the types of protection necessary for the power equipment and cabling employed at different locations that are both internal and external to organizational facilities and environments of operation. Types of power equipment and cabling include internal cabling and uninterruptable power sources in offices or data centers, generators and power cabling outside of buildings, and power sources for self-contained components such as satellites, vehicles, and other deployable systems."},{"id":"pe-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09","class":"sp800-53a"}],"parts":[{"id":"pe-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-09[01]","class":"sp800-53a"}],"prose":"power equipment for the system is protected from damage and destruction;","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-09[02]","class":"sp800-53a"}],"prose":"power cabling for the system is protected from damage and destruction.","links":[{"href":"#pe-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-9_smt","rel":"assessment-for"}]},{"id":"pe-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}],"controls":[{"id":"pe-9.1","class":"SP800-53-enhancement","title":"Redundant Cabling","params":[{"id":"pe-09.01_odp","props":[{"name":"alt-identifier","value":"pe-9.1_prm_1"},{"name":"label","value":"PE-09(01)_ODP","class":"sp800-53a"}],"label":"distance","guidelines":[{"prose":"distance by which redundant power cabling paths are to be physically separated is defined;"}]}],"props":[{"name":"label","value":"PE-9(1)"},{"name":"label","value":"PE-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-9","rel":"required"}],"parts":[{"id":"pe-9.1_smt","name":"statement","prose":"Employ redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }}."},{"id":"pe-9.1_gdn","name":"guidance","prose":"Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged."},{"id":"pe-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09(01)","class":"sp800-53a"}],"prose":"redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed.","links":[{"href":"#pe-9.1_smt","rel":"assessment-for"}]},{"id":"pe-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power equipment\/cabling protection\n\nfacilities housing power equipment\/cabling\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility to protect power equipment\/cabling\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of power equipment\/cabling"}]}]},{"id":"pe-9.2","class":"SP800-53-enhancement","title":"Automatic Voltage Controls","params":[{"id":"pe-09.02_odp","props":[{"name":"alt-identifier","value":"pe-9.2_prm_1"},{"name":"label","value":"PE-09(02)_ODP","class":"sp800-53a"}],"label":"critical system components","guidelines":[{"prose":"the critical system components that require automatic voltage controls are defined;"}]}],"props":[{"name":"label","value":"PE-9(2)"},{"name":"label","value":"PE-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-9","rel":"required"}],"parts":[{"id":"pe-9.2_smt","name":"statement","prose":"Employ automatic voltage controls for {{ insert: param, pe-09.02_odp }}."},{"id":"pe-9.2_gdn","name":"guidance","prose":"Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers."},{"id":"pe-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-09(02)","class":"sp800-53a"}],"prose":"automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed.","links":[{"href":"#pe-9.2_smt","rel":"assessment-for"}]},{"id":"pe-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing voltage control\n\nsecurity plan\n\nlist of critical system components requiring automatic voltage controls\n\nautomatic voltage control mechanisms and associated configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for environmental protection of system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-9.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-09(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing automatic voltage controls"}]}]}]},{"id":"pe-10","class":"SP800-53","title":"Emergency Shutoff","params":[{"id":"pe-10_odp.01","props":[{"name":"alt-identifier","value":"pe-10_prm_1"},{"name":"label","value":"PE-10_ODP[01]","class":"sp800-53a"}],"label":"system or individual system components","guidelines":[{"prose":"system or individual system components that require the capability to shut off power in emergency situations is\/are defined;"}]},{"id":"pe-10_odp.02","props":[{"name":"alt-identifier","value":"pe-10_prm_2"},{"name":"alt-label","value":"location by system or system component","class":"sp800-53"},{"name":"label","value":"PE-10_ODP[02]","class":"sp800-53a"}],"label":"location","guidelines":[{"prose":"location of emergency shutoff switches or devices by system or system component is defined;"}]}],"props":[{"name":"label","value":"PE-10"},{"name":"label","value":"PE-10","class":"sp800-53a"},{"name":"sort-id","value":"pe-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"related"}],"parts":[{"id":"pe-10_smt","name":"statement","parts":[{"id":"pe-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide the capability of shutting off power to {{ insert: param, pe-10_odp.01 }} in emergency situations;"},{"id":"pe-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Place emergency shutoff switches or devices in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel; and"},{"id":"pe-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect emergency power shutoff capability from unauthorized activation."}]},{"id":"pe-10_gdn","name":"guidance","prose":"Emergency power shutoff primarily applies to organizational facilities that contain concentrations of system resources, including data centers, mainframe computer rooms, server rooms, and areas with computer-controlled machinery."},{"id":"pe-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-10","class":"sp800-53a"}],"parts":[{"id":"pe-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-10a.","class":"sp800-53a"}],"prose":"the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;","links":[{"href":"#pe-10_smt.a","rel":"assessment-for"}]},{"id":"pe-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-10b.","class":"sp800-53a"}],"prose":"emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;","links":[{"href":"#pe-10_smt.b","rel":"assessment-for"}]},{"id":"pe-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-10c.","class":"sp800-53a"}],"prose":"the emergency power shutoff capability is protected from unauthorized activation.","links":[{"href":"#pe-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-10_smt","rel":"assessment-for"}]},{"id":"pe-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing power source emergency shutoff\n\nemergency shutoff controls or switches\n\nlocations housing emergency shutoff switches and devices\n\nsecurity safeguards protecting the emergency power shutoff capability from unauthorized activation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for the emergency power shutoff capability (both implementing and using the capability)\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing emergency power shutoff"}]}],"controls":[{"id":"pe-10.1","class":"SP800-53-enhancement","title":"Accidental and Unauthorized Activation","props":[{"name":"label","value":"PE-10(1)"},{"name":"label","value":"PE-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-10.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-10","rel":"incorporated-into"}]}]},{"id":"pe-11","class":"SP800-53","title":"Emergency Power","params":[{"id":"pe-11_odp","props":[{"name":"alt-identifier","value":"pe-11_prm_1"},{"name":"label","value":"PE-11_ODP","class":"sp800-53a"}],"select":{"choice":["an orderly shutdown of the system","transition of the system to long-term alternate power"]}}],"props":[{"name":"label","value":"PE-11"},{"name":"label","value":"PE-11","class":"sp800-53a"},{"name":"sort-id","value":"pe-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-11_smt","name":"statement","prose":"Provide an uninterruptible power supply to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."},{"id":"pe-11_gdn","name":"guidance","prose":"An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system."},{"id":"pe-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11","class":"sp800-53a"}],"prose":"an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.","links":[{"href":"#pe-11_smt","rel":"assessment-for"}]},{"id":"pe-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nuninterruptible power supply\n\nuninterruptible power supply documentation\n\nuninterruptible power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an uninterruptible power supply\n\nthe uninterruptable power supply"}]}],"controls":[{"id":"pe-11.1","class":"SP800-53-enhancement","title":"Alternate Power Supply — Minimal Operational Capability","params":[{"id":"pe-11.01_odp","props":[{"name":"alt-identifier","value":"pe-11.1_prm_1"},{"name":"label","value":"PE-11(01)_ODP","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}}],"props":[{"name":"label","value":"PE-11(1)"},{"name":"label","value":"PE-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.1_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.01_odp }} and that can maintain minimally required operational capability in the event of an extended loss of the primary power source."},{"id":"pe-11.1_gdn","name":"guidance","prose":"Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply."},{"id":"pe-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)","class":"sp800-53a"}],"parts":[{"id":"pe-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[01]","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};","links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]},{"id":"pe-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-11(01)[02]","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.","links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-11.1_smt","rel":"assessment-for"}]},{"id":"pe-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]},{"id":"pe-11.2","class":"SP800-53-enhancement","title":"Alternate Power Supply — Self-contained","params":[{"id":"pe-11.02_odp.01","props":[{"name":"alt-identifier","value":"pe-11.2_prm_1"},{"name":"label","value":"PE-11(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["manually","automatically"]}},{"id":"pe-11.02_odp.02","props":[{"name":"alt-identifier","value":"pe-11.2_prm_2"},{"name":"label","value":"PE-11(02)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["minimally required operational capability","full operational capability"]}}],"props":[{"name":"label","value":"PE-11(2)"},{"name":"label","value":"PE-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-11","rel":"required"}],"parts":[{"id":"pe-11.2_smt","name":"statement","prose":"Provide an alternate power supply for the system that is activated {{ insert: param, pe-11.02_odp.01 }} and that is:","parts":[{"id":"pe-11.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Self-contained;"},{"id":"pe-11.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Not reliant on external power generation; and"},{"id":"pe-11.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source."}]},{"id":"pe-11.2_gdn","name":"guidance","prose":"The provision of a long-term, self-contained power supply can be satisfied by using one or more generators with sufficient capacity to meet the needs of the organization."},{"id":"pe-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)","class":"sp800-53a"}],"prose":"an alternate power supply provided for the system is activated {{ insert: param, pe-11.02_odp.01 }};","parts":[{"id":"pe-11.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(a)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is self-contained;","links":[{"href":"#pe-11.2_smt.a","rel":"assessment-for"}]},{"id":"pe-11.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(b)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is not reliant on external power generation;","links":[{"href":"#pe-11.2_smt.b","rel":"assessment-for"}]},{"id":"pe-11.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-11(02)(c)","class":"sp800-53a"}],"prose":"the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source.","links":[{"href":"#pe-11.2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pe-11.2_smt","rel":"assessment-for"}]},{"id":"pe-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency power\n\nalternate power supply\n\nalternate power supply documentation\n\nalternate power supply test records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency power and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an alternate power supply\n\nthe alternate power supply"}]}]}]},{"id":"pe-12","class":"SP800-53","title":"Emergency Lighting","props":[{"name":"label","value":"PE-12"},{"name":"label","value":"PE-12","class":"sp800-53a"},{"name":"sort-id","value":"pe-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-12_smt","name":"statement","prose":"Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."},{"id":"pe-12_gdn","name":"guidance","prose":"The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies."},{"id":"pe-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12","class":"sp800-53a"}],"parts":[{"id":"pe-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-12[01]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-12[02]","class":"sp800-53a"}],"prose":"automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-12[03]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers emergency exits within the facility;","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-12[04]","class":"sp800-53a"}],"prose":"automatic emergency lighting for the system covers evacuation routes within the facility.","links":[{"href":"#pe-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-12_smt","rel":"assessment-for"}]},{"id":"pe-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an emergency lighting capability"}]}],"controls":[{"id":"pe-12.1","class":"SP800-53-enhancement","title":"Essential Mission and Business Functions","props":[{"name":"label","value":"PE-12(1)"},{"name":"label","value":"PE-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-12","rel":"required"}],"parts":[{"id":"pe-12.1_smt","name":"statement","prose":"Provide emergency lighting for all areas within the facility supporting essential mission and business functions."},{"id":"pe-12.1_gdn","name":"guidance","prose":"Organizations define their essential missions and functions."},{"id":"pe-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-12(01)","class":"sp800-53a"}],"prose":"emergency lighting is provided for all areas within the facility supporting essential mission and business functions.","links":[{"href":"#pe-12.1_smt","rel":"assessment-for"}]},{"id":"pe-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing emergency lighting\n\nemergency lighting documentation\n\nemergency lighting test records\n\nemergency exits and evacuation routes\n\nareas\/locations within facility supporting essential missions and business functions\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for emergency lighting and\/or planning\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the emergency lighting capability"}]}]}]},{"id":"pe-13","class":"SP800-53","title":"Fire Protection","props":[{"name":"label","value":"PE-13"},{"name":"label","value":"PE-13","class":"sp800-53a"},{"name":"sort-id","value":"pe-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"}],"parts":[{"id":"pe-13_smt","name":"statement","prose":"Employ and maintain fire detection and suppression systems that are supported by an independent energy source."},{"id":"pe-13_gdn","name":"guidance","prose":"The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility."},{"id":"pe-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13","class":"sp800-53a"}],"parts":[{"id":"pe-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13[01]","class":"sp800-53a"}],"prose":"fire detection systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13[02]","class":"sp800-53a"}],"prose":"employed fire detection systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13[03]","class":"sp800-53a"}],"prose":"employed fire detection systems are maintained;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-13[04]","class":"sp800-53a"}],"prose":"fire suppression systems are employed;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PE-13[05]","class":"sp800-53a"}],"prose":"employed fire suppression systems are supported by an independent energy source;","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PE-13[06]","class":"sp800-53a"}],"prose":"employed fire suppression systems are maintained.","links":[{"href":"#pe-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13_smt","rel":"assessment-for"}]},{"id":"pe-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire suppression\/detection devices\/systems"}]}],"controls":[{"id":"pe-13.1","class":"SP800-53-enhancement","title":"Detection Systems — Automatic Activation and Notification","params":[{"id":"pe-13.01_odp.01","props":[{"name":"alt-identifier","value":"pe-13.1_prm_1"},{"name":"label","value":"PE-13(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.01_odp.02","props":[{"name":"alt-identifier","value":"pe-13.1_prm_2"},{"name":"label","value":"PE-13(01)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(1)"},{"name":"label","value":"PE-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.1_smt","name":"statement","prose":"Employ fire detection systems that activate automatically and notify {{ insert: param, pe-13.01_odp.01 }} and {{ insert: param, pe-13.01_odp.02 }} in the event of a fire."},{"id":"pe-13.1_gdn","name":"guidance","prose":"Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)","class":"sp800-53a"}],"parts":[{"id":"pe-13.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[01]","class":"sp800-53a"}],"prose":"fire detection systems that activate automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[02]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(01)[03]","class":"sp800-53a"}],"prose":"fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.","links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.1_smt","rel":"assessment-for"}]},{"id":"pe-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the information system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nfire suppression and detection devices\/systems documentation\n\nalerts\/notifications of fire events\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for notifying appropriate personnel, roles, and emergency responders of fires\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing fire detection devices\/systems\n\nactivation of fire detection devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.2","class":"SP800-53-enhancement","title":"Suppression Systems — Automatic Activation and Notification","params":[{"id":"pe-13.02_odp.01","props":[{"name":"alt-identifier","value":"pe-13.2_prm_1"},{"name":"label","value":"PE-13(02)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified in the event of a fire is\/are defined;"}]},{"id":"pe-13.02_odp.02","props":[{"name":"alt-identifier","value":"pe-13.2_prm_2"},{"name":"label","value":"PE-13(02)_ODP[02]","class":"sp800-53a"}],"label":"emergency responders","guidelines":[{"prose":"emergency responders to be notified in the event of a fire are defined;"}]}],"props":[{"name":"label","value":"PE-13(2)"},{"name":"label","value":"PE-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.2_smt","name":"statement","parts":[{"id":"pe-13.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ fire suppression systems that activate automatically and notify {{ insert: param, pe-13.02_odp.01 }} and {{ insert: param, pe-13.02_odp.02 }} ; and"},{"id":"pe-13.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employ an automatic fire suppression capability when the facility is not staffed on a continuous basis."}]},{"id":"pe-13.2_gdn","name":"guidance","prose":"Organizations can identify specific personnel, roles, and emergency responders if individuals on the notification list need to have appropriate access authorizations and\/or clearances (e.g., to enter to facilities where access is restricted due to the impact level or classification of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire."},{"id":"pe-13.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)","class":"sp800-53a"}],"parts":[{"id":"pe-13.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[01]","class":"sp800-53a"}],"prose":"fire suppression systems that activate automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[02]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(a)[03]","class":"sp800-53a"}],"prose":"fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;","links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.2_smt.a","rel":"assessment-for"}]},{"id":"pe-13.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-13(02)(b)","class":"sp800-53a"}],"prose":"an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.","links":[{"href":"#pe-13.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.2_smt","rel":"assessment-for"}]},{"id":"pe-13.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfire suppression and detection devices\/systems documentation\n\nfacility housing the system\n\nalarm service-level agreements\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for fire detection and suppression devices\/systems\n\norganizational personnel with responsibilities for providing automatic notifications of any activation of fire suppression devices\/systems to appropriate personnel, roles, and emergency responders\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-13.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-13(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing fire suppression devices\/systems\n\nactivation of fire suppression devices\/systems (simulated)\n\nautomated notifications"}]}]},{"id":"pe-13.3","class":"SP800-53-enhancement","title":"Automatic Fire Suppression","props":[{"name":"label","value":"PE-13(3)"},{"name":"label","value":"PE-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-13.2","rel":"incorporated-into"}]},{"id":"pe-13.4","class":"SP800-53-enhancement","title":"Inspections","params":[{"id":"pe-13.04_odp.01","props":[{"name":"alt-identifier","value":"pe-13.4_prm_1"},{"name":"label","value":"PE-13(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for conducting fire protection inspections on the facility is defined;"}]},{"id":"pe-13.04_odp.02","props":[{"name":"alt-identifier","value":"pe-13.4_prm_2"},{"name":"label","value":"PE-13(04)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for resolving deficiencies identified by fire protection inspections is defined;"}]}],"props":[{"name":"label","value":"PE-13(4)"},{"name":"label","value":"PE-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"pe-13.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-13","rel":"required"}],"parts":[{"id":"pe-13.4_smt","name":"statement","prose":"Ensure that the facility undergoes {{ insert: param, pe-13.04_odp.01 }} fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within {{ insert: param, pe-13.04_odp.02 }}."},{"id":"pe-13.4_gdn","name":"guidance","prose":"Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information."},{"id":"pe-13.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)","class":"sp800-53a"}],"parts":[{"id":"pe-13.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)[01]","class":"sp800-53a"}],"prose":"the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;","links":[{"href":"#pe-13.4_smt","rel":"assessment-for"}]},{"id":"pe-13.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-13(04)[02]","class":"sp800-53a"}],"prose":"the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}.","links":[{"href":"#pe-13.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-13.4_smt","rel":"assessment-for"}]},{"id":"pe-13.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-13(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing fire protection\n\nfacility housing the system\n\ninspection plans\n\ninspection results\n\ninspect reports\n\ntest records of fire suppression and detection devices\/systems\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-13.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-13(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for planning, approving, and executing fire inspections\n\norganizational personnel with information security responsibilities"}]}]}]},{"id":"pe-14","class":"SP800-53","title":"Environmental Controls","params":[{"id":"pe-14_odp.01","props":[{"name":"alt-identifier","value":"pe-14_prm_1"},{"name":"label","value":"PE-14_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["temperature","humidity","pressure","radiation","{{ insert: param, pe-14_odp.02 }} "]}},{"id":"pe-14_odp.02","props":[{"name":"alt-identifier","value":"pe-14_prm_2"},{"name":"label","value":"PE-14_ODP[02]","class":"sp800-53a"}],"label":"environmental control","guidelines":[{"prose":"environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);"}]},{"id":"pe-14_odp.03","props":[{"name":"alt-identifier","value":"pe-14_prm_3"},{"name":"label","value":"PE-14_ODP[03]","class":"sp800-53a"}],"label":"acceptable levels","guidelines":[{"prose":"acceptable levels for environmental controls are defined;"}]},{"id":"pe-14_odp.04","props":[{"name":"alt-identifier","value":"pe-14_prm_4"},{"name":"label","value":"PE-14_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to monitor environmental control levels is defined;"}]}],"props":[{"name":"label","value":"PE-14"},{"name":"label","value":"PE-14","class":"sp800-53a"},{"name":"sort-id","value":"pe-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#cp-2","rel":"related"}],"parts":[{"id":"pe-14_smt","name":"statement","parts":[{"id":"pe-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Maintain {{ insert: param, pe-14_odp.01 }} levels within the facility where the system resides at {{ insert: param, pe-14_odp.03 }} ; and"},{"id":"pe-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Monitor environmental control levels {{ insert: param, pe-14_odp.04 }}."}]},{"id":"pe-14_gdn","name":"guidance","prose":"The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions."},{"id":"pe-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14","class":"sp800-53a"}],"parts":[{"id":"pe-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-14a.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;","links":[{"href":"#pe-14_smt.a","rel":"assessment-for"}]},{"id":"pe-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-14b.","class":"sp800-53a"}],"prose":"environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.","links":[{"href":"#pe-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-14_smt","rel":"assessment-for"}]},{"id":"pe-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity control\n\ntemperature and humidity controls\n\nfacility housing the system\n\ntemperature and humidity controls documentation\n\ntemperature and humidity records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the maintenance and monitoring of temperature and humidity levels"}]}],"controls":[{"id":"pe-14.1","class":"SP800-53-enhancement","title":"Automatic Controls","params":[{"id":"pe-14.01_odp","props":[{"name":"alt-identifier","value":"pe-14.1_prm_1"},{"name":"label","value":"PE-14(01)_ODP","class":"sp800-53a"}],"label":"automatic environmental controls","guidelines":[{"prose":"automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;"}]}],"props":[{"name":"label","value":"PE-14(1)"},{"name":"label","value":"PE-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-14","rel":"required"}],"parts":[{"id":"pe-14.1_smt","name":"statement","prose":"Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: {{ insert: param, pe-14.01_odp }}."},{"id":"pe-14.1_gdn","name":"guidance","prose":"The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components."},{"id":"pe-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system.","links":[{"href":"#pe-14.1_smt","rel":"assessment-for"}]},{"id":"pe-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity controls\n\nfacility housing the system\n\nautomated mechanisms for temperature and humidity\n\ntemperature and humidity controls\n\ntemperature and humidity documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing temperature and humidity levels"}]}]},{"id":"pe-14.2","class":"SP800-53-enhancement","title":"Monitoring with Alarms and Notifications","params":[{"id":"pe-14.02_odp","props":[{"name":"alt-identifier","value":"pe-14.2_prm_1"},{"name":"label","value":"PE-14(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is\/are defined;"}]}],"props":[{"name":"label","value":"PE-14(2)"},{"name":"label","value":"PE-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"pe-14.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-14","rel":"required"}],"parts":[{"id":"pe-14.2_smt","name":"statement","prose":"Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to {{ insert: param, pe-14.02_odp }}."},{"id":"pe-14.2_gdn","name":"guidance","prose":"The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response."},{"id":"pe-14.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)","class":"sp800-53a"}],"parts":[{"id":"pe-14.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)[01]","class":"sp800-53a"}],"prose":"environmental control monitoring is employed;","links":[{"href":"#pe-14.2_smt","rel":"assessment-for"}]},{"id":"pe-14.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-14(02)[02]","class":"sp800-53a"}],"prose":"the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.","links":[{"href":"#pe-14.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-14.2_smt","rel":"assessment-for"}]},{"id":"pe-14.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-14(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing temperature and humidity monitoring\n\nfacility housing the system\n\nlogs or records of temperature and humidity monitoring\n\nrecords of changes to temperature and humidity levels that generate alarms or notifications\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-14.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-14(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-14.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-14(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing temperature and humidity monitoring"}]}]}]},{"id":"pe-15","class":"SP800-53","title":"Water Damage Protection","props":[{"name":"label","value":"PE-15"},{"name":"label","value":"PE-15","class":"sp800-53a"},{"name":"sort-id","value":"pe-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#at-3","rel":"related"},{"href":"#pe-10","rel":"related"}],"parts":[{"id":"pe-15_smt","name":"statement","prose":"Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."},{"id":"pe-15_gdn","name":"guidance","prose":"The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations."},{"id":"pe-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15","class":"sp800-53a"}],"parts":[{"id":"pe-15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15[01]","class":"sp800-53a"}],"prose":"the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15[02]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are accessible;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-15[03]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are working properly;","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PE-15[04]","class":"sp800-53a"}],"prose":"the master shutoff or isolation valves are known to key personnel.","links":[{"href":"#pe-15_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15_smt","rel":"assessment-for"}]},{"id":"pe-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nmaster shutoff valves\n\nlist of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system\n\nmaster shutoff valve documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Master water-shutoff valves\n\norganizational process for activating master water shutoff"}]}],"controls":[{"id":"pe-15.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"pe-15.01_odp.01","props":[{"name":"alt-identifier","value":"pe-15.1_prm_1"},{"name":"label","value":"PE-15(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when the presence of water is detected near the system is\/are defined;"}]},{"id":"pe-15.01_odp.02","props":[{"name":"alt-identifier","value":"pe-15.1_prm_2"},{"name":"label","value":"PE-15(01)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to detect the presence of water near the system are defined;"}]}],"props":[{"name":"label","value":"PE-15(1)"},{"name":"label","value":"PE-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-15","rel":"required"}],"parts":[{"id":"pe-15.1_smt","name":"statement","prose":"Detect the presence of water near the system and alert {{ insert: param, pe-15.01_odp.01 }} using {{ insert: param, pe-15.01_odp.02 }}."},{"id":"pe-15.1_gdn","name":"guidance","prose":"Automated mechanisms include notification systems, water detection sensors, and alarms."},{"id":"pe-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)","class":"sp800-53a"}],"parts":[{"id":"pe-15.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[01]","class":"sp800-53a"}],"prose":"the presence of water near the system can be detected automatically;","links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]},{"id":"pe-15.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-15(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-15.01_odp.01 }} is\/are alerted using {{ insert: param, pe-15.01_odp.02 }}.","links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-15.1_smt","rel":"assessment-for"}]},{"id":"pe-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing water damage protection\n\nfacility housing the system\n\nautomated mechanisms for water shutoff valves\n\nautomated mechanisms for detecting the presence of water in the vicinity of the system\n\nalerts\/notifications of water detection in system facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing water detection capabilities and alerts for the system"}]}]}]},{"id":"pe-16","class":"SP800-53","title":"Delivery and Removal","params":[{"id":"pe-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pe-16_odp.02"}],"label":"organization-defined types of system components"},{"id":"pe-16_odp.01","props":[{"name":"label","value":"PE-16_ODP[01]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when entering the facility are defined;"}]},{"id":"pe-16_odp.02","props":[{"name":"label","value":"PE-16_ODP[02]","class":"sp800-53a"}],"label":"types of system components","guidelines":[{"prose":"types of system components to be authorized and controlled when exiting the facility are defined;"}]}],"props":[{"name":"label","value":"PE-16"},{"name":"label","value":"PE-16","class":"sp800-53a"},{"name":"sort-id","value":"pe-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pe-16_smt","name":"statement","parts":[{"id":"pe-16_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Authorize and control {{ insert: param, pe-16_prm_1 }} entering and exiting the facility; and"},{"id":"pe-16_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Maintain records of the system components."}]},{"id":"pe-16_gdn","name":"guidance","prose":"Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries."},{"id":"pe-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-16","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.","class":"sp800-53a"}],"parts":[{"id":"pe-16_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PE-16a.[04]","class":"sp800-53a"}],"prose":"{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;","links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt.a","rel":"assessment-for"}]},{"id":"pe-16_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-16b.","class":"sp800-53a"}],"prose":"records of the system components are maintained.","links":[{"href":"#pe-16_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-16_smt","rel":"assessment-for"}]},{"id":"pe-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the delivery and removal of system components from the facility\n\nfacility housing the system\n\nrecords of items entering and exiting the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for controlling system components entering and exiting the facility\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility"}]}]},{"id":"pe-17","class":"SP800-53","title":"Alternate Work Site","params":[{"id":"pe-17_odp.01","props":[{"name":"alt-identifier","value":"pe-17_prm_1"},{"name":"label","value":"PE-17_ODP[01]","class":"sp800-53a"}],"label":"alternate work sites","guidelines":[{"prose":"alternate work sites allowed for use by employees are defined;"}]},{"id":"pe-17_odp.02","props":[{"name":"alt-identifier","value":"pe-17_prm_2"},{"name":"label","value":"PE-17_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed at alternate work sites are defined;"}]}],"props":[{"name":"label","value":"PE-17"},{"name":"label","value":"PE-17","class":"sp800-53a"},{"name":"sort-id","value":"pe-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#83b9d63b-66b1-467c-9f3b-3a0b108771e9","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#cp-7","rel":"related"}],"parts":[{"id":"pe-17_smt","name":"statement","parts":[{"id":"pe-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pe-17_odp.01 }} allowed for use by employees;"},{"id":"pe-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls at alternate work sites: {{ insert: param, pe-17_odp.02 }};"},{"id":"pe-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Assess the effectiveness of controls at alternate work sites; and"},{"id":"pe-17_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Provide a means for employees to communicate with information security and privacy personnel in case of incidents."}]},{"id":"pe-17_gdn","name":"guidance","prose":"Alternate work sites include government facilities or the private residences of employees. While distinct from alternative processing sites, alternate work sites can provide readily available alternate locations during contingency operations. Organizations can define different sets of controls for specific alternate work sites or types of sites depending on the work-related activities conducted at the sites. Implementing and assessing the effectiveness of organization-defined controls and providing a means to communicate incidents at alternate work sites supports the contingency planning activities of organizations."},{"id":"pe-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-17","class":"sp800-53a"}],"parts":[{"id":"pe-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-17a.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-17_odp.01 }} are determined and documented;","links":[{"href":"#pe-17_smt.a","rel":"assessment-for"}]},{"id":"pe-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-17b.","class":"sp800-53a"}],"prose":"{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;","links":[{"href":"#pe-17_smt.b","rel":"assessment-for"}]},{"id":"pe-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PE-17c.","class":"sp800-53a"}],"prose":"the effectiveness of controls at alternate work sites is assessed;","links":[{"href":"#pe-17_smt.c","rel":"assessment-for"}]},{"id":"pe-17_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PE-17d.","class":"sp800-53a"}],"prose":"a means for employees to communicate with information security and privacy personnel in case of incidents is provided.","links":[{"href":"#pe-17_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pe-17_smt","rel":"assessment-for"}]},{"id":"pe-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing alternate work sites for organizational personnel\n\nlist of security controls required for alternate work sites\n\nassessments of security controls at alternate work sites\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel approving the use of alternate work sites\n\norganizational personnel using alternate work sites\n\norganizational personnel assessing controls at alternate work sites\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy at alternate work sites\n\nmechanisms supporting alternate work sites\n\nsecurity and privacy controls employed at alternate work sites\n\nmeans of communication between personnel at alternate work sites and security and privacy personnel"}]}]},{"id":"pe-18","class":"SP800-53","title":"Location of System Components","params":[{"id":"pe-18_odp","props":[{"name":"alt-identifier","value":"pe-18_prm_1"},{"name":"label","value":"PE-18_ODP","class":"sp800-53a"}],"label":"physical and environmental hazards","guidelines":[{"prose":"physical and environmental hazards that could result in potential damage to system components within the facility are defined;"}]}],"props":[{"name":"label","value":"PE-18"},{"name":"label","value":"PE-18","class":"sp800-53a"},{"name":"sort-id","value":"pe-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-5","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-18_smt","name":"statement","prose":"Position system components within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."},{"id":"pe-18_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information."},{"id":"pe-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-18","class":"sp800-53a"}],"prose":"system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.","links":[{"href":"#pe-18_smt","rel":"assessment-for"}]},{"id":"pe-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing the positioning of system components\n\ndocumentation providing the location and position of system components within the facility\n\nlocations housing system components within the facility\n\nlist of physical and environmental hazards with the potential to damage system components within the facility\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for positioning system components\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for positioning system components"}]}],"controls":[{"id":"pe-18.1","class":"SP800-53-enhancement","title":"Facility Site","props":[{"name":"label","value":"PE-18(1)"},{"name":"label","value":"PE-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-18.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pe-23","rel":"moved-to"}]}]},{"id":"pe-19","class":"SP800-53","title":"Information Leakage","props":[{"name":"label","value":"PE-19"},{"name":"label","value":"PE-19","class":"sp800-53a"},{"name":"sort-id","value":"pe-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#ac-18","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pe-20","rel":"related"}],"parts":[{"id":"pe-19_smt","name":"statement","prose":"Protect the system from information leakage due to electromagnetic signals emanations."},{"id":"pe-19_gdn","name":"guidance","prose":"Information leakage is the intentional or unintentional release of data or information to an untrusted environment from electromagnetic signals emanations. The security categories or classifications of systems (with respect to confidentiality), organizational security policies, and risk tolerance guide the selection of controls employed to protect systems against information leakage due to electromagnetic signals emanations."},{"id":"pe-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-19","class":"sp800-53a"}],"prose":"the system is protected from information leakage due to electromagnetic signal emanations.","links":[{"href":"#pe-19_smt","rel":"assessment-for"}]},{"id":"pe-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing information leakage due to electromagnetic signal emanations\n\nmechanisms protecting the system against electronic signal emanations\n\nfacility housing the system\n\nrecords from electromagnetic signal emanation tests\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing protection from information leakage due to electromagnetic signal emanations"}]}],"controls":[{"id":"pe-19.1","class":"SP800-53-enhancement","title":"National Emissions Policies and Procedures","props":[{"name":"label","value":"PE-19(1)"},{"name":"label","value":"PE-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"pe-19.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-19","rel":"required"}],"parts":[{"id":"pe-19.1_smt","name":"statement","prose":"Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information."},{"id":"pe-19.1_gdn","name":"guidance","prose":"Emissions Security (EMSEC) policies include the former TEMPEST policies."},{"id":"pe-19.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)","class":"sp800-53a"}],"parts":[{"id":"pe-19.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[01]","class":"sp800-53a"}],"prose":"system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;","links":[{"href":"#pe-19.1_smt","rel":"assessment-for"}]},{"id":"pe-19.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[02]","class":"sp800-53a"}],"prose":"associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;","links":[{"href":"#pe-19.1_smt","rel":"assessment-for"}]},{"id":"pe-19.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PE-19(01)[03]","class":"sp800-53a"}],"prose":"networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.","links":[{"href":"#pe-19.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pe-19.1_smt","rel":"assessment-for"}]},{"id":"pe-19.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-19(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing information leakage that comply with national emissions and TEMPEST policies and procedures\n\nsystem component design documentation\n\nsystem configuration settings and associated documentation system security plan\n\nother relevant documents or records"}]},{"id":"pe-19.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-19(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for system environmental controls\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-19.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-19(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information system components for compliance with national emissions and TEMPEST policies and procedures"}]}]}]},{"id":"pe-20","class":"SP800-53","title":"Asset Monitoring and Tracking","params":[{"id":"pe-20_odp.01","props":[{"name":"alt-identifier","value":"pe-20_prm_1"},{"name":"label","value":"PE-20_ODP[01]","class":"sp800-53a"}],"label":"asset location technologies","guidelines":[{"prose":"asset location technologies to be employed to track and monitor the location and movement of assets is defined;"}]},{"id":"pe-20_odp.02","props":[{"name":"alt-identifier","value":"pe-20_prm_2"},{"name":"label","value":"PE-20_ODP[02]","class":"sp800-53a"}],"label":"assets","guidelines":[{"prose":"assets whose location and movement are to be tracked and monitored are defined;"}]},{"id":"pe-20_odp.03","props":[{"name":"alt-identifier","value":"pe-20_prm_3"},{"name":"label","value":"PE-20_ODP[03]","class":"sp800-53a"}],"label":"controlled areas","guidelines":[{"prose":"controlled areas within which asset location and movement are to be tracked and monitored are defined;"}]}],"props":[{"name":"label","value":"PE-20"},{"name":"label","value":"PE-20","class":"sp800-53a"},{"name":"sort-id","value":"pe-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cm-8","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pm-8","rel":"related"}],"parts":[{"id":"pe-20_smt","name":"statement","prose":"Employ {{ insert: param, pe-20_odp.01 }} to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}."},{"id":"pe-20_gdn","name":"guidance","prose":"Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns."},{"id":"pe-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-20","class":"sp800-53a"}],"prose":"{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}.","links":[{"href":"#pe-20_smt","rel":"assessment-for"}]},{"id":"pe-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing asset monitoring and tracking\n\ndocumentation showing the use of asset location technologies\n\nsystem configuration documentation\n\nlist of organizational assets requiring tracking and monitoring\n\nasset monitoring and tracking records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pe-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with asset monitoring and tracking responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pe-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for tracking and monitoring assets\n\nmechanisms supporting and\/or implementing the tracking and monitoring of assets"}]}]},{"id":"pe-21","class":"SP800-53","title":"Electromagnetic Pulse Protection","params":[{"id":"pe-21_odp.01","props":[{"name":"alt-identifier","value":"pe-21_prm_1"},{"name":"label","value":"PE-21_ODP[01]","class":"sp800-53a"}],"label":"protective measures","guidelines":[{"prose":"protective measures to be employed against electromagnetic pulse damage are defined;"}]},{"id":"pe-21_odp.02","props":[{"name":"alt-identifier","value":"pe-21_prm_2"},{"name":"alt-label","value":"systems and system components","class":"sp800-53"},{"name":"label","value":"PE-21_ODP[02]","class":"sp800-53a"}],"label":"system and system components","guidelines":[{"prose":"system and system components requiring protection against electromagnetic pulse damage are defined;"}]}],"props":[{"name":"label","value":"PE-21"},{"name":"label","value":"PE-21","class":"sp800-53a"},{"name":"sort-id","value":"pe-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pe-18","rel":"related"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"pe-21_smt","name":"statement","prose":"Employ {{ insert: param, pe-21_odp.01 }} against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}."},{"id":"pe-21_gdn","name":"guidance","prose":"An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure."},{"id":"pe-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-21","class":"sp800-53a"}],"prose":"{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}.","links":[{"href":"#pe-21_smt","rel":"assessment-for"}]},{"id":"pe-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing protective measures to mitigate EMP risk to systems and components\n\ndocumentation detailing protective measures to mitigate EMP risk\n\nlist of locations where protective measures to mitigate EMP risk are implemented\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for physical and environmental protection\n\nsystem developers\/integrators\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for mitigating EMP risk"}]}]},{"id":"pe-22","class":"SP800-53","title":"Component Marking","params":[{"id":"pe-22_odp","props":[{"name":"alt-identifier","value":"pe-22_prm_1"},{"name":"label","value":"PE-22_ODP","class":"sp800-53a"}],"label":"system hardware components","guidelines":[{"prose":"system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;"}]}],"props":[{"name":"label","value":"PE-22"},{"name":"label","value":"PE-22","class":"sp800-53a"},{"name":"sort-id","value":"pe-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#mp-3","rel":"related"}],"parts":[{"id":"pe-22_smt","name":"statement","prose":"Mark {{ insert: param, pe-22_odp }} indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component."},{"id":"pe-22_gdn","name":"guidance","prose":"Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors\/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in [AC-3](#ac-3) or [AC-4](#ac-4) . Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards."},{"id":"pe-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-22","class":"sp800-53a"}],"prose":"{{ insert: param, pe-22_odp }} are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.","links":[{"href":"#pe-22_smt","rel":"assessment-for"}]},{"id":"pe-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nprocedures addressing component marking\n\nlist of component marking security attributes\n\ncomponent inventory\n\ninformation types and their impact\/classification level\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with component marking responsibilities\n\norganizational personnel with component inventory responsibilities\n\norganizational personnel with information categorization\/classification responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for component marking\n\nautomated mechanisms supporting and\/or implementing component marking"}]}]},{"id":"pe-23","class":"SP800-53","title":"Facility Location","props":[{"name":"label","value":"PE-23"},{"name":"label","value":"PE-23","class":"sp800-53a"},{"name":"sort-id","value":"pe-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pe-19","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pe-23_smt","name":"statement","parts":[{"id":"pe-23_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Plan the location or site of the facility where the system resides considering physical and environmental hazards; and"},{"id":"pe-23_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"For existing facilities, consider the physical and environmental hazards in the organizational risk management strategy."}]},{"id":"pe-23_gdn","name":"guidance","prose":"Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in [PE-18](#pe-18)."},{"id":"pe-23_obj","name":"assessment-objective","props":[{"name":"label","value":"PE-23","class":"sp800-53a"}],"parts":[{"id":"pe-23_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PE-23a.","class":"sp800-53a"}],"prose":"the location or site of the facility where the system resides is planned considering physical and environmental hazards;","links":[{"href":"#pe-23_smt.a","rel":"assessment-for"}]},{"id":"pe-23_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PE-23b.","class":"sp800-53a"}],"prose":"for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.","links":[{"href":"#pe-23_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pe-23_smt","rel":"assessment-for"}]},{"id":"pe-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PE-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Physical and environmental protection policy\n\nphysical site planning documents\n\norganizational assessment of risk\n\ncontingency plan\n\nrisk mitigation strategy documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"pe-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PE-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with site selection responsibilities for the facility housing the system\n\norganizational personnel with risk mitigation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pe-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PE-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for site planning"}]}]}]},{"id":"pl","class":"family","title":"Planning","controls":[{"id":"pl-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pl-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pl-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pl-01_odp.01","props":[{"name":"label","value":"PL-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning policy is to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.02","props":[{"name":"label","value":"PL-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the planning procedures are to be disseminated is\/are defined;"}]},{"id":"pl-01_odp.03","props":[{"name":"alt-identifier","value":"pl-1_prm_2"},{"name":"label","value":"PL-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pl-01_odp.04","props":[{"name":"alt-identifier","value":"pl-1_prm_3"},{"name":"label","value":"PL-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the planning policy and procedures is defined;"}]},{"id":"pl-01_odp.05","props":[{"name":"alt-identifier","value":"pl-1_prm_4"},{"name":"label","value":"PL-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning policy is reviewed and updated is defined;"}]},{"id":"pl-01_odp.06","props":[{"name":"alt-identifier","value":"pl-1_prm_5"},{"name":"label","value":"PL-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current planning policy to be reviewed and updated are defined;"}]},{"id":"pl-01_odp.07","props":[{"name":"alt-identifier","value":"pl-1_prm_6"},{"name":"label","value":"PL-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency with which the current planning procedures are reviewed and updated is defined;"}]},{"id":"pl-01_odp.08","props":[{"name":"alt-identifier","value":"pl-1_prm_7"},{"name":"label","value":"PL-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PL-1"},{"name":"label","value":"PL-01","class":"sp800-53a"},{"name":"sort-id","value":"pl-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-1_smt","name":"statement","parts":[{"id":"pl-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pl-1_prm_1 }}:","parts":[{"id":"pl-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pl-01_odp.03 }} planning policy that:","parts":[{"id":"pl-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pl-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pl-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the planning policy and the associated planning controls;"}]},{"id":"pl-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pl-01_odp.04 }} to manage the development, documentation, and dissemination of the planning policy and procedures; and"},{"id":"pl-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current planning:","parts":[{"id":"pl-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pl-01_odp.05 }} and following {{ insert: param, pl-01_odp.06 }} ; and"},{"id":"pl-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pl-01_odp.07 }} and following {{ insert: param, pl-01_odp.08 }}."}]}]},{"id":"pl-1_gdn","name":"guidance","prose":"Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pl-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[01]","class":"sp800-53a"}],"prose":"a planning policy is developed and documented.","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[02]","class":"sp800-53a"}],"prose":"the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[03]","class":"sp800-53a"}],"prose":"planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.[04]","class":"sp800-53a"}],"prose":"the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};","links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;","links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pl-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pl-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.a","rel":"assessment-for"}]},{"id":"pl-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;","links":[{"href":"#pl-1_smt.b","rel":"assessment-for"}]},{"id":"pl-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[01]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.01[02]","class":"sp800-53a"}],"prose":"the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};","links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.1","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02","class":"sp800-53a"}],"parts":[{"id":"pl-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[01]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]},{"id":"pl-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-01c.02[02]","class":"sp800-53a"}],"prose":"the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.","links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-1_smt","rel":"assessment-for"}]},{"id":"pl-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Planning policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with planning responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pl-2","class":"SP800-53","title":"System Security and Privacy Plans","params":[{"id":"pl-02_odp.01","props":[{"name":"alt-identifier","value":"pl-2_prm_1"},{"name":"label","value":"PL-02_ODP[01]","class":"sp800-53a"}],"label":"individuals or groups","guidelines":[{"prose":"individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is\/are assigned;"}]},{"id":"pl-02_odp.02","props":[{"name":"alt-identifier","value":"pl-2_prm_2"},{"name":"label","value":"PL-02_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to receive distributed copies of the system security and privacy plans is\/are assigned;"}]},{"id":"pl-02_odp.03","props":[{"name":"alt-identifier","value":"pl-2_prm_3"},{"name":"label","value":"PL-02_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency to review system security and privacy plans is defined;"}]}],"props":[{"name":"label","value":"PL-2"},{"name":"label","value":"PL-02","class":"sp800-53a"},{"name":"sort-id","value":"pl-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-14","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pl-2_smt","name":"statement","parts":[{"id":"pl-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy plans for the system that:","parts":[{"id":"pl-2_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are consistent with the organization’s enterprise architecture;"},{"id":"pl-2_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Explicitly define the constituent system components;"},{"id":"pl-2_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe the operational context of the system in terms of mission and business processes;"},{"id":"pl-2_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Identify the individuals that fulfill system roles and responsibilities;"},{"id":"pl-2_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Identify the information types processed, stored, and transmitted by the system;"},{"id":"pl-2_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Provide the security categorization of the system, including supporting rationale;"},{"id":"pl-2_smt.a.7","name":"item","props":[{"name":"label","value":"7."}],"prose":"Describe any specific threats to the system that are of concern to the organization;"},{"id":"pl-2_smt.a.8","name":"item","props":[{"name":"label","value":"8."}],"prose":"Provide the results of a privacy risk assessment for systems processing personally identifiable information;"},{"id":"pl-2_smt.a.9","name":"item","props":[{"name":"label","value":"9."}],"prose":"Describe the operational environment for the system and any dependencies on or connections to other systems or system components;"},{"id":"pl-2_smt.a.10","name":"item","props":[{"name":"label","value":"10."}],"prose":"Provide an overview of the security and privacy requirements for the system;"},{"id":"pl-2_smt.a.11","name":"item","props":[{"name":"label","value":"11."}],"prose":"Identify any relevant control baselines or overlays, if applicable;"},{"id":"pl-2_smt.a.12","name":"item","props":[{"name":"label","value":"12."}],"prose":"Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;"},{"id":"pl-2_smt.a.13","name":"item","props":[{"name":"label","value":"13."}],"prose":"Include risk determinations for security and privacy architecture and design decisions;"},{"id":"pl-2_smt.a.14","name":"item","props":[{"name":"label","value":"14."}],"prose":"Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }} ; and"},{"id":"pl-2_smt.a.15","name":"item","props":[{"name":"label","value":"15."}],"prose":"Are reviewed and approved by the authorizing official or designated representative prior to plan implementation."}]},{"id":"pl-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, pl-02_odp.02 }};"},{"id":"pl-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review the plans {{ insert: param, pl-02_odp.03 }};"},{"id":"pl-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and"},{"id":"pl-2_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Protect the plans from unauthorized disclosure and modification."}]},{"id":"pl-2_gdn","name":"guidance","prose":"System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). [Section 2.1](#c3397cc9-83c6-4459-adb2-836739dc1b94) describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.\n\nOrganizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.\n\nSecurity and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.\n\nSecurity- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate."},{"id":"pl-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.01[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;","links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.1","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.02[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that explicitly defines the constituent system components;","links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.2","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.03[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;","links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.3","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.04[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;","links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.4","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.5-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.5-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.05[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;","links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.5","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.6-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.6-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.06[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;","links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.6","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.7-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.7-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.07[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;","links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.7","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.8-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.8-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.08[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;","links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.8","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.9-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.9-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.09[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;","links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.9","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.10-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that provides an overview of the security requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.10-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.10[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;","links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.10","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.11-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.11-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.11[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;","links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.11","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.12-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.12-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.12[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;","links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.12","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.13-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes risk determinations for security architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.13-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.13[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;","links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.13","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.14-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.14-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.14[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};","links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.14","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.a.15-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[01]","class":"sp800-53a"}],"prose":"a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]},{"id":"pl-2_obj.a.15-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02a.15[02]","class":"sp800-53a"}],"prose":"a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.","links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a.15","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.a","rel":"assessment-for"}]},{"id":"pl-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[01]","class":"sp800-53a"}],"prose":"copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02b.[02]","class":"sp800-53a"}],"prose":"subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};","links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.b","rel":"assessment-for"}]},{"id":"pl-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-02c.","class":"sp800-53a"}],"prose":"plans are reviewed {{ insert: param, pl-02_odp.03 }};","links":[{"href":"#pl-2_smt.c","rel":"assessment-for"}]},{"id":"pl-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[01]","class":"sp800-53a"}],"prose":"plans are updated to address changes to the system and environment of operations;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[02]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during the plan implementation;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PL-02d.[03]","class":"sp800-53a"}],"prose":"plans are updated to address problems identified during control assessments;","links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.d","rel":"assessment-for"}]},{"id":"pl-2_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.","class":"sp800-53a"}],"parts":[{"id":"pl-2_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[01]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized disclosure;","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]},{"id":"pl-2_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PL-02e.[02]","class":"sp800-53a"}],"prose":"plans are protected from unauthorized modification.","links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pl-2_smt","rel":"assessment-for"}]},{"id":"pl-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing security and privacy plan reviews and updates\n\nenterprise architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nsecurity and privacy architecture and design documentation\n\nrisk assessments\n\nrisk assessment results\n\ncontrol assessment documentation\n\nother relevant documents or records"}]},{"id":"pl-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system security and privacy planning and plan implementation responsibilities\n\nsystem developers\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system security and privacy plan development, review, update, and approval\n\nmechanisms supporting the system security and privacy plan"}]}],"controls":[{"id":"pl-2.1","class":"SP800-53-enhancement","title":"Concept of Operations","props":[{"name":"label","value":"PL-2(1)"},{"name":"label","value":"PL-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-7","rel":"incorporated-into"}]},{"id":"pl-2.2","class":"SP800-53-enhancement","title":"Functional Architecture","props":[{"name":"label","value":"PL-2(2)"},{"name":"label","value":"PL-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-8","rel":"incorporated-into"}]},{"id":"pl-2.3","class":"SP800-53-enhancement","title":"Plan and Coordinate with Other Organizational Entities","props":[{"name":"label","value":"PL-2(3)"},{"name":"label","value":"PL-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"pl-02.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]}]},{"id":"pl-3","class":"SP800-53","title":"System Security Plan Update","props":[{"name":"label","value":"PL-3"},{"name":"label","value":"PL-03","class":"sp800-53a"},{"name":"sort-id","value":"pl-03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]},{"id":"pl-4","class":"SP800-53","title":"Rules of Behavior","params":[{"id":"pl-04_odp.01","props":[{"name":"alt-identifier","value":"pl-4_prm_1"},{"name":"label","value":"PL-04_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for reviewing and updating the rules of behavior is defined;"}]},{"id":"pl-04_odp.02","props":[{"name":"alt-identifier","value":"pl-4_prm_2"},{"name":"label","value":"PL-04_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, pl-04_odp.03 }} ","when the rules are revised or updated"]}},{"id":"pl-04_odp.03","props":[{"name":"alt-identifier","value":"pl-4_prm_3"},{"name":"label","value":"PL-04_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);"}]}],"props":[{"name":"label","value":"PL-4"},{"name":"label","value":"PL-04","class":"sp800-53a"},{"name":"sort-id","value":"pl-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#30eb758a-2707-4bca-90ad-949a74d4eb16","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-9","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-4_smt","name":"statement","parts":[{"id":"pl-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;"},{"id":"pl-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;"},{"id":"pl-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and"},{"id":"pl-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}."}]},{"id":"pl-4_gdn","name":"guidance","prose":"Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see [PS-6](#ps-6) ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in [AC-8](#ac-8) . The related controls section provides a list of controls that are relevant to organizational rules of behavior. [PL-4b](#pl-4_smt.b) , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons."},{"id":"pl-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.","class":"sp800-53a"}],"parts":[{"id":"pl-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[01]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-04a.[02]","class":"sp800-53a"}],"prose":"rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;","links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt.a","rel":"assessment-for"}]},{"id":"pl-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04b.","class":"sp800-53a"}],"prose":"before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;","links":[{"href":"#pl-4_smt.b","rel":"assessment-for"}]},{"id":"pl-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04c.","class":"sp800-53a"}],"prose":"rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};","links":[{"href":"#pl-4_smt.c","rel":"assessment-for"}]},{"id":"pl-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PL-04d.","class":"sp800-53a"}],"prose":"individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.","links":[{"href":"#pl-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pl-4_smt","rel":"assessment-for"}]},{"id":"pl-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\nsigned acknowledgements\n\nrecords for rules of behavior reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed and resigned rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior\n\nmechanisms supporting and\/or implementing the establishment, review, dissemination, and update of rules of behavior"}]}],"controls":[{"id":"pl-4.1","class":"SP800-53-enhancement","title":"Social Media and External Site\/Application Usage Restrictions","props":[{"name":"label","value":"PL-4(1)"},{"name":"label","value":"PL-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-4","rel":"required"},{"href":"#ac-22","rel":"related"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"pl-4.1_smt","name":"statement","prose":"Include in the rules of behavior, restrictions on:","parts":[{"id":"pl-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Use of social media, social networking sites, and external sites\/applications;"},{"id":"pl-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Posting organizational information on public websites; and"},{"id":"pl-4.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications."}]},{"id":"pl-4.1_gdn","name":"guidance","prose":"Social media, social networking, and external site\/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information."},{"id":"pl-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)","class":"sp800-53a"}],"parts":[{"id":"pl-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(a)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of social media, social networking sites, and external sites\/applications;","links":[{"href":"#pl-4.1_smt.a","rel":"assessment-for"}]},{"id":"pl-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(b)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on posting organizational information on public websites;","links":[{"href":"#pl-4.1_smt.b","rel":"assessment-for"}]},{"id":"pl-4.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-04(01)(c)","class":"sp800-53a"}],"prose":"the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites\/applications.","links":[{"href":"#pl-4.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-4.1_smt","rel":"assessment-for"}]},{"id":"pl-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing rules of behavior for system users\n\nrules of behavior\n\ntraining policy\n\nother relevant documents or records"}]},{"id":"pl-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior\n\norganizational personnel with responsibility for literacy training and awareness and role-based training\n\norganizational personnel who are authorized users of the system and have signed rules of behavior\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing rules of behavior\n\nmechanisms supporting and\/or implementing the establishment of rules of behavior"}]}]}]},{"id":"pl-5","class":"SP800-53","title":"Privacy Impact Assessment","props":[{"name":"label","value":"PL-5"},{"name":"label","value":"PL-05","class":"sp800-53a"},{"name":"sort-id","value":"pl-05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-8","rel":"incorporated-into"}]},{"id":"pl-6","class":"SP800-53","title":"Security-related Activity Planning","props":[{"name":"label","value":"PL-6"},{"name":"label","value":"PL-06","class":"sp800-53a"},{"name":"sort-id","value":"pl-06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-2","rel":"incorporated-into"}]},{"id":"pl-7","class":"SP800-53","title":"Concept of Operations","params":[{"id":"pl-07_odp","props":[{"name":"alt-identifier","value":"pl-7_prm_1"},{"name":"label","value":"PL-07_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update of the Concept of Operations (CONOPS) is defined;"}]}],"props":[{"name":"label","value":"PL-7"},{"name":"label","value":"PL-07","class":"sp800-53a"},{"name":"sort-id","value":"pl-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pl-7_smt","name":"statement","parts":[{"id":"pl-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and"},{"id":"pl-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the CONOPS {{ insert: param, pl-07_odp }}."}]},{"id":"pl-7_gdn","name":"guidance","prose":"The CONOPS may be included in the security or privacy plans for the system or in other system development life cycle documents. The CONOPS is a living document that requires updating throughout the system development life cycle. For example, during system design reviews, the concept of operations is checked to ensure that it remains consistent with the design for controls, the system architecture, and the operational procedures. Changes to the CONOPS are reflected in ongoing updates to the security and privacy plans, security and privacy architectures, and other organizational documents, such as procurement specifications, system development life cycle documents, and systems engineering documents."},{"id":"pl-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-07","class":"sp800-53a"}],"parts":[{"id":"pl-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-07a.","class":"sp800-53a"}],"prose":"a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;","links":[{"href":"#pl-7_smt.a","rel":"assessment-for"}]},{"id":"pl-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-07b.","class":"sp800-53a"}],"prose":"the CONOPS is reviewed and updated {{ insert: param, pl-07_odp }}.","links":[{"href":"#pl-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-7_smt","rel":"assessment-for"}]},{"id":"pl-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy CONOPS development\n\nprocedures addressing security and privacy CONOPS reviews and updates\n\nsecurity and privacy CONOPS for the system\n\nsystem security plan\n\nprivacy plan\n\nrecords of security and privacy CONOPS reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the security CONOPS\n\nmechanisms supporting and\/or implementing the development, review, and update of the security CONOPS"}]}]},{"id":"pl-8","class":"SP800-53","title":"Security and Privacy Architectures","params":[{"id":"pl-08_odp","props":[{"name":"alt-identifier","value":"pl-8_prm_1"},{"name":"label","value":"PL-08_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency for review and update to reflect changes in the enterprise architecture;"}]}],"props":[{"name":"label","value":"PL-8"},{"name":"label","value":"PL-08","class":"sp800-53a"},{"name":"sort-id","value":"pl-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-7","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"pl-8_smt","name":"statement","parts":[{"id":"pl-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop security and privacy architectures for the system that:","parts":[{"id":"pl-8_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"},{"id":"pl-8_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"},{"id":"pl-8_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Describe how the architectures are integrated into and support the enterprise architecture; and"},{"id":"pl-8_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describe any assumptions about, and dependencies on, external systems and services;"}]},{"id":"pl-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and"},{"id":"pl-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions."}]},{"id":"pl-8_gdn","name":"guidance","prose":"The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in [PM-7](#pm-7) , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.\n\n[SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provides guidance on the use of security architectures as part of the system development life cycle process. [OMB M-19-03](#c5e11048-1d38-4af3-b00b-0d88dc26860c) requires the use of the systems security engineering concepts described in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).\n\nIn today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.\n\n[PL-8](#pl-8) is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, [SA-17](#sa-17) is primarily directed at the external information technology product and system developers and integrators. [SA-17](#sa-17) , which is complementary to [PL-8](#pl-8) , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures."},{"id":"pl-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.01","class":"sp800-53a"}],"prose":"a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;","links":[{"href":"#pl-8_smt.a.1","rel":"assessment-for"}]},{"id":"pl-8_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.02","class":"sp800-53a"}],"prose":"a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;","links":[{"href":"#pl-8_smt.a.2","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.03[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;","links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.3","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[01]","class":"sp800-53a"}],"prose":"a security architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]},{"id":"pl-8_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08a.04[02]","class":"sp800-53a"}],"prose":"a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;","links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.a","rel":"assessment-for"}]},{"id":"pl-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08b.","class":"sp800-53a"}],"prose":"changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;","links":[{"href":"#pl-8_smt.b","rel":"assessment-for"}]},{"id":"pl-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.","class":"sp800-53a"}],"parts":[{"id":"pl-8_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[01]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the security plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[02]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the privacy plan;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[03]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in the Concept of Operations (CONOPS);","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-4","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[04]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in criticality analysis;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-5","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[05]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in organizational procedures;","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]},{"id":"pl-8_obj.c-6","name":"assessment-objective","props":[{"name":"label","value":"PL-08c.[06]","class":"sp800-53a"}],"prose":"planned architecture changes are reflected in procurements and acquisitions.","links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pl-8_smt","rel":"assessment-for"}]},{"id":"pl-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nprocedures addressing information security and privacy architecture reviews and updates\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nrecords of information security and privacy architecture reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, reviewing, and updating the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the development, review, and update of the information security and privacy architecture"}]}],"controls":[{"id":"pl-8.1","class":"SP800-53-enhancement","title":"Defense in Depth","params":[{"id":"pl-08.01_odp.01","props":[{"name":"alt-identifier","value":"pl-8.1_prm_1"},{"name":"label","value":"PL-08(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be allocated are defined;"}]},{"id":"pl-08.01_odp.02","props":[{"name":"alt-identifier","value":"pl-8.1_prm_2"},{"name":"label","value":"PL-08(01)_ODP[02]","class":"sp800-53a"}],"label":"locations and architectural layers","guidelines":[{"prose":"locations and architectural layers are defined;"}]}],"props":[{"name":"label","value":"PL-8(1)"},{"name":"label","value":"PL-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"pl-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-8","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-36","rel":"related"}],"parts":[{"id":"pl-8.1_smt","name":"statement","prose":"Design the security and privacy architectures for the system using a defense-in-depth approach that:","parts":[{"id":"pl-8.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }} ; and"},{"id":"pl-8.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner."}]},{"id":"pl-8.1_gdn","name":"guidance","prose":"Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see [SA-8(3)](#sa-8.3) ), separation of system and user functionality (see [SC-2](#sc-2) ), and security function isolation (see [SC-3](#sc-3))."},{"id":"pl-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)[01]","class":"sp800-53a"}],"prose":"the security architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};","links":[{"href":"#pl-8.1_smt.a","rel":"assessment-for"}]},{"id":"pl-8.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};","links":[{"href":"#pl-8.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pl-8.1_smt.a","rel":"assessment-for"}]},{"id":"pl-8.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pl-8.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)[01]","class":"sp800-53a"}],"prose":"the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;","links":[{"href":"#pl-8.1_smt.b","rel":"assessment-for"}]},{"id":"pl-8.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PL-08(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.","links":[{"href":"#pl-8.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-8.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pl-8.1_smt","rel":"assessment-for"}]},{"id":"pl-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nother relevant documents or records"}]},{"id":"pl-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for designing the information security and privacy architecture\n\nmechanisms supporting and\/or implementing the design of the information security and privacy architecture"}]}]},{"id":"pl-8.2","class":"SP800-53-enhancement","title":"Supplier Diversity","params":[{"id":"pl-08.02_odp.01","props":[{"name":"alt-identifier","value":"pl-8.2_prm_1"},{"name":"label","value":"PL-08(02)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be allocated are defined;"}]},{"id":"pl-08.02_odp.02","props":[{"name":"alt-identifier","value":"pl-8.2_prm_2"},{"name":"label","value":"PL-08(02)_ODP[02]","class":"sp800-53a"}],"label":"locations and architectural layers","guidelines":[{"prose":"locations and architectural layers are defined;"}]}],"props":[{"name":"label","value":"PL-8(2)"},{"name":"label","value":"PL-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"pl-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-8","rel":"required"},{"href":"#sc-29","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"pl-8.2_smt","name":"statement","prose":"Require that {{ insert: param, pl-08.02_odp.01 }} allocated to {{ insert: param, pl-08.02_odp.02 }} are obtained from different suppliers."},{"id":"pl-8.2_gdn","name":"guidance","prose":"Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules. By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried."},{"id":"pl-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, pl-08.02_odp.01 }} that are allocated to {{ insert: param, pl-08.02_odp.02 }} are required to be obtained from different suppliers.","links":[{"href":"#pl-8.2_smt","rel":"assessment-for"}]},{"id":"pl-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing information security and privacy architecture development\n\nenterprise architecture documentation\n\ninformation security and privacy architecture documentation\n\nsystem security plan\n\nprivacy plan\n\nsecurity and privacy CONOPS for the system\n\nIT acquisitions policy\n\nother relevant documents or records"}]},{"id":"pl-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy architecture development responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining information security and privacy safeguards from different suppliers"}]}]}]},{"id":"pl-9","class":"SP800-53","title":"Central Management","params":[{"id":"pl-09_odp","props":[{"name":"alt-identifier","value":"pl-9_prm_1"},{"name":"label","value":"PL-09_ODP","class":"sp800-53a"}],"label":"controls and related processes","guidelines":[{"prose":"security and privacy controls and related processes to be centrally managed are defined;"}]}],"props":[{"name":"label","value":"PL-9"},{"name":"label","value":"PL-09","class":"sp800-53a"},{"name":"sort-id","value":"pl-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pl-9_smt","name":"statement","prose":"Centrally manage {{ insert: param, pl-09_odp }}."},{"id":"pl-9_gdn","name":"guidance","prose":"Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.\n\nAutomated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.\n\nAs part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: [AC-2(1)](#ac-2.1), [AC-2(2)](#ac-2.2), [AC-2(3)](#ac-2.3), [AC-2(4)](#ac-2.4), [AC-4(all)](#ac-4), [AC-17(1)](#ac-17.1), [AC-17(2)](#ac-17.2), [AC-17(3)](#ac-17.3), [AC-17(9)](#ac-17.9), [AC-18(1)](#ac-18.1), [AC-18(3)](#ac-18.3), [AC-18(4)](#ac-18.4), [AC-18(5)](#ac-18.5), [AC-19(4)](#ac-19.4), [AC-22](#ac-22), [AC-23](#ac-23), [AT-2(1)](#at-2.1), [AT-2(2)](#at-2.2), [AT-3(1)](#at-3.1), [AT-3(2)](#at-3.2), [AT-3(3)](#at-3.3), [AT-4](#at-4), [AU-3](#au-3), [AU-6(1)](#au-6.1), [AU-6(3)](#au-6.3), [AU-6(5)](#au-6.5), [AU-6(6)](#au-6.6), [AU-6(9)](#au-6.9), [AU-7(1)](#au-7.1), [AU-7(2)](#au-7.2), [AU-11](#au-11), [AU-13](#au-13), [AU-16](#au-16), [CA-2(1)](#ca-2.1), [CA-2(2)](#ca-2.2), [CA-2(3)](#ca-2.3), [CA-3(1)](#ca-3.1), [CA-3(2)](#ca-3.2), [CA-3(3)](#ca-3.3), [CA-7(1)](#ca-7.1), [CA-9](#ca-9), [CM-2(2)](#cm-2.2), [CM-3(1)](#cm-3.1), [CM-3(4)](#cm-3.4), [CM-4](#cm-4), [CM-6](#cm-6), [CM-6(1)](#cm-6.1), [CM-7(2)](#cm-7.2), [CM-7(4)](#cm-7.4), [CM-7(5)](#cm-7.5), [CM-8(all)](#cm-8), [CM-9(1)](#cm-9.1), [CM-10](#cm-10), [CM-11](#cm-11), [CP-7(all)](#cp-7), [CP-8(all)](#cp-8), [SC-43](#sc-43), [SI-2](#si-2), [SI-3](#si-3), [SI-4(all)](#si-4), [SI-7](#si-7), [SI-8](#si-8)."},{"id":"pl-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-09","class":"sp800-53a"}],"prose":"{{ insert: param, pl-09_odp }} are centrally managed.","links":[{"href":"#pl-9_smt","rel":"assessment-for"}]},{"id":"pl-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing security and privacy plan development and implementation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with responsibilities for planning\/implementing central management of controls and related processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pl-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PL-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the central management of controls and related processes\n\nmechanisms supporting and\/or implementing central management of controls and related processes"}]}]},{"id":"pl-10","class":"SP800-53","title":"Baseline Selection","props":[{"name":"label","value":"PL-10"},{"name":"label","value":"PL-10","class":"sp800-53a"},{"name":"sort-id","value":"pl-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-10_smt","name":"statement","prose":"Select a control baseline for the system."},{"id":"pl-10_gdn","name":"guidance","prose":"Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see [PL-11](#pl-11) ). Federal control baselines are provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) are based on the requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9) and [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides guidance on control baselines for national security systems."},{"id":"pl-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-10","class":"sp800-53a"}],"prose":"a control baseline for the system is selected.","links":[{"href":"#pl-10_smt","rel":"assessment-for"}]},{"id":"pl-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nprocedures addressing system security and privacy plan reviews and updates\n\nsystem design documentation\n\nsystem architecture and configuration documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pl-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with responsibility for organizational risk management activities"}]}]},{"id":"pl-11","class":"SP800-53","title":"Baseline Tailoring","props":[{"name":"label","value":"PL-11"},{"name":"label","value":"PL-11","class":"sp800-53a"},{"name":"sort-id","value":"pl-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#46d9e201-840e-440e-987c-2c773333c752","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#pl-10","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pl-11_smt","name":"statement","prose":"Tailor the selected control baseline by applying specified tailoring actions."},{"id":"pl-11_gdn","name":"guidance","prose":"The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) in accordance with the security and privacy requirements from [FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752) to specialize or customize the controls that represent the specific needs and concerns of those entities."},{"id":"pl-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PL-11","class":"sp800-53a"}],"prose":"the selected control baseline is tailored by applying specified tailoring actions.","links":[{"href":"#pl-11_smt","rel":"assessment-for"}]},{"id":"pl-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PL-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Security and privacy planning policy\n\nprocedures addressing system security and privacy plan development and implementation\n\nsystem design documentation\n\nsystem categorization decision\n\ninformation types stored, transmitted, and processed by the system\n\nsystem element\/component information\n\nstakeholder needs analysis\n\nlist of security and privacy requirements allocated to the system, system elements, and environment of operation\n\nlist of contractual requirements allocated to external providers of the system or system element\n\nbusiness impact analysis or criticality analysis\n\nrisk assessments\n\nrisk management strategy\n\norganizational security and privacy policy\n\nfederal or organization-approved or mandated baselines or overlays\n\nbaseline tailoring rationale\n\nsystem security plan\n\nprivacy plan\n\nrecords of system security and privacy plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pl-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PL-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy planning and plan implementation responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]}]},{"id":"pm","class":"family","title":"Program Management","parts":[{"id":"pm_ovw","name":"overview","title":"Program Management Controls","prose":"[FISMA](#0c67b2a9-bede-43d2-b86d-5f35b8be36e9), [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) , and [OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of [FIPS 200](#599fb53d-5041-444e-a7fe-640d6d30ad05) impact levels and, therefore, are not associated with the control baselines described in [SP 800-53B](#46d9e201-840e-440e-987c-2c773333c752).\n\nOrganizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see [PM-1](#pm-1) ) and privacy program plan (see [PM-18](#pm-18) ) supplement system security and privacy plans (see [PL-2](#pl-2) ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization."}],"controls":[{"id":"pm-1","class":"SP800-53","title":"Information Security Program Plan","params":[{"id":"pm-01_odp.01","props":[{"name":"alt-identifier","value":"pm-1_prm_1"},{"name":"label","value":"PM-01_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the organization-wide information security program plan is defined;"}]},{"id":"pm-01_odp.02","props":[{"name":"alt-identifier","value":"pm-1_prm_2"},{"name":"label","value":"PM-01_ODP[02]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that trigger the review and update of the organization-wide information security program plan are defined;"}]}],"props":[{"name":"label","value":"PM-1"},{"name":"label","value":"PM-01","class":"sp800-53a"},{"name":"sort-id","value":"pm-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-1_smt","name":"statement","parts":[{"id":"pm-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide information security program plan that:","parts":[{"id":"pm-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance;"},{"id":"pm-1_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Reflects the coordination among organizational entities responsible for information security; and"},{"id":"pm-1_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"}]},{"id":"pm-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the organization-wide information security program plan {{ insert: param, pm-01_odp.01 }} and following {{ insert: param, pm-01_odp.02 }} ; and"},{"id":"pm-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the information security program plan from unauthorized disclosure and modification."}]},{"id":"pm-1_gdn","name":"guidance","prose":"An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in [PM-18](#pm-18) and [SR-2](#sr-2) , respectively.\n\nAn information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.\n\nProgram management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.\n\nCommon controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.\n\nEvents that may precipitate an update to the information security program plan include, but are not limited to, organization-wide assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"pm-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-01","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.[01]","class":"sp800-53a"}],"prose":"an organization-wide information security program plan is developed;","links":[{"href":"#pm-1_smt.a","rel":"assessment-for"}]},{"id":"pm-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.[02]","class":"sp800-53a"}],"prose":"the information security program plan is disseminated;","links":[{"href":"#pm-1_smt.a","rel":"assessment-for"}]},{"id":"pm-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[01]","class":"sp800-53a"}],"prose":"the information security program plan provides an overview of the requirements for the security program;","links":[{"href":"#pm-1_smt.a.1","rel":"assessment-for"}]},{"id":"pm-1_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[02]","class":"sp800-53a"}],"prose":"the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;","links":[{"href":"#pm-1_smt.a.1","rel":"assessment-for"}]},{"id":"pm-1_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.01[03]","class":"sp800-53a"}],"prose":"the information security program plan provides a description of the common controls in place or planned for meeting those requirements;","links":[{"href":"#pm-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt.a.1","rel":"assessment-for"}]},{"id":"pm-1_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[01]","class":"sp800-53a"}],"prose":"the information security program plan includes the identification and assignment of roles;","links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]},{"id":"pm-1_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[02]","class":"sp800-53a"}],"prose":"the information security program plan includes the identification and assignment of responsibilities;","links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]},{"id":"pm-1_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[03]","class":"sp800-53a"}],"prose":"the information security program plan addresses management commitment;","links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]},{"id":"pm-1_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[04]","class":"sp800-53a"}],"prose":"the information security program plan addresses coordination among organizational entities;","links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]},{"id":"pm-1_obj.a.2-5","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.02[05]","class":"sp800-53a"}],"prose":"the information security program plan addresses compliance;","links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt.a.2","rel":"assessment-for"}]},{"id":"pm-1_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.03","class":"sp800-53a"}],"prose":"the information security program plan reflects the coordination among the organizational entities responsible for information security;","links":[{"href":"#pm-1_smt.a.3","rel":"assessment-for"}]},{"id":"pm-1_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-01a.04","class":"sp800-53a"}],"prose":"the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-1_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt.a","rel":"assessment-for"}]},{"id":"pm-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.[01]","class":"sp800-53a"}],"prose":"the information security program plan is reviewed and updated {{ insert: param, pm-01_odp.01 }};","links":[{"href":"#pm-1_smt.b","rel":"assessment-for"}]},{"id":"pm-1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01b.[02]","class":"sp800-53a"}],"prose":"the information security program plan is reviewed and updated following {{ insert: param, pm-01_odp.02 }};","links":[{"href":"#pm-1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt.b","rel":"assessment-for"}]},{"id":"pm-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.","class":"sp800-53a"}],"parts":[{"id":"pm-1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.[01]","class":"sp800-53a"}],"prose":"the information security program plan is protected from unauthorized disclosure;","links":[{"href":"#pm-1_smt.c","rel":"assessment-for"}]},{"id":"pm-1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-01c.[02]","class":"sp800-53a"}],"prose":"the information security program plan is protected from unauthorized modification.","links":[{"href":"#pm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-1_smt","rel":"assessment-for"}]},{"id":"pm-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews and updates\n\nprocedures addressing coordination of the program plan with relevant entities\n\nprocedures for program plan approvals\n\nrecords of program plan reviews and updates\n\nother relevant documents or records"}]},{"id":"pm-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-01-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information security program plan development, review, update, and approval\n\nmechanisms supporting and\/or implementing the information security program plan"}]}]},{"id":"pm-2","class":"SP800-53","title":"Information Security Program Leadership Role","props":[{"name":"label","value":"PM-2"},{"name":"label","value":"PM-02","class":"sp800-53a"},{"name":"sort-id","value":"pm-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#81c44706-0227-4258-a920-620a4d259990","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"pm-2_smt","name":"statement","prose":"Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program."},{"id":"pm-2_gdn","name":"guidance","prose":"The senior agency information security officer is an organizational official. For federal agencies (as defined by applicable laws, executive orders, regulations, directives, policies, and standards), this official is the senior agency information security officer. Organizations may also refer to this official as the senior information security officer or chief information security officer."},{"id":"pm-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-02","class":"sp800-53a"}],"parts":[{"id":"pm-2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-02[01]","class":"sp800-53a"}],"prose":"a senior agency information security officer is appointed;","links":[{"href":"#pm-2_smt","rel":"assessment-for"}]},{"id":"pm-2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-02[02]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;","links":[{"href":"#pm-2_smt","rel":"assessment-for"}]},{"id":"pm-2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-02[03]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;","links":[{"href":"#pm-2_smt","rel":"assessment-for"}]},{"id":"pm-2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-02[04]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;","links":[{"href":"#pm-2_smt","rel":"assessment-for"}]},{"id":"pm-2_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-02[05]","class":"sp800-53a"}],"prose":"the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program.","links":[{"href":"#pm-2_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-2_smt","rel":"assessment-for"}]},{"id":"pm-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews and updates\n\nprocedures addressing coordination of the program plan with relevant entities\n\nother relevant documents or records"}]},{"id":"pm-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\nsenior information security officer\n\norganizational personnel with information security responsibilities"}]}]},{"id":"pm-3","class":"SP800-53","title":"Information Security and Privacy Resources","props":[{"name":"label","value":"PM-3"},{"name":"label","value":"PM-03","class":"sp800-53a"},{"name":"sort-id","value":"pm-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-4","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-3_smt","name":"statement","parts":[{"id":"pm-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement;"},{"id":"pm-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and"},{"id":"pm-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make available for expenditure, the planned information security and privacy resources."}]},{"id":"pm-3_gdn","name":"guidance","prose":"Organizations consider establishing champions for information security and privacy and, as part of including the necessary resources, assign specialized expertise and resources as needed. Organizations may designate and empower an Investment Review Board or similar group to manage and provide oversight for the information security and privacy aspects of the capital planning and investment control process."},{"id":"pm-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-03","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[01]","class":"sp800-53a"}],"prose":"the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;","links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]},{"id":"pm-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03a.[02]","class":"sp800-53a"}],"prose":"the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;","links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.a","rel":"assessment-for"}]},{"id":"pm-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[01]","class":"sp800-53a"}],"prose":"the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;","links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]},{"id":"pm-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03b.[02]","class":"sp800-53a"}],"prose":"the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;","links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.b","rel":"assessment-for"}]},{"id":"pm-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.","class":"sp800-53a"}],"parts":[{"id":"pm-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[01]","class":"sp800-53a"}],"prose":"information security resources are made available for expenditure as planned;","links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]},{"id":"pm-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-03c.[02]","class":"sp800-53a"}],"prose":"privacy resources are made available for expenditure as planned.","links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-3_smt","rel":"assessment-for"}]},{"id":"pm-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nExhibit 300\n\nExhibit 53\n\nbusiness cases for capital planning and investment\n\nprocedures for capital planning and investment\n\ndocumentation of exceptions to capital planning requirements\n\nother relevant documents or records"}]},{"id":"pm-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning responsibilities\n\norganizational personnel with privacy program planning responsibilities\n\norganizational personnel responsible for capital planning and investment\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for capital planning and investment\n\norganizational processes for business case, Exhibit 300, and Exhibit 53 development\n\nmechanisms supporting the capital planning and investment process"}]}]},{"id":"pm-4","class":"SP800-53","title":"Plan of Action and Milestones Process","props":[{"name":"label","value":"PM-4"},{"name":"label","value":"PM-04","class":"sp800-53a"},{"name":"sort-id","value":"pm-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-4_smt","name":"statement","parts":[{"id":"pm-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems:","parts":[{"id":"pm-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained;"},{"id":"pm-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and"},{"id":"pm-4_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Are reported in accordance with established reporting requirements."}]},{"id":"pm-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-4_gdn","name":"guidance","prose":"The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission\/business process level, and organizational\/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in [CA-5](#ca-5)."},{"id":"pm-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-04","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[04]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-5","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[05]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.1-6","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.01[06]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;","links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.1","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.02[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.2","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[01]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[02]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]},{"id":"pm-4_obj.a.3-3","name":"assessment-objective","props":[{"name":"label","value":"PM-04a.03[03]","class":"sp800-53a"}],"prose":"a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;","links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.a","rel":"assessment-for"}]},{"id":"pm-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.","class":"sp800-53a"}],"parts":[{"id":"pm-4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[01]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]},{"id":"pm-4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-04b.[02]","class":"sp800-53a"}],"prose":"plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.","links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-4_smt","rel":"assessment-for"}]},{"id":"pm-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nplans of action and milestones\n\nprocedures addressing plans of action and milestones development and maintenance\n\nprocedures addressing plans of action and milestones reporting\n\nprocedures for reviewing plans of action and milestones for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with plans of action and milestones\n\nOMB FISMA reporting requirements\n\nother relevant documents or records"}]},{"id":"pm-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing, maintaining, reviewing, and reporting plans of action and milestones\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for plan of action and milestones development, review, maintenance, and reporting\n\nmechanisms supporting plans of action and milestones"}]}]},{"id":"pm-5","class":"SP800-53","title":"System Inventory","params":[{"id":"pm-05_odp","props":[{"name":"alt-identifier","value":"pm-5_prm_1"},{"name":"label","value":"PM-05_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-5"},{"name":"label","value":"PM-05","class":"sp800-53a"},{"name":"sort-id","value":"pm-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"}],"parts":[{"id":"pm-5_smt","name":"statement","prose":"Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems."},{"id":"pm-5_gdn","name":"guidance","prose":"[OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in [CM-8](#cm-8)."},{"id":"pm-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05","class":"sp800-53a"}],"parts":[{"id":"pm-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05[01]","class":"sp800-53a"}],"prose":"an inventory of organizational systems is developed;","links":[{"href":"#pm-5_smt","rel":"assessment-for"}]},{"id":"pm-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05[02]","class":"sp800-53a"}],"prose":"the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.","links":[{"href":"#pm-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-5_smt","rel":"assessment-for"}]},{"id":"pm-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nsystem inventory\n\nprocedures addressing system inventory development and maintenance\n\nOMB FISMA reporting guidance\n\nother relevant documents or records"}]},{"id":"pm-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security responsibilities"}]},{"id":"pm-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development and maintenance\n\nmechanisms supporting the system inventory"}]}],"controls":[{"id":"pm-5.1","class":"SP800-53-enhancement","title":"Inventory of Personally Identifiable Information","params":[{"id":"pm-05.01_odp","props":[{"name":"alt-identifier","value":"pm-5.1_prm_1"},{"name":"label","value":"PM-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PM-5(1)"},{"name":"label","value":"PM-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-5","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-5.1_smt","name":"statement","prose":"Establish, maintain, and update {{ insert: param, pm-05.01_odp }} an inventory of all systems, applications, and projects that process personally identifiable information."},{"id":"pm-5.1_gdn","name":"guidance","prose":"An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein."},{"id":"pm-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)","class":"sp800-53a"}],"parts":[{"id":"pm-5.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[01]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is established;","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[02]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is maintained;","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-05(01)[03]","class":"sp800-53a"}],"prose":"an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.","links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-5.1_smt","rel":"assessment-for"}]},{"id":"pm-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing system inventory development, maintenance, and updates\n\nOMB FISMA reporting guidance\n\nprivacy program plan\n\ninformation security program plan\n\npersonally identifiable information processing policy\n\nsystem inventory\n\npersonally identifiable information inventory\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"pm-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing and maintaining the system inventory\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system inventory development, maintenance, and updates\n\nmechanisms supporting the system inventory"}]}]}]},{"id":"pm-6","class":"SP800-53","title":"Measures of Performance","props":[{"name":"label","value":"PM-6"},{"name":"label","value":"PM-06","class":"sp800-53a"},{"name":"sort-id","value":"pm-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#7798067b-4ed0-4adc-a505-79dad4741693","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"pm-6_smt","name":"statement","prose":"Develop, monitor, and report on the results of information security and privacy measures of performance."},{"id":"pm-6_gdn","name":"guidance","prose":"Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security and privacy programs and the controls employed in support of the program. To facilitate security and privacy risk management, organizations consider aligning measures of performance with the organizational risk tolerance as defined in the risk management strategy."},{"id":"pm-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-06","class":"sp800-53a"}],"parts":[{"id":"pm-6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-06[01]","class":"sp800-53a"}],"prose":"information security measures of performance are developed;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-06[02]","class":"sp800-53a"}],"prose":"information security measures of performance are monitored;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-06[03]","class":"sp800-53a"}],"prose":"the results of information security measures of performance are reported;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-06[04]","class":"sp800-53a"}],"prose":"privacy measures of performance are developed;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-06[05]","class":"sp800-53a"}],"prose":"privacy measures of performance are monitored;","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-06[06]","class":"sp800-53a"}],"prose":"the results of privacy measures of performance are reported.","links":[{"href":"#pm-6_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-6_smt","rel":"assessment-for"}]},{"id":"pm-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security measures of performance\n\nprivacy measures of performance\n\nprocedures addressing the development, monitoring, and reporting of information security and privacy measures of performance\n\nrisk management strategy\n\nother relevant documents or records"}]},{"id":"pm-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, monitoring, and reporting information security and privacy measures of performance\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, monitoring, and reporting information security and privacy measures of performance\n\nmechanisms supporting the development, monitoring, and reporting of information security and privacy measures of performance"}]}]},{"id":"pm-7","class":"SP800-53","title":"Enterprise Architecture","props":[{"name":"label","value":"PM-7"},{"name":"label","value":"PM-07","class":"sp800-53a"},{"name":"sort-id","value":"pm-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"}],"parts":[{"id":"pm-7_smt","name":"statement","prose":"Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."},{"id":"pm-7_gdn","name":"guidance","prose":"The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For [PL-8](#pl-8) , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework [SP 800-37](#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8) and supporting security standards and guidelines."},{"id":"pm-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07","class":"sp800-53a"}],"parts":[{"id":"pm-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-07[01]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for information security;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-07[02]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for information security;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-07[03]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for privacy;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-07[04]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for privacy;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-07[05]","class":"sp800-53a"}],"prose":"an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-07[06]","class":"sp800-53a"}],"prose":"an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.","links":[{"href":"#pm-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-7_smt","rel":"assessment-for"}]},{"id":"pm-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development"}]}],"controls":[{"id":"pm-7.1","class":"SP800-53-enhancement","title":"Offloading","params":[{"id":"pm-07.01_odp","props":[{"name":"alt-identifier","value":"pm-7.1_prm_1"},{"name":"label","value":"PM-07(01)_ODP","class":"sp800-53a"}],"label":"non-essential functions or services","guidelines":[{"prose":"non-essential functions or services to be offloaded are defined;"}]}],"props":[{"name":"label","value":"PM-7(1)"},{"name":"label","value":"PM-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pm-7","rel":"required"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"pm-7.1_smt","name":"statement","prose":"Offload {{ insert: param, pm-07.01_odp }} to other systems, system components, or an external provider."},{"id":"pm-7.1_gdn","name":"guidance","prose":"Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services."},{"id":"pm-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-07(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pm-07.01_odp }} are offloaded to other systems, system components, or an external provider.","links":[{"href":"#pm-7.1_smt","rel":"assessment-for"}]},{"id":"pm-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nprocedures addressing enterprise architecture development\n\nprocedures for identifying and offloading functions or services\n\nresults of risk assessments of enterprise architecture\n\nother relevant documents or records"}]},{"id":"pm-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing enterprise architecture\n\norganizational personnel responsible for risk assessments of enterprise architecture\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for enterprise architecture development\n\nmechanisms supporting the enterprise architecture and its development\n\nmechanisms for offloading functions and services"}]}]}]},{"id":"pm-8","class":"SP800-53","title":"Critical Infrastructure Plan","props":[{"name":"label","value":"PM-8"},{"name":"label","value":"PM-08","class":"sp800-53a"},{"name":"sort-id","value":"pm-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#3406fdc0-d61c-44a9-a5ca-84180544c83a","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#488d6934-00b2-4252-bf23-1b3c2d71eb13","rel":"reference"},{"href":"#b9951d04-6385-478c-b1a3-ab68c19d9041","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-8_smt","name":"statement","prose":"Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan."},{"id":"pm-8_gdn","name":"guidance","prose":"Protection strategies are based on the prioritization of critical assets and resources. The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-08","class":"sp800-53a"}],"parts":[{"id":"pm-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-08[01]","class":"sp800-53a"}],"prose":"information security issues are addressed in the development of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-08[02]","class":"sp800-53a"}],"prose":"information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-08[03]","class":"sp800-53a"}],"prose":"information security issues are addressed in the update of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-08[04]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-08[05]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"PM-08[06]","class":"sp800-53a"}],"prose":"privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.","links":[{"href":"#pm-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-8_smt","rel":"assessment-for"}]},{"id":"pm-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ncritical infrastructure and key resources protection plan\n\nprocedures addressing the development, documentation, and updating of the critical infrastructure and key resources protection plan\n\nHSPD 7\n\nNational Infrastructure Protection Plan\n\nother relevant documents or records"}]},{"id":"pm-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developing, documenting, and updating the critical infrastructure and key resources protection plan\n\nmechanisms supporting the development, documentation, and updating of the critical infrastructure and key resources protection plan"}]}]},{"id":"pm-9","class":"SP800-53","title":"Risk Management Strategy","params":[{"id":"pm-09_odp","props":[{"name":"alt-identifier","value":"pm-9_prm_1"},{"name":"label","value":"PM-09_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-9"},{"name":"label","value":"PM-09","class":"sp800-53a"},{"name":"sort-id","value":"pm-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-1","rel":"related"},{"href":"#au-1","rel":"related"},{"href":"#at-1","rel":"related"},{"href":"#ca-1","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-1","rel":"related"},{"href":"#cp-1","rel":"related"},{"href":"#ia-1","rel":"related"},{"href":"#ir-1","rel":"related"},{"href":"#ma-1","rel":"related"},{"href":"#mp-1","rel":"related"},{"href":"#pe-1","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-2","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-18","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-1","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-1","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"pm-9_smt","name":"statement","parts":[{"id":"pm-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develops a comprehensive strategy to manage:","parts":[{"id":"pm-9_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems; and"},{"id":"pm-9_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Privacy risk to individuals resulting from the authorized processing of personally identifiable information;"}]},{"id":"pm-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the risk management strategy consistently across the organization; and"},{"id":"pm-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the risk management strategy {{ insert: param, pm-09_odp }} or as required, to address organizational changes."}]},{"id":"pm-9_gdn","name":"guidance","prose":"An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in [PM-30](#pm-30) can also provide useful inputs to the organization-wide risk management strategy."},{"id":"pm-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-09","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.","class":"sp800-53a"}],"parts":[{"id":"pm-9_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.01","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;","links":[{"href":"#pm-9_smt.a.1","rel":"assessment-for"}]},{"id":"pm-9_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-09a.02","class":"sp800-53a"}],"prose":"a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;","links":[{"href":"#pm-9_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-9_smt.a","rel":"assessment-for"}]},{"id":"pm-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-09b.","class":"sp800-53a"}],"prose":"the risk management strategy is implemented consistently across the organization;","links":[{"href":"#pm-9_smt.b","rel":"assessment-for"}]},{"id":"pm-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-09c.","class":"sp800-53a"}],"prose":"the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.","links":[{"href":"#pm-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-9_smt","rel":"assessment-for"}]},{"id":"pm-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\nprocedures addressing the development, implementation, review, and update of the risk management strategy\n\nrisk assessment results relevant to the risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the development, implementation, review, and update of the risk management strategy\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development, implementation, review, and update of the risk management strategy\n\nmechanisms supporting the development, implementation, review, and update of the risk management strategy"}]}]},{"id":"pm-10","class":"SP800-53","title":"Authorization Process","props":[{"name":"label","value":"PM-10"},{"name":"label","value":"PM-10","class":"sp800-53a"},{"name":"sort-id","value":"pm-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"pm-10_smt","name":"statement","parts":[{"id":"pm-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;"},{"id":"pm-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and"},{"id":"pm-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Integrate the authorization processes into an organization-wide risk management program."}]},{"id":"pm-10_gdn","name":"guidance","prose":"Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation."},{"id":"pm-10_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-10","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.","class":"sp800-53a"}],"parts":[{"id":"pm-10_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[01]","class":"sp800-53a"}],"prose":"the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;","links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]},{"id":"pm-10_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-10a.[02]","class":"sp800-53a"}],"prose":"the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;","links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-10_smt.a","rel":"assessment-for"}]},{"id":"pm-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-10b.","class":"sp800-53a"}],"prose":"individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;","links":[{"href":"#pm-10_smt.b","rel":"assessment-for"}]},{"id":"pm-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-10c.","class":"sp800-53a"}],"prose":"the authorization processes are integrated into an organization-wide risk management program.","links":[{"href":"#pm-10_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-10_smt","rel":"assessment-for"}]},{"id":"pm-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nprocedures addressing management (i.e., documentation, tracking, and reporting) of the authorization process\n\nassessment, authorization, and monitoring policy\n\nassessment, authorization, and monitoring procedures\n\nsystem authorization documentation\n\nlists or other documentation about authorization process roles and responsibilities\n\nrisk assessment results relevant to the authorization process and the organization-wide risk management program\n\norganizational risk management strategy\n\nother relevant documents or records"}]},{"id":"pm-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for management of the authorization process\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorization\n\nmechanisms supporting the authorization process"}]}]},{"id":"pm-11","class":"SP800-53","title":"Mission and Business Process Definition","params":[{"id":"pm-11_odp","props":[{"name":"alt-identifier","value":"pm-11_prm_1"},{"name":"label","value":"PM-11_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and revise the mission and business processes is defined;"}]}],"props":[{"name":"label","value":"PM-11"},{"name":"label","value":"PM-11","class":"sp800-53a"},{"name":"sort-id","value":"pm-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-2","rel":"related"}],"parts":[{"id":"pm-11_smt","name":"statement","parts":[{"id":"pm-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and"},{"id":"pm-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and"},{"id":"pm-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and revise the mission and business processes {{ insert: param, pm-11_odp }}."}]},{"id":"pm-11_gdn","name":"guidance","prose":"Protection needs are technology-independent capabilities that are required to counter threats to organizations, individuals, systems, and the Nation through the compromise of information (i.e., loss of confidentiality, integrity, availability, or privacy). Information protection and personally identifiable information processing needs are derived from the mission and business needs defined by organizational stakeholders, the mission and business processes designed to meet those needs, and the organizational risk management strategy. Information protection and personally identifiable information processing needs determine the required controls for the organization and the systems. Inherent to defining protection and personally identifiable information processing needs is an understanding of the adverse impact that could result if a compromise or breach of information occurs. The categorization process is used to make such potential impact determinations. Privacy risks to individuals can arise from the compromise of personally identifiable information, but they can also arise as unintended consequences or a byproduct of the processing of personally identifiable information at any stage of the information life cycle. Privacy risk assessments are used to prioritize the risks that are created for individuals from system processing of personally identifiable information. These risk assessments enable the selection of the required privacy controls for the organization and systems. Mission and business process definitions and the associated protection requirements are documented in accordance with organizational policies and procedures."},{"id":"pm-11_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-11","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[01]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for information security;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[02]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for privacy;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-11a.[03]","class":"sp800-53a"}],"prose":"organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt.a","rel":"assessment-for"}]},{"id":"pm-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.","class":"sp800-53a"}],"parts":[{"id":"pm-11_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[01]","class":"sp800-53a"}],"prose":"information protection needs arising from the defined mission and business processes are determined;","links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]},{"id":"pm-11_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-11b.[02]","class":"sp800-53a"}],"prose":"personally identifiable information processing needs arising from the defined mission and business processes are determined;","links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt.b","rel":"assessment-for"}]},{"id":"pm-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-11c.","class":"sp800-53a"}],"prose":"the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.","links":[{"href":"#pm-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-11_smt","rel":"assessment-for"}]},{"id":"pm-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for determining mission and business protection needs\n\ninformation security and privacy risk assessment results relevant to the determination of mission and business protection needs\n\npersonally identifiable information processing policy\n\npersonally identifiable information inventory\n\nother relevant documents or records"}]},{"id":"pm-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for enterprise risk management\n\norganizational personnel responsible for determining information protection needs for mission and business processes\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining mission and business processes and their information protection needs"}]}]},{"id":"pm-12","class":"SP800-53","title":"Insider Threat Program","props":[{"name":"label","value":"PM-12"},{"name":"label","value":"PM-12","class":"sp800-53a"},{"name":"sort-id","value":"pm-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#528135e3-c65b-461a-93d3-46513610f792","rel":"reference"},{"href":"#06d74ea9-2178-449c-a9c5-b2980f804ac8","rel":"reference"},{"href":"#ac-6","rel":"related"},{"href":"#at-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#mp-7","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-16","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#pm-14","rel":"related"}],"parts":[{"id":"pm-12_smt","name":"statement","prose":"Implement an insider threat program that includes a cross-discipline insider threat incident handling team."},{"id":"pm-12_gdn","name":"guidance","prose":"Organizations that handle classified information are required, under Executive Order 13587 [EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) and the National Insider Threat Policy [ODNI NITP](#06d74ea9-2178-449c-a9c5-b2980f804ac8) , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.\n\nInsider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"pm-12_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-12","class":"sp800-53a"}],"prose":"an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.","links":[{"href":"#pm-12_smt","rel":"assessment-for"}]},{"id":"pm-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the insider threat program\n\nmembers of the cross-discipline insider threat incident handling team\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team\n\nmechanisms supporting and\/or implementing the insider threat program and the cross-discipline insider threat incident handling team"}]}]},{"id":"pm-13","class":"SP800-53","title":"Security and Privacy Workforce","props":[{"name":"label","value":"PM-13"},{"name":"label","value":"PM-13","class":"sp800-53a"},{"name":"sort-id","value":"pm-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"pm-13_smt","name":"statement","prose":"Establish a security and privacy workforce development and improvement program."},{"id":"pm-13_gdn","name":"guidance","prose":"Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals."},{"id":"pm-13_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-13","class":"sp800-53a"}],"parts":[{"id":"pm-13_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-13[01]","class":"sp800-53a"}],"prose":"a security workforce development and improvement program is established;","links":[{"href":"#pm-13_smt","rel":"assessment-for"}]},{"id":"pm-13_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-13[02]","class":"sp800-53a"}],"prose":"a privacy workforce development and improvement program is established.","links":[{"href":"#pm-13_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-13_smt","rel":"assessment-for"}]},{"id":"pm-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\ninformation security and privacy workforce development and improvement program documentation\n\nprocedures for the information security and privacy workforce development and improvement program\n\ninformation security and privacy role-based training program documentation\n\nother relevant documents or records"}]},{"id":"pm-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the information security and privacy workforce development and improvement program\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the information security and privacy workforce development and improvement program\n\nmechanisms supporting and\/or implementing the information security and privacy workforce development and improvement program"}]}]},{"id":"pm-14","class":"SP800-53","title":"Testing, Training, and Monitoring","props":[{"name":"label","value":"PM-14"},{"name":"label","value":"PM-14","class":"sp800-53a"},{"name":"sort-id","value":"pm-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-3","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"pm-14_smt","name":"statement","parts":[{"id":"pm-14_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:","parts":[{"id":"pm-14_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Are developed and maintained; and"},{"id":"pm-14_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Continue to be executed; and"}]},{"id":"pm-14_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions."}]},{"id":"pm-14_gdn","name":"guidance","prose":"A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments."},{"id":"pm-14_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-14","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[03]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.1-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.01[04]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;","links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a.1","rel":"assessment-for"}]},{"id":"pm-14_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[01]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;","links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]},{"id":"pm-14_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14a.02[02]","class":"sp800-53a"}],"prose":"a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;","links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.a","rel":"assessment-for"}]},{"id":"pm-14_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.","class":"sp800-53a"}],"parts":[{"id":"pm-14_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[01]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[02]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[03]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with the organizational risk management strategy;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[04]","class":"sp800-53a"}],"prose":"testing plans are reviewed for consistency with organization-wide priorities for risk response actions;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-5","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[05]","class":"sp800-53a"}],"prose":"training plans are reviewed for consistency with organization-wide priorities for risk response actions;","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]},{"id":"pm-14_obj.b-6","name":"assessment-objective","props":[{"name":"label","value":"PM-14b.[06]","class":"sp800-53a"}],"prose":"monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.","links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-14_smt","rel":"assessment-for"}]},{"id":"pm-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nplans for conducting security and privacy testing, training, and monitoring activities\n\norganizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nrisk management strategy\n\nprocedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities\n\nresults of risk assessments associated with conducting security and privacy testing, training, and monitoring activities\n\ndocumentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities\n\nother relevant documents or records"}]},{"id":"pm-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pm-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities\n\nmechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities"}]}]},{"id":"pm-15","class":"SP800-53","title":"Security and Privacy Groups and Associations","props":[{"name":"label","value":"PM-15"},{"name":"label","value":"PM-15","class":"sp800-53a"},{"name":"sort-id","value":"pm-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#sa-11","rel":"related"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"pm-15_smt","name":"statement","prose":"Establish and institutionalize contact with selected groups and associations within the security and privacy communities:","parts":[{"id":"pm-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"To facilitate ongoing security and privacy education and training for organizational personnel;"},{"id":"pm-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"To maintain currency with recommended security and privacy practices, techniques, and technologies; and"},{"id":"pm-15_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"To share current security and privacy information, including threats, vulnerabilities, and incidents."}]},{"id":"pm-15_gdn","name":"guidance","prose":"Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users’ groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines."},{"id":"pm-15_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-15","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;","links":[{"href":"#pm-15_smt.a","rel":"assessment-for"}]},{"id":"pm-15_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15a.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;","links":[{"href":"#pm-15_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-15_smt.a","rel":"assessment-for"}]},{"id":"pm-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;","links":[{"href":"#pm-15_smt.b","rel":"assessment-for"}]},{"id":"pm-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15b.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;","links":[{"href":"#pm-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-15_smt.b","rel":"assessment-for"}]},{"id":"pm-15_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.","class":"sp800-53a"}],"parts":[{"id":"pm-15_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.[01]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;","links":[{"href":"#pm-15_smt.c","rel":"assessment-for"}]},{"id":"pm-15_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-15c.[02]","class":"sp800-53a"}],"prose":"contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.","links":[{"href":"#pm-15_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-15_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-15_smt","rel":"assessment-for"}]},{"id":"pm-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nprocedures for establishing and institutionalizing contacts with security and privacy groups and associations\n\nlists or other records of contacts with and\/or membership in security and privacy groups and associations\n\nother relevant documents or records"}]},{"id":"pm-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations\n\norganizational personnel with information security and privacy responsibilities\n\npersonnel from selected groups and associations with which the organization has established and institutionalized contact"}]},{"id":"pm-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations\n\nmechanisms supporting contact with security and privacy groups and associations"}]}]},{"id":"pm-16","class":"SP800-53","title":"Threat Awareness Program","props":[{"name":"label","value":"PM-16"},{"name":"label","value":"PM-16","class":"sp800-53a"},{"name":"sort-id","value":"pm-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ir-4","rel":"related"},{"href":"#pm-12","rel":"related"}],"parts":[{"id":"pm-16_smt","name":"statement","prose":"Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."},{"id":"pm-16_gdn","name":"guidance","prose":"Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared."},{"id":"pm-16_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-16","class":"sp800-53a"}],"prose":"a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.","links":[{"href":"#pm-16_smt","rel":"assessment-for"}]},{"id":"pm-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results relevant to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}]},{"id":"pm-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the threat awareness program\n\norganizational personnel responsible for the cross-organization information-sharing capability\n\norganizational personnel with information security and privacy responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}]},{"id":"pm-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the threat awareness program\n\norganizational processes for implementing the cross-organization information-sharing capability\n\nmechanisms supporting and\/or implementing the threat awareness program\n\nmechanisms supporting and\/or implementing the cross-organization information-sharing capability"}]}],"controls":[{"id":"pm-16.1","class":"SP800-53-enhancement","title":"Automated Means for Sharing Threat Intelligence","props":[{"name":"label","value":"PM-16(1)"},{"name":"label","value":"PM-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-16","rel":"required"}],"parts":[{"id":"pm-16.1_smt","name":"statement","prose":"Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information."},{"id":"pm-16.1_gdn","name":"guidance","prose":"To maximize the effectiveness of monitoring, it is important to know what threat observables and indicators the sensors need to be searching for. By using well-established frameworks, services, and automated tools, organizations improve their ability to rapidly share and feed the relevant threat detection signatures into monitoring tools."},{"id":"pm-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-16(01)","class":"sp800-53a"}],"prose":"automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.","links":[{"href":"#pm-16.1_smt","rel":"assessment-for"}]},{"id":"pm-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nthreat awareness program policy\n\nthreat awareness program procedures\n\nrisk assessment results related to threat awareness\n\ndocumentation about the cross-organization information-sharing capability\n\nother relevant documents or records"}]},{"id":"pm-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy program planning and plan implementation responsibilities\n\norganizational personnel responsible for the threat awareness program\n\norganizational personnel responsible for the cross-organization information-sharing capability\n\norganizational personnel with information security and privacy responsibilities\n\nexternal personnel with whom threat awareness information is shared by the organization"}]},{"id":"pm-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing the threat awareness program\n\norganizational processes for implementing the cross-organization information-sharing capability\n\nautomated mechanisms supporting and\/or implementing the threat awareness program\n\nautomated mechanisms supporting and\/or implementing the cross-organization information-sharing capability"}]}]}]},{"id":"pm-17","class":"SP800-53","title":"Protecting Controlled Unclassified Information on External Systems","params":[{"id":"pm-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-17_odp.02"}],"label":"organization-defined frequency"},{"id":"pm-17_odp.01","props":[{"name":"label","value":"PM-17_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the policy is defined;"}]},{"id":"pm-17_odp.02","props":[{"name":"label","value":"PM-17_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the procedures is defined;"}]}],"props":[{"name":"label","value":"PM-17"},{"name":"label","value":"PM-17","class":"sp800-53a"},{"name":"sort-id","value":"pm-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#91f992fb-f668-4c91-a50f-0f05b95ccee3","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ca-6","rel":"related"},{"href":"#pm-10","rel":"related"}],"parts":[{"id":"pm-17_smt","name":"statement","parts":[{"id":"pm-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and"},{"id":"pm-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}."}]},{"id":"pm-17_gdn","name":"guidance","prose":"Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in [32 CFR 2002](#91f992fb-f668-4c91-a50f-0f05b95ccee3) and, specifically for systems external to the federal organization, [32 CFR 2002.14h](https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2017-title32-vol6\/xml\/CFR-2017-title32-vol6-part2002.xml) . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes."},{"id":"pm-17_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-17","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[01]","class":"sp800-53a"}],"prose":"policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;","links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]},{"id":"pm-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17a.[02]","class":"sp800-53a"}],"prose":"procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;","links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt.a","rel":"assessment-for"}]},{"id":"pm-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.","class":"sp800-53a"}],"parts":[{"id":"pm-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[01]","class":"sp800-53a"}],"prose":"policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};","links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]},{"id":"pm-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-17b.[02]","class":"sp800-53a"}],"prose":"procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} ","links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-17_smt","rel":"assessment-for"}]},{"id":"pm-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Controlled unclassified information policy\n\ncontrolled unclassified information procedures\n\nother relevant documents or records."}]},{"id":"pm-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with controlled unclassified information responsibilities\n\norganizational personnel with information security responsibilities."}]}]},{"id":"pm-18","class":"SP800-53","title":"Privacy Program Plan","params":[{"id":"pm-18_odp","props":[{"name":"alt-identifier","value":"pm-18_prm_1"},{"name":"label","value":"PM-18_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of updates to the privacy program plan is defined;"}]}],"props":[{"name":"label","value":"PM-18"},{"name":"label","value":"PM-18","class":"sp800-53a"},{"name":"sort-id","value":"pm-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-18_smt","name":"statement","parts":[{"id":"pm-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and:","parts":[{"id":"pm-18_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;"},{"id":"pm-18_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;"},{"id":"pm-18_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;"},{"id":"pm-18_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;"},{"id":"pm-18_smt.a.5","name":"item","props":[{"name":"label","value":"5."}],"prose":"Reflects coordination among organizational entities responsible for the different aspects of privacy; and"},{"id":"pm-18_smt.a.6","name":"item","props":[{"name":"label","value":"6."}],"prose":"Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and"}]},{"id":"pm-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update the plan {{ insert: param, pm-18_odp }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments."}]},{"id":"pm-18_gdn","name":"guidance","prose":"A privacy program plan is a formal document that provides an overview of an organization’s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.\n\nThe senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.\n\nProgram management controls are generally implemented at the organization level and are essential for managing the organization’s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.\n\nCommon controls are documented in an appendix to the organization’s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls."},{"id":"pm-18_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-18","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[01]","class":"sp800-53a"}],"prose":"an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;","links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]},{"id":"pm-18_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the structure of the privacy program;","links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]},{"id":"pm-18_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.01[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes a description of the resources dedicated to the privacy program;","links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.1","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[01]","class":"sp800-53a"}],"prose":"the privacy program plan provides an overview of the requirements for the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[02]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.02[03]","class":"sp800-53a"}],"prose":"the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;","links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.2","rel":"assessment-for"}]},{"id":"pm-18_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[01]","class":"sp800-53a"}],"prose":"the privacy program plan includes the role of the senior agency official for privacy;","links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]},{"id":"pm-18_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.03[02]","class":"sp800-53a"}],"prose":"the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;","links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.3","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.a.4-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[01]","class":"sp800-53a"}],"prose":"the privacy program plan describes management commitment;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[02]","class":"sp800-53a"}],"prose":"the privacy program plan describes compliance;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.4-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.04[03]","class":"sp800-53a"}],"prose":"the privacy program plan describes the strategic goals and objectives of the privacy program;","links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a.4","rel":"assessment-for"}]},{"id":"pm-18_obj.a.5","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.05","class":"sp800-53a"}],"prose":"the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;","links":[{"href":"#pm-18_smt.a.5","rel":"assessment-for"}]},{"id":"pm-18_obj.a.6","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.06","class":"sp800-53a"}],"prose":"the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;","links":[{"href":"#pm-18_smt.a.6","rel":"assessment-for"}]},{"id":"pm-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18a.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is disseminated;","links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.a","rel":"assessment-for"}]},{"id":"pm-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.","class":"sp800-53a"}],"parts":[{"id":"pm-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[01]","class":"sp800-53a"}],"prose":"the privacy program plan is updated {{ insert: param, pm-18_odp }};","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[02]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address changes in federal privacy laws and policies;","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[03]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address organizational changes;","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]},{"id":"pm-18_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"PM-18b.[04]","class":"sp800-53a"}],"prose":"the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.","links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-18_smt","rel":"assessment-for"}]},{"id":"pm-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing program plan development and implementation\n\nprocedures addressing program plan reviews, updates, and approvals\n\nprocedures addressing coordination of the program plan with relevant entities\n\nrecords of program plan reviews, updates, and approvals\n\nother relevant documents or records"}]},{"id":"pm-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"pm-19","class":"SP800-53","title":"Privacy Program Leadership Role","props":[{"name":"label","value":"PM-19"},{"name":"label","value":"PM-19","class":"sp800-53a"},{"name":"sort-id","value":"pm-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-18","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pm-27","rel":"related"}],"parts":[{"id":"pm-19_smt","name":"statement","prose":"Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."},{"id":"pm-19_gdn","name":"guidance","prose":"The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see [PM-23](#pm-23) ) and the data integrity board (see [PM-24](#pm-24))."},{"id":"pm-19_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-19","class":"sp800-53a"}],"parts":[{"id":"pm-19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-19[01]","class":"sp800-53a"}],"prose":"a senior agency official for privacy with authority, mission, accountability, and resources is appointed;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-19[02]","class":"sp800-53a"}],"prose":"the senior agency official for privacy coordinates applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-19[03]","class":"sp800-53a"}],"prose":"the senior agency official for privacy develops applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-4","name":"assessment-objective","props":[{"name":"label","value":"PM-19[04]","class":"sp800-53a"}],"prose":"the senior agency official for privacy implements applicable privacy requirements;","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_obj-5","name":"assessment-objective","props":[{"name":"label","value":"PM-19[05]","class":"sp800-53a"}],"prose":"the senior agency official for privacy manages privacy risks through the organization-wide privacy program.","links":[{"href":"#pm-19_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-19_smt","rel":"assessment-for"}]},{"id":"pm-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program documents, including policies, procedures, plans, and reports\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements\n\nsystem of records notices\n\ncomputer matching agreements and notices\n\ncontracts, information sharing agreements, and memoranda of understanding\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance\n\nother relevant documents or records"}]},{"id":"pm-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program planning and plan implementation responsibilities\n\norganizational personnel with privacy responsibilities\n\nsenior agency official for privacy\n\nprivacy officials"}]}]},{"id":"pm-20","class":"SP800-53","title":"Dissemination of Privacy Program Information","props":[{"name":"label","value":"PM-20"},{"name":"label","value":"PM-20","class":"sp800-53a"},{"name":"sort-id","value":"pm-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"pm-20_smt","name":"statement","prose":"Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that:","parts":[{"id":"pm-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;"},{"id":"pm-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Ensures that organizational privacy practices and reports are publicly available; and"},{"id":"pm-20_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employs publicly facing email addresses and\/or phone lines to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices."}]},{"id":"pm-20_gdn","name":"guidance","prose":"For federal agencies, the webpage is located at www.[agency].gov\/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions\/complaints, blogs, and periodic publications."},{"id":"pm-20_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20[01]","class":"sp800-53a"}],"prose":"a central resource webpage is maintained on the organization’s principal public website;","links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20[02]","class":"sp800-53a"}],"prose":"the webpage serves as a central source of information about the organization’s privacy program;","links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that the public has access to information about organizational privacy activities;","links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]},{"id":"pm-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20a.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that the public can communicate with its senior agency official for privacy;","links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt.a","rel":"assessment-for"}]},{"id":"pm-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.","class":"sp800-53a"}],"parts":[{"id":"pm-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[01]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy practices are publicly available;","links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]},{"id":"pm-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20b.[02]","class":"sp800-53a"}],"prose":"the webpage ensures that organizational privacy reports are publicly available;","links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt.b","rel":"assessment-for"}]},{"id":"pm-20_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20c.","class":"sp800-53a"}],"prose":"the webpage employs publicly facing email addresses and\/or phone numbers to enable the public to provide feedback and\/or direct questions to privacy offices regarding privacy practices.","links":[{"href":"#pm-20_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20_smt","rel":"assessment-for"}]},{"id":"pm-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Public website\n\npublicly posted privacy program documents, including policies, procedures, plans, and reports\n\nposition description of the senior agency official for privacy\n\npublic privacy notices, including Federal Register notices\n\nprivacy impact assessments\n\nprivacy risk assessments\n\nPrivacy Act statements and system of records notices\n\ncomputer matching agreements and notices\n\nother relevant documents or records"}]},{"id":"pm-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Location, access, availability, and functionality of privacy resource webpage"}]}],"controls":[{"id":"pm-20.1","class":"SP800-53-enhancement","title":"Privacy Policies on Websites, Applications, and Digital Services","props":[{"name":"label","value":"PM-20(1)"},{"name":"label","value":"PM-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-20.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-20","rel":"required"}],"parts":[{"id":"pm-20.1_smt","name":"statement","prose":"Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:","parts":[{"id":"pm-20.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Are written in plain language and organized in a way that is easy to understand and navigate;"},{"id":"pm-20.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and"},{"id":"pm-20.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Are updated whenever the organization makes a substantive change to the practices it describes and includes a time\/date stamp to inform the public of the date of the most recent changes."}]},{"id":"pm-20.1_gdn","name":"guidance","prose":"Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements."},{"id":"pm-20.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[01]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all external-facing websites;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[02]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all mobile applications;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)[03]","class":"sp800-53a"}],"prose":"privacy policies are developed and posted on all other digital services;","links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[01]","class":"sp800-53a"}],"prose":"the privacy policies are written in plain language;","links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]},{"id":"pm-20.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(a)[02]","class":"sp800-53a"}],"prose":"the privacy policies are organized in a way that is easy to understand and navigate;","links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.a","rel":"assessment-for"}]},{"id":"pm-20.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[01]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;","links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]},{"id":"pm-20.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(b)[02]","class":"sp800-53a"}],"prose":"the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;","links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.b","rel":"assessment-for"}]},{"id":"pm-20.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pm-20.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[01]","class":"sp800-53a"}],"prose":"the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;","links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]},{"id":"pm-20.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-20(01)(c)[02]","class":"sp800-53a"}],"prose":"the privacy policies include a time\/date stamp to inform the public of the date of the most recent changes.","links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-20.1_smt","rel":"assessment-for"}]},{"id":"pm-20.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-20(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy policies on the agency website, mobile applications, and\/or other digital services"}]},{"id":"pm-20.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-20(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-20.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-20(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational procedures and practices for disseminating privacy program information\n\nmechanisms supporting the dissemination of privacy program information"}]}]}]},{"id":"pm-21","class":"SP800-53","title":"Accounting of Disclosures","props":[{"name":"label","value":"PM-21"},{"name":"label","value":"PM-21","class":"sp800-53a"},{"name":"sort-id","value":"pm-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pm-21_smt","name":"statement","parts":[{"id":"pm-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:","parts":[{"id":"pm-21_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Date, nature, and purpose of each disclosure; and"},{"id":"pm-21_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Name and address, or other contact information of the individual or organization to which the disclosure was made;"}]},{"id":"pm-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and"},{"id":"pm-21_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request."}]},{"id":"pm-21_gdn","name":"guidance","prose":"The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.\n\nOrganizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions."},{"id":"pm-21_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-21","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.","class":"sp800-53a"}],"prose":"an accurate accounting of disclosures of personally identifiable information is developed and maintained;","parts":[{"id":"pm-21_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[01]","class":"sp800-53a"}],"prose":"the accounting includes the date of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[02]","class":"sp800-53a"}],"prose":"the accounting includes the nature of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.01[03]","class":"sp800-53a"}],"prose":"the accounting includes the purpose of each disclosure;","links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a.1","rel":"assessment-for"}]},{"id":"pm-21_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02","class":"sp800-53a"}],"parts":[{"id":"pm-21_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[01]","class":"sp800-53a"}],"prose":"the accounting includes the name of the individual or organization to whom the disclosure was made;","links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]},{"id":"pm-21_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-21a.02[02]","class":"sp800-53a"}],"prose":"the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;","links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt.a","rel":"assessment-for"}]},{"id":"pm-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-21b.","class":"sp800-53a"}],"prose":"the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;","links":[{"href":"#pm-21_smt.b","rel":"assessment-for"}]},{"id":"pm-21_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-21c.","class":"sp800-53a"}],"prose":"the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.","links":[{"href":"#pm-21_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-21_smt","rel":"assessment-for"}]},{"id":"pm-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndisclosure policies and procedures\n\nrecords of disclosures\n\naudit logs\n\nPrivacy Act policies and procedures\n\nsystem of records notice\n\nPrivacy Act exemption rules."}]},{"id":"pm-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities."}]},{"id":"pm-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for disclosures\n\nmechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts."}]}]},{"id":"pm-22","class":"SP800-53","title":"Personally Identifiable Information Quality Management","props":[{"name":"label","value":"PM-22"},{"name":"label","value":"PM-22","class":"sp800-53a"},{"name":"sort-id","value":"pm-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-22_smt","name":"statement","prose":"Develop and document organization-wide policies and procedures for:","parts":[{"id":"pm-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;"},{"id":"pm-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correcting or deleting inaccurate or outdated personally identifiable information;"},{"id":"pm-22_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and"},{"id":"pm-22_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Appeals of adverse decisions on correction or deletion requests."}]},{"id":"pm-22_gdn","name":"guidance","prose":"Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.\n\nThe senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.\n\nOrganizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem."},{"id":"pm-22_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-22","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22[01]","class":"sp800-53a"}],"prose":"organization-wide policies for personally identifiable information quality management are developed and documented;","links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22[02]","class":"sp800-53a"}],"prose":"organization-wide procedures for personally identifiable information quality management are developed and documented;","links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[01]","class":"sp800-53a"}],"prose":"the policies address reviewing the accuracy of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[02]","class":"sp800-53a"}],"prose":"the policies address reviewing the relevance of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[03]","class":"sp800-53a"}],"prose":"the policies address reviewing the timeliness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[04]","class":"sp800-53a"}],"prose":"the policies address reviewing the completeness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[05]","class":"sp800-53a"}],"prose":"the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[06]","class":"sp800-53a"}],"prose":"the procedures address reviewing the relevance of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[07]","class":"sp800-53a"}],"prose":"the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-22a.[08]","class":"sp800-53a"}],"prose":"the procedures address reviewing the completeness of personally identifiable information across the information life cycle;","links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.a","rel":"assessment-for"}]},{"id":"pm-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[01]","class":"sp800-53a"}],"prose":"the policies address correcting or deleting inaccurate or outdated personally identifiable information;","links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]},{"id":"pm-22_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22b.[02]","class":"sp800-53a"}],"prose":"the procedures address correcting or deleting inaccurate or outdated personally identifiable information;","links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.b","rel":"assessment-for"}]},{"id":"pm-22_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[01]","class":"sp800-53a"}],"prose":"the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;","links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]},{"id":"pm-22_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22c.[02]","class":"sp800-53a"}],"prose":"the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;","links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.c","rel":"assessment-for"}]},{"id":"pm-22_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.","class":"sp800-53a"}],"parts":[{"id":"pm-22_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[01]","class":"sp800-53a"}],"prose":"the policies address appeals of adverse decisions on correction or deletion requests;","links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]},{"id":"pm-22_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-22d.[02]","class":"sp800-53a"}],"prose":"the procedures address appeals of adverse decisions on correction or deletion requests.","links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-22_smt","rel":"assessment-for"}]},{"id":"pm-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion\n\nrecords of monitoring PII quality management practices\n\ndocumentation of reviews and updates of policies and procedures"}]},{"id":"pm-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program information dissemination responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"[Organizational processes for data quality and personally identifiable information quality management procedures\n\nmechanisms supporting and\/or implementing quality management requirements"}]}]},{"id":"pm-23","class":"SP800-53","title":"Data Governance Body","params":[{"id":"pm-23_odp.01","props":[{"name":"alt-identifier","value":"pm-23_prm_1"},{"name":"label","value":"PM-23_ODP[01]","class":"sp800-53a"}],"label":"roles","guidelines":[{"prose":"the roles of a Data Governance Body are defined;"}]},{"id":"pm-23_odp.02","props":[{"name":"alt-identifier","value":"pm-23_prm_2"},{"name":"label","value":"PM-23_ODP[02]","class":"sp800-53a"}],"label":"responsibilities","guidelines":[{"prose":"the responsibilities of a Data Governance Body are defined;"}]}],"props":[{"name":"label","value":"PM-23"},{"name":"label","value":"PM-23","class":"sp800-53a"},{"name":"sort-id","value":"pm-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#511da9ca-604d-43f7-be41-b862085420a9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d886c141-c832-4ad7-ac6d-4b94f4b550d3","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pm-23_smt","name":"statement","prose":"Establish a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }}."},{"id":"pm-23_gdn","name":"guidance","prose":"A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the [EVIDACT](#511da9ca-604d-43f7-be41-b862085420a9) and policies set forth under [OMB M-19-23](#d886c141-c832-4ad7-ac6d-4b94f4b550d3)."},{"id":"pm-23_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-23","class":"sp800-53a"}],"prose":"a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }} is established.","links":[{"href":"#pm-23_smt","rel":"assessment-for"}]},{"id":"pm-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ndocumentation relating to the Data Governance Body, including documents establishing such a body, its charter of operations, and any plans and reports\n\nrecords of board meetings and decisions\n\nrecords of requests to review data\n\npolicies, procedures, and standards that facilitate data governance"}]},{"id":"pm-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Officials serving on the Data Governance Body (e.g., chief information officer, senior agency information security officer, and senior agency official for privacy)"}]}]},{"id":"pm-24","class":"SP800-53","title":"Data Integrity Board","props":[{"name":"label","value":"PM-24"},{"name":"label","value":"PM-24","class":"sp800-53a"},{"name":"sort-id","value":"pm-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#pm-19","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-8","rel":"related"}],"parts":[{"id":"pm-24_smt","name":"statement","prose":"Establish a Data Integrity Board to:","parts":[{"id":"pm-24_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review proposals to conduct or participate in a matching program; and"},{"id":"pm-24_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Conduct an annual review of all matching programs in which the agency has participated."}]},{"id":"pm-24_gdn","name":"guidance","prose":"A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy."},{"id":"pm-24_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-24","class":"sp800-53a"}],"prose":"a Data Integrity Board is established;","parts":[{"id":"pm-24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-24a.","class":"sp800-53a"}],"prose":"the Data Integrity Board reviews proposals to conduct or participate in a matching program;","links":[{"href":"#pm-24_smt.a","rel":"assessment-for"}]},{"id":"pm-24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-24b.","class":"sp800-53a"}],"prose":"the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.","links":[{"href":"#pm-24_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-24_smt","rel":"assessment-for"}]},{"id":"pm-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprivacy program documents relating to the Data Integrity Board, including documents establishing the board, its charter of operations, and any plans and reports\n\ncomputer matching agreements and notices\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nrecords documenting annual reviews\n\ngoverning requirements, including laws, executive orders, regulations, standards, and guidance"}]},{"id":"pm-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"members of the Data Integrity Board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency Inspector General)"}]}]},{"id":"pm-25","class":"SP800-53","title":"Minimization of Personally Identifiable Information Used in Testing, Training, and Research","params":[{"id":"pm-25_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-25_odp.04"}],"label":"organization-defined frequency"},{"id":"pm-25_odp.01","props":[{"name":"label","value":"PM-25_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.02","props":[{"name":"label","value":"PM-25_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.03","props":[{"name":"label","value":"PM-25_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]},{"id":"pm-25_odp.04","props":[{"name":"label","value":"PM-25_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;"}]}],"props":[{"name":"label","value":"PM-25"},{"name":"label","value":"PM-25","class":"sp800-53a"},{"name":"sort-id","value":"pm-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#pm-23","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"pm-25_smt","name":"statement","parts":[{"id":"pm-25_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;"},{"id":"pm-25_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;"},{"id":"pm-25_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and"},{"id":"pm-25_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review and update policies and procedures {{ insert: param, pm-25_prm_1 }}."}]},{"id":"pm-25_gdn","name":"guidance","prose":"The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and\/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research."},{"id":"pm-25_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-25","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[01]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[02]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal training are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[03]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal research are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[04]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[05]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal training are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[06]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal research are developed and documented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[07]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for internal testing, are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[08]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for training are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[09]","class":"sp800-53a"}],"prose":"policies that address the use of personally identifiable information for research are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[10]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for internal testing are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[11]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for training are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-25a.[12]","class":"sp800-53a"}],"prose":"procedures that address the use of personally identifiable information for research are implemented;","links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.a","rel":"assessment-for"}]},{"id":"pm-25_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[01]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal testing purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[02]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal training purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25b.[03]","class":"sp800-53a"}],"prose":"the amount of personally identifiable information used for internal research purposes is limited or minimized;","links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.b","rel":"assessment-for"}]},{"id":"pm-25_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[01]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal testing is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[02]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal training is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25c.[03]","class":"sp800-53a"}],"prose":"the required use of personally identifiable information for internal research is authorized;","links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.c","rel":"assessment-for"}]},{"id":"pm-25_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.","class":"sp800-53a"}],"parts":[{"id":"pm-25_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[01]","class":"sp800-53a"}],"prose":"policies are reviewed {{ insert: param, pm-25_odp.01 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[02]","class":"sp800-53a"}],"prose":"policies are updated {{ insert: param, pm-25_odp.02 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[03]","class":"sp800-53a"}],"prose":"procedures are reviewed {{ insert: param, pm-25_odp.03 }};","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]},{"id":"pm-25_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"PM-25d.[04]","class":"sp800-53a"}],"prose":"procedures are updated {{ insert: param, pm-25_odp.04 }}.","links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-25_smt","rel":"assessment-for"}]},{"id":"pm-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\npolicies and procedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting policy implementation (e.g., templates for testing, training, and research\n\nprivacy threshold analysis\n\nprivacy risk assessment)\n\ndata sets used for testing, training, and research"}]},{"id":"pm-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"pm-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for data quality and personally identifiable information management\n\nmechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information"}]}]},{"id":"pm-26","class":"SP800-53","title":"Complaint Management","params":[{"id":"pm-26_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-26_odp.02"}],"label":"organization-defined time period"},{"id":"pm-26_odp.01","props":[{"name":"label","value":"PM-26_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;"}]},{"id":"pm-26_odp.02","props":[{"name":"label","value":"PM-26_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;"}]},{"id":"pm-26_odp.03","props":[{"name":"alt-identifier","value":"pm-26_prm_2"},{"name":"label","value":"PM-26_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for acknowledging the receipt of complaints is defined;"}]},{"id":"pm-26_odp.04","props":[{"name":"alt-identifier","value":"pm-26_prm_3"},{"name":"label","value":"PM-26_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period for responding to complaints is defined;"}]}],"props":[{"name":"label","value":"PM-26"},{"name":"label","value":"PM-26","class":"sp800-53a"},{"name":"sort-id","value":"pm-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ir-7","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pm-26_smt","name":"statement","prose":"Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:","parts":[{"id":"pm-26_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Mechanisms that are easy to use and readily accessible by the public;"},{"id":"pm-26_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"All information necessary for successfully filing complaints;"},{"id":"pm-26_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }};"},{"id":"pm-26_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }} ; and"},{"id":"pm-26_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."}]},{"id":"pm-26_gdn","name":"guidance","prose":"Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes."},{"id":"pm-26_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-26","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26[01]","class":"sp800-53a"}],"prose":"a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;","links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26[02]","class":"sp800-53a"}],"prose":"a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;","links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are easy to use by the public;","links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]},{"id":"pm-26_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26a.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes mechanisms that are readily accessible by the public;","links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt.a","rel":"assessment-for"}]},{"id":"pm-26_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-26b.","class":"sp800-53a"}],"prose":"the complaint management process includes all information necessary for successfully filing complaints;","links":[{"href":"#pm-26_smt.b","rel":"assessment-for"}]},{"id":"pm-26_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.","class":"sp800-53a"}],"parts":[{"id":"pm-26_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[01]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};","links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]},{"id":"pm-26_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PM-26c.[02]","class":"sp800-53a"}],"prose":"the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};","links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt.c","rel":"assessment-for"}]},{"id":"pm-26_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-26d.","class":"sp800-53a"}],"prose":"the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};","links":[{"href":"#pm-26_smt.d","rel":"assessment-for"}]},{"id":"pm-26_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-26e.","class":"sp800-53a"}],"prose":"the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.","links":[{"href":"#pm-26_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pm-26_smt","rel":"assessment-for"}]},{"id":"pm-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\nprocedures addressing complaint management\n\ncomplaint documentation\n\nprocedures addressing the reviews of complaints\n\nother relevant documents or records"}]},{"id":"pm-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"pm-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for complaint management\n\nmechanisms supporting complaint management\n\ntools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms"}]}]},{"id":"pm-27","class":"SP800-53","title":"Privacy Reporting","params":[{"id":"pm-27_odp.01","props":[{"name":"alt-identifier","value":"pm-27_prm_1"},{"name":"label","value":"PM-27_ODP[01]","class":"sp800-53a"}],"label":"privacy reports","guidelines":[{"prose":"privacy reports are defined;"}]},{"id":"pm-27_odp.02","props":[{"name":"alt-identifier","value":"pm-27_prm_2"},{"name":"label","value":"PM-27_ODP[02]","class":"sp800-53a"}],"label":"oversight bodies","guidelines":[{"prose":"privacy oversight bodies are defined;"}]},{"id":"pm-27_odp.03","props":[{"name":"alt-identifier","value":"pm-27_prm_3"},{"name":"label","value":"PM-27_ODP[03]","class":"sp800-53a"}],"label":"officials","guidelines":[{"prose":"officials responsible for monitoring privacy program compliance are defined;"}]},{"id":"pm-27_odp.04","props":[{"name":"alt-identifier","value":"pm-27_prm_4"},{"name":"label","value":"PM-27_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating privacy reports is defined;"}]}],"props":[{"name":"label","value":"PM-27"},{"name":"label","value":"PM-27","class":"sp800-53a"},{"name":"sort-id","value":"pm-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-27_smt","name":"statement","parts":[{"id":"pm-27_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop {{ insert: param, pm-27_odp.01 }} and disseminate to:","parts":[{"id":"pm-27_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and"},{"id":"pm-27_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and"}]},{"id":"pm-27_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update privacy reports {{ insert: param, pm-27_odp.04 }}."}]},{"id":"pm-27_gdn","name":"guidance","prose":"Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9\/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements."},{"id":"pm-27_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-27","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.","class":"sp800-53a"}],"prose":"{{ insert: param, pm-27_odp.01 }} are developed;","parts":[{"id":"pm-27_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.01","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;","links":[{"href":"#pm-27_smt.a.1","rel":"assessment-for"}]},{"id":"pm-27_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02","class":"sp800-53a"}],"parts":[{"id":"pm-27_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[01]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};","links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]},{"id":"pm-27_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-27a.02[02]","class":"sp800-53a"}],"prose":"the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;","links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt.a","rel":"assessment-for"}]},{"id":"pm-27_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-27b.","class":"sp800-53a"}],"prose":"the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.","links":[{"href":"#pm-27_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-27_smt","rel":"assessment-for"}]},{"id":"pm-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Privacy program plan\n\ninternal and external privacy reports\n\nprivacy program plan\n\nannual senior agency official for privacy reports to OMB\n\nreports to Congress required by law, regulation, or policy, including internal policies\n\nrecords documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance\n\nrecords of review and updates of privacy reports."}]},{"id":"pm-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with privacy program responsibilities\n\norganizational personnel with privacy responsibilities\n\nlegal counsel."}]}]},{"id":"pm-28","class":"SP800-53","title":"Risk Framing","params":[{"id":"pm-28_odp.01","props":[{"name":"alt-identifier","value":"pm-28_prm_1"},{"name":"label","value":"PM-28_ODP[01]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"the personnel to receive the results of risk framing activities is\/are defined;"}]},{"id":"pm-28_odp.02","props":[{"name":"alt-identifier","value":"pm-28_prm_2"},{"name":"label","value":"PM-28_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating risk framing considerations is defined;"}]}],"props":[{"name":"label","value":"PM-28"},{"name":"label","value":"PM-28","class":"sp800-53a"},{"name":"sort-id","value":"pm-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"pm-28_smt","name":"statement","parts":[{"id":"pm-28_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document:","parts":[{"id":"pm-28_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Assumptions affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Constraints affecting risk assessments, risk responses, and risk monitoring;"},{"id":"pm-28_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Priorities and trade-offs considered by the organization for managing risk; and"},{"id":"pm-28_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Organizational risk tolerance;"}]},{"id":"pm-28_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the results of risk framing activities to {{ insert: param, pm-28_odp.01 }} ; and"},{"id":"pm-28_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update risk framing considerations {{ insert: param, pm-28_odp.02 }}."}]},{"id":"pm-28_gdn","name":"guidance","prose":"Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management."},{"id":"pm-28_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-28","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[01]","class":"sp800-53a"}],"prose":"assumptions affecting risk assessments are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[02]","class":"sp800-53a"}],"prose":"assumptions affecting risk responses are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.01[03]","class":"sp800-53a"}],"prose":"assumptions affecting risk monitoring are identified and documented;","links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.1","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[01]","class":"sp800-53a"}],"prose":"constraints affecting risk assessments are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[02]","class":"sp800-53a"}],"prose":"constraints affecting risk responses are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.02[03]","class":"sp800-53a"}],"prose":"constraints affecting risk monitoring are identified and documented;","links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.2","rel":"assessment-for"}]},{"id":"pm-28_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03","class":"sp800-53a"}],"parts":[{"id":"pm-28_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[01]","class":"sp800-53a"}],"prose":"priorities considered by the organization for managing risk are identified and documented;","links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]},{"id":"pm-28_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.03[02]","class":"sp800-53a"}],"prose":"trade-offs considered by the organization for managing risk are identified and documented;","links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a.3","rel":"assessment-for"}]},{"id":"pm-28_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"PM-28a.04","class":"sp800-53a"}],"prose":"organizational risk tolerance is identified and documented;","links":[{"href":"#pm-28_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt.a","rel":"assessment-for"}]},{"id":"pm-28_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-28b.","class":"sp800-53a"}],"prose":"the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};","links":[{"href":"#pm-28_smt.b","rel":"assessment-for"}]},{"id":"pm-28_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-28c.","class":"sp800-53a"}],"prose":"risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.","links":[{"href":"#pm-28_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-28_smt","rel":"assessment-for"}]},{"id":"pm-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management strategy\n\ndocumentation of risk framing activities\n\npolicies and procedures for risk framing activities\n\nrisk management strategy"}]},{"id":"pm-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel (including mission, business, and system owners or stewards\n\nauthorizing officials\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\nand senior accountable official for risk management)"}]},{"id":"pm-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing\n\norganizational processes for risk framing\n\nmechanisms supporting the development, review, update, and approval of risk framing"}]}]},{"id":"pm-29","class":"SP800-53","title":"Risk Management Program Leadership Roles","props":[{"name":"label","value":"PM-29"},{"name":"label","value":"PM-29","class":"sp800-53a"},{"name":"sort-id","value":"pm-29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#pm-2","rel":"related"},{"href":"#pm-19","rel":"related"}],"parts":[{"id":"pm-29_smt","name":"statement","parts":[{"id":"pm-29_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and"},{"id":"pm-29_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization."}]},{"id":"pm-29_gdn","name":"guidance","prose":"The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities."},{"id":"pm-29_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-29","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.[01]","class":"sp800-53a"}],"prose":"a Senior Accountable Official for Risk Management is appointed;","links":[{"href":"#pm-29_smt.a","rel":"assessment-for"}]},{"id":"pm-29_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-29a.[02]","class":"sp800-53a"}],"prose":"a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;","links":[{"href":"#pm-29_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-29_smt.a","rel":"assessment-for"}]},{"id":"pm-29_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.","class":"sp800-53a"}],"parts":[{"id":"pm-29_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[01]","class":"sp800-53a"}],"prose":"a Risk Executive (function) is established;","links":[{"href":"#pm-29_smt.b","rel":"assessment-for"}]},{"id":"pm-29_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[02]","class":"sp800-53a"}],"prose":"a Risk Executive (function) views and analyzes risk from an organization-wide perspective;","links":[{"href":"#pm-29_smt.b","rel":"assessment-for"}]},{"id":"pm-29_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"PM-29b.[03]","class":"sp800-53a"}],"prose":"a Risk Executive (function) ensures that the management of risk is consistent across the organization.","links":[{"href":"#pm-29_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-29_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-29_smt","rel":"assessment-for"}]},{"id":"pm-29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-29-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nrisk management strategy\n\nsupply chain risk management strategy\n\ndocumentation of appointment, roles, and responsibilities of a Senior Accountable Official for Risk Management\n\ndocumentation of actions taken by the Official\n\ndocumentation of the establishment, policies, and procedures of a Risk Executive (function)"}]},{"id":"pm-29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-29-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security and privacy program responsibilities"}]}]},{"id":"pm-30","class":"SP800-53","title":"Supply Chain Risk Management Strategy","params":[{"id":"pm-30_odp","props":[{"name":"alt-identifier","value":"pm-30_prm_1"},{"name":"label","value":"PM-30_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for reviewing and updating the supply chain risk management strategy is defined;"}]}],"props":[{"name":"label","value":"PM-30"},{"name":"label","value":"PM-30","class":"sp800-53a"},{"name":"sort-id","value":"pm-30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#206a3284-6a7e-423c-8ea9-25b22542541d","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#cm-10","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#sr-1","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"},{"href":"#sr-8","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"pm-30_smt","name":"statement","parts":[{"id":"pm-30_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;"},{"id":"pm-30_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the supply chain risk management strategy consistently across the organization; and"},{"id":"pm-30_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the supply chain risk management strategy on {{ insert: param, pm-30_odp }} or as required, to address organizational changes."}]},{"id":"pm-30_gdn","name":"guidance","prose":"An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission\/business levels, whereas the supply chain risk management plan (see [SR-2](#sr-2) ) is implemented at the system level."},{"id":"pm-30_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-30","class":"sp800-53a"}],"parts":[{"id":"pm-30_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.","class":"sp800-53a"}],"parts":[{"id":"pm-30_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[01]","class":"sp800-53a"}],"prose":"an organization-wide strategy for managing supply chain risks is developed;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of systems;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of system components;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the development of system services;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of systems;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of system components;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the acquisition of system services;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of systems;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of system components;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-10","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[10]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the maintenance of system services;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-11","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[11]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of systems;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-12","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[12]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of system components;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.a-13","name":"assessment-objective","props":[{"name":"label","value":"PM-30a.[13]","class":"sp800-53a"}],"prose":"the supply chain risk management strategy addresses risks associated with the disposal of system services;","links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pm-30_smt.a","rel":"assessment-for"}]},{"id":"pm-30_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-30b.","class":"sp800-53a"}],"prose":"the supply chain risk management strategy is implemented consistently across the organization;","links":[{"href":"#pm-30_smt.b","rel":"assessment-for"}]},{"id":"pm-30_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-30c.","class":"sp800-53a"}],"prose":"the supply chain risk management strategy is reviewed and updated {{ insert: param, pm-30_odp }} or as required to address organizational changes.","links":[{"href":"#pm-30_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pm-30_smt","rel":"assessment-for"}]},{"id":"pm-30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-30-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management strategy\n\norganizational risk management strategy\n\nenterprise risk management documents\n\nother relevant documents or records"}]},{"id":"pm-30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-30-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}],"controls":[{"id":"pm-30.1","class":"SP800-53-enhancement","title":"Suppliers of Critical or Mission-essential Items","props":[{"name":"label","value":"PM-30(1)"},{"name":"label","value":"PM-30(01)","class":"sp800-53a"},{"name":"sort-id","value":"pm-30.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pm-30","rel":"required"},{"href":"#ra-3","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"pm-30.1_smt","name":"statement","prose":"Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services."},{"id":"pm-30.1_gdn","name":"guidance","prose":"The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission\/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see [SR-6](#sr-6) ) and supply chain risk assessment processes (see [RA-3(1)](#ra-3.1) ). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"pm-30.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)","class":"sp800-53a"}],"parts":[{"id":"pm-30.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[01]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are identified;","links":[{"href":"#pm-30.1_smt","rel":"assessment-for"}]},{"id":"pm-30.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[02]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are prioritized;","links":[{"href":"#pm-30.1_smt","rel":"assessment-for"}]},{"id":"pm-30.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PM-30(01)[03]","class":"sp800-53a"}],"prose":"suppliers of critical or mission-essential technologies, products, and services are assessed.","links":[{"href":"#pm-30.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#pm-30.1_smt","rel":"assessment-for"}]},{"id":"pm-30.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-30(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management strategy\n\norganization-wide risk management strategy\n\nenterprise risk management documents\n\ninventory records or suppliers\n\nassessment and prioritization documentation\n\ncritical or mission-essential technologies, products, and service documents or records\n\nother relevant documents or records"}]},{"id":"pm-30.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-30(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]},{"id":"pm-30.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-30(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services\n\norganizational processes for maintaining an inventory of suppliers\n\norganizational process for associating suppliers with critical or mission-essential technologies, products, and services"}]}]}]},{"id":"pm-31","class":"SP800-53","title":"Continuous Monitoring Strategy","params":[{"id":"pm-31_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.05"}],"label":"organization-defined personnel or roles"},{"id":"pm-31_prm_5","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pm-31_odp.07"}],"label":"organization-defined frequency"},{"id":"pm-31_odp.01","props":[{"name":"alt-identifier","value":"pm-31_prm_1"},{"name":"label","value":"PM-31_ODP[01]","class":"sp800-53a"}],"label":"metrics","guidelines":[{"prose":"the metrics for organization-wide continuous monitoring are defined;"}]},{"id":"pm-31_odp.02","props":[{"name":"alt-identifier","value":"pm-31_prm_2"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[02]","class":"sp800-53a"}],"label":"monitoring frequencies","guidelines":[{"prose":"the frequencies for monitoring are defined;"}]},{"id":"pm-31_odp.03","props":[{"name":"alt-identifier","value":"pm-31_prm_3"},{"name":"alt-label","value":"frequencies","class":"sp800-53"},{"name":"label","value":"PM-31_ODP[03]","class":"sp800-53a"}],"label":"assessment frequencies","guidelines":[{"prose":"the frequencies for assessing control effectiveness are defined;"}]},{"id":"pm-31_odp.04","props":[{"name":"label","value":"PM-31_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the security status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.05","props":[{"name":"label","value":"PM-31_ODP[05]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"the personnel or roles for reporting the privacy status of organizational systems to is\/are defined;"}]},{"id":"pm-31_odp.06","props":[{"name":"label","value":"PM-31_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the security status of organizational systems is defined;"}]},{"id":"pm-31_odp.07","props":[{"name":"label","value":"PM-31_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to report the privacy status of organizational systems is defined;"}]}],"props":[{"name":"label","value":"PM-31"},{"name":"label","value":"PM-31","class":"sp800-53a"},{"name":"sort-id","value":"pm-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#62ea77ca-e450-4323-b210-e0d75390e785","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#at-4","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#pe-14","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pe-20","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-6","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-10","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"pm-31_smt","name":"statement","prose":"Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:","parts":[{"id":"pm-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establishing the following organization-wide metrics to be monitored: {{ insert: param, pm-31_odp.01 }};"},{"id":"pm-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;"},{"id":"pm-31_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;"},{"id":"pm-31_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Correlation and analysis of information generated by control assessments and monitoring;"},{"id":"pm-31_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Response actions to address results of the analysis of control assessment and monitoring information; and"},{"id":"pm-31_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Reporting the security and privacy status of organizational systems to {{ insert: param, pm-31_prm_4 }} {{ insert: param, pm-31_prm_5 }}."}]},{"id":"pm-31_gdn","name":"guidance","prose":"Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms \"continuous\" and \"ongoing\" imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-2(7)(b)](#ac-2.7_smt.b), [AC-2(7)(c)](#ac-2.7_smt.c), [AC-17(1)](#ac-17.1), [AT-4a](#at-4_smt.a), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CA-7](#ca-7), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [CM-11c](#cm-11_smt.c), [IR-5](#ir-5), [MA-2b](#ma-2_smt.b), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [PE-3d](#pe-3_smt.d), [PE-6](#pe-6), [PE-14b](#pe-14_smt.b), [PE-16](#pe-16), [PE-20](#pe-20), [PM-6](#pm-6), [PM-23](#pm-23), [PS-7e](#ps-7_smt.e), [SA-9c](#sa-9_smt.c), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b), [SI-4](#si-4)."},{"id":"pm-31_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-31","class":"sp800-53a"}],"prose":"an organization-wide continuous monitoring strategy is developed;","parts":[{"id":"pm-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PM-31a.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;","links":[{"href":"#pm-31_smt.a","rel":"assessment-for"}]},{"id":"pm-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;","links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]},{"id":"pm-31_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31b.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;","links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.b","rel":"assessment-for"}]},{"id":"pm-31_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PM-31c.","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;","links":[{"href":"#pm-31_smt.c","rel":"assessment-for"}]},{"id":"pm-31_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;","links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]},{"id":"pm-31_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31d.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;","links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.d","rel":"assessment-for"}]},{"id":"pm-31_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;","links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]},{"id":"pm-31_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31e.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;","links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.e","rel":"assessment-for"}]},{"id":"pm-31_obj.f","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.","class":"sp800-53a"}],"parts":[{"id":"pm-31_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[01]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};","links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]},{"id":"pm-31_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"PM-31f.[02]","class":"sp800-53a"}],"prose":"continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.","links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#pm-31_smt","rel":"assessment-for"}]},{"id":"pm-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nsupply chain risk management plan\n\ncontinuous monitoring strategy\n\nrisk management strategy\n\ninformation security continuous monitoring program documentation, reporting, metrics, and artifacts\n\ninformation security continuous monitoring program assessment documentation, reporting, metrics, and artifacts\n\nassessment and authorization policy\n\nprocedures addressing the continuous monitoring of controls\n\nprivacy program continuous monitoring documentation, reporting, metrics, and artifacts\n\ncontinuous monitoring program records, security, and privacy impact analyses\n\nstatus reports\n\nrisk response documentation\n\nother relevant documents or records."}]},{"id":"pm-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Senior Accountable Official for Risk Management\n\nchief information officer\n\nsenior agency information security officer\n\nsenior agency official for privacy\n\norganizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]},{"id":"pm-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PM-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring"}]}]},{"id":"pm-32","class":"SP800-53","title":"Purposing","params":[{"id":"pm-32_odp","props":[{"name":"alt-identifier","value":"pm-32_prm_1"},{"name":"alt-label","value":"systems or systems components","class":"sp800-53"},{"name":"label","value":"PM-32_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components supporting mission-essential services or functions are defined;"}]}],"props":[{"name":"label","value":"PM-32"},{"name":"label","value":"PM-32","class":"sp800-53a"},{"name":"sort-id","value":"pm-32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"pm-32_smt","name":"statement","prose":"Analyze {{ insert: param, pm-32_odp }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."},{"id":"pm-32_gdn","name":"guidance","prose":"Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures."},{"id":"pm-32_obj","name":"assessment-objective","props":[{"name":"label","value":"PM-32","class":"sp800-53a"}],"prose":"{{ insert: param, pm-32_odp }} supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.","links":[{"href":"#pm-32_smt","rel":"assessment-for"}]},{"id":"pm-32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PM-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Information security program plan\n\nprivacy program plan\n\nlist of essential services and functions\n\norganizational analysis of information resources\n\nrisk management strategy\n\nother relevant documents or records."}]},{"id":"pm-32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PM-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security, privacy, and supply chain risk management program responsibilities"}]}]}]},{"id":"ps","class":"family","title":"Personnel Security","controls":[{"id":"ps-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ps-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ps-01_odp.01","props":[{"name":"label","value":"PS-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security policy is to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.02","props":[{"name":"label","value":"PS-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personnel security procedures are to be disseminated is\/are defined;"}]},{"id":"ps-01_odp.03","props":[{"name":"alt-identifier","value":"ps-1_prm_2"},{"name":"label","value":"PS-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ps-01_odp.04","props":[{"name":"alt-identifier","value":"ps-1_prm_3"},{"name":"label","value":"PS-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personnel security policy and procedures is defined;"}]},{"id":"ps-01_odp.05","props":[{"name":"alt-identifier","value":"ps-1_prm_4"},{"name":"label","value":"PS-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security policy is reviewed and updated is defined;"}]},{"id":"ps-01_odp.06","props":[{"name":"alt-identifier","value":"ps-1_prm_5"},{"name":"label","value":"PS-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personnel security policy to be reviewed and updated are defined;"}]},{"id":"ps-01_odp.07","props":[{"name":"alt-identifier","value":"ps-1_prm_6"},{"name":"label","value":"PS-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personnel security procedures are reviewed and updated is defined;"}]},{"id":"ps-01_odp.08","props":[{"name":"alt-identifier","value":"ps-1_prm_7"},{"name":"label","value":"PS-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personnel security procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PS-1"},{"name":"label","value":"PS-01","class":"sp800-53a"},{"name":"sort-id","value":"ps-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-1_smt","name":"statement","parts":[{"id":"ps-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:","parts":[{"id":"ps-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ps-01_odp.03 }} personnel security policy that:","parts":[{"id":"ps-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ps-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ps-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;"}]},{"id":"ps-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and"},{"id":"ps-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personnel security:","parts":[{"id":"ps-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }} ; and"},{"id":"ps-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}."}]}]},{"id":"ps-1_gdn","name":"guidance","prose":"Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission\/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ps-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[01]","class":"sp800-53a"}],"prose":"a personnel security policy is developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[02]","class":"sp800-53a"}],"prose":"the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[03]","class":"sp800-53a"}],"prose":"personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.[04]","class":"sp800-53a"}],"prose":"the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};","links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;","links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ps-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ps-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.a","rel":"assessment-for"}]},{"id":"ps-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;","links":[{"href":"#ps-1_smt.b","rel":"assessment-for"}]},{"id":"ps-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[01]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.01[02]","class":"sp800-53a"}],"prose":"the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};","links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.1","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02","class":"sp800-53a"}],"parts":[{"id":"ps-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[01]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]},{"id":"ps-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PS-01c.02[02]","class":"sp800-53a"}],"prose":"the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.","links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-1_smt","rel":"assessment-for"}]},{"id":"ps-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"ps-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]}]},{"id":"ps-2","class":"SP800-53","title":"Position Risk Designation","params":[{"id":"ps-02_odp","props":[{"name":"alt-identifier","value":"ps-2_prm_1"},{"name":"label","value":"PS-02_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update position risk designations is defined;"}]}],"props":[{"name":"label","value":"PS-2"},{"name":"label","value":"PS-02","class":"sp800-53a"},{"name":"sort-id","value":"ps-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#a5ef5e56-5c1a-4911-b419-37dddc1b3581","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#ac-5","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-2_smt","name":"statement","parts":[{"id":"ps-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Assign a risk designation to all organizational positions;"},{"id":"ps-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Establish screening criteria for individuals filling those positions; and"},{"id":"ps-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update position risk designations {{ insert: param, ps-02_odp }}."}]},{"id":"ps-2_gdn","name":"guidance","prose":"Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions."},{"id":"ps-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-02","class":"sp800-53a"}],"parts":[{"id":"ps-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-02a.","class":"sp800-53a"}],"prose":"a risk designation is assigned to all organizational positions;","links":[{"href":"#ps-2_smt.a","rel":"assessment-for"}]},{"id":"ps-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-02b.","class":"sp800-53a"}],"prose":"screening criteria are established for individuals filling organizational positions;","links":[{"href":"#ps-2_smt.b","rel":"assessment-for"}]},{"id":"ps-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-02c.","class":"sp800-53a"}],"prose":"position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.","links":[{"href":"#ps-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-2_smt","rel":"assessment-for"}]},{"id":"ps-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing position categorization\n\nappropriate codes of federal regulations\n\nlist of risk designations for organizational positions\n\nrecords of position risk designation reviews and updates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assigning, reviewing, and updating position risk designations\n\norganizational processes for establishing screening criteria"}]}]},{"id":"ps-3","class":"SP800-53","title":"Personnel Screening","params":[{"id":"ps-3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ps-03_odp.02"}],"label":"organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening"},{"id":"ps-03_odp.01","props":[{"name":"label","value":"PS-03_ODP[01]","class":"sp800-53a"}],"label":"conditions requiring rescreening","guidelines":[{"prose":"conditions requiring rescreening of individuals are defined;"}]},{"id":"ps-03_odp.02","props":[{"name":"label","value":"PS-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency of rescreening individuals where it is so indicated is defined;"}]}],"props":[{"name":"label","value":"PS-3"},{"name":"label","value":"PS-03","class":"sp800-53a"},{"name":"sort-id","value":"ps-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#55b0c93a-5e48-457a-baa6-5ce81c239c49","rel":"reference"},{"href":"#0af071a6-cf8e-48ee-8c82-fe91efa20f94","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#7af2e6ec-9f7e-4232-ad3f-09888eb0793a","rel":"reference"},{"href":"#828856bd-d7c4-427b-8b51-815517ec382d","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-3_smt","name":"statement","parts":[{"id":"ps-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Screen individuals prior to authorizing access to the system; and"},{"id":"ps-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Rescreen individuals in accordance with {{ insert: param, ps-3_prm_1 }}."}]},{"id":"ps-3_gdn","name":"guidance","prose":"Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."},{"id":"ps-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03a.","class":"sp800-53a"}],"prose":"individuals are screened prior to authorizing access to the system;","links":[{"href":"#ps-3_smt.a","rel":"assessment-for"}]},{"id":"ps-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.","class":"sp800-53a"}],"parts":[{"id":"ps-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[01]","class":"sp800-53a"}],"prose":"individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]},{"id":"ps-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03b.[02]","class":"sp800-53a"}],"prose":"where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.","links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3_smt","rel":"assessment-for"}]},{"id":"ps-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel screening"}]}],"controls":[{"id":"ps-3.1","class":"SP800-53-enhancement","title":"Classified Information","props":[{"name":"label","value":"PS-3(1)"},{"name":"label","value":"PS-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ps-3.1_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system."},{"id":"ps-3.1_gdn","name":"guidance","prose":"Classified information is the most sensitive information that the Federal Government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see [AC-3](#ac-3) ) and flow controls (see [AC-4](#ac-4))."},{"id":"ps-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)","class":"sp800-53a"}],"parts":[{"id":"ps-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)[01]","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting classified information are cleared;","links":[{"href":"#ps-3.1_smt","rel":"assessment-for"}]},{"id":"ps-3.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-03(01)[02]","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.","links":[{"href":"#ps-3.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#ps-3.1_smt","rel":"assessment-for"}]},{"id":"ps-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for clearing and indoctrinating personnel for access to classified information"}]}]},{"id":"ps-3.2","class":"SP800-53-enhancement","title":"Formal Indoctrination","props":[{"name":"label","value":"PS-3(2)"},{"name":"label","value":"PS-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"}],"parts":[{"id":"ps-3.2_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant types of information to which they have access on the system."},{"id":"ps-3.2_gdn","name":"guidance","prose":"Types of classified information that require formal indoctrination include Special Access Program (SAP), Restricted Data (RD), and Sensitive Compartmented Information (SCI)."},{"id":"ps-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(02)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.","links":[{"href":"#ps-3.2_smt","rel":"assessment-for"}]},{"id":"ps-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel screening\n\nindoctrination documents\n\nrecords of screened personnel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for formal indoctrination for all relevant types of information to which personnel have access"}]}]},{"id":"ps-3.3","class":"SP800-53-enhancement","title":"Information Requiring Special Protective Measures","params":[{"id":"ps-03.03_odp","props":[{"name":"alt-identifier","value":"ps-3.3_prm_1"},{"name":"label","value":"PS-03(03)_ODP","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;"}]}],"props":[{"name":"label","value":"PS-3(3)"},{"name":"label","value":"PS-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"}],"parts":[{"id":"ps-3.3_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:","parts":[{"id":"ps-3.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have valid access authorizations that are demonstrated by assigned official government duties; and"},{"id":"ps-3.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Satisfy {{ insert: param, ps-03.03_odp }}."}]},{"id":"ps-3.3_gdn","name":"guidance","prose":"Organizational information that requires special protection includes controlled unclassified information. Personnel security criteria include position sensitivity background screening requirements."},{"id":"ps-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)","class":"sp800-53a"}],"parts":[{"id":"ps-3.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)(a)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;","links":[{"href":"#ps-3.3_smt.a","rel":"assessment-for"}]},{"id":"ps-3.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-03(03)(b)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.","links":[{"href":"#ps-3.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-3.3_smt","rel":"assessment-for"}]},{"id":"ps-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring valid access authorizations for information requiring special protection\n\norganizational process for additional personnel screening for information requiring special protection"}]}]},{"id":"ps-3.4","class":"SP800-53-enhancement","title":"Citizenship Requirements","params":[{"id":"ps-03.04_odp.01","props":[{"name":"alt-identifier","value":"ps-3.4_prm_1"},{"name":"label","value":"PS-03(04)_ODP[01]","class":"sp800-53a"}],"label":"information types","guidelines":[{"prose":"information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet {{ insert: param, ps-03.04_odp.02 }} are defined;"}]},{"id":"ps-03.04_odp.02","props":[{"name":"alt-identifier","value":"ps-3.4_prm_2"},{"name":"label","value":"PS-03(04)_ODP[02]","class":"sp800-53a"}],"label":"citizenship requirements","guidelines":[{"prose":"citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined;"}]}],"props":[{"name":"label","value":"PS-3(4)"},{"name":"label","value":"PS-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ps-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-3","rel":"required"}],"parts":[{"id":"ps-3.4_smt","name":"statement","prose":"Verify that individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}."},{"id":"ps-3.4_gdn","name":"guidance","prose":"None."},{"id":"ps-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-03(04)","class":"sp800-53a"}],"prose":"individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}.","links":[{"href":"#ps-3.4_smt","rel":"assessment-for"}]},{"id":"ps-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\naccess control policy, procedures addressing personnel screening\n\nrecords of screened personnel\n\nscreening criteria\n\nrecords of access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring valid access authorizations for information requiring citizenship\n\norganizational process for additional personnel screening for information requiring citizenship"}]}]}]},{"id":"ps-4","class":"SP800-53","title":"Personnel Termination","params":[{"id":"ps-04_odp.01","props":[{"name":"alt-identifier","value":"ps-4_prm_1"},{"name":"label","value":"PS-04_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period within which to disable system access is defined;"}]},{"id":"ps-04_odp.02","props":[{"name":"alt-identifier","value":"ps-4_prm_2"},{"name":"label","value":"PS-04_ODP[02]","class":"sp800-53a"}],"label":"information security topics","guidelines":[{"prose":"information security topics to be discussed when conducting exit interviews are defined;"}]}],"props":[{"name":"label","value":"PS-4"},{"name":"label","value":"PS-04","class":"sp800-53a"},{"name":"sort-id","value":"ps-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-4_smt","name":"statement","prose":"Upon termination of individual employment:","parts":[{"id":"ps-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Disable system access within {{ insert: param, ps-04_odp.01 }};"},{"id":"ps-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Terminate or revoke any authenticators and credentials associated with the individual;"},{"id":"ps-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Conduct exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }};"},{"id":"ps-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Retrieve all security-related organizational system-related property; and"},{"id":"ps-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Retain access to organizational information and systems formerly controlled by terminated individual."}]},{"id":"ps-4_gdn","name":"guidance","prose":"System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."},{"id":"ps-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04","class":"sp800-53a"}],"parts":[{"id":"ps-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04a.","class":"sp800-53a"}],"prose":"upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};","links":[{"href":"#ps-4_smt.a","rel":"assessment-for"}]},{"id":"ps-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04b.","class":"sp800-53a"}],"prose":"upon termination of individual employment, any authenticators and credentials are terminated or revoked;","links":[{"href":"#ps-4_smt.b","rel":"assessment-for"}]},{"id":"ps-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-04c.","class":"sp800-53a"}],"prose":"upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;","links":[{"href":"#ps-4_smt.c","rel":"assessment-for"}]},{"id":"ps-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-04d.","class":"sp800-53a"}],"prose":"upon termination of individual employment, all security-related organizational system-related property is retrieved;","links":[{"href":"#ps-4_smt.d","rel":"assessment-for"}]},{"id":"ps-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-04e.","class":"sp800-53a"}],"prose":"upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.","links":[{"href":"#ps-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-4_smt","rel":"assessment-for"}]},{"id":"ps-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nrecords of personnel termination actions\n\nlist of system accounts\n\nrecords of terminated or revoked authenticators\/credentials\n\nrecords of exit interviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nmechanisms supporting and\/or implementing personnel termination notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}],"controls":[{"id":"ps-4.1","class":"SP800-53-enhancement","title":"Post-employment Requirements","props":[{"name":"label","value":"PS-4(1)"},{"name":"label","value":"PS-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.1_smt","name":"statement","parts":[{"id":"ps-4.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and"},{"id":"ps-4.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require terminated individuals to sign an acknowledgment of post-employment requirements as part of the organizational termination process."}]},{"id":"ps-4.1_gdn","name":"guidance","prose":"Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals."},{"id":"ps-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)","class":"sp800-53a"}],"parts":[{"id":"ps-4.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)(a)","class":"sp800-53a"}],"prose":"terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;","links":[{"href":"#ps-4.1_smt.a","rel":"assessment-for"}]},{"id":"ps-4.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-04(01)(b)","class":"sp800-53a"}],"prose":"terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.","links":[{"href":"#ps-4.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-4.1_smt","rel":"assessment-for"}]},{"id":"ps-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsigned post-employment acknowledgement forms\n\nlist of applicable, legally binding post-employment requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-employment requirements"}]}]},{"id":"ps-4.2","class":"SP800-53-enhancement","title":"Automated Actions","params":[{"id":"ps-04.02_odp.01","props":[{"name":"alt-identifier","value":"ps-4.2_prm_1"},{"name":"label","value":"PS-04(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to notify personnel or roles of individual termination actions and\/or to disable access to system resources are defined;"}]},{"id":"ps-04.02_odp.02","props":[{"name":"alt-identifier","value":"ps-4.2_prm_2"},{"name":"label","value":"PS-04(02)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notify {{ insert: param, ps-04.02_odp.03 }} of individual termination actions","disable access to system resources"]}},{"id":"ps-04.02_odp.03","props":[{"name":"alt-identifier","value":"ps-4.2_prm_3"},{"name":"label","value":"PS-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified upon termination of an individual is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"PS-4(2)"},{"name":"label","value":"PS-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ps-4","rel":"required"}],"parts":[{"id":"ps-4.2_smt","name":"statement","prose":"Use {{ insert: param, ps-04.02_odp.01 }} to {{ insert: param, ps-04.02_odp.02 }}."},{"id":"ps-4.2_gdn","name":"guidance","prose":"In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated."},{"id":"ps-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.","links":[{"href":"#ps-4.2_smt","rel":"assessment-for"}]},{"id":"ps-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel termination\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of personnel termination actions\n\nautomated notifications of employee terminations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel termination\n\nautomated mechanisms supporting and\/or implementing personnel termination notifications"}]}]}]},{"id":"ps-5","class":"SP800-53","title":"Personnel Transfer","params":[{"id":"ps-05_odp.01","props":[{"name":"alt-identifier","value":"ps-5_prm_1"},{"name":"label","value":"PS-05_ODP[01]","class":"sp800-53a"}],"label":"transfer or reassignment actions","guidelines":[{"prose":"transfer or reassignment actions to be initiated following transfer or reassignment are defined;"}]},{"id":"ps-05_odp.02","props":[{"name":"alt-identifier","value":"ps-5_prm_2"},{"name":"label","value":"PS-05_ODP[02]","class":"sp800-53a"}],"label":"time period following the formal transfer action","guidelines":[{"prose":"the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;"}]},{"id":"ps-05_odp.03","props":[{"name":"alt-identifier","value":"ps-5_prm_3"},{"name":"label","value":"PS-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is\/are defined;"}]},{"id":"ps-05_odp.04","props":[{"name":"alt-identifier","value":"ps-5_prm_4"},{"name":"label","value":"PS-05_ODP[04]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;"}]}],"props":[{"name":"label","value":"PS-5"},{"name":"label","value":"PS-05","class":"sp800-53a"},{"name":"sort-id","value":"ps-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ac-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-7","rel":"related"}],"parts":[{"id":"ps-5_smt","name":"statement","parts":[{"id":"ps-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;"},{"id":"ps-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};"},{"id":"ps-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and"},{"id":"ps-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}."}]},{"id":"ps-5_gdn","name":"guidance","prose":"Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts."},{"id":"ps-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-05","class":"sp800-53a"}],"parts":[{"id":"ps-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-05a.","class":"sp800-53a"}],"prose":"the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;","links":[{"href":"#ps-5_smt.a","rel":"assessment-for"}]},{"id":"ps-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};","links":[{"href":"#ps-5_smt.b","rel":"assessment-for"}]},{"id":"ps-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-05c.","class":"sp800-53a"}],"prose":"access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;","links":[{"href":"#ps-5_smt.c","rel":"assessment-for"}]},{"id":"ps-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-05d.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.","links":[{"href":"#ps-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#ps-5_smt","rel":"assessment-for"}]},{"id":"ps-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing personnel transfer\n\nrecords of personnel transfer actions\n\nlist of system and facility access authorizations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with account management responsibilities\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personnel transfer\n\nmechanisms supporting and\/or implementing personnel transfer notifications\n\nmechanisms for disabling system access\/revoking authenticators"}]}]},{"id":"ps-6","class":"SP800-53","title":"Access Agreements","params":[{"id":"ps-06_odp.01","props":[{"name":"alt-identifier","value":"ps-6_prm_1"},{"name":"label","value":"PS-06_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update access agreements is defined;"}]},{"id":"ps-06_odp.02","props":[{"name":"alt-identifier","value":"ps-6_prm_2"},{"name":"label","value":"PS-06_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to re-sign access agreements to maintain access to organizational information is defined;"}]}],"props":[{"name":"label","value":"PS-6"},{"name":"label","value":"PS-06","class":"sp800-53a"},{"name":"sort-id","value":"ps-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#pe-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ps-6_smt","name":"statement","parts":[{"id":"ps-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and document access agreements for organizational systems;"},{"id":"ps-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the access agreements {{ insert: param, ps-06_odp.01 }} ; and"},{"id":"ps-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that individuals requiring access to organizational information and systems:","parts":[{"id":"ps-6_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Sign appropriate access agreements prior to being granted access; and"},{"id":"ps-6_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."}]}]},{"id":"ps-6_gdn","name":"guidance","prose":"Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy."},{"id":"ps-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06a.","class":"sp800-53a"}],"prose":"access agreements are developed and documented for organizational systems;","links":[{"href":"#ps-6_smt.a","rel":"assessment-for"}]},{"id":"ps-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06b.","class":"sp800-53a"}],"prose":"the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};","links":[{"href":"#ps-6_smt.b","rel":"assessment-for"}]},{"id":"ps-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.","class":"sp800-53a"}],"parts":[{"id":"ps-6_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.01","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;","links":[{"href":"#ps-6_smt.c.1","rel":"assessment-for"}]},{"id":"ps-6_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PS-06c.02","class":"sp800-53a"}],"prose":"individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.","links":[{"href":"#ps-6_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6_smt","rel":"assessment-for"}]},{"id":"ps-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing access agreements for organizational information and systems\n\naccess control policy\n\naccess control procedures\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\ndocumentation of access agreement reviews, updates, and re-signing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ps-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed\/resigned access agreements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing, updating, and re-signing access agreements\n\nmechanisms supporting the reviewing, updating, and re-signing of access agreements"}]}],"controls":[{"id":"ps-6.1","class":"SP800-53-enhancement","title":"Information Requiring Special Protection","props":[{"name":"label","value":"PS-6(1)"},{"name":"label","value":"PS-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ps-3","rel":"incorporated-into"}]},{"id":"ps-6.2","class":"SP800-53-enhancement","title":"Classified Information Requiring Special Protection","props":[{"name":"label","value":"PS-6(2)"},{"name":"label","value":"PS-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-6","rel":"required"}],"parts":[{"id":"ps-6.2_smt","name":"statement","prose":"Verify that access to classified information requiring special protection is granted only to individuals who:","parts":[{"id":"ps-6.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Have a valid access authorization that is demonstrated by assigned official government duties;"},{"id":"ps-6.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Satisfy associated personnel security criteria; and"},{"id":"ps-6.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Have read, understood, and signed a nondisclosure agreement."}]},{"id":"ps-6.2_gdn","name":"guidance","prose":"Classified information that requires special protection includes collateral information, Special Access Program (SAP) information, and Sensitive Compartmented Information (SCI). Personnel security criteria reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"ps-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)","class":"sp800-53a"}],"parts":[{"id":"ps-6.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(a)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;","links":[{"href":"#ps-6.2_smt.a","rel":"assessment-for"}]},{"id":"ps-6.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(b)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;","links":[{"href":"#ps-6.2_smt.b","rel":"assessment-for"}]},{"id":"ps-6.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-06(02)(c)","class":"sp800-53a"}],"prose":"access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement.","links":[{"href":"#ps-6.2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ps-6.2_smt","rel":"assessment-for"}]},{"id":"ps-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and systems\n\naccess agreements\n\naccess authorizations\n\npersonnel security criteria\n\nsigned non-disclosure agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed non-disclosure agreements\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for access to classified information requiring special protection"}]}]},{"id":"ps-6.3","class":"SP800-53-enhancement","title":"Post-employment Requirements","props":[{"name":"label","value":"PS-6(3)"},{"name":"label","value":"PS-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"ps-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-6","rel":"required"},{"href":"#ps-4","rel":"related"}],"parts":[{"id":"ps-6.3_smt","name":"statement","parts":[{"id":"ps-6.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and"},{"id":"ps-6.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require individuals to sign an acknowledgment of these requirements, if applicable, as part of granting initial access to covered information."}]},{"id":"ps-6.3_gdn","name":"guidance","prose":"Organizations consult with the Office of the General Counsel regarding matters of post-employment requirements on terminated individuals."},{"id":"ps-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)","class":"sp800-53a"}],"parts":[{"id":"ps-6.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)(a)","class":"sp800-53a"}],"prose":"individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;","links":[{"href":"#ps-6.3_smt.a","rel":"assessment-for"}]},{"id":"ps-6.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-06(03)(b)","class":"sp800-53a"}],"prose":"individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.","links":[{"href":"#ps-6.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-6.3_smt","rel":"assessment-for"}]},{"id":"ps-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing access agreements for organizational information and systems\n\nsigned post-employment acknowledgement forms\n\naccess agreements\n\nlist of applicable, legally binding post-employment requirements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel who have signed access agreements that include post-employment requirements\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for post-employment requirements\n\nmechanisms supporting notifications and individual acknowledgements of post-employment requirements"}]}]}]},{"id":"ps-7","class":"SP800-53","title":"External Personnel Security","params":[{"id":"ps-07_odp.01","props":[{"name":"alt-identifier","value":"ps-7_prm_1"},{"name":"label","value":"PS-07_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is\/are defined;"}]},{"id":"ps-07_odp.02","props":[{"name":"alt-identifier","value":"ps-7_prm_2"},{"name":"label","value":"PS-07_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges is defined;"}]}],"props":[{"name":"label","value":"PS-7"},{"name":"label","value":"PS-07","class":"sp800-53a"},{"name":"sort-id","value":"ps-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-4","rel":"related"},{"href":"#ps-5","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-21","rel":"related"}],"parts":[{"id":"ps-7_smt","name":"statement","parts":[{"id":"ps-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish personnel security requirements, including security roles and responsibilities for external providers;"},{"id":"ps-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Require external providers to comply with personnel security policies and procedures established by the organization;"},{"id":"ps-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document personnel security requirements;"},{"id":"ps-7_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Require external providers to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges, or who have system privileges within {{ insert: param, ps-07_odp.02 }} ; and"},{"id":"ps-7_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Monitor provider compliance with personnel security requirements."}]},{"id":"ps-7_gdn","name":"guidance","prose":"External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network\/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals."},{"id":"ps-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-07","class":"sp800-53a"}],"parts":[{"id":"ps-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-07a.","class":"sp800-53a"}],"prose":"personnel security requirements are established, including security roles and responsibilities for external providers;","links":[{"href":"#ps-7_smt.a","rel":"assessment-for"}]},{"id":"ps-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-07b.","class":"sp800-53a"}],"prose":"external providers are required to comply with personnel security policies and procedures established by the organization;","links":[{"href":"#ps-7_smt.b","rel":"assessment-for"}]},{"id":"ps-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PS-07c.","class":"sp800-53a"}],"prose":"personnel security requirements are documented;","links":[{"href":"#ps-7_smt.c","rel":"assessment-for"}]},{"id":"ps-7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PS-07d.","class":"sp800-53a"}],"prose":"external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and\/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};","links":[{"href":"#ps-7_smt.d","rel":"assessment-for"}]},{"id":"ps-7_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PS-07e.","class":"sp800-53a"}],"prose":"provider compliance with personnel security requirements is monitored.","links":[{"href":"#ps-7_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#ps-7_smt","rel":"assessment-for"}]},{"id":"ps-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\nprocedures addressing external personnel security\n\nlist of personnel security requirements\n\nacquisition documents\n\nservice-level agreements\n\ncompliance monitoring process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ps-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nexternal providers\n\nsystem\/network administrators\n\norganizational personnel with account management responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"ps-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing and monitoring external personnel security\n\nmechanisms supporting and\/or implementing the monitoring of provider compliance"}]}]},{"id":"ps-8","class":"SP800-53","title":"Personnel Sanctions","params":[{"id":"ps-08_odp.01","props":[{"name":"alt-identifier","value":"ps-8_prm_1"},{"name":"label","value":"PS-08_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be notified when a formal employee sanctions process is initiated is\/are defined;"}]},{"id":"ps-08_odp.02","props":[{"name":"alt-identifier","value":"ps-8_prm_2"},{"name":"label","value":"PS-08_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;"}]}],"props":[{"name":"label","value":"PS-8"},{"name":"label","value":"PS-08","class":"sp800-53a"},{"name":"sort-id","value":"ps-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pl-4","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-1","rel":"related"}],"parts":[{"id":"ps-8_smt","name":"statement","parts":[{"id":"ps-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and"},{"id":"ps-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Notify {{ insert: param, ps-08_odp.01 }} within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."}]},{"id":"ps-8_gdn","name":"guidance","prose":"Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and\/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions."},{"id":"ps-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-08","class":"sp800-53a"}],"parts":[{"id":"ps-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PS-08a.","class":"sp800-53a"}],"prose":"a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;","links":[{"href":"#ps-8_smt.a","rel":"assessment-for"}]},{"id":"ps-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PS-08b.","class":"sp800-53a"}],"prose":"{{ insert: param, ps-08_odp.01 }} is\/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.","links":[{"href":"#ps-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ps-8_smt","rel":"assessment-for"}]},{"id":"ps-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing personnel sanctions\n\naccess agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements)\n\nlist of personnel or roles to be notified of formal employee sanctions\n\nrecords or notifications of formal employee sanctions\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"ps-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\nlegal counsel\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"ps-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing formal employee sanctions\n\nmechanisms supporting and\/or implementing formal employee sanctions notifications"}]}]},{"id":"ps-9","class":"SP800-53","title":"Position Descriptions","props":[{"name":"label","value":"PS-9"},{"name":"label","value":"PS-09","class":"sp800-53a"},{"name":"sort-id","value":"ps-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"}],"parts":[{"id":"ps-9_smt","name":"statement","prose":"Incorporate security and privacy roles and responsibilities into organizational position descriptions."},{"id":"ps-9_gdn","name":"guidance","prose":"Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles."},{"id":"ps-9_obj","name":"assessment-objective","props":[{"name":"label","value":"PS-09","class":"sp800-53a"}],"parts":[{"id":"ps-9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PS-09[01]","class":"sp800-53a"}],"prose":"security roles and responsibilities are incorporated into organizational position descriptions;","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PS-09[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are incorporated into organizational position descriptions.","links":[{"href":"#ps-9_smt","rel":"assessment-for"}]}],"links":[{"href":"#ps-9_smt","rel":"assessment-for"}]},{"id":"ps-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PS-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personnel security policy\n\npersonnel security procedures\n\nprocedures addressing position descriptions\n\nsecurity and privacy position descriptions\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"ps-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PS-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personnel security responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with human capital management responsibilities"}]},{"id":"ps-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PS-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing position descriptions"}]}]}]},{"id":"pt","class":"family","title":"Personally Identifiable Information Processing and Transparency","controls":[{"id":"pt-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"pt-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"pt-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"pt-01_odp.01","props":[{"name":"label","value":"PT-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.02","props":[{"name":"label","value":"PT-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is\/are defined;"}]},{"id":"pt-01_odp.03","props":[{"name":"alt-identifier","value":"pt-1_prm_2"},{"name":"label","value":"PT-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"pt-01_odp.04","props":[{"name":"alt-identifier","value":"pt-1_prm_3"},{"name":"label","value":"PT-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the personally identifiable information processing and transparency policy and procedures is defined;"}]},{"id":"pt-01_odp.05","props":[{"name":"alt-identifier","value":"pt-1_prm_4"},{"name":"label","value":"PT-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;"}]},{"id":"pt-01_odp.06","props":[{"name":"alt-identifier","value":"pt-1_prm_5"},{"name":"label","value":"PT-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;"}]},{"id":"pt-01_odp.07","props":[{"name":"alt-identifier","value":"pt-1_prm_6"},{"name":"label","value":"PT-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;"}]},{"id":"pt-01_odp.08","props":[{"name":"alt-identifier","value":"pt-1_prm_7"},{"name":"label","value":"PT-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"PT-1"},{"name":"label","value":"PT-01","class":"sp800-53a"},{"name":"sort-id","value":"pt-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"pt-1_smt","name":"statement","parts":[{"id":"pt-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, pt-1_prm_1 }}:","parts":[{"id":"pt-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy that:","parts":[{"id":"pt-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"pt-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"pt-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and the associated personally identifiable information processing and transparency controls;"}]},{"id":"pt-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, pt-01_odp.04 }} to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and"},{"id":"pt-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current personally identifiable information processing and transparency:","parts":[{"id":"pt-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, pt-01_odp.05 }} and following {{ insert: param, pt-01_odp.06 }} ; and"},{"id":"pt-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, pt-01_odp.07 }} and following {{ insert: param, pt-01_odp.08 }}."}]}]},{"id":"pt-1_gdn","name":"guidance","prose":"Personally identifiable information processing and transparency policy and procedures address the controls in the PT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of personally identifiable information processing and transparency policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personally identifiable information processing and transparency policy and procedures include assessment or audit findings, breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"pt-1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[01]","class":"sp800-53a"}],"prose":"a personally identifiable information processing and transparency policy is developed and documented;","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[02]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[03]","class":"sp800-53a"}],"prose":"personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.[04]","class":"sp800-53a"}],"prose":"the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};","links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;","links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"pt-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#pt-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.a","rel":"assessment-for"}]},{"id":"pt-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;","links":[{"href":"#pt-1_smt.b","rel":"assessment-for"}]},{"id":"pt-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};","links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]},{"id":"pt-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.01[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};","links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c.1","rel":"assessment-for"}]},{"id":"pt-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02","class":"sp800-53a"}],"parts":[{"id":"pt-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[01]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};","links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]},{"id":"pt-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"PT-01c.02[02]","class":"sp800-53a"}],"prose":"the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.","links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-1_smt","rel":"assessment-for"}]},{"id":"pt-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"pt-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"pt-2","class":"SP800-53","title":"Authority to Process Personally Identifiable Information","params":[{"id":"pt-02_odp.01","props":[{"name":"alt-identifier","value":"pt-2_prm_1"},{"name":"label","value":"PT-02_ODP[01]","class":"sp800-53a"}],"label":"authority","guidelines":[{"prose":"the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;"}]},{"id":"pt-02_odp.02","props":[{"name":"alt-identifier","value":"pt-2_prm_2"},{"name":"label","value":"PT-02_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information is defined;"}]},{"id":"pt-02_odp.03","props":[{"name":"alt-identifier","value":"pt-2_prm_3"},{"name":"label","value":"PT-02_ODP[03]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the type of processing of personally identifiable information to be restricted is defined;"}]}],"props":[{"name":"label","value":"PT-2"},{"name":"label","value":"PT-02","class":"sp800-53a"},{"name":"sort-id","value":"pt-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-1","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-2_smt","name":"statement","parts":[{"id":"pt-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine and document the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information; and"},{"id":"pt-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Restrict the {{ insert: param, pt-02_odp.03 }} of personally identifiable information to only that which is authorized."}]},{"id":"pt-2_gdn","name":"guidance","prose":"The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.\n\nOrganizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.\n\nOrganizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.\n\nOrganizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information."},{"id":"pt-2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02","class":"sp800-53a"}],"parts":[{"id":"pt-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-02a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;","links":[{"href":"#pt-2_smt.a","rel":"assessment-for"}]},{"id":"pt-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-02b.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.","links":[{"href":"#pt-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-2_smt","rel":"assessment-for"}]},{"id":"pt-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}],"controls":[{"id":"pt-2.1","class":"SP800-53-enhancement","title":"Data Tagging","params":[{"id":"pt-02.01_odp.01","props":[{"name":"alt-identifier","value":"pt-2.1_prm_1"},{"name":"label","value":"PT-02(01)_ODP[01]","class":"sp800-53a"}],"label":"authorized processing","guidelines":[{"prose":"the authorized processing of personally identifiable information is defined;"}]},{"id":"pt-02.01_odp.02","props":[{"name":"alt-identifier","value":"pt-2.1_prm_2"},{"name":"label","value":"PT-02(01)_ODP[02]","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information to be tagged are defined;"}]}],"props":[{"name":"label","value":"PT-2(1)"},{"name":"label","value":"PT-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-2","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-2.1_smt","name":"statement","prose":"Attach data tags containing {{ insert: param, pt-02.01_odp.01 }} to {{ insert: param, pt-02.01_odp.02 }}."},{"id":"pt-2.1_gdn","name":"guidance","prose":"Data tags support the tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools."},{"id":"pt-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02(01)","class":"sp800-53a"}],"prose":"data tags containing {{ insert: param, pt-02.01_odp.01 }} are attached to {{ insert: param, pt-02.01_odp.02 }}.","links":[{"href":"#pt-2.1_smt","rel":"assessment-for"}]},{"id":"pt-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures including procedures addressing data tagging\n\ndata tag definitions\n\ndocumented requirements for use and monitoring of data tagging\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\norganizational processes for data tagging\n\nmechanisms for applying and monitoring data tagging\n\nmechanisms supporting and\/or implementing the restriction of personally identifiable information processing"}]}]},{"id":"pt-2.2","class":"SP800-53-enhancement","title":"Automation","params":[{"id":"pt-02.02_odp","props":[{"name":"alt-identifier","value":"pt-2.2_prm_1"},{"name":"label","value":"PT-02(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-2(2)"},{"name":"label","value":"PT-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-2","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-2.2_smt","name":"statement","prose":"Manage enforcement of the authorized processing of personally identifiable information using {{ insert: param, pt-02.02_odp }}."},{"id":"pt-2.2_gdn","name":"guidance","prose":"Automated mechanisms augment verification that only authorized processing is occurring."},{"id":"pt-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-02(02)","class":"sp800-53a"}],"prose":"enforcement of the authorized processing of personally identifiable information is managed using {{ insert: param, pt-02.02_odp }}.","links":[{"href":"#pt-2.2_smt","rel":"assessment-for"}]},{"id":"pt-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nautomated mechanisms supporting and\/or implementing the management of authorized personally identifiable information processing"}]}]}]},{"id":"pt-3","class":"SP800-53","title":"Personally Identifiable Information Processing Purposes","params":[{"id":"pt-03_odp.01","props":[{"name":"alt-identifier","value":"pt-3_prm_1"},{"name":"label","value":"PT-03_ODP[01]","class":"sp800-53a"}],"label":"purpose(s)","guidelines":[{"prose":"the purpose(s) for processing personally identifiable information is\/are defined;"}]},{"id":"pt-03_odp.02","props":[{"name":"alt-identifier","value":"pt-3_prm_2"},{"name":"label","value":"PT-03_ODP[02]","class":"sp800-53a"}],"label":"processing","guidelines":[{"prose":"the processing of personally identifiable information to be restricted is defined;"}]},{"id":"pt-03_odp.03","props":[{"name":"alt-identifier","value":"pt-3_prm_3"},{"name":"label","value":"PT-03_ODP[03]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;"}]},{"id":"pt-03_odp.04","props":[{"name":"alt-identifier","value":"pt-3_prm_4"},{"name":"label","value":"PT-03_ODP[04]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for changing the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3"},{"name":"label","value":"PT-03","class":"sp800-53a"},{"name":"sort-id","value":"pt-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#pt-6","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-3_smt","name":"statement","parts":[{"id":"pt-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify and document the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information;"},{"id":"pt-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Describe the purpose(s) in the public privacy notices and policies of the organization;"},{"id":"pt-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Restrict the {{ insert: param, pt-03_odp.02 }} of personally identifiable information to only that which is compatible with the identified purpose(s); and"},{"id":"pt-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Monitor changes in processing personally identifiable information and implement {{ insert: param, pt-03_odp.03 }} to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."}]},{"id":"pt-3_gdn","name":"guidance","prose":"Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term \"process\" includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements, computer matching notices, and other applicable Federal Register notices.\n\nOrganizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.\n\nOrganizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes."},{"id":"pt-3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-03a.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is\/are identified and documented;","links":[{"href":"#pt-3_smt.a","rel":"assessment-for"}]},{"id":"pt-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[01]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the public privacy notices of the organization;","links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]},{"id":"pt-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03b.[02]","class":"sp800-53a"}],"prose":"the purpose(s) is\/are described in the policies of the organization;","links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt.b","rel":"assessment-for"}]},{"id":"pt-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-03c.","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);","links":[{"href":"#pt-3_smt.c","rel":"assessment-for"}]},{"id":"pt-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.","class":"sp800-53a"}],"parts":[{"id":"pt-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[01]","class":"sp800-53a"}],"prose":"changes in the processing of personally identifiable information are monitored;","links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]},{"id":"pt-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"PT-03d.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.","links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#pt-3_smt","rel":"assessment-for"}]},{"id":"pt-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconfiguration management plan\n\norganizational privacy notices\n\norganizational policies\n\nPrivacy Act statements\n\ncomputer matching notices\n\napplicable Federal Register notices\n\ndocumented requirements for enforcing and monitoring the processing of personally identifiable information\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing the management of authorized personally identifiable information processing\n\norganizational processes for monitoring changes in processing personally identifiable information"}]}],"controls":[{"id":"pt-3.1","class":"SP800-53-enhancement","title":"Data Tagging","params":[{"id":"pt-03.01_odp.01","props":[{"name":"alt-identifier","value":"pt-3.1_prm_2"},{"name":"label","value":"PT-03(01)_ODP[01]","class":"sp800-53a"}],"label":"processing purposes","guidelines":[{"prose":"processing purposes to be contained in data tags are defined;"}]},{"id":"pt-03.01_odp.02","props":[{"name":"alt-identifier","value":"pt-3.1_prm_1"},{"name":"label","value":"PT-03(01)_ODP[02]","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information to be tagged are defined;"}]}],"props":[{"name":"label","value":"PT-3(1)"},{"name":"label","value":"PT-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-3","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-3.1_smt","name":"statement","prose":"Attach data tags containing the following purposes to {{ insert: param, pt-03.01_odp.02 }}: {{ insert: param, pt-03.01_odp.01 }}."},{"id":"pt-3.1_gdn","name":"guidance","prose":"Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools."},{"id":"pt-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03(01)","class":"sp800-53a"}],"prose":"data tags containing {{ insert: param, pt-03.01_odp.01 }} are attached to {{ insert: param, pt-03.01_odp.02 }}.","links":[{"href":"#pt-3.1_smt","rel":"assessment-for"}]},{"id":"pt-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\ndocumented description of how data tags are used to identify personally identifiable information data elements and their authorized uses\n\ndata tag schema\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with data tagging responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing the processing of personally identifiable information\n\nmechanisms supporting and\/or implementing data tagging"}]}]},{"id":"pt-3.2","class":"SP800-53-enhancement","title":"Automation","params":[{"id":"pt-03.02_odp","props":[{"name":"alt-identifier","value":"pt-3.2_prm_1"},{"name":"label","value":"PT-03(02)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms for tracking the processing purposes of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-3(2)"},{"name":"label","value":"PT-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pt-3","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#cm-12","rel":"related"},{"href":"#pm-5","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-10","rel":"related"},{"href":"#si-15","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"pt-3.2_smt","name":"statement","prose":"Track processing purposes of personally identifiable information using {{ insert: param, pt-03.02_odp }}."},{"id":"pt-3.2_gdn","name":"guidance","prose":"Automated mechanisms augment tracking of the processing purposes."},{"id":"pt-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-03(02)","class":"sp800-53a"}],"prose":"the processing purposes of personally identifiable information are tracked using {{ insert: param, pt-03.02_odp }}.","links":[{"href":"#pt-3.2_smt","rel":"assessment-for"}]},{"id":"pt-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\ndata extracts with corresponding data tags\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the enforcement of authorized processing of personally identifiable information\n\nautomated tracking mechanisms"}]}]}]},{"id":"pt-4","class":"SP800-53","title":"Consent","params":[{"id":"pt-04_odp","props":[{"name":"alt-identifier","value":"pt-4_prm_1"},{"name":"label","value":"PT-04_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4"},{"name":"label","value":"PT-04","class":"sp800-53a"},{"name":"sort-id","value":"pt-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-4_smt","name":"statement","prose":"Implement {{ insert: param, pt-04_odp }} for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."},{"id":"pt-4_gdn","name":"guidance","prose":"Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon."},{"id":"pt-4_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.","links":[{"href":"#pt-4_smt","rel":"assessment-for"}]},{"id":"pt-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nevidence of individuals’ consent\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nconsent tools or mechanisms for users to authorize the processing of their personally identifiable information\n\nmechanisms implementing consent"}]}],"controls":[{"id":"pt-4.1","class":"SP800-53-enhancement","title":"Tailored Consent","params":[{"id":"pt-04.01_odp","props":[{"name":"alt-identifier","value":"pt-4.1_prm_1"},{"name":"label","value":"PT-04(01)_ODP","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;"}]}],"props":[{"name":"label","value":"PT-4(1)"},{"name":"label","value":"PT-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.1_smt","name":"statement","prose":"Provide {{ insert: param, pt-04.01_odp }} to allow individuals to tailor processing permissions to selected elements of personally identifiable information."},{"id":"pt-4.1_gdn","name":"guidance","prose":"While some processing may be necessary for the basic functionality of the product or service, other processing may not. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors, such as abandonment of the product or service."},{"id":"pt-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(01)","class":"sp800-53a"}],"prose":"{{ insert: param, pt-04.01_odp }} are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.","links":[{"href":"#pt-4.1_smt","rel":"assessment-for"}]},{"id":"pt-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nconsent tools and mechanisms\n\nconsent presentation or display (user interface)\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for consenting to the processing of personally identifiable information\n\nconsent tools or mechanisms\n\nmechanisms implementing consent"}]}]},{"id":"pt-4.2","class":"SP800-53-enhancement","title":"Just-in-time Consent","params":[{"id":"pt-04.02_odp.01","props":[{"name":"alt-identifier","value":"pt-4.2_prm_1"},{"name":"label","value":"PT-04(02)_ODP[01]","class":"sp800-53a"}],"label":"consent mechanisms","guidelines":[{"prose":"consent mechanisms to be presented to individuals are defined;"}]},{"id":"pt-04.02_odp.02","props":[{"name":"alt-identifier","value":"pt-4.2_prm_2"},{"name":"label","value":"PT-04(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to present consent mechanisms to individuals is defined;"}]},{"id":"pt-04.02_odp.03","props":[{"name":"alt-identifier","value":"pt-4.2_prm_3"},{"name":"label","value":"PT-04(02)_ODP[03]","class":"sp800-53a"}],"label":"personally identifiable information processing","guidelines":[{"prose":"personally identifiable information processing to be presented in conjunction with organization-defined consent mechanisms is defined;"}]}],"props":[{"name":"label","value":"PT-4(2)"},{"name":"label","value":"PT-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.2_smt","name":"statement","prose":"Present {{ insert: param, pt-04.02_odp.01 }} to individuals at {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}."},{"id":"pt-4.2_gdn","name":"guidance","prose":"Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time or in conjunction with specific types of data processing when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or the type of processing creates significant privacy risk. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns."},{"id":"pt-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(02)","class":"sp800-53a"}],"prose":"{{ insert: param, pt-04.02_odp.01 }} are presented to individuals {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}.","links":[{"href":"#pt-4.2_smt","rel":"assessment-for"}]},{"id":"pt-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent policies and procedures\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the collection of personally identifiable information\n\nmechanisms for obtaining just-in-time consent from users for the processing of their personally identifiable information\n\nmechanisms implementing just-in-time consent"}]}]},{"id":"pt-4.3","class":"SP800-53-enhancement","title":"Revocation","params":[{"id":"pt-04.03_odp","props":[{"name":"alt-identifier","value":"pt-4.3_prm_1"},{"name":"label","value":"PT-04(03)_ODP","class":"sp800-53a"}],"label":"tools or mechanisms","guidelines":[{"prose":"the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-4(3)"},{"name":"label","value":"PT-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"pt-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-4","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"pt-4.3_smt","name":"statement","prose":"Implement {{ insert: param, pt-04.03_odp }} for individuals to revoke consent to the processing of their personally identifiable information."},{"id":"pt-4.3_gdn","name":"guidance","prose":"Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities."},{"id":"pt-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-04(03)","class":"sp800-53a"}],"prose":"the {{ insert: param, pt-04.03_odp }} are implemented for individuals to revoke consent to the processing of their personally identifiable information.","links":[{"href":"#pt-4.3_smt","rel":"assessment-for"}]},{"id":"pt-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nconsent revocation policies and procedures\n\nconsent revocation user interface or user experience\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for consenting to the processing of personally identifiable information\n\ntools or mechanisms for implementing consent revocation"}]}]}]},{"id":"pt-5","class":"SP800-53","title":"Privacy Notice","params":[{"id":"pt-05_odp.01","props":[{"name":"alt-identifier","value":"pt-5_prm_1"},{"name":"label","value":"PT-05_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;"}]},{"id":"pt-05_odp.02","props":[{"name":"alt-identifier","value":"pt-5_prm_2"},{"name":"label","value":"PT-05_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be included with the notice about the processing of personally identifiable information is defined;"}]}],"props":[{"name":"label","value":"PT-5"},{"name":"label","value":"PT-05","class":"sp800-53a"},{"name":"sort-id","value":"pt-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-20","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-18","rel":"related"}],"parts":[{"id":"pt-5_smt","name":"statement","prose":"Provide notice to individuals about the processing of personally identifiable information that:","parts":[{"id":"pt-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is available to individuals upon first interacting with an organization, and subsequently at {{ insert: param, pt-05_odp.01 }};"},{"id":"pt-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Is clear and easy-to-understand, expressing information about personally identifiable information processing in plain language;"},{"id":"pt-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identifies the authority that authorizes the processing of personally identifiable information;"},{"id":"pt-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Identifies the purposes for which personally identifiable information is to be processed; and"},{"id":"pt-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Includes {{ insert: param, pt-05_odp.02 }}."}]},{"id":"pt-5_gdn","name":"guidance","prose":"Privacy notices help inform individuals about how their personally identifiable information is being processed by the system or organization. Organizations use privacy notices to inform individuals about how, under what authority, and for what purpose their personally identifiable information is processed, as well as other information such as choices individuals might have with respect to that processing and other parties with whom information is shared. Laws, executive orders, directives, regulations, or policies may require that privacy notices include specific elements or be provided in specific formats. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding when and where to provide privacy notices, as well as elements to include in privacy notices and required formats. In circumstances where laws or government-wide policies do not require privacy notices, organizational policies and determinations may require privacy notices and may serve as a source of the elements to include in privacy notices.\n\nPrivacy risk assessments identify the privacy risks associated with the processing of personally identifiable information and may help organizations determine appropriate elements to include in a privacy notice to manage such risks. To help individuals understand how their information is being processed, organizations write materials in plain language and avoid technical jargon."},{"id":"pt-5_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.","class":"sp800-53a"}],"parts":[{"id":"pt-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[01]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;","links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]},{"id":"pt-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-05a.[02]","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};","links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-5_smt.a","rel":"assessment-for"}]},{"id":"pt-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-05b.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;","links":[{"href":"#pt-5_smt.b","rel":"assessment-for"}]},{"id":"pt-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-05c.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;","links":[{"href":"#pt-5_smt.c","rel":"assessment-for"}]},{"id":"pt-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-05d.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;","links":[{"href":"#pt-5_smt.d","rel":"assessment-for"}]},{"id":"pt-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-05e.","class":"sp800-53a"}],"prose":"a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.","links":[{"href":"#pt-5_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-5_smt","rel":"assessment-for"}]},{"id":"pt-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}],"controls":[{"id":"pt-5.1","class":"SP800-53-enhancement","title":"Just-in-time Notice","params":[{"id":"pt-05.01_odp","props":[{"name":"alt-identifier","value":"pt-5.1_prm_1"},{"name":"label","value":"PT-05(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to present a notice of personally identifiable information processing is defined;"}]}],"props":[{"name":"label","value":"PT-5(1)"},{"name":"label","value":"PT-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pm-21","rel":"related"}],"parts":[{"id":"pt-5.1_smt","name":"statement","prose":"Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}."},{"id":"pt-5.1_gdn","name":"guidance","prose":"Just-in-time notices inform individuals of how organizations process their personally identifiable information at a time when such notices may be most useful to the individuals. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. A just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals. Organizations can use a just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. A just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use a just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns."},{"id":"pt-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(01)","class":"sp800-53a"}],"prose":"a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}.","links":[{"href":"#pt-5.1_smt","rel":"assessment-for"}]},{"id":"pt-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with user interface or user experience responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes and implementation support or mechanisms for providing notice to individuals regarding the processing of their personally identifiable information"}]}]},{"id":"pt-5.2","class":"SP800-53-enhancement","title":"Privacy Act Statements","props":[{"name":"label","value":"PT-5(2)"},{"name":"label","value":"PT-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-5","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"pt-5.2_smt","name":"statement","prose":"Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals."},{"id":"pt-5.2_gdn","name":"guidance","prose":"If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.\n\n[PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455)."},{"id":"pt-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-05(02)","class":"sp800-53a"}],"prose":"Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.","links":[{"href":"#pt-5.2_smt","rel":"assessment-for"}]},{"id":"pt-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nforms that include Privacy Act statements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals"}]}]}]},{"id":"pt-6","class":"SP800-53","title":"System of Records Notice","props":[{"name":"label","value":"PT-6"},{"name":"label","value":"PT-06","class":"sp800-53a"},{"name":"sort-id","value":"pt-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#pm-20","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"pt-6_smt","name":"statement","prose":"For systems that process information that will be maintained in a Privacy Act system of records:","parts":[{"id":"pt-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Draft system of records notices in accordance with OMB guidance and submit new and significantly modified system of records notices to the OMB and appropriate congressional committees for advance review;"},{"id":"pt-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Publish system of records notices in the Federal Register; and"},{"id":"pt-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Keep system of records notices accurate, up-to-date, and scoped in accordance with policy."}]},{"id":"pt-6_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and\/or modification of a [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in [OMB A-108](#3671ff20-c17c-44d6-8a88-7de203fa74aa)."},{"id":"pt-6_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.","class":"sp800-53a"}],"parts":[{"id":"pt-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[01]","class":"sp800-53a"}],"prose":"system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]},{"id":"pt-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06a.[02]","class":"sp800-53a"}],"prose":"new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-6_smt.a","rel":"assessment-for"}]},{"id":"pt-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-06b.","class":"sp800-53a"}],"prose":"system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;","links":[{"href":"#pt-6_smt.b","rel":"assessment-for"}]},{"id":"pt-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-06c.","class":"sp800-53a"}],"prose":"system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.","links":[{"href":"#pt-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-6_smt","rel":"assessment-for"}]},{"id":"pt-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}],"controls":[{"id":"pt-6.1","class":"SP800-53-enhancement","title":"Routine Uses","params":[{"id":"pt-06.01_odp","props":[{"name":"alt-identifier","value":"pt-6.1_prm_1"},{"name":"label","value":"PT-06(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all routine uses published in the system of records notice is defined;"}]}],"props":[{"name":"label","value":"PT-6(1)"},{"name":"label","value":"PT-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.1_smt","name":"statement","prose":"Review all routine uses published in the system of records notice at {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."},{"id":"pt-6.1_gdn","name":"guidance","prose":"A [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice."},{"id":"pt-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(01)","class":"sp800-53a"}],"prose":"all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.","links":[{"href":"#pt-6.1_smt","rel":"assessment-for"}]},{"id":"pt-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reviewing system of records notices"}]}]},{"id":"pt-6.2","class":"SP800-53-enhancement","title":"Exemption Rules","params":[{"id":"pt-06.02_odp","props":[{"name":"alt-identifier","value":"pt-6.2_prm_1"},{"name":"label","value":"PT-06(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;"}]}],"props":[{"name":"label","value":"PT-6(2)"},{"name":"label","value":"PT-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-6","rel":"required"}],"parts":[{"id":"pt-6.2_smt","name":"statement","prose":"Review all Privacy Act exemptions claimed for the system of records at {{ insert: param, pt-06.02_odp }} to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice."},{"id":"pt-6.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) . At a minimum, organizations’ [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate."},{"id":"pt-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)","class":"sp800-53a"}],"parts":[{"id":"pt-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[01]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[02]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"PT-06(02)[03]","class":"sp800-53a"}],"prose":"all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.","links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#pt-6.2_smt","rel":"assessment-for"}]},{"id":"pt-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nPrivacy Act exemptions\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for Privacy Act system of records maintenance"}]}]}]},{"id":"pt-7","class":"SP800-53","title":"Specific Categories of Personally Identifiable Information","params":[{"id":"pt-07_odp","props":[{"name":"alt-identifier","value":"pt-7_prm_1"},{"name":"label","value":"PT-07_ODP","class":"sp800-53a"}],"label":"processing conditions","guidelines":[{"prose":"processing conditions to be applied for specific categories of personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"PT-7"},{"name":"label","value":"PT-07","class":"sp800-53a"},{"name":"sort-id","value":"pt-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#ir-9","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"pt-7_smt","name":"statement","prose":"Apply {{ insert: param, pt-07_odp }} for specific categories of personally identifiable information."},{"id":"pt-7_gdn","name":"guidance","prose":"Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary."},{"id":"pt-7_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07","class":"sp800-53a"}],"prose":"{{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.","links":[{"href":"#pt-7_smt","rel":"assessment-for"}]},{"id":"pt-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\ncomputer matching agreements and notices\n\ncontracts\n\nprivacy information sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}],"controls":[{"id":"pt-7.1","class":"SP800-53-enhancement","title":"Social Security Numbers","props":[{"name":"label","value":"PT-7(1)"},{"name":"label","value":"PT-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"},{"href":"#ia-4","rel":"related"}],"parts":[{"id":"pt-7.1_smt","name":"statement","prose":"When a system processes Social Security numbers:","parts":[{"id":"pt-7.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier;"},{"id":"pt-7.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Do not deny any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his or her Social Security number; and"},{"id":"pt-7.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Inform any individual who is asked to disclose his or her Social Security number whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it."}]},{"id":"pt-7.1_gdn","name":"guidance","prose":"Federal law and policy establish specific requirements for organizations’ processing of Social Security numbers. Organizations take steps to eliminate unnecessary uses of Social Security numbers and other sensitive information and observe any particular requirements that apply."},{"id":"pt-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;","links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]},{"id":"pt-7.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(a)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;","links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt.a","rel":"assessment-for"}]},{"id":"pt-7.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(b)","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;","links":[{"href":"#pt-7.1_smt.b","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)","class":"sp800-53a"}],"parts":[{"id":"pt-7.1_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[01]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[02]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]},{"id":"pt-7.1_obj.c-3","name":"assessment-objective","props":[{"name":"label","value":"PT-07(01)(c)[03]","class":"sp800-53a"}],"prose":"when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.","links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#pt-7.1_smt","rel":"assessment-for"}]},{"id":"pt-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy notice\n\nseparate notice regarding the use of Social Security numbers\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers\n\nimplementation of an alternative to Social Security numbers as identifiers"}]}]},{"id":"pt-7.2","class":"SP800-53-enhancement","title":"First Amendment Information","props":[{"name":"label","value":"PT-7(2)"},{"name":"label","value":"PT-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"pt-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#pt-7","rel":"required"}],"parts":[{"id":"pt-7.2_smt","name":"statement","prose":"Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."},{"id":"pt-7.2_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements."},{"id":"pt-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-07(02)","class":"sp800-53a"}],"prose":"the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.","links":[{"href":"#pt-7.2_smt","rel":"assessment-for"}]},{"id":"pt-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing"}]}]}]},{"id":"pt-8","class":"SP800-53","title":"Computer Matching Requirements","props":[{"name":"label","value":"PT-8"},{"name":"label","value":"PT-08","class":"sp800-53a"},{"name":"sort-id","value":"pt-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#94c64e1a-456c-457f-86da-83ac0dfc85ac","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#3671ff20-c17c-44d6-8a88-7de203fa74aa","rel":"reference"},{"href":"#pm-24","rel":"related"}],"parts":[{"id":"pt-8_smt","name":"statement","prose":"When a system or organization processes information for the purpose of conducting a matching program:","parts":[{"id":"pt-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain approval from the Data Integrity Board to conduct the matching program;"},{"id":"pt-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Develop and enter into a computer matching agreement;"},{"id":"pt-8_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Publish a matching notice in the Federal Register;"},{"id":"pt-8_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and"},{"id":"pt-8_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual."}]},{"id":"pt-8_gdn","name":"guidance","prose":"The [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any."},{"id":"pt-8_obj","name":"assessment-objective","props":[{"name":"label","value":"PT-08","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"PT-08a.","class":"sp800-53a"}],"prose":"approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.a","rel":"assessment-for"}]},{"id":"pt-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[01]","class":"sp800-53a"}],"prose":"a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]},{"id":"pt-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08b.[02]","class":"sp800-53a"}],"prose":"a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt.b","rel":"assessment-for"}]},{"id":"pt-8_obj.c","name":"assessment-objective","props":[{"name":"label","value":"PT-08c.","class":"sp800-53a"}],"prose":"a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.c","rel":"assessment-for"}]},{"id":"pt-8_obj.d","name":"assessment-objective","props":[{"name":"label","value":"PT-08d.","class":"sp800-53a"}],"prose":"the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.d","rel":"assessment-for"}]},{"id":"pt-8_obj.e","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.","class":"sp800-53a"}],"parts":[{"id":"pt-8_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[01]","class":"sp800-53a"}],"prose":"individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;","links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]},{"id":"pt-8_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"PT-08e.[02]","class":"sp800-53a"}],"prose":"individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.","links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#pt-8_smt","rel":"assessment-for"}]},{"id":"pt-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"PT-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Personally identifiable information processing and transparency policy and procedures\n\nprivacy notice\n\nPrivacy Act system of records\n\nFederal Register notices\n\nData Integrity Board determinations\n\ncontracts\n\ninformation sharing agreements\n\nmemoranda of understanding\n\ngoverning requirements\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"pt-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"PT-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with personally identifiable information processing and transparency responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"pt-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"PT-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for supporting and\/or implementing personally identifiable information processing\n\nmatching program"}]}]}]},{"id":"ra","class":"family","title":"Risk Assessment","controls":[{"id":"ra-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"ra-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"ra-01_odp.01","props":[{"name":"label","value":"RA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment policy is to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.02","props":[{"name":"label","value":"RA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the risk assessment procedures are to be disseminated is\/are defined;"}]},{"id":"ra-01_odp.03","props":[{"name":"alt-identifier","value":"ra-1_prm_2"},{"name":"label","value":"RA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"ra-01_odp.04","props":[{"name":"alt-identifier","value":"ra-1_prm_3"},{"name":"label","value":"RA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the risk assessment policy and procedures is defined;"}]},{"id":"ra-01_odp.05","props":[{"name":"alt-identifier","value":"ra-1_prm_4"},{"name":"label","value":"RA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment policy is reviewed and updated is defined;"}]},{"id":"ra-01_odp.06","props":[{"name":"alt-identifier","value":"ra-1_prm_5"},{"name":"label","value":"RA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current risk assessment policy to be reviewed and updated are defined;"}]},{"id":"ra-01_odp.07","props":[{"name":"alt-identifier","value":"ra-1_prm_6"},{"name":"label","value":"RA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current risk assessment procedures are reviewed and updated is defined;"}]},{"id":"ra-01_odp.08","props":[{"name":"alt-identifier","value":"ra-1_prm_7"},{"name":"label","value":"RA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require risk assessment procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"RA-1"},{"name":"label","value":"RA-01","class":"sp800-53a"},{"name":"sort-id","value":"ra-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-1_smt","name":"statement","parts":[{"id":"ra-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, ra-1_prm_1 }}:","parts":[{"id":"ra-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, ra-01_odp.03 }} risk assessment policy that:","parts":[{"id":"ra-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"ra-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"ra-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;"}]},{"id":"ra-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, ra-01_odp.04 }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and"},{"id":"ra-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current risk assessment:","parts":[{"id":"ra-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, ra-01_odp.05 }} and following {{ insert: param, ra-01_odp.06 }} ; and"},{"id":"ra-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, ra-01_odp.07 }} and following {{ insert: param, ra-01_odp.08 }}."}]}]},{"id":"ra-1_gdn","name":"guidance","prose":"Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"ra-1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[01]","class":"sp800-53a"}],"prose":"a risk assessment policy is developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[02]","class":"sp800-53a"}],"prose":"the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[03]","class":"sp800-53a"}],"prose":"risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.[04]","class":"sp800-53a"}],"prose":"the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};","links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;","links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"ra-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#ra-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.a","rel":"assessment-for"}]},{"id":"ra-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;","links":[{"href":"#ra-1_smt.b","rel":"assessment-for"}]},{"id":"ra-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[01]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.01[02]","class":"sp800-53a"}],"prose":"the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};","links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.1","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02","class":"sp800-53a"}],"parts":[{"id":"ra-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[01]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]},{"id":"ra-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"RA-01c.02[02]","class":"sp800-53a"}],"prose":"the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.","links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-1_smt","rel":"assessment-for"}]},{"id":"ra-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy and procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]}]},{"id":"ra-2","class":"SP800-53","title":"Security Categorization","props":[{"name":"label","value":"RA-2"},{"name":"label","value":"RA-02","class":"sp800-53a"},{"name":"sort-id","value":"ra-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#4e4fbc93-333d-45e6-a875-de36b878b6b9","rel":"reference"},{"href":"#c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#ra-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-2_smt","name":"statement","parts":[{"id":"ra-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Categorize the system and information it processes, stores, and transmits;"},{"id":"ra-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document the security categorization results, including supporting rationale, in the security plan for the system; and"},{"id":"ra-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."}]},{"id":"ra-2_gdn","name":"guidance","prose":"Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) provides additional guidance on categorization for national security systems.\n\nOrganizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with [USA PATRIOT](#13f0c39d-eaf7-417a-baef-69a041878bb5) and Homeland Security Presidential Directives, potential national-level adverse impacts.\n\nSecurity categorization processes facilitate the development of inventories of information assets and, along with [CM-8](#cm-8) , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant."},{"id":"ra-2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02","class":"sp800-53a"}],"parts":[{"id":"ra-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-02a.","class":"sp800-53a"}],"prose":"the system and the information it processes, stores, and transmits are categorized;","links":[{"href":"#ra-2_smt.a","rel":"assessment-for"}]},{"id":"ra-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-02b.","class":"sp800-53a"}],"prose":"the security categorization results, including supporting rationale, are documented in the security plan for the system;","links":[{"href":"#ra-2_smt.b","rel":"assessment-for"}]},{"id":"ra-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-02c.","class":"sp800-53a"}],"prose":"the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.","links":[{"href":"#ra-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#ra-2_smt","rel":"assessment-for"}]},{"id":"ra-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}],"controls":[{"id":"ra-2.1","class":"SP800-53-enhancement","title":"Impact-level Prioritization","props":[{"name":"label","value":"RA-2(1)"},{"name":"label","value":"RA-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#ra-2","rel":"required"}],"parts":[{"id":"ra-2.1_smt","name":"statement","prose":"Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels."},{"id":"ra-2.1_gdn","name":"guidance","prose":"Organizations apply the \"high-water mark\" concept to each system categorized in accordance with [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) , resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making, can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems. Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and information exchanges. Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems. Alternatively, organizations can apply the guidance in [CNSSI 1253](#4e4fbc93-333d-45e6-a875-de36b878b6b9) for security objective-related categorization."},{"id":"ra-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-02(01)","class":"sp800-53a"}],"prose":"an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.","links":[{"href":"#ra-2.1_smt","rel":"assessment-for"}]},{"id":"ra-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing security categorization of organizational information and systems\n\nsecurity categorization documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security categorization and risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security categorization"}]}]}]},{"id":"ra-3","class":"SP800-53","title":"Risk Assessment","params":[{"id":"ra-03_odp.01","props":[{"name":"alt-identifier","value":"ra-3_prm_1"},{"name":"label","value":"RA-03_ODP[01]","class":"sp800-53a"}],"select":{"choice":["security and privacy plans","risk assessment report","{{ insert: param, ra-03_odp.02 }} "]}},{"id":"ra-03_odp.02","props":[{"name":"alt-identifier","value":"ra-3_prm_2"},{"name":"label","value":"RA-03_ODP[02]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);"}]},{"id":"ra-03_odp.03","props":[{"name":"alt-identifier","value":"ra-3_prm_3"},{"name":"label","value":"RA-03_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to review risk assessment results is defined;"}]},{"id":"ra-03_odp.04","props":[{"name":"alt-identifier","value":"ra-3_prm_4"},{"name":"label","value":"RA-03_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom risk assessment results are to be disseminated is\/are defined;"}]},{"id":"ra-03_odp.05","props":[{"name":"alt-identifier","value":"ra-3_prm_5"},{"name":"label","value":"RA-03_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency to update the risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3"},{"name":"label","value":"RA-03","class":"sp800-53a"},{"name":"sort-id","value":"ra-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-3","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ma-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-8","rel":"related"},{"href":"#pe-18","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"ra-3_smt","name":"statement","parts":[{"id":"ra-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Conduct a risk assessment, including:","parts":[{"id":"ra-3_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Identifying threats to and vulnerabilities in the system;"},{"id":"ra-3_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and"},{"id":"ra-3_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"}]},{"id":"ra-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;"},{"id":"ra-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document risk assessment results in {{ insert: param, ra-03_odp.01 }};"},{"id":"ra-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Review risk assessment results {{ insert: param, ra-03_odp.03 }};"},{"id":"ra-3_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Disseminate risk assessment results to {{ insert: param, ra-03_odp.04 }} ; and"},{"id":"ra-3_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Update the risk assessment {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."}]},{"id":"ra-3_gdn","name":"guidance","prose":"Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.\n\nOrganizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission\/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.\n\nRisk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination."},{"id":"ra-3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.","class":"sp800-53a"}],"parts":[{"id":"ra-3_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.01","class":"sp800-53a"}],"prose":"a risk assessment is conducted to identify threats to and vulnerabilities in the system;","links":[{"href":"#ra-3_smt.a.1","rel":"assessment-for"}]},{"id":"ra-3_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.02","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;","links":[{"href":"#ra-3_smt.a.2","rel":"assessment-for"}]},{"id":"ra-3_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"RA-03a.03","class":"sp800-53a"}],"prose":"a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;","links":[{"href":"#ra-3_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt.a","rel":"assessment-for"}]},{"id":"ra-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03b.","class":"sp800-53a"}],"prose":"risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;","links":[{"href":"#ra-3_smt.b","rel":"assessment-for"}]},{"id":"ra-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-03c.","class":"sp800-53a"}],"prose":"risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};","links":[{"href":"#ra-3_smt.c","rel":"assessment-for"}]},{"id":"ra-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-03d.","class":"sp800-53a"}],"prose":"risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};","links":[{"href":"#ra-3_smt.d","rel":"assessment-for"}]},{"id":"ra-3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-03e.","class":"sp800-53a"}],"prose":"risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};","links":[{"href":"#ra-3_smt.e","rel":"assessment-for"}]},{"id":"ra-3_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-03f.","class":"sp800-53a"}],"prose":"the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.","links":[{"href":"#ra-3_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-3_smt","rel":"assessment-for"}]},{"id":"ra-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nrisk assessment procedures\n\nsecurity and privacy planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}],"controls":[{"id":"ra-3.1","class":"SP800-53-enhancement","title":"Supply Chain Risk Assessment","params":[{"id":"ra-03.01_odp.01","props":[{"name":"alt-identifier","value":"ra-3.1_prm_1"},{"name":"label","value":"RA-03(01)_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, and system services","guidelines":[{"prose":"systems, system components, and system services to assess supply chain risks are defined;"}]},{"id":"ra-03.01_odp.02","props":[{"name":"alt-identifier","value":"ra-3.1_prm_2"},{"name":"label","value":"RA-03(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to update the supply chain risk assessment is defined;"}]}],"props":[{"name":"label","value":"RA-3(1)"},{"name":"label","value":"RA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#ra-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#pm-17","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-3.1_smt","name":"statement","parts":[{"id":"ra-3.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Assess supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} ; and"},{"id":"ra-3.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Update the supply chain risk assessment {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."}]},{"id":"ra-3.1_gdn","name":"guidance","prose":"Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required."},{"id":"ra-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)","class":"sp800-53a"}],"parts":[{"id":"ra-3.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(a)","class":"sp800-53a"}],"prose":"supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;","links":[{"href":"#ra-3.1_smt.a","rel":"assessment-for"}]},{"id":"ra-3.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-03(01)(b)","class":"sp800-53a"}],"prose":"the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.","links":[{"href":"#ra-3.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-3.1_smt","rel":"assessment-for"}]},{"id":"ra-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\ninventory of critical systems, system components, and system services\n\nrisk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of supply chain risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nacquisition policy\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"ra-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"ra-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment"}]}]},{"id":"ra-3.2","class":"SP800-53-enhancement","title":"Use of All-source Intelligence","props":[{"name":"label","value":"RA-3(2)"},{"name":"label","value":"RA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"}],"parts":[{"id":"ra-3.2_smt","name":"statement","prose":"Use all-source intelligence to assist in the analysis of risk."},{"id":"ra-3.2_gdn","name":"guidance","prose":"Organizations employ all-source intelligence to inform engineering, acquisition, and risk management decisions. All-source intelligence consists of information derived from all available sources, including publicly available or open-source information, measurement and signature intelligence, human intelligence, signals intelligence, and imagery intelligence. All-source intelligence is used to analyze the risk of vulnerabilities (both intentional and unintentional) from development, manufacturing, and delivery processes, people, and the environment. The risk analysis may be performed on suppliers at multiple tiers in the supply chain sufficient to manage risks. Organizations may develop agreements to share all-source intelligence information or resulting decisions with other organizations, as appropriate."},{"id":"ra-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(02)","class":"sp800-53a"}],"prose":"all-source intelligence is used to assist in the analysis of risk.","links":[{"href":"#ra-3.2_smt","rel":"assessment-for"}]},{"id":"ra-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk intelligence reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-3.3","class":"SP800-53-enhancement","title":"Dynamic Threat Awareness","params":[{"id":"ra-03.03_odp","props":[{"name":"alt-identifier","value":"ra-3.3_prm_1"},{"name":"label","value":"RA-03(03)_ODP","class":"sp800-53a"}],"label":"means","guidelines":[{"prose":"means to determine the current cyber threat environment on an ongoing basis;"}]}],"props":[{"name":"label","value":"RA-3(3)"},{"name":"label","value":"RA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"},{"href":"#at-2","rel":"related"}],"parts":[{"id":"ra-3.3_smt","name":"statement","prose":"Determine the current cyber threat environment on an ongoing basis using {{ insert: param, ra-03.03_odp }}."},{"id":"ra-3.3_gdn","name":"guidance","prose":"The threat awareness information that is gathered feeds into the organization’s information security operations to ensure that procedures are updated in response to the changing threat environment. For example, at higher threat levels, organizations may change the privilege or authentication thresholds required to perform certain operations."},{"id":"ra-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(03)","class":"sp800-53a"}],"prose":"the current cyber threat environment is determined on an ongoing basis using {{ insert: param, ra-03.03_odp }}.","links":[{"href":"#ra-3.3_smt","rel":"assessment-for"}]},{"id":"ra-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]},{"id":"ra-3.4","class":"SP800-53-enhancement","title":"Predictive Cyber Analytics","params":[{"id":"ra-3.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-03.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-03.04_odp.03"}],"label":"organization-defined advanced automation and analytics capabilities"},{"id":"ra-03.04_odp.01","props":[{"name":"label","value":"RA-03(04)_ODP[01]","class":"sp800-53a"}],"label":"advanced automation capabilities","guidelines":[{"prose":"advanced automation capabilities to predict and identify risks are defined;"}]},{"id":"ra-03.04_odp.02","props":[{"name":"alt-identifier","value":"ra-3.4_prm_1"},{"name":"label","value":"RA-03(04)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components where advanced automation and analytics capabilities are to be employed are defined;"}]},{"id":"ra-03.04_odp.03","props":[{"name":"label","value":"RA-03(04)_ODP[03]","class":"sp800-53a"}],"label":"advanced analytics capabilities","guidelines":[{"prose":"advanced analytics capabilities to predict and identify risks are defined;"}]}],"props":[{"name":"label","value":"RA-3(4)"},{"name":"label","value":"RA-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-3","rel":"required"}],"parts":[{"id":"ra-3.4_smt","name":"statement","prose":"Employ the following advanced automation and analytics capabilities to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}: {{ insert: param, ra-3.4_prm_2 }}."},{"id":"ra-3.4_gdn","name":"guidance","prose":"A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts, including machine learning. Examples include Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), automated workflow operations, and machine assisted decision tools. Note, however, that sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to ensure that sophisticated adversaries are not able to conceal their activities."},{"id":"ra-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)","class":"sp800-53a"}],"parts":[{"id":"ra-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-03.04_odp.01 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }};","links":[{"href":"#ra-3.4_smt","rel":"assessment-for"}]},{"id":"ra-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-03(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-03.04_odp.03 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}.","links":[{"href":"#ra-3.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-3.4_smt","rel":"assessment-for"}]},{"id":"ra-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity planning policy and procedures\n\nprocedures addressing organizational assessments of risk\n\nrisk assessment\n\nrisk assessment results\n\nrisk assessment reviews\n\nrisk assessment updates\n\nrisk reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for risk assessment\n\nmechanisms supporting and\/or conducting, documenting, reviewing, disseminating, and updating the risk assessment"}]}]}]},{"id":"ra-4","class":"SP800-53","title":"Risk Assessment Update","props":[{"name":"label","value":"RA-4"},{"name":"label","value":"RA-04","class":"sp800-53a"},{"name":"sort-id","value":"ra-04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-3","rel":"incorporated-into"}]},{"id":"ra-5","class":"SP800-53","title":"Vulnerability Monitoring and Scanning","params":[{"id":"ra-5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"ra-05_odp.02"}],"label":"organization-defined frequency and\/or randomly in accordance with organization-defined process"},{"id":"ra-05_odp.01","props":[{"name":"label","value":"RA-05_ODP[01]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for monitoring systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.02","props":[{"name":"label","value":"RA-05_ODP[02]","class":"sp800-53a"}],"label":"frequency and\/or randomly in accordance with organization-defined process","guidelines":[{"prose":"frequency for scanning systems and hosted applications for vulnerabilities is defined;"}]},{"id":"ra-05_odp.03","props":[{"name":"alt-identifier","value":"ra-5_prm_2"},{"name":"label","value":"RA-05_ODP[03]","class":"sp800-53a"}],"label":"response times","guidelines":[{"prose":"response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;"}]},{"id":"ra-05_odp.04","props":[{"name":"alt-identifier","value":"ra-5_prm_3"},{"name":"label","value":"RA-05_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;"}]}],"props":[{"name":"label","value":"RA-5"},{"name":"label","value":"RA-05","class":"sp800-53a"},{"name":"sort-id","value":"ra-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#8df72805-2e5c-4731-a73e-81db0f0318d0","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#122177fa-c4ed-485d-8345-3082c0fb9a06","rel":"reference"},{"href":"#8016d2ed-d30f-4416-9c45-0f42c7aa3232","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#d2ebec9b-f868-4ee1-a2bd-0b2282aed248","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"ra-5_smt","name":"statement","parts":[{"id":"ra-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, ra-5_prm_1 }} and when new vulnerabilities potentially affecting the system are identified and reported;"},{"id":"ra-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:","parts":[{"id":"ra-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Enumerating platforms, software flaws, and improper configurations;"},{"id":"ra-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Formatting checklists and test procedures; and"},{"id":"ra-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Measuring vulnerability impact;"}]},{"id":"ra-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Analyze vulnerability scan reports and results from vulnerability monitoring;"},{"id":"ra-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Remediate legitimate vulnerabilities {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"},{"id":"ra-5_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems; and"},{"id":"ra-5_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned."}]},{"id":"ra-5_gdn","name":"guidance","prose":"Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.\n\nVulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).\n\nVulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.\n\nOrganizations may also employ the use of financial incentives (also known as \"bug bounties\" ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points."},{"id":"ra-5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.","class":"sp800-53a"}],"parts":[{"id":"ra-5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[01]","class":"sp800-53a"}],"prose":"systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05a.[02]","class":"sp800-53a"}],"prose":"systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;","links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.a","rel":"assessment-for"}]},{"id":"ra-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;","parts":[{"id":"ra-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.01","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;","links":[{"href":"#ra-5_smt.b.1","rel":"assessment-for"}]},{"id":"ra-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.02","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;","links":[{"href":"#ra-5_smt.b.2","rel":"assessment-for"}]},{"id":"ra-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"RA-05b.03","class":"sp800-53a"}],"prose":"vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;","links":[{"href":"#ra-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt.b","rel":"assessment-for"}]},{"id":"ra-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"RA-05c.","class":"sp800-53a"}],"prose":"vulnerability scan reports and results from vulnerability monitoring are analyzed;","links":[{"href":"#ra-5_smt.c","rel":"assessment-for"}]},{"id":"ra-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"RA-05d.","class":"sp800-53a"}],"prose":"legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;","links":[{"href":"#ra-5_smt.d","rel":"assessment-for"}]},{"id":"ra-5_obj.e","name":"assessment-objective","props":[{"name":"label","value":"RA-05e.","class":"sp800-53a"}],"prose":"information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;","links":[{"href":"#ra-5_smt.e","rel":"assessment-for"}]},{"id":"ra-5_obj.f","name":"assessment-objective","props":[{"name":"label","value":"RA-05f.","class":"sp800-53a"}],"prose":"vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.","links":[{"href":"#ra-5_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#ra-5_smt","rel":"assessment-for"}]},{"id":"ra-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with vulnerability remediation responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning, analysis, remediation, and information sharing\n\nmechanisms supporting and\/or implementing vulnerability scanning, analysis, remediation, and information sharing"}]}],"controls":[{"id":"ra-5.1","class":"SP800-53-enhancement","title":"Update Tool Capability","props":[{"name":"label","value":"RA-5(1)"},{"name":"label","value":"RA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-5","rel":"incorporated-into"}]},{"id":"ra-5.2","class":"SP800-53-enhancement","title":"Update Vulnerabilities to Be Scanned","params":[{"id":"ra-05.02_odp.01","props":[{"name":"alt-identifier","value":"ra-5.2_prm_1"},{"name":"label","value":"RA-05(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, ra-05.02_odp.02 }} ","prior to a new scan","when new vulnerabilities are identified and reported"]}},{"id":"ra-05.02_odp.02","props":[{"name":"alt-identifier","value":"ra-5.2_prm_2"},{"name":"label","value":"RA-05(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for updating the system vulnerabilities to be scanned is defined (if selected);"}]}],"props":[{"name":"label","value":"RA-5(2)"},{"name":"label","value":"RA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#si-5","rel":"related"}],"parts":[{"id":"ra-5.2_smt","name":"statement","prose":"Update the system vulnerabilities to be scanned {{ insert: param, ra-05.02_odp.01 }}."},{"id":"ra-5.2_gdn","name":"guidance","prose":"Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner."},{"id":"ra-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(02)","class":"sp800-53a"}],"prose":"the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.","links":[{"href":"#ra-5.2_smt","rel":"assessment-for"}]},{"id":"ra-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities\n\nsystem\/network administrators"}]},{"id":"ra-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.3","class":"SP800-53-enhancement","title":"Breadth and Depth of Coverage","props":[{"name":"label","value":"RA-5(3)"},{"name":"label","value":"RA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.3_smt","name":"statement","prose":"Define the breadth and depth of vulnerability scanning coverage."},{"id":"ra-5.3_gdn","name":"guidance","prose":"The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. [SP 800-53A](#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d) provides additional information on the breadth and depth of coverage."},{"id":"ra-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(03)","class":"sp800-53a"}],"prose":"the breadth and depth of vulnerability scanning coverage are defined.","links":[{"href":"#ra-5.3_smt","rel":"assessment-for"}]},{"id":"ra-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\nvulnerability scanning tools and associated configuration documentation\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.4","class":"SP800-53-enhancement","title":"Discoverable Information","params":[{"id":"ra-05.04_odp","props":[{"name":"alt-identifier","value":"ra-5.4_prm_1"},{"name":"label","value":"RA-05(04)_ODP","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken if information about the system is discoverable are defined;"}]}],"props":[{"name":"label","value":"RA-5(4)"},{"name":"label","value":"RA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-13","rel":"related"},{"href":"#sc-26","rel":"related"}],"parts":[{"id":"ra-5.4_smt","name":"statement","prose":"Determine information about the system that is discoverable and take {{ insert: param, ra-05.04_odp }}."},{"id":"ra-5.4_gdn","name":"guidance","prose":"Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization."},{"id":"ra-5.4_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)","class":"sp800-53a"}],"parts":[{"id":"ra-5.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[01]","class":"sp800-53a"}],"prose":"information about the system is discoverable;","links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]},{"id":"ra-5.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-05(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.","links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-5.4_smt","rel":"assessment-for"}]},{"id":"ra-5.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Procedures addressing vulnerability scanning\n\nassessment report\n\npenetration test results\n\nvulnerability scanning results\n\nrisk assessment report\n\nrecords of corrective actions taken\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning and\/or penetration testing responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel responsible for risk response\n\norganizational personnel responsible for incident management and response\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for risk response\n\norganizational processes for incident management and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing risk response\n\nmechanisms supporting and\/or implementing incident management and response"}]}]},{"id":"ra-5.5","class":"SP800-53-enhancement","title":"Privileged Access","params":[{"id":"ra-05.05_odp.01","props":[{"name":"alt-identifier","value":"ra-5.5_prm_1"},{"name":"label","value":"RA-05(05)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to which privileged access is authorized for selected vulnerability scanning activities are defined;"}]},{"id":"ra-05.05_odp.02","props":[{"name":"alt-identifier","value":"ra-5.5_prm_2"},{"name":"label","value":"RA-05(05)_ODP[02]","class":"sp800-53a"}],"label":"vulnerability scanning activities","guidelines":[{"prose":"vulnerability scanning activities selected for privileged access authorization to system components are defined;"}]}],"props":[{"name":"label","value":"RA-5(5)"},{"name":"label","value":"RA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.5_smt","name":"statement","prose":"Implement privileged access authorization to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."},{"id":"ra-5.5_gdn","name":"guidance","prose":"In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning."},{"id":"ra-5.5_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(05)","class":"sp800-53a"}],"prose":"privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.","links":[{"href":"#ra-5.5_smt","rel":"assessment-for"}]},{"id":"ra-5.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components for vulnerability scanning\n\npersonnel access authorization list\n\nauthorization credentials\n\naccess authorization records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\nsystem\/network administrators\n\norganizational personnel responsible for access control to the system\n\norganizational personnel responsible for configuration management of the system\n\nsystem developers\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational processes for access control\n\nmechanisms supporting and\/or implementing access control\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning"}]}]},{"id":"ra-5.6","class":"SP800-53-enhancement","title":"Automated Trend Analyses","params":[{"id":"ra-05.06_odp","props":[{"name":"alt-identifier","value":"ra-5.6_prm_1"},{"name":"label","value":"RA-05(06)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to compare the results of multiple vulnerability scans are defined;"}]}],"props":[{"name":"label","value":"RA-5(6)"},{"name":"label","value":"RA-05(06)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.6_smt","name":"statement","prose":"Compare the results of multiple vulnerability scans using {{ insert: param, ra-05.06_odp }}."},{"id":"ra-5.6_gdn","name":"guidance","prose":"Using automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack."},{"id":"ra-5.6_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(06)","class":"sp800-53a"}],"prose":"the results of multiple vulnerability scans are compared using {{ insert: param, ra-05.06_odp }}.","links":[{"href":"#ra-5.6_smt","rel":"assessment-for"}]},{"id":"ra-5.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nsystem design documentation\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nautomated mechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nautomated mechanisms supporting and\/or implementing trend analysis of vulnerability scan results"}]}]},{"id":"ra-5.7","class":"SP800-53-enhancement","title":"Automated Detection and Notification of Unauthorized Components","props":[{"name":"label","value":"RA-5(7)"},{"name":"label","value":"RA-05(07)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8","rel":"incorporated-into"}]},{"id":"ra-5.8","class":"SP800-53-enhancement","title":"Review Historic Audit Logs","params":[{"id":"ra-05.08_odp.01","props":[{"name":"alt-identifier","value":"ra-5.8_prm_1"},{"name":"label","value":"RA-05(08)_ODP[01]","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"a system whose historic audit logs are to be reviewed is defined;"}]},{"id":"ra-05.08_odp.02","props":[{"name":"alt-identifier","value":"ra-5.8_prm_2"},{"name":"label","value":"RA-05(08)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period for a potential previous exploit of a system is defined;"}]}],"props":[{"name":"label","value":"RA-5(8)"},{"name":"label","value":"RA-05(08)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"},{"href":"#au-6","rel":"related"},{"href":"#au-11","rel":"related"}],"parts":[{"id":"ra-5.8_smt","name":"statement","prose":"Review historic audit logs to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within an {{ insert: param, ra-05.08_odp.02 }}."},{"id":"ra-5.8_gdn","name":"guidance","prose":"Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack."},{"id":"ra-5.8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(08)","class":"sp800-53a"}],"prose":"historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}.","links":[{"href":"#ra-5.8_smt","rel":"assessment-for"}]},{"id":"ra-5.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\naudit logs\n\nrecords of audit log reviews\n\nvulnerability scanning results\n\npatch and vulnerability management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with audit record review responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\norganizational process for audit record review and response\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms supporting and\/or implementing audit record review"}]}]},{"id":"ra-5.9","class":"SP800-53-enhancement","title":"Penetration Testing and Analyses","props":[{"name":"label","value":"RA-5(9)"},{"name":"label","value":"RA-05(09)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ca-8","rel":"incorporated-into"}]},{"id":"ra-5.10","class":"SP800-53-enhancement","title":"Correlate Scanning Information","props":[{"name":"label","value":"RA-5(10)"},{"name":"label","value":"RA-05(10)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.10_smt","name":"statement","prose":"Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors."},{"id":"ra-5.10_gdn","name":"guidance","prose":"An attack vector is a path or means by which an adversary can gain access to a system in order to deliver malicious code or exfiltrate information. Organizations can use attack trees to show how hostile activities by adversaries interact and combine to produce adverse impacts or negative consequences to systems and organizations. Such information, together with correlated data from vulnerability scanning tools, can provide greater clarity regarding multi-vulnerability and multi-hop attack vectors. The correlation of vulnerability scanning information is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). During such transitions, some system components may inadvertently be unmanaged and create opportunities for adversary exploitation."},{"id":"ra-5.10_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(10)","class":"sp800-53a"}],"prose":"the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.","links":[{"href":"#ra-5.10_smt","rel":"assessment-for"}]},{"id":"ra-5.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\nevent\/vulnerability correlation logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the correlation of vulnerability scan results"}]}]},{"id":"ra-5.11","class":"SP800-53-enhancement","title":"Public Disclosure Program","props":[{"name":"label","value":"RA-5(11)"},{"name":"label","value":"RA-05(11)","class":"sp800-53a"},{"name":"sort-id","value":"ra-05.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ra-5","rel":"required"}],"parts":[{"id":"ra-5.11_smt","name":"statement","prose":"Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."},{"id":"ra-5.11_gdn","name":"guidance","prose":"The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability."},{"id":"ra-5.11_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-05(11)","class":"sp800-53a"}],"prose":"a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.","links":[{"href":"#ra-5.11_smt","rel":"assessment-for"}]},{"id":"ra-5.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-05(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing vulnerability scanning\n\nrisk assessment\n\nvulnerability scanning tools and techniques documentation\n\nvulnerability scanning results\n\nvulnerability management records\n\naudit records\n\npublic reporting channel\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-5.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-05(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with vulnerability scanning responsibilities\n\norganizational personnel with vulnerability scan analysis responsibilities\n\norganizational personnel with security responsibilities"}]},{"id":"ra-5.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-05(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability scanning\n\nmechanisms\/tools supporting and\/or implementing vulnerability scanning\n\nmechanisms implementing the public reporting of vulnerabilities"}]}]}]},{"id":"ra-6","class":"SP800-53","title":"Technical Surveillance Countermeasures Survey","params":[{"id":"ra-06_odp.01","props":[{"name":"alt-identifier","value":"ra-6_prm_1"},{"name":"label","value":"RA-06_ODP[01]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to employ technical surveillance countermeasure surveys are defined;"}]},{"id":"ra-06_odp.02","props":[{"name":"alt-identifier","value":"ra-6_prm_2"},{"name":"label","value":"RA-06_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, ra-06_odp.03 }} ","when {{ insert: param, ra-06_odp.04 }} "]}},{"id":"ra-06_odp.03","props":[{"name":"alt-identifier","value":"ra-6_prm_3"},{"name":"label","value":"RA-06_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);"}]},{"id":"ra-06_odp.04","props":[{"name":"alt-identifier","value":"ra-6_prm_4"},{"name":"label","value":"RA-06_ODP[04]","class":"sp800-53a"}],"label":"events or indicators","guidelines":[{"prose":"events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if selected);"}]}],"props":[{"name":"label","value":"RA-6"},{"name":"label","value":"RA-06","class":"sp800-53a"},{"name":"sort-id","value":"ra-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"ra-6_smt","name":"statement","prose":"Employ a technical surveillance countermeasures survey at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}."},{"id":"ra-6_gdn","name":"guidance","prose":"A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries."},{"id":"ra-6_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-06","class":"sp800-53a"}],"prose":"a technical surveillance countermeasures survey is employed at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}.","links":[{"href":"#ra-6_smt","rel":"assessment-for"}]},{"id":"ra-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nprocedures addressing technical surveillance countermeasures surveys\n\naudit records\/event logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with technical surveillance countermeasures surveys responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for technical surveillance countermeasures surveys\n\nmechanisms\/tools supporting and\/or implementing technical surveillance countermeasure surveys"}]}]},{"id":"ra-7","class":"SP800-53","title":"Risk Response","props":[{"name":"label","value":"RA-7"},{"name":"label","value":"RA-07","class":"sp800-53a"},{"name":"sort-id","value":"ra-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#ir-9","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-28","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"ra-7_smt","name":"statement","prose":"Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."},{"id":"ra-7_gdn","name":"guidance","prose":"Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated."},{"id":"ra-7_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-07","class":"sp800-53a"}],"parts":[{"id":"ra-7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"RA-07[01]","class":"sp800-53a"}],"prose":"findings from security assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"RA-07[02]","class":"sp800-53a"}],"prose":"findings from privacy assessments are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-3","name":"assessment-objective","props":[{"name":"label","value":"RA-07[03]","class":"sp800-53a"}],"prose":"findings from monitoring are responded to in accordance with organizational risk tolerance;","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_obj-4","name":"assessment-objective","props":[{"name":"label","value":"RA-07[04]","class":"sp800-53a"}],"prose":"findings from audits are responded to in accordance with organizational risk tolerance.","links":[{"href":"#ra-7_smt","rel":"assessment-for"}]}],"links":[{"href":"#ra-7_smt","rel":"assessment-for"}]},{"id":"ra-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-8","class":"SP800-53","title":"Privacy Impact Assessments","props":[{"name":"label","value":"RA-8"},{"name":"label","value":"RA-08","class":"sp800-53a"},{"name":"sort-id","value":"ra-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#7b0b9634-741a-4335-b6fa-161228c3a76e","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#d229ae60-51dd-4d7b-a8bf-1f7195cc7561","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cm-13","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#pt-5","rel":"related"},{"href":"#ra-1","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"}],"parts":[{"id":"ra-8_smt","name":"statement","prose":"Conduct privacy impact assessments for systems, programs, or other activities before:","parts":[{"id":"ra-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Developing or procuring information technology that processes personally identifiable information; and"},{"id":"ra-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Initiating a new collection of personally identifiable information that:","parts":[{"id":"ra-8_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Will be processed using information technology; and"},{"id":"ra-8_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."}]}]},{"id":"ra-8_gdn","name":"guidance","prose":"A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.\n\nOrganizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.\n\nTo conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by [EGOV](#7b0b9634-741a-4335-b6fa-161228c3a76e) ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision."},{"id":"ra-8_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-08","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-08a.","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;","links":[{"href":"#ra-8_smt.a","rel":"assessment-for"}]},{"id":"ra-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.","class":"sp800-53a"}],"parts":[{"id":"ra-8_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[01]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;","links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]},{"id":"ra-8_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"RA-08b.[02]","class":"sp800-53a"}],"prose":"privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.","links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-8_smt","rel":"assessment-for"}]},{"id":"ra-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nsecurity and privacy risk assessment reports\n\nacquisitions documents\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"ra-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\nprogram managers\n\nlegal counsel\n\norganizational personnel with security and privacy responsibilities"}]},{"id":"ra-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-9","class":"SP800-53","title":"Criticality Analysis","params":[{"id":"ra-09_odp.01","props":[{"name":"alt-identifier","value":"ra-9_prm_1"},{"name":"label","value":"RA-09_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services to be analyzed for criticality are defined;"}]},{"id":"ra-09_odp.02","props":[{"name":"alt-identifier","value":"ra-9_prm_2"},{"name":"label","value":"RA-09_ODP[02]","class":"sp800-53a"}],"label":"decision points in the system development life cycle","guidelines":[{"prose":"decision points in the system development life cycle when a criticality analysis is to be performed are defined;"}]}],"props":[{"name":"label","value":"RA-9"},{"name":"label","value":"RA-09","class":"sp800-53a"},{"name":"sort-id","value":"ra-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#pm-1","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"ra-9_smt","name":"statement","prose":"Identify critical system components and functions by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."},{"id":"ra-9_gdn","name":"guidance","prose":"Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.\n\nThe operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.\n\nCriticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in [RA-2](#ra-2)."},{"id":"ra-9_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-09","class":"sp800-53a"}],"prose":"critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.","links":[{"href":"#ra-9_smt","rel":"assessment-for"}]},{"id":"ra-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\ncriticality analysis\/finalized criticality for each component\/subcomponent\n\naudit records\/event logs\n\nanalysis reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with assessment and auditing responsibilities\n\norganizational personnel with criticality analysis responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing assessments and auditing"}]}]},{"id":"ra-10","class":"SP800-53","title":"Threat Hunting","params":[{"id":"ra-10_odp","props":[{"name":"alt-identifier","value":"ra-10_prm_1"},{"name":"label","value":"RA-10_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to employ the threat hunting capability is defined;"}]}],"props":[{"name":"label","value":"RA-10"},{"name":"label","value":"RA-10","class":"sp800-53a"},{"name":"sort-id","value":"ra-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-6","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"ra-10_smt","name":"statement","parts":[{"id":"ra-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish and maintain a cyber threat hunting capability to:","parts":[{"id":"ra-10_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Search for indicators of compromise in organizational systems; and"},{"id":"ra-10_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Detect, track, and disrupt threats that evade existing controls; and"}]},{"id":"ra-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the threat hunting capability {{ insert: param, ra-10_odp }}."}]},{"id":"ra-10_gdn","name":"guidance","prose":"Threat hunting is an active means of cyber defense in contrast to traditional protection measures, such as firewalls, intrusion detection and prevention systems, quarantining malicious code in sandboxes, and Security Information and Event Management technologies and systems. Cyber threat hunting involves proactively searching organizational systems, networks, and infrastructure for advanced threats. The objective is to track and disrupt cyber adversaries as early as possible in the attack sequence and to measurably improve the speed and accuracy of organizational responses. Indications of compromise include unusual network traffic, unusual file changes, and the presence of malicious code. Threat hunting teams leverage existing threat intelligence and may create new threat intelligence, which is shared with peer organizations, Information Sharing and Analysis Organizations (ISAO), Information Sharing and Analysis Centers (ISAC), and relevant government departments and agencies."},{"id":"ra-10_obj","name":"assessment-objective","props":[{"name":"label","value":"RA-10","class":"sp800-53a"}],"parts":[{"id":"ra-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.","class":"sp800-53a"}],"parts":[{"id":"ra-10_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.01","class":"sp800-53a"}],"prose":"a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;","links":[{"href":"#ra-10_smt.a.1","rel":"assessment-for"}]},{"id":"ra-10_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"RA-10a.02","class":"sp800-53a"}],"prose":"a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;","links":[{"href":"#ra-10_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#ra-10_smt.a","rel":"assessment-for"}]},{"id":"ra-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"RA-10b.","class":"sp800-53a"}],"prose":"the threat hunting capability is employed {{ insert: param, ra-10_odp }}.","links":[{"href":"#ra-10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#ra-10_smt","rel":"assessment-for"}]},{"id":"ra-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"RA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Risk assessment policy\n\nassessment reports\n\naudit records\/event logs\n\nthreat hunting capability\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"ra-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"RA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with threat hunting responsibilities\n\nsystem\/network administrators\n\norganizational personnel with security responsibilities"}]},{"id":"ra-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"RA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for assessments and audits\n\nmechanisms\/tools supporting and\/or implementing threat hunting capabilities"}]}]}]},{"id":"sa","class":"family","title":"System and Services Acquisition","controls":[{"id":"sa-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sa-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sa-01_odp.01","props":[{"name":"label","value":"SA-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition policy is to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.02","props":[{"name":"label","value":"SA-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and services acquisition procedures are to be disseminated is\/are defined;"}]},{"id":"sa-01_odp.03","props":[{"name":"alt-identifier","value":"sa-1_prm_2"},{"name":"label","value":"SA-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sa-01_odp.04","props":[{"name":"alt-identifier","value":"sa-1_prm_3"},{"name":"label","value":"SA-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and services acquisition policy and procedures is defined;"}]},{"id":"sa-01_odp.05","props":[{"name":"alt-identifier","value":"sa-1_prm_4"},{"name":"label","value":"SA-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition policy is reviewed and updated is defined;"}]},{"id":"sa-01_odp.06","props":[{"name":"alt-identifier","value":"sa-1_prm_5"},{"name":"label","value":"SA-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and services acquisition policy to be reviewed and updated are defined;"}]},{"id":"sa-01_odp.07","props":[{"name":"alt-identifier","value":"sa-1_prm_6"},{"name":"label","value":"SA-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;"}]},{"id":"sa-01_odp.08","props":[{"name":"alt-identifier","value":"sa-1_prm_7"},{"name":"label","value":"SA-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and services acquisition procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SA-1"},{"name":"label","value":"SA-01","class":"sp800-53a"},{"name":"sort-id","value":"sa-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-1_smt","name":"statement","parts":[{"id":"sa-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sa-1_prm_1 }}:","parts":[{"id":"sa-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sa-01_odp.03 }} system and services acquisition policy that:","parts":[{"id":"sa-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sa-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sa-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;"}]},{"id":"sa-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sa-01_odp.04 }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and"},{"id":"sa-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and services acquisition:","parts":[{"id":"sa-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sa-01_odp.05 }} and following {{ insert: param, sa-01_odp.06 }} ; and"},{"id":"sa-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sa-01_odp.07 }} and following {{ insert: param, sa-01_odp.08 }}."}]}]},{"id":"sa-1_gdn","name":"guidance","prose":"System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sa-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[01]","class":"sp800-53a"}],"prose":"a system and services acquisition policy is developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[02]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[03]","class":"sp800-53a"}],"prose":"system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.[04]","class":"sp800-53a"}],"prose":"the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};","links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;","links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sa-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sa-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.a","rel":"assessment-for"}]},{"id":"sa-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;","links":[{"href":"#sa-1_smt.b","rel":"assessment-for"}]},{"id":"sa-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[01]","class":"sp800-53a"}],"prose":"the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};","links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.1","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02","class":"sp800-53a"}],"parts":[{"id":"sa-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]},{"id":"sa-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.","links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-1_smt","rel":"assessment-for"}]},{"id":"sa-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsupply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-2","class":"SP800-53","title":"Allocation of Resources","props":[{"name":"label","value":"SA-2"},{"name":"label","value":"SA-02","class":"sp800-53a"},{"name":"sort-id","value":"sa-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-7","rel":"related"},{"href":"#pm-3","rel":"related"},{"href":"#pm-11","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-2_smt","name":"statement","parts":[{"id":"sa-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;"},{"id":"sa-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and"},{"id":"sa-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation."}]},{"id":"sa-2_gdn","name":"guidance","prose":"Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle."},{"id":"sa-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-02","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[01]","class":"sp800-53a"}],"prose":"the high-level information security requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02a.[02]","class":"sp800-53a"}],"prose":"the high-level privacy requirements for the system or system service are determined in mission and business process planning;","links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.a","rel":"assessment-for"}]},{"id":"sa-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[01]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02b.[02]","class":"sp800-53a"}],"prose":"the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;","links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.b","rel":"assessment-for"}]},{"id":"sa-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.","class":"sp800-53a"}],"parts":[{"id":"sa-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[01]","class":"sp800-53a"}],"prose":"a discrete line item for information security is established in organizational programming and budgeting documentation;","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]},{"id":"sa-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-02c.[02]","class":"sp800-53a"}],"prose":"a discrete line item for privacy is established in organizational programming and budgeting documentation.","links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-2_smt","rel":"assessment-for"}]},{"id":"sa-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nsystem and services acquisition strategy and plans\n\nprocedures addressing the allocation of resources to information security and privacy requirements\n\nprocedures addressing capital planning and investment control\n\norganizational programming and budgeting documentation\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management policy\n\nother relevant documents or records"}]},{"id":"sa-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining information security and privacy requirements\n\norganizational processes for capital planning, programming, and budgeting\n\nmechanisms supporting and\/or implementing organizational capital planning, programming, and budgeting"}]}]},{"id":"sa-3","class":"SP800-53","title":"System Development Life Cycle","params":[{"id":"sa-03_odp","props":[{"name":"alt-identifier","value":"sa-3_prm_1"},{"name":"alt-label","value":"system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-03_ODP","class":"sp800-53a"}],"label":"system-development life cycle","guidelines":[{"prose":"system development life cycle is defined;"}]}],"props":[{"name":"label","value":"SA-3"},{"name":"label","value":"SA-03","class":"sp800-53a"},{"name":"sort-id","value":"sa-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-22","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-3_smt","name":"statement","parts":[{"id":"sa-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Acquire, develop, and manage the system using {{ insert: param, sa-03_odp }} that incorporates information security and privacy considerations;"},{"id":"sa-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document information security and privacy roles and responsibilities throughout the system development life cycle;"},{"id":"sa-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Identify individuals having information security and privacy roles and responsibilities; and"},{"id":"sa-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Integrate the organizational information security and privacy risk management process into system development life cycle activities."}]},{"id":"sa-3_gdn","name":"guidance","prose":"A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in [SA-8](#sa-8) help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.\n\nThe effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle."},{"id":"sa-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[01]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03a.[02]","class":"sp800-53a"}],"prose":"the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;","links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.a","rel":"assessment-for"}]},{"id":"sa-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[01]","class":"sp800-53a"}],"prose":"information security roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03b.[02]","class":"sp800-53a"}],"prose":"privacy roles and responsibilities are defined and documented throughout the system development life cycle;","links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.b","rel":"assessment-for"}]},{"id":"sa-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[01]","class":"sp800-53a"}],"prose":"individuals with information security roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03c.[02]","class":"sp800-53a"}],"prose":"individuals with privacy roles and responsibilities are identified;","links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.c","rel":"assessment-for"}]},{"id":"sa-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.","class":"sp800-53a"}],"parts":[{"id":"sa-3_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[01]","class":"sp800-53a"}],"prose":"organizational information security risk management processes are integrated into system development life cycle activities;","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]},{"id":"sa-3_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03d.[02]","class":"sp800-53a"}],"prose":"organizational privacy risk management processes are integrated into system development life cycle activities.","links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-3_smt","rel":"assessment-for"}]},{"id":"sa-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\norganizational risk management strategy\n\ninformation security and privacy risk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nenterprise architecture documentation\n\nrole-based security and privacy training program documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sa-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}],"controls":[{"id":"sa-3.1","class":"SP800-53-enhancement","title":"Manage Preproduction Environment","props":[{"name":"label","value":"SA-3(1)"},{"name":"label","value":"SA-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"sa-3.1_smt","name":"statement","prose":"Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service."},{"id":"sa-3.1_gdn","name":"guidance","prose":"The preproduction environment includes development, test, and integration environments. The program protection planning processes established by the Department of Defense are examples of managing the preproduction environment for defense contractors. Criticality analysis and the application of controls on developers also contribute to a more secure system development environment."},{"id":"sa-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(01)","class":"sp800-53a"}],"prose":"system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.","links":[{"href":"#sa-3.1_smt","rel":"assessment-for"}]},{"id":"sa-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security and supply chain risk management into the system development life cycle process\n\nsystem development life cycle documentation\n\nprocedures addressing program protection planning\n\ncriticality analysis results\n\nsecurity and supply chain risk management strategy\/program documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and system life cycle development responsibilities\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational process for integrating security risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]},{"id":"sa-3.2","class":"SP800-53-enhancement","title":"Use of Live or Operational Data","props":[{"name":"label","value":"SA-3(2)"},{"name":"label","value":"SA-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#pm-25","rel":"related"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sa-3.2_smt","name":"statement","parts":[{"id":"sa-3.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and"},{"id":"sa-3.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Protect preproduction environments for the system, system component, or system service at the same impact or classification level as any live data in use within the preproduction environments."}]},{"id":"sa-3.2_gdn","name":"guidance","prose":"Live data is also referred to as operational data. The use of live or operational data in preproduction (i.e., development, test, and integration) environments can result in significant risks to organizations. In addition, the use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Therefore, it is important for the organization to manage any additional risks that may result from the use of live or operational data. Organizations can minimize such risks by using test or dummy data during the design, development, and testing of systems, system components, and system services. Risk assessment techniques may be used to determine if the risk of using live or operational data is acceptable."},{"id":"sa-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)","class":"sp800-53a"}],"parts":[{"id":"sa-3.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.","class":"sp800-53a"}],"parts":[{"id":"sa-3.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[01]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is approved for the system, system component, or system service;","links":[{"href":"#sa-3.2_smt.a","rel":"assessment-for"}]},{"id":"sa-3.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[02]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is documented for the system, system component, or system service;","links":[{"href":"#sa-3.2_smt.a","rel":"assessment-for"}]},{"id":"sa-3.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)a.[03]","class":"sp800-53a"}],"prose":"the use of live data in pre-production environments is controlled for the system, system component, or system service;","links":[{"href":"#sa-3.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-3.2_smt.a","rel":"assessment-for"}]},{"id":"sa-3.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-03(02)b.","class":"sp800-53a"}],"prose":"pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.","links":[{"href":"#sa-3.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-3.2_smt","rel":"assessment-for"}]},{"id":"sa-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy into the system development life cycle process\n\nsystem development life cycle documentation\n\nsecurity risk assessment documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\ndata mapping documentation\n\npersonally identifiable information processing policy\n\nprocedures addressing the authority to test with personally identifiable information\n\nprocedures addressing the minimization of personally identifiable information used in testing, training, and research\n\nother relevant documents or records"}]},{"id":"sa-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibility\n\norganizational personnel with system life cycle development responsibilities"}]},{"id":"sa-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes the use of live data in pre-production environments\n\nmechanisms for protecting live data in pre-production environments"}]}]},{"id":"sa-3.3","class":"SP800-53-enhancement","title":"Technology Refresh","props":[{"name":"label","value":"SA-3(3)"},{"name":"label","value":"SA-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-3","rel":"required"},{"href":"#ma-6","rel":"related"}],"parts":[{"id":"sa-3.3_smt","name":"statement","prose":"Plan for and implement a technology refresh schedule for the system throughout the system development life cycle."},{"id":"sa-3.3_gdn","name":"guidance","prose":"Technology refresh planning may encompass hardware, software, firmware, processes, personnel skill sets, suppliers, service providers, and facilities. The use of obsolete or nearing obsolete technology may increase the security and privacy risks associated with unsupported components, counterfeit or repurposed components, components unable to implement security or privacy requirements, slow or inoperable components, components from untrusted sources, inadvertent personnel error, or increased complexity. Technology refreshes typically occur during the operations and maintenance stage of the system development life cycle."},{"id":"sa-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)","class":"sp800-53a"}],"parts":[{"id":"sa-3.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)[01]","class":"sp800-53a"}],"prose":"a technology refresh schedule is planned for the system throughout the system development life cycle;","links":[{"href":"#sa-3.3_smt","rel":"assessment-for"}]},{"id":"sa-3.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-03(03)[02]","class":"sp800-53a"}],"prose":"a technology refresh schedule is implemented for the system throughout the system development life cycle.","links":[{"href":"#sa-3.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-3.3_smt","rel":"assessment-for"}]},{"id":"sa-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing technology refresh planning and implementation\n\nsystem development life cycle documentation\n\ntechnology refresh schedule\n\nsecurity risk assessment documentation\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle development responsibilities"}]},{"id":"sa-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle\n\norganizational processes for identifying system development life cycle roles and responsibilities\n\norganizational processes for integrating security and privacy risk management into the system development life cycle\n\nmechanisms supporting and\/or implementing the system development life cycle"}]}]}]},{"id":"sa-4","class":"SP800-53","title":"Acquisition Process","params":[{"id":"sa-04_odp.01","props":[{"name":"alt-identifier","value":"sa-4_prm_1"},{"name":"label","value":"SA-04_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["standardized contract language","{{ insert: param, sa-04_odp.02 }} "]}},{"id":"sa-04_odp.02","props":[{"name":"alt-identifier","value":"sa-4_prm_2"},{"name":"label","value":"SA-04_ODP[02]","class":"sp800-53a"}],"label":"contract language","guidelines":[{"prose":"contract language is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4"},{"name":"label","value":"SA-04","class":"sp800-53a"},{"name":"sort-id","value":"sa-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","rel":"reference"},{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#06ce9216-bd54-4054-a422-94f358b50a5d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7ba1d91c-3934-4d5a-8532-b32f864ad34c","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#858705be-3c1f-48aa-a328-0ce398d95ef0","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#4b38e961-1125-4a5b-aa35-1d6c02846dad","rel":"reference"},{"href":"#604774da-9e1d-48eb-9c62-4e959dc80737","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#795aff72-3e6c-4b6b-a80a-b14d84b7f544","rel":"reference"},{"href":"#3d575737-98cb-459d-b41c-d7e82b73ad78","rel":"reference"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-21","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-4_smt","name":"statement","prose":"Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service:","parts":[{"id":"sa-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Security and privacy functional requirements;"},{"id":"sa-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Strength of mechanism requirements;"},{"id":"sa-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Security and privacy assurance requirements;"},{"id":"sa-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Controls needed to satisfy the security and privacy requirements."},{"id":"sa-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Security and privacy documentation requirements;"},{"id":"sa-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Requirements for protecting security and privacy documentation;"},{"id":"sa-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Description of the system development environment and environment in which the system is intended to operate;"},{"id":"sa-4_smt.h","name":"item","props":[{"name":"label","value":"h."}],"prose":"Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and"},{"id":"sa-4_smt.i","name":"item","props":[{"name":"label","value":"i."}],"prose":"Acceptance criteria."}]},{"id":"sa-4_gdn","name":"guidance","prose":"Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in [SA-2](#sa-2) . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) describes the process of requirements engineering as part of the system development life cycle.\n\nControls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.\n\nSecurity and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement."},{"id":"sa-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[01]","class":"sp800-53a"}],"prose":"security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04a.[02]","class":"sp800-53a"}],"prose":"privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.a","rel":"assessment-for"}]},{"id":"sa-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04b.","class":"sp800-53a"}],"prose":"strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.b","rel":"assessment-for"}]},{"id":"sa-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[01]","class":"sp800-53a"}],"prose":"security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04c.[02]","class":"sp800-53a"}],"prose":"privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.c","rel":"assessment-for"}]},{"id":"sa-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[01]","class":"sp800-53a"}],"prose":"controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04d.[02]","class":"sp800-53a"}],"prose":"controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.d","rel":"assessment-for"}]},{"id":"sa-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[01]","class":"sp800-53a"}],"prose":"security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04e.[02]","class":"sp800-53a"}],"prose":"privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.e","rel":"assessment-for"}]},{"id":"sa-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.f-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[01]","class":"sp800-53a"}],"prose":"requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.f-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04f.[02]","class":"sp800-53a"}],"prose":"requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.f","rel":"assessment-for"}]},{"id":"sa-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SA-04g.","class":"sp800-53a"}],"prose":"the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.g","rel":"assessment-for"}]},{"id":"sa-4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.","class":"sp800-53a"}],"parts":[{"id":"sa-4_obj.h-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[01]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[02]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.h-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04h.[03]","class":"sp800-53a"}],"prose":"the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};","links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt.h","rel":"assessment-for"}]},{"id":"sa-4_obj.i","name":"assessment-objective","props":[{"name":"label","value":"SA-04i.","class":"sp800-53a"}],"prose":"acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.","links":[{"href":"#sa-4_smt.i","rel":"assessment-for"}]}],"links":[{"href":"#sa-4_smt","rel":"assessment-for"}]},{"id":"sa-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process\n\nconfiguration management plan\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security and privacy functional, strength, and assurance requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}],"controls":[{"id":"sa-4.1","class":"SP800-53-enhancement","title":"Functional Properties of Controls","props":[{"name":"label","value":"SA-4(1)"},{"name":"label","value":"SA-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented."},{"id":"sa-4.1_gdn","name":"guidance","prose":"Functional properties of security and privacy controls describe the functionality (i.e., security or privacy capability, functions, or mechanisms) visible at the interfaces of the controls and specifically exclude functionality and data structures internal to the operation of the controls."},{"id":"sa-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.","links":[{"href":"#sa-4.1_smt","rel":"assessment-for"}]},{"id":"sa-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers"}]},{"id":"sa-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining system security functional requirements\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing acquisitions and the inclusion of security and privacy requirements in contracts"}]}]},{"id":"sa-4.2","class":"SP800-53-enhancement","title":"Design and Implementation Information for Controls","params":[{"id":"sa-04.02_odp.01","props":[{"name":"alt-identifier","value":"sa-4.2_prm_1"},{"name":"label","value":"SA-04(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security-relevant external system interfaces","high-level design","low-level design","source code or hardware schematics","{{ insert: param, sa-04.02_odp.02 }} "]}},{"id":"sa-04.02_odp.02","props":[{"name":"alt-identifier","value":"sa-4.2_prm_2"},{"name":"label","value":"SA-04(02)_ODP[02]","class":"sp800-53a"}],"label":"design and implementation information","guidelines":[{"prose":"design and implementation information is defined (if selected);"}]},{"id":"sa-04.02_odp.03","props":[{"name":"alt-identifier","value":"sa-4.2_prm_3"},{"name":"label","value":"SA-04(02)_ODP[03]","class":"sp800-53a"}],"label":"level of detail","guidelines":[{"prose":"level of detail is defined;"}]}],"props":[{"name":"label","value":"SA-4(2)"},{"name":"label","value":"SA-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."},{"id":"sa-4.2_gdn","name":"guidance","prose":"Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system."},{"id":"sa-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(02)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.","links":[{"href":"#sa-4.2_smt","rel":"assessment-for"}]},{"id":"sa-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system components, or system services\n\ndesign and implementation information for controls employed in the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining the level of detail for system design and controls\n\norganizational processes for developing acquisition contracts\n\nmechanisms supporting and\/or implementing the development of system design details"}]}]},{"id":"sa-4.3","class":"SP800-53-enhancement","title":"Development Methods, Techniques, and Practices","params":[{"id":"sa-04.03_odp.01","props":[{"name":"alt-identifier","value":"sa-4.3_prm_1"},{"name":"label","value":"SA-04(03)_ODP[01]","class":"sp800-53a"}],"label":"systems engineering methods","guidelines":[{"prose":"systems engineering methods are defined;"}]},{"id":"sa-04.03_odp.02","props":[{"name":"alt-identifier","value":"sa-4.3_prm_2"},{"name":"alt-label","value":"[Selection (one or more): systems security; privacy] engineering methods","class":"sp800-53"},{"name":"label","value":"SA-04(03)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-04.03_odp.03 }} ","{{ insert: param, sa-04.03_odp.04 }} "]}},{"id":"sa-04.03_odp.03","props":[{"name":"label","value":"SA-04(03)_ODP[03]","class":"sp800-53a"}],"label":"system security engineering methods","guidelines":[{"prose":"system security engineering methods are defined (if selected);"}]},{"id":"sa-04.03_odp.04","props":[{"name":"label","value":"SA-04(03)_ODP[04]","class":"sp800-53a"}],"label":"privacy engineering methods","guidelines":[{"prose":"privacy engineering methods are defined (if selected);"}]},{"id":"sa-04.03_odp.05","props":[{"name":"alt-identifier","value":"sa-4.3_prm_3"},{"name":"alt-label","value":"software development methods; testing, evaluation, assessment, verification, and validation methods; and quality control processes","class":"sp800-53"},{"name":"label","value":"SA-04(03)_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-04.03_odp.06 }} ","{{ insert: param, sa-04.03_odp.07 }} ","{{ insert: param, sa-04.03_odp.08 }} "]}},{"id":"sa-04.03_odp.06","props":[{"name":"label","value":"SA-04(03)_ODP[06]","class":"sp800-53a"}],"label":"software development methods","guidelines":[{"prose":"software development methods are defined (if selected);"}]},{"id":"sa-04.03_odp.07","props":[{"name":"label","value":"SA-04(03)_ODP[07]","class":"sp800-53a"}],"label":"testing, evaluation, assessment, verification, and validation methods","guidelines":[{"prose":"testing, evaluation, assessment, verification, and validation methods are defined (if selected);"}]},{"id":"sa-04.03_odp.08","props":[{"name":"label","value":"SA-04(03)_ODP[08]","class":"sp800-53a"}],"label":"quality control processes","guidelines":[{"prose":"quality control processes are defined (if selected);"}]}],"props":[{"name":"label","value":"SA-4(3)"},{"name":"label","value":"SA-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:","parts":[{"id":"sa-4.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, sa-04.03_odp.01 }};"},{"id":"sa-4.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, sa-04.03_odp.02 }} ; and"},{"id":"sa-4.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"{{ insert: param, sa-04.03_odp.05 }}."}]},{"id":"sa-4.3_gdn","name":"guidance","prose":"Following a system development life cycle that includes state-of-the-practice software development methods, systems engineering methods, systems security and privacy engineering methods, and quality control processes helps to reduce the number and severity of latent errors within systems, system components, and system services. Reducing the number and severity of such errors reduces the number of vulnerabilities in those systems, components, and services. Transparency in the methods and techniques that developers select and implement for systems engineering, systems security and privacy engineering, software development, component and system assessments, and quality control processes provides an increased level of assurance in the trustworthiness of the system, system component, or system service being acquired."},{"id":"sa-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)","class":"sp800-53a"}],"parts":[{"id":"sa-4.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.01 }};","links":[{"href":"#sa-4.3_smt.a","rel":"assessment-for"}]},{"id":"sa-4.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.02 }};","links":[{"href":"#sa-4.3_smt.b","rel":"assessment-for"}]},{"id":"sa-4.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-04(03)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.05 }}.","links":[{"href":"#sa-4.3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.3_smt","rel":"assessment-for"}]},{"id":"sa-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of security and privacy requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nlist of systems security and privacy engineering methods to be included in the developer’s system development life cycle process\n\nlist of software development methods to be included in the developer’s system development life cycle process\n\nlist of testing, evaluation, or validation techniques to be included in the developer’s system development life cycle process\n\nlist of quality control processes to be included in the developer’s system development life cycle process\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system life cycle responsibilities\n\nsystem developers or service provider"}]},{"id":"sa-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for development methods, techniques, and processes"}]}]},{"id":"sa-4.4","class":"SP800-53-enhancement","title":"Assignment of Components to Systems","props":[{"name":"label","value":"SA-4(4)"},{"name":"label","value":"SA-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-8.9","rel":"incorporated-into"}]},{"id":"sa-4.5","class":"SP800-53-enhancement","title":"System, Component, and Service Configurations","params":[{"id":"sa-04.05_odp","props":[{"name":"alt-identifier","value":"sa-4.5_prm_1"},{"name":"label","value":"SA-04(05)_ODP","class":"sp800-53a"}],"label":"security configurations","guidelines":[{"prose":"security configurations for the system, component, or service are defined;"}]}],"props":[{"name":"label","value":"SA-4(5)"},{"name":"label","value":"SA-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-4.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented; and"},{"id":"sa-4.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade."}]},{"id":"sa-4.5_gdn","name":"guidance","prose":"Examples of security configurations include the U.S. Government Configuration Baseline (USGCB), Security Technical Implementation Guides (STIGs), and any limitations on functions, ports, protocols, and services. Security characteristics can include requiring that default passwords have been changed."},{"id":"sa-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)","class":"sp800-53a"}],"parts":[{"id":"sa-4.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;","links":[{"href":"#sa-4.5_smt.a","rel":"assessment-for"}]},{"id":"sa-4.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(05)(b)","class":"sp800-53a"}],"prose":"the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.","links":[{"href":"#sa-4.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.5_smt","rel":"assessment-for"}]},{"id":"sa-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\nsystem developers or service provider\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms used to verify that the configuration of the system, component, or service is delivered as specified"}]}]},{"id":"sa-4.6","class":"SP800-53-enhancement","title":"Use of Information Assurance Products","props":[{"name":"label","value":"SA-4(6)"},{"name":"label","value":"SA-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-4.6_smt","name":"statement","parts":[{"id":"sa-4.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted; and"},{"id":"sa-4.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Ensure that these products have been evaluated and\/or validated by NSA or in accordance with NSA-approved procedures."}]},{"id":"sa-4.6_gdn","name":"guidance","prose":"Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See [NSA CSFC](#3d575737-98cb-459d-b41c-d7e82b73ad78)."},{"id":"sa-4.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)","class":"sp800-53a"}],"parts":[{"id":"sa-4.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)(a)","class":"sp800-53a"}],"prose":"only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;","links":[{"href":"#sa-4.6_smt.a","rel":"assessment-for"}]},{"id":"sa-4.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(06)(b)","class":"sp800-53a"}],"prose":"these products have been evaluated and\/or validated by NSA or in accordance with NSA-approved procedures.","links":[{"href":"#sa-4.6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.6_smt","rel":"assessment-for"}]},{"id":"sa-4.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nsecurity configurations to be implemented by the developer of the system, system component, or system service\n\nservice level agreements\n\nlist of deployed IT products\/solutions\n\nNSA-approved list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility to determine system security requirements\n\norganizational personnel responsible for ensuring information assurance products are NSA-approved and are evaluated and\/or validated products in accordance with NSA-approved procedures\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing evaluated and\/or validated information assurance products and services that compose an NSA-approved solution to protect classified information"}]}]},{"id":"sa-4.7","class":"SP800-53-enhancement","title":"NIAP-approved Protection Profiles ","props":[{"name":"label","value":"SA-4(7)"},{"name":"label","value":"SA-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-7","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-4.7_smt","name":"statement","parts":[{"id":"sa-4.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists; and"},{"id":"sa-4.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require, if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that the cryptographic module is FIPS-validated or NSA-approved."}]},{"id":"sa-4.7_gdn","name":"guidance","prose":"See [NIAP CCEVS](#795aff72-3e6c-4b6b-a80a-b14d84b7f544) for additional information on NIAP. See [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) for additional information on FIPS-validated cryptographic modules."},{"id":"sa-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)","class":"sp800-53a"}],"parts":[{"id":"sa-4.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)(a)","class":"sp800-53a"}],"prose":"the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;","links":[{"href":"#sa-4.7_smt.a","rel":"assessment-for"}]},{"id":"sa-4.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(07)(b)","class":"sp800-53a"}],"prose":"if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.","links":[{"href":"#sa-4.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.7_smt","rel":"assessment-for"}]},{"id":"sa-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documents\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nlist of deployed IT products\/solutions\n\nNAIP-approved protection profiles\n\nFIPS-validation information for cryptographic functionality\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel responsible for ensuring that information assurance products have been evaluated against a NIAP-approved protection profile or for ensuring products relying on cryptographic functionality are FIPS-validated\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing products\/services evaluated against a NIAP-approved protection profile or FIPS-validated products"}]}]},{"id":"sa-4.8","class":"SP800-53-enhancement","title":"Continuous Monitoring Plan for Controls","props":[{"name":"label","value":"SA-4(8)"},{"name":"label","value":"SA-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"sa-4.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization."},{"id":"sa-4.8_gdn","name":"guidance","prose":"The objective of continuous monitoring plans is to determine if the planned, required, and deployed controls within the system, system component, or system service continue to be effective over time based on the inevitable changes that occur. Developer continuous monitoring plans include a sufficient level of detail such that the information can be incorporated into continuous monitoring programs implemented by organizations. Continuous monitoring plans can include the types of control assessment and monitoring activities planned, frequency of control monitoring, and actions to be taken when controls fail or become ineffective."},{"id":"sa-4.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(08)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.","links":[{"href":"#sa-4.8_smt","rel":"assessment-for"}]},{"id":"sa-4.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing developer continuous monitoring plans\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\ndeveloper continuous monitoring plans\n\nsecurity assessment plans\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Vendor processes for continuous monitoring\n\nmechanisms supporting and\/or implementing developer continuous monitoring"}]}]},{"id":"sa-4.9","class":"SP800-53-enhancement","title":"Functions, Ports, Protocols, and Services in Use","props":[{"name":"label","value":"SA-4(9)"},{"name":"label","value":"SA-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#cm-7","rel":"related"},{"href":"#sa-9","rel":"related"}],"parts":[{"id":"sa-4.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use."},{"id":"sa-4.9_gdn","name":"guidance","prose":"The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. [SA-9](#sa-9) describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources."},{"id":"sa-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)","class":"sp800-53a"}],"parts":[{"id":"sa-4.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the functions intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the ports intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-04(09)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to identify the services intended for organizational use.","links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.9_smt","rel":"assessment-for"}]},{"id":"sa-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsystem design documentation\n\nsystem documentation, including functions, ports, protocols, and services intended for organizational use\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements, descriptions, and criteria for developers of systems, system components, and system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\nsystem\/network administrators\n\norganizational personnel operating, using, and\/or maintaining the system\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]}]},{"id":"sa-4.10","class":"SP800-53-enhancement","title":"Use of Approved PIV Products","props":[{"name":"label","value":"SA-4(10)"},{"name":"label","value":"SA-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pm-9","rel":"related"}],"parts":[{"id":"sa-4.10_smt","name":"statement","prose":"Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."},{"id":"sa-4.10_gdn","name":"guidance","prose":"Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations."},{"id":"sa-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(10)","class":"sp800-53a"}],"prose":"only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.","links":[{"href":"#sa-4.10_smt","rel":"assessment-for"}]},{"id":"sa-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nFIPS 201 approved products list\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security requirements\n\norganizational personnel with the responsibility for ensuring that only FIPS 201- approved products are implemented\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for selecting and employing FIPS 201-approved products"}]}]},{"id":"sa-4.11","class":"SP800-53-enhancement","title":"System of Records","params":[{"id":"sa-04.11_odp","props":[{"name":"alt-identifier","value":"sa-4.11_prm_1"},{"name":"label","value":"SA-04(11)_ODP","class":"sp800-53a"}],"label":"Privacy Act requirements","guidelines":[{"prose":"Privacy Act requirements for the operation of a system of records are defined;"}]}],"props":[{"name":"label","value":"SA-4(11)"},{"name":"label","value":"SA-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"},{"href":"#pt-6","rel":"related"}],"parts":[{"id":"sa-4.11_smt","name":"statement","prose":"Include {{ insert: param, sa-04.11_odp }} in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function."},{"id":"sa-4.11_gdn","name":"guidance","prose":"When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the [PRIVACT](#18e71fec-c6fd-475a-925a-5d8495cf8455) to be applied to the system of records."},{"id":"sa-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(11)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-04.11_odp }} are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.","links":[{"href":"#sa-4.11_smt","rel":"assessment-for"}]},{"id":"sa-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of Privacy Act requirements into systems of records operated by external organizations\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nservice level agreements\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sa-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contract management processes to verify Privacy Act requirements are defined for the operation of a system of records\n\nvendor processes for demonstrating incorporation of Privacy Act requirements in its operation of a system of records"}]}]},{"id":"sa-4.12","class":"SP800-53-enhancement","title":"Data Ownership","params":[{"id":"sa-04.12_odp","props":[{"name":"alt-identifier","value":"sa-4.12_prm_1"},{"name":"label","value":"SA-04(12)_ODP","class":"sp800-53a"}],"label":"time frame","guidelines":[{"prose":"time frame to remove data from a contractor system and return it to the organization is defined;"}]}],"props":[{"name":"label","value":"SA-4(12)"},{"name":"label","value":"SA-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-4","rel":"required"}],"parts":[{"id":"sa-4.12_smt","name":"statement","parts":[{"id":"sa-4.12_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Include organizational data ownership requirements in the acquisition contract; and"},{"id":"sa-4.12_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Require all data to be removed from the contractor’s system and returned to the organization within {{ insert: param, sa-04.12_odp }}."}]},{"id":"sa-4.12_gdn","name":"guidance","prose":"Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and\/or return the data in a time frame defined by the contract."},{"id":"sa-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)","class":"sp800-53a"}],"parts":[{"id":"sa-4.12_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)(a)","class":"sp800-53a"}],"prose":"organizational data ownership requirements are included in the acquisition contract;","links":[{"href":"#sa-4.12_smt.a","rel":"assessment-for"}]},{"id":"sa-4.12_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-04(12)(b)","class":"sp800-53a"}],"prose":"all data to be removed from the contractor’s system and returned to the organization is required within {{ insert: param, sa-04.12_odp }}.","links":[{"href":"#sa-4.12_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-4.12_smt","rel":"assessment-for"}]},{"id":"sa-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process\n\nprocedures addressing the disposition of personally identifiable information\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system or system service\n\npersonally identifiable information processing policy\n\nservice level agreements\n\ninformation sharing agreements\n\nmemoranda of understanding\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for data management and processing requirements\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sa-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Contract management processes to verify that data is removed as required\n\nvendor processes for removing data in required timeframe\n\nmechanisms verifying the removal and return of data"}]}]}]},{"id":"sa-5","class":"SP800-53","title":"System Documentation","params":[{"id":"sa-05_odp.01","props":[{"name":"alt-identifier","value":"sa-5_prm_1"},{"name":"label","value":"SA-05_ODP[01]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;"}]},{"id":"sa-05_odp.02","props":[{"name":"alt-identifier","value":"sa-5_prm_2"},{"name":"label","value":"SA-05_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to distribute system documentation to is\/are defined;"}]}],"props":[{"name":"label","value":"SA-5"},{"name":"label","value":"SA-05","class":"sp800-53a"},{"name":"sort-id","value":"sa-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-16","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-12","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sa-5_smt","name":"statement","parts":[{"id":"sa-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Obtain or develop administrator documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Secure configuration, installation, and operation of the system, component, or service;"},{"id":"sa-5_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Effective use and maintenance of security and privacy functions and mechanisms; and"},{"id":"sa-5_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Known vulnerabilities regarding configuration and use of administrative or privileged functions;"}]},{"id":"sa-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Obtain or develop user documentation for the system, system component, or system service that describes:","parts":[{"id":"sa-5_smt.b.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;"},{"id":"sa-5_smt.b.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and"},{"id":"sa-5_smt.b.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;"}]},{"id":"sa-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, sa-05_odp.01 }} in response; and"},{"id":"sa-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Distribute documentation to {{ insert: param, sa-05_odp.02 }}."}]},{"id":"sa-5_gdn","name":"guidance","prose":"System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation."},{"id":"sa-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-05","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.01[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.1","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[03]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.2-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.02[04]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.2","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[01]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]},{"id":"sa-5_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05a.03[02]","class":"sp800-53a"}],"prose":"administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;","links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.a","rel":"assessment-for"}]},{"id":"sa-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[03]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.1-4","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.01[04]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;","links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.1","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.02[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;","links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.2","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.b.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[01]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]},{"id":"sa-5_obj.b.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05b.03[02]","class":"sp800-53a"}],"prose":"user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;","links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.b","rel":"assessment-for"}]},{"id":"sa-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.","class":"sp800-53a"}],"parts":[{"id":"sa-5_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[01]","class":"sp800-53a"}],"prose":"attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-05c.[02]","class":"sp800-53a"}],"prose":"after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;","links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt.c","rel":"assessment-for"}]},{"id":"sa-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-05d.","class":"sp800-53a"}],"prose":"documentation is distributed to {{ insert: param, sa-05_odp.02 }}.","links":[{"href":"#sa-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-5_smt","rel":"assessment-for"}]},{"id":"sa-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system documentation\n\nsystem documentation, including administrator and user guides\n\nsystem design documentation\n\nrecords documenting attempts to obtain unavailable or nonexistent system documentation\n\nlist of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation\n\nrisk management strategy documentation\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\norganizational personnel responsible for operating, using, and\/or maintaining the system\n\nsystem developers"}]},{"id":"sa-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for obtaining, protecting, and distributing system administrator and user documentation"}]}],"controls":[{"id":"sa-5.1","class":"SP800-53-enhancement","title":"Functional Properties of Security Controls","props":[{"name":"label","value":"SA-5(1)"},{"name":"label","value":"SA-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.1","rel":"incorporated-into"}]},{"id":"sa-5.2","class":"SP800-53-enhancement","title":"Security-relevant External System Interfaces","props":[{"name":"label","value":"SA-5(2)"},{"name":"label","value":"SA-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.3","class":"SP800-53-enhancement","title":"High-level Design","props":[{"name":"label","value":"SA-5(3)"},{"name":"label","value":"SA-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.4","class":"SP800-53-enhancement","title":"Low-level Design","props":[{"name":"label","value":"SA-5(4)"},{"name":"label","value":"SA-05(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]},{"id":"sa-5.5","class":"SP800-53-enhancement","title":"Source Code","props":[{"name":"label","value":"SA-5(5)"},{"name":"label","value":"SA-05(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-05.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-4.2","rel":"incorporated-into"}]}]},{"id":"sa-6","class":"SP800-53","title":"Software Usage Restrictions","props":[{"name":"label","value":"SA-6"},{"name":"label","value":"SA-06","class":"sp800-53a"},{"name":"sort-id","value":"sa-06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-10","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"}]},{"id":"sa-7","class":"SP800-53","title":"User-installed Software","props":[{"name":"label","value":"SA-7"},{"name":"label","value":"SA-07","class":"sp800-53a"},{"name":"sort-id","value":"sa-07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-11","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"}]},{"id":"sa-8","class":"SP800-53","title":"Security and Privacy Engineering Principles","params":[{"id":"sa-8_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08_odp.02"}],"label":"organization-defined systems security and privacy engineering principles"},{"id":"sa-08_odp.01","props":[{"name":"label","value":"SA-08_ODP[01]","class":"sp800-53a"}],"label":"systems security engineering principles","guidelines":[{"prose":"systems security engineering principles are defined;"}]},{"id":"sa-08_odp.02","props":[{"name":"label","value":"SA-08_ODP[02]","class":"sp800-53a"}],"label":"privacy engineering principles","guidelines":[{"prose":"privacy engineering principles are defined;"}]}],"props":[{"name":"label","value":"SA-8"},{"name":"label","value":"SA-08","class":"sp800-53a"},{"name":"sort-id","value":"sa-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#18e71fec-c6fd-475a-925a-5d8495cf8455","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#599fb53d-5041-444e-a7fe-640d6d30ad05","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","rel":"reference"},{"href":"#9be5d661-421f-41ad-854e-86f98b811891","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#98d415ca-7281-4064-9931-0c366637e324","rel":"reference"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sa-20","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-8_smt","name":"statement","prose":"Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, sa-8_prm_1 }}."},{"id":"sa-8_gdn","name":"guidance","prose":"Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see [SA-3](#sa-3) ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.\n\nThe application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.\n\nOrganizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design."},{"id":"sa-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08","class":"sp800-53a"}],"parts":[{"id":"sa-8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-08[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-08[04]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-5","name":"assessment-objective","props":[{"name":"label","value":"SA-08[05]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-6","name":"assessment-objective","props":[{"name":"label","value":"SA-08[06]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-7","name":"assessment-objective","props":[{"name":"label","value":"SA-08[07]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-8","name":"assessment-objective","props":[{"name":"label","value":"SA-08[08]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-9","name":"assessment-objective","props":[{"name":"label","value":"SA-08[09]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_obj-10","name":"assessment-objective","props":[{"name":"label","value":"SA-08[10]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.","links":[{"href":"#sa-8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8_smt","rel":"assessment-for"}]},{"id":"sa-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nassessment and authorization procedures\n\nprocedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification"}]}],"controls":[{"id":"sa-8.1","class":"SP800-53-enhancement","title":"Clear Abstractions","props":[{"name":"label","value":"SA-8(1)"},{"name":"label","value":"SA-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.1_smt","name":"statement","prose":"Implement the security design principle of clear abstractions."},{"id":"sa-8.1_gdn","name":"guidance","prose":"The principle of clear abstractions states that a system has simple, well-defined interfaces and functions that provide a consistent and intuitive view of the data and how the data is managed. The clarity, simplicity, necessity, and sufficiency of the system interfaces— combined with a precise definition of their functional behavior—promotes ease of analysis, inspection, and testing as well as the correct and secure use of the system. The clarity of an abstraction is subjective. Examples that reflect the application of this principle include avoidance of redundant, unused interfaces; information hiding; and avoidance of semantic overloading of interfaces or their parameters. Information hiding (i.e., representation-independent programming), is a design discipline used to ensure that the internal representation of information in one system component is not visible to another system component invoking or calling the first component, such that the published abstraction is not influenced by how the data may be managed internally."},{"id":"sa-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(01)","class":"sp800-53a"}],"prose":"the security design principle of clear abstractions is implemented.","links":[{"href":"#sa-8.1_smt","rel":"assessment-for"}]},{"id":"sa-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of clear abstractions used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of clear abstractions to system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of clear abstractions to system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.2","class":"SP800-53-enhancement","title":"Least Common Mechanism","params":[{"id":"sa-08.02_odp","props":[{"name":"alt-identifier","value":"sa-8.2_prm_1"},{"name":"label","value":"SA-08(02)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of least common mechanism are defined;"}]}],"props":[{"name":"label","value":"SA-8(2)"},{"name":"label","value":"SA-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.2_smt","name":"statement","prose":"Implement the security design principle of least common mechanism in {{ insert: param, sa-08.02_odp }}."},{"id":"sa-8.2_gdn","name":"guidance","prose":"The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized [POPEK74](#79453f84-26a4-4995-8257-d32d37aefea3) . Mechanism minimization implies that different components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables) represents a potential information path between users and is designed with care to ensure that it does not unintentionally compromise security [SALTZER75](#c9495d6e-ef64-4090-8509-e58c3b9009ff) . Implementing the principle of least common mechanism helps to reduce the adverse consequences of sharing the system state among different programs. A single program that corrupts a shared state (including shared variables) has the potential to corrupt other programs that are dependent on the state. The principle of least common mechanism also supports the principle of simplicity of design and addresses the issue of covert storage channels [LAMPSON73](#d1cdab13-4218-400d-91a9-c3818dfa5ec8)."},{"id":"sa-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.02_odp }} implement the security design principle of least common mechanism.","links":[{"href":"#sa-8.2_smt","rel":"assessment-for"}]},{"id":"sa-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of least common mechanism used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of least common mechanism in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of least common mechanism in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.3","class":"SP800-53-enhancement","title":"Modularity and Layering","params":[{"id":"sa-8.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.03_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.03_odp.01","props":[{"name":"label","value":"SA-08(03)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of modularity are defined;"}]},{"id":"sa-08.03_odp.02","props":[{"name":"label","value":"SA-08(03)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of layering are defined;"}]}],"props":[{"name":"label","value":"SA-8(3)"},{"name":"label","value":"SA-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sa-8.3_smt","name":"statement","prose":"Implement the security design principles of modularity and layering in {{ insert: param, sa-8.3_prm_1 }}."},{"id":"sa-8.3_gdn","name":"guidance","prose":"The principles of modularity and layering are fundamental across system engineering disciplines. Modularity and layering derived from functional decomposition are effective in managing system complexity by making it possible to comprehend the structure of the system. Modular decomposition, or refinement in system design, is challenging and resists general statements of principle. Modularity serves to isolate functions and related data structures into well-defined logical units. Layering allows the relationships of these units to be better understood so that dependencies are clear and undesired complexity can be avoided. The security design principle of modularity extends functional modularity to include considerations based on trust, trustworthiness, privilege, and security policy. Security-informed modular decomposition includes the allocation of policies to systems in a network, separation of system applications into processes with distinct address spaces, allocation of system policies to layers, and separation of processes into subjects with distinct privileges based on hardware-supported privilege domains."},{"id":"sa-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)","class":"sp800-53a"}],"parts":[{"id":"sa-8.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.03_odp.01 }} implement the security design principle of modularity;","links":[{"href":"#sa-8.3_smt","rel":"assessment-for"}]},{"id":"sa-8.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.03_odp.02 }} implement the security design principle of layering.","links":[{"href":"#sa-8.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8.3_smt","rel":"assessment-for"}]},{"id":"sa-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principles of modularity and layering used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principles of modularity and layering in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principles of modularity and layering in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing an isolation boundary"}]}]},{"id":"sa-8.4","class":"SP800-53-enhancement","title":"Partially Ordered Dependencies","params":[{"id":"sa-08.04_odp","props":[{"name":"alt-identifier","value":"sa-8.4_prm_1"},{"name":"label","value":"SA-08(04)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of partially ordered dependencies are defined;"}]}],"props":[{"name":"label","value":"SA-8(4)"},{"name":"label","value":"SA-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.4_smt","name":"statement","prose":"Implement the security design principle of partially ordered dependencies in {{ insert: param, sa-08.04_odp }}."},{"id":"sa-8.4_gdn","name":"guidance","prose":"The principle of partially ordered dependencies states that the synchronization, calling, and other dependencies in the system are partially ordered. A fundamental concept in system design is layering, whereby the system is organized into well-defined, functionally related modules or components. The layers are linearly ordered with respect to inter-layer dependencies, such that higher layers are dependent on lower layers. While providing functionality to higher layers, some layers can be self-contained and not dependent on lower layers. While a partial ordering of all functions in a given system may not be possible, if circular dependencies are constrained to occur within layers, the inherent problems of circularity can be more easily managed. Partially ordered dependencies and system layering contribute significantly to the simplicity and coherency of the system design. Partially ordered dependencies also facilitate system testing and analysis."},{"id":"sa-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.04_odp }} implement the security design principle of partially ordered dependencies.","links":[{"href":"#sa-8.4_smt","rel":"assessment-for"}]},{"id":"sa-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of partially ordered dependencies used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of partially ordered dependencies in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.5","class":"SP800-53-enhancement","title":"Efficiently Mediated Access","params":[{"id":"sa-08.05_odp","props":[{"name":"alt-identifier","value":"sa-8.5_prm_1"},{"name":"label","value":"SA-08(05)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of efficiently mediated access are defined;"}]}],"props":[{"name":"label","value":"SA-8(5)"},{"name":"label","value":"SA-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-8.5_smt","name":"statement","prose":"Implement the security design principle of efficiently mediated access in {{ insert: param, sa-08.05_odp }}."},{"id":"sa-8.5_gdn","name":"guidance","prose":"The principle of efficiently mediated access states that policy enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints. The mediation of access to system resources (i.e., CPU, memory, devices, communication ports, services, infrastructure, data, and information) is often the predominant security function of secure systems. It also enables the realization of protections for the capability provided to stakeholders by the system. Mediation of resource access can result in performance bottlenecks if the system is not designed correctly. For example, by using hardware mechanisms, efficiently mediated access can be achieved. Once access to a low-level resource such as memory has been obtained, hardware protection mechanisms can ensure that out-of-bounds access does not occur."},{"id":"sa-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(05)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.05_odp }} implement the security design principle of efficiently mediated access.","links":[{"href":"#sa-8.5_smt","rel":"assessment-for"}]},{"id":"sa-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of efficiently mediated access used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition\/contracting responsibilities\n\norganizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of efficiently mediated access in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.6","class":"SP800-53-enhancement","title":"Minimized Sharing","params":[{"id":"sa-08.06_odp","props":[{"name":"alt-identifier","value":"sa-8.6_prm_1"},{"name":"label","value":"SA-08(06)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of minimized sharing are defined;"}]}],"props":[{"name":"label","value":"SA-8(6)"},{"name":"label","value":"SA-08(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-31","rel":"related"}],"parts":[{"id":"sa-8.6_smt","name":"statement","prose":"Implement the security design principle of minimized sharing in {{ insert: param, sa-08.06_odp }}."},{"id":"sa-8.6_gdn","name":"guidance","prose":"The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted. The need for resource sharing can be motivated by the design principle of least common mechanism in the case of internal entities or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage and timing channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system. To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, the use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities."},{"id":"sa-8.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(06)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.06_odp }} implement the security design principle of minimized sharing.","links":[{"href":"#sa-8.6_smt","rel":"assessment-for"}]},{"id":"sa-8.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of minimized sharing used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of minimized sharing in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of minimized sharing in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.7","class":"SP800-53-enhancement","title":"Reduced Complexity","params":[{"id":"sa-08.07_odp","props":[{"name":"alt-identifier","value":"sa-8.7_prm_1"},{"name":"label","value":"SA-08(07)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of reduced complexity are defined;"}]}],"props":[{"name":"label","value":"SA-8(7)"},{"name":"label","value":"SA-08(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.7_smt","name":"statement","prose":"Implement the security design principle of reduced complexity in {{ insert: param, sa-08.07_odp }}."},{"id":"sa-8.7_gdn","name":"guidance","prose":"The principle of reduced complexity states that the system design is as simple and small as possible. A small and simple design is more understandable, more analyzable, and less prone to error. The reduced complexity principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions. It also facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain; that is, simpler systems contain fewer vulnerabilities. An benefit of reduced complexity is that it is easier to understand whether the intended security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and the existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex. Transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6) may require implementing the older and newer technologies simultaneously during the transition period. This may result in a temporary increase in system complexity during the transition."},{"id":"sa-8.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(07)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.07_odp }} implement the security design principle of reduced complexity.","links":[{"href":"#sa-8.7_smt","rel":"assessment-for"}]},{"id":"sa-8.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of reduced complexity used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of reduced complexity in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of reduced complexity in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.8","class":"SP800-53-enhancement","title":"Secure Evolvability","params":[{"id":"sa-08.08_odp","props":[{"name":"alt-identifier","value":"sa-8.8_prm_1"},{"name":"label","value":"SA-08(08)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure evolvability are defined;"}]}],"props":[{"name":"label","value":"SA-8(8)"},{"name":"label","value":"SA-08(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-3","rel":"related"}],"parts":[{"id":"sa-8.8_smt","name":"statement","prose":"Implement the security design principle of secure evolvability in {{ insert: param, sa-08.08_odp }}."},{"id":"sa-8.8_gdn","name":"guidance","prose":"The principle of secure evolvability states that a system is developed to facilitate the maintenance of its security properties when there are changes to the system’s structure, interfaces, interconnections (i.e., system architecture), functionality, or configuration (i.e., security policy enforcement). Changes include a new, enhanced, or upgraded system capability; maintenance and sustainment activities; and reconfiguration. Although it is not possible to plan for every aspect of system evolution, system upgrades and changes can be anticipated by analyses of mission or business strategic direction, anticipated changes in the threat environment, and anticipated maintenance and sustainment needs. It is unrealistic to expect that complex systems remain secure in contexts not envisioned during development, whether such contexts are related to the operational environment or to usage. A system may be secure in some new contexts, but there is no guarantee that its emergent behavior will always be secure. It is easier to build trustworthiness into a system from the outset, and it follows that the sustainment of system trustworthiness requires planning for change as opposed to adapting in an ad hoc or non-methodical manner. The benefits of this principle include reduced vendor life cycle costs, reduced cost of ownership, improved system security, more effective management of security risk, and less risk uncertainty."},{"id":"sa-8.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.08_odp }} implement the security design principle of secure evolvability.","links":[{"href":"#sa-8.8_smt","rel":"assessment-for"}]},{"id":"sa-8.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of secure evolvability used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure evolvability in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure evolvability in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.9","class":"SP800-53-enhancement","title":"Trusted Components","params":[{"id":"sa-08.09_odp","props":[{"name":"alt-identifier","value":"sa-8.9_prm_1"},{"name":"label","value":"SA-08(09)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of trusted components are defined;"}]}],"props":[{"name":"label","value":"SA-8(9)"},{"name":"label","value":"SA-08(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.9_smt","name":"statement","prose":"Implement the security design principle of trusted components in {{ insert: param, sa-08.09_odp }}."},{"id":"sa-8.9_gdn","name":"guidance","prose":"The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and the trust is not consequently misplaced. Ultimately, this principle demands some metric by which the trust in a component and the trustworthiness of a component can be measured on the same abstract scale. The principle of trusted components is particularly relevant when considering systems and components in which there are complex chains of trust dependencies. A trust dependency is also referred to as a trust relationship and there may be chains of trust relationships.\n\nThe principle of trusted components also applies to a compound component that consists of subcomponents (e.g., a subsystem), which may have varying levels of trustworthiness. The conservative assumption is that the trustworthiness of a compound component is that of its least trustworthy subcomponent. It may be possible to provide a security engineering rationale that the trustworthiness of a particular compound component is greater than the conservative assumption. However, any such rationale reflects logical reasoning based on a clear statement of the trustworthiness objectives as well as relevant and credible evidence. The trustworthiness of a compound component is not the same as increased application of defense-in-depth layering within the component or a replication of components. Defense-in-depth techniques do not increase the trustworthiness of the whole above that of the least trustworthy component."},{"id":"sa-8.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(09)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.09_odp }} implement the security design principle of trusted components.","links":[{"href":"#sa-8.9_smt","rel":"assessment-for"}]},{"id":"sa-8.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity, supply chain risk management, and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nprocedures for determining component assurance\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-8.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of trusted components in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.10","class":"SP800-53-enhancement","title":"Hierarchical Trust","params":[{"id":"sa-08.10_odp","props":[{"name":"alt-identifier","value":"sa-8.10_prm_1"},{"name":"label","value":"SA-08(10)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of hierarchical trust are defined;"}]}],"props":[{"name":"label","value":"SA-8(10)"},{"name":"label","value":"SA-08(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.10_smt","name":"statement","prose":"Implement the security design principle of hierarchical trust in {{ insert: param, sa-08.10_odp }}."},{"id":"sa-8.10_gdn","name":"guidance","prose":"The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from heterogeneously trustworthy components. To analyze a system composed of heterogeneously trustworthy components for its trustworthiness, it is essential to eliminate circular dependencies with regard to the trustworthiness. If a more trustworthy component located in a lower layer of the system were to depend on a less trustworthy component in a higher layer, this would, in effect, put the components in the same \"less trustworthy\" equivalence class per the principle of trusted components. Trust relationships, or chains of trust, can have various manifestations. For example, the root certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a layered high-assurance system where the security kernel (including the hardware base), which is located at the lowest layer of the system, is the most trustworthy component. The principle of hierarchical trust, however, does not prohibit the use of overly trustworthy components. There may be cases in a system of low trustworthiness where it is reasonable to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due to availability or other cost-benefit driver). For such a case, any dependency of the highly trustworthy component upon a less trustworthy component does not degrade the trustworthiness of the resulting low-trust system."},{"id":"sa-8.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(10)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.10_odp }} implement the security design principle of hierarchical trust.","links":[{"href":"#sa-8.10_smt","rel":"assessment-for"}]},{"id":"sa-8.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of hierarchical trust used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of hierarchical trust in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of hierarchical trust in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.11","class":"SP800-53-enhancement","title":"Inverse Modification Threshold","params":[{"id":"sa-08.11_odp","props":[{"name":"alt-identifier","value":"sa-8.11_prm_1"},{"name":"label","value":"SA-08(11)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of inverse modification threshold are defined;"}]}],"props":[{"name":"label","value":"SA-8(11)"},{"name":"label","value":"SA-08(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.11_smt","name":"statement","prose":"Implement the security design principle of inverse modification threshold in {{ insert: param, sa-08.11_odp }}."},{"id":"sa-8.11_gdn","name":"guidance","prose":"The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree. Protection from unauthorized modification can come in the form of the component’s own self-protection and innate trustworthiness, or it can come from the protections afforded to the component from other elements or attributes of the security architecture (to include protections in the environment of operation)."},{"id":"sa-8.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(11)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.11_odp }} implement the security design principle of inverse modification threshold.","links":[{"href":"#sa-8.11_smt","rel":"assessment-for"}]},{"id":"sa-8.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of inverse modification threshold used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of inverse modification threshold in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.12","class":"SP800-53-enhancement","title":"Hierarchical Protection","params":[{"id":"sa-08.12_odp","props":[{"name":"alt-identifier","value":"sa-8.12_prm_1"},{"name":"label","value":"SA-08(12)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of hierarchical protection are defined;"}]}],"props":[{"name":"label","value":"SA-8(12)"},{"name":"label","value":"SA-08(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.12_smt","name":"statement","prose":"Implement the security design principle of hierarchical protection in {{ insert: param, sa-08.12_odp }}."},{"id":"sa-8.12_gdn","name":"guidance","prose":"The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in \"system high\" environments where users are highly trustworthy and where other protections are put in place to bound and protect the \"system high\" execution environment."},{"id":"sa-8.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(12)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.12_odp }} implement the security design principle of hierarchical protection.","links":[{"href":"#sa-8.12_smt","rel":"assessment-for"}]},{"id":"sa-8.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of hierarchical protection used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of hierarchical protection in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of hierarchical protection in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.13","class":"SP800-53-enhancement","title":"Minimized Security Elements","params":[{"id":"sa-08.13_odp","props":[{"name":"alt-identifier","value":"sa-8.13_prm_1"},{"name":"label","value":"SA-08(13)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of minimized security elements are defined;"}]}],"props":[{"name":"label","value":"SA-8(13)"},{"name":"label","value":"SA-08(13)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.13_smt","name":"statement","prose":"Implement the security design principle of minimized security elements in {{ insert: param, sa-08.13_odp }}."},{"id":"sa-8.13_gdn","name":"guidance","prose":"The principle of minimized security elements states that the system does not have extraneous trusted components. The principle of minimized security elements has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components are generally costlier to construct and implement, owing to the increased rigor of development processes. Trusted components require greater security analysis to qualify their trustworthiness. Thus, to reduce the cost and decrease the complexity of the security analysis, a system contains as few trustworthy components as possible. The analysis of the interaction of trusted components with other components of the system is one of the most important aspects of system security verification. If the interactions between components are unnecessarily complex, the security of the system will also be more difficult to ascertain than one whose internal trust relationships are simple and elegantly constructed. In general, fewer trusted components result in fewer internal trust relationships and a simpler system."},{"id":"sa-8.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(13)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.13_odp }} implement the security design principle of minimized security elements.","links":[{"href":"#sa-8.13_smt","rel":"assessment-for"}]},{"id":"sa-8.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of minimized security elements used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of minimized security elements in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of minimized security elements in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.14","class":"SP800-53-enhancement","title":"Least Privilege","params":[{"id":"sa-08.14_odp","props":[{"name":"alt-identifier","value":"sa-8.14_prm_1"},{"name":"label","value":"SA-08(14)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of least privilege are defined;"}]}],"props":[{"name":"label","value":"SA-8(14)"},{"name":"label","value":"SA-08(14)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-8.14_smt","name":"statement","prose":"Implement the security design principle of least privilege in {{ insert: param, sa-08.14_odp }}."},{"id":"sa-8.14_gdn","name":"guidance","prose":"The principle of least privilege states that each system component is allocated sufficient privileges to accomplish its specified functions but no more. Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact, and the security analysis of the component will be simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has need to view the audit data that has been collected but no need to perform operations on that data.\n\nIn addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated on by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality and that the access modes for the elements (e.g., read, write) are minimal."},{"id":"sa-8.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(14)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.14_odp }} implement the security design principle of least privilege.","links":[{"href":"#sa-8.14_smt","rel":"assessment-for"}]},{"id":"sa-8.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of least privilege used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of least privilege in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of least privilege in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.15","class":"SP800-53-enhancement","title":"Predicate Permission","params":[{"id":"sa-08.15_odp","props":[{"name":"alt-identifier","value":"sa-8.15_prm_1"},{"name":"label","value":"SA-08(15)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of predicate permission are defined;"}]}],"props":[{"name":"label","value":"SA-8(15)"},{"name":"label","value":"SA-08(15)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-5","rel":"related"}],"parts":[{"id":"sa-8.15_smt","name":"statement","prose":"Implement the security design principle of predicate permission in {{ insert: param, sa-08.15_odp }}."},{"id":"sa-8.15_gdn","name":"guidance","prose":"The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. [SALTZER75](#c9495d6e-ef64-4090-8509-e58c3b9009ff) originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action."},{"id":"sa-8.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(15)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.15_odp }} implement the security design principle of predicate permission.","links":[{"href":"#sa-8.15_smt","rel":"assessment-for"}]},{"id":"sa-8.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of predicate permission used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of predicate permission in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of predicate permission in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.16","class":"SP800-53-enhancement","title":"Self-reliant Trustworthiness","params":[{"id":"sa-08.16_odp","props":[{"name":"alt-identifier","value":"sa-8.16_prm_1"},{"name":"label","value":"SA-08(16)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of self-reliant trustworthiness are defined;"}]}],"props":[{"name":"label","value":"SA-8(16)"},{"name":"label","value":"SA-08(16)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.16_smt","name":"statement","prose":"Implement the security design principle of self-reliant trustworthiness in {{ insert: param, sa-08.16_odp }}."},{"id":"sa-8.16_gdn","name":"guidance","prose":"The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems for their own trustworthiness. A system is trustworthy by default, and any connection to an external entity is used to supplement its function. If a system were required to maintain a connection with another external entity in order to maintain its trustworthiness, then that system would be vulnerable to malicious and non-malicious threats that could result in the loss or degradation of that connection. The benefit of the principle of self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to attack. A corollary to this principle relates to the ability of the system (or system component) to operate in isolation and then resynchronize with other components when it is rejoined with them."},{"id":"sa-8.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(16)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.16_odp }} implement the security design principle of self-reliant trustworthiness.","links":[{"href":"#sa-8.16_smt","rel":"assessment-for"}]},{"id":"sa-8.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of self-reliant trustworthiness used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of self-reliant trustworthiness in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.17","class":"SP800-53-enhancement","title":"Secure Distributed Composition","params":[{"id":"sa-08.17_odp","props":[{"name":"alt-identifier","value":"sa-8.17_prm_1"},{"name":"label","value":"SA-08(17)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure distributed composition are defined;"}]}],"props":[{"name":"label","value":"SA-8(17)"},{"name":"label","value":"SA-08(17)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.17_smt","name":"statement","prose":"Implement the security design principle of secure distributed composition in {{ insert: param, sa-08.17_odp }}."},{"id":"sa-8.17_gdn","name":"guidance","prose":"The principle of secure distributed composition states that the composition of distributed components that enforce the same system security policy result in a system that enforces that policy at least as well as the individual components do. Many of the design principles for secure systems deal with how components can or should interact. The need to create or enable a capability from the composition of distributed components can magnify the relevancy of these principles. In particular, the translation of security policy from a stand-alone to a distributed system or a system-of-systems can have unexpected or emergent results. Communication protocols and distributed data consistency mechanisms help to ensure consistent policy enforcement across a distributed system. To ensure a system-wide level of assurance of correct policy enforcement, the security architecture of a distributed composite system is thoroughly analyzed."},{"id":"sa-8.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(17)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.17_odp }} implement the security design principle of secure distributed composition.","links":[{"href":"#sa-8.17_smt","rel":"assessment-for"}]},{"id":"sa-8.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of secure distributed composition used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure distributed composition in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure distributed composition in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.18","class":"SP800-53-enhancement","title":"Trusted Communications Channels","params":[{"id":"sa-08.18_odp","props":[{"name":"alt-identifier","value":"sa-8.18_prm_1"},{"name":"label","value":"SA-08(18)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of trusted communications channels are defined;"}]}],"props":[{"name":"label","value":"SA-8(18)"},{"name":"label","value":"SA-08(18)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sa-8.18_smt","name":"statement","prose":"Implement the security design principle of trusted communications channels in {{ insert: param, sa-08.18_odp }}."},{"id":"sa-8.18_gdn","name":"guidance","prose":"The principle of trusted communication channels states that when composing a system where there is a potential threat to communications between components (i.e., the interconnections between components), each communication channel is trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions). Trusted communication channels are achieved by a combination of restricting access to the communication channel (to ensure an acceptable match in the trustworthiness of the endpoints involved in the communication) and employing end-to-end protections for the data transmitted over the communication channel (to protect against interception and modification and to further increase the assurance of proper end-to-end communication)."},{"id":"sa-8.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(18)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.18_odp }} implement the security design principle of trusted communications channels.","links":[{"href":"#sa-8.18_smt","rel":"assessment-for"}]},{"id":"sa-8.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of trusted communications channels used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of trusted communications channels in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of trusted communications channels in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.19","class":"SP800-53-enhancement","title":"Continuous Protection","params":[{"id":"sa-08.19_odp","props":[{"name":"alt-identifier","value":"sa-8.19_prm_1"},{"name":"label","value":"SA-08(19)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of continuous protection are defined;"}]}],"props":[{"name":"label","value":"SA-8(19)"},{"name":"label","value":"SA-08(19)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-8.19_smt","name":"statement","prose":"Implement the security design principle of continuous protection in {{ insert: param, sa-08.19_odp }}."},{"id":"sa-8.19_gdn","name":"guidance","prose":"The principle of continuous protection states that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. No assurances that the system can provide the confidentiality, integrity, availability, and privacy protections for its design capability can be made if there are gaps in the protection. Any assurances about the ability to secure a delivered capability require that data and information are continuously protected. That is, there are no periods during which data and information are left unprotected while under control of the system (i.e., during the creation, storage, processing, or communication of the data and information, as well as during system initialization, execution, failure, interruption, and shutdown). Continuous protection requires adherence to the precepts of the reference monitor concept (i.e., every request is validated by the reference monitor; the reference monitor is able to protect itself from tampering; and sufficient assurance of the correctness and completeness of the mechanism can be ascertained from analysis and testing) and the principle of secure failure and recovery (i.e., preservation of a secure state during error, fault, failure, and successful attack; preservation of a secure state during recovery to normal, degraded, or alternative operational modes).\n\nContinuous protection also applies to systems designed to operate in varying configurations, including those that deliver full operational capability and degraded-mode configurations that deliver partial operational capability. The continuous protection principle requires that changes to the system security policies be traceable to the operational need that drives the configuration and be verifiable (i.e., it is possible to verify that the proposed changes will not put the system into an insecure state). Insufficient traceability and verification may lead to inconsistent states or protection discontinuities due to the complex or undecidable nature of the problem. The use of pre-verified configuration definitions that reflect the new security policy enables analysis to determine that a transition from old to new policies is essentially atomic and that any residual effects from the old policy are guaranteed to not conflict with the new policy. The ability to demonstrate continuous protection is rooted in the clear articulation of life cycle protection needs as stakeholder security requirements."},{"id":"sa-8.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(19)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.19_odp }} implement the security design principle of continuous protection.","links":[{"href":"#sa-8.19_smt","rel":"assessment-for"}]},{"id":"sa-8.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\naccess control policy\n\nsystem and communications protection policy\n\nprocedures addressing boundary protection\n\nprocedures addressing the security design principle of continuous protection used in the specification, design, development, implementation, and modification of the system\n\nsystem configuration settings and associated documentation\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\norganizational personnel with access enforcement responsibilities\n\nsystem\/network administrators\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sa-8.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of continuous protection in system specification, design, development, implementation, and modification\n\nmechanisms implementing access enforcement functions\n\nmechanisms supporting the application of the security design principle of continuous protection in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sa-8.20","class":"SP800-53-enhancement","title":"Secure Metadata Management","params":[{"id":"sa-08.20_odp","props":[{"name":"alt-identifier","value":"sa-8.20_prm_1"},{"name":"label","value":"SA-08(20)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure metadata management are defined;"}]}],"props":[{"name":"label","value":"SA-8(20)"},{"name":"label","value":"SA-08(20)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.20_smt","name":"statement","prose":"Implement the security design principle of secure metadata management in {{ insert: param, sa-08.20_odp }}."},{"id":"sa-8.20_gdn","name":"guidance","prose":"The principle of secure metadata management states that metadata are \"first class\" objects with respect to security policy when the policy requires either complete protection of information or that the security subsystem be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies on for correct execution. Data is generally not interpreted by the system that stores it. It may have semantic value (i.e., it comprises information) to users and programs that process the data. In contrast, metadata is information about data, such as a file name or the date when the file was created. Metadata is bound to the target data that it describes in a way that the system can interpret, but it need not be stored inside of or proximate to its target data. There may be metadata whose target is itself metadata (e.g., the classification level or impact level of a file name), including self-referential metadata.\n\nThe apparent secondary nature of metadata can lead to neglect of its legitimate need for protection, resulting in a violation of the security policy that includes the exfiltration of information. A particular concern associated with insufficient protections for metadata is associated with multilevel secure (MLS) systems. MLS systems mediate access by a subject to an object based on relative sensitivity levels. It follows that all subjects and objects in the scope of control of the MLS system are either directly labeled or indirectly attributed with sensitivity levels. The corollary of labeled metadata for MLS systems states that objects containing metadata are labeled. As with protection needs assessments for data, attention is given to ensure that the confidentiality and integrity protections are individually assessed, specified, and allocated to metadata, as would be done for mission, business, and system data."},{"id":"sa-8.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(20)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.20_odp }} implement the security design principle of secure metadata management.","links":[{"href":"#sa-8.20_smt","rel":"assessment-for"}]},{"id":"sa-8.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of metadata management used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of metadata management in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of metadata management in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.21","class":"SP800-53-enhancement","title":"Self-analysis","params":[{"id":"sa-08.21_odp","props":[{"name":"alt-identifier","value":"sa-8.21_prm_1"},{"name":"label","value":"SA-08(21)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of self-analysis are defined;"}]}],"props":[{"name":"label","value":"SA-8(21)"},{"name":"label","value":"SA-08(21)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ca-7","rel":"related"}],"parts":[{"id":"sa-8.21_smt","name":"statement","prose":"Implement the security design principle of self-analysis in {{ insert: param, sa-08.21_odp }}."},{"id":"sa-8.21_gdn","name":"guidance","prose":"The principle of self-analysis states that a system component is able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved through hierarchical assessments of trustworthiness established in a bottom-up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components. For example, trusted boot sequences involve a trusted lower-level component that attests to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established. At the root, a component attests to itself, which usually involves an axiomatic or environmentally enforced assumption about its integrity. Results of the self-analyses can be used to guard against externally induced errors, internal malfunction, or transient errors. By following this principle, some simple malfunctions or errors can be detected without allowing the effects of the error or malfunction to propagate outside of the component. Further, the self-test can be used to attest to the configuration of the component, detecting any potential conflicts in configuration with respect to the expected configuration."},{"id":"sa-8.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(21)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.21_odp }} implement the security design principle of self-analysis.","links":[{"href":"#sa-8.21_smt","rel":"assessment-for"}]},{"id":"sa-8.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of self-analysis used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of self-analysis in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of self-analysis in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.22","class":"SP800-53-enhancement","title":"Accountability and Traceability","params":[{"id":"sa-8.22_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.22_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.22_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.22_odp.01","props":[{"name":"label","value":"SA-08(22)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of accountability are defined;"}]},{"id":"sa-08.22_odp.02","props":[{"name":"label","value":"SA-08(22)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of traceability are defined;"}]}],"props":[{"name":"label","value":"SA-8(22)"},{"name":"label","value":"SA-08(22)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ir-4","rel":"related"}],"parts":[{"id":"sa-8.22_smt","name":"statement","prose":"Implement the security design principle of accountability and traceability in {{ insert: param, sa-8.22_prm_1 }}."},{"id":"sa-8.22_gdn","name":"guidance","prose":"The principle of accountability and traceability states that it is possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. The principle of accountability and traceability requires a trustworthy infrastructure that can record details about actions that affect system security (e.g., an audit subsystem). To record the details about actions, the system is able to uniquely identify the entity on whose behalf the action is being carried out and also record the relevant sequence of actions that are carried out. The accountability policy also requires that audit trail itself be protected from unauthorized access and modification. The principle of least privilege assists in tracing the actions to particular entities, as it increases the granularity of accountability. Associating specific actions with system entities, and ultimately with users, and making the audit trail secure against unauthorized access and modifications provide non-repudiation because once an action is recorded, it is not possible to change the audit trail. Another important function that accountability and traceability serves is in the routine and forensic analysis of events associated with the violation of security policy. Analysis of audit logs may provide additional information that may be helpful in determining the path or component that allowed the violation of the security policy and the actions of individuals associated with the violation of the security policy."},{"id":"sa-8.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)","class":"sp800-53a"}],"parts":[{"id":"sa-8.22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.22_odp.01 }} implement the security design principle of accountability;","links":[{"href":"#sa-8.22_smt","rel":"assessment-for"}]},{"id":"sa-8.22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(22)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.22_odp.02 }} implement the security design principle of traceability.","links":[{"href":"#sa-8.22_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8.22_smt","rel":"assessment-for"}]},{"id":"sa-8.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\naudit and accountability policy\n\naccess control policy\n\nprocedures addressing least privilege\n\nprocedures addressing auditable events\n\nidentification and authentication policy\n\nprocedures addressing user identification and authentication\n\nprocedures addressing the security design principle of accountability and traceability used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem audit records\n\nsystem auditable events\n\nsystem configuration settings and associated documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with audit and accountability responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of accountability and traceability in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of accountability and traceability in system specification, design, development, implementation, and modification\n\nmechanisms implementing information system auditing\n\nmechanisms implementing least privilege functions"}]}]},{"id":"sa-8.23","class":"SP800-53-enhancement","title":"Secure Defaults","params":[{"id":"sa-08.23_odp","props":[{"name":"alt-identifier","value":"sa-8.23_prm_1"},{"name":"label","value":"SA-08(23)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure defaults are defined;"}]}],"props":[{"name":"label","value":"SA-8(23)"},{"name":"label","value":"SA-08(23)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#sa-4","rel":"related"}],"parts":[{"id":"sa-8.23_smt","name":"statement","prose":"Implement the security design principle of secure defaults in {{ insert: param, sa-08.23_odp }}."},{"id":"sa-8.23_gdn","name":"guidance","prose":"The principle of secure defaults states that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that follow a \"deny unless explicitly authorized\" strategy. The initial configuration aspect of this principle requires that any \"as shipped\" configuration of a system, subsystem, or system component does not aid in the violation of the security policy and can prevent the system from operating in the default configuration for those cases where the security policy itself requires configuration by the operational user.\n\nRestrictive defaults mean that the system will operate \"as-shipped\" with adequate self-protection and be able to prevent security breaches before the intended security policy and system configuration is established. In cases where the protection provided by the \"as-shipped\" product is inadequate, stakeholders assess the risk of using it prior to establishing a secure initial state. Adherence to the principle of secure defaults guarantees that a system is established in a secure state upon successfully completing initialization. In situations where the system fails to complete initialization, either it will perform a requested operation using secure defaults or it will not perform the operation. Refer to the principles of continuous protection and secure failure and recovery that parallel this principle to provide the ability to detect and recover from failure.\n\nThe security engineering approach to this principle states that security mechanisms deny requests unless the request is found to be well-formed and consistent with the security policy. The insecure alternative is to allow a request unless it is shown to be inconsistent with the policy. In a large system, the conditions that are satisfied to grant a request that is denied by default are often far more compact and complete than those that would need to be checked in order to deny a request that is granted by default."},{"id":"sa-8.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(23)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.23_odp }} implement the security design principle of secure defaults.","links":[{"href":"#sa-8.23_smt","rel":"assessment-for"}]},{"id":"sa-8.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nconfiguration management policy\n\nprocedures addressing the security design principle of secure defaults used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nprocedures addressing system documentation\n\nsystem documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure defaults in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure defaults in system specification, design, development, implementation, and modification\n\norganizational processes for managing baseline configurations\n\nmechanisms supporting configuration control of the baseline configuration"}]}]},{"id":"sa-8.24","class":"SP800-53-enhancement","title":"Secure Failure and Recovery","params":[{"id":"sa-8.24_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.24_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-08.24_odp.02"}],"label":"organization-defined systems or system components"},{"id":"sa-08.24_odp.01","props":[{"name":"label","value":"SA-08(24)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure failure are defined;"}]},{"id":"sa-08.24_odp.02","props":[{"name":"label","value":"SA-08(24)_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure recovery are defined;"}]}],"props":[{"name":"label","value":"SA-8(24)"},{"name":"label","value":"SA-08(24)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sa-8.24_smt","name":"statement","prose":"Implement the security design principle of secure failure and recovery in {{ insert: param, sa-8.24_prm_1 }}."},{"id":"sa-8.24_gdn","name":"guidance","prose":"The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure leads to a violation of security policy. The principle of secure failure and recovery parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) and to take appropriate steps to ensure that security policies are not violated. In addition, when specified, the system is capable of recovering from impending or actual failure to resume normal, degraded, or alternative secure operations while ensuring that a secure state is maintained such that security policies are not violated.\n\nFailure is a condition in which the behavior of a component deviates from its specified or expected behavior for an explicitly documented input. Once a failed security function is detected, the system may reconfigure itself to circumvent the failed component while maintaining security and provide all or part of the functionality of the original system, or it may completely shut itself down to prevent any further violation of security policies. For this to occur, the reconfiguration functions of the system are designed to ensure continuous enforcement of security policy during the various phases of reconfiguration.\n\nAnother technique that can be used to recover from failures is to perform a rollback to a secure state (which may be the initial state) and then either shutdown or replace the service or component that failed such that secure operations may resume. Failure of a component may or may not be detectable to the components using it. The principle of secure failure indicates that components fail in a state that denies rather than grants access. For example, a nominally \"atomic\" operation interrupted before completion does not violate security policy and is designed to handle interruption events by employing higher-level atomicity and rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties are well-documented and characterized so that the component availing itself of that service can detect and handle interruption events appropriately. For example, a system is designed to gracefully respond to disconnection and support resynchronization and data consistency after disconnection.\n\nFailure protection strategies that employ replication of policy enforcement mechanisms, sometimes called defense in depth, can allow the system to continue in a secure state even when one mechanism has failed to protect the system. If the mechanisms are similar, however, the additional protection may be illusory, as the adversary can simply attack in series. Similarly, in a networked system, breaking the security on one system or service may enable an attacker to do the same on other similar replicated systems and services. By employing multiple protection mechanisms whose features are significantly different, the possibility of attack replication or repetition can be reduced. Analyses are conducted to weigh the costs and benefits of such redundancy techniques against increased resource usage and adverse effects on the overall system performance. Additional analyses are conducted as the complexity of these mechanisms increases, as could be the case for dynamic behaviors. Increased complexity generally reduces trustworthiness. When a resource cannot be continuously protected, it is critical to detect and repair any security breaches before the resource is once again used in a secure context."},{"id":"sa-8.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)","class":"sp800-53a"}],"parts":[{"id":"sa-8.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.24_odp.01 }} implement the security design principle of secure failure;","links":[{"href":"#sa-8.24_smt","rel":"assessment-for"}]},{"id":"sa-8.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-08(24)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.24_odp.02 }} implement the security design principle of secure recovery.","links":[{"href":"#sa-8.24_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-8.24_smt","rel":"assessment-for"}]},{"id":"sa-8.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and communications protection policy\n\ncontingency planning policy\n\nprocedures addressing information system recovery and reconstitution\n\nprocedures addressing the security design principle of secure failure and recovery used in the specification, design, development, implementation, and modification of the system\n\ncontingency plan\n\nprocedures addressing system backup\n\ncontingency plan test documentation\n\ncontingency plan test results\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\norganizational personnel with contingency plan testing responsibilities\n\norganizational personnel with system recovery and reconstitution responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities\n\norganizational personnel with information system backup responsibilities"}]},{"id":"sa-8.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure failure and recovery in system specification, design, development, implementation, and modification\n\nmechanisms supporting and\/or implementing secure failure\n\norganizational processes for contingency plan testing\n\nmechanisms supporting contingency plan testing\n\nmechanisms supporting recovery and reconstitution of the system\n\norganizational processes for conducting system backups\n\nmechanisms supporting and\/or implementing system backups"}]}]},{"id":"sa-8.25","class":"SP800-53-enhancement","title":"Economic Security","params":[{"id":"sa-08.25_odp","props":[{"name":"alt-identifier","value":"sa-8.25_prm_1"},{"name":"label","value":"SA-08(25)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of economic security are defined;"}]}],"props":[{"name":"label","value":"SA-8(25)"},{"name":"label","value":"SA-08(25)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sa-8.25_smt","name":"statement","prose":"Implement the security design principle of economic security in {{ insert: param, sa-08.25_odp }}."},{"id":"sa-8.25_gdn","name":"guidance","prose":"The principle of economic security states that security mechanisms are not costlier than the potential damage that could occur from a security breach. This is the security-relevant form of the cost-benefit analyses used in risk management. The cost assumptions of cost-benefit analysis prevent the system designer from incorporating security mechanisms of greater strength than necessary, where strength of mechanism is proportional to cost. The principle of economic security also requires analysis of the benefits of assurance relative to the cost of that assurance in terms of the effort expended to obtain relevant and credible evidence as well as the necessary analyses to assess and draw trustworthiness and risk conclusions from the evidence."},{"id":"sa-8.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(25)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.25_odp }} implement the security design principle of economic security.","links":[{"href":"#sa-8.25_smt","rel":"assessment-for"}]},{"id":"sa-8.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of economic security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\ncost-benefit analysis\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of economic security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of economic security in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.26","class":"SP800-53-enhancement","title":"Performance Security","params":[{"id":"sa-08.26_odp","props":[{"name":"alt-identifier","value":"sa-8.26_prm_1"},{"name":"label","value":"SA-08(26)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of performance security are defined;"}]}],"props":[{"name":"label","value":"SA-8(26)"},{"name":"label","value":"SA-08(26)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-8.26_smt","name":"statement","prose":"Implement the security design principle of performance security in {{ insert: param, sa-08.26_odp }}."},{"id":"sa-8.26_gdn","name":"guidance","prose":"The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers adhere to the specified constraints that capability performance needs place on protection needs. The overall impact of computationally intensive security services (e.g., cryptography) are assessed and demonstrated to pose no significant impact to higher-priority performance considerations or are deemed to provide an acceptable trade-off of performance for trustworthy protection. The trade-off considerations include less computationally intensive security services unless they are unavailable or insufficient. The insufficiency of a security service is determined by functional capability and strength of mechanism. The strength of mechanism is selected with respect to security requirements, performance-critical overhead issues (e.g., cryptographic key management), and an assessment of the capability of the threat.\n\nThe principle of performance security leads to the incorporation of features that help in the enforcement of security policy but incur minimum overhead, such as low-level hardware mechanisms upon which higher-level services can be built. Such low-level mechanisms are usually very specific, have very limited functionality, and are optimized for performance. For example, once access rights to a portion of memory is granted, many systems use hardware mechanisms to ensure that all further accesses involve the correct memory address and access mode. Application of this principle reinforces the need to design security into the system from the ground up and to incorporate simple mechanisms at the lower layers that can be used as building blocks for higher-level mechanisms."},{"id":"sa-8.26_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(26)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.26_odp }} implement the security design principle of performance security.","links":[{"href":"#sa-8.26_smt","rel":"assessment-for"}]},{"id":"sa-8.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of performance security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\ntrade-off analysis between performance and security\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of performance security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of performance security in system specification, design, development, implementation, and modification"}]}]},{"id":"sa-8.27","class":"SP800-53-enhancement","title":"Human Factored Security","params":[{"id":"sa-08.27_odp","props":[{"name":"alt-identifier","value":"sa-8.27_prm_1"},{"name":"label","value":"SA-08(27)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of human factored security are defined;"}]}],"props":[{"name":"label","value":"SA-8(27)"},{"name":"label","value":"SA-08(27)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.27_smt","name":"statement","prose":"Implement the security design principle of human factored security in {{ insert: param, sa-08.27_odp }}."},{"id":"sa-8.27_gdn","name":"guidance","prose":"The principle of human factored security states that the user interface for security functions and supporting services is intuitive, user-friendly, and provides feedback for user actions that affect such policy and its enforcement. The mechanisms that enforce security policy are not intrusive to the user and are designed not to degrade user efficiency. Security policy enforcement mechanisms also provide the user with meaningful, clear, and relevant feedback and warnings when insecure choices are being made. Particular attention is given to interfaces through which personnel responsible for system administration and operation configure and set up the security policies. Ideally, these personnel are able to understand the impact of their choices. Personnel with system administrative and operational responsibilities are able to configure systems before start-up and administer them during runtime with confidence that their intent is correctly mapped to the system’s mechanisms. Security services, functions, and mechanisms do not impede or unnecessarily complicate the intended use of the system. There is a trade-off between system usability and the strictness necessary for security policy enforcement. If security mechanisms are frustrating or difficult to use, then users may disable them, avoid them, or use them in ways inconsistent with the security requirements and protection needs that the mechanisms were designed to satisfy."},{"id":"sa-8.27_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(27)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.27_odp }} implement the security design principle of human factored security.","links":[{"href":"#sa-8.27_smt","rel":"assessment-for"}]},{"id":"sa-8.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of human factored security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nusability analysis\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with human factored security responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of human factored security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of human factored security in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.28","class":"SP800-53-enhancement","title":"Acceptable Security","params":[{"id":"sa-08.28_odp","props":[{"name":"alt-identifier","value":"sa-8.28_prm_1"},{"name":"label","value":"SA-08(28)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of acceptable security are defined;"}]}],"props":[{"name":"label","value":"SA-8(28)"},{"name":"label","value":"SA-08(28)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.28_smt","name":"statement","prose":"Implement the security design principle of acceptable security in {{ insert: param, sa-08.28_odp }}."},{"id":"sa-8.28_gdn","name":"guidance","prose":"The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure."},{"id":"sa-8.28_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(28)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.28_odp }} implement the security design principle of acceptable security.","links":[{"href":"#sa-8.28_smt","rel":"assessment-for"}]},{"id":"sa-8.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the security design principle of acceptable security used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\npersonally identifiable information processing policy\n\nprivacy notifications provided to users\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of acceptable security in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of acceptable security in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.29","class":"SP800-53-enhancement","title":"Repeatable and Documented Procedures","params":[{"id":"sa-08.29_odp","props":[{"name":"alt-identifier","value":"sa-8.29_prm_1"},{"name":"label","value":"SA-08(29)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of repeatable and documented procedures are defined;"}]}],"props":[{"name":"label","value":"SA-8(29)"},{"name":"label","value":"SA-08(29)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-1","rel":"related"},{"href":"#sa-1","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-1","rel":"related"},{"href":"#si-1","rel":"related"}],"parts":[{"id":"sa-8.29_smt","name":"statement","prose":"Implement the security design principle of repeatable and documented procedures in {{ insert: param, sa-08.29_odp }}."},{"id":"sa-8.29_gdn","name":"guidance","prose":"The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier, which may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and the ability to inspect the artifacts. Repeatable and documented procedures can be introduced at various stages within the system development life cycle and contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review, procedures for the configuration management of development tools and system artifacts, and procedures for system delivery."},{"id":"sa-8.29_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(29)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.29_odp }} implement the security design principle of repeatable and documented procedures.","links":[{"href":"#sa-8.29_smt","rel":"assessment-for"}]},{"id":"sa-8.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of repeatable and documented procedures used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of repeatable and documented procedures in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.30","class":"SP800-53-enhancement","title":"Procedural Rigor","params":[{"id":"sa-08.30_odp","props":[{"name":"alt-identifier","value":"sa-8.30_prm_1"},{"name":"label","value":"SA-08(30)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of procedural rigor are defined;"}]}],"props":[{"name":"label","value":"SA-8(30)"},{"name":"label","value":"SA-08(30)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"}],"parts":[{"id":"sa-8.30_smt","name":"statement","prose":"Implement the security design principle of procedural rigor in {{ insert: param, sa-08.30_odp }}."},{"id":"sa-8.30_gdn","name":"guidance","prose":"The principle of procedural rigor states that the rigor of a system life cycle process is commensurate with its intended trustworthiness. Procedural rigor defines the scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle procedures contribute to the assurance that the system is correct and free of unintended functionality in several ways. First, the procedures impose checks and balances on the life cycle process such that the introduction of unspecified functionality is prevented.\n\nSecond, rigorous procedures applied to systems security engineering activities that produce specifications and other system design documents contribute to the ability to understand the system as it has been built rather than trusting that the component, as implemented, is the authoritative (and potentially misleading) specification.\n\nFinally, modifications to an existing system component are easier when there are detailed specifications that describe its current design instead of studying source code or schematics to try to understand how it works. Procedural rigor helps ensure that security functional and assurance requirements have been satisfied, and it contributes to a better-informed basis for the determination of trustworthiness and risk posture. Procedural rigor is commensurate with the degree of assurance desired for the system. If the required trustworthiness of the system is low, a high level of procedural rigor may add unnecessary cost, whereas when high trustworthiness is critical, the cost of high procedural rigor is merited."},{"id":"sa-8.30_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(30)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.30_odp }} implement the security design principle of procedural rigor.","links":[{"href":"#sa-8.30_smt","rel":"assessment-for"}]},{"id":"sa-8.30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(30)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of procedural rigor used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(30)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(30)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of procedural rigor in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of procedural rigor in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies"}]}]},{"id":"sa-8.31","class":"SP800-53-enhancement","title":"Secure System Modification","params":[{"id":"sa-08.31_odp","props":[{"name":"alt-identifier","value":"sa-8.31_prm_1"},{"name":"label","value":"SA-08(31)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of secure system modification are defined;"}]}],"props":[{"name":"label","value":"SA-8(31)"},{"name":"label","value":"SA-08(31)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"}],"parts":[{"id":"sa-8.31_smt","name":"statement","prose":"Implement the security design principle of secure system modification in {{ insert: param, sa-08.31_odp }}."},{"id":"sa-8.31_gdn","name":"guidance","prose":"The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability."},{"id":"sa-8.31_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(31)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.31_odp }} implement the security design principle of secure system modification.","links":[{"href":"#sa-8.31_smt","rel":"assessment-for"}]},{"id":"sa-8.31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(31)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nconfiguration management policy and procedures\n\nprocedures addressing the security design principle of secure system modification used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(31)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(31)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of secure system modification in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of secure system modification in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]},{"id":"sa-8.32","class":"SP800-53-enhancement","title":"Sufficient Documentation","params":[{"id":"sa-08.32_odp","props":[{"name":"alt-identifier","value":"sa-8.32_prm_1"},{"name":"label","value":"SA-08(32)_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that implement the security design principle of sufficient documentation are defined;"}]}],"props":[{"name":"label","value":"SA-8(32)"},{"name":"label","value":"SA-08(32)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-8.32_smt","name":"statement","prose":"Implement the security design principle of sufficient documentation in {{ insert: param, sa-08.32_odp }}."},{"id":"sa-8.32_gdn","name":"guidance","prose":"The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities."},{"id":"sa-8.32_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(32)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-08.32_odp }} implement the security design principle of sufficient documentation.","links":[{"href":"#sa-8.32_smt","rel":"assessment-for"}]},{"id":"sa-8.32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(32)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the security design principle of sufficient documentation used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\nsecurity and privacy requirements and specifications for the system\n\nsystem security and privacy documentation\n\nsystem security and privacy architecture\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-8.32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(32)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with the responsibility for determining system security and privacy requirements\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers\n\norganizational personnel with information security responsibilities"}]},{"id":"sa-8.32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(32)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security policies\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]},{"id":"sa-8.33","class":"SP800-53-enhancement","title":"Minimization","params":[{"id":"sa-08.33_odp","props":[{"name":"alt-identifier","value":"sa-8.33_prm_1"},{"name":"label","value":"SA-08(33)_ODP","class":"sp800-53a"}],"label":"processes","guidelines":[{"prose":"processes that implement the privacy principle of minimization are defined;"}]}],"props":[{"name":"label","value":"SA-8(33)"},{"name":"label","value":"SA-08(33)","class":"sp800-53a"},{"name":"sort-id","value":"sa-08.33"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-8","rel":"required"},{"href":"#pe-8","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#sc-42","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sa-8.33_smt","name":"statement","prose":"Implement the privacy principle of minimization using {{ insert: param, sa-08.33_odp }}."},{"id":"sa-8.33_gdn","name":"guidance","prose":"The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization."},{"id":"sa-8.33_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-08(33)","class":"sp800-53a"}],"prose":"the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.","links":[{"href":"#sa-8.33_smt","rel":"assessment-for"}]},{"id":"sa-8.33_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-08(33)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing the minimization of personally identifiable information in system design\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nchange control records\n\ninformation security and privacy requirements and specifications for the system\n\nsystem security and privacy architecture\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-8.33_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-08(33)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with system specification, design, development, implementation, and modification responsibilities\n\nsystem developers"}]},{"id":"sa-8.33_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-08(33)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for applying the privacy design principle of minimization in system specification, design, development, implementation, and modification\n\nmechanisms supporting the application of the security design principle of sufficient documentation in system specification, design, development, implementation, and modification\n\nmechanisms that enforce security and privacy policy\n\norganizational processes for managing change configuration\n\nmechanisms supporting configuration control"}]}]}]},{"id":"sa-9","class":"SP800-53","title":"External System Services","params":[{"id":"sa-09_odp.01","props":[{"name":"alt-identifier","value":"sa-9_prm_1"},{"name":"label","value":"SA-09_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed by external system service providers are defined;"}]},{"id":"sa-09_odp.02","props":[{"name":"alt-identifier","value":"sa-9_prm_2"},{"name":"label","value":"SA-09_ODP[02]","class":"sp800-53a"}],"label":"processes, methods, and techniques","guidelines":[{"prose":"processes, methods, and techniques employed to monitor control compliance by external service providers are defined;"}]}],"props":[{"name":"label","value":"SA-9"},{"name":"label","value":"SA-09","class":"sp800-53a"},{"name":"sort-id","value":"sa-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#77faf0bc-c394-44ad-9154-bbac3b79c8ad","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","rel":"reference"},{"href":"#ac-20","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-7","rel":"related"},{"href":"#pl-10","rel":"related"},{"href":"#pl-11","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sa-9_smt","name":"statement","parts":[{"id":"sa-9_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, sa-09_odp.01 }};"},{"id":"sa-9_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Define and document organizational oversight and user roles and responsibilities with regard to external system services; and"},{"id":"sa-9_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, sa-09_odp.02 }}."}]},{"id":"sa-9_gdn","name":"guidance","prose":"External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance."},{"id":"sa-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[01]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational security requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[02]","class":"sp800-53a"}],"prose":"providers of external system services comply with organizational privacy requirements;","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09a.[03]","class":"sp800-53a"}],"prose":"providers of external system services employ {{ insert: param, sa-09_odp.01 }};","links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.a","rel":"assessment-for"}]},{"id":"sa-9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.","class":"sp800-53a"}],"parts":[{"id":"sa-9_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[01]","class":"sp800-53a"}],"prose":"organizational oversight with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09b.[02]","class":"sp800-53a"}],"prose":"user roles and responsibilities with regard to external system services are defined and documented;","links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt.b","rel":"assessment-for"}]},{"id":"sa-9_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-09c.","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.","links":[{"href":"#sa-9_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-9_smt","rel":"assessment-for"}]},{"id":"sa-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing methods and techniques for monitoring control compliance by external service providers of system services\n\nacquisition documentation\n\ncontracts\n\nservice level agreements\n\ninteragency agreements\n\nlicensing agreements\n\nlist of organizational security and privacy requirements for external provider services\n\ncontrol assessment results or reports from external providers of system services\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis\n\nmechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis"}]}],"controls":[{"id":"sa-9.1","class":"SP800-53-enhancement","title":"Risk Assessments and Organizational Approvals","params":[{"id":"sa-09.01_odp","props":[{"name":"alt-identifier","value":"sa-9.1_prm_1"},{"name":"label","value":"SA-09(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles that approve the acquisition or outsourcing of dedicated information security services is\/are defined;"}]}],"props":[{"name":"label","value":"SA-9(1)"},{"name":"label","value":"SA-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#ca-6","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"sa-9.1_smt","name":"statement","parts":[{"id":"sa-9.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and"},{"id":"sa-9.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the acquisition or outsourcing of dedicated information security services is approved by {{ insert: param, sa-09.01_odp }}."}]},{"id":"sa-9.1_gdn","name":"guidance","prose":"Information security services include the operation of security devices, such as firewalls or key management services as well as incident monitoring, analysis, and response. Risks assessed can include system, mission or business, security, privacy, or supply chain risks."},{"id":"sa-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)","class":"sp800-53a"}],"parts":[{"id":"sa-9.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)(a)","class":"sp800-53a"}],"prose":"an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;","links":[{"href":"#sa-9.1_smt.a","rel":"assessment-for"}]},{"id":"sa-9.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-09(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.","links":[{"href":"#sa-9.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-9.1_smt","rel":"assessment-for"}]},{"id":"sa-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrisk assessment reports\n\napproval records for the acquisition or outsourcing of dedicated security services\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with system security responsibilities\n\nexternal providers of system services\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services\n\norganizational processes for approving the outsourcing of dedicated security services\n\nmechanisms supporting and\/or implementing risk assessment\n\nmechanisms supporting and\/or implementing approval processes"}]}]},{"id":"sa-9.2","class":"SP800-53-enhancement","title":"Identification of Functions, Ports, Protocols, and Services","params":[{"id":"sa-09.02_odp","props":[{"name":"alt-identifier","value":"sa-9.2_prm_1"},{"name":"label","value":"SA-09(02)_ODP","class":"sp800-53a"}],"label":"external system services","guidelines":[{"prose":"external system services that require the identification of functions, ports, protocols, and other services are defined;"}]}],"props":[{"name":"label","value":"SA-9(2)"},{"name":"label","value":"SA-09(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#cm-6","rel":"related"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"sa-9.2_smt","name":"statement","prose":"Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: {{ insert: param, sa-09.02_odp }}."},{"id":"sa-9.2_gdn","name":"guidance","prose":"Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols."},{"id":"sa-9.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(02)","class":"sp800-53a"}],"prose":"providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.","links":[{"href":"#sa-9.2_smt","rel":"assessment-for"}]},{"id":"sa-9.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management policy and procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\norganizational security requirements and security specifications for external service providers\n\nlist of required functions, ports, protocols, and other services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-9.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nexternal providers of system services"}]}]},{"id":"sa-9.3","class":"SP800-53-enhancement","title":"Establish and Maintain Trust Relationship with Providers","params":[{"id":"sa-9.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-09.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-09.03_odp.02"}],"label":"organization-defined security and privacy requirements, properties, factors, or conditions defining acceptable trust relationships"},{"id":"sa-09.03_odp.01","props":[{"name":"label","value":"SA-09(03)_ODP[01]","class":"sp800-53a"}],"label":"security requirements, properties, factors, or conditions","guidelines":[{"prose":"security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;"}]},{"id":"sa-09.03_odp.02","props":[{"name":"label","value":"SA-09(03)_ODP[02]","class":"sp800-53a"}],"label":"privacy requirements, properties, factors, or conditions","guidelines":[{"prose":"privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;"}]}],"props":[{"name":"label","value":"SA-9(3)"},{"name":"label","value":"SA-09(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"sa-9.3_smt","name":"statement","prose":"Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: {{ insert: param, sa-9.3_prm_1 }}."},{"id":"sa-9.3_gdn","name":"guidance","prose":"Trust relationships between organizations and external service providers reflect the degree of confidence that the risk from using external services is at an acceptable level. Trust relationships can help organizations gain increased levels of confidence that service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties. In some cases, the degree of trust is based on the level of control that organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements."},{"id":"sa-9.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)","class":"sp800-53a"}],"parts":[{"id":"sa-9.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[01]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are established and documented;","links":[{"href":"#sa-9.3_smt","rel":"assessment-for"}]},{"id":"sa-9.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[02]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are maintained;","links":[{"href":"#sa-9.3_smt","rel":"assessment-for"}]},{"id":"sa-9.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[03]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are established and documented;","links":[{"href":"#sa-9.3_smt","rel":"assessment-for"}]},{"id":"sa-9.3_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SA-09(03)[04]","class":"sp800-53a"}],"prose":"trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are maintained.","links":[{"href":"#sa-9.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-9.3_smt","rel":"assessment-for"}]},{"id":"sa-9.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nacquisition contracts for the system, system component, or system service\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\nmemorandum of understanding\n\nmemorandum of agreements\n\nlist of organizational security and privacy requirements, properties, factors, or conditions for external provider services\n\ndocumentation of trust relationships with external service providers\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-9.4","class":"SP800-53-enhancement","title":"Consistent Interests of Consumers and Providers","params":[{"id":"sa-09.04_odp.01","props":[{"name":"alt-identifier","value":"sa-9.4_prm_1"},{"name":"label","value":"SA-09(04)_ODP[01]","class":"sp800-53a"}],"label":"external service providers","guidelines":[{"prose":"external service providers are defined;"}]},{"id":"sa-09.04_odp.02","props":[{"name":"alt-identifier","value":"sa-9.4_prm_2"},{"name":"label","value":"SA-09(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined;"}]}],"props":[{"name":"label","value":"SA-9(4)"},{"name":"label","value":"SA-09(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"}],"parts":[{"id":"sa-9.4_smt","name":"statement","prose":"Take the following actions to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests: {{ insert: param, sa-09.04_odp.02 }}."},{"id":"sa-9.4_gdn","name":"guidance","prose":"As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with the interests of the consuming organizations. Actions that organizations take to address such concerns include requiring background checks for selected service provider personnel; examining ownership records; employing only trustworthy service providers, such as providers with which organizations have had successful trust relationships; and conducting routine, periodic, unscheduled visits to service provider facilities."},{"id":"sa-9.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-09.04_odp.02 }} are taken to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests.","links":[{"href":"#sa-9.4_smt","rel":"assessment-for"}]},{"id":"sa-9.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\norganizational security requirements\/safeguards for external service providers\n\npersonnel security policies for external service providers\n\nassessments performed on external service providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing safeguards to ensure consistent interests with external service providers\n\nmechanisms supporting and\/or implementing safeguards to ensure consistent interests with external service providers"}]}]},{"id":"sa-9.5","class":"SP800-53-enhancement","title":"Processing, Storage, and Service Location","params":[{"id":"sa-09.05_odp.01","props":[{"name":"alt-identifier","value":"sa-9.5_prm_1"},{"name":"label","value":"SA-09(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["information processing","information or data","system services"]}},{"id":"sa-09.05_odp.02","props":[{"name":"alt-identifier","value":"sa-9.5_prm_2"},{"name":"label","value":"SA-09(05)_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations where {{ insert: param, sa-09.05_odp.01 }} is\/are to be restricted are defined;"}]},{"id":"sa-09.05_odp.03","props":[{"name":"alt-identifier","value":"sa-9.5_prm_3"},{"name":"alt-label","value":"requirements or conditions","class":"sp800-53"},{"name":"label","value":"SA-09(05)_ODP[03]","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements or conditions for restricting the location of {{ insert: param, sa-09.05_odp.01 }} are defined;"}]}],"props":[{"name":"label","value":"SA-9(5)"},{"name":"label","value":"SA-09(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"sa-9.5_smt","name":"statement","prose":"Restrict the location of {{ insert: param, sa-09.05_odp.01 }} to {{ insert: param, sa-09.05_odp.02 }} based on {{ insert: param, sa-09.05_odp.03 }}."},{"id":"sa-9.5_gdn","name":"guidance","prose":"The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and\/or the locations from which system services emanate."},{"id":"sa-9.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(05)","class":"sp800-53a"}],"prose":"based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is\/are restricted to {{ insert: param, sa-09.05_odp.02 }}.","links":[{"href":"#sa-9.5_smt","rel":"assessment-for"}]},{"id":"sa-9.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nrestricted locations for information processing\n\ninformation\/data and\/or system services\n\ninformation processing, information\/data, and\/or system services to be maintained in restricted locations\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining the requirements to restrict locations of information processing, information\/data, or information services\n\norganizational processes for ensuring the location is restricted in accordance with requirements or conditions"}]}]},{"id":"sa-9.6","class":"SP800-53-enhancement","title":"Organization-controlled Cryptographic Keys","props":[{"name":"label","value":"SA-9(6)"},{"name":"label","value":"SA-09(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sa-9.6_smt","name":"statement","prose":"Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system."},{"id":"sa-9.6_gdn","name":"guidance","prose":"Maintaining exclusive control of cryptographic keys in an external system prevents decryption of organizational data by external system staff. Organizational control of cryptographic keys can be implemented by encrypting and decrypting data inside the organization as data is sent to and received from the external system or by employing a component that permits encryption and decryption functions to be local to the external system but allows exclusive organizational access to the encryption keys."},{"id":"sa-9.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(06)","class":"sp800-53a"}],"prose":"exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.","links":[{"href":"#sa-9.6_smt","rel":"assessment-for"}]},{"id":"sa-9.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing organization-controlled cryptographic key management\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with cryptographic key management responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for cryptographic key management\n\nmechanisms for supporting and implementing the management of organization-controlled cryptographic keys"}]}]},{"id":"sa-9.7","class":"SP800-53-enhancement","title":"Organization-controlled Integrity Checking","props":[{"name":"label","value":"SA-9(7)"},{"name":"label","value":"SA-09(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-9.7_smt","name":"statement","prose":"Provide the capability to check the integrity of information while it resides in the external system."},{"id":"sa-9.7_gdn","name":"guidance","prose":"Storage of organizational information in an external system could limit visibility into the security status of its data. The ability of the organization to verify and validate the integrity of its stored data without transferring it out of the external system provides such visibility."},{"id":"sa-9.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(07)","class":"sp800-53a"}],"prose":"the capability is provided to check the integrity of information while it resides in the external system.","links":[{"href":"#sa-9.7_smt","rel":"assessment-for"}]},{"id":"sa-9.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing organization-controlled integrity checking\n\ninformation\/data and\/or system services\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with integrity checking responsibilities\n\nexternal providers of system services\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-9.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for integrity checking\n\nmechanisms for supporting and implementing integrity checking of information in external systems"}]}]},{"id":"sa-9.8","class":"SP800-53-enhancement","title":"Processing and Storage Location — U.S. Jurisdiction","props":[{"name":"label","value":"SA-9(8)"},{"name":"label","value":"SA-09(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-09.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-9","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sr-4","rel":"related"}],"parts":[{"id":"sa-9.8_smt","name":"statement","prose":"Restrict the geographic location of information processing and data storage to facilities located within in the legal jurisdictional boundary of the United States."},{"id":"sa-9.8_gdn","name":"guidance","prose":"The geographic location of information processing and data storage can have a direct impact on the ability of organizations to successfully execute their mission and business functions. A compromise or breach of high impact information and systems can have severe or catastrophic adverse impacts on organizational assets and operations, individuals, other organizations, and the Nation. Restricting the processing and storage of high-impact information to facilities within the legal jurisdictional boundary of the United States provides greater control over such processing and storage."},{"id":"sa-9.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-09(08)","class":"sp800-53a"}],"prose":"the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.","links":[{"href":"#sa-9.8_smt","rel":"assessment-for"}]},{"id":"sa-9.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-09(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing external system services\n\nacquisition contracts for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nprocedures addressing determining jurisdiction restrictions for processing and storage location\n\ninformation\/data and\/or system services\n\norganizational security requirements or conditions for external providers\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-9.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-09(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganization personnel with supply chain risk management responsibilities\n\nexternal providers of system services"}]},{"id":"sa-9.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-09(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes restricting external system service providers to process and store information within the legal jurisdictional boundary of the United States"}]}]}]},{"id":"sa-10","class":"SP800-53","title":"Developer Configuration Management","params":[{"id":"sa-10_odp.01","props":[{"name":"alt-identifier","value":"sa-10_prm_1"},{"name":"label","value":"SA-10_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design","development","implementation","operation","disposal"]}},{"id":"sa-10_odp.02","props":[{"name":"alt-identifier","value":"sa-10_prm_2"},{"name":"alt-label","value":"configuration items under configuration management","class":"sp800-53"},{"name":"label","value":"SA-10_ODP[02]","class":"sp800-53a"}],"label":"configuration items","guidelines":[{"prose":"configuration items under configuration management are defined;"}]},{"id":"sa-10_odp.03","props":[{"name":"alt-identifier","value":"sa-10_prm_3"},{"name":"label","value":"SA-10_ODP[03]","class":"sp800-53a"}],"label":"personnel","guidelines":[{"prose":"personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is\/are defined;"}]}],"props":[{"name":"label","value":"SA-10"},{"name":"label","value":"SA-10","class":"sp800-53a"},{"name":"sort-id","value":"sa-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cm-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-10_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"},{"id":"sa-10_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Document, manage, and control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"},{"id":"sa-10_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Implement only organization-approved changes to the system, component, or service;"},{"id":"sa-10_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Document approved changes to the system, component, or service and the potential security and privacy impacts of such changes; and"},{"id":"sa-10_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Track security flaws and flaw resolution within the system, component, or service and report findings to {{ insert: param, sa-10_odp.03 }}."}]},{"id":"sa-10_gdn","name":"guidance","prose":"Organizations consider the quality and completeness of configuration management activities conducted by developers as direct evidence of applying effective security controls. Controls include protecting the master copies of material used to generate security-relevant portions of the system hardware, software, and firmware from unauthorized modification or destruction. Maintaining the integrity of changes to the system, system component, or system service requires strict configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes.\n\nThe configuration items that are placed under configuration management include the formal model; the functional, high-level, and low-level design specifications; other design data; implementation documentation; source code and hardware schematics; the current running version of the object code; tools for comparing new versions of security-relevant hardware descriptions and source code with previous versions; and test fixtures and documentation. Depending on the mission and business needs of organizations and the nature of the contractual relationships in place, developers may provide configuration management support during the operations and maintenance stage of the system development life cycle."},{"id":"sa-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-10a.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};","links":[{"href":"#sa-10_smt.a","rel":"assessment-for"}]},{"id":"sa-10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10b.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};","links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.b","rel":"assessment-for"}]},{"id":"sa-10_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-10c.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.c","rel":"assessment-for"}]},{"id":"sa-10_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10d.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;","links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.d","rel":"assessment-for"}]},{"id":"sa-10_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.","class":"sp800-53a"}],"parts":[{"id":"sa-10_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]},{"id":"sa-10_obj.e-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10e.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.","links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-10_smt","rel":"assessment-for"}]},{"id":"sa-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity flaw and flaw resolution tracking records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}],"controls":[{"id":"sa-10.1","class":"SP800-53-enhancement","title":"Software and Firmware Integrity Verification","props":[{"name":"label","value":"SA-10(1)"},{"name":"label","value":"SA-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"},{"href":"#si-7","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sa-10.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components."},{"id":"sa-10.1_gdn","name":"guidance","prose":"Software and firmware integrity verification allows organizations to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms. The integrity checking mechanisms can also address counterfeiting of software and firmware components. Organizations verify the integrity of software and firmware components, for example, through secure one-way hashes provided by developers. Delivered software and firmware components also include any updates to such components."},{"id":"sa-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(01)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.","links":[{"href":"#sa-10.1_smt","rel":"assessment-for"}]},{"id":"sa-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsoftware and firmware integrity verification records\n\nsystem change authorization records\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.2","class":"SP800-53-enhancement","title":"Alternative Configuration Management Processes","props":[{"name":"label","value":"SA-10(2)"},{"name":"label","value":"SA-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.2_smt","name":"statement","prose":"Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team."},{"id":"sa-10.2_gdn","name":"guidance","prose":"Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services."},{"id":"sa-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(02)","class":"sp800-53a"}],"prose":"an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.","links":[{"href":"#sa-10.2_smt","rel":"assessment-for"}]},{"id":"sa-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nconfiguration management policy\n\nconfiguration management plan\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nsecurity impact analyses\n\nprivacy impact analyses\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.3","class":"SP800-53-enhancement","title":"Hardware Integrity Verification","props":[{"name":"label","value":"SA-10(3)"},{"name":"label","value":"SA-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sa-10.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to enable integrity verification of hardware components."},{"id":"sa-10.3_gdn","name":"guidance","prose":"Hardware integrity verification allows organizations to detect unauthorized changes to hardware components using developer-provided tools, techniques, methods, and mechanisms. Organizations may verify the integrity of hardware components with hard-to-copy labels, verifiable serial numbers provided by developers, and by requiring the use of anti-tamper technologies. Delivered hardware components also include hardware and firmware updates to such components."},{"id":"sa-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(03)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to enable integrity verification of hardware components.","links":[{"href":"#sa-10.3_smt","rel":"assessment-for"}]},{"id":"sa-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nhardware integrity verification records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.4","class":"SP800-53-enhancement","title":"Trusted Generation","props":[{"name":"label","value":"SA-10(4)"},{"name":"label","value":"SA-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions."},{"id":"sa-10.4_gdn","name":"guidance","prose":"The trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code continue to enforce the security policy for the system, system component, or system service. In contrast, [SA-10(1)](#sa-10.1) and [SA-10(3)](#sa-10.3) allow organizations to detect unauthorized changes to hardware, software, and firmware components using tools, techniques, or mechanisms provided by developers."},{"id":"sa-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)","class":"sp800-53a"}],"parts":[{"id":"sa-10.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;","links":[{"href":"#sa-10.4_smt","rel":"assessment-for"}]},{"id":"sa-10.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;","links":[{"href":"#sa-10.4_smt","rel":"assessment-for"}]},{"id":"sa-10.4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-10(04)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.","links":[{"href":"#sa-10.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-10.4_smt","rel":"assessment-for"}]},{"id":"sa-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nconfiguration control audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.5","class":"SP800-53-enhancement","title":"Mapping Integrity for Version Control","props":[{"name":"label","value":"SA-10(5)"},{"name":"label","value":"SA-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."},{"id":"sa-10.5_gdn","name":"guidance","prose":"Mapping integrity for version control addresses changes to hardware, software, and firmware components during both initial development and system development life cycle updates. Maintaining the integrity between the master copies of security-relevant hardware, software, and firmware (including designs, hardware drawings, source code) and the equivalent data in master copies in operational environments is essential to ensuring the availability of organizational systems that support critical mission and business functions."},{"id":"sa-10.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(05)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.","links":[{"href":"#sa-10.5_smt","rel":"assessment-for"}]},{"id":"sa-10.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nversion control change\/update records\n\nintegrity verification records between master copies of security-relevant hardware, software, and firmware (including designs and source code)\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.6","class":"SP800-53-enhancement","title":"Trusted Distribution","props":[{"name":"label","value":"SA-10(6)"},{"name":"label","value":"SA-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."},{"id":"sa-10.6_gdn","name":"guidance","prose":"The trusted distribution of security-relevant hardware, software, and firmware updates help to ensure that the updates are correct representations of the master copies maintained by the developer and have not been tampered with during distribution."},{"id":"sa-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.","links":[{"href":"#sa-10.6_smt","rel":"assessment-for"}]},{"id":"sa-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer configuration management\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer configuration management\n\nmechanisms supporting and\/or implementing the monitoring of developer configuration management"}]}]},{"id":"sa-10.7","class":"SP800-53-enhancement","title":"Security and Privacy Representatives","params":[{"id":"sa-10.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.02"}],"label":"organization-defined security and privacy representatives"},{"id":"sa-10.7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-10.07_odp.04"}],"label":"organization-defined configuration change management and control process"},{"id":"sa-10.07_odp.01","props":[{"name":"label","value":"SA-10(07)_ODP[01]","class":"sp800-53a"}],"label":"security representatives","guidelines":[{"prose":"security representatives to be included in the configuration change management and control process are defined;"}]},{"id":"sa-10.07_odp.02","props":[{"name":"label","value":"SA-10(07)_ODP[02]","class":"sp800-53a"}],"label":"privacy representatives","guidelines":[{"prose":"privacy representatives to be included in the configuration change management and control process are defined;"}]},{"id":"sa-10.07_odp.03","props":[{"name":"label","value":"SA-10(07)_ODP[03]","class":"sp800-53a"}],"label":"configuration change management and control processes","guidelines":[{"prose":"configuration change management and control processes in which security representatives are required to be included are defined;"}]},{"id":"sa-10.07_odp.04","props":[{"name":"label","value":"SA-10(07)_ODP[04]","class":"sp800-53a"}],"label":"configuration change management and control processes","guidelines":[{"prose":"configuration change management and control processes in which privacy representatives are required to be included are defined;"}]}],"props":[{"name":"label","value":"SA-10(7)"},{"name":"label","value":"SA-10(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-10.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-10","rel":"required"}],"parts":[{"id":"sa-10.7_smt","name":"statement","prose":"Require {{ insert: param, sa-10.7_prm_1 }} to be included in the {{ insert: param, sa-10.7_prm_2 }}."},{"id":"sa-10.7_gdn","name":"guidance","prose":"Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in [SA-10b](#sa-10_smt.b)."},{"id":"sa-10.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)","class":"sp800-53a"}],"parts":[{"id":"sa-10.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-10.07_odp.01 }} are required to be included in the {{ insert: param, sa-10.07_odp.03 }};","links":[{"href":"#sa-10.7_smt","rel":"assessment-for"}]},{"id":"sa-10.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-10(07)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sa-10.07_odp.02 }} are required to be included in the {{ insert: param, sa-10.07_odp.04 }}.","links":[{"href":"#sa-10.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-10.7_smt","rel":"assessment-for"}]},{"id":"sa-10.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-10(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nconfiguration management policy\n\nconfiguration management plan\n\nsolicitation documentation requiring representatives for security and privacy\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer configuration management plan\n\nchange control records\n\nconfiguration management records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-10.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-10(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]}]}]},{"id":"sa-11","class":"SP800-53","title":"Developer Testing and Evaluation","params":[{"id":"sa-11_odp.01","props":[{"name":"alt-identifier","value":"sa-11_prm_1"},{"name":"label","value":"SA-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["unit","integration","system","regression"]}},{"id":"sa-11_odp.02","props":[{"name":"alt-identifier","value":"sa-11_prm_2"},{"name":"alt-label","value":"frequency","class":"sp800-53"},{"name":"label","value":"SA-11_ODP[02]","class":"sp800-53a"}],"label":"frequency to conduct","guidelines":[{"prose":"frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]},{"id":"sa-11_odp.03","props":[{"name":"alt-identifier","value":"sa-11_prm_3"},{"name":"label","value":"SA-11_ODP[03]","class":"sp800-53a"}],"label":"depth and coverage","guidelines":[{"prose":"depth and coverage of {{ insert: param, sa-11_odp.01 }} testing\/evaluation is defined;"}]}],"props":[{"name":"label","value":"SA-11"},{"name":"label","value":"SA-11","class":"sp800-53a"},{"name":"sort-id","value":"sa-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","rel":"reference"},{"href":"#708b94e1-3d5e-4b22-ab43-1c69f3a97e37","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sa-11_smt","name":"statement","prose":"Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to:","parts":[{"id":"sa-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement a plan for ongoing security and privacy control assessments;"},{"id":"sa-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"},{"id":"sa-11_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Produce evidence of the execution of the assessment plan and the results of the testing and evaluation;"},{"id":"sa-11_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement a verifiable flaw remediation process; and"},{"id":"sa-11_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Correct flaws identified during testing and evaluation."}]},{"id":"sa-11_gdn","name":"guidance","prose":"Developmental testing and evaluation confirms that the required controls are implemented correctly, operating as intended, enforcing the desired security and privacy policies, and meeting established security and privacy requirements. Security properties of systems and the privacy of individuals may be affected by the interconnection of system components or changes to those components. The interconnections or changes—including upgrading or replacing applications, operating systems, and firmware—may adversely affect previously implemented controls. Ongoing assessment during development allows for additional types of testing and evaluation that developers can conduct to reduce or eliminate potential flaws. Testing custom software applications may require approaches such as manual code review, security architecture review, and penetration testing, as well as and static analysis, dynamic analysis, binary analysis, or a hybrid of the three analysis approaches.\n\nDevelopers can use the analysis approaches, along with security instrumentation and fuzzing, in a variety of tools and in source code reviews. The security and privacy assessment plans include the specific activities that developers plan to carry out, including the types of analyses, testing, evaluation, and reviews of software and firmware components; the degree of rigor to be applied; the frequency of the ongoing testing and evaluation; and the types of artifacts produced during those processes. The depth of testing and evaluation refers to the rigor and level of detail associated with the assessment process. The coverage of testing and evaluation refers to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts specify the acceptance criteria for security and privacy assessment plans, flaw remediation processes, and the evidence that the plans and processes have been diligently applied. Methods for reviewing and protecting assessment plans, evidence, and documentation are commensurate with the security category or classification level of the system. Contracts may specify protection requirements for documentation."},{"id":"sa-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11a.[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;","links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.a","rel":"assessment-for"}]},{"id":"sa-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11b.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing\/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};","links":[{"href":"#sa-11_smt.b","rel":"assessment-for"}]},{"id":"sa-11_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.","class":"sp800-53a"}],"parts":[{"id":"sa-11_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11c.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;","links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt.c","rel":"assessment-for"}]},{"id":"sa-11_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11d.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;","links":[{"href":"#sa-11_smt.d","rel":"assessment-for"}]},{"id":"sa-11_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-11e.","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.","links":[{"href":"#sa-11_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-11_smt","rel":"assessment-for"}]},{"id":"sa-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security and privacy testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of developer security and privacy assessments for the system, system component, or system service\n\nsecurity and privacy flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\nsystem developers"}]},{"id":"sa-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy testing and evaluation"}]}],"controls":[{"id":"sa-11.1","class":"SP800-53-enhancement","title":"Static Code Analysis","props":[{"name":"label","value":"SA-11(1)"},{"name":"label","value":"SA-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis."},{"id":"sa-11.1_gdn","name":"guidance","prose":"Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources."},{"id":"sa-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)","class":"sp800-53a"}],"parts":[{"id":"sa-11.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;","links":[{"href":"#sa-11.1_smt","rel":"assessment-for"}]},{"id":"sa-11.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(01)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.","links":[{"href":"#sa-11.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.1_smt","rel":"assessment-for"}]},{"id":"sa-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsecurity and privacy architecture\n\nsystem design documentation\n\nsystem developer security and privacy assessment plans\n\nresults of system developer security and privacy assessments\n\nsecurity flaw and remediation tracking records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security and privacy testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation\n\nstatic code analysis tools"}]}]},{"id":"sa-11.2","class":"SP800-53-enhancement","title":"Threat Modeling and Vulnerability Analyses","params":[{"id":"sa-11.2_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.04"}],"label":"organization-defined breadth and depth of modeling and analyses"},{"id":"sa-11.2_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.02_odp.06"}],"label":"organization-defined acceptance criteria"},{"id":"sa-11.02_odp.01","props":[{"name":"alt-identifier","value":"sa-11.2_prm_1"},{"name":"alt-label","value":"information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels","class":"sp800-53"},{"name":"label","value":"SA-11(02)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;"}]},{"id":"sa-11.02_odp.02","props":[{"name":"alt-identifier","value":"sa-11.2_prm_2"},{"name":"label","value":"SA-11(02)_ODP[02]","class":"sp800-53a"}],"label":"tools and methods","guidelines":[{"prose":"the tools and methods to be employed for threat modeling and vulnerability analyses are defined;"}]},{"id":"sa-11.02_odp.03","props":[{"name":"label","value":"SA-11(02)_ODP[03]","class":"sp800-53a"}],"label":"breadth and depth","guidelines":[{"prose":"the breadth and depth of threat modeling to be conducted is defined;"}]},{"id":"sa-11.02_odp.04","props":[{"name":"label","value":"SA-11(02)_ODP[04]","class":"sp800-53a"}],"label":"breadth and depth","guidelines":[{"prose":"the breadth and depth of vulnerability analyses to be conducted is defined;"}]},{"id":"sa-11.02_odp.05","props":[{"name":"label","value":"SA-11(02)_ODP[05]","class":"sp800-53a"}],"label":"acceptance criteria","guidelines":[{"prose":"acceptance criteria to be met by produced evidence for threat modeling are defined;"}]},{"id":"sa-11.02_odp.06","props":[{"name":"label","value":"SA-11(02)_ODP[06]","class":"sp800-53a"}],"label":"acceptance criteria","guidelines":[{"prose":"acceptance criteria to be met by produced evidence for vulnerability analyses are defined;"}]}],"props":[{"name":"label","value":"SA-11(2)"},{"name":"label","value":"SA-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#pm-15","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sa-11.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:","parts":[{"id":"sa-11.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Uses the following contextual information: {{ insert: param, sa-11.02_odp.01 }};"},{"id":"sa-11.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Employs the following tools and methods: {{ insert: param, sa-11.02_odp.02 }};"},{"id":"sa-11.2_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Conducts the modeling and analyses at the following level of rigor: {{ insert: param, sa-11.2_prm_3 }} ; and"},{"id":"sa-11.2_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Produces evidence that meets the following acceptance criteria: {{ insert: param, sa-11.2_prm_4 }}."}]},{"id":"sa-11.2_gdn","name":"guidance","prose":"Systems, system components, and system services may deviate significantly from the functional and design specifications created during the requirements and design stages of the system development life cycle. Therefore, updates to threat modeling and vulnerability analyses of those systems, system components, and system services during development and prior to delivery are critical to the effective operation of those systems, components, and services. Threat modeling and vulnerability analyses at this stage of the system development life cycle ensure that design and implementation changes have been accounted for and that vulnerabilities created because of those changes have been reviewed and mitigated."},{"id":"sa-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};","links":[{"href":"#sa-11.2_smt.a","rel":"assessment-for"}]},{"id":"sa-11.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};","links":[{"href":"#sa-11.2_smt.a","rel":"assessment-for"}]},{"id":"sa-11.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};","links":[{"href":"#sa-11.2_smt.a","rel":"assessment-for"}]},{"id":"sa-11.2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(a)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};","links":[{"href":"#sa-11.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.2_smt.a","rel":"assessment-for"}]},{"id":"sa-11.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};","links":[{"href":"#sa-11.2_smt.b","rel":"assessment-for"}]},{"id":"sa-11.2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};","links":[{"href":"#sa-11.2_smt.b","rel":"assessment-for"}]},{"id":"sa-11.2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};","links":[{"href":"#sa-11.2_smt.b","rel":"assessment-for"}]},{"id":"sa-11.2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(b)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};","links":[{"href":"#sa-11.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.2_smt.b","rel":"assessment-for"}]},{"id":"sa-11.2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;","links":[{"href":"#sa-11.2_smt.c","rel":"assessment-for"}]},{"id":"sa-11.2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};","links":[{"href":"#sa-11.2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.2_smt.c","rel":"assessment-for"}]},{"id":"sa-11.2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)","class":"sp800-53a"}],"parts":[{"id":"sa-11.2_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};","links":[{"href":"#sa-11.2_smt.d","rel":"assessment-for"}]},{"id":"sa-11.2_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};","links":[{"href":"#sa-11.2_smt.d","rel":"assessment-for"}]},{"id":"sa-11.2_obj.d-3","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};","links":[{"href":"#sa-11.2_smt.d","rel":"assessment-for"}]},{"id":"sa-11.2_obj.d-4","name":"assessment-objective","props":[{"name":"label","value":"SA-11(02)(d)[04]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.","links":[{"href":"#sa-11.2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.2_smt","rel":"assessment-for"}]},{"id":"sa-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test plans\n\nrecords of developer security testing results for the system, system component, or system service\n\nvulnerability scanning results\n\nsystem risk assessment reports\n\nthreat and vulnerability analysis reports\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.3","class":"SP800-53-enhancement","title":"Independent Verification of Assessment Plans and Evidence","params":[{"id":"sa-11.03_odp","props":[{"name":"alt-identifier","value":"sa-11.3_prm_1"},{"name":"label","value":"SA-11(03)_ODP","class":"sp800-53a"}],"label":"independence criteria","guidelines":[{"prose":"independence criteria to be satisfied by an independent agent are defined;"}]}],"props":[{"name":"label","value":"SA-11(3)"},{"name":"label","value":"SA-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#at-3","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sa-11.3_smt","name":"statement","parts":[{"id":"sa-11.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Require an independent agent satisfying {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and"},{"id":"sa-11.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information."}]},{"id":"sa-11.3_gdn","name":"guidance","prose":"Independent agents have the qualifications—including the expertise, skills, training, certifications, and experience—to verify the correct implementation of developer security and privacy assessment plans."},{"id":"sa-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)","class":"sp800-53a"}],"parts":[{"id":"sa-11.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)[01]","class":"sp800-53a"}],"prose":"an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;","links":[{"href":"#sa-11.3_smt.a","rel":"assessment-for"}]},{"id":"sa-11.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(a)[02]","class":"sp800-53a"}],"prose":"an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;","links":[{"href":"#sa-11.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.3_smt.a","rel":"assessment-for"}]},{"id":"sa-11.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(03)(b)","class":"sp800-53a"}],"prose":"the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.","links":[{"href":"#sa-11.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.3_smt","rel":"assessment-for"}]},{"id":"sa-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nindependent verification and validation reports\n\nsecurity and privacy assessment plans\n\nresults of security and privacy assessments for the system, system component, or system service\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sa-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.4","class":"SP800-53-enhancement","title":"Manual Code Reviews","params":[{"id":"sa-11.04_odp.01","props":[{"name":"alt-identifier","value":"sa-11.4_prm_1"},{"name":"label","value":"SA-11(04)_ODP[01]","class":"sp800-53a"}],"label":"specific code","guidelines":[{"prose":"specific code requiring manual code review is defined;"}]},{"id":"sa-11.04_odp.02","props":[{"name":"alt-identifier","value":"sa-11.4_prm_2"},{"name":"label","value":"SA-11(04)_ODP[02]","class":"sp800-53a"}],"label":"processes, procedures, and\/or techniques","guidelines":[{"prose":"processes, procedures, and\/or techniques used for manual code reviews are defined;"}]}],"props":[{"name":"label","value":"SA-11(4)"},{"name":"label","value":"SA-11(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using the following processes, procedures, and\/or techniques: {{ insert: param, sa-11.04_odp.02 }}."},{"id":"sa-11.4_gdn","name":"guidance","prose":"Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls."},{"id":"sa-11.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(04)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using {{ insert: param, sa-11.04_odp.02 }}.","links":[{"href":"#sa-11.4_smt","rel":"assessment-for"}]},{"id":"sa-11.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocesses, procedures, and\/or techniques for performing manual code reviews\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nlist of code requiring manual reviews\n\nrecords of manual code reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer testing and evaluation"}]}]},{"id":"sa-11.5","class":"SP800-53-enhancement","title":"Penetration Testing","params":[{"id":"sa-11.5_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.05_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.05_odp.02"}],"label":"organization-defined breadth and depth of testing"},{"id":"sa-11.05_odp.01","props":[{"name":"label","value":"SA-11(05)_ODP[01]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of penetration testing is defined;"}]},{"id":"sa-11.05_odp.02","props":[{"name":"label","value":"SA-11(05)_ODP[02]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of penetration testing is defined;"}]},{"id":"sa-11.05_odp.03","props":[{"name":"alt-identifier","value":"sa-11.5_prm_2"},{"name":"label","value":"SA-11(05)_ODP[03]","class":"sp800-53a"}],"label":"constraints","guidelines":[{"prose":"constraints of penetration testing are defined;"}]}],"props":[{"name":"label","value":"SA-11(5)"},{"name":"label","value":"SA-11(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#pm-14","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"sa-11.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform penetration testing:","parts":[{"id":"sa-11.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following level of rigor: {{ insert: param, sa-11.5_prm_1 }} ; and"},{"id":"sa-11.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Under the following constraints: {{ insert: param, sa-11.05_odp.03 }}."}]},{"id":"sa-11.5_gdn","name":"guidance","prose":"Penetration testing is an assessment methodology in which assessors, using all available information technology product or system documentation and working under specific constraints, attempt to circumvent the implemented security and privacy features of information technology products and systems. Useful information for assessors who conduct penetration testing includes product and system design specifications, source code, and administrator and operator manuals. Penetration testing can include white-box, gray-box, or black-box testing with analyses performed by skilled professionals who simulate adversary actions. The objective of penetration testing is to discover vulnerabilities in systems, system components, and services that result from implementation errors, configuration faults, or other operational weaknesses or deficiencies. Penetration tests can be performed in conjunction with automated and manual code reviews to provide a greater level of analysis than would ordinarily be possible. When user session information and other personally identifiable information is captured or recorded during penetration testing, such information is handled appropriately to protect privacy."},{"id":"sa-11.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)","class":"sp800-53a"}],"parts":[{"id":"sa-11.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-11.5_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.01 }};","links":[{"href":"#sa-11.5_smt.a","rel":"assessment-for"}]},{"id":"sa-11.5_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.02 }};","links":[{"href":"#sa-11.5_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.5_smt.a","rel":"assessment-for"}]},{"id":"sa-11.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-11(05)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform penetration testing under {{ insert: param, sa-11.05_odp.03 }}.","links":[{"href":"#sa-11.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.5_smt","rel":"assessment-for"}]},{"id":"sa-11.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer penetration testing and evaluation plans\n\nsystem developer penetration testing and evaluation results\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"sa-11.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security and privacy assessments\n\nmechanisms supporting and\/or implementing the monitoring of developer security and privacy assessments"}]}]},{"id":"sa-11.6","class":"SP800-53-enhancement","title":"Attack Surface Reviews","props":[{"name":"label","value":"SA-11(6)"},{"name":"label","value":"SA-11(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#sa-15","rel":"related"}],"parts":[{"id":"sa-11.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform attack surface reviews."},{"id":"sa-11.6_gdn","name":"guidance","prose":"Attack surfaces of systems and system components are exposed areas that make those systems more vulnerable to attacks. Attack surfaces include any accessible areas where weaknesses or deficiencies in the hardware, software, and firmware components provide opportunities for adversaries to exploit vulnerabilities. Attack surface reviews ensure that developers analyze the design and implementation changes to systems and mitigate attack vectors generated as a result of the changes. The correction of identified flaws includes deprecation of unsafe functions."},{"id":"sa-11.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform attack surface reviews.","links":[{"href":"#sa-11.6_smt","rel":"assessment-for"}]},{"id":"sa-11.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nrecords of attack surface reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.7","class":"SP800-53-enhancement","title":"Verify Scope of Testing and Evaluation","params":[{"id":"sa-11.7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-11.07_odp.02"}],"label":"organization-defined breadth and depth of testing and evaluation"},{"id":"sa-11.07_odp.01","props":[{"name":"label","value":"SA-11(07)_ODP[01]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of testing and evaluation of required controls is defined;"}]},{"id":"sa-11.07_odp.02","props":[{"name":"label","value":"SA-11(07)_ODP[02]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of testing and evaluation of required controls is defined;"}]}],"props":[{"name":"label","value":"SA-11(7)"},{"name":"label","value":"SA-11(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"},{"href":"#sa-15","rel":"related"}],"parts":[{"id":"sa-11.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: {{ insert: param, sa-11.7_prm_1 }}."},{"id":"sa-11.7_gdn","name":"guidance","prose":"Verifying that testing and evaluation provides complete coverage of required controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance that corresponds to the degree of formality of the analysis. Rigorously demonstrating control coverage at the highest levels of assurance can be achieved using formal modeling and analysis techniques, including correlation between control implementation and corresponding test cases."},{"id":"sa-11.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)","class":"sp800-53a"}],"parts":[{"id":"sa-11.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.01 }};","links":[{"href":"#sa-11.7_smt","rel":"assessment-for"}]},{"id":"sa-11.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(07)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.02 }}.","links":[{"href":"#sa-11.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.7_smt","rel":"assessment-for"}]},{"id":"sa-11.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security testing and evaluation plans\n\nsystem developer security testing and evaluation results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\nsystem developers\n\nindependent verification agent"}]},{"id":"sa-11.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.8","class":"SP800-53-enhancement","title":"Dynamic Code Analysis","props":[{"name":"label","value":"SA-11(8)"},{"name":"label","value":"SA-11(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis."},{"id":"sa-11.8_gdn","name":"guidance","prose":"Dynamic code analysis provides runtime verification of software programs using tools capable of monitoring programs for memory corruption, user privilege issues, and other potential security problems. Dynamic code analysis employs runtime tools to ensure that security functionality performs in the way it was designed. A type of dynamic analysis, known as fuzz testing, induces program failures by deliberately introducing malformed or random data into software programs. Fuzz testing strategies are derived from the intended use of applications and the functional and design specifications for the applications. To understand the scope of dynamic code analysis and the assurance provided, organizations may also consider conducting code coverage analysis (i.e., checking the degree to which the code has been tested using metrics such as percent of subroutines tested or percent of program statements called during execution of the test suite) and\/or concordance analysis (i.e., checking for words that are out of place in software code, such as non-English language words or derogatory terms)."},{"id":"sa-11.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)","class":"sp800-53a"}],"parts":[{"id":"sa-11.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;","links":[{"href":"#sa-11.8_smt","rel":"assessment-for"}]},{"id":"sa-11.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(08)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the results of the analysis.","links":[{"href":"#sa-11.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.8_smt","rel":"assessment-for"}]},{"id":"sa-11.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing flaw remediation\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for monitoring developer security testing and evaluation\n\nmechanisms supporting and\/or implementing the monitoring of developer security testing and evaluation"}]}]},{"id":"sa-11.9","class":"SP800-53-enhancement","title":"Interactive Application Security Testing","props":[{"name":"label","value":"SA-11(9)"},{"name":"label","value":"SA-11(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-11.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-11","rel":"required"}],"parts":[{"id":"sa-11.9_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results."},{"id":"sa-11.9_gdn","name":"guidance","prose":"Interactive (also known as instrumentation-based) application security testing is a method of detecting vulnerabilities by observing applications as they run during testing. The use of instrumentation relies on direct measurements of the actual running applications and uses access to the code, user interaction, libraries, frameworks, backend connections, and configurations to directly measure control effectiveness. When combined with analysis techniques, interactive application security testing can identify a broad range of potential vulnerabilities and confirm control effectiveness. Instrumentation-based testing works in real time and can be used continuously throughout the system development life cycle."},{"id":"sa-11.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)","class":"sp800-53a"}],"parts":[{"id":"sa-11.9_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;","links":[{"href":"#sa-11.9_smt","rel":"assessment-for"}]},{"id":"sa-11.9_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-11(09)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to document the results of flaw identification.","links":[{"href":"#sa-11.9_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-11.9_smt","rel":"assessment-for"}]},{"id":"sa-11.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-11(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing system developer security testing\n\nprocedures addressing interactive application security testing\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer security test and evaluation plans\n\nsecurity test and evaluation results\n\nsecurity flaw and remediation tracking reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-11.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-11(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with developer security testing responsibilities\n\norganizational personnel with configuration management responsibilities\n\nsystem developers"}]},{"id":"sa-11.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-11(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for interactive application security testing\n\nmechanisms supporting and\/or implementing interactive application security testing"}]}]}]},{"id":"sa-12","class":"SP800-53","title":"Supply Chain Protection","props":[{"name":"label","value":"SA-12"},{"name":"label","value":"SA-12","class":"sp800-53a"},{"name":"sort-id","value":"sa-12"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr","rel":"incorporated-into"}],"controls":[{"id":"sa-12.1","class":"SP800-53-enhancement","title":"Acquisition Strategies \/ Tools \/ Methods","props":[{"name":"label","value":"SA-12(1)"},{"name":"label","value":"SA-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5","rel":"moved-to"}]},{"id":"sa-12.2","class":"SP800-53-enhancement","title":"Supplier Reviews","props":[{"name":"label","value":"SA-12(2)"},{"name":"label","value":"SA-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-6","rel":"moved-to"}]},{"id":"sa-12.3","class":"SP800-53-enhancement","title":"Trusted Shipping and Warehousing","props":[{"name":"label","value":"SA-12(3)"},{"name":"label","value":"SA-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3","rel":"incorporated-into"}]},{"id":"sa-12.4","class":"SP800-53-enhancement","title":"Diversity of Suppliers","props":[{"name":"label","value":"SA-12(4)"},{"name":"label","value":"SA-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3.1","rel":"moved-to"}]},{"id":"sa-12.5","class":"SP800-53-enhancement","title":"Limitation of Harm","props":[{"name":"label","value":"SA-12(5)"},{"name":"label","value":"SA-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3.2","rel":"moved-to"}]},{"id":"sa-12.6","class":"SP800-53-enhancement","title":"Minimizing Procurement Time","props":[{"name":"label","value":"SA-12(6)"},{"name":"label","value":"SA-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5.1","rel":"incorporated-into"}]},{"id":"sa-12.7","class":"SP800-53-enhancement","title":"Assessments Prior to Selection \/ Acceptance \/ Update","props":[{"name":"label","value":"SA-12(7)"},{"name":"label","value":"SA-12(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-5.2","rel":"moved-to"}]},{"id":"sa-12.8","class":"SP800-53-enhancement","title":"Use of All-source Intelligence","props":[{"name":"label","value":"SA-12(8)"},{"name":"label","value":"SA-12(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-3.2","rel":"incorporated-into"}]},{"id":"sa-12.9","class":"SP800-53-enhancement","title":"Operations Security","props":[{"name":"label","value":"SA-12(9)"},{"name":"label","value":"SA-12(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-7","rel":"moved-to"}]},{"id":"sa-12.10","class":"SP800-53-enhancement","title":"Validate as Genuine and Not Altered","props":[{"name":"label","value":"SA-12(10)"},{"name":"label","value":"SA-12(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.10"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-4.3","rel":"moved-to"}]},{"id":"sa-12.11","class":"SP800-53-enhancement","title":"Penetration Testing \/ Analysis of Elements, Processes, and Actors","props":[{"name":"label","value":"SA-12(11)"},{"name":"label","value":"SA-12(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-6.1","rel":"moved-to"}]},{"id":"sa-12.12","class":"SP800-53-enhancement","title":"Inter-organizational Agreements","props":[{"name":"label","value":"SA-12(12)"},{"name":"label","value":"SA-12(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.12"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-8","rel":"moved-to"}]},{"id":"sa-12.13","class":"SP800-53-enhancement","title":"Critical Information System Components","props":[{"name":"label","value":"SA-12(13)"},{"name":"label","value":"SA-12(13)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ma-6","rel":"incorporated-into"},{"href":"#ra-9","rel":"incorporated-into"}]},{"id":"sa-12.14","class":"SP800-53-enhancement","title":"Identity and Traceability","props":[{"name":"label","value":"SA-12(14)"},{"name":"label","value":"SA-12(14)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-4.1","rel":"incorporated-into"},{"href":"#sr-4.2","rel":"incorporated-into"}]},{"id":"sa-12.15","class":"SP800-53-enhancement","title":"Processes to Address Weaknesses or Deficiencies","props":[{"name":"label","value":"SA-12(15)"},{"name":"label","value":"SA-12(15)","class":"sp800-53a"},{"name":"sort-id","value":"sa-12.15"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-3","rel":"incorporated-into"}]}]},{"id":"sa-13","class":"SP800-53","title":"Trustworthiness","props":[{"name":"label","value":"SA-13"},{"name":"label","value":"SA-13","class":"sp800-53a"},{"name":"sort-id","value":"sa-13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-8","rel":"incorporated-into"}]},{"id":"sa-14","class":"SP800-53","title":"Criticality Analysis","props":[{"name":"label","value":"SA-14"},{"name":"label","value":"SA-14","class":"sp800-53a"},{"name":"sort-id","value":"sa-14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ra-9","rel":"incorporated-into"}],"controls":[{"id":"sa-14.1","class":"SP800-53-enhancement","title":"Critical Components with No Viable Alternative Sourcing","props":[{"name":"label","value":"SA-14(1)"},{"name":"label","value":"SA-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-14.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-20","rel":"incorporated-into"}]}]},{"id":"sa-15","class":"SP800-53","title":"Development Process, Standards, and Tools","params":[{"id":"sa-15_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15_odp.03"}],"label":"organization-defined security and privacy requirements"},{"id":"sa-15_odp.01","props":[{"name":"alt-identifier","value":"sa-15_prm_1"},{"name":"label","value":"SA-15_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;"}]},{"id":"sa-15_odp.02","props":[{"name":"label","value":"SA-15_ODP[02]","class":"sp800-53a"}],"label":"security requirements","guidelines":[{"prose":"security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]},{"id":"sa-15_odp.03","props":[{"name":"label","value":"SA-15_ODP[03]","class":"sp800-53a"}],"label":"privacy requirements","guidelines":[{"prose":"privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;"}]}],"props":[{"name":"label","value":"SA-15"},{"name":"label","value":"SA-15","class":"sp800-53a"},{"name":"sort-id","value":"sa-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ma-6","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"}],"parts":[{"id":"sa-15_smt","name":"statement","parts":[{"id":"sa-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Require the developer of the system, system component, or system service to follow a documented development process that:","parts":[{"id":"sa-15_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Explicitly addresses security and privacy requirements;"},{"id":"sa-15_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Identifies the standards and tools used in the development process;"},{"id":"sa-15_smt.a.3","name":"item","props":[{"name":"label","value":"3."}],"prose":"Documents the specific tool options and tool configurations used in the development process; and"},{"id":"sa-15_smt.a.4","name":"item","props":[{"name":"label","value":"4."}],"prose":"Documents, manages, and ensures the integrity of changes to the process and\/or tools used in development; and"}]},{"id":"sa-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review the development process, standards, tools, tool options, and tool configurations {{ insert: param, sa-15_odp.01 }} to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: {{ insert: param, sa-15_prm_2 }}."}]},{"id":"sa-15_gdn","name":"guidance","prose":"Development tools include programming languages and computer-aided design systems. Reviews of development processes include the use of maturity models to determine the potential effectiveness of such processes. Maintaining the integrity of changes to tools and processes facilitates effective supply chain risk assessment and mitigation. Such integrity requires configuration control throughout the system development life cycle to track authorized changes and prevent unauthorized changes."},{"id":"sa-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.1-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.1-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.01[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;","links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.1","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.02[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;","links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.2","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.a.3-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.3-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.03[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;","links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a.3","rel":"assessment-for"}]},{"id":"sa-15_obj.a.4","name":"assessment-objective","props":[{"name":"label","value":"SA-15a.04","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and\/or tools used in development;","links":[{"href":"#sa-15_smt.a.4","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.a","rel":"assessment-for"}]},{"id":"sa-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.","class":"sp800-53a"}],"parts":[{"id":"sa-15_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]},{"id":"sa-15_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15b.[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.","links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15_smt","rel":"assessment-for"}]},{"id":"sa-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements during the development process\n\nsolicitation documentation\n\nacquisition documentation\n\ncritical component inventory documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem developer documentation listing tool options\/configuration guides\n\nconfiguration management policy\n\nconfiguration management records\n\ndocumentation of development process reviews using maturity models\n\nchange control records\n\nconfiguration control records\n\ndocumented reviews of the development process, standards, tools, and tool options\/configurations\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-15.1","class":"SP800-53-enhancement","title":"Quality Metrics","params":[{"id":"sa-15.01_odp.01","props":[{"name":"alt-identifier","value":"sa-15.1_prm_1"},{"name":"label","value":"SA-15(01)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, sa-15.01_odp.02 }} ","{{ insert: param, sa-15.01_odp.03 }} ","upon delivery"]}},{"id":"sa-15.01_odp.02","props":[{"name":"alt-identifier","value":"sa-15.1_prm_2"},{"name":"label","value":"SA-15(01)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to provide evidence of meeting the quality metrics is defined (if selected);"}]},{"id":"sa-15.01_odp.03","props":[{"name":"alt-identifier","value":"sa-15.1_prm_3"},{"name":"alt-label","value":"program review milestones","class":"sp800-53"},{"name":"label","value":"SA-15(01)_ODP[03]","class":"sp800-53a"}],"label":"program review","guidelines":[{"prose":"program review milestones are defined (if selected);"}]}],"props":[{"name":"label","value":"SA-15(1)"},{"name":"label","value":"SA-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-15.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Define quality metrics at the beginning of the development process; and"},{"id":"sa-15.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}."}]},{"id":"sa-15.1_gdn","name":"guidance","prose":"Organizations use quality metrics to establish acceptable levels of system quality. Metrics can include quality gates, which are collections of completion criteria or sufficiency standards that represent the satisfactory execution of specific phases of the system development project. For example, a quality gate may require the elimination of all compiler warnings or a determination that such warnings have no impact on the effectiveness of required security or privacy capabilities. During the execution phases of development projects, quality gates provide clear, unambiguous indications of progress. Other metrics apply to the entire development project. Metrics can include defining the severity thresholds of vulnerabilities in accordance with organizational risk tolerance, such as requiring no known vulnerabilities in the delivered system with a Common Vulnerability Scoring System (CVSS) severity of medium or high."},{"id":"sa-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)","class":"sp800-53a"}],"parts":[{"id":"sa-15.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;","links":[{"href":"#sa-15.1_smt.a","rel":"assessment-for"}]},{"id":"sa-15.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(01)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}.","links":[{"href":"#sa-15.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.1_smt","rel":"assessment-for"}]},{"id":"sa-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of quality metrics\n\ndocumentation evidence of meeting quality metrics\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]}]},{"id":"sa-15.2","class":"SP800-53-enhancement","title":"Security and Privacy Tracking Tools","props":[{"name":"label","value":"SA-15(2)"},{"name":"label","value":"SA-15(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process."},{"id":"sa-15.2_gdn","name":"guidance","prose":"System development teams select and deploy security and privacy tracking tools, including vulnerability or work item tracking systems that facilitate assignment, sorting, filtering, and tracking of completed work items or tasks associated with development processes."},{"id":"sa-15.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)","class":"sp800-53a"}],"parts":[{"id":"sa-15.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;","links":[{"href":"#sa-15.2_smt","rel":"assessment-for"}]},{"id":"sa-15.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(02)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process.","links":[{"href":"#sa-15.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.2_smt","rel":"assessment-for"}]},{"id":"sa-15.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing the integration of security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ndocumentation of the selection of security and privacy tracking tools\n\nevidence of employing security and privacy tracking tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"sa-15.3","class":"SP800-53-enhancement","title":"Criticality Analysis","params":[{"id":"sa-15.3_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-15.03_odp.03"}],"label":"organization-defined breadth and depth of criticality analysis"},{"id":"sa-15.03_odp.01","props":[{"name":"alt-identifier","value":"sa-15.3_prm_1"},{"name":"alt-label","value":"decision points in the system development life cycle","class":"sp800-53"},{"name":"label","value":"SA-15(03)_ODP[01]","class":"sp800-53a"}],"label":"decision points","guidelines":[{"prose":"decision points in the system development life cycle are defined;"}]},{"id":"sa-15.03_odp.02","props":[{"name":"label","value":"SA-15(03)_ODP[02]","class":"sp800-53a"}],"label":"breadth","guidelines":[{"prose":"the breadth of criticality analysis is defined;"}]},{"id":"sa-15.03_odp.03","props":[{"name":"label","value":"SA-15(03)_ODP[03]","class":"sp800-53a"}],"label":"depth","guidelines":[{"prose":"the depth of criticality analysis is defined;"}]}],"props":[{"name":"label","value":"SA-15(3)"},{"name":"label","value":"SA-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sa-15.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to perform a criticality analysis:","parts":[{"id":"sa-15.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"At the following decision points in the system development life cycle: {{ insert: param, sa-15.03_odp.01 }} ; and"},{"id":"sa-15.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"At the following level of rigor: {{ insert: param, sa-15.3_prm_2 }}."}]},{"id":"sa-15.3_gdn","name":"guidance","prose":"Criticality analysis performed by the developer provides input to the criticality analysis performed by organizations. Developer input is essential to organizational criticality analysis because organizations may not have access to detailed design documentation for system components that are developed as commercial off-the-shelf products. Such design documentation includes functional specifications, high-level designs, low-level designs, source code, and hardware schematics. Criticality analysis is important for organizational systems that are designated as high value assets. High value assets can be moderate- or high-impact systems due to heightened adversarial interest or potential adverse effects on the federal enterprise. Developer input is especially important when organizations conduct supply chain criticality analyses."},{"id":"sa-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;","links":[{"href":"#sa-15.3_smt.a","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-15.3_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]},{"id":"sa-15.3_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(03)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .","links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.3_smt","rel":"assessment-for"}]},{"id":"sa-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing criticality analysis requirements for the system, system component, or system service\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ncriticality analysis documentation\n\nbusiness impact analysis documentation\n\nsoftware development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for performing criticality analysis\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sa-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for performing criticality analysis\n\nmechanisms supporting and\/or implementing criticality analysis"}]}]},{"id":"sa-15.4","class":"SP800-53-enhancement","title":"Threat Modeling and Vulnerability Analysis","props":[{"name":"label","value":"SA-15(4)"},{"name":"label","value":"SA-15(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-11.2","rel":"incorporated-into"}]},{"id":"sa-15.5","class":"SP800-53-enhancement","title":"Attack Surface Reduction","params":[{"id":"sa-15.05_odp","props":[{"name":"alt-identifier","value":"sa-15.5_prm_1"},{"name":"label","value":"SA-15(05)_ODP","class":"sp800-53a"}],"label":"thresholds","guidelines":[{"prose":"thresholds to which attack surfaces are to be reduced are defined;"}]}],"props":[{"name":"label","value":"SA-15(5)"},{"name":"label","value":"SA-15(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ac-6","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}."},{"id":"sa-15.5_gdn","name":"guidance","prose":"Attack surface reduction is closely aligned with threat and vulnerability analyses and system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within systems, system components, and system services. Attack surface reduction includes implementing the concept of layered defenses, applying the principles of least privilege and least functionality, applying secure software development practices, deprecating unsafe functions, reducing entry points available to unauthorized users, reducing the amount of code that executes, and eliminating application programming interfaces (APIs) that are vulnerable to attacks."},{"id":"sa-15.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(05)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.","links":[{"href":"#sa-15.5_smt","rel":"assessment-for"}]},{"id":"sa-15.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nprocedures addressing attack surface reduction\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system or system service\n\nsystem design documentation\n\nnetwork diagram\n\nsystem configuration settings and associated documentation establishing\/enforcing organization-defined thresholds for reducing attack surfaces\n\nlist of restricted ports, protocols, functions, and services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for attack surface reduction thresholds\n\nsystem developer"}]},{"id":"sa-15.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining attack surface reduction thresholds"}]}]},{"id":"sa-15.6","class":"SP800-53-enhancement","title":"Continuous Improvement","props":[{"name":"label","value":"SA-15(6)"},{"name":"label","value":"SA-15(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process."},{"id":"sa-15.6_gdn","name":"guidance","prose":"Developers of systems, system components, and system services consider the effectiveness and efficiency of their development processes for meeting quality objectives and addressing the security and privacy capabilities in current threat environments."},{"id":"sa-15.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.","links":[{"href":"#sa-15.6_smt","rel":"assessment-for"}]},{"id":"sa-15.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nquality goals and metrics for improving the system development process\n\nsecurity assessments\n\nquality control reviews of system development process\n\nplans of action and milestones for improving the system development process\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-15.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-15.7","class":"SP800-53-enhancement","title":"Automated Vulnerability Analysis","params":[{"id":"sa-15.07_odp.01","props":[{"name":"alt-identifier","value":"sa-15.7_prm_1"},{"name":"label","value":"SA-15(07)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to conduct vulnerability analysis is defined;"}]},{"id":"sa-15.07_odp.02","props":[{"name":"alt-identifier","value":"sa-15.7_prm_2"},{"name":"label","value":"SA-15(07)_ODP[02]","class":"sp800-53a"}],"label":"tools","guidelines":[{"prose":"tools used to perform automated vulnerability analysis are defined;"}]},{"id":"sa-15.07_odp.03","props":[{"name":"alt-identifier","value":"sa-15.7_prm_3"},{"name":"label","value":"SA-15(07)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is\/are defined;"}]}],"props":[{"name":"label","value":"SA-15(7)"},{"name":"label","value":"SA-15(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-15.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service {{ insert: param, sa-15.07_odp.01 }} to:","parts":[{"id":"sa-15.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Perform an automated vulnerability analysis using {{ insert: param, sa-15.07_odp.02 }};"},{"id":"sa-15.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Determine the exploitation potential for discovered vulnerabilities;"},{"id":"sa-15.7_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Determine potential risk mitigations for delivered vulnerabilities; and"},{"id":"sa-15.7_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Deliver the outputs of the tools and results of the analysis to {{ insert: param, sa-15.07_odp.03 }}."}]},{"id":"sa-15.7_gdn","name":"guidance","prose":"Automated tools can be more effective at analyzing exploitable weaknesses or deficiencies in large and complex systems, prioritizing vulnerabilities by severity, and providing recommendations for risk mitigations."},{"id":"sa-15.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)","class":"sp800-53a"}],"parts":[{"id":"sa-15.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to perform automated vulnerability analysis {{ insert: param, sa-15.07_odp.01 }} using {{ insert: param, sa-15.07_odp.02 }};","links":[{"href":"#sa-15.7_smt.a","rel":"assessment-for"}]},{"id":"sa-15.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities {{ insert: param, sa-15.07_odp.01 }};","links":[{"href":"#sa-15.7_smt.b","rel":"assessment-for"}]},{"id":"sa-15.7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to determine potential risk mitigations {{ insert: param, sa-15.07_odp.01 }} for delivered vulnerabilities;","links":[{"href":"#sa-15.7_smt.c","rel":"assessment-for"}]},{"id":"sa-15.7_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-15(07)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis {{ insert: param, sa-15.07_odp.01 }} to {{ insert: param, sa-15.07_odp.03 }}.","links":[{"href":"#sa-15.7_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.7_smt","rel":"assessment-for"}]},{"id":"sa-15.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nvulnerability analysis tools and associated documentation\n\nrisk assessment reports\n\nvulnerability analysis results\n\nvulnerability mitigation reports\n\nrisk mitigation strategy documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel performing automated vulnerability analysis on the system"}]},{"id":"sa-15.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for vulnerability analysis of systems, system components, or system services under development\n\nmechanisms supporting and\/or implementing vulnerability analysis of systems, system components, or system services under development"}]}]},{"id":"sa-15.8","class":"SP800-53-enhancement","title":"Reuse of Threat and Vulnerability Information","props":[{"name":"label","value":"SA-15(8)"},{"name":"label","value":"SA-15(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"}],"parts":[{"id":"sa-15.8_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process."},{"id":"sa-15.8_gdn","name":"guidance","prose":"Analysis of vulnerabilities found in similar software applications can inform potential design and implementation issues for systems under development. Similar systems or system components may exist within developer organizations. Vulnerability information is available from a variety of public and private sector sources, including the NIST National Vulnerability Database."},{"id":"sa-15.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)","class":"sp800-53a"}],"parts":[{"id":"sa-15.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;","links":[{"href":"#sa-15.8_smt","rel":"assessment-for"}]},{"id":"sa-15.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(08)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.","links":[{"href":"#sa-15.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.8_smt","rel":"assessment-for"}]},{"id":"sa-15.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsupply chain risk management plan\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nthreat modeling and vulnerability analyses from similar systems, system components, or system services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-15.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-15.9","class":"SP800-53-enhancement","title":"Use of Live Data","props":[{"name":"label","value":"SA-15(9)"},{"name":"label","value":"SA-15(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-3.2","rel":"incorporated-into"}]},{"id":"sa-15.10","class":"SP800-53-enhancement","title":"Incident Response Plan","props":[{"name":"label","value":"SA-15(10)"},{"name":"label","value":"SA-15(10)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sa-15.10_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan."},{"id":"sa-15.10_gdn","name":"guidance","prose":"The incident response plan provided by developers may provide information not readily available to organizations and be incorporated into organizational incident response plans. Developer information may also be extremely helpful, such as when organizations respond to vulnerabilities in commercial off-the-shelf products."},{"id":"sa-15.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)","class":"sp800-53a"}],"parts":[{"id":"sa-15.10_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide an incident response plan;","links":[{"href":"#sa-15.10_smt","rel":"assessment-for"}]},{"id":"sa-15.10_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to implement an incident response plan;","links":[{"href":"#sa-15.10_smt","rel":"assessment-for"}]},{"id":"sa-15.10_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SA-15(10)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to test an incident response plan.","links":[{"href":"#sa-15.10_smt","rel":"assessment-for"}]}],"links":[{"href":"#sa-15.10_smt","rel":"assessment-for"}]},{"id":"sa-15.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing incident response, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system components or services\n\nacquisition documentation\n\nsolicitation documentation\n\nservice level agreements\n\ndeveloper incident response plan\n\nsystem security plan\n\nprivacy plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-15.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with supply chain risk management responsibilities"}]}]},{"id":"sa-15.11","class":"SP800-53-enhancement","title":"Archive System or Component","props":[{"name":"label","value":"SA-15(11)"},{"name":"label","value":"SA-15(11)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#cm-2","rel":"related"}],"parts":[{"id":"sa-15.11_smt","name":"statement","prose":"Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review."},{"id":"sa-15.11_gdn","name":"guidance","prose":"Archiving system or system components requires the developer to retain key development artifacts, including hardware specifications, source code, object code, and relevant documentation from the development process that can provide a readily available configuration baseline for system and component upgrades or modifications."},{"id":"sa-15.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(11)","class":"sp800-53a"}],"prose":"the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.","links":[{"href":"#sa-15.11_smt","rel":"assessment-for"}]},{"id":"sa-15.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing development process, standards, and tools\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system or system component\n\nevidence of archived system or component\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-15.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with privacy responsibilities"}]}]},{"id":"sa-15.12","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information","props":[{"name":"label","value":"SA-15(12)"},{"name":"label","value":"SA-15(12)","class":"sp800-53a"},{"name":"sort-id","value":"sa-15.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-15","rel":"required"},{"href":"#pm-25","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-15.12_smt","name":"statement","prose":"Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments."},{"id":"sa-15.12_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by using techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information in development and test environments helps reduce the level of privacy risk created by a system."},{"id":"sa-15.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-15(12)","class":"sp800-53a"}],"prose":"the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.","links":[{"href":"#sa-15.12_smt","rel":"assessment-for"}]},{"id":"sa-15.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-15(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the development process\n\nprocedures addressing the minimization of personally identifiable information in testing, training, and research\n\npersonally identifiable information processing policy\n\nprocedures addressing the authority to test with personally identifiable information\n\nstandards and tools\n\nsolicitation documentation\n\nservice level agreements\n\nacquisition contracts for the system or services\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-15.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-15(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"sa-15.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-15(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information in development and test environments\n\nmechanisms to facilitate the minimization of personally identifiable information in development and test environments"}]}]}]},{"id":"sa-16","class":"SP800-53","title":"Developer-provided Training","params":[{"id":"sa-16_odp","props":[{"name":"alt-identifier","value":"sa-16_prm_1"},{"name":"label","value":"SA-16_ODP","class":"sp800-53a"}],"label":"training","guidelines":[{"prose":"training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms provided by the developer of the system, system component, or system service is defined;"}]}],"props":[{"name":"label","value":"SA-16"},{"name":"label","value":"SA-16","class":"sp800-53a"},{"name":"sort-id","value":"sa-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#at-2","rel":"related"},{"href":"#at-3","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-16_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms: {{ insert: param, sa-16_odp }}."},{"id":"sa-16_gdn","name":"guidance","prose":"Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms."},{"id":"sa-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-16","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and\/or mechanisms.","links":[{"href":"#sa-16_smt","rel":"assessment-for"}]},{"id":"sa-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing developer-provided training\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\norganizational security and privacy training policy\n\ndeveloper-provided training materials\n\ntraining records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"sa-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\nexternal or internal (in-house) developers with training responsibilities for the system, system component, or information system service"}]}]},{"id":"sa-17","class":"SP800-53","title":"Developer Security and Privacy Architecture and Design","props":[{"name":"label","value":"SA-17"},{"name":"label","value":"SA-17","class":"sp800-53a"},{"name":"sort-id","value":"sa-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#87087451-2af5-43d4-88c1-d66ad850f614","rel":"reference"},{"href":"#4452efc0-e79e-47b8-aa30-b54f3ef61c2f","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#pl-2","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-7","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sa-17_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that:","parts":[{"id":"sa-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Is consistent with the organization’s security and privacy architecture that is an integral part the organization’s enterprise architecture;"},{"id":"sa-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Accurately and completely describes the required security and privacy functionality, and the allocation of controls among physical and logical components; and"},{"id":"sa-17_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection."}]},{"id":"sa-17_gdn","name":"guidance","prose":"Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, [PL-8](#pl-8) is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and [PL-8](#pl-8) is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2](#87087451-2af5-43d4-88c1-d66ad850f614), [ISO 15408-3](#4452efc0-e79e-47b8-aa30-b54f3ef61c2f) , and [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing."},{"id":"sa-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;","links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]},{"id":"sa-17_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;","links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.a","rel":"assessment-for"}]},{"id":"sa-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;","links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]},{"id":"sa-17_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;","links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.b","rel":"assessment-for"}]},{"id":"sa-17_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)","class":"sp800-53a"}],"parts":[{"id":"sa-17_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;","links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]},{"id":"sa-17_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(c)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.","links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sa-17_smt","rel":"assessment-for"}]},{"id":"sa-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\ninformation system configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}],"controls":[{"id":"sa-17.1","class":"SP800-53-enhancement","title":"Formal Policy Model","params":[{"id":"sa-17.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-17.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sa-17.01_odp.02"}],"label":"organization-defined elements of organizational security and privacy policy"},{"id":"sa-17.01_odp.01","props":[{"name":"label","value":"SA-17(01)_ODP[01]","class":"sp800-53a"}],"label":"organizational security policy","guidelines":[{"prose":"organizational security policy to be enforced is defined;"}]},{"id":"sa-17.01_odp.02","props":[{"name":"label","value":"SA-17(01)_ODP[02]","class":"sp800-53a"}],"label":"organizational privacy policy","guidelines":[{"prose":"organizational privacy policy to be enforced is defined;"}]}],"props":[{"name":"label","value":"SA-17(1)"},{"name":"label","value":"SA-17(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"}],"parts":[{"id":"sa-17.1_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, a formal policy model describing the {{ insert: param, sa-17.1_prm_1 }} to be enforced; and"},{"id":"sa-17.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security and privacy policy when implemented."}]},{"id":"sa-17.1_gdn","name":"guidance","prose":"Formal models describe specific behaviors or security and privacy policies using formal languages, thus enabling the correctness of those behaviors and policies to be formally proven. Not all components of systems can be modeled. Generally, formal specifications are scoped to the behaviors or policies of interest, such as nondiscretionary access control policies. Organizations choose the formal modeling language and approach based on the nature of the behaviors and policies to be described and the available tools."},{"id":"sa-17.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.01 }} to be enforced;","links":[{"href":"#sa-17.1_smt.a","rel":"assessment-for"}]},{"id":"sa-17.1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.02 }} to be enforced;","links":[{"href":"#sa-17.1_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.1_smt.a","rel":"assessment-for"}]},{"id":"sa-17.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)","class":"sp800-53a"}],"parts":[{"id":"sa-17.1_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;","links":[{"href":"#sa-17.1_smt.b","rel":"assessment-for"}]},{"id":"sa-17.1_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(01)(b)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.","links":[{"href":"#sa-17.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.1_smt","rel":"assessment-for"}]},{"id":"sa-17.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nsystem and services acquisition procedures\n\nenterprise architecture policy\n\nenterprise architecture documentation\n\nprocedures addressing developer security and privacy architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]}]},{"id":"sa-17.2","class":"SP800-53-enhancement","title":"Security-relevant Components","props":[{"name":"label","value":"SA-17(2)"},{"name":"label","value":"SA-17(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-25","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.2_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Define security-relevant hardware, software, and firmware; and"},{"id":"sa-17.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."}]},{"id":"sa-17.2_gdn","name":"guidance","prose":"The security-relevant hardware, software, and firmware represent the portion of the system, component, or service that is trusted to perform correctly to maintain required security properties."},{"id":"sa-17.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)","class":"sp800-53a"}],"parts":[{"id":"sa-17.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[01]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant hardware;","links":[{"href":"#sa-17.2_smt.a","rel":"assessment-for"}]},{"id":"sa-17.2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[02]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant software;","links":[{"href":"#sa-17.2_smt.a","rel":"assessment-for"}]},{"id":"sa-17.2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(a)[03]","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to define security-relevant firmware;","links":[{"href":"#sa-17.2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.2_smt.a","rel":"assessment-for"}]},{"id":"sa-17.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(02)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.","links":[{"href":"#sa-17.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.2_smt","rel":"assessment-for"}]},{"id":"sa-17.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of security-relevant hardware, software, and firmware components\n\ndocumented rationale of completeness regarding definitions provided for security-relevant hardware, software, and firmware\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.3","class":"SP800-53-enhancement","title":"Formal Correspondence","props":[{"name":"label","value":"SA-17(3)"},{"name":"label","value":"SA-17(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.3_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;"},{"id":"sa-17.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Show via proof to the extent feasible with additional informal demonstration as necessary, that the formal top-level specification is consistent with the formal policy model;"},{"id":"sa-17.3_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Show via informal demonstration, that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.3_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware; and"},{"id":"sa-17.3_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification but strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.3_gdn","name":"guidance","prose":"Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that any additional code or implementation details that are present have no impact on the behaviors or policies being modeled. Formal methods can be used to show that the high-level security properties are satisfied by the formal system description, and that the formal system description is correctly implemented by a description of some lower level, including a hardware description. Consistency between the formal top-level specification and the formal policy models is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to demonstrate such consistency. Consistency between the formal top-level specification and the actual implementation may require the use of an informal demonstration due to limitations on the applicability of formal methods to prove that the specification accurately reflects the implementation. Hardware, software, and firmware mechanisms internal to security-relevant components include mapping registers and direct memory input and output."},{"id":"sa-17.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)","class":"sp800-53a"}],"parts":[{"id":"sa-17.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;","links":[{"href":"#sa-17.3_smt.a","rel":"assessment-for"}]},{"id":"sa-17.3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;","links":[{"href":"#sa-17.3_smt.a","rel":"assessment-for"}]},{"id":"sa-17.3_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(a)[03]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;","links":[{"href":"#sa-17.3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.3_smt.a","rel":"assessment-for"}]},{"id":"sa-17.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;","links":[{"href":"#sa-17.3_smt.b","rel":"assessment-for"}]},{"id":"sa-17.3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;","links":[{"href":"#sa-17.3_smt.c","rel":"assessment-for"}]},{"id":"sa-17.3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;","links":[{"href":"#sa-17.3_smt.d","rel":"assessment-for"}]},{"id":"sa-17.3_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-17(03)(e)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.","links":[{"href":"#sa-17.3_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.3_smt","rel":"assessment-for"}]},{"id":"sa-17.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nformal policy model\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nformal top-level specification documentation\n\nsystem security architecture and design documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the formal top-level specification documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.4","class":"SP800-53-enhancement","title":"Informal Correspondence","params":[{"id":"sa-17.04_odp","props":[{"name":"alt-identifier","value":"sa-17.4_prm_1"},{"name":"label","value":"SA-17(04)_ODP","class":"sp800-53a"}],"select":{"choice":["informal demonstration, convincing argument with formal methods as feasible"]}}],"props":[{"name":"label","value":"SA-17(4)"},{"name":"label","value":"SA-17(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"}],"parts":[{"id":"sa-17.4_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions, error messages, and effects;"},{"id":"sa-17.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;"},{"id":"sa-17.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Show via informal demonstration, that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"},{"id":"sa-17.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware; and"},{"id":"sa-17.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Describe the security-relevant hardware, software, and firmware mechanisms not addressed in the descriptive top-level specification but strictly internal to the security-relevant hardware, software, and firmware."}]},{"id":"sa-17.4_gdn","name":"guidance","prose":"Correspondence is an important part of the assurance gained through modeling. It demonstrates that the implementation is an accurate transformation of the model, and that additional code or implementation detail has no impact on the behaviors or policies being modeled. Consistency between the descriptive top-level specification (i.e., high-level\/low-level design) and the formal policy model is generally not amenable to being fully proven. Therefore, a combination of formal and informal methods may be needed to show such consistency. Hardware, software, and firmware mechanisms strictly internal to security-relevant hardware, software, and firmware include mapping registers and direct memory input and output."},{"id":"sa-17.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)","class":"sp800-53a"}],"parts":[{"id":"sa-17.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)","class":"sp800-53a"}],"parts":[{"id":"sa-17.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[01]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;","links":[{"href":"#sa-17.4_smt.a","rel":"assessment-for"}]},{"id":"sa-17.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[02]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;","links":[{"href":"#sa-17.4_smt.a","rel":"assessment-for"}]},{"id":"sa-17.4_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(a)[03]","class":"sp800-53a"}],"prose":"as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;","links":[{"href":"#sa-17.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.4_smt.a","rel":"assessment-for"}]},{"id":"sa-17.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;","links":[{"href":"#sa-17.4_smt.b","rel":"assessment-for"}]},{"id":"sa-17.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(c)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;","links":[{"href":"#sa-17.4_smt.c","rel":"assessment-for"}]},{"id":"sa-17.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(d)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;","links":[{"href":"#sa-17.4_smt.d","rel":"assessment-for"}]},{"id":"sa-17.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SA-17(04)(e)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.","links":[{"href":"#sa-17.4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.4_smt","rel":"assessment-for"}]},{"id":"sa-17.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nformal policy model\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninformal, descriptive top-level specification documentation\n\nsystem security architecture and design documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing security-relevant hardware, software, and firmware mechanisms not addressed in the informal, descriptive top-level specification documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.5","class":"SP800-53-enhancement","title":"Conceptually Simple Design","props":[{"name":"label","value":"SA-17(5)"},{"name":"label","value":"SA-17(05)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sa-17.5_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to:","parts":[{"id":"sa-17.5_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics; and"},{"id":"sa-17.5_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."}]},{"id":"sa-17.5_gdn","name":"guidance","prose":"The principle of reduced complexity states that the system design is as simple and small as possible (see [SA-8(7)](#sa-8.7) ). A small and simple design is easier to understand and analyze and is also less prone to error (see [AC-25](#ac-25), [SA-8(13)](#sa-8.13) ). The principle of reduced complexity applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions and facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain. That is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex."},{"id":"sa-17.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)","class":"sp800-53a"}],"parts":[{"id":"sa-17.5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)(a)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;","links":[{"href":"#sa-17.5_smt.a","rel":"assessment-for"}]},{"id":"sa-17.5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-17(05)(b)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.","links":[{"href":"#sa-17.5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-17.5_smt","rel":"assessment-for"}]},{"id":"sa-17.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.6","class":"SP800-53-enhancement","title":"Structure for Testing","props":[{"name":"label","value":"SA-17(6)"},{"name":"label","value":"SA-17(06)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#sa-5","rel":"related"},{"href":"#sa-11","rel":"related"}],"parts":[{"id":"sa-17.6_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing."},{"id":"sa-17.6_gdn","name":"guidance","prose":"Applying the security design principles in [SP 800-160-1](#e3cc0520-a366-4fc9-abc2-5272db7e3564) promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service."},{"id":"sa-17.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(06)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.","links":[{"href":"#sa-17.6_smt","rel":"assessment-for"}]},{"id":"sa-17.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nprivacy architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate testing\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with information security and privacy architecture and design responsibilities"}]}]},{"id":"sa-17.7","class":"SP800-53-enhancement","title":"Structure for Least Privilege","props":[{"name":"label","value":"SA-17(7)"},{"name":"label","value":"SA-17(07)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"},{"href":"#ac-5","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-17.7_smt","name":"statement","prose":"Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege."},{"id":"sa-17.7_gdn","name":"guidance","prose":"The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions but no more (see [SA-8(14)](#sa-8.14) ). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in a minimized security impact. Second, the security analysis of the component is simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has a need to view the audit data that has been collected but no need to perform operations on that data.\n\nIn addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated upon by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality, and the access modes to the elements (e.g., read, write) are minimal."},{"id":"sa-17.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(07)","class":"sp800-53a"}],"prose":"the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.","links":[{"href":"#sa-17.7_smt","rel":"assessment-for"}]},{"id":"sa-17.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design specifications for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing the design and structure of security-relevant hardware, software, and firmware components to facilitate controlling access with least privilege\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture and design responsibilities"}]}]},{"id":"sa-17.8","class":"SP800-53-enhancement","title":"Orchestration","params":[{"id":"sa-17.08_odp.01","props":[{"name":"alt-identifier","value":"sa-17.8_prm_1"},{"name":"alt-label","value":"critical systems or system components","class":"sp800-53"},{"name":"label","value":"SA-17(08)_ODP[01]","class":"sp800-53a"}],"label":"critical systems","guidelines":[{"prose":"critical systems or system components are defined;"}]},{"id":"sa-17.08_odp.02","props":[{"name":"alt-identifier","value":"sa-17.8_prm_2"},{"name":"alt-label","value":"capabilities, by system or component","class":"sp800-53"},{"name":"label","value":"SA-17(08)_ODP[02]","class":"sp800-53a"}],"label":"capabilities","guidelines":[{"prose":"capabilities to be implemented by systems or components are defined;"}]}],"props":[{"name":"label","value":"SA-17(8)"},{"name":"label","value":"SA-17(08)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"}],"parts":[{"id":"sa-17.8_smt","name":"statement","prose":"Design {{ insert: param, sa-17.08_odp.01 }} with coordinated behavior to implement the following capabilities: {{ insert: param, sa-17.08_odp.02 }}."},{"id":"sa-17.8_gdn","name":"guidance","prose":"Security resources that are distributed, located at different layers or in different system elements, or are implemented to support different aspects of trustworthiness can interact in unforeseen or incorrect ways. Adverse consequences can include cascading failures, interference, or coverage gaps. Coordination of the behavior of security resources (e.g., by ensuring that one patch is installed across all resources before making a configuration change that assumes that the patch is propagated) can avert such negative interactions."},{"id":"sa-17.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sa-17.08_odp.01 }} are designed with coordinated behavior to implement {{ insert: param, sa-17.08_odp.02 }}.","links":[{"href":"#sa-17.8_smt","rel":"assessment-for"}]},{"id":"sa-17.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security and privacy architecture and design\n\nenterprise architecture\n\nsecurity architecture\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing design orchestration\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sa-17.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture responsibilities"}]}]},{"id":"sa-17.9","class":"SP800-53-enhancement","title":"Design Diversity","params":[{"id":"sa-17.09_odp","props":[{"name":"alt-identifier","value":"sa-17.9_prm_1"},{"name":"alt-label","value":"critical systems or system components","class":"sp800-53"},{"name":"label","value":"SA-17(09)_ODP","class":"sp800-53a"}],"label":"critical systems","guidelines":[{"prose":"critical systems or system components to be designed differently are defined;"}]}],"props":[{"name":"label","value":"SA-17(9)"},{"name":"label","value":"SA-17(09)","class":"sp800-53a"},{"name":"sort-id","value":"sa-17.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sa-17","rel":"required"}],"parts":[{"id":"sa-17.9_smt","name":"statement","prose":"Use different designs for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality."},{"id":"sa-17.9_gdn","name":"guidance","prose":"Design diversity is achieved by supplying the same requirements specification to multiple developers, each of whom is responsible for developing a variant of the system or system component that meets the requirements. Variants can be in software design, in hardware design, or in both hardware and a software design. Differences in the designs of the variants can result from developer experience (e.g., prior use of a design pattern), design style (e.g., when decomposing a required function into smaller tasks, determining what constitutes a separate task and how far to decompose tasks into sub-tasks), selection of libraries to incorporate into the variant, and the development environment (e.g., different design tools make some design patterns easier to visualize). Hardware design diversity includes making different decisions about what information to keep in analog form and what information to convert to digital form, transmitting the same information at different times, and introducing delays in sampling (temporal diversity). Design diversity is commonly used to support fault tolerance."},{"id":"sa-17.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-17(09)","class":"sp800-53a"}],"prose":"different designs are used for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality.","links":[{"href":"#sa-17.9_smt","rel":"assessment-for"}]},{"id":"sa-17.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-17(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nenterprise architecture policy\n\nprocedures addressing developer security architecture and design diversity for the system\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem design documentation\n\nsystem security architecture documentation\n\nsystem configuration settings and associated documentation\n\ndeveloper documentation describing design diversity\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-17.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-17(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with information security architecture responsibilities"}]}]}]},{"id":"sa-18","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SA-18"},{"name":"label","value":"SA-18","class":"sp800-53a"},{"name":"sort-id","value":"sa-18"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9","rel":"moved-to"}],"controls":[{"id":"sa-18.1","class":"SP800-53-enhancement","title":"Multiple Phases of System Development Life Cycle","props":[{"name":"label","value":"SA-18(1)"},{"name":"label","value":"SA-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-18.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9.1","rel":"moved-to"}]},{"id":"sa-18.2","class":"SP800-53-enhancement","title":"Inspection of Systems or Components","props":[{"name":"label","value":"SA-18(2)"},{"name":"sort-id","value":"sa-18.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-10","rel":"moved-to"}]}]},{"id":"sa-19","class":"SP800-53","title":"Component Authenticity","props":[{"name":"label","value":"SA-19"},{"name":"label","value":"SA-19","class":"sp800-53a"},{"name":"sort-id","value":"sa-19"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11","rel":"moved-to"}],"controls":[{"id":"sa-19.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","props":[{"name":"label","value":"SA-19(1)"},{"name":"label","value":"SA-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.1","rel":"moved-to"}]},{"id":"sa-19.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","props":[{"name":"label","value":"SA-19(2)"},{"name":"label","value":"SA-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.2","rel":"moved-to"}]},{"id":"sa-19.3","class":"SP800-53-enhancement","title":"Component Disposal","props":[{"name":"label","value":"SA-19(3)"},{"name":"label","value":"SA-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-12","rel":"moved-to"}]},{"id":"sa-19.4","class":"SP800-53-enhancement","title":"Anti-counterfeit Scanning","props":[{"name":"label","value":"SA-19(4)"},{"name":"label","value":"SA-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"sa-19.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-11.3","rel":"moved-to"}]}]},{"id":"sa-20","class":"SP800-53","title":"Customized Development of Critical Components","params":[{"id":"sa-20_odp","props":[{"name":"alt-identifier","value":"sa-20_prm_1"},{"name":"alt-label","value":"critical system components","class":"sp800-53"},{"name":"label","value":"SA-20_ODP","class":"sp800-53a"}],"label":"critical system","guidelines":[{"prose":"critical system components to be reimplemented or custom-developed are defined;"}]}],"props":[{"name":"label","value":"SA-20"},{"name":"label","value":"SA-20","class":"sp800-53a"},{"name":"sort-id","value":"sa-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-20_smt","name":"statement","prose":"Reimplement or custom develop the following critical system components: {{ insert: param, sa-20_odp }}."},{"id":"sa-20_gdn","name":"guidance","prose":"Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files."},{"id":"sa-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-20","class":"sp800-53a"}],"prose":"{{ insert: param, sa-20_odp }} are reimplemented or custom-developed.","links":[{"href":"#sa-20_smt","rel":"assessment-for"}]},{"id":"sa-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing the customized development of critical system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem development life cycle documentation addressing the custom development of critical system components\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sa-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibility for the reimplementation or customized development of critical system components"}]},{"id":"sa-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the reimplementation or customized development of critical system components\n\nmechanisms supporting and\/or implementing the reimplementation or customized development of critical system components"}]}]},{"id":"sa-21","class":"SP800-53","title":"Developer Screening","params":[{"id":"sa-21_odp.01","props":[{"name":"alt-identifier","value":"sa-21_prm_1"},{"name":"alt-label","value":"system, system component, or system service","class":"sp800-53"},{"name":"label","value":"SA-21_ODP[01]","class":"sp800-53a"}],"label":"system, systems component, or system service","guidelines":[{"prose":"the system, systems component, or system service that the developer has access to is\/are defined;"}]},{"id":"sa-21_odp.02","props":[{"name":"alt-identifier","value":"sa-21_prm_2"},{"name":"label","value":"SA-21_ODP[02]","class":"sp800-53a"}],"label":"official government duties","guidelines":[{"prose":"official government duties assigned to the developer are defined;"}]},{"id":"sa-21_odp.03","props":[{"name":"alt-identifier","value":"sa-21_prm_3"},{"name":"label","value":"SA-21_ODP[03]","class":"sp800-53a"}],"label":"additional personnel screening criteria","guidelines":[{"prose":"additional personnel screening criteria for the developer are defined;"}]}],"props":[{"name":"label","value":"SA-21"},{"name":"label","value":"SA-21","class":"sp800-53a"},{"name":"sort-id","value":"sa-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ps-2","rel":"related"},{"href":"#ps-3","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#ps-7","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"sa-21_smt","name":"statement","prose":"Require that the developer of {{ insert: param, sa-21_odp.01 }}:","parts":[{"id":"sa-21_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Has appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }} ; and"},{"id":"sa-21_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Satisfies the following additional personnel screening criteria: {{ insert: param, sa-21_odp.03 }}."}]},{"id":"sa-21_gdn","name":"guidance","prose":"Developer screening is directed at external developers. Internal developer screening is addressed by [PS-3](#ps-3) . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements."},{"id":"sa-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-21","class":"sp800-53a"}],"parts":[{"id":"sa-21_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-21a.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};","links":[{"href":"#sa-21_smt.a","rel":"assessment-for"}]},{"id":"sa-21_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-21b.","class":"sp800-53a"}],"prose":"the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.","links":[{"href":"#sa-21_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-21_smt","rel":"assessment-for"}]},{"id":"sa-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\npersonnel security policy and procedures\n\nprocedures addressing personnel screening\n\nsystem design documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for developer services\n\nsystem configuration settings and associated documentation\n\nlist of appropriate access authorizations required by the developers of the system\n\npersonnel screening criteria and associated documentation\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel responsible for developer screening"}]},{"id":"sa-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for developer screening\n\nmechanisms supporting developer screening"}]}],"controls":[{"id":"sa-21.1","class":"SP800-53-enhancement","title":"Validation of Screening","props":[{"name":"label","value":"SA-21(1)"},{"name":"label","value":"SA-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-21.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-21","rel":"incorporated-into"}]}]},{"id":"sa-22","class":"SP800-53","title":"Unsupported System Components","params":[{"id":"sa-22_odp.01","props":[{"name":"alt-identifier","value":"sa-22_prm_1"},{"name":"label","value":"SA-22_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["in-house support","{{ insert: param, sa-22_odp.02 }} "]}},{"id":"sa-22_odp.02","props":[{"name":"alt-identifier","value":"sa-22_prm_2"},{"name":"label","value":"SA-22_ODP[02]","class":"sp800-53a"}],"label":"support from external providers","guidelines":[{"prose":"support from external providers is defined (if selected);"}]}],"props":[{"name":"label","value":"SA-22"},{"name":"label","value":"SA-22","class":"sp800-53a"},{"name":"sort-id","value":"sa-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#pl-2","rel":"related"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sa-22_smt","name":"statement","parts":[{"id":"sa-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or"},{"id":"sa-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, sa-22_odp.01 }}."}]},{"id":"sa-22_gdn","name":"guidance","prose":"Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.\n\nAlternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation."},{"id":"sa-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-22","class":"sp800-53a"}],"parts":[{"id":"sa-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SA-22a.","class":"sp800-53a"}],"prose":"system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;","links":[{"href":"#sa-22_smt.a","rel":"assessment-for"}]},{"id":"sa-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SA-22b.","class":"sp800-53a"}],"prose":"{{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.","links":[{"href":"#sa-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sa-22_smt","rel":"assessment-for"}]},{"id":"sa-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing the replacement or continued use of unsupported system components\n\ndocumented evidence of replacing unsupported system components\n\ndocumented approvals (including justification) for the continued use of unsupported system components\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for the system development life cycle\n\norganizational personnel responsible for component replacement"}]},{"id":"sa-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for replacing unsupported system components\n\nmechanisms supporting and\/or implementing the replacement of unsupported system components"}]}],"controls":[{"id":"sa-22.1","class":"SP800-53-enhancement","title":"Alternative Sources for Continued Support","props":[{"name":"label","value":"SA-22(1)"},{"name":"label","value":"SA-22(01)","class":"sp800-53a"},{"name":"sort-id","value":"sa-22.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sa-22","rel":"incorporated-into"}]}]},{"id":"sa-23","class":"SP800-53","title":"Specialization","params":[{"id":"sa-23_odp.01","props":[{"name":"alt-identifier","value":"sa-23_prm_1"},{"name":"label","value":"SA-23_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["design modification","augmentation","reconfiguration"]}},{"id":"sa-23_odp.02","props":[{"name":"alt-identifier","value":"sa-23_prm_2"},{"name":"label","value":"SA-23_ODP[02]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components supporting mission-essential services or functions are defined;"}]}],"props":[{"name":"label","value":"SA-23"},{"name":"label","value":"SA-23","class":"sp800-53a"},{"name":"sort-id","value":"sa-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#ra-9","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sa-23_smt","name":"statement","prose":"Employ {{ insert: param, sa-23_odp.01 }} on {{ insert: param, sa-23_odp.02 }} supporting mission essential services or functions to increase the trustworthiness in those systems or components."},{"id":"sa-23_gdn","name":"guidance","prose":"It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources."},{"id":"sa-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SA-23","class":"sp800-53a"}],"prose":"{{ insert: param, sa-23_odp.01 }} is employed on {{ insert: param, sa-23_odp.02 }} supporting essential services or functions to increase the trustworthiness in those systems or components.","links":[{"href":"#sa-23_smt","rel":"assessment-for"}]},{"id":"sa-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SA-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and services acquisition policy\n\nprocedures addressing design modification, augmentation, or reconfiguration of systems or system components\n\ndocumented evidence of design modification, augmentation, or reconfiguration\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"sa-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SA-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility for security architecture\n\norganizational personnel responsible for configuration management"}]},{"id":"sa-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SA-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the modification of design, augmentation, or reconfiguration of systems or system components\n\nmechanisms supporting and\/or implementing design modification, augmentation, or reconfiguration of systems or system components"}]}]}]},{"id":"sc","class":"family","title":"System and Communications Protection","controls":[{"id":"sc-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sc-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sc-01_odp.01","props":[{"name":"label","value":"SC-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection policy is to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.02","props":[{"name":"label","value":"SC-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and communications protection procedures are to be disseminated is\/are defined;"}]},{"id":"sc-01_odp.03","props":[{"name":"alt-identifier","value":"sc-1_prm_2"},{"name":"label","value":"SC-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business-process-level","system-level"]}},{"id":"sc-01_odp.04","props":[{"name":"alt-identifier","value":"sc-1_prm_3"},{"name":"label","value":"SC-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and communications protection policy and procedures is defined;"}]},{"id":"sc-01_odp.05","props":[{"name":"alt-identifier","value":"sc-1_prm_4"},{"name":"label","value":"SC-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection policy is reviewed and updated is defined;"}]},{"id":"sc-01_odp.06","props":[{"name":"alt-identifier","value":"sc-1_prm_5"},{"name":"label","value":"SC-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and communications protection policy to be reviewed and updated are defined;"}]},{"id":"sc-01_odp.07","props":[{"name":"alt-identifier","value":"sc-1_prm_6"},{"name":"label","value":"SC-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and communications protection procedures are reviewed and updated is defined;"}]},{"id":"sc-01_odp.08","props":[{"name":"alt-identifier","value":"sc-1_prm_7"},{"name":"label","value":"SC-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and communications protection procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SC-1"},{"name":"label","value":"SC-01","class":"sp800-53a"},{"name":"sort-id","value":"sc-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-1_smt","name":"statement","parts":[{"id":"sc-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:","parts":[{"id":"sc-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sc-01_odp.03 }} system and communications protection policy that:","parts":[{"id":"sc-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sc-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sc-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;"}]},{"id":"sc-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and"},{"id":"sc-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and communications protection:","parts":[{"id":"sc-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and"},{"id":"sc-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}."}]}]},{"id":"sc-1_gdn","name":"guidance","prose":"System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sc-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[01]","class":"sp800-53a"}],"prose":"a system and communications protection policy is developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[02]","class":"sp800-53a"}],"prose":"the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[03]","class":"sp800-53a"}],"prose":"system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.[04]","class":"sp800-53a"}],"prose":"the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};","links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;","links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sc-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sc-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.a","rel":"assessment-for"}]},{"id":"sc-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;","links":[{"href":"#sc-1_smt.b","rel":"assessment-for"}]},{"id":"sc-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};","links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.1","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02","class":"sp800-53a"}],"parts":[{"id":"sc-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]},{"id":"sc-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SC-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.","links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-1_smt","rel":"assessment-for"}]},{"id":"sc-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem and communications protection procedures\n\nsystem security plan\n\nprivacy plan\n\nrisk management strategy documentation\n\naudit findings\n\nother relevant documents or records"}]},{"id":"sc-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and communications protection responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"sc-2","class":"SP800-53","title":"Separation of System and User Functionality","props":[{"name":"label","value":"SC-2"},{"name":"label","value":"SC-02","class":"sp800-53a"},{"name":"sort-id","value":"sc-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"}],"parts":[{"id":"sc-2_smt","name":"statement","prose":"Separate user functionality, including user interface services, from system management functionality."},{"id":"sc-2_gdn","name":"guidance","prose":"System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02","class":"sp800-53a"}],"prose":"user functionality, including user interface services, is separated from system management functionality.","links":[{"href":"#sc-2_smt","rel":"assessment-for"}]},{"id":"sc-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}],"controls":[{"id":"sc-2.1","class":"SP800-53-enhancement","title":"Interfaces for Non-privileged Users","props":[{"name":"label","value":"SC-2(1)"},{"name":"label","value":"SC-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-2","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-2.1_smt","name":"statement","prose":"Prevent the presentation of system management functionality at interfaces to non-privileged users."},{"id":"sc-2.1_gdn","name":"guidance","prose":"Preventing the presentation of system management functionality at interfaces to non-privileged users ensures that system administration options, including administrator privileges, are not available to the general user population. Restricting user access also prohibits the use of the grey-out option commonly used to eliminate accessibility to such information. One potential solution is to withhold system administration options until users establish sessions with administrator privileges."},{"id":"sc-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02(01)","class":"sp800-53a"}],"prose":"the presentation of system management functionality is prevented at interfaces to non-privileged users.","links":[{"href":"#sc-2.1_smt","rel":"assessment-for"}]},{"id":"sc-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nnon-privileged users of the system\n\nsystem developer"}]},{"id":"sc-2.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of user functionality from system management functionality"}]}]},{"id":"sc-2.2","class":"SP800-53-enhancement","title":"Disassociability","props":[{"name":"label","value":"SC-2(2)"},{"name":"label","value":"SC-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-2","rel":"required"}],"parts":[{"id":"sc-2.2_smt","name":"statement","prose":"Store state information from applications and software separately."},{"id":"sc-2.2_gdn","name":"guidance","prose":"If a system is compromised, storing applications and software separately from state information about users’ interactions with an application may better protect individuals’ privacy."},{"id":"sc-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-02(02)","class":"sp800-53a"}],"prose":"state information is stored separately from applications and software.","links":[{"href":"#sc-2.2_smt","rel":"assessment-for"}]},{"id":"sc-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing application and software partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"sc-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of application state information from software"}]}]}]},{"id":"sc-3","class":"SP800-53","title":"Security Function Isolation","props":[{"name":"label","value":"SC-3"},{"name":"label","value":"SC-03","class":"sp800-53a"},{"name":"sort-id","value":"sc-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-3_smt","name":"statement","prose":"Isolate security functions from nonsecurity functions."},{"id":"sc-3_gdn","name":"guidance","prose":"Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in [SA-8](#sa-8) , including [SA-8(1)](#sa-8.1), [SA-8(3)](#sa-8.3), [SA-8(4)](#sa-8.4), [SA-8(10)](#sa-8.10), [SA-8(12)](#sa-8.12), [SA-8(13)](#sa-8.13), [SA-8(14)](#sa-8.14) , and [SA-8(18)](#sa-8.18)."},{"id":"sc-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03","class":"sp800-53a"}],"prose":"security functions are isolated from non-security functions.","links":[{"href":"#sc-3_smt","rel":"assessment-for"}]},{"id":"sc-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of security functions to be isolated from non-security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}],"controls":[{"id":"sc-3.1","class":"SP800-53-enhancement","title":"Hardware Separation","props":[{"name":"label","value":"SC-3(1)"},{"name":"label","value":"SC-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.1_smt","name":"statement","prose":"Employ hardware separation mechanisms to implement security function isolation."},{"id":"sc-3.1_gdn","name":"guidance","prose":"Hardware separation mechanisms include hardware ring architectures that are implemented within microprocessors and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable)."},{"id":"sc-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(01)","class":"sp800-53a"}],"prose":"hardware separation mechanisms are employed to implement security function isolation.","links":[{"href":"#sc-3.1_smt","rel":"assessment-for"}]},{"id":"sc-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nhardware separation mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Separation of security functions from non-security functions within the system"}]}]},{"id":"sc-3.2","class":"SP800-53-enhancement","title":"Access and Flow Control Functions","props":[{"name":"label","value":"SC-3(2)"},{"name":"label","value":"SC-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.2_smt","name":"statement","prose":"Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions."},{"id":"sc-3.2_gdn","name":"guidance","prose":"Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow control enforcement functions include auditing, intrusion detection, and malicious code protection functions."},{"id":"sc-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)","class":"sp800-53a"}],"parts":[{"id":"sc-3.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[01]","class":"sp800-53a"}],"prose":"security functions enforcing access control are isolated from non-security functions;","links":[{"href":"#sc-3.2_smt","rel":"assessment-for"}]},{"id":"sc-3.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[02]","class":"sp800-53a"}],"prose":"security functions enforcing access control are isolated from other security functions;","links":[{"href":"#sc-3.2_smt","rel":"assessment-for"}]},{"id":"sc-3.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[03]","class":"sp800-53a"}],"prose":"security functions enforcing information flow control are isolated from non-security functions;","links":[{"href":"#sc-3.2_smt","rel":"assessment-for"}]},{"id":"sc-3.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-03(02)[04]","class":"sp800-53a"}],"prose":"security functions enforcing information flow control are isolated from other security functions.","links":[{"href":"#sc-3.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-3.2_smt","rel":"assessment-for"}]},{"id":"sc-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nlist of critical security functions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records system security plan\n\nother relevant documents or records"}]},{"id":"sc-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Isolation of security functions enforcing access and information flow control"}]}]},{"id":"sc-3.3","class":"SP800-53-enhancement","title":"Minimize Nonsecurity Functionality","props":[{"name":"label","value":"SC-3(3)"},{"name":"label","value":"SC-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.3_smt","name":"statement","prose":"Minimize the number of nonsecurity functions included within the isolation boundary containing security functions."},{"id":"sc-3.3_gdn","name":"guidance","prose":"Where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software can directly impact the security functions of systems. The fundamental design objective is that the specific portions of systems that provide information security are of minimal size and complexity. Minimizing the number of nonsecurity functions in the security-relevant system components allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing the nonsecurity functions within the isolation boundaries, the amount of code that is trusted to enforce security policies is significantly reduced, thus contributing to understandability."},{"id":"sc-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(03)","class":"sp800-53a"}],"prose":"the number of non-security functions included within the isolation boundary containing security functions is minimized.","links":[{"href":"#sc-3.3_smt","rel":"assessment-for"}]},{"id":"sc-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing an isolation boundary"}]}]},{"id":"sc-3.4","class":"SP800-53-enhancement","title":"Module Coupling and Cohesiveness","props":[{"name":"label","value":"SC-3(4)"},{"name":"label","value":"SC-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.4_smt","name":"statement","prose":"Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules."},{"id":"sc-3.4_gdn","name":"guidance","prose":"The reduction of inter-module interactions helps to constrain security functions and manage complexity. The concepts of coupling and cohesion are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesion refers to the relationship between functions within a module. Best practices in software engineering and systems security engineering rely on layering, minimization, and modular decomposition to reduce and manage complexity. This produces software modules that are highly cohesive and loosely coupled."},{"id":"sc-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)","class":"sp800-53a"}],"parts":[{"id":"sc-3.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)[01]","class":"sp800-53a"}],"prose":"security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;","links":[{"href":"#sc-3.4_smt","rel":"assessment-for"}]},{"id":"sc-3.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-03(04)[02]","class":"sp800-53a"}],"prose":"security functions are implemented as largely independent modules that minimize coupling between modules.","links":[{"href":"#sc-3.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-3.4_smt","rel":"assessment-for"}]},{"id":"sc-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for maximizing internal cohesiveness within modules and minimizing coupling between modules\n\nmechanisms supporting and\/or implementing security functions as independent modules"}]}]},{"id":"sc-3.5","class":"SP800-53-enhancement","title":"Layered Structures","props":[{"name":"label","value":"SC-3(5)"},{"name":"label","value":"SC-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-03.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-3","rel":"required"}],"parts":[{"id":"sc-3.5_smt","name":"statement","prose":"Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."},{"id":"sc-3.5_gdn","name":"guidance","prose":"The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity."},{"id":"sc-3.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-03(05)","class":"sp800-53a"}],"prose":"security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.","links":[{"href":"#sc-3.5_smt","rel":"assessment-for"}]},{"id":"sc-3.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-03(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing security function isolation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-3.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-03(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-3.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-03(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing security functions as a layered structure that minimizes interactions between layers and avoids dependence by lower layers on functionality\/correctness of higher layers\n\nmechanisms supporting and\/or implementing security functions as a layered structure"}]}]}]},{"id":"sc-4","class":"SP800-53","title":"Information in Shared System Resources","props":[{"name":"label","value":"SC-4"},{"name":"label","value":"SC-04","class":"sp800-53a"},{"name":"sort-id","value":"sc-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"}],"parts":[{"id":"sc-4_smt","name":"statement","prose":"Prevent unauthorized and unintended information transfer via shared system resources."},{"id":"sc-4_gdn","name":"guidance","prose":"Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles."},{"id":"sc-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04","class":"sp800-53a"}],"parts":[{"id":"sc-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-04[01]","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared system resources is prevented;","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-04[02]","class":"sp800-53a"}],"prose":"unintended information transfer via shared system resources is prevented.","links":[{"href":"#sc-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-4_smt","rel":"assessment-for"}]},{"id":"sc-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized and unintended transfer of information via shared system resources"}]}],"controls":[{"id":"sc-4.1","class":"SP800-53-enhancement","title":"Security Levels","props":[{"name":"label","value":"SC-4(1)"},{"name":"label","value":"SC-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-04.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-4","rel":"incorporated-into"}]},{"id":"sc-4.2","class":"SP800-53-enhancement","title":"Multilevel or Periods Processing","params":[{"id":"sc-04.02_odp","props":[{"name":"alt-identifier","value":"sc-4.2_prm_1"},{"name":"label","value":"SC-04(02)_ODP","class":"sp800-53a"}],"label":"procedures","guidelines":[{"prose":"procedures to prevent unauthorized information transfer via shared resources are defined;"}]}],"props":[{"name":"label","value":"SC-4(2)"},{"name":"label","value":"SC-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-4","rel":"required"}],"parts":[{"id":"sc-4.2_smt","name":"statement","prose":"Prevent unauthorized information transfer via shared resources in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories."},{"id":"sc-4.2_gdn","name":"guidance","prose":"Changes in processing levels can occur during multilevel or periods processing with information at different classification levels or security categories. It can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include approved sanitization processes for electronically stored information."},{"id":"sc-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-04(02)","class":"sp800-53a"}],"prose":"unauthorized information transfer via shared resources is prevented in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories.","links":[{"href":"#sc-4.2_smt","rel":"assessment-for"}]},{"id":"sc-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing information protection in shared system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the unauthorized transfer of information via shared system resources"}]}]}]},{"id":"sc-5","class":"SP800-53","title":"Denial-of-service Protection","params":[{"id":"sc-05_odp.01","props":[{"name":"alt-identifier","value":"sc-5_prm_2"},{"name":"label","value":"SC-05_ODP[01]","class":"sp800-53a"}],"label":"types of denial-of-service events","guidelines":[{"prose":"types of denial-of-service events to be protected against or limited are defined;"}]},{"id":"sc-05_odp.02","props":[{"name":"alt-identifier","value":"sc-5_prm_1"},{"name":"label","value":"SC-05_ODP[02]","class":"sp800-53a"}],"select":{"choice":["protect against","limit"]}},{"id":"sc-05_odp.03","props":[{"name":"alt-identifier","value":"sc-5_prm_3"},{"name":"label","value":"SC-05_ODP[03]","class":"sp800-53a"}],"label":"controls by type of denial-of-service event","guidelines":[{"prose":"controls to achieve the denial-of-service objective by type of denial-of-service event are defined;"}]}],"props":[{"name":"label","value":"SC-5"},{"name":"label","value":"SC-05","class":"sp800-53a"},{"name":"sort-id","value":"sc-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#sc-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-40","rel":"related"}],"parts":[{"id":"sc-5_smt","name":"statement","parts":[{"id":"sc-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"{{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and"},{"id":"sc-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}."}]},{"id":"sc-5_gdn","name":"guidance","prose":"Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events."},{"id":"sc-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05","class":"sp800-53a"}],"parts":[{"id":"sc-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05a.","class":"sp800-53a"}],"prose":"the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};","links":[{"href":"#sc-5_smt.a","rel":"assessment-for"}]},{"id":"sc-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.","links":[{"href":"#sc-5_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-5_smt","rel":"assessment-for"}]},{"id":"sc-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks\n\nlist of security safeguards protecting against or limiting the effects of denial-of-service attacks\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms protecting against or limiting the effects of denial-of-service attacks"}]}],"controls":[{"id":"sc-5.1","class":"SP800-53-enhancement","title":"Restrict Ability to Attack Other Systems","params":[{"id":"sc-05.01_odp","props":[{"name":"alt-identifier","value":"sc-5.1_prm_1"},{"name":"label","value":"SC-05(01)_ODP","class":"sp800-53a"}],"label":"denial-of-service attacks","guidelines":[{"prose":"denial-of-service attacks for which to restrict the ability of individuals to launch are defined;"}]}],"props":[{"name":"label","value":"SC-5(1)"},{"name":"label","value":"SC-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"}],"parts":[{"id":"sc-5.1_smt","name":"statement","prose":"Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: {{ insert: param, sc-05.01_odp }}."},{"id":"sc-5.1_gdn","name":"guidance","prose":"Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems."},{"id":"sc-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(01)","class":"sp800-53a"}],"prose":"the ability of individuals to launch {{ insert: param, sc-05.01_odp }} against other systems is restricted.","links":[{"href":"#sc-5.1_smt","rel":"assessment-for"}]},{"id":"sc-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nlist of denial-of-service attacks launched by individuals against systems\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms restricting the ability to launch denial-of-service attacks against other systems"}]}]},{"id":"sc-5.2","class":"SP800-53-enhancement","title":"Capacity, Bandwidth, and Redundancy","props":[{"name":"label","value":"SC-5(2)"},{"name":"label","value":"SC-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"}],"parts":[{"id":"sc-5.2_smt","name":"statement","prose":"Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks."},{"id":"sc-5.2_gdn","name":"guidance","prose":"Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes establishing selected usage priorities, quotas, partitioning, or load balancing."},{"id":"sc-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(02)","class":"sp800-53a"}],"prose":"capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.","links":[{"href":"#sc-5.2_smt","rel":"assessment-for"}]},{"id":"sc-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities\n\nsystem developer"}]},{"id":"sc-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing the management of system bandwidth, capacity, and redundancy to limit the effects of information flooding denial-of-service attacks"}]}]},{"id":"sc-5.3","class":"SP800-53-enhancement","title":"Detection and Monitoring","params":[{"id":"sc-05.03_odp.01","props":[{"name":"alt-identifier","value":"sc-5.3_prm_1"},{"name":"label","value":"SC-05(03)_ODP[01]","class":"sp800-53a"}],"label":"monitoring tools","guidelines":[{"prose":"monitoring tools for detecting indicators of denial-of-service attacks are defined;"}]},{"id":"sc-05.03_odp.02","props":[{"name":"alt-identifier","value":"sc-5.3_prm_2"},{"name":"label","value":"SC-05(03)_ODP[02]","class":"sp800-53a"}],"label":"system resources","guidelines":[{"prose":"system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined;"}]}],"props":[{"name":"label","value":"SC-5(3)"},{"name":"label","value":"SC-05(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-05.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-5","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-5.3_smt","name":"statement","parts":[{"id":"sc-5.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: {{ insert: param, sc-05.03_odp.01 }} ; and"},{"id":"sc-5.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: {{ insert: param, sc-05.03_odp.02 }}."}]},{"id":"sc-5.3_gdn","name":"guidance","prose":"Organizations consider the utilization and capacity of system resources when managing risk associated with a denial of service due to malicious attacks. Denial-of-service attacks can originate from external or internal sources. System resources that are sensitive to denial of service include physical disk storage, memory, and CPU cycles. Techniques used to prevent denial-of-service attacks related to storage utilization and capacity include instituting disk quotas, configuring systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data."},{"id":"sc-5.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)","class":"sp800-53a"}],"parts":[{"id":"sc-5.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05.03_odp.01 }} are employed to detect indicators of denial-of-service attacks against or launched from the system;","links":[{"href":"#sc-5.3_smt.a","rel":"assessment-for"}]},{"id":"sc-5.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-05(03)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-05.03_odp.02 }} are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.","links":[{"href":"#sc-5.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-5.3_smt","rel":"assessment-for"}]},{"id":"sc-5.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-05(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing denial-of-service protection\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-5.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-05(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with detection and monitoring responsibilities"}]},{"id":"sc-5.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-05(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms\/tools implementing system monitoring for denial-of-service attacks"}]}]}]},{"id":"sc-6","class":"SP800-53","title":"Resource Availability","params":[{"id":"sc-06_odp.01","props":[{"name":"alt-identifier","value":"sc-6_prm_1"},{"name":"label","value":"SC-06_ODP[01]","class":"sp800-53a"}],"label":"resources","guidelines":[{"prose":"resources to be allocated to protect the availability of resources are defined;"}]},{"id":"sc-06_odp.02","props":[{"name":"alt-identifier","value":"sc-6_prm_2"},{"name":"label","value":"SC-06_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["priority","quota","{{ insert: param, sc-06_odp.03 }} "]}},{"id":"sc-06_odp.03","props":[{"name":"alt-identifier","value":"sc-6_prm_3"},{"name":"label","value":"SC-06_ODP[03]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to protect the availability of resources are defined (if selected);"}]}],"props":[{"name":"label","value":"SC-6"},{"name":"label","value":"SC-06","class":"sp800-53a"},{"name":"sort-id","value":"sc-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#047b041a-b4b0-4537-ab2d-2b36283eeda0","rel":"reference"},{"href":"#4f42ee6e-86cc-403b-a51f-76c2b4f81b54","rel":"reference"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"sc-6_smt","name":"statement","prose":"Protect the availability of resources by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}."},{"id":"sc-6_gdn","name":"guidance","prose":"Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources."},{"id":"sc-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-06","class":"sp800-53a"}],"prose":"the availability of resources is protected by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}.","links":[{"href":"#sc-6_smt","rel":"assessment-for"}]},{"id":"sc-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing prioritization of system resources\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a resource allocation capability\n\nsafeguards employed to protect availability of resources"}]}]},{"id":"sc-7","class":"SP800-53","title":"Boundary Protection","params":[{"id":"sc-07_odp","props":[{"name":"alt-identifier","value":"sc-7_prm_1"},{"name":"label","value":"SC-07_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-7"},{"name":"label","value":"SC-07","class":"sp800-53a"},{"name":"sort-id","value":"sc-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","rel":"reference"},{"href":"#a7f0e897-29a3-45c4-bd88-40dfef0e034a","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ac-20","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-10","rel":"related"},{"href":"#cp-8","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-17","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-32","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-43","rel":"related"}],"parts":[{"id":"sc-7_smt","name":"statement","parts":[{"id":"sc-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;"},{"id":"sc-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and"},{"id":"sc-7_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."}]},{"id":"sc-7_gdn","name":"guidance","prose":"Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary)."},{"id":"sc-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.","class":"sp800-53a"}],"parts":[{"id":"sc-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[01]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[02]","class":"sp800-53a"}],"prose":"communications at external managed interfaces to the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[03]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are monitored;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-07a.[04]","class":"sp800-53a"}],"prose":"communications at key internal managed interfaces within the system are controlled;","links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt.a","rel":"assessment-for"}]},{"id":"sc-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07b.","class":"sp800-53a"}],"prose":"subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;","links":[{"href":"#sc-7_smt.b","rel":"assessment-for"}]},{"id":"sc-7_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07c.","class":"sp800-53a"}],"prose":"external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.","links":[{"href":"#sc-7_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7_smt","rel":"assessment-for"}]},{"id":"sc-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nenterprise security architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}],"controls":[{"id":"sc-7.1","class":"SP800-53-enhancement","title":"Physically Separated Subnetworks","props":[{"name":"label","value":"SC-7(1)"},{"name":"label","value":"SC-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-7.2","class":"SP800-53-enhancement","title":"Public Access","props":[{"name":"label","value":"SC-7(2)"},{"name":"label","value":"SC-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-7.3","class":"SP800-53-enhancement","title":"Access Points","props":[{"name":"label","value":"SC-7(3)"},{"name":"label","value":"SC-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.3_smt","name":"statement","prose":"Limit the number of external network connections to the system."},{"id":"sc-7.3_gdn","name":"guidance","prose":"Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system."},{"id":"sc-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(03)","class":"sp800-53a"}],"prose":"the number of external network connections to the system is limited.","links":[{"href":"#sc-7.3_smt","rel":"assessment-for"}]},{"id":"sc-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\ncommunications and network traffic monitoring logs\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms limiting the number of external network connections to the system"}]}]},{"id":"sc-7.4","class":"SP800-53-enhancement","title":"External Telecommunications Services","params":[{"id":"sc-07.04_odp","props":[{"name":"alt-identifier","value":"sc-7.4_prm_1"},{"name":"label","value":"SC-07(04)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review exceptions to traffic flow policy is defined;"}]}],"props":[{"name":"label","value":"SC-7(4)"},{"name":"label","value":"SC-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-7.4_smt","name":"statement","parts":[{"id":"sc-7.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Implement a managed interface for each external telecommunication service;"},{"id":"sc-7.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish a traffic flow policy for each managed interface;"},{"id":"sc-7.4_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Protect the confidentiality and integrity of the information being transmitted across each interface;"},{"id":"sc-7.4_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;"},{"id":"sc-7.4_smt.e","name":"item","props":[{"name":"label","value":"(e)"}],"prose":"Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;"},{"id":"sc-7.4_smt.f","name":"item","props":[{"name":"label","value":"(f)"}],"prose":"Prevent unauthorized exchange of control plane traffic with external networks;"},{"id":"sc-7.4_smt.g","name":"item","props":[{"name":"label","value":"(g)"}],"prose":"Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and"},{"id":"sc-7.4_smt.h","name":"item","props":[{"name":"label","value":"(h)"}],"prose":"Filter unauthorized control plane traffic from external networks."}]},{"id":"sc-7.4_gdn","name":"guidance","prose":"External telecommunications services can provide data and\/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements."},{"id":"sc-7.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(a)","class":"sp800-53a"}],"prose":"a managed interface is implemented for each external telecommunication service;","links":[{"href":"#sc-7.4_smt.a","rel":"assessment-for"}]},{"id":"sc-7.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(b)","class":"sp800-53a"}],"prose":"a traffic flow policy is established for each managed interface;","links":[{"href":"#sc-7.4_smt.b","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[01]","class":"sp800-53a"}],"prose":"the confidentiality of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(c)[02]","class":"sp800-53a"}],"prose":"the integrity of the information being transmitted across each interface is protected;","links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.c","rel":"assessment-for"}]},{"id":"sc-7.4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(d)","class":"sp800-53a"}],"prose":"each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;","links":[{"href":"#sc-7.4_smt.d","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)","class":"sp800-53a"}],"parts":[{"id":"sc-7.4_obj.e-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[01]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.e-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(e)[02]","class":"sp800-53a"}],"prose":"exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;","links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt.e","rel":"assessment-for"}]},{"id":"sc-7.4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(f)","class":"sp800-53a"}],"prose":"unauthorized exchanges of control plan traffic with external networks are prevented;","links":[{"href":"#sc-7.4_smt.f","rel":"assessment-for"}]},{"id":"sc-7.4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(g)","class":"sp800-53a"}],"prose":"information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;","links":[{"href":"#sc-7.4_smt.g","rel":"assessment-for"}]},{"id":"sc-7.4_obj.h","name":"assessment-objective","props":[{"name":"label","value":"SC-07(04)(h)","class":"sp800-53a"}],"prose":"unauthorized control plane traffic is filtered from external networks.","links":[{"href":"#sc-7.4_smt.h","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.4_smt","rel":"assessment-for"}]},{"id":"sc-7.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ntraffic flow policy\n\ninformation flow control policy\n\nprocedures addressing boundary protection\n\nsystem security architecture\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem architecture and configuration documentation\n\nsystem configuration settings and associated documentation\n\nrecords of traffic flow policy exceptions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for documenting and reviewing exceptions to the traffic flow policy\n\norganizational processes for removing exceptions to the traffic flow policy\n\nmechanisms implementing boundary protection capabilities\n\nmanaged interfaces implementing traffic flow policy"}]}]},{"id":"sc-7.5","class":"SP800-53-enhancement","title":"Deny by Default — Allow by Exception","params":[{"id":"sc-07.05_odp.01","props":[{"name":"alt-identifier","value":"sc-7.5_prm_1"},{"name":"label","value":"SC-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at managed interfaces","for {{ insert: param, sc-07.05_odp.02 }} "]}},{"id":"sc-07.05_odp.02","props":[{"name":"alt-identifier","value":"sc-7.5_prm_2"},{"name":"label","value":"SC-07(05)_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected)."}]}],"props":[{"name":"label","value":"SC-7(5)"},{"name":"label","value":"SC-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.5_smt","name":"statement","prose":"Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}."},{"id":"sc-7.5_gdn","name":"guidance","prose":"Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system."},{"id":"sc-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)","class":"sp800-53a"}],"parts":[{"id":"sc-7.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[01]","class":"sp800-53a"}],"prose":"network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(05)[02]","class":"sp800-53a"}],"prose":"network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.","links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.5_smt","rel":"assessment-for"}]},{"id":"sc-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management at managed interfaces"}]}]},{"id":"sc-7.6","class":"SP800-53-enhancement","title":"Response to Recognized Failures","props":[{"name":"label","value":"SC-7(6)"},{"name":"label","value":"SC-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7.18","rel":"incorporated-into"}]},{"id":"sc-7.7","class":"SP800-53-enhancement","title":"Split Tunneling for Remote Devices","params":[{"id":"sc-07.07_odp","props":[{"name":"alt-identifier","value":"sc-7.7_prm_1"},{"name":"label","value":"SC-07(07)_ODP","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards to securely provision split tunneling are defined;"}]}],"props":[{"name":"label","value":"SC-7(7)"},{"name":"label","value":"SC-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.7_smt","name":"statement","prose":"Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."},{"id":"sc-7.7_gdn","name":"guidance","prose":"Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control."},{"id":"sc-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(07)","class":"sp800-53a"}],"prose":"split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.","links":[{"href":"#sc-7.7_smt","rel":"assessment-for"}]},{"id":"sc-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms supporting\/restricting non-remote connections"}]}]},{"id":"sc-7.8","class":"SP800-53-enhancement","title":"Route Traffic to Authenticated Proxy Servers","params":[{"id":"sc-07.08_odp.01","props":[{"name":"alt-identifier","value":"sc-7.8_prm_1"},{"name":"label","value":"SC-07(08)_ODP[01]","class":"sp800-53a"}],"label":"internal communications traffic","guidelines":[{"prose":"internal communications traffic to be routed to external networks is defined;"}]},{"id":"sc-07.08_odp.02","props":[{"name":"alt-identifier","value":"sc-7.8_prm_2"},{"name":"label","value":"SC-07(08)_ODP[02]","class":"sp800-53a"}],"label":"external networks","guidelines":[{"prose":"external networks to which internal communications traffic is to be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(8)"},{"name":"label","value":"SC-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.8_smt","name":"statement","prose":"Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."},{"id":"sc-7.8_gdn","name":"guidance","prose":"External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for \"man-in-the-middle\" attacks (depending on the implementation)."},{"id":"sc-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(08)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.","links":[{"href":"#sc-7.8_smt","rel":"assessment-for"}]},{"id":"sc-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing traffic management through authenticated proxy servers at managed interfaces"}]}]},{"id":"sc-7.9","class":"SP800-53-enhancement","title":"Restrict Threatening Outgoing Communications Traffic","props":[{"name":"label","value":"SC-7(9)"},{"name":"label","value":"SC-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-7.9_smt","name":"statement","parts":[{"id":"sc-7.9_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect and deny outgoing communications traffic posing a threat to external systems; and"},{"id":"sc-7.9_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Audit the identity of internal users associated with denied communications."}]},{"id":"sc-7.9_gdn","name":"guidance","prose":"Detecting outgoing communications traffic from internal actions that may pose threats to external systems is known as extrusion detection. Extrusion detection is carried out within the system at managed interfaces. Extrusion detection includes the analysis of incoming and outgoing communications traffic while searching for indications of internal threats to the security of external systems. Internal threats to external systems include traffic indicative of denial-of-service attacks, traffic with spoofed source addresses, and traffic that contains malicious code. Organizations have criteria to determine, update, and manage identified threats related to extrusion detection."},{"id":"sc-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)","class":"sp800-53a"}],"parts":[{"id":"sc-7.9_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)","class":"sp800-53a"}],"parts":[{"id":"sc-7.9_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)[01]","class":"sp800-53a"}],"prose":"outgoing communications traffic posing a threat to external systems is detected;","links":[{"href":"#sc-7.9_smt.a","rel":"assessment-for"}]},{"id":"sc-7.9_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(a)[02]","class":"sp800-53a"}],"prose":"outgoing communications traffic posing a threat to external systems is denied;","links":[{"href":"#sc-7.9_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.9_smt.a","rel":"assessment-for"}]},{"id":"sc-7.9_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(09)(b)","class":"sp800-53a"}],"prose":"the identity of internal users associated with denied communications is audited.","links":[{"href":"#sc-7.9_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.9_smt","rel":"assessment-for"}]},{"id":"sc-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities\n\nmechanisms implementing the detection and denial of threatening outgoing communications traffic\n\nmechanisms implementing auditing of outgoing communications traffic"}]}]},{"id":"sc-7.10","class":"SP800-53-enhancement","title":"Prevent Exfiltration","params":[{"id":"sc-07.10_odp","props":[{"name":"alt-identifier","value":"sc-7.10_prm_1"},{"name":"label","value":"SC-07(10)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency for conducting exfiltration tests is defined;"}]}],"props":[{"name":"label","value":"SC-7(10)"},{"name":"label","value":"SC-07(10)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ca-8","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-7.10_smt","name":"statement","parts":[{"id":"sc-7.10_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Prevent the exfiltration of information; and"},{"id":"sc-7.10_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}."}]},{"id":"sc-7.10_gdn","name":"guidance","prose":"Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call backs to command and control centers, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools. Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers. The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements."},{"id":"sc-7.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)","class":"sp800-53a"}],"parts":[{"id":"sc-7.10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)(a)","class":"sp800-53a"}],"prose":"the exfiltration of information is prevented;","links":[{"href":"#sc-7.10_smt.a","rel":"assessment-for"}]},{"id":"sc-7.10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(10)(b)","class":"sp800-53a"}],"prose":"exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}.","links":[{"href":"#sc-7.10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.10_smt","rel":"assessment-for"}]},{"id":"sc-7.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities that prevent the unauthorized exfiltration of information across managed interfaces"}]}]},{"id":"sc-7.11","class":"SP800-53-enhancement","title":"Restrict Incoming Communications Traffic","params":[{"id":"sc-07.11_odp.01","props":[{"name":"alt-identifier","value":"sc-7.11_prm_1"},{"name":"label","value":"SC-07(11)_ODP[01]","class":"sp800-53a"}],"label":"authorized sources","guidelines":[{"prose":"authorized sources of incoming communications to be routed are defined;"}]},{"id":"sc-07.11_odp.02","props":[{"name":"alt-identifier","value":"sc-7.11_prm_2"},{"name":"label","value":"SC-07(11)_ODP[02]","class":"sp800-53a"}],"label":"authorized destinations","guidelines":[{"prose":"authorized destinations to which incoming communications from authorized sources may be routed are defined;"}]}],"props":[{"name":"label","value":"SC-7(11)"},{"name":"label","value":"SC-07(11)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-3","rel":"related"}],"parts":[{"id":"sc-7.11_smt","name":"statement","prose":"Only allow incoming communications from {{ insert: param, sc-07.11_odp.01 }} to be routed to {{ insert: param, sc-07.11_odp.02 }}."},{"id":"sc-7.11_gdn","name":"guidance","prose":"General source address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs. Strong authentication of network addresses is not possible without the use of explicit security protocols, and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules."},{"id":"sc-7.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(11)","class":"sp800-53a"}],"prose":"only incoming communications from {{ insert: param, sc-07.11_odp.01 }} are allowed to be routed to {{ insert: param, sc-07.11_odp.02 }}.","links":[{"href":"#sc-7.11_smt","rel":"assessment-for"}]},{"id":"sc-7.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities with respect to source\/destination address pairs"}]}]},{"id":"sc-7.12","class":"SP800-53-enhancement","title":"Host-based Protection","params":[{"id":"sc-07.12_odp.01","props":[{"name":"alt-identifier","value":"sc-7.12_prm_1"},{"name":"label","value":"SC-07(12)_ODP[01]","class":"sp800-53a"}],"label":"host-based boundary protection mechanisms","guidelines":[{"prose":"host-based boundary protection mechanisms to be implemented are defined;"}]},{"id":"sc-07.12_odp.02","props":[{"name":"alt-identifier","value":"sc-7.12_prm_2"},{"name":"label","value":"SC-07(12)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where host-based boundary protection mechanisms are to be implemented are defined;"}]}],"props":[{"name":"label","value":"SC-7(12)"},{"name":"label","value":"SC-07(12)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.12_smt","name":"statement","prose":"Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}."},{"id":"sc-7.12_gdn","name":"guidance","prose":"Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices."},{"id":"sc-7.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(12)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.","links":[{"href":"#sc-7.12_smt","rel":"assessment-for"}]},{"id":"sc-7.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nboundary protection hardware and software\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities\n\nsystem users"}]},{"id":"sc-7.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing host-based boundary protection capabilities"}]}]},{"id":"sc-7.13","class":"SP800-53-enhancement","title":"Isolation of Security Tools, Mechanisms, and Support Components","params":[{"id":"sc-07.13_odp","props":[{"name":"alt-identifier","value":"sc-7.13_prm_1"},{"name":"label","value":"SC-07(13)_ODP","class":"sp800-53a"}],"label":"information security tools, mechanisms, and support components","guidelines":[{"prose":"information security tools, mechanisms, and support components to be isolated from other internal system components are defined;"}]}],"props":[{"name":"label","value":"SC-7(13)"},{"name":"label","value":"SC-07(13)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"}],"parts":[{"id":"sc-7.13_smt","name":"statement","prose":"Isolate {{ insert: param, sc-07.13_odp }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system."},{"id":"sc-7.13_gdn","name":"guidance","prose":"Physically separate subnetworks with managed interfaces are useful in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations."},{"id":"sc-7.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(13)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.13_odp }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.","links":[{"href":"#sc-7.13_smt","rel":"assessment-for"}]},{"id":"sc-7.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of security tools and support components to be isolated from other internal system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the isolation of information security tools, mechanisms, and support components"}]}]},{"id":"sc-7.14","class":"SP800-53-enhancement","title":"Protect Against Unauthorized Physical Connections","params":[{"id":"sc-07.14_odp","props":[{"name":"alt-identifier","value":"sc-7.14_prm_1"},{"name":"label","value":"SC-07(14)_ODP","class":"sp800-53a"}],"label":"managed interfaces","guidelines":[{"prose":"managed interfaces to be protected against unauthorized physical connections are defined;"}]}],"props":[{"name":"label","value":"SC-7(14)"},{"name":"label","value":"SC-07(14)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pe-4","rel":"related"},{"href":"#pe-19","rel":"related"}],"parts":[{"id":"sc-7.14_smt","name":"statement","prose":"Protect against unauthorized physical connections at {{ insert: param, sc-07.14_odp }}."},{"id":"sc-7.14_gdn","name":"guidance","prose":"Systems that operate at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within the same facilities. In practice, it is possible that these separate systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved by using clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls that enforce limited authorized access to these items."},{"id":"sc-7.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(14)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.14_odp }} are protected against unauthorized physical connections.","links":[{"href":"#sc-7.14_smt","rel":"assessment-for"}]},{"id":"sc-7.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nfacility communications and wiring diagram system security plan\n\nother relevant documents or records"}]},{"id":"sc-7.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing protection against unauthorized physical connections"}]}]},{"id":"sc-7.15","class":"SP800-53-enhancement","title":"Networked Privileged Accesses","props":[{"name":"label","value":"SC-7(15)"},{"name":"label","value":"SC-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-7.15_smt","name":"statement","prose":"Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing."},{"id":"sc-7.15_gdn","name":"guidance","prose":"Privileged access provides greater accessibility to system functions, including security functions. Adversaries attempt to gain privileged access to systems through remote access to cause adverse mission or business impacts, such as by exfiltrating information or bringing down a critical system capability. Routing networked, privileged access requests through a dedicated, managed interface further restricts privileged access for increased access control and auditing."},{"id":"sc-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)","class":"sp800-53a"}],"parts":[{"id":"sc-7.15_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)[01]","class":"sp800-53a"}],"prose":"networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;","links":[{"href":"#sc-7.15_smt","rel":"assessment-for"}]},{"id":"sc-7.15_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(15)[02]","class":"sp800-53a"}],"prose":"networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.","links":[{"href":"#sc-7.15_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.15_smt","rel":"assessment-for"}]},{"id":"sc-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\naudit logs\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the routing of networked, privileged access through dedicated, managed interfaces"}]}]},{"id":"sc-7.16","class":"SP800-53-enhancement","title":"Prevent Discovery of System Components","props":[{"name":"label","value":"SC-7(16)"},{"name":"label","value":"SC-07(16)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.16_smt","name":"statement","prose":"Prevent the discovery of specific system components that represent a managed interface."},{"id":"sc-7.16_gdn","name":"guidance","prose":"Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems. Another prevention technique is to periodically change network addresses."},{"id":"sc-7.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(16)","class":"sp800-53a"}],"prose":"the discovery of specific system components that represent a managed interface is prevented.","links":[{"href":"#sc-7.16_smt","rel":"assessment-for"}]},{"id":"sc-7.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the prevention of discovery of system components at managed interfaces"}]}]},{"id":"sc-7.17","class":"SP800-53-enhancement","title":"Automated Enforcement of Protocol Formats","props":[{"name":"label","value":"SC-7(17)"},{"name":"label","value":"SC-07(17)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#sc-4","rel":"related"}],"parts":[{"id":"sc-7.17_smt","name":"statement","prose":"Enforce adherence to protocol formats."},{"id":"sc-7.17_gdn","name":"guidance","prose":"System components that enforce protocol formats include deep packet inspection firewalls and XML gateways. The components verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers."},{"id":"sc-7.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(17)","class":"sp800-53a"}],"prose":"adherence to protocol formats is enforced.","links":[{"href":"#sc-7.17_smt","rel":"assessment-for"}]},{"id":"sc-7.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the enforcement of adherence to protocol formats"}]}]},{"id":"sc-7.18","class":"SP800-53-enhancement","title":"Fail Secure","props":[{"name":"label","value":"SC-7(18)"},{"name":"label","value":"SC-07(18)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#cp-2","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-7.18_smt","name":"statement","prose":"Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device."},{"id":"sc-7.18_gdn","name":"guidance","prose":"Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases."},{"id":"sc-7.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(18)","class":"sp800-53a"}],"prose":"systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.","links":[{"href":"#sc-7.18_smt","rel":"assessment-for"}]},{"id":"sc-7.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure failure"}]}]},{"id":"sc-7.19","class":"SP800-53-enhancement","title":"Block Communication from Non-organizationally Configured Hosts","params":[{"id":"sc-07.19_odp","props":[{"name":"alt-identifier","value":"sc-7.19_prm_1"},{"name":"label","value":"SC-07(19)_ODP","class":"sp800-53a"}],"label":"communication clients","guidelines":[{"prose":"communication clients that are independently configured by end users and external service providers are defined;"}]}],"props":[{"name":"label","value":"SC-7(19)"},{"name":"label","value":"SC-07(19)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.19_smt","name":"statement","prose":"Block inbound and outbound communications traffic between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers."},{"id":"sc-7.19_gdn","name":"guidance","prose":"Communication clients independently configured by end users and external service providers include instant messaging clients and video conferencing software and applications. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions."},{"id":"sc-7.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)","class":"sp800-53a"}],"parts":[{"id":"sc-7.19_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers;","links":[{"href":"#sc-7.19_smt","rel":"assessment-for"}]},{"id":"sc-7.19_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(19)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers.","links":[{"href":"#sc-7.19_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.19_smt","rel":"assessment-for"}]},{"id":"sc-7.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of communication clients independently configured by end users and external service providers\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the blocking of inbound and outbound communications traffic between communication clients independently configured by end users and external service providers"}]}]},{"id":"sc-7.20","class":"SP800-53-enhancement","title":"Dynamic Isolation and Segregation","params":[{"id":"sc-07.20_odp","props":[{"name":"alt-identifier","value":"sc-7.20_prm_1"},{"name":"label","value":"SC-07(20)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be dynamically isolated from other system components are defined;"}]}],"props":[{"name":"label","value":"SC-7(20)"},{"name":"label","value":"SC-07(20)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.20_smt","name":"statement","prose":"Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components."},{"id":"sc-7.20_gdn","name":"guidance","prose":"The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur."},{"id":"sc-7.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(20)","class":"sp800-53a"}],"prose":"the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided.","links":[{"href":"#sc-7.20_smt","rel":"assessment-for"}]},{"id":"sc-7.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of system components to be dynamically isolated\/segregated from other components of the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to dynamically isolate\/segregate system components"}]}]},{"id":"sc-7.21","class":"SP800-53-enhancement","title":"Isolation of System Components","params":[{"id":"sc-07.21_odp.01","props":[{"name":"alt-identifier","value":"sc-7.21_prm_1"},{"name":"label","value":"SC-07(21)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be isolated by boundary protection mechanisms are defined;"}]},{"id":"sc-07.21_odp.02","props":[{"name":"alt-identifier","value":"sc-7.21_prm_2"},{"name":"label","value":"SC-07(21)_ODP[02]","class":"sp800-53a"}],"label":"missions and\/or business functions","guidelines":[{"prose":"missions and\/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-7(21)"},{"name":"label","value":"SC-07(21)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#ca-9","rel":"related"}],"parts":[{"id":"sc-7.21_smt","name":"statement","prose":"Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."},{"id":"sc-7.21_gdn","name":"guidance","prose":"Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys."},{"id":"sc-7.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(21)","class":"sp800-53a"}],"prose":"boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.","links":[{"href":"#sc-7.21_smt","rel":"assessment-for"}]},{"id":"sc-7.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nenterprise architecture documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to separate system components supporting organizational missions and\/or business functions"}]}]},{"id":"sc-7.22","class":"SP800-53-enhancement","title":"Separate Subnets for Connecting to Different Security Domains","props":[{"name":"label","value":"SC-7(22)"},{"name":"label","value":"SC-07(22)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.22_smt","name":"statement","prose":"Implement separate network addresses to connect to systems in different security domains."},{"id":"sc-7.22_gdn","name":"guidance","prose":"The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels."},{"id":"sc-7.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(22)","class":"sp800-53a"}],"prose":"separate network addresses are implemented to connect to systems in different security domains.","links":[{"href":"#sc-7.22_smt","rel":"assessment-for"}]},{"id":"sc-7.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate network addresses\/different subnets"}]}]},{"id":"sc-7.23","class":"SP800-53-enhancement","title":"Disable Sender Feedback on Protocol Validation Failure","props":[{"name":"label","value":"SC-7(23)"},{"name":"label","value":"SC-07(23)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.23_smt","name":"statement","prose":"Disable feedback to senders on protocol format validation failure."},{"id":"sc-7.23_gdn","name":"guidance","prose":"Disabling feedback to senders when there is a failure in protocol validation format prevents adversaries from obtaining information that would otherwise be unavailable."},{"id":"sc-7.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(23)","class":"sp800-53a"}],"prose":"feedback to senders is disabled on protocol format validation failure.","links":[{"href":"#sc-7.23_smt","rel":"assessment-for"}]},{"id":"sc-7.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the disabling of feedback to senders on protocol format validation failure"}]}]},{"id":"sc-7.24","class":"SP800-53-enhancement","title":"Personally Identifiable Information","params":[{"id":"sc-07.24_odp","props":[{"name":"alt-identifier","value":"sc-7.24_prm_1"},{"name":"label","value":"SC-07(24)_ODP","class":"sp800-53a"}],"label":"processing rules","guidelines":[{"prose":"processing rules for systems that process personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-7(24)"},{"name":"label","value":"SC-07(24)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"},{"href":"#pt-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"sc-7.24_smt","name":"statement","prose":"For systems that process personally identifiable information:","parts":[{"id":"sc-7.24_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};"},{"id":"sc-7.24_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;"},{"id":"sc-7.24_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Document each processing exception; and"},{"id":"sc-7.24_smt.d","name":"item","props":[{"name":"label","value":"(d)"}],"prose":"Review and remove exceptions that are no longer supported."}]},{"id":"sc-7.24_gdn","name":"guidance","prose":"Managing the processing of personally identifiable information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to processing rules ensure that personally identifiable information is processed only in accordance with established privacy requirements."},{"id":"sc-7.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.a","rel":"assessment-for"}]},{"id":"sc-7.24_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[01]","class":"sp800-53a"}],"prose":"permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]},{"id":"sc-7.24_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(b)[02]","class":"sp800-53a"}],"prose":"permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt.b","rel":"assessment-for"}]},{"id":"sc-7.24_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(c)","class":"sp800-53a"}],"prose":"each processing exception is documented for systems that process personally identifiable information;","links":[{"href":"#sc-7.24_smt.c","rel":"assessment-for"}]},{"id":"sc-7.24_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)","class":"sp800-53a"}],"parts":[{"id":"sc-7.24_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[01]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information are reviewed;","links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]},{"id":"sc-7.24_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SC-07(24)(d)[02]","class":"sp800-53a"}],"prose":"exceptions for systems that process personally identifiable information that are no longer supported are removed.","links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#sc-7.24_smt","rel":"assessment-for"}]},{"id":"sc-7.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\npersonally identifiable information processing policies\n\nlist of key internal boundaries of the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nenterprise security and privacy architecture documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information inventory documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"sc-7.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing boundary protection capabilities"}]}]},{"id":"sc-7.25","class":"SP800-53-enhancement","title":"Unclassified National Security System Connections","params":[{"id":"sc-07.25_odp.01","props":[{"name":"alt-identifier","value":"sc-7.25_prm_1"},{"name":"label","value":"SC-07(25)_ODP[01]","class":"sp800-53a"}],"label":"unclassified national security system","guidelines":[{"prose":"the unclassified national security system prohibited from directly connecting to an external network is defined;"}]},{"id":"sc-07.25_odp.02","props":[{"name":"alt-identifier","value":"sc-7.25_prm_2"},{"name":"label","value":"SC-07(25)_ODP[02]","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(25)"},{"name":"label","value":"SC-07(25)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.25_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }}."},{"id":"sc-7.25_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks."},{"id":"sc-7.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(25)","class":"sp800-53a"}],"prose":"the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }} is prohibited.","links":[{"href":"#sc-7.25_smt","rel":"assessment-for"}]},{"id":"sc-7.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of unclassified national security systems to an external network"}]}]},{"id":"sc-7.26","class":"SP800-53-enhancement","title":"Classified National Security System Connections","params":[{"id":"sc-07.26_odp","props":[{"name":"alt-identifier","value":"sc-7.26_prm_1"},{"name":"label","value":"SC-07(26)_ODP","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(26)"},{"name":"label","value":"SC-07(26)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.26_smt","name":"statement","prose":"Prohibit the direct connection of a classified national security system to an external network without the use of {{ insert: param, sc-07.26_odp }}."},{"id":"sc-7.26_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks."},{"id":"sc-7.26_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(26)","class":"sp800-53a"}],"prose":"the direct connection of classified national security system to an external network without the use of a {{ insert: param, sc-07.26_odp }} is prohibited.","links":[{"href":"#sc-7.26_smt","rel":"assessment-for"}]},{"id":"sc-7.26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(26)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(26)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(26)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of classified national security systems to an external network"}]}]},{"id":"sc-7.27","class":"SP800-53-enhancement","title":"Unclassified Non-national Security System Connections","params":[{"id":"sc-07.27_odp.01","props":[{"name":"alt-identifier","value":"sc-7.27_prm_1"},{"name":"alt-label","value":"unclassified non-national security system","class":"sp800-53"},{"name":"label","value":"SC-07(27)_ODP[01]","class":"sp800-53a"}],"label":"unclassified, non-national security system","guidelines":[{"prose":"the unclassified, non-national security system prohibited from directly connecting to an external network is defined;"}]},{"id":"sc-07.27_odp.02","props":[{"name":"alt-identifier","value":"sc-7.27_prm_2"},{"name":"label","value":"SC-07(27)_ODP[02]","class":"sp800-53a"}],"label":"boundary protection device","guidelines":[{"prose":"the boundary protection device required for a direct connection of unclassified, non-national security system to an external network is defined;"}]}],"props":[{"name":"label","value":"SC-7(27)"},{"name":"label","value":"SC-07(27)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.27_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of {{ insert: param, sc-07.27_odp.02 }}."},{"id":"sc-7.27_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified non-national security systems and external networks."},{"id":"sc-7.27_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(27)","class":"sp800-53a"}],"prose":"the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of a {{ insert: param, sc-07.27_odp.02 }} is prohibited.","links":[{"href":"#sc-7.27_smt","rel":"assessment-for"}]},{"id":"sc-7.27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(27)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(27)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(27)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of unclassified, non-national security systems to an external network"}]}]},{"id":"sc-7.28","class":"SP800-53-enhancement","title":"Connections to Public Networks","params":[{"id":"sc-07.28_odp","props":[{"name":"alt-identifier","value":"sc-7.28_prm_1"},{"name":"label","value":"SC-07(28)_ODP","class":"sp800-53a"}],"label":"system","guidelines":[{"prose":"the system that is prohibited from directly connecting to a public network is defined;"}]}],"props":[{"name":"label","value":"SC-7(28)"},{"name":"label","value":"SC-07(28)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.28_smt","name":"statement","prose":"Prohibit the direct connection of {{ insert: param, sc-07.28_odp }} to a public network."},{"id":"sc-7.28_gdn","name":"guidance","prose":"A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access."},{"id":"sc-7.28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(28)","class":"sp800-53a"}],"prose":"the direct connection of the {{ insert: param, sc-07.28_odp }} to a public network is prohibited.","links":[{"href":"#sc-7.28_smt","rel":"assessment-for"}]},{"id":"sc-7.28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(28)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(28)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(28)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms prohibiting the direct connection of systems to an external network"}]}]},{"id":"sc-7.29","class":"SP800-53-enhancement","title":"Separate Subnets to Isolate Functions","params":[{"id":"sc-07.29_odp.01","props":[{"name":"alt-identifier","value":"sc-7.29_prm_1"},{"name":"label","value":"SC-07(29)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-07.29_odp.02","props":[{"name":"alt-identifier","value":"sc-7.29_prm_2"},{"name":"label","value":"SC-07(29)_ODP[02]","class":"sp800-53a"}],"label":"critical system components and functions","guidelines":[{"prose":"critical system components and functions to be isolated are defined;"}]}],"props":[{"name":"label","value":"SC-7(29)"},{"name":"label","value":"SC-07(29)","class":"sp800-53a"},{"name":"sort-id","value":"sc-07.29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"required"}],"parts":[{"id":"sc-7.29_smt","name":"statement","prose":"Implement {{ insert: param, sc-07.29_odp.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, sc-07.29_odp.02 }}."},{"id":"sc-7.29_gdn","name":"guidance","prose":"Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions."},{"id":"sc-7.29_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-07(29)","class":"sp800-53a"}],"prose":"subnetworks are separated {{ insert: param, sc-07.29_odp.01 }} to isolate {{ insert: param, sc-07.29_odp.02 }}.","links":[{"href":"#sc-7.29_smt","rel":"assessment-for"}]},{"id":"sc-7.29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-07(29)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing boundary protection\n\nsystem design documentation\n\nsystem hardware and software\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\ncriticality analysis\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-7.29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-07(29)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with boundary protection responsibilities"}]},{"id":"sc-7.29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-07(29)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms separating critical system components and functions"}]}]}]},{"id":"sc-8","class":"SP800-53","title":"Transmission Confidentiality and Integrity","params":[{"id":"sc-08_odp","props":[{"name":"alt-identifier","value":"sc-8_prm_1"},{"name":"label","value":"SC-08_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8"},{"name":"label","value":"SC-08","class":"sp800-53a"},{"name":"sort-id","value":"sc-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#736d6310-e403-4b57-a79d-9967970c66d7","rel":"reference"},{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#4c501da5-9d79-4cb6-ba80-97260e1ce327","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#ia-9","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pe-4","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-16","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"}],"parts":[{"id":"sc-8_smt","name":"statement","prose":"Protect the {{ insert: param, sc-08_odp }} of transmitted information."},{"id":"sc-8_gdn","name":"guidance","prose":"Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.\n\nOrganizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls."},{"id":"sc-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08_odp }} of transmitted information is\/are protected.","links":[{"href":"#sc-8_smt","rel":"assessment-for"}]},{"id":"sc-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}],"controls":[{"id":"sc-8.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-08.01_odp","props":[{"name":"alt-identifier","value":"sc-8.1_prm_1"},{"name":"label","value":"SC-08(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(1)"},{"name":"label","value":"SC-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission."},{"id":"sc-8.1_gdn","name":"guidance","prose":"Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes."},{"id":"sc-8.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.","links":[{"href":"#sc-8.1_smt","rel":"assessment-for"}]},{"id":"sc-8.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.2","class":"SP800-53-enhancement","title":"Pre- and Post-transmission Handling","params":[{"id":"sc-08.02_odp","props":[{"name":"alt-identifier","value":"sc-8.2_prm_1"},{"name":"label","value":"SC-08(02)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}}],"props":[{"name":"label","value":"SC-8(2)"},{"name":"label","value":"SC-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"}],"parts":[{"id":"sc-8.2_smt","name":"statement","prose":"Maintain the {{ insert: param, sc-08.02_odp }} of information during preparation for transmission and during reception."},{"id":"sc-8.2_gdn","name":"guidance","prose":"Information can be unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information."},{"id":"sc-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)","class":"sp800-53a"}],"parts":[{"id":"sc-8.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)[01]","class":"sp800-53a"}],"prose":"information {{ insert: param, sc-08.02_odp }} is\/are maintained during preparation for transmission;","links":[{"href":"#sc-8.2_smt","rel":"assessment-for"}]},{"id":"sc-8.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-08(02)[02]","class":"sp800-53a"}],"prose":"information {{ insert: param, sc-08.02_odp }} is\/are maintained during reception.","links":[{"href":"#sc-8.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-8.2_smt","rel":"assessment-for"}]},{"id":"sc-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity"}]}]},{"id":"sc-8.3","class":"SP800-53-enhancement","title":"Cryptographic Protection for Message Externals","params":[{"id":"sc-08.03_odp","props":[{"name":"alt-identifier","value":"sc-8.3_prm_1"},{"name":"label","value":"SC-08(03)_ODP","class":"sp800-53a"}],"label":"alternative physical controls","guidelines":[{"prose":"alternative physical controls to protect message externals are defined;"}]}],"props":[{"name":"label","value":"SC-8(3)"},{"name":"label","value":"SC-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}."},{"id":"sc-8.3_gdn","name":"guidance","prose":"Cryptographic protection for message externals addresses protection from the unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems."},{"id":"sc-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}.","links":[{"href":"#sc-8.3_smt","rel":"assessment-for"}]},{"id":"sc-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing transmission confidentiality and\/or integrity for message externals\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.4","class":"SP800-53-enhancement","title":"Conceal or Randomize Communications","params":[{"id":"sc-08.04_odp","props":[{"name":"alt-identifier","value":"sc-8.4_prm_1"},{"name":"label","value":"SC-08(04)_ODP","class":"sp800-53a"}],"label":"alternative physical controls","guidelines":[{"prose":"alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;"}]}],"props":[{"name":"label","value":"SC-8(4)"},{"name":"label","value":"SC-08(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-8.4_smt","name":"statement","prose":"Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}."},{"id":"sc-8.4_gdn","name":"guidance","prose":"Concealing or randomizing communication patterns addresses protection from unauthorized disclosure of information. Communication patterns include frequency, periods, predictability, and amount. Changes to communications patterns can reveal information with intelligence value, especially when combined with other available information related to the mission and business functions of the organization. Concealing or randomizing communications prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed, or random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical controls include protected distribution systems."},{"id":"sc-8.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(04)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}.","links":[{"href":"#sc-8.4_smt","rel":"assessment-for"}]},{"id":"sc-8.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing concealment or randomization of communication patterns\n\nmechanisms supporting and\/or implementing alternative physical safeguards\n\norganizational processes for defining and implementing alternative physical safeguards"}]}]},{"id":"sc-8.5","class":"SP800-53-enhancement","title":"Protected Distribution System","params":[{"id":"sc-08.05_odp.01","props":[{"name":"alt-identifier","value":"sc-8.5_prm_1"},{"name":"label","value":"SC-08(05)_ODP[01]","class":"sp800-53a"}],"label":"protected distribution system","guidelines":[{"prose":"the protected distribution system is defined;"}]},{"id":"sc-08.05_odp.02","props":[{"name":"alt-identifier","value":"sc-8.5_prm_2"},{"name":"label","value":"SC-08(05)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["prevent unauthorized disclosure of information","detect changes to information"]}}],"props":[{"name":"label","value":"SC-8(5)"},{"name":"label","value":"SC-08(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-08.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-8","rel":"required"}],"parts":[{"id":"sc-8.5_smt","name":"statement","prose":"Implement {{ insert: param, sc-08.05_odp.01 }} to {{ insert: param, sc-08.05_odp.02 }} during transmission."},{"id":"sc-8.5_gdn","name":"guidance","prose":"The purpose of a protected distribution system is to deter, detect, and\/or make difficult physical access to the communication lines that carry national security information."},{"id":"sc-8.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-08(05)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-08.05_odp.01 }} is implemented to {{ insert: param, sc-08.05_odp.02 }} during transmission.","links":[{"href":"#sc-8.5_smt","rel":"assessment-for"}]},{"id":"sc-8.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-08(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing transmission confidentiality and integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-8.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-08(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-8.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-08(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms supporting and\/or implementing concealment or randomization of communication patterns\n\nmechanisms supporting and\/or implementing protected distribution systems"}]}]}]},{"id":"sc-9","class":"SP800-53","title":"Transmission Confidentiality","props":[{"name":"label","value":"SC-9"},{"name":"label","value":"SC-09","class":"sp800-53a"},{"name":"sort-id","value":"sc-09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-8","rel":"incorporated-into"}]},{"id":"sc-10","class":"SP800-53","title":"Network Disconnect","params":[{"id":"sc-10_odp","props":[{"name":"alt-identifier","value":"sc-10_prm_1"},{"name":"label","value":"SC-10_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;"}]}],"props":[{"name":"label","value":"SC-10"},{"name":"label","value":"SC-10","class":"sp800-53a"},{"name":"sort-id","value":"sc-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-17","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-10_smt","name":"statement","prose":"Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."},{"id":"sc-10_gdn","name":"guidance","prose":"Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP\/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses."},{"id":"sc-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-10","class":"sp800-53a"}],"prose":"the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.","links":[{"href":"#sc-10_smt","rel":"assessment-for"}]},{"id":"sc-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing network disconnect\n\nsystem design documentation\n\nsecurity plan\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing a network disconnect capability"}]}]},{"id":"sc-11","class":"SP800-53","title":"Trusted Path","params":[{"id":"sc-11_odp.01","props":[{"name":"alt-identifier","value":"sc-11_prm_1"},{"name":"label","value":"SC-11_ODP[01]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-11_odp.02","props":[{"name":"alt-identifier","value":"sc-11_prm_2"},{"name":"label","value":"SC-11_ODP[02]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions of the system are defined;"}]}],"props":[{"name":"label","value":"SC-11"},{"name":"label","value":"SC-11","class":"sp800-53a"},{"name":"sort-id","value":"sc-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-23","rel":"related"}],"parts":[{"id":"sc-11_smt","name":"statement","parts":[{"id":"sc-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and"},{"id":"sc-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: {{ insert: param, sc-11_odp.02 }}."}]},{"id":"sc-11_gdn","name":"guidance","prose":"Trusted paths are mechanisms by which users can communicate (using input devices such as keyboards) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications. Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the <BREAK> key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the <CTRL> + <ALT> + <DEL> keys). Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept."},{"id":"sc-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-11","class":"sp800-53a"}],"parts":[{"id":"sc-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-11a.","class":"sp800-53a"}],"prose":"a {{ insert: param, sc-11_odp.01 }} isolated trusted communication path is provided for communications between the user and the trusted components of the system;","links":[{"href":"#sc-11_smt.a","rel":"assessment-for"}]},{"id":"sc-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-11b.","class":"sp800-53a"}],"prose":"users are permitted to invoke the trusted communication path for communications between the user and the {{ insert: param, sc-11_odp.02 }} of the system, including authentication and re-authentication, at a minimum.","links":[{"href":"#sc-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-11_smt","rel":"assessment-for"}]},{"id":"sc-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing trusted communication paths\n\nsecurity plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nassessment results from independent, testing organizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing trusted communication paths"}]}],"controls":[{"id":"sc-11.1","class":"SP800-53-enhancement","title":"Irrefutable Communications Path","params":[{"id":"sc-11.01_odp","props":[{"name":"alt-identifier","value":"sc-11.1_prm_1"},{"name":"label","value":"SC-11(01)_ODP","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions of the system are defined;"}]}],"props":[{"name":"label","value":"SC-11(1)"},{"name":"label","value":"SC-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-11","rel":"required"}],"parts":[{"id":"sc-11.1_smt","name":"statement","parts":[{"id":"sc-11.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and"},{"id":"sc-11.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Initiate the trusted communications path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user."}]},{"id":"sc-11.1_gdn","name":"guidance","prose":"An irrefutable communications path permits the system to initiate a trusted path, which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed."},{"id":"sc-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)","class":"sp800-53a"}],"parts":[{"id":"sc-11.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)(a)","class":"sp800-53a"}],"prose":"a trusted communication path that is irrefutably distinguishable from other communication paths is provided;","links":[{"href":"#sc-11.1_smt.a","rel":"assessment-for"}]},{"id":"sc-11.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-11(01)(b)","class":"sp800-53a"}],"prose":"the trusted communication path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user is initiated.","links":[{"href":"#sc-11.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-11.1_smt","rel":"assessment-for"}]},{"id":"sc-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing trusted communication paths\n\nsecurity plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nassessment results from independent, testing organizations\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing trusted communication paths"}]}]}]},{"id":"sc-12","class":"SP800-53","title":"Cryptographic Key Establishment and Management","params":[{"id":"sc-12_odp","props":[{"name":"alt-identifier","value":"sc-12_prm_1"},{"name":"alt-label","value":"requirements for key generation, distribution, storage, access, and destruction","class":"sp800-53"},{"name":"label","value":"SC-12_ODP","class":"sp800-53a"}],"label":"requirements","guidelines":[{"prose":"requirements for key generation, distribution, storage, access, and destruction are defined;"}]}],"props":[{"name":"label","value":"SC-12"},{"name":"label","value":"SC-12","class":"sp800-53a"},{"name":"sort-id","value":"sc-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#849b2358-683f-4d97-b111-1cc3d522ded5","rel":"reference"},{"href":"#3915a084-b87b-4f02-83d4-c369e746292f","rel":"reference"},{"href":"#ac-17","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-11","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-17","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-12_smt","name":"statement","prose":"Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}."},{"id":"sc-12_gdn","name":"guidance","prose":"Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. [NIST CMVP](#1acdc775-aafb-4d11-9341-dc6a822e9d38) and [NIST CAVP](#84dc1b0c-acb7-4269-84c4-00dbabacd78c) provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment."},{"id":"sc-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12","class":"sp800-53a"}],"parts":[{"id":"sc-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12[01]","class":"sp800-53a"}],"prose":"cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12[02]","class":"sp800-53a"}],"prose":"cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.","links":[{"href":"#sc-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12_smt","rel":"assessment-for"}]},{"id":"sc-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\ncryptographic mechanisms\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment and\/or management"}]},{"id":"sc-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}],"controls":[{"id":"sc-12.1","class":"SP800-53-enhancement","title":"Availability","props":[{"name":"label","value":"SC-12(1)"},{"name":"label","value":"SC-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.1_smt","name":"statement","prose":"Maintain availability of information in the event of the loss of cryptographic keys by users."},{"id":"sc-12.1_gdn","name":"guidance","prose":"Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key."},{"id":"sc-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(01)","class":"sp800-53a"}],"prose":"information availability is maintained in the event of the loss of cryptographic keys by users.","links":[{"href":"#sc-12.1_smt","rel":"assessment-for"}]},{"id":"sc-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]},{"id":"sc-12.2","class":"SP800-53-enhancement","title":"Symmetric Keys","params":[{"id":"sc-12.02_odp","props":[{"name":"alt-identifier","value":"sc-12.2_prm_1"},{"name":"label","value":"SC-12(02)_ODP","class":"sp800-53a"}],"select":{"choice":["NIST FIPS-validated","NSA-approved"]}}],"props":[{"name":"label","value":"SC-12(2)"},{"name":"label","value":"SC-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.2_smt","name":"statement","prose":"Produce, control, and distribute symmetric cryptographic keys using {{ insert: param, sc-12.02_odp }} key management technology and processes."},{"id":"sc-12.2_gdn","name":"guidance","prose":"[SP 800-56A](#20957dbb-6a1e-40a2-b38a-66f67d33ac2e), [SP 800-56B](#0d083d8a-5cc6-46f1-8d79-3081d42bcb75) , and [SP 800-56C](#eef62b16-c796-4554-955c-505824135b8a) provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1](#110e26af-4765-49e1-8740-6750f83fcda1), [SP 800-57-2](#e7942589-e267-4a5a-a3d9-f39a7aae81f0) , and [SP 800-57-3](#8306620b-1920-4d73-8b21-12008528595f) provide guidance on cryptographic key management."},{"id":"sc-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)","class":"sp800-53a"}],"parts":[{"id":"sc-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[01]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are produced using {{ insert: param, sc-12.02_odp }} key management technology and processes;","links":[{"href":"#sc-12.2_smt","rel":"assessment-for"}]},{"id":"sc-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[02]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are controlled using {{ insert: param, sc-12.02_odp }} key management technology and processes;","links":[{"href":"#sc-12.2_smt","rel":"assessment-for"}]},{"id":"sc-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-12(02)[03]","class":"sp800-53a"}],"prose":"symmetric cryptographic keys are distributed using {{ insert: param, sc-12.02_odp }} key management technology and processes.","links":[{"href":"#sc-12.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12.2_smt","rel":"assessment-for"}]},{"id":"sc-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of FIPS-validated cryptographic products\n\nlist of NSA-approved cryptographic products\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing symmetric cryptographic key establishment and management"}]}]},{"id":"sc-12.3","class":"SP800-53-enhancement","title":"Asymmetric Keys","params":[{"id":"sc-12.03_odp","props":[{"name":"alt-identifier","value":"sc-12.3_prm_1"},{"name":"label","value":"SC-12(03)_ODP","class":"sp800-53a"}],"select":{"choice":["NSA-approved key management technology and processes","prepositioned keying material","DoD-approved or DoD-issued Medium Assurance PKI certificates","DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key","certificates issued in accordance with organization-defined requirements"]}}],"props":[{"name":"label","value":"SC-12(3)"},{"name":"label","value":"SC-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.3_smt","name":"statement","prose":"Produce, control, and distribute asymmetric cryptographic keys using {{ insert: param, sc-12.03_odp }}."},{"id":"sc-12.3_gdn","name":"guidance","prose":"[SP 800-56A](#20957dbb-6a1e-40a2-b38a-66f67d33ac2e), [SP 800-56B](#0d083d8a-5cc6-46f1-8d79-3081d42bcb75) , and [SP 800-56C](#eef62b16-c796-4554-955c-505824135b8a) provide guidance on cryptographic key establishment schemes and key derivation methods. [SP 800-57-1](#110e26af-4765-49e1-8740-6750f83fcda1), [SP 800-57-2](#e7942589-e267-4a5a-a3d9-f39a7aae81f0) , and [SP 800-57-3](#8306620b-1920-4d73-8b21-12008528595f) provide guidance on cryptographic key management."},{"id":"sc-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)","class":"sp800-53a"}],"parts":[{"id":"sc-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[01]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are produced using {{ insert: param, sc-12.03_odp }};","links":[{"href":"#sc-12.3_smt","rel":"assessment-for"}]},{"id":"sc-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[02]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are controlled using {{ insert: param, sc-12.03_odp }};","links":[{"href":"#sc-12.3_smt","rel":"assessment-for"}]},{"id":"sc-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-12(03)[03]","class":"sp800-53a"}],"prose":"asymmetric cryptographic keys are distributed using {{ insert: param, sc-12.03_odp }}.","links":[{"href":"#sc-12.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-12.3_smt","rel":"assessment-for"}]},{"id":"sc-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment and management\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of NSA-approved cryptographic products\n\nlist of approved PKI Class 3 and Class 4 certificates\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic key establishment or management\n\norganizational personnel with responsibilities for PKI certificates"}]},{"id":"sc-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing asymmetric cryptographic key establishment and management"}]}]},{"id":"sc-12.4","class":"SP800-53-enhancement","title":"PKI Certificates","props":[{"name":"label","value":"SC-12(4)"},{"name":"label","value":"SC-12(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-12.3","rel":"incorporated-into"}]},{"id":"sc-12.5","class":"SP800-53-enhancement","title":"PKI Certificates \/ Hardware Tokens","props":[{"name":"label","value":"SC-12(5)"},{"name":"label","value":"SC-12(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-12.3","rel":"incorporated-into"}]},{"id":"sc-12.6","class":"SP800-53-enhancement","title":"Physical Control of Keys","props":[{"name":"label","value":"SC-12(6)"},{"name":"label","value":"SC-12(06)","class":"sp800-53a"},{"name":"sort-id","value":"sc-12.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-12","rel":"required"}],"parts":[{"id":"sc-12.6_smt","name":"statement","prose":"Maintain physical control of cryptographic keys when stored information is encrypted by external service providers."},{"id":"sc-12.6_gdn","name":"guidance","prose":"For organizations that use external service providers (e.g., cloud service or data center providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification."},{"id":"sc-12.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-12(06)","class":"sp800-53a"}],"prose":"physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.","links":[{"href":"#sc-12.6_smt","rel":"assessment-for"}]},{"id":"sc-12.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-12(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic key establishment, management, and recovery\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-12.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-12(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for cryptographic key establishment or management"}]},{"id":"sc-12.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-12(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic key establishment and management"}]}]}]},{"id":"sc-13","class":"SP800-53","title":"Cryptographic Protection","params":[{"id":"sc-13_odp.01","props":[{"name":"alt-identifier","value":"sc-13_prm_1"},{"name":"label","value":"SC-13_ODP[01]","class":"sp800-53a"}],"label":"cryptographic uses","guidelines":[{"prose":"cryptographic uses are defined;"}]},{"id":"sc-13_odp.02","props":[{"name":"alt-identifier","value":"sc-13_prm_2"},{"name":"alt-label","value":"types of cryptography for each specified cryptographic use","class":"sp800-53"},{"name":"label","value":"SC-13_ODP[02]","class":"sp800-53a"}],"label":"types of cryptography","guidelines":[{"prose":"types of cryptography for each specified cryptographic use are defined;"}]}],"props":[{"name":"label","value":"SC-13"},{"name":"label","value":"SC-13","class":"sp800-53a"},{"name":"sort-id","value":"sc-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-7","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-10","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#ia-3","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ia-7","rel":"related"},{"href":"#ia-13","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-40","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-13_smt","name":"statement","parts":[{"id":"sc-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine the {{ insert: param, sc-13_odp.01 }} ; and"},{"id":"sc-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}."}]},{"id":"sc-13_gdn","name":"guidance","prose":"Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"sc-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-13","class":"sp800-53a"}],"parts":[{"id":"sc-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-13a.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-13_odp.01 }} are identified;","links":[{"href":"#sc-13_smt.a","rel":"assessment-for"}]},{"id":"sc-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-13b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.","links":[{"href":"#sc-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-13_smt","rel":"assessment-for"}]},{"id":"sc-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cryptographic protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic module validation certificates\n\nlist of FIPS-validated cryptographic modules\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for cryptographic protection"}]},{"id":"sc-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cryptographic protection"}]}],"controls":[{"id":"sc-13.1","class":"SP800-53-enhancement","title":"FIPS-validated Cryptography","props":[{"name":"label","value":"SC-13(1)"},{"name":"label","value":"SC-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.2","class":"SP800-53-enhancement","title":"NSA-approved Cryptography","props":[{"name":"label","value":"SC-13(2)"},{"name":"label","value":"SC-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.3","class":"SP800-53-enhancement","title":"Individuals Without Formal Access Approvals","props":[{"name":"label","value":"SC-13(3)"},{"name":"label","value":"SC-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]},{"id":"sc-13.4","class":"SP800-53-enhancement","title":"Digital Signatures","props":[{"name":"label","value":"SC-13(4)"},{"name":"label","value":"SC-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-13.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-13","rel":"incorporated-into"}]}]},{"id":"sc-14","class":"SP800-53","title":"Public Access Protections","props":[{"name":"label","value":"SC-14"},{"name":"label","value":"SC-14","class":"sp800-53a"},{"name":"sort-id","value":"sc-14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#ac-3","rel":"incorporated-into"},{"href":"#ac-5","rel":"incorporated-into"},{"href":"#ac-6","rel":"incorporated-into"},{"href":"#si-3","rel":"incorporated-into"},{"href":"#si-4","rel":"incorporated-into"},{"href":"#si-5","rel":"incorporated-into"},{"href":"#si-7","rel":"incorporated-into"},{"href":"#si-10","rel":"incorporated-into"}]},{"id":"sc-15","class":"SP800-53","title":"Collaborative Computing Devices and Applications","params":[{"id":"sc-15_odp","props":[{"name":"alt-identifier","value":"sc-15_prm_1"},{"name":"label","value":"SC-15_ODP","class":"sp800-53a"}],"label":"exceptions where remote activation is to be allowed","guidelines":[{"prose":"exceptions where remote activation is to be allowed are defined;"}]}],"props":[{"name":"label","value":"SC-15"},{"name":"label","value":"SC-15","class":"sp800-53a"},{"name":"sort-id","value":"sc-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-21","rel":"related"},{"href":"#sc-42","rel":"related"}],"parts":[{"id":"sc-15_smt","name":"statement","parts":[{"id":"sc-15_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and"},{"id":"sc-15_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of use to users physically present at the devices."}]},{"id":"sc-15_gdn","name":"guidance","prose":"Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated."},{"id":"sc-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15","class":"sp800-53a"}],"parts":[{"id":"sc-15_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-15a.","class":"sp800-53a"}],"prose":"remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};","links":[{"href":"#sc-15_smt.a","rel":"assessment-for"}]},{"id":"sc-15_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-15b.","class":"sp800-53a"}],"prose":"an explicit indication of use is provided to users physically present at the devices.","links":[{"href":"#sc-15_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-15_smt","rel":"assessment-for"}]},{"id":"sc-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of remote activation of collaborative computing devices\n\nmechanisms providing an indication of use of collaborative computing devices"}]}],"controls":[{"id":"sc-15.1","class":"SP800-53-enhancement","title":"Physical or Logical Disconnect","params":[{"id":"sc-15.01_odp","props":[{"name":"alt-identifier","value":"sc-15.1_prm_1"},{"name":"label","value":"SC-15(01)_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["physical","logical"]}}],"props":[{"name":"label","value":"SC-15(1)"},{"name":"label","value":"SC-15(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.1_smt","name":"statement","prose":"Provide {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices in a manner that supports ease of use."},{"id":"sc-15.1_gdn","name":"guidance","prose":"Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures. Disconnect from collaborative computing devices can be manual or automatic."},{"id":"sc-15.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(01)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices is\/are provided in a manner that supports ease of use.","links":[{"href":"#sc-15.1_smt","rel":"assessment-for"}]},{"id":"sc-15.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical disconnect of collaborative computing devices"}]}]},{"id":"sc-15.2","class":"SP800-53-enhancement","title":"Blocking Inbound and Outbound Communications Traffic","props":[{"name":"label","value":"SC-15(2)"},{"name":"label","value":"SC-15(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-7","rel":"incorporated-into"}]},{"id":"sc-15.3","class":"SP800-53-enhancement","title":"Disabling and Removal in Secure Work Areas","params":[{"id":"sc-15.03_odp.01","props":[{"name":"alt-identifier","value":"sc-15.3_prm_1"},{"name":"label","value":"SC-15(03)_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components from which collaborative computing devices are to be disabled or removed are defined;"}]},{"id":"sc-15.03_odp.02","props":[{"name":"alt-identifier","value":"sc-15.3_prm_2"},{"name":"label","value":"SC-15(03)_ODP[02]","class":"sp800-53a"}],"label":"secure work areas","guidelines":[{"prose":"secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined;"}]}],"props":[{"name":"label","value":"SC-15(3)"},{"name":"label","value":"SC-15(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.3_smt","name":"statement","prose":"Disable or remove collaborative computing devices and applications from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}."},{"id":"sc-15.3_gdn","name":"guidance","prose":"Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A Sensitive Compartmented Information Facility (SCIF) is an example of a secure work area."},{"id":"sc-15.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(03)","class":"sp800-53a"}],"prose":"collaborative computing devices and applications are disabled or removed from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}.","links":[{"href":"#sc-15.3_smt","rel":"assessment-for"}]},{"id":"sc-15.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of secure work areas\n\nsystems or system components in secured work areas where collaborative computing devices are to be disabled or removed\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to disable collaborative computing devices"}]}]},{"id":"sc-15.4","class":"SP800-53-enhancement","title":"Explicitly Indicate Current Participants","params":[{"id":"sc-15.04_odp","props":[{"name":"alt-identifier","value":"sc-15.4_prm_1"},{"name":"label","value":"SC-15(04)_ODP","class":"sp800-53a"}],"label":"online meetings and teleconferences","guidelines":[{"prose":"online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined;"}]}],"props":[{"name":"label","value":"SC-15(4)"},{"name":"label","value":"SC-15(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-15.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-15","rel":"required"}],"parts":[{"id":"sc-15.4_smt","name":"statement","prose":"Provide an explicit indication of current participants in {{ insert: param, sc-15.04_odp }}."},{"id":"sc-15.4_gdn","name":"guidance","prose":"Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants."},{"id":"sc-15.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-15(04)","class":"sp800-53a"}],"prose":"an explicit indication of current participants in {{ insert: param, sc-15.04_odp }} is provided.","links":[{"href":"#sc-15.4_smt","rel":"assessment-for"}]},{"id":"sc-15.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-15(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing collaborative computing\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nlist of types of meetings and teleconferences requiring explicit indication of current participants\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-15.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-15(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing collaborative computing devices"}]},{"id":"sc-15.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-15(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to indicate participants on collaborative computing devices"}]}]}]},{"id":"sc-16","class":"SP800-53","title":"Transmission of Security and Privacy Attributes","params":[{"id":"sc-16_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-16_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-16_odp.02"}],"label":"organization-defined security and privacy attributes"},{"id":"sc-16_odp.01","props":[{"name":"label","value":"SC-16_ODP[01]","class":"sp800-53a"}],"label":"security attributes","guidelines":[{"prose":"security attributes to be associated with information exchanged are defined;"}]},{"id":"sc-16_odp.02","props":[{"name":"label","value":"SC-16_ODP[02]","class":"sp800-53a"}],"label":"privacy attributes","guidelines":[{"prose":"privacy attributes to be associated with information exchanged are defined;"}]}],"props":[{"name":"label","value":"SC-16"},{"name":"label","value":"SC-16","class":"sp800-53a"},{"name":"sort-id","value":"sc-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-16","rel":"related"}],"parts":[{"id":"sc-16_smt","name":"statement","prose":"Associate {{ insert: param, sc-16_prm_1 }} with information exchanged between systems and between system components."},{"id":"sc-16_gdn","name":"guidance","prose":"Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes."},{"id":"sc-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16","class":"sp800-53a"}],"parts":[{"id":"sc-16_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-16[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between systems;","links":[{"href":"#sc-16_smt","rel":"assessment-for"}]},{"id":"sc-16_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-16[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between system components;","links":[{"href":"#sc-16_smt","rel":"assessment-for"}]},{"id":"sc-16_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-16[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between systems;","links":[{"href":"#sc-16_smt","rel":"assessment-for"}]},{"id":"sc-16_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-16[04]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between system components.","links":[{"href":"#sc-16_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-16_smt","rel":"assessment-for"}]},{"id":"sc-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\ninformation flow control policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sc-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the transmission of security and privacy attributes between systems"}]}],"controls":[{"id":"sc-16.1","class":"SP800-53-enhancement","title":"Integrity Verification","props":[{"name":"label","value":"SC-16(1)"},{"name":"label","value":"SC-16(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"}],"parts":[{"id":"sc-16.1_smt","name":"statement","prose":"Verify the integrity of transmitted security and privacy attributes."},{"id":"sc-16.1_gdn","name":"guidance","prose":"Part of verifying the integrity of transmitted information is ensuring that security and privacy attributes that are associated with such information have not been modified in an unauthorized manner. Unauthorized modification of security or privacy attributes can result in a loss of integrity for transmitted information."},{"id":"sc-16.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)","class":"sp800-53a"}],"parts":[{"id":"sc-16.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)[01]","class":"sp800-53a"}],"prose":"the integrity of transmitted security attributes is verified;","links":[{"href":"#sc-16.1_smt","rel":"assessment-for"}]},{"id":"sc-16.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-16(01)[02]","class":"sp800-53a"}],"prose":"the integrity of transmitted privacy attributes is verified.","links":[{"href":"#sc-16.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-16.1_smt","rel":"assessment-for"}]},{"id":"sc-16.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-16.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"sc-16.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing verification of the integrity of transmitted security and privacy attributes"}]}]},{"id":"sc-16.2","class":"SP800-53-enhancement","title":"Anti-spoofing Mechanisms","props":[{"name":"label","value":"SC-16(2)"},{"name":"label","value":"SC-16(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-16.2_smt","name":"statement","prose":"Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process."},{"id":"sc-16.2_gdn","name":"guidance","prose":"Some attack vectors operate by altering the security attributes of an information system to intentionally and maliciously implement an insufficient level of security within the system. The alteration of attributes leads organizations to believe that a greater number of security functions are in place and operational than have actually been implemented."},{"id":"sc-16.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(02)","class":"sp800-53a"}],"prose":"anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.","links":[{"href":"#sc-16.2_smt","rel":"assessment-for"}]},{"id":"sc-16.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-16.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-16.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing anti-spoofing mechanisms"}]}]},{"id":"sc-16.3","class":"SP800-53-enhancement","title":"Cryptographic Binding","params":[{"id":"sc-16.03_odp","props":[{"name":"alt-identifier","value":"sc-16.3_prm_1"},{"name":"label","value":"SC-16(03)_ODP","class":"sp800-53a"}],"label":"mechanisms or techniques","guidelines":[{"prose":"mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;"}]}],"props":[{"name":"label","value":"SC-16(3)"},{"name":"label","value":"SC-16(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-16.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-16","rel":"required"},{"href":"#ac-16","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-16.3_smt","name":"statement","prose":"Implement {{ insert: param, sc-16.03_odp }} to bind security and privacy attributes to transmitted information."},{"id":"sc-16.3_gdn","name":"guidance","prose":"Cryptographic mechanisms and techniques can provide strong security and privacy attribute binding to transmitted information to help ensure the integrity of such information."},{"id":"sc-16.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-16(03)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-16.03_odp }} are implemented to bind security and privacy attributes to transmitted information.","links":[{"href":"#sc-16.3_smt","rel":"assessment-for"}]},{"id":"sc-16.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-16(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the transmission of security and privacy attributes\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-16.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-16(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-16.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-16(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing anti-spoofing mechanisms"}]}]}]},{"id":"sc-17","class":"SP800-53","title":"Public Key Infrastructure Certificates","params":[{"id":"sc-17_odp","props":[{"name":"alt-identifier","value":"sc-17_prm_1"},{"name":"label","value":"SC-17_ODP","class":"sp800-53a"}],"label":"certificate policy","guidelines":[{"prose":"a certificate policy for issuing public key certificates is defined;"}]}],"props":[{"name":"label","value":"SC-17"},{"name":"label","value":"SC-17","class":"sp800-53a"},{"name":"sort-id","value":"sc-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#8cb338a4-e493-4177-818f-3af18983ddc5","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#737513fa-6758-403f-831d-5ddab5e23cb3","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#sc-12","rel":"related"}],"parts":[{"id":"sc-17_smt","name":"statement","parts":[{"id":"sc-17_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and"},{"id":"sc-17_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Include only approved trust anchors in trust stores or certificate stores managed by the organization."}]},{"id":"sc-17_gdn","name":"guidance","prose":"Public key infrastructure (PKI) certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates."},{"id":"sc-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-17","class":"sp800-53a"}],"parts":[{"id":"sc-17_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-17a.","class":"sp800-53a"}],"prose":"public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;","links":[{"href":"#sc-17_smt.a","rel":"assessment-for"}]},{"id":"sc-17_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-17b.","class":"sp800-53a"}],"prose":"only approved trust anchors are included in trust stores or certificate stores managed by the organization.","links":[{"href":"#sc-17_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-17_smt","rel":"assessment-for"}]},{"id":"sc-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing public key infrastructure certificates\n\npublic key certificate policy or policies\n\npublic key issuing process\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for issuing public key certificates\n\nservice providers"}]},{"id":"sc-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of public key infrastructure certificates"}]}]},{"id":"sc-18","class":"SP800-53","title":"Mobile Code","props":[{"name":"label","value":"SC-18"},{"name":"label","value":"SC-18","class":"sp800-53a"},{"name":"sort-id","value":"sc-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#f641309f-a3ad-48be-8c67-2b318648b2f5","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#cm-2","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-18_smt","name":"statement","parts":[{"id":"sc-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Define acceptable and unacceptable mobile code and mobile code technologies; and"},{"id":"sc-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of mobile code within the system."}]},{"id":"sc-18_gdn","name":"guidance","prose":"Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source."},{"id":"sc-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[01]","class":"sp800-53a"}],"prose":"acceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[02]","class":"sp800-53a"}],"prose":"unacceptable mobile code is defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[03]","class":"sp800-53a"}],"prose":"acceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SC-18a.[04]","class":"sp800-53a"}],"prose":"unacceptable mobile code technologies are defined;","links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.a","rel":"assessment-for"}]},{"id":"sc-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.","class":"sp800-53a"}],"parts":[{"id":"sc-18_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[01]","class":"sp800-53a"}],"prose":"the use of mobile code is authorized within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[02]","class":"sp800-53a"}],"prose":"the use of mobile code is monitored within the system;","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]},{"id":"sc-18_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18b.[03]","class":"sp800-53a"}],"prose":"the use of mobile code is controlled within the system.","links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-18_smt","rel":"assessment-for"}]},{"id":"sc-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code implementation policy and procedures\n\nlist of acceptable mobile code and mobile code technologies\n\nlist of unacceptable mobile code and mobile technologies\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for authorizing, monitoring, and controlling mobile code\n\nmechanisms supporting and\/or implementing the management of mobile code\n\nmechanisms supporting and\/or implementing the monitoring of mobile code"}]}],"controls":[{"id":"sc-18.1","class":"SP800-53-enhancement","title":"Identify Unacceptable Code and Take Corrective Actions","params":[{"id":"sc-18.01_odp.01","props":[{"name":"alt-identifier","value":"sc-18.1_prm_1"},{"name":"label","value":"SC-18(01)_ODP[01]","class":"sp800-53a"}],"label":"unacceptable mobile code","guidelines":[{"prose":"unacceptable mobile code to be identified is defined;"}]},{"id":"sc-18.01_odp.02","props":[{"name":"alt-identifier","value":"sc-18.1_prm_2"},{"name":"label","value":"SC-18(01)_ODP[02]","class":"sp800-53a"}],"label":"corrective actions","guidelines":[{"prose":"corrective actions to be taken when unacceptable mobile code is identified are defined;"}]}],"props":[{"name":"label","value":"SC-18(1)"},{"name":"label","value":"SC-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.1_smt","name":"statement","prose":"Identify {{ insert: param, sc-18.01_odp.01 }} and take {{ insert: param, sc-18.01_odp.02 }}."},{"id":"sc-18.1_gdn","name":"guidance","prose":"Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing the transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code."},{"id":"sc-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)","class":"sp800-53a"}],"parts":[{"id":"sc-18.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.01_odp.01 }} is identified;","links":[{"href":"#sc-18.1_smt","rel":"assessment-for"}]},{"id":"sc-18.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(01)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.01_odp.02 }} are taken if unacceptable mobile code is identified.","links":[{"href":"#sc-18.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-18.1_smt","rel":"assessment-for"}]},{"id":"sc-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of unacceptable mobile code\n\nlist of corrective actions to be taken when unacceptable mobile code is identified\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing mobile code detection, inspection, and corrective capabilities"}]}]},{"id":"sc-18.2","class":"SP800-53-enhancement","title":"Acquisition, Development, and Use","params":[{"id":"sc-18.02_odp","props":[{"name":"alt-identifier","value":"sc-18.2_prm_1"},{"name":"label","value":"SC-18(02)_ODP","class":"sp800-53a"}],"label":"mobile code requirements","guidelines":[{"prose":"mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are defined;"}]}],"props":[{"name":"label","value":"SC-18(2)"},{"name":"label","value":"SC-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.2_smt","name":"statement","prose":"Verify that the acquisition, development, and use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}."},{"id":"sc-18.2_gdn","name":"guidance","prose":"None."},{"id":"sc-18.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)","class":"sp800-53a"}],"parts":[{"id":"sc-18.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[01]","class":"sp800-53a"}],"prose":"the acquisition of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};","links":[{"href":"#sc-18.2_smt","rel":"assessment-for"}]},{"id":"sc-18.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[02]","class":"sp800-53a"}],"prose":"the development of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};","links":[{"href":"#sc-18.2_smt","rel":"assessment-for"}]},{"id":"sc-18.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-18(02)[03]","class":"sp800-53a"}],"prose":"the use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}.","links":[{"href":"#sc-18.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-18.2_smt","rel":"assessment-for"}]},{"id":"sc-18.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code requirements\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nacquisition documentation\n\nacquisition contracts for system, system component, or system service\n\nsystem development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing mobile code\n\norganizational personnel with acquisition and contracting responsibilities"}]},{"id":"sc-18.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the acquisition, development, and use of mobile code"}]}]},{"id":"sc-18.3","class":"SP800-53-enhancement","title":"Prevent Downloading and Execution","params":[{"id":"sc-18.03_odp","props":[{"name":"alt-identifier","value":"sc-18.3_prm_1"},{"name":"label","value":"SC-18(03)_ODP","class":"sp800-53a"}],"label":"unacceptable mobile code","guidelines":[{"prose":"unacceptable mobile code to be prevented from downloading and executing is defined;"}]}],"props":[{"name":"label","value":"SC-18(3)"},{"name":"label","value":"SC-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.3_smt","name":"statement","prose":"Prevent the download and execution of {{ insert: param, sc-18.03_odp }}."},{"id":"sc-18.3_gdn","name":"guidance","prose":"None."},{"id":"sc-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)","class":"sp800-53a"}],"parts":[{"id":"sc-18.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)[01]","class":"sp800-53a"}],"prose":"the download of {{ insert: param, sc-18.03_odp }} is prevented;","links":[{"href":"#sc-18.3_smt","rel":"assessment-for"}]},{"id":"sc-18.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(03)[02]","class":"sp800-53a"}],"prose":"the execution of {{ insert: param, sc-18.03_odp }} is prevented.","links":[{"href":"#sc-18.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-18.3_smt","rel":"assessment-for"}]},{"id":"sc-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the download and execution of unacceptable mobile code"}]}]},{"id":"sc-18.4","class":"SP800-53-enhancement","title":"Prevent Automatic Execution","params":[{"id":"sc-18.04_odp.01","props":[{"name":"alt-identifier","value":"sc-18.4_prm_1"},{"name":"label","value":"SC-18(04)_ODP[01]","class":"sp800-53a"}],"label":"software applications","guidelines":[{"prose":"software applications in which the automatic execution of mobile code is to be prevented are defined;"}]},{"id":"sc-18.04_odp.02","props":[{"name":"alt-identifier","value":"sc-18.4_prm_2"},{"name":"label","value":"SC-18(04)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be enforced by the system prior to executing mobile code are defined;"}]}],"props":[{"name":"label","value":"SC-18(4)"},{"name":"label","value":"SC-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"}],"parts":[{"id":"sc-18.4_smt","name":"statement","prose":"Prevent the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} and enforce {{ insert: param, sc-18.04_odp.02 }} prior to executing the code."},{"id":"sc-18.4_gdn","name":"guidance","prose":"Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ portable storage devices, such as compact discs, digital versatile discs, and universal serial bus devices."},{"id":"sc-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)","class":"sp800-53a"}],"parts":[{"id":"sc-18.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)[01]","class":"sp800-53a"}],"prose":"the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} is prevented;","links":[{"href":"#sc-18.4_smt","rel":"assessment-for"}]},{"id":"sc-18.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-18(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-18.04_odp.02 }} are enforced prior to executing mobile code.","links":[{"href":"#sc-18.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-18.4_smt","rel":"assessment-for"}]},{"id":"sc-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage restrictions\n\nmobile code implementation policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of software applications in which the automatic execution of mobile code must be prohibited\n\nlist of actions required before execution of mobile code\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms preventing the automatic execution of unacceptable mobile code\n\nmechanisms enforcing actions to be taken prior to the execution of the mobile code"}]}]},{"id":"sc-18.5","class":"SP800-53-enhancement","title":"Allow Execution Only in Confined Environments","props":[{"name":"label","value":"SC-18(5)"},{"name":"label","value":"SC-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-18","rel":"required"},{"href":"#sc-44","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-18.5_smt","name":"statement","prose":"Allow execution of permitted mobile code only in confined virtual machine environments."},{"id":"sc-18.5_gdn","name":"guidance","prose":"Permitting the execution of mobile code only in confined virtual machine environments helps prevent the introduction of malicious code into other systems and system components."},{"id":"sc-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-18(05)","class":"sp800-53a"}],"prose":"execution of permitted mobile code is allowed only in confined virtual machine environments.","links":[{"href":"#sc-18.5_smt","rel":"assessment-for"}]},{"id":"sc-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing mobile code\n\nmobile code usage allowances\n\nmobile code usage restrictions\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of confined virtual machine environments in which the execution of organizationally acceptable mobile code is allowed\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel with responsibilities for managing mobile code"}]},{"id":"sc-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms allowing for the execution of permitted mobile code in confined virtual machine environments"}]}]}]},{"id":"sc-19","class":"SP800-53","title":"Voice Over Internet Protocol","props":[{"name":"label","value":"SC-19"},{"name":"label","value":"SC-19","class":"sp800-53a"},{"name":"sort-id","value":"sc-19"},{"name":"status","value":"withdrawn"}],"parts":[{"id":"sc-19_smt","name":"statement","prose":"Technology-specific; addressed as any other technology or protocol."}]},{"id":"sc-20","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Authoritative Source)","props":[{"name":"label","value":"SC-20"},{"name":"label","value":"SC-20","class":"sp800-53a"},{"name":"sort-id","value":"sc-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-20_smt","name":"statement","parts":[{"id":"sc-20_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name\/address resolution queries; and"},{"id":"sc-20_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."}]},{"id":"sc-20_gdn","name":"guidance","prose":"Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host\/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data."},{"id":"sc-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[01]","class":"sp800-53a"}],"prose":"additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20a.[02]","class":"sp800-53a"}],"prose":"integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name\/address resolution queries;","links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.a","rel":"assessment-for"}]},{"id":"sc-20_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.","class":"sp800-53a"}],"parts":[{"id":"sc-20_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[01]","class":"sp800-53a"}],"prose":"the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]},{"id":"sc-20_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20b.[02]","class":"sp800-53a"}],"prose":"the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.","links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-20_smt","rel":"assessment-for"}]},{"id":"sc-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing secure name\/address resolution services"}]}],"controls":[{"id":"sc-20.1","class":"SP800-53-enhancement","title":"Child Subspaces","props":[{"name":"label","value":"SC-20(1)"},{"name":"label","value":"SC-20(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-20.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-20","rel":"incorporated-into"}]},{"id":"sc-20.2","class":"SP800-53-enhancement","title":"Data Origin and Integrity","props":[{"name":"label","value":"SC-20(2)"},{"name":"label","value":"SC-20(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-20.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-20","rel":"required"}],"parts":[{"id":"sc-20.2_smt","name":"statement","prose":"Provide data origin and integrity protection artifacts for internal name\/address resolution queries."},{"id":"sc-20.2_gdn","name":"guidance","prose":"None."},{"id":"sc-20.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)","class":"sp800-53a"}],"parts":[{"id":"sc-20.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)[01]","class":"sp800-53a"}],"prose":"data origin artifacts are provided for internal name\/address resolution queries;","links":[{"href":"#sc-20.2_smt","rel":"assessment-for"}]},{"id":"sc-20.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-20(02)[02]","class":"sp800-53a"}],"prose":"integrity protection artifacts are provided for internal name\/address resolution queries.","links":[{"href":"#sc-20.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-20.2_smt","rel":"assessment-for"}]},{"id":"sc-20.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-20(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (authoritative source)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-20.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-20(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-20.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-20(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin and integrity protection for internal name\/address resolution service queries"}]}]}]},{"id":"sc-21","class":"SP800-53","title":"Secure Name\/Address Resolution Service (Recursive or Caching Resolver)","props":[{"name":"label","value":"SC-21"},{"name":"label","value":"SC-21","class":"sp800-53a"},{"name":"sort-id","value":"sc-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-20","rel":"related"},{"href":"#sc-22","rel":"related"}],"parts":[{"id":"sc-21_smt","name":"statement","prose":"Request and perform data origin authentication and data integrity verification on the name\/address resolution responses the system receives from authoritative sources."},{"id":"sc-21_gdn","name":"guidance","prose":"Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data."},{"id":"sc-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-21","class":"sp800-53a"}],"parts":[{"id":"sc-21_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-21[01]","class":"sp800-53a"}],"prose":"data origin authentication is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-21[02]","class":"sp800-53a"}],"prose":"data origin authentication is performed on the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-21[03]","class":"sp800-53a"}],"prose":"data integrity verification is requested for the name\/address resolution responses that the system receives from authoritative sources;","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SC-21[04]","class":"sp800-53a"}],"prose":"data integrity verification is performed on the name\/address resolution responses that the system receives from authoritative sources.","links":[{"href":"#sc-21_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-21_smt","rel":"assessment-for"}]},{"id":"sc-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing secure name\/address resolution services (recursive or caching resolver)\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing data origin authentication and data integrity verification for name\/address resolution services"}]}],"controls":[{"id":"sc-21.1","class":"SP800-53-enhancement","title":"Data Origin and Integrity","props":[{"name":"label","value":"SC-21(1)"},{"name":"label","value":"SC-21(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-21.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-21","rel":"incorporated-into"}]}]},{"id":"sc-22","class":"SP800-53","title":"Architecture and Provisioning for Name\/Address Resolution Service","props":[{"name":"label","value":"SC-22"},{"name":"label","value":"SC-22","class":"sp800-53a"},{"name":"sort-id","value":"sc-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#fe209006-bfd4-4033-a79a-9fee1adaf372","rel":"reference"},{"href":"#sc-2","rel":"related"},{"href":"#sc-20","rel":"related"},{"href":"#sc-21","rel":"related"},{"href":"#sc-24","rel":"related"}],"parts":[{"id":"sc-22_smt","name":"statement","prose":"Ensure the systems that collectively provide name\/address resolution service for an organization are fault-tolerant and implement internal and external role separation."},{"id":"sc-22_gdn","name":"guidance","prose":"Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists)."},{"id":"sc-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-22","class":"sp800-53a"}],"parts":[{"id":"sc-22_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-22[01]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization are fault-tolerant;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-22[02]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement internal role separation;","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-22[03]","class":"sp800-53a"}],"prose":"the systems that collectively provide name\/address resolution services for an organization implement external role separation.","links":[{"href":"#sc-22_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-22_smt","rel":"assessment-for"}]},{"id":"sc-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing architecture and provisioning for name\/address resolution services\n\naccess control policy and procedures\n\nsystem design documentation\n\nassessment results from independent testing organizations\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for managing DNS"}]},{"id":"sc-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing name\/address resolution services for fault tolerance and role separation"}]}]},{"id":"sc-23","class":"SP800-53","title":"Session Authenticity","props":[{"name":"label","value":"SC-23"},{"name":"label","value":"SC-23","class":"sp800-53a"},{"name":"sort-id","value":"sc-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#7537638e-2837-407d-844b-40fb3fafdd99","rel":"reference"},{"href":"#d4d7c760-2907-403b-8b2a-767ca5370ecd","rel":"reference"},{"href":"#a6b9907a-2a14-4bb4-a142-d4c73026a8b4","rel":"reference"},{"href":"#6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","rel":"reference"},{"href":"#au-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-10","rel":"related"},{"href":"#sc-11","rel":"related"}],"parts":[{"id":"sc-23_smt","name":"statement","prose":"Protect the authenticity of communications sessions."},{"id":"sc-23_gdn","name":"guidance","prose":"Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against \"man-in-the-middle\" attacks, session hijacking, and the insertion of false information into sessions."},{"id":"sc-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23","class":"sp800-53a"}],"prose":"the authenticity of communication sessions is protected.","links":[{"href":"#sc-23_smt","rel":"assessment-for"}]},{"id":"sc-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session authenticity"}]}],"controls":[{"id":"sc-23.1","class":"SP800-53-enhancement","title":"Invalidate Session Identifiers at Logout","props":[{"name":"label","value":"SC-23(1)"},{"name":"label","value":"SC-23(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"}],"parts":[{"id":"sc-23.1_smt","name":"statement","prose":"Invalidate session identifiers upon user logout or other session termination."},{"id":"sc-23.1_gdn","name":"guidance","prose":"Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs."},{"id":"sc-23.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(01)","class":"sp800-53a"}],"prose":"session identifiers are invalidated upon user logout or other session termination.","links":[{"href":"#sc-23.1_smt","rel":"assessment-for"}]},{"id":"sc-23.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing session identifier invalidation upon session termination"}]}]},{"id":"sc-23.2","class":"SP800-53-enhancement","title":"User-initiated Logouts and Message Displays","props":[{"name":"label","value":"SC-23(2)"},{"name":"label","value":"SC-23(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-12.1","rel":"incorporated-into"}]},{"id":"sc-23.3","class":"SP800-53-enhancement","title":"Unique System-generated Session Identifiers","params":[{"id":"sc-23.03_odp","props":[{"name":"alt-identifier","value":"sc-23.3_prm_1"},{"name":"label","value":"SC-23(03)_ODP","class":"sp800-53a"}],"label":"randomness requirements","guidelines":[{"prose":"randomness requirements for generating a unique session identifier for each session are defined;"}]}],"props":[{"name":"label","value":"SC-23(3)"},{"name":"label","value":"SC-23(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"},{"href":"#ac-10","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-23.3_smt","name":"statement","prose":"Generate a unique session identifier for each session with {{ insert: param, sc-23.03_odp }} and recognize only session identifiers that are system-generated."},{"id":"sc-23.3_gdn","name":"guidance","prose":"Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers."},{"id":"sc-23.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)","class":"sp800-53a"}],"parts":[{"id":"sc-23.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)[01]","class":"sp800-53a"}],"prose":"a unique session identifier is generated for each session with {{ insert: param, sc-23.03_odp }};","links":[{"href":"#sc-23.3_smt","rel":"assessment-for"}]},{"id":"sc-23.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-23(03)[02]","class":"sp800-53a"}],"prose":"only system-generated session identifiers are recognized.","links":[{"href":"#sc-23.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-23.3_smt","rel":"assessment-for"}]},{"id":"sc-23.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting, implementing, generating, and monitoring unique session identifiers\n\nmechanisms supporting and\/or implementing randomness requirements"}]}]},{"id":"sc-23.4","class":"SP800-53-enhancement","title":"Unique Session Identifiers with Randomization","props":[{"name":"label","value":"SC-23(4)"},{"name":"label","value":"SC-23(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-23.3","rel":"incorporated-into"}]},{"id":"sc-23.5","class":"SP800-53-enhancement","title":"Allowed Certificate Authorities","params":[{"id":"sc-23.05_odp","props":[{"name":"alt-identifier","value":"sc-23.5_prm_1"},{"name":"alt-label","value":"certificate authorities","class":"sp800-53"},{"name":"label","value":"SC-23(05)_ODP","class":"sp800-53a"}],"label":"certificated authorities","guidelines":[{"prose":"certificate authorities to be allowed for verification of the establishment of protected sessions are defined;"}]}],"props":[{"name":"label","value":"SC-23(5)"},{"name":"label","value":"SC-23(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-23.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-23","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-23.5_smt","name":"statement","prose":"Only allow the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions."},{"id":"sc-23.5_gdn","name":"guidance","prose":"Reliance on certificate authorities for the establishment of secure sessions includes the use of Transport Layer Security (TLS) certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers."},{"id":"sc-23.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-23(05)","class":"sp800-53a"}],"prose":"only the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions is allowed.","links":[{"href":"#sc-23.5_smt","rel":"assessment-for"}]},{"id":"sc-23.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-23(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing session authenticity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of certificate authorities allowed for verification of the establishment of protected sessions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-23.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-23(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-23.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-23(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the management of certificate authorities"}]}]}]},{"id":"sc-24","class":"SP800-53","title":"Fail in Known State","params":[{"id":"sc-24_odp.01","props":[{"name":"alt-identifier","value":"sc-24_prm_3"},{"name":"alt-label","value":"list of organization-defined types of system failures on organization-defined system components","class":"sp800-53"},{"name":"label","value":"SC-24_ODP[01]","class":"sp800-53a"}],"label":"types of system failures on system components","guidelines":[{"prose":"types of system failures for which the system components fail to a known state are defined;"}]},{"id":"sc-24_odp.02","props":[{"name":"alt-identifier","value":"sc-24_prm_1"},{"name":"label","value":"SC-24_ODP[02]","class":"sp800-53a"}],"label":"known system state","guidelines":[{"prose":"known system state to which system components fail in the event of a system failure is defined;"}]},{"id":"sc-24_odp.03","props":[{"name":"alt-identifier","value":"sc-24_prm_2"},{"name":"label","value":"SC-24_ODP[03]","class":"sp800-53a"}],"label":"system state information","guidelines":[{"prose":"system state information to be preserved in the event of a system failure is defined;"}]}],"props":[{"name":"label","value":"SC-24"},{"name":"label","value":"SC-24","class":"sp800-53a"},{"name":"sort-id","value":"sc-24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-12","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-22","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"sc-24_smt","name":"statement","prose":"Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}."},{"id":"sc-24_gdn","name":"guidance","prose":"Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes."},{"id":"sc-24_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-24","class":"sp800-53a"}],"prose":"{{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.","links":[{"href":"#sc-24_smt","rel":"assessment-for"}]},{"id":"sc-24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-24-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system failure to known state\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of failures requiring system to fail in a known state\n\nstate information to be preserved in system failure\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-24-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-24-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the fail in known state capability\n\nmechanisms preserving system state information in the event of a system failure"}]}]},{"id":"sc-25","class":"SP800-53","title":"Thin Nodes","params":[{"id":"sc-25_odp","props":[{"name":"alt-identifier","value":"sc-25_prm_1"},{"name":"label","value":"SC-25_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be employed with minimal functionality and information storage are defined;"}]}],"props":[{"name":"label","value":"SC-25"},{"name":"label","value":"SC-25","class":"sp800-53a"},{"name":"sort-id","value":"sc-25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-30","rel":"related"},{"href":"#sc-44","rel":"related"}],"parts":[{"id":"sc-25_smt","name":"statement","prose":"Employ minimal functionality and information storage on the following system components: {{ insert: param, sc-25_odp }}."},{"id":"sc-25_gdn","name":"guidance","prose":"The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies."},{"id":"sc-25_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-25","class":"sp800-53a"}],"parts":[{"id":"sc-25_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-25[01]","class":"sp800-53a"}],"prose":"minimal functionality for {{ insert: param, sc-25_odp }} is employed;","links":[{"href":"#sc-25_smt","rel":"assessment-for"}]},{"id":"sc-25_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-25[02]","class":"sp800-53a"}],"prose":"minimal information storage on {{ insert: param, sc-25_odp }} is allocated.","links":[{"href":"#sc-25_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-25_smt","rel":"assessment-for"}]},{"id":"sc-25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-25-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing use of thin nodes\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-25-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-25-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing thin nodes"}]}]},{"id":"sc-26","class":"SP800-53","title":"Decoys","props":[{"name":"label","value":"SC-26"},{"name":"label","value":"SC-26","class":"sp800-53a"},{"name":"sort-id","value":"sc-26"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-26_smt","name":"statement","prose":"Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks."},{"id":"sc-26_gdn","name":"guidance","prose":"Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational mission and business functions. Use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. Depending on the specific usage of the decoy, consultation with the Office of the General Counsel before deployment may be needed."},{"id":"sc-26_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-26","class":"sp800-53a"}],"parts":[{"id":"sc-26_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-26[01]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;","links":[{"href":"#sc-26_smt","rel":"assessment-for"}]},{"id":"sc-26_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-26[02]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;","links":[{"href":"#sc-26_smt","rel":"assessment-for"}]},{"id":"sc-26_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SC-26[03]","class":"sp800-53a"}],"prose":"components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.","links":[{"href":"#sc-26_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-26_smt","rel":"assessment-for"}]},{"id":"sc-26_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-26-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of decoys\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-26_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-26-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-26_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-26-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing decoys"}]}],"controls":[{"id":"sc-26.1","class":"SP800-53-enhancement","title":"Detection of Malicious Code","props":[{"name":"label","value":"SC-26(1)"},{"name":"label","value":"SC-26(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-26.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-35","rel":"incorporated-into"}]}]},{"id":"sc-27","class":"SP800-53","title":"Platform-independent Applications","params":[{"id":"sc-27_odp","props":[{"name":"alt-identifier","value":"sc-27_prm_1"},{"name":"label","value":"SC-27_ODP","class":"sp800-53a"}],"label":"platform-independent applications","guidelines":[{"prose":"platform-independent applications to be included within organizational systems are defined;"}]}],"props":[{"name":"label","value":"SC-27"},{"name":"label","value":"SC-27","class":"sp800-53a"},{"name":"sort-id","value":"sc-27"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-29","rel":"related"}],"parts":[{"id":"sc-27_smt","name":"statement","prose":"Include within organizational systems the following platform independent applications: {{ insert: param, sc-27_odp }}."},{"id":"sc-27_gdn","name":"guidance","prose":"Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increase the availability of mission-essential functions within organizations in situations where systems with specific operating systems are under attack."},{"id":"sc-27_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-27","class":"sp800-53a"}],"prose":"{{ insert: param, sc-27_odp }} are included within organizational systems.","links":[{"href":"#sc-27_smt","rel":"assessment-for"}]},{"id":"sc-27_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-27-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing platform-independent applications\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of platform-independent applications\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-27_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-27-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-27_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-27-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing platform-independent applications"}]}]},{"id":"sc-28","class":"SP800-53","title":"Protection of Information at Rest","params":[{"id":"sc-28_odp.01","props":[{"name":"alt-identifier","value":"sc-28_prm_1"},{"name":"label","value":"SC-28_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["confidentiality","integrity"]}},{"id":"sc-28_odp.02","props":[{"name":"alt-identifier","value":"sc-28_prm_2"},{"name":"label","value":"SC-28_ODP[02]","class":"sp800-53a"}],"label":"information at rest","guidelines":[{"prose":"information at rest requiring protection is defined;"}]}],"props":[{"name":"label","value":"SC-28"},{"name":"label","value":"SC-28","class":"sp800-53a"},{"name":"sort-id","value":"sc-28"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#20957dbb-6a1e-40a2-b38a-66f67d33ac2e","rel":"reference"},{"href":"#0d083d8a-5cc6-46f1-8d79-3081d42bcb75","rel":"reference"},{"href":"#eef62b16-c796-4554-955c-505824135b8a","rel":"reference"},{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#22f2d4f0-4365-4e88-a30d-275c1f5473ea","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cp-9","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-28_smt","name":"statement","prose":"Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}."},{"id":"sc-28_gdn","name":"guidance","prose":"Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage."},{"id":"sc-28_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is\/are protected.","links":[{"href":"#sc-28_smt","rel":"assessment-for"}]},{"id":"sc-28_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nlist of information at rest requiring confidentiality and integrity protections\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing confidentiality and integrity protections for information at rest"}]}],"controls":[{"id":"sc-28.1","class":"SP800-53-enhancement","title":"Cryptographic Protection","params":[{"id":"sc-28.01_odp.01","props":[{"name":"alt-identifier","value":"sc-28.1_prm_2"},{"name":"label","value":"SC-28(01)_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring cryptographic protection is defined;"}]},{"id":"sc-28.01_odp.02","props":[{"name":"alt-identifier","value":"sc-28.1_prm_1"},{"name":"label","value":"SC-28(01)_ODP[02]","class":"sp800-53a"}],"label":"system components or media","guidelines":[{"prose":"system components or media requiring cryptographic protection is\/are defined;"}]}],"props":[{"name":"label","value":"SC-28(1)"},{"name":"label","value":"SC-28(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.1_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.01 }}."},{"id":"sc-28.1_gdn","name":"guidance","prose":"The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields."},{"id":"sc-28.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)","class":"sp800-53a"}],"parts":[{"id":"sc-28.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(01)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.","links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-28.1_smt","rel":"assessment-for"}]},{"id":"sc-28.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"sc-28.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms implementing confidentiality and integrity protections for information at rest"}]}]},{"id":"sc-28.2","class":"SP800-53-enhancement","title":"Offline Storage","params":[{"id":"sc-28.02_odp","props":[{"name":"alt-identifier","value":"sc-28.2_prm_1"},{"name":"label","value":"SC-28(02)_ODP","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information to be removed from online storage and stored offline in a secure location is defined;"}]}],"props":[{"name":"label","value":"SC-28(2)"},{"name":"label","value":"SC-28(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-28","rel":"required"}],"parts":[{"id":"sc-28.2_smt","name":"statement","prose":"Remove the following information from online storage and store offline in a secure location: {{ insert: param, sc-28.02_odp }}."},{"id":"sc-28.2_gdn","name":"guidance","prose":"Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage."},{"id":"sc-28.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)","class":"sp800-53a"}],"parts":[{"id":"sc-28.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-28.02_odp }} is removed from online storage;","links":[{"href":"#sc-28.2_smt","rel":"assessment-for"}]},{"id":"sc-28.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-28(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-28.02_odp }} is stored offline in a secure location.","links":[{"href":"#sc-28.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-28.2_smt","rel":"assessment-for"}]},{"id":"sc-28.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\noffline storage locations for information at rest\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-28.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the removal of information from online storage\n\nmechanisms supporting and\/or implementing storage of information offline"}]}]},{"id":"sc-28.3","class":"SP800-53-enhancement","title":"Cryptographic Keys","params":[{"id":"sc-28.03_odp.01","props":[{"name":"alt-identifier","value":"sc-28.3_prm_1"},{"name":"label","value":"SC-28(03)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["{{ insert: param, sc-28.03_odp.02 }} ","hardware-protected key store"]}},{"id":"sc-28.03_odp.02","props":[{"name":"alt-identifier","value":"sc-28.3_prm_2"},{"name":"label","value":"SC-28(03)_ODP[02]","class":"sp800-53a"}],"label":"safeguards","guidelines":[{"prose":"safeguards for protecting the storage of cryptographic keys are defined (if selected);"}]}],"props":[{"name":"label","value":"SC-28(3)"},{"name":"label","value":"SC-28(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-28.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-28","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-28.3_smt","name":"statement","prose":"Provide protected storage for cryptographic keys {{ insert: param, sc-28.03_odp.01 }}."},{"id":"sc-28.3_gdn","name":"guidance","prose":"A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys."},{"id":"sc-28.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-28(03)","class":"sp800-53a"}],"prose":"protected storage for cryptographic keys is provided using {{ insert: param, sc-28.03_odp.01 }}.","links":[{"href":"#sc-28.3_smt","rel":"assessment-for"}]},{"id":"sc-28.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-28(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the protection of information at rest\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated configuration documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-28.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-28(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"sc-28.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-28(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing hardware-based key store protection"}]}]}]},{"id":"sc-29","class":"SP800-53","title":"Heterogeneity","params":[{"id":"sc-29_odp","props":[{"name":"alt-identifier","value":"sc-29_prm_1"},{"name":"label","value":"SC-29_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined;"}]}],"props":[{"name":"label","value":"SC-29"},{"name":"label","value":"SC-29","class":"sp800-53a"},{"name":"sort-id","value":"sc-29"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#au-9","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sc-27","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sr-3","rel":"related"}],"parts":[{"id":"sc-29_smt","name":"statement","prose":"Employ a diverse set of information technologies for the following system components in the implementation of the system: {{ insert: param, sc-29_odp }}."},{"id":"sc-29_gdn","name":"guidance","prose":"Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations."},{"id":"sc-29_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-29","class":"sp800-53a"}],"prose":"a diverse set of information technologies is employed for {{ insert: param, sc-29_odp }} in the implementation of the system.","links":[{"href":"#sc-29_smt","rel":"assessment-for"}]},{"id":"sc-29_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-29-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of technologies deployed in the system\n\nacquisition documentation\n\nacquisition contracts for system components or services\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-29_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-29-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with system acquisition, development, and implementation responsibilities"}]},{"id":"sc-29_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-29-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of a diverse set of information technologies"}]}],"controls":[{"id":"sc-29.1","class":"SP800-53-enhancement","title":"Virtualization Techniques","params":[{"id":"sc-29.01_odp","props":[{"name":"alt-identifier","value":"sc-29.1_prm_1"},{"name":"label","value":"SC-29(01)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined;"}]}],"props":[{"name":"label","value":"SC-29(1)"},{"name":"label","value":"SC-29(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-29.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-29","rel":"required"}],"parts":[{"id":"sc-29.1_smt","name":"statement","prose":"Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}."},{"id":"sc-29.1_gdn","name":"guidance","prose":"While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments."},{"id":"sc-29.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-29(01)","class":"sp800-53a"}],"prose":"virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}.","links":[{"href":"#sc-29.1_smt","rel":"assessment-for"}]},{"id":"sc-29.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-29(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of operating systems and applications deployed using virtualization techniques\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-29.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-29(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with responsibilities for implementing approved virtualization techniques to the system"}]},{"id":"sc-29.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-29(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of a diverse set of information technologies\n\nmechanisms supporting and\/or implementing virtualization techniques"}]}]}]},{"id":"sc-30","class":"SP800-53","title":"Concealment and Misdirection","params":[{"id":"sc-30_odp.01","props":[{"name":"alt-identifier","value":"sc-30_prm_3"},{"name":"label","value":"SC-30_ODP[01]","class":"sp800-53a"}],"label":"concealment and misdirection techniques","guidelines":[{"prose":"concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;"}]},{"id":"sc-30_odp.02","props":[{"name":"alt-identifier","value":"sc-30_prm_1"},{"name":"label","value":"SC-30_ODP[02]","class":"sp800-53a"}],"label":"systems","guidelines":[{"prose":"systems for which concealment and misdirection techniques are to be employed are defined;"}]},{"id":"sc-30_odp.03","props":[{"name":"alt-identifier","value":"sc-30_prm_2"},{"name":"label","value":"SC-30_ODP[03]","class":"sp800-53a"}],"label":"time periods","guidelines":[{"prose":"time periods to employ concealment and misdirection techniques for systems are defined;"}]}],"props":[{"name":"label","value":"SC-30"},{"name":"label","value":"SC-30","class":"sp800-53a"},{"name":"sort-id","value":"sc-30"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-6","rel":"related"},{"href":"#sc-25","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"sc-30_smt","name":"statement","prose":"Employ the following concealment and misdirection techniques for {{ insert: param, sc-30_odp.02 }} at {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries: {{ insert: param, sc-30_odp.01 }}."},{"id":"sc-30_gdn","name":"guidance","prose":"Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods—including randomness, uncertainty, and virtualization—may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and\/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system."},{"id":"sc-30_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30_odp.01 }} are employed for {{ insert: param, sc-30_odp.02 }} for {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries.","links":[{"href":"#sc-30_smt","rel":"assessment-for"}]},{"id":"sc-30_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of concealment and misdirection techniques to be employed for organizational systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to implement concealment and misdirection techniques for systems"}]},{"id":"sc-30_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing concealment and misdirection techniques"}]}],"controls":[{"id":"sc-30.1","class":"SP800-53-enhancement","title":"Virtualization Techniques","props":[{"name":"label","value":"SC-30(1)"},{"name":"label","value":"SC-30(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-29.1","rel":"incorporated-into"}]},{"id":"sc-30.2","class":"SP800-53-enhancement","title":"Randomness","params":[{"id":"sc-30.02_odp","props":[{"name":"alt-identifier","value":"sc-30.2_prm_1"},{"name":"label","value":"SC-30(02)_ODP","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques employed to introduce randomness into organizational operations and assets are defined;"}]}],"props":[{"name":"label","value":"SC-30(2)"},{"name":"label","value":"SC-30(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.2_smt","name":"statement","prose":"Employ {{ insert: param, sc-30.02_odp }} to introduce randomness into organizational operations and assets."},{"id":"sc-30.2_gdn","name":"guidance","prose":"Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel."},{"id":"sc-30.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30.02_odp }} are employed to introduce randomness into organizational operations and assets.","links":[{"href":"#sc-30.2_smt","rel":"assessment-for"}]},{"id":"sc-30.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of techniques to be employed to introduce randomness into organizational operations and assets\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to implement concealment and misdirection techniques for systems"}]},{"id":"sc-30.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing randomness as a concealment and misdirection technique"}]}]},{"id":"sc-30.3","class":"SP800-53-enhancement","title":"Change Processing and Storage Locations","params":[{"id":"sc-30.03_odp.01","props":[{"name":"alt-identifier","value":"sc-30.3_prm_1"},{"name":"label","value":"SC-30(03)_ODP[01]","class":"sp800-53a"}],"label":"processing and\/or storage","guidelines":[{"prose":"processing and\/or storage locations to be changed are defined;"}]},{"id":"sc-30.03_odp.02","props":[{"name":"alt-identifier","value":"sc-30.3_prm_2"},{"name":"label","value":"SC-30(03)_ODP[02]","class":"sp800-53a"}],"select":{"choice":["{{ insert: param, sc-30.03_odp.03 }} ","random time intervals"]}},{"id":"sc-30.03_odp.03","props":[{"name":"alt-identifier","value":"sc-30.3_prm_3"},{"name":"label","value":"SC-30(03)_ODP[03]","class":"sp800-53a"}],"label":"time frequency","guidelines":[{"prose":"time frequency at which to change the location of processing and\/or storage is defined (if selected);"}]}],"props":[{"name":"label","value":"SC-30(3)"},{"name":"label","value":"SC-30(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.3_smt","name":"statement","prose":"Change the location of {{ insert: param, sc-30.03_odp.01 }} {{ insert: param, sc-30.03_odp.02 }}]."},{"id":"sc-30.3_gdn","name":"guidance","prose":"Adversaries target critical mission and business functions and the systems that support those mission and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries make such systems more susceptible to attacks with less adversary cost and effort to be successful. Changing processing and storage locations (also referred to as moving target defense) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing, storage) that support critical mission and business functions. Changing the locations of processing activities and\/or storage sites introduces a degree of uncertainty into the targeting activities of adversaries. The targeting uncertainty increases the work factor of adversaries and makes compromises or breaches of the organizational systems more difficult and time-consuming. It also increases the chances that adversaries may inadvertently disclose certain aspects of their tradecraft while attempting to locate critical organizational resources."},{"id":"sc-30.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(03)","class":"sp800-53a"}],"prose":"the location of {{ insert: param, sc-30.03_odp.01 }} is changed {{ insert: param, sc-30.03_odp.02 }}.","links":[{"href":"#sc-30.3_smt","rel":"assessment-for"}]},{"id":"sc-30.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nlist of processing\/storage locations to be changed at organizational time intervals\n\nchange control records\n\nconfiguration management records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to change processing and\/or storage locations"}]},{"id":"sc-30.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing changing processing and\/or storage locations"}]}]},{"id":"sc-30.4","class":"SP800-53-enhancement","title":"Misleading Information","params":[{"id":"sc-30.04_odp","props":[{"name":"alt-identifier","value":"sc-30.4_prm_1"},{"name":"label","value":"SC-30(04)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which realistic but misleading information about their security state or posture is employed are defined;"}]}],"props":[{"name":"label","value":"SC-30(4)"},{"name":"label","value":"SC-30(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.4_smt","name":"statement","prose":"Employ realistic, but misleading information in {{ insert: param, sc-30.04_odp }} about its security state or posture."},{"id":"sc-30.4_gdn","name":"guidance","prose":"Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations."},{"id":"sc-30.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(04)","class":"sp800-53a"}],"prose":"realistic but misleading information about the security state or posture of {{ insert: param, sc-30.04_odp }} is employed.","links":[{"href":"#sc-30.4_smt","rel":"assessment-for"}]},{"id":"sc-30.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to define and employ realistic but misleading information about the security posture of system components"}]},{"id":"sc-30.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of realistic but misleading information about the security posture of system components"}]}]},{"id":"sc-30.5","class":"SP800-53-enhancement","title":"Concealment of System Components","params":[{"id":"sc-30.05_odp.01","props":[{"name":"alt-identifier","value":"sc-30.5_prm_2"},{"name":"label","value":"SC-30(05)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques to be employed to hide or conceal system components are defined;"}]},{"id":"sc-30.05_odp.02","props":[{"name":"alt-identifier","value":"sc-30.5_prm_1"},{"name":"label","value":"SC-30(05)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be hidden or concealed using techniques (defined in SC-30(05)_ODP[01]) are defined;"}]}],"props":[{"name":"label","value":"SC-30(5)"},{"name":"label","value":"SC-30(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-30.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"required"}],"parts":[{"id":"sc-30.5_smt","name":"statement","prose":"Employ the following techniques to hide or conceal {{ insert: param, sc-30.05_odp.02 }}: {{ insert: param, sc-30.05_odp.01 }}."},{"id":"sc-30.5_gdn","name":"guidance","prose":"By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include the configuration of routers or the use of encryption or virtualization techniques."},{"id":"sc-30.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-30(05)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-30.05_odp.01 }} are employed to hide or conceal {{ insert: param, sc-30.05_odp.02 }}.","links":[{"href":"#sc-30.5_smt","rel":"assessment-for"}]},{"id":"sc-30.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-30(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nconfiguration management policy and procedures\n\nprocedures addressing concealment and misdirection techniques for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of techniques employed to hide or conceal system components\n\nlist of system components to be hidden or concealed\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-30.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-30(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with the responsibility to conceal system components"}]},{"id":"sc-30.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-30(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing techniques for the concealment of system components"}]}]}]},{"id":"sc-31","class":"SP800-53","title":"Covert Channel Analysis","params":[{"id":"sc-31_odp","props":[{"name":"alt-identifier","value":"sc-31_prm_1"},{"name":"label","value":"SC-31_ODP","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["storage","timing"]}}],"props":[{"name":"label","value":"SC-31"},{"name":"label","value":"SC-31","class":"sp800-53a"},{"name":"sort-id","value":"sc-31"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"sc-31_smt","name":"statement","parts":[{"id":"sc-31_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels; and"},{"id":"sc-31_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Estimate the maximum bandwidth of those channels."}]},{"id":"sc-31_gdn","name":"guidance","prose":"Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems."},{"id":"sc-31_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31","class":"sp800-53a"}],"parts":[{"id":"sc-31_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-31a.","class":"sp800-53a"}],"prose":"a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels;","links":[{"href":"#sc-31_smt.a","rel":"assessment-for"}]},{"id":"sc-31_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-31b.","class":"sp800-53a"}],"prose":"the maximum bandwidth of those channels is estimated.","links":[{"href":"#sc-31_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-31_smt","rel":"assessment-for"}]},{"id":"sc-31_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to estimate the bandwidth of covert channels"}]}],"controls":[{"id":"sc-31.1","class":"SP800-53-enhancement","title":"Test Covert Channels for Exploitability","props":[{"name":"label","value":"SC-31(1)"},{"name":"label","value":"SC-31(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.1_smt","name":"statement","prose":"Test a subset of the identified covert channels to determine the channels that are exploitable."},{"id":"sc-31.1_gdn","name":"guidance","prose":"None."},{"id":"sc-31.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(01)","class":"sp800-53a"}],"prose":"a subset of the identified covert channels is tested to determine the channels that are exploitable.","links":[{"href":"#sc-31.1_smt","rel":"assessment-for"}]},{"id":"sc-31.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of covert channels\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities"}]},{"id":"sc-31.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for testing covert channels\n\nmechanisms supporting and\/or implementing the testing of covert channel analysis"}]}]},{"id":"sc-31.2","class":"SP800-53-enhancement","title":"Maximum Bandwidth","params":[{"id":"sc-31.02_odp.01","props":[{"name":"alt-identifier","value":"sc-31.2_prm_1"},{"name":"label","value":"SC-31(02)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["storage","timing"]}},{"id":"sc-31.02_odp.02","props":[{"name":"alt-identifier","value":"sc-31.2_prm_2"},{"name":"label","value":"SC-31(02)_ODP[02]","class":"sp800-53a"}],"label":"values","guidelines":[{"prose":"values for the maximum bandwidth for identified covert channels are defined;"}]}],"props":[{"name":"label","value":"SC-31(2)"},{"name":"label","value":"SC-31(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.2_smt","name":"statement","prose":"Reduce the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels to {{ insert: param, sc-31.02_odp.02 }}."},{"id":"sc-31.2_gdn","name":"guidance","prose":"The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts."},{"id":"sc-31.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(02)","class":"sp800-53a"}],"prose":"the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels is reduced to {{ insert: param, sc-31.02_odp.02 }}.","links":[{"href":"#sc-31.2_smt","rel":"assessment-for"}]},{"id":"sc-31.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nacquisition contracts for systems or services\n\nacquisition documentation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to reduce the bandwidth of covert channels"}]}]},{"id":"sc-31.3","class":"SP800-53-enhancement","title":"Measure Bandwidth in Operational Environments","params":[{"id":"sc-31.03_odp","props":[{"name":"alt-identifier","value":"sc-31.3_prm_1"},{"name":"label","value":"SC-31(03)_ODP","class":"sp800-53a"}],"label":"subset of identified covert channels","guidelines":[{"prose":"subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system is defined;"}]}],"props":[{"name":"label","value":"SC-31(3)"},{"name":"label","value":"SC-31(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-31.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-31","rel":"required"}],"parts":[{"id":"sc-31.3_smt","name":"statement","prose":"Measure the bandwidth of {{ insert: param, sc-31.03_odp }} in the operational environment of the system."},{"id":"sc-31.3_gdn","name":"guidance","prose":"Measuring covert channel bandwidth in specified operational environments helps organizations determine how much information can be covertly leaked before such leakage adversely affects mission or business functions. Covert channel bandwidth may be significantly different when measured in settings that are independent of the specific environments of operation, including laboratories or system development environments."},{"id":"sc-31.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-31(03)","class":"sp800-53a"}],"prose":"the bandwidth of {{ insert: param, sc-31.03_odp }} is measured in the operational environment of the system.","links":[{"href":"#sc-31.3_smt","rel":"assessment-for"}]},{"id":"sc-31.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-31(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing covert channel analysis\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncovert channel analysis documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-31.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-31(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel with covert channel analysis responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-31.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-31(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for conducting covert channel analysis\n\nmechanisms supporting and\/or implementing covert channel analysis\n\nmechanisms supporting and\/or implementing the capability to measure the bandwidth of covert channels"}]}]}]},{"id":"sc-32","class":"SP800-53","title":"System Partitioning","params":[{"id":"sc-32_odp.01","props":[{"name":"alt-identifier","value":"sc-32_prm_1"},{"name":"label","value":"SC-32_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;"}]},{"id":"sc-32_odp.02","props":[{"name":"alt-identifier","value":"sc-32_prm_2"},{"name":"label","value":"SC-32_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physical","logical"]}},{"id":"sc-32_odp.03","props":[{"name":"alt-identifier","value":"sc-32_prm_3"},{"name":"alt-label","value":"circumstances for physical or logical separation of components","class":"sp800-53"},{"name":"label","value":"SC-32_ODP[03]","class":"sp800-53a"}],"label":"circumstances for the physical or logical separation of components","guidelines":[{"prose":"circumstances for the physical or logical separation of components are defined;"}]}],"props":[{"name":"label","value":"SC-32"},{"name":"label","value":"SC-32","class":"sp800-53a"},{"name":"sort-id","value":"sc-32"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#628d22a1-6a11-4784-bc59-5cd9497b5445","rel":"reference"},{"href":"#d4296805-2dca-4c63-a95f-eeccaa826aec","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-36","rel":"related"}],"parts":[{"id":"sc-32_smt","name":"statement","prose":"Partition the system into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}."},{"id":"sc-32_gdn","name":"guidance","prose":"System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components."},{"id":"sc-32_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-32","class":"sp800-53a"}],"prose":"the system is partitioned into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}.","links":[{"href":"#sc-32_smt","rel":"assessment-for"}]},{"id":"sc-32_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical domains (or environments)\n\nsystem facility diagrams\n\nsystem network diagrams\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-32_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-32_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-32-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical separation of system components"}]}],"controls":[{"id":"sc-32.1","class":"SP800-53-enhancement","title":"Separate Physical Domains for Privileged Functions","props":[{"name":"label","value":"SC-32(1)"},{"name":"label","value":"SC-32(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-32.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-32","rel":"required"}],"parts":[{"id":"sc-32.1_smt","name":"statement","prose":"Partition privileged functions into separate physical domains."},{"id":"sc-32.1_gdn","name":"guidance","prose":"Privileged functions that operate in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service."},{"id":"sc-32.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-32(01)","class":"sp800-53a"}],"prose":"privileged functions are partitioned into separate physical domains.","links":[{"href":"#sc-32.1_smt","rel":"assessment-for"}]},{"id":"sc-32.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-32-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing system partitioning\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical domains (or environments)\n\nsystem facility diagrams\n\nsystem network diagrams\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-32.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-32-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-32.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-32-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the physical separation of system components"}]}]}]},{"id":"sc-33","class":"SP800-53","title":"Transmission Preparation Integrity","props":[{"name":"label","value":"SC-33"},{"name":"label","value":"SC-33","class":"sp800-53a"},{"name":"sort-id","value":"sc-33"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-8","rel":"incorporated-into"}]},{"id":"sc-34","class":"SP800-53","title":"Non-modifiable Executable Programs","params":[{"id":"sc-34_odp.01","props":[{"name":"alt-identifier","value":"sc-34_prm_1"},{"name":"label","value":"SC-34_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;"}]},{"id":"sc-34_odp.02","props":[{"name":"alt-identifier","value":"sc-34_prm_2"},{"name":"label","value":"SC-34_ODP[02]","class":"sp800-53a"}],"label":"applications","guidelines":[{"prose":"applications to be loaded and executed from hardware-enforced, read-only media are defined;"}]}],"props":[{"name":"label","value":"SC-34"},{"name":"label","value":"SC-34","class":"sp800-53a"},{"name":"sort-id","value":"sc-34"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-3","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"sc-34_smt","name":"statement","prose":"For {{ insert: param, sc-34_odp.01 }} , load and execute:","parts":[{"id":"sc-34_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"The operating environment from hardware-enforced, read-only media; and"},{"id":"sc-34_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}."}]},{"id":"sc-34_gdn","name":"guidance","prose":"The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media include Compact Disc-Recordable (CD-R) and Digital Versatile Disc-Recordable (DVD-R) disk drives as well as one-time, programmable, read-only memory. The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable, read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems."},{"id":"sc-34_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34","class":"sp800-53a"}],"parts":[{"id":"sc-34_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-34a.","class":"sp800-53a"}],"prose":"the operating environment for {{ insert: param, sc-34_odp.01 }} is loaded and executed from hardware-enforced, read-only media;","links":[{"href":"#sc-34_smt.a","rel":"assessment-for"}]},{"id":"sc-34_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-34b.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-34_odp.02 }} for {{ insert: param, sc-34_odp.01 }} are loaded and executed from hardware-enforced, read-only media.","links":[{"href":"#sc-34_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-34_smt","rel":"assessment-for"}]},{"id":"sc-34_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of operating system components to be loaded from hardware-enforced, read-only media\n\nlist of applications to be loaded from hardware-enforced, read-only media\n\nmedia used to load and execute the system operating environment\n\nmedia used to load and execute system applications\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing, loading, and executing the operating environment from hardware-enforced, read-only media\n\nmechanisms supporting and\/or implementing, loading, and executing applications from hardware-enforced, read-only media"}]}],"controls":[{"id":"sc-34.1","class":"SP800-53-enhancement","title":"No Writable Storage","params":[{"id":"sc-34.01_odp","props":[{"name":"alt-identifier","value":"sc-34.1_prm_1"},{"name":"label","value":"SC-34(01)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components to be employed with no writeable storage are defined;"}]}],"props":[{"name":"label","value":"SC-34(1)"},{"name":"label","value":"SC-34(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-34","rel":"required"},{"href":"#ac-19","rel":"related"},{"href":"#mp-7","rel":"related"}],"parts":[{"id":"sc-34.1_smt","name":"statement","prose":"Employ {{ insert: param, sc-34.01_odp }} with no writeable storage that is persistent across component restart or power on\/off."},{"id":"sc-34.1_gdn","name":"guidance","prose":"Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices."},{"id":"sc-34.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-34.01_odp }} are employed with no writeable storage that is persistent across component restart or power on\/off.","links":[{"href":"#sc-34.1_smt","rel":"assessment-for"}]},{"id":"sc-34.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system components to be employed without writeable storage capabilities\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the employment of components with no writeable storage\n\nmechanisms supporting and\/or implementing persistent non-writeable storage across component restart and power on\/off"}]}]},{"id":"sc-34.2","class":"SP800-53-enhancement","title":"Integrity Protection on Read-only Media","props":[{"name":"label","value":"SC-34(2)"},{"name":"label","value":"SC-34(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-34","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-5","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#si-3","rel":"related"}],"parts":[{"id":"sc-34.2_smt","name":"statement","prose":"Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media."},{"id":"sc-34.2_gdn","name":"guidance","prose":"Controls prevent the substitution of media into systems or the reprogramming of programmable read-only media prior to installation into the systems. Integrity protection controls include a combination of prevention, detection, and response."},{"id":"sc-34.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)","class":"sp800-53a"}],"parts":[{"id":"sc-34.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)[01]","class":"sp800-53a"}],"prose":"the integrity of information is protected prior to storage on read-only media;","links":[{"href":"#sc-34.2_smt","rel":"assessment-for"}]},{"id":"sc-34.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-34(02)[02]","class":"sp800-53a"}],"prose":"the media is controlled after such information has been recorded onto the media;","links":[{"href":"#sc-34.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-34.2_smt","rel":"assessment-for"}]},{"id":"sc-34.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-34(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing non-modifiable executable programs\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-34.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-34(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-34.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-34(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the capability to protect information integrity on read-only media prior to storage and after information has been recorded onto the media"}]}]},{"id":"sc-34.3","class":"SP800-53-enhancement","title":"Hardware-based Protection","props":[{"name":"label","value":"SC-34(3)"},{"name":"label","value":"SC-34(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-34.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-51","rel":"moved-to"}]}]},{"id":"sc-35","class":"SP800-53","title":"External Malicious Code Identification","props":[{"name":"label","value":"SC-35"},{"name":"label","value":"SC-35","class":"sp800-53a"},{"name":"sort-id","value":"sc-35"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-7","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-35_smt","name":"statement","prose":"Include system components that proactively seek to identify network-based malicious code or malicious websites."},{"id":"sc-35_gdn","name":"guidance","prose":"External malicious code identification differs from decoys in [SC-26](#sc-26) in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation."},{"id":"sc-35_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-35","class":"sp800-53a"}],"prose":"system components that proactively seek to identify network-based malicious code or malicious websites are included.","links":[{"href":"#sc-35_smt","rel":"assessment-for"}]},{"id":"sc-35_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-35-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing external malicious code identification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem components deployed to identify malicious websites and\/or web-based malicious code\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-35_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-35-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-35_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-35-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing external malicious code identification"}]}]},{"id":"sc-36","class":"SP800-53","title":"Distributed Processing and Storage","params":[{"id":"sc-36_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.04"}],"select":{"choice":["physical locations","logical domains"]}},{"id":"sc-36_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-36_odp.03"}],"label":"organization-defined processing and storage components"},{"id":"sc-36_odp.01","props":[{"name":"label","value":"SC-36_ODP[01]","class":"sp800-53a"}],"label":"processing components","guidelines":[{"prose":"processing components to be distributed across multiple locations\/domains are defined;"}]},{"id":"sc-36_odp.02","props":[{"name":"label","value":"SC-36_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physical locations","logical domains"]}},{"id":"sc-36_odp.03","props":[{"name":"label","value":"SC-36_ODP[03]","class":"sp800-53a"}],"label":"storage components","guidelines":[{"prose":"storage components to be distributed across multiple locations\/domains are defined;"}]},{"id":"sc-36_odp.04","props":[{"name":"label","value":"SC-36_ODP[04]","class":"sp800-53a"}],"select":{"choice":["physical locations","logical domains"]}}],"props":[{"name":"label","value":"SC-36"},{"name":"label","value":"SC-36","class":"sp800-53a"},{"name":"sort-id","value":"sc-36"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#sc-32","rel":"related"}],"parts":[{"id":"sc-36_smt","name":"statement","prose":"Distribute the following processing and storage components across multiple {{ insert: param, sc-36_prm_1 }}: {{ insert: param, sc-36_prm_2 }}."},{"id":"sc-36_gdn","name":"guidance","prose":"Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage."},{"id":"sc-36_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36","class":"sp800-53a"}],"parts":[{"id":"sc-36_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-36[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36_odp.01 }} are distributed across {{ insert: param, sc-36_odp.02 }};","links":[{"href":"#sc-36_smt","rel":"assessment-for"}]},{"id":"sc-36_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-36[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36_odp.03 }} are distributed across {{ insert: param, sc-36_odp.04 }}.","links":[{"href":"#sc-36_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-36_smt","rel":"assessment-for"}]},{"id":"sc-36_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\ncontingency planning policy and procedures\n\ncontingency plan\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system physical locations (or environments) with distributed processing and storage\n\nsystem facility diagrams\n\nprocessing site agreements\n\nstorage site agreements\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel with contingency planning and plan implementation responsibilities\n\nsystem developers\/integrators"}]},{"id":"sc-36_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for distributed processing and storage across multiple physical locations\n\nmechanisms supporting and\/or implementing the capability to distribute processing and storage across multiple physical locations"}]}],"controls":[{"id":"sc-36.1","class":"SP800-53-enhancement","title":"Polling Techniques","params":[{"id":"sc-36.01_odp.01","props":[{"name":"alt-identifier","value":"sc-36.1_prm_1"},{"name":"label","value":"SC-36(01)_ODP[01]","class":"sp800-53a"}],"label":"distributed processing and storage components","guidelines":[{"prose":"distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises are defined;"}]},{"id":"sc-36.01_odp.02","props":[{"name":"alt-identifier","value":"sc-36.1_prm_2"},{"name":"label","value":"SC-36(01)_ODP[02]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken in response to identified faults, errors, or compromise are defined;"}]}],"props":[{"name":"label","value":"SC-36(1)"},{"name":"label","value":"SC-36(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-36.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-36","rel":"required"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-36.1_smt","name":"statement","parts":[{"id":"sc-36.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: {{ insert: param, sc-36.01_odp.01 }} ; and"},{"id":"sc-36.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions in response to identified faults, errors, or compromises: {{ insert: param, sc-36.01_odp.02 }}."}]},{"id":"sc-36.1_gdn","name":"guidance","prose":"Distributed processing and\/or storage may be used to reduce opportunities for adversaries to compromise the confidentiality, integrity, or availability of organizational information and systems. However, the distribution of processing and storage components does not prevent adversaries from compromising one or more of the components. Polling compares the processing results and\/or storage content from the distributed components and subsequently votes on the outcomes. Polling identifies potential faults, compromises, or errors in the distributed processing and storage components."},{"id":"sc-36.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)","class":"sp800-53a"}],"parts":[{"id":"sc-36.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)(a)","class":"sp800-53a"}],"prose":"polling techniques are employed to identify potential faults, errors, or compromises to {{ insert: param, sc-36.01_odp.01 }};","links":[{"href":"#sc-36.1_smt.a","rel":"assessment-for"}]},{"id":"sc-36.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-36(01)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36.01_odp.02 }} are taken in response to identified faults, errors, or compromise.","links":[{"href":"#sc-36.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-36.1_smt","rel":"assessment-for"}]},{"id":"sc-36.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of distributed processing and storage components subject to polling\n\nsystem polling techniques and associated documentation or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-36.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing polling techniques"}]}]},{"id":"sc-36.2","class":"SP800-53-enhancement","title":"Synchronization","params":[{"id":"sc-36.02_odp","props":[{"name":"alt-identifier","value":"sc-36.2_prm_1"},{"name":"label","value":"SC-36(02)_ODP","class":"sp800-53a"}],"label":"duplicate systems or system components","guidelines":[{"prose":"duplicate systems or system components to be synchronized are defined;"}]}],"props":[{"name":"label","value":"SC-36(2)"},{"name":"label","value":"SC-36(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-36.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-36","rel":"required"},{"href":"#cp-9","rel":"related"}],"parts":[{"id":"sc-36.2_smt","name":"statement","prose":"Synchronize the following duplicate systems or system components: {{ insert: param, sc-36.02_odp }}."},{"id":"sc-36.2_gdn","name":"guidance","prose":"[SC-36](#sc-36) and [CP-9(6)](#cp-9.6) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed."},{"id":"sc-36.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-36(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-36.02_odp }} are synchronized.","links":[{"href":"#sc-36.2_smt","rel":"assessment-for"}]},{"id":"sc-36.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-36(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of distributed processing and storage components subject to polling\n\nsystem polling techniques and associated documentation or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-36.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-36(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-36.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-36(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing duplicate system or system component synchronization"}]}]}]},{"id":"sc-37","class":"SP800-53","title":"Out-of-band Channels","params":[{"id":"sc-37_odp.01","props":[{"name":"alt-identifier","value":"sc-37_prm_3"},{"name":"label","value":"SC-37_ODP[01]","class":"sp800-53a"}],"label":"out-of-band channels","guidelines":[{"prose":"out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;"}]},{"id":"sc-37_odp.02","props":[{"name":"alt-identifier","value":"sc-37_prm_1"},{"name":"label","value":"SC-37_ODP[02]","class":"sp800-53a"}],"label":"information, system components, or devices","guidelines":[{"prose":"information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined;"}]},{"id":"sc-37_odp.03","props":[{"name":"alt-identifier","value":"sc-37_prm_2"},{"name":"label","value":"SC-37_ODP[03]","class":"sp800-53a"}],"label":"individuals or systems","guidelines":[{"prose":"individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;"}]}],"props":[{"name":"label","value":"SC-37"},{"name":"label","value":"SC-37","class":"sp800-53a"},{"name":"sort-id","value":"sc-37"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#110e26af-4765-49e1-8740-6750f83fcda1","rel":"reference"},{"href":"#e7942589-e267-4a5a-a3d9-f39a7aae81f0","rel":"reference"},{"href":"#8306620b-1920-4d73-8b21-12008528595f","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-4","rel":"related"},{"href":"#ia-5","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-37_smt","name":"statement","prose":"Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp.01 }}."},{"id":"sc-37_gdn","name":"guidance","prose":"Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file."},{"id":"sc-37_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-37","class":"sp800-53a"}],"prose":"{{ insert: param, sc-37_odp.01 }} are employed for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}.","links":[{"href":"#sc-37_smt","rel":"assessment-for"}]},{"id":"sc-37_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-37-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of out-of-band channels\n\naccess control policy and procedures\n\nidentification and authentication policy and procedures\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of out-of-band channels\n\ntypes of information, system components, or devices requiring the use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or systems\n\nphysical delivery records\n\nelectronic transmission records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-37_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-37-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, operating, and\/or using out-of-band channels\n\nsystem developers\/integrators"}]},{"id":"sc-37_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-37-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of out-of-band channels\n\nmechanisms supporting and\/or implementing the use of out-of-band channels"}]}],"controls":[{"id":"sc-37.1","class":"SP800-53-enhancement","title":"Ensure Delivery and Transmission","params":[{"id":"sc-37.01_odp.01","props":[{"name":"alt-identifier","value":"sc-37.1_prm_1"},{"name":"label","value":"SC-37(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be employed to ensure that only designated individuals or systems receive specific information, system components, or devices are defined;"}]},{"id":"sc-37.01_odp.02","props":[{"name":"alt-identifier","value":"sc-37.1_prm_2"},{"name":"label","value":"SC-37(01)_ODP[02]","class":"sp800-53a"}],"label":"individuals or systems","guidelines":[{"prose":"individuals or systems designated to receive specific information, system components, or devices are defined;"}]},{"id":"sc-37.01_odp.03","props":[{"name":"alt-identifier","value":"sc-37.1_prm_3"},{"name":"label","value":"SC-37(01)_ODP[03]","class":"sp800-53a"}],"label":"information, system components, or devices","guidelines":[{"prose":"information, system components, or devices that only individuals or systems are designated to receive are defined;"}]}],"props":[{"name":"label","value":"SC-37(1)"},{"name":"label","value":"SC-37(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-37.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-37","rel":"required"}],"parts":[{"id":"sc-37.1_smt","name":"statement","prose":"Employ {{ insert: param, sc-37.01_odp.01 }} to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive the following information, system components, or devices: {{ insert: param, sc-37.01_odp.03 }}."},{"id":"sc-37.1_gdn","name":"guidance","prose":"Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt."},{"id":"sc-37.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-37(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-37.01_odp.01 }} are employed to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive {{ insert: param, sc-37.01_odp.03 }}.","links":[{"href":"#sc-37.1_smt","rel":"assessment-for"}]},{"id":"sc-37.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-37(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing the use of out-of-band channels\n\naccess control policy and procedures\n\nidentification and authentication policy and procedures\n\nsystem design documentation\n\nsystem architecture\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards to be employed to ensure that designated individuals or systems receive organization-defined information, system components, or devices\n\nlist of security safeguards for delivering designated information, system components, or devices to designated individuals or systems\n\nlist of information, system components, or devices to be delivered to designated individuals or systems\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-37.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-37(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, operating, and\/or using out-of-band channels\n\nsystem developers\/integrators"}]},{"id":"sc-37.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-37(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of out-of-band channels\n\nmechanisms supporting and\/or implementing the use of out-of-band channels\n\nmechanisms supporting\/implementing safeguards to ensure the delivery of designated information, system components, or devices"}]}]}]},{"id":"sc-38","class":"SP800-53","title":"Operations Security","params":[{"id":"sc-38_odp","props":[{"name":"alt-identifier","value":"sc-38_prm_1"},{"name":"label","value":"SC-38_ODP","class":"sp800-53a"}],"label":"operations security controls","guidelines":[{"prose":"operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;"}]}],"props":[{"name":"label","value":"SC-38"},{"name":"label","value":"SC-38","class":"sp800-53a"},{"name":"sort-id","value":"sc-38"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#pl-1","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-7","rel":"related"}],"parts":[{"id":"sc-38_smt","name":"statement","prose":"Employ the following operations security controls to protect key organizational information throughout the system development life cycle: {{ insert: param, sc-38_odp }}."},{"id":"sc-38_gdn","name":"guidance","prose":"Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details."},{"id":"sc-38_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-38","class":"sp800-53a"}],"prose":"{{ insert: param, sc-38_odp }} are employed to protect key organizational information throughout the system development life cycle.","links":[{"href":"#sc-38_smt","rel":"assessment-for"}]},{"id":"sc-38_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-38-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing operations security\n\nsecurity plan\n\nlist of operations security safeguards\n\nsecurity control assessments\n\nrisk assessments\n\nthreat and vulnerability assessments\n\nplans of action and milestones\n\nsystem development life cycle documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-38_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-38-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-38_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-38-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for protecting organizational information throughout the system development life cycle\n\nmechanisms supporting and\/or implementing safeguards to protect organizational information throughout the system development life cycle"}]}]},{"id":"sc-39","class":"SP800-53","title":"Process Isolation","props":[{"name":"label","value":"SC-39"},{"name":"label","value":"SC-39","class":"sp800-53a"},{"name":"sort-id","value":"sc-39"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-6","rel":"related"},{"href":"#ac-25","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"sc-39_smt","name":"statement","prose":"Maintain a separate execution domain for each executing system process."},{"id":"sc-39_gdn","name":"guidance","prose":"Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies."},{"id":"sc-39_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each executing system process.","links":[{"href":"#sc-39_smt","rel":"assessment-for"}]},{"id":"sc-39_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System design documentation\n\nsystem architecture\n\nindependent verification and validation documentation\n\ntesting and evaluation documentation\n\nother relevant documents or records"}]},{"id":"sc-39_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System developers\/integrators\n\nsystem security architect"}]},{"id":"sc-39_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing separate execution domains for each executing process"}]}],"controls":[{"id":"sc-39.1","class":"SP800-53-enhancement","title":"Hardware Separation","props":[{"name":"label","value":"SC-39(1)"},{"name":"label","value":"SC-39(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-39.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-39","rel":"required"}],"parts":[{"id":"sc-39.1_smt","name":"statement","prose":"Implement hardware separation mechanisms to facilitate process isolation."},{"id":"sc-39.1_gdn","name":"guidance","prose":"Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management."},{"id":"sc-39.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39(01)","class":"sp800-53a"}],"prose":"hardware separation is implemented to facilitate process isolation.","links":[{"href":"#sc-39.1_smt","rel":"assessment-for"}]},{"id":"sc-39.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem documentation for hardware separation mechanisms\n\nsystem documentation from vendors, manufacturers, or developers\n\nindependent verification and validation documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-39.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-39.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability implementing underlying hardware separation mechanisms for process separation"}]}]},{"id":"sc-39.2","class":"SP800-53-enhancement","title":"Separate Execution Domain Per Thread","params":[{"id":"sc-39.02_odp","props":[{"name":"alt-identifier","value":"sc-39.2_prm_1"},{"name":"label","value":"SC-39(02)_ODP","class":"sp800-53a"}],"label":"multi-threaded processing","guidelines":[{"prose":"multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;"}]}],"props":[{"name":"label","value":"SC-39(2)"},{"name":"label","value":"SC-39(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-39.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-39","rel":"required"}],"parts":[{"id":"sc-39.2_smt","name":"statement","prose":"Maintain a separate execution domain for each thread in {{ insert: param, sc-39.02_odp }}."},{"id":"sc-39.2_gdn","name":"guidance","prose":"None."},{"id":"sc-39.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-39(02)","class":"sp800-53a"}],"prose":"a separate execution domain is maintained for each thread in {{ insert: param, sc-39.02_odp }}.","links":[{"href":"#sc-39.2_smt","rel":"assessment-for"}]},{"id":"sc-39.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-39(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of system execution domains for each thread in multi-threaded processing\n\nsystem documentation for multi-threaded processing\n\nsystem documentation from vendors, manufacturers, or developers\n\nindependent verification and validation documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-39.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-39(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-39.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-39(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System capability implementing a separate execution domain for each thread in multi-threaded processing"}]}]}]},{"id":"sc-40","class":"SP800-53","title":"Wireless Link Protection","params":[{"id":"sc-40_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.03"}],"label":"organization-defined wireless links"},{"id":"sc-40_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sc-40_odp.04"}],"label":"organization-defined types of signal parameter attacks or references to sources for such attacks"},{"id":"sc-40_odp.01","props":[{"name":"label","value":"SC-40_ODP[01]","class":"sp800-53a"}],"label":"wireless links","guidelines":[{"prose":"external wireless links to be protected from particular types of signal parameter attacks are defined;"}]},{"id":"sc-40_odp.02","props":[{"name":"label","value":"SC-40_ODP[02]","class":"sp800-53a"}],"label":"types of signal parameter attacks or references to sources for such attacks","guidelines":[{"prose":"types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined;"}]},{"id":"sc-40_odp.03","props":[{"name":"label","value":"SC-40_ODP[03]","class":"sp800-53a"}],"label":"wireless links","guidelines":[{"prose":"internal wireless links to be protected from particular types of signal parameter attacks are defined;"}]},{"id":"sc-40_odp.04","props":[{"name":"label","value":"SC-40_ODP[04]","class":"sp800-53a"}],"label":"types of signal parameter attacks or references to sources for such attacks","guidelines":[{"prose":"types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined;"}]}],"props":[{"name":"label","value":"SC-40"},{"name":"label","value":"SC-40","class":"sp800-53a"},{"name":"sort-id","value":"sc-40"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-18","rel":"related"},{"href":"#sc-5","rel":"related"}],"parts":[{"id":"sc-40_smt","name":"statement","prose":"Protect external and internal {{ insert: param, sc-40_prm_1 }} from the following signal parameter attacks: {{ insert: param, sc-40_prm_2 }}."},{"id":"sc-40_gdn","name":"guidance","prose":"Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement wireless link protections to the extent necessary to meet organizational security requirements."},{"id":"sc-40_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40","class":"sp800-53a"}],"parts":[{"id":"sc-40_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SC-40[01]","class":"sp800-53a"}],"prose":"external {{ insert: param, sc-40_odp.01 }} are protected from {{ insert: param, sc-40_odp.02 }}.","links":[{"href":"#sc-40_smt","rel":"assessment-for"}]},{"id":"sc-40_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SC-40[02]","class":"sp800-53a"}],"prose":"internal {{ insert: param, sc-40_odp.03 }} are protected from {{ insert: param, sc-40_odp.04 }}.","links":[{"href":"#sc-40_smt","rel":"assessment-for"}]}],"links":[{"href":"#sc-40_smt","rel":"assessment-for"}]},{"id":"sc-40_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of internal and external wireless links\n\nlist of signal parameter attacks or references to sources for attacks\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the protection of wireless links"}]}],"controls":[{"id":"sc-40.1","class":"SP800-53-enhancement","title":"Electromagnetic Interference","params":[{"id":"sc-40.01_odp","props":[{"name":"alt-identifier","value":"sc-40.1_prm_1"},{"name":"label","value":"SC-40(01)_ODP","class":"sp800-53a"}],"label":"level of protection","guidelines":[{"prose":"level of protection to be employed against the effects of intentional electromagnetic interference is defined;"}]}],"props":[{"name":"label","value":"SC-40(1)"},{"name":"label","value":"SC-40(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#pe-21","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.1_smt","name":"statement","prose":"Implement cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference."},{"id":"sc-40.1_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms for electromagnetic interference protects systems against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The implementation of cryptographic mechanisms may also coincidentally mitigate the effects of unintentional jamming due to interference from legitimate transmitters that share the same spectrum. Mission requirements, projected threats, concept of operations, and laws, executive orders, directives, regulations, policies, and standards determine levels of wireless link availability, cryptography needed, and performance."},{"id":"sc-40.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(01)","class":"sp800-53a"}],"prose":"cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference are implemented.","links":[{"href":"#sc-40.1_smt","rel":"assessment-for"}]},{"id":"sc-40.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsecurity categorization results\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing protections against effects of intentional electromagnetic interference"}]}]},{"id":"sc-40.2","class":"SP800-53-enhancement","title":"Reduce Detection Potential","params":[{"id":"sc-40.02_odp","props":[{"name":"alt-identifier","value":"sc-40.2_prm_1"},{"name":"label","value":"SC-40(02)_ODP","class":"sp800-53a"}],"label":"level of reduction","guidelines":[{"prose":"the level of reduction to be achieved to reduce the detection potential of wireless links is defined;"}]}],"props":[{"name":"label","value":"SC-40(2)"},{"name":"label","value":"SC-40(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.2_smt","name":"statement","prose":"Implement cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }}."},{"id":"sc-40.2_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to reduce detection potential is used for covert communications and to protect wireless transmitters from geo-location. It also ensures that the spread spectrum waveforms used to achieve a low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable laws, executive orders, directives, regulations, policies, and standards determine the levels to which wireless links are undetectable."},{"id":"sc-40.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(02)","class":"sp800-53a"}],"prose":"cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }} are implemented.","links":[{"href":"#sc-40.2_smt","rel":"assessment-for"}]},{"id":"sc-40.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing wireless link protection\n\nsystem design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsecurity categorization results\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing protections to reduce the detection of wireless links"}]}]},{"id":"sc-40.3","class":"SP800-53-enhancement","title":"Imitative or Manipulative Communications Deception","props":[{"name":"label","value":"SC-40(3)"},{"name":"label","value":"SC-40(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-40.3_smt","name":"statement","prose":"Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."},{"id":"sc-40.3_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to identify and reject imitative or manipulative communications ensures that the signal parameters of wireless transmissions are not predictable by unauthorized individuals. Such unpredictability reduces the probability of imitative or manipulative communications deception based on signal parameters alone."},{"id":"sc-40.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(03)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.","links":[{"href":"#sc-40.3_smt","rel":"assessment-for"}]},{"id":"sc-40.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing system design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms enforcing wireless link protections against imitative or manipulative communications deception"}]}]},{"id":"sc-40.4","class":"SP800-53-enhancement","title":"Signal Parameter Identification","params":[{"id":"sc-40.04_odp","props":[{"name":"alt-identifier","value":"sc-40.4_prm_1"},{"name":"label","value":"SC-40(04)_ODP","class":"sp800-53a"}],"label":"wireless transmitters","guidelines":[{"prose":"wireless transmitters for which cryptographic mechanisms are to be implemented are defined;"}]}],"props":[{"name":"label","value":"SC-40(4)"},{"name":"label","value":"SC-40(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-40.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-40","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"sc-40.4_smt","name":"statement","prose":"Implement cryptographic mechanisms to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters."},{"id":"sc-40.4_gdn","name":"guidance","prose":"The implementation of cryptographic mechanisms to prevent the identification of wireless transmitters protects against the unique identification of wireless transmitters for the purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. It also provides anonymity when required. Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission or user identification."},{"id":"sc-40.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-40(04)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters.","links":[{"href":"#sc-40.4_smt","rel":"assessment-for"}]},{"id":"sc-40.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-40(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing system design documentation\n\nwireless network diagrams\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem communications hardware and software\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-40.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-40(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel authorizing, installing, configuring, and\/or maintaining internal and external wireless links"}]},{"id":"sc-40.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-40(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms preventing the identification of wireless transmitters"}]}]}]},{"id":"sc-41","class":"SP800-53","title":"Port and I\/O Device Access","params":[{"id":"sc-41_odp.01","props":[{"name":"alt-identifier","value":"sc-41_prm_2"},{"name":"label","value":"SC-41_ODP[01]","class":"sp800-53a"}],"label":"connection ports or input\/output devices","guidelines":[{"prose":"connection ports or input\/output devices to be disabled or removed are defined;"}]},{"id":"sc-41_odp.02","props":[{"name":"alt-identifier","value":"sc-41_prm_1"},{"name":"label","value":"SC-41_ODP[02]","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}},{"id":"sc-41_odp.03","props":[{"name":"alt-identifier","value":"sc-41_prm_3"},{"name":"label","value":"SC-41_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components with connection ports or input\/output devices to be disabled or removed are defined;"}]}],"props":[{"name":"label","value":"SC-41"},{"name":"label","value":"SC-41","class":"sp800-53a"},{"name":"sort-id","value":"sc-41"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#ac-20","rel":"related"},{"href":"#mp-7","rel":"related"}],"parts":[{"id":"sc-41_smt","name":"statement","prose":"{{ insert: param, sc-41_odp.02 }} disable or remove {{ insert: param, sc-41_odp.01 }} on the following systems or system components: {{ insert: param, sc-41_odp.03 }}."},{"id":"sc-41_gdn","name":"guidance","prose":"Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input\/output (I\/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I\/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and\/or devices is the stronger action."},{"id":"sc-41_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-41","class":"sp800-53a"}],"prose":"{{ insert: param, sc-41_odp.01 }} are {{ insert: param, sc-41_odp.02 }} disabled or removed on {{ insert: param, sc-41_odp.03 }}.","links":[{"href":"#sc-41_smt","rel":"assessment-for"}]},{"id":"sc-41_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-41-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing port and input\/output device access\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystems or system components\n\nlist of connection ports or input\/output devices to be physically disabled or removed on systems or system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-41_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-41-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-41_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-41-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the disabling of connection ports or input\/output devices"}]}]},{"id":"sc-42","class":"SP800-53","title":"Sensor Capability and Data","params":[{"id":"sc-42_odp.01","props":[{"name":"alt-identifier","value":"sc-42_prm_1"},{"name":"label","value":"SC-42_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["the use of devices possessing {{ insert: param, sc-42_odp.02 }} in {{ insert: param, sc-42_odp.03 }} ","the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: {{ insert: param, sc-42_odp.04 }} "]}},{"id":"sc-42_odp.02","props":[{"name":"alt-identifier","value":"sc-42_prm_2"},{"name":"label","value":"SC-42_ODP[02]","class":"sp800-53a"}],"label":"environmental sensing capabilities","guidelines":[{"prose":"environmental sensing capabilities in devices are defined (if selected);"}]},{"id":"sc-42_odp.03","props":[{"name":"alt-identifier","value":"sc-42_prm_3"},{"name":"label","value":"SC-42_ODP[03]","class":"sp800-53a"}],"label":"facilities, areas, or systems","guidelines":[{"prose":"facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined (if selected);"}]},{"id":"sc-42_odp.04","props":[{"name":"alt-identifier","value":"sc-42_prm_4"},{"name":"label","value":"SC-42_ODP[04]","class":"sp800-53a"}],"label":"exceptions where remote activation of sensors is allowed","guidelines":[{"prose":"exceptions where remote activation of sensors is allowed are defined (if selected);"}]},{"id":"sc-42_odp.05","props":[{"name":"alt-identifier","value":"sc-42_prm_5"},{"name":"label","value":"SC-42_ODP[05]","class":"sp800-53a"}],"label":"group of users","guidelines":[{"prose":"group of users to whom an explicit indication of sensor use is to be provided is defined;"}]}],"props":[{"name":"label","value":"SC-42"},{"name":"label","value":"SC-42","class":"sp800-53a"},{"name":"sort-id","value":"sc-42"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#sc-15","rel":"related"}],"parts":[{"id":"sc-42_smt","name":"statement","parts":[{"id":"sc-42_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Prohibit {{ insert: param, sc-42_odp.01 }} ; and"},{"id":"sc-42_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide an explicit indication of sensor use to {{ insert: param, sc-42_odp.05 }}."}]},{"id":"sc-42_gdn","name":"guidance","prose":"Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers. While the sensors on mobiles devices provide an important function, if activated covertly, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations are taking place."},{"id":"sc-42_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42","class":"sp800-53a"}],"parts":[{"id":"sc-42_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-42a.","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42_odp.01 }} is\/are prohibited;","links":[{"href":"#sc-42_smt.a","rel":"assessment-for"}]},{"id":"sc-42_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-42b.","class":"sp800-53a"}],"prose":"an explicit indication of sensor use is provided to {{ insert: param, sc-42_odp.05 }}.","links":[{"href":"#sc-42_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-42_smt","rel":"assessment-for"}]},{"id":"sc-42_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor capabilities and data collection\n\naccess control policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing access controls for the remote activation of system sensor capabilities\n\nmechanisms implementing the capability to indicate sensor use"}]}],"controls":[{"id":"sc-42.1","class":"SP800-53-enhancement","title":"Reporting to Authorized Individuals or Roles","params":[{"id":"sc-42.01_odp","props":[{"name":"alt-identifier","value":"sc-42.1_prm_1"},{"name":"alt-identifier","value":"sc-42.2_prm_1"},{"name":"label","value":"SC-42(01)_ODP","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"sensors to be used to collect data or information are defined;"}]}],"props":[{"name":"label","value":"SC-42(1)"},{"name":"label","value":"SC-42(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"}],"parts":[{"id":"sc-42.1_smt","name":"statement","prose":"Verify that the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles."},{"id":"sc-42.1_gdn","name":"guidance","prose":"In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities."},{"id":"sc-42.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(01)","class":"sp800-53a"}],"prose":"the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles.","links":[{"href":"#sc-42.1_smt","rel":"assessment-for"}]},{"id":"sc-42.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\nprocedures addressing sensor capability and data collection\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for the sensor capabilities"}]},{"id":"sc-42.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms restricting the reporting of sensor information to those authorized\n\nsensor data collection and reporting capabilities for the system"}]}]},{"id":"sc-42.2","class":"SP800-53-enhancement","title":"Authorized Use","params":[{"id":"sc-42.02_odp","props":[{"name":"alt-identifier","value":"sc-42.2_prm_2"},{"name":"label","value":"SC-42(02)_ODP","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined;"}]}],"props":[{"name":"label","value":"SC-42(2)"},{"name":"label","value":"SC-42(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#sc-42.1","rel":"required"},{"href":"#pt-2","rel":"related"}],"parts":[{"id":"sc-42.2_smt","name":"statement","prose":"Employ the following measures so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes: {{ insert: param, sc-42.02_odp }}."},{"id":"sc-42.2_gdn","name":"guidance","prose":"Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track the movements of individuals. Measures to mitigate such activities include additional training to help ensure that authorized individuals do not abuse their authority and, in the case where sensor data is maintained by external parties, contractual restrictions on the use of such data."},{"id":"sc-42.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42.02_odp }} are employed so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes.","links":[{"href":"#sc-42.2_smt","rel":"assessment-for"}]},{"id":"sc-42.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nlist of measures to be employed to that the ensure data or information collected by sensors is only used for authorized purposes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to ensure that sensor information is only used for authorized purposes\n\nsensor information collection capability for the system"}]}]},{"id":"sc-42.3","class":"SP800-53-enhancement","title":"Prohibit Use of Devices","props":[{"name":"label","value":"SC-42(3)"},{"name":"label","value":"SC-42(03)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sc-42","rel":"incorporated-into"}]},{"id":"sc-42.4","class":"SP800-53-enhancement","title":"Notice of Collection","params":[{"id":"sc-42.04_odp.01","props":[{"name":"alt-identifier","value":"sc-42.4_prm_2"},{"name":"label","value":"SC-42(04)_ODP[01]","class":"sp800-53a"}],"label":"measures","guidelines":[{"prose":"measures to facilitate an individual’s awareness that personally identifiable information is being collected are defined;"}]},{"id":"sc-42.04_odp.02","props":[{"name":"alt-identifier","value":"sc-42.4_prm_1"},{"name":"label","value":"SC-42(04)_ODP[02]","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"sensors that collect personally identifiable information are defined;"}]}],"props":[{"name":"label","value":"SC-42(4)"},{"name":"label","value":"SC-42(04)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#pt-1","rel":"related"},{"href":"#pt-4","rel":"related"},{"href":"#pt-5","rel":"related"}],"parts":[{"id":"sc-42.4_smt","name":"statement","prose":"Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }}: {{ insert: param, sc-42.04_odp.01 }}."},{"id":"sc-42.4_gdn","name":"guidance","prose":"Awareness that organizational sensors are collecting data enables individuals to more effectively engage in managing their privacy. Measures can include conventional written notices and sensor configurations that make individuals directly or indirectly aware through other devices that the sensor is collecting information. The usability and efficacy of the notice are important considerations."},{"id":"sc-42.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(04)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-42.04_odp.01 }} are employed to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }} ","links":[{"href":"#sc-42.4_smt","rel":"assessment-for"}]},{"id":"sc-42.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprivacy risk assessment documentation\n\nprivacy impact assessments\n\nsystem architecture\n\nlist of measures to be employed to ensure that individuals are aware that personally identifiable information is being collected by sensors\n\nexamples of notifications provided to individuals that personally identifiable information is being collected by sensors\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to facilitate an individual’s awareness that personally identifiable information is being collected by sensors\n\nsensor information collection capabilities for the system"}]}]},{"id":"sc-42.5","class":"SP800-53-enhancement","title":"Collection Minimization","params":[{"id":"sc-42.05_odp","props":[{"name":"alt-identifier","value":"sc-42.5_prm_1"},{"name":"label","value":"SC-42(05)_ODP","class":"sp800-53a"}],"label":"sensors","guidelines":[{"prose":"the sensors that are configured to minimize the collection of unneeded information about individuals are defined;"}]}],"props":[{"name":"label","value":"SC-42(5)"},{"name":"label","value":"SC-42(05)","class":"sp800-53a"},{"name":"sort-id","value":"sc-42.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#sc-42","rel":"required"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sc-42.5_smt","name":"statement","prose":"Employ {{ insert: param, sc-42.05_odp }} that are configured to minimize the collection of information about individuals that is not needed."},{"id":"sc-42.5_gdn","name":"guidance","prose":"Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones."},{"id":"sc-42.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-42(05)","class":"sp800-53a"}],"prose":"the {{ insert: param, sc-42.05_odp }} configured to minimize the collection of information about individuals that is not needed are employed.","links":[{"href":"#sc-42.5_smt","rel":"assessment-for"}]},{"id":"sc-42.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-42(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\naccess control policy and procedures\n\npersonally identifiable information processing policy\n\nsensor capability and data collection policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprivacy risk assessment documentation\n\nprivacy impact assessments\n\nsystem architecture\n\nlist of information being collected by sensors\n\nlist of sensor configurations that minimize the collection of personally identifiable information (e.g., obscure human features)\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sc-42.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-42(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for sensor capabilities"}]},{"id":"sc-42.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-42(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing measures to facilitate the review of information that is being collected by sensors\n\nsensor information collection capabilities for the system"}]}]}]},{"id":"sc-43","class":"SP800-53","title":"Usage Restrictions","params":[{"id":"sc-43_odp","props":[{"name":"alt-identifier","value":"sc-43_prm_1"},{"name":"alt-label","value":"system components","class":"sp800-53"},{"name":"label","value":"SC-43_ODP","class":"sp800-53a"}],"label":"components","guidelines":[{"prose":"the components for which usage restrictions and implementation guidance are to be established are defined;"}]}],"props":[{"name":"label","value":"SC-43"},{"name":"label","value":"SC-43","class":"sp800-53a"},{"name":"sort-id","value":"sc-43"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#0f66be67-85e7-4ca6-bd19-39453e9f4394","rel":"reference"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"}],"parts":[{"id":"sc-43_smt","name":"statement","parts":[{"id":"sc-43_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish usage restrictions and implementation guidelines for the following system components: {{ insert: param, sc-43_odp }} ; and"},{"id":"sc-43_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Authorize, monitor, and control the use of such components within the system."}]},{"id":"sc-43_gdn","name":"guidance","prose":"Usage restrictions apply to all system components including but not limited to mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs."},{"id":"sc-43_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-43","class":"sp800-53a"}],"parts":[{"id":"sc-43_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-43a.","class":"sp800-53a"}],"prose":"usage restrictions and implementation guidelines are established for {{ insert: param, sc-43_odp }};","links":[{"href":"#sc-43_smt.a","rel":"assessment-for"}]},{"id":"sc-43_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.","class":"sp800-53a"}],"parts":[{"id":"sc-43_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[01]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is authorized within the system;","links":[{"href":"#sc-43_smt.b","rel":"assessment-for"}]},{"id":"sc-43_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[02]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is monitored within the system;","links":[{"href":"#sc-43_smt.b","rel":"assessment-for"}]},{"id":"sc-43_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SC-43b.[03]","class":"sp800-53a"}],"prose":"the use of {{ insert: param, sc-43_odp }} is controlled within the system.","links":[{"href":"#sc-43_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-43_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-43_smt","rel":"assessment-for"}]},{"id":"sc-43_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-43-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nusage restrictions\n\nprocedures addressing usage restrictions\n\nimplementation policy and procedures\n\nauthorization records\n\nsystem monitoring records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-43_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-43-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-43_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-43-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for authorizing, monitoring, and controlling the use of components with usage restrictions\n\nmechanisms supporting and\/or implementing, authorizing, monitoring, and controlling the use of components with usage restrictions"}]}]},{"id":"sc-44","class":"SP800-53","title":"Detonation Chambers","params":[{"id":"sc-44_odp","props":[{"name":"alt-identifier","value":"sc-44_prm_1"},{"name":"label","value":"SC-44_ODP","class":"sp800-53a"}],"label":"system, system component, or location","guidelines":[{"prose":"the system, system component, or location where a detonation chamber capability is to be employed is defined;"}]}],"props":[{"name":"label","value":"SC-44"},{"name":"label","value":"SC-44","class":"sp800-53a"},{"name":"sort-id","value":"sc-44"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-25","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-39","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sc-44_smt","name":"statement","prose":"Employ a detonation chamber capability within {{ insert: param, sc-44_odp }}."},{"id":"sc-44_gdn","name":"guidance","prose":"Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely."},{"id":"sc-44_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-44","class":"sp800-53a"}],"prose":"a detonation chamber capability is employed within the {{ insert: param, sc-44_odp }}.","links":[{"href":"#sc-44_smt","rel":"assessment-for"}]},{"id":"sc-44_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-44-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing detonation chambers\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-44_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-44-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-44_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-44-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the detonation chamber capability"}]}]},{"id":"sc-45","class":"SP800-53","title":"System Time Synchronization","props":[{"name":"label","value":"SC-45"},{"name":"label","value":"SC-45","class":"sp800-53a"},{"name":"sort-id","value":"sc-45"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e4d37285-1e79-4029-8b6a-42df39cace30","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#au-8","rel":"related"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"}],"parts":[{"id":"sc-45_smt","name":"statement","prose":"Synchronize system clocks within and between systems and system components."},{"id":"sc-45_gdn","name":"guidance","prose":"Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities."},{"id":"sc-45_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45","class":"sp800-53a"}],"prose":"system clocks are synchronized within and between systems and system components.","links":[{"href":"#sc-45_smt","rel":"assessment-for"}]},{"id":"sc-45_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization"}]}],"controls":[{"id":"sc-45.1","class":"SP800-53-enhancement","title":"Synchronization with Authoritative Time Source","params":[{"id":"sc-45.01_odp.01","props":[{"name":"alt-identifier","value":"sc-45.1_prm_1"},{"name":"label","value":"SC-45(01)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to compare the internal system clocks with the authoritative time source is defined;"}]},{"id":"sc-45.01_odp.02","props":[{"name":"alt-identifier","value":"sc-45.1_prm_2"},{"name":"label","value":"SC-45(01)_ODP[02]","class":"sp800-53a"}],"label":"authoritative time source","guidelines":[{"prose":"the authoritative time source to which internal system clocks are to be compared is defined;"}]},{"id":"sc-45.01_odp.03","props":[{"name":"alt-identifier","value":"sc-45.1_prm_3"},{"name":"label","value":"SC-45(01)_ODP[03]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period to compare the internal system clocks with the authoritative time source is defined;"}]}],"props":[{"name":"label","value":"SC-45(1)"},{"name":"label","value":"SC-45(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-45.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-45","rel":"required"}],"parts":[{"id":"sc-45.1_smt","name":"statement","parts":[{"id":"sc-45.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and"},{"id":"sc-45.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}."}]},{"id":"sc-45.1_gdn","name":"guidance","prose":"Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network."},{"id":"sc-45.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)","class":"sp800-53a"}],"parts":[{"id":"sc-45.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)(a)","class":"sp800-53a"}],"prose":"the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};","links":[{"href":"#sc-45.1_smt.a","rel":"assessment-for"}]},{"id":"sc-45.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-45(01)(b)","class":"sp800-53a"}],"prose":"the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.","links":[{"href":"#sc-45.1_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-45.1_smt","rel":"assessment-for"}]},{"id":"sc-45.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization"}]}]},{"id":"sc-45.2","class":"SP800-53-enhancement","title":"Secondary Authoritative Time Source","props":[{"name":"label","value":"SC-45(2)"},{"name":"label","value":"SC-45(02)","class":"sp800-53a"},{"name":"sort-id","value":"sc-45.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-45","rel":"required"}],"parts":[{"id":"sc-45.2_smt","name":"statement","parts":[{"id":"sc-45.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and"},{"id":"sc-45.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable."}]},{"id":"sc-45.2_gdn","name":"guidance","prose":"It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region."},{"id":"sc-45.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)","class":"sp800-53a"}],"parts":[{"id":"sc-45.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)(a)","class":"sp800-53a"}],"prose":"a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;","links":[{"href":"#sc-45.2_smt.a","rel":"assessment-for"}]},{"id":"sc-45.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-45(02)(b)","class":"sp800-53a"}],"prose":"the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.","links":[{"href":"#sc-45.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-45.2_smt","rel":"assessment-for"}]},{"id":"sc-45.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-45(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing time synchronization\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-45.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-45(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-45.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-45(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing system time synchronization with secondary authoritative time sources"}]}]}]},{"id":"sc-46","class":"SP800-53","title":"Cross Domain Policy Enforcement","params":[{"id":"sc-46_odp","props":[{"name":"alt-identifier","value":"sc-46_prm_1"},{"name":"label","value":"SC-46_ODP","class":"sp800-53a"}],"select":{"choice":["physically","logically"]}}],"props":[{"name":"label","value":"SC-46"},{"name":"label","value":"SC-46","class":"sp800-53a"},{"name":"sort-id","value":"sc-46"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#sc-7","rel":"related"}],"parts":[{"id":"sc-46_smt","name":"statement","prose":"Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and\/or network interfaces for the connecting security domains."},{"id":"sc-46_gdn","name":"guidance","prose":"For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information."},{"id":"sc-46_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-46","class":"sp800-53a"}],"prose":"a policy enforcement mechanism is {{ insert: param, sc-46_odp }} implemented between the physical and\/or network interfaces for the connecting security domains.","links":[{"href":"#sc-46_smt","rel":"assessment-for"}]},{"id":"sc-46_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-46-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-46_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-46-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-46_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-46-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing cross-domain policy enforcement"}]}]},{"id":"sc-47","class":"SP800-53","title":"Alternate Communications Paths","params":[{"id":"sc-47_odp","props":[{"name":"alt-identifier","value":"sc-47_prm_1"},{"name":"alt-label","value":"alternate communications paths","class":"sp800-53"},{"name":"label","value":"SC-47_ODP","class":"sp800-53a"}],"label":"alternate communication paths","guidelines":[{"prose":"alternate communication paths for system operations and operational command and control are defined;"}]}],"props":[{"name":"label","value":"SC-47"},{"name":"label","value":"SC-47","class":"sp800-53a"},{"name":"sort-id","value":"sc-47"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#bc39f179-c735-4da2-b7a7-b2b622119755","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#cp-2","rel":"related"},{"href":"#cp-8","rel":"related"}],"parts":[{"id":"sc-47_smt","name":"statement","prose":"Establish {{ insert: param, sc-47_odp }} for system operations organizational command and control."},{"id":"sc-47_gdn","name":"guidance","prose":"An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident."},{"id":"sc-47_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-47","class":"sp800-53a"}],"prose":"{{ insert: param, sc-47_odp }} are established for system operations and operational command and control.","links":[{"href":"#sc-47_smt","rel":"assessment-for"}]},{"id":"sc-47_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-47-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing communication paths\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-47_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-47-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers"}]},{"id":"sc-47_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-47-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing alternate communication paths for system operations"}]}]},{"id":"sc-48","class":"SP800-53","title":"Sensor Relocation","params":[{"id":"sc-48_odp.01","props":[{"name":"alt-identifier","value":"sc-48_prm_1"},{"name":"label","value":"SC-48_ODP[01]","class":"sp800-53a"}],"label":"sensors and monitoring capabilities","guidelines":[{"prose":"sensors and monitoring capabilities to be relocated are defined;"}]},{"id":"sc-48_odp.02","props":[{"name":"alt-identifier","value":"sc-48_prm_2"},{"name":"label","value":"SC-48_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to where sensors and monitoring capabilities are to be relocated are defined;"}]},{"id":"sc-48_odp.03","props":[{"name":"alt-identifier","value":"sc-48_prm_3"},{"name":"label","value":"SC-48_ODP[03]","class":"sp800-53a"}],"label":"conditions or circumstances","guidelines":[{"prose":"conditions or circumstances for relocating sensors and monitoring capabilities are defined;"}]}],"props":[{"name":"label","value":"SC-48"},{"name":"label","value":"SC-48","class":"sp800-53a"},{"name":"sort-id","value":"sc-48"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-2","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sc-48_smt","name":"statement","prose":"Relocate {{ insert: param, sc-48_odp.01 }} to {{ insert: param, sc-48_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48_odp.03 }}."},{"id":"sc-48_gdn","name":"guidance","prose":"Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging."},{"id":"sc-48_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-48","class":"sp800-53a"}],"prose":"{{ insert: param, sc-48_odp.01 }} are relocated to {{ insert: param, sc-48_odp.02 }} under {{ insert: param, sc-48_odp.03 }}.","links":[{"href":"#sc-48_smt","rel":"assessment-for"}]},{"id":"sc-48_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-48-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor and monitoring capability relocation\n\nlist of sensors\/monitoring capabilities to be relocated\n\nchange control records\n\nconfiguration management records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-48_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-48-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-48_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-48-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing sensor relocation"}]}],"controls":[{"id":"sc-48.1","class":"SP800-53-enhancement","title":"Dynamic Relocation of Sensors or Monitoring Capabilities","params":[{"id":"sc-48.01_odp.01","props":[{"name":"alt-identifier","value":"sc-48.1_prm_1"},{"name":"label","value":"SC-48(01)_ODP[01]","class":"sp800-53a"}],"label":"sensors and monitoring capabilities","guidelines":[{"prose":"sensors and monitoring capabilities to be dynamically relocated are defined;"}]},{"id":"sc-48.01_odp.02","props":[{"name":"alt-identifier","value":"sc-48.1_prm_2"},{"name":"label","value":"SC-48(01)_ODP[02]","class":"sp800-53a"}],"label":"locations","guidelines":[{"prose":"locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;"}]},{"id":"sc-48.01_odp.03","props":[{"name":"alt-identifier","value":"sc-48.1_prm_3"},{"name":"label","value":"SC-48(01)_ODP[03]","class":"sp800-53a"}],"label":"conditions or circumstances","guidelines":[{"prose":"conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;"}]}],"props":[{"name":"label","value":"SC-48(1)"},{"name":"label","value":"SC-48(01)","class":"sp800-53a"},{"name":"sort-id","value":"sc-48.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#sc-48","rel":"required"}],"parts":[{"id":"sc-48.1_smt","name":"statement","prose":"Dynamically relocate {{ insert: param, sc-48.01_odp.01 }} to {{ insert: param, sc-48.01_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48.01_odp.03 }}."},{"id":"sc-48.1_gdn","name":"guidance","prose":"None."},{"id":"sc-48.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-48(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sc-48.01_odp.01 }} are dynamically relocated to {{ insert: param, sc-48.01_odp.02 }} under {{ insert: param, sc-48.01_odp.03 }}.","links":[{"href":"#sc-48.1_smt","rel":"assessment-for"}]},{"id":"sc-48.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-48(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing sensor and monitoring capability relocation\n\nlist of sensors\/monitoring capabilities to be relocated\n\nchange control records\n\nconfiguration management records\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-48.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-48(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-48.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-48(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"SELECT FROM: Mechanisms supporting and\/or implementing sensor relocation"}]}]}]},{"id":"sc-49","class":"SP800-53","title":"Hardware-enforced Separation and Policy Enforcement","params":[{"id":"sc-49_odp","props":[{"name":"alt-identifier","value":"sc-49_prm_1"},{"name":"label","value":"SC-49_ODP","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-49"},{"name":"label","value":"SC-49","class":"sp800-53a"},{"name":"sort-id","value":"sc-49"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-50","rel":"related"}],"parts":[{"id":"sc-49_smt","name":"statement","prose":"Implement hardware-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-49_odp }}."},{"id":"sc-49_gdn","name":"guidance","prose":"System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement."},{"id":"sc-49_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-49","class":"sp800-53a"}],"prose":"hardware-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-49_odp }}.","links":[{"href":"#sc-49_smt","rel":"assessment-for"}]},{"id":"sc-49_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-49-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-49_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-49-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-49_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-49-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing hardware-enforced security domain separation and policy enforcement"}]}]},{"id":"sc-50","class":"SP800-53","title":"Software-enforced Separation and Policy Enforcement","params":[{"id":"sc-50_odp","props":[{"name":"alt-identifier","value":"sc-50_prm_1"},{"name":"label","value":"SC-50_ODP","class":"sp800-53a"}],"label":"security domains","guidelines":[{"prose":"security domains requiring software-enforced separation and policy enforcement mechanisms are defined;"}]}],"props":[{"name":"label","value":"SC-50"},{"name":"label","value":"SC-50","class":"sp800-53a"},{"name":"sort-id","value":"sc-50"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-2","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#sc-49","rel":"related"}],"parts":[{"id":"sc-50_smt","name":"statement","prose":"Implement software-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-50_odp }}."},{"id":"sc-50_gdn","name":"guidance","prose":"System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation."},{"id":"sc-50_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-50","class":"sp800-53a"}],"prose":"software-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-50_odp }}.","links":[{"href":"#sc-50_smt","rel":"assessment-for"}]},{"id":"sc-50_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-50-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing cross-domain policy enforcement\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-50_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-50-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system"}]},{"id":"sc-50_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-50-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing software-enforced separation and policy enforcement"}]}]},{"id":"sc-51","class":"SP800-53","title":"Hardware-based Protection","params":[{"id":"sc-51_odp.01","props":[{"name":"alt-identifier","value":"sc-51_prm_1"},{"name":"label","value":"SC-51_ODP[01]","class":"sp800-53a"}],"label":"system firmware components","guidelines":[{"prose":"system firmware components requiring hardware-based write-protect are defined;"}]},{"id":"sc-51_odp.02","props":[{"name":"alt-identifier","value":"sc-51_prm_2"},{"name":"label","value":"SC-51_ODP[02]","class":"sp800-53a"}],"label":"authorized individuals","guidelines":[{"prose":"authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;"}]}],"props":[{"name":"label","value":"SC-51"},{"name":"label","value":"SC-51","class":"sp800-53a"},{"name":"sort-id","value":"sc-51"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"parts":[{"id":"sc-51_smt","name":"statement","parts":[{"id":"sc-51_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and"},{"id":"sc-51_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode."}]},{"id":"sc-51_gdn","name":"guidance","prose":"None."},{"id":"sc-51_obj","name":"assessment-objective","props":[{"name":"label","value":"SC-51","class":"sp800-53a"}],"parts":[{"id":"sc-51_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SC-51a.","class":"sp800-53a"}],"prose":"hardware-based write-protect for {{ insert: param, sc-51_odp.01 }} is employed;","links":[{"href":"#sc-51_smt.a","rel":"assessment-for"}]},{"id":"sc-51_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.","class":"sp800-53a"}],"parts":[{"id":"sc-51_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.[01]","class":"sp800-53a"}],"prose":"specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications;","links":[{"href":"#sc-51_smt.b","rel":"assessment-for"}]},{"id":"sc-51_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SC-51b.[02]","class":"sp800-53a"}],"prose":"specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to re-enable the write-protect prior to returning to operational mode.","links":[{"href":"#sc-51_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-51_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sc-51_smt","rel":"assessment-for"}]},{"id":"sc-51_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SC-51-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and communications protection policy\n\nprocedures addressing firmware modifications\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem architecture\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sc-51_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SC-51-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\nsystem developers\/integrators"}]},{"id":"sc-51_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SC-51-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for modifying system firmware\n\nmechanisms supporting and\/or implementing hardware-based write-protection for system firmware"}]}]}]},{"id":"si","class":"family","title":"System and Information Integrity","controls":[{"id":"si-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"si-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"si-01_odp.01","props":[{"name":"label","value":"SI-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity policy is to be disseminated is\/are defined;"}]},{"id":"si-01_odp.02","props":[{"name":"label","value":"SI-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom the system and information integrity procedures are to be disseminated is\/are defined;"}]},{"id":"si-01_odp.03","props":[{"name":"alt-identifier","value":"si-1_prm_2"},{"name":"label","value":"SI-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"si-01_odp.04","props":[{"name":"alt-identifier","value":"si-1_prm_3"},{"name":"label","value":"SI-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the system and information integrity policy and procedures is defined;"}]},{"id":"si-01_odp.05","props":[{"name":"alt-identifier","value":"si-1_prm_4"},{"name":"label","value":"SI-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity policy is reviewed and updated is defined;"}]},{"id":"si-01_odp.06","props":[{"name":"alt-identifier","value":"si-1_prm_5"},{"name":"label","value":"SI-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the current system and information integrity policy to be reviewed and updated are defined;"}]},{"id":"si-01_odp.07","props":[{"name":"alt-identifier","value":"si-1_prm_6"},{"name":"label","value":"SI-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current system and information integrity procedures are reviewed and updated is defined;"}]},{"id":"si-01_odp.08","props":[{"name":"alt-identifier","value":"si-1_prm_7"},{"name":"label","value":"SI-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that would require the system and information integrity procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SI-1"},{"name":"label","value":"SI-01","class":"sp800-53a"},{"name":"sort-id","value":"si-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-1_smt","name":"statement","parts":[{"id":"si-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, si-1_prm_1 }}:","parts":[{"id":"si-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, si-01_odp.03 }} system and information integrity policy that:","parts":[{"id":"si-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"si-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"si-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;"}]},{"id":"si-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, si-01_odp.04 }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and"},{"id":"si-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current system and information integrity:","parts":[{"id":"si-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, si-01_odp.05 }} and following {{ insert: param, si-01_odp.06 }} ; and"},{"id":"si-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, si-01_odp.07 }} and following {{ insert: param, si-01_odp.08 }}."}]}]},{"id":"si-1_gdn","name":"guidance","prose":"System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"si-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[01]","class":"sp800-53a"}],"prose":"a system and information integrity policy is developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[02]","class":"sp800-53a"}],"prose":"the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[03]","class":"sp800-53a"}],"prose":"system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.[04]","class":"sp800-53a"}],"prose":"the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};","links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[03]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;","links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"si-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#si-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.a","rel":"assessment-for"}]},{"id":"si-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;","links":[{"href":"#si-1_smt.b","rel":"assessment-for"}]},{"id":"si-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[01]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.01[02]","class":"sp800-53a"}],"prose":"the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};","links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.1","rel":"assessment-for"}]},{"id":"si-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02","class":"sp800-53a"}],"parts":[{"id":"si-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[01]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]},{"id":"si-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-01c.02[02]","class":"sp800-53a"}],"prose":"the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.","links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-1_smt","rel":"assessment-for"}]},{"id":"si-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and information integrity responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]}]},{"id":"si-2","class":"SP800-53","title":"Flaw Remediation","params":[{"id":"si-02_odp","props":[{"name":"alt-identifier","value":"si-2_prm_1"},{"name":"label","value":"SI-02_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period within which to install security-relevant software updates after the release of the updates is defined;"}]}],"props":[{"name":"label","value":"SI-2"},{"name":"label","value":"SI-02","class":"sp800-53a"},{"name":"sort-id","value":"si-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#20db4e66-e257-450c-b2e4-2bb9a62a2c88","rel":"reference"},{"href":"#aa5d04e0-6090-4e17-84d4-b9963d55fc2c","rel":"reference"},{"href":"#ca-5","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-5","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-2_smt","name":"statement","parts":[{"id":"si-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify, report, and correct system flaws;"},{"id":"si-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;"},{"id":"si-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Install security-relevant software and firmware updates within {{ insert: param, si-02_odp }} of the release of the updates; and"},{"id":"si-2_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Incorporate flaw remediation into the organizational configuration management process."}]},{"id":"si-2_gdn","name":"guidance","prose":"The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.\n\nOrganization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures."},{"id":"si-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[01]","class":"sp800-53a"}],"prose":"system flaws are identified;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[02]","class":"sp800-53a"}],"prose":"system flaws are reported;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02a.[03]","class":"sp800-53a"}],"prose":"system flaws are corrected;","links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.a","rel":"assessment-for"}]},{"id":"si-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[01]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[02]","class":"sp800-53a"}],"prose":"software updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[03]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for effectiveness before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.b-4","name":"assessment-objective","props":[{"name":"label","value":"SI-02b.[04]","class":"sp800-53a"}],"prose":"firmware updates related to flaw remediation are tested for potential side effects before installation;","links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.b","rel":"assessment-for"}]},{"id":"si-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.","class":"sp800-53a"}],"parts":[{"id":"si-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[01]","class":"sp800-53a"}],"prose":"security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-02c.[02]","class":"sp800-53a"}],"prose":"security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;","links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt.c","rel":"assessment-for"}]},{"id":"si-2_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-02d.","class":"sp800-53a"}],"prose":"flaw remediation is incorporated into the organizational configuration management process.","links":[{"href":"#si-2_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-2_smt","rel":"assessment-for"}]},{"id":"si-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nprocedures addressing configuration management\n\nlist of flaws and vulnerabilities potentially affecting the system\n\nlist of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)\n\ntest results from the installation of software and firmware updates to correct system flaws\n\ninstallation\/change control records for security-relevant software and firmware updates\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel responsible for installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\norganizational process for installing software and firmware updates\n\nmechanisms supporting and\/or implementing the reporting and correcting of system flaws\n\nmechanisms supporting and\/or implementing testing software and firmware updates"}]}],"controls":[{"id":"si-2.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-2(1)"},{"name":"label","value":"SI-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-2.2","class":"SP800-53-enhancement","title":"Automated Flaw Remediation Status","params":[{"id":"si-02.02_odp.01","props":[{"name":"alt-identifier","value":"si-2.2_prm_1"},{"name":"label","value":"SI-02(02)_ODP[01]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;"}]},{"id":"si-02.02_odp.02","props":[{"name":"alt-identifier","value":"si-2.2_prm_2"},{"name":"label","value":"SI-02(02)_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;"}]}],"props":[{"name":"label","value":"SI-2(2)"},{"name":"label","value":"SI-02(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"},{"href":"#ca-7","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-2.2_smt","name":"statement","prose":"Determine if system components have applicable security-relevant software and firmware updates installed using {{ insert: param, si-02.02_odp.01 }} {{ insert: param, si-02.02_odp.02 }}."},{"id":"si-2.2_gdn","name":"guidance","prose":"Automated mechanisms can track and determine the status of known flaws for system components."},{"id":"si-2.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(02)","class":"sp800-53a"}],"prose":"system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.","links":[{"href":"#si-2.2_smt","rel":"assessment-for"}]},{"id":"si-2.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nautomated mechanisms supporting centralized management of flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms used to determine the state of system components with regard to flaw remediation"}]}]},{"id":"si-2.3","class":"SP800-53-enhancement","title":"Time to Remediate Flaws and Benchmarks for Corrective Actions","params":[{"id":"si-02.03_odp","props":[{"name":"alt-identifier","value":"si-2.3_prm_1"},{"name":"label","value":"SI-02(03)_ODP","class":"sp800-53a"}],"label":"benchmarks","guidelines":[{"prose":"the benchmarks for taking corrective actions are defined;"}]}],"props":[{"name":"label","value":"SI-2(3)"},{"name":"label","value":"SI-02(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.3_smt","name":"statement","parts":[{"id":"si-2.3_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Measure the time between flaw identification and flaw remediation; and"},{"id":"si-2.3_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Establish the following benchmarks for taking corrective actions: {{ insert: param, si-02.03_odp }}."}]},{"id":"si-2.3_gdn","name":"guidance","prose":"Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited."},{"id":"si-2.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)","class":"sp800-53a"}],"parts":[{"id":"si-2.3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)(a)","class":"sp800-53a"}],"prose":"the time between flaw identification and flaw remediation is measured;","links":[{"href":"#si-2.3_smt.a","rel":"assessment-for"}]},{"id":"si-2.3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-02(03)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-02.03_odp }} for taking corrective actions have been established.","links":[{"href":"#si-2.3_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-2.3_smt","rel":"assessment-for"}]},{"id":"si-2.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of benchmarks for taking corrective action on identified flaws\n\nrecords that provide timestamps of flaw identification and subsequent flaw remediation activities\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying, reporting, and correcting system flaws\n\nmechanisms used to measure the time between flaw identification and flaw remediation"}]}]},{"id":"si-2.4","class":"SP800-53-enhancement","title":"Automated Patch Management Tools","params":[{"id":"si-02.04_odp","props":[{"name":"alt-identifier","value":"si-2.4_prm_1"},{"name":"alt-label","value":"system components","class":"sp800-53"},{"name":"label","value":"SI-02(04)_ODP","class":"sp800-53a"}],"label":"components","guidelines":[{"prose":"the system components requiring automated patch management tools to facilitate flaw remediation are defined;"}]}],"props":[{"name":"label","value":"SI-2(4)"},{"name":"label","value":"SI-02(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.4_smt","name":"statement","prose":"Employ automated patch management tools to facilitate flaw remediation to the following system components: {{ insert: param, si-02.04_odp }}."},{"id":"si-2.4_gdn","name":"guidance","prose":"Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations."},{"id":"si-2.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(04)","class":"sp800-53a"}],"prose":"automated patch management tools are employed to facilitate flaw remediation to {{ insert: param, si-02.04_odp }}.","links":[{"href":"#si-2.4_smt","rel":"assessment-for"}]},{"id":"si-2.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation and automatic software\/firmware updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of system flaws\n\nrecords of recent security-relevant software and firmware updates that are automatically installed to system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated patch management tools\n\nmechanisms implementing automatic software\/firmware updates\n\nmechanisms facilitating flaw remediation to system components"}]}]},{"id":"si-2.5","class":"SP800-53-enhancement","title":"Automatic Software and Firmware Updates","params":[{"id":"si-02.05_odp.01","props":[{"name":"alt-identifier","value":"si-2.5_prm_1"},{"name":"label","value":"SI-02(05)_ODP[01]","class":"sp800-53a"}],"label":"security-relevant software and firmware updates","guidelines":[{"prose":"security-relevant software and firmware updates to be automatically installed to system components are defined;"}]},{"id":"si-02.05_odp.02","props":[{"name":"alt-identifier","value":"si-2.5_prm_2"},{"name":"label","value":"SI-02(05)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring security-relevant software updates to be automatically installed are defined;"}]}],"props":[{"name":"label","value":"SI-2(5)"},{"name":"label","value":"SI-02(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.5_smt","name":"statement","prose":"Install {{ insert: param, si-02.05_odp.01 }} automatically to {{ insert: param, si-02.05_odp.02 }}."},{"id":"si-2.5_gdn","name":"guidance","prose":"Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose."},{"id":"si-2.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-02.05_odp.01 }} are installed automatically to {{ insert: param, si-02.05_odp.02 }}.","links":[{"href":"#si-2.5_smt","rel":"assessment-for"}]},{"id":"si-2.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation and automatic software\/firmware updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of recent security-relevant software and firmware updates automatically installed to system components\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms implementing automatic software\/firmware updates"}]}]},{"id":"si-2.6","class":"SP800-53-enhancement","title":"Removal of Previous Versions of Software and Firmware","params":[{"id":"si-02.06_odp","props":[{"name":"alt-identifier","value":"si-2.6_prm_1"},{"name":"label","value":"SI-02(06)_ODP","class":"sp800-53a"}],"label":"software and firmware components","guidelines":[{"prose":"software and firmware components to be removed after updated versions have been installed are defined;"}]}],"props":[{"name":"label","value":"SI-2(6)"},{"name":"label","value":"SI-02(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-02.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-2","rel":"required"}],"parts":[{"id":"si-2.6_smt","name":"statement","prose":"Remove previous versions of {{ insert: param, si-02.06_odp }} after updated versions have been installed."},{"id":"si-2.6_gdn","name":"guidance","prose":"Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system."},{"id":"si-2.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-02(06)","class":"sp800-53a"}],"prose":"previous versions of {{ insert: param, si-02.06_odp }} are removed after updated versions have been installed.","links":[{"href":"#si-2.6_smt","rel":"assessment-for"}]},{"id":"si-2.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-02(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing flaw remediation\n\nmechanisms supporting flaw remediation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nrecords of software and firmware component removals after updated versions are installed\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-2.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-02(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for flaw remediation"}]},{"id":"si-2.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-02(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the removal of previous versions of software\/firmware"}]}]}]},{"id":"si-3","class":"SP800-53","title":"Malicious Code Protection","params":[{"id":"si-03_odp.01","props":[{"name":"alt-identifier","value":"si-3_prm_1"},{"name":"label","value":"SI-03_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["signature-based","non-signature-based"]}},{"id":"si-03_odp.02","props":[{"name":"alt-identifier","value":"si-3_prm_2"},{"name":"label","value":"SI-03_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which malicious code protection mechanisms perform scans is defined;"}]},{"id":"si-03_odp.03","props":[{"name":"alt-identifier","value":"si-3_prm_3"},{"name":"label","value":"SI-03_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["endpoint","network entry and exit points"]}},{"id":"si-03_odp.04","props":[{"name":"alt-identifier","value":"si-3_prm_4"},{"name":"label","value":"SI-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["block malicious code","quarantine malicious code","take {{ insert: param, si-03_odp.05 }} "]}},{"id":"si-03_odp.05","props":[{"name":"alt-identifier","value":"si-3_prm_5"},{"name":"label","value":"SI-03_ODP[05]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken in response to malicious code detection are defined (if selected);"}]},{"id":"si-03_odp.06","props":[{"name":"alt-identifier","value":"si-3_prm_6"},{"name":"label","value":"SI-03_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when malicious code is detected is\/are defined;"}]}],"props":[{"name":"label","value":"SI-3"},{"name":"label","value":"SI-03","class":"sp800-53a"},{"name":"sort-id","value":"si-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#88660532-2dcf-442e-845c-03340ce48999","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#ac-19","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-23","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-44","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#si-8","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-3_smt","name":"statement","parts":[{"id":"si-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;"},{"id":"si-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;"},{"id":"si-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Configure malicious code protection mechanisms to:","parts":[{"id":"si-3_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and"},{"id":"si-3_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"{{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and"}]},{"id":"si-3_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system."}]},{"id":"si-3_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.\n\nMalicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.\n\nIn situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files."},{"id":"si-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;","links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.a","rel":"assessment-for"}]},{"id":"si-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03b.","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;","links":[{"href":"#si-3_smt.b","rel":"assessment-for"}]},{"id":"si-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.01[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;","links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.1","rel":"assessment-for"}]},{"id":"si-3_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02","class":"sp800-53a"}],"parts":[{"id":"si-3_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[01]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]},{"id":"si-3_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03c.02[02]","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;","links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt.c","rel":"assessment-for"}]},{"id":"si-3_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-03d.","class":"sp800-53a"}],"prose":"the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.","links":[{"href":"#si-3_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-3_smt","rel":"assessment-for"}]},{"id":"si-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policy and procedures\n\nprocedures addressing malicious code protection\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscan results from malicious code protection mechanisms\n\nrecord of actions initiated by malicious code protection mechanisms in response to malicious code detection\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel with configuration management responsibilities"}]},{"id":"si-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing, updating, and configuring malicious code protection mechanisms\n\norganizational processes for addressing false positives and resulting potential impacts\n\nmechanisms supporting and\/or implementing, employing, updating, and configuring malicious code protection mechanisms\n\nmechanisms supporting and\/or implementing malicious code scanning and subsequent actions"}]}],"controls":[{"id":"si-3.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-3(1)"},{"name":"label","value":"SI-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-3.2","class":"SP800-53-enhancement","title":"Automatic Updates","props":[{"name":"label","value":"SI-3(2)"},{"name":"label","value":"SI-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-3","rel":"incorporated-into"}]},{"id":"si-3.3","class":"SP800-53-enhancement","title":"Non-privileged Users","props":[{"name":"label","value":"SI-3(3)"},{"name":"label","value":"SI-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.03"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.10","rel":"incorporated-into"}]},{"id":"si-3.4","class":"SP800-53-enhancement","title":"Updates Only by Privileged Users","props":[{"name":"label","value":"SI-3(4)"},{"name":"label","value":"SI-03(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#cm-5","rel":"related"}],"parts":[{"id":"si-3.4_smt","name":"statement","prose":"Update malicious code protection mechanisms only when directed by a privileged user."},{"id":"si-3.4_gdn","name":"guidance","prose":"Protection mechanisms for malicious code are typically categorized as security-related software and, as such, are only updated by organizational personnel with appropriate access privileges."},{"id":"si-3.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(04)","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are updated only when directed by a privileged user.","links":[{"href":"#si-3.4_smt","rel":"assessment-for"}]},{"id":"si-3.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nlist of privileged users on system\n\nsystem design documentation\n\nmalicious code protection mechanisms\n\nrecords of malicious code protection updates\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing malicious code protection capabilities"}]}]},{"id":"si-3.5","class":"SP800-53-enhancement","title":"Portable Storage Devices","props":[{"name":"label","value":"SI-3(5)"},{"name":"label","value":"SI-03(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.05"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#mp-7","rel":"incorporated-into"}]},{"id":"si-3.6","class":"SP800-53-enhancement","title":"Testing and Verification","params":[{"id":"si-03.06_odp","props":[{"name":"alt-identifier","value":"si-3.6_prm_1"},{"name":"label","value":"SI-03(06)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to test malicious code protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-3(6)"},{"name":"label","value":"SI-03(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#ca-2","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"si-3.6_smt","name":"statement","parts":[{"id":"si-3.6_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Test malicious code protection mechanisms {{ insert: param, si-03.06_odp }} by introducing known benign code into the system; and"},{"id":"si-3.6_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Verify that the detection of the code and the associated incident reporting occur."}]},{"id":"si-3.6_gdn","name":"guidance","prose":"None."},{"id":"si-3.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)","class":"sp800-53a"}],"parts":[{"id":"si-3.6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(a)","class":"sp800-53a"}],"prose":"malicious code protection mechanisms are tested {{ insert: param, si-03.06_odp }} by introducing known benign code into the system;","links":[{"href":"#si-3.6_smt.a","rel":"assessment-for"}]},{"id":"si-3.6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)","class":"sp800-53a"}],"parts":[{"id":"si-3.6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)[01]","class":"sp800-53a"}],"prose":"the detection of (benign test) code occurs;","links":[{"href":"#si-3.6_smt.b","rel":"assessment-for"}]},{"id":"si-3.6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03(06)(b)[02]","class":"sp800-53a"}],"prose":"the associated incident reporting occurs.","links":[{"href":"#si-3.6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-3.6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-3.6_smt","rel":"assessment-for"}]},{"id":"si-3.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ntest cases\n\nrecords providing evidence of test cases executed on malicious code protection mechanisms\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the testing and verification of malicious code protection capabilities"}]}]},{"id":"si-3.7","class":"SP800-53-enhancement","title":"Nonsignature-based Detection","props":[{"name":"label","value":"SI-3(7)"},{"name":"label","value":"SI-03(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.07"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-3","rel":"incorporated-into"}]},{"id":"si-3.8","class":"SP800-53-enhancement","title":"Detect Unauthorized Commands","params":[{"id":"si-03.08_odp.01","props":[{"name":"alt-identifier","value":"si-3.8_prm_2"},{"name":"label","value":"SI-03(08)_ODP[01]","class":"sp800-53a"}],"label":"unauthorized operating system commands","guidelines":[{"prose":"system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;"}]},{"id":"si-03.08_odp.02","props":[{"name":"alt-identifier","value":"si-3.8_prm_1"},{"name":"label","value":"SI-03(08)_ODP[02]","class":"sp800-53a"}],"label":"system hardware components","guidelines":[{"prose":"unauthorized operating system commands to be detected are defined;"}]},{"id":"si-03.08_odp.03","props":[{"name":"alt-identifier","value":"si-3.8_prm_3"},{"name":"label","value":"SI-03(08)_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["issue a warning","audit the command execution","prevent the execution of the command"]}}],"props":[{"name":"label","value":"SI-3(8)"},{"name":"label","value":"SI-03(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-3","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-3.8_smt","name":"statement","parts":[{"id":"si-3.8_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect the following unauthorized operating system commands through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }}: {{ insert: param, si-03.08_odp.01 }} ; and"},{"id":"si-3.8_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-03.08_odp.03 }}."}]},{"id":"si-3.8_gdn","name":"guidance","prose":"Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands."},{"id":"si-3.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)","class":"sp800-53a"}],"parts":[{"id":"si-3.8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.08_odp.01 }} are detected through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }};","links":[{"href":"#si-3.8_smt.a","rel":"assessment-for"}]},{"id":"si-3.8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(08)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.08_odp.03 }} is\/are performed.","links":[{"href":"#si-3.8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-3.8_smt","rel":"assessment-for"}]},{"id":"si-3.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nsystem design documentation\n\nmalicious code protection mechanisms\n\nwarning messages sent upon the detection of unauthorized operating system command execution\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection"}]},{"id":"si-3.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing malicious code protection capabilities\n\nmechanisms supporting and\/or implementing the detection of unauthorized operating system commands through the kernel application programming interface"}]}]},{"id":"si-3.9","class":"SP800-53-enhancement","title":"Authenticate Remote Commands","props":[{"name":"label","value":"SI-3(9)"},{"name":"label","value":"SI-03(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-17.10","rel":"moved-to"}]},{"id":"si-3.10","class":"SP800-53-enhancement","title":"Malicious Code Analysis","params":[{"id":"si-03.10_odp","props":[{"name":"alt-identifier","value":"si-3.10_prm_1"},{"name":"label","value":"SI-03(10)_ODP","class":"sp800-53a"}],"label":"tools and techniques","guidelines":[{"prose":"tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;"}]}],"props":[{"name":"label","value":"SI-3(10)"},{"name":"label","value":"SI-03(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-03.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-3","rel":"required"}],"parts":[{"id":"si-3.10_smt","name":"statement","parts":[{"id":"si-3.10_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: {{ insert: param, si-03.10_odp }} ; and"},{"id":"si-3.10_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes."}]},{"id":"si-3.10_gdn","name":"guidance","prose":"The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code."},{"id":"si-3.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)","class":"sp800-53a"}],"parts":[{"id":"si-3.10_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-03.10_odp }} are employed to analyze the characteristics and behavior of malicious code;","links":[{"href":"#si-3.10_smt.a","rel":"assessment-for"}]},{"id":"si-3.10_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)","class":"sp800-53a"}],"parts":[{"id":"si-3.10_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)[01]","class":"sp800-53a"}],"prose":"the results from malicious code analysis are incorporated into organizational incident response processes;","links":[{"href":"#si-3.10_smt.b","rel":"assessment-for"}]},{"id":"si-3.10_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-03(10)(b)[02]","class":"sp800-53a"}],"prose":"the results from malicious code analysis are incorporated into organizational flaw remediation processes.","links":[{"href":"#si-3.10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-3.10_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-3.10_smt","rel":"assessment-for"}]},{"id":"si-3.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-03(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing malicious code protection\n\nprocedures addressing incident response\n\nprocedures addressing flaw remediation\n\nsystem design documentation\n\nmalicious code protection mechanisms, tools, and techniques\n\nsystem configuration settings and associated documentation\n\nresults from malicious code analyses\n\nrecords of flaw remediation events resulting from malicious code analyses\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-3.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-03(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for malicious code protection\n\norganizational personnel responsible for flaw remediation\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-3.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-03(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational process for incident response\n\norganizational process for flaw remediation\n\nmechanisms supporting and\/or implementing malicious code protection capabilities\n\ntools and techniques for the analysis of malicious code characteristics and behavior"}]}]}]},{"id":"si-4","class":"SP800-53","title":"System Monitoring","params":[{"id":"si-04_odp.01","props":[{"name":"alt-identifier","value":"si-4_prm_1"},{"name":"label","value":"SI-04_ODP[01]","class":"sp800-53a"}],"label":"monitoring objectives","guidelines":[{"prose":"monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;"}]},{"id":"si-04_odp.02","props":[{"name":"alt-identifier","value":"si-4_prm_2"},{"name":"label","value":"SI-04_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods used to identify unauthorized use of the system are defined;"}]},{"id":"si-04_odp.03","props":[{"name":"alt-identifier","value":"si-4_prm_3"},{"name":"label","value":"SI-04_ODP[03]","class":"sp800-53a"}],"label":"system monitoring information","guidelines":[{"prose":"system monitoring information to be provided to personnel or roles is defined;"}]},{"id":"si-04_odp.04","props":[{"name":"alt-identifier","value":"si-4_prm_4"},{"name":"label","value":"SI-04_ODP[04]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom system monitoring information is to be provided is\/are defined;"}]},{"id":"si-04_odp.05","props":[{"name":"alt-identifier","value":"si-4_prm_5"},{"name":"label","value":"SI-04_ODP[05]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["as needed","{{ insert: param, si-04_odp.06 }} "]}},{"id":"si-04_odp.06","props":[{"name":"alt-identifier","value":"si-4_prm_6"},{"name":"label","value":"SI-04_ODP[06]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency for providing system monitoring to personnel or roles is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4"},{"name":"label","value":"SI-04","class":"sp800-53a"},{"name":"sort-id","value":"si-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","rel":"reference"},{"href":"#3dd249b0-f57d-44ba-a03e-c3eab1b835ff","rel":"reference"},{"href":"#5eee45d8-3313-4fdc-8d54-1742092bbdd6","rel":"reference"},{"href":"#25e3e57b-dc2f-4934-af9b-050b020c6f0e","rel":"reference"},{"href":"#067223d8-1ec7-45c5-b21b-c848da6de8fb","rel":"reference"},{"href":"#ac-2","rel":"related"},{"href":"#ac-3","rel":"related"},{"href":"#ac-4","rel":"related"},{"href":"#ac-8","rel":"related"},{"href":"#ac-17","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-7","rel":"related"},{"href":"#au-9","rel":"related"},{"href":"#au-12","rel":"related"},{"href":"#au-13","rel":"related"},{"href":"#au-14","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#cm-11","rel":"related"},{"href":"#ia-10","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#pl-9","rel":"related"},{"href":"#pm-12","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#ra-10","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-18","rel":"related"},{"href":"#sc-26","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#sc-35","rel":"related"},{"href":"#sc-36","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#sc-43","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-6","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"si-4_smt","name":"statement","parts":[{"id":"si-4_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Monitor the system to detect:","parts":[{"id":"si-4_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }} ; and"},{"id":"si-4_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Unauthorized local, network, and remote connections;"}]},{"id":"si-4_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};"},{"id":"si-4_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Invoke internal monitoring capabilities or deploy monitoring devices:","parts":[{"id":"si-4_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Strategically within the system to collect organization-determined essential information; and"},{"id":"si-4_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"At ad hoc locations within the system to track specific types of transactions of interest to the organization;"}]},{"id":"si-4_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Analyze detected events and anomalies;"},{"id":"si-4_smt.e","name":"item","props":[{"name":"label","value":"e."}],"prose":"Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"},{"id":"si-4_smt.f","name":"item","props":[{"name":"label","value":"f."}],"prose":"Obtain legal opinion regarding system monitoring activities; and"},{"id":"si-4_smt.g","name":"item","props":[{"name":"label","value":"g."}],"prose":"Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."}]},{"id":"si-4_gdn","name":"guidance","prose":"System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.\n\nDepending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls [SC-7](#sc-7) and [AC-17](#ac-17) . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., [AC-2g](#ac-2_smt.g), [AC-2(7)](#ac-2.7), [AC-2(12)(a)](#ac-2.12_smt.a), [AC-17(1)](#ac-17.1), [AU-13](#au-13), [AU-13(1)](#au-13.1), [AU-13(2)](#au-13.2), [CM-3f](#cm-3_smt.f), [CM-6d](#cm-6_smt.d), [MA-3a](#ma-3_smt.a), [MA-4a](#ma-4_smt.a), [SC-5(3)(b)](#sc-5.3_smt.b), [SC-7a](#sc-7_smt.a), [SC-7(24)(b)](#sc-7.24_smt.b), [SC-18b](#sc-18_smt.b), [SC-43b](#sc-43_smt.b) ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.01","class":"sp800-53a"}],"prose":"the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};","links":[{"href":"#si-4_smt.a.1","rel":"assessment-for"}]},{"id":"si-4_obj.a.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.a.2-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[01]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized local connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[02]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized network connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]},{"id":"si-4_obj.a.2-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04a.02[03]","class":"sp800-53a"}],"prose":"the system is monitored to detect unauthorized remote connections;","links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.a","rel":"assessment-for"}]},{"id":"si-4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04b.","class":"sp800-53a"}],"prose":"unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};","links":[{"href":"#si-4_smt.b","rel":"assessment-for"}]},{"id":"si-4_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.01","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;","links":[{"href":"#si-4_smt.c.1","rel":"assessment-for"}]},{"id":"si-4_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SI-04c.02","class":"sp800-53a"}],"prose":"internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;","links":[{"href":"#si-4_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.c","rel":"assessment-for"}]},{"id":"si-4_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.","class":"sp800-53a"}],"parts":[{"id":"si-4_obj.d-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[01]","class":"sp800-53a"}],"prose":"detected events are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.d-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04d.[02]","class":"sp800-53a"}],"prose":"detected anomalies are analyzed;","links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt.d","rel":"assessment-for"}]},{"id":"si-4_obj.e","name":"assessment-objective","props":[{"name":"label","value":"SI-04e.","class":"sp800-53a"}],"prose":"the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;","links":[{"href":"#si-4_smt.e","rel":"assessment-for"}]},{"id":"si-4_obj.f","name":"assessment-objective","props":[{"name":"label","value":"SI-04f.","class":"sp800-53a"}],"prose":"a legal opinion regarding system monitoring activities is obtained;","links":[{"href":"#si-4_smt.f","rel":"assessment-for"}]},{"id":"si-4_obj.g","name":"assessment-objective","props":[{"name":"label","value":"SI-04g.","class":"sp800-53a"}],"prose":"{{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.","links":[{"href":"#si-4_smt.g","rel":"assessment-for"}]}],"links":[{"href":"#si-4_smt","rel":"assessment-for"}]},{"id":"si-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\ncontinuous monitoring strategy\n\nfacility diagram\/layout\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nlocations within the system where monitoring devices are deployed\n\nsystem configuration settings and associated documentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring capabilities"}]}],"controls":[{"id":"si-4.1","class":"SP800-53-enhancement","title":"System-wide Intrusion Detection System","props":[{"name":"label","value":"SI-4(1)"},{"name":"label","value":"SI-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.1_smt","name":"statement","prose":"Connect and configure individual intrusion detection tools into a system-wide intrusion detection system."},{"id":"si-4.1_gdn","name":"guidance","prose":"Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful."},{"id":"si-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)","class":"sp800-53a"}],"parts":[{"id":"si-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)[01]","class":"sp800-53a"}],"prose":"individual intrusion detection tools are connected to a system-wide intrusion detection system;","links":[{"href":"#si-4.1_smt","rel":"assessment-for"}]},{"id":"si-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(01)[02]","class":"sp800-53a"}],"prose":"individual intrusion detection tools are configured into a system-wide intrusion detection system.","links":[{"href":"#si-4.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.1_smt","rel":"assessment-for"}]},{"id":"si-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection capabilities"}]}]},{"id":"si-4.2","class":"SP800-53-enhancement","title":"Automated Tools and Mechanisms for Real-time Analysis","props":[{"name":"label","value":"SI-4(2)"},{"name":"label","value":"SI-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.2_smt","name":"statement","prose":"Employ automated tools and mechanisms to support near real-time analysis of events."},{"id":"si-4.2_gdn","name":"guidance","prose":"Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan."},{"id":"si-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(02)","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to support a near real-time analysis of events.","links":[{"href":"#si-4.2_smt","rel":"assessment-for"}]},{"id":"si-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk management documentation\n\nother relevant documents or records"}]},{"id":"si-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for incident response\/management"}]},{"id":"si-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the near real-time analysis of events\n\norganizational processes for system monitoring\n\nmechanisms supporting and\/or implementing system monitoring\n\nmechanisms\/tools supporting and\/or implementing an analysis of events"}]}]},{"id":"si-4.3","class":"SP800-53-enhancement","title":"Automated Tool and Mechanism Integration","props":[{"name":"label","value":"SI-4(3)"},{"name":"label","value":"SI-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#pm-23","rel":"related"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-4.3_smt","name":"statement","prose":"Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms."},{"id":"si-4.3_gdn","name":"guidance","prose":"Using automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access and flow control mechanisms facilitates a rapid response to attacks by enabling the reconfiguration of mechanisms in support of attack isolation and elimination."},{"id":"si-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)","class":"sp800-53a"}],"parts":[{"id":"si-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)[01]","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;","links":[{"href":"#si-4.3_smt","rel":"assessment-for"}]},{"id":"si-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(03)[02]","class":"sp800-53a"}],"prose":"automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.","links":[{"href":"#si-4.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.3_smt","rel":"assessment-for"}]},{"id":"si-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing the intrusion detection and system monitoring capability\n\nmechanisms and tools supporting and\/or implementing the access and flow control capabilities\n\nmechanisms and tools supporting and\/or implementing the integration of intrusion detection tools into the access and flow control mechanisms"}]}]},{"id":"si-4.4","class":"SP800-53-enhancement","title":"Inbound and Outbound Communications Traffic","params":[{"id":"si-4.4_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.03"}],"label":"organization-defined frequency"},{"id":"si-4.4_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-04.04_odp.04"}],"label":"organization-defined unusual or unauthorized activities or conditions"},{"id":"si-04.04_odp.01","props":[{"name":"label","value":"SI-04(04)_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.02","props":[{"name":"label","value":"SI-04(04)_ODP[02]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;"}]},{"id":"si-04.04_odp.03","props":[{"name":"label","value":"SI-04(04)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;"}]},{"id":"si-04.04_odp.04","props":[{"name":"label","value":"SI-04(04)_ODP[04]","class":"sp800-53a"}],"label":"unusual or unauthorized activities or conditions","guidelines":[{"prose":"unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(4)"},{"name":"label","value":"SI-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.4_smt","name":"statement","parts":[{"id":"si-4.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;"},{"id":"si-4.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Monitor inbound and outbound communications traffic {{ insert: param, si-4.4_prm_1 }} for {{ insert: param, si-4.4_prm_2 }}."}]},{"id":"si-4.4_gdn","name":"guidance","prose":"Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components."},{"id":"si-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[01]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(a)[02]","class":"sp800-53a"}],"prose":"criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;","links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.a","rel":"assessment-for"}]},{"id":"si-4.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.4_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[01]","class":"sp800-53a"}],"prose":"inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]},{"id":"si-4.4_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(04)(b)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.","links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.4_smt","rel":"assessment-for"}]},{"id":"si-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the monitoring of inbound and outbound communications traffic"}]}]},{"id":"si-4.5","class":"SP800-53-enhancement","title":"System-generated Alerts","params":[{"id":"si-04.05_odp.01","props":[{"name":"alt-identifier","value":"si-4.5_prm_1"},{"name":"label","value":"SI-04(05)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of compromise or potential compromise occur is\/are defined;"}]},{"id":"si-04.05_odp.02","props":[{"name":"alt-identifier","value":"si-4.5_prm_2"},{"name":"label","value":"SI-04(05)_ODP[02]","class":"sp800-53a"}],"label":"compromise indicators","guidelines":[{"prose":"compromise indicators are defined;"}]}],"props":[{"name":"label","value":"SI-4(5)"},{"name":"label","value":"SI-04(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-4","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#pe-6","rel":"related"}],"parts":[{"id":"si-4.5_smt","name":"statement","prose":"Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}."},{"id":"si-4.5_gdn","name":"guidance","prose":"Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners\/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats."},{"id":"si-4.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.","links":[{"href":"#si-4.5_smt","rel":"assessment-for"}]},{"id":"si-4.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of personnel selected to receive alerts\n\ndocumentation of alerts generated based on compromise indicators\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel on the system alert notification list\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing alerts for compromise indicators"}]}]},{"id":"si-4.6","class":"SP800-53-enhancement","title":"Restrict Non-privileged Users","props":[{"name":"label","value":"SI-4(6)"},{"name":"label","value":"SI-04(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.06"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-6.10","rel":"incorporated-into"}]},{"id":"si-4.7","class":"SP800-53-enhancement","title":"Automated Response to Suspicious Events","params":[{"id":"si-04.07_odp.01","props":[{"name":"alt-identifier","value":"si-4.7_prm_1"},{"name":"alt-label","value":"incident response personnel (identified by name and\/or by role)","class":"sp800-53"},{"name":"label","value":"SI-04(07)_ODP[01]","class":"sp800-53a"}],"label":"incident response personnel","guidelines":[{"prose":"incident response personnel (identified by name and\/or by role) to be notified of detected suspicious events is\/are defined;"}]},{"id":"si-04.07_odp.02","props":[{"name":"alt-identifier","value":"si-4.7_prm_2"},{"name":"alt-label","value":"least-disruptive actions to terminate suspicious events","class":"sp800-53"},{"name":"label","value":"SI-04(07)_ODP[02]","class":"sp800-53a"}],"label":"least-disruptive actions","guidelines":[{"prose":"least-disruptive actions to terminate suspicious events are defined;"}]}],"props":[{"name":"label","value":"SI-4(7)"},{"name":"label","value":"SI-04(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.7_smt","name":"statement","parts":[{"id":"si-4.7_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Notify {{ insert: param, si-04.07_odp.01 }} of detected suspicious events; and"},{"id":"si-4.7_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Take the following actions upon detection: {{ insert: param, si-04.07_odp.02 }}."}]},{"id":"si-4.7_gdn","name":"guidance","prose":"Least-disruptive actions include initiating requests for human responses."},{"id":"si-4.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)","class":"sp800-53a"}],"parts":[{"id":"si-4.7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.07_odp.01 }} are notified of detected suspicious events;","links":[{"href":"#si-4.7_smt.a","rel":"assessment-for"}]},{"id":"si-4.7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(07)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.07_odp.02 }} are taken upon the detection of suspicious events.","links":[{"href":"#si-4.7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.7_smt","rel":"assessment-for"}]},{"id":"si-4.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nalerts and notifications generated based on detected suspicious events\n\nrecords of actions taken to terminate suspicious events\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing notifications to incident response personnel\n\nmechanisms supporting and\/or implementing actions to terminate suspicious events"}]}]},{"id":"si-4.8","class":"SP800-53-enhancement","title":"Protection of Monitoring Information","props":[{"name":"label","value":"SI-4(8)"},{"name":"label","value":"SI-04(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.08"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-4","rel":"incorporated-into"}]},{"id":"si-4.9","class":"SP800-53-enhancement","title":"Testing of Monitoring Tools and Mechanisms","params":[{"id":"si-04.09_odp","props":[{"name":"alt-identifier","value":"si-4.9_prm_1"},{"name":"label","value":"SI-04(09)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"a frequency at which to test intrusion-monitoring tools and mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-4(9)"},{"name":"label","value":"SI-04(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.9_smt","name":"statement","prose":"Test intrusion-monitoring tools and mechanisms {{ insert: param, si-04.09_odp }}."},{"id":"si-4.9_gdn","name":"guidance","prose":"Testing intrusion-monitoring tools and mechanisms is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment."},{"id":"si-4.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(09)","class":"sp800-53a"}],"prose":"intrusion-monitoring tools and mechanisms are tested {{ insert: param, si-04.09_odp }}.","links":[{"href":"#si-4.9_smt","rel":"assessment-for"}]},{"id":"si-4.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing the testing of system monitoring tools and techniques\n\ndocumentation providing evidence of testing intrusion-monitoring tools\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the testing of intrusion-monitoring tools"}]}]},{"id":"si-4.10","class":"SP800-53-enhancement","title":"Visibility of Encrypted Communications","params":[{"id":"si-04.10_odp.01","props":[{"name":"alt-identifier","value":"si-4.10_prm_1"},{"name":"label","value":"SI-04(10)_ODP[01]","class":"sp800-53a"}],"label":"encrypted communications traffic","guidelines":[{"prose":"encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;"}]},{"id":"si-04.10_odp.02","props":[{"name":"alt-identifier","value":"si-4.10_prm_2"},{"name":"label","value":"SI-04(10)_ODP[02]","class":"sp800-53a"}],"label":"system monitoring tools and mechanisms","guidelines":[{"prose":"system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;"}]}],"props":[{"name":"label","value":"SI-4(10)"},{"name":"label","value":"SI-04(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.10_smt","name":"statement","prose":"Make provisions so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."},{"id":"si-4.10_gdn","name":"guidance","prose":"Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types."},{"id":"si-4.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(10)","class":"sp800-53a"}],"prose":"provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.","links":[{"href":"#si-4.10_smt","rel":"assessment-for"}]},{"id":"si-4.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the visibility of encrypted communications traffic to monitoring tools"}]}]},{"id":"si-4.11","class":"SP800-53-enhancement","title":"Analyze Communications Traffic Anomalies","params":[{"id":"si-04.11_odp","props":[{"name":"alt-identifier","value":"si-4.11_prm_1"},{"name":"alt-label","value":"interior points within the system","class":"sp800-53"},{"name":"label","value":"SI-04(11)_ODP","class":"sp800-53a"}],"label":"interior points","guidelines":[{"prose":"interior points within the system where communications traffic is to be analyzed are defined;"}]}],"props":[{"name":"label","value":"SI-4(11)"},{"name":"label","value":"SI-04(11)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.11_smt","name":"statement","prose":"Analyze outbound communications traffic at the external interfaces to the system and selected {{ insert: param, si-04.11_odp }} to discover anomalies."},{"id":"si-4.11_gdn","name":"guidance","prose":"Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses."},{"id":"si-4.11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)","class":"sp800-53a"}],"parts":[{"id":"si-4.11_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)[01]","class":"sp800-53a"}],"prose":"outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;","links":[{"href":"#si-4.11_smt","rel":"assessment-for"}]},{"id":"si-4.11_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(11)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies.","links":[{"href":"#si-4.11_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.11_smt","rel":"assessment-for"}]},{"id":"si-4.11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(11)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(11)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(11)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the analysis of communications traffic"}]}]},{"id":"si-4.12","class":"SP800-53-enhancement","title":"Automated Organization-generated Alerts","params":[{"id":"si-04.12_odp.01","props":[{"name":"alt-identifier","value":"si-4.12_prm_1"},{"name":"label","value":"SI-04(12)_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is\/are defined;"}]},{"id":"si-04.12_odp.02","props":[{"name":"alt-identifier","value":"si-4.12_prm_2"},{"name":"label","value":"SI-04(12)_ODP[02]","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to alert personnel or roles are defined;"}]},{"id":"si-04.12_odp.03","props":[{"name":"alt-identifier","value":"si-4.12_prm_3"},{"name":"label","value":"SI-04(12)_ODP[03]","class":"sp800-53a"}],"label":"activities that trigger alerts","guidelines":[{"prose":"activities that trigger alerts to personnel or are defined;"}]}],"props":[{"name":"label","value":"SI-4(12)"},{"name":"label","value":"SI-04(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.12_smt","name":"statement","prose":"Alert {{ insert: param, si-04.12_odp.01 }} using {{ insert: param, si-04.12_odp.02 }} when the following indications of inappropriate or unusual activities with security or privacy implications occur: {{ insert: param, si-04.12_odp.03 }}."},{"id":"si-4.12_gdn","name":"guidance","prose":"Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in [SI-4(5)](#si-4.5) focus on information sources that are internal to the systems, such as audit records."},{"id":"si-4.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(12)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.12_odp.01 }} is\/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.","links":[{"href":"#si-4.12_smt","rel":"assessment-for"}]},{"id":"si-4.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of inappropriate or unusual activities with security and privacy implications that trigger alerts\n\nsuspicious activity reports\n\nalerts provided to security and privacy personnel\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developers\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nautomated mechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nautomated mechanisms supporting and\/or implementing automated alerts to security personnel"}]}]},{"id":"si-4.13","class":"SP800-53-enhancement","title":"Analyze Traffic and Event Patterns","props":[{"name":"label","value":"SI-4(13)"},{"name":"label","value":"SI-04(13)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.13_smt","name":"statement","parts":[{"id":"si-4.13_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Analyze communications traffic and event patterns for the system;"},{"id":"si-4.13_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Develop profiles representing common traffic and event patterns; and"},{"id":"si-4.13_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Use the traffic and event profiles in tuning system-monitoring devices."}]},{"id":"si-4.13_gdn","name":"guidance","prose":"Identifying and understanding common communications traffic and event patterns help organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring."},{"id":"si-4.13_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)[01]","class":"sp800-53a"}],"prose":"communications traffic for the system is analyzed;","links":[{"href":"#si-4.13_smt.a","rel":"assessment-for"}]},{"id":"si-4.13_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(a)[02]","class":"sp800-53a"}],"prose":"event patterns for the system are analyzed;","links":[{"href":"#si-4.13_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-4.13_smt.a","rel":"assessment-for"}]},{"id":"si-4.13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)[01]","class":"sp800-53a"}],"prose":"profiles representing common traffic are developed;","links":[{"href":"#si-4.13_smt.b","rel":"assessment-for"}]},{"id":"si-4.13_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(b)[02]","class":"sp800-53a"}],"prose":"profiles representing event patterns are developed;","links":[{"href":"#si-4.13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.13_smt.b","rel":"assessment-for"}]},{"id":"si-4.13_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)","class":"sp800-53a"}],"parts":[{"id":"si-4.13_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)[01]","class":"sp800-53a"}],"prose":"traffic profiles are used in tuning system-monitoring devices;","links":[{"href":"#si-4.13_smt.c","rel":"assessment-for"}]},{"id":"si-4.13_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(13)(c)[02]","class":"sp800-53a"}],"prose":"event profiles are used in tuning system-monitoring devices.","links":[{"href":"#si-4.13_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-4.13_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-4.13_smt","rel":"assessment-for"}]},{"id":"si-4.13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(13)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of profiles representing common traffic patterns and\/or events\n\nsystem protocols documentation\n\nlist of acceptable thresholds for false positives and false negatives\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(13)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(13)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the analysis of communications traffic and event patterns"}]}]},{"id":"si-4.14","class":"SP800-53-enhancement","title":"Wireless Intrusion Detection","props":[{"name":"label","value":"SI-4(14)"},{"name":"label","value":"SI-04(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ia-3","rel":"related"}],"parts":[{"id":"si-4.14_smt","name":"statement","prose":"Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system."},{"id":"si-4.14_gdn","name":"guidance","prose":"Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems."},{"id":"si-4.14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)","class":"sp800-53a"}],"parts":[{"id":"si-4.14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[01]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to identify rogue wireless devices;","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[02]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect attack attempts on the system;","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(14)[03]","class":"sp800-53a"}],"prose":"a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.","links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.14_smt","rel":"assessment-for"}]},{"id":"si-4.14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(14)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(14)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(14)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.15","class":"SP800-53-enhancement","title":"Wireless to Wireline Communications","props":[{"name":"label","value":"SI-4(15)"},{"name":"label","value":"SI-04(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.15_smt","name":"statement","prose":"Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."},{"id":"si-4.15_gdn","name":"guidance","prose":"Wireless networks are inherently less secure than wired networks. For example, wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline networks. When wireless to wireline communications exist, the wireless network could become a port of entry into the wired network. Given the greater facility of unauthorized network access via wireless access points compared to unauthorized wired network access from within the physical boundaries of the system, additional monitoring of transitioning traffic between wireless and wired networks may be necessary to detect malicious activities. Employing intrusion detection systems to monitor wireless communications traffic helps to ensure that the traffic does not contain malicious code prior to transitioning to the wireline network."},{"id":"si-4.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(15)","class":"sp800-53a"}],"prose":"an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.","links":[{"href":"#si-4.15_smt","rel":"assessment-for"}]},{"id":"si-4.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem protocols documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing a wireless intrusion detection capability"}]}]},{"id":"si-4.16","class":"SP800-53-enhancement","title":"Correlate Monitoring Information","props":[{"name":"label","value":"SI-4(16)"},{"name":"label","value":"SI-04(16)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-6","rel":"related"}],"parts":[{"id":"si-4.16_smt","name":"statement","prose":"Correlate information from monitoring tools and mechanisms employed throughout the system."},{"id":"si-4.16_gdn","name":"guidance","prose":"Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols)."},{"id":"si-4.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(16)","class":"sp800-53a"}],"prose":"information from monitoring tools and mechanisms employed throughout the system is correlated.","links":[{"href":"#si-4.16_smt","rel":"assessment-for"}]},{"id":"si-4.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the correlation of information from monitoring tools"}]}]},{"id":"si-4.17","class":"SP800-53-enhancement","title":"Integrated Situational Awareness","props":[{"name":"label","value":"SI-4(17)"},{"name":"label","value":"SI-04(17)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#au-16","rel":"related"},{"href":"#pe-6","rel":"related"},{"href":"#sr-2","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-6","rel":"related"}],"parts":[{"id":"si-4.17_smt","name":"statement","prose":"Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness."},{"id":"si-4.17_gdn","name":"guidance","prose":"Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to [SI-4(16)](#si-4.16) , which correlates the various cyber monitoring information, integrated situational awareness is intended to correlate monitoring beyond the cyber domain. Correlation of monitoring information from multiple activities may help reveal attacks on organizations that are operating across multiple attack vectors."},{"id":"si-4.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(17)","class":"sp800-53a"}],"prose":"information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness.","links":[{"href":"#si-4.17_smt","rel":"assessment-for"}]},{"id":"si-4.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nevent correlation logs or records resulting from physical, cyber, and supply chain activities\n\nsystem audit records\n\nsystem security plan\n\nsupply chain risk management plan\n\nother relevant documents or records"}]},{"id":"si-4.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing the correlation of information from monitoring tools"}]}]},{"id":"si-4.18","class":"SP800-53-enhancement","title":"Analyze Traffic and Covert Exfiltration","params":[{"id":"si-04.18_odp","props":[{"name":"alt-identifier","value":"si-4.18_prm_1"},{"name":"alt-label","value":"interior points within the system","class":"sp800-53"},{"name":"label","value":"SI-04(18)_ODP","class":"sp800-53a"}],"label":"interior points","guidelines":[{"prose":"interior points within the system where communications traffic is to be analyzed are defined;"}]}],"props":[{"name":"label","value":"SI-4(18)"},{"name":"label","value":"SI-04(18)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.18_smt","name":"statement","prose":"Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: {{ insert: param, si-04.18_odp }}."},{"id":"si-4.18_gdn","name":"guidance","prose":"Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography."},{"id":"si-4.18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)","class":"sp800-53a"}],"parts":[{"id":"si-4.18_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)[01]","class":"sp800-53a"}],"prose":"outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;","links":[{"href":"#si-4.18_smt","rel":"assessment-for"}]},{"id":"si-4.18_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(18)[02]","class":"sp800-53a"}],"prose":"outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.","links":[{"href":"#si-4.18_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.18_smt","rel":"assessment-for"}]},{"id":"si-4.18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(18)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nnetwork diagram\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(18)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\norganizational personnel responsible for the intrusion detection system"}]},{"id":"si-4.18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(18)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for intrusion detection and system monitoring\n\nmechanisms supporting and\/or implementing intrusion detection and system monitoring capabilities\n\nmechanisms supporting and\/or implementing an analysis of outbound communications traffic"}]}]},{"id":"si-4.19","class":"SP800-53-enhancement","title":"Risk for Individuals","params":[{"id":"si-04.19_odp.01","props":[{"name":"alt-identifier","value":"si-4.19_prm_1"},{"name":"label","value":"SI-04(19)_ODP[01]","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of individuals who have been identified as posing an increased level of risk is defined;"}]},{"id":"si-04.19_odp.02","props":[{"name":"alt-identifier","value":"si-4.19_prm_2"},{"name":"label","value":"SI-04(19)_ODP[02]","class":"sp800-53a"}],"label":"sources","guidelines":[{"prose":"sources that identify individuals who pose an increased level of risk are defined;"}]}],"props":[{"name":"label","value":"SI-4(19)"},{"name":"label","value":"SI-04(19)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.19_smt","name":"statement","prose":"Implement {{ insert: param, si-04.19_odp.01 }} of individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk."},{"id":"si-4.19_gdn","name":"guidance","prose":"Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines."},{"id":"si-4.19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(19)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.","links":[{"href":"#si-4.19_smt","rel":"assessment-for"}]},{"id":"si-4.19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(19)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-4.19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(19)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system\n\nlegal counsel\n\nhuman resource officials\n\norganizational personnel with personnel security responsibilities"}]},{"id":"si-4.19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(19)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.20","class":"SP800-53-enhancement","title":"Privileged Users","params":[{"id":"si-04.20_odp","props":[{"name":"alt-identifier","value":"si-4.20_prm_1"},{"name":"label","value":"SI-04(20)_ODP","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring of privileged users is defined;"}]}],"props":[{"name":"label","value":"SI-4(20)"},{"name":"label","value":"SI-04(20)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.20_smt","name":"statement","prose":"Implement the following additional monitoring of privileged users: {{ insert: param, si-04.20_odp }}."},{"id":"si-4.20_gdn","name":"guidance","prose":"Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions."},{"id":"si-4.20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(20)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.20_odp }} of privileged users is implemented.","links":[{"href":"#si-4.20_smt","rel":"assessment-for"}]},{"id":"si-4.20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(20)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(20)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(20)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.21","class":"SP800-53-enhancement","title":"Probationary Periods","params":[{"id":"si-04.21_odp.01","props":[{"name":"alt-identifier","value":"si-4.21_prm_2"},{"name":"label","value":"SI-04(21)_ODP[01]","class":"sp800-53a"}],"label":"additional monitoring","guidelines":[{"prose":"additional monitoring to be implemented on individuals during probationary periods is defined;"}]},{"id":"si-04.21_odp.02","props":[{"name":"alt-identifier","value":"si-4.21_prm_1"},{"name":"label","value":"SI-04(21)_ODP[02]","class":"sp800-53a"}],"label":"probationary period","guidelines":[{"prose":"the probationary period of individuals is defined;"}]}],"props":[{"name":"label","value":"SI-4(21)"},{"name":"label","value":"SI-04(21)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.21_smt","name":"statement","prose":"Implement the following additional monitoring of individuals during {{ insert: param, si-04.21_odp.02 }}: {{ insert: param, si-04.21_odp.01 }}."},{"id":"si-4.21_gdn","name":"guidance","prose":"During probationary periods, employees do not have permanent employment status within organizations. Without such status or access to information that is resident on the system, additional monitoring can help identify any potentially malicious activity or inappropriate behavior."},{"id":"si-4.21_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(21)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.21_odp.01 }} of individuals is implemented during {{ insert: param, si-04.21_odp.02 }}.","links":[{"href":"#si-4.21_smt","rel":"assessment-for"}]},{"id":"si-4.21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(21)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(21)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(21)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability"}]}]},{"id":"si-4.22","class":"SP800-53-enhancement","title":"Unauthorized Network Services","params":[{"id":"si-04.22_odp.01","props":[{"name":"alt-identifier","value":"si-4.22_prm_1"},{"name":"label","value":"SI-04(22)_ODP[01]","class":"sp800-53a"}],"label":"authorization or approval processes","guidelines":[{"prose":"authorization or approval processes for network services are defined;"}]},{"id":"si-04.22_odp.02","props":[{"name":"alt-identifier","value":"si-4.22_prm_2"},{"name":"label","value":"SI-04(22)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["audit","alert {{ insert: param, si-04.22_odp.03 }} "]}},{"id":"si-04.22_odp.03","props":[{"name":"alt-identifier","value":"si-4.22_prm_3"},{"name":"label","value":"SI-04(22)_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-4(22)"},{"name":"label","value":"SI-04(22)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#cm-7","rel":"related"}],"parts":[{"id":"si-4.22_smt","name":"statement","parts":[{"id":"si-4.22_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Detect network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} ; and"},{"id":"si-4.22_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-04.22_odp.02 }} when detected."}]},{"id":"si-4.22_gdn","name":"guidance","prose":"Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services."},{"id":"si-4.22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)","class":"sp800-53a"}],"parts":[{"id":"si-4.22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(a)","class":"sp800-53a"}],"prose":"network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;","links":[{"href":"#si-4.22_smt.a","rel":"assessment-for"}]},{"id":"si-4.22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-04(22)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.22_odp.02 }} is\/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.","links":[{"href":"#si-4.22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-4.22_smt","rel":"assessment-for"}]},{"id":"si-4.22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(22)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\ndocumented authorization\/approval of network services\n\nnotifications or alerts of unauthorized network services\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(22)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring the system"}]},{"id":"si-4.22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(22)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms for auditing network services\n\nmechanisms for providing alerts"}]}]},{"id":"si-4.23","class":"SP800-53-enhancement","title":"Host-based Devices","params":[{"id":"si-04.23_odp.01","props":[{"name":"alt-identifier","value":"si-4.23_prm_2"},{"name":"label","value":"SI-04(23)_ODP[01]","class":"sp800-53a"}],"label":"host-based monitoring mechanisms","guidelines":[{"prose":"host-based monitoring mechanisms to be implemented on system components are defined;"}]},{"id":"si-04.23_odp.02","props":[{"name":"alt-identifier","value":"si-4.23_prm_1"},{"name":"label","value":"SI-04(23)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components where host-based monitoring is to be implemented are defined;"}]}],"props":[{"name":"label","value":"SI-4(23)"},{"name":"label","value":"SI-04(23)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"},{"href":"#ac-19","rel":"related"}],"parts":[{"id":"si-4.23_smt","name":"statement","prose":"Implement the following host-based monitoring mechanisms at {{ insert: param, si-04.23_odp.02 }}: {{ insert: param, si-04.23_odp.01 }}."},{"id":"si-4.23_gdn","name":"guidance","prose":"Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors."},{"id":"si-4.23_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(23)","class":"sp800-53a"}],"prose":"{{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.","links":[{"href":"#si-4.23_smt","rel":"assessment-for"}]},{"id":"si-4.23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(23)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring tools and techniques\n\nsystem design documentation\n\nhost-based monitoring mechanisms\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nlist of system components requiring host-based monitoring\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(23)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(23)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\nmechanisms supporting and\/or implementing a host-based monitoring capability"}]}]},{"id":"si-4.24","class":"SP800-53-enhancement","title":"Indicators of Compromise","params":[{"id":"si-04.24_odp.01","props":[{"name":"alt-identifier","value":"si-4.24_prm_2"},{"name":"label","value":"SI-04(24)_ODP[01]","class":"sp800-53a"}],"label":"sources","guidelines":[{"prose":"sources that provide indicators of compromise are defined;"}]},{"id":"si-04.24_odp.02","props":[{"name":"alt-identifier","value":"si-4.24_prm_1"},{"name":"label","value":"SI-04(24)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom indicators of compromise are to be distributed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-4(24)"},{"name":"label","value":"SI-04(24)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.24"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"},{"href":"#ac-18","rel":"related"}],"parts":[{"id":"si-4.24_smt","name":"statement","prose":"Discover, collect, and distribute to {{ insert: param, si-04.24_odp.02 }} , indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }}."},{"id":"si-4.24_gdn","name":"guidance","prose":"Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center."},{"id":"si-4.24_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)","class":"sp800-53a"}],"parts":[{"id":"si-4.24_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[01]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are discovered;","links":[{"href":"#si-4.24_smt","rel":"assessment-for"}]},{"id":"si-4.24_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[02]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are collected;","links":[{"href":"#si-4.24_smt","rel":"assessment-for"}]},{"id":"si-4.24_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-04(24)[03]","class":"sp800-53a"}],"prose":"indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are distributed to {{ insert: param, si-04.24_odp.02 }}.","links":[{"href":"#si-4.24_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.24_smt","rel":"assessment-for"}]},{"id":"si-4.24_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(24)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.24_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(24)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.24_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(24)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\norganizational processes for the discovery, collection, distribution, and use of indicators of compromise\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms supporting and\/or implementing the discovery, collection, distribution, and use of indicators of compromise"}]}]},{"id":"si-4.25","class":"SP800-53-enhancement","title":"Optimize Network Traffic Analysis","props":[{"name":"label","value":"SI-4(25)"},{"name":"label","value":"SI-04(25)","class":"sp800-53a"},{"name":"sort-id","value":"si-04.25"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-4","rel":"required"}],"parts":[{"id":"si-4.25_smt","name":"statement","prose":"Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices."},{"id":"si-4.25_gdn","name":"guidance","prose":"Encrypted traffic, asymmetric routing architectures, capacity and latency limitations, and transitioning from older to newer technologies (e.g., IPv4 to IPv6 network protocol transition) may result in blind spots for organizations when analyzing network traffic. Collecting, decrypting, pre-processing, and distributing only relevant traffic to monitoring devices can streamline the efficiency and use of devices and optimize traffic analysis."},{"id":"si-4.25_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)","class":"sp800-53a"}],"parts":[{"id":"si-4.25_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)[01]","class":"sp800-53a"}],"prose":"visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;","links":[{"href":"#si-4.25_smt","rel":"assessment-for"}]},{"id":"si-4.25_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-04(25)[02]","class":"sp800-53a"}],"prose":"visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.","links":[{"href":"#si-4.25_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-4.25_smt","rel":"assessment-for"}]},{"id":"si-4.25_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-04(25)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system monitoring\n\nsystem design documentation\n\nsystem monitoring tools and techniques documentation\n\nsystem configuration settings and associated documentation\n\nsystem monitoring logs or records\n\nsystem architecture\n\nsystem audit records\n\nnetwork traffic reports\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-4.25_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-04(25)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System\/network administrators\n\norganizational personnel with information security responsibilities\n\nsystem developer\n\norganizational personnel installing, configuring, and\/or maintaining the system\n\norganizational personnel responsible for monitoring system hosts"}]},{"id":"si-4.25_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-04(25)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for system monitoring\n\norganizational processes for the discovery, collection, distribution, and use of indicators of compromise\n\nmechanisms supporting and\/or implementing a system monitoring capability\n\nmechanisms supporting and\/or implementing the discovery, collection, distribution, and use of indicators of compromise"}]}]}]},{"id":"si-5","class":"SP800-53","title":"Security Alerts, Advisories, and Directives","params":[{"id":"si-05_odp.01","props":[{"name":"alt-identifier","value":"si-5_prm_1"},{"name":"label","value":"SI-05_ODP[01]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;"}]},{"id":"si-05_odp.02","props":[{"name":"alt-identifier","value":"si-5_prm_2"},{"name":"label","value":"SI-05_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, si-05_odp.03 }} ","{{ insert: param, si-05_odp.04 }} ","{{ insert: param, si-05_odp.05 }} "]}},{"id":"si-05_odp.03","props":[{"name":"alt-identifier","value":"si-5_prm_3"},{"name":"label","value":"SI-05_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom security alerts, advisories, and directives are to be disseminated is\/are defined (if selected);"}]},{"id":"si-05_odp.04","props":[{"name":"alt-identifier","value":"si-5_prm_4"},{"name":"alt-label","value":"elements within the organization","class":"sp800-53"},{"name":"label","value":"SI-05_ODP[04]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]},{"id":"si-05_odp.05","props":[{"name":"alt-identifier","value":"si-5_prm_5"},{"name":"label","value":"SI-05_ODP[05]","class":"sp800-53a"}],"label":"external organizations","guidelines":[{"prose":"external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-5"},{"name":"label","value":"SI-05","class":"sp800-53a"},{"name":"sort-id","value":"si-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#155f941a-cba9-4afd-9ca6-5d040d697ba9","rel":"reference"},{"href":"#pm-15","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-5_smt","name":"statement","parts":[{"id":"si-5_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Receive system security alerts, advisories, and directives from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"},{"id":"si-5_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Generate internal security alerts, advisories, and directives as deemed necessary;"},{"id":"si-5_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Disseminate security alerts, advisories, and directives to: {{ insert: param, si-05_odp.02 }} ; and"},{"id":"si-5_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance."}]},{"id":"si-5_gdn","name":"guidance","prose":"The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations."},{"id":"si-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05","class":"sp800-53a"}],"parts":[{"id":"si-5_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-05a.","class":"sp800-53a"}],"prose":"system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;","links":[{"href":"#si-5_smt.a","rel":"assessment-for"}]},{"id":"si-5_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-05b.","class":"sp800-53a"}],"prose":"internal security alerts, advisories, and directives are generated as deemed necessary;","links":[{"href":"#si-5_smt.b","rel":"assessment-for"}]},{"id":"si-5_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-05c.","class":"sp800-53a"}],"prose":"security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};","links":[{"href":"#si-5_smt.c","rel":"assessment-for"}]},{"id":"si-5_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-05d.","class":"sp800-53a"}],"prose":"security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.","links":[{"href":"#si-5_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-5_smt","rel":"assessment-for"}]},{"id":"si-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nrecords of security alerts and advisories\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts, advisories, and directives are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives\n\nmechanisms supporting and\/or implementing security directives"}]}],"controls":[{"id":"si-5.1","class":"SP800-53-enhancement","title":"Automated Alerts and Advisories","params":[{"id":"si-05.01_odp","props":[{"name":"alt-identifier","value":"si-5.1_prm_1"},{"name":"label","value":"SI-05(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;"}]}],"props":[{"name":"label","value":"SI-5(1)"},{"name":"label","value":"SI-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-5","rel":"required"}],"parts":[{"id":"si-5.1_smt","name":"statement","prose":"Broadcast security alert and advisory information throughout the organization using {{ insert: param, si-05.01_odp }}."},{"id":"si-5.1_gdn","name":"guidance","prose":"The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level."},{"id":"si-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.","links":[{"href":"#si-5.1_smt","rel":"assessment-for"}]},{"id":"si-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security alerts, advisories, and directives\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nautomated mechanisms supporting the distribution of security alert and advisory information\n\nrecords of security alerts and advisories\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security alert and advisory responsibilities\n\norganizational personnel implementing, operating, maintaining, and using the system\n\norganizational personnel, organizational elements, and\/or external organizations to whom alerts and advisories are to be disseminated\n\nsystem\/network administrators\n\norganizational personnel with information security responsibilities"}]},{"id":"si-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories\n\nautomated mechanisms supporting and\/or implementing the dissemination of security alerts and advisories"}]}]}]},{"id":"si-6","class":"SP800-53","title":"Security and Privacy Function Verification","params":[{"id":"si-6_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-06_odp.02"}],"label":"organization-defined security and privacy functions"},{"id":"si-06_odp.01","props":[{"name":"label","value":"SI-06_ODP[01]","class":"sp800-53a"}],"label":"security functions","guidelines":[{"prose":"security functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.02","props":[{"name":"label","value":"SI-06_ODP[02]","class":"sp800-53a"}],"label":"privacy functions","guidelines":[{"prose":"privacy functions to be verified for correct operation are defined;"}]},{"id":"si-06_odp.03","props":[{"name":"alt-identifier","value":"si-6_prm_2"},{"name":"label","value":"SI-06_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["{{ insert: param, si-06_odp.04 }} ","upon command by user with appropriate privilege","{{ insert: param, si-06_odp.05 }} "]}},{"id":"si-06_odp.04","props":[{"name":"alt-identifier","value":"si-6_prm_3"},{"name":"label","value":"SI-06_ODP[04]","class":"sp800-53a"}],"label":"system transitional states","guidelines":[{"prose":"system transitional states requiring the verification of security and privacy functions are defined; (if selected)"}]},{"id":"si-06_odp.05","props":[{"name":"alt-identifier","value":"si-6_prm_4"},{"name":"label","value":"SI-06_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)"}]},{"id":"si-06_odp.06","props":[{"name":"alt-identifier","value":"si-6_prm_5"},{"name":"label","value":"SI-06_ODP[06]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted of failed security and privacy verification tests is\/are defined;"}]},{"id":"si-06_odp.07","props":[{"name":"alt-identifier","value":"si-6_prm_6"},{"name":"label","value":"SI-06_ODP[07]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut the system down","restart the system","{{ insert: param, si-06_odp.08 }} "]}},{"id":"si-06_odp.08","props":[{"name":"alt-identifier","value":"si-6_prm_7"},{"name":"label","value":"SI-06_ODP[08]","class":"sp800-53a"}],"label":"alternative action(s)","guidelines":[{"prose":"alternative action(s) to be performed when anomalies are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-6"},{"name":"label","value":"SI-06","class":"sp800-53a"},{"name":"sort-id","value":"si-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ca-7","rel":"related"},{"href":"#cm-4","rel":"related"},{"href":"#cm-6","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-6_smt","name":"statement","parts":[{"id":"si-6_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Verify the correct operation of {{ insert: param, si-6_prm_1 }};"},{"id":"si-6_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Perform the verification of the functions specified in SI-6a {{ insert: param, si-06_odp.03 }};"},{"id":"si-6_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Alert {{ insert: param, si-06_odp.06 }} to failed security and privacy verification tests; and"},{"id":"si-6_smt.d","name":"item","props":[{"name":"label","value":"d."}],"prose":"{{ insert: param, si-06_odp.07 }} when anomalies are discovered."}]},{"id":"si-6_gdn","name":"guidance","prose":"Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected."},{"id":"si-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.01 }} are verified to be operating correctly;","links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]},{"id":"si-6_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06a.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.02 }} are verified to be operating correctly;","links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.a","rel":"assessment-for"}]},{"id":"si-6_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};","links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]},{"id":"si-6_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06b.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};","links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.b","rel":"assessment-for"}]},{"id":"si-6_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.","class":"sp800-53a"}],"parts":[{"id":"si-6_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.06 }} is\/are alerted to failed security verification tests;","links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]},{"id":"si-6_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06c.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.06 }} is\/are alerted to failed privacy verification tests;","links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt.c","rel":"assessment-for"}]},{"id":"si-6_obj.d","name":"assessment-objective","props":[{"name":"label","value":"SI-06d.","class":"sp800-53a"}],"prose":"{{ insert: param, si-06_odp.07 }} is\/are initiated when anomalies are discovered.","links":[{"href":"#si-6_smt.d","rel":"assessment-for"}]}],"links":[{"href":"#si-6_smt","rel":"assessment-for"}]},{"id":"si-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nalerts\/notifications of failed security verification tests\n\nlist of system transition states requiring security functionality verification\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities\n\nsystem developer"}]},{"id":"si-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nmechanisms supporting and\/or implementing the security and privacy function verification capability"}]}],"controls":[{"id":"si-6.1","class":"SP800-53-enhancement","title":"Notification of Failed Security Tests","props":[{"name":"label","value":"SI-6(1)"},{"name":"label","value":"SI-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-6","rel":"incorporated-into"}]},{"id":"si-6.2","class":"SP800-53-enhancement","title":"Automation Support for Distributed Testing","props":[{"name":"label","value":"SI-6(2)"},{"name":"label","value":"SI-06(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-6","rel":"required"},{"href":"#si-2","rel":"related"}],"parts":[{"id":"si-6.2_smt","name":"statement","prose":"Implement automated mechanisms to support the management of distributed security and privacy function testing."},{"id":"si-6.2_gdn","name":"guidance","prose":"The use of automated mechanisms to support the management of distributed function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such testing."},{"id":"si-6.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)","class":"sp800-53a"}],"parts":[{"id":"si-6.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)[01]","class":"sp800-53a"}],"prose":"automated mechanisms are implemented to support the management of distributed security function testing;","links":[{"href":"#si-6.2_smt","rel":"assessment-for"}]},{"id":"si-6.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06(02)[02]","class":"sp800-53a"}],"prose":"automated mechanisms are implemented to support the management of distributed privacy function testing.","links":[{"href":"#si-6.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-6.2_smt","rel":"assessment-for"}]},{"id":"si-6.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel implementing, operating, and maintaining the system\n\nsystem\/network administrators\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-6.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for security and privacy function verification\n\nautomated mechanisms supporting and\/or implementing the management of distributed security and privacy testing"}]}]},{"id":"si-6.3","class":"SP800-53-enhancement","title":"Report Verification Results","params":[{"id":"si-06.03_odp","props":[{"name":"alt-identifier","value":"si-6.3_prm_1"},{"name":"label","value":"SI-06(03)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles designated to receive the results of security and privacy function verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-6(3)"},{"name":"label","value":"SI-06(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-06.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-6","rel":"required"},{"href":"#si-4","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"si-6.3_smt","name":"statement","prose":"Report the results of security and privacy function verification to {{ insert: param, si-06.03_odp }}."},{"id":"si-6.3_gdn","name":"guidance","prose":"Organizational personnel with potential interest in the results of the verification of security and privacy functions include systems security officers, senior agency information security officers, and senior agency officials for privacy."},{"id":"si-6.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)","class":"sp800-53a"}],"parts":[{"id":"si-6.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)[01]","class":"sp800-53a"}],"prose":"the results of security function verification are reported to {{ insert: param, si-06.03_odp }};","links":[{"href":"#si-6.3_smt","rel":"assessment-for"}]},{"id":"si-6.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-06(03)[02]","class":"sp800-53a"}],"prose":"the results of privacy function verification are reported to {{ insert: param, si-06.03_odp }}.","links":[{"href":"#si-6.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-6.3_smt","rel":"assessment-for"}]},{"id":"si-6.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-06(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing security and privacy function verification\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreports of security and privacy function verification results\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-6.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-06(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with security and privacy function verification responsibilities\n\norganizational personnel who are recipients of security and privacy function verification reports\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-6.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-06(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for reporting security and privacy function verification results\n\nmechanisms supporting and\/or implementing the reporting of security and privacy function verification results"}]}]}]},{"id":"si-7","class":"SP800-53","title":"Software, Firmware, and Information Integrity","params":[{"id":"si-7_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.03"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07_odp.06"}],"label":"organization-defined actions"},{"id":"si-07_odp.01","props":[{"name":"label","value":"SI-07_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.02","props":[{"name":"label","value":"SI-07_ODP[02]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.03","props":[{"name":"label","value":"SI-07_ODP[03]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information requiring integrity verification tools to be employed to detect unauthorized changes is defined;"}]},{"id":"si-07_odp.04","props":[{"name":"label","value":"SI-07_ODP[04]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to software are detected are defined;"}]},{"id":"si-07_odp.05","props":[{"name":"label","value":"SI-07_ODP[05]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to firmware are detected are defined;"}]},{"id":"si-07_odp.06","props":[{"name":"label","value":"SI-07_ODP[06]","class":"sp800-53a"}],"label":"actions","guidelines":[{"prose":"actions to be taken when unauthorized changes to information are detected are defined;"}]}],"props":[{"name":"label","value":"SI-7"},{"name":"label","value":"SI-07","class":"sp800-53a"},{"name":"sort-id","value":"si-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#4895b4cd-34c5-4667-bf8a-27d443c12047","rel":"reference"},{"href":"#e47ee630-9cbc-4133-880e-e013f83ccd51","rel":"reference"},{"href":"#ac-4","rel":"related"},{"href":"#cm-3","rel":"related"},{"href":"#cm-7","rel":"related"},{"href":"#cm-8","rel":"related"},{"href":"#ma-3","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sc-8","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"},{"href":"#sc-28","rel":"related"},{"href":"#sc-37","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"si-7_smt","name":"statement","parts":[{"id":"si-7_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: {{ insert: param, si-7_prm_1 }} ; and"},{"id":"si-7_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Take the following actions when unauthorized changes to the software, firmware, and information are detected: {{ insert: param, si-7_prm_2 }}."}]},{"id":"si-7_gdn","name":"guidance","prose":"Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input\/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications."},{"id":"si-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[01]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[02]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07a.[03]","class":"sp800-53a"}],"prose":"integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};","links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.a","rel":"assessment-for"}]},{"id":"si-7_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.","class":"sp800-53a"}],"parts":[{"id":"si-7_obj.b-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]},{"id":"si-7_obj.b-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07b.[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.","links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-7_smt","rel":"assessment-for"}]},{"id":"si-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem\/network administrators"}]},{"id":"si-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}],"controls":[{"id":"si-7.1","class":"SP800-53-enhancement","title":"Integrity Checks","params":[{"id":"si-7.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.05"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.09"}],"label":"organization-defined software, firmware, and information"},{"id":"si-7.1_prm_2","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.06"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.10"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-7.1_prm_3 }} ","{{ insert: param, si-7.1_prm_4 }} "]}},{"id":"si-7.1_prm_3","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.07"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.11"}],"label":"organization-defined transitional states or security-relevant events"},{"id":"si-7.1_prm_4","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.04"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.08"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-07.01_odp.12"}],"label":"organization-defined frequency"},{"id":"si-07.01_odp.01","props":[{"name":"label","value":"SI-07(01)_ODP[01]","class":"sp800-53a"}],"label":"software","guidelines":[{"prose":"software on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.02","props":[{"name":"label","value":"SI-07(01)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.03 }} ","{{ insert: param, si-07.01_odp.04 }} "]}},{"id":"si-07.01_odp.03","props":[{"name":"label","value":"SI-07(01)_ODP[03]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);"}]},{"id":"si-07.01_odp.04","props":[{"name":"label","value":"SI-07(01)_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on software) is defined (if selected);"}]},{"id":"si-07.01_odp.05","props":[{"name":"label","value":"SI-07(01)_ODP[05]","class":"sp800-53a"}],"label":"firmware","guidelines":[{"prose":"firmware on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.06","props":[{"name":"label","value":"SI-07(01)_ODP[06]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.07 }} ","{{ insert: param, si-07.01_odp.08 }} "]}},{"id":"si-07.01_odp.07","props":[{"name":"label","value":"SI-07(01)_ODP[07]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);"}]},{"id":"si-07.01_odp.08","props":[{"name":"label","value":"SI-07(01)_ODP[08]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (on firmware) is defined (if selected);"}]},{"id":"si-07.01_odp.09","props":[{"name":"label","value":"SI-07(01)_ODP[09]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"information on which an integrity check is to be performed is defined;"}]},{"id":"si-07.01_odp.10","props":[{"name":"label","value":"SI-07(01)_ODP[10]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at startup","at {{ insert: param, si-07.01_odp.11 }} ","{{ insert: param, si-07.01_odp.12 }} "]}},{"id":"si-07.01_odp.11","props":[{"name":"label","value":"SI-07(01)_ODP[11]","class":"sp800-53a"}],"label":"transitional states or security-relevant events","guidelines":[{"prose":"transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);"}]},{"id":"si-07.01_odp.12","props":[{"name":"label","value":"SI-07(01)_ODP[12]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency with which to perform an integrity check (of information) is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(1)"},{"name":"label","value":"SI-07(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.1_smt","name":"statement","prose":"Perform an integrity check of {{ insert: param, si-7.1_prm_1 }} {{ insert: param, si-7.1_prm_2 }}."},{"id":"si-7.1_gdn","name":"guidance","prose":"Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort."},{"id":"si-7.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)","class":"sp800-53a"}],"parts":[{"id":"si-7.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[01]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[02]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(01)[03]","class":"sp800-53a"}],"prose":"an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.","links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-7.1_smt","rel":"assessment-for"}]},{"id":"si-7.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity testing\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools"}]}]},{"id":"si-7.2","class":"SP800-53-enhancement","title":"Automated Notifications of Integrity Violations","params":[{"id":"si-07.02_odp","props":[{"name":"alt-identifier","value":"si-7.2_prm_1"},{"name":"label","value":"SI-07(02)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is\/are defined;"}]}],"props":[{"name":"label","value":"SI-7(2)"},{"name":"label","value":"SI-07(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.2_smt","name":"statement","prose":"Employ automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification."},{"id":"si-7.2_gdn","name":"guidance","prose":"The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers."},{"id":"si-7.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(02)","class":"sp800-53a"}],"prose":"automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.","links":[{"href":"#si-7.2_smt","rel":"assessment-for"}]},{"id":"si-7.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nautomated tools supporting alerts and notifications for integrity discrepancies\n\nnotifications provided upon discovering discrepancies during integrity verifications\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-7.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security and privacy responsibilities\n\nsystem administrators\n\nsoftware developers"}]},{"id":"si-7.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing integrity discrepancy notifications"}]}]},{"id":"si-7.3","class":"SP800-53-enhancement","title":"Centrally Managed Integrity Tools","props":[{"name":"label","value":"SI-7(3)"},{"name":"label","value":"SI-07(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-3","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-8","rel":"related"}],"parts":[{"id":"si-7.3_smt","name":"statement","prose":"Employ centrally managed integrity verification tools."},{"id":"si-7.3_gdn","name":"guidance","prose":"Centrally managed integrity verification tools provides greater consistency in the application of such tools and can facilitate more comprehensive coverage of integrity verification actions."},{"id":"si-7.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(03)","class":"sp800-53a"}],"prose":"centrally managed integrity verification tools are employed.","links":[{"href":"#si-7.3_smt","rel":"assessment-for"}]},{"id":"si-7.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for the central management of integrity verification tools\n\norganizational personnel with information security responsibilities"}]},{"id":"si-7.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing the central management of integrity verification tools"}]}]},{"id":"si-7.4","class":"SP800-53-enhancement","title":"Tamper-evident Packaging","props":[{"name":"label","value":"SI-7(4)"},{"name":"label","value":"SI-07(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.04"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#sr-9","rel":"incorporated-into"}]},{"id":"si-7.5","class":"SP800-53-enhancement","title":"Automated Response to Integrity Violations","params":[{"id":"si-07.05_odp.01","props":[{"name":"alt-identifier","value":"si-7.5_prm_1"},{"name":"label","value":"SI-07(05)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["shut down the system","restart the system","implement {{ insert: param, si-07.05_odp.02 }} "]}},{"id":"si-07.05_odp.02","props":[{"name":"alt-identifier","value":"si-7.5_prm_2"},{"name":"label","value":"SI-07(05)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented automatically when integrity violations are discovered are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(5)"},{"name":"label","value":"SI-07(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.5_smt","name":"statement","prose":"Automatically {{ insert: param, si-07.05_odp.01 }} when integrity violations are discovered."},{"id":"si-7.5_gdn","name":"guidance","prose":"Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur."},{"id":"si-7.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.","links":[{"href":"#si-7.5_smt","rel":"assessment-for"}]},{"id":"si-7.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nrecords of integrity checks and responses to integrity violations\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms providing an automated response to integrity violations\n\nmechanisms supporting and\/or implementing security safeguards to be implemented when integrity violations are discovered"}]}]},{"id":"si-7.6","class":"SP800-53-enhancement","title":"Cryptographic Protection","props":[{"name":"label","value":"SI-7(6)"},{"name":"label","value":"SI-07(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.6_smt","name":"statement","prose":"Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information."},{"id":"si-7.6_gdn","name":"guidance","prose":"Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)","class":"sp800-53a"}],"parts":[{"id":"si-7.6_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[01]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to software;","links":[{"href":"#si-7.6_smt","rel":"assessment-for"}]},{"id":"si-7.6_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[02]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to firmware;","links":[{"href":"#si-7.6_smt","rel":"assessment-for"}]},{"id":"si-7.6_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-07(06)[03]","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to detect unauthorized changes to information.","links":[{"href":"#si-7.6_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-7.6_smt","rel":"assessment-for"}]},{"id":"si-7.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nrecords of detected unauthorized changes to software, firmware, and information\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\ncryptographic mechanisms implementing software, firmware, and information integrity"}]}]},{"id":"si-7.7","class":"SP800-53-enhancement","title":"Integration of Detection and Response","params":[{"id":"si-07.07_odp","props":[{"name":"alt-identifier","value":"si-7.7_prm_1"},{"name":"alt-label","value":"security-relevant changes to the system","class":"sp800-53"},{"name":"label","value":"SI-07(07)_ODP","class":"sp800-53a"}],"label":"changes","guidelines":[{"prose":"security-relevant changes to the system are defined;"}]}],"props":[{"name":"label","value":"SI-7(7)"},{"name":"label","value":"SI-07(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ir-5","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-7.7_smt","name":"statement","prose":"Incorporate the detection of the following unauthorized changes into the organizational incident response capability: {{ insert: param, si-07.07_odp }}."},{"id":"si-7.7_gdn","name":"guidance","prose":"Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges."},{"id":"si-7.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(07)","class":"sp800-53a"}],"prose":"the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.","links":[{"href":"#si-7.7_smt","rel":"assessment-for"}]},{"id":"si-7.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nprocedures addressing incident response\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nincident response records\n\naudit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\norganizational personnel with incident response responsibilities"}]},{"id":"si-7.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability\n\nsoftware, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability"}]}]},{"id":"si-7.8","class":"SP800-53-enhancement","title":"Auditing Capability for Significant Events","params":[{"id":"si-07.08_odp.01","props":[{"name":"alt-identifier","value":"si-7.8_prm_1"},{"name":"label","value":"SI-07(08)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["generate an audit record","alert current user","alert {{ insert: param, si-07.08_odp.02 }} ","{{ insert: param, si-07.08_odp.03 }} "]}},{"id":"si-07.08_odp.02","props":[{"name":"alt-identifier","value":"si-7.8_prm_2"},{"name":"label","value":"SI-07(08)_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to be alerted upon the detection of a potential integrity violation is\/are defined (if selected);"}]},{"id":"si-07.08_odp.03","props":[{"name":"alt-identifier","value":"si-7.8_prm_3"},{"name":"label","value":"SI-07(08)_ODP[03]","class":"sp800-53a"}],"label":"other actions","guidelines":[{"prose":"other actions to be taken upon the detection of a potential integrity violation are defined (if selected);"}]}],"props":[{"name":"label","value":"SI-7(8)"},{"name":"label","value":"SI-07(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#au-2","rel":"related"},{"href":"#au-6","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-7.8_smt","name":"statement","prose":"Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: {{ insert: param, si-07.08_odp.01 }}."},{"id":"si-7.8_gdn","name":"guidance","prose":"Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations."},{"id":"si-7.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)","class":"sp800-53a"}],"parts":[{"id":"si-7.8_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)[01]","class":"sp800-53a"}],"prose":"the capability to audit an event upon the detection of a potential integrity violation is provided;","links":[{"href":"#si-7.8_smt","rel":"assessment-for"}]},{"id":"si-7.8_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-07(08)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.08_odp.01 }} is\/are initiated upon the detection of a potential integrity violation.","links":[{"href":"#si-7.8_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-7.8_smt","rel":"assessment-for"}]},{"id":"si-7.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity scans\n\nincident response records\n\nlist of security-relevant changes to the system\n\nautomated tools supporting alerts and notifications if unauthorized security changes are detected\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing the capability to audit potential integrity violations\n\nmechanisms supporting and\/or implementing alerts about potential integrity violations"}]}]},{"id":"si-7.9","class":"SP800-53-enhancement","title":"Verify Boot Process","params":[{"id":"si-07.09_odp","props":[{"name":"alt-identifier","value":"si-7.9_prm_1"},{"name":"label","value":"SI-07(09)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring integrity verification of the boot process are defined;"}]}],"props":[{"name":"label","value":"SI-7(9)"},{"name":"label","value":"SI-07(09)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"si-7.9_smt","name":"statement","prose":"Verify the integrity of the boot process of the following system components: {{ insert: param, si-07.09_odp }}."},{"id":"si-7.9_gdn","name":"guidance","prose":"Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes."},{"id":"si-7.9_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(09)","class":"sp800-53a"}],"prose":"the integrity of the boot process of {{ insert: param, si-07.09_odp }} is verified.","links":[{"href":"#si-7.9_smt","rel":"assessment-for"}]},{"id":"si-7.9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(09)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\ndocumentation\n\nrecords of integrity verification scans\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(09)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem developer"}]},{"id":"si-7.9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(09)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing integrity verification of the boot process"}]}]},{"id":"si-7.10","class":"SP800-53-enhancement","title":"Protection of Boot Firmware","params":[{"id":"si-07.10_odp.01","props":[{"name":"alt-identifier","value":"si-7.10_prm_2"},{"name":"label","value":"SI-07(10)_ODP[01]","class":"sp800-53a"}],"label":"mechanisms","guidelines":[{"prose":"mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;"}]},{"id":"si-07.10_odp.02","props":[{"name":"alt-identifier","value":"si-7.10_prm_1"},{"name":"label","value":"SI-07(10)_ODP[02]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring mechanisms to protect the integrity of boot firmware are defined;"}]}],"props":[{"name":"label","value":"SI-7(10)"},{"name":"label","value":"SI-07(10)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-6","rel":"related"}],"parts":[{"id":"si-7.10_smt","name":"statement","prose":"Implement the following mechanisms to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}: {{ insert: param, si-07.10_odp.01 }}."},{"id":"si-7.10_gdn","name":"guidance","prose":"Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware."},{"id":"si-7.10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(10)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.10_odp.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}.","links":[{"href":"#si-7.10_smt","rel":"assessment-for"}]},{"id":"si-7.10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(10)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification tools and associated documentation\n\nrecords of integrity verification scans\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(10)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(10)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing protection of the integrity of boot firmware\n\nsafeguards implementing protection of the integrity of boot firmware"}]}]},{"id":"si-7.11","class":"SP800-53-enhancement","title":"Confined Environments with Limited Privileges","props":[{"name":"label","value":"SI-7(11)"},{"name":"label","value":"SI-07(11)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.11"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.6","rel":"moved-to"}]},{"id":"si-7.12","class":"SP800-53-enhancement","title":"Integrity Verification","params":[{"id":"si-07.12_odp","props":[{"name":"alt-identifier","value":"si-7.12_prm_1"},{"name":"label","value":"SI-07(12)_ODP","class":"sp800-53a"}],"label":"user-installed software","guidelines":[{"prose":"user-installed software requiring integrity verification prior to execution is defined;"}]}],"props":[{"name":"label","value":"SI-7(12)"},{"name":"label","value":"SI-07(12)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-11","rel":"related"}],"parts":[{"id":"si-7.12_smt","name":"statement","prose":"Require that the integrity of the following user-installed software be verified prior to execution: {{ insert: param, si-07.12_odp }}."},{"id":"si-7.12_gdn","name":"guidance","prose":"Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or programs that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity, including the availability of trustworthy checksums from software developers and vendors."},{"id":"si-7.12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(12)","class":"sp800-53a"}],"prose":"the integrity of {{ insert: param, si-07.12_odp }} is verified prior to execution.","links":[{"href":"#si-7.12_smt","rel":"assessment-for"}]},{"id":"si-7.12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(12)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nintegrity verification records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(12)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities"}]},{"id":"si-7.12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(12)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing verification of the integrity of user-installed software prior to execution"}]}]},{"id":"si-7.13","class":"SP800-53-enhancement","title":"Code Execution in Protected Environments","props":[{"name":"label","value":"SI-7(13)"},{"name":"label","value":"SI-07(13)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.13"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.7","rel":"moved-to"}]},{"id":"si-7.14","class":"SP800-53-enhancement","title":"Binary or Machine Executable Code","props":[{"name":"label","value":"SI-7(14)"},{"name":"label","value":"SI-07(14)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.14"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#cm-7.8","rel":"moved-to"}]},{"id":"si-7.15","class":"SP800-53-enhancement","title":"Code Authentication","params":[{"id":"si-07.15_odp","props":[{"name":"alt-identifier","value":"si-7.15_prm_1"},{"name":"label","value":"SI-07(15)_ODP","class":"sp800-53a"}],"label":"software or firmware components","guidelines":[{"prose":"software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;"}]}],"props":[{"name":"label","value":"SI-7(15)"},{"name":"label","value":"SI-07(15)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#cm-5","rel":"related"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-7.15_smt","name":"statement","prose":"Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: {{ insert: param, si-07.15_odp }}."},{"id":"si-7.15_gdn","name":"guidance","prose":"Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions."},{"id":"si-7.15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(15)","class":"sp800-53a"}],"prose":"cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.","links":[{"href":"#si-7.15_smt","rel":"assessment-for"}]},{"id":"si-7.15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(15)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software, firmware, and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ncryptographic mechanisms and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(15)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(15)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Cryptographic mechanisms authenticating software and firmware prior to installation"}]}]},{"id":"si-7.16","class":"SP800-53-enhancement","title":"Time Limit on Process Execution Without Supervision","params":[{"id":"si-07.16_odp","props":[{"name":"alt-identifier","value":"si-7.16_prm_1"},{"name":"label","value":"SI-07(16)_ODP","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the maximum time period permitted for processes to execute without supervision is defined;"}]}],"props":[{"name":"label","value":"SI-7(16)"},{"name":"label","value":"SI-07(16)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"}],"parts":[{"id":"si-7.16_smt","name":"statement","prose":"Prohibit processes from executing without supervision for more than {{ insert: param, si-07.16_odp }}."},{"id":"si-7.16_gdn","name":"guidance","prose":"Placing a time limit on process execution without supervision is intended to apply to processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, and manual oversight and response when system process anomalies occur."},{"id":"si-7.16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(16)","class":"sp800-53a"}],"prose":"processes are prohibited from executing without supervision for more than {{ insert: param, si-07.16_odp }}.","links":[{"href":"#si-7.16_smt","rel":"assessment-for"}]},{"id":"si-7.16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(16)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(16)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(16)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing time limits on process execution without supervision"}]}]},{"id":"si-7.17","class":"SP800-53-enhancement","title":"Runtime Application Self-protection","params":[{"id":"si-07.17_odp","props":[{"name":"alt-identifier","value":"si-7.17_prm_1"},{"name":"label","value":"SI-07(17)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented for application self-protection at runtime are defined;"}]}],"props":[{"name":"label","value":"SI-7(17)"},{"name":"label","value":"SI-07(17)","class":"sp800-53a"},{"name":"sort-id","value":"si-07.17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-7","rel":"required"},{"href":"#si-16","rel":"related"}],"parts":[{"id":"si-7.17_smt","name":"statement","prose":"Implement {{ insert: param, si-07.17_odp }} for application self-protection at runtime."},{"id":"si-7.17_gdn","name":"guidance","prose":"Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls which can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode."},{"id":"si-7.17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-07(17)","class":"sp800-53a"}],"prose":"{{ insert: param, si-07.17_odp }} are implemented for application self-protection at runtime.","links":[{"href":"#si-7.17_smt","rel":"assessment-for"}]},{"id":"si-7.17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-07(17)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of known vulnerabilities addressed by runtime instrumentation\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-7.17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-07(17)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for software, firmware, and\/or information integrity\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-7.17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-07(17)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Software, firmware, and information integrity verification tools\n\nmechanisms supporting and\/or implementing runtime application self-protection"}]}]}]},{"id":"si-8","class":"SP800-53","title":"Spam Protection","props":[{"name":"label","value":"SI-8"},{"name":"label","value":"SI-08","class":"sp800-53a"},{"name":"sort-id","value":"si-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#314e33cb-3681-4b50-a2a2-3fae9604accd","rel":"reference"},{"href":"#1c71b420-2bd9-4e52-9fc8-390f58b85b59","rel":"reference"},{"href":"#pl-9","rel":"related"},{"href":"#sc-5","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-8_smt","name":"statement","parts":[{"id":"si-8_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and"},{"id":"si-8_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."}]},{"id":"si-8_gdn","name":"guidance","prose":"System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions."},{"id":"si-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.","class":"sp800-53a"}],"parts":[{"id":"si-8_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[01]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[02]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to detect unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[03]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system entry points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-08a.[04]","class":"sp800-53a"}],"prose":"spam protection mechanisms are employed at system exit points to act on unsolicited messages;","links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt.a","rel":"assessment-for"}]},{"id":"si-8_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-08b.","class":"sp800-53a"}],"prose":"spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.","links":[{"href":"#si-8_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-8_smt","rel":"assessment-for"}]},{"id":"si-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nconfiguration management policies and procedures (CM-01)\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for implementing spam protection\n\nmechanisms supporting and\/or implementing spam protection"}]}],"controls":[{"id":"si-8.1","class":"SP800-53-enhancement","title":"Central Management","props":[{"name":"label","value":"SI-8(1)"},{"name":"label","value":"SI-08(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.01"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#pl-9","rel":"incorporated-into"}]},{"id":"si-8.2","class":"SP800-53-enhancement","title":"Automatic Updates","params":[{"id":"si-08.02_odp","props":[{"name":"alt-identifier","value":"si-8.2_prm_1"},{"name":"label","value":"SI-08(02)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to automatically update spam protection mechanisms is defined;"}]}],"props":[{"name":"label","value":"SI-8(2)"},{"name":"label","value":"SI-08(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.2_smt","name":"statement","prose":"Automatically update spam protection mechanisms {{ insert: param, si-08.02_odp }}."},{"id":"si-8.2_gdn","name":"guidance","prose":"Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities."},{"id":"si-8.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(02)","class":"sp800-53a"}],"prose":"spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.","links":[{"href":"#si-8.2_smt","rel":"assessment-for"}]},{"id":"si-8.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nrecords of spam protection updates\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing automatic updates to spam protection mechanisms"}]}]},{"id":"si-8.3","class":"SP800-53-enhancement","title":"Continuous Learning Capability","props":[{"name":"label","value":"SI-8(3)"},{"name":"label","value":"SI-08(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-08.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-8","rel":"required"}],"parts":[{"id":"si-8.3_smt","name":"statement","prose":"Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic."},{"id":"si-8.3_gdn","name":"guidance","prose":"Learning mechanisms include Bayesian filters that respond to user inputs that identify specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic."},{"id":"si-8.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-08(03)","class":"sp800-53a"}],"prose":"spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.","links":[{"href":"#si-8.3_smt","rel":"assessment-for"}]},{"id":"si-8.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-08(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing spam protection\n\nspam protection mechanisms\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-8.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-08(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for spam protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-8.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-08(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for spam protection\n\nmechanisms supporting and\/or implementing spam protection mechanisms with a learning capability"}]}]}]},{"id":"si-9","class":"SP800-53","title":"Information Input Restrictions","props":[{"name":"label","value":"SI-9"},{"name":"label","value":"SI-09","class":"sp800-53a"},{"name":"sort-id","value":"si-09"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#ac-2","rel":"incorporated-into"},{"href":"#ac-3","rel":"incorporated-into"},{"href":"#ac-5","rel":"incorporated-into"},{"href":"#ac-6","rel":"incorporated-into"}]},{"id":"si-10","class":"SP800-53","title":"Information Input Validation","params":[{"id":"si-10_odp","props":[{"name":"alt-identifier","value":"si-10_prm_1"},{"name":"alt-identifier","value":"si-10.1_prm_1"},{"name":"alt-label","value":"information inputs to the system","class":"sp800-53"},{"name":"label","value":"SI-10_ODP","class":"sp800-53a"}],"label":"information inputs","guidelines":[{"prose":"information inputs to the system requiring validity checks are defined;"}]}],"props":[{"name":"label","value":"SI-10"},{"name":"label","value":"SI-10","class":"sp800-53a"},{"name":"sort-id","value":"si-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"}],"parts":[{"id":"si-10_smt","name":"statement","prose":"Check the validity of the following information inputs: {{ insert: param, si-10_odp }}."},{"id":"si-10_gdn","name":"guidance","prose":"Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of \"387,\" \"abc,\" or \"%K%\" are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks."},{"id":"si-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10","class":"sp800-53a"}],"prose":"the validity of the {{ insert: param, si-10_odp }} is checked.","links":[{"href":"#si-10_smt","rel":"assessment-for"}]},{"id":"si-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\ndocumentation for automated tools and applications to verify the validity of information\n\nlist of information inputs requiring validity checks\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms supporting and\/or implementing validity checks on information inputs"}]}],"controls":[{"id":"si-10.1","class":"SP800-53-enhancement","title":"Manual Override Capability","params":[{"id":"si-10.01_odp","props":[{"name":"alt-identifier","value":"si-10.1_prm_2"},{"name":"label","value":"SI-10(01)_ODP","class":"sp800-53a"}],"label":"authorized individuals","guidelines":[{"prose":"authorized individuals who can use the manual override capability are defined;"}]}],"props":[{"name":"label","value":"SI-10(1)"},{"name":"label","value":"SI-10(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#au-2","rel":"related"},{"href":"#au-12","rel":"related"}],"parts":[{"id":"si-10.1_smt","name":"statement","parts":[{"id":"si-10.1_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Provide a manual override capability for input validation of the following information inputs: {{ insert: param, si-10_odp }};"},{"id":"si-10.1_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Restrict the use of the manual override capability to only {{ insert: param, si-10.01_odp }} ; and"},{"id":"si-10.1_smt.c","name":"item","props":[{"name":"label","value":"(c)"}],"prose":"Audit the use of the manual override capability."}]},{"id":"si-10.1_gdn","name":"guidance","prose":"In certain situations, such as during events that are defined in contingency plans, a manual override capability for input validation may be needed. Manual overrides are used only in limited circumstances and with the inputs defined by the organization."},{"id":"si-10.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)","class":"sp800-53a"}],"parts":[{"id":"si-10.1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(a)","class":"sp800-53a"}],"prose":"a manual override capability for the validation of {{ insert: param, si-10_odp }} is provided;","links":[{"href":"#si-10.1_smt.a","rel":"assessment-for"}]},{"id":"si-10.1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(b)","class":"sp800-53a"}],"prose":"the use of the manual override capability is restricted to only {{ insert: param, si-10.01_odp }};","links":[{"href":"#si-10.1_smt.b","rel":"assessment-for"}]},{"id":"si-10.1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SI-10(01)(c)","class":"sp800-53a"}],"prose":"the use of the manual override capability is audited.","links":[{"href":"#si-10.1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#si-10.1_smt","rel":"assessment-for"}]},{"id":"si-10.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\naccess control policy and procedures\n\nseparation of duties policy and procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the use of a manual override capability\n\nmechanisms supporting and\/or implementing a manual override capability for input validation\n\nmechanisms supporting and\/or implementing auditing of the use of a manual override capability"}]}]},{"id":"si-10.2","class":"SP800-53-enhancement","title":"Review and Resolve Errors","params":[{"id":"si-10.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-10.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-10.02_odp.02"}],"label":"organization-defined time period"},{"id":"si-10.02_odp.01","props":[{"name":"label","value":"SI-10(02)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which input validation errors are to be reviewed is defined;"}]},{"id":"si-10.02_odp.02","props":[{"name":"label","value":"SI-10(02)_ODP[02]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"the time period within which input validation errors are to be resolved is defined;"}]}],"props":[{"name":"label","value":"SI-10(2)"},{"name":"label","value":"SI-10(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.2_smt","name":"statement","prose":"Review and resolve input validation errors within {{ insert: param, si-10.2_prm_1 }}."},{"id":"si-10.2_gdn","name":"guidance","prose":"Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input. Input validation errors are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)","class":"sp800-53a"}],"parts":[{"id":"si-10.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)[01]","class":"sp800-53a"}],"prose":"input validation errors are reviewed within {{ insert: param, si-10.02_odp.01 }};","links":[{"href":"#si-10.2_smt","rel":"assessment-for"}]},{"id":"si-10.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-10(02)[02]","class":"sp800-53a"}],"prose":"input validation errors are resolved within {{ insert: param, si-10.02_odp.02 }}.","links":[{"href":"#si-10.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-10.2_smt","rel":"assessment-for"}]},{"id":"si-10.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nreview records of information input validation errors and resulting resolutions\n\ninformation input validation error logs or records\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators"}]},{"id":"si-10.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the review and resolution of input validation errors\n\nmechanisms supporting and\/or implementing the review and resolution of input validation errors"}]}]},{"id":"si-10.3","class":"SP800-53-enhancement","title":"Predictable Behavior","props":[{"name":"label","value":"SI-10(3)"},{"name":"label","value":"SI-10(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.3_smt","name":"statement","prose":"Verify that the system behaves in a predictable and documented manner when invalid inputs are received."},{"id":"si-10.3_gdn","name":"guidance","prose":"A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. Verification of system predictability helps ensure that the system behaves as expected when invalid inputs are received. This occurs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)","class":"sp800-53a"}],"parts":[{"id":"si-10.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)[01]","class":"sp800-53a"}],"prose":"the system behaves in a predictable manner when invalid inputs are received;","links":[{"href":"#si-10.3_smt","rel":"assessment-for"}]},{"id":"si-10.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-10(03)[02]","class":"sp800-53a"}],"prose":"the system behaves in a documented manner when invalid inputs are received.","links":[{"href":"#si-10.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-10.3_smt","rel":"assessment-for"}]},{"id":"si-10.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing predictable behavior when invalid inputs are received"}]}]},{"id":"si-10.4","class":"SP800-53-enhancement","title":"Timing Interactions","props":[{"name":"label","value":"SI-10(4)"},{"name":"label","value":"SI-10(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"}],"parts":[{"id":"si-10.4_smt","name":"statement","prose":"Account for timing interactions among system components in determining appropriate responses for invalid inputs."},{"id":"si-10.4_gdn","name":"guidance","prose":"In addressing invalid system inputs received across protocol interfaces, timing interactions become relevant, where one protocol needs to consider the impact of the error response on other protocols in the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with Transmission Control Protocols (TCP) when packets are dropped (which could be due to invalid packet input). TCP assumes packet losses are due to congestion, while packets lost over 802.11 links are typically dropped due to noise or collisions on the link. If TCP makes a congestion response, it takes the wrong action in response to a collision event. Adversaries may be able to use what appear to be acceptable individual behaviors of the protocols in concert to achieve adverse effects through suitable construction of invalid input. The invalid inputs are those related to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(04)","class":"sp800-53a"}],"prose":"timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.","links":[{"href":"#si-10.4_smt","rel":"assessment-for"}]},{"id":"si-10.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for determining appropriate responses to invalid inputs\n\nautomated mechanisms supporting and\/or implementing responses to invalid inputs"}]}]},{"id":"si-10.5","class":"SP800-53-enhancement","title":"Restrict Inputs to Trusted Sources and Approved Formats","params":[{"id":"si-10.05_odp.01","props":[{"name":"alt-identifier","value":"si-10.5_prm_1"},{"name":"label","value":"SI-10(05)_ODP[01]","class":"sp800-53a"}],"label":"trusted sources","guidelines":[{"prose":"trusted sources to which the use of information inputs is to be restricted are defined;"}]},{"id":"si-10.05_odp.02","props":[{"name":"alt-identifier","value":"si-10.5_prm_2"},{"name":"label","value":"SI-10(05)_ODP[02]","class":"sp800-53a"}],"label":"formats","guidelines":[{"prose":"formats to which the use of information inputs is to be restricted are defined;"}]}],"props":[{"name":"label","value":"SI-10(5)"},{"name":"label","value":"SI-10(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"si-10.5_smt","name":"statement","prose":"Restrict the use of information inputs to {{ insert: param, si-10.05_odp.01 }} and\/or {{ insert: param, si-10.05_odp.02 }}."},{"id":"si-10.5_gdn","name":"guidance","prose":"Restricting the use of inputs to trusted sources and in trusted formats applies the concept of authorized or permitted software to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. The information inputs are those defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(05)","class":"sp800-53a"}],"prose":"the use of information inputs is restricted to {{ insert: param, si-10.05_odp.01 }} and\/or {{ insert: param, si-10.05_odp.02 }}.","links":[{"href":"#si-10.5_smt","rel":"assessment-for"}]},{"id":"si-10.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of trusted sources for information inputs\n\nlist of acceptable formats for input restrictions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for restricting information inputs\n\nautomated mechanisms supporting and\/or implementing restriction of information inputs"}]}]},{"id":"si-10.6","class":"SP800-53-enhancement","title":"Injection Prevention","props":[{"name":"label","value":"SI-10(6)"},{"name":"label","value":"SI-10(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-10.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-10","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-6","rel":"related"}],"parts":[{"id":"si-10.6_smt","name":"statement","prose":"Prevent untrusted data injections."},{"id":"si-10.6_gdn","name":"guidance","prose":"Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses specified characters to inform the interpreter’s parser whether data is trusted. Prevention of untrusted data injections are with respect to the information inputs defined by the organization in the base control ( [SI-10](#si-10))."},{"id":"si-10.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-10(06)","class":"sp800-53a"}],"prose":"untrusted data injections are prevented.","links":[{"href":"#si-10.6_smt","rel":"assessment-for"}]},{"id":"si-10.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-10(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information input validation\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of trusted sources for information inputs\n\nlist of acceptable formats for input restrictions\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-10.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-10(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-10.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-10(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for preventing untrusted data injections\n\nautomated mechanisms supporting and\/or implementing injection prevention"}]}]}]},{"id":"si-11","class":"SP800-53","title":"Error Handling","params":[{"id":"si-11_odp","props":[{"name":"alt-identifier","value":"si-11_prm_1"},{"name":"label","value":"SI-11_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom error messages are to be revealed is\/are defined;"}]}],"props":[{"name":"label","value":"SI-11"},{"name":"label","value":"SI-11","class":"sp800-53a"},{"name":"sort-id","value":"si-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#au-2","rel":"related"},{"href":"#au-3","rel":"related"},{"href":"#sc-31","rel":"related"},{"href":"#si-2","rel":"related"},{"href":"#si-15","rel":"related"}],"parts":[{"id":"si-11_smt","name":"statement","parts":[{"id":"si-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and"},{"id":"si-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Reveal error messages only to {{ insert: param, si-11_odp }}."}]},{"id":"si-11_gdn","name":"guidance","prose":"Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information."},{"id":"si-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-11","class":"sp800-53a"}],"parts":[{"id":"si-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-11a.","class":"sp800-53a"}],"prose":"error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;","links":[{"href":"#si-11_smt.a","rel":"assessment-for"}]},{"id":"si-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-11b.","class":"sp800-53a"}],"prose":"error messages are revealed only to {{ insert: param, si-11_odp }}.","links":[{"href":"#si-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-11_smt","rel":"assessment-for"}]},{"id":"si-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing system error handling\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation providing the structure and content of error messages\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for information input validation\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for error handling\n\nautomated mechanisms supporting and\/or implementing error handling\n\nautomated mechanisms supporting and\/or implementing the management of error messages"}]}]},{"id":"si-12","class":"SP800-53","title":"Information Management and Retention","props":[{"name":"label","value":"SI-12"},{"name":"label","value":"SI-12","class":"sp800-53a"},{"name":"sort-id","value":"si-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#e922fc50-b1f9-469f-92ef-ed7d9803611c","rel":"reference"},{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#ac-16","rel":"related"},{"href":"#au-5","rel":"related"},{"href":"#au-11","rel":"related"},{"href":"#ca-2","rel":"related"},{"href":"#ca-3","rel":"related"},{"href":"#ca-5","rel":"related"},{"href":"#ca-6","rel":"related"},{"href":"#ca-7","rel":"related"},{"href":"#ca-9","rel":"related"},{"href":"#cm-5","rel":"related"},{"href":"#cm-9","rel":"related"},{"href":"#cp-2","rel":"related"},{"href":"#ir-8","rel":"related"},{"href":"#mp-2","rel":"related"},{"href":"#mp-3","rel":"related"},{"href":"#mp-4","rel":"related"},{"href":"#mp-6","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pl-4","rel":"related"},{"href":"#pm-4","rel":"related"},{"href":"#pm-8","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#ps-2","rel":"related"},{"href":"#ps-6","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#pt-3","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sr-2","rel":"related"}],"parts":[{"id":"si-12_smt","name":"statement","prose":"Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."},{"id":"si-12_gdn","name":"guidance","prose":"Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, [AC-6(9)](#ac-6.9), [AT-4](#at-4), [AU-12](#au-12), [CA-2](#ca-2), [CA-3](#ca-3), [CA-5](#ca-5), [CA-6](#ca-6), [CA-7](#ca-7), [CA-8](#ca-8), [CA-9](#ca-9), [CM-2](#cm-2), [CM-3](#cm-3), [CM-4](#cm-4), [CM-6](#cm-6), [CM-8](#cm-8), [CM-9](#cm-9), [CM-12](#cm-12), [CM-13](#cm-13), [CP-2](#cp-2), [IR-6](#ir-6), [IR-8](#ir-8), [MA-2](#ma-2), [MA-4](#ma-4), [PE-2](#pe-2), [PE-8](#pe-8), [PE-16](#pe-16), [PE-17](#pe-17), [PL-2](#pl-2), [PL-4](#pl-4), [PL-7](#pl-7), [PL-8](#pl-8), [PM-5](#pm-5), [PM-8](#pm-8), [PM-9](#pm-9), [PM-18](#pm-18), [PM-21](#pm-21), [PM-27](#pm-27), [PM-28](#pm-28), [PM-30](#pm-30), [PM-31](#pm-31), [PS-2](#ps-2), [PS-6](#ps-6), [PS-7](#ps-7), [PT-2](#pt-2), [PT-3](#pt-3), [PT-7](#pt-7), [RA-2](#ra-2), [RA-3](#ra-3), [RA-5](#ra-5), [RA-8](#ra-8), [SA-4](#sa-4), [SA-5](#sa-5), [SA-8](#sa-8), [SA-10](#sa-10), [SI-4](#si-4), [SR-2](#sr-2), [SR-4](#sr-4), [SR-8](#sr-8)."},{"id":"si-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12","class":"sp800-53a"}],"parts":[{"id":"si-12_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12[01]","class":"sp800-53a"}],"prose":"information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12[02]","class":"sp800-53a"}],"prose":"information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12[03]","class":"sp800-53a"}],"prose":"information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;","links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SI-12[04]","class":"sp800-53a"}],"prose":"information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.","links":[{"href":"#si-12_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12_smt","rel":"assessment-for"}]},{"id":"si-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention\n\nmedia protection policy\n\nmedia protection procedures\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\npersonally identifiable information inventory\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management, retention, and disposition\n\nautomated mechanisms supporting and\/or implementing information management, retention, and disposition"}]}],"controls":[{"id":"si-12.1","class":"SP800-53-enhancement","title":"Limit Personally Identifiable Information Elements","params":[{"id":"si-12.01_odp","props":[{"name":"alt-identifier","value":"si-12.1_prm_1"},{"name":"label","value":"SI-12(01)_ODP","class":"sp800-53a"}],"label":"elements of personally identifiable information","guidelines":[{"prose":"elements of personally identifiable information being processed in the information life cycle are defined;"}]}],"props":[{"name":"label","value":"SI-12(1)"},{"name":"label","value":"SI-12(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-25","rel":"related"}],"parts":[{"id":"si-12.1_smt","name":"statement","prose":"Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: {{ insert: param, si-12.01_odp }}."},{"id":"si-12.1_gdn","name":"guidance","prose":"Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk."},{"id":"si-12.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(01)","class":"sp800-53a"}],"prose":"personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.","links":[{"href":"#si-12.1_smt","rel":"assessment-for"}]},{"id":"si-12.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\ndata mapping documentation\n\nother relevant documents or records"}]},{"id":"si-12.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information management and retention (including limiting personally identifiable information processing)\n\nautomated mechanisms supporting and\/or implementing limits to personally identifiable information processing"}]}]},{"id":"si-12.2","class":"SP800-53-enhancement","title":"Minimize Personally Identifiable Information in Testing, Training, and Research","params":[{"id":"si-12.2_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.02_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.02_odp.01","props":[{"name":"label","value":"SI-12(02)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for research are defined;"}]},{"id":"si-12.02_odp.02","props":[{"name":"label","value":"SI-12(02)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for testing are defined;"}]},{"id":"si-12.02_odp.03","props":[{"name":"label","value":"SI-12(02)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to minimize the use of personally identifiable information for training are defined;"}]}],"props":[{"name":"label","value":"SI-12(2)"},{"name":"label","value":"SI-12(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"},{"href":"#pm-22","rel":"related"},{"href":"#pm-25","rel":"related"},{"href":"#si-19","rel":"related"}],"parts":[{"id":"si-12.2_smt","name":"statement","prose":"Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: {{ insert: param, si-12.2_prm_1 }}."},{"id":"si-12.2_gdn","name":"guidance","prose":"Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them."},{"id":"si-12.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)","class":"sp800-53a"}],"parts":[{"id":"si-12.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(02)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.","links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12.2_smt","rel":"assessment-for"}]},{"id":"si-12.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nfederal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research\n\npolicy for the minimization of personally identifiable information used in testing, training, and research\n\nprocedures for the minimization of personally identifiable information used in testing, training, and research\n\ndocumentation supporting minimization policy implementation (e.g., templates for testing, training, and research)\n\ndata sets used for testing, training, and research\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators\n\nsystem developers\n\npersonnel with IRB responsibilities"}]},{"id":"si-12.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the minimization of personally identifiable information used in testing, training, and research\n\nautomated mechanisms supporting and\/or implementing the minimization of personally identifiable information used in testing, training, and research"}]}]},{"id":"si-12.3","class":"SP800-53-enhancement","title":"Information Disposal","params":[{"id":"si-12.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-12.03_odp.03"}],"label":"organization-defined techniques"},{"id":"si-12.03_odp.01","props":[{"name":"label","value":"SI-12(03)_ODP[01]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to dispose of information following the retention period are defined;"}]},{"id":"si-12.03_odp.02","props":[{"name":"label","value":"SI-12(03)_ODP[02]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to destroy information following the retention period are defined;"}]},{"id":"si-12.03_odp.03","props":[{"name":"label","value":"SI-12(03)_ODP[03]","class":"sp800-53a"}],"label":"techniques","guidelines":[{"prose":"techniques used to erase information following the retention period are defined;"}]}],"props":[{"name":"label","value":"SI-12(3)"},{"name":"label","value":"SI-12(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-12.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-12","rel":"required"}],"parts":[{"id":"si-12.3_smt","name":"statement","prose":"Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ insert: param, si-12.3_prm_1 }}."},{"id":"si-12.3_gdn","name":"guidance","prose":"Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information."},{"id":"si-12.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)","class":"sp800-53a"}],"parts":[{"id":"si-12.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-12(03)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.","links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-12.3_smt","rel":"assessment-for"}]},{"id":"si-12.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-12(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\npersonally identifiable information processing procedures\n\nrecords retention and disposition policy\n\nrecords retention and disposition procedures\n\nlaws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal\n\nmedia protection policy\n\nmedia protection procedures\n\nsystem audit records\n\naudit findings\n\ninformation disposal records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-12.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-12(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information and records management, retention, and disposition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\nnetwork administrators"}]},{"id":"si-12.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-12(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for information disposition\n\nautomated mechanisms supporting and\/or implementing information disposition"}]}]}]},{"id":"si-13","class":"SP800-53","title":"Predictable Failure Prevention","params":[{"id":"si-13_odp.01","props":[{"name":"alt-identifier","value":"si-13_prm_1"},{"name":"label","value":"SI-13_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components for which mean time to failure (MTTF) should be determined are defined;"}]},{"id":"si-13_odp.02","props":[{"name":"alt-identifier","value":"si-13_prm_2"},{"name":"alt-label","value":"MTTF substitution criteria","class":"sp800-53"},{"name":"label","value":"SI-13_ODP[02]","class":"sp800-53a"}],"label":"mean time to failure (MTTF) substitution criteria","guidelines":[{"prose":"mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;"}]}],"props":[{"name":"label","value":"SI-13"},{"name":"label","value":"SI-13","class":"sp800-53a"},{"name":"sort-id","value":"si-13"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-2","rel":"related"},{"href":"#cp-10","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sc-6","rel":"related"}],"parts":[{"id":"si-13_smt","name":"statement","parts":[{"id":"si-13_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Determine mean time to failure (MTTF) for the following system components in specific environments of operation: {{ insert: param, si-13_odp.01 }} ; and"},{"id":"si-13_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: {{ insert: param, si-13_odp.02 }}."}]},{"id":"si-13_gdn","name":"guidance","prose":"While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities. Failure rates reflect installation-specific consideration rather than the industry-average. Organizations define the criteria for the substitution of system components based on the MTTF value with consideration for the potential harm from component failures. The transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capabilities. The preservation of system state variables is also critical to help ensure a successful transfer process. Standby components remain available at all times except for maintenance issues or recovery failures in progress."},{"id":"si-13_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13","class":"sp800-53a"}],"parts":[{"id":"si-13_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-13a.","class":"sp800-53a"}],"prose":"mean time to failure (MTTF) is determined for {{ insert: param, si-13_odp.01 }} in specific environments of operation;","links":[{"href":"#si-13_smt.a","rel":"assessment-for"}]},{"id":"si-13_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-13b.","class":"sp800-53a"}],"prose":"substitute system components and a means to exchange active and standby components are provided in accordance with {{ insert: param, si-13_odp.02 }}.","links":[{"href":"#si-13_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-13_smt","rel":"assessment-for"}]},{"id":"si-13_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of MTTF substitution criteria\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF determinations and activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF"}]}],"controls":[{"id":"si-13.1","class":"SP800-53-enhancement","title":"Transferring Component Responsibilities","params":[{"id":"si-13.01_odp","props":[{"name":"alt-identifier","value":"si-13.1_prm_1"},{"name":"label","value":"SI-13(01)_ODP","class":"sp800-53a"}],"label":"fraction or percentage","guidelines":[{"prose":"the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined;"}]}],"props":[{"name":"label","value":"SI-13(1)"},{"name":"label","value":"SI-13(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.1_smt","name":"statement","prose":"Take system components out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure."},{"id":"si-13.1_gdn","name":"guidance","prose":"Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business functions. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, the premature replacement of system components can result in the increased cost of system operations."},{"id":"si-13.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(01)","class":"sp800-53a"}],"prose":"system components are taken out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure.","links":[{"href":"#si-13.1_smt","rel":"assessment-for"}]},{"id":"si-13.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF\n\nautomated mechanisms supporting and\/or implementing the transfer of component responsibilities to substitute components"}]}]},{"id":"si-13.2","class":"SP800-53-enhancement","title":"Time Limit on Process Execution Without Supervision","props":[{"name":"label","value":"SI-13(2)"},{"name":"label","value":"SI-13(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.02"},{"name":"status","value":"withdrawn"}],"links":[{"href":"#si-7.16","rel":"incorporated-into"}]},{"id":"si-13.3","class":"SP800-53-enhancement","title":"Manual Transfer Between Components","params":[{"id":"si-13.03_odp","props":[{"name":"alt-identifier","value":"si-13.3_prm_1"},{"name":"label","value":"SI-13(03)_ODP","class":"sp800-53a"}],"label":"percentage","guidelines":[{"prose":"the percentage of the mean time to failure for transfers to be manually initiated is defined;"}]}],"props":[{"name":"label","value":"SI-13(3)"},{"name":"label","value":"SI-13(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.3_smt","name":"statement","prose":"Manually initiate transfers between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure."},{"id":"si-13.3_gdn","name":"guidance","prose":"For example, if the MTTF for a system component is 100 days and the MTTF percentage defined by the organization is 90 percent, the manual transfer would occur after 90 days."},{"id":"si-13.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(03)","class":"sp800-53a"}],"prose":"transfers are initiated manually between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure.","links":[{"href":"#si-13.3_smt","rel":"assessment-for"}]},{"id":"si-13.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF and conducting the manual transfer between active and standby components"}]}]},{"id":"si-13.4","class":"SP800-53-enhancement","title":"Standby Component Installation and Notification","params":[{"id":"si-13.04_odp.01","props":[{"name":"alt-identifier","value":"si-13.4_prm_1"},{"name":"label","value":"SI-13(04)_ODP[01]","class":"sp800-53a"}],"label":"time period","guidelines":[{"prose":"time period for standby components to be installed is defined;"}]},{"id":"si-13.04_odp.02","props":[{"name":"alt-identifier","value":"si-13.4_prm_2"},{"name":"label","value":"SI-13(04)_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["activate {{ insert: param, si-13.04_odp.03 }} ","automatically shut down the system","{{ insert: param, si-13.04_odp.04 }} "]}},{"id":"si-13.04_odp.03","props":[{"name":"alt-identifier","value":"si-13.4_prm_3"},{"name":"label","value":"SI-13(04)_ODP[03]","class":"sp800-53a"}],"label":"alarm","guidelines":[{"prose":"alarm to be activated when system component failures are detected is defined (if selected);"}]},{"id":"si-13.04_odp.04","props":[{"name":"alt-identifier","value":"si-13.4_prm_4"},{"name":"label","value":"SI-13(04)_ODP[04]","class":"sp800-53a"}],"label":"action","guidelines":[{"prose":"action to be taken when system component failures are detected is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-13(4)"},{"name":"label","value":"SI-13(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"}],"parts":[{"id":"si-13.4_smt","name":"statement","prose":"If system component failures are detected:","parts":[{"id":"si-13.4_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Ensure that the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} ; and"},{"id":"si-13.4_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"{{ insert: param, si-13.04_odp.02 }}."}]},{"id":"si-13.4_gdn","name":"guidance","prose":"Automatic or manual transfer of components from standby to active mode can occur upon the detection of component failures."},{"id":"si-13.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)","class":"sp800-53a"}],"parts":[{"id":"si-13.4_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)(a)","class":"sp800-53a"}],"prose":"the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} if system component failures are detected;","links":[{"href":"#si-13.4_smt.a","rel":"assessment-for"}]},{"id":"si-13.4_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-13(04)(b)","class":"sp800-53a"}],"prose":"{{ insert: param, si-13.04_odp.02 }} are performed if system component failures are detected.","links":[{"href":"#si-13.4_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-13.4_smt","rel":"assessment-for"}]},{"id":"si-13.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of actions to be taken once system component failure is detected\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for MTTF activities\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing MTTF\n\nautomated mechanisms supporting and\/or implementing the transparent installation of standby components\n\nautomated mechanisms supporting and\/or implementing alarms or system shutdown if component failures are detected"}]}]},{"id":"si-13.5","class":"SP800-53-enhancement","title":"Failover Capability","params":[{"id":"si-13.05_odp.01","props":[{"name":"alt-identifier","value":"si-13.5_prm_1"},{"name":"label","value":"SI-13(05)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["real-time","near real-time"]}},{"id":"si-13.05_odp.02","props":[{"name":"alt-identifier","value":"si-13.5_prm_2"},{"name":"label","value":"SI-13(05)_ODP[02]","class":"sp800-53a"}],"label":"failover capability","guidelines":[{"prose":"a failover capability for the system has been defined;"}]}],"props":[{"name":"label","value":"SI-13(5)"},{"name":"label","value":"SI-13(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-13.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-13","rel":"required"},{"href":"#cp-6","rel":"related"},{"href":"#cp-7","rel":"related"},{"href":"#cp-9","rel":"related"}],"parts":[{"id":"si-13.5_smt","name":"statement","prose":"Provide {{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} for the system."},{"id":"si-13.5_gdn","name":"guidance","prose":"Failover refers to the automatic switchover to an alternate system upon the failure of the primary system. Failover capability includes incorporating mirrored system operations at alternate processing sites or periodic data mirroring at regular intervals defined by the recovery time periods of organizations."},{"id":"si-13.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-13(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} is provided for the system.","links":[{"href":"#si-13.5_smt","rel":"assessment-for"}]},{"id":"si-13.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-13(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing predictable failure prevention\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ndocumentation describing the failover capability provided for the system\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-13.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-13(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for the failover capability\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\norganizational personnel with contingency planning responsibilities"}]},{"id":"si-13.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-13(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for managing the failover capability\n\nautomated mechanisms supporting and\/or implementing the failover capability"}]}]}]},{"id":"si-14","class":"SP800-53","title":"Non-persistence","params":[{"id":"si-14_odp.01","props":[{"name":"alt-identifier","value":"si-14_prm_1"},{"name":"label","value":"SI-14_ODP[01]","class":"sp800-53a"}],"label":"system components and services","guidelines":[{"prose":"non-persistent system components and services to be implemented are defined;"}]},{"id":"si-14_odp.02","props":[{"name":"alt-identifier","value":"si-14_prm_2"},{"name":"label","value":"SI-14_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["upon end of session of use","{{ insert: param, si-14_odp.03 }} "]}},{"id":"si-14_odp.03","props":[{"name":"alt-identifier","value":"si-14_prm_3"},{"name":"label","value":"SI-14_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-14"},{"name":"label","value":"SI-14","class":"sp800-53a"},{"name":"sort-id","value":"si-14"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sc-30","rel":"related"},{"href":"#sc-34","rel":"related"},{"href":"#si-21","rel":"related"}],"parts":[{"id":"si-14_smt","name":"statement","prose":"Implement non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state and terminated {{ insert: param, si-14_odp.02 }}."},{"id":"si-14_gdn","name":"guidance","prose":"Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.\n\nNon-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities."},{"id":"si-14_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14","class":"sp800-53a"}],"parts":[{"id":"si-14_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-14[01]","class":"sp800-53a"}],"prose":"non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state are implemented;","links":[{"href":"#si-14_smt","rel":"assessment-for"}]},{"id":"si-14_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-14[02]","class":"sp800-53a"}],"prose":"non-persistent {{ insert: param, si-14_odp.01 }} are terminated {{ insert: param, si-14_odp.02 }}.","links":[{"href":"#si-14_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-14_smt","rel":"assessment-for"}]},{"id":"si-14_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for non-persistence\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-14_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the initiation and termination of non-persistent components"}]}],"controls":[{"id":"si-14.1","class":"SP800-53-enhancement","title":"Refresh from Trusted Sources","params":[{"id":"si-14.01_odp","props":[{"name":"alt-identifier","value":"si-14.1_prm_1"},{"name":"label","value":"SI-14(01)_ODP","class":"sp800-53a"}],"label":"trusted sources","guidelines":[{"prose":"trusted sources to obtain software and data for system component and service refreshes are defined;"}]}],"props":[{"name":"label","value":"SI-14(1)"},{"name":"label","value":"SI-14(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"}],"parts":[{"id":"si-14.1_smt","name":"statement","prose":"Obtain software and data employed during system component and service refreshes from the following trusted sources: {{ insert: param, si-14.01_odp }}."},{"id":"si-14.1_gdn","name":"guidance","prose":"Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities."},{"id":"si-14.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(01)","class":"sp800-53a"}],"prose":"the software and data employed during system component and service refreshes are obtained from {{ insert: param, si-14.01_odp }}.","links":[{"href":"#si-14.1_smt","rel":"assessment-for"}]},{"id":"si-14.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for obtaining component and service refreshes from trusted sources\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and obtaining component and service refreshes from trusted sources\n\nautomated mechanisms supporting and\/or implementing component and service refreshes"}]}]},{"id":"si-14.2","class":"SP800-53-enhancement","title":"Non-persistent Information","params":[{"id":"si-14.02_odp.01","props":[{"name":"alt-identifier","value":"si-14.2_prm_1"},{"name":"label","value":"SI-14(02)_ODP[01]","class":"sp800-53a"}],"select":{"choice":["refresh {{ insert: param, si-14.02_odp.02 }} {{ insert: param, si-14.02_odp.03 }} ","generate {{ insert: param, si-14.02_odp.04 }} on demand"]}},{"id":"si-14.02_odp.02","props":[{"name":"alt-identifier","value":"si-14.2_prm_2"},{"name":"label","value":"SI-14(02)_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be refreshed is defined (if selected);"}]},{"id":"si-14.02_odp.03","props":[{"name":"alt-identifier","value":"si-14.2_prm_3"},{"name":"label","value":"SI-14(02)_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to refresh information is defined (if selected);"}]},{"id":"si-14.02_odp.04","props":[{"name":"alt-identifier","value":"si-14.2_prm_4"},{"name":"label","value":"SI-14(02)_ODP[04]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be generated is defined (if selected);"}]}],"props":[{"name":"label","value":"SI-14(2)"},{"name":"label","value":"SI-14(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"}],"parts":[{"id":"si-14.2_smt","name":"statement","parts":[{"id":"si-14.2_smt.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"{{ insert: param, si-14.02_odp.01 }} ; and"},{"id":"si-14.2_smt.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Delete information when no longer needed."}]},{"id":"si-14.2_gdn","name":"guidance","prose":"Retaining information longer than is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system."},{"id":"si-14.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)","class":"sp800-53a"}],"parts":[{"id":"si-14.2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)(a)","class":"sp800-53a"}],"prose":"{{ insert: param, si-14.02_odp.01 }} is performed;","links":[{"href":"#si-14.2_smt.a","rel":"assessment-for"}]},{"id":"si-14.2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-14(02)(b)","class":"sp800-53a"}],"prose":"information is deleted when no longer needed.","links":[{"href":"#si-14.2_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-14.2_smt","rel":"assessment-for"}]},{"id":"si-14.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for ensuring that information is and remains non-persistent\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for ensuring that information is and remains non-persistent\n\nautomated mechanisms supporting and\/or implementing component and service refreshes"}]}]},{"id":"si-14.3","class":"SP800-53-enhancement","title":"Non-persistent Connectivity","params":[{"id":"si-14.03_odp","props":[{"name":"alt-identifier","value":"si-14.3_prm_1"},{"name":"label","value":"SI-14(03)_ODP","class":"sp800-53a"}],"select":{"choice":["completion of a request","a period of non-use"]}}],"props":[{"name":"label","value":"SI-14(3)"},{"name":"label","value":"SI-14(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-14.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-14","rel":"required"},{"href":"#sc-10","rel":"related"}],"parts":[{"id":"si-14.3_smt","name":"statement","prose":"Establish connections to the system on demand and terminate connections after {{ insert: param, si-14.03_odp }}."},{"id":"si-14.3_gdn","name":"guidance","prose":"Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems and potentially position themselves closer to high value assets. Limiting the availability of such connections impedes the adversary’s ability to move freely through organizational systems."},{"id":"si-14.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)","class":"sp800-53a"}],"parts":[{"id":"si-14.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)[01]","class":"sp800-53a"}],"prose":"connections to the system are established on demand;","links":[{"href":"#si-14.3_smt","rel":"assessment-for"}]},{"id":"si-14.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-14(03)[02]","class":"sp800-53a"}],"prose":"connections to the system are terminated after {{ insert: param, si-14.03_odp }}.","links":[{"href":"#si-14.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-14.3_smt","rel":"assessment-for"}]},{"id":"si-14.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-14(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing non-persistence for system components\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-14.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-14(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for limiting persistent connections\n\norganizational personnel with information security responsibilities"}]},{"id":"si-14.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-14(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for limiting persistent connections\n\nautomated mechanisms supporting and\/or implementing non-persistent connectivity"}]}]}]},{"id":"si-15","class":"SP800-53","title":"Information Output Filtering","params":[{"id":"si-15_odp","props":[{"name":"alt-identifier","value":"si-15_prm_1"},{"name":"label","value":"SI-15_ODP","class":"sp800-53a"}],"label":"software programs and\/or applications","guidelines":[{"prose":"software programs and\/or applications whose information output requires validation are defined;"}]}],"props":[{"name":"label","value":"SI-15"},{"name":"label","value":"SI-15","class":"sp800-53a"},{"name":"sort-id","value":"si-15"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#si-3","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-11","rel":"related"}],"parts":[{"id":"si-15_smt","name":"statement","prose":"Validate information output from the following software programs and\/or applications to ensure that the information is consistent with the expected content: {{ insert: param, si-15_odp }}."},{"id":"si-15_gdn","name":"guidance","prose":"Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered."},{"id":"si-15_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-15","class":"sp800-53a"}],"prose":"information output from {{ insert: param, si-15_odp }} is validated to ensure that the information is consistent with the expected content.","links":[{"href":"#si-15_smt","rel":"assessment-for"}]},{"id":"si-15_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-15-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing information output filtering\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-15_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-15-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for validating information output\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-15_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-15-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for validating information output\n\nautomated mechanisms supporting and\/or implementing information output validation"}]}]},{"id":"si-16","class":"SP800-53","title":"Memory Protection","params":[{"id":"si-16_odp","props":[{"name":"alt-identifier","value":"si-16_prm_1"},{"name":"label","value":"SI-16_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to be implemented to protect the system memory from unauthorized code execution are defined;"}]}],"props":[{"name":"label","value":"SI-16"},{"name":"label","value":"SI-16","class":"sp800-53a"},{"name":"sort-id","value":"si-16"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#ac-25","rel":"related"},{"href":"#sc-3","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"si-16_smt","name":"statement","prose":"Implement the following controls to protect the system memory from unauthorized code execution: {{ insert: param, si-16_odp }}."},{"id":"si-16_gdn","name":"guidance","prose":"Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism."},{"id":"si-16_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-16","class":"sp800-53a"}],"prose":"{{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.","links":[{"href":"#si-16_smt","rel":"assessment-for"}]},{"id":"si-16_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-16-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\nprocedures addressing memory protection for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-16_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-16-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for memory protection\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-16_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-16-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing safeguards to protect the system memory from unauthorized code execution"}]}]},{"id":"si-17","class":"SP800-53","title":"Fail-safe Procedures","params":[{"id":"si-17_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-17_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-17_odp.02"}],"label":"organization-defined list of failure conditions and associated fail-safe procedures"},{"id":"si-17_odp.01","props":[{"name":"label","value":"SI-17_ODP[01]","class":"sp800-53a"}],"label":"fail-safe procedures","guidelines":[{"prose":"fail-safe procedures associated with failure conditions are defined;"}]},{"id":"si-17_odp.02","props":[{"name":"label","value":"SI-17_ODP[02]","class":"sp800-53a"}],"label":"list of failure conditions","guidelines":[{"prose":"a list of failure conditions requiring fail-safe procedures is defined;"}]}],"props":[{"name":"label","value":"SI-17"},{"name":"label","value":"SI-17","class":"sp800-53a"},{"name":"sort-id","value":"si-17"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#cp-12","rel":"related"},{"href":"#cp-13","rel":"related"},{"href":"#sc-24","rel":"related"},{"href":"#si-13","rel":"related"}],"parts":[{"id":"si-17_smt","name":"statement","prose":"Implement the indicated fail-safe procedures when the indicated failures occur: {{ insert: param, si-17_prm_1 }}."},{"id":"si-17_gdn","name":"guidance","prose":"Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel."},{"id":"si-17_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-17","class":"sp800-53a"}],"prose":"{{ insert: param, si-17_odp.01 }} are implemented when {{ insert: param, si-17_odp.02 }} occur.","links":[{"href":"#si-17_smt","rel":"assessment-for"}]},{"id":"si-17_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-17-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\ndocumentation addressing fail-safe procedures for the system\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of security safeguards protecting the system memory from unauthorized code execution\n\nsystem audit records\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"si-17_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-17-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for fail-safe procedures\n\norganizational personnel with information security responsibilities\n\nsystem\/network administrators\n\nsystem developer"}]},{"id":"si-17_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-17-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational fail-safe procedures\n\nautomated mechanisms supporting and\/or implementing fail-safe procedures"}]}]},{"id":"si-18","class":"SP800-53","title":"Personally Identifiable Information Quality Operations","params":[{"id":"si-18_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.02"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.03"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"si-18_odp.04"}],"label":"organization-defined frequency"},{"id":"si-18_odp.01","props":[{"name":"label","value":"SI-18_ODP[01]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.02","props":[{"name":"label","value":"SI-18_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.03","props":[{"name":"label","value":"SI-18_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;"}]},{"id":"si-18_odp.04","props":[{"name":"label","value":"SI-18_ODP[04]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;"}]}],"props":[{"name":"label","value":"SI-18"},{"name":"label","value":"SI-18","class":"sp800-53a"},{"name":"sort-id","value":"si-18"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#227063d4-431e-435f-9e8f-009b6dbc20f4","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#pm-22","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#pt-2","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"si-18_smt","name":"statement","parts":[{"id":"si-18_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle {{ insert: param, si-18_prm_1 }} ; and"},{"id":"si-18_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Correct or delete inaccurate or outdated personally identifiable information."}]},{"id":"si-18_gdn","name":"guidance","prose":"Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes."},{"id":"si-18_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.","class":"sp800-53a"}],"parts":[{"id":"si-18_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[01]","class":"sp800-53a"}],"prose":"the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[02]","class":"sp800-53a"}],"prose":"the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[03]","class":"sp800-53a"}],"prose":"the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SI-18a.[04]","class":"sp800-53a"}],"prose":"the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};","links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#si-18_smt.a","rel":"assessment-for"}]},{"id":"si-18_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-18b.","class":"sp800-53a"}],"prose":"inaccurate or outdated personally identifiable information is corrected or deleted.","links":[{"href":"#si-18_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-18_smt","rel":"assessment-for"}]},{"id":"si-18_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security responsibilities\n\norganizational personnel with privacy responsibilities"}]},{"id":"si-18_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}],"controls":[{"id":"si-18.1","class":"SP800-53-enhancement","title":"Automation Support","params":[{"id":"si-18.01_odp","props":[{"name":"alt-identifier","value":"si-18.1_prm_1"},{"name":"label","value":"SI-18(01)_ODP","class":"sp800-53a"}],"label":"automated mechanisms","guidelines":[{"prose":"automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined;"}]}],"props":[{"name":"label","value":"SI-18(1)"},{"name":"label","value":"SI-18(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"},{"href":"#pm-18","rel":"related"},{"href":"#ra-8","rel":"related"}],"parts":[{"id":"si-18.1_smt","name":"statement","prose":"Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using {{ insert: param, si-18.01_odp }}."},{"id":"si-18.1_gdn","name":"guidance","prose":"The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments and make determinations that are in alignment with their privacy program plans.\n\nAs data is obtained and used across the information life cycle, it is important to confirm the accuracy and relevance of personally identifiable information. Automated mechanisms can augment existing data quality processes and procedures and enable an organization to better identify and manage personally identifiable information in large-scale systems. For example, automated tools can greatly improve efforts to consistently normalize data or identify malformed data. Automated tools can also be used to improve the auditing of data and detect errors that may incorrectly alter personally identifiable information or incorrectly associate such information with the wrong individual. Automated capabilities backstop processes and procedures at-scale and enable more fine-grained detection and correction of data quality errors."},{"id":"si-18.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(01)","class":"sp800-53a"}],"prose":"{{ insert: param, si-18.01_odp }} are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.","links":[{"href":"#si-18.1_smt","rel":"assessment-for"}]},{"id":"si-18.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\ndocumentation addressing personally identifiable information quality operations\n\nquality reports\n\nmaintenance logs\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for performing personally identifiable information quality inspections\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for personally identifiable information quality inspection\n\nautomated mechanisms supporting and\/or implementing personally identifiable information quality operations"}]}]},{"id":"si-18.2","class":"SP800-53-enhancement","title":"Data Tags","props":[{"name":"label","value":"SI-18(2)"},{"name":"label","value":"SI-18(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"},{"href":"#ac-3","rel":"related"},{"href":"#ac-16","rel":"related"},{"href":"#sc-16","rel":"related"}],"parts":[{"id":"si-18.2_smt","name":"statement","prose":"Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems."},{"id":"si-18.2_gdn","name":"guidance","prose":"Data tagging personally identifiable information includes tags that note processing permissions, authority to process, de-identification, impact level, information life cycle stage, and retention or last updated dates. Employing data tags for personally identifiable information can support the use of automation tools to correct or delete relevant personally identifiable information."},{"id":"si-18.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(02)","class":"sp800-53a"}],"prose":"data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.","links":[{"href":"#si-18.2_smt","rel":"assessment-for"}]},{"id":"si-18.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing data tagging\n\npersonally identifiable information inventory\n\nsystem audit records\n\naudit findings\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for tagging data\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Data tagging mechanisms\n\nautomated mechanisms supporting and\/or implementing data tagging"}]}]},{"id":"si-18.3","class":"SP800-53-enhancement","title":"Collection","props":[{"name":"label","value":"SI-18(3)"},{"name":"label","value":"SI-18(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.3_smt","name":"statement","prose":"Collect personally identifiable information directly from the individual."},{"id":"si-18.3_gdn","name":"guidance","prose":"Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than the measures taken to validate less sensitive personally identifiable information."},{"id":"si-18.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(03)","class":"sp800-53a"}],"prose":"personally identifiable information is collected directly from the individual.","links":[{"href":"#si-18.3_smt","rel":"assessment-for"}]},{"id":"si-18.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration documentation\n\nsystem audit records\n\nuser interface where personally identifiable information is collected\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for data collection\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Data collection mechanisms\n\nautomated mechanisms supporting and\/or validating collection directly from the individual"}]}]},{"id":"si-18.4","class":"SP800-53-enhancement","title":"Individual Requests","props":[{"name":"label","value":"SI-18(4)"},{"name":"label","value":"SI-18(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.4_smt","name":"statement","prose":"Correct or delete personally identifiable information upon request by individuals or their designated representatives."},{"id":"si-18.4_gdn","name":"guidance","prose":"Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion."},{"id":"si-18.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(04)","class":"sp800-53a"}],"prose":"personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.","links":[{"href":"#si-18.4_smt","rel":"assessment-for"}]},{"id":"si-18.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests\n\nrecords of correction or deletion actions performed\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Request mechanisms\n\nautomated mechanisms supporting and\/or implementing individual requests for correction or deletion"}]}]},{"id":"si-18.5","class":"SP800-53-enhancement","title":"Notice of Correction or Deletion","params":[{"id":"si-18.05_odp","props":[{"name":"alt-identifier","value":"si-18.5_prm_1"},{"name":"alt-label","value":"recipients of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-18(05)_ODP","class":"sp800-53a"}],"label":"recipients","guidelines":[{"prose":"recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined;"}]}],"props":[{"name":"label","value":"SI-18(5)"},{"name":"label","value":"SI-18(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-18.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-18","rel":"required"}],"parts":[{"id":"si-18.5_smt","name":"statement","prose":"Notify {{ insert: param, si-18.05_odp }} and individuals that the personally identifiable information has been corrected or deleted."},{"id":"si-18.5_gdn","name":"guidance","prose":"When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with whom the information is associated or their designated representatives, are informed of the corrected or deleted information."},{"id":"si-18.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-18(05)","class":"sp800-53a"}],"prose":"{{ insert: param, si-18.05_odp }} and individuals are notified when the personally identifiable information has been corrected or deleted.","links":[{"href":"#si-18.5_smt","rel":"assessment-for"}]},{"id":"si-18.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-18(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem configuration\n\nindividual requests for corrections or deletions\n\nnotifications of correction or deletion action\n\nsystem audit records\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-18.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-18(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for sending correction or deletion notices\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-18.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-18(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for notifications of correction or deletion\n\nautomated mechanisms supporting and\/or implementing notifications of correction or deletion"}]}]}]},{"id":"si-19","class":"SP800-53","title":"De-identification","params":[{"id":"si-19_odp.01","props":[{"name":"alt-identifier","value":"si-19_prm_1"},{"name":"alt-label","value":"elements of personally identifiable information","class":"sp800-53"},{"name":"label","value":"SI-19_ODP[01]","class":"sp800-53a"}],"label":"elements","guidelines":[{"prose":"elements of personally identifiable information to be removed from datasets are defined;"}]},{"id":"si-19_odp.02","props":[{"name":"alt-identifier","value":"si-19_prm_2"},{"name":"label","value":"SI-19_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to evaluate the effectiveness of de-identification is defined;"}]}],"props":[{"name":"label","value":"SI-19"},{"name":"label","value":"SI-19","class":"sp800-53a"},{"name":"sort-id","value":"si-19"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","rel":"reference"},{"href":"#mp-6","rel":"related"},{"href":"#pm-22","rel":"related"},{"href":"#pm-23","rel":"related"},{"href":"#pm-24","rel":"related"},{"href":"#ra-2","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"si-19_smt","name":"statement","parts":[{"id":"si-19_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Remove the following elements of personally identifiable information from datasets: {{ insert: param, si-19_odp.01 }} ; and"},{"id":"si-19_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Evaluate {{ insert: param, si-19_odp.02 }} for effectiveness of de-identification."}]},{"id":"si-19_gdn","name":"guidance","prose":"De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk."},{"id":"si-19_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19","class":"sp800-53a"}],"parts":[{"id":"si-19_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-19a.","class":"sp800-53a"}],"prose":"{{ insert: param, si-19_odp.01 }} are removed from datasets;","links":[{"href":"#si-19_smt.a","rel":"assessment-for"}]},{"id":"si-19_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-19b.","class":"sp800-53a"}],"prose":"the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.","links":[{"href":"#si-19_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-19_smt","rel":"assessment-for"}]},{"id":"si-19_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndatasets with personally identifiable information removed\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for identifying unnecessary identifiers\n\norganizational personnel responsible for removing personally identifiable information from datasets\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements"}]}],"controls":[{"id":"si-19.1","class":"SP800-53-enhancement","title":"Collection","props":[{"name":"label","value":"SI-19(1)"},{"name":"label","value":"SI-19(01)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.1_smt","name":"statement","prose":"De-identify the dataset upon collection by not collecting personally identifiable information."},{"id":"si-19.1_gdn","name":"guidance","prose":"If a data source contains personally identifiable information but the information will not be used, the dataset can be de-identified when it is created by not collecting the data elements that contain the personally identifiable information. For example, if an organization does not intend to use the social security number of an applicant, then application forms do not ask for a social security number."},{"id":"si-19.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(01)","class":"sp800-53a"}],"prose":"the dataset is de-identified upon collection by not collecting personally identifiable information.","links":[{"href":"#si-19.1_smt","rel":"assessment-for"}]},{"id":"si-19.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nprocedures for minimizing the collection of personally identifiable information\n\nsystem configuration\n\ndata collection mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms preventing the collection of personally identifiable information"}]}]},{"id":"si-19.2","class":"SP800-53-enhancement","title":"Archiving","props":[{"name":"label","value":"SI-19(2)"},{"name":"label","value":"SI-19(02)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.2_smt","name":"statement","prose":"Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived."},{"id":"si-19.2_gdn","name":"guidance","prose":"Datasets can be archived for many reasons. The envisioned purposes for the archived dataset are specified, and if personally identifiable information elements are not required, the elements are not archived. For example, social security numbers may have been collected for record linkage, but the archived dataset may include the required elements from the linked records. In this case, it is not necessary to archive the social security numbers."},{"id":"si-19.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(02)","class":"sp800-53a"}],"prose":"the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.","links":[{"href":"#si-19.2_smt","rel":"assessment-for"}]},{"id":"si-19.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration documentation\n\ndata archiving mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with dataset archival responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms prohibiting the archival of personally identifiable information elements"}]}]},{"id":"si-19.3","class":"SP800-53-enhancement","title":"Release","props":[{"name":"label","value":"SI-19(3)"},{"name":"label","value":"SI-19(03)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.3_smt","name":"statement","prose":"Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release."},{"id":"si-19.3_gdn","name":"guidance","prose":"Prior to releasing a dataset, a data custodian considers the intended uses of the dataset and determines if it is necessary to release personally identifiable information. If the personally identifiable information is not necessary, the information can be removed using de-identification techniques."},{"id":"si-19.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(03)","class":"sp800-53a"}],"prose":"personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.","links":[{"href":"#si-19.3_smt","rel":"assessment-for"}]},{"id":"si-19.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nprocedures for minimizing the release of personally identifiable information\n\nsystem configuration\n\ndata release mechanisms\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal of personally identifiable information elements from a dataset"}]}]},{"id":"si-19.4","class":"SP800-53-enhancement","title":"Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers","props":[{"name":"label","value":"SI-19(4)"},{"name":"label","value":"SI-19(04)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-19.4_smt","name":"statement","prose":"Remove, mask, encrypt, hash, or replace direct identifiers in a dataset."},{"id":"si-19.4_gdn","name":"guidance","prose":"There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming \"George Washington\" to \"PATIENT\" or replacing it with a surrogate value, such as transforming \"George Washington\" to \"Abraham Polk.\" "},{"id":"si-19.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(04)","class":"sp800-53a"}],"prose":"direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced.","links":[{"href":"#si-19.4_smt","rel":"assessment-for"}]},{"id":"si-19.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\ndocumentation of de-identified datasets\n\ntools for the removal, masking, encryption, hashing or replacement of direct identifiers\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the removal, masking, encryption, hashing or replacement of direct identifiers"}]}]},{"id":"si-19.5","class":"SP800-53-enhancement","title":"Statistical Disclosure Control","props":[{"name":"label","value":"SI-19(5)"},{"name":"label","value":"SI-19(05)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.5_smt","name":"statement","prose":"Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis."},{"id":"si-19.5_gdn","name":"guidance","prose":"Many types of statistical analyses can result in the disclosure of information about individuals even if only summary information is provided. For example, if a school that publishes a monthly table with the number of minority students enrolled, reports that it has 10-19 such students in January, and subsequently reports that it has 20-29 such students in March, then it can be inferred that the student who enrolled in February was a minority."},{"id":"si-19.5_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)","class":"sp800-53a"}],"parts":[{"id":"si-19.5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[01]","class":"sp800-53a"}],"prose":"numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;","links":[{"href":"#si-19.5_smt","rel":"assessment-for"}]},{"id":"si-19.5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[02]","class":"sp800-53a"}],"prose":"contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;","links":[{"href":"#si-19.5_smt","rel":"assessment-for"}]},{"id":"si-19.5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SI-19(05)[03]","class":"sp800-53a"}],"prose":"statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.","links":[{"href":"#si-19.5_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-19.5_smt","rel":"assessment-for"}]},{"id":"si-19.5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(05)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\nstatistical analysis report\n\ntools for the control of statistical disclosure\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(05)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(05)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms supporting and\/or implementing the control of statistical disclosure"}]}]},{"id":"si-19.6","class":"SP800-53-enhancement","title":"Differential Privacy","props":[{"name":"label","value":"SI-19(6)"},{"name":"label","value":"SI-19(06)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"},{"href":"#sc-12","rel":"related"},{"href":"#sc-13","rel":"related"}],"parts":[{"id":"si-19.6_smt","name":"statement","prose":"Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported."},{"id":"si-19.6_gdn","name":"guidance","prose":"The mathematical definition for differential privacy holds that the result of a dataset analysis should be approximately the same before and after the addition or removal of a single data record (which is assumed to be the data from a single individual). In its most basic form, differential privacy applies only to online query systems. However, it can also be used to produce machine-learning statistical classifiers and synthetic data. Differential privacy comes at the cost of decreased accuracy of results, forcing organizations to quantify the trade-off between privacy protection and the overall accuracy, usefulness, and utility of the de-identified dataset. Non-deterministic noise can include adding small, random values to the results of mathematical operations in dataset analysis."},{"id":"si-19.6_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(06)","class":"sp800-53a"}],"prose":"the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.","links":[{"href":"#si-19.6_smt","rel":"assessment-for"}]},{"id":"si-19.6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(06)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\ndifferential privacy tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(06)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(06)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Online query systems\n\nautomated mechanisms supporting and\/or implementing differential privacy"}]}]},{"id":"si-19.7","class":"SP800-53-enhancement","title":"Validated Algorithms and Software","props":[{"name":"label","value":"SI-19(7)"},{"name":"label","value":"SI-19(07)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.7_smt","name":"statement","prose":"Perform de-identification using validated algorithms and software that is validated to implement the algorithms."},{"id":"si-19.7_gdn","name":"guidance","prose":"Algorithms that appear to remove personally identifiable information from a dataset may in fact leave information that is personally identifiable or data that is re-identifiable. Software that is claimed to implement a validated algorithm may contain bugs or implement a different algorithm. Software may de-identify one type of data, such as integers, but not de-identify another type of data, such as floating point numbers. For these reasons, de-identification is performed using algorithms and software that are validated."},{"id":"si-19.7_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)","class":"sp800-53a"}],"parts":[{"id":"si-19.7_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)[01]","class":"sp800-53a"}],"prose":"de-identification is performed using validated algorithms;","links":[{"href":"#si-19.7_smt","rel":"assessment-for"}]},{"id":"si-19.7_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SI-19(07)[02]","class":"sp800-53a"}],"prose":"de-identification is performed using software that is validated to implement the algorithms.","links":[{"href":"#si-19.7_smt","rel":"assessment-for"}]}],"links":[{"href":"#si-19.7_smt","rel":"assessment-for"}]},{"id":"si-19.7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(07)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nde-identified datasets\n\nalgorithm and software validation tools\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(07)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(07)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Validated algorithms and software"}]}]},{"id":"si-19.8","class":"SP800-53-enhancement","title":"Motivated Intruder","props":[{"name":"label","value":"SI-19(8)"},{"name":"label","value":"SI-19(08)","class":"sp800-53a"},{"name":"sort-id","value":"si-19.08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"}],"links":[{"href":"#si-19","rel":"required"}],"parts":[{"id":"si-19.8_smt","name":"statement","prose":"Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified."},{"id":"si-19.8_gdn","name":"guidance","prose":"A motivated intruder test is a test in which an individual or group takes a data release and specified resources and attempts to re-identify one or more individuals in the de-identified dataset. Such tests specify the amount of inside knowledge, computational resources, financial resources, data, and skills that intruders possess to conduct the tests. A motivated intruder test can determine if the de-identification is insufficient. It can also be a useful diagnostic tool to assess if de-identification is likely to be sufficient. However, the test alone cannot prove that de-identification is sufficient."},{"id":"si-19.8_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-19(08)","class":"sp800-53a"}],"prose":"a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.","links":[{"href":"#si-19.8_smt","rel":"assessment-for"}]},{"id":"si-19.8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-19(08)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nde-identification procedures\n\nsystem configuration\n\nmotivated intruder test procedures\n\nde-identified datasets\n\nsystem security plan\n\nprivacy plan\n\nprivacy impact assessment\n\nprivacy risk assessment documentation\n\nother relevant documents or records"}]},{"id":"si-19.8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-19(08)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for de-identifying the dataset\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-19.8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-19(08)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Motivated intruder test"}]}]}]},{"id":"si-20","class":"SP800-53","title":"Tainting","params":[{"id":"si-20_odp","props":[{"name":"alt-identifier","value":"si-20_prm_1"},{"name":"label","value":"SI-20_ODP","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"the systems or system components with data or capabilities to be embedded are defined;"}]}],"props":[{"name":"label","value":"SI-20"},{"name":"label","value":"SI-20","class":"sp800-53a"},{"name":"sort-id","value":"si-20"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#au-13","rel":"related"}],"parts":[{"id":"si-20_smt","name":"statement","prose":"Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: {{ insert: param, si-20_odp }}."},{"id":"si-20_gdn","name":"guidance","prose":"Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to \"call home,\" thereby alerting the organization to its \"capture,\" and possibly its location, and the path by which it was exfiltrated or removed."},{"id":"si-20_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-20","class":"sp800-53a"}],"prose":"data or capabilities are embedded in {{ insert: param, si-20_odp }} to determine if organizational data has been exfiltrated or improperly removed from the organization.","links":[{"href":"#si-20_smt","rel":"assessment-for"}]},{"id":"si-20_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-20-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\npolicy and procedures addressing the systems security engineering technique of deception\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-20_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-20-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for detecting tainted data\n\norganizational personnel with systems security engineering responsibilities\n\norganizational personnel with information security and privacy responsibilities"}]},{"id":"si-20_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-20-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated mechanisms for post-breach detection\n\ndecoys, traps, lures, and methods for deceiving adversaries\n\ndetection and notification mechanisms"}]}]},{"id":"si-21","class":"SP800-53","title":"Information Refresh","params":[{"id":"si-21_odp.01","props":[{"name":"alt-identifier","value":"si-21_prm_1"},{"name":"label","value":"SI-21_ODP[01]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be refreshed is defined;"}]},{"id":"si-21_odp.02","props":[{"name":"alt-identifier","value":"si-21_prm_2"},{"name":"label","value":"SI-21_ODP[02]","class":"sp800-53a"}],"label":"frequencies","guidelines":[{"prose":"the frequencies at which to refresh information are defined;"}]}],"props":[{"name":"label","value":"SI-21"},{"name":"label","value":"SI-21","class":"sp800-53a"},{"name":"sort-id","value":"si-21"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#27847491-5ce1-4f6a-a1e4-9e483782f0ef","rel":"reference"},{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"},{"href":"#si-14","rel":"related"}],"parts":[{"id":"si-21_smt","name":"statement","prose":"Refresh {{ insert: param, si-21_odp.01 }} at {{ insert: param, si-21_odp.02 }} or generate the information on demand and delete the information when no longer needed."},{"id":"si-21_gdn","name":"guidance","prose":"Retaining information for longer than it is needed makes it an increasingly valuable and enticing target for adversaries. Keeping information available for the minimum period of time needed to support organizational missions or business functions reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information."},{"id":"si-21_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-21","class":"sp800-53a"}],"prose":"the {{ insert: param, si-21_odp.01 }} is refreshed {{ insert: param, si-21_odp.02 }} or is generated on demand and deleted when no longer needed.","links":[{"href":"#si-21_smt","rel":"assessment-for"}]},{"id":"si-21_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-21-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\ninformation refresh procedures\n\nlist of information to be refreshed\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-21_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-21-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel responsible for refreshing information\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers"}]},{"id":"si-21_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-21-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Mechanisms for information refresh\n\norganizational processes for information refresh"}]}]},{"id":"si-22","class":"SP800-53","title":"Information Diversity","params":[{"id":"si-22_odp.01","props":[{"name":"alt-identifier","value":"si-22_prm_2"},{"name":"label","value":"SI-22_ODP[01]","class":"sp800-53a"}],"label":"alternative information sources","guidelines":[{"prose":"alternative information sources for essential functions and services are defined;"}]},{"id":"si-22_odp.02","props":[{"name":"alt-identifier","value":"si-22_prm_1"},{"name":"label","value":"SI-22_ODP[02]","class":"sp800-53a"}],"label":"essential functions and services","guidelines":[{"prose":"essential functions and services that require alternative sources of information are defined;"}]},{"id":"si-22_odp.03","props":[{"name":"alt-identifier","value":"si-22_prm_3"},{"name":"label","value":"SI-22_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require an alternative information source for the execution of essential functions or services are defined;"}]}],"props":[{"name":"label","value":"SI-22"},{"name":"label","value":"SI-22","class":"sp800-53a"},{"name":"sort-id","value":"si-22"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"}],"parts":[{"id":"si-22_smt","name":"statement","parts":[{"id":"si-22_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Identify the following alternative sources of information for {{ insert: param, si-22_odp.02 }}: {{ insert: param, si-22_odp.01 }} ; and"},{"id":"si-22_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Use an alternative information source for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable."}]},{"id":"si-22_gdn","name":"guidance","prose":"Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner."},{"id":"si-22_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-22","class":"sp800-53a"}],"parts":[{"id":"si-22_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-22a.","class":"sp800-53a"}],"prose":"{{ insert: param, si-22_odp.01 }} for {{ insert: param, si-22_odp.02 }} are identified;","links":[{"href":"#si-22_smt.a","rel":"assessment-for"}]},{"id":"si-22_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-22b.","class":"sp800-53a"}],"prose":"an alternative information source is used for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable.","links":[{"href":"#si-22_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-22_smt","rel":"assessment-for"}]},{"id":"si-22_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-22-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nlist of information sources\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-22_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-22-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers"}]},{"id":"si-22_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-22-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Automated methods and mechanisms to convert information from an analog to digital medium"}]}]},{"id":"si-23","class":"SP800-53","title":"Information Fragmentation","params":[{"id":"si-23_odp.01","props":[{"name":"alt-identifier","value":"si-23_prm_1"},{"name":"label","value":"SI-23_ODP[01]","class":"sp800-53a"}],"label":"circumstances","guidelines":[{"prose":"circumstances that require information fragmentation are defined;"}]},{"id":"si-23_odp.02","props":[{"name":"alt-identifier","value":"si-23_prm_2"},{"name":"label","value":"SI-23_ODP[02]","class":"sp800-53a"}],"label":"information","guidelines":[{"prose":"the information to be fragmented is defined;"}]},{"id":"si-23_odp.03","props":[{"name":"alt-identifier","value":"si-23_prm_3"},{"name":"label","value":"SI-23_ODP[03]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components across which the fragmented information is to be distributed are defined;"}]}],"props":[{"name":"label","value":"SI-23"},{"name":"label","value":"SI-23","class":"sp800-53a"},{"name":"sort-id","value":"si-23"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#61ccf0f4-d3e7-42db-9796-ce6cb1c85989","rel":"reference"}],"parts":[{"id":"si-23_smt","name":"statement","prose":"Based on {{ insert: param, si-23_odp.01 }}:","parts":[{"id":"si-23_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Fragment the following information: {{ insert: param, si-23_odp.02 }} ; and"},{"id":"si-23_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Distribute the fragmented information across the following systems or system components: {{ insert: param, si-23_odp.03 }}."}]},{"id":"si-23_gdn","name":"guidance","prose":"One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information)."},{"id":"si-23_obj","name":"assessment-objective","props":[{"name":"label","value":"SI-23","class":"sp800-53a"}],"parts":[{"id":"si-23_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SI-23a.","class":"sp800-53a"}],"prose":"under {{ insert: param, si-23_odp.01 }}, {{ insert: param, si-23_odp.02 }} is fragmented;","links":[{"href":"#si-23_smt.a","rel":"assessment-for"}]},{"id":"si-23_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SI-23b.","class":"sp800-53a"}],"prose":"under {{ insert: param, si-23_odp.01 }} , the fragmented information is distributed across {{ insert: param, si-23_odp.03 }}.","links":[{"href":"#si-23_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#si-23_smt","rel":"assessment-for"}]},{"id":"si-23_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SI-23-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System and information integrity policy\n\nsystem and information integrity procedures\n\npersonally identifiable information processing policy\n\nprocedures addressing software and information integrity\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nprocedures to identify information for fragmentation and distribution across systems\/system components\n\nlist of distributed and fragmented information\n\nlist of circumstances requiring information fragmentation\n\nenterprise architecture\n\nsystem security architecture\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"si-23_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SI-23-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security and privacy responsibilities\n\norganizational personnel with systems security engineering responsibilities\n\nsystem developers\n\nsecurity architects"}]},{"id":"si-23_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SI-23-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes to identify information for fragmentation and distribution across systems\/system components\n\nautomated mechanisms supporting and\/or implementing information fragmentation and distribution across systems\/system components"}]}]}]},{"id":"sr","class":"family","title":"Supply Chain Risk Management","controls":[{"id":"sr-1","class":"SP800-53","title":"Policy and Procedures","params":[{"id":"sr-1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-01_odp.02"}],"label":"organization-defined personnel or roles"},{"id":"sr-01_odp.01","props":[{"name":"label","value":"SR-01_ODP[01]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management policy is to be disseminated to is\/are defined;"}]},{"id":"sr-01_odp.02","props":[{"name":"label","value":"SR-01_ODP[02]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom supply chain risk management procedures are disseminated to is\/are defined;"}]},{"id":"sr-01_odp.03","props":[{"name":"alt-identifier","value":"sr-1_prm_2"},{"name":"label","value":"SR-01_ODP[03]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organization-level","mission\/business process-level","system-level"]}},{"id":"sr-01_odp.04","props":[{"name":"alt-identifier","value":"sr-1_prm_3"},{"name":"label","value":"SR-01_ODP[04]","class":"sp800-53a"}],"label":"official","guidelines":[{"prose":"an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;"}]},{"id":"sr-01_odp.05","props":[{"name":"alt-identifier","value":"sr-1_prm_4"},{"name":"label","value":"SR-01_ODP[05]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management policy is reviewed and updated is defined;"}]},{"id":"sr-01_odp.06","props":[{"name":"alt-identifier","value":"sr-1_prm_5"},{"name":"label","value":"SR-01_ODP[06]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the current supply chain risk management policy to be reviewed and updated are defined;"}]},{"id":"sr-01_odp.07","props":[{"name":"alt-identifier","value":"sr-1_prm_6"},{"name":"label","value":"SR-01_ODP[07]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;"}]},{"id":"sr-01_odp.08","props":[{"name":"alt-identifier","value":"sr-1_prm_7"},{"name":"label","value":"SR-01_ODP[08]","class":"sp800-53a"}],"label":"events","guidelines":[{"prose":"events that require the supply chain risk management procedures to be reviewed and updated are defined;"}]}],"props":[{"name":"label","value":"SR-1"},{"name":"label","value":"SR-01","class":"sp800-53a"},{"name":"sort-id","value":"sr-01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ps-8","rel":"related"},{"href":"#si-12","rel":"related"}],"parts":[{"id":"sr-1_smt","name":"statement","parts":[{"id":"sr-1_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop, document, and disseminate to {{ insert: param, sr-1_prm_1 }}:","parts":[{"id":"sr-1_smt.a.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"{{ insert: param, sr-01_odp.03 }} supply chain risk management policy that:","parts":[{"id":"sr-1_smt.a.1.a","name":"item","props":[{"name":"label","value":"(a)"}],"prose":"Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and"},{"id":"sr-1_smt.a.1.b","name":"item","props":[{"name":"label","value":"(b)"}],"prose":"Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and"}]},{"id":"sr-1_smt.a.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;"}]},{"id":"sr-1_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Designate an {{ insert: param, sr-01_odp.04 }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and"},{"id":"sr-1_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Review and update the current supply chain risk management:","parts":[{"id":"sr-1_smt.c.1","name":"item","props":[{"name":"label","value":"1."}],"prose":"Policy {{ insert: param, sr-01_odp.05 }} and following {{ insert: param, sr-01_odp.06 }} ; and"},{"id":"sr-1_smt.c.2","name":"item","props":[{"name":"label","value":"2."}],"prose":"Procedures {{ insert: param, sr-01_odp.07 }} and following {{ insert: param, sr-01_odp.08 }}."}]}]},{"id":"sr-1_gdn","name":"guidance","prose":"Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure."},{"id":"sr-1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[01]","class":"sp800-53a"}],"prose":"a supply chain risk management policy is developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[03]","class":"sp800-53a"}],"prose":"supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.","links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.a.1.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[01]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[02]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[04]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[05]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[06]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(a)[07]","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.","links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1.a","rel":"assessment-for"}]},{"id":"sr-1_obj.a.1.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01a.01(b)","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;","links":[{"href":"#sr-1_smt.a.1.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.a","rel":"assessment-for"}]},{"id":"sr-1_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-01b.","class":"sp800-53a"}],"prose":"the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;","links":[{"href":"#sr-1_smt.b","rel":"assessment-for"}]},{"id":"sr-1_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.1-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.1-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.01[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};","links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.1","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02","class":"sp800-53a"}],"parts":[{"id":"sr-1_obj.c.2-1","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[01]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]},{"id":"sr-1_obj.c.2-2","name":"assessment-objective","props":[{"name":"label","value":"SR-01c.02[02]","class":"sp800-53a"}],"prose":"the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.","links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c.2","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-1_smt","rel":"assessment-for"}]},{"id":"sr-1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-01-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-01-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with supply chain risk management responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with acquisition responsibilities\n\norganizational personnel with enterprise risk management responsibilities"}]}]},{"id":"sr-2","class":"SP800-53","title":"Supply Chain Risk Management Plan","params":[{"id":"sr-02_odp.01","props":[{"name":"alt-identifier","value":"sr-2_prm_1"},{"name":"label","value":"SR-02_ODP[01]","class":"sp800-53a"}],"label":"systems, system components, or system services","guidelines":[{"prose":"systems, system components, or system services for which a supply chain risk management plan is developed are defined;"}]},{"id":"sr-02_odp.02","props":[{"name":"alt-identifier","value":"sr-2_prm_2"},{"name":"label","value":"SR-02_ODP[02]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to review and update the supply chain risk management plan is defined;"}]}],"props":[{"name":"label","value":"SR-2"},{"name":"label","value":"SR-02","class":"sp800-53a"},{"name":"sort-id","value":"sr-02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#031cc4b7-9adf-4835-98f1-f1ca493519cf","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#cec037f3-8aba-4c97-84b4-4082f9e515d2","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#276bd50a-7e58-48e5-a405-8c8cb91d7a5f","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#cp-4","rel":"related"},{"href":"#ir-4","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"},{"href":"#pm-9","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#ra-3","rel":"related"},{"href":"#ra-7","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-2_smt","name":"statement","parts":[{"id":"sr-2_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, sr-02_odp.01 }};"},{"id":"sr-2_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Review and update the supply chain risk management plan {{ insert: param, sr-02_odp.02 }} or as required, to address threat, organizational or environmental changes; and"},{"id":"sr-2_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Protect the supply chain risk management plan from unauthorized disclosure and modification."}]},{"id":"sr-2_gdn","name":"guidance","prose":"The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development\/sustainment of systems across the SDLC to support mission and business functions.\n\nBecause supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see [SA-8](#sa-8))."},{"id":"sr-2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[01]","class":"sp800-53a"}],"prose":"a plan for managing supply chain risks is developed;","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[03]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[04]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-5","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[05]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-6","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[06]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-7","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[07]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-8","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[08]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.a-9","name":"assessment-objective","props":[{"name":"label","value":"SR-02a.[09]","class":"sp800-53a"}],"prose":"the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};","links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.a","rel":"assessment-for"}]},{"id":"sr-2_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-02b.","class":"sp800-53a"}],"prose":"the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;","links":[{"href":"#sr-2_smt.b","rel":"assessment-for"}]},{"id":"sr-2_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.","class":"sp800-53a"}],"parts":[{"id":"sr-2_obj.c-1","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[01]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized disclosure;","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]},{"id":"sr-2_obj.c-2","name":"assessment-objective","props":[{"name":"label","value":"SR-02c.[02]","class":"sp800-53a"}],"prose":"the supply chain risk management plan is protected from unauthorized modification.","links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-2_smt","rel":"assessment-for"}]},{"id":"sr-2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures for protecting the supply chain risk management plan from unauthorized disclosure and modification\n\nsystem development life cycle procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nlist of supply chain threats\n\nlist of safeguards to be taken against supply chain threats\n\nsystem life cycle documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nprivacy plan\n\nprivacy program plan\n\nother relevant documents or records"}]},{"id":"sr-2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-02-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and documenting the system development life cycle (SDLC)\n\norganizational processes for identifying SDLC roles and responsibilities\n\norganizational processes for integrating supply chain risk management into the SDLC\n\nmechanisms supporting and\/or implementing the SDLC"}]}],"controls":[{"id":"sr-2.1","class":"SP800-53-enhancement","title":"Establish SCRM Team","params":[{"id":"sr-02.01_odp.01","props":[{"name":"alt-identifier","value":"sr-2.1_prm_1"},{"name":"alt-label","value":"personnel, roles, and responsibilities","class":"sp800-53"},{"name":"label","value":"SR-02(01)_ODP[01]","class":"sp800-53a"}],"label":"personnel, roles and responsibilities","guidelines":[{"prose":"the personnel, roles, and responsibilities of the supply chain risk management team are defined;"}]},{"id":"sr-02.01_odp.02","props":[{"name":"alt-identifier","value":"sr-2.1_prm_2"},{"name":"label","value":"SR-02(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain risk management activities","guidelines":[{"prose":"supply chain risk management activities are defined;"}]}],"props":[{"name":"label","value":"SR-2(1)"},{"name":"label","value":"SR-02(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-02.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-2","rel":"required"}],"parts":[{"id":"sr-2.1_smt","name":"statement","prose":"Establish a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} to lead and support the following SCRM activities: {{ insert: param, sr-02.01_odp.02 }}."},{"id":"sr-2.1_gdn","name":"guidance","prose":"To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team."},{"id":"sr-2.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-02(01)","class":"sp800-53a"}],"prose":"a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.","links":[{"href":"#sr-2.1_smt","rel":"assessment-for"}]},{"id":"sr-2.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-02(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management team charter documentation\n\nsupply chain risk management strategy\n\nsupply chain risk management implementation plan\n\nprocedures addressing supply chain protection\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-2.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-02(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with enterprise risk management responsibilities\n\nlegal counsel\n\norganizational personnel with business continuity responsibilities"}]}]}]},{"id":"sr-3","class":"SP800-53","title":"Supply Chain Controls and Processes","params":[{"id":"sr-03_odp.01","props":[{"name":"alt-identifier","value":"sr-3_prm_1"},{"name":"label","value":"SR-03_ODP[01]","class":"sp800-53a"}],"label":"system or system component","guidelines":[{"prose":"the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;"}]},{"id":"sr-03_odp.02","props":[{"name":"alt-identifier","value":"sr-3_prm_2"},{"name":"label","value":"SR-03_ODP[02]","class":"sp800-53a"}],"label":"supply chain personnel","guidelines":[{"prose":"supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is\/are defined;"}]},{"id":"sr-03_odp.03","props":[{"name":"alt-identifier","value":"sr-3_prm_3"},{"name":"label","value":"SR-03_ODP[03]","class":"sp800-53a"}],"label":"supply chain controls","guidelines":[{"prose":"supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;"}]},{"id":"sr-03_odp.04","props":[{"name":"alt-identifier","value":"sr-3_prm_4"},{"name":"label","value":"SR-03_ODP[04]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["security and privacy plans","supply chain risk management plan","{{ insert: param, sr-03_odp.05 }} "]}},{"id":"sr-03_odp.05","props":[{"name":"alt-identifier","value":"sr-3_prm_5"},{"name":"label","value":"SR-03_ODP[05]","class":"sp800-53a"}],"label":"document","guidelines":[{"prose":"the document identifying the selected and implemented supply chain processes and controls is defined (if selected);"}]}],"props":[{"name":"label","value":"SR-3"},{"name":"label","value":"SR-03","class":"sp800-53a"},{"name":"sort-id","value":"sr-03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"system"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ca-2","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#pe-3","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-8","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sc-7","rel":"related"},{"href":"#sc-29","rel":"related"},{"href":"#sc-30","rel":"related"},{"href":"#sc-38","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-3_smt","name":"statement","parts":[{"id":"sr-3_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} in coordination with {{ insert: param, sr-03_odp.02 }};"},{"id":"sr-3_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, sr-03_odp.03 }} ; and"},{"id":"sr-3_smt.c","name":"item","props":[{"name":"label","value":"c."}],"prose":"Document the selected and implemented supply chain processes and controls in {{ insert: param, sr-03_odp.04 }}."}]},{"id":"sr-3_gdn","name":"guidance","prose":"Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain."},{"id":"sr-3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.","class":"sp800-53a"}],"parts":[{"id":"sr-3_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[01]","class":"sp800-53a"}],"prose":"a process or processes is\/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03a.[02]","class":"sp800-53a"}],"prose":"the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is\/are coordinated with {{ insert: param, sr-03_odp.02 }};","links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt.a","rel":"assessment-for"}]},{"id":"sr-3_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-03b.","class":"sp800-53a"}],"prose":"{{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;","links":[{"href":"#sr-3_smt.b","rel":"assessment-for"}]},{"id":"sr-3_obj.c","name":"assessment-objective","props":[{"name":"label","value":"SR-03c.","class":"sp800-53a"}],"prose":"the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.","links":[{"href":"#sr-3_smt.c","rel":"assessment-for"}]}],"links":[{"href":"#sr-3_smt","rel":"assessment-for"}]},{"id":"sr-3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystems and critical system components inventory documentation\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems or services\n\nrisk register documentation\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying and addressing supply chain element and process deficiencies"}]}],"controls":[{"id":"sr-3.1","class":"SP800-53-enhancement","title":"Diverse Supply Base","params":[{"id":"sr-3.1_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-03.01_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-03.01_odp.02"}],"label":"organization-defined system components and services"},{"id":"sr-03.01_odp.01","props":[{"name":"label","value":"SR-03(01)_ODP[01]","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components with a diverse set of sources are defined;"}]},{"id":"sr-03.01_odp.02","props":[{"name":"label","value":"SR-03(01)_ODP[02]","class":"sp800-53a"}],"label":"services","guidelines":[{"prose":"services with a diverse set of sources are defined;"}]}],"props":[{"name":"label","value":"SR-3(1)"},{"name":"label","value":"SR-03(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"}],"parts":[{"id":"sr-3.1_smt","name":"statement","prose":"Employ a diverse set of sources for the following system components and services: {{ insert: param, sr-3.1_prm_1 }}."},{"id":"sr-3.1_gdn","name":"guidance","prose":"Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diverse materials and components."},{"id":"sr-3.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)","class":"sp800-53a"}],"parts":[{"id":"sr-3.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)[01]","class":"sp800-53a"}],"prose":"a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.01 }};","links":[{"href":"#sr-3.1_smt","rel":"assessment-for"}]},{"id":"sr-3.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-03(01)[02]","class":"sp800-53a"}],"prose":"a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.02 }}.","links":[{"href":"#sr-3.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-3.1_smt","rel":"assessment-for"}]},{"id":"sr-3.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsystem and services acquisition policy\n\nplanning policy\n\nprocedures addressing supply chain protection\n\nphysical inventory of critical systems and system components\n\ninventory of critical suppliers, service providers, developers, and contracts\n\ninventory records of critical system components\n\nlist of security safeguards ensuring an adequate supply of critical system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-3.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical system components\n\nprocesses to identify critical suppliers\n\nmechanisms supporting and\/or implementing the security safeguards that ensure an adequate supply of critical system components"}]}]},{"id":"sr-3.2","class":"SP800-53-enhancement","title":"Limitation of Harm","params":[{"id":"sr-03.02_odp","props":[{"name":"alt-identifier","value":"sr-3.2_prm_1"},{"name":"label","value":"SR-03(02)_ODP","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to limit harm from potential supply chain adversaries are defined;"}]}],"props":[{"name":"label","value":"SR-3(2)"},{"name":"label","value":"SR-03(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"}],"parts":[{"id":"sr-3.2_smt","name":"statement","prose":"Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: {{ insert: param, sr-03.02_odp }}."},{"id":"sr-3.2_gdn","name":"guidance","prose":"Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery."},{"id":"sr-3.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(02)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-03.02_odp }} are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.","links":[{"href":"#sr-3.2_smt","rel":"assessment-for"}]},{"id":"sr-3.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nconfiguration management policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nprocedures addressing the baseline configuration of the system\n\nconfiguration management plan\n\nsystem design documentation\n\nsystem architecture and associated configuration documentation\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nthreat assessments\n\nvulnerability assessments\n\nlist of security safeguards to be taken to protect the organizational supply chain against potential supply chain threats\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain\n\nmechanisms supporting and\/or implementing the definition and employment of safeguards to protect the organizational supply chain"}]}]},{"id":"sr-3.3","class":"SP800-53-enhancement","title":"Sub-tier Flow Down","props":[{"name":"label","value":"SR-3(3)"},{"name":"label","value":"SR-03(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-03.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-3","rel":"required"},{"href":"#sr-5","rel":"related"},{"href":"#sr-8","rel":"related"}],"parts":[{"id":"sr-3.3_smt","name":"statement","prose":"Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors."},{"id":"sr-3.3_gdn","name":"guidance","prose":"To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the \"flow down\" of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in [SR-3b](#sr-3_smt.b)."},{"id":"sr-3.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-03(03)","class":"sp800-53a"}],"prose":"the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.","links":[{"href":"#sr-3.3_smt","rel":"assessment-for"}]},{"id":"sr-3.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-03(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-3.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-03(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-3.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-03(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]}]},{"id":"sr-4","class":"SP800-53","title":"Provenance","params":[{"id":"sr-04_odp","props":[{"name":"alt-identifier","value":"sr-4_prm_1"},{"name":"label","value":"SR-04_ODP","class":"sp800-53a"}],"label":"systems, system components, and associated data","guidelines":[{"prose":"systems, system components, and associated data that require valid provenance are defined;"}]}],"props":[{"name":"label","value":"SR-4"},{"name":"label","value":"SR-04","class":"sp800-53a"},{"name":"sort-id","value":"sr-04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#e3cc0520-a366-4fc9-abc2-5272db7e3564","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#a2590922-82f3-4277-83c0-ca5bee06dba4","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#cm-8","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-6","rel":"related"},{"href":"#ra-9","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-4_smt","name":"statement","prose":"Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: {{ insert: param, sr-04_odp }}."},{"id":"sr-4_gdn","name":"guidance","prose":"Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see [SR-1](#sr-1) ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate."},{"id":"sr-4_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04","class":"sp800-53a"}],"parts":[{"id":"sr-4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04[01]","class":"sp800-53a"}],"prose":"valid provenance is documented for {{ insert: param, sr-04_odp }};","links":[{"href":"#sr-4_smt","rel":"assessment-for"}]},{"id":"sr-4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04[02]","class":"sp800-53a"}],"prose":"valid provenance is monitored for {{ insert: param, sr-04_odp }};","links":[{"href":"#sr-4_smt","rel":"assessment-for"}]},{"id":"sr-4_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-04[03]","class":"sp800-53a"}],"prose":"valid provenance is maintained for {{ insert: param, sr-04_odp }}.","links":[{"href":"#sr-4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-4_smt","rel":"assessment-for"}]},{"id":"sr-4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\ndocumentation of critical systems, critical system components, and associated data\n\ndocumentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components\n\nsystem architecture\n\ninter-organizational agreements and procedures\n\ncontracts\n\nsystem security plan\n\nprivacy plan\n\npersonally identifiable information processing policy\n\nother relevant documents or records"}]},{"id":"sr-4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying the provenance of critical systems and critical system components\n\nmechanisms used to document, monitor, or maintain provenance"}]}],"controls":[{"id":"sr-4.1","class":"SP800-53-enhancement","title":"Identity","params":[{"id":"sr-04.01_odp","props":[{"name":"alt-identifier","value":"sr-4.1_prm_1"},{"name":"alt-label","value":"supply chain elements, processes, and personnel associated with organization-defined systems and critical system components","class":"sp800-53"},{"name":"label","value":"SR-04(01)_ODP","class":"sp800-53a"}],"label":"supply chain elements, processes, and personnel","guidelines":[{"prose":"supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined;"}]}],"props":[{"name":"label","value":"SR-4(1)"},{"name":"label","value":"SR-04(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pe-16","rel":"related"}],"parts":[{"id":"sr-4.1_smt","name":"statement","prose":"Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: {{ insert: param, sr-04.01_odp }}."},{"id":"sr-4.1_gdn","name":"guidance","prose":"Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chains elements, processes, and personnel, it is very difficult for organizations to understand and manage risk and reduce their susceptibility to adverse events. Supply chain elements include organizations, entities, or tools used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g. if a supply company is purchased), compromise, or event."},{"id":"sr-4.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)","class":"sp800-53a"}],"parts":[{"id":"sr-4.1_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)[01]","class":"sp800-53a"}],"prose":"unique identification of {{ insert: param, sr-04.01_odp }} is established;","links":[{"href":"#sr-4.1_smt","rel":"assessment-for"}]},{"id":"sr-4.1_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(01)[02]","class":"sp800-53a"}],"prose":"unique identification of {{ insert: param, sr-04.01_odp }} is maintained.","links":[{"href":"#sr-4.1_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-4.1_smt","rel":"assessment-for"}]},{"id":"sr-4.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and\/or configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities\n\norganizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors"}]},{"id":"sr-4.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors"}]}]},{"id":"sr-4.2","class":"SP800-53-enhancement","title":"Track and Trace","params":[{"id":"sr-04.02_odp","props":[{"name":"alt-identifier","value":"sr-4.2_prm_1"},{"name":"label","value":"SR-04(02)_ODP","class":"sp800-53a"}],"label":"systems and critical system components","guidelines":[{"prose":"systems and critical system components that require unique identification for tracking through the supply chain are defined;"}]}],"props":[{"name":"label","value":"SR-4(2)"},{"name":"label","value":"SR-04(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ia-2","rel":"related"},{"href":"#ia-8","rel":"related"},{"href":"#pe-16","rel":"related"},{"href":"#pl-2","rel":"related"}],"parts":[{"id":"sr-4.2_smt","name":"statement","prose":"Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: {{ insert: param, sr-04.02_odp }}."},{"id":"sr-4.2_gdn","name":"guidance","prose":"Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event."},{"id":"sr-4.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)","class":"sp800-53a"}],"parts":[{"id":"sr-4.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)[01]","class":"sp800-53a"}],"prose":"the unique identification of {{ insert: param, sr-04.02_odp }} is established for tracking through the supply chain;","links":[{"href":"#sr-4.2_smt","rel":"assessment-for"}]},{"id":"sr-4.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(02)[02]","class":"sp800-53a"}],"prose":"the unique identification of {{ insert: param, sr-04.02_odp }} is maintained for tracking through the supply chain.","links":[{"href":"#sr-4.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-4.2_smt","rel":"assessment-for"}]},{"id":"sr-4.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsupply chain risk management plan\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and\/or configurations\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities\n\norganizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors"}]},{"id":"sr-4.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors"}]}]},{"id":"sr-4.3","class":"SP800-53-enhancement","title":"Validate as Genuine and Not Altered","params":[{"id":"sr-4.3_prm_1","props":[{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-04.03_odp.01"},{"name":"aggregates","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"sr-04.03_odp.02"}],"label":"organization-defined controls"},{"id":"sr-04.03_odp.01","props":[{"name":"label","value":"SR-04(03)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to validate that the system or system component received is genuine are defined;"}]},{"id":"sr-04.03_odp.02","props":[{"name":"label","value":"SR-04(03)_ODP[02]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to validate that the system or system component received has not been altered are defined;"}]}],"props":[{"name":"label","value":"SR-4(3)"},{"name":"label","value":"SR-04(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#at-3","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-4.3_smt","name":"statement","prose":"Employ the following controls to validate that the system or system component received is genuine and has not been altered: {{ insert: param, sr-4.3_prm_1 }}."},{"id":"sr-4.3_gdn","name":"guidance","prose":"For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out of specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries."},{"id":"sr-4.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)","class":"sp800-53a"}],"parts":[{"id":"sr-4.3_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.03_odp.01 }} are employed to validate that the system or system component received is genuine;","links":[{"href":"#sr-4.3_smt","rel":"assessment-for"}]},{"id":"sr-4.3_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(03)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.03_odp.02 }} are employed to validate that the system or system component received has not been altered.","links":[{"href":"#sr-4.3_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-4.3_smt","rel":"assessment-for"}]},{"id":"sr-4.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system\n\nsystem design documentation\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nevidentiary documentation (including applicable configurations) indicating that the system or system component is genuine and has not been altered\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing validation safeguards\n\nmechanisms supporting and\/or implementing the definition and employment of validation safeguards\n\nmechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification"}]}]},{"id":"sr-4.4","class":"SP800-53-enhancement","title":"Supply Chain Integrity — Pedigree","params":[{"id":"sr-04.04_odp.01","props":[{"name":"alt-identifier","value":"sr-4.4_prm_1"},{"name":"label","value":"SR-04(04)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls employed to ensure that the integrity of the system and system component are defined;"}]},{"id":"sr-04.04_odp.02","props":[{"name":"alt-identifier","value":"sr-4.4_prm_2"},{"name":"alt-label","value":"analysis","class":"sp800-53"},{"name":"label","value":"SR-04(04)_ODP[02]","class":"sp800-53a"}],"label":"analysis method","guidelines":[{"prose":"an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined;"}]}],"props":[{"name":"label","value":"SR-4(4)"},{"name":"label","value":"SR-04(04)","class":"sp800-53a"},{"name":"sort-id","value":"sr-04.04"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-4","rel":"required"},{"href":"#ra-3","rel":"related"}],"parts":[{"id":"sr-4.4_smt","name":"statement","prose":"Employ {{ insert: param, sr-04.04_odp.01 }} and conduct {{ insert: param, sr-04.04_odp.02 }} to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services."},{"id":"sr-4.4_gdn","name":"guidance","prose":"Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself."},{"id":"sr-4.4_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)","class":"sp800-53a"}],"parts":[{"id":"sr-4.4_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.04_odp.01 }} are employed to ensure the integrity of the system and system components;","links":[{"href":"#sr-4.4_smt","rel":"assessment-for"}]},{"id":"sr-4.4_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-04(04)[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-04.04_odp.02 }} is conducted to ensure the integrity of the system and system components.","links":[{"href":"#sr-4.4_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-4.4_smt","rel":"assessment-for"}]},{"id":"sr-4.4_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-04(04)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nbill of materials for critical systems or system components\n\nacquisition documentation\n\nsoftware identification tags\n\nmanufacturer declarations of platform attributes (e.g., serial numbers, hardware component inventory) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-4.4_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-04(04)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-4.4_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-04(04)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for identifying pedigree information\n\norganizational processes to determine and validate the integrity of the internal composition of critical systems and critical system components\n\nmechanisms to determine and validate the integrity of the internal composition of critical systems and critical system components"}]}]}]},{"id":"sr-5","class":"SP800-53","title":"Acquisition Strategies, Tools, and Methods","params":[{"id":"sr-05_odp","props":[{"name":"alt-identifier","value":"sr-5_prm_1"},{"name":"alt-label","value":"acquisition strategies, contract tools, and procurement methods","class":"sp800-53"},{"name":"label","value":"SR-05_ODP","class":"sp800-53a"}],"label":"strategies, tools, and methods","guidelines":[{"prose":"acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;"}]}],"props":[{"name":"label","value":"SR-5"},{"name":"label","value":"SR-05","class":"sp800-53a"},{"name":"sort-id","value":"sr-05"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#sa-2","rel":"related"},{"href":"#sa-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#sa-5","rel":"related"},{"href":"#sa-8","rel":"related"},{"href":"#sa-9","rel":"related"},{"href":"#sa-10","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#sr-6","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-5_smt","name":"statement","prose":"Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, sr-05_odp }}."},{"id":"sr-5_gdn","name":"guidance","prose":"The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements."},{"id":"sr-5_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05","class":"sp800-53a"}],"parts":[{"id":"sr-5_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05[01]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05[02]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to identify supply chain risks;","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05[03]","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.","links":[{"href":"#sr-5_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-5_smt","rel":"assessment-for"}]},{"id":"sr-5_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy\n\nsupply chain risk management procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security and privacy requirements into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation (including purchase orders)\n\nservice level agreements\n\nacquisition contracts for systems, system components, or services\n\ndocumentation of training, education, and awareness programs for personnel regarding supply chain risk\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-5_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}],"controls":[{"id":"sr-5.1","class":"SP800-53-enhancement","title":"Adequate Supply","params":[{"id":"sr-05.01_odp.01","props":[{"name":"alt-identifier","value":"sr-5.1_prm_2"},{"name":"label","value":"SR-05(01)_ODP[01]","class":"sp800-53a"}],"label":"controls","guidelines":[{"prose":"controls to ensure an adequate supply of critical system components are defined;"}]},{"id":"sr-05.01_odp.02","props":[{"name":"alt-identifier","value":"sr-5.1_prm_1"},{"name":"label","value":"SR-05(01)_ODP[02]","class":"sp800-53a"}],"label":"critical system components","guidelines":[{"prose":"critical system components of which an adequate supply is required are defined;"}]}],"props":[{"name":"label","value":"SR-5(1)"},{"name":"label","value":"SR-05(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-05.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-5","rel":"required"},{"href":"#ra-9","rel":"related"}],"parts":[{"id":"sr-5.1_smt","name":"statement","prose":"Employ the following controls to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}: {{ insert: param, sr-05.01_odp.01 }}."},{"id":"sr-5.1_gdn","name":"guidance","prose":"Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include the use of multiple suppliers throughout the supply chain for the identified critical components, stockpiling spare components to ensure operation during mission-critical times, and the identification of functionally identical or similar components that may be used, if necessary."},{"id":"sr-5.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-05.01_odp.01 }} are employed to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}.","links":[{"href":"#sr-5.1_smt","rel":"assessment-for"}]},{"id":"sr-5.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\ncontingency planning documents\n\ninventory of critical systems and system components\n\ndetermination of adequate supply\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nprocedures addressing the integration of acquisition strategies, contract tools, and procurement methods into the acquisition process\n\nsolicitation documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for systems or services\n\npurchase orders\/requisitions for the system, system component, or system service from suppliers\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-5.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-5.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods\n\nmechanisms supporting and\/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods"}]}]},{"id":"sr-5.2","class":"SP800-53-enhancement","title":"Assessments Prior to Selection, Acceptance, Modification, or Update","props":[{"name":"label","value":"SR-5(2)"},{"name":"label","value":"SR-05(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-05.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-5","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#ra-5","rel":"related"},{"href":"#sa-11","rel":"related"},{"href":"#si-7","rel":"related"}],"parts":[{"id":"sr-5.2_smt","name":"statement","prose":"Assess the system, system component, or system service prior to selection, acceptance, modification, or update."},{"id":"sr-5.2_gdn","name":"guidance","prose":"Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see [SR-6(1)](#sr-6.1) ). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements."},{"id":"sr-5.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)","class":"sp800-53a"}],"parts":[{"id":"sr-5.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[01]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to selection;","links":[{"href":"#sr-5.2_smt","rel":"assessment-for"}]},{"id":"sr-5.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[02]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to acceptance;","links":[{"href":"#sr-5.2_smt","rel":"assessment-for"}]},{"id":"sr-5.2_obj-3","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[03]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to modification;","links":[{"href":"#sr-5.2_smt","rel":"assessment-for"}]},{"id":"sr-5.2_obj-4","name":"assessment-objective","props":[{"name":"label","value":"SR-05(02)[04]","class":"sp800-53a"}],"prose":"the system, system component, or system service is assessed prior to update.","links":[{"href":"#sr-5.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-5.2_smt","rel":"assessment-for"}]},{"id":"sr-5.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-05(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"System security plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nsecurity test and evaluation results\n\nvulnerability assessment results\n\npenetration testing results\n\norganizational risk assessment results\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-5.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-05(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-5.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-05(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting assessments prior to selection, acceptance, or update\n\nmechanisms supporting and\/or implementing the conducting of assessments prior to selection, acceptance, or update"}]}]}]},{"id":"sr-6","class":"SP800-53","title":"Supplier Assessments and Reviews","params":[{"id":"sr-06_odp","props":[{"name":"alt-identifier","value":"sr-6_prm_1"},{"name":"label","value":"SR-06_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;"}]}],"props":[{"name":"label","value":"SR-6"},{"name":"label","value":"SR-06","class":"sp800-53a"},{"name":"sort-id","value":"sr-06"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#678e3d6c-150b-4393-aec5-6e3481eb1e00","rel":"reference"},{"href":"#eea3c092-42ed-4382-a6f4-1adadef01b9d","rel":"reference"},{"href":"#7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","rel":"reference"},{"href":"#a295ca19-8c75-4b4c-8800-98024732e181","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#38ff38f0-1366-4f50-a4c9-26a39aacee16","rel":"reference"},{"href":"#sr-3","rel":"related"},{"href":"#sr-5","rel":"related"}],"parts":[{"id":"sr-6_smt","name":"statement","prose":"Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide {{ insert: param, sr-06_odp }}."},{"id":"sr-6_gdn","name":"guidance","prose":"An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts."},{"id":"sr-6_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06","class":"sp800-53a"}],"prose":"the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.","links":[{"href":"#sr-6_smt","rel":"assessment-for"}]},{"id":"sr-6_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management strategy\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing the integration of information security requirements into the acquisition process\n\nrecords of supplier due diligence reviews\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-6_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for conducting supplier reviews\n\nmechanisms supporting and\/or implementing supplier reviews"}]}],"controls":[{"id":"sr-6.1","class":"SP800-53-enhancement","title":"Testing and Analysis","params":[{"id":"sr-06.01_odp.01","props":[{"name":"alt-identifier","value":"sr-6.1_prm_1"},{"name":"label","value":"SR-06(01)_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["organizational analysis","independent third-party analysis","organizational testing","independent third-party testing"]}},{"id":"sr-06.01_odp.02","props":[{"name":"alt-identifier","value":"sr-6.1_prm_2"},{"name":"label","value":"SR-06(01)_ODP[02]","class":"sp800-53a"}],"label":"supply chain elements, processes, and actors","guidelines":[{"prose":"supply chain elements, processes, and actors to be analyzed and tested are defined;"}]}],"props":[{"name":"label","value":"SR-6(1)"},{"name":"label","value":"SR-06(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-06.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-6","rel":"required"},{"href":"#ca-8","rel":"related"},{"href":"#si-4","rel":"related"}],"parts":[{"id":"sr-6.1_smt","name":"statement","prose":"Employ {{ insert: param, sr-06.01_odp.01 }} of the following supply chain elements, processes, and actors associated with the system, system component, or system service: {{ insert: param, sr-06.01_odp.02 }}."},{"id":"sr-6.1_gdn","name":"guidance","prose":"Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions."},{"id":"sr-6.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-06(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-06.01_odp.01 }} is\/are employed on {{ insert: param, sr-06.01_odp.02 }} associated with the system, system component, or system service.","links":[{"href":"#sr-6.1_smt","rel":"assessment-for"}]},{"id":"sr-6.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-06(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nevidence of organizational analysis, independent third-party analysis, organizational penetration testing, and\/or independent third-party penetration testing\n\nlist of supply chain elements, processes, and actors (associated with the system, system component, or system service) subject to analysis and\/or testing\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-6.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-06(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for analyzing and\/or testing supply chain elements, processes, and actors"}]},{"id":"sr-6.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-06(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing methods of analysis\/testing of supply chain elements, processes, and actors\n\nmechanisms supporting and\/or implementing the analysis\/testing of supply chain elements, processes, and actors"}]}]}]},{"id":"sr-7","class":"SP800-53","title":"Supply Chain Operations Security","params":[{"id":"sr-07_odp","props":[{"name":"alt-identifier","value":"sr-7_prm_1"},{"name":"alt-label","value":"Operations Security (OPSEC) controls","class":"sp800-53"},{"name":"label","value":"SR-07_ODP","class":"sp800-53a"}],"label":"OPSEC controls","guidelines":[{"prose":"Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined;"}]}],"props":[{"name":"label","value":"SR-7"},{"name":"label","value":"SR-07","class":"sp800-53a"},{"name":"sort-id","value":"sr-07"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#sc-38","rel":"related"}],"parts":[{"id":"sr-7_smt","name":"statement","prose":"Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: {{ insert: param, sr-07_odp }}."},{"id":"sr-7_gdn","name":"guidance","prose":"Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services."},{"id":"sr-7_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-07","class":"sp800-53a"}],"prose":"{{ insert: param, sr-07_odp }} are employed to protect supply chain-related information for the system, system component, or system service.","links":[{"href":"#sr-7_smt","rel":"assessment-for"}]},{"id":"sr-7_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-07-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management plan\n\nsupply chain risk management procedures\n\nsystem and services acquisition policy\n\nsystem and services acquisition procedures\n\nprocedures addressing supply chain protection\n\nlist of OPSEC controls to be employed\n\nsolicitation documentation\n\nacquisition documentation\n\nacquisition contracts for the system, system component, or system service\n\nrecords of all-source intelligence analyses\n\nsystem security plan\n\nprivacy plan\n\nother relevant documents or records"}]},{"id":"sr-7_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-07-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with acquisition responsibilities\n\norganizational personnel with information security and privacy responsibilities\n\norganizational personnel with OPSEC responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-7_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-07-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for defining and employing OPSEC safeguards\n\nmechanisms supporting and\/or implementing the definition and employment of OPSEC safeguards"}]}]},{"id":"sr-8","class":"SP800-53","title":"Notification Agreements","params":[{"id":"sr-08_odp.01","props":[{"name":"alt-identifier","value":"sr-8_prm_1"},{"name":"label","value":"SR-08_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["notification of supply chain compromises","{{ insert: param, sr-08_odp.02 }} "]}},{"id":"sr-08_odp.02","props":[{"name":"alt-identifier","value":"sr-8_prm_2"},{"name":"alt-label","value":"information","class":"sp800-53"},{"name":"label","value":"SR-08_ODP[02]","class":"sp800-53a"}],"label":"results of assessments or audits","guidelines":[{"prose":"information for which agreements and procedures are to be established are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-8"},{"name":"label","value":"SR-08","class":"sp800-53a"},{"name":"sort-id","value":"sr-08"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#4ff10ed3-d8fe-4246-99e3-443045e27482","rel":"reference"},{"href":"#0f963c17-ab5a-432a-a867-91eac550309b","rel":"reference"},{"href":"#21caa535-1154-4369-ba7b-32c309fee0f7","rel":"reference"},{"href":"#863caf2a-978a-4260-9e8d-4a8929bce40c","rel":"reference"},{"href":"#08b07465-dbdc-48d6-8a0b-37279602ac16","rel":"reference"},{"href":"#e8e84963-14fc-4c3a-be05-b412a5d37cd2","rel":"reference"},{"href":"#e24b06cc-9129-4998-a76a-65c3d7a576ba","rel":"reference"},{"href":"#ir-4","rel":"related"},{"href":"#ir-6","rel":"related"},{"href":"#ir-8","rel":"related"}],"parts":[{"id":"sr-8_smt","name":"statement","prose":"Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}."},{"id":"sr-8_gdn","name":"guidance","prose":"The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes."},{"id":"sr-8_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-08","class":"sp800-53a"}],"prose":"agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.","links":[{"href":"#sr-8_smt","rel":"assessment-for"}]},{"id":"sr-8_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-08-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-8_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-08-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-8_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-08-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities"}]}]},{"id":"sr-9","class":"SP800-53","title":"Tamper Resistance and Detection","props":[{"name":"label","value":"SR-9"},{"name":"label","value":"SR-09","class":"sp800-53a"},{"name":"sort-id","value":"sr-09"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#sa-15","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-10","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-9_smt","name":"statement","prose":"Implement a tamper protection program for the system, system component, or system service."},{"id":"sr-9_gdn","name":"guidance","prose":"Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and\/or tamper detection is essential to protecting systems and components during distribution and when in use."},{"id":"sr-9_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09","class":"sp800-53a"}],"prose":"a tamper protection program is implemented for the system, system component, or system service.","links":[{"href":"#sr-9_smt","rel":"assessment-for"}]},{"id":"sr-9_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing supply chain protection\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools and techniques documentation\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with tamper protection program responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-9_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for the implementation of the tamper protection program\n\nmechanisms supporting and\/or implementing the tamper protection program"}]}],"controls":[{"id":"sr-9.1","class":"SP800-53-enhancement","title":"Multiple Stages of System Development Life Cycle","props":[{"name":"label","value":"SR-9(1)"},{"name":"label","value":"SR-09(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-09.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-9","rel":"required"},{"href":"#sa-3","rel":"related"}],"parts":[{"id":"sr-9.1_smt","name":"statement","prose":"Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle."},{"id":"sr-9.1_gdn","name":"guidance","prose":"The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage."},{"id":"sr-9.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-09(01)","class":"sp800-53a"}],"prose":"anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.","links":[{"href":"#sr-9.1_smt","rel":"assessment-for"}]},{"id":"sr-9.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-09(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nprocedures addressing tamper resistance and detection\n\ntamper protection program documentation\n\ntamper protection tools and techniques documentation\n\ntamper resistance and detection tools (technologies) and techniques documentation\n\nsystem development life cycle documentation\n\nprocedures addressing supply chain protection\n\nsystem development life cycle procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-9.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-09(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with SDLC responsibilities"}]},{"id":"sr-9.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-09(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for employing anti-tamper technologies\n\nmechanisms supporting and\/or implementing anti-tamper technologies"}]}]}]},{"id":"sr-10","class":"SP800-53","title":"Inspection of Systems or Components","params":[{"id":"sr-10_odp.01","props":[{"name":"alt-identifier","value":"sr-10_prm_4"},{"name":"label","value":"SR-10_ODP[01]","class":"sp800-53a"}],"label":"systems or system components","guidelines":[{"prose":"systems or system components that require inspection are defined;"}]},{"id":"sr-10_odp.02","props":[{"name":"alt-identifier","value":"sr-10_prm_1"},{"name":"label","value":"SR-10_ODP[02]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["at random","at {{ insert: param, sr-10_odp.03 }} ","upon {{ insert: param, sr-10_odp.04 }} "]}},{"id":"sr-10_odp.03","props":[{"name":"alt-identifier","value":"sr-10_prm_2"},{"name":"label","value":"SR-10_ODP[03]","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"frequency at which to inspect systems or system components is defined (if selected);"}]},{"id":"sr-10_odp.04","props":[{"name":"alt-identifier","value":"sr-10_prm_3"},{"name":"label","value":"SR-10_ODP[04]","class":"sp800-53a"}],"label":"indications of need for inspection","guidelines":[{"prose":"indications of the need for an inspection of systems or system components are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-10"},{"name":"label","value":"SR-10","class":"sp800-53a"},{"name":"sort-id","value":"sr-10"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#at-3","rel":"related"},{"href":"#pm-30","rel":"related"},{"href":"#si-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-3","rel":"related"},{"href":"#sr-4","rel":"related"},{"href":"#sr-5","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-11","rel":"related"}],"parts":[{"id":"sr-10_smt","name":"statement","prose":"Inspect the following systems or system components {{ insert: param, sr-10_odp.02 }} to detect tampering: {{ insert: param, sr-10_odp.01 }}."},{"id":"sr-10_gdn","name":"guidance","prose":"The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations."},{"id":"sr-10_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-10","class":"sp800-53a"}],"prose":"{{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.","links":[{"href":"#sr-10_smt","rel":"assessment-for"}]},{"id":"sr-10_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-10-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nrecords of random inspections\n\ninspection reports\/results\n\nassessment reports\/results\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-10_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-10-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-10_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-10-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational processes to inspect for tampering"}]}]},{"id":"sr-11","class":"SP800-53","title":"Component Authenticity","params":[{"id":"sr-11_odp.01","props":[{"name":"alt-identifier","value":"sr-11_prm_1"},{"name":"label","value":"SR-11_ODP[01]","class":"sp800-53a"}],"select":{"how-many":"one-or-more","choice":["source of counterfeit component","{{ insert: param, sr-11_odp.02 }} ","{{ insert: param, sr-11_odp.03 }} "]}},{"id":"sr-11_odp.02","props":[{"name":"alt-identifier","value":"sr-11_prm_2"},{"name":"label","value":"SR-11_ODP[02]","class":"sp800-53a"}],"label":"external reporting organizations","guidelines":[{"prose":"external reporting organizations to whom counterfeit system components are to be reported is\/are defined (if selected);"}]},{"id":"sr-11_odp.03","props":[{"name":"alt-identifier","value":"sr-11_prm_3"},{"name":"label","value":"SR-11_ODP[03]","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles to whom counterfeit system components are to be reported is\/are defined (if selected);"}]}],"props":[{"name":"label","value":"SR-11"},{"name":"label","value":"SR-11","class":"sp800-53a"},{"name":"sort-id","value":"sr-11"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#15a95e24-65b6-4686-bc18-90855a10457d","rel":"reference"},{"href":"#pe-3","rel":"related"},{"href":"#sa-4","rel":"related"},{"href":"#si-7","rel":"related"},{"href":"#sr-9","rel":"related"},{"href":"#sr-10","rel":"related"}],"parts":[{"id":"sr-11_smt","name":"statement","parts":[{"id":"sr-11_smt.a","name":"item","props":[{"name":"label","value":"a."}],"prose":"Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and"},{"id":"sr-11_smt.b","name":"item","props":[{"name":"label","value":"b."}],"prose":"Report counterfeit system components to {{ insert: param, sr-11_odp.01 }}."}]},{"id":"sr-11_gdn","name":"guidance","prose":"Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA."},{"id":"sr-11_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.","class":"sp800-53a"}],"parts":[{"id":"sr-11_obj.a-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[01]","class":"sp800-53a"}],"prose":"an anti-counterfeit policy is developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[02]","class":"sp800-53a"}],"prose":"anti-counterfeit procedures are developed and implemented;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-3","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[03]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to detect counterfeit components entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.a-4","name":"assessment-objective","props":[{"name":"label","value":"SR-11a.[04]","class":"sp800-53a"}],"prose":"the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;","links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt.a","rel":"assessment-for"}]},{"id":"sr-11_obj.b","name":"assessment-objective","props":[{"name":"label","value":"SR-11b.","class":"sp800-53a"}],"prose":"counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.","links":[{"href":"#sr-11_smt.b","rel":"assessment-for"}]}],"links":[{"href":"#sr-11_smt","rel":"assessment-for"}]},{"id":"sr-11_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\nreports notifying developers, manufacturers, vendors, contractors, and\/or external reporting organizations of counterfeit system components\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system, system component, or system service\n\ninter-organizational agreements and procedures\n\nrecords of reported counterfeit system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and service acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting"}]},{"id":"sr-11_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for counterfeit prevention, detection, and reporting\n\nmechanisms supporting and\/or implementing anti-counterfeit detection, prevention, and reporting"}]}],"controls":[{"id":"sr-11.1","class":"SP800-53-enhancement","title":"Anti-counterfeit Training","params":[{"id":"sr-11.01_odp","props":[{"name":"alt-identifier","value":"sr-11.1_prm_1"},{"name":"label","value":"SR-11(01)_ODP","class":"sp800-53a"}],"label":"personnel or roles","guidelines":[{"prose":"personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is\/are defined;"}]}],"props":[{"name":"label","value":"SR-11(1)"},{"name":"label","value":"SR-11(01)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.01"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#at-3","rel":"related"}],"parts":[{"id":"sr-11.1_smt","name":"statement","prose":"Train {{ insert: param, sr-11.01_odp }} to detect counterfeit system components (including hardware, software, and firmware)."},{"id":"sr-11.1_gdn","name":"guidance","prose":"None."},{"id":"sr-11.1_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(01)","class":"sp800-53a"}],"prose":"{{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).","links":[{"href":"#sr-11.1_smt","rel":"assessment-for"}]},{"id":"sr-11.1_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(01)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nsystem and services acquisition policy\n\nanti-counterfeit plan\n\nanti-counterfeit policy and procedures\n\nmedia disposal policy\n\nmedia protection policy\n\nincident response policy\n\ntraining materials addressing counterfeit system components\n\ntraining records on the detection and prevention of counterfeit components entering the system\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.1_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(01)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies, procedures, and training"}]},{"id":"sr-11.1_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(01)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for anti-counterfeit training"}]}]},{"id":"sr-11.2","class":"SP800-53-enhancement","title":"Configuration Control for Component Service and Repair","params":[{"id":"sr-11.02_odp","props":[{"name":"alt-identifier","value":"sr-11.2_prm_1"},{"name":"label","value":"SR-11(02)_ODP","class":"sp800-53a"}],"label":"system components","guidelines":[{"prose":"system components requiring configuration control are defined;"}]}],"props":[{"name":"label","value":"SR-11(2)"},{"name":"label","value":"SR-11(02)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.02"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#cm-3","rel":"related"},{"href":"#ma-2","rel":"related"},{"href":"#ma-4","rel":"related"},{"href":"#sa-10","rel":"related"}],"parts":[{"id":"sr-11.2_smt","name":"statement","prose":"Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, sr-11.02_odp }}."},{"id":"sr-11.2_gdn","name":"guidance","prose":"None."},{"id":"sr-11.2_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)","class":"sp800-53a"}],"parts":[{"id":"sr-11.2_obj-1","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[01]","class":"sp800-53a"}],"prose":"configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_obj-2","name":"assessment-objective","props":[{"name":"label","value":"SR-11(02)[02]","class":"sp800-53a"}],"prose":"configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.","links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]}],"links":[{"href":"#sr-11.2_smt","rel":"assessment-for"}]},{"id":"sr-11.2_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(02)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nconfiguration control procedures\n\nacquisition documentation\n\nservice level agreements\n\nacquisition contracts for the system component\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.2_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(02)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities"}]},{"id":"sr-11.2_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(02)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities\n\norganizational configuration control processes"}]}]},{"id":"sr-11.3","class":"SP800-53-enhancement","title":"Anti-counterfeit Scanning","params":[{"id":"sr-11.03_odp","props":[{"name":"alt-identifier","value":"sr-11.3_prm_1"},{"name":"label","value":"SR-11(03)_ODP","class":"sp800-53a"}],"label":"frequency","guidelines":[{"prose":"the frequency at which to scan for counterfeit system components is defined;"}]}],"props":[{"name":"label","value":"SR-11(3)"},{"name":"label","value":"SR-11(03)","class":"sp800-53a"},{"name":"sort-id","value":"sr-11.03"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#sr-11","rel":"required"},{"href":"#ra-5","rel":"related"}],"parts":[{"id":"sr-11.3_smt","name":"statement","prose":"Scan for counterfeit system components {{ insert: param, sr-11.03_odp }}."},{"id":"sr-11.3_gdn","name":"guidance","prose":"The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application)."},{"id":"sr-11.3_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-11(03)","class":"sp800-53a"}],"prose":"scanning for counterfeit system components is conducted {{ insert: param, sr-11.03_odp }}.","links":[{"href":"#sr-11.3_smt","rel":"assessment-for"}]},{"id":"sr-11.3_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-11(03)-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\nanti-counterfeit policy and procedures\n\nsystem design documentation\n\nsystem configuration settings and associated documentation\n\nscanning tools and associated documentation\n\nscanning results\n\nprocedures addressing supply chain protection\n\nacquisition documentation\n\ninter-organizational agreements and procedures\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-11.3_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-11(03)-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system and services acquisition responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain risk management responsibilities\n\norganizational personnel with responsibilities for anti-counterfeit policies and procedures\n\norganizational personnel with responsibility for anti-counterfeit scanning"}]},{"id":"sr-11.3_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-11(03)-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational processes for scanning for counterfeit system components\n\nmechanisms supporting and\/or implementing anti-counterfeit scanning"}]}]}]},{"id":"sr-12","class":"SP800-53","title":"Component Disposal","params":[{"id":"sr-12_odp.01","props":[{"name":"alt-identifier","value":"sr-12_prm_1"},{"name":"label","value":"SR-12_ODP[01]","class":"sp800-53a"}],"label":"data, documentation, tools, or system components","guidelines":[{"prose":"data, documentation, tools, or system components to be disposed of are defined;"}]},{"id":"sr-12_odp.02","props":[{"name":"alt-identifier","value":"sr-12_prm_2"},{"name":"label","value":"SR-12_ODP[02]","class":"sp800-53a"}],"label":"techniques and methods","guidelines":[{"prose":"techniques and methods for disposing of data, documentation, tools, or system components are defined;"}]}],"props":[{"name":"label","value":"SR-12"},{"name":"label","value":"SR-12","class":"sp800-53a"},{"name":"sort-id","value":"sr-12"},{"name":"implementation-level","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"organization"},{"name":"contributes-to-assurance","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"true"}],"links":[{"href":"#mp-6","rel":"related"}],"parts":[{"id":"sr-12_smt","name":"statement","prose":"Dispose of {{ insert: param, sr-12_odp.01 }} using the following techniques and methods: {{ insert: param, sr-12_odp.02 }}."},{"id":"sr-12_gdn","name":"guidance","prose":"Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations\/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market."},{"id":"sr-12_obj","name":"assessment-objective","props":[{"name":"label","value":"SR-12","class":"sp800-53a"}],"prose":"{{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.","links":[{"href":"#sr-12_smt","rel":"assessment-for"}]},{"id":"sr-12_asm-examine","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"EXAMINE"},{"name":"label","value":"SR-12-Examine","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Supply chain risk management policy and procedures\n\nsupply chain risk management plan\n\ndisposal procedures addressing supply chain protection\n\nmedia disposal policy\n\nmedia protection policy\n\ndisposal records for system components\n\ndocumentation of the system components identified for disposal\n\ndocumentation of the disposal techniques and methods employed for system components\n\nsystem security plan\n\nother relevant documents or records"}]},{"id":"sr-12_asm-interview","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"INTERVIEW"},{"name":"label","value":"SR-12-Interview","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational personnel with system component disposal responsibilities\n\norganizational personnel with information security responsibilities\n\norganizational personnel with supply chain protection responsibilities"}]},{"id":"sr-12_asm-test","name":"assessment-method","props":[{"name":"method","ns":"http:\/\/csrc.nist.gov\/ns\/rmf","value":"TEST"},{"name":"label","value":"SR-12-Test","class":"sp800-53a"}],"parts":[{"name":"assessment-objects","prose":"Organizational techniques and methods for system component disposal\n\nmechanisms supporting and\/or implementing system component disposal"}]}]}]}],"back-matter":{"resources":[{"uuid":"91f992fb-f668-4c91-a50f-0f05b95ccee3","title":"32 CFR 2002","citation":{"text":"Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002)."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/documents\/2016\/09\/14\/2016-21665\/controlled-unclassified-information"}]},{"uuid":"0f963c17-ab5a-432a-a867-91eac550309b","title":"41 CFR 201","citation":{"text":"\"Federal Acquisition Supply Chain Security Act; Rule,\" 85 Federal Register 54263 (September 1, 2020), pp 54263-54271."},"rlinks":[{"href":"https:\/\/www.federalregister.gov\/d\/2020-18939"}]},{"uuid":"a5ef5e56-5c1a-4911-b419-37dddc1b3581","title":"5 CFR 731","citation":{"text":"Code of Federal Regulations, Title 5, *Administrative Personnel* , Section 731.106, *Designation of Public Trust Positions and Investigative Requirements* (5 C.F.R. 731.106)."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/CFR-2012-title5-vol2\/pdf\/CFR-2012-title5-vol2-sec731-106.pdf"}]},{"uuid":"d3b71d4d-27c1-40f7-ad7f-1c1fe6d8bde8","title":"ATOM54","citation":{"text":"Atomic Energy Act (P.L. 83-703), August 1954."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-68\/pdf\/STATUTE-68-Pg919.pdf"}]},{"uuid":"94c64e1a-456c-457f-86da-83ac0dfc85ac","title":"CMPPA","citation":{"text":"Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-102\/pdf\/STATUTE-102-Pg2507.pdf"}]},{"uuid":"031cc4b7-9adf-4835-98f1-f1ca493519cf","title":"CNSSD 505","citation":{"text":"Committee on National Security Systems Directive No. 505, *Supply Chain Risk Management (SCRM)* , August 2017."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Directives.cfm"}]},{"uuid":"4e4fbc93-333d-45e6-a875-de36b878b6b9","title":"CNSSI 1253","citation":{"text":"Committee on National Security Systems Instruction No. 1253, *Security Categorization and Control Selection for National Security Systems* , March 2014."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"6f63a36d-24bb-44f3-885a-5a50b5e1ada0","title":"CNSSI 4009","citation":{"text":"Committee on National Security Systems Instruction No. 4009, *Committee on National Security Systems (CNSS) Glossary* , April 2015."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Instructions.cfm"}]},{"uuid":"8a687894-cdab-423d-b95b-8d9475e4b51e","title":"CNSSP 22","citation":{"text":"Committee on National Security Systems Policy No. 22, *Cybersecurity Risk Management Policy* , August 2016."},"rlinks":[{"href":"https:\/\/www.cnss.gov\/CNSS\/issuances\/Policies.cfm"}]},{"uuid":"b9951d04-6385-478c-b1a3-ab68c19d9041","title":"DHS NIPP","citation":{"text":"Department of Homeland Security, *National Infrastructure Protection Plan (NIPP)* , 2009."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/xlibrary\/assets\/NIPP_Plan.pdf"}]},{"uuid":"4f42ee6e-86cc-403b-a51f-76c2b4f81b54","title":"DHS TIC","citation":{"text":"Department of Homeland Security, *Trusted Internet Connections (TIC)*."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/trusted-internet-connections"}]},{"uuid":"aa66e14f-e7cb-4a37-99d2-07578dfd4608","title":"DOD STIG","citation":{"text":"Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*."},"rlinks":[{"href":"https:\/\/public.cyber.mil\/stigs"}]},{"uuid":"d6f8ff7f-4b71-47ba-b61b-a5ee3ffd3af0","title":"DODI 8510.01","citation":{"text":"Department of Defense Instruction 8510.01, *Risk Management Framework (RMF) for DoD Information Technology (IT)* , March 2014."},"rlinks":[{"href":"https:\/\/www.esd.whs.mil\/Portals\/54\/Documents\/DD\/issuances\/dodi\/851001p.pdf?ver=2019-02-26-101520-300"}]},{"uuid":"1c861e8c-cb40-463e-9cf2-693554107693","title":"DODTERMS","citation":{"text":"Department of Defense, *Dictionary of Military and Associated Terms*."},"rlinks":[{"href":"https:\/\/www.jcs.mil\/Portals\/36\/Documents\/Doctrine\/pubs\/dictionary.pdf"}]},{"uuid":"00db708b-4704-4fcb-b854-b66d1d756a58","title":"DSB 2017","citation":{"text":"Department of Defense, Defense Science Board, *Task Force on Cyber Deterrence* , February 2017."},"rlinks":[{"href":"https:\/\/dsb.cto.mil\/reports\/2010s\/DSB-CyberDeterrenceReport_02-28-17_Final.pdf"}]},{"uuid":"7b0b9634-741a-4335-b6fa-161228c3a76e","title":"EGOV","citation":{"text":"E-Government Act [includes FISMA] (P.L. 107-347), December 2002. "},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ347\/PLAW-107publ347.pdf"}]},{"uuid":"55b0c93a-5e48-457a-baa6-5ce81c239c49","title":"EO 13526","citation":{"text":"Executive Order 13526, *Classified National Security Information* , December 2009."},"rlinks":[{"href":"https:\/\/www.archives.gov\/isoo\/policy-documents\/cnsi-eo.html"}]},{"uuid":"34a5571f-e252-4309-a8a1-2fdb2faefbcd","title":"EO 13556","citation":{"text":"Executive Order 13556, *Controlled Unclassified Information* , November 2010."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2010\/11\/04\/executive-order-13556-controlled-unclassified-information"}]},{"uuid":"0af071a6-cf8e-48ee-8c82-fe91efa20f94","title":"EO 13587","citation":{"text":"Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2011\/10\/07\/executive-order-13587-structural-reforms-improve-security-classified-net"}]},{"uuid":"3406fdc0-d61c-44a9-a5ca-84180544c83a","title":"EO 13636","citation":{"text":"Executive Order 13636, *Improving Critical Infrastructure Cybersecurity* , February 2013."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/executive-order-improving-critical-infrastructure-cybersecurity"}]},{"uuid":"09afa3a7-e564-4c5f-865f-2679049563b0","title":"EO 13800","citation":{"text":"Executive Order 13800, *Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/presidential-executive-order-strengthening-cybersecurity-federal-networks-critical-infrastructure"}]},{"uuid":"21caa535-1154-4369-ba7b-32c309fee0f7","title":"EO 13873","citation":{"text":"Executive Order 13873, *Executive Order on Securing the Information and Communications Technology and Services Supply Chain* , May 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/presidential-actions\/executive-order-securing-information-communications-technology-services-supply-chain"}]},{"uuid":"511da9ca-604d-43f7-be41-b862085420a9","title":"EVIDACT","citation":{"text":"Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019."},"rlinks":[{"href":"https:\/\/www.congress.gov\/115\/plaws\/publ435\/PLAW-115publ435.pdf"}]},{"uuid":"4ff10ed3-d8fe-4246-99e3-443045e27482","title":"FASC18","citation":{"text":"Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018."},"rlinks":[{"href":"https:\/\/www.congress.gov\/bill\/115th-congress\/senate-bill\/3085"}]},{"uuid":"a1555677-2b9d-4868-a97b-a1363aff32f5","title":"FED PKI","citation":{"text":"General Services Administration, *Federal Public Key Infrastructure*."},"rlinks":[{"href":"https:\/\/www.idmanagement.gov\/topics\/fpki"}]},{"uuid":"678e3d6c-150b-4393-aec5-6e3481eb1e00","title":"FIPS 140-3","citation":{"text":"National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. "},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.140-3"}]},{"uuid":"eea3c092-42ed-4382-a6f4-1adadef01b9d","title":"FIPS 180-4","citation":{"text":"National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.180-4"}]},{"uuid":"7c37a38d-21d7-40d8-bc3d-b5e27eac17e1","title":"FIPS 186-4","citation":{"text":"National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.186-4"}]},{"uuid":"ff989cdc-649d-4f45-8f61-9309c9680933","title":"FIPS 196","citation":{"text":"National Institute of Standards and Technology (1997) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 196."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.196"}]},{"uuid":"736d6310-e403-4b57-a79d-9967970c66d7","title":"FIPS 197","citation":{"text":"National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.197"}]},{"uuid":"e9d6c5f2-b3aa-4a28-8bea-a0135718d453","title":"FIPS 198-1","citation":{"text":"National Institute of Standards and Technology (2008) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 198-1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.198-1"}]},{"uuid":"628d22a1-6a11-4784-bc59-5cd9497b5445","title":"FIPS 199","citation":{"text":"National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.199"}]},{"uuid":"599fb53d-5041-444e-a7fe-640d6d30ad05","title":"FIPS 200","citation":{"text":"National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.200"}]},{"uuid":"7ba1d91c-3934-4d5a-8532-b32f864ad34c","title":"FIPS 201-2","citation":{"text":"National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.201-2"}]},{"uuid":"a295ca19-8c75-4b4c-8800-98024732e181","title":"FIPS 202","citation":{"text":"National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.FIPS.202"}]},{"uuid":"d68867c0-2f21-4193-bef8-300f3270db56","title":"FISMA IMP","citation":{"text":"Federal Information Security Modernization Act (FISMA) Implementation Project."},"rlinks":[{"href":"https:\/\/nist.gov\/RMF"}]},{"uuid":"0c67b2a9-bede-43d2-b86d-5f35b8be36e9","title":"FISMA","citation":{"text":"Federal Information Security Modernization Act (P.L. 113-283), December 2014."},"rlinks":[{"href":"https:\/\/www.congress.gov\/113\/plaws\/publ283\/PLAW-113publ283.pdf"}]},{"uuid":"d9b1262c-9ee6-4c3e-846f-3a15f9d7eaa6","title":"FOIA96","citation":{"text":"Freedom of Information Act (FOIA), 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/PLAW-104publ231\/pdf\/PLAW-104publ231.pdf"}]},{"uuid":"f16e438e-7114-4144-bfe2-2dfcad8cb2d0","title":"HSPD 12","citation":{"text":"Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-12"}]},{"uuid":"488d6934-00b2-4252-bf23-1b3c2d71eb13","title":"HSPD 7","citation":{"text":"Homeland Security Presidential Directive 7, *Critical Infrastructure Identification, Prioritization, and Protection* , December 2003."},"rlinks":[{"href":"https:\/\/www.dhs.gov\/homeland-security-presidential-directive-7"}]},{"uuid":"7623635e-1a92-4250-a829-4a5c8a4da2bc","title":"IETF 4949","citation":{"text":"Internet Engineering Task Force (IETF), Request for Comments: 4949, *Internet Security Glossary, Version 2* , August 2007."},"rlinks":[{"href":"https:\/\/tools.ietf.org\/html\/rfc4949"}]},{"uuid":"e4d37285-1e79-4029-8b6a-42df39cace30","title":"IETF 5905","citation":{"text":"Internet Engineering Task Force (IETF), Request for Comments: 5905, *Network Time Protocol Version 4: Protocol and Algorithms Specification* , June 2010."},"rlinks":[{"href":"https:\/\/tools.ietf.org\/pdf\/rfc5905.pdf"}]},{"uuid":"15dc76ff-b17a-4eeb-8948-8ea8de3ccc2c","title":"IR 7539","citation":{"text":"Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7539"}]},{"uuid":"2be7b163-e50a-435c-8906-f1162f2a457a","title":"IR 7559","citation":{"text":"Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7559"}]},{"uuid":"e24b06cc-9129-4998-a76a-65c3d7a576ba","title":"IR 7622","citation":{"text":"Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7622"}]},{"uuid":"4b38e961-1125-4a5b-aa35-1d6c02846dad","title":"IR 7676","citation":{"text":"Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7676"}]},{"uuid":"aa5d04e0-6090-4e17-84d4-b9963d55fc2c","title":"IR 7788","citation":{"text":"Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7788"}]},{"uuid":"91701292-8bcd-4d2e-a5bd-59ab61e34b3c","title":"IR 7817","citation":{"text":"Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7817"}]},{"uuid":"4f5f51ac-2b8d-4b90-a3c7-46f56e967617","title":"IR 7849","citation":{"text":"Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7849"}]},{"uuid":"604774da-9e1d-48eb-9c62-4e959dc80737","title":"IR 7870","citation":{"text":"Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7870"}]},{"uuid":"7f473f21-fdbf-4a6c-81a1-0ab95919609d","title":"IR 7874","citation":{"text":"Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7874"}]},{"uuid":"849b2358-683f-4d97-b111-1cc3d522ded5","title":"IR 7956","citation":{"text":"Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7956"}]},{"uuid":"3915a084-b87b-4f02-83d4-c369e746292f","title":"IR 7966","citation":{"text":"Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.7966"}]},{"uuid":"bbac9fc2-df5b-4f2d-bf99-90d0ade45349","title":"IR 8011-1","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-1"}]},{"uuid":"70402863-5078-43af-9a6c-e11b0f3ec370","title":"IR 8011-2","citation":{"text":"Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-2"}]},{"uuid":"996241f8-f692-42d5-91f1-ce8b752e39e6","title":"IR 8011-3","citation":{"text":"Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-3"}]},{"uuid":"d2ebec9b-f868-4ee1-a2bd-0b2282aed248","title":"IR 8011-4","citation":{"text":"Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4"}]},{"uuid":"4c501da5-9d79-4cb6-ba80-97260e1ce327","title":"IR 8023","citation":{"text":"Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8023"}]},{"uuid":"81aeb0a3-d0ee-4e44-b842-6bf28d2bd7f5","title":"IR 8040","citation":{"text":"Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8040"}]},{"uuid":"98d415ca-7281-4064-9931-0c366637e324","title":"IR 8062","citation":{"text":"Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8062"}]},{"uuid":"a2590922-82f3-4277-83c0-ca5bee06dba4","title":"IR 8112","citation":{"text":"Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8112"}]},{"uuid":"d4296805-2dca-4c63-a95f-eeccaa826aec","title":"IR 8179","citation":{"text":"Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8179"}]},{"uuid":"38ff38f0-1366-4f50-a4c9-26a39aacee16","title":"IR 8272","citation":{"text":"Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.IR.8272"}]},{"uuid":"0c559766-0df1-468f-a499-3577bb6dfa46","title":"ISO 15026-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 15026-1:2019, *Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary* , March 2019."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/73567.html"}]},{"uuid":"7d8ec7b7-dba0-4a17-981c-c959dbcc6c68","title":"ISO 15288","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 15288:2015, *Systems and software engineering —Systems life cycle processes* , May 2015."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/63711.html"}]},{"uuid":"6afc1b04-c9d6-4023-adbc-f8fbe33a3c73","title":"ISO 15408-1","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-1:2009, *Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART1V3.1R5.pdf"}]},{"uuid":"87087451-2af5-43d4-88c1-d66ad850f614","title":"ISO 15408-2","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-2:2008, *Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART2V3.1R5.pdf"}]},{"uuid":"4452efc0-e79e-47b8-aa30-b54f3ef61c2f","title":"ISO 15408-3","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 15408-3:2008, *Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements* , April 2017."},"rlinks":[{"href":"https:\/\/www.commoncriteriaportal.org\/files\/ccfiles\/CCPART3V3.1R5.pdf"}]},{"uuid":"15a95e24-65b6-4686-bc18-90855a10457d","title":"ISO 20243","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 20243-1:2018, *Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations* , February 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/74399.html"}]},{"uuid":"c22d2905-4087-4397-b574-c534b9e808c8","title":"ISO 25237","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 25237:2017, *Health informatics —Pseudonymization* , January 2017."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/63553.html"}]},{"uuid":"863caf2a-978a-4260-9e8d-4a8929bce40c","title":"ISO 27036","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 27036-1:2014, *Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts* , April 2014."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/59648.html"}]},{"uuid":"094ad8c9-960f-4091-acff-8c99a390f08d","title":"ISO 29100","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29100:2011, *Information technology—Security techniques—Privacy framework* , December 2011."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/45123.html"}]},{"uuid":"8df72805-2e5c-4731-a73e-81db0f0318d0","title":"ISO 29147","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission 29147:2018, *Information technology—Security techniques—Vulnerability disclosure* , October 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72311.html"}]},{"uuid":"06ce9216-bd54-4054-a422-94f358b50a5d","title":"ISO 29148","citation":{"text":"International Organization for Standardization\/International Electrotechnical Commission\/Institute of Electrical and Electronics Engineers (ISO\/IEC\/IEEE) 29148:2018, *Systems and software engineering—Life cycle processes—Requirements engineering* , November 2018."},"rlinks":[{"href":"https:\/\/www.iso.org\/standard\/72089.html"}]},{"uuid":"d1cdab13-4218-400d-91a9-c3818dfa5ec8","title":"LAMPSON73","citation":{"text":"B. W. Lampson, *A Note on the Confinement Problem* , Communications of the ACM 16, 10, pp. 613-615, October 1973."}},{"uuid":"c28ae9a8-1121-42a9-a85e-00cfcc9b9a94","title":"NARA CUI","citation":{"text":"National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry."},"rlinks":[{"href":"https:\/\/www.archives.gov\/cui"}]},{"uuid":"d744d9a3-73eb-4085-b9ff-79e82e9e2d6e","title":"NCPR","citation":{"text":"National Institute of Standards and Technology (2020) *National Checklist Program Repository* . Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/ncp\/repository"}]},{"uuid":"aea5026f-e5c5-4256-8293-ffcdc487bcd5","title":"NEUM04","citation":{"text":"*Principled Assuredly Trustworthy Composable Architectures* , P. Neumann, CDRL A001 Final Report, SRI International, December 2004."},"rlinks":[{"href":"http:\/\/www.csl.sri.com\/users\/neumann\/chats4.pdf"}]},{"uuid":"795aff72-3e6c-4b6b-a80a-b14d84b7f544","title":"NIAP CCEVS","citation":{"text":"National Information Assurance Partnership, *Common Criteria Evaluation and Validation Scheme*."},"rlinks":[{"href":"https:\/\/www.niap-ccevs.org"}]},{"uuid":"84dc1b0c-acb7-4269-84c4-00dbabacd78c","title":"NIST CAVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Algorithm Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-algorithm-validation-program"}]},{"uuid":"1acdc775-aafb-4d11-9341-dc6a822e9d38","title":"NIST CMVP","citation":{"text":"National Institute of Standards and Technology (2020) *Cryptographic Module Validation Program* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/cryptographic-module-validation-program"}]},{"uuid":"a806de34-70a2-4239-8030-4ab286acc7b8","title":"NIST CSF","citation":{"text":"National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD)."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.CSWP.04162018"}]},{"uuid":"956dcbb3-8109-4b6a-9058-ff0b909ec812","title":"NIST PF","citation":{"text":"National Institute of Standards and Technology (2020) Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD)."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.CSWP.01162020"}]},{"uuid":"528135e3-c65b-461a-93d3-46513610f792","title":"NITP12","citation":{"text":"Presidential Memorandum for the Heads of Executive Departments and Agencies, *National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs* , November 2012."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2012\/11\/21\/presidential-memorandum-national-insider-threat-policy-and-minimum-stand"}]},{"uuid":"3d575737-98cb-459d-b41c-d7e82b73ad78","title":"NSA CSFC","citation":{"text":"National Security Agency, *Commercial Solutions for Classified Program (CSfC)*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/csfc"}]},{"uuid":"df9f87e9-71e7-4c74-9ac3-3cabd4e92f21","title":"NSA MEDIA","citation":{"text":"National Security Agency, *Media Destruction Guidance*."},"rlinks":[{"href":"https:\/\/www.nsa.gov\/resources\/everyone\/media-destruction"}]},{"uuid":"782a8c6d-39a4-45df-a6db-ad0b9226fa38","title":"NVD 800-53","citation":{"text":"National Institute of Standards and Technology (2020) *National Vulnerability Database: NIST Special Publication 800-53 [database of controls].* Available at"},"rlinks":[{"href":"https:\/\/nvd.nist.gov\/800-53"}]},{"uuid":"89f2a08d-fc49-46d0-856e-bf974c9b1573","title":"ODNI CTF","citation":{"text":"Office of the Director of National Intelligence (ODNI) Cyber Threat Framework."},"rlinks":[{"href":"https:\/\/www.dni.gov\/index.php\/cyber-threat-framework"}]},{"uuid":"06d74ea9-2178-449c-a9c5-b2980f804ac8","title":"ODNI NITP","citation":{"text":"Office of the Director National Intelligence, *National Insider Threat Policy* "},"rlinks":[{"href":"https:\/\/www.dni.gov\/files\/NCSC\/documents\/nittf\/National_Insider_Threat_Policy.pdf"}]},{"uuid":"3671ff20-c17c-44d6-8a88-7de203fa74aa","title":"OMB A-108","citation":{"text":"Office of Management and Budget Memorandum Circular A-108, *Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act* , December 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A108\/omb_circular_a-108.pdf"}]},{"uuid":"27847491-5ce1-4f6a-a1e4-9e483782f0ef","title":"OMB A-130","citation":{"text":"Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/circulars\/A130\/a130revised.pdf"}]},{"uuid":"d229ae60-51dd-4d7b-a8bf-1f7195cc7561","title":"OMB M-03-22","citation":{"text":"Office of Management and Budget Memorandum M-03-22, *OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002* , September 2003. [https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf](https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf) "},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2003\/m03_22.pdf"}]},{"uuid":"047b041a-b4b0-4537-ab2d-2b36283eeda0","title":"OMB M-08-05","citation":{"text":"Office of Management and Budget Memorandum M-08-05, *Implementation of Trusted Internet Connections (TIC)* , November 2007."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/assets\/omb\/memoranda\/fy2008\/m08-05.pdf"}]},{"uuid":"206a3284-6a7e-423c-8ea9-25b22542541d","title":"OMB M-17-06","citation":{"text":"Office of Management and Budget Memorandum M-17-06, *Policies for Federal Agency Public Websites and Digital Services* , November 2016."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/m-17-06.pdf"}]},{"uuid":"5f4705ac-8d17-438c-b23a-ac7f12362ae4","title":"OMB M-17-12","citation":{"text":"Office of Management and Budget Memorandum M-17-12, *Preparing for and Responding to a Breach of Personally Identifiable Information* , January 2017."},"rlinks":[{"href":"https:\/\/obamawhitehouse.archives.gov\/sites\/default\/files\/omb\/memoranda\/2017\/m-17-12_0.pdf"}]},{"uuid":"81c44706-0227-4258-a920-620a4d259990","title":"OMB M-17-25","citation":{"text":"Office of Management and Budget Memorandum M-17-25, *Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure* , May 2017."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/omb\/memoranda\/2017\/M-17-25.pdf"}]},{"uuid":"c5e11048-1d38-4af3-b00b-0d88dc26860c","title":"OMB M-19-03","citation":{"text":"Office of Management and Budget Memorandum M-19-03, *Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program* , December 2018."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2018\/12\/M-19-03.pdf"}]},{"uuid":"227063d4-431e-435f-9e8f-009b6dbc20f4","title":"OMB M-19-15","citation":{"text":"Office of Management and Budget Memorandum M-19-15, *Improving Implementation of the Information Quality Act* , April 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/04\/M-19-15.pdf"}]},{"uuid":"d886c141-c832-4ad7-ac6d-4b94f4b550d3","title":"OMB M-19-23","citation":{"text":"Office of Management and Budget Memorandum M-19-23, *Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance* , July 2019."},"rlinks":[{"href":"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2019\/07\/M-19-23.pdf"}]},{"uuid":"79453f84-26a4-4995-8257-d32d37aefea3","title":"POPEK74","citation":{"text":"G. Popek, *The Principle of Kernel Design* , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978."}},{"uuid":"18e71fec-c6fd-475a-925a-5d8495cf8455","title":"PRIVACT","citation":{"text":"Privacy Act (P.L. 93-579), December 1974."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/STATUTE-88\/pdf\/STATUTE-88-Pg1896.pdf"}]},{"uuid":"c9495d6e-ef64-4090-8509-e58c3b9009ff","title":"SALTZER75","citation":{"text":"J. Saltzer and M. Schroeder, *The Protection of Information in Computer Systems* , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308."}},{"uuid":"4c0ec2ee-a0d6-428a-9043-4504bc3ade6f","title":"SP 800-100","citation":{"text":"Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-100"}]},{"uuid":"10cf2fad-a216-41f9-bb1a-531b7e3119e3","title":"SP 800-101","citation":{"text":"Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-101r1"}]},{"uuid":"22f2d4f0-4365-4e88-a30d-275c1f5473ea","title":"SP 800-111","citation":{"text":"Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-111"}]},{"uuid":"6bc4d137-aece-42a8-8081-9ecb1ebe9fb4","title":"SP 800-113","citation":{"text":"Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-113"}]},{"uuid":"42e37e51-7cc0-4ffa-81c9-0ac942da7e99","title":"SP 800-114","citation":{"text":"Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-114r1"}]},{"uuid":"122177fa-c4ed-485d-8345-3082c0fb9a06","title":"SP 800-115","citation":{"text":"Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-115"}]},{"uuid":"2100332a-16a5-4598-bacf-7261baea9711","title":"SP 800-116","citation":{"text":"Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-116r1"}]},{"uuid":"d17ebd7a-ffab-499d-bfff-e705bbb01fa6","title":"SP 800-121","citation":{"text":"Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-121r2"}]},{"uuid":"0f66be67-85e7-4ca6-bd19-39453e9f4394","title":"SP 800-124","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-124r1"}]},{"uuid":"88660532-2dcf-442e-845c-03340ce48999","title":"SP 800-125B","citation":{"text":"Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-125B"}]},{"uuid":"8016d2ed-d30f-4416-9c45-0f42c7aa3232","title":"SP 800-126","citation":{"text":"Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3"}]},{"uuid":"20db4e66-e257-450c-b2e4-2bb9a62a2c88","title":"SP 800-128","citation":{"text":"Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-128"}]},{"uuid":"c7ac44e8-10db-4b64-b2b9-9e32ec1efed0","title":"SP 800-12","citation":{"text":"Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-12r1"}]},{"uuid":"3653e316-8923-430e-8943-b3b2b2562fc6","title":"SP 800-130","citation":{"text":"Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-130"}]},{"uuid":"62ea77ca-e450-4323-b210-e0d75390e785","title":"SP 800-137A","citation":{"text":"Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137A"}]},{"uuid":"067223d8-1ec7-45c5-b21b-c848da6de8fb","title":"SP 800-137","citation":{"text":"Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-137"}]},{"uuid":"e47ee630-9cbc-4133-880e-e013f83ccd51","title":"SP 800-147","citation":{"text":"Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-147"}]},{"uuid":"9ef4b43c-42a4-4316-87dc-ffaf528bc05c","title":"SP 800-150","citation":{"text":"Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-150"}]},{"uuid":"2494df28-9049-4196-b233-540e7440993f","title":"SP 800-152","citation":{"text":"Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-152"}]},{"uuid":"708b94e1-3d5e-4b22-ab43-1c69f3a97e37","title":"SP 800-154","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-154\/draft"}]},{"uuid":"d9e036ba-6eec-46a6-9340-b0bf1fea23b4","title":"SP 800-156","citation":{"text":"Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-156"}]},{"uuid":"e3cc0520-a366-4fc9-abc2-5272db7e3564","title":"SP 800-160-1","citation":{"text":"Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v1"}]},{"uuid":"61ccf0f4-d3e7-42db-9796-ce6cb1c85989","title":"SP 800-160-2","citation":{"text":"Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-160v2"}]},{"uuid":"e8e84963-14fc-4c3a-be05-b412a5d37cd2","title":"SP 800-161","citation":{"text":"Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-161"}]},{"uuid":"2956e175-f674-43f4-b1b9-e074ad9fc39c","title":"SP 800-162","citation":{"text":"Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-162"}]},{"uuid":"e8552d48-cf41-40aa-8b06-f45f7fb4706c","title":"SP 800-166","citation":{"text":"Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-166"}]},{"uuid":"38f39739-1ebd-43b1-8b8c-00f591d89ebd","title":"SP 800-167","citation":{"text":"Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-167"}]},{"uuid":"7dbd6d9f-29d6-4d1d-9766-f2d77ff3c849","title":"SP 800-171","citation":{"text":"Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2"}]},{"uuid":"f26af0d0-6d72-4a9d-8ecd-01bc21fd4f0e","title":"SP 800-172","citation":{"text":"Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-172-draft"}]},{"uuid":"1c71b420-2bd9-4e52-9fc8-390f58b85b59","title":"SP 800-177","citation":{"text":"Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-177r1"}]},{"uuid":"388a3aa2-5d85-4bad-b8a3-77db80d63c4f","title":"SP 800-178","citation":{"text":"Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-178"}]},{"uuid":"276bd50a-7e58-48e5-a405-8c8cb91d7a5f","title":"SP 800-181","citation":{"text":"Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-181r1"}]},{"uuid":"31ae65ab-3f26-46b7-9d64-f25a4dac5778","title":"SP 800-184","citation":{"text":"Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-184"}]},{"uuid":"c15bfc12-a61e-4ca5-bf35-fa9ce3ccb5d2","title":"SP 800-188","citation":{"text":"Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-188\/draft"}]},{"uuid":"f5edfe51-d1f2-422e-9b27-5d0e90b49c72","title":"SP 800-189","citation":{"text":"Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-189"}]},{"uuid":"30eb758a-2707-4bca-90ad-949a74d4eb16","title":"SP 800-18","citation":{"text":"Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-18r1"}]},{"uuid":"53df282b-8b3f-483a-bad1-6a8b8ac00114","title":"SP 800-192","citation":{"text":"Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies\/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-192"}]},{"uuid":"f641309f-a3ad-48be-8c67-2b318648b2f5","title":"SP 800-28","citation":{"text":"Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-28ver2"}]},{"uuid":"08b07465-dbdc-48d6-8a0b-37279602ac16","title":"SP 800-30","citation":{"text":"Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-30r1"}]},{"uuid":"8cb338a4-e493-4177-818f-3af18983ddc5","title":"SP 800-32","citation":{"text":"Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-32"}]},{"uuid":"bc39f179-c735-4da2-b7a7-b2b622119755","title":"SP 800-34","citation":{"text":"Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-34r1"}]},{"uuid":"77faf0bc-c394-44ad-9154-bbac3b79c8ad","title":"SP 800-35","citation":{"text":"Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-35"}]},{"uuid":"482e4c99-9dc4-41ad-bba8-0f3f0032c1f8","title":"SP 800-37","citation":{"text":"Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-37r2"}]},{"uuid":"cec037f3-8aba-4c97-84b4-4082f9e515d2","title":"SP 800-39","citation":{"text":"Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-39"}]},{"uuid":"155f941a-cba9-4afd-9ca6-5d040d697ba9","title":"SP 800-40","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3"}]},{"uuid":"a7f0e897-29a3-45c4-bd88-40dfef0e034a","title":"SP 800-41","citation":{"text":"Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-41r1"}]},{"uuid":"314e33cb-3681-4b50-a2a2-3fae9604accd","title":"SP 800-45","citation":{"text":"Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-45ver2"}]},{"uuid":"83b9d63b-66b1-467c-9f3b-3a0b108771e9","title":"SP 800-46","citation":{"text":"Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-46r2"}]},{"uuid":"c3a76872-e160-4267-99e8-6952de967d04","title":"SP 800-47","citation":{"text":"Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-47"}]},{"uuid":"511f6832-23ca-49a3-8c0f-ce493373cab8","title":"SP 800-50","citation":{"text":"Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-50"}]},{"uuid":"7537638e-2837-407d-844b-40fb3fafdd99","title":"SP 800-52","citation":{"text":"McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-52r2"}]},{"uuid":"4e0d3c99-0f4e-496f-8951-d4f57c122fc2","title":"SP 800-53 RES","citation":{"text":"NIST Special Publication 800-53, Revision 5 Resource Center."},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/final"}]},{"uuid":"a21aef46-7330-48a0-b2e1-c5bb8b2dd11d","title":"SP 800-53A","citation":{"text":"Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4"}]},{"uuid":"46d9e201-840e-440e-987c-2c773333c752","title":"SP 800-53B","citation":{"text":"Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53B"}]},{"uuid":"7798067b-4ed0-4adc-a505-79dad4741693","title":"SP 800-55","citation":{"text":"Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-55r1"}]},{"uuid":"20957dbb-6a1e-40a2-b38a-66f67d33ac2e","title":"SP 800-56A","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Ar3"}]},{"uuid":"0d083d8a-5cc6-46f1-8d79-3081d42bcb75","title":"SP 800-56B","citation":{"text":"Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Br2"}]},{"uuid":"eef62b16-c796-4554-955c-505824135b8a","title":"SP 800-56C","citation":{"text":"Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-56Cr2"}]},{"uuid":"110e26af-4765-49e1-8740-6750f83fcda1","title":"SP 800-57-1","citation":{"text":"Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt1r5"}]},{"uuid":"e7942589-e267-4a5a-a3d9-f39a7aae81f0","title":"SP 800-57-2","citation":{"text":"Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt2r1"}]},{"uuid":"8306620b-1920-4d73-8b21-12008528595f","title":"SP 800-57-3","citation":{"text":"Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-57pt3r1"}]},{"uuid":"e72fde0b-6fc2-497e-a9db-d8fce5a11b8a","title":"SP 800-60-1","citation":{"text":"Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v1r1"}]},{"uuid":"9be5d661-421f-41ad-854e-86f98b811891","title":"SP 800-60-2","citation":{"text":"Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-60v2r1"}]},{"uuid":"49b8aa2d-a88c-4bff-9f20-876ccb8f7dcb","title":"SP 800-61","citation":{"text":"Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-61r2"}]},{"uuid":"737513fa-6758-403f-831d-5ddab5e23cb3","title":"SP 800-63-3","citation":{"text":"Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63-3"}]},{"uuid":"9099ed2c-922a-493d-bcb4-d896192243ff","title":"SP 800-63A","citation":{"text":"Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63a"}]},{"uuid":"e59c5a7c-8b1f-49ca-8de0-6ee0882180ce","title":"SP 800-63B","citation":{"text":"Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-63b"}]},{"uuid":"4895b4cd-34c5-4667-bf8a-27d443c12047","title":"SP 800-70","citation":{"text":"Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4"}]},{"uuid":"858705be-3c1f-48aa-a328-0ce398d95ef0","title":"SP 800-73-4","citation":{"text":"Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-73-4"}]},{"uuid":"7af2e6ec-9f7e-4232-ad3f-09888eb0793a","title":"SP 800-76-2","citation":{"text":"Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-76-2"}]},{"uuid":"d4d7c760-2907-403b-8b2a-767ca5370ecd","title":"SP 800-77","citation":{"text":"Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-77r1"}]},{"uuid":"828856bd-d7c4-427b-8b51-815517ec382d","title":"SP 800-78-4","citation":{"text":"Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-78-4"}]},{"uuid":"10963761-58fc-4b20-b3d6-b44a54daba03","title":"SP 800-79-2","citation":{"text":"Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-79-2"}]},{"uuid":"fe209006-bfd4-4033-a79a-9fee1adaf372","title":"SP 800-81-2","citation":{"text":"Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-81-2"}]},{"uuid":"6264c85d-19f5-408a-aa44-d737daaf311e","title":"SP 800-82","citation":{"text":"Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to Industrial Control Systems (ICS) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82, Rev. 2."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-82r2"}]},{"uuid":"3dd249b0-f57d-44ba-a03e-c3eab1b835ff","title":"SP 800-83","citation":{"text":"Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-83r1"}]},{"uuid":"53be2fcf-cfd1-4bcb-896b-9a3b65c22098","title":"SP 800-84","citation":{"text":"Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-84"}]},{"uuid":"cfdb1858-c473-46b3-89f9-a700308d0be2","title":"SP 800-86","citation":{"text":"Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-86"}]},{"uuid":"a5b1d18d-e670-4586-9e6d-4a88b7ba3df6","title":"SP 800-88","citation":{"text":"Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-88r1"}]},{"uuid":"5eee45d8-3313-4fdc-8d54-1742092bbdd6","title":"SP 800-92","citation":{"text":"Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-92"}]},{"uuid":"25e3e57b-dc2f-4934-af9b-050b020c6f0e","title":"SP 800-94","citation":{"text":"Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-94"}]},{"uuid":"a6b9907a-2a14-4bb4-a142-d4c73026a8b4","title":"SP 800-95","citation":{"text":"Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-95"}]},{"uuid":"03fb73bc-1b12-4182-bd96-e5719254ea61","title":"SP 800-97","citation":{"text":"Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97."},"rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-97"}]},{"uuid":"13f0c39d-eaf7-417a-baef-69a041878bb5","title":"USA PATRIOT","citation":{"text":"USA Patriot Act (P.L. 107-56), October 2001."},"rlinks":[{"href":"https:\/\/www.congress.gov\/107\/plaws\/publ56\/PLAW-107publ56.pdf"}]},{"uuid":"dd1a42a3-20c0-43ba-bbdb-6ea3624f1d38","title":"USC 11101","citation":{"text":"\"Definitions,\" Title 40 U.S. Code, Sec. 11101. 2018 ed."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2018-title40\/USCODE-2018-title40-subtitleIII-chap111-sec11101"}]},{"uuid":"e922fc50-b1f9-469f-92ef-ed7d9803611c","title":"USC 2901","citation":{"text":"United States Code, 2008 Edition, Title 44 - *Public Printing and Documents* , Chapters 29, 31, and 33, January 2012."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2011-title44\/pdf\/USCODE-2011-title44-chap29-sec2901.pdf"}]},{"uuid":"82460f0b-1060-420e-9181-554e2dc921df","title":"USC 3502","citation":{"text":"\"Definitions,\" Title 44 U.S. Code, Sec. 3502. 2011 ed."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/app\/details\/USCODE-2011-title44\/USCODE-2011-title44-chap35-subchapI-sec3502"}]},{"uuid":"ef3550b5-60a0-4489-8d4e-08223a929c7a","title":"USC 552","citation":{"text":"United States Code, 2006 Edition, Supplement 4, Title 5 - *Government Organization and Employees* , January 2011."},"rlinks":[{"href":"https:\/\/www.govinfo.gov\/content\/pkg\/USCODE-2010-title5\/pdf\/USCODE-2010-title5-partI-chap5-subchapII-sec552a.pdf"}]},{"uuid":"40b78258-c892-480e-9af8-77ac36648301","title":"USCERT IR","citation":{"text":"Department of Homeland Security, *US-CERT Federal Incident Notification Guidelines* , April 2017."},"rlinks":[{"href":"https:\/\/us-cert.cisa.gov\/incident-notification-guidelines"}]},{"uuid":"98498928-3ca3-44b3-8b1e-f48685373087","title":"USGCB","citation":{"text":"National Institute of Standards and Technology (2020) *United States Government Configuration Baseline* . Available at"},"rlinks":[{"href":"https:\/\/csrc.nist.gov\/projects\/united-states-government-configuration-baseline"}]},{"uuid":"c3397cc9-83c6-4459-adb2-836739dc1b94","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (PDF)","rlinks":[{"href":"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r5.pdf","media-type":"application\/pdf"}]},{"uuid":"f7cf488d-bc64-4a91-a994-810e153ee481","title":"NIST Special Publication 800-53, Revision 5: * Security and Privacy Controls for Information Systems and Organizations* (DOI link)","rlinks":[{"href":"https:\/\/doi.org\/10.6028\/NIST.SP.800-53r5","media-type":"application\/pdf"}]},{"uuid":"5a5ffcb9-2272-484e-8d47-4483a0585dec","title":"NIST SP 800-53 content and other OSCAL content examples","rlinks":[{"href":"https:\/\/github.com\/usnistgov\/oscal-content\/releases\/"}]}]}}}
\ No newline at end of file
diff --git a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
index 8c283116..91e426d3 100644
--- a/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
+++ b/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
@@ -1,11 +1,39 @@
 {
   "catalog": {
-    "uuid": "0e9e8558-4d93-4a7f-8c87-34d4d4f9e7bd",
+    "uuid": "1f2fcda3-408f-422c-aecd-b1717c3f7843",
     "metadata": {
-      "title": "Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures",
-      "last-modified": "2023-10-12T00:00:00.000000-04:00",
-      "version": "5.1.1",
+      "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures",
+      "last-modified": "2023-12-04T13:16:10.000000-04:00",
+      "version": "5.1.1+u2",
       "oscal-version": "1.1.1",
+      "revisions": [
+        {
+          "title": "Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures",
+          "last-modified": "2023-10-12T00:00:00.000000-04:00",
+          "version": "5.1.1",
+          "oscal-version": "1.1.1",
+          "links": [
+            {
+              "href": "#5a5ffcb9-2272-484e-8d47-4483a0585dec",
+              "rel": "version-history"
+            }
+          ],
+          "remarks": "This revison of the SP 800-53 Revision 5 Catalog includes metadata and tagging reflecting richer control semantics, such as organizational vs system-level controls as indicated in SP800-53 Rev 5.1 Appendix C, and minor bug fixes in its content."
+        },
+        {
+          "title": "Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures",
+          "last-modified": "2023-11-14T00:00:00.000000-04:00",
+          "version": "5.1.1+u1",
+          "oscal-version": "1.1.1",
+          "links": [
+            {
+              "href": "#5a5ffcb9-2272-484e-8d47-4483a0585dec",
+              "rel": "version-history"
+            }
+          ],
+          "remarks": "This revision of the SP 800-53 Revision 5 Catalog is the finalized changes to NIST SP 800-53 Revision 5.1.1 on November, 7, 2023."
+        }
+      ],
       "props": [
         {
           "name": "keywords",
@@ -472,7 +500,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an access control policy is developed and documented;"
+                        "prose": "an access control policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-2",
@@ -484,7 +518,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};"
+                        "prose": "the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-3",
@@ -496,7 +536,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;"
+                        "prose": "access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a-4",
@@ -508,7 +554,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};"
+                        "prose": "the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-1_obj.a.1",
@@ -542,7 +594,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-2",
@@ -554,7 +612,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-3",
@@ -566,7 +630,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-4",
@@ -578,7 +648,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-5",
@@ -590,7 +666,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-6",
@@ -602,7 +684,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-1_obj.a.1.a-7",
@@ -614,7 +702,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;"
+                                "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ac-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -628,10 +728,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -644,7 +762,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;"
+                    "prose": "the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-1_obj.c",
@@ -678,7 +802,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};"
+                            "prose": "the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.1-2",
@@ -690,7 +820,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};"
+                            "prose": "the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -715,7 +857,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};"
+                            "prose": "the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-1_obj.c.2-2",
@@ -727,12 +875,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}."
+                            "prose": "the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ac-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1414,7 +1586,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types allowed for use within the system are defined and documented;"
+                        "prose": "account types allowed for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.a-2",
@@ -1426,7 +1604,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account types specifically prohibited for use within the system are defined and documented;"
+                        "prose": "account types specifically prohibited for use within the system are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1440,7 +1630,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "account managers are assigned;"
+                    "prose": "account managers are assigned;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.c",
@@ -1452,7 +1648,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-02_odp.01 }} for group and role membership are required;"
+                    "prose": "{{ insert: param, ac-02_odp.01 }} for group and role membership are required;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.d",
@@ -1475,7 +1677,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized users of the system are specified;"
+                        "prose": "authorized users of the system are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.2",
@@ -1487,7 +1695,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "group and role membership are specified;"
+                        "prose": "group and role membership are specified;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.d.3",
@@ -1510,7 +1724,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access authorizations (i.e., privileges) are specified for each account;"
+                            "prose": "access authorizations (i.e., privileges) are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-2_obj.d.3-2",
@@ -1522,10 +1742,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-02_odp.02 }} are specified for each account;"
+                            "prose": "{{ insert: param, ac-02_odp.02 }} are specified for each account;",
+                            "links": [
+                              {
+                                "href": "#ac-2_smt.d.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.d.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.d",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -1538,7 +1776,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;"
+                    "prose": "approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.f",
@@ -1561,7 +1805,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-2",
@@ -1573,7 +1823,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-3",
@@ -1585,7 +1841,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-4",
@@ -1597,7 +1859,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.f-5",
@@ -1609,7 +1877,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};"
+                        "prose": "accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1623,7 +1903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of accounts is monitored; "
+                    "prose": "the use of accounts is monitored; ",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.h",
@@ -1646,7 +1932,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.2",
@@ -1658,7 +1950,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.h.3",
@@ -1670,7 +1968,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;"
+                        "prose": "account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.h.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1695,7 +2005,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on a valid access authorization;"
+                        "prose": "access to the system is authorized based on a valid access authorization;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.2",
@@ -1707,7 +2023,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on intended system usage;"
+                        "prose": "access to the system is authorized based on intended system usage;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.i.3",
@@ -1719,7 +2041,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};"
+                        "prose": "access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.i.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.i",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1733,7 +2067,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};"
+                    "prose": "accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};",
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.j",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2_obj.k",
@@ -1756,7 +2096,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.k-2",
@@ -1768,7 +2114,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;"
+                        "prose": "a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.k",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.k",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -1793,7 +2151,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel termination processes;"
+                        "prose": "account management processes are aligned with personnel termination processes;",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2_obj.l-2",
@@ -1805,10 +2169,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account management processes are aligned with personnel transfer processes."
+                        "prose": "account management processes are aligned with personnel transfer processes.",
+                        "links": [
+                          {
+                            "href": "#ac-2_smt.l",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2_smt.l",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -1952,7 +2334,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}."
+                    "prose": "the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.1_asm-examine",
@@ -2120,7 +2508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}."
+                    "prose": "temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.2_asm-examine",
@@ -2340,7 +2734,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.b",
@@ -2352,7 +2752,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.c",
@@ -2364,7 +2770,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;"
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.3_obj.d",
@@ -2376,7 +2788,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}."
+                        "prose": "accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-2.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2518,7 +2942,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account creation is automatically audited;"
+                        "prose": "account creation is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-2",
@@ -2530,7 +2960,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account modification is automatically audited;"
+                        "prose": "account modification is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-3",
@@ -2542,7 +2978,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account enabling is automatically audited;"
+                        "prose": "account enabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-4",
@@ -2554,7 +2996,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account disabling is automatically audited;"
+                        "prose": "account disabling is automatically audited;",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.4_obj-5",
@@ -2566,7 +3014,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "account removal actions are automatically audited."
+                        "prose": "account removal actions are automatically audited.",
+                        "links": [
+                          {
+                            "href": "#ac-2.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -2720,7 +3180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}."
+                    "prose": "users are required to log out when {{ insert: param, ac-02.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.5_asm-examine",
@@ -2845,7 +3311,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-02.06_odp }} are implemented."
+                    "prose": "{{ insert: param, ac-02.06_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ac-2.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.6_asm-examine",
@@ -3044,7 +3516,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};"
+                        "prose": "privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-2.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.7_obj.b",
@@ -3056,7 +3534,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileged role or attribute assignments are monitored;"
+                        "prose": "privileged role or attribute assignments are monitored;",
+                        "links": [
+                          {
+                            "href": "#ac-2.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.7_obj.c",
@@ -3068,7 +3552,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to roles or attributes are monitored;"
+                        "prose": "changes to roles or attributes are monitored;",
+                        "links": [
+                          {
+                            "href": "#ac-2.7_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.7_obj.d",
@@ -3080,7 +3570,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate."
+                        "prose": "access is revoked when privileged role or attribute assignments are no longer appropriate.",
+                        "links": [
+                          {
+                            "href": "#ac-2.7_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3240,7 +3742,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-02.08_odp }} are created dynamically;"
+                        "prose": "{{ insert: param, ac-02.08_odp }} are created dynamically;",
+                        "links": [
+                          {
+                            "href": "#ac-2.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.8_obj-2",
@@ -3252,7 +3760,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-02.08_odp }} are activated dynamically;"
+                        "prose": "{{ insert: param, ac-02.08_odp }} are activated dynamically;",
+                        "links": [
+                          {
+                            "href": "#ac-2.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.8_obj-3",
@@ -3264,7 +3778,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-02.08_odp }} are managed dynamically;"
+                        "prose": "{{ insert: param, ac-02.08_odp }} are managed dynamically;",
+                        "links": [
+                          {
+                            "href": "#ac-2.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.8_obj-4",
@@ -3276,7 +3796,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-02.08_odp }} are deactivated dynamically."
+                        "prose": "{{ insert: param, ac-02.08_odp }} are deactivated dynamically.",
+                        "links": [
+                          {
+                            "href": "#ac-2.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -3426,7 +3958,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met."
+                    "prose": "the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.",
+                    "links": [
+                      {
+                        "href": "#ac-2.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.9_asm-examine",
@@ -3619,7 +4157,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced."
+                    "prose": "{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.",
+                    "links": [
+                      {
+                        "href": "#ac-2.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.11_asm-examine",
@@ -3841,7 +4385,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; "
+                        "prose": "system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; ",
+                        "links": [
+                          {
+                            "href": "#ac-2.12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-2.12_obj.b",
@@ -3853,7 +4403,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}."
+                        "prose": "atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-2.12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-2.12_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -4026,7 +4588,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}."
+                    "prose": "accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-2.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-2.13_asm-examine",
@@ -4251,6 +4819,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-3",
                 "rel": "related"
@@ -4349,7 +4921,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies."
+                "prose": "approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.",
+                "links": [
+                  {
+                    "href": "#ac-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-3_asm-examine",
@@ -4535,7 +5113,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "dual authorization is enforced for {{ insert: param, ac-03.02_odp }}."
+                    "prose": "dual authorization is enforced for {{ insert: param, ac-03.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.2_asm-examine",
@@ -4853,7 +5437,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;"
+                        "prose": "{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;",
+                        "links": [
+                          {
+                            "href": "#ac-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.3_obj-2",
@@ -4865,7 +5455,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;"
+                        "prose": "{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;",
+                        "links": [
+                          {
+                            "href": "#ac-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.3_obj.a",
@@ -4888,7 +5484,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.3_obj.a-2",
@@ -4900,7 +5502,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;"
+                            "prose": "{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-3.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -4925,7 +5539,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.3_obj.b.2",
@@ -4937,7 +5557,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.3_obj.b.3",
@@ -4949,7 +5575,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.3_obj.b.4",
@@ -4961,7 +5593,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.b.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.3_obj.b.5",
@@ -4973,7 +5611,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;"
+                            "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;",
+                            "links": [
+                              {
+                                "href": "#ac-3.3_smt.b.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-3.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -4987,7 +5637,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced."
+                        "prose": "{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced.",
+                        "links": [
+                          {
+                            "href": "#ac-3.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5228,7 +5890,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;"
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj-2",
@@ -5240,7 +5908,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;"
+                        "prose": "{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj.a",
@@ -5252,7 +5926,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;"
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj.b",
@@ -5264,7 +5944,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;"
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj.c",
@@ -5276,7 +5962,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;"
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj.d",
@@ -5288,7 +5980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;"
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.4_obj.e",
@@ -5300,7 +5998,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control."
+                        "prose": "{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.",
+                        "links": [
+                          {
+                            "href": "#ac-3.4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5453,7 +6163,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states."
+                    "prose": "access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states.",
+                    "links": [
+                      {
+                        "href": "#ac-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.5_asm-examine",
@@ -5674,7 +6390,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a role-based access control policy is enforced over defined subjects;"
+                        "prose": "a role-based access control policy is enforced over defined subjects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.7_obj-2",
@@ -5686,7 +6408,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a role-based access control policy is enforced over defined objects;"
+                        "prose": "a role-based access control policy is enforced over defined objects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.7_obj-3",
@@ -5698,7 +6426,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}."
+                        "prose": "access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-3.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -5864,7 +6604,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};"
+                        "prose": "revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-3.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.8_obj-2",
@@ -5876,7 +6622,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}."
+                        "prose": "revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ac-3.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6121,7 +6879,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};"
+                        "prose": "information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-3.9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.9_obj.b",
@@ -6133,7 +6897,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release."
+                        "prose": "information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.",
+                        "links": [
+                          {
+                            "href": "#ac-3.9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6318,7 +7094,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}."
+                    "prose": "an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-3.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.10_asm-examine",
@@ -6477,7 +7259,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted."
+                    "prose": "access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted.",
+                    "links": [
+                      {
+                        "href": "#ac-3.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.11_asm-examine",
@@ -6669,7 +7457,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};"
+                        "prose": "as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-3.12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.12_obj.b",
@@ -6681,7 +7475,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an enforcement mechanism to prevent unauthorized access is provided; "
+                        "prose": "an enforcement mechanism to prevent unauthorized access is provided; ",
+                        "links": [
+                          {
+                            "href": "#ac-3.12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.12_obj.c",
@@ -6693,7 +7493,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access changes after initial installation of the application are approved."
+                        "prose": "access changes after initial installation of the application are approved.",
+                        "links": [
+                          {
+                            "href": "#ac-3.12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.12_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -6854,7 +7666,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the attribute-based access control policy is enforced over defined subjects;"
+                        "prose": "the attribute-based access control policy is enforced over defined subjects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.13_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.13_obj-2",
@@ -6866,7 +7684,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the attribute-based access control policy is enforced over defined objects;"
+                        "prose": "the attribute-based access control policy is enforced over defined objects;",
+                        "links": [
+                          {
+                            "href": "#ac-3.13_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-3.13_obj-3",
@@ -6878,7 +7702,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is controlled based on {{ insert: param, ac-03.13_odp }}."
+                        "prose": "access is controlled based on {{ insert: param, ac-03.13_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ac-3.13_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.13_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -7063,7 +7899,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information."
+                    "prose": "{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.",
+                    "links": [
+                      {
+                        "href": "#ac-3.14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-3.14_asm-examine",
@@ -7339,7 +8181,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;"
+                            "prose": "{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;",
+                            "links": [
+                              {
+                                "href": "#ac-3.15_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.15_obj.a-2",
@@ -7351,7 +8199,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;"
+                            "prose": "{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;",
+                            "links": [
+                              {
+                                "href": "#ac-3.15_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-3.15_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -7376,7 +8236,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;"
+                            "prose": "{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;",
+                            "links": [
+                              {
+                                "href": "#ac-3.15_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-3.15_obj.b-2",
@@ -7388,10 +8254,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy."
+                            "prose": "{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy.",
+                            "links": [
+                              {
+                                "href": "#ac-3.15_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-3.15_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-3.15_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -7617,7 +8501,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}."
+                "prose": "approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-4_asm-examine",
@@ -7951,7 +8841,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;"
+                        "prose": "{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;",
+                        "links": [
+                          {
+                            "href": "#ac-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.1_obj-2",
@@ -7963,7 +8859,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions."
+                        "prose": "{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.",
+                        "links": [
+                          {
+                            "href": "#ac-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -8112,7 +9020,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions."
+                    "prose": "protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.2_asm-examine",
@@ -8259,7 +9173,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-04.03_odp }} are enforced."
+                    "prose": "{{ insert: param, ac-04.03_odp }} are enforced.",
+                    "links": [
+                      {
+                        "href": "#ac-4.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.3_asm-examine",
@@ -8454,7 +9374,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}."
+                    "prose": "encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.4_asm-examine",
@@ -8597,7 +9523,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types."
+                    "prose": "{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types.",
+                    "links": [
+                      {
+                        "href": "#ac-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.5_asm-examine",
@@ -8748,7 +9680,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}."
+                    "prose": "information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.6_asm-examine",
@@ -8869,7 +9807,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "one-way information flows are enforced through hardware-based flow control mechanisms."
+                    "prose": "one-way information flows are enforced through hardware-based flow control mechanisms.",
+                    "links": [
+                      {
+                        "href": "#ac-4.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.7_asm-examine",
@@ -9204,7 +10148,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};"
+                            "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#ac-4.8_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-4.8_obj.a-2",
@@ -9216,7 +10166,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};"
+                            "prose": "information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#ac-4.8_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-4.8_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -9230,7 +10192,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};\n\n{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}."
+                        "prose": "{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};\n\n{{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-4.8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9400,7 +10374,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}."
+                    "prose": "human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.9_asm-examine",
@@ -9630,7 +10610,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};"
+                        "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ac-4.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.10_obj-2",
@@ -9642,7 +10628,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}."
+                        "prose": "capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-4.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.10_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9826,7 +10824,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;"
+                        "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;",
+                        "links": [
+                          {
+                            "href": "#ac-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.11_obj-2",
@@ -9838,7 +10842,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies."
+                        "prose": "capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies.",
+                        "links": [
+                          {
+                            "href": "#ac-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.11_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -9983,7 +10999,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions."
+                    "prose": "when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-4.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.12_asm-examine",
@@ -10126,7 +11148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms."
+                    "prose": "when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.",
+                    "links": [
+                      {
+                        "href": "#ac-4.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.13_asm-examine",
@@ -10308,7 +11336,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;"
+                        "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;",
+                        "links": [
+                          {
+                            "href": "#ac-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.14_obj-2",
@@ -10320,7 +11354,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content."
+                        "prose": "when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content.",
+                        "links": [
+                          {
+                            "href": "#ac-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.14_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10528,7 +11574,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};"
+                        "prose": "when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-4.15_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.15_obj-2",
@@ -10540,7 +11592,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};"
+                        "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-4.15_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.15_obj-3",
@@ -10552,7 +11610,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}."
+                        "prose": "when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-4.15_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.15_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -10739,7 +11809,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer."
+                    "prose": "source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer.",
+                    "links": [
+                      {
+                        "href": "#ac-4.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.17_asm-examine",
@@ -10951,7 +12027,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;"
+                        "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;",
+                        "links": [
+                          {
+                            "href": "#ac-4.19_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.19_obj-2",
@@ -10963,7 +12045,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata."
+                        "prose": "when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata.",
+                        "links": [
+                          {
+                            "href": "#ac-4.19_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.19_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11128,7 +12222,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains."
+                    "prose": "{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.",
+                    "links": [
+                      {
+                        "href": "#ac-4.20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.20_asm-examine",
@@ -11344,7 +12444,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};"
+                        "prose": "information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ac-4.21_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.21_obj-2",
@@ -11356,7 +12462,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}."
+                        "prose": "information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-4.21_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.21_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11479,7 +12597,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains."
+                    "prose": "access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.",
+                    "links": [
+                      {
+                        "href": "#ac-4.22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.22_asm-examine",
@@ -11627,7 +12751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}."
+                    "prose": "when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.23_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.23_asm-examine",
@@ -11759,7 +12889,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, incoming data is parsed into an internal, normalized format;"
+                        "prose": "when transferring information between different security domains, incoming data is parsed into an internal, normalized format;",
+                        "links": [
+                          {
+                            "href": "#ac-4.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.24_obj-2",
@@ -11771,7 +12907,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, the data is regenerated to be consistent with its intended specification."
+                        "prose": "when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.",
+                        "links": [
+                          {
+                            "href": "#ac-4.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.24_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -11941,7 +13089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}."
+                    "prose": "when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-4.25_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.25_asm-examine",
@@ -12090,7 +13244,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, content-filtering actions are recorded and audited;"
+                        "prose": "when transferring information between different security domains, content-filtering actions are recorded and audited;",
+                        "links": [
+                          {
+                            "href": "#ac-4.26_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.26_obj-2",
@@ -12102,7 +13262,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, results for the information being filtered are recorded and audited."
+                        "prose": "when transferring information between different security domains, results for the information being filtered are recorded and audited.",
+                        "links": [
+                          {
+                            "href": "#ac-4.26_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.26_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -12225,7 +13397,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type."
+                    "prose": "when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.",
+                    "links": [
+                      {
+                        "href": "#ac-4.27_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.27_asm-examine",
@@ -12346,7 +13524,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls."
+                    "prose": "when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.",
+                    "links": [
+                      {
+                        "href": "#ac-4.28_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.28_asm-examine",
@@ -12529,7 +13713,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;"
+                        "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;",
+                        "links": [
+                          {
+                            "href": "#ac-4.29_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.29_obj.b",
@@ -12552,7 +13742,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;"
+                            "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;",
+                            "links": [
+                              {
+                                "href": "#ac-4.29_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-4.29_obj.b-2",
@@ -12564,10 +13760,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}."
+                            "prose": "when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}.",
+                            "links": [
+                              {
+                                "href": "#ac-4.29_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-4.29_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.29_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -12689,7 +13903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented."
+                    "prose": "when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.",
+                    "links": [
+                      {
+                        "href": "#ac-4.30_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.30_asm-examine",
@@ -12810,7 +14030,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented."
+                    "prose": "when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.",
+                    "links": [
+                      {
+                        "href": "#ac-4.31_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-4.31_asm-examine",
@@ -12988,7 +14214,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;"
+                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;",
+                        "links": [
+                          {
+                            "href": "#ac-4.32_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.32_obj.b",
@@ -13000,7 +14232,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;"
+                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;",
+                        "links": [
+                          {
+                            "href": "#ac-4.32_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.32_obj.c",
@@ -13012,7 +14250,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;"
+                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;",
+                        "links": [
+                          {
+                            "href": "#ac-4.32_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-4.32_obj.d",
@@ -13024,7 +14268,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline."
+                        "prose": "when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.",
+                        "links": [
+                          {
+                            "href": "#ac-4.32_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-4.32_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13270,7 +14526,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-05_odp }} are identified and documented;"
+                    "prose": "{{ insert: param, ac-05_odp }} are identified and documented;",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-5_obj.b",
@@ -13282,7 +14544,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system access authorizations to support separation of duties are defined."
+                    "prose": "system access authorizations to support separation of duties are defined.",
+                    "links": [
+                      {
+                        "href": "#ac-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -13449,7 +14723,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks."
+                "prose": "the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.",
+                "links": [
+                  {
+                    "href": "#ac-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-6_asm-examine",
@@ -13752,7 +15032,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-2",
@@ -13764,7 +15050,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-6.1_obj.a-3",
@@ -13776,7 +15068,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};"
+                            "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#ac-6.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -13790,7 +15094,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}."
+                        "prose": "access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-6.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -13951,7 +15267,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions."
+                    "prose": "users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.2_asm-examine",
@@ -14137,7 +15459,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};"
+                        "prose": "network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-6.3_obj-2",
@@ -14149,7 +15477,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system."
+                        "prose": "the rationale for authorizing network access to privileged commands is documented in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -14301,7 +15641,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "separate processing domains are provided to enable finer-grain allocation of user privileges."
+                    "prose": "separate processing domains are provided to enable finer-grain allocation of user privileges.",
+                    "links": [
+                      {
+                        "href": "#ac-6.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.4_asm-examine",
@@ -14456,7 +15802,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}."
+                    "prose": "privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-6.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.5_asm-examine",
@@ -14593,7 +15945,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged access to the system by non-organizational users is prohibited."
+                    "prose": "privileged access to the system by non-organizational users is prohibited.",
+                    "links": [
+                      {
+                        "href": "#ac-6.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.6_asm-examine",
@@ -14799,7 +16157,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;"
+                        "prose": "privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-6.7_obj.b",
@@ -14811,7 +16175,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs."
+                        "prose": "privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.",
+                        "links": [
+                          {
+                            "href": "#ac-6.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-6.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -14956,7 +16332,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software."
+                    "prose": "{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.",
+                    "links": [
+                      {
+                        "href": "#ac-6.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.8_asm-examine",
@@ -15089,7 +16471,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the execution of privileged functions is logged."
+                    "prose": "the execution of privileged functions is logged.",
+                    "links": [
+                      {
+                        "href": "#ac-6.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.9_asm-examine",
@@ -15210,7 +16598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-privileged users are prevented from executing privileged functions."
+                    "prose": "non-privileged users are prevented from executing privileged functions.",
+                    "links": [
+                      {
+                        "href": "#ac-6.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-6.10_asm-examine",
@@ -15517,7 +16911,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;"
+                    "prose": "a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7_obj.b",
@@ -15529,7 +16929,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded."
+                    "prose": "automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.",
+                    "links": [
+                      {
+                        "href": "#ac-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -15674,10 +17086,10 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "label": "purging or wiping requirements or techniques",
+                    "label": "purging or wiping requirements and techniques",
                     "guidelines": [
                       {
-                        "prose": "purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;"
+                        "prose": "purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;"
                       }
                     ]
                   },
@@ -15761,7 +17173,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts."
+                    "prose": "information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts.",
+                    "links": [
+                      {
+                        "href": "#ac-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7.2_asm-examine",
@@ -15908,7 +17326,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}."
+                    "prose": "unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-7.3_asm-examine",
@@ -16134,7 +17558,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;"
+                        "prose": "{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;",
+                        "links": [
+                          {
+                            "href": "#ac-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-7.4_obj.b",
@@ -16146,7 +17576,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced."
+                        "prose": "a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced.",
+                        "links": [
+                          {
+                            "href": "#ac-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16469,7 +17911,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that users are accessing a U.S. Government system;"
+                        "prose": "the system use notification states that users are accessing a U.S. Government system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.2",
@@ -16481,7 +17929,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;"
+                        "prose": "the system use notification states that system usage may be monitored, recorded, and subject to audit;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.3",
@@ -16493,7 +17947,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and"
+                        "prose": "the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.a.4",
@@ -16505,7 +17965,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;"
+                        "prose": "the system use notification states that use of the system indicates consent to monitoring and recording;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -16519,7 +17991,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;"
+                    "prose": "the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;",
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-8_obj.c",
@@ -16542,7 +18020,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;"
+                        "prose": "for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.2",
@@ -16554,7 +18038,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;"
+                        "prose": "for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-8_obj.c.3",
@@ -16566,10 +18056,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included."
+                        "prose": "for publicly accessible systems, a description of the authorized uses of the system is included.",
+                        "links": [
+                          {
+                            "href": "#ac-8_smt.c.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -16695,7 +18203,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the user is notified, upon successful logon to the system, of the date and time of the last logon."
+                "prose": "the user is notified, upon successful logon to the system, of the date and time of the last logon.",
+                "links": [
+                  {
+                    "href": "#ac-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-9_asm-examine",
@@ -16816,7 +18330,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon."
+                    "prose": "the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.",
+                    "links": [
+                      {
+                        "href": "#ac-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-9.1_asm-examine",
@@ -16980,7 +18500,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}."
+                    "prose": "the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-9.2_asm-examine",
@@ -17148,7 +18674,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}."
+                    "prose": "the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-9.3_asm-examine",
@@ -17291,7 +18823,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}."
+                    "prose": "the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-9.4_asm-examine",
@@ -17461,7 +18999,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}."
+                "prose": "the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ac-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-10_asm-examine",
@@ -17671,7 +19215,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};"
+                    "prose": "further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11_obj.b",
@@ -17683,7 +19233,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures."
+                    "prose": "device lock is retained until the user re-establishes access using established identification and authentication procedures.",
+                    "links": [
+                      {
+                        "href": "#ac-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -17806,7 +19368,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image."
+                    "prose": "information previously visible on the display is concealed, via device lock, with a publicly viewable image.",
+                    "links": [
+                      {
+                        "href": "#ac-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-11.1_asm-examine",
@@ -17964,7 +19532,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}."
+                "prose": "a user session is automatically terminated after {{ insert: param, ac-12_odp }}.",
+                "links": [
+                  {
+                    "href": "#ac-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-12_asm-examine",
@@ -18112,7 +19686,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}."
+                    "prose": "a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-12.1_asm-examine",
@@ -18233,7 +19813,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit logout message is displayed to users indicating the termination of authenticated communication sessions."
+                    "prose": "an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.",
+                    "links": [
+                      {
+                        "href": "#ac-12.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-12.2_asm-examine",
@@ -18381,7 +19967,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}."
+                    "prose": "an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-12.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-12.3_asm-examine",
@@ -18602,7 +20194,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;"
+                    "prose": "{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;",
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-14_obj.b",
@@ -18625,7 +20223,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;"
+                        "prose": "user actions not requiring identification or authentication are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-14_obj.b-2",
@@ -18637,10 +20241,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system."
+                        "prose": "a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -19254,7 +20876,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and/or in transmission are provided;"
+                        "prose": "the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and/or in transmission are provided;",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16_obj.a-2",
@@ -19266,7 +20894,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and/or in transmission are provided;"
+                        "prose": "the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and/or in transmission are provided;",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19291,7 +20931,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attribute associations are made;"
+                        "prose": "attribute associations are made;",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16_obj.b-2",
@@ -19303,7 +20949,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attribute associations are retained with the information;"
+                        "prose": "attribute associations are retained with the information;",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19328,7 +20986,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};"
+                        "prose": "the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16_obj.c-2",
@@ -19340,7 +21004,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};"
+                        "prose": "the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19354,7 +21030,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};"
+                    "prose": "the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};",
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-16_obj.e",
@@ -19366,7 +21048,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to attributes are audited;"
+                    "prose": "changes to attributes are audited;",
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-16_obj.f",
@@ -19389,7 +21077,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};"
+                        "prose": "{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16_obj.f-2",
@@ -19401,10 +21095,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}."
+                        "prose": "{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-16_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -19677,7 +21389,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};"
+                        "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.1_obj-2",
@@ -19689,7 +21407,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};"
+                        "prose": "security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.1_obj-3",
@@ -19701,7 +21425,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};"
+                        "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.1_obj-4",
@@ -19713,7 +21443,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}."
+                        "prose": "privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -19847,7 +21589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;"
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;",
+                        "links": [
+                          {
+                            "href": "#ac-16.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.2_obj-2",
@@ -19859,7 +21607,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes."
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.",
+                        "links": [
+                          {
+                            "href": "#ac-16.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20133,7 +21893,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;"
+                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;",
+                        "links": [
+                          {
+                            "href": "#ac-16.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.3_obj-2",
@@ -20145,7 +21911,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained."
+                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained.",
+                        "links": [
+                          {
+                            "href": "#ac-16.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.3_obj-3",
@@ -20157,7 +21929,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;"
+                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;",
+                        "links": [
+                          {
+                            "href": "#ac-16.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.3_obj-4",
@@ -20169,7 +21947,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained."
+                        "prose": "the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained.",
+                        "links": [
+                          {
+                            "href": "#ac-16.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20485,7 +22275,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};"
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.4_obj-2",
@@ -20497,7 +22293,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};"
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.4_obj-3",
@@ -20509,7 +22311,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};"
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.4_obj-4",
@@ -20521,7 +22329,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}."
+                        "prose": "authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -20707,7 +22527,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};"
+                        "prose": "security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.5_obj-2",
@@ -20719,7 +22545,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}."
+                        "prose": "privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21083,7 +22921,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};"
+                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.6_obj-2",
@@ -21095,7 +22939,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};"
+                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.6_obj-3",
@@ -21107,7 +22957,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};"
+                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.6_obj-4",
@@ -21119,7 +22975,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}."
+                        "prose": "personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21253,7 +23121,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a consistent interpretation of security attributes transmitted between distributed system components is provided;"
+                        "prose": "a consistent interpretation of security attributes transmitted between distributed system components is provided;",
+                        "links": [
+                          {
+                            "href": "#ac-16.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.7_obj-2",
@@ -21265,7 +23139,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a consistent interpretation of privacy attributes transmitted between distributed system components is provided."
+                        "prose": "a consistent interpretation of privacy attributes transmitted between distributed system components is provided.",
+                        "links": [
+                          {
+                            "href": "#ac-16.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21457,7 +23343,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;"
+                        "prose": "{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;",
+                        "links": [
+                          {
+                            "href": "#ac-16.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.8_obj-2",
@@ -21469,7 +23361,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information."
+                        "prose": "{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information.",
+                        "links": [
+                          {
+                            "href": "#ac-16.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21653,7 +23557,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};"
+                        "prose": "security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ac-16.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.9_obj-2",
@@ -21665,7 +23575,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}."
+                        "prose": "privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-16.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -21799,7 +23721,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;"
+                        "prose": "authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;",
+                        "links": [
+                          {
+                            "href": "#ac-16.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-16.10_obj-2",
@@ -21811,7 +23739,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects."
+                        "prose": "authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.",
+                        "links": [
+                          {
+                            "href": "#ac-16.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-16.10_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22077,7 +24017,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "usage restrictions are established and documented for each type of remote access allowed;"
+                        "prose": "usage restrictions are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-2",
@@ -22089,7 +24035,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;"
+                        "prose": "configuration/connection requirements are established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17_obj.a-3",
@@ -22101,7 +24053,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established and documented for each type of remote access allowed;"
+                        "prose": "implementation guidance is established and documented for each type of remote access allowed;",
+                        "links": [
+                          {
+                            "href": "#ac-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22115,7 +24079,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of remote access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of remote access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -22270,7 +24246,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to monitor remote access methods;"
+                        "prose": "automated mechanisms are employed to monitor remote access methods;",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-17.1_obj-2",
@@ -22282,7 +24264,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are employed to control remote access methods."
+                        "prose": "automated mechanisms are employed to control remote access methods.",
+                        "links": [
+                          {
+                            "href": "#ac-17.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22417,7 +24411,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions."
+                    "prose": "cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.",
+                    "links": [
+                      {
+                        "href": "#ac-17.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.2_asm-examine",
@@ -22542,7 +24542,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote accesses are routed through authorized and managed network access control points."
+                    "prose": "remote accesses are routed through authorized and managed network access control points.",
+                    "links": [
+                      {
+                        "href": "#ac-17.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.3_asm-examine",
@@ -22770,7 +24776,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-2",
@@ -22782,7 +24794,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;"
+                            "prose": "access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-3",
@@ -22794,7 +24812,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};"
+                            "prose": "the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-17.4_obj.a-4",
@@ -22806,7 +24830,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};"
+                            "prose": "access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ac-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -22820,7 +24856,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rationale for remote access is documented in the security plan for the system."
+                        "prose": "the rationale for remote access is documented in the security plan for the system.",
+                        "links": [
+                          {
+                            "href": "#ac-17.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-17.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -22985,7 +25033,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information about remote access mechanisms is protected from unauthorized use and disclosure."
+                    "prose": "information about remote access mechanisms is protected from unauthorized use and disclosure.",
+                    "links": [
+                      {
+                        "href": "#ac-17.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.6_asm-examine",
@@ -23166,7 +25220,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided."
+                    "prose": "the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided.",
+                    "links": [
+                      {
+                        "href": "#ac-17.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.9_asm-examine",
@@ -23341,7 +25401,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}."
+                    "prose": "{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-17.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-17.10_asm-examine",
@@ -23565,7 +25631,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for each type of wireless access;"
+                        "prose": "configuration requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-2",
@@ -23577,7 +25649,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for each type of wireless access;"
+                        "prose": "connection requirements are established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18_obj.a-3",
@@ -23589,7 +25667,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for each type of wireless access;"
+                        "prose": "implementation guidance is established for each type of wireless access;",
+                        "links": [
+                          {
+                            "href": "#ac-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23603,7 +25693,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections."
+                    "prose": "each type of wireless access to the system is authorized prior to allowing such connections.",
+                    "links": [
+                      {
+                        "href": "#ac-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -23772,7 +25874,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};"
+                        "prose": "wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.1_obj-2",
@@ -23784,7 +25892,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "wireless access to the system is protected using encryption."
+                        "prose": "wireless access to the system is protected using encryption.",
+                        "links": [
+                          {
+                            "href": "#ac-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -23942,7 +26062,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment."
+                    "prose": "when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.",
+                    "links": [
+                      {
+                        "href": "#ac-18.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-18.3_asm-examine",
@@ -24082,7 +26208,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "users allowed to independently configure wireless networking capabilities are identified;"
+                        "prose": "users allowed to independently configure wireless networking capabilities are identified;",
+                        "links": [
+                          {
+                            "href": "#ac-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.4_obj-2",
@@ -24094,7 +26226,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized."
+                        "prose": "users allowed to independently configure wireless networking capabilities are explicitly authorized.",
+                        "links": [
+                          {
+                            "href": "#ac-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24232,7 +26376,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;"
+                        "prose": "radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;",
+                        "links": [
+                          {
+                            "href": "#ac-18.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-18.5_obj-2",
@@ -24244,7 +26394,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries."
+                        "prose": "transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.",
+                        "links": [
+                          {
+                            "href": "#ac-18.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-18.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24506,7 +26668,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-2",
@@ -24518,7 +26686,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19_obj.a-3",
@@ -24530,7 +26704,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;"
+                        "prose": "implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;",
+                        "links": [
+                          {
+                            "href": "#ac-19_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -24544,7 +26730,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the connection of mobile devices to organizational systems is authorized."
+                    "prose": "the connection of mobile devices to organizational systems is authorized.",
+                    "links": [
+                      {
+                        "href": "#ac-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -24898,7 +27096,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;"
+                        "prose": "the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;",
+                        "links": [
+                          {
+                            "href": "#ac-19.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-19.4_obj.b",
@@ -24921,7 +27125,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"
+                            "prose": "prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;",
+                            "links": [
+                              {
+                                "href": "#ac-19.4_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-19.4_obj.b.2",
@@ -24933,7 +27143,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"
+                            "prose": "approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;",
+                            "links": [
+                              {
+                                "href": "#ac-19.4_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-19.4_obj.b.3",
@@ -24945,7 +27161,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;"
+                            "prose": "prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;",
+                            "links": [
+                              {
+                                "href": "#ac-19.4_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ac-19.4_obj.b.4",
@@ -24968,7 +27190,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;"
+                                "prose": "random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;",
+                                "links": [
+                                  {
+                                    "href": "#ac-19.4_smt.b.4",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ac-19.4_obj.b.4-2",
@@ -24980,10 +27208,28 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;"
+                                "prose": "following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;",
+                                "links": [
+                                  {
+                                    "href": "#ac-19.4_smt.b.4",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ac-19.4_smt.b.4",
+                                "rel": "assessment-for"
                               }
                             ]
                           }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ac-19.4_smt.b",
+                            "rel": "assessment-for"
+                          }
                         ]
                       },
                       {
@@ -24996,7 +27242,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}."
+                        "prose": "the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ac-19.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-19.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25173,7 +27431,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}."
+                    "prose": "{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ac-19.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-19.5_asm-examine",
@@ -25498,11 +27762,17 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.1",
+                            "value": "AC-20a.01",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);"
+                        "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20_obj.a.2",
@@ -25510,11 +27780,23 @@
                         "props": [
                           {
                             "name": "label",
-                            "value": "AC-20a.2",
+                            "value": "AC-20a.02",
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);"
+                        "prose": "{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25528,7 +27810,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable)."
+                    "prose": "the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).",
+                    "links": [
+                      {
+                        "href": "#ac-20_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -25690,7 +27984,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);"
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-20.1_obj.b",
@@ -25702,7 +28002,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable)."
+                        "prose": "authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).",
+                        "links": [
+                          {
+                            "href": "#ac-20.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-20.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -25855,7 +28167,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}."
+                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-20.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.2_asm-examine",
@@ -25998,7 +28316,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}."
+                    "prose": "the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ac-20.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.3_asm-examine",
@@ -26146,7 +28470,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems."
+                    "prose": "the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems.",
+                    "links": [
+                      {
+                        "href": "#ac-20.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.4_asm-examine",
@@ -26283,7 +28613,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems."
+                    "prose": "the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.",
+                    "links": [
+                      {
+                        "href": "#ac-20.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-20.5_asm-examine",
@@ -26506,7 +28842,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};"
+                    "prose": "authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-21_obj.b",
@@ -26518,7 +28860,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions."
+                    "prose": "{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -26663,7 +29017,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared."
+                    "prose": "{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.",
+                    "links": [
+                      {
+                        "href": "#ac-21.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-21.1_asm-examine",
@@ -26811,7 +29171,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented."
+                    "prose": "information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ac-21.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-21.2_asm-examine",
@@ -27028,7 +29394,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "designated individuals are authorized to make information publicly accessible;"
+                    "prose": "designated individuals are authorized to make information publicly accessible;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.b",
@@ -27040,7 +29412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;"
+                    "prose": "authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.c",
@@ -27052,7 +29430,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;"
+                    "prose": "the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;",
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-22_obj.d",
@@ -27075,7 +29459,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};"
+                        "prose": "the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-22_obj.d-2",
@@ -27087,10 +29477,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "non-public information is removed from the publicly accessible system, if discovered."
+                        "prose": "non-public information is removed from the publicly accessible system, if discovered.",
+                        "links": [
+                          {
+                            "href": "#ac-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ac-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -27267,7 +29675,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining."
+                "prose": "{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining.",
+                "links": [
+                  {
+                    "href": "#ac-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-23_asm-examine",
@@ -27443,7 +29857,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement."
+                "prose": "{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.",
+                "links": [
+                  {
+                    "href": "#ac-24_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-24_asm-examine",
@@ -27630,7 +30050,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions."
+                    "prose": "{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.",
+                    "links": [
+                      {
+                        "href": "#ac-24.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ac-24.1_asm-examine",
@@ -27812,7 +30238,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);"
+                        "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);",
+                        "links": [
+                          {
+                            "href": "#ac-24.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ac-24.2_obj-2",
@@ -27824,7 +30256,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected)."
+                        "prose": "access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected).",
+                        "links": [
+                          {
+                            "href": "#ac-24.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ac-24.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -28004,7 +30448,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured."
+                "prose": "a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.",
+                "links": [
+                  {
+                    "href": "#ac-25_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ac-25_asm-examine",
@@ -28469,7 +30919,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an awareness and training policy is developed and documented; "
+                        "prose": "an awareness and training policy is developed and documented; ",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-2",
@@ -28481,7 +30937,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};"
+                        "prose": "the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-3",
@@ -28493,7 +30955,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;"
+                        "prose": "awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a-4",
@@ -28505,7 +30973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}."
+                        "prose": "the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-1_obj.a.1",
@@ -28539,7 +31013,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-2",
@@ -28551,7 +31031,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-3",
@@ -28563,7 +31049,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-4",
@@ -28575,7 +31067,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-5",
@@ -28587,7 +31085,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-6",
@@ -28599,7 +31103,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "at-1_obj.a.1.a-7",
@@ -28611,7 +31121,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and"
+                                "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and",
+                                "links": [
+                                  {
+                                    "href": "#at-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -28625,10 +31147,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and"
+                            "prose": "the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -28641,7 +31181,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;"
+                    "prose": "the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#at-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-1_obj.c",
@@ -28675,7 +31221,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; "
+                            "prose": "the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.1-2",
@@ -28687,7 +31239,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};"
+                            "prose": "the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -28712,7 +31276,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};"
+                            "prose": "the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-1_obj.c.2-2",
@@ -28724,12 +31294,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}."
+                            "prose": "the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#at-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#at-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -29178,7 +31772,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-2",
@@ -29190,7 +31790,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-3",
@@ -29202,7 +31808,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.1-4",
@@ -29214,7 +31826,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -29239,7 +31863,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};"
+                            "prose": "security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-2_obj.a.2-2",
@@ -29251,10 +31881,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};"
+                            "prose": "privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#at-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -29267,7 +31915,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;"
+                    "prose": "{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2_obj.c",
@@ -29290,7 +31944,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};"
+                        "prose": "literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2_obj.c-2",
@@ -29302,7 +31962,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};"
+                        "prose": "literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#at-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29316,7 +31988,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.",
+                    "links": [
+                      {
+                        "href": "#at-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -29460,7 +32144,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "practical exercises in literacy training that simulate events and incidents are provided."
+                    "prose": "practical exercises in literacy training that simulate events and incidents are provided.",
+                    "links": [
+                      {
+                        "href": "#at-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2.1_asm-examine",
@@ -29601,7 +32291,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;"
+                        "prose": "literacy training on recognizing potential indicators of insider threat is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.2_obj-2",
@@ -29613,7 +32309,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential indicators of insider threat is provided."
+                        "prose": "literacy training on reporting potential indicators of insider threat is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29730,7 +32438,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-2",
@@ -29742,7 +32456,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;"
+                        "prose": "literacy training on reporting potential and actual instances of social engineering is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-3",
@@ -29754,7 +32474,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;"
+                        "prose": "literacy training on recognizing potential and actual instances of social mining is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.3_obj-4",
@@ -29766,7 +32492,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on reporting potential and actual instances of social mining is provided."
+                        "prose": "literacy training on reporting potential and actual instances of social mining is provided.",
+                        "links": [
+                          {
+                            "href": "#at-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -29894,7 +32632,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided."
+                    "prose": "literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided.",
+                    "links": [
+                      {
+                        "href": "#at-2.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2.4_asm-examine",
@@ -29998,7 +32742,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "literacy training on the advanced persistent threat is provided."
+                    "prose": "literacy training on the advanced persistent threat is provided.",
+                    "links": [
+                      {
+                        "href": "#at-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-2.5_asm-examine",
@@ -30140,7 +32890,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "literacy training on the cyber threat environment is provided;"
+                        "prose": "literacy training on the cyber threat environment is provided;",
+                        "links": [
+                          {
+                            "href": "#at-2.6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-2.6_obj.b",
@@ -30152,7 +32908,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system operations reflects current cyber threat information."
+                        "prose": "system operations reflects current cyber threat information.",
+                        "links": [
+                          {
+                            "href": "#at-2.6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-2.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30557,7 +33325,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-2",
@@ -30569,7 +33343,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-3",
@@ -30581,7 +33361,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.1-4",
@@ -30593,7 +33379,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;"
+                            "prose": "role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -30618,7 +33416,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "at-3_obj.a.2-2",
@@ -30630,10 +33434,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;"
+                            "prose": "role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;",
+                            "links": [
+                              {
+                                "href": "#at-3_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#at-3_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -30657,7 +33479,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};"
+                        "prose": "role-based training content is updated {{ insert: param, at-03_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3_obj.b-2",
@@ -30669,7 +33497,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};"
+                        "prose": "role-based training content is updated following {{ insert: param, at-03_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#at-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -30683,7 +33523,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training."
+                    "prose": "lessons learned from internal or external security incidents or breaches are incorporated into role-based training.",
+                    "links": [
+                      {
+                        "href": "#at-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -30873,7 +33725,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls."
+                    "prose": "{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls.",
+                    "links": [
+                      {
+                        "href": "#at-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-3.1_asm-examine",
@@ -31031,7 +33889,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, at-03.02_odp.01 }} is/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls."
+                    "prose": "{{ insert: param, at-03.02_odp.01 }} is/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls.",
+                    "links": [
+                      {
+                        "href": "#at-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-3.2_asm-examine",
@@ -31146,7 +34010,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "practical exercises in security training that reinforce training objectives are provided;"
+                        "prose": "practical exercises in security training that reinforce training objectives are provided;",
+                        "links": [
+                          {
+                            "href": "#at-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-3.3_obj-2",
@@ -31158,7 +34028,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "practical exercises in privacy training that reinforce training objectives are provided."
+                        "prose": "practical exercises in privacy training that reinforce training objectives are provided.",
+                        "links": [
+                          {
+                            "href": "#at-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31352,7 +34234,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls."
+                    "prose": "{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.",
+                    "links": [
+                      {
+                        "href": "#at-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "at-3.5_asm-examine",
@@ -31549,7 +34437,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "at-4_obj.a-2",
@@ -31561,7 +34455,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;"
+                        "prose": "information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;",
+                        "links": [
+                          {
+                            "href": "#at-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#at-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -31575,7 +34481,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}."
+                    "prose": "individual training records are retained for {{ insert: param, at-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#at-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#at-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -31769,7 +34687,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}."
+                "prose": "feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#at-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "at-6_asm-examine",
@@ -32226,7 +35150,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit and accountability policy is developed and documented;"
+                        "prose": "an audit and accountability policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-2",
@@ -32238,7 +35168,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};"
+                        "prose": "the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-3",
@@ -32250,7 +35186,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;"
+                        "prose": "audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a-4",
@@ -32262,7 +35204,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};"
+                        "prose": "the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-1_obj.a.1",
@@ -32296,7 +35244,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-2",
@@ -32308,7 +35262,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-3",
@@ -32320,7 +35280,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-4",
@@ -32332,7 +35298,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-5",
@@ -32344,7 +35316,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-6",
@@ -32356,7 +35334,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "au-1_obj.a.1.a-7",
@@ -32368,7 +35352,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;"
+                                "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#au-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -32382,10 +35378,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -32398,7 +35412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;"
+                    "prose": "the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#au-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-1_obj.c",
@@ -32432,7 +35452,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.1-2",
@@ -32444,7 +35470,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};"
+                            "prose": "the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -32469,7 +35507,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};"
+                            "prose": "the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "au-1_obj.c.2-2",
@@ -32481,12 +35525,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}."
+                            "prose": "the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#au-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#au-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -32888,7 +35956,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;"
+                    "prose": "{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.b",
@@ -32900,7 +35974,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;"
+                    "prose": "the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.c",
@@ -32923,7 +36003,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-02_odp.02 }} are specified for logging within the system;"
+                        "prose": "{{ insert: param, au-02_odp.02 }} are specified for logging within the system;",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-2_obj.c-2",
@@ -32935,7 +36021,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};"
+                        "prose": "the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -32949,7 +36047,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;"
+                    "prose": "a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-2_obj.e",
@@ -32961,7 +36065,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}."
+                    "prose": "the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#au-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33325,7 +36441,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes what type of event occurred;"
+                    "prose": "audit records contain information that establishes what type of event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.b",
@@ -33337,7 +36459,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes when the event occurred;"
+                    "prose": "audit records contain information that establishes when the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.c",
@@ -33349,7 +36477,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes where the event occurred;"
+                    "prose": "audit records contain information that establishes where the event occurred;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.d",
@@ -33361,7 +36495,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the source of the event;"
+                    "prose": "audit records contain information that establishes the source of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.e",
@@ -33373,7 +36513,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the outcome of the event;"
+                    "prose": "audit records contain information that establishes the outcome of the event;",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3_obj.f",
@@ -33385,7 +36531,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event."
+                    "prose": "audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.",
+                    "links": [
+                      {
+                        "href": "#au-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -33530,7 +36688,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}."
+                    "prose": "generated audit records contain the following {{ insert: param, au-03.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3.1_asm-examine",
@@ -33707,7 +36871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment."
+                    "prose": "personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.",
+                    "links": [
+                      {
+                        "href": "#au-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-3.3_asm-examine",
@@ -33889,7 +37059,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}."
+                "prose": "audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-4_asm-examine",
@@ -34037,7 +37213,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging."
+                    "prose": "audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.",
+                    "links": [
+                      {
+                        "href": "#au-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-4.1_asm-examine",
@@ -34288,7 +37470,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};"
+                    "prose": "{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5_obj.b",
@@ -34300,7 +37488,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure."
+                    "prose": "{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.",
+                    "links": [
+                      {
+                        "href": "#au-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -34485,7 +37685,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity."
+                    "prose": "a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.",
+                    "links": [
+                      {
+                        "href": "#au-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.1_asm-examine",
@@ -34668,7 +37874,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur."
+                    "prose": "an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.",
+                    "links": [
+                      {
+                        "href": "#au-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.2_asm-examine",
@@ -34801,7 +38013,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;"
+                        "prose": "configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;",
+                        "links": [
+                          {
+                            "href": "#au-5.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-5.3_obj-2",
@@ -34813,7 +38031,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds."
+                        "prose": "network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds.",
+                        "links": [
+                          {
+                            "href": "#au-5.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-5.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -34962,7 +38192,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-05.04_odp.01 }} is/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists."
+                    "prose": "{{ insert: param, au-05.04_odp.01 }} is/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists.",
+                    "links": [
+                      {
+                        "href": "#au-5.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.4_asm-examine",
@@ -35109,7 +38345,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}."
+                    "prose": "an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-5.5_asm-examine",
@@ -35468,7 +38710,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;"
+                    "prose": "system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.b",
@@ -35480,7 +38728,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};"
+                    "prose": "findings are reported to {{ insert: param, au-06_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6_obj.c",
@@ -35492,7 +38746,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
+                    "prose": "the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.",
+                    "links": [
+                      {
+                        "href": "#au-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -35624,7 +38890,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}."
+                    "prose": "audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.1_asm-examine",
@@ -35788,7 +39060,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness."
+                    "prose": "audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.",
+                    "links": [
+                      {
+                        "href": "#au-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.3_asm-examine",
@@ -35933,7 +39211,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to centrally review and analyze audit records from multiple components within the system is provided;"
+                        "prose": "the capability to centrally review and analyze audit records from multiple components within the system is provided;",
+                        "links": [
+                          {
+                            "href": "#au-6.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-6.4_obj-2",
@@ -35945,7 +39229,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to centrally review and analyze audit records from multiple components within the system is implemented."
+                        "prose": "the capability to centrally review and analyze audit records from multiple components within the system is implemented.",
+                        "links": [
+                          {
+                            "href": "#au-6.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-6.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36126,7 +39422,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity."
+                    "prose": "analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.",
+                    "links": [
+                      {
+                        "href": "#au-6.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.5_asm-examine",
@@ -36252,7 +39554,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."
+                    "prose": "information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.",
+                    "links": [
+                      {
+                        "href": "#au-6.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.6_asm-examine",
@@ -36402,7 +39710,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified."
+                    "prose": "the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.",
+                    "links": [
+                      {
+                        "href": "#au-6.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.7_asm-examine",
@@ -36544,7 +39858,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed."
+                    "prose": "a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.",
+                    "links": [
+                      {
+                        "href": "#au-6.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.8_asm-examine",
@@ -36674,7 +39994,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness."
+                    "prose": "information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.",
+                    "links": [
+                      {
+                        "href": "#au-6.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-6.9_asm-examine",
@@ -36926,7 +40252,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.a-2",
@@ -36938,7 +40270,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;"
+                        "prose": "an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -36963,7 +40307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;"
+                        "prose": "an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7_obj.b-2",
@@ -36975,10 +40325,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records."
+                        "prose": "an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.",
+                        "links": [
+                          {
+                            "href": "#au-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -37138,7 +40506,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;"
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-7.1_obj-2",
@@ -37150,7 +40524,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented."
+                        "prose": "the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.",
+                        "links": [
+                          {
+                            "href": "#au-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -37373,7 +40759,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system clocks are used to generate timestamps for audit records;"
+                    "prose": "internal system clocks are used to generate timestamps for audit records;",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-8_obj.b",
@@ -37385,7 +40777,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp."
+                    "prose": "timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.",
+                    "links": [
+                      {
+                        "href": "#au-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -37690,7 +41094,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;"
+                    "prose": "audit information and audit logging tools are protected from unauthorized access, modification, and deletion;",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9_obj.b",
@@ -37702,7 +41112,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information."
+                    "prose": "{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.",
+                    "links": [
+                      {
+                        "href": "#au-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -37833,7 +41255,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit trails are written to hardware-enforced, write-once media."
+                    "prose": "audit trails are written to hardware-enforced, write-once media.",
+                    "links": [
+                      {
+                        "href": "#au-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.1_asm-examine",
@@ -37984,7 +41412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited."
+                    "prose": "audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.",
+                    "links": [
+                      {
+                        "href": "#au-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.2_asm-examine",
@@ -38117,7 +41551,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented."
+                    "prose": "cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.",
+                    "links": [
+                      {
+                        "href": "#au-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.3_asm-examine",
@@ -38264,7 +41704,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}."
+                    "prose": "access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.4_asm-examine",
@@ -38437,7 +41883,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}."
+                    "prose": "dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#au-9.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.5_asm-examine",
@@ -38585,7 +42037,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}."
+                    "prose": "read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-9.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.6_asm-examine",
@@ -38722,7 +42180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit information is stored on a component running a different operating system than the system or component being audited."
+                    "prose": "audit information is stored on a component running a different operating system than the system or component being audited.",
+                    "links": [
+                      {
+                        "href": "#au-9.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-9.7_asm-examine",
@@ -38929,7 +42393,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}."
+                "prose": "irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.",
+                "links": [
+                  {
+                    "href": "#au-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-10_asm-examine",
@@ -39119,7 +42589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};"
+                        "prose": "the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#au-10.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-10.1_obj.b",
@@ -39131,7 +42607,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means for authorized individuals to determine the identity of the producer of the information is provided."
+                        "prose": "the means for authorized individuals to determine the identity of the producer of the information is provided.",
+                        "links": [
+                          {
+                            "href": "#au-10.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-10.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39347,7 +42835,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};"
+                        "prose": "the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#au-10.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-10.2_obj.b",
@@ -39359,7 +42853,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed."
+                        "prose": "{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed.",
+                        "links": [
+                          {
+                            "href": "#au-10.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-10.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39500,7 +43006,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released."
+                    "prose": "reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.",
+                    "links": [
+                      {
+                        "href": "#au-10.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-10.3_asm-examine",
@@ -39710,7 +43222,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;"
+                        "prose": "the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;",
+                        "links": [
+                          {
+                            "href": "#au-10.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-10.4_obj.b",
@@ -39722,7 +43240,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error."
+                        "prose": "{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error.",
+                        "links": [
+                          {
+                            "href": "#au-10.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-10.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -39940,7 +43470,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
+                "prose": "audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.",
+                "links": [
+                  {
+                    "href": "#au-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-11_asm-examine",
@@ -40066,7 +43602,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved."
+                    "prose": "{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved.",
+                    "links": [
+                      {
+                        "href": "#au-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-11.1_asm-examine",
@@ -40348,7 +43890,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};"
+                    "prose": "audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.b",
@@ -40360,7 +43908,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;"
+                    "prose": "{{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12_obj.c",
@@ -40372,7 +43926,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated."
+                    "prose": "audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.",
+                    "links": [
+                      {
+                        "href": "#au-12_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#au-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -40550,7 +44116,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}."
+                    "prose": "audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#au-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12.1_asm-examine",
@@ -40671,7 +44243,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format."
+                    "prose": "a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.",
+                    "links": [
+                      {
+                        "href": "#au-12.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-12.2_asm-examine",
@@ -40889,7 +44467,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;"
+                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;",
+                        "links": [
+                          {
+                            "href": "#au-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-12.3_obj-2",
@@ -40901,7 +44485,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented."
+                        "prose": "the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.",
+                        "links": [
+                          {
+                            "href": "#au-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-12.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41035,7 +44631,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;"
+                        "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;",
+                        "links": [
+                          {
+                            "href": "#au-12.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-12.4_obj-2",
@@ -41047,7 +44649,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented."
+                        "prose": "the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.",
+                        "links": [
+                          {
+                            "href": "#au-12.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-12.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -41337,7 +44951,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-13_odp.01 }} is/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;"
+                    "prose": "{{ insert: param, au-13_odp.01 }} is/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;",
+                    "links": [
+                      {
+                        "href": "#au-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-13_obj.b",
@@ -41360,7 +44980,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;"
+                        "prose": "{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;",
+                        "links": [
+                          {
+                            "href": "#au-13_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-13_obj.b.2",
@@ -41372,10 +44998,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered."
+                        "prose": "{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered.",
+                        "links": [
+                          {
+                            "href": "#au-13_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-13_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-13_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -41529,7 +45173,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}."
+                    "prose": "open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-13.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-13.1_asm-examine",
@@ -41677,7 +45327,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}."
+                    "prose": "the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#au-13.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-13.2_asm-examine",
@@ -41808,7 +45464,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner."
+                    "prose": "discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.",
+                    "links": [
+                      {
+                        "href": "#au-13.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-13.3_asm-examine",
@@ -42082,7 +45744,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};"
+                        "prose": "{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#au-14_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-14_obj.a-2",
@@ -42094,7 +45762,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;"
+                        "prose": "the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;",
+                        "links": [
+                          {
+                            "href": "#au-14_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-14_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -42119,7 +45799,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                        "prose": "session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                        "links": [
+                          {
+                            "href": "#au-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-14_obj.b-2",
@@ -42131,7 +45817,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                        "prose": "session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                        "links": [
+                          {
+                            "href": "#au-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-14_obj.b-3",
@@ -42143,10 +45835,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                        "prose": "session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                        "links": [
+                          {
+                            "href": "#au-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#au-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -42273,7 +45983,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "session audits are initiated automatically at system start-up."
+                    "prose": "session audits are initiated automatically at system start-up.",
+                    "links": [
+                      {
+                        "href": "#au-14.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-14.1_asm-examine",
@@ -42444,7 +46160,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;"
+                        "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;",
+                        "links": [
+                          {
+                            "href": "#au-14.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "au-14.3_obj-2",
@@ -42456,7 +46178,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented."
+                        "prose": "the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.",
+                        "links": [
+                          {
+                            "href": "#au-14.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#au-14.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -42669,7 +46403,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed."
+                "prose": "{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed.",
+                "links": [
+                  {
+                    "href": "#au-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "au-16_asm-examine",
@@ -42806,7 +46546,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the identity of individuals in cross-organizational audit trails is preserved."
+                    "prose": "the identity of individuals in cross-organizational audit trails is preserved.",
+                    "links": [
+                      {
+                        "href": "#au-16.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-16.1_asm-examine",
@@ -42977,7 +46723,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}."
+                    "prose": "cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#au-16.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-16.2_asm-examine",
@@ -43098,7 +46850,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries."
+                    "prose": "{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries.",
+                    "links": [
+                      {
+                        "href": "#au-16.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "au-16.3_asm-examine",
@@ -43581,7 +47339,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;"
+                        "prose": "an assessment, authorization, and monitoring policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-2",
@@ -43593,7 +47357,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};"
+                        "prose": "the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-3",
@@ -43605,7 +47375,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;"
+                        "prose": "assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a-4",
@@ -43617,7 +47393,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};"
+                        "prose": "the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-1_obj.a.1",
@@ -43651,7 +47433,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-2",
@@ -43663,7 +47451,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-3",
@@ -43675,7 +47469,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-4",
@@ -43687,7 +47487,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-5",
@@ -43699,7 +47505,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-6",
@@ -43711,7 +47523,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ca-1_obj.a.1.a-7",
@@ -43723,7 +47541,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;"
+                                "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ca-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -43737,10 +47567,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -43753,7 +47601,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;"
+                    "prose": "the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-1_obj.c",
@@ -43787,7 +47641,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; "
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.1-2",
@@ -43799,7 +47659,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};"
+                            "prose": "the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -43824,7 +47696,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; "
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-1_obj.c.2-2",
@@ -43836,12 +47714,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}."
+                            "prose": "the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ca-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -44194,7 +48096,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;"
+                    "prose": "an appropriate assessor or assessment team is selected for the type of assessment to be conducted;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.b",
@@ -44217,7 +48125,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.2",
@@ -44229,7 +48143,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;"
+                        "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.b.3",
@@ -44252,7 +48172,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-2",
@@ -44264,7 +48190,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including the assessment team;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ca-2_obj.b.3-3",
@@ -44276,10 +48208,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;"
+                            "prose": "a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#ca-2_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -44292,7 +48242,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;"
+                    "prose": "the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.d",
@@ -44315,7 +48271,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-2_obj.d-2",
@@ -44327,7 +48289,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;"
+                        "prose": "controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#ca-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -44341,7 +48315,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a control assessment report is produced that documents the results of the assessment;"
+                    "prose": "a control assessment report is produced that documents the results of the assessment;",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2_obj.f",
@@ -44353,7 +48333,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}."
+                    "prose": "the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -44481,7 +48473,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to conduct control assessments."
+                    "prose": "independent assessors or assessment teams are employed to conduct control assessments.",
+                    "links": [
+                      {
+                        "href": "#ca-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.1_asm-examine",
@@ -44688,7 +48686,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments."
+                    "prose": "{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.",
+                    "links": [
+                      {
+                        "href": "#ca-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.2_asm-examine",
@@ -44781,10 +48785,10 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "label": "external organizations",
+                    "label": "external organization(s)",
                     "guidelines": [
                       {
-                        "prose": "external organizations from which the results of control assessments are leveraged are defined;"
+                        "prose": "external organization(s) from which the results of control assessments are leveraged are defined;"
                       }
                     ]
                   },
@@ -44885,7 +48889,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}."
+                    "prose": "the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-2.3_asm-examine",
@@ -45160,7 +49170,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};"
+                    "prose": "the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3_obj.b",
@@ -45183,7 +49199,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the interface characteristics are documented as part of each exchange agreement;"
+                        "prose": "the interface characteristics are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-2",
@@ -45195,7 +49217,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security requirements are documented as part of each exchange agreement;"
+                        "prose": "security requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-3",
@@ -45207,7 +49235,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy requirements are documented as part of each exchange agreement;"
+                        "prose": "privacy requirements are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-4",
@@ -45219,7 +49253,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls are documented as part of each exchange agreement;"
+                        "prose": "controls are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-5",
@@ -45231,7 +49271,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "responsibilities for each system are documented as part of each exchange agreement;"
+                        "prose": "responsibilities for each system are documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3_obj.b-6",
@@ -45243,7 +49289,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;"
+                        "prose": "the impact level of the information communicated is documented as part of each exchange agreement;",
+                        "links": [
+                          {
+                            "href": "#ca-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -45257,7 +49315,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}."
+                    "prose": "agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -45530,7 +49600,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data."
+                    "prose": "individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.",
+                    "links": [
+                      {
+                        "href": "#ca-3.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-3.6_asm-examine",
@@ -45699,7 +49775,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;"
+                        "prose": "transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;",
+                        "links": [
+                          {
+                            "href": "#ca-3.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-3.7_obj.b",
@@ -45711,7 +49793,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated."
+                        "prose": "measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.",
+                        "links": [
+                          {
+                            "href": "#ca-3.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-3.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -45959,7 +50053,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;"
+                    "prose": "a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5_obj.b",
@@ -45971,7 +50071,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities."
+                    "prose": "existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.",
+                    "links": [
+                      {
+                        "href": "#ca-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46121,7 +50233,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system."
+                    "prose": "{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.",
+                    "links": [
+                      {
+                        "href": "#ca-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-5.1_asm-examine",
@@ -46402,7 +50520,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for the system;"
+                    "prose": "a senior official is assigned as the authorizing official for the system;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.b",
@@ -46414,7 +50538,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;"
+                    "prose": "a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.c",
@@ -46437,7 +50567,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;"
+                        "prose": "before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6_obj.c.2",
@@ -46449,7 +50585,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;"
+                        "prose": "before commencing operations, the authorizing official for the system authorizes the system to operate;",
+                        "links": [
+                          {
+                            "href": "#ca-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -46463,7 +50611,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;"
+                    "prose": "the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-6_obj.e",
@@ -46475,7 +50629,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}."
+                    "prose": "the authorizations are updated {{ insert: param, ca-06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ca-6_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -46618,7 +50784,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a joint authorization process is employed for the system;"
+                        "prose": "a joint authorization process is employed for the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6.1_obj-2",
@@ -46630,7 +50802,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization."
+                        "prose": "the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.",
+                        "links": [
+                          {
+                            "href": "#ca-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -46773,7 +50957,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a joint authorization process is employed for the system;"
+                        "prose": "a joint authorization process is employed for the system;",
+                        "links": [
+                          {
+                            "href": "#ca-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-6.2_obj-2",
@@ -46785,7 +50975,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization."
+                        "prose": "the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.",
+                        "links": [
+                          {
+                            "href": "#ca-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47395,7 +51597,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a system-level continuous monitoring strategy is developed;"
+                    "prose": "a system-level continuous monitoring strategy is developed;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj-2",
@@ -47407,7 +51615,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.a",
@@ -47419,7 +51633,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};"
+                    "prose": "system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.b",
@@ -47442,7 +51662,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.b-2",
@@ -47454,7 +51680,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -47468,7 +51706,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.d",
@@ -47480,7 +51724,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;"
+                    "prose": "system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.e",
@@ -47492,7 +51742,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;"
+                    "prose": "system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.f",
@@ -47504,7 +51760,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;"
+                    "prose": "system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;",
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7_obj.g",
@@ -47527,7 +51789,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};"
+                        "prose": "system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7_obj.g-2",
@@ -47539,10 +51807,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}."
+                        "prose": "system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#ca-7_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -47669,7 +51955,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis."
+                    "prose": "independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#ca-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7.1_asm-examine",
@@ -47814,7 +52106,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;"
+                        "prose": "trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;",
+                        "links": [
+                          {
+                            "href": "#ca-7.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.3_obj-2",
@@ -47826,7 +52124,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;"
+                        "prose": "trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;",
+                        "links": [
+                          {
+                            "href": "#ca-7.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.3_obj-3",
@@ -47838,7 +52142,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data."
+                        "prose": "trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.",
+                        "links": [
+                          {
+                            "href": "#ca-7.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48018,7 +52334,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "effectiveness monitoring is included in risk monitoring;"
+                        "prose": "effectiveness monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.b",
@@ -48030,7 +52352,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance monitoring is included in risk monitoring;"
+                        "prose": "compliance monitoring is included in risk monitoring;",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.4_obj.c",
@@ -48042,7 +52370,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "change monitoring is included in risk monitoring."
+                        "prose": "change monitoring is included in risk monitoring.",
+                        "links": [
+                          {
+                            "href": "#ca-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48231,7 +52571,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;"
+                        "prose": "{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;",
+                        "links": [
+                          {
+                            "href": "#ca-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-7.5_obj-2",
@@ -48243,7 +52589,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner."
+                        "prose": "{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner.",
+                        "links": [
+                          {
+                            "href": "#ca-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -48398,7 +52756,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system."
+                    "prose": "{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system.",
+                    "links": [
+                      {
+                        "href": "#ca-7.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-7.6_asm-examine",
@@ -48589,7 +52953,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}."
+                "prose": "penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ca-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ca-8_asm-examine",
@@ -48719,7 +53089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components."
+                    "prose": "an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.",
+                    "links": [
+                      {
+                        "href": "#ca-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-8.1_asm-examine",
@@ -48845,7 +53221,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement."
+                    "prose": "{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.",
+                    "links": [
+                      {
+                        "href": "#ca-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-8.2_asm-examine",
@@ -49022,7 +53404,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility."
+                    "prose": "the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility.",
+                    "links": [
+                      {
+                        "href": "#ca-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-8.3_asm-examine",
@@ -49309,7 +53697,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;"
+                    "prose": "internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.b",
@@ -49332,7 +53726,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the interface characteristics are documented;"
+                        "prose": "for each internal connection, the interface characteristics are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-2",
@@ -49344,7 +53744,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the security requirements are documented;"
+                        "prose": "for each internal connection, the security requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-3",
@@ -49356,7 +53762,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the privacy requirements are documented;"
+                        "prose": "for each internal connection, the privacy requirements are documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9_obj.b-4",
@@ -49368,7 +53780,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for each internal connection, the nature of the information communicated is documented;"
+                        "prose": "for each internal connection, the nature of the information communicated is documented;",
+                        "links": [
+                          {
+                            "href": "#ca-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -49382,7 +53806,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};"
+                    "prose": "internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ca-9_obj.d",
@@ -49394,7 +53824,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}."
+                    "prose": "the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#ca-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ca-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -49542,7 +53984,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security compliance checks are performed on constituent system components prior to the establishment of the internal connection;"
+                        "prose": "security compliance checks are performed on constituent system components prior to the establishment of the internal connection;",
+                        "links": [
+                          {
+                            "href": "#ca-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ca-9.1_obj-2",
@@ -49554,7 +54002,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection."
+                        "prose": "privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.",
+                        "links": [
+                          {
+                            "href": "#ca-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ca-9.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50023,7 +54483,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a configuration management policy is developed and documented;"
+                        "prose": "a configuration management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-2",
@@ -50035,7 +54501,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};"
+                        "prose": "the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-3",
@@ -50047,7 +54519,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;"
+                        "prose": "configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a-4",
@@ -50059,7 +54537,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};"
+                        "prose": "the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-1_obj.a.1",
@@ -50093,7 +54577,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-2",
@@ -50105,7 +54595,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-3",
@@ -50117,7 +54613,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-4",
@@ -50129,7 +54631,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-5",
@@ -50141,7 +54649,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-6",
@@ -50153,7 +54667,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cm-1_obj.a.1.a-7",
@@ -50165,7 +54685,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;"
+                                "prose": "the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cm-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -50179,10 +54711,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -50195,7 +54745,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;"
+                    "prose": "the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-1_obj.c",
@@ -50229,7 +54785,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; "
+                            "prose": "the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.1-2",
@@ -50241,7 +54803,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};"
+                            "prose": "the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -50266,7 +54840,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; "
+                            "prose": "the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-1_obj.c.2-2",
@@ -50278,12 +54858,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}."
+                            "prose": "the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -50590,7 +55194,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is developed and documented;"
+                        "prose": "a current baseline configuration of the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.a-2",
@@ -50602,7 +55212,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a current baseline configuration of the system is maintained under configuration control;"
+                        "prose": "a current baseline configuration of the system is maintained under configuration control;",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -50627,7 +55249,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.2",
@@ -50639,7 +55267,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};"
+                        "prose": "the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2_obj.b.3",
@@ -50651,10 +55285,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded."
+                        "prose": "the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.",
+                        "links": [
+                          {
+                            "href": "#cm-2_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -50856,7 +55508,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-2",
@@ -50868,7 +55526,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-3",
@@ -50880,7 +55544,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};"
+                        "prose": "the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.2_obj-4",
@@ -50892,7 +55562,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}."
+                        "prose": "the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51042,7 +55724,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback."
+                    "prose": "{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.",
+                    "links": [
+                      {
+                        "href": "#cm-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-2.3_asm-examine",
@@ -51251,7 +55939,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;"
+                        "prose": "a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;",
+                        "links": [
+                          {
+                            "href": "#cm-2.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.6_obj-2",
@@ -51263,7 +55957,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained."
+                        "prose": "a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.",
+                        "links": [
+                          {
+                            "href": "#cm-2.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51495,7 +56201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;"
+                        "prose": "{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-2.7_obj.b",
@@ -51507,7 +56219,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel."
+                        "prose": "{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.",
+                        "links": [
+                          {
+                            "href": "#cm-2.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-2.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51929,7 +56653,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;"
+                    "prose": "the types of changes to the system that are configuration-controlled are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.b",
@@ -51952,7 +56682,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are reviewed;"
+                        "prose": "proposed configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.b-2",
@@ -51964,7 +56700,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;"
+                        "prose": "proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -51978,7 +56726,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration change decisions associated with the system are documented;"
+                    "prose": "configuration change decisions associated with the system are documented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.d",
@@ -51990,7 +56744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approved configuration-controlled changes to the system are implemented;"
+                    "prose": "approved configuration-controlled changes to the system are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.e",
@@ -52002,7 +56762,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};"
+                    "prose": "records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3_obj.f",
@@ -52025,7 +56791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are monitored;"
+                        "prose": "activities associated with configuration-controlled changes to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.f-2",
@@ -52037,7 +56809,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;"
+                        "prose": "activities associated with configuration-controlled changes to the system are reviewed;",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52062,7 +56846,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};"
+                        "prose": "configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3_obj.g-2",
@@ -52074,10 +56864,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}."
+                        "prose": "the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -52365,7 +57173,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;"
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.b",
@@ -52377,7 +57191,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;"
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.c",
@@ -52389,7 +57209,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};"
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.d",
@@ -52401,7 +57227,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;"
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.e",
@@ -52413,7 +57245,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;"
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.1_obj.f",
@@ -52425,7 +57263,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed."
+                        "prose": "{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.",
+                        "links": [
+                          {
+                            "href": "#cm-3.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52564,7 +57414,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are tested before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are tested before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-2",
@@ -52576,7 +57432,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are validated before finalizing the implementation of the changes;"
+                        "prose": "changes to the system are validated before finalizing the implementation of the changes;",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.2_obj-3",
@@ -52588,7 +57450,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are documented before finalizing the implementation of the changes."
+                        "prose": "changes to the system are documented before finalizing the implementation of the changes.",
+                        "links": [
+                          {
+                            "href": "#cm-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52744,7 +57618,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};"
+                        "prose": "changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.3_obj-2",
@@ -52756,7 +57636,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}."
+                        "prose": "the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -52960,7 +57852,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};"
+                        "prose": "{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-3.4_obj-2",
@@ -52972,7 +57870,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}."
+                        "prose": "{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -53117,7 +58027,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner."
+                    "prose": "{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner.",
+                    "links": [
+                      {
+                        "href": "#cm-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3.5_asm-examine",
@@ -53264,7 +58180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management."
+                    "prose": "cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.",
+                    "links": [
+                      {
+                        "href": "#cm-3.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3.6_asm-examine",
@@ -53439,7 +58361,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred."
+                    "prose": "changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred.",
+                    "links": [
+                      {
+                        "href": "#cm-3.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3.7_asm-examine",
@@ -53582,7 +58510,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}."
+                    "prose": "changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cm-3.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-3.8_asm-examine",
@@ -53725,7 +58659,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;"
+                    "prose": "changes to the system are analyzed to determine potential security impacts prior to change implementation;",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-4_obj-2",
@@ -53737,7 +58677,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation."
+                    "prose": "changes to the system are analyzed to determine potential privacy impacts prior to change implementation.",
+                    "links": [
+                      {
+                        "href": "#cm-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -53884,7 +58836,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;"
+                        "prose": "changes to the system are analyzed in a separate test environment before implementation in an operational environment;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-2",
@@ -53896,7 +58854,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to flaws;"
+                        "prose": "changes to the system are analyzed for security impacts due to flaws;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-3",
@@ -53908,7 +58872,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to flaws;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to flaws;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-4",
@@ -53920,7 +58890,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to weaknesses;"
+                        "prose": "changes to the system are analyzed for security impacts due to weaknesses;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-5",
@@ -53932,7 +58908,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to weaknesses;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-6",
@@ -53944,7 +58926,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to incompatibility;"
+                        "prose": "changes to the system are analyzed for security impacts due to incompatibility;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-7",
@@ -53956,7 +58944,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;"
+                        "prose": "changes to the system are analyzed for privacy impacts due to incompatibility;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-8",
@@ -53968,7 +58962,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for security impacts due to intentional malice;"
+                        "prose": "changes to the system are analyzed for security impacts due to intentional malice;",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.1_obj-9",
@@ -53980,7 +58980,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the system are analyzed for privacy impacts due to intentional malice."
+                        "prose": "changes to the system are analyzed for privacy impacts due to intentional malice.",
+                        "links": [
+                          {
+                            "href": "#cm-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54131,7 +59143,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-2",
@@ -54143,7 +59161,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-3",
@@ -54155,7 +59179,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-4",
@@ -54167,7 +59197,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;"
+                        "prose": "the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-5",
@@ -54179,7 +59215,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;"
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-4.2_obj-6",
@@ -54191,7 +59233,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes."
+                        "prose": "the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.",
+                        "links": [
+                          {
+                            "href": "#cm-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54371,7 +59425,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "physical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-2",
@@ -54383,7 +59443,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are approved;"
+                    "prose": "physical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-3",
@@ -54395,7 +59461,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access restrictions associated with changes to the system are enforced;"
+                    "prose": "physical access restrictions associated with changes to the system are enforced;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-4",
@@ -54407,7 +59479,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are defined and documented;"
+                    "prose": "logical access restrictions associated with changes to the system are defined and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-5",
@@ -54419,7 +59497,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are approved;"
+                    "prose": "logical access restrictions associated with changes to the system are approved;",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5_obj-6",
@@ -54431,7 +59515,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "logical access restrictions associated with changes to the system are enforced."
+                    "prose": "logical access restrictions associated with changes to the system are enforced.",
+                    "links": [
+                      {
+                        "href": "#cm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -54638,7 +59734,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};"
+                        "prose": "access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-5.1_obj.b",
@@ -54650,7 +59752,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "audit records of enforcement actions are automatically generated."
+                        "prose": "audit records of enforcement actions are automatically generated.",
+                        "links": [
+                          {
+                            "href": "#cm-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -54911,7 +60025,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;"
+                        "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;",
+                        "links": [
+                          {
+                            "href": "#cm-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-5.4_obj-2",
@@ -54923,7 +60043,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced."
+                        "prose": "dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced.",
+                        "links": [
+                          {
+                            "href": "#cm-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-5.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55145,7 +60277,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privileges to change system components within a production or operational environment are limited;"
+                            "prose": "privileges to change system components within a production or operational environment are limited;",
+                            "links": [
+                              {
+                                "href": "#cm-5.5_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-5.5_obj.a-2",
@@ -55157,7 +60295,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privileges to change system-related information within a production or operational environment are limited;"
+                            "prose": "privileges to change system-related information within a production or operational environment are limited;",
+                            "links": [
+                              {
+                                "href": "#cm-5.5_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-5.5_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -55182,7 +60332,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};"
+                            "prose": "privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#cm-5.5_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-5.5_obj.b-2",
@@ -55194,10 +60350,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}."
+                            "prose": "privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.",
+                            "links": [
+                              {
+                                "href": "#cm-5.5_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-5.5_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-5.5_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -55328,7 +60502,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileges to change software resident within software libraries are limited."
+                    "prose": "privileges to change software resident within software libraries are limited.",
+                    "links": [
+                      {
+                        "href": "#cm-5.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-5.6_asm-examine",
@@ -55736,7 +60916,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};"
+                    "prose": "configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.b",
@@ -55748,7 +60934,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration settings documented in CM-06a are implemented;"
+                    "prose": "the configuration settings documented in CM-06a are implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6_obj.c",
@@ -55771,7 +60963,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.c-2",
@@ -55783,7 +60981,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;"
+                        "prose": "any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -55808,7 +61018,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;"
+                        "prose": "changes to the configuration settings are monitored in accordance with organizational policies and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6_obj.d-2",
@@ -55820,10 +61036,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures."
+                        "prose": "changes to the configuration settings are controlled in accordance with organizational policies and procedures.",
+                        "links": [
+                          {
+                            "href": "#cm-6_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -56051,7 +61285,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};"
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6.1_obj-2",
@@ -56063,7 +61303,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};"
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-6.1_obj-3",
@@ -56075,7 +61321,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}."
+                        "prose": "configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -56252,7 +61510,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}."
+                    "prose": "{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-6.2_asm-examine",
@@ -56696,7 +61960,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};"
+                    "prose": "the system is configured to provide only {{ insert: param, cm-07_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7_obj.b",
@@ -56719,7 +61989,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-2",
@@ -56731,7 +62007,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-3",
@@ -56743,7 +62025,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-4",
@@ -56755,7 +62043,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;"
+                        "prose": "the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7_obj.b-5",
@@ -56767,10 +62061,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted."
+                        "prose": "the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.",
+                        "links": [
+                          {
+                            "href": "#cm-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -57068,7 +62380,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:"
+                        "prose": "the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:",
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.1_obj.b",
@@ -57091,7 +62409,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": "{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-2",
@@ -57103,7 +62427,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": "{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-3",
@@ -57115,7 +62445,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;"
+                            "prose": "{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-4",
@@ -57127,7 +62463,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;"
+                            "prose": "{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.1_obj.b-5",
@@ -57139,10 +62481,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed."
+                            "prose": "{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.",
+                            "links": [
+                              {
+                                "href": "#cm-7.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-7.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -57327,7 +62687,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}."
+                    "prose": "program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7.2_asm-examine",
@@ -57475,7 +62841,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-07.03_odp }} are complied with."
+                    "prose": "{{ insert: param, cm-07.03_odp }} are complied with.",
+                    "links": [
+                      {
+                        "href": "#cm-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7.3_asm-examine",
@@ -57713,7 +63085,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-07.04_odp.01 }} are identified;"
+                        "prose": "{{ insert: param, cm-07.04_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#cm-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.4_obj.b",
@@ -57725,7 +63103,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;"
+                        "prose": "an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;",
+                        "links": [
+                          {
+                            "href": "#cm-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.4_obj.c",
@@ -57737,7 +63121,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}."
+                        "prose": "the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -57993,7 +63389,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-07.05_odp.01 }} are identified;"
+                        "prose": "{{ insert: param, cm-07.05_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.b",
@@ -58005,7 +63407,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;"
+                        "prose": "a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.5_obj.c",
@@ -58017,7 +63425,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}."
+                        "prose": "the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -58175,7 +63595,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges."
+                    "prose": "{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges.",
+                    "links": [
+                      {
+                        "href": "#cm-7.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-7.6_asm-examine",
@@ -58372,7 +63798,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};"
+                        "prose": "the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};",
+                        "links": [
+                          {
+                            "href": "#cm-7.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.7_obj.b",
@@ -58384,7 +63816,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}."
+                        "prose": "the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -58559,7 +64003,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;"
+                        "prose": "the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;",
+                        "links": [
+                          {
+                            "href": "#cm-7.8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.8_obj.b",
@@ -58582,7 +64032,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;"
+                            "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;",
+                            "links": [
+                              {
+                                "href": "#cm-7.8_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-7.8_obj.b-2",
@@ -58594,10 +64050,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official."
+                            "prose": "exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.",
+                            "links": [
+                              {
+                                "href": "#cm-7.8_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-7.8_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.8_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -58821,7 +64295,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-07.09_odp.01 }} are identified;"
+                        "prose": "{{ insert: param, cm-07.09_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#cm-7.9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.9_obj.b",
@@ -58833,7 +64313,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use or connection of unauthorized hardware components is prohibited;"
+                        "prose": "the use or connection of unauthorized hardware components is prohibited;",
+                        "links": [
+                          {
+                            "href": "#cm-7.9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-7.9_obj.c",
@@ -58845,7 +64331,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}."
+                        "prose": "the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-7.9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-7.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59216,7 +64714,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;"
+                        "prose": "an inventory of system components that accurately reflects the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.2",
@@ -59228,7 +64732,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes all components within the system is developed and documented;"
+                        "prose": "an inventory of system components that includes all components within the system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.3",
@@ -59240,7 +64750,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;"
+                        "prose": "an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.4",
@@ -59252,7 +64768,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;"
+                        "prose": "an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8_obj.a.5",
@@ -59264,7 +64786,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;"
+                        "prose": "an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59278,7 +64812,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}."
+                    "prose": "the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -59421,7 +64967,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component installations;"
+                        "prose": "the inventory of system components is updated as part of component installations;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-2",
@@ -59433,7 +64985,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of component removals;"
+                        "prose": "the inventory of system components is updated as part of component removals;",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.1_obj-3",
@@ -59445,7 +65003,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the inventory of system components is updated as part of system updates."
+                        "prose": "the inventory of system components is updated as part of system updates.",
+                        "links": [
+                          {
+                            "href": "#cm-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -59676,7 +65246,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;"
+                        "prose": "{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-2",
@@ -59688,7 +65264,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;"
+                        "prose": "{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-3",
@@ -59700,7 +65282,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;"
+                        "prose": "{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.2_obj-4",
@@ -59712,7 +65300,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory."
+                        "prose": "{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.",
+                        "links": [
+                          {
+                            "href": "#cm-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -60054,7 +65654,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-2",
@@ -60066,7 +65672,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.a-3",
@@ -60078,7 +65690,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};"
+                            "prose": "the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -60103,7 +65727,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;"
+                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-2",
@@ -60115,7 +65745,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;"
+                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cm-8.3_obj.b-3",
@@ -60127,10 +65763,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected."
+                            "prose": "{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.",
+                            "links": [
+                              {
+                                "href": "#cm-8.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cm-8.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -60285,7 +65939,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory."
+                    "prose": "individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.",
+                    "links": [
+                      {
+                        "href": "#cm-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-8.4_asm-examine",
@@ -60452,7 +66112,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "assessed component configurations are included in the system component inventory;"
+                        "prose": "assessed component configurations are included in the system component inventory;",
+                        "links": [
+                          {
+                            "href": "#cm-8.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.6_obj-2",
@@ -60464,7 +66130,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "any approved deviations to current deployed configurations are included in the system component inventory."
+                        "prose": "any approved deviations to current deployed configurations are included in the system component inventory.",
+                        "links": [
+                          {
+                            "href": "#cm-8.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -60592,7 +66270,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a centralized repository for the system component inventory is provided."
+                    "prose": "a centralized repository for the system component inventory is provided.",
+                    "links": [
+                      {
+                        "href": "#cm-8.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-8.7_asm-examine",
@@ -60740,7 +66424,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location."
+                    "prose": "{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location.",
+                    "links": [
+                      {
+                        "href": "#cm-8.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-8.8_asm-examine",
@@ -60922,7 +66612,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system components are assigned to a system;"
+                        "prose": "system components are assigned to a system;",
+                        "links": [
+                          {
+                            "href": "#cm-8.9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-8.9_obj.b",
@@ -60934,7 +66630,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}."
+                        "prose": "an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}.",
+                        "links": [
+                          {
+                            "href": "#cm-8.9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-8.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61185,7 +66893,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is developed and documented;"
+                    "prose": "a configuration management plan for the system is developed and documented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj-2",
@@ -61197,7 +66911,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configuration management plan for the system is implemented;"
+                    "prose": "a configuration management plan for the system is implemented;",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.a",
@@ -61220,7 +66940,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses roles;"
+                        "prose": "the configuration management plan addresses roles;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-2",
@@ -61232,7 +66958,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses responsibilities;"
+                        "prose": "the configuration management plan addresses responsibilities;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.a-3",
@@ -61244,7 +66976,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan addresses configuration management processes and procedures;"
+                        "prose": "the configuration management plan addresses configuration management processes and procedures;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61269,7 +67013,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;"
+                        "prose": "the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.b-2",
@@ -61281,7 +67031,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;"
+                        "prose": "the configuration management plan establishes a process for managing the configuration of the configuration items;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61306,7 +67068,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan defines the configuration items for the system;"
+                        "prose": "the configuration management plan defines the configuration items for the system;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.c-2",
@@ -61318,7 +67086,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan places the configuration items under configuration management;"
+                        "prose": "the configuration management plan places the configuration items under configuration management;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -61332,7 +67112,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};"
+                    "prose": "the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};",
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9_obj.e",
@@ -61355,7 +67141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized disclosure;"
+                        "prose": "the configuration management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-9_obj.e-2",
@@ -61367,10 +67159,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configuration management plan is protected from unauthorized modification."
+                        "prose": "the configuration management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cm-9_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-9_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -61492,7 +67302,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development."
+                    "prose": "the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.",
+                    "links": [
+                      {
+                        "href": "#cm-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-9.1_asm-examine",
@@ -61658,7 +67474,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;"
+                    "prose": "software and associated documentation are used in accordance with contract agreements and copyright laws;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.b",
@@ -61670,7 +67492,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;"
+                    "prose": "the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10_obj.c",
@@ -61682,7 +67510,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
+                    "prose": "the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.",
+                    "links": [
+                      {
+                        "href": "#cm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -61831,7 +67671,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-10.01_odp }} are established for the use of open-source software."
+                    "prose": "{{ insert: param, cm-10.01_odp }} are established for the use of open-source software.",
+                    "links": [
+                      {
+                        "href": "#cm-10.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-10.1_asm-examine",
@@ -62101,7 +67947,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;"
+                    "prose": "{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.b",
@@ -62113,7 +67965,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};"
+                    "prose": "software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11_obj.c",
@@ -62125,7 +67983,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}."
+                    "prose": "compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#cm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -62286,7 +68156,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "user installation of software is allowed only with explicit privileged status."
+                    "prose": "user installation of software is allowed only with explicit privileged status.",
+                    "links": [
+                      {
+                        "href": "#cm-11.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-11.2_asm-examine",
@@ -62473,7 +68349,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};"
+                        "prose": "compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cm-11.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-11.3_obj-2",
@@ -62485,7 +68367,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}."
+                        "prose": "compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cm-11.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-11.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -62765,7 +68659,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;"
+                        "prose": "the location of {{ insert: param, cm-12_odp }} is identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-2",
@@ -62777,7 +68677,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.a-3",
@@ -62789,7 +68695,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -62814,7 +68732,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.b-2",
@@ -62826,7 +68750,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;"
+                        "prose": "the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -62851,7 +68787,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;"
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cm-12_obj.c-2",
@@ -62863,10 +68805,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented."
+                        "prose": "changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.",
+                        "links": [
+                          {
+                            "href": "#cm-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cm-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -63035,7 +68995,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy."
+                    "prose": "automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.",
+                    "links": [
+                      {
+                        "href": "#cm-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-12.1_asm-examine",
@@ -63190,7 +69156,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a map of system data actions is developed and documented."
+                "prose": "a map of system data actions is developed and documented.",
+                "links": [
+                  {
+                    "href": "#cm-13_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cm-13_asm-examine",
@@ -63398,7 +69370,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;"
+                    "prose": "the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;",
+                    "links": [
+                      {
+                        "href": "#cm-14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cm-14_obj-2",
@@ -63410,7 +69388,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization."
+                    "prose": "the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.",
+                    "links": [
+                      {
+                        "href": "#cm-14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cm-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -63877,7 +69867,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency planning policy is developed and documented;"
+                        "prose": "a contingency planning policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-2",
@@ -63889,7 +69885,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};"
+                        "prose": "the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-3",
@@ -63901,7 +69903,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;"
+                        "prose": "contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a-4",
@@ -63913,7 +69921,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};"
+                        "prose": "the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-1_obj.a.1",
@@ -63947,7 +69961,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-2",
@@ -63959,7 +69979,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-3",
@@ -63971,7 +69997,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-4",
@@ -63983,7 +70015,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-5",
@@ -63995,7 +70033,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-6",
@@ -64007,7 +70051,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "cp-1_obj.a.1.a-7",
@@ -64019,7 +70069,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#cp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -64033,10 +70095,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -64049,7 +70129,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;"
+                    "prose": "the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-1_obj.c",
@@ -64083,7 +70169,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.1-2",
@@ -64095,7 +70187,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};"
+                            "prose": "the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -64120,7 +70224,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};"
+                            "prose": "the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-1_obj.c.2-2",
@@ -64132,12 +70242,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}."
+                            "prose": "the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -64697,7 +70831,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;"
+                        "prose": "a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.2",
@@ -64720,7 +70860,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides recovery objectives;"
+                            "prose": "a contingency plan for the system is developed that provides recovery objectives;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-2",
@@ -64732,7 +70878,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides restoration priorities;"
+                            "prose": "a contingency plan for the system is developed that provides restoration priorities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.2-3",
@@ -64744,7 +70896,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that provides metrics;"
+                            "prose": "a contingency plan for the system is developed that provides metrics;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -64769,7 +70933,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency roles;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency roles;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-2",
@@ -64781,7 +70951,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;"
+                            "prose": "a contingency plan for the system is developed that addresses contingency responsibilities;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.3-3",
@@ -64793,7 +70969,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;"
+                            "prose": "a contingency plan for the system is developed that addresses assigned individuals with contact information;",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -64807,7 +70995,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;"
+                        "prose": "a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.5",
@@ -64819,7 +71013,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;"
+                        "prose": "a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.6",
@@ -64831,7 +71031,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;"
+                        "prose": "a contingency plan for the system is developed that addresses the sharing of contingency information;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.a.7",
@@ -64854,7 +71060,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};"
+                            "prose": "a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-2_obj.a.7-2",
@@ -64866,10 +71078,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};"
+                            "prose": "a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#cp-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -64893,7 +71123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.b-2",
@@ -64905,7 +71141,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};"
+                        "prose": "copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64919,7 +71167,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency planning activities are coordinated with incident handling activities;"
+                    "prose": "contingency planning activities are coordinated with incident handling activities;",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.d",
@@ -64931,7 +71185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};"
+                    "prose": "the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2_obj.e",
@@ -64954,7 +71214,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;"
+                        "prose": "the contingency plan is updated to address changes to the organization, system, or environment of operation;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.e-2",
@@ -64966,7 +71232,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;"
+                        "prose": "the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -64991,7 +71269,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.f-2",
@@ -65003,7 +71287,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};"
+                        "prose": "contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65028,7 +71324,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;"
+                        "prose": "lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.g-2",
@@ -65040,7 +71342,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;"
+                        "prose": "lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65065,7 +71379,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized disclosure;"
+                        "prose": "the contingency plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2_obj.h-2",
@@ -65077,10 +71397,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is protected from unauthorized modification."
+                        "prose": "the contingency plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#cp-2_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -65202,7 +71540,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan development is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.1_asm-examine",
@@ -65336,7 +71680,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;"
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.2_obj-2",
@@ -65348,7 +71698,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;"
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.2_obj-3",
@@ -65360,7 +71716,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support."
+                        "prose": "capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.",
+                        "links": [
+                          {
+                            "href": "#cp-2.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65503,7 +71871,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation."
+                    "prose": "the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.",
+                    "links": [
+                      {
+                        "href": "#cp-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.3_asm-examine",
@@ -65687,7 +72061,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;"
+                        "prose": "the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;",
+                        "links": [
+                          {
+                            "href": "#cp-2.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.5_obj-2",
@@ -65699,7 +72079,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites."
+                        "prose": "continuity is sustained until full system restoration at primary processing and/or storage sites.",
+                        "links": [
+                          {
+                            "href": "#cp-2.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65855,7 +72247,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;"
+                        "prose": "the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;",
+                        "links": [
+                          {
+                            "href": "#cp-2.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-2.6_obj-2",
@@ -65867,7 +72265,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "operational continuity is sustained until full system restoration at primary processing and/or storage sites."
+                        "prose": "operational continuity is sustained until full system restoration at primary processing and/or storage sites.",
+                        "links": [
+                          {
+                            "href": "#cp-2.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-2.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -65994,7 +72404,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied."
+                    "prose": "the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.",
+                    "links": [
+                      {
+                        "href": "#cp-2.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.7_asm-examine",
@@ -66123,7 +72539,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified."
+                    "prose": "critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.",
+                    "links": [
+                      {
+                        "href": "#cp-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-2.8_asm-examine",
@@ -66427,7 +72849,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.2",
@@ -66439,7 +72867,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.a.3",
@@ -66451,7 +72885,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;"
+                        "prose": "contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -66476,7 +72922,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};"
+                        "prose": "the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-3_obj.b-2",
@@ -66488,10 +72940,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}."
+                        "prose": "the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -66618,7 +73088,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations."
+                    "prose": "simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.",
+                    "links": [
+                      {
+                        "href": "#cp-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-3.1_asm-examine",
@@ -66744,7 +73220,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment."
+                    "prose": "mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.",
+                    "links": [
+                      {
+                        "href": "#cp-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-3.2_asm-examine",
@@ -67050,7 +73532,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};"
+                        "prose": "the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-2",
@@ -67062,7 +73550,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;"
+                        "prose": "{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4_obj.a-3",
@@ -67074,7 +73568,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;"
+                        "prose": "{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;",
+                        "links": [
+                          {
+                            "href": "#cp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67088,7 +73594,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan test results are reviewed;"
+                    "prose": "the contingency plan test results are reviewed;",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4_obj.c",
@@ -67100,7 +73612,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "corrective actions are initiated, if needed."
+                    "prose": "corrective actions are initiated, if needed.",
+                    "links": [
+                      {
+                        "href": "#cp-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -67236,7 +73760,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "contingency plan testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#cp-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4.1_asm-examine",
@@ -67379,7 +73909,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;"
+                        "prose": "the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;",
+                        "links": [
+                          {
+                            "href": "#cp-4.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4.2_obj.b",
@@ -67391,7 +73927,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations."
+                        "prose": "the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.",
+                        "links": [
+                          {
+                            "href": "#cp-4.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67541,7 +74089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contingency plan is tested using {{ insert: param, cp-04.03_odp }}."
+                    "prose": "the contingency plan is tested using {{ insert: param, cp-04.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cp-4.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4.3_asm-examine",
@@ -67686,7 +74240,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a full recovery of the system to a known state is included as part of contingency plan testing;"
+                        "prose": "a full recovery of the system to a known state is included as part of contingency plan testing;",
+                        "links": [
+                          {
+                            "href": "#cp-4.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-4.4_obj-2",
@@ -67698,7 +74258,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a full reconstitution of the system to a known state is included as part of contingency plan testing."
+                        "prose": "a full reconstitution of the system to a known state is included as part of contingency plan testing.",
+                        "links": [
+                          {
+                            "href": "#cp-4.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-4.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -67873,7 +74445,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}."
+                    "prose": "{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#cp-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-4.5_asm-examine",
@@ -68111,7 +74689,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an alternate storage site is established;"
+                        "prose": "an alternate storage site is established;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6_obj.a-2",
@@ -68123,7 +74707,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;"
+                        "prose": "establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;",
+                        "links": [
+                          {
+                            "href": "#cp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -68137,7 +74733,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the alternate storage site provides controls equivalent to that of the primary site."
+                    "prose": "the alternate storage site provides controls equivalent to that of the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -68264,7 +74872,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats."
+                    "prose": "an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.",
+                    "links": [
+                      {
+                        "href": "#cp-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-6.1_asm-examine",
@@ -68374,7 +74988,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;"
+                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;",
+                        "links": [
+                          {
+                            "href": "#cp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6.2_obj-2",
@@ -68386,7 +75006,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives."
+                        "prose": "the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.",
+                        "links": [
+                          {
+                            "href": "#cp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -68524,7 +75156,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-6.3_obj-2",
@@ -68536,7 +75174,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -68779,7 +75429,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;"
+                    "prose": "an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7_obj.b",
@@ -68802,7 +75458,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;"
+                        "prose": "the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7_obj.b-2",
@@ -68814,7 +75476,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;"
+                        "prose": "the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;",
+                        "links": [
+                          {
+                            "href": "#cp-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -68828,7 +75502,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site."
+                    "prose": "controls provided at the alternate processing site are equivalent to those at the primary site.",
+                    "links": [
+                      {
+                        "href": "#cp-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -68955,7 +75641,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified."
+                    "prose": "an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.",
+                    "links": [
+                      {
+                        "href": "#cp-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.1_asm-examine",
@@ -69069,7 +75761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;"
+                        "prose": "potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7.2_obj-2",
@@ -69081,7 +75779,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined."
+                        "prose": "explicit mitigation actions to address identified accessibility problems are outlined.",
+                        "links": [
+                          {
+                            "href": "#cp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -69182,7 +75892,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed."
+                    "prose": "alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.",
+                    "links": [
+                      {
+                        "href": "#cp-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.3_asm-examine",
@@ -69293,7 +76009,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions."
+                    "prose": "the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.",
+                    "links": [
+                      {
+                        "href": "#cp-7.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-7.4_asm-examine",
@@ -69455,7 +76177,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "circumstances that preclude returning to the primary processing site are planned for;"
+                        "prose": "circumstances that preclude returning to the primary processing site are planned for;",
+                        "links": [
+                          {
+                            "href": "#cp-7.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-7.6_obj-2",
@@ -69467,7 +76195,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "circumstances that preclude returning to the primary processing site are prepared for."
+                        "prose": "circumstances that preclude returning to the primary processing site are prepared for.",
+                        "links": [
+                          {
+                            "href": "#cp-7.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-7.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -69632,7 +76372,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."
+                "prose": "alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.",
+                "links": [
+                  {
+                    "href": "#cp-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-8_asm-examine",
@@ -69798,7 +76544,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.1_obj.a-2",
@@ -69810,7 +76562,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;"
+                            "prose": "alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;",
+                            "links": [
+                              {
+                                "href": "#cp-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -69824,7 +76588,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier."
+                        "prose": "Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.",
+                        "links": [
+                          {
+                            "href": "#cp-8.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -69947,7 +76723,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained."
+                    "prose": "alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.",
+                    "links": [
+                      {
+                        "href": "#cp-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.2_asm-examine",
@@ -70046,7 +76828,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats."
+                    "prose": "alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.",
+                    "links": [
+                      {
+                        "href": "#cp-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.3_asm-examine",
@@ -70259,7 +77047,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "primary telecommunications service providers are required to have contingency plans;"
+                            "prose": "primary telecommunications service providers are required to have contingency plans;",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.4_obj.a-2",
@@ -70271,7 +77065,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "alternate telecommunications service providers are required to have contingency plans;"
+                            "prose": "alternate telecommunications service providers are required to have contingency plans;",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -70285,7 +77091,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;"
+                        "prose": "provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;",
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-8.4_obj.c",
@@ -70308,7 +77120,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}."
+                            "prose": "evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "cp-8.4_obj.c-2",
@@ -70320,10 +77138,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}."
+                            "prose": "evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.",
+                            "links": [
+                              {
+                                "href": "#cp-8.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#cp-8.4_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-8.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -70449,7 +77285,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}."
+                    "prose": "alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cp-8.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-8.5_asm-examine",
@@ -70781,7 +77623,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};"
+                    "prose": "backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.b",
@@ -70793,7 +77641,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};"
+                    "prose": "backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.c",
@@ -70805,7 +77659,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};"
+                    "prose": "backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9_obj.d",
@@ -70828,7 +77688,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the confidentiality of backup information is protected;"
+                        "prose": "the confidentiality of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-2",
@@ -70840,7 +77706,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of backup information is protected;"
+                        "prose": "the integrity of backup information is protected;",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9_obj.d-3",
@@ -70852,10 +77724,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the availability of backup information is protected."
+                        "prose": "the availability of backup information is protected.",
+                        "links": [
+                          {
+                            "href": "#cp-9_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-9_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -71042,7 +77932,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;"
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.1_obj-2",
@@ -71054,7 +77950,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity."
+                        "prose": "backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.",
+                        "links": [
+                          {
+                            "href": "#cp-9.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71181,7 +78089,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing."
+                    "prose": "a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.",
+                    "links": [
+                      {
+                        "href": "#cp-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.2_asm-examine",
@@ -71336,7 +78250,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system."
+                    "prose": "backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.",
+                    "links": [
+                      {
+                        "href": "#cp-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.3_asm-examine",
@@ -71542,7 +78462,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};"
+                        "prose": "system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#cp-9.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.5_obj-2",
@@ -71554,7 +78480,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}."
+                        "prose": "system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#cp-9.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71692,7 +78630,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;"
+                        "prose": "system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;",
+                        "links": [
+                          {
+                            "href": "#cp-9.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "cp-9.6_obj-2",
@@ -71704,7 +78648,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations."
+                        "prose": "system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.",
+                        "links": [
+                          {
+                            "href": "#cp-9.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#cp-9.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -71861,7 +78817,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced."
+                    "prose": "dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced.",
+                    "links": [
+                      {
+                        "href": "#cp-9.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.7_asm-examine",
@@ -72016,7 +78978,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}."
+                    "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.",
+                    "links": [
+                      {
+                        "href": "#cp-9.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-9.8_asm-examine",
@@ -72236,7 +79204,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;"
+                    "prose": "the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10_obj-2",
@@ -72248,7 +79222,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure."
+                    "prose": "a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.",
+                    "links": [
+                      {
+                        "href": "#cp-10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#cp-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -72401,7 +79387,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "transaction recovery is implemented for systems that are transaction-based."
+                    "prose": "transaction recovery is implemented for systems that are transaction-based.",
+                    "links": [
+                      {
+                        "href": "#cp-10.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.2_asm-examine",
@@ -72583,7 +79575,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided."
+                    "prose": "the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.",
+                    "links": [
+                      {
+                        "href": "#cp-10.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.4_asm-examine",
@@ -72758,7 +79756,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components used for recovery and reconstitution are protected."
+                    "prose": "system components used for recovery and reconstitution are protected.",
+                    "links": [
+                      {
+                        "href": "#cp-10.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "cp-10.6_asm-examine",
@@ -72911,7 +79915,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations."
+                "prose": "the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations.",
+                "links": [
+                  {
+                    "href": "#cp-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-11_asm-examine",
@@ -73100,7 +80110,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected."
+                "prose": "a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected.",
+                "links": [
+                  {
+                    "href": "#cp-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-12_asm-examine",
@@ -73276,7 +80292,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised."
+                "prose": "{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.",
+                "links": [
+                  {
+                    "href": "#cp-13_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "cp-13_asm-examine",
@@ -73765,7 +80787,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an identification and authentication policy is developed and documented;"
+                        "prose": "an identification and authentication policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-2",
@@ -73777,7 +80805,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};"
+                        "prose": "the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-3",
@@ -73789,7 +80823,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;"
+                        "prose": "identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a-4",
@@ -73801,7 +80841,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};"
+                        "prose": "the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-1_obj.a.1",
@@ -73835,7 +80881,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-2",
@@ -73847,7 +80899,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-3",
@@ -73859,7 +80917,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-4",
@@ -73871,7 +80935,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-5",
@@ -73883,7 +80953,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-6",
@@ -73895,7 +80971,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ia-1_obj.a.1.a-7",
@@ -73907,7 +80989,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;"
+                                "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ia-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -73921,10 +81015,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -73937,7 +81049,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;"
+                    "prose": "the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-1_obj.c",
@@ -73971,7 +81089,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.1-2",
@@ -73983,7 +81107,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};"
+                            "prose": "the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -74008,7 +81144,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};"
+                            "prose": "the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-1_obj.c.2-2",
@@ -74020,12 +81162,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}."
+                            "prose": "the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ia-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -74216,6 +81382,10 @@
                 "href": "#ia-8",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -74273,7 +81443,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational users are uniquely identified and authenticated;"
+                    "prose": "organizational users are uniquely identified and authenticated;",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2_obj-2",
@@ -74285,7 +81461,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users."
+                    "prose": "the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.",
+                    "links": [
+                      {
+                        "href": "#ia-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -74416,7 +81604,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication is implemented for access to privileged accounts."
+                    "prose": "multi-factor authentication is implemented for access to privileged accounts.",
+                    "links": [
+                      {
+                        "href": "#ia-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.1_asm-examine",
@@ -74541,7 +81735,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented."
+                    "prose": "multi-factor authentication for access to non-privileged accounts is implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.2_asm-examine",
@@ -74727,7 +81927,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed."
+                    "prose": "users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.",
+                    "links": [
+                      {
+                        "href": "#ia-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.5_asm-examine",
@@ -74952,7 +82158,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;"
+                        "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;",
+                        "links": [
+                          {
+                            "href": "#ia-2.6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-2.6_obj.b",
@@ -74964,7 +82176,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}."
+                        "prose": "multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ia-2.6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-2.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -75140,7 +82364,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented."
+                    "prose": "replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-2.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.8_asm-examine",
@@ -75313,7 +82543,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}."
+                    "prose": "a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-2.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.10_asm-examine",
@@ -75464,7 +82700,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified."
+                    "prose": "Personal Identity Verification-compliant credentials are accepted and electronically verified.",
+                    "links": [
+                      {
+                        "href": "#ia-2.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.12_asm-examine",
@@ -75639,7 +82881,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}."
+                    "prose": "{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-2.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-2.13_asm-examine",
@@ -75820,6 +83068,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#si-4",
                 "rel": "related"
@@ -75846,7 +83098,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection."
+                "prose": "{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.",
+                "links": [
+                  {
+                    "href": "#ia-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-3_asm-examine",
@@ -76023,7 +83281,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based."
+                    "prose": "{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based.",
+                    "links": [
+                      {
+                        "href": "#ia-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-3.1_asm-examine",
@@ -76273,7 +83537,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};"
+                            "prose": "dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#ia-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-3.3_obj.a-2",
@@ -76285,7 +83555,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};"
+                            "prose": "dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#ia-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-3.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -76299,7 +83581,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lease information is audited when assigned to a device."
+                        "prose": "lease information is audited when assigned to a device.",
+                        "links": [
+                          {
+                            "href": "#ia-3.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -76456,7 +83750,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}."
+                    "prose": "device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-3.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-3.4_asm-examine",
@@ -76762,7 +84062,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;"
+                    "prose": "system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.b",
@@ -76774,7 +84080,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.c",
@@ -76786,7 +84098,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;"
+                    "prose": "system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4_obj.d",
@@ -76798,7 +84116,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}."
+                    "prose": "system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -76929,7 +84259,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts."
+                    "prose": "the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.",
+                    "links": [
+                      {
+                        "href": "#ia-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.1_asm-examine",
@@ -77137,7 +84473,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}."
+                    "prose": "individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.4_asm-examine",
@@ -77284,7 +84626,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}."
+                    "prose": "individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.5_asm-examine",
@@ -77439,7 +84787,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}."
+                    "prose": "cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.6_asm-examine",
@@ -77594,7 +84948,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "pairwise pseudonymous identifiers are generated."
+                    "prose": "pairwise pseudonymous identifiers are generated.",
+                    "links": [
+                      {
+                        "href": "#ia-4.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.8_asm-examine",
@@ -77742,7 +85102,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}."
+                    "prose": "the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-4.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-4.9_asm-examine",
@@ -78124,7 +85490,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;"
+                    "prose": "system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.b",
@@ -78136,7 +85508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;"
+                    "prose": "system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.c",
@@ -78148,7 +85526,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;"
+                    "prose": "system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.d",
@@ -78160,7 +85544,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;"
+                    "prose": "system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.e",
@@ -78172,7 +85562,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;"
+                    "prose": "system authenticators are managed through the change of default authenticators prior to first use;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.f",
@@ -78184,7 +85580,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;"
+                    "prose": "system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.g",
@@ -78196,7 +85598,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;"
+                    "prose": "system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5_obj.h",
@@ -78219,7 +85627,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5_obj.h-2",
@@ -78231,7 +85645,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;"
+                        "prose": "system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78245,7 +85671,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes."
+                    "prose": "system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.",
+                    "links": [
+                      {
+                        "href": "#ia-5_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -78520,7 +85958,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;"
+                        "prose": "for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.b",
@@ -78532,7 +85976,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);"
+                        "prose": "for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.c",
@@ -78544,7 +85994,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;"
+                        "prose": "for password-based authentication, passwords are only transmitted over cryptographically protected channels;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.d",
@@ -78556,7 +86012,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;"
+                        "prose": "for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.e",
@@ -78568,7 +86030,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;"
+                        "prose": "for password-based authentication, immediate selection of a new password is required upon account recovery;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.f",
@@ -78580,7 +86048,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;"
+                        "prose": "for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.g",
@@ -78592,7 +86066,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;"
+                        "prose": "for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.1_obj.h",
@@ -78604,7 +86084,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced."
+                        "prose": "for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.",
+                        "links": [
+                          {
+                            "href": "#ia-5.1_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -78828,7 +86320,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;"
+                            "prose": "authorized access to the corresponding private key is enforced for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.a.2",
@@ -78840,7 +86338,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;"
+                            "prose": "the authenticated identity is mapped to the account of the individual or group for public key-based authentication;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -78865,7 +86375,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;"
+                            "prose": "when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-5.2_obj.b.2",
@@ -78877,10 +86393,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation."
+                            "prose": "when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.",
+                            "links": [
+                              {
+                                "href": "#ia-5.2_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-5.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -79062,7 +86596,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation."
+                    "prose": "developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.",
+                    "links": [
+                      {
+                        "href": "#ia-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.5_asm-examine",
@@ -79187,7 +86727,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access."
+                    "prose": "authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.",
+                    "links": [
+                      {
+                        "href": "#ia-5.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.6_asm-examine",
@@ -79308,7 +86854,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage."
+                    "prose": "unencrypted static authenticators are not embedded in applications or other forms of static storage.",
+                    "links": [
+                      {
+                        "href": "#ia-5.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.7_asm-examine",
@@ -79455,7 +87007,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems."
+                    "prose": "{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.",
+                    "links": [
+                      {
+                        "href": "#ia-5.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.8_asm-examine",
@@ -79606,7 +87164,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ia-05.09_odp }} are used to federate credentials."
+                    "prose": "{{ insert: param, ia-05.09_odp }} are used to federate credentials.",
+                    "links": [
+                      {
+                        "href": "#ia-5.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.9_asm-examine",
@@ -79757,7 +87321,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}."
+                    "prose": "identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-5.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.10_asm-examine",
@@ -79938,7 +87508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication."
+                    "prose": "mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication.",
+                    "links": [
+                      {
+                        "href": "#ia-5.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.12_asm-examine",
@@ -80081,7 +87657,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}."
+                    "prose": "the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-5.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.13_asm-examine",
@@ -80202,7 +87784,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication."
+                    "prose": "an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.",
+                    "links": [
+                      {
+                        "href": "#ia-5.14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.14_asm-examine",
@@ -80323,7 +87911,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only General Services Administration-approved products and services are used for identity, credential, and access management."
+                    "prose": "only General Services Administration-approved products and services are used for identity, credential, and access management.",
+                    "links": [
+                      {
+                        "href": "#ia-5.15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.15_asm-examine",
@@ -80530,7 +88124,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}."
+                    "prose": "the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#ia-5.16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.16_asm-examine",
@@ -80655,7 +88255,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "presentation attack detection mechanisms are employed for biometric-based authentication."
+                    "prose": "presentation attack detection mechanisms are employed for biometric-based authentication.",
+                    "links": [
+                      {
+                        "href": "#ia-5.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-5.17_asm-examine",
@@ -80852,7 +88458,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;"
+                        "prose": "{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;",
+                        "links": [
+                          {
+                            "href": "#ia-5.18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-5.18_obj.b",
@@ -80864,7 +88476,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}."
+                        "prose": "the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ia-5.18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-5.18_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -80989,7 +88613,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."
+                "prose": "the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.",
+                "links": [
+                  {
+                    "href": "#ia-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-6_asm-examine",
@@ -81130,7 +88760,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."
+                "prose": "mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.",
+                "links": [
+                  {
+                    "href": "#ia-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-7_asm-examine",
@@ -81297,6 +88933,10 @@
                 "href": "#ia-11",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -81335,7 +88975,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated."
+                "prose": "non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.",
+                "links": [
+                  {
+                    "href": "#ia-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-8_asm-examine",
@@ -81471,7 +89117,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;"
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.1_obj-2",
@@ -81483,7 +89135,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified."
+                        "prose": "Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.",
+                        "links": [
+                          {
+                            "href": "#ia-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -81640,7 +89304,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only external authenticators that are NIST-compliant are accepted;"
+                        "prose": "only external authenticators that are NIST-compliant are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.2_obj.b",
@@ -81663,7 +89333,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is documented;"
+                            "prose": "a list of accepted external authenticators is documented;",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ia-8.2_obj.b-2",
@@ -81675,10 +89351,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a list of accepted external authenticators is maintained."
+                            "prose": "a list of accepted external authenticators is maintained.",
+                            "links": [
+                              {
+                                "href": "#ia-8.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ia-8.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -81852,7 +89546,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management."
+                    "prose": "there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.",
+                    "links": [
+                      {
+                        "href": "#ia-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-8.4_asm-examine",
@@ -82006,7 +89706,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;"
+                        "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;",
+                        "links": [
+                          {
+                            "href": "#ia-8.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-8.5_obj-2",
@@ -82018,7 +89724,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified."
+                        "prose": "federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified.",
+                        "links": [
+                          {
+                            "href": "#ia-8.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-8.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -82163,7 +89881,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented."
+                    "prose": "{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.",
+                    "links": [
+                      {
+                        "href": "#ia-8.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-8.6_asm-examine",
@@ -82299,6 +90023,10 @@
                 "href": "#ia-5",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#sc-8",
                 "rel": "related"
@@ -82325,7 +90053,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications."
+                "prose": "{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.",
+                "links": [
+                  {
+                    "href": "#ia-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-9_asm-examine",
@@ -82558,7 +90292,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}."
+                "prose": "individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ia-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-10_asm-examine",
@@ -82731,7 +90471,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}."
+                "prose": "users are required to re-authenticate when {{ insert: param, ia-11_odp }}.",
+                "links": [
+                  {
+                    "href": "#ia-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ia-11_asm-examine",
@@ -82873,6 +90619,10 @@
               {
                 "href": "#ia-8",
                 "rel": "related"
+              },
+              {
+                "href": "#ia-13",
+                "rel": "related"
               }
             ],
             "parts": [
@@ -82941,7 +90691,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;"
+                    "prose": "users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.b",
@@ -82953,7 +90709,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "user identities are resolved to a unique individual;"
+                    "prose": "user identities are resolved to a unique individual;",
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12_obj.c",
@@ -82976,7 +90738,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is collected;"
+                        "prose": "identity evidence is collected;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-2",
@@ -82988,7 +90756,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is validated;"
+                        "prose": "identity evidence is validated;",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ia-12_obj.c-3",
@@ -83000,10 +90774,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "identity evidence is verified."
+                        "prose": "identity evidence is verified.",
+                        "links": [
+                          {
+                            "href": "#ia-12_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ia-12_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-12_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -83125,7 +90917,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the registration process to receive an account for logical access includes supervisor or sponsor authorization."
+                    "prose": "the registration process to receive an account for logical access includes supervisor or sponsor authorization.",
+                    "links": [
+                      {
+                        "href": "#ia-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.1_asm-examine",
@@ -83246,7 +91044,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "evidence of individual identification is presented to the registration authority."
+                    "prose": "evidence of individual identification is presented to the registration authority.",
+                    "links": [
+                      {
+                        "href": "#ia-12.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.2_asm-examine",
@@ -83394,7 +91198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}."
+                    "prose": "the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-12.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.3_asm-examine",
@@ -83515,7 +91325,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority."
+                    "prose": "the validation and verification of identity evidence is conducted in person before a designated registration authority.",
+                    "links": [
+                      {
+                        "href": "#ia-12.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.4_asm-examine",
@@ -83662,7 +91478,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record."
+                    "prose": "a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.",
+                    "links": [
+                      {
+                        "href": "#ia-12.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.5_asm-examine",
@@ -83821,7 +91643,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}."
+                    "prose": "externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ia-12.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ia-12.6_asm-examine",
@@ -83892,6 +91720,1124 @@
                 ]
               }
             ]
+          },
+          {
+            "id": "ia-13",
+            "class": "SP800-53",
+            "title": "Identity Providers and Authorization Servers",
+            "params": [
+              {
+                "id": "ia-13_prm_1",
+                "props": [
+                  {
+                    "name": "aggregates",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "ia-13_odp.01"
+                  }
+                ],
+                "label": "organization-defined identification and authentication policy"
+              },
+              {
+                "id": "ia-13_prm_2",
+                "props": [
+                  {
+                    "name": "aggregates",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "ia-13_odp.02"
+                  }
+                ],
+                "label": "organization-defined mechanisms"
+              },
+              {
+                "id": "ia-13_odp.01",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13_ODP[01]",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "label": "policy",
+                "guidelines": [
+                  {
+                    "prose": "identification and authentication policy is defined;"
+                  }
+                ]
+              },
+              {
+                "id": "ia-13_odp.02",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13_ODP[02]",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "label": "mechanisms",
+                "guidelines": [
+                  {
+                    "prose": "mechanisms supporting authentication and authorization decisions are defined;"
+                  }
+                ]
+              }
+            ],
+            "props": [
+              {
+                "name": "label",
+                "value": "IA-13"
+              },
+              {
+                "name": "label",
+                "value": "IA-13",
+                "class": "sp800-53a"
+              },
+              {
+                "name": "sort-id",
+                "value": "ia-13"
+              },
+              {
+                "name": "implementation-level",
+                "ns": "http://csrc.nist.gov/ns/rmf",
+                "value": "organization"
+              },
+              {
+                "name": "implementation-level",
+                "ns": "http://csrc.nist.gov/ns/rmf",
+                "value": "system"
+              }
+            ],
+            "links": [
+              {
+                "href": "#ac-3",
+                "rel": "related"
+              },
+              {
+                "href": "#ia-2",
+                "rel": "related"
+              },
+              {
+                "href": "#ia-3",
+                "rel": "related"
+              },
+              {
+                "href": "#ia-8",
+                "rel": "related"
+              },
+              {
+                "href": "#ia-9",
+                "rel": "related"
+              },
+              {
+                "href": "#ia-12",
+                "rel": "related"
+              }
+            ],
+            "parts": [
+              {
+                "id": "ia-13_smt",
+                "name": "statement",
+                "prose": "Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_prm_1 }} using {{ insert: param, ia-13_prm_2 }}."
+              },
+              {
+                "id": "ia-13_gdn",
+                "name": "guidance",
+                "prose": "Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05."
+              },
+              {
+                "id": "ia-13_obj",
+                "name": "assessment-objective",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "parts": [
+                  {
+                    "id": "ia-13_obj-1",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13[01]",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "prose": "identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ia-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13_obj-2",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13[02]",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "prose": "identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ia-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13_obj-3",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13[03]",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "prose": "authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ia-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13_obj-4",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13[04]",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "prose": "authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ia-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ]
+              },
+              {
+                "id": "ia-13_asm-examine",
+                "name": "assessment-method",
+                "props": [
+                  {
+                    "name": "method",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "EXAMINE"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13-Examine",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "parts": [
+                  {
+                    "name": "assessment-objects",
+                    "prose": " Identification and authentication policy;\n\nprocedures addressing user and device identification and authentication;\n\nsystem security plan;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"
+                  }
+                ]
+              },
+              {
+                "id": "ia-13_asm-interview",
+                "name": "assessment-method",
+                "props": [
+                  {
+                    "name": "method",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "INTERVIEW"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13-Interview",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "parts": [
+                  {
+                    "name": "assessment-objects",
+                    "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"
+                  }
+                ]
+              },
+              {
+                "id": "ia-13_asm-test",
+                "name": "assessment-method",
+                "props": [
+                  {
+                    "name": "method",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "TEST"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13-Test",
+                    "class": "sp800-53a"
+                  }
+                ],
+                "parts": [
+                  {
+                    "name": "assessment-objects",
+                    "prose": "Mechanisms supporting and/or implementing identification and authentication capabilities and access rights"
+                  }
+                ]
+              }
+            ],
+            "controls": [
+              {
+                "id": "ia-13.1",
+                "class": "SP800-53-enhancement",
+                "title": "Protection of Cryptographic Keys",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13(1)"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13(01)",
+                    "class": "sp800-53a"
+                  },
+                  {
+                    "name": "sort-id",
+                    "value": "ia-13.01"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "organization"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "system"
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-13",
+                    "rel": "required"
+                  },
+                  {
+                    "href": "#ia-13",
+                    "rel": "related"
+                  },
+                  {
+                    "href": "#sc-12",
+                    "rel": "related"
+                  },
+                  {
+                    "href": "#sc-13",
+                    "rel": "related"
+                  }
+                ],
+                "parts": [
+                  {
+                    "id": "ia-13.1_smt",
+                    "name": "statement",
+                    "prose": "Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse."
+                  },
+                  {
+                    "id": "ia-13.1_gdn",
+                    "name": "guidance",
+                    "prose": "Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. "
+                  },
+                  {
+                    "id": "ia-13.1_obj",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13(01)",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "id": "ia-13.1_obj-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(01)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "cryptographic keys that protect access tokens are generated;",
+                        "links": [
+                          {
+                            "href": "#ia-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.1_obj-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(01)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "cryptographic keys that protect access tokens are managed;",
+                        "links": [
+                          {
+                            "href": "#ia-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.1_obj-3",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(01)[03]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "cryptographic keys that protect access tokens are protected from disclosure; and",
+                        "links": [
+                          {
+                            "href": "#ia-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.1_obj-4",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(01)[04]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "cryptographic keys that protect access tokens are protected from disclosure and misuse",
+                        "links": [
+                          {
+                            "href": "#ia-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.1_asm-examine",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "EXAMINE"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(01)-Examine",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Identification and authentication policy;\n\nprocedures addressing cryptographic key establishment and management;\n\nsystem design documentation;\n\ncryptographic mechanisms;\n\nsystem configuration settings and associated documentation;\n\nsystem security plan;\n\nother relevant documents or records"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.1_asm-interview",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "INTERVIEW"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(01)-Interview",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "System/network administrators;\n\norganizational personnel with information security responsibilities;\n\norganizational personnel with responsibilities for cryptographic key establishment and/or management"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.1_asm-test",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "TEST"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(01)-Test",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Organizational processes for cryptographic key management;\n\ncryptographic modules generating, storing, and using cryptographic keys"
+                      }
+                    ]
+                  }
+                ]
+              },
+              {
+                "id": "ia-13.2",
+                "class": "SP800-53-enhancement",
+                "title": "Verification of Identity Assertions and Access Tokens",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13(2)"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13(02)",
+                    "class": "sp800-53a"
+                  },
+                  {
+                    "name": "sort-id",
+                    "value": "ia-13.02"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "organization"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "system"
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ia-13",
+                    "rel": "required"
+                  },
+                  {
+                    "href": "#ia-13",
+                    "rel": "related"
+                  }
+                ],
+                "parts": [
+                  {
+                    "id": "ia-13.2_smt",
+                    "name": "statement",
+                    "prose": "The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources."
+                  },
+                  {
+                    "id": "ia-13.2_gdn",
+                    "name": "guidance",
+                    "prose": "This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs."
+                  },
+                  {
+                    "id": "ia-13.2_obj",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13(02)",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "id": "ia-13.2_obj-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(02)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "the source of identity assertions is verified before granting access to system and information resources;",
+                        "links": [
+                          {
+                            "href": "#ia-13.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.2_obj-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(02)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "the source of access tokens is verified before granting access to system and information resources;",
+                        "links": [
+                          {
+                            "href": "#ia-13.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.2_obj-3",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(02)[03]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "the integrity of identity assertions is verified before granting access to system and information resources;",
+                        "links": [
+                          {
+                            "href": "#ia-13.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.2_obj-4",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(02)[04]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "the integrity of access tokens is verified before granting access to system and information resources",
+                        "links": [
+                          {
+                            "href": "#ia-13.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.2_asm-examine",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "EXAMINE"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(02)-Examine",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Identification and authentication policy;\n\nsystem security plan; system design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.2_asm-interview",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "INTERVIEW"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(02)-Interview",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.2_asm-test",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "TEST"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(02)-Test",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights"
+                      }
+                    ]
+                  }
+                ]
+              },
+              {
+                "id": "ia-13.3",
+                "class": "SP800-53-enhancement",
+                "title": "Token Management",
+                "props": [
+                  {
+                    "name": "label",
+                    "value": "IA-13(3)"
+                  },
+                  {
+                    "name": "label",
+                    "value": "IA-13(03)",
+                    "class": "sp800-53a"
+                  },
+                  {
+                    "name": "sort-id",
+                    "value": "ia-13.03"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "organization"
+                  },
+                  {
+                    "name": "implementation-level",
+                    "ns": "http://csrc.nist.gov/ns/rmf",
+                    "value": "system"
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#737513fa-6758-403f-831d-5ddab5e23cb3",
+                    "rel": "reference"
+                  },
+                  {
+                    "href": "#ff989cdc-649d-4f45-8f61-9309c9680933",
+                    "rel": "reference"
+                  },
+                  {
+                    "href": "#e9d6c5f2-b3aa-4a28-8bea-a0135718d453",
+                    "rel": "reference"
+                  },
+                  {
+                    "href": "#ia-13",
+                    "rel": "required"
+                  },
+                  {
+                    "href": "#ia-13",
+                    "rel": "related"
+                  }
+                ],
+                "parts": [
+                  {
+                    "id": "ia-13.3_smt",
+                    "name": "statement",
+                    "prose": "In accordance with {{ insert: param, ia-13_prm_1 }}, assertions and access tokens are:",
+                    "parts": [
+                      {
+                        "id": "ac-13.3_smt.a",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(a)"
+                          }
+                        ],
+                        "prose": "generated;"
+                      },
+                      {
+                        "id": "ac-13.3_smt.b",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(b)"
+                          }
+                        ],
+                        "prose": "issued;"
+                      },
+                      {
+                        "id": "ac-13.3_smt.c",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(c)"
+                          }
+                        ],
+                        "prose": "refreshed;"
+                      },
+                      {
+                        "id": "ac-13.3_smt.d",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(d)"
+                          }
+                        ],
+                        "prose": "revoked;"
+                      },
+                      {
+                        "id": "ac-13.3_smt.e",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(e)"
+                          }
+                        ],
+                        "prose": "time-restricted; and"
+                      },
+                      {
+                        "id": "ac-13.3_smt.f",
+                        "name": "item",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "(f)"
+                          }
+                        ],
+                        "prose": "audience-restricted."
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.3_gdn",
+                    "name": "guidance",
+                    "prose": "An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens."
+                  },
+                  {
+                    "id": "ia-13.3_obj",
+                    "name": "assessment-objective",
+                    "props": [
+                      {
+                        "name": "label",
+                        "value": "IA-13(03)",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "id": "ia-13.3_obj.a-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(a)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are generated in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.a-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(a)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are generated in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.b-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(b)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are issued in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.b-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(b)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are issued in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.c-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(c)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.c-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(c)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.d-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(d)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are revoked in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.d-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(d)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are revoked in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.e-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(e)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.e-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(e)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.f-1",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(f)[01]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "assertions are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      },
+                      {
+                        "id": "ia-13.3_obj.f-2",
+                        "name": "assessment-objective",
+                        "props": [
+                          {
+                            "name": "label",
+                            "value": "IA-13(03)(f)[02]",
+                            "class": "sp800-53a"
+                          }
+                        ],
+                        "prose": "access tokens are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ia-13.3_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.3_asm-examine",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "EXAMINE"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(03)-Examine",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Identification and authentication policy;\n\naccess control policy;\n\nprocedures for assertion and token management;\n\nsystem design documentation;\n\nsystem configuration settings and associated documentation;\n\nother relevant documents or records"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.3_asm-interview",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "INTERVIEW"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(03)-Interview",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Organizational personnel with system operations responsibilities;\n\norganizational personnel with information security responsibilities;\n\nsystem/ network administrators;\n\norganizational personnel with account management responsibilities;\n\nsystem developers"
+                      }
+                    ]
+                  },
+                  {
+                    "id": "ia-13.3_asm-test",
+                    "name": "assessment-method",
+                    "props": [
+                      {
+                        "name": "method",
+                        "ns": "http://csrc.nist.gov/ns/rmf",
+                        "value": "TEST"
+                      },
+                      {
+                        "name": "label",
+                        "value": "IA-13(03)-Test",
+                        "class": "sp800-53a"
+                      }
+                    ],
+                    "parts": [
+                      {
+                        "name": "assessment-objects",
+                        "prose": "Mechanisms and software supporting and/or implementing token generation"
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
           }
         ]
       },
@@ -84296,7 +93242,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response policy is developed and documented;"
+                        "prose": "an incident response policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-2",
@@ -84308,7 +93260,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};"
+                        "prose": "the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-3",
@@ -84320,7 +93278,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;"
+                        "prose": "incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a-4",
@@ -84332,7 +93296,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};"
+                        "prose": "the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-1_obj.a.1",
@@ -84366,7 +93336,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-2",
@@ -84378,7 +93354,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-3",
@@ -84390,7 +93372,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-4",
@@ -84402,7 +93390,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-5",
@@ -84414,7 +93408,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-6",
@@ -84426,7 +93426,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ir-1_obj.a.1.a-7",
@@ -84438,7 +93444,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;"
+                                "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ir-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -84452,10 +93470,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -84468,7 +93504,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;"
+                    "prose": "the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-1_obj.c",
@@ -84502,7 +93544,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};"
+                            "prose": "the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.1-2",
@@ -84514,7 +93562,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};"
+                            "prose": "the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -84539,7 +93599,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};"
+                            "prose": "the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-1_obj.c.2-2",
@@ -84551,12 +93617,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}."
+                            "prose": "the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ir-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -84859,7 +93949,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.2",
@@ -84871,7 +93967,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.a.3",
@@ -84883,7 +93985,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;"
+                        "prose": "incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -84908,7 +94022,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};"
+                        "prose": "incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2_obj.b-2",
@@ -84920,10 +94040,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}."
+                        "prose": "incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -85028,7 +94166,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations."
+                    "prose": "simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.",
+                    "links": [
+                      {
+                        "href": "#ir-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-2.1_asm-examine",
@@ -85176,7 +94320,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}."
+                    "prose": "an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-2.2_asm-examine",
@@ -85313,7 +94463,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training on how to identify and respond to a breach is provided;"
+                        "prose": "incident response training on how to identify and respond to a breach is provided;",
+                        "links": [
+                          {
+                            "href": "#ir-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-2.3_obj-2",
@@ -85325,7 +94481,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response training on the organization’s process for reporting a breach is provided."
+                        "prose": "incident response training on the organization’s process for reporting a breach is provided.",
+                        "links": [
+                          {
+                            "href": "#ir-2.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -85507,7 +94675,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}."
+                "prose": "the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ir-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ir-3_asm-examine",
@@ -85633,7 +94807,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response capability is tested using {{ insert: param, ir-03.01_odp }}."
+                    "prose": "the incident response capability is tested using {{ insert: param, ir-03.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-3.1_asm-examine",
@@ -85759,7 +94939,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans."
+                    "prose": "incident response testing is coordinated with organizational elements responsible for related plans.",
+                    "links": [
+                      {
+                        "href": "#ir-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-3.2_asm-examine",
@@ -85920,7 +95106,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "qualitative data from testing are used to determine the effectiveness of incident response processes;"
+                            "prose": "qualitative data from testing are used to determine the effectiveness of incident response processes;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.a-2",
@@ -85932,7 +95124,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "quantitative data from testing are used to determine the effectiveness of incident response processes;"
+                            "prose": "quantitative data from testing are used to determine the effectiveness of incident response processes;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-3.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -85957,7 +95161,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "qualitative data from testing are used to continuously improve incident response processes;"
+                            "prose": "qualitative data from testing are used to continuously improve incident response processes;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.b-2",
@@ -85969,7 +95179,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "quantitative data from testing are used to continuously improve incident response processes;"
+                            "prose": "quantitative data from testing are used to continuously improve incident response processes;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-3.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -85994,7 +95216,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "qualitative data from testing are used to provide incident response measures and metrics that are accurate;"
+                            "prose": "qualitative data from testing are used to provide incident response measures and metrics that are accurate;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.c-2",
@@ -86006,7 +95234,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "quantitative data from testing are used to provide incident response measures and metrics that are accurate;"
+                            "prose": "quantitative data from testing are used to provide incident response measures and metrics that are accurate;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.c-3",
@@ -86018,7 +95252,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "qualitative data from testing are used to provide incident response measures and metrics that are consistent;"
+                            "prose": "qualitative data from testing are used to provide incident response measures and metrics that are consistent;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.c-4",
@@ -86030,7 +95270,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "quantitative data from testing are used to provide incident response measures and metrics that are consistent;"
+                            "prose": "quantitative data from testing are used to provide incident response measures and metrics that are consistent;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.c-5",
@@ -86042,7 +95288,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;"
+                            "prose": "qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ir-3.3_obj.c-6",
@@ -86054,10 +95306,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "quantitative data from testing are used to provide incident response measures and metrics in a reproducible format."
+                            "prose": "quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.",
+                            "links": [
+                              {
+                                "href": "#ir-3.3_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ir-3.3_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-3.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -86346,7 +95616,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;"
+                        "prose": "an incident handling capability for incidents is implemented that is consistent with the incident response plan;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-2",
@@ -86358,7 +95634,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes preparation;"
+                        "prose": "the incident handling capability for incidents includes preparation;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-3",
@@ -86370,7 +95652,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes detection and analysis;"
+                        "prose": "the incident handling capability for incidents includes detection and analysis;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-4",
@@ -86382,7 +95670,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes containment;"
+                        "prose": "the incident handling capability for incidents includes containment;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-5",
@@ -86394,7 +95688,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes eradication;"
+                        "prose": "the incident handling capability for incidents includes eradication;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.a-6",
@@ -86406,7 +95706,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident handling capability for incidents includes recovery;"
+                        "prose": "the incident handling capability for incidents includes recovery;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -86420,7 +95732,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities are coordinated with contingency planning activities;"
+                    "prose": "incident handling activities are coordinated with contingency planning activities;",
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4_obj.c",
@@ -86443,7 +95761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;"
+                        "prose": "lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.c-2",
@@ -86455,7 +95779,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;"
+                        "prose": "the changes resulting from the incorporated lessons learned are implemented accordingly;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -86480,7 +95816,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the rigor of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-2",
@@ -86492,7 +95834,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the intensity of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-3",
@@ -86504,7 +95852,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;"
+                        "prose": "the scope of incident handling activities is comparable and predictable across the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4_obj.d-4",
@@ -86516,10 +95870,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of incident handling activities are comparable and predictable across the organization."
+                        "prose": "the results of incident handling activities are comparable and predictable across the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -86663,7 +96035,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}."
+                    "prose": "the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.1_asm-examine",
@@ -86838,7 +96216,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability."
+                    "prose": "{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.",
+                    "links": [
+                      {
+                        "href": "#ir-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.2_asm-examine",
@@ -87017,7 +96401,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ir-04.03_odp.01 }} are identified;"
+                        "prose": "{{ insert: param, ir-04.03_odp.01 }} are identified;",
+                        "links": [
+                          {
+                            "href": "#ir-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.3_obj-2",
@@ -87029,7 +96419,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions."
+                        "prose": "{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.",
+                        "links": [
+                          {
+                            "href": "#ir-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -87152,7 +96554,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response."
+                    "prose": "incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.",
+                    "links": [
+                      {
+                        "href": "#ir-4.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.4_asm-examine",
@@ -87300,7 +96708,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected."
+                    "prose": "a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.",
+                    "links": [
+                      {
+                        "href": "#ir-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.5_asm-examine",
@@ -87421,7 +96835,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident handling capability is implemented for incidents involving insider threats."
+                    "prose": "an incident handling capability is implemented for incidents involving insider threats.",
+                    "links": [
+                      {
+                        "href": "#ir-4.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.6_asm-examine",
@@ -87575,7 +96995,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident handling capability is coordinated for insider threats;"
+                        "prose": "an incident handling capability is coordinated for insider threats;",
+                        "links": [
+                          {
+                            "href": "#ir-4.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.7_obj-2",
@@ -87587,7 +97013,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}."
+                        "prose": "the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ir-4.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -87760,7 +97198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses."
+                    "prose": "there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses.",
+                    "links": [
+                      {
+                        "href": "#ir-4.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.8_asm-examine",
@@ -87903,7 +97347,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-04.09_odp }} are employed to respond to incidents."
+                    "prose": "{{ insert: param, ir-04.09_odp }} are employed to respond to incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-4.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.9_asm-examine",
@@ -88040,7 +97490,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain."
+                    "prose": "incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.",
+                    "links": [
+                      {
+                        "href": "#ir-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.10_asm-examine",
@@ -88176,7 +97632,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrated incident response team is established and maintained;"
+                        "prose": "an integrated incident response team is established and maintained;",
+                        "links": [
+                          {
+                            "href": "#ir-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.11_obj-2",
@@ -88188,7 +97650,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}."
+                        "prose": "the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ir-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.11_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88300,7 +97774,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "malicious code remaining in the system is analyzed after the incident;"
+                        "prose": "malicious code remaining in the system is analyzed after the incident;",
+                        "links": [
+                          {
+                            "href": "#ir-4.12_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.12_obj-2",
@@ -88312,7 +97792,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "other residual artifacts remaining in the system (if any) are analyzed after the incident."
+                        "prose": "other residual artifacts remaining in the system (if any) are analyzed after the incident.",
+                        "links": [
+                          {
+                            "href": "#ir-4.12_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.12_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88457,7 +97949,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed."
+                    "prose": "anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed.",
+                    "links": [
+                      {
+                        "href": "#ir-4.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-4.13_asm-examine",
@@ -88594,7 +98092,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security operations center is established;"
+                        "prose": "a security operations center is established;",
+                        "links": [
+                          {
+                            "href": "#ir-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.14_obj-2",
@@ -88606,7 +98110,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security operations center is maintained."
+                        "prose": "a security operations center is maintained.",
+                        "links": [
+                          {
+                            "href": "#ir-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.14_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88763,7 +98279,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "public relations associated with an incident are managed;"
+                        "prose": "public relations associated with an incident are managed;",
+                        "links": [
+                          {
+                            "href": "#ir-4.15_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-4.15_obj.b",
@@ -88775,7 +98297,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "measures are employed to repair the reputation of the organization."
+                        "prose": "measures are employed to repair the reputation of the organization.",
+                        "links": [
+                          {
+                            "href": "#ir-4.15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-4.15_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -88942,7 +98476,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are tracked;"
+                    "prose": "incidents are tracked;",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-5_obj-2",
@@ -88954,7 +98494,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are documented."
+                    "prose": "incidents are documented.",
+                    "links": [
+                      {
+                        "href": "#ir-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -89164,7 +98716,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};"
+                        "prose": "incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-5.1_obj-2",
@@ -89176,7 +98734,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};"
+                        "prose": "incident information is collected using {{ insert: param, ir-05.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-5.1_obj-3",
@@ -89188,7 +98752,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}."
+                        "prose": "incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -89425,7 +99001,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};"
+                    "prose": "personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6_obj.b",
@@ -89437,7 +99019,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}."
+                    "prose": "incident information is reported to {{ insert: param, ir-06_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -89586,7 +99180,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}."
+                    "prose": "incidents are reported using {{ insert: param, ir-06.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.1_asm-examine",
@@ -89729,7 +99329,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}."
+                    "prose": "system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.2_asm-examine",
@@ -89854,7 +99460,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident."
+                    "prose": "incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.",
+                    "links": [
+                      {
+                        "href": "#ir-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-6.3_asm-examine",
@@ -90028,7 +99640,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;"
+                    "prose": "an incident response support resource, integral to the organizational incident response capability, is provided;",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7_obj-2",
@@ -90040,7 +99658,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents."
+                    "prose": "the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.",
+                    "links": [
+                      {
+                        "href": "#ir-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -90185,7 +99815,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}."
+                    "prose": "the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-7.1_asm-examine",
@@ -90340,7 +99976,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;"
+                        "prose": "a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;",
+                        "links": [
+                          {
+                            "href": "#ir-7.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-7.2_obj.b",
@@ -90352,7 +99994,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational incident response team members are identified to the external providers."
+                        "prose": "organizational incident response team members are identified to the external providers.",
+                        "links": [
+                          {
+                            "href": "#ir-7.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-7.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -90853,7 +100507,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;"
+                        "prose": "an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.2",
@@ -90865,7 +100525,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;"
+                        "prose": "an incident response plan is developed that describes the structure and organization of the incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.3",
@@ -90877,7 +100543,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;"
+                        "prose": "an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.4",
@@ -90889,7 +100561,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;"
+                        "prose": "an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.5",
@@ -90901,7 +100579,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines reportable incidents;"
+                        "prose": "an incident response plan is developed that defines reportable incidents;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.6",
@@ -90913,7 +100597,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;"
+                        "prose": "an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.7",
@@ -90925,7 +100615,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;"
+                        "prose": "an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.7",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.8",
@@ -90937,7 +100633,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that addresses the sharing of incident information;"
+                        "prose": "an incident response plan is developed that addresses the sharing of incident information;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.8",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.9",
@@ -90949,7 +100651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};"
+                        "prose": "an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.9",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.a.10",
@@ -90961,7 +100669,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}."
+                        "prose": "an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.a.10",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -90986,7 +100706,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.b-2",
@@ -90998,7 +100724,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};"
+                        "prose": "copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -91012,7 +100750,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;"
+                    "prose": "the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;",
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-8_obj.d",
@@ -91035,7 +100779,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.d-2",
@@ -91047,7 +100797,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};"
+                        "prose": "incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -91072,7 +100834,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized disclosure;"
+                        "prose": "the incident response plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8_obj.e-2",
@@ -91084,10 +100852,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan is protected from unauthorized modification."
+                        "prose": "the incident response plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#ir-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -91279,7 +101065,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;"
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8.1_obj.b",
@@ -91291,7 +101083,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;"
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ir-8.1_obj.c",
@@ -91303,7 +101101,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements."
+                        "prose": "the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.",
+                        "links": [
+                          {
+                            "href": "#ir-8.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ir-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -91608,7 +101418,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;"
+                    "prose": "{{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.b",
@@ -91620,7 +101436,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the specific information involved in the system contamination is identified in response to information spills;"
+                    "prose": "the specific information involved in the system contamination is identified in response to information spills;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.c",
@@ -91632,7 +101454,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;"
+                    "prose": "{{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.d",
@@ -91644,7 +101472,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the contaminated system or system component is isolated in response to information spills;"
+                    "prose": "the contaminated system or system component is isolated in response to information spills;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.e",
@@ -91656,7 +101490,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the information is eradicated from the contaminated system or component in response to information spills;"
+                    "prose": "the information is eradicated from the contaminated system or component in response to information spills;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.f",
@@ -91668,7 +101508,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;"
+                    "prose": "other systems or system components that may have been subsequently contaminated are identified in response to information spills;",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9_obj.g",
@@ -91680,7 +101526,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-09_odp.03 }} are performed in response to information spills."
+                    "prose": "{{ insert: param, ir-09_odp.03 }} are performed in response to information spills.",
+                    "links": [
+                      {
+                        "href": "#ir-9_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ir-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -91871,7 +101729,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}."
+                    "prose": "information spillage response training is provided {{ insert: param, ir-09.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ir-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9.2_asm-examine",
@@ -91992,7 +101856,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions."
+                    "prose": "{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.",
+                    "links": [
+                      {
+                        "href": "#ir-9.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9.3_asm-examine",
@@ -92135,7 +102005,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations."
+                    "prose": "{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ir-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ir-9.4_asm-examine",
@@ -92628,7 +102504,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a maintenance policy is developed and documented;"
+                        "prose": "a maintenance policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-2",
@@ -92640,7 +102522,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};"
+                        "prose": "the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-3",
@@ -92652,7 +102540,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;"
+                        "prose": "maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a-4",
@@ -92664,7 +102558,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};"
+                        "prose": "the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-1_obj.a.1",
@@ -92698,7 +102598,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-2",
@@ -92710,7 +102616,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-3",
@@ -92722,7 +102634,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-4",
@@ -92734,7 +102652,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-5",
@@ -92746,7 +102670,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-6",
@@ -92758,7 +102688,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ma-1_obj.a.1.a-7",
@@ -92770,7 +102706,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;"
+                                "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ma-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -92784,10 +102732,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -92800,7 +102766,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;"
+                    "prose": "the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-1_obj.c",
@@ -92834,7 +102806,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};"
+                            "prose": "the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.1-2",
@@ -92846,7 +102824,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};"
+                            "prose": "the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -92871,7 +102861,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};"
+                            "prose": "the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-1_obj.c.2-2",
@@ -92883,12 +102879,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}."
+                            "prose": "the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ma-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -93191,7 +103211,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-2",
@@ -93203,7 +103229,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.a-3",
@@ -93215,7 +103247,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;"
+                        "prose": "records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -93240,7 +103284,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-2_obj.b-2",
@@ -93252,7 +103302,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;"
+                        "prose": "all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -93266,7 +103328,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": "{{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.d",
@@ -93278,7 +103346,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;"
+                    "prose": "equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.e",
@@ -93290,7 +103364,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;"
+                    "prose": "all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-2_obj.f",
@@ -93302,7 +103382,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records."
+                    "prose": "{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.",
+                    "links": [
+                      {
+                        "href": "#ma-2_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -93575,7 +103667,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;"
+                            "prose": "{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.a-2",
@@ -93587,7 +103685,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;"
+                            "prose": "{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.a-3",
@@ -93599,7 +103703,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;"
+                            "prose": "{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-2.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -93624,7 +103740,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.b-2",
@@ -93636,7 +103758,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-2.2_obj.b-3",
@@ -93648,10 +103776,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced."
+                            "prose": "up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.",
+                            "links": [
+                              {
+                                "href": "#ma-2.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-2.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-2.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -93850,7 +103996,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is approved;"
+                        "prose": "the use of system maintenance tools is approved;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-2",
@@ -93862,7 +104014,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is controlled;"
+                        "prose": "the use of system maintenance tools is controlled;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3_obj.a-3",
@@ -93874,7 +104032,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of system maintenance tools is monitored;"
+                        "prose": "the use of system maintenance tools is monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -93888,7 +104058,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}."
+                    "prose": "previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ma-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -94015,7 +104197,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications."
+                    "prose": "maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.",
+                    "links": [
+                      {
+                        "href": "#ma-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.1_asm-examine",
@@ -94140,7 +104328,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system."
+                    "prose": "media containing diagnostic and test programs are checked for malicious code before the media are used in the system.",
+                    "links": [
+                      {
+                        "href": "#ma-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.2_asm-examine",
@@ -94344,7 +104538,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.b",
@@ -94356,7 +104556,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.c",
@@ -94368,7 +104574,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or"
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-3.3_obj.d",
@@ -94380,7 +104592,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility."
+                        "prose": "the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.",
+                        "links": [
+                          {
+                            "href": "#ma-3.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -94520,7 +104744,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of maintenance tools is restricted to authorized personnel only."
+                    "prose": "the use of maintenance tools is restricted to authorized personnel only.",
+                    "links": [
+                      {
+                        "href": "#ma-3.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.4_asm-examine",
@@ -94654,7 +104884,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of maintenance tools that execute with increased privilege is monitored."
+                    "prose": "the use of maintenance tools that execute with increased privilege is monitored.",
+                    "links": [
+                      {
+                        "href": "#ma-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.5_asm-examine",
@@ -94788,7 +105024,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "maintenance tools are inspected to ensure that the latest software updates and patches are installed."
+                    "prose": "maintenance tools are inspected to ensure that the latest software updates and patches are installed.",
+                    "links": [
+                      {
+                        "href": "#ma-3.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-3.6_asm-examine",
@@ -95065,7 +105307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are approved;"
+                        "prose": "nonlocal maintenance and diagnostic activities are approved;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.a-2",
@@ -95077,7 +105325,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance and diagnostic activities are monitored;"
+                        "prose": "nonlocal maintenance and diagnostic activities are monitored;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -95102,7 +105362,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.b-2",
@@ -95114,7 +105380,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;"
+                        "prose": "the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -95128,7 +105406,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;"
+                    "prose": "strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.d",
@@ -95140,7 +105424,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;"
+                    "prose": "records for nonlocal maintenance and diagnostic activities are maintained;",
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-4_obj.e",
@@ -95163,7 +105453,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session connections are terminated when nonlocal maintenance is completed;"
+                        "prose": "session connections are terminated when nonlocal maintenance is completed;",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4_obj.e-2",
@@ -95175,10 +105471,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network connections are terminated when nonlocal maintenance is completed."
+                        "prose": "network connections are terminated when nonlocal maintenance is completed.",
+                        "links": [
+                          {
+                            "href": "#ma-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -95403,7 +105717,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;"
+                            "prose": "{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;",
+                            "links": [
+                              {
+                                "href": "#ma-4.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.1_obj.a-2",
@@ -95415,7 +105735,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;"
+                            "prose": "{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;",
+                            "links": [
+                              {
+                                "href": "#ma-4.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -95440,7 +105772,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the audit records of the maintenance sessions are reviewed to detect anomalous behavior;"
+                            "prose": "the audit records of the maintenance sessions are reviewed to detect anomalous behavior;",
+                            "links": [
+                              {
+                                "href": "#ma-4.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.1_obj.b-2",
@@ -95452,10 +105790,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the audit records of the diagnostic sessions are reviewed to detect anomalous behavior."
+                            "prose": "the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.",
+                            "links": [
+                              {
+                                "href": "#ma-4.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -95668,7 +106024,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;"
+                            "prose": "nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.a-2",
@@ -95680,7 +106042,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or"
+                            "prose": "nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -95705,7 +106079,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;"
+                            "prose": "the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.b-2",
@@ -95717,7 +106097,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component to be serviced is sanitized (for organizational information);"
+                            "prose": "the component to be serviced is sanitized (for organizational information);",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.3_obj.b-3",
@@ -95729,10 +106115,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system."
+                            "prose": "the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.",
+                            "links": [
+                              {
+                                "href": "#ma-4.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -95935,7 +106339,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};"
+                        "prose": "nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};",
+                        "links": [
+                          {
+                            "href": "#ma-4.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4.4_obj.b",
@@ -95958,7 +106368,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or"
+                            "prose": "nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or",
+                            "links": [
+                              {
+                                "href": "#ma-4.4_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-4.4_obj.b.2",
@@ -95970,10 +106386,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "nonlocal maintenance sessions are protected by logically separated communication paths."
+                            "prose": "nonlocal maintenance sessions are protected by logically separated communication paths.",
+                            "links": [
+                              {
+                                "href": "#ma-4.4_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-4.4_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -96176,7 +106610,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};"
+                        "prose": "the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ma-4.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4.5_obj.b",
@@ -96188,7 +106628,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ma-04.05_odp.02 }} is/are notified of the date and time of planned nonlocal maintenance."
+                        "prose": "{{ insert: param, ma-04.05_odp.02 }} is/are notified of the date and time of planned nonlocal maintenance.",
+                        "links": [
+                          {
+                            "href": "#ma-4.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -96361,7 +106813,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;"
+                        "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;",
+                        "links": [
+                          {
+                            "href": "#ma-4.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4.6_obj-2",
@@ -96373,7 +106831,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications."
+                        "prose": "{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.",
+                        "links": [
+                          {
+                            "href": "#ma-4.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -96511,7 +106981,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;"
+                        "prose": "session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;",
+                        "links": [
+                          {
+                            "href": "#ma-4.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-4.7_obj-2",
@@ -96523,7 +106999,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions."
+                        "prose": "network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.",
+                        "links": [
+                          {
+                            "href": "#ma-4.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-4.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -96748,7 +107236,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process for maintenance personnel authorization is established;"
+                        "prose": "a process for maintenance personnel authorization is established;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5_obj.a-2",
@@ -96760,7 +107254,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of authorized maintenance organizations or personnel is maintained;"
+                        "prose": "a list of authorized maintenance organizations or personnel is maintained;",
+                        "links": [
+                          {
+                            "href": "#ma-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -96774,7 +107280,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;"
+                    "prose": "non-escorted personnel performing maintenance on the system possess the required access authorizations;",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5_obj.c",
@@ -96786,7 +107298,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations."
+                    "prose": "organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ma-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ma-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -97008,7 +107532,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;"
+                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;",
+                            "links": [
+                              {
+                                "href": "#ma-5.1_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-5.1_obj.a.2",
@@ -97020,7 +107550,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;"
+                            "prose": "procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;",
+                            "links": [
+                              {
+                                "href": "#ma-5.1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-5.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -97034,7 +107576,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system."
+                        "prose": "{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.",
+                        "links": [
+                          {
+                            "href": "#ma-5.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -97172,7 +107726,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;"
+                        "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;",
+                        "links": [
+                          {
+                            "href": "#ma-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5.2_obj-2",
@@ -97184,7 +107744,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system."
+                        "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.",
+                        "links": [
+                          {
+                            "href": "#ma-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -97311,7 +107883,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens."
+                    "prose": "personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.",
+                    "links": [
+                      {
+                        "href": "#ma-5.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5.3_asm-examine",
@@ -97449,7 +108027,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;"
+                        "prose": "foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;",
+                        "links": [
+                          {
+                            "href": "#ma-5.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ma-5.4_obj.b",
@@ -97472,7 +108056,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;"
+                            "prose": "approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;",
+                            "links": [
+                              {
+                                "href": "#ma-5.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-5.4_obj.b-2",
@@ -97484,7 +108074,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;"
+                            "prose": "consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;",
+                            "links": [
+                              {
+                                "href": "#ma-5.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ma-5.4_obj.b-3",
@@ -97496,10 +108092,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements."
+                            "prose": "detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.",
+                            "links": [
+                              {
+                                "href": "#ma-5.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ma-5.4_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ma-5.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -97621,7 +108235,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations."
+                    "prose": "non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.",
+                    "links": [
+                      {
+                        "href": "#ma-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-5.5_asm-examine",
@@ -97796,7 +108416,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure."
+                "prose": "maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.",
+                "links": [
+                  {
+                    "href": "#ma-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ma-6_asm-examine",
@@ -97959,7 +108585,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}."
+                    "prose": "preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ma-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-6.1_asm-examine",
@@ -98122,7 +108754,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}."
+                    "prose": "predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ma-6.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-6.2_asm-examine",
@@ -98265,7 +108903,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}."
+                    "prose": "predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ma-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ma-6.3_asm-examine",
@@ -98438,7 +109082,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}."
+                "prose": "field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ma-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ma-7_asm-examine",
@@ -98899,7 +109549,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a media protection policy is developed and documented;"
+                        "prose": "a media protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-2",
@@ -98911,7 +109567,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};"
+                        "prose": "the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-3",
@@ -98923,7 +109585,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;"
+                        "prose": "media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a-4",
@@ -98935,7 +109603,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};"
+                        "prose": "the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-1_obj.a.1",
@@ -98969,7 +109643,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-2",
@@ -98981,7 +109661,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-3",
@@ -98993,7 +109679,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-4",
@@ -99005,7 +109697,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-5",
@@ -99017,7 +109715,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-6",
@@ -99029,7 +109733,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "mp-1_obj.a.1.a-7",
@@ -99041,7 +109751,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;"
+                                "prose": "the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;",
+                                "links": [
+                                  {
+                                    "href": "#mp-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -99055,10 +109777,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -99071,7 +109811,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures."
+                    "prose": "the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-1_obj.c",
@@ -99105,7 +109851,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; "
+                            "prose": "the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.1-2",
@@ -99117,7 +109869,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};"
+                            "prose": "the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -99142,7 +109906,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; "
+                            "prose": "the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; ",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "mp-1_obj.c.2-2",
@@ -99154,12 +109924,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}."
+                            "prose": "the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#mp-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#mp-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -99432,7 +110226,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};"
+                    "prose": "access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-2_obj-2",
@@ -99444,7 +110244,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}."
+                    "prose": "access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -99738,7 +110550,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;"
+                    "prose": "system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-3_obj.b",
@@ -99750,7 +110568,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}."
+                    "prose": "{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -100142,7 +110972,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-04_odp.01 }} are physically controlled;"
+                        "prose": "{{ insert: param, mp-04_odp.01 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-2",
@@ -100154,7 +110990,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-04_odp.02 }} are physically controlled;"
+                        "prose": "{{ insert: param, mp-04_odp.02 }} are physically controlled;",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-3",
@@ -100166,7 +111008,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};"
+                        "prose": "{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4_obj.a-4",
@@ -100178,7 +111026,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};"
+                        "prose": "{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -100192,7 +111052,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures."
+                    "prose": "system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.",
+                    "links": [
+                      {
+                        "href": "#mp-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -100451,7 +111323,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};"
+                        "prose": "access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4.2_obj-2",
@@ -100463,7 +111341,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};"
+                        "prose": "access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-4.2_obj-3",
@@ -100475,7 +111359,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}."
+                        "prose": "access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#mp-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -100793,7 +111689,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};"
+                        "prose": "{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.a-2",
@@ -100805,7 +111707,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};"
+                        "prose": "{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -100819,7 +111733,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "accountability for system media is maintained during transport outside of controlled areas;"
+                    "prose": "accountability for system media is maintained during transport outside of controlled areas;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.c",
@@ -100831,7 +111751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "activities associated with the transport of system media are documented;"
+                    "prose": "activities associated with the transport of system media are documented;",
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-5_obj.d",
@@ -100854,7 +111780,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel authorized to conduct media transport activities is/are identified;"
+                        "prose": "personnel authorized to conduct media transport activities is/are identified;",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5_obj.d-2",
@@ -100866,10 +111798,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel."
+                        "prose": "activities associated with the transport of system media are restricted to identified authorized personnel.",
+                        "links": [
+                          {
+                            "href": "#mp-5_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-5_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -101062,7 +112012,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a custodian to transport system media outside of controlled areas is identified;"
+                        "prose": "a custodian to transport system media outside of controlled areas is identified;",
+                        "links": [
+                          {
+                            "href": "#mp-5.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-5.3_obj-2",
@@ -101074,7 +112030,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identified custodian is employed during the transport of system media outside of controlled areas."
+                        "prose": "the identified custodian is employed during the transport of system media outside of controlled areas.",
+                        "links": [
+                          {
+                            "href": "#mp-5.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-5.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -101498,7 +112466,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;"
+                        "prose": "{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-2",
@@ -101510,7 +112484,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;"
+                        "prose": "{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6_obj.a-3",
@@ -101522,7 +112502,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;"
+                        "prose": "{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;",
+                        "links": [
+                          {
+                            "href": "#mp-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -101536,7 +112528,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed."
+                    "prose": "sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.",
+                    "links": [
+                      {
+                        "href": "#mp-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -101670,7 +112674,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are reviewed;"
+                        "prose": "media sanitization and disposal actions are reviewed;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-2",
@@ -101682,7 +112692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are approved;"
+                        "prose": "media sanitization and disposal actions are approved;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-3",
@@ -101694,7 +112710,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are tracked;"
+                        "prose": "media sanitization and disposal actions are tracked;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-4",
@@ -101706,7 +112728,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are documented;"
+                        "prose": "media sanitization and disposal actions are documented;",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.1_obj-5",
@@ -101718,7 +112746,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "media sanitization and disposal actions are verified."
+                        "prose": "media sanitization and disposal actions are verified.",
+                        "links": [
+                          {
+                            "href": "#mp-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -101902,7 +112942,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;"
+                        "prose": "sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;",
+                        "links": [
+                          {
+                            "href": "#mp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-6.2_obj-2",
@@ -101914,7 +112960,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved."
+                        "prose": "sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.",
+                        "links": [
+                          {
+                            "href": "#mp-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -102064,7 +113122,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}."
+                    "prose": "non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#mp-6.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-6.3_asm-examine",
@@ -102305,7 +113369,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced."
+                    "prose": "dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced.",
+                    "links": [
+                      {
+                        "href": "#mp-6.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-6.7_asm-examine",
@@ -102488,7 +113558,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided."
+                    "prose": "the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided.",
+                    "links": [
+                      {
+                        "href": "#mp-6.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-6.8_asm-examine",
@@ -102755,7 +113831,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};"
+                    "prose": "the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-7_obj.b",
@@ -102767,7 +113849,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner."
+                    "prose": "the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.",
+                    "links": [
+                      {
+                        "href": "#mp-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -102935,7 +114029,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "sanitization-resistant media is identified;"
+                        "prose": "sanitization-resistant media is identified;",
+                        "links": [
+                          {
+                            "href": "#mp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-7.2_obj-2",
@@ -102947,7 +114047,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of sanitization-resistant media in organizational systems is prohibited."
+                        "prose": "the use of sanitization-resistant media in organizational systems is prohibited.",
+                        "links": [
+                          {
+                            "href": "#mp-7.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-7.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -103185,7 +114297,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a {{ insert: param, mp-08_odp.01 }} is established;"
+                        "prose": "a {{ insert: param, mp-08_odp.01 }} is established;",
+                        "links": [
+                          {
+                            "href": "#mp-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-8_obj.a-2",
@@ -103197,7 +114315,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;"
+                        "prose": "the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;",
+                        "links": [
+                          {
+                            "href": "#mp-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -103222,7 +114352,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;"
+                        "prose": "there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;",
+                        "links": [
+                          {
+                            "href": "#mp-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-8_obj.b-2",
@@ -103234,7 +114370,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;"
+                        "prose": "there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;",
+                        "links": [
+                          {
+                            "href": "#mp-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -103248,7 +114396,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, mp-08_odp.02 }} is identified;"
+                    "prose": "{{ insert: param, mp-08_odp.02 }} is identified;",
+                    "links": [
+                      {
+                        "href": "#mp-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-8_obj.d",
@@ -103260,7 +114414,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}."
+                    "prose": "the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#mp-8_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#mp-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -103383,7 +114549,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system media downgrading actions are documented."
+                    "prose": "system media downgrading actions are documented.",
+                    "links": [
+                      {
+                        "href": "#mp-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "mp-8.1_asm-examine",
@@ -103565,7 +114737,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;"
+                        "prose": "downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;",
+                        "links": [
+                          {
+                            "href": "#mp-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-8.2_obj-2",
@@ -103577,7 +114755,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved."
+                        "prose": "downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved.",
+                        "links": [
+                          {
+                            "href": "#mp-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-8.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -103711,7 +114901,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system media containing controlled unclassified information is identified;"
+                        "prose": "system media containing controlled unclassified information is identified;",
+                        "links": [
+                          {
+                            "href": "#mp-8.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-8.3_obj-2",
@@ -103723,7 +114919,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system media containing controlled unclassified information is downgraded prior to public release."
+                        "prose": "system media containing controlled unclassified information is downgraded prior to public release.",
+                        "links": [
+                          {
+                            "href": "#mp-8.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-8.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -103857,7 +115065,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system media containing classified information is identified;"
+                        "prose": "system media containing classified information is identified;",
+                        "links": [
+                          {
+                            "href": "#mp-8.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "mp-8.4_obj-2",
@@ -103869,7 +115083,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system media containing classified information is downgraded prior to release to individuals without required access authorizations."
+                        "prose": "system media containing classified information is downgraded prior to release to individuals without required access authorizations.",
+                        "links": [
+                          {
+                            "href": "#mp-8.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#mp-8.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -104334,7 +115560,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a physical and environmental protection policy is developed and documented;"
+                        "prose": "a physical and environmental protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-2",
@@ -104346,7 +115578,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};"
+                        "prose": "the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-3",
@@ -104358,7 +115596,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;"
+                        "prose": "physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a-4",
@@ -104370,7 +115614,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};"
+                        "prose": "the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-1_obj.a.1",
@@ -104404,7 +115654,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-2",
@@ -104416,7 +115672,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-3",
@@ -104428,7 +115690,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-4",
@@ -104440,7 +115708,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-5",
@@ -104452,7 +115726,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-6",
@@ -104464,7 +115744,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pe-1_obj.a.1.a-7",
@@ -104476,7 +115762,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pe-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -104490,10 +115788,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -104506,7 +115822,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;"
+                    "prose": "the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-1_obj.c",
@@ -104540,7 +115862,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.1-2",
@@ -104552,7 +115880,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};"
+                            "prose": "the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -104577,7 +115917,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};"
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-1_obj.c.2-2",
@@ -104589,12 +115935,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}."
+                            "prose": "the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pe-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -104851,7 +116221,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;"
+                        "prose": "a list of individuals with authorized access to the facility where the system resides has been developed;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-2",
@@ -104863,7 +116239,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been approved;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-2_obj.a-3",
@@ -104875,7 +116257,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;"
+                        "prose": "the list of individuals with authorized access to the facility where the system resides has been maintained;",
+                        "links": [
+                          {
+                            "href": "#pe-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -104889,7 +116283,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "authorization credentials are issued for facility access;"
+                    "prose": "authorization credentials are issued for facility access;",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.c",
@@ -104901,7 +116301,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};"
+                    "prose": "the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2_obj.d",
@@ -104913,7 +116319,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are removed from the facility access list when access is no longer required."
+                    "prose": "individuals are removed from the facility access list when access is no longer required.",
+                    "links": [
+                      {
+                        "href": "#pe-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -105048,7 +116466,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the facility where the system resides is authorized based on position or role."
+                    "prose": "physical access to the facility where the system resides is authorized based on position or role.",
+                    "links": [
+                      {
+                        "href": "#pe-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2.1_asm-examine",
@@ -105203,7 +116627,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides."
+                    "prose": "two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides.",
+                    "links": [
+                      {
+                        "href": "#pe-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2.2_asm-examine",
@@ -105377,7 +116807,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}."
+                    "prose": "unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-2.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-2.3_asm-examine",
@@ -105958,7 +117394,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.a.2",
@@ -105970,7 +117412,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};"
+                        "prose": "physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -105984,7 +117438,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};"
+                    "prose": "physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.c",
@@ -105996,7 +117456,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};"
+                    "prose": "access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.d",
@@ -106019,7 +117485,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitors are escorted;"
+                        "prose": "visitors are escorted;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.d-2",
@@ -106031,7 +117503,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};"
+                        "prose": "visitor activity is controlled {{ insert: param, pe-03_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -106056,7 +117540,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are secured;"
+                        "prose": "keys are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-2",
@@ -106068,7 +117558,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are secured;"
+                        "prose": "combinations are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.e-3",
@@ -106080,7 +117576,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "other physical access devices are secured;"
+                        "prose": "other physical access devices are secured;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -106094,7 +117602,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};"
+                    "prose": "{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};",
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3_obj.g",
@@ -106117,7 +117631,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;"
+                        "prose": "combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3_obj.g-2",
@@ -106129,10 +117649,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated."
+                        "prose": "keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.",
+                        "links": [
+                          {
+                            "href": "#pe-3_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3_smt.g",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -106292,7 +117830,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access authorizations to the system are enforced;"
+                        "prose": "physical access authorizations to the system are enforced;",
+                        "links": [
+                          {
+                            "href": "#pe-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-3.1_obj.2",
@@ -106304,7 +117848,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}."
+                        "prose": "physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.",
+                        "links": [
+                          {
+                            "href": "#pe-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -106457,7 +118013,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components."
+                    "prose": "security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components.",
+                    "links": [
+                      {
+                        "href": "#pe-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.2_asm-examine",
@@ -106612,7 +118174,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week."
+                    "prose": "guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week.",
+                    "links": [
+                      {
+                        "href": "#pe-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.3_asm-examine",
@@ -106755,7 +118323,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access."
+                    "prose": "lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access.",
+                    "links": [
+                      {
+                        "href": "#pe-3.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.4_asm-examine",
@@ -106951,7 +118525,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system."
+                    "prose": "{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system.",
+                    "links": [
+                      {
+                        "href": "#pe-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.5_asm-examine",
@@ -107102,7 +118682,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical barriers are used to limit access."
+                    "prose": "physical barriers are used to limit access.",
+                    "links": [
+                      {
+                        "href": "#pe-3.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.7_asm-examine",
@@ -107228,7 +118814,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access control vestibules are employed at {{ insert: param, pe-03.08_odp }}."
+                    "prose": "access control vestibules are employed at {{ insert: param, pe-03.08_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pe-3.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-3.8_asm-examine",
@@ -107429,7 +119021,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}."
+                "prose": "physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#pe-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-4_asm-examine",
@@ -107588,7 +119186,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output."
+                "prose": "physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.",
+                "links": [
+                  {
+                    "href": "#pe-5_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-5_asm-examine",
@@ -107739,7 +119343,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individual identity is linked to the receipt of output from output devices."
+                    "prose": "individual identity is linked to the receipt of output from output devices.",
+                    "links": [
+                      {
+                        "href": "#pe-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-5.2_asm-examine",
@@ -108017,7 +119627,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;"
+                    "prose": "physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;",
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6_obj.b",
@@ -108040,7 +119656,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};"
+                        "prose": "physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.b-2",
@@ -108052,7 +119674,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};"
+                        "prose": "physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -108077,7 +119711,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of reviews are coordinated with organizational incident response capabilities;"
+                        "prose": "results of reviews are coordinated with organizational incident response capabilities;",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6_obj.c-2",
@@ -108089,10 +119729,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "results of investigations are coordinated with organizational incident response capabilities."
+                        "prose": "results of investigations are coordinated with organizational incident response capabilities.",
+                        "links": [
+                          {
+                            "href": "#pe-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -108230,7 +119888,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;"
+                        "prose": "physical access to the facility where the system resides is monitored using physical intrusion alarms;",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.1_obj-2",
@@ -108242,7 +119906,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment."
+                        "prose": "physical access to the facility where the system resides is monitored using physical surveillance equipment.",
+                        "links": [
+                          {
+                            "href": "#pe-6.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -108447,7 +120123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-06.02_odp.01 }} are recognized;"
+                        "prose": "{{ insert: param, pe-06.02_odp.01 }} are recognized;",
+                        "links": [
+                          {
+                            "href": "#pe-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.2_obj-2",
@@ -108459,7 +120141,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}."
+                        "prose": "{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -108694,7 +120388,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;"
+                        "prose": "video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;",
+                        "links": [
+                          {
+                            "href": "#pe-6.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.3_obj.b",
@@ -108706,7 +120406,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};"
+                        "prose": "video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pe-6.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-6.3_obj.c",
@@ -108718,7 +120424,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}."
+                        "prose": "video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-6.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -108873,7 +120591,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}."
+                    "prose": "physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pe-6.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-6.4_asm-examine",
@@ -109150,7 +120874,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};"
+                    "prose": "visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.b",
@@ -109162,7 +120892,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};"
+                    "prose": "visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8_obj.c",
@@ -109174,7 +120910,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}."
+                    "prose": "visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -109358,7 +121106,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};"
+                        "prose": "visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pe-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-8.1_obj-2",
@@ -109370,7 +121124,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}."
+                        "prose": "visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-8.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-8.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -109553,7 +121319,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment."
+                    "prose": "personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.",
+                    "links": [
+                      {
+                        "href": "#pe-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-8.3_asm-examine",
@@ -109687,7 +121459,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power equipment for the system is protected from damage and destruction;"
+                    "prose": "power equipment for the system is protected from damage and destruction;",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-9_obj-2",
@@ -109699,7 +121477,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "power cabling for the system is protected from damage and destruction."
+                    "prose": "power cabling for the system is protected from damage and destruction.",
+                    "links": [
+                      {
+                        "href": "#pe-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -109844,7 +121634,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed."
+                    "prose": "redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed.",
+                    "links": [
+                      {
+                        "href": "#pe-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-9.1_asm-examine",
@@ -109987,7 +121783,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed."
+                    "prose": "automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed.",
+                    "links": [
+                      {
+                        "href": "#pe-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-9.2_asm-examine",
@@ -110202,7 +122004,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;"
+                    "prose": "the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.b",
@@ -110214,7 +122022,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;"
+                    "prose": "emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-10_obj.c",
@@ -110226,7 +122040,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the emergency power shutoff capability is protected from unauthorized activation."
+                    "prose": "the emergency power shutoff capability is protected from unauthorized activation.",
+                    "links": [
+                      {
+                        "href": "#pe-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -110411,7 +122237,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss."
+                "prose": "an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.",
+                "links": [
+                  {
+                    "href": "#pe-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-11_asm-examine",
@@ -110565,7 +122397,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};"
+                        "prose": "an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#pe-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-11.1_obj-2",
@@ -110577,7 +122415,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source."
+                        "prose": "the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.",
+                        "links": [
+                          {
+                            "href": "#pe-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-11.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -110789,7 +122639,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate power supply provided for the system is self-contained;"
+                        "prose": "the alternate power supply provided for the system is self-contained;",
+                        "links": [
+                          {
+                            "href": "#pe-11.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-11.2_obj.b",
@@ -110801,7 +122657,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate power supply provided for the system is not reliant on external power generation;"
+                        "prose": "the alternate power supply provided for the system is not reliant on external power generation;",
+                        "links": [
+                          {
+                            "href": "#pe-11.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-11.2_obj.c",
@@ -110813,7 +122675,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source."
+                        "prose": "the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source.",
+                        "links": [
+                          {
+                            "href": "#pe-11.2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-11.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -110953,7 +122827,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-2",
@@ -110965,7 +122845,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;"
+                    "prose": "automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-3",
@@ -110977,7 +122863,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;"
+                    "prose": "automatic emergency lighting for the system covers emergency exits within the facility;",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12_obj-4",
@@ -110989,7 +122881,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility."
+                    "prose": "automatic emergency lighting for the system covers evacuation routes within the facility.",
+                    "links": [
+                      {
+                        "href": "#pe-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -111112,7 +123016,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "emergency lighting is provided for all areas within the facility supporting essential mission and business functions."
+                    "prose": "emergency lighting is provided for all areas within the facility supporting essential mission and business functions.",
+                    "links": [
+                      {
+                        "href": "#pe-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-12.1_asm-examine",
@@ -111246,7 +123156,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire detection systems are employed;"
+                    "prose": "fire detection systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-2",
@@ -111258,7 +123174,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are supported by an independent energy source;"
+                    "prose": "employed fire detection systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-3",
@@ -111270,7 +123192,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire detection systems are maintained;"
+                    "prose": "employed fire detection systems are maintained;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-4",
@@ -111282,7 +123210,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "fire suppression systems are employed;"
+                    "prose": "fire suppression systems are employed;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-5",
@@ -111294,7 +123228,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are supported by an independent energy source;"
+                    "prose": "employed fire suppression systems are supported by an independent energy source;",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-13_obj-6",
@@ -111306,7 +123246,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "employed fire suppression systems are maintained."
+                    "prose": "employed fire suppression systems are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -111482,7 +123434,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that activate automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-2",
@@ -111494,7 +123452,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;"
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.1_obj-3",
@@ -111506,7 +123470,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire."
+                        "prose": "fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.",
+                        "links": [
+                          {
+                            "href": "#pe-13.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -111716,7 +123692,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that activate automatically are employed;"
+                            "prose": "fire suppression systems that activate automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-13.2_obj.a-2",
@@ -111728,7 +123710,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;"
+                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pe-13.2_obj.a-3",
@@ -111740,7 +123728,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;"
+                            "prose": "fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;",
+                            "links": [
+                              {
+                                "href": "#pe-13.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pe-13.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -111754,7 +123754,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis."
+                        "prose": "an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.",
+                        "links": [
+                          {
+                            "href": "#pe-13.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -111960,7 +123972,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;"
+                        "prose": "the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;",
+                        "links": [
+                          {
+                            "href": "#pe-13.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-13.4_obj-2",
@@ -111972,7 +123990,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}."
+                        "prose": "the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-13.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-13.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -112199,7 +124229,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;"
+                    "prose": "{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-14_obj.b",
@@ -112211,7 +124247,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}."
+                    "prose": "environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pe-14_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -112356,7 +124404,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system."
+                    "prose": "{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system.",
+                    "links": [
+                      {
+                        "href": "#pe-14.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-14.1_asm-examine",
@@ -112510,7 +124564,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "environmental control monitoring is employed;"
+                        "prose": "environmental control monitoring is employed;",
+                        "links": [
+                          {
+                            "href": "#pe-14.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-14.2_obj-2",
@@ -112522,7 +124582,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment."
+                        "prose": "the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.",
+                        "links": [
+                          {
+                            "href": "#pe-14.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-14.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -112662,7 +124734,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;"
+                    "prose": "the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-2",
@@ -112674,7 +124752,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are accessible;"
+                    "prose": "the master shutoff or isolation valves are accessible;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-3",
@@ -112686,7 +124770,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are working properly;"
+                    "prose": "the master shutoff or isolation valves are working properly;",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-15_obj-4",
@@ -112698,7 +124788,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the master shutoff or isolation valves are known to key personnel."
+                    "prose": "the master shutoff or isolation valves are known to key personnel.",
+                    "links": [
+                      {
+                        "href": "#pe-15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -112874,7 +124976,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the presence of water near the system can be detected automatically;"
+                        "prose": "the presence of water near the system can be detected automatically;",
+                        "links": [
+                          {
+                            "href": "#pe-15.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-15.1_obj-2",
@@ -112886,7 +124994,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}."
+                        "prose": "{{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#pe-15.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-15.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -113142,7 +125262,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;"
+                        "prose": "{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-2",
@@ -113154,7 +125280,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;"
+                        "prose": "{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-3",
@@ -113166,7 +125298,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;"
+                        "prose": "{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-16_obj.a-4",
@@ -113178,7 +125316,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;"
+                        "prose": "{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;",
+                        "links": [
+                          {
+                            "href": "#pe-16_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -113192,7 +125342,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "records of the system components are maintained."
+                    "prose": "records of the system components are maintained.",
+                    "links": [
+                      {
+                        "href": "#pe-16_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-16_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -113425,7 +125587,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-17_odp.01 }} are determined and documented;"
+                    "prose": "{{ insert: param, pe-17_odp.01 }} are determined and documented;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.b",
@@ -113437,7 +125605,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;"
+                    "prose": "{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.c",
@@ -113449,7 +125623,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effectiveness of controls at alternate work sites is assessed;"
+                    "prose": "the effectiveness of controls at alternate work sites is assessed;",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-17_obj.d",
@@ -113461,7 +125641,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided."
+                    "prose": "a means for employees to communicate with information security and privacy personnel in case of incidents is provided.",
+                    "links": [
+                      {
+                        "href": "#pe-17_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -113622,7 +125814,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access."
+                "prose": "system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.",
+                "links": [
+                  {
+                    "href": "#pe-18_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-18_asm-examine",
@@ -113787,7 +125985,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the system is protected from information leakage due to electromagnetic signal emanations."
+                "prose": "the system is protected from information leakage due to electromagnetic signal emanations.",
+                "links": [
+                  {
+                    "href": "#pe-19_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-19_asm-examine",
@@ -113919,7 +126123,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;"
+                        "prose": "system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;",
+                        "links": [
+                          {
+                            "href": "#pe-19.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-19.1_obj-2",
@@ -113931,7 +126141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;"
+                        "prose": "associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;",
+                        "links": [
+                          {
+                            "href": "#pe-19.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pe-19.1_obj-3",
@@ -113943,7 +126159,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information."
+                        "prose": "networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.",
+                        "links": [
+                          {
+                            "href": "#pe-19.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pe-19.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -114138,7 +126366,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}."
+                "prose": "{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}.",
+                "links": [
+                  {
+                    "href": "#pe-20_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-20_asm-examine",
@@ -114310,7 +126544,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}."
+                "prose": "{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#pe-21_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-21_asm-examine",
@@ -114469,7 +126709,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pe-22_odp }} are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component."
+                "prose": "{{ insert: param, pe-22_odp }} are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.",
+                "links": [
+                  {
+                    "href": "#pe-22_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pe-22_asm-examine",
@@ -114644,7 +126890,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the location or site of the facility where the system resides is planned considering physical and environmental hazards;"
+                    "prose": "the location or site of the facility where the system resides is planned considering physical and environmental hazards;",
+                    "links": [
+                      {
+                        "href": "#pe-23_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pe-23_obj.b",
@@ -114656,7 +126908,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy."
+                    "prose": "for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.",
+                    "links": [
+                      {
+                        "href": "#pe-23_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pe-23_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -115123,7 +127387,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a planning policy is developed and documented."
+                        "prose": "a planning policy is developed and documented.",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-2",
@@ -115135,7 +127405,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};"
+                        "prose": "the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-3",
@@ -115147,7 +127423,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;"
+                        "prose": "planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a-4",
@@ -115159,7 +127441,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};"
+                        "prose": "the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-1_obj.a.1",
@@ -115193,7 +127481,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-2",
@@ -115205,7 +127499,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-3",
@@ -115217,7 +127517,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-4",
@@ -115229,7 +127535,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-5",
@@ -115241,7 +127553,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-6",
@@ -115253,7 +127571,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pl-1_obj.a.1.a-7",
@@ -115265,7 +127589,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;"
+                                "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pl-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -115279,10 +127615,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -115295,7 +127649,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;"
+                    "prose": "the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-1_obj.c",
@@ -115329,7 +127689,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};"
+                            "prose": "the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.1-2",
@@ -115341,7 +127707,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};"
+                            "prose": "the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -115366,7 +127744,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};"
+                            "prose": "the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-1_obj.c.2-2",
@@ -115378,12 +127762,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}."
+                            "prose": "the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pl-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -115970,7 +128378,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a security plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.1-2",
@@ -115982,7 +128396,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;"
+                            "prose": "a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116007,7 +128433,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a security plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.2-2",
@@ -116019,7 +128451,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;"
+                            "prose": "a privacy plan for the system is developed that explicitly defines the constituent system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116044,7 +128488,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.3-2",
@@ -116056,7 +128506,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;"
+                            "prose": "a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116081,7 +128543,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.4-2",
@@ -116093,7 +128561,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;"
+                            "prose": "a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116118,7 +128598,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.5-2",
@@ -116130,7 +128616,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;"
+                            "prose": "a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.5",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.5",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116155,7 +128653,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.6-2",
@@ -116167,7 +128671,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;"
+                            "prose": "a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.6",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.6",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116192,7 +128708,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.7-2",
@@ -116204,7 +128726,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;"
+                            "prose": "a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.7",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.7",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116229,7 +128763,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.8-2",
@@ -116241,7 +128781,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;"
+                            "prose": "a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.8",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.8",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116266,7 +128818,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.9-2",
@@ -116278,7 +128836,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;"
+                            "prose": "a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.9",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.9",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116303,7 +128873,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;"
+                            "prose": "a security plan for the system is developed that provides an overview of the security requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.10-2",
@@ -116315,7 +128891,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;"
+                            "prose": "a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.10",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.10",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116340,7 +128928,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.11-2",
@@ -116352,7 +128946,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;"
+                            "prose": "a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.11",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.11",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116377,7 +128983,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;"
+                            "prose": "a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.12-2",
@@ -116389,7 +129001,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;"
+                            "prose": "a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.12",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.12",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116414,7 +129038,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;"
+                            "prose": "a security plan for the system is developed that includes risk determinations for security architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.13-2",
@@ -116426,7 +129056,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;"
+                            "prose": "a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.13",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.13",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116451,7 +129093,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.14-2",
@@ -116463,7 +129111,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};"
+                            "prose": "a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.14",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.14",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -116488,7 +129148,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;"
+                            "prose": "a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-2_obj.a.15-2",
@@ -116500,10 +129166,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation."
+                            "prose": "a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.",
+                            "links": [
+                              {
+                                "href": "#pl-2_smt.a.15",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.a.15",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -116527,7 +129211,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.b-2",
@@ -116539,7 +129229,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};"
+                        "prose": "subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -116553,7 +129255,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};"
+                    "prose": "plans are reviewed {{ insert: param, pl-02_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-2_obj.d",
@@ -116576,7 +129284,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address changes to the system and environment of operations;"
+                        "prose": "plans are updated to address changes to the system and environment of operations;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-2",
@@ -116588,7 +129302,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during the plan implementation;"
+                        "prose": "plans are updated to address problems identified during the plan implementation;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.d-3",
@@ -116600,7 +129320,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are updated to address problems identified during control assessments;"
+                        "prose": "plans are updated to address problems identified during control assessments;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -116625,7 +129357,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized disclosure;"
+                        "prose": "plans are protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-2_obj.e-2",
@@ -116637,10 +129375,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans are protected from unauthorized modification."
+                        "prose": "plans are protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pl-2_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-2_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -117099,7 +129855,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4_obj.a-2",
@@ -117111,7 +129873,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;"
+                        "prose": "rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;",
+                        "links": [
+                          {
+                            "href": "#pl-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -117125,7 +129899,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;"
+                    "prose": "before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.c",
@@ -117137,7 +129917,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};"
+                    "prose": "rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-4_obj.d",
@@ -117149,7 +129935,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}."
+                    "prose": "individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pl-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -117331,7 +130129,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;"
+                        "prose": "the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.b",
@@ -117343,7 +130147,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;"
+                        "prose": "the rules of behavior include restrictions on posting organizational information on public websites;",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-4.1_obj.c",
@@ -117355,7 +130165,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications."
+                        "prose": "the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.",
+                        "links": [
+                          {
+                            "href": "#pl-4.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -117608,7 +130430,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;"
+                    "prose": "a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;",
+                    "links": [
+                      {
+                        "href": "#pl-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-7_obj.b",
@@ -117620,7 +130448,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the CONOPS is reviewed and updated {{ insert: param, pl-07_odp }}."
+                    "prose": "the CONOPS is reviewed and updated {{ insert: param, pl-07_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pl-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -117932,7 +130772,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;"
+                        "prose": "a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.2",
@@ -117944,7 +130790,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;"
+                        "prose": "a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.a.3",
@@ -117967,7 +130819,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.3-2",
@@ -117979,7 +130837,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;"
+                            "prose": "a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -118004,7 +130874,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a security architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8_obj.a.4-2",
@@ -118016,10 +130892,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;"
+                            "prose": "a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;",
+                            "links": [
+                              {
+                                "href": "#pl-8_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -118032,7 +130926,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;"
+                    "prose": "changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;",
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-8_obj.c",
@@ -118055,7 +130955,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the security plan;"
+                        "prose": "planned architecture changes are reflected in the security plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-2",
@@ -118067,7 +130973,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the privacy plan;"
+                        "prose": "planned architecture changes are reflected in the privacy plan;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-3",
@@ -118079,7 +130991,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);"
+                        "prose": "planned architecture changes are reflected in the Concept of Operations (CONOPS);",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-4",
@@ -118091,7 +131009,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in criticality analysis;"
+                        "prose": "planned architecture changes are reflected in criticality analysis;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-5",
@@ -118103,7 +131027,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in organizational procedures;"
+                        "prose": "planned architecture changes are reflected in organizational procedures;",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pl-8_obj.c-6",
@@ -118115,10 +131045,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "planned architecture changes are reflected in procurements and acquisitions."
+                        "prose": "planned architecture changes are reflected in procurements and acquisitions.",
+                        "links": [
+                          {
+                            "href": "#pl-8_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pl-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -118349,7 +131297,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the security architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};"
+                            "prose": "the security architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#pl-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8.1_obj.a-2",
@@ -118361,7 +131315,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};"
+                            "prose": "the privacy architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#pl-8.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -118386,7 +131352,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;"
+                            "prose": "the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;",
+                            "links": [
+                              {
+                                "href": "#pl-8.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pl-8.1_obj.b-2",
@@ -118398,10 +131370,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner."
+                            "prose": "the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.",
+                            "links": [
+                              {
+                                "href": "#pl-8.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pl-8.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pl-8.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -118578,7 +131568,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pl-08.02_odp.01 }} that are allocated to {{ insert: param, pl-08.02_odp.02 }} are required to be obtained from different suppliers."
+                    "prose": "{{ insert: param, pl-08.02_odp.01 }} that are allocated to {{ insert: param, pl-08.02_odp.02 }} are required to be obtained from different suppliers.",
+                    "links": [
+                      {
+                        "href": "#pl-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pl-8.2_asm-examine",
@@ -118740,7 +131736,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pl-09_odp }} are centrally managed."
+                "prose": "{{ insert: param, pl-09_odp }} are centrally managed.",
+                "links": [
+                  {
+                    "href": "#pl-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-9_asm-examine",
@@ -118917,7 +131919,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a control baseline for the system is selected."
+                "prose": "a control baseline for the system is selected.",
+                "links": [
+                  {
+                    "href": "#pl-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-10_asm-examine",
@@ -119072,7 +132080,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the selected control baseline is tailored by applying specified tailoring actions."
+                "prose": "the selected control baseline is tailored by applying specified tailoring actions.",
+                "links": [
+                  {
+                    "href": "#pl-11_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pl-11_asm-examine",
@@ -119366,7 +132380,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an organization-wide information security program plan is developed;"
+                        "prose": "an organization-wide information security program plan is developed;",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-1_obj.a-2",
@@ -119378,7 +132398,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is disseminated;"
+                        "prose": "the information security program plan is disseminated;",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-1_obj.a.1",
@@ -119401,7 +132427,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan provides an overview of the requirements for the security program;"
+                            "prose": "the information security program plan provides an overview of the requirements for the security program;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.1-2",
@@ -119413,7 +132445,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;"
+                            "prose": "the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.1-3",
@@ -119425,7 +132463,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan provides a description of the common controls in place or planned for meeting those requirements;"
+                            "prose": "the information security program plan provides a description of the common controls in place or planned for meeting those requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -119450,7 +132500,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan includes the identification and assignment of roles;"
+                            "prose": "the information security program plan includes the identification and assignment of roles;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.2-2",
@@ -119462,7 +132518,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan includes the identification and assignment of responsibilities;"
+                            "prose": "the information security program plan includes the identification and assignment of responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.2-3",
@@ -119474,7 +132536,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan addresses management commitment;"
+                            "prose": "the information security program plan addresses management commitment;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.2-4",
@@ -119486,7 +132554,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan addresses coordination among organizational entities;"
+                            "prose": "the information security program plan addresses coordination among organizational entities;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-1_obj.a.2-5",
@@ -119498,7 +132572,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the information security program plan addresses compliance;"
+                            "prose": "the information security program plan addresses compliance;",
+                            "links": [
+                              {
+                                "href": "#pm-1_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -119512,7 +132598,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan reflects the coordination among the organizational entities responsible for information security;"
+                        "prose": "the information security program plan reflects the coordination among the organizational entities responsible for information security;",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-1_obj.a.4",
@@ -119524,7 +132616,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"
+                        "prose": "the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-1_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -119549,7 +132653,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is reviewed and updated {{ insert: param, pm-01_odp.01 }};"
+                        "prose": "the information security program plan is reviewed and updated {{ insert: param, pm-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-1_obj.b-2",
@@ -119561,7 +132671,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is reviewed and updated following {{ insert: param, pm-01_odp.02 }};"
+                        "prose": "the information security program plan is reviewed and updated following {{ insert: param, pm-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-1_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -119586,7 +132708,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is protected from unauthorized disclosure;"
+                        "prose": "the information security program plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-1_obj.c-2",
@@ -119598,10 +132726,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the information security program plan is protected from unauthorized modification."
+                        "prose": "the information security program plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#pm-1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-1_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -119746,7 +132892,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior agency information security officer is appointed;"
+                    "prose": "a senior agency information security officer is appointed;",
+                    "links": [
+                      {
+                        "href": "#pm-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-2_obj-2",
@@ -119758,7 +132910,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;"
+                    "prose": "the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;",
+                    "links": [
+                      {
+                        "href": "#pm-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-2_obj-3",
@@ -119770,7 +132928,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;"
+                    "prose": "the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;",
+                    "links": [
+                      {
+                        "href": "#pm-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-2_obj-4",
@@ -119782,7 +132946,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;"
+                    "prose": "the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;",
+                    "links": [
+                      {
+                        "href": "#pm-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-2_obj-5",
@@ -119794,7 +132964,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program."
+                    "prose": "the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program.",
+                    "links": [
+                      {
+                        "href": "#pm-2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -119959,7 +133141,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;"
+                        "prose": "the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.a-2",
@@ -119971,7 +133159,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;"
+                        "prose": "the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -119996,7 +133196,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"
+                        "prose": "the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.b-2",
@@ -120008,7 +133214,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;"
+                        "prose": "the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -120033,7 +133251,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security resources are made available for expenditure as planned;"
+                        "prose": "information security resources are made available for expenditure as planned;",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-3_obj.c-2",
@@ -120045,10 +133269,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy resources are made available for expenditure as planned."
+                        "prose": "privacy resources are made available for expenditure as planned.",
+                        "links": [
+                          {
+                            "href": "#pm-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -120289,7 +133531,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-2",
@@ -120301,7 +133549,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-3",
@@ -120313,7 +133567,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-4",
@@ -120325,7 +133585,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-5",
@@ -120337,7 +133603,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.1-6",
@@ -120349,7 +133621,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -120374,7 +133658,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.2-2",
@@ -120386,7 +133676,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.2-3",
@@ -120398,7 +133694,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -120423,7 +133731,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.3-2",
@@ -120435,7 +133749,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-4_obj.a.3-3",
@@ -120447,10 +133767,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;"
+                            "prose": "a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;",
+                            "links": [
+                              {
+                                "href": "#pm-4_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -120474,7 +133812,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans of action and milestones are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "plans of action and milestones are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-4_obj.b-2",
@@ -120486,10 +133830,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions."
+                        "prose": "plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.",
+                        "links": [
+                          {
+                            "href": "#pm-4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-4_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-4_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -120648,7 +134010,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an inventory of organizational systems is developed;"
+                    "prose": "an inventory of organizational systems is developed;",
+                    "links": [
+                      {
+                        "href": "#pm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-5_obj-2",
@@ -120660,7 +134028,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}."
+                    "prose": "the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pm-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -120856,7 +134236,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is established;"
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is established;",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-5.1_obj-2",
@@ -120868,7 +134254,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is maintained;"
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is maintained;",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-5.1_obj-3",
@@ -120880,7 +134272,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}."
+                        "prose": "an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.",
+                        "links": [
+                          {
+                            "href": "#pm-5.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-5.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -121045,7 +134449,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security measures of performance are developed;"
+                    "prose": "information security measures of performance are developed;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-2",
@@ -121057,7 +134467,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security measures of performance are monitored;"
+                    "prose": "information security measures of performance are monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-3",
@@ -121069,7 +134485,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of information security measures of performance are reported;"
+                    "prose": "the results of information security measures of performance are reported;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-4",
@@ -121081,7 +134503,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy measures of performance are developed;"
+                    "prose": "privacy measures of performance are developed;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-5",
@@ -121093,7 +134521,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy measures of performance are monitored;"
+                    "prose": "privacy measures of performance are monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-6_obj-6",
@@ -121105,7 +134539,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of privacy measures of performance are reported."
+                    "prose": "the results of privacy measures of performance are reported.",
+                    "links": [
+                      {
+                        "href": "#pm-6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -121287,7 +134733,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for information security;"
+                    "prose": "an enterprise architecture is developed with consideration for information security;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-2",
@@ -121299,7 +134751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for information security;"
+                    "prose": "an enterprise architecture is maintained with consideration for information security;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-3",
@@ -121311,7 +134769,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for privacy;"
+                    "prose": "an enterprise architecture is developed with consideration for privacy;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-4",
@@ -121323,7 +134787,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for privacy;"
+                    "prose": "an enterprise architecture is maintained with consideration for privacy;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-5",
@@ -121335,7 +134805,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;"
+                    "prose": "an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7_obj-6",
@@ -121347,7 +134823,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation."
+                    "prose": "an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.",
+                    "links": [
+                      {
+                        "href": "#pm-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -121496,7 +134984,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pm-07.01_odp }} are offloaded to other systems, system components, or an external provider."
+                    "prose": "{{ insert: param, pm-07.01_odp }} are offloaded to other systems, system components, or an external provider.",
+                    "links": [
+                      {
+                        "href": "#pm-7.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-7.1_asm-examine",
@@ -121678,7 +135172,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the development of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the development of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-2",
@@ -121690,7 +135190,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-3",
@@ -121702,7 +135208,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information security issues are addressed in the update of a critical infrastructure and key resources protection plan;"
+                    "prose": "information security issues are addressed in the update of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-4",
@@ -121714,7 +135226,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;"
+                    "prose": "privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-5",
@@ -121726,7 +135244,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;"
+                    "prose": "privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-8_obj-6",
@@ -121738,7 +135262,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy issues are addressed in the update of a critical infrastructure and key resources protection plan."
+                    "prose": "privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.",
+                    "links": [
+                      {
+                        "href": "#pm-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -122136,7 +135672,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;"
+                        "prose": "a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;",
+                        "links": [
+                          {
+                            "href": "#pm-9_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-9_obj.a.2",
@@ -122148,7 +135690,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;"
+                        "prose": "a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-9_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -122162,7 +135716,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk management strategy is implemented consistently across the organization;"
+                    "prose": "the risk management strategy is implemented consistently across the organization;",
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-9_obj.c",
@@ -122174,7 +135734,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes."
+                    "prose": "the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.",
+                    "links": [
+                      {
+                        "href": "#pm-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -122378,7 +135950,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;"
+                        "prose": "the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;",
+                        "links": [
+                          {
+                            "href": "#pm-10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-10_obj.a-2",
@@ -122390,7 +135968,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;"
+                        "prose": "the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;",
+                        "links": [
+                          {
+                            "href": "#pm-10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -122404,7 +135994,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;"
+                    "prose": "individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;",
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-10_obj.c",
@@ -122416,7 +136012,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorization processes are integrated into an organization-wide risk management program."
+                    "prose": "the authorization processes are integrated into an organization-wide risk management program.",
+                    "links": [
+                      {
+                        "href": "#pm-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -122669,7 +136277,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for information security;"
+                        "prose": "organizational mission and business processes are defined with consideration for information security;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.a-2",
@@ -122681,7 +136295,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for privacy;"
+                        "prose": "organizational mission and business processes are defined with consideration for privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.a-3",
@@ -122693,7 +136313,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;"
+                        "prose": "organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -122718,7 +136350,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information protection needs arising from the defined mission and business processes are determined;"
+                        "prose": "information protection needs arising from the defined mission and business processes are determined;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-11_obj.b-2",
@@ -122730,7 +136368,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personally identifiable information processing needs arising from the defined mission and business processes are determined;"
+                        "prose": "personally identifiable information processing needs arising from the defined mission and business processes are determined;",
+                        "links": [
+                          {
+                            "href": "#pm-11_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -122744,7 +136394,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}."
+                    "prose": "the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pm-11_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -122968,7 +136630,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "an insider threat program that includes a cross-discipline insider threat incident handling team is implemented."
+                "prose": "an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.",
+                "links": [
+                  {
+                    "href": "#pm-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pm-12_asm-interview",
@@ -123090,7 +136758,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a security workforce development and improvement program is established;"
+                    "prose": "a security workforce development and improvement program is established;",
+                    "links": [
+                      {
+                        "href": "#pm-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-13_obj-2",
@@ -123102,7 +136776,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a privacy workforce development and improvement program is established."
+                    "prose": "a privacy workforce development and improvement program is established.",
+                    "links": [
+                      {
+                        "href": "#pm-13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -123358,7 +137044,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-2",
@@ -123370,7 +137062,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-3",
@@ -123382,7 +137080,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.1-4",
@@ -123394,7 +137098,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -123419,7 +137135,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-14_obj.a.2-2",
@@ -123431,10 +137153,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;"
+                            "prose": "a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;",
+                            "links": [
+                              {
+                                "href": "#pm-14_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-14_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -123458,7 +137198,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "testing plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "testing plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-2",
@@ -123470,7 +137216,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "training plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "training plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-3",
@@ -123482,7 +137234,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "monitoring plans are reviewed for consistency with the organizational risk management strategy;"
+                        "prose": "monitoring plans are reviewed for consistency with the organizational risk management strategy;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-4",
@@ -123494,7 +137252,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "testing plans are reviewed for consistency with organization-wide priorities for risk response actions;"
+                        "prose": "testing plans are reviewed for consistency with organization-wide priorities for risk response actions;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-5",
@@ -123506,7 +137270,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "training plans are reviewed for consistency with organization-wide priorities for risk response actions;"
+                        "prose": "training plans are reviewed for consistency with organization-wide priorities for risk response actions;",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-14_obj.b-6",
@@ -123518,10 +137288,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions."
+                        "prose": "monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.",
+                        "links": [
+                          {
+                            "href": "#pm-14_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-14_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-14_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -123708,7 +137496,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;"
+                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-15_obj.a-2",
@@ -123720,7 +137514,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;"
+                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-15_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -123745,7 +137551,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;"
+                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-15_obj.b-2",
@@ -123757,7 +137569,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;"
+                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-15_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -123782,7 +137606,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;"
+                        "prose": "contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-15_obj.c-2",
@@ -123794,10 +137624,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents."
+                        "prose": "contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.",
+                        "links": [
+                          {
+                            "href": "#pm-15_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-15_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-15_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -123928,7 +137776,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented."
+                "prose": "a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.",
+                "links": [
+                  {
+                    "href": "#pm-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pm-16_asm-examine",
@@ -124054,7 +137908,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information."
+                    "prose": "automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.",
+                    "links": [
+                      {
+                        "href": "#pm-16.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-16.1_asm-examine",
@@ -124297,7 +138157,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"
+                        "prose": "policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-17_obj.a-2",
@@ -124309,7 +138175,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;"
+                        "prose": "procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -124334,7 +138212,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};"
+                        "prose": "policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-17_obj.b-2",
@@ -124346,10 +138230,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} "
+                        "prose": "procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} ",
+                        "links": [
+                          {
+                            "href": "#pm-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-17_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-17_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -124600,7 +138502,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;"
+                        "prose": "an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a.1",
@@ -124623,7 +138531,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes a description of the structure of the privacy program;"
+                            "prose": "the privacy program plan includes a description of the structure of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.1-2",
@@ -124635,7 +138549,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes a description of the resources dedicated to the privacy program;"
+                            "prose": "the privacy program plan includes a description of the resources dedicated to the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -124660,7 +138586,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides an overview of the requirements for the privacy program;"
+                            "prose": "the privacy program plan provides an overview of the requirements for the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.2-2",
@@ -124672,7 +138604,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;"
+                            "prose": "the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.2-3",
@@ -124684,7 +138622,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;"
+                            "prose": "the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -124709,7 +138659,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes the role of the senior agency official for privacy;"
+                            "prose": "the privacy program plan includes the role of the senior agency official for privacy;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.3-2",
@@ -124721,7 +138677,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;"
+                            "prose": "the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -124746,7 +138714,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes management commitment;"
+                            "prose": "the privacy program plan describes management commitment;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.4-2",
@@ -124758,7 +138732,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes compliance;"
+                            "prose": "the privacy program plan describes compliance;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-18_obj.a.4-3",
@@ -124770,7 +138750,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy program plan describes the strategic goals and objectives of the privacy program;"
+                            "prose": "the privacy program plan describes the strategic goals and objectives of the privacy program;",
+                            "links": [
+                              {
+                                "href": "#pm-18_smt.a.4",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.4",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -124784,7 +138776,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;"
+                        "prose": "the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.5",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a.6",
@@ -124796,7 +138794,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;"
+                        "prose": "the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a.6",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.a-2",
@@ -124808,7 +138812,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is disseminated;"
+                        "prose": "the privacy program plan is disseminated;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -124833,7 +138849,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated {{ insert: param, pm-18_odp }};"
+                        "prose": "the privacy program plan is updated {{ insert: param, pm-18_odp }};",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-2",
@@ -124845,7 +138867,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address changes in federal privacy laws and policies;"
+                        "prose": "the privacy program plan is updated to address changes in federal privacy laws and policies;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-3",
@@ -124857,7 +138885,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address organizational changes;"
+                        "prose": "the privacy program plan is updated to address organizational changes;",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-18_obj.b-4",
@@ -124869,10 +138903,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments."
+                        "prose": "the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.",
+                        "links": [
+                          {
+                            "href": "#pm-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-18_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-18_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -125003,7 +139055,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a senior agency official for privacy with authority, mission, accountability, and resources is appointed;"
+                    "prose": "a senior agency official for privacy with authority, mission, accountability, and resources is appointed;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-2",
@@ -125015,7 +139073,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy coordinates applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy coordinates applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-3",
@@ -125027,7 +139091,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy develops applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy develops applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-4",
@@ -125039,7 +139109,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy implements applicable privacy requirements;"
+                    "prose": "the senior agency official for privacy implements applicable privacy requirements;",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-19_obj-5",
@@ -125051,7 +139127,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the senior agency official for privacy manages privacy risks through the organization-wide privacy program."
+                    "prose": "the senior agency official for privacy manages privacy risks through the organization-wide privacy program.",
+                    "links": [
+                      {
+                        "href": "#pm-19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -125230,7 +139318,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a central resource webpage is maintained on the organization’s principal public website;"
+                    "prose": "a central resource webpage is maintained on the organization’s principal public website;",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-20_obj-2",
@@ -125242,7 +139336,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the webpage serves as a central source of information about the organization’s privacy program;"
+                    "prose": "the webpage serves as a central source of information about the organization’s privacy program;",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-20_obj.a",
@@ -125265,7 +139365,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that the public has access to information about organizational privacy activities;"
+                        "prose": "the webpage ensures that the public has access to information about organizational privacy activities;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20_obj.a-2",
@@ -125277,7 +139383,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that the public can communicate with its senior agency official for privacy;"
+                        "prose": "the webpage ensures that the public can communicate with its senior agency official for privacy;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -125302,7 +139420,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that organizational privacy practices are publicly available;"
+                        "prose": "the webpage ensures that organizational privacy practices are publicly available;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20_obj.b-2",
@@ -125314,7 +139438,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the webpage ensures that organizational privacy reports are publicly available;"
+                        "prose": "the webpage ensures that organizational privacy reports are publicly available;",
+                        "links": [
+                          {
+                            "href": "#pm-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -125328,7 +139464,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices."
+                    "prose": "the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.",
+                    "links": [
+                      {
+                        "href": "#pm-20_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-20_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -125502,7 +139650,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all external-facing websites;"
+                        "prose": "privacy policies are developed and posted on all external-facing websites;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj-2",
@@ -125514,7 +139668,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all mobile applications;"
+                        "prose": "privacy policies are developed and posted on all mobile applications;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj-3",
@@ -125526,7 +139686,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy policies are developed and posted on all other digital services;"
+                        "prose": "privacy policies are developed and posted on all other digital services;",
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-20.1_obj.a",
@@ -125549,7 +139715,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are written in plain language;"
+                            "prose": "the privacy policies are written in plain language;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.a-2",
@@ -125561,7 +139733,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are organized in a way that is easy to understand and navigate;"
+                            "prose": "the privacy policies are organized in a way that is easy to understand and navigate;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -125586,7 +139770,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;"
+                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.b-2",
@@ -125598,7 +139788,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;"
+                            "prose": "the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -125623,7 +139825,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;"
+                            "prose": "the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-20.1_obj.c-2",
@@ -125635,10 +139843,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy policies include a time/date stamp to inform the public of the date of the most recent changes."
+                            "prose": "the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.",
+                            "links": [
+                              {
+                                "href": "#pm-20.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-20.1_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-20.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -125870,7 +140096,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the date of each disclosure;"
+                            "prose": "the accounting includes the date of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.1-2",
@@ -125882,7 +140114,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the nature of each disclosure;"
+                            "prose": "the accounting includes the nature of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.1-3",
@@ -125894,7 +140132,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the purpose of each disclosure;"
+                            "prose": "the accounting includes the purpose of each disclosure;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-21_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -125919,7 +140169,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the name of the individual or organization to whom the disclosure was made;"
+                            "prose": "the accounting includes the name of the individual or organization to whom the disclosure was made;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-21_obj.a.2-2",
@@ -125931,10 +140187,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;"
+                            "prose": "the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;",
+                            "links": [
+                              {
+                                "href": "#pm-21_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-21_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -125947,7 +140221,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;"
+                    "prose": "the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;",
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-21_obj.c",
@@ -125959,7 +140239,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request."
+                    "prose": "the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.",
+                    "links": [
+                      {
+                        "href": "#pm-21_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -126160,7 +140452,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organization-wide policies for personally identifiable information quality management are developed and documented;"
+                    "prose": "organization-wide policies for personally identifiable information quality management are developed and documented;",
+                    "links": [
+                      {
+                        "href": "#pm-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-22_obj-2",
@@ -126172,7 +140470,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "organization-wide procedures for personally identifiable information quality management are developed and documented;"
+                    "prose": "organization-wide procedures for personally identifiable information quality management are developed and documented;",
+                    "links": [
+                      {
+                        "href": "#pm-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-22_obj.a",
@@ -126195,7 +140499,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the accuracy of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the accuracy of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-2",
@@ -126207,7 +140517,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the relevance of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the relevance of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-3",
@@ -126219,7 +140535,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the timeliness of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the timeliness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-4",
@@ -126231,7 +140553,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address reviewing the completeness of personally identifiable information across the information life cycle;"
+                        "prose": "the policies address reviewing the completeness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-5",
@@ -126243,7 +140571,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-6",
@@ -126255,7 +140589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the relevance of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the relevance of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-7",
@@ -126267,7 +140607,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.a-8",
@@ -126279,7 +140625,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address reviewing the completeness of personally identifiable information across the information life cycle;"
+                        "prose": "the procedures address reviewing the completeness of personally identifiable information across the information life cycle;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -126304,7 +140662,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address correcting or deleting inaccurate or outdated personally identifiable information;"
+                        "prose": "the policies address correcting or deleting inaccurate or outdated personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.b-2",
@@ -126316,7 +140680,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address correcting or deleting inaccurate or outdated personally identifiable information;"
+                        "prose": "the procedures address correcting or deleting inaccurate or outdated personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -126341,7 +140717,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"
+                        "prose": "the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.c-2",
@@ -126353,7 +140735,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;"
+                        "prose": "the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -126378,7 +140772,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the policies address appeals of adverse decisions on correction or deletion requests;"
+                        "prose": "the policies address appeals of adverse decisions on correction or deletion requests;",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-22_obj.d-2",
@@ -126390,10 +140790,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the procedures address appeals of adverse decisions on correction or deletion requests."
+                        "prose": "the procedures address appeals of adverse decisions on correction or deletion requests.",
+                        "links": [
+                          {
+                            "href": "#pm-22_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-22_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-22_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -126606,7 +141024,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }} is established."
+                "prose": "a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }} is established.",
+                "links": [
+                  {
+                    "href": "#pm-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pm-23_asm-examine",
@@ -126774,7 +141198,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the Data Integrity Board reviews proposals to conduct or participate in a matching program;"
+                    "prose": "the Data Integrity Board reviews proposals to conduct or participate in a matching program;",
+                    "links": [
+                      {
+                        "href": "#pm-24_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-24_obj.b",
@@ -126786,7 +141216,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated."
+                    "prose": "the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.",
+                    "links": [
+                      {
+                        "href": "#pm-24_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-24_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -127066,7 +141508,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal testing are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal testing are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-2",
@@ -127078,7 +141526,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal training are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal training are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-3",
@@ -127090,7 +141544,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal research are developed and documented;"
+                        "prose": "policies that address the use of personally identifiable information for internal research are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-4",
@@ -127102,7 +141562,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal testing are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal testing are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-5",
@@ -127114,7 +141580,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal training are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal training are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-6",
@@ -127126,7 +141598,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal research are developed and documented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal research are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-7",
@@ -127138,7 +141616,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for internal testing, are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for internal testing, are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-8",
@@ -127150,7 +141634,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for training are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for training are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-9",
@@ -127162,7 +141652,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies that address the use of personally identifiable information for research are implemented;"
+                        "prose": "policies that address the use of personally identifiable information for research are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-10",
@@ -127174,7 +141670,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for internal testing are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for internal testing are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-11",
@@ -127186,7 +141688,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for training are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for training are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.a-12",
@@ -127198,7 +141706,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures that address the use of personally identifiable information for research are implemented;"
+                        "prose": "procedures that address the use of personally identifiable information for research are implemented;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -127223,7 +141743,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal testing purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal testing purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.b-2",
@@ -127235,7 +141761,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal training purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal training purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.b-3",
@@ -127247,7 +141779,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the amount of personally identifiable information used for internal research purposes is limited or minimized;"
+                        "prose": "the amount of personally identifiable information used for internal research purposes is limited or minimized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -127272,7 +141816,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal testing is authorized;"
+                        "prose": "the required use of personally identifiable information for internal testing is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.c-2",
@@ -127284,7 +141834,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal training is authorized;"
+                        "prose": "the required use of personally identifiable information for internal training is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.c-3",
@@ -127296,7 +141852,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the required use of personally identifiable information for internal research is authorized;"
+                        "prose": "the required use of personally identifiable information for internal research is authorized;",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -127321,7 +141889,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies are reviewed {{ insert: param, pm-25_odp.01 }};"
+                        "prose": "policies are reviewed {{ insert: param, pm-25_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-2",
@@ -127333,7 +141907,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "policies are updated {{ insert: param, pm-25_odp.02 }};"
+                        "prose": "policies are updated {{ insert: param, pm-25_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-3",
@@ -127345,7 +141925,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are reviewed {{ insert: param, pm-25_odp.03 }};"
+                        "prose": "procedures are reviewed {{ insert: param, pm-25_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-25_obj.d-4",
@@ -127357,10 +141943,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "procedures are updated {{ insert: param, pm-25_odp.04 }}."
+                        "prose": "procedures are updated {{ insert: param, pm-25_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#pm-25_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-25_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-25_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -127656,7 +142260,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"
+                    "prose": "a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj-2",
@@ -127668,7 +142278,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;"
+                    "prose": "a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.a",
@@ -127691,7 +142307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes mechanisms that are easy to use by the public;"
+                        "prose": "the complaint management process includes mechanisms that are easy to use by the public;",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-26_obj.a-2",
@@ -127703,7 +142325,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes mechanisms that are readily accessible by the public;"
+                        "prose": "the complaint management process includes mechanisms that are readily accessible by the public;",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -127717,7 +142351,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes all information necessary for successfully filing complaints;"
+                    "prose": "the complaint management process includes all information necessary for successfully filing complaints;",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.c",
@@ -127740,7 +142380,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};"
+                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-26_obj.c-2",
@@ -127752,7 +142398,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};"
+                        "prose": "the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pm-26_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -127766,7 +142424,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};"
+                    "prose": "the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-26_obj.e",
@@ -127778,7 +142442,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}."
+                    "prose": "the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-26_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-26_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -128069,7 +142745,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;"
+                        "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;",
+                        "links": [
+                          {
+                            "href": "#pm-27_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-27_obj.a.2",
@@ -128092,7 +142774,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};"
+                            "prose": "the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};",
+                            "links": [
+                              {
+                                "href": "#pm-27_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-27_obj.a.2-2",
@@ -128104,10 +142792,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;"
+                            "prose": "the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;",
+                            "links": [
+                              {
+                                "href": "#pm-27_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-27_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-27_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -128120,7 +142826,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}."
+                    "prose": "the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-27_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-27_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -128401,7 +143119,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk assessments are identified and documented;"
+                            "prose": "assumptions affecting risk assessments are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.1-2",
@@ -128413,7 +143137,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk responses are identified and documented;"
+                            "prose": "assumptions affecting risk responses are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.1-3",
@@ -128425,7 +143155,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "assumptions affecting risk monitoring are identified and documented;"
+                            "prose": "assumptions affecting risk monitoring are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -128450,7 +143192,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk assessments are identified and documented;"
+                            "prose": "constraints affecting risk assessments are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.2-2",
@@ -128462,7 +143210,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk responses are identified and documented;"
+                            "prose": "constraints affecting risk responses are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.2-3",
@@ -128474,7 +143228,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "constraints affecting risk monitoring are identified and documented;"
+                            "prose": "constraints affecting risk monitoring are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -128499,7 +143265,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "priorities considered by the organization for managing risk are identified and documented;"
+                            "prose": "priorities considered by the organization for managing risk are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pm-28_obj.a.3-2",
@@ -128511,7 +143283,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "trade-offs considered by the organization for managing risk are identified and documented;"
+                            "prose": "trade-offs considered by the organization for managing risk are identified and documented;",
+                            "links": [
+                              {
+                                "href": "#pm-28_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -128525,7 +143309,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational risk tolerance is identified and documented;"
+                        "prose": "organizational risk tolerance is identified and documented;",
+                        "links": [
+                          {
+                            "href": "#pm-28_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -128539,7 +143335,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};"
+                    "prose": "the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-28_obj.c",
@@ -128551,7 +143353,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}."
+                    "prose": "risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pm-28_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-28_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -128731,7 +143545,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a Senior Accountable Official for Risk Management is appointed;"
+                        "prose": "a Senior Accountable Official for Risk Management is appointed;",
+                        "links": [
+                          {
+                            "href": "#pm-29_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-29_obj.a-2",
@@ -128743,7 +143563,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;"
+                        "prose": "a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;",
+                        "links": [
+                          {
+                            "href": "#pm-29_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-29_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -128768,7 +143600,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a Risk Executive (function) is established;"
+                        "prose": "a Risk Executive (function) is established;",
+                        "links": [
+                          {
+                            "href": "#pm-29_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-29_obj.b-2",
@@ -128780,7 +143618,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a Risk Executive (function) views and analyzes risk from an organization-wide perspective;"
+                        "prose": "a Risk Executive (function) views and analyzes risk from an organization-wide perspective;",
+                        "links": [
+                          {
+                            "href": "#pm-29_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-29_obj.b-3",
@@ -128792,10 +143636,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a Risk Executive (function) ensures that the management of risk is consistent across the organization."
+                        "prose": "a Risk Executive (function) ensures that the management of risk is consistent across the organization.",
+                        "links": [
+                          {
+                            "href": "#pm-29_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-29_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-29_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -129066,7 +143928,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an organization-wide strategy for managing supply chain risks is developed;"
+                        "prose": "an organization-wide strategy for managing supply chain risks is developed;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-2",
@@ -129078,7 +143946,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the development of systems;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the development of systems;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-3",
@@ -129090,7 +143964,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the development of system components;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the development of system components;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-4",
@@ -129102,7 +143982,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the development of system services;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the development of system services;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-5",
@@ -129114,7 +144000,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of systems;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of systems;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-6",
@@ -129126,7 +144018,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of system components;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of system components;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-7",
@@ -129138,7 +144036,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of system services;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the acquisition of system services;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-8",
@@ -129150,7 +144054,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of systems;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of systems;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-9",
@@ -129162,7 +144072,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of system components;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of system components;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-10",
@@ -129174,7 +144090,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of system services;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the maintenance of system services;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-11",
@@ -129186,7 +144108,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of systems;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of systems;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-12",
@@ -129198,7 +144126,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of system components;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of system components;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30_obj.a-13",
@@ -129210,7 +144144,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of system services;"
+                        "prose": "the supply chain risk management strategy addresses risks associated with the disposal of system services;",
+                        "links": [
+                          {
+                            "href": "#pm-30_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-30_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -129224,7 +144170,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management strategy is implemented consistently across the organization;"
+                    "prose": "the supply chain risk management strategy is implemented consistently across the organization;",
+                    "links": [
+                      {
+                        "href": "#pm-30_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-30_obj.c",
@@ -129236,7 +144188,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management strategy is reviewed and updated {{ insert: param, pm-30_odp }} or as required to address organizational changes."
+                    "prose": "the supply chain risk management strategy is reviewed and updated {{ insert: param, pm-30_odp }} or as required to address organizational changes.",
+                    "links": [
+                      {
+                        "href": "#pm-30_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-30_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -129361,7 +144325,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "suppliers of critical or mission-essential technologies, products, and services are identified;"
+                        "prose": "suppliers of critical or mission-essential technologies, products, and services are identified;",
+                        "links": [
+                          {
+                            "href": "#pm-30.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30.1_obj-2",
@@ -129373,7 +144343,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "suppliers of critical or mission-essential technologies, products, and services are prioritized;"
+                        "prose": "suppliers of critical or mission-essential technologies, products, and services are prioritized;",
+                        "links": [
+                          {
+                            "href": "#pm-30.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-30.1_obj-3",
@@ -129385,7 +144361,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "suppliers of critical or mission-essential technologies, products, and services are assessed."
+                        "prose": "suppliers of critical or mission-essential technologies, products, and services are assessed.",
+                        "links": [
+                          {
+                            "href": "#pm-30.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-30.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -129534,10 +144522,10 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "label": "frequency",
+                "label": "monitoring frequencies",
                 "guidelines": [
                   {
-                    "prose": "the frequency for monitoring is defined;"
+                    "prose": "the frequencies for monitoring are defined;"
                   }
                 ]
               },
@@ -129559,10 +144547,10 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "label": "frequency",
+                "label": "assessment frequencies",
                 "guidelines": [
                   {
-                    "prose": "the frequency for assessing control effectiveness is defined;"
+                    "prose": "the frequencies for assessing control effectiveness are defined;"
                   }
                 ]
               },
@@ -129895,7 +144883,7 @@
                         "value": "b."
                       }
                     ],
-                    "prose": "Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"
+                    "prose": "Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;"
                   },
                   {
                     "id": "pm-31_smt.c",
@@ -129970,7 +144958,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;"
+                    "prose": "continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;",
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-31_obj.b",
@@ -129993,7 +144987,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;"
+                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.b-2",
@@ -130005,7 +145005,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;"
+                        "prose": "continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -130019,7 +145031,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;"
+                    "prose": "continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;",
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pm-31_obj.d",
@@ -130042,7 +145060,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;"
+                        "prose": "continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.d-2",
@@ -130054,7 +145078,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;"
+                        "prose": "continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -130079,7 +145115,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;"
+                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.e-2",
@@ -130091,7 +145133,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;"
+                        "prose": "continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -130116,7 +145170,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};"
+                        "prose": "continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pm-31_obj.f-2",
@@ -130128,10 +145188,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}."
+                        "prose": "continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.",
+                        "links": [
+                          {
+                            "href": "#pm-31_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pm-31_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pm-31_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -130305,7 +145383,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pm-32_odp }} supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose."
+                "prose": "{{ insert: param, pm-32_odp }} supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.",
+                "links": [
+                  {
+                    "href": "#pm-32_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pm-32_asm-examine",
@@ -130740,7 +145824,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personnel security policy is developed and documented;"
+                        "prose": "a personnel security policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-2",
@@ -130752,7 +145842,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};"
+                        "prose": "the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-3",
@@ -130764,7 +145860,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;"
+                        "prose": "personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a-4",
@@ -130776,7 +145878,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};"
+                        "prose": "the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-1_obj.a.1",
@@ -130810,7 +145918,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-2",
@@ -130822,7 +145936,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-3",
@@ -130834,7 +145954,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-4",
@@ -130846,7 +145972,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-5",
@@ -130858,7 +145990,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-6",
@@ -130870,7 +146008,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ps-1_obj.a.1.a-7",
@@ -130882,7 +146026,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;"
+                                "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ps-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -130896,10 +146052,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -130912,7 +146086,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;"
+                    "prose": "the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-1_obj.c",
@@ -130946,7 +146126,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};"
+                            "prose": "the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.1-2",
@@ -130958,7 +146144,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};"
+                            "prose": "the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -130983,7 +146181,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};"
+                            "prose": "the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ps-1_obj.c.2-2",
@@ -130995,12 +146199,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}."
+                            "prose": "the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ps-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ps-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -131211,7 +146439,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a risk designation is assigned to all organizational positions;"
+                    "prose": "a risk designation is assigned to all organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.b",
@@ -131223,7 +146457,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "screening criteria are established for individuals filling organizational positions;"
+                    "prose": "screening criteria are established for individuals filling organizational positions;",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-2_obj.c",
@@ -131235,7 +146475,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}."
+                    "prose": "position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ps-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -131510,7 +146762,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals are screened prior to authorizing access to the system;"
+                    "prose": "individuals are screened prior to authorizing access to the system;",
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3_obj.b",
@@ -131533,7 +146791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};"
+                        "prose": "individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3_obj.b-2",
@@ -131545,10 +146809,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}."
+                        "prose": "where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -131689,7 +146971,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals accessing a system processing, storing, or transmitting classified information are cleared;"
+                        "prose": "individuals accessing a system processing, storing, or transmitting classified information are cleared;",
+                        "links": [
+                          {
+                            "href": "#ps-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3.1_obj-2",
@@ -131701,7 +146989,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system."
+                        "prose": "individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.",
+                        "links": [
+                          {
+                            "href": "#ps-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -131832,7 +147132,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system."
+                    "prose": "individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.",
+                    "links": [
+                      {
+                        "href": "#ps-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3.2_asm-examine",
@@ -132010,7 +147316,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;"
+                        "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;",
+                        "links": [
+                          {
+                            "href": "#ps-3.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-3.3_obj.b",
@@ -132022,7 +147334,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}."
+                        "prose": "individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.",
+                        "links": [
+                          {
+                            "href": "#ps-3.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -132187,7 +147511,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}."
+                    "prose": "individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-3.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-3.4_asm-examine",
@@ -132440,7 +147770,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};"
+                    "prose": "upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.b",
@@ -132452,7 +147788,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;"
+                    "prose": "upon termination of individual employment, any authenticators and credentials are terminated or revoked;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.c",
@@ -132464,7 +147806,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;"
+                    "prose": "upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.d",
@@ -132476,7 +147824,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;"
+                    "prose": "upon termination of individual employment, all security-related organizational system-related property is retrieved;",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4_obj.e",
@@ -132488,7 +147842,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained."
+                    "prose": "upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.",
+                    "links": [
+                      {
+                        "href": "#ps-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -132645,7 +148011,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;"
+                        "prose": "terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;",
+                        "links": [
+                          {
+                            "href": "#ps-4.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-4.1_obj.b",
@@ -132657,7 +148029,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process."
+                        "prose": "terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.",
+                        "links": [
+                          {
+                            "href": "#ps-4.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -132843,7 +148227,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}."
+                    "prose": "{{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-4.2_asm-examine",
@@ -133124,7 +148514,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;"
+                    "prose": "the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.b",
@@ -133136,7 +148532,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};"
+                    "prose": "{{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.c",
@@ -133148,7 +148550,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;"
+                    "prose": "access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-5_obj.d",
@@ -133160,7 +148568,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}."
+                    "prose": "{{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#ps-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -133435,7 +148855,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "access agreements are developed and documented for organizational systems;"
+                    "prose": "access agreements are developed and documented for organizational systems;",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.b",
@@ -133447,7 +148873,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};"
+                    "prose": "the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-6_obj.c",
@@ -133470,7 +148902,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;"
+                        "prose": "individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6_obj.c.2",
@@ -133482,10 +148920,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}."
+                        "prose": "individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ps-6_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-6_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -133688,7 +149144,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;"
+                        "prose": "access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;",
+                        "links": [
+                          {
+                            "href": "#ps-6.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6.2_obj.b",
@@ -133700,7 +149162,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;"
+                        "prose": "access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;",
+                        "links": [
+                          {
+                            "href": "#ps-6.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6.2_obj.c",
@@ -133712,7 +149180,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement."
+                        "prose": "access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement.",
+                        "links": [
+                          {
+                            "href": "#ps-6.2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -133878,7 +149358,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;"
+                        "prose": "individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;",
+                        "links": [
+                          {
+                            "href": "#ps-6.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ps-6.3_obj.b",
@@ -133890,7 +149376,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information."
+                        "prose": "individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.",
+                        "links": [
+                          {
+                            "href": "#ps-6.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ps-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -134181,7 +149679,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;"
+                    "prose": "personnel security requirements are established, including security roles and responsibilities for external providers;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.b",
@@ -134193,7 +149697,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;"
+                    "prose": "external providers are required to comply with personnel security policies and procedures established by the organization;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.c",
@@ -134205,7 +149715,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personnel security requirements are documented;"
+                    "prose": "personnel security requirements are documented;",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.d",
@@ -134217,7 +149733,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};"
+                    "prose": "external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-7_obj.e",
@@ -134229,7 +149751,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provider compliance with personnel security requirements is monitored."
+                    "prose": "provider compliance with personnel security requirements is monitored.",
+                    "links": [
+                      {
+                        "href": "#ps-7_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -134440,7 +149974,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;"
+                    "prose": "a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-8_obj.b",
@@ -134452,7 +149992,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
+                    "prose": "{{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.",
+                    "links": [
+                      {
+                        "href": "#ps-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -134586,7 +150138,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;"
+                    "prose": "security roles and responsibilities are incorporated into organizational position descriptions;",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ps-9_obj-2",
@@ -134598,7 +150156,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions."
+                    "prose": "privacy roles and responsibilities are incorporated into organizational position descriptions.",
+                    "links": [
+                      {
+                        "href": "#ps-9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ps-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -135033,7 +150603,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a personally identifiable information processing and transparency policy is developed and documented;"
+                        "prose": "a personally identifiable information processing and transparency policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-2",
@@ -135045,7 +150621,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};"
+                        "prose": "the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-3",
@@ -135057,7 +150639,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;"
+                        "prose": "personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a-4",
@@ -135069,7 +150657,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};"
+                        "prose": "the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-1_obj.a.1",
@@ -135103,7 +150697,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-2",
@@ -135115,7 +150715,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-3",
@@ -135127,7 +150733,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-4",
@@ -135139,7 +150751,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-5",
@@ -135151,7 +150769,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-6",
@@ -135163,7 +150787,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "pt-1_obj.a.1.a-7",
@@ -135175,7 +150805,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;"
+                                "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#pt-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -135189,10 +150831,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -135205,7 +150865,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;"
+                    "prose": "the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-1_obj.c",
@@ -135239,7 +150905,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};"
+                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-1_obj.c.1-2",
@@ -135251,7 +150923,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};"
+                            "prose": "the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -135276,7 +150960,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};"
+                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-1_obj.c.2-2",
@@ -135288,12 +150978,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}."
+                            "prose": "the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#pt-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -135558,7 +151272,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;"
+                    "prose": "the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;",
+                    "links": [
+                      {
+                        "href": "#pt-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-2_obj.b",
@@ -135570,7 +151290,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized."
+                    "prose": "the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.",
+                    "links": [
+                      {
+                        "href": "#pt-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -135784,7 +151516,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data tags containing {{ insert: param, pt-02.01_odp.01 }} are attached to {{ insert: param, pt-02.01_odp.02 }}."
+                    "prose": "data tags containing {{ insert: param, pt-02.01_odp.01 }} are attached to {{ insert: param, pt-02.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pt-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-2.1_asm-examine",
@@ -135972,7 +151710,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "enforcement of the authorized processing of personally identifiable information is managed using {{ insert: param, pt-02.02_odp }}."
+                    "prose": "enforcement of the authorized processing of personally identifiable information is managed using {{ insert: param, pt-02.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pt-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-2.2_asm-examine",
@@ -136301,7 +152045,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;"
+                    "prose": "the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;",
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3_obj.b",
@@ -136324,7 +152074,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the purpose(s) is/are described in the public privacy notices of the organization;"
+                        "prose": "the purpose(s) is/are described in the public privacy notices of the organization;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-3_obj.b-2",
@@ -136336,7 +152092,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the purpose(s) is/are described in the policies of the organization;"
+                        "prose": "the purpose(s) is/are described in the policies of the organization;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -136350,7 +152118,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);"
+                    "prose": "the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);",
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3_obj.d",
@@ -136373,7 +152147,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "changes in the processing of personally identifiable information are monitored;"
+                        "prose": "changes in the processing of personally identifiable information are monitored;",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-3_obj.d-2",
@@ -136385,10 +152165,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}."
+                        "prose": "{{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#pt-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -136593,7 +152391,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data tags containing {{ insert: param, pt-03.01_odp.01 }} are attached to {{ insert: param, pt-03.01_odp.02 }}."
+                    "prose": "data tags containing {{ insert: param, pt-03.01_odp.01 }} are attached to {{ insert: param, pt-03.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#pt-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3.1_asm-examine",
@@ -136777,7 +152581,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the processing purposes of personally identifiable information are tracked using {{ insert: param, pt-03.02_odp }}."
+                    "prose": "the processing purposes of personally identifiable information are tracked using {{ insert: param, pt-03.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pt-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-3.2_asm-examine",
@@ -136942,7 +152752,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making."
+                "prose": "the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.",
+                "links": [
+                  {
+                    "href": "#pt-4_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pt-4_asm-examine",
@@ -137089,7 +152905,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pt-04.01_odp }} are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information."
+                    "prose": "{{ insert: param, pt-04.01_odp }} are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.",
+                    "links": [
+                      {
+                        "href": "#pt-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-4.1_asm-examine",
@@ -137276,7 +153098,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, pt-04.02_odp.01 }} are presented to individuals {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}."
+                    "prose": "{{ insert: param, pt-04.02_odp.01 }} are presented to individuals {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#pt-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-4.2_asm-examine",
@@ -137423,7 +153251,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, pt-04.03_odp }} are implemented for individuals to revoke consent to the processing of their personally identifiable information."
+                    "prose": "the {{ insert: param, pt-04.03_odp }} are implemented for individuals to revoke consent to the processing of their personally identifiable information.",
+                    "links": [
+                      {
+                        "href": "#pt-4.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-4.3_asm-examine",
@@ -137711,7 +153545,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;"
+                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;",
+                        "links": [
+                          {
+                            "href": "#pt-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-5_obj.a-2",
@@ -137723,7 +153563,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};"
+                        "prose": "a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#pt-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -137737,7 +153589,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.c",
@@ -137749,7 +153607,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.d",
@@ -137761,7 +153625,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;"
+                    "prose": "a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5_obj.e",
@@ -137773,7 +153643,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided."
+                    "prose": "a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.",
+                    "links": [
+                      {
+                        "href": "#pt-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -137922,7 +153804,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}."
+                    "prose": "a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#pt-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5.1_asm-examine",
@@ -138047,7 +153935,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals."
+                    "prose": "Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.",
+                    "links": [
+                      {
+                        "href": "#pt-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-5.2_asm-examine",
@@ -138251,7 +154145,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;"
+                        "prose": "system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;",
+                        "links": [
+                          {
+                            "href": "#pt-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6_obj.a-2",
@@ -138263,7 +154163,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;"
+                        "prose": "new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;",
+                        "links": [
+                          {
+                            "href": "#pt-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -138277,7 +154189,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;"
+                    "prose": "system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;",
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-6_obj.c",
@@ -138289,7 +154207,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records."
+                    "prose": "system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.",
+                    "links": [
+                      {
+                        "href": "#pt-6_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -138434,7 +154364,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected."
+                    "prose": "all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.",
+                    "links": [
+                      {
+                        "href": "#pt-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-6.1_asm-examine",
@@ -138588,7 +154524,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;"
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6.2_obj-2",
@@ -138600,7 +154542,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;"
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-6.2_obj-3",
@@ -138612,7 +154560,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice."
+                        "prose": "all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.",
+                        "links": [
+                          {
+                            "href": "#pt-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -138787,7 +154747,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information."
+                "prose": "{{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.",
+                "links": [
+                  {
+                    "href": "#pt-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "pt-7_asm-examine",
@@ -138969,7 +154935,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;"
+                            "prose": "when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.a-2",
@@ -138981,7 +154953,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;"
+                            "prose": "when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -138995,7 +154979,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;"
+                        "prose": "when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;",
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-7.1_obj.c",
@@ -139018,7 +155008,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;"
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.c-2",
@@ -139030,7 +155026,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;"
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "pt-7.1_obj.c-3",
@@ -139042,10 +155044,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it."
+                            "prose": "when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.",
+                            "links": [
+                              {
+                                "href": "#pt-7.1_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#pt-7.1_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-7.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -139167,7 +155187,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity."
+                    "prose": "the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.",
+                    "links": [
+                      {
+                        "href": "#pt-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-7.2_asm-examine",
@@ -139374,7 +155400,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.b",
@@ -139397,7 +155429,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-8_obj.b-2",
@@ -139409,7 +155447,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -139423,7 +155473,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.d",
@@ -139435,7 +155491,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;"
+                    "prose": "the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;",
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "pt-8_obj.e",
@@ -139458,7 +155520,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;"
+                        "prose": "individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "pt-8_obj.e-2",
@@ -139470,10 +155538,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program."
+                        "prose": "individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.",
+                        "links": [
+                          {
+                            "href": "#pt-8_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#pt-8_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#pt-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -139935,7 +156021,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment policy is developed and documented;"
+                        "prose": "a risk assessment policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-2",
@@ -139947,7 +156039,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};"
+                        "prose": "the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-3",
@@ -139959,7 +156057,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;"
+                        "prose": "risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a-4",
@@ -139971,7 +156075,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};"
+                        "prose": "the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-1_obj.a.1",
@@ -140005,7 +156115,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-2",
@@ -140017,7 +156133,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-3",
@@ -140029,7 +156151,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-4",
@@ -140041,7 +156169,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-5",
@@ -140053,7 +156187,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-6",
@@ -140065,7 +156205,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "ra-1_obj.a.1.a-7",
@@ -140077,7 +156223,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;"
+                                "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#ra-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -140091,10 +156249,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -140107,7 +156283,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;"
+                    "prose": "the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-1_obj.c",
@@ -140141,7 +156323,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.1-2",
@@ -140153,7 +156341,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};"
+                            "prose": "the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -140178,7 +156378,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};"
+                            "prose": "the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "ra-1_obj.c.2-2",
@@ -140190,12 +156396,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}."
+                            "prose": "the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#ra-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#ra-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -140432,7 +156662,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system and the information it processes, stores, and transmits are categorized;"
+                    "prose": "the system and the information it processes, stores, and transmits are categorized;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.b",
@@ -140444,7 +156680,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;"
+                    "prose": "the security categorization results, including supporting rationale, are documented in the security plan for the system;",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2_obj.c",
@@ -140456,7 +156698,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision."
+                    "prose": "the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.",
+                    "links": [
+                      {
+                        "href": "#ra-2_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -140579,7 +156833,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels."
+                    "prose": "an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.",
+                    "links": [
+                      {
+                        "href": "#ra-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-2.1_asm-examine",
@@ -141062,7 +157322,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;"
+                        "prose": "a risk assessment is conducted to identify threats to and vulnerabilities in the system;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.2",
@@ -141074,7 +157340,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3_obj.a.3",
@@ -141086,7 +157358,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;"
+                        "prose": "a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#ra-3_smt.a.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -141100,7 +157384,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;"
+                    "prose": "risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.c",
@@ -141112,7 +157402,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};"
+                    "prose": "risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.d",
@@ -141124,7 +157420,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};"
+                    "prose": "risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.e",
@@ -141136,7 +157438,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};"
+                    "prose": "risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3_obj.f",
@@ -141148,7 +157456,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system."
+                    "prose": "the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.",
+                    "links": [
+                      {
+                        "href": "#ra-3_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -141372,7 +157692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;"
+                        "prose": "supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3.1_obj.b",
@@ -141384,7 +157710,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain."
+                        "prose": "the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.",
+                        "links": [
+                          {
+                            "href": "#ra-3.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -141512,7 +157850,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "all-source intelligence is used to assist in the analysis of risk."
+                    "prose": "all-source intelligence is used to assist in the analysis of risk.",
+                    "links": [
+                      {
+                        "href": "#ra-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3.2_asm-examine",
@@ -141664,7 +158008,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the current cyber threat environment is determined on an ongoing basis using {{ insert: param, ra-03.03_odp }}."
+                    "prose": "the current cyber threat environment is determined on an ongoing basis using {{ insert: param, ra-03.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ra-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-3.3_asm-examine",
@@ -141871,7 +158221,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ra-03.04_odp.01 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }};"
+                        "prose": "{{ insert: param, ra-03.04_odp.01 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#ra-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-3.4_obj-2",
@@ -141883,7 +158239,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ra-03.04_odp.03 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}."
+                        "prose": "{{ insert: param, ra-03.04_odp.03 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#ra-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -142357,7 +158725,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.a-2",
@@ -142369,7 +158743,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;"
+                        "prose": "systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -142395,7 +158781,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.2",
@@ -142407,7 +158799,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5_obj.b.3",
@@ -142419,7 +158817,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;"
+                        "prose": "vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;",
+                        "links": [
+                          {
+                            "href": "#ra-5_smt.b.3",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -142433,7 +158843,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;"
+                    "prose": "vulnerability scan reports and results from vulnerability monitoring are analyzed;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.d",
@@ -142445,7 +158861,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;"
+                    "prose": "legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.e",
@@ -142457,7 +158879,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;"
+                    "prose": "information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5_obj.f",
@@ -142469,7 +158897,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed."
+                    "prose": "vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.",
+                    "links": [
+                      {
+                        "href": "#ra-5_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -142675,7 +159115,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}."
+                    "prose": "the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.2_asm-examine",
@@ -142801,7 +159247,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the breadth and depth of vulnerability scanning coverage are defined."
+                    "prose": "the breadth and depth of vulnerability scanning coverage are defined.",
+                    "links": [
+                      {
+                        "href": "#ra-5.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.3_asm-examine",
@@ -142968,7 +159420,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information about the system is discoverable;"
+                        "prose": "information about the system is discoverable;",
+                        "links": [
+                          {
+                            "href": "#ra-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-5.4_obj-2",
@@ -142980,7 +159438,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable."
+                        "prose": "{{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.",
+                        "links": [
+                          {
+                            "href": "#ra-5.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-5.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -143150,7 +159620,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}."
+                    "prose": "privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.5_asm-examine",
@@ -143298,7 +159774,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the results of multiple vulnerability scans are compared using {{ insert: param, ra-05.06_odp }}."
+                    "prose": "the results of multiple vulnerability scans are compared using {{ insert: param, ra-05.06_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.6_asm-examine",
@@ -143504,7 +159986,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}."
+                    "prose": "historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#ra-5.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.8_asm-examine",
@@ -143660,7 +160148,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors."
+                    "prose": "the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.",
+                    "links": [
+                      {
+                        "href": "#ra-5.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.10_asm-examine",
@@ -143786,7 +160280,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components."
+                    "prose": "a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.",
+                    "links": [
+                      {
+                        "href": "#ra-5.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-5.11_asm-examine",
@@ -143991,7 +160491,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a technical surveillance countermeasures survey is employed at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}."
+                "prose": "a technical surveillance countermeasures survey is employed at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ra-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ra-6_asm-examine",
@@ -144176,7 +160682,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from security assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-2",
@@ -144188,7 +160700,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from privacy assessments are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-3",
@@ -144200,7 +160718,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;"
+                    "prose": "findings from monitoring are responded to in accordance with organizational risk tolerance;",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-7_obj-4",
@@ -144212,7 +160736,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance."
+                    "prose": "findings from audits are responded to in accordance with organizational risk tolerance.",
+                    "links": [
+                      {
+                        "href": "#ra-7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -144447,7 +160983,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;"
+                    "prose": "privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;",
+                    "links": [
+                      {
+                        "href": "#ra-8_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "ra-8_obj.b",
@@ -144470,7 +161012,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;"
+                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;",
+                        "links": [
+                          {
+                            "href": "#ra-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-8_obj.b-2",
@@ -144482,10 +161030,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government."
+                        "prose": "privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.",
+                        "links": [
+                          {
+                            "href": "#ra-8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-8_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-8_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -144693,7 +161259,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}."
+                "prose": "critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#ra-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "ra-9_asm-examine",
@@ -144943,7 +161515,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;"
+                        "prose": "a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;",
+                        "links": [
+                          {
+                            "href": "#ra-10_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "ra-10_obj.a.2",
@@ -144955,7 +161533,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;"
+                        "prose": "a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;",
+                        "links": [
+                          {
+                            "href": "#ra-10_smt.a.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#ra-10_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -144969,7 +161559,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the threat hunting capability is employed {{ insert: param, ra-10_odp }}."
+                    "prose": "the threat hunting capability is employed {{ insert: param, ra-10_odp }}.",
+                    "links": [
+                      {
+                        "href": "#ra-10_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#ra-10_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -145440,7 +162042,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and services acquisition policy is developed and documented;"
+                        "prose": "a system and services acquisition policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-2",
@@ -145452,7 +162060,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};"
+                        "prose": "the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-3",
@@ -145464,7 +162078,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;"
+                        "prose": "system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a-4",
@@ -145476,7 +162096,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};"
+                        "prose": "the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-1_obj.a.1",
@@ -145510,7 +162136,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-2",
@@ -145522,7 +162154,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-3",
@@ -145534,7 +162172,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-4",
@@ -145546,7 +162190,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-5",
@@ -145558,7 +162208,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-6",
@@ -145570,7 +162226,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sa-1_obj.a.1.a-7",
@@ -145582,7 +162244,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;"
+                                "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sa-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -145596,10 +162270,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -145612,7 +162304,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;"
+                    "prose": "the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-1_obj.c",
@@ -145646,7 +162344,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};"
+                            "prose": "the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.1-2",
@@ -145658,7 +162362,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};"
+                            "prose": "the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -145683,7 +162399,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};"
+                            "prose": "the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-1_obj.c.2-2",
@@ -145695,12 +162417,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}."
+                            "prose": "the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -145893,7 +162639,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level information security requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.a-2",
@@ -145905,7 +162657,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;"
+                        "prose": "the high-level privacy requirements for the system or system service are determined in mission and business process planning;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -145930,7 +162694,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.b-2",
@@ -145942,7 +162712,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;"
+                        "prose": "the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -145967,7 +162749,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;"
+                        "prose": "a discrete line item for information security is established in organizational programming and budgeting documentation;",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-2_obj.c-2",
@@ -145979,10 +162767,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation."
+                        "prose": "a discrete line item for privacy is established in organizational programming and budgeting documentation.",
+                        "links": [
+                          {
+                            "href": "#sa-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -146279,7 +163085,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.a-2",
@@ -146291,7 +163103,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;"
+                        "prose": "the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -146316,7 +163140,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "information security roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.b-2",
@@ -146328,7 +163158,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;"
+                        "prose": "privacy roles and responsibilities are defined and documented throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -146353,7 +163195,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with information security roles and responsibilities are identified;"
+                        "prose": "individuals with information security roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.c-2",
@@ -146365,7 +163213,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individuals with privacy roles and responsibilities are identified;"
+                        "prose": "individuals with privacy roles and responsibilities are identified;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -146390,7 +163250,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;"
+                        "prose": "organizational information security risk management processes are integrated into system development life cycle activities;",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3_obj.d-2",
@@ -146402,10 +163268,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities."
+                        "prose": "organizational privacy risk management processes are integrated into system development life cycle activities.",
+                        "links": [
+                          {
+                            "href": "#sa-3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-3_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -146552,7 +163436,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service."
+                    "prose": "system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-3.1_asm-examine",
@@ -146731,7 +163621,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the use of live data in pre-production environments is approved for the system, system component, or system service;"
+                            "prose": "the use of live data in pre-production environments is approved for the system, system component, or system service;",
+                            "links": [
+                              {
+                                "href": "#sa-3.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-3.2_obj.a-2",
@@ -146743,7 +163639,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the use of live data in pre-production environments is documented for the system, system component, or system service;"
+                            "prose": "the use of live data in pre-production environments is documented for the system, system component, or system service;",
+                            "links": [
+                              {
+                                "href": "#sa-3.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-3.2_obj.a-3",
@@ -146755,7 +163657,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the use of live data in pre-production environments is controlled for the system, system component, or system service;"
+                            "prose": "the use of live data in pre-production environments is controlled for the system, system component, or system service;",
+                            "links": [
+                              {
+                                "href": "#sa-3.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-3.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -146769,7 +163683,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments."
+                        "prose": "pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.",
+                        "links": [
+                          {
+                            "href": "#sa-3.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -146912,7 +163838,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a technology refresh schedule is planned for the system throughout the system development life cycle;"
+                        "prose": "a technology refresh schedule is planned for the system throughout the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-3.3_obj-2",
@@ -146924,7 +163856,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a technology refresh schedule is implemented for the system throughout the system development life cycle."
+                        "prose": "a technology refresh schedule is implemented for the system throughout the system development life cycle.",
+                        "links": [
+                          {
+                            "href": "#sa-3.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-3.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147356,7 +164300,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.a-2",
@@ -147368,7 +164318,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147382,7 +164344,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.c",
@@ -147405,7 +164373,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.c-2",
@@ -147417,7 +164391,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147442,7 +164428,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.d-2",
@@ -147454,7 +164446,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147479,7 +164483,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.e-2",
@@ -147491,7 +164501,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147516,7 +164538,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.f-2",
@@ -147528,7 +164556,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.f",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147542,7 +164582,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                    "prose": "the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4_obj.h",
@@ -147565,7 +164611,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;"
+                        "prose": "the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-2",
@@ -147577,7 +164629,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4_obj.h-3",
@@ -147589,7 +164647,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};"
+                        "prose": "the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.h",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -147603,7 +164673,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service."
+                    "prose": "acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sa-4_smt.i",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -147731,7 +164813,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented."
+                    "prose": "the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.",
+                    "links": [
+                      {
+                        "href": "#sa-4.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.1_asm-examine",
@@ -147923,7 +165011,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}."
+                    "prose": "the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.2_asm-examine",
@@ -148250,7 +165344,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.01 }};"
+                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.3_obj.b",
@@ -148262,7 +165362,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-4.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.3_obj.c",
@@ -148274,7 +165380,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.05 }}."
+                        "prose": "the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.05 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-4.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -148489,7 +165607,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;"
+                        "prose": "the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;",
+                        "links": [
+                          {
+                            "href": "#sa-4.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.5_obj.b",
@@ -148501,7 +165625,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade."
+                        "prose": "the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.",
+                        "links": [
+                          {
+                            "href": "#sa-4.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -148675,7 +165811,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;"
+                        "prose": "only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;",
+                        "links": [
+                          {
+                            "href": "#sa-4.6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.6_obj.b",
@@ -148687,7 +165829,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures."
+                        "prose": "these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.",
+                        "links": [
+                          {
+                            "href": "#sa-4.6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -148861,7 +166015,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;"
+                        "prose": "the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;",
+                        "links": [
+                          {
+                            "href": "#sa-4.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.7_obj.b",
@@ -148873,7 +166033,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved."
+                        "prose": "if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.",
+                        "links": [
+                          {
+                            "href": "#sa-4.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -149005,7 +166177,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization."
+                    "prose": "the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.",
+                    "links": [
+                      {
+                        "href": "#sa-4.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.8_asm-examine",
@@ -149150,7 +166328,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the functions intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-2",
@@ -149162,7 +166346,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the ports intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-3",
@@ -149174,7 +166364,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;"
+                        "prose": "the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.9_obj-4",
@@ -149186,7 +166382,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use."
+                        "prose": "the developer of the system, system component, or system service is required to identify the services intended for organizational use.",
+                        "links": [
+                          {
+                            "href": "#sa-4.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -149304,7 +166512,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed."
+                    "prose": "only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.",
+                    "links": [
+                      {
+                        "href": "#sa-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.10_asm-examine",
@@ -149456,7 +166670,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-04.11_odp }} are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function."
+                    "prose": "{{ insert: param, sa-04.11_odp }} are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.",
+                    "links": [
+                      {
+                        "href": "#sa-4.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-4.11_asm-examine",
@@ -149638,7 +166858,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational data ownership requirements are included in the acquisition contract;"
+                        "prose": "organizational data ownership requirements are included in the acquisition contract;",
+                        "links": [
+                          {
+                            "href": "#sa-4.12_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-4.12_obj.b",
@@ -149650,7 +166876,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "all data to be removed from the contractor’s system and returned to the organization is required within {{ insert: param, sa-04.12_odp }}."
+                        "prose": "all data to be removed from the contractor’s system and returned to the organization is required within {{ insert: param, sa-04.12_odp }}.",
+                        "links": [
+                          {
+                            "href": "#sa-4.12_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-4.12_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -150046,7 +167284,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-2",
@@ -150058,7 +167302,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.1-3",
@@ -150070,7 +167320,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -150095,7 +167357,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-2",
@@ -150107,7 +167375,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-3",
@@ -150119,7 +167393,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.2-4",
@@ -150131,7 +167411,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -150156,7 +167448,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.a.3-2",
@@ -150168,10 +167466,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;"
+                            "prose": "administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -150206,7 +167522,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-2",
@@ -150218,7 +167540,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-3",
@@ -150230,7 +167558,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.1-4",
@@ -150242,7 +167576,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -150267,7 +167613,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.2-2",
@@ -150279,7 +167631,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -150304,7 +167668,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-5_obj.b.3-2",
@@ -150316,10 +167686,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;"
+                            "prose": "user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;",
+                            "links": [
+                              {
+                                "href": "#sa-5_smt.b.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.b.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.b",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -150343,7 +167731,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;"
+                        "prose": "attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-5_obj.c-2",
@@ -150355,7 +167749,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;"
+                        "prose": "after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;",
+                        "links": [
+                          {
+                            "href": "#sa-5_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -150369,7 +167775,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}."
+                    "prose": "documentation is distributed to {{ insert: param, sa-05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -150886,7 +168304,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-2",
@@ -150898,7 +168322,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-3",
@@ -150910,7 +168340,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-4",
@@ -150922,7 +168358,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-5",
@@ -150934,7 +168376,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-6",
@@ -150946,7 +168394,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-7",
@@ -150958,7 +168412,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-8",
@@ -150970,7 +168430,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-9",
@@ -150982,7 +168448,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;"
+                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8_obj-10",
@@ -150994,7 +168466,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components."
+                    "prose": "{{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.",
+                    "links": [
+                      {
+                        "href": "#sa-8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -151127,7 +168611,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the security design principle of clear abstractions is implemented."
+                    "prose": "the security design principle of clear abstractions is implemented.",
+                    "links": [
+                      {
+                        "href": "#sa-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.1_asm-examine",
@@ -151280,7 +168770,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.02_odp }} implement the security design principle of least common mechanism."
+                    "prose": "{{ insert: param, sa-08.02_odp }} implement the security design principle of least common mechanism.",
+                    "links": [
+                      {
+                        "href": "#sa-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.2_asm-examine",
@@ -151480,7 +168976,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.03_odp.01 }} implement the security design principle of modularity;"
+                        "prose": "{{ insert: param, sa-08.03_odp.01 }} implement the security design principle of modularity;",
+                        "links": [
+                          {
+                            "href": "#sa-8.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-8.3_obj-2",
@@ -151492,7 +168994,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.03_odp.02 }} implement the security design principle of layering."
+                        "prose": "{{ insert: param, sa-08.03_odp.02 }} implement the security design principle of layering.",
+                        "links": [
+                          {
+                            "href": "#sa-8.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-8.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -151647,7 +169161,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.04_odp }} implement the security design principle of partially ordered dependencies."
+                    "prose": "{{ insert: param, sa-08.04_odp }} implement the security design principle of partially ordered dependencies.",
+                    "links": [
+                      {
+                        "href": "#sa-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.4_asm-examine",
@@ -151804,7 +169324,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.05_odp }} implement the security design principle of efficiently mediated access."
+                    "prose": "{{ insert: param, sa-08.05_odp }} implement the security design principle of efficiently mediated access.",
+                    "links": [
+                      {
+                        "href": "#sa-8.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.5_asm-examine",
@@ -151961,7 +169487,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.06_odp }} implement the security design principle of minimized sharing."
+                    "prose": "{{ insert: param, sa-08.06_odp }} implement the security design principle of minimized sharing.",
+                    "links": [
+                      {
+                        "href": "#sa-8.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.6_asm-examine",
@@ -152114,7 +169646,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.07_odp }} implement the security design principle of reduced complexity."
+                    "prose": "{{ insert: param, sa-08.07_odp }} implement the security design principle of reduced complexity.",
+                    "links": [
+                      {
+                        "href": "#sa-8.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.7_asm-examine",
@@ -152271,7 +169809,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.08_odp }} implement the security design principle of secure evolvability."
+                    "prose": "{{ insert: param, sa-08.08_odp }} implement the security design principle of secure evolvability.",
+                    "links": [
+                      {
+                        "href": "#sa-8.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.8_asm-examine",
@@ -152424,7 +169968,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.09_odp }} implement the security design principle of trusted components."
+                    "prose": "{{ insert: param, sa-08.09_odp }} implement the security design principle of trusted components.",
+                    "links": [
+                      {
+                        "href": "#sa-8.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.9_asm-examine",
@@ -152577,7 +170127,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.10_odp }} implement the security design principle of hierarchical trust."
+                    "prose": "{{ insert: param, sa-08.10_odp }} implement the security design principle of hierarchical trust.",
+                    "links": [
+                      {
+                        "href": "#sa-8.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.10_asm-examine",
@@ -152730,7 +170286,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.11_odp }} implement the security design principle of inverse modification threshold."
+                    "prose": "{{ insert: param, sa-08.11_odp }} implement the security design principle of inverse modification threshold.",
+                    "links": [
+                      {
+                        "href": "#sa-8.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.11_asm-examine",
@@ -152883,7 +170445,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.12_odp }} implement the security design principle of hierarchical protection."
+                    "prose": "{{ insert: param, sa-08.12_odp }} implement the security design principle of hierarchical protection.",
+                    "links": [
+                      {
+                        "href": "#sa-8.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.12_asm-examine",
@@ -153036,7 +170604,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.13_odp }} implement the security design principle of minimized security elements."
+                    "prose": "{{ insert: param, sa-08.13_odp }} implement the security design principle of minimized security elements.",
+                    "links": [
+                      {
+                        "href": "#sa-8.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.13_asm-examine",
@@ -153197,7 +170771,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.14_odp }} implement the security design principle of least privilege."
+                    "prose": "{{ insert: param, sa-08.14_odp }} implement the security design principle of least privilege.",
+                    "links": [
+                      {
+                        "href": "#sa-8.14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.14_asm-examine",
@@ -153354,7 +170934,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.15_odp }} implement the security design principle of predicate permission."
+                    "prose": "{{ insert: param, sa-08.15_odp }} implement the security design principle of predicate permission.",
+                    "links": [
+                      {
+                        "href": "#sa-8.15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.15_asm-examine",
@@ -153507,7 +171093,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.16_odp }} implement the security design principle of self-reliant trustworthiness."
+                    "prose": "{{ insert: param, sa-08.16_odp }} implement the security design principle of self-reliant trustworthiness.",
+                    "links": [
+                      {
+                        "href": "#sa-8.16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.16_asm-examine",
@@ -153660,7 +171252,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.17_odp }} implement the security design principle of secure distributed composition."
+                    "prose": "{{ insert: param, sa-08.17_odp }} implement the security design principle of secure distributed composition.",
+                    "links": [
+                      {
+                        "href": "#sa-8.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.17_asm-examine",
@@ -153825,7 +171423,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.18_odp }} implement the security design principle of trusted communications channels."
+                    "prose": "{{ insert: param, sa-08.18_odp }} implement the security design principle of trusted communications channels.",
+                    "links": [
+                      {
+                        "href": "#sa-8.18_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.18_asm-examine",
@@ -153982,7 +171586,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.19_odp }} implement the security design principle of continuous protection."
+                    "prose": "{{ insert: param, sa-08.19_odp }} implement the security design principle of continuous protection.",
+                    "links": [
+                      {
+                        "href": "#sa-8.19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.19_asm-examine",
@@ -154135,7 +171745,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.20_odp }} implement the security design principle of secure metadata management."
+                    "prose": "{{ insert: param, sa-08.20_odp }} implement the security design principle of secure metadata management.",
+                    "links": [
+                      {
+                        "href": "#sa-8.20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.20_asm-examine",
@@ -154292,7 +171908,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.21_odp }} implement the security design principle of self-analysis."
+                    "prose": "{{ insert: param, sa-08.21_odp }} implement the security design principle of self-analysis.",
+                    "links": [
+                      {
+                        "href": "#sa-8.21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.21_asm-examine",
@@ -154520,7 +172142,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.22_odp.01 }} implement the security design principle of accountability;"
+                        "prose": "{{ insert: param, sa-08.22_odp.01 }} implement the security design principle of accountability;",
+                        "links": [
+                          {
+                            "href": "#sa-8.22_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-8.22_obj-2",
@@ -154532,7 +172160,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.22_odp.02 }} implement the security design principle of traceability."
+                        "prose": "{{ insert: param, sa-08.22_odp.02 }} implement the security design principle of traceability.",
+                        "links": [
+                          {
+                            "href": "#sa-8.22_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-8.22_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -154699,7 +172339,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.23_odp }} implement the security design principle of secure defaults."
+                    "prose": "{{ insert: param, sa-08.23_odp }} implement the security design principle of secure defaults.",
+                    "links": [
+                      {
+                        "href": "#sa-8.23_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.23_asm-examine",
@@ -154915,7 +172561,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.24_odp.01 }} implement the security design principle of secure failure;"
+                        "prose": "{{ insert: param, sa-08.24_odp.01 }} implement the security design principle of secure failure;",
+                        "links": [
+                          {
+                            "href": "#sa-8.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-8.24_obj-2",
@@ -154927,7 +172579,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-08.24_odp.02 }} implement the security design principle of secure recovery."
+                        "prose": "{{ insert: param, sa-08.24_odp.02 }} implement the security design principle of secure recovery.",
+                        "links": [
+                          {
+                            "href": "#sa-8.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-8.24_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -155086,7 +172750,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.25_odp }} implement the security design principle of economic security."
+                    "prose": "{{ insert: param, sa-08.25_odp }} implement the security design principle of economic security.",
+                    "links": [
+                      {
+                        "href": "#sa-8.25_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.25_asm-examine",
@@ -155255,7 +172925,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.26_odp }} implement the security design principle of performance security."
+                    "prose": "{{ insert: param, sa-08.26_odp }} implement the security design principle of performance security.",
+                    "links": [
+                      {
+                        "href": "#sa-8.26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.26_asm-examine",
@@ -155408,7 +173084,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.27_odp }} implement the security design principle of human factored security."
+                    "prose": "{{ insert: param, sa-08.27_odp }} implement the security design principle of human factored security.",
+                    "links": [
+                      {
+                        "href": "#sa-8.27_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.27_asm-examine",
@@ -155561,7 +173243,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.28_odp }} implement the security design principle of acceptable security."
+                    "prose": "{{ insert: param, sa-08.28_odp }} implement the security design principle of acceptable security.",
+                    "links": [
+                      {
+                        "href": "#sa-8.28_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.28_asm-examine",
@@ -155746,7 +173434,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.29_odp }} implement the security design principle of repeatable and documented procedures."
+                    "prose": "{{ insert: param, sa-08.29_odp }} implement the security design principle of repeatable and documented procedures.",
+                    "links": [
+                      {
+                        "href": "#sa-8.29_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.29_asm-examine",
@@ -155899,7 +173593,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.30_odp }} implement the security design principle of procedural rigor."
+                    "prose": "{{ insert: param, sa-08.30_odp }} implement the security design principle of procedural rigor.",
+                    "links": [
+                      {
+                        "href": "#sa-8.30_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.30_asm-examine",
@@ -156060,7 +173760,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.31_odp }} implement the security design principle of secure system modification."
+                    "prose": "{{ insert: param, sa-08.31_odp }} implement the security design principle of secure system modification.",
+                    "links": [
+                      {
+                        "href": "#sa-8.31_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.31_asm-examine",
@@ -156225,7 +173931,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-08.32_odp }} implement the security design principle of sufficient documentation."
+                    "prose": "{{ insert: param, sa-08.32_odp }} implement the security design principle of sufficient documentation.",
+                    "links": [
+                      {
+                        "href": "#sa-8.32_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.32_asm-examine",
@@ -156394,7 +174106,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}."
+                    "prose": "the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sa-8.33_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-8.33_asm-examine",
@@ -156684,7 +174402,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational security requirements;"
+                        "prose": "providers of external system services comply with organizational security requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-2",
@@ -156696,7 +174420,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services comply with organizational privacy requirements;"
+                        "prose": "providers of external system services comply with organizational privacy requirements;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.a-3",
@@ -156708,7 +174438,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};"
+                        "prose": "providers of external system services employ {{ insert: param, sa-09_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -156733,7 +174475,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "organizational oversight with regard to external system services are defined and documented;"
+                        "prose": "organizational oversight with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9_obj.b-2",
@@ -156745,7 +174493,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;"
+                        "prose": "user roles and responsibilities with regard to external system services are defined and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -156759,7 +174519,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis."
+                    "prose": "{{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.",
+                    "links": [
+                      {
+                        "href": "#sa-9_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-9_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -156955,7 +174727,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;"
+                        "prose": "an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;",
+                        "links": [
+                          {
+                            "href": "#sa-9.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9.1_obj.b",
@@ -156967,7 +174745,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services."
+                        "prose": "{{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.",
+                        "links": [
+                          {
+                            "href": "#sa-9.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -157125,7 +174915,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services."
+                    "prose": "providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.",
+                    "links": [
+                      {
+                        "href": "#sa-9.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.2_asm-examine",
@@ -157294,7 +175090,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are established and documented;"
+                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are established and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9.3_obj-2",
@@ -157306,7 +175108,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are maintained;"
+                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are maintained;",
+                        "links": [
+                          {
+                            "href": "#sa-9.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9.3_obj-3",
@@ -157318,7 +175126,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are established and documented;"
+                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are established and documented;",
+                        "links": [
+                          {
+                            "href": "#sa-9.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-9.3_obj-4",
@@ -157330,7 +175144,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are maintained."
+                        "prose": "trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are maintained.",
+                        "links": [
+                          {
+                            "href": "#sa-9.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-9.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -157478,7 +175304,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-09.04_odp.02 }} are taken to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests."
+                    "prose": "{{ insert: param, sa-09.04_odp.02 }} are taken to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests.",
+                    "links": [
+                      {
+                        "href": "#sa-9.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.4_asm-examine",
@@ -157681,7 +175513,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}."
+                    "prose": "based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-9.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.5_asm-examine",
@@ -157819,7 +175657,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system."
+                    "prose": "exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.",
+                    "links": [
+                      {
+                        "href": "#sa-9.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.6_asm-examine",
@@ -157949,7 +175793,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability is provided to check the integrity of information while it resides in the external system."
+                    "prose": "the capability is provided to check the integrity of information while it resides in the external system.",
+                    "links": [
+                      {
+                        "href": "#sa-9.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.7_asm-examine",
@@ -158083,7 +175933,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States."
+                    "prose": "the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.",
+                    "links": [
+                      {
+                        "href": "#sa-9.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-9.8_asm-examine",
@@ -158422,7 +176278,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};"
+                    "prose": "the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.b",
@@ -158445,7 +176307,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-2",
@@ -158457,7 +176325,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.b-3",
@@ -158469,7 +176343,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -158483,7 +176369,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;"
+                    "prose": "the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;",
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10_obj.d",
@@ -158506,7 +176398,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-2",
@@ -158518,7 +176416,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.d-3",
@@ -158530,7 +176434,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;"
+                        "prose": "the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -158555,7 +176471,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-2",
@@ -158567,7 +176489,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;"
+                        "prose": "the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10_obj.e-3",
@@ -158579,10 +176507,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-10_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10_smt.e",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-10_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -158717,7 +176663,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components."
+                    "prose": "the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.",
+                    "links": [
+                      {
+                        "href": "#sa-10.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10.1_asm-examine",
@@ -158843,7 +176795,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team."
+                    "prose": "an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.",
+                    "links": [
+                      {
+                        "href": "#sa-10.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10.2_asm-examine",
@@ -158973,7 +176931,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to enable integrity verification of hardware components."
+                    "prose": "the developer of the system, system component, or system service is required to enable integrity verification of hardware components.",
+                    "links": [
+                      {
+                        "href": "#sa-10.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10.3_asm-examine",
@@ -159110,7 +177074,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;"
+                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;",
+                        "links": [
+                          {
+                            "href": "#sa-10.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10.4_obj-2",
@@ -159122,7 +177092,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;"
+                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;",
+                        "links": [
+                          {
+                            "href": "#sa-10.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10.4_obj-3",
@@ -159134,7 +177110,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions."
+                        "prose": "the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.",
+                        "links": [
+                          {
+                            "href": "#sa-10.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -159240,7 +177228,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version."
+                    "prose": "the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.",
+                    "links": [
+                      {
+                        "href": "#sa-10.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10.5_asm-examine",
@@ -159366,7 +177360,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies."
+                    "prose": "the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.",
+                    "links": [
+                      {
+                        "href": "#sa-10.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-10.6_asm-examine",
@@ -159601,7 +177601,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-10.07_odp.01 }} are required to be included in the {{ insert: param, sa-10.07_odp.03 }};"
+                        "prose": "{{ insert: param, sa-10.07_odp.01 }} are required to be included in the {{ insert: param, sa-10.07_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#sa-10.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-10.7_obj-2",
@@ -159613,7 +177619,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sa-10.07_odp.02 }} are required to be included in the {{ insert: param, sa-10.07_odp.04 }}."
+                        "prose": "{{ insert: param, sa-10.07_odp.02 }} are required to be included in the {{ insert: param, sa-10.07_odp.04 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-10.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-10.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -159938,7 +177956,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-2",
@@ -159950,7 +177974,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-3",
@@ -159962,7 +177992,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.a-4",
@@ -159974,7 +178010,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -159988,7 +178036,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.c",
@@ -160011,7 +178065,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11_obj.c-2",
@@ -160023,7 +178083,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;"
+                        "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;",
+                        "links": [
+                          {
+                            "href": "#sa-11_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -160037,7 +178109,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;"
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11_obj.e",
@@ -160049,7 +178127,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation."
+                    "prose": "the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.",
+                    "links": [
+                      {
+                        "href": "#sa-11_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -160188,7 +178278,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;"
+                        "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;",
+                        "links": [
+                          {
+                            "href": "#sa-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11.1_obj-2",
@@ -160200,7 +178296,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis."
+                        "prose": "the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.",
+                        "links": [
+                          {
+                            "href": "#sa-11.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -160551,7 +178659,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.a-2",
@@ -160563,7 +178677,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.a-3",
@@ -160575,7 +178695,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.a-4",
@@ -160587,7 +178713,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -160612,7 +178750,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.b-2",
@@ -160624,7 +178768,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.b-3",
@@ -160636,7 +178786,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.b-4",
@@ -160648,7 +178804,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.2_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -160673,7 +178841,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.c-2",
@@ -160685,7 +178859,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.2_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -160710,7 +178896,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.d-2",
@@ -160722,7 +178914,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.d-3",
@@ -160734,7 +178932,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.2_obj.d-4",
@@ -160746,10 +178950,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}."
+                            "prose": "the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.",
+                            "links": [
+                              {
+                                "href": "#sa-11.2_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.2_smt.d",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.2_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -160951,7 +179173,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;"
+                            "prose": "an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;",
+                            "links": [
+                              {
+                                "href": "#sa-11.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.3_obj.a-2",
@@ -160963,7 +179191,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;"
+                            "prose": "an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;",
+                            "links": [
+                              {
+                                "href": "#sa-11.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -160977,7 +179217,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information."
+                        "prose": "the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.",
+                        "links": [
+                          {
+                            "href": "#sa-11.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -161147,7 +179399,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using {{ insert: param, sa-11.04_odp.02 }}."
+                    "prose": "the developer of the system, system component, or system service is required to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using {{ insert: param, sa-11.04_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-11.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11.4_asm-examine",
@@ -161417,7 +179675,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.01 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.01 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.5_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-11.5_obj.a-2",
@@ -161429,7 +179693,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-11.5_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-11.5_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -161443,7 +179719,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to perform penetration testing under {{ insert: param, sa-11.05_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to perform penetration testing under {{ insert: param, sa-11.05_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-11.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -161575,7 +179863,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to perform attack surface reviews."
+                    "prose": "the developer of the system, system component, or system service is required to perform attack surface reviews.",
+                    "links": [
+                      {
+                        "href": "#sa-11.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-11.6_asm-examine",
@@ -161766,7 +180060,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.01 }};"
+                        "prose": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-11.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11.7_obj-2",
@@ -161778,7 +180078,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.02 }}."
+                        "prose": "the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-11.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -161917,7 +180229,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;"
+                        "prose": "the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;",
+                        "links": [
+                          {
+                            "href": "#sa-11.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11.8_obj-2",
@@ -161929,7 +180247,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the results of the analysis."
+                        "prose": "the developer of the system, system component, or system service is required to document the results of the analysis.",
+                        "links": [
+                          {
+                            "href": "#sa-11.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -162068,7 +180398,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;"
+                        "prose": "the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;",
+                        "links": [
+                          {
+                            "href": "#sa-11.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-11.9_obj-2",
@@ -162080,7 +180416,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to document the results of flaw identification."
+                        "prose": "the developer of the system, system component, or system service is required to document the results of flaw identification.",
+                        "links": [
+                          {
+                            "href": "#sa-11.9_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-11.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -163012,7 +181360,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.1-2",
@@ -163024,7 +181378,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -163049,7 +181415,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.2-2",
@@ -163061,7 +181433,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -163086,7 +181470,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15_obj.a.3-2",
@@ -163098,7 +181488,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;"
+                            "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;",
+                            "links": [
+                              {
+                                "href": "#sa-15_smt.a.3",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.3",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -163112,7 +181514,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.a.4",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -163137,7 +181551,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15_obj.b-2",
@@ -163149,10 +181569,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-15_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-15_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -163361,7 +181799,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;"
+                        "prose": "the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;",
+                        "links": [
+                          {
+                            "href": "#sa-15.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.1_obj.b",
@@ -163373,7 +181817,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}."
+                        "prose": "the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-15.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -163494,7 +181950,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;"
+                        "prose": "the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;",
+                        "links": [
+                          {
+                            "href": "#sa-15.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.2_obj-2",
@@ -163506,7 +181968,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process."
+                        "prose": "the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process.",
+                        "links": [
+                          {
+                            "href": "#sa-15.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -163726,7 +182200,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;"
+                        "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;",
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.3_obj.b",
@@ -163749,7 +182229,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};"
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-15.3_obj.b-2",
@@ -163761,10 +182247,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} ."
+                            "prose": "the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .",
+                            "links": [
+                              {
+                                "href": "#sa-15.3_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-15.3_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.3_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -163959,7 +182463,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}."
+                    "prose": "the developer of the system, system component, or system service is required to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sa-15.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-15.5_asm-examine",
@@ -164085,7 +182595,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process."
+                    "prose": "the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.",
+                    "links": [
+                      {
+                        "href": "#sa-15.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-15.6_asm-examine",
@@ -164316,7 +182832,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to perform automated vulnerability analysis {{ insert: param, sa-15.07_odp.01 }} using {{ insert: param, sa-15.07_odp.02 }};"
+                        "prose": "the developer of the system, system component, or system service is required to perform automated vulnerability analysis {{ insert: param, sa-15.07_odp.01 }} using {{ insert: param, sa-15.07_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sa-15.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.7_obj.b",
@@ -164328,7 +182850,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities {{ insert: param, sa-15.07_odp.01 }};"
+                        "prose": "the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities {{ insert: param, sa-15.07_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sa-15.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.7_obj.c",
@@ -164340,7 +182868,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to determine potential risk mitigations {{ insert: param, sa-15.07_odp.01 }} for delivered vulnerabilities;"
+                        "prose": "the developer of the system, system component, or system service is required to determine potential risk mitigations {{ insert: param, sa-15.07_odp.01 }} for delivered vulnerabilities;",
+                        "links": [
+                          {
+                            "href": "#sa-15.7_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.7_obj.d",
@@ -164352,7 +182886,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis {{ insert: param, sa-15.07_odp.01 }} to {{ insert: param, sa-15.07_odp.03 }}."
+                        "prose": "the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis {{ insert: param, sa-15.07_odp.01 }} to {{ insert: param, sa-15.07_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sa-15.7_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -164491,7 +183037,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;"
+                        "prose": "the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;",
+                        "links": [
+                          {
+                            "href": "#sa-15.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.8_obj-2",
@@ -164503,7 +183055,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process."
+                        "prose": "the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.",
+                        "links": [
+                          {
+                            "href": "#sa-15.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -164654,7 +183218,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to provide an incident response plan;"
+                        "prose": "the developer of the system, system component, or system service is required to provide an incident response plan;",
+                        "links": [
+                          {
+                            "href": "#sa-15.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.10_obj-2",
@@ -164666,7 +183236,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to implement an incident response plan;"
+                        "prose": "the developer of the system, system component, or system service is required to implement an incident response plan;",
+                        "links": [
+                          {
+                            "href": "#sa-15.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-15.10_obj-3",
@@ -164678,7 +183254,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to test an incident response plan."
+                        "prose": "the developer of the system, system component, or system service is required to test an incident response plan.",
+                        "links": [
+                          {
+                            "href": "#sa-15.10_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-15.10_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -164788,7 +183376,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review."
+                    "prose": "the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.",
+                    "links": [
+                      {
+                        "href": "#sa-15.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-15.11_asm-examine",
@@ -164904,7 +183498,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments."
+                    "prose": "the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.",
+                    "links": [
+                      {
+                        "href": "#sa-15.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-15.12_asm-examine",
@@ -165070,7 +183670,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms."
+                "prose": "the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.",
+                "links": [
+                  {
+                    "href": "#sa-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sa-16_asm-examine",
@@ -165267,7 +183873,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.a-2",
@@ -165279,7 +183891,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -165304,7 +183928,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.b-2",
@@ -165316,7 +183946,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -165341,7 +183983,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;"
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17_obj.c-2",
@@ -165353,10 +184001,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection."
+                        "prose": "the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.",
+                        "links": [
+                          {
+                            "href": "#sa-17_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-17_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -165569,7 +184235,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.01 }} to be enforced;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.01 }} to be enforced;",
+                            "links": [
+                              {
+                                "href": "#sa-17.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.1_obj.a-2",
@@ -165581,7 +184253,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.02 }} to be enforced;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.02 }} to be enforced;",
+                            "links": [
+                              {
+                                "href": "#sa-17.1_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-17.1_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -165606,7 +184290,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;"
+                            "prose": "the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;",
+                            "links": [
+                              {
+                                "href": "#sa-17.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.1_obj.b-2",
@@ -165618,10 +184308,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented."
+                            "prose": "the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.",
+                            "links": [
+                              {
+                                "href": "#sa-17.1_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-17.1_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17.1_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -165780,7 +184488,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to define security-relevant hardware;"
+                            "prose": "the developer of the system, system component, or system service is required to define security-relevant hardware;",
+                            "links": [
+                              {
+                                "href": "#sa-17.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.2_obj.a-2",
@@ -165792,7 +184506,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to define security-relevant software;"
+                            "prose": "the developer of the system, system component, or system service is required to define security-relevant software;",
+                            "links": [
+                              {
+                                "href": "#sa-17.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.2_obj.a-3",
@@ -165804,7 +184524,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the developer of the system, system component, or system service is required to define security-relevant firmware;"
+                            "prose": "the developer of the system, system component, or system service is required to define security-relevant firmware;",
+                            "links": [
+                              {
+                                "href": "#sa-17.2_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-17.2_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -165818,7 +184550,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete."
+                        "prose": "the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.",
+                        "links": [
+                          {
+                            "href": "#sa-17.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -166023,7 +184767,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;",
+                            "links": [
+                              {
+                                "href": "#sa-17.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.3_obj.a-2",
@@ -166035,7 +184785,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;",
+                            "links": [
+                              {
+                                "href": "#sa-17.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.3_obj.a-3",
@@ -166047,7 +184803,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;",
+                            "links": [
+                              {
+                                "href": "#sa-17.3_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-17.3_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -166061,7 +184829,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;"
+                        "prose": "the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;",
+                        "links": [
+                          {
+                            "href": "#sa-17.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.3_obj.c",
@@ -166073,7 +184847,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"
+                        "prose": "the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;",
+                        "links": [
+                          {
+                            "href": "#sa-17.3_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.3_obj.d",
@@ -166085,7 +184865,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;"
+                        "prose": "the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;",
+                        "links": [
+                          {
+                            "href": "#sa-17.3_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.3_obj.e",
@@ -166097,7 +184883,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware."
+                        "prose": "the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.",
+                        "links": [
+                          {
+                            "href": "#sa-17.3_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -166323,7 +185121,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;",
+                            "links": [
+                              {
+                                "href": "#sa-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.4_obj.a-2",
@@ -166335,7 +185139,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;",
+                            "links": [
+                              {
+                                "href": "#sa-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sa-17.4_obj.a-3",
@@ -166347,7 +185157,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;"
+                            "prose": "as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;",
+                            "links": [
+                              {
+                                "href": "#sa-17.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sa-17.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -166361,7 +185183,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;"
+                        "prose": "the developer of the system, system component, or system service is required to show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;",
+                        "links": [
+                          {
+                            "href": "#sa-17.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.4_obj.c",
@@ -166373,7 +185201,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;"
+                        "prose": "the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;",
+                        "links": [
+                          {
+                            "href": "#sa-17.4_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.4_obj.d",
@@ -166385,7 +185219,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;"
+                        "prose": "the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;",
+                        "links": [
+                          {
+                            "href": "#sa-17.4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.4_obj.e",
@@ -166397,7 +185237,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware."
+                        "prose": "the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.",
+                        "links": [
+                          {
+                            "href": "#sa-17.4_smt.e",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -166550,7 +185402,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;"
+                        "prose": "the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;",
+                        "links": [
+                          {
+                            "href": "#sa-17.5_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sa-17.5_obj.b",
@@ -166562,7 +185420,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism."
+                        "prose": "the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.",
+                        "links": [
+                          {
+                            "href": "#sa-17.5_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sa-17.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -166676,7 +185546,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing."
+                    "prose": "the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.",
+                    "links": [
+                      {
+                        "href": "#sa-17.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-17.6_asm-examine",
@@ -166792,7 +185668,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege."
+                    "prose": "the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.",
+                    "links": [
+                      {
+                        "href": "#sa-17.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-17.7_asm-examine",
@@ -166948,7 +185830,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-17.08_odp.01 }} are designed with coordinated behavior to implement {{ insert: param, sa-17.08_odp.02 }}."
+                    "prose": "{{ insert: param, sa-17.08_odp.01 }} are designed with coordinated behavior to implement {{ insert: param, sa-17.08_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-17.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-17.8_asm-examine",
@@ -167079,7 +185967,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "different designs are used for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality."
+                    "prose": "different designs are used for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality.",
+                    "links": [
+                      {
+                        "href": "#sa-17.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-17.9_asm-examine",
@@ -167463,7 +186357,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sa-20_odp }} are reimplemented or custom-developed."
+                "prose": "{{ insert: param, sa-20_odp }} are reimplemented or custom-developed.",
+                "links": [
+                  {
+                    "href": "#sa-20_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sa-20_asm-examine",
@@ -167711,7 +186611,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};"
+                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sa-21_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-21_obj.b",
@@ -167723,7 +186629,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}."
+                    "prose": "the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sa-21_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -167964,7 +186882,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;"
+                    "prose": "system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sa-22_obj.b",
@@ -167976,7 +186900,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components."
+                    "prose": "{{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.",
+                    "links": [
+                      {
+                        "href": "#sa-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sa-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -168192,7 +187128,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sa-23_odp.01 }} is employed on {{ insert: param, sa-23_odp.02 }} supporting essential services or functions to increase the trustworthiness in those systems or components."
+                "prose": "{{ insert: param, sa-23_odp.01 }} is employed on {{ insert: param, sa-23_odp.02 }} supporting essential services or functions to increase the trustworthiness in those systems or components.",
+                "links": [
+                  {
+                    "href": "#sa-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sa-23_asm-examine",
@@ -168649,7 +187591,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and communications protection policy is developed and documented;"
+                        "prose": "a system and communications protection policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-2",
@@ -168661,7 +187609,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};"
+                        "prose": "the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-3",
@@ -168673,7 +187627,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;"
+                        "prose": "system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a-4",
@@ -168685,7 +187645,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};"
+                        "prose": "the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-1_obj.a.1",
@@ -168719,7 +187685,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-2",
@@ -168731,7 +187703,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-3",
@@ -168743,7 +187721,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-4",
@@ -168755,7 +187739,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-5",
@@ -168767,7 +187757,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-6",
@@ -168779,7 +187775,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sc-1_obj.a.1.a-7",
@@ -168791,7 +187793,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;"
+                                "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#sc-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -168805,10 +187819,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -168821,7 +187853,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;"
+                    "prose": "the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-1_obj.c",
@@ -168855,7 +187893,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.1-2",
@@ -168867,7 +187911,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};"
+                            "prose": "the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -168892,7 +187948,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};"
+                            "prose": "the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-1_obj.c.2-2",
@@ -168904,12 +187966,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}."
+                            "prose": "the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sc-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -169042,7 +188128,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "user functionality, including user interface services, is separated from system management functionality."
+                "prose": "user functionality, including user interface services, is separated from system management functionality.",
+                "links": [
+                  {
+                    "href": "#sc-2_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-2_asm-examine",
@@ -169172,7 +188264,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the presentation of system management functionality is prevented at interfaces to non-privileged users."
+                    "prose": "the presentation of system management functionality is prevented at interfaces to non-privileged users.",
+                    "links": [
+                      {
+                        "href": "#sc-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-2.1_asm-examine",
@@ -169298,7 +188396,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "state information is stored separately from applications and software."
+                    "prose": "state information is stored separately from applications and software.",
+                    "links": [
+                      {
+                        "href": "#sc-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-2.2_asm-examine",
@@ -169482,7 +188586,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "security functions are isolated from non-security functions."
+                "prose": "security functions are isolated from non-security functions.",
+                "links": [
+                  {
+                    "href": "#sc-3_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-3_asm-examine",
@@ -169608,7 +188718,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "hardware separation mechanisms are employed to implement security function isolation."
+                    "prose": "hardware separation mechanisms are employed to implement security function isolation.",
+                    "links": [
+                      {
+                        "href": "#sc-3.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-3.1_asm-examine",
@@ -169745,7 +188861,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions enforcing access control are isolated from non-security functions;"
+                        "prose": "security functions enforcing access control are isolated from non-security functions;",
+                        "links": [
+                          {
+                            "href": "#sc-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-3.2_obj-2",
@@ -169757,7 +188879,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions enforcing access control are isolated from other security functions;"
+                        "prose": "security functions enforcing access control are isolated from other security functions;",
+                        "links": [
+                          {
+                            "href": "#sc-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-3.2_obj-3",
@@ -169769,7 +188897,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions enforcing information flow control are isolated from non-security functions;"
+                        "prose": "security functions enforcing information flow control are isolated from non-security functions;",
+                        "links": [
+                          {
+                            "href": "#sc-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-3.2_obj-4",
@@ -169781,7 +188915,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions enforcing information flow control are isolated from other security functions."
+                        "prose": "security functions enforcing information flow control are isolated from other security functions.",
+                        "links": [
+                          {
+                            "href": "#sc-3.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-3.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -169914,7 +189060,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the number of non-security functions included within the isolation boundary containing security functions is minimized."
+                    "prose": "the number of non-security functions included within the isolation boundary containing security functions is minimized.",
+                    "links": [
+                      {
+                        "href": "#sc-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-3.3_asm-examine",
@@ -170056,7 +189208,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;"
+                        "prose": "security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;",
+                        "links": [
+                          {
+                            "href": "#sc-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-3.4_obj-2",
@@ -170068,7 +189226,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security functions are implemented as largely independent modules that minimize coupling between modules."
+                        "prose": "security functions are implemented as largely independent modules that minimize coupling between modules.",
+                        "links": [
+                          {
+                            "href": "#sc-3.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-3.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -170201,7 +189371,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers."
+                    "prose": "security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.",
+                    "links": [
+                      {
+                        "href": "#sc-3.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-3.5_asm-examine",
@@ -170343,7 +189519,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized information transfer via shared system resources is prevented;"
+                    "prose": "unauthorized information transfer via shared system resources is prevented;",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-4_obj-2",
@@ -170355,7 +189537,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unintended information transfer via shared system resources is prevented."
+                    "prose": "unintended information transfer via shared system resources is prevented.",
+                    "links": [
+                      {
+                        "href": "#sc-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -170530,7 +189724,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized information transfer via shared resources is prevented in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories."
+                    "prose": "unauthorized information transfer via shared resources is prevented in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories.",
+                    "links": [
+                      {
+                        "href": "#sc-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-4.2_asm-examine",
@@ -170769,7 +189969,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};"
+                    "prose": "the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5_obj.b",
@@ -170781,7 +189987,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective."
+                    "prose": "{{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.",
+                    "links": [
+                      {
+                        "href": "#sc-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -170926,7 +190144,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the ability of individuals to launch {{ insert: param, sc-05.01_odp }} against other systems is restricted."
+                    "prose": "the ability of individuals to launch {{ insert: param, sc-05.01_odp }} against other systems is restricted.",
+                    "links": [
+                      {
+                        "href": "#sc-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5.1_asm-examine",
@@ -171047,7 +190271,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed."
+                    "prose": "capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.",
+                    "links": [
+                      {
+                        "href": "#sc-5.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-5.2_asm-examine",
@@ -171252,7 +190482,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-05.03_odp.01 }} are employed to detect indicators of denial-of-service attacks against or launched from the system;"
+                        "prose": "{{ insert: param, sc-05.03_odp.01 }} are employed to detect indicators of denial-of-service attacks against or launched from the system;",
+                        "links": [
+                          {
+                            "href": "#sc-5.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-5.3_obj.b",
@@ -171264,7 +190500,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-05.03_odp.02 }} are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks."
+                        "prose": "{{ insert: param, sc-05.03_odp.02 }} are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.",
+                        "links": [
+                          {
+                            "href": "#sc-5.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-5.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -171466,7 +190714,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the availability of resources is protected by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}."
+                "prose": "the availability of resources is protected by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#sc-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-6_asm-examine",
@@ -171785,7 +191039,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are monitored;"
+                        "prose": "communications at external managed interfaces to the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-2",
@@ -171797,7 +191057,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at external managed interfaces to the system are controlled;"
+                        "prose": "communications at external managed interfaces to the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-3",
@@ -171809,7 +191075,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are monitored;"
+                        "prose": "communications at key internal managed interfaces within the system are monitored;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7_obj.a-4",
@@ -171821,7 +191093,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "communications at key internal managed interfaces within the system are controlled;"
+                        "prose": "communications at key internal managed interfaces within the system are controlled;",
+                        "links": [
+                          {
+                            "href": "#sc-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -171835,7 +191119,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;"
+                    "prose": "subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7_obj.c",
@@ -171847,7 +191137,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture."
+                    "prose": "external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.",
+                    "links": [
+                      {
+                        "href": "#sc-7_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-7_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -172030,7 +191332,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the number of external network connections to the system is limited."
+                    "prose": "the number of external network connections to the system is limited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.3_asm-examine",
@@ -172293,7 +191601,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a managed interface is implemented for each external telecommunication service;"
+                        "prose": "a managed interface is implemented for each external telecommunication service;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.b",
@@ -172305,7 +191619,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a traffic flow policy is established for each managed interface;"
+                        "prose": "a traffic flow policy is established for each managed interface;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.c",
@@ -172328,7 +191648,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the confidentiality of the information being transmitted across each interface is protected;"
+                            "prose": "the confidentiality of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.c-2",
@@ -172340,7 +191666,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the integrity of the information being transmitted across each interface is protected;"
+                            "prose": "the integrity of the information being transmitted across each interface is protected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -172354,7 +191692,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;"
+                        "prose": "each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.e",
@@ -172377,7 +191721,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};"
+                            "prose": "exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.4_obj.e-2",
@@ -172389,7 +191739,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;"
+                            "prose": "exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;",
+                            "links": [
+                              {
+                                "href": "#sc-7.4_smt.e",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.e",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -172403,7 +191765,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;"
+                        "prose": "unauthorized exchanges of control plan traffic with external networks are prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.f",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.g",
@@ -172415,7 +191783,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;"
+                        "prose": "information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.g",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.4_obj.h",
@@ -172427,7 +191801,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unauthorized control plane traffic is filtered from external networks."
+                        "prose": "unauthorized control plane traffic is filtered from external networks.",
+                        "links": [
+                          {
+                            "href": "#sc-7.4_smt.h",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -172604,7 +191990,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};"
+                        "prose": "network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.5_obj-2",
@@ -172616,7 +192008,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}."
+                        "prose": "network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-7.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -172791,7 +192195,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}."
+                    "prose": "split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.7_asm-examine",
@@ -172958,7 +192368,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces."
+                    "prose": "{{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.",
+                    "links": [
+                      {
+                        "href": "#sc-7.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.8_asm-examine",
@@ -173152,7 +192568,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "outgoing communications traffic posing a threat to external systems is detected;"
+                            "prose": "outgoing communications traffic posing a threat to external systems is detected;",
+                            "links": [
+                              {
+                                "href": "#sc-7.9_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.9_obj.a-2",
@@ -173164,7 +192586,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "outgoing communications traffic posing a threat to external systems is denied;"
+                            "prose": "outgoing communications traffic posing a threat to external systems is denied;",
+                            "links": [
+                              {
+                                "href": "#sc-7.9_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.9_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -173178,7 +192612,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the identity of internal users associated with denied communications is audited."
+                        "prose": "the identity of internal users associated with denied communications is audited.",
+                        "links": [
+                          {
+                            "href": "#sc-7.9_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.9_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -173369,7 +192815,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the exfiltration of information is prevented;"
+                        "prose": "the exfiltration of information is prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-7.10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.10_obj.b",
@@ -173381,7 +192833,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}."
+                        "prose": "exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}.",
+                        "links": [
+                          {
+                            "href": "#sc-7.10_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.10_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -173550,7 +193014,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only incoming communications from {{ insert: param, sc-07.11_odp.01 }} are allowed to be routed to {{ insert: param, sc-07.11_odp.02 }}."
+                    "prose": "only incoming communications from {{ insert: param, sc-07.11_odp.01 }} are allowed to be routed to {{ insert: param, sc-07.11_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.11_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.11_asm-examine",
@@ -173713,7 +193183,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}."
+                    "prose": "{{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.12_asm-examine",
@@ -173864,7 +193340,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-07.13_odp }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system."
+                    "prose": "{{ insert: param, sc-07.13_odp }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.",
+                    "links": [
+                      {
+                        "href": "#sc-7.13_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.13_asm-examine",
@@ -174015,7 +193497,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-07.14_odp }} are protected against unauthorized physical connections."
+                    "prose": "{{ insert: param, sc-07.14_odp }} are protected against unauthorized physical connections.",
+                    "links": [
+                      {
+                        "href": "#sc-7.14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.14_asm-examine",
@@ -174163,7 +193651,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;"
+                        "prose": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;",
+                        "links": [
+                          {
+                            "href": "#sc-7.15_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.15_obj-2",
@@ -174175,7 +193669,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing."
+                        "prose": "networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.",
+                        "links": [
+                          {
+                            "href": "#sc-7.15_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.15_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -174298,7 +193804,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the discovery of specific system components that represent a managed interface is prevented."
+                    "prose": "the discovery of specific system components that represent a managed interface is prevented.",
+                    "links": [
+                      {
+                        "href": "#sc-7.16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.16_asm-examine",
@@ -174423,7 +193935,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "adherence to protocol formats is enforced."
+                    "prose": "adherence to protocol formats is enforced.",
+                    "links": [
+                      {
+                        "href": "#sc-7.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.17_asm-examine",
@@ -174561,7 +194079,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device."
+                    "prose": "systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.",
+                    "links": [
+                      {
+                        "href": "#sc-7.18_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.18_asm-examine",
@@ -174715,7 +194239,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "inbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers;"
+                        "prose": "inbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers;",
+                        "links": [
+                          {
+                            "href": "#sc-7.19_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.19_obj-2",
@@ -174727,7 +194257,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "outbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers."
+                        "prose": "outbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers.",
+                        "links": [
+                          {
+                            "href": "#sc-7.19_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.19_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -174872,7 +194414,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided."
+                    "prose": "the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided.",
+                    "links": [
+                      {
+                        "href": "#sc-7.20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.20_asm-examine",
@@ -175049,7 +194597,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}."
+                    "prose": "boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.21_asm-examine",
@@ -175175,7 +194729,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "separate network addresses are implemented to connect to systems in different security domains."
+                    "prose": "separate network addresses are implemented to connect to systems in different security domains.",
+                    "links": [
+                      {
+                        "href": "#sc-7.22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.22_asm-examine",
@@ -175296,7 +194856,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "feedback to senders is disabled on protocol format validation failure."
+                    "prose": "feedback to senders is disabled on protocol format validation failure.",
+                    "links": [
+                      {
+                        "href": "#sc-7.23_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.23_asm-examine",
@@ -175509,7 +195075,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;"
+                        "prose": "{{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.24_obj.b",
@@ -175532,7 +195104,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;"
+                            "prose": "permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.24_obj.b-2",
@@ -175544,7 +195122,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;"
+                            "prose": "permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -175558,7 +195148,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "each processing exception is documented for systems that process personally identifiable information;"
+                        "prose": "each processing exception is documented for systems that process personally identifiable information;",
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-7.24_obj.d",
@@ -175581,7 +195177,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions for systems that process personally identifiable information are reviewed;"
+                            "prose": "exceptions for systems that process personally identifiable information are reviewed;",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sc-7.24_obj.d-2",
@@ -175593,10 +195195,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "exceptions for systems that process personally identifiable information that are no longer supported are removed."
+                            "prose": "exceptions for systems that process personally identifiable information that are no longer supported are removed.",
+                            "links": [
+                              {
+                                "href": "#sc-7.24_smt.d",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sc-7.24_smt.d",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-7.24_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -175760,7 +195380,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }} is prohibited."
+                    "prose": "the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }} is prohibited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.25_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.25_asm-examine",
@@ -175903,7 +195529,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the direct connection of classified national security system to an external network without the use of a {{ insert: param, sc-07.26_odp }} is prohibited."
+                    "prose": "the direct connection of classified national security system to an external network without the use of a {{ insert: param, sc-07.26_odp }} is prohibited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.26_asm-examine",
@@ -176071,7 +195703,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of a {{ insert: param, sc-07.27_odp.02 }} is prohibited."
+                    "prose": "the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of a {{ insert: param, sc-07.27_odp.02 }} is prohibited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.27_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.27_asm-examine",
@@ -176214,7 +195852,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the direct connection of the {{ insert: param, sc-07.28_odp }} to a public network is prohibited."
+                    "prose": "the direct connection of the {{ insert: param, sc-07.28_odp }} to a public network is prohibited.",
+                    "links": [
+                      {
+                        "href": "#sc-7.28_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.28_asm-examine",
@@ -176377,7 +196021,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "subnetworks are separated {{ insert: param, sc-07.29_odp.01 }} to isolate {{ insert: param, sc-07.29_odp.02 }}."
+                    "prose": "subnetworks are separated {{ insert: param, sc-07.29_odp.01 }} to isolate {{ insert: param, sc-07.29_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-7.29_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-7.29_asm-examine",
@@ -176611,7 +196261,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected."
+                "prose": "the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-8_asm-examine",
@@ -176763,7 +196419,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission."
+                    "prose": "cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.",
+                    "links": [
+                      {
+                        "href": "#sc-8.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.1_asm-examine",
@@ -176918,7 +196580,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information {{ insert: param, sc-08.02_odp }} is/are maintained during preparation for transmission;"
+                        "prose": "information {{ insert: param, sc-08.02_odp }} is/are maintained during preparation for transmission;",
+                        "links": [
+                          {
+                            "href": "#sc-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-8.2_obj-2",
@@ -176930,7 +196598,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information {{ insert: param, sc-08.02_odp }} is/are maintained during reception."
+                        "prose": "information {{ insert: param, sc-08.02_odp }} is/are maintained during reception.",
+                        "links": [
+                          {
+                            "href": "#sc-8.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-8.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -177083,7 +196763,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}."
+                    "prose": "cryptographic mechanisms are implemented to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.3_asm-examine",
@@ -177234,7 +196920,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}."
+                    "prose": "cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-8.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.4_asm-examine",
@@ -177398,7 +197090,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-08.05_odp.01 }} is implemented to {{ insert: param, sc-08.05_odp.02 }} during transmission."
+                    "prose": "the {{ insert: param, sc-08.05_odp.01 }} is implemented to {{ insert: param, sc-08.05_odp.02 }} during transmission.",
+                    "links": [
+                      {
+                        "href": "#sc-8.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-8.5_asm-examine",
@@ -177577,7 +197275,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity."
+                "prose": "the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.",
+                "links": [
+                  {
+                    "href": "#sc-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-10_asm-examine",
@@ -177795,7 +197499,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a {{ insert: param, sc-11_odp.01 }} isolated trusted communication path is provided for communications between the user and the trusted components of the system;"
+                    "prose": "a {{ insert: param, sc-11_odp.01 }} isolated trusted communication path is provided for communications between the user and the trusted components of the system;",
+                    "links": [
+                      {
+                        "href": "#sc-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-11_obj.b",
@@ -177807,7 +197517,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "users are permitted to invoke the trusted communication path for communications between the user and the {{ insert: param, sc-11_odp.02 }} of the system, including authentication and re-authentication, at a minimum."
+                    "prose": "users are permitted to invoke the trusted communication path for communications between the user and the {{ insert: param, sc-11_odp.02 }} of the system, including authentication and re-authentication, at a minimum.",
+                    "links": [
+                      {
+                        "href": "#sc-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -177991,7 +197713,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a trusted communication path that is irrefutably distinguishable from other communication paths is provided;"
+                        "prose": "a trusted communication path that is irrefutably distinguishable from other communication paths is provided;",
+                        "links": [
+                          {
+                            "href": "#sc-11.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-11.1_obj.b",
@@ -178003,7 +197731,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the trusted communication path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user is initiated."
+                        "prose": "the trusted communication path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user is initiated.",
+                        "links": [
+                          {
+                            "href": "#sc-11.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-11.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -178198,6 +197938,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#sa-4",
                 "rel": "related"
@@ -178283,7 +198027,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};"
+                    "prose": "cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12_obj-2",
@@ -178295,7 +198045,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}."
+                    "prose": "cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -178423,7 +198185,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information availability is maintained in the event of the loss of cryptographic keys by users."
+                    "prose": "information availability is maintained in the event of the loss of cryptographic keys by users.",
+                    "links": [
+                      {
+                        "href": "#sc-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12.1_asm-examine",
@@ -178582,7 +198350,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "symmetric cryptographic keys are produced using {{ insert: param, sc-12.02_odp }} key management technology and processes;"
+                        "prose": "symmetric cryptographic keys are produced using {{ insert: param, sc-12.02_odp }} key management technology and processes;",
+                        "links": [
+                          {
+                            "href": "#sc-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-12.2_obj-2",
@@ -178594,7 +198368,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "symmetric cryptographic keys are controlled using {{ insert: param, sc-12.02_odp }} key management technology and processes;"
+                        "prose": "symmetric cryptographic keys are controlled using {{ insert: param, sc-12.02_odp }} key management technology and processes;",
+                        "links": [
+                          {
+                            "href": "#sc-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-12.2_obj-3",
@@ -178606,7 +198386,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "symmetric cryptographic keys are distributed using {{ insert: param, sc-12.02_odp }} key management technology and processes."
+                        "prose": "symmetric cryptographic keys are distributed using {{ insert: param, sc-12.02_odp }} key management technology and processes.",
+                        "links": [
+                          {
+                            "href": "#sc-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-12.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -178770,7 +198562,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "asymmetric cryptographic keys are produced using {{ insert: param, sc-12.03_odp }};"
+                        "prose": "asymmetric cryptographic keys are produced using {{ insert: param, sc-12.03_odp }};",
+                        "links": [
+                          {
+                            "href": "#sc-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-12.3_obj-2",
@@ -178782,7 +198580,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "asymmetric cryptographic keys are controlled using {{ insert: param, sc-12.03_odp }};"
+                        "prose": "asymmetric cryptographic keys are controlled using {{ insert: param, sc-12.03_odp }};",
+                        "links": [
+                          {
+                            "href": "#sc-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-12.3_obj-3",
@@ -178794,7 +198598,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "asymmetric cryptographic keys are distributed using {{ insert: param, sc-12.03_odp }}."
+                        "prose": "asymmetric cryptographic keys are distributed using {{ insert: param, sc-12.03_odp }}.",
+                        "links": [
+                          {
+                            "href": "#sc-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-12.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -178982,7 +198798,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "physical control of cryptographic keys is maintained when stored information is encrypted by external service providers."
+                    "prose": "physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.",
+                    "links": [
+                      {
+                        "href": "#sc-12.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-12.6_asm-examine",
@@ -179182,6 +199004,10 @@
                 "href": "#ia-7",
                 "rel": "related"
               },
+              {
+                "href": "#ia-13",
+                "rel": "related"
+              },
               {
                 "href": "#ma-4",
                 "rel": "related"
@@ -179298,7 +199124,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-13_odp.01 }} are identified;"
+                    "prose": "{{ insert: param, sc-13_odp.01 }} are identified;",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-13_obj.b",
@@ -179310,7 +199142,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented."
+                    "prose": "{{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-13_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -179677,7 +199521,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};"
+                    "prose": "remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15_obj.b",
@@ -179689,7 +199539,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of use is provided to users physically present at the devices."
+                    "prose": "an explicit indication of use is provided to users physically present at the devices.",
+                    "links": [
+                      {
+                        "href": "#sc-15_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-15_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -179835,7 +199697,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices is/are provided in a manner that supports ease of use."
+                    "prose": "the {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.",
+                    "links": [
+                      {
+                        "href": "#sc-15.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15.1_asm-examine",
@@ -180028,7 +199896,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "collaborative computing devices and applications are disabled or removed from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}."
+                    "prose": "collaborative computing devices and applications are disabled or removed from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-15.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15.3_asm-examine",
@@ -180171,7 +200045,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of current participants in {{ insert: param, sc-15.04_odp }} is provided."
+                    "prose": "an explicit indication of current participants in {{ insert: param, sc-15.04_odp }} is provided.",
+                    "links": [
+                      {
+                        "href": "#sc-15.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-15.4_asm-examine",
@@ -180367,7 +200247,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between systems;"
+                    "prose": "{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between systems;",
+                    "links": [
+                      {
+                        "href": "#sc-16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-16_obj-2",
@@ -180379,7 +200265,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between system components;"
+                    "prose": "{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between system components;",
+                    "links": [
+                      {
+                        "href": "#sc-16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-16_obj-3",
@@ -180391,7 +200283,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between systems;"
+                    "prose": "{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between systems;",
+                    "links": [
+                      {
+                        "href": "#sc-16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-16_obj-4",
@@ -180403,7 +200301,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between system components."
+                    "prose": "{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between system components.",
+                    "links": [
+                      {
+                        "href": "#sc-16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-16_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -180545,7 +200455,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of transmitted security attributes is verified;"
+                        "prose": "the integrity of transmitted security attributes is verified;",
+                        "links": [
+                          {
+                            "href": "#sc-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-16.1_obj-2",
@@ -180557,7 +200473,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of transmitted privacy attributes is verified."
+                        "prose": "the integrity of transmitted privacy attributes is verified.",
+                        "links": [
+                          {
+                            "href": "#sc-16.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-16.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -180692,7 +200620,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process."
+                    "prose": "anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.",
+                    "links": [
+                      {
+                        "href": "#sc-16.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-16.2_asm-examine",
@@ -180847,7 +200781,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-16.03_odp }} are implemented to bind security and privacy attributes to transmitted information."
+                    "prose": "{{ insert: param, sc-16.03_odp }} are implemented to bind security and privacy attributes to transmitted information.",
+                    "links": [
+                      {
+                        "href": "#sc-16.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-16.3_asm-examine",
@@ -181059,7 +200999,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;"
+                    "prose": "public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-17_obj.b",
@@ -181071,7 +201017,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization."
+                    "prose": "only approved trust anchors are included in trust stores or certificate stores managed by the organization.",
+                    "links": [
+                      {
+                        "href": "#sc-17_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-17_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -181259,7 +201217,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code is defined;"
+                        "prose": "acceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-2",
@@ -181271,7 +201235,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code is defined;"
+                        "prose": "unacceptable mobile code is defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-3",
@@ -181283,7 +201253,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "acceptable mobile code technologies are defined;"
+                        "prose": "acceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.a-4",
@@ -181295,7 +201271,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unacceptable mobile code technologies are defined;"
+                        "prose": "unacceptable mobile code technologies are defined;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -181320,7 +201308,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is authorized within the system;"
+                        "prose": "the use of mobile code is authorized within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-2",
@@ -181332,7 +201326,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is monitored within the system;"
+                        "prose": "the use of mobile code is monitored within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18_obj.b-3",
@@ -181344,10 +201344,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code is controlled within the system."
+                        "prose": "the use of mobile code is controlled within the system.",
+                        "links": [
+                          {
+                            "href": "#sc-18_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-18_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -181522,7 +201540,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-18.01_odp.01 }} is identified;"
+                        "prose": "{{ insert: param, sc-18.01_odp.01 }} is identified;",
+                        "links": [
+                          {
+                            "href": "#sc-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18.1_obj-2",
@@ -181534,7 +201558,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-18.01_odp.02 }} are taken if unacceptable mobile code is identified."
+                        "prose": "{{ insert: param, sc-18.01_odp.02 }} are taken if unacceptable mobile code is identified.",
+                        "links": [
+                          {
+                            "href": "#sc-18.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -181690,7 +201726,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the acquisition of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};"
+                        "prose": "the acquisition of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#sc-18.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18.2_obj-2",
@@ -181702,7 +201744,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the development of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};"
+                        "prose": "the development of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};",
+                        "links": [
+                          {
+                            "href": "#sc-18.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18.2_obj-3",
@@ -181714,7 +201762,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}."
+                        "prose": "the use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}.",
+                        "links": [
+                          {
+                            "href": "#sc-18.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -181870,7 +201930,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the download of {{ insert: param, sc-18.03_odp }} is prevented;"
+                        "prose": "the download of {{ insert: param, sc-18.03_odp }} is prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-18.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18.3_obj-2",
@@ -181882,7 +201948,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the execution of {{ insert: param, sc-18.03_odp }} is prevented."
+                        "prose": "the execution of {{ insert: param, sc-18.03_odp }} is prevented.",
+                        "links": [
+                          {
+                            "href": "#sc-18.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -182058,7 +202136,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} is prevented;"
+                        "prose": "the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} is prevented;",
+                        "links": [
+                          {
+                            "href": "#sc-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-18.4_obj-2",
@@ -182070,7 +202154,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-18.04_odp.02 }} are enforced prior to executing mobile code."
+                        "prose": "{{ insert: param, sc-18.04_odp.02 }} are enforced prior to executing mobile code.",
+                        "links": [
+                          {
+                            "href": "#sc-18.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-18.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -182201,7 +202297,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "execution of permitted mobile code is allowed only in confined virtual machine environments."
+                    "prose": "execution of permitted mobile code is allowed only in confined virtual machine environments.",
+                    "links": [
+                      {
+                        "href": "#sc-18.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-18.5_asm-examine",
@@ -182432,7 +202534,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.a-2",
@@ -182444,7 +202552,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;"
+                        "prose": "integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -182469,7 +202589,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;"
+                        "prose": "the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20_obj.b-2",
@@ -182481,10 +202607,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided."
+                        "prose": "the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.",
+                        "links": [
+                          {
+                            "href": "#sc-20_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-20_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -182647,7 +202791,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "data origin artifacts are provided for internal name/address resolution queries;"
+                        "prose": "data origin artifacts are provided for internal name/address resolution queries;",
+                        "links": [
+                          {
+                            "href": "#sc-20.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-20.2_obj-2",
@@ -182659,7 +202809,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity protection artifacts are provided for internal name/address resolution queries."
+                        "prose": "integrity protection artifacts are provided for internal name/address resolution queries.",
+                        "links": [
+                          {
+                            "href": "#sc-20.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-20.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -182803,7 +202965,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-2",
@@ -182815,7 +202983,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-3",
@@ -182827,7 +203001,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;"
+                    "prose": "data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-21_obj-4",
@@ -182839,7 +203019,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources."
+                    "prose": "data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.",
+                    "links": [
+                      {
+                        "href": "#sc-21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-21_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -183021,7 +203213,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization are fault-tolerant;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-2",
@@ -183033,7 +203231,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;"
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement internal role separation;",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-22_obj-3",
@@ -183045,7 +203249,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation."
+                    "prose": "the systems that collectively provide name/address resolution services for an organization implement external role separation.",
+                    "links": [
+                      {
+                        "href": "#sc-22_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -183196,7 +203412,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the authenticity of communication sessions is protected."
+                "prose": "the authenticity of communication sessions is protected.",
+                "links": [
+                  {
+                    "href": "#sc-23_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-23_asm-examine",
@@ -183317,7 +203539,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "session identifiers are invalidated upon user logout or other session termination."
+                    "prose": "session identifiers are invalidated upon user logout or other session termination.",
+                    "links": [
+                      {
+                        "href": "#sc-23.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-23.1_asm-examine",
@@ -183513,7 +203741,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a unique session identifier is generated for each session with {{ insert: param, sc-23.03_odp }};"
+                        "prose": "a unique session identifier is generated for each session with {{ insert: param, sc-23.03_odp }};",
+                        "links": [
+                          {
+                            "href": "#sc-23.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-23.3_obj-2",
@@ -183525,7 +203759,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "only system-generated session identifiers are recognized."
+                        "prose": "only system-generated session identifiers are recognized.",
+                        "links": [
+                          {
+                            "href": "#sc-23.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-23.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -183713,7 +203959,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "only the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions is allowed."
+                    "prose": "only the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions is allowed.",
+                    "links": [
+                      {
+                        "href": "#sc-23.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-23.5_asm-examine",
@@ -183936,7 +204188,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure."
+                "prose": "{{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.",
+                "links": [
+                  {
+                    "href": "#sc-24_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-24_asm-examine",
@@ -184094,7 +204352,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "minimal functionality for {{ insert: param, sc-25_odp }} is employed;"
+                    "prose": "minimal functionality for {{ insert: param, sc-25_odp }} is employed;",
+                    "links": [
+                      {
+                        "href": "#sc-25_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-25_obj-2",
@@ -184106,7 +204370,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "minimal information storage on {{ insert: param, sc-25_odp }} is allocated."
+                    "prose": "minimal information storage on {{ insert: param, sc-25_odp }} is allocated.",
+                    "links": [
+                      {
+                        "href": "#sc-25_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-25_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -184264,7 +204540,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;"
+                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;",
+                    "links": [
+                      {
+                        "href": "#sc-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-26_obj-2",
@@ -184276,7 +204558,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;"
+                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;",
+                    "links": [
+                      {
+                        "href": "#sc-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-26_obj-3",
@@ -184288,7 +204576,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks."
+                    "prose": "components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.",
+                    "links": [
+                      {
+                        "href": "#sc-26_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-26_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -184465,7 +204765,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-27_odp }} are included within organizational systems."
+                "prose": "{{ insert: param, sc-27_odp }} are included within organizational systems.",
+                "links": [
+                  {
+                    "href": "#sc-27_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-27_asm-examine",
@@ -184737,7 +205043,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected."
+                "prose": "the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.",
+                "links": [
+                  {
+                    "href": "#sc-28_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-28_asm-examine",
@@ -184923,7 +205235,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};"
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-28.1_obj-2",
@@ -184935,7 +205253,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}."
+                        "prose": "cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-28.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-28.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -185091,7 +205421,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-28.02_odp }} is removed from online storage;"
+                        "prose": "{{ insert: param, sc-28.02_odp }} is removed from online storage;",
+                        "links": [
+                          {
+                            "href": "#sc-28.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-28.2_obj-2",
@@ -185103,7 +205439,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-28.02_odp }} is stored offline in a secure location."
+                        "prose": "{{ insert: param, sc-28.02_odp }} is stored offline in a secure location.",
+                        "links": [
+                          {
+                            "href": "#sc-28.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-28.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -185281,7 +205629,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "protected storage for cryptographic keys is provided using {{ insert: param, sc-28.03_odp.01 }}."
+                    "prose": "protected storage for cryptographic keys is provided using {{ insert: param, sc-28.03_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-28.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-28.3_asm-examine",
@@ -185447,7 +205801,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a diverse set of information technologies is employed for {{ insert: param, sc-29_odp }} in the implementation of the system."
+                "prose": "a diverse set of information technologies is employed for {{ insert: param, sc-29_odp }} in the implementation of the system.",
+                "links": [
+                  {
+                    "href": "#sc-29_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-29_asm-examine",
@@ -185595,7 +205955,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}."
+                    "prose": "virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-29.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-29.1_asm-examine",
@@ -185805,7 +206171,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-30_odp.01 }} are employed for {{ insert: param, sc-30_odp.02 }} for {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries."
+                "prose": "{{ insert: param, sc-30_odp.01 }} are employed for {{ insert: param, sc-30_odp.02 }} for {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries.",
+                "links": [
+                  {
+                    "href": "#sc-30_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-30_asm-examine",
@@ -185983,7 +206355,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-30.02_odp }} are employed to introduce randomness into organizational operations and assets."
+                    "prose": "{{ insert: param, sc-30.02_odp }} are employed to introduce randomness into organizational operations and assets.",
+                    "links": [
+                      {
+                        "href": "#sc-30.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-30.2_asm-examine",
@@ -186171,7 +206549,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the location of {{ insert: param, sc-30.03_odp.01 }} is changed {{ insert: param, sc-30.03_odp.02 }}."
+                    "prose": "the location of {{ insert: param, sc-30.03_odp.01 }} is changed {{ insert: param, sc-30.03_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-30.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-30.3_asm-examine",
@@ -186319,7 +206703,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "realistic but misleading information about the security state or posture of {{ insert: param, sc-30.04_odp }} is employed."
+                    "prose": "realistic but misleading information about the security state or posture of {{ insert: param, sc-30.04_odp }} is employed.",
+                    "links": [
+                      {
+                        "href": "#sc-30.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-30.4_asm-examine",
@@ -186487,7 +206877,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-30.05_odp.01 }} are employed to hide or conceal {{ insert: param, sc-30.05_odp.02 }}."
+                    "prose": "{{ insert: param, sc-30.05_odp.01 }} are employed to hide or conceal {{ insert: param, sc-30.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-30.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-30.5_asm-examine",
@@ -186684,7 +207080,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels;"
+                    "prose": "a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels;",
+                    "links": [
+                      {
+                        "href": "#sc-31_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-31_obj.b",
@@ -186696,7 +207098,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the maximum bandwidth of those channels is estimated."
+                    "prose": "the maximum bandwidth of those channels is estimated.",
+                    "links": [
+                      {
+                        "href": "#sc-31_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-31_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -186824,7 +207238,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a subset of the identified covert channels is tested to determine the channels that are exploitable."
+                    "prose": "a subset of the identified covert channels is tested to determine the channels that are exploitable.",
+                    "links": [
+                      {
+                        "href": "#sc-31.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-31.1_asm-examine",
@@ -186993,7 +207413,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels is reduced to {{ insert: param, sc-31.02_odp.02 }}."
+                    "prose": "the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels is reduced to {{ insert: param, sc-31.02_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-31.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-31.2_asm-examine",
@@ -187141,7 +207567,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the bandwidth of {{ insert: param, sc-31.03_odp }} is measured in the operational environment of the system."
+                    "prose": "the bandwidth of {{ insert: param, sc-31.03_odp }} is measured in the operational environment of the system.",
+                    "links": [
+                      {
+                        "href": "#sc-31.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-31.3_asm-examine",
@@ -187373,7 +207805,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the system is partitioned into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}."
+                "prose": "the system is partitioned into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}.",
+                "links": [
+                  {
+                    "href": "#sc-32_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-32_asm-examine",
@@ -187504,7 +207942,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "privileged functions are partitioned into separate physical domains."
+                    "prose": "privileged functions are partitioned into separate physical domains.",
+                    "links": [
+                      {
+                        "href": "#sc-32.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-32.1_asm-examine",
@@ -187747,7 +208191,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the operating environment for {{ insert: param, sc-34_odp.01 }} is loaded and executed from hardware-enforced, read-only media;"
+                    "prose": "the operating environment for {{ insert: param, sc-34_odp.01 }} is loaded and executed from hardware-enforced, read-only media;",
+                    "links": [
+                      {
+                        "href": "#sc-34_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-34_obj.b",
@@ -187759,7 +208209,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-34_odp.02 }} for {{ insert: param, sc-34_odp.01 }} are loaded and executed from hardware-enforced, read-only media."
+                    "prose": "{{ insert: param, sc-34_odp.02 }} for {{ insert: param, sc-34_odp.01 }} are loaded and executed from hardware-enforced, read-only media.",
+                    "links": [
+                      {
+                        "href": "#sc-34_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-34_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -187917,7 +208379,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-34.01_odp }} are employed with no writeable storage that is persistent across component restart or power on/off."
+                    "prose": "{{ insert: param, sc-34.01_odp }} are employed with no writeable storage that is persistent across component restart or power on/off.",
+                    "links": [
+                      {
+                        "href": "#sc-34.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-34.1_asm-examine",
@@ -188086,7 +208554,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the integrity of information is protected prior to storage on read-only media;"
+                        "prose": "the integrity of information is protected prior to storage on read-only media;",
+                        "links": [
+                          {
+                            "href": "#sc-34.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-34.2_obj-2",
@@ -188098,7 +208572,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the media is controlled after such information has been recorded onto the media;"
+                        "prose": "the media is controlled after such information has been recorded onto the media;",
+                        "links": [
+                          {
+                            "href": "#sc-34.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-34.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -188269,7 +208755,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "system components that proactively seek to identify network-based malicious code or malicious websites are included."
+                "prose": "system components that proactively seek to identify network-based malicious code or malicious websites are included.",
+                "links": [
+                  {
+                    "href": "#sc-35_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-35_asm-examine",
@@ -188525,7 +209017,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-36_odp.01 }} are distributed across {{ insert: param, sc-36_odp.02 }};"
+                    "prose": "{{ insert: param, sc-36_odp.01 }} are distributed across {{ insert: param, sc-36_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#sc-36_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-36_obj-2",
@@ -188537,7 +209035,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-36_odp.03 }} are distributed across {{ insert: param, sc-36_odp.04 }}."
+                    "prose": "{{ insert: param, sc-36_odp.03 }} are distributed across {{ insert: param, sc-36_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-36_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-36_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -188745,7 +209255,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "polling techniques are employed to identify potential faults, errors, or compromises to {{ insert: param, sc-36.01_odp.01 }};"
+                        "prose": "polling techniques are employed to identify potential faults, errors, or compromises to {{ insert: param, sc-36.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sc-36.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-36.1_obj.b",
@@ -188757,7 +209273,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sc-36.01_odp.02 }} are taken in response to identified faults, errors, or compromise."
+                        "prose": "{{ insert: param, sc-36.01_odp.02 }} are taken in response to identified faults, errors, or compromise.",
+                        "links": [
+                          {
+                            "href": "#sc-36.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-36.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -188911,7 +209439,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-36.02_odp }} are synchronized."
+                    "prose": "{{ insert: param, sc-36.02_odp }} are synchronized.",
+                    "links": [
+                      {
+                        "href": "#sc-36.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-36.2_asm-examine",
@@ -189145,7 +209679,7 @@
               {
                 "id": "sc-37_gdn",
                 "name": "guidance",
-                "prose": "Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates."
+                "prose": "Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file."
               },
               {
                 "id": "sc-37_obj",
@@ -189157,7 +209691,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-37_odp.01 }} are employed for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}."
+                "prose": "{{ insert: param, sc-37_odp.01 }} are employed for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}.",
+                "links": [
+                  {
+                    "href": "#sc-37_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-37_asm-examine",
@@ -189345,7 +209885,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-37.01_odp.01 }} are employed to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive {{ insert: param, sc-37.01_odp.03 }}."
+                    "prose": "{{ insert: param, sc-37.01_odp.01 }} are employed to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive {{ insert: param, sc-37.01_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-37.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-37.1_asm-examine",
@@ -189535,7 +210081,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-38_odp }} are employed to protect key organizational information throughout the system development life cycle."
+                "prose": "{{ insert: param, sc-38_odp }} are employed to protect key organizational information throughout the system development life cycle.",
+                "links": [
+                  {
+                    "href": "#sc-38_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-38_asm-examine",
@@ -189693,7 +210245,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a separate execution domain is maintained for each executing system process."
+                "prose": "a separate execution domain is maintained for each executing system process.",
+                "links": [
+                  {
+                    "href": "#sc-39_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-39_asm-examine",
@@ -189819,7 +210377,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "hardware separation is implemented to facilitate process isolation."
+                    "prose": "hardware separation is implemented to facilitate process isolation.",
+                    "links": [
+                      {
+                        "href": "#sc-39.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-39.1_asm-examine",
@@ -189967,7 +210531,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a separate execution domain is maintained for each thread in {{ insert: param, sc-39.02_odp }}."
+                    "prose": "a separate execution domain is maintained for each thread in {{ insert: param, sc-39.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sc-39.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-39.2_asm-examine",
@@ -190203,7 +210773,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "external {{ insert: param, sc-40_odp.01 }} are protected from {{ insert: param, sc-40_odp.02 }}."
+                    "prose": "external {{ insert: param, sc-40_odp.01 }} are protected from {{ insert: param, sc-40_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-40_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-40_obj-2",
@@ -190215,7 +210791,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal {{ insert: param, sc-40_odp.03 }} are protected from {{ insert: param, sc-40_odp.04 }}."
+                    "prose": "internal {{ insert: param, sc-40_odp.03 }} are protected from {{ insert: param, sc-40_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-40_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-40_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -190372,7 +210960,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference are implemented."
+                    "prose": "cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-40.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-40.1_asm-examine",
@@ -190523,7 +211117,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }} are implemented."
+                    "prose": "cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }} are implemented.",
+                    "links": [
+                      {
+                        "href": "#sc-40.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-40.2_asm-examine",
@@ -190656,7 +211256,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters."
+                    "prose": "cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.",
+                    "links": [
+                      {
+                        "href": "#sc-40.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-40.3_asm-examine",
@@ -190807,7 +211413,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters."
+                    "prose": "cryptographic mechanisms are implemented to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters.",
+                    "links": [
+                      {
+                        "href": "#sc-40.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-40.4_asm-examine",
@@ -191001,7 +211613,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-41_odp.01 }} are {{ insert: param, sc-41_odp.02 }} disabled or removed on {{ insert: param, sc-41_odp.03 }}."
+                "prose": "{{ insert: param, sc-41_odp.01 }} are {{ insert: param, sc-41_odp.02 }} disabled or removed on {{ insert: param, sc-41_odp.03 }}.",
+                "links": [
+                  {
+                    "href": "#sc-41_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-41_asm-examine",
@@ -191267,7 +211885,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-42_odp.01 }} is/are prohibited;"
+                    "prose": "{{ insert: param, sc-42_odp.01 }} is/are prohibited;",
+                    "links": [
+                      {
+                        "href": "#sc-42_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-42_obj.b",
@@ -191279,7 +211903,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an explicit indication of sensor use is provided to {{ insert: param, sc-42_odp.05 }}."
+                    "prose": "an explicit indication of sensor use is provided to {{ insert: param, sc-42_odp.05 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-42_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-42_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -191428,7 +212064,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles."
+                    "prose": "the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles.",
+                    "links": [
+                      {
+                        "href": "#sc-42.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-42.1_asm-examine",
@@ -191579,7 +212221,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-42.02_odp }} are employed so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes."
+                    "prose": "{{ insert: param, sc-42.02_odp }} are employed so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes.",
+                    "links": [
+                      {
+                        "href": "#sc-42.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-42.2_asm-examine",
@@ -191784,7 +212432,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-42.04_odp.01 }} are employed to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }} "
+                    "prose": "{{ insert: param, sc-42.04_odp.01 }} are employed to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }} ",
+                    "links": [
+                      {
+                        "href": "#sc-42.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-42.4_asm-examine",
@@ -191935,7 +212589,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sc-42.05_odp }} configured to minimize the collection of information about individuals that is not needed are employed."
+                    "prose": "the {{ insert: param, sc-42.05_odp }} configured to minimize the collection of information about individuals that is not needed are employed.",
+                    "links": [
+                      {
+                        "href": "#sc-42.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-42.5_asm-examine",
@@ -192148,7 +212808,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "usage restrictions and implementation guidelines are established for {{ insert: param, sc-43_odp }};"
+                    "prose": "usage restrictions and implementation guidelines are established for {{ insert: param, sc-43_odp }};",
+                    "links": [
+                      {
+                        "href": "#sc-43_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-43_obj.b",
@@ -192171,7 +212837,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, sc-43_odp }} is authorized within the system;"
+                        "prose": "the use of {{ insert: param, sc-43_odp }} is authorized within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-43_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-43_obj.b-2",
@@ -192183,7 +212855,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, sc-43_odp }} is monitored within the system;"
+                        "prose": "the use of {{ insert: param, sc-43_odp }} is monitored within the system;",
+                        "links": [
+                          {
+                            "href": "#sc-43_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-43_obj.b-3",
@@ -192195,10 +212873,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of {{ insert: param, sc-43_odp }} is controlled within the system."
+                        "prose": "the use of {{ insert: param, sc-43_odp }} is controlled within the system.",
+                        "links": [
+                          {
+                            "href": "#sc-43_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-43_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-43_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -192378,7 +213074,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a detonation chamber capability is employed within the {{ insert: param, sc-44_odp }}."
+                "prose": "a detonation chamber capability is employed within the {{ insert: param, sc-44_odp }}.",
+                "links": [
+                  {
+                    "href": "#sc-44_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-44_asm-examine",
@@ -192515,7 +213217,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "system clocks are synchronized within and between systems and system components."
+                "prose": "system clocks are synchronized within and between systems and system components.",
+                "links": [
+                  {
+                    "href": "#sc-45_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-45_asm-examine",
@@ -192732,7 +213440,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};"
+                        "prose": "the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sc-45.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-45.1_obj.b",
@@ -192744,7 +213458,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}."
+                        "prose": "the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.",
+                        "links": [
+                          {
+                            "href": "#sc-45.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-45.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -192901,7 +213627,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;"
+                        "prose": "a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;",
+                        "links": [
+                          {
+                            "href": "#sc-45.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-45.2_obj.b",
@@ -192913,7 +213645,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable."
+                        "prose": "the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.",
+                        "links": [
+                          {
+                            "href": "#sc-45.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-45.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -193068,7 +213812,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a policy enforcement mechanism is {{ insert: param, sc-46_odp }} implemented between the physical and/or network interfaces for the connecting security domains."
+                "prose": "a policy enforcement mechanism is {{ insert: param, sc-46_odp }} implemented between the physical and/or network interfaces for the connecting security domains.",
+                "links": [
+                  {
+                    "href": "#sc-46_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-46_asm-examine",
@@ -193237,7 +213987,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-47_odp }} are established for system operations and operational command and control."
+                "prose": "{{ insert: param, sc-47_odp }} are established for system operations and operational command and control.",
+                "links": [
+                  {
+                    "href": "#sc-47_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-47_asm-examine",
@@ -193437,7 +214193,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sc-48_odp.01 }} are relocated to {{ insert: param, sc-48_odp.02 }} under {{ insert: param, sc-48_odp.03 }}."
+                "prose": "{{ insert: param, sc-48_odp.01 }} are relocated to {{ insert: param, sc-48_odp.02 }} under {{ insert: param, sc-48_odp.03 }}.",
+                "links": [
+                  {
+                    "href": "#sc-48_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-48_asm-examine",
@@ -193625,7 +214387,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sc-48.01_odp.01 }} are dynamically relocated to {{ insert: param, sc-48.01_odp.02 }} under {{ insert: param, sc-48.01_odp.03 }}."
+                    "prose": "{{ insert: param, sc-48.01_odp.01 }} are dynamically relocated to {{ insert: param, sc-48.01_odp.02 }} under {{ insert: param, sc-48.01_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#sc-48.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-48.1_asm-examine",
@@ -193792,7 +214560,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "hardware-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-49_odp }}."
+                "prose": "hardware-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-49_odp }}.",
+                "links": [
+                  {
+                    "href": "#sc-49_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-49_asm-examine",
@@ -193969,7 +214743,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "software-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-50_odp }}."
+                "prose": "software-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-50_odp }}.",
+                "links": [
+                  {
+                    "href": "#sc-50_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sc-50_asm-examine",
@@ -194170,7 +214950,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "hardware-based write-protect for {{ insert: param, sc-51_odp.01 }} is employed;"
+                    "prose": "hardware-based write-protect for {{ insert: param, sc-51_odp.01 }} is employed;",
+                    "links": [
+                      {
+                        "href": "#sc-51_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sc-51_obj.b",
@@ -194193,7 +214979,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications;"
+                        "prose": "specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications;",
+                        "links": [
+                          {
+                            "href": "#sc-51_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sc-51_obj.b-2",
@@ -194205,10 +214997,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to re-enable the write-protect prior to returning to operational mode."
+                        "prose": "specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to re-enable the write-protect prior to returning to operational mode.",
+                        "links": [
+                          {
+                            "href": "#sc-51_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sc-51_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sc-51_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -194666,7 +215476,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a system and information integrity policy is developed and documented;"
+                        "prose": "a system and information integrity policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-2",
@@ -194678,7 +215494,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};"
+                        "prose": "the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-3",
@@ -194690,7 +215512,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;"
+                        "prose": "system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a-4",
@@ -194702,7 +215530,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};"
+                        "prose": "the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-1_obj.a.1",
@@ -194736,7 +215570,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-2",
@@ -194748,7 +215588,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-3",
@@ -194760,7 +215606,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-4",
@@ -194772,7 +215624,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-5",
@@ -194784,7 +215642,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-6",
@@ -194796,7 +215660,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "si-1_obj.a.1.a-7",
@@ -194808,7 +215678,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;"
+                                "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;",
+                                "links": [
+                                  {
+                                    "href": "#si-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -194822,10 +215704,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -194838,7 +215738,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;"
+                    "prose": "the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-1_obj.c",
@@ -194872,7 +215778,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.1-2",
@@ -194884,7 +215796,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};"
+                            "prose": "the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -194909,7 +215833,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};"
+                            "prose": "the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-1_obj.c.2-2",
@@ -194921,12 +215851,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}."
+                            "prose": "the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#si-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -195199,7 +216153,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are identified;"
+                        "prose": "system flaws are identified;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-2",
@@ -195211,7 +216171,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are reported;"
+                        "prose": "system flaws are reported;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.a-3",
@@ -195223,7 +216189,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "system flaws are corrected;"
+                        "prose": "system flaws are corrected;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -195248,7 +216226,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "software updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-2",
@@ -195260,7 +216244,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "software updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-3",
@@ -195272,7 +216262,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for effectiveness before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.b-4",
@@ -195284,7 +216280,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;"
+                        "prose": "firmware updates related to flaw remediation are tested for potential side effects before installation;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -195309,7 +216317,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2_obj.c-2",
@@ -195321,7 +216335,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;"
+                        "prose": "security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;",
+                        "links": [
+                          {
+                            "href": "#si-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -195335,7 +216361,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "flaw remediation is incorporated into the organizational configuration management process."
+                    "prose": "flaw remediation is incorporated into the organizational configuration management process.",
+                    "links": [
+                      {
+                        "href": "#si-2_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-2_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -195538,7 +216576,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}."
+                    "prose": "system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#si-2.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.2_asm-examine",
@@ -195715,7 +216759,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the time between flaw identification and flaw remediation is measured;"
+                        "prose": "the time between flaw identification and flaw remediation is measured;",
+                        "links": [
+                          {
+                            "href": "#si-2.3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-2.3_obj.b",
@@ -195727,7 +216777,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-02.03_odp }} for taking corrective actions have been established."
+                        "prose": "{{ insert: param, si-02.03_odp }} for taking corrective actions have been established.",
+                        "links": [
+                          {
+                            "href": "#si-2.3_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-2.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -195882,7 +216944,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated patch management tools are employed to facilitate flaw remediation to {{ insert: param, si-02.04_odp }}."
+                    "prose": "automated patch management tools are employed to facilitate flaw remediation to {{ insert: param, si-02.04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-2.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.4_asm-examine",
@@ -196050,7 +217118,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-02.05_odp.01 }} are installed automatically to {{ insert: param, si-02.05_odp.02 }}."
+                    "prose": "{{ insert: param, si-02.05_odp.01 }} are installed automatically to {{ insert: param, si-02.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-2.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.5_asm-examine",
@@ -196198,7 +217272,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "previous versions of {{ insert: param, si-02.06_odp }} are removed after updated versions have been installed."
+                    "prose": "previous versions of {{ insert: param, si-02.06_odp }} are removed after updated versions have been installed.",
+                    "links": [
+                      {
+                        "href": "#si-2.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-2.6_asm-examine",
@@ -196627,7 +217707,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;"
+                        "prose": "{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3_obj.a-2",
@@ -196639,7 +217725,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;"
+                        "prose": "{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -196653,7 +217751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;"
+                    "prose": "malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-3_obj.c",
@@ -196687,7 +217791,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};"
+                            "prose": "malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.1-2",
@@ -196699,7 +217809,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;"
+                            "prose": "malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -196724,7 +217846,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3_obj.c.2-2",
@@ -196736,10 +217864,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;"
+                            "prose": "malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;",
+                            "links": [
+                              {
+                                "href": "#si-3_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -196752,7 +217898,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed."
+                    "prose": "the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.",
+                    "links": [
+                      {
+                        "href": "#si-3_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -196974,7 +218132,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "malicious code protection mechanisms are updated only when directed by a privileged user."
+                    "prose": "malicious code protection mechanisms are updated only when directed by a privileged user.",
+                    "links": [
+                      {
+                        "href": "#si-3.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-3.4_asm-examine",
@@ -197193,7 +218357,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "malicious code protection mechanisms are tested {{ insert: param, si-03.06_odp }} by introducing known benign code into the system;"
+                        "prose": "malicious code protection mechanisms are tested {{ insert: param, si-03.06_odp }} by introducing known benign code into the system;",
+                        "links": [
+                          {
+                            "href": "#si-3.6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3.6_obj.b",
@@ -197216,7 +218386,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the detection of (benign test) code occurs;"
+                            "prose": "the detection of (benign test) code occurs;",
+                            "links": [
+                              {
+                                "href": "#si-3.6_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3.6_obj.b-2",
@@ -197228,10 +218404,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the associated incident reporting occurs."
+                            "prose": "the associated incident reporting occurs.",
+                            "links": [
+                              {
+                                "href": "#si-3.6_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3.6_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3.6_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -197493,7 +218687,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-03.08_odp.01 }} are detected through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }};"
+                        "prose": "{{ insert: param, si-03.08_odp.01 }} are detected through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-3.8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3.8_obj.b",
@@ -197505,7 +218705,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-03.08_odp.03 }} is/are performed."
+                        "prose": "{{ insert: param, si-03.08_odp.03 }} is/are performed.",
+                        "links": [
+                          {
+                            "href": "#si-3.8_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -197714,7 +218926,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-03.10_odp }} are employed to analyze the characteristics and behavior of malicious code;"
+                        "prose": "{{ insert: param, si-03.10_odp }} are employed to analyze the characteristics and behavior of malicious code;",
+                        "links": [
+                          {
+                            "href": "#si-3.10_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-3.10_obj.b",
@@ -197737,7 +218955,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the results from malicious code analysis are incorporated into organizational incident response processes;"
+                            "prose": "the results from malicious code analysis are incorporated into organizational incident response processes;",
+                            "links": [
+                              {
+                                "href": "#si-3.10_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-3.10_obj.b-2",
@@ -197749,10 +218973,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the results from malicious code analysis are incorporated into organizational flaw remediation processes."
+                            "prose": "the results from malicious code analysis are incorporated into organizational flaw remediation processes.",
+                            "links": [
+                              {
+                                "href": "#si-3.10_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-3.10_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-3.10_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -198337,7 +219579,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};"
+                        "prose": "the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.a.2",
@@ -198360,7 +219608,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized local connections;"
+                            "prose": "the system is monitored to detect unauthorized local connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-2",
@@ -198372,7 +219626,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized network connections;"
+                            "prose": "the system is monitored to detect unauthorized network connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4_obj.a.2-3",
@@ -198384,10 +219644,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the system is monitored to detect unauthorized remote connections;"
+                            "prose": "the system is monitored to detect unauthorized remote connections;",
+                            "links": [
+                              {
+                                "href": "#si-4_smt.a.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4_smt.a.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -198400,7 +219678,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};"
+                    "prose": "unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.c",
@@ -198423,7 +219707,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.1",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.c.2",
@@ -198435,7 +219725,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;"
+                        "prose": "internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.c.2",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -198460,7 +219762,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected events are analyzed;"
+                        "prose": "detected events are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4_obj.d-2",
@@ -198472,7 +219780,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "detected anomalies are analyzed;"
+                        "prose": "detected anomalies are analyzed;",
+                        "links": [
+                          {
+                            "href": "#si-4_smt.d",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4_smt.d",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -198486,7 +219806,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;"
+                    "prose": "the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.e",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.f",
@@ -198498,7 +219824,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a legal opinion regarding system monitoring activities is obtained;"
+                    "prose": "a legal opinion regarding system monitoring activities is obtained;",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.f",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4_obj.g",
@@ -198510,7 +219842,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}."
+                    "prose": "{{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4_smt.g",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -198654,7 +219998,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;"
+                        "prose": "individual intrusion detection tools are connected to a system-wide intrusion detection system;",
+                        "links": [
+                          {
+                            "href": "#si-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.1_obj-2",
@@ -198666,7 +220016,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system."
+                        "prose": "individual intrusion detection tools are configured into a system-wide intrusion detection system.",
+                        "links": [
+                          {
+                            "href": "#si-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -198802,7 +220164,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events."
+                    "prose": "automated tools and mechanisms are employed to support a near real-time analysis of events.",
+                    "links": [
+                      {
+                        "href": "#si-4.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.2_asm-examine",
@@ -198947,7 +220315,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;"
+                        "prose": "automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;",
+                        "links": [
+                          {
+                            "href": "#si-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.3_obj-2",
@@ -198959,7 +220333,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms."
+                        "prose": "automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.",
+                        "links": [
+                          {
+                            "href": "#si-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -199230,7 +220616,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.a-2",
@@ -199242,7 +220634,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;"
+                            "prose": "criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -199267,7 +220671,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};"
+                            "prose": "inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.4_obj.b-2",
@@ -199279,10 +220689,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}."
+                            "prose": "outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.",
+                            "links": [
+                              {
+                                "href": "#si-4.4_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.4_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.4_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -199463,7 +220891,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur."
+                    "prose": "{{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.",
+                    "links": [
+                      {
+                        "href": "#si-4.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.5_asm-examine",
@@ -199705,7 +221139,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-04.07_odp.01 }} are notified of detected suspicious events;"
+                        "prose": "{{ insert: param, si-04.07_odp.01 }} are notified of detected suspicious events;",
+                        "links": [
+                          {
+                            "href": "#si-4.7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.7_obj.b",
@@ -199717,7 +221157,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-04.07_odp.02 }} are taken upon the detection of suspicious events."
+                        "prose": "{{ insert: param, si-04.07_odp.02 }} are taken upon the detection of suspicious events.",
+                        "links": [
+                          {
+                            "href": "#si-4.7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -199897,7 +221349,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "intrusion-monitoring tools and mechanisms are tested {{ insert: param, si-04.09_odp }}."
+                    "prose": "intrusion-monitoring tools and mechanisms are tested {{ insert: param, si-04.09_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-4.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.9_asm-examine",
@@ -200065,7 +221523,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}."
+                    "prose": "provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.10_asm-examine",
@@ -200234,7 +221698,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;"
+                        "prose": "outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;",
+                        "links": [
+                          {
+                            "href": "#si-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.11_obj-2",
@@ -200246,7 +221716,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies."
+                        "prose": "outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies.",
+                        "links": [
+                          {
+                            "href": "#si-4.11_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.11_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -200441,7 +221923,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications."
+                    "prose": "{{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.",
+                    "links": [
+                      {
+                        "href": "#si-4.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.12_asm-examine",
@@ -200628,7 +222116,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "communications traffic for the system is analyzed;"
+                            "prose": "communications traffic for the system is analyzed;",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.13_obj.a-2",
@@ -200640,7 +222134,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "event patterns for the system are analyzed;"
+                            "prose": "event patterns for the system are analyzed;",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.a",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.13_smt.a",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -200665,7 +222171,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "profiles representing common traffic are developed;"
+                            "prose": "profiles representing common traffic are developed;",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.13_obj.b-2",
@@ -200677,7 +222189,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "profiles representing event patterns are developed;"
+                            "prose": "profiles representing event patterns are developed;",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.13_smt.b",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -200702,7 +222226,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "traffic profiles are used in tuning system-monitoring devices;"
+                            "prose": "traffic profiles are used in tuning system-monitoring devices;",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "si-4.13_obj.c-2",
@@ -200714,10 +222244,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "event profiles are used in tuning system-monitoring devices."
+                            "prose": "event profiles are used in tuning system-monitoring devices.",
+                            "links": [
+                              {
+                                "href": "#si-4.13_smt.c",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#si-4.13_smt.c",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.13_smt",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -200863,7 +222411,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;"
+                        "prose": "a wireless intrusion detection system is employed to identify rogue wireless devices;",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.14_obj-2",
@@ -200875,7 +222429,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;"
+                        "prose": "a wireless intrusion detection system is employed to detect attack attempts on the system;",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.14_obj-3",
@@ -200887,7 +222447,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system."
+                        "prose": "a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.",
+                        "links": [
+                          {
+                            "href": "#si-4.14_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.14_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -201019,7 +222591,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks."
+                    "prose": "an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.",
+                    "links": [
+                      {
+                        "href": "#si-4.15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.15_asm-examine",
@@ -201154,7 +222732,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated."
+                    "prose": "information from monitoring tools and mechanisms employed throughout the system is correlated.",
+                    "links": [
+                      {
+                        "href": "#si-4.16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.16_asm-examine",
@@ -201300,7 +222884,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness."
+                    "prose": "information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness.",
+                    "links": [
+                      {
+                        "href": "#si-4.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.17_asm-examine",
@@ -201469,7 +223059,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;"
+                        "prose": "outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;",
+                        "links": [
+                          {
+                            "href": "#si-4.18_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.18_obj-2",
@@ -201481,7 +223077,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information."
+                        "prose": "outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.",
+                        "links": [
+                          {
+                            "href": "#si-4.18_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.18_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -201651,7 +223259,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk."
+                    "prose": "{{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.",
+                    "links": [
+                      {
+                        "href": "#si-4.19_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.19_asm-examine",
@@ -201803,7 +223417,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.20_odp }} of privileged users is implemented."
+                    "prose": "{{ insert: param, si-04.20_odp }} of privileged users is implemented.",
+                    "links": [
+                      {
+                        "href": "#si-4.20_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.20_asm-examine",
@@ -201975,7 +223595,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.21_odp.01 }} of individuals is implemented during {{ insert: param, si-04.21_odp.02 }}."
+                    "prose": "{{ insert: param, si-04.21_odp.01 }} of individuals is implemented during {{ insert: param, si-04.21_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4.21_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.21_asm-examine",
@@ -202202,7 +223828,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;"
+                        "prose": "network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;",
+                        "links": [
+                          {
+                            "href": "#si-4.22_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.22_obj.b",
@@ -202214,7 +223846,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected."
+                        "prose": "{{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.",
+                        "links": [
+                          {
+                            "href": "#si-4.22_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.22_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -202392,7 +224036,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}."
+                    "prose": "{{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-4.23_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-4.23_asm-examine",
@@ -202575,7 +224225,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are discovered;"
+                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are discovered;",
+                        "links": [
+                          {
+                            "href": "#si-4.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.24_obj-2",
@@ -202587,7 +224243,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are collected;"
+                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are collected;",
+                        "links": [
+                          {
+                            "href": "#si-4.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.24_obj-3",
@@ -202599,7 +224261,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are distributed to {{ insert: param, si-04.24_odp.02 }}."
+                        "prose": "indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are distributed to {{ insert: param, si-04.24_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#si-4.24_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.24_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -202738,7 +224412,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;"
+                        "prose": "visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;",
+                        "links": [
+                          {
+                            "href": "#si-4.25_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-4.25_obj-2",
@@ -202750,7 +224430,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices."
+                        "prose": "visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.",
+                        "links": [
+                          {
+                            "href": "#si-4.25_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-4.25_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -203057,7 +224749,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;"
+                    "prose": "system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.b",
@@ -203069,7 +224767,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;"
+                    "prose": "internal security alerts, advisories, and directives are generated as deemed necessary;",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.c",
@@ -203081,7 +224785,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};"
+                    "prose": "security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5_obj.d",
@@ -203093,7 +224803,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance."
+                    "prose": "security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.",
+                    "links": [
+                      {
+                        "href": "#si-5_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -203243,7 +224965,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization."
+                    "prose": "{{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.",
+                    "links": [
+                      {
+                        "href": "#si-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-5.1_asm-examine",
@@ -203628,7 +225356,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.01 }} are verified to be operating correctly;"
+                        "prose": "{{ insert: param, si-06_odp.01 }} are verified to be operating correctly;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.a-2",
@@ -203640,7 +225374,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.02 }} are verified to be operating correctly;"
+                        "prose": "{{ insert: param, si-06_odp.02 }} are verified to be operating correctly;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -203665,7 +225411,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};"
+                        "prose": "{{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.b-2",
@@ -203677,7 +225429,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};"
+                        "prose": "{{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -203702,7 +225466,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;"
+                        "prose": "{{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6_obj.c-2",
@@ -203714,7 +225484,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;"
+                        "prose": "{{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;",
+                        "links": [
+                          {
+                            "href": "#si-6_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -203728,7 +225510,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered."
+                    "prose": "{{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.",
+                    "links": [
+                      {
+                        "href": "#si-6_smt.d",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-6_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -203896,7 +225690,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are implemented to support the management of distributed security function testing;"
+                        "prose": "automated mechanisms are implemented to support the management of distributed security function testing;",
+                        "links": [
+                          {
+                            "href": "#si-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6.2_obj-2",
@@ -203908,7 +225708,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "automated mechanisms are implemented to support the management of distributed privacy function testing."
+                        "prose": "automated mechanisms are implemented to support the management of distributed privacy function testing.",
+                        "links": [
+                          {
+                            "href": "#si-6.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -204076,7 +225888,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of security function verification are reported to {{ insert: param, si-06.03_odp }};"
+                        "prose": "the results of security function verification are reported to {{ insert: param, si-06.03_odp }};",
+                        "links": [
+                          {
+                            "href": "#si-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-6.3_obj-2",
@@ -204088,7 +225906,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the results of privacy function verification are reported to {{ insert: param, si-06.03_odp }}."
+                        "prose": "the results of privacy function verification are reported to {{ insert: param, si-06.03_odp }}.",
+                        "links": [
+                          {
+                            "href": "#si-6.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-6.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -204524,7 +226354,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-2",
@@ -204536,7 +226372,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.a-3",
@@ -204548,7 +226390,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};"
+                        "prose": "integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -204573,7 +226427,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;"
+                        "prose": "{{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-2",
@@ -204585,7 +226445,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;"
+                        "prose": "{{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7_obj.b-3",
@@ -204597,10 +226463,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected."
+                        "prose": "{{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.",
+                        "links": [
+                          {
+                            "href": "#si-7_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7_smt.b",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#si-7_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -205029,7 +226913,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-2",
@@ -205041,7 +226931,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};"
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.1_obj-3",
@@ -205053,7 +226949,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}."
+                        "prose": "an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.",
+                        "links": [
+                          {
+                            "href": "#si-7.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -205203,7 +227111,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed."
+                    "prose": "automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.",
+                    "links": [
+                      {
+                        "href": "#si-7.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.2_asm-examine",
@@ -205341,7 +227255,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "centrally managed integrity verification tools are employed."
+                    "prose": "centrally managed integrity verification tools are employed.",
+                    "links": [
+                      {
+                        "href": "#si-7.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.3_asm-examine",
@@ -205541,7 +227461,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered."
+                    "prose": "{{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.",
+                    "links": [
+                      {
+                        "href": "#si-7.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.5_asm-examine",
@@ -205686,7 +227612,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to software;"
+                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to software;",
+                        "links": [
+                          {
+                            "href": "#si-7.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.6_obj-2",
@@ -205698,7 +227630,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to firmware;"
+                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to firmware;",
+                        "links": [
+                          {
+                            "href": "#si-7.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.6_obj-3",
@@ -205710,7 +227648,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to information."
+                        "prose": "cryptographic mechanisms are implemented to detect unauthorized changes to information.",
+                        "links": [
+                          {
+                            "href": "#si-7.6_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7.6_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -205885,7 +227835,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability."
+                    "prose": "the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.",
+                    "links": [
+                      {
+                        "href": "#si-7.7_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.7_asm-examine",
@@ -206099,7 +228055,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the capability to audit an event upon the detection of a potential integrity violation is provided;"
+                        "prose": "the capability to audit an event upon the detection of a potential integrity violation is provided;",
+                        "links": [
+                          {
+                            "href": "#si-7.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-7.8_obj-2",
@@ -206111,7 +228073,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-07.08_odp.01 }} is/are initiated upon the detection of a potential integrity violation."
+                        "prose": "{{ insert: param, si-07.08_odp.01 }} is/are initiated upon the detection of a potential integrity violation.",
+                        "links": [
+                          {
+                            "href": "#si-7.8_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-7.8_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -206265,7 +228239,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the integrity of the boot process of {{ insert: param, si-07.09_odp }} is verified."
+                    "prose": "the integrity of the boot process of {{ insert: param, si-07.09_odp }} is verified.",
+                    "links": [
+                      {
+                        "href": "#si-7.9_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.9_asm-examine",
@@ -206437,7 +228417,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-07.10_odp.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}."
+                    "prose": "{{ insert: param, si-07.10_odp.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-7.10_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.10_asm-examine",
@@ -206624,7 +228610,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the integrity of {{ insert: param, si-07.12_odp }} is verified prior to execution."
+                    "prose": "the integrity of {{ insert: param, si-07.12_odp }} is verified prior to execution.",
+                    "links": [
+                      {
+                        "href": "#si-7.12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.12_asm-examine",
@@ -206844,7 +228836,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation."
+                    "prose": "cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.",
+                    "links": [
+                      {
+                        "href": "#si-7.15_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.15_asm-examine",
@@ -206992,7 +228990,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "processes are prohibited from executing without supervision for more than {{ insert: param, si-07.16_odp }}."
+                    "prose": "processes are prohibited from executing without supervision for more than {{ insert: param, si-07.16_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-7.16_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.16_asm-examine",
@@ -207149,7 +229153,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-07.17_odp }} are implemented for application self-protection at runtime."
+                    "prose": "{{ insert: param, si-07.17_odp }} are implemented for application self-protection at runtime.",
+                    "links": [
+                      {
+                        "href": "#si-7.17_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-7.17_asm-examine",
@@ -207345,7 +229355,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-2",
@@ -207357,7 +229373,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to detect unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-3",
@@ -207369,7 +229391,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system entry points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-8_obj.a-4",
@@ -207381,7 +229409,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;"
+                        "prose": "spam protection mechanisms are employed at system exit points to act on unsolicited messages;",
+                        "links": [
+                          {
+                            "href": "#si-8_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-8_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -207395,7 +229435,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures."
+                    "prose": "spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.",
+                    "links": [
+                      {
+                        "href": "#si-8_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-8_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -207570,7 +229622,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}."
+                    "prose": "spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-8.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-8.2_asm-examine",
@@ -207691,7 +229749,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic."
+                    "prose": "spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.",
+                    "links": [
+                      {
+                        "href": "#si-8.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-8.3_asm-examine",
@@ -207892,7 +229956,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked."
+                "prose": "the validity of the {{ insert: param, si-10_odp }} is checked.",
+                "links": [
+                  {
+                    "href": "#si-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-10_asm-examine",
@@ -208102,7 +230172,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a manual override capability for the validation of {{ insert: param, si-10_odp }} is provided;"
+                        "prose": "a manual override capability for the validation of {{ insert: param, si-10_odp }} is provided;",
+                        "links": [
+                          {
+                            "href": "#si-10.1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-10.1_obj.b",
@@ -208114,7 +230190,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of the manual override capability is restricted to only {{ insert: param, si-10.01_odp }};"
+                        "prose": "the use of the manual override capability is restricted to only {{ insert: param, si-10.01_odp }};",
+                        "links": [
+                          {
+                            "href": "#si-10.1_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-10.1_obj.c",
@@ -208126,7 +230208,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the use of the manual override capability is audited."
+                        "prose": "the use of the manual override capability is audited.",
+                        "links": [
+                          {
+                            "href": "#si-10.1_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-10.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -208315,7 +230409,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "input validation errors are reviewed within {{ insert: param, si-10.02_odp.01 }};"
+                        "prose": "input validation errors are reviewed within {{ insert: param, si-10.02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-10.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-10.2_obj-2",
@@ -208327,7 +230427,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "input validation errors are resolved within {{ insert: param, si-10.02_odp.02 }}."
+                        "prose": "input validation errors are resolved within {{ insert: param, si-10.02_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#si-10.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-10.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -208471,7 +230583,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system behaves in a predictable manner when invalid inputs are received;"
+                        "prose": "the system behaves in a predictable manner when invalid inputs are received;",
+                        "links": [
+                          {
+                            "href": "#si-10.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-10.3_obj-2",
@@ -208483,7 +230601,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system behaves in a documented manner when invalid inputs are received."
+                        "prose": "the system behaves in a documented manner when invalid inputs are received.",
+                        "links": [
+                          {
+                            "href": "#si-10.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-10.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -208611,7 +230741,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "timing interactions among system components are accounted for in determining appropriate responses for invalid inputs."
+                    "prose": "timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.",
+                    "links": [
+                      {
+                        "href": "#si-10.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-10.4_asm-examine",
@@ -208787,7 +230923,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the use of information inputs is restricted to {{ insert: param, si-10.05_odp.01 }} and/or {{ insert: param, si-10.05_odp.02 }}."
+                    "prose": "the use of information inputs is restricted to {{ insert: param, si-10.05_odp.01 }} and/or {{ insert: param, si-10.05_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-10.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-10.5_asm-examine",
@@ -208921,7 +231063,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "untrusted data injections are prevented."
+                    "prose": "untrusted data injections are prevented.",
+                    "links": [
+                      {
+                        "href": "#si-10.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-10.6_asm-examine",
@@ -209116,7 +231264,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;"
+                    "prose": "error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-11_obj.b",
@@ -209128,7 +231282,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}."
+                    "prose": "error messages are revealed only to {{ insert: param, si-11_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -209390,7 +231556,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-2",
@@ -209402,7 +231574,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-3",
@@ -209414,7 +231592,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;"
+                    "prose": "information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12_obj-4",
@@ -209426,7 +231610,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements."
+                    "prose": "information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.",
+                    "links": [
+                      {
+                        "href": "#si-12_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-12_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -209575,7 +231771,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}."
+                    "prose": "personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-12.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-12.1_asm-examine",
@@ -209790,7 +231992,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;"
+                        "prose": "{{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.2_obj-2",
@@ -209802,7 +232010,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;"
+                        "prose": "{{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.2_obj-3",
@@ -209814,7 +232028,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training."
+                        "prose": "{{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.",
+                        "links": [
+                          {
+                            "href": "#si-12.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-12.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -210019,7 +232245,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;"
+                        "prose": "{{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.3_obj-2",
@@ -210031,7 +232263,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;"
+                        "prose": "{{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-12.3_obj-3",
@@ -210043,7 +232281,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period."
+                        "prose": "{{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.",
+                        "links": [
+                          {
+                            "href": "#si-12.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-12.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -210278,7 +232528,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "mean time to failure (MTTF) is determined for {{ insert: param, si-13_odp.01 }} in specific environments of operation;"
+                    "prose": "mean time to failure (MTTF) is determined for {{ insert: param, si-13_odp.01 }} in specific environments of operation;",
+                    "links": [
+                      {
+                        "href": "#si-13_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-13_obj.b",
@@ -210290,7 +232546,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "substitute system components and a means to exchange active and standby components are provided in accordance with {{ insert: param, si-13_odp.02 }}."
+                    "prose": "substitute system components and a means to exchange active and standby components are provided in accordance with {{ insert: param, si-13_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-13_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-13_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -210440,7 +232708,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "system components are taken out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure."
+                    "prose": "system components are taken out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure.",
+                    "links": [
+                      {
+                        "href": "#si-13.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-13.1_asm-examine",
@@ -210618,7 +232892,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "transfers are initiated manually between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure."
+                    "prose": "transfers are initiated manually between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure.",
+                    "links": [
+                      {
+                        "href": "#si-13.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-13.3_asm-examine",
@@ -210868,7 +233148,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} if system component failures are detected;"
+                        "prose": "the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} if system component failures are detected;",
+                        "links": [
+                          {
+                            "href": "#si-13.4_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-13.4_obj.b",
@@ -210880,7 +233166,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-13.04_odp.02 }} are performed if system component failures are detected."
+                        "prose": "{{ insert: param, si-13.04_odp.02 }} are performed if system component failures are detected.",
+                        "links": [
+                          {
+                            "href": "#si-13.4_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-13.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -211062,7 +233360,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} is provided for the system."
+                    "prose": "{{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} is provided for the system.",
+                    "links": [
+                      {
+                        "href": "#si-13.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-13.5_asm-examine",
@@ -211272,7 +233576,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state are implemented;"
+                    "prose": "non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state are implemented;",
+                    "links": [
+                      {
+                        "href": "#si-14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-14_obj-2",
@@ -211284,7 +233594,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "non-persistent {{ insert: param, si-14_odp.01 }} are terminated {{ insert: param, si-14_odp.02 }}."
+                    "prose": "non-persistent {{ insert: param, si-14_odp.01 }} are terminated {{ insert: param, si-14_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-14_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-14_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -211434,7 +233756,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the software and data employed during system component and service refreshes are obtained from {{ insert: param, si-14.01_odp }}."
+                    "prose": "the software and data employed during system component and service refreshes are obtained from {{ insert: param, si-14.01_odp }}.",
+                    "links": [
+                      {
+                        "href": "#si-14.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-14.1_asm-examine",
@@ -211676,7 +234004,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, si-14.02_odp.01 }} is performed;"
+                        "prose": "{{ insert: param, si-14.02_odp.01 }} is performed;",
+                        "links": [
+                          {
+                            "href": "#si-14.2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-14.2_obj.b",
@@ -211688,7 +234022,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "information is deleted when no longer needed."
+                        "prose": "information is deleted when no longer needed.",
+                        "links": [
+                          {
+                            "href": "#si-14.2_smt.b",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-14.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -211853,7 +234199,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connections to the system are established on demand;"
+                        "prose": "connections to the system are established on demand;",
+                        "links": [
+                          {
+                            "href": "#si-14.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-14.3_obj-2",
@@ -211865,7 +234217,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "connections to the system are terminated after {{ insert: param, si-14.03_odp }}."
+                        "prose": "connections to the system are terminated after {{ insert: param, si-14.03_odp }}.",
+                        "links": [
+                          {
+                            "href": "#si-14.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-14.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -212025,7 +234389,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "information output from {{ insert: param, si-15_odp }} is validated to ensure that the information is consistent with the expected content."
+                "prose": "information output from {{ insert: param, si-15_odp }} is validated to ensure that the information is consistent with the expected content.",
+                "links": [
+                  {
+                    "href": "#si-15_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-15_asm-examine",
@@ -212181,7 +234551,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution."
+                "prose": "{{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.",
+                "links": [
+                  {
+                    "href": "#si-16_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-16_asm-examine",
@@ -212369,7 +234745,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, si-17_odp.01 }} are implemented when {{ insert: param, si-17_odp.02 }} occur."
+                "prose": "{{ insert: param, si-17_odp.01 }} are implemented when {{ insert: param, si-17_odp.02 }} occur.",
+                "links": [
+                  {
+                    "href": "#si-17_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-17_asm-examine",
@@ -212656,7 +235038,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};"
+                        "prose": "the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-2",
@@ -212668,7 +235056,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};"
+                        "prose": "the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-3",
@@ -212680,7 +235074,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};"
+                        "prose": "the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-18_obj.a-4",
@@ -212692,7 +235092,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};"
+                        "prose": "the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};",
+                        "links": [
+                          {
+                            "href": "#si-18_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-18_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -212706,7 +235118,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "inaccurate or outdated personally identifiable information is corrected or deleted."
+                    "prose": "inaccurate or outdated personally identifiable information is corrected or deleted.",
+                    "links": [
+                      {
+                        "href": "#si-18_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-18_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -212864,7 +235288,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-18.01_odp }} are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified."
+                    "prose": "{{ insert: param, si-18.01_odp }} are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.",
+                    "links": [
+                      {
+                        "href": "#si-18.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.1_asm-examine",
@@ -213002,7 +235432,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems."
+                    "prose": "data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.",
+                    "links": [
+                      {
+                        "href": "#si-18.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.2_asm-examine",
@@ -213128,7 +235564,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information is collected directly from the individual."
+                    "prose": "personally identifiable information is collected directly from the individual.",
+                    "links": [
+                      {
+                        "href": "#si-18.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.3_asm-examine",
@@ -213254,7 +235696,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information is corrected or deleted upon request by individuals or their designated representatives."
+                    "prose": "personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.",
+                    "links": [
+                      {
+                        "href": "#si-18.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.4_asm-examine",
@@ -213407,7 +235855,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-18.05_odp }} and individuals are notified when the personally identifiable information has been corrected or deleted."
+                    "prose": "{{ insert: param, si-18.05_odp }} and individuals are notified when the personally identifiable information has been corrected or deleted.",
+                    "links": [
+                      {
+                        "href": "#si-18.5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-18.5_asm-examine",
@@ -213644,7 +236098,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-19_odp.01 }} are removed from datasets;"
+                    "prose": "{{ insert: param, si-19_odp.01 }} are removed from datasets;",
+                    "links": [
+                      {
+                        "href": "#si-19_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19_obj.b",
@@ -213656,7 +236116,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}."
+                    "prose": "the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#si-19_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-19_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -213784,7 +236256,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the dataset is de-identified upon collection by not collecting personally identifiable information."
+                    "prose": "the dataset is de-identified upon collection by not collecting personally identifiable information.",
+                    "links": [
+                      {
+                        "href": "#si-19.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.1_asm-examine",
@@ -213910,7 +236388,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived."
+                    "prose": "the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.",
+                    "links": [
+                      {
+                        "href": "#si-19.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.2_asm-examine",
@@ -214036,7 +236520,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release."
+                    "prose": "personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.",
+                    "links": [
+                      {
+                        "href": "#si-19.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.3_asm-examine",
@@ -214165,7 +236655,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced."
+                    "prose": "direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced.",
+                    "links": [
+                      {
+                        "href": "#si-19.4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.4_asm-examine",
@@ -214302,7 +236798,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;"
+                        "prose": "numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;",
+                        "links": [
+                          {
+                            "href": "#si-19.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-19.5_obj-2",
@@ -214314,7 +236816,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;"
+                        "prose": "contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;",
+                        "links": [
+                          {
+                            "href": "#si-19.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-19.5_obj-3",
@@ -214326,7 +236834,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis."
+                        "prose": "statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.",
+                        "links": [
+                          {
+                            "href": "#si-19.5_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-19.5_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -214462,7 +236982,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported."
+                    "prose": "the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.",
+                    "links": [
+                      {
+                        "href": "#si-19.6_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.6_asm-examine",
@@ -214594,7 +237120,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "de-identification is performed using validated algorithms;"
+                        "prose": "de-identification is performed using validated algorithms;",
+                        "links": [
+                          {
+                            "href": "#si-19.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "si-19.7_obj-2",
@@ -214606,7 +237138,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "de-identification is performed using software that is validated to implement the algorithms."
+                        "prose": "de-identification is performed using software that is validated to implement the algorithms.",
+                        "links": [
+                          {
+                            "href": "#si-19.7_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#si-19.7_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -214734,7 +237278,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified."
+                    "prose": "a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.",
+                    "links": [
+                      {
+                        "href": "#si-19.8_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-19.8_asm-examine",
@@ -214897,7 +237447,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "data or capabilities are embedded in {{ insert: param, si-20_odp }} to determine if organizational data has been exfiltrated or improperly removed from the organization."
+                "prose": "data or capabilities are embedded in {{ insert: param, si-20_odp }} to determine if organizational data has been exfiltrated or improperly removed from the organization.",
+                "links": [
+                  {
+                    "href": "#si-20_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-20_asm-examine",
@@ -215078,7 +237634,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the {{ insert: param, si-21_odp.01 }} is refreshed {{ insert: param, si-21_odp.02 }} or is generated on demand and deleted when no longer needed."
+                "prose": "the {{ insert: param, si-21_odp.01 }} is refreshed {{ insert: param, si-21_odp.02 }} or is generated on demand and deleted when no longer needed.",
+                "links": [
+                  {
+                    "href": "#si-21_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "si-21_asm-examine",
@@ -215305,7 +237867,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, si-22_odp.01 }} for {{ insert: param, si-22_odp.02 }} are identified;"
+                    "prose": "{{ insert: param, si-22_odp.01 }} for {{ insert: param, si-22_odp.02 }} are identified;",
+                    "links": [
+                      {
+                        "href": "#si-22_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-22_obj.b",
@@ -215317,7 +237885,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "an alternative information source is used for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable."
+                    "prose": "an alternative information source is used for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable.",
+                    "links": [
+                      {
+                        "href": "#si-22_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-22_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -215547,7 +238127,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "under {{ insert: param, si-23_odp.01 }}, {{ insert: param, si-23_odp.02 }} is fragmented;"
+                    "prose": "under {{ insert: param, si-23_odp.01 }}, {{ insert: param, si-23_odp.02 }} is fragmented;",
+                    "links": [
+                      {
+                        "href": "#si-23_smt.a",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "si-23_obj.b",
@@ -215559,7 +238145,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "under {{ insert: param, si-23_odp.01 }} , the fragmented information is distributed across {{ insert: param, si-23_odp.03 }}."
+                    "prose": "under {{ insert: param, si-23_odp.01 }} , the fragmented information is distributed across {{ insert: param, si-23_odp.03 }}.",
+                    "links": [
+                      {
+                        "href": "#si-23_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#si-23_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -216042,7 +238640,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a supply chain risk management policy is developed and documented;"
+                        "prose": "a supply chain risk management policy is developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-2",
@@ -216054,7 +238658,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};"
+                        "prose": "the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-3",
@@ -216066,7 +238676,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;"
+                        "prose": "supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a-4",
@@ -216078,7 +238694,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}."
+                        "prose": "the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-1_obj.a.1",
@@ -216112,7 +238734,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-2",
@@ -216124,7 +238752,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; "
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; ",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-3",
@@ -216136,7 +238770,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "{{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;"
+                                "prose": "{{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-4",
@@ -216148,7 +238788,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-5",
@@ -216160,7 +238806,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-6",
@@ -216172,7 +238824,13 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;"
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
                               },
                               {
                                 "id": "sr-1_obj.a.1.a-7",
@@ -216184,7 +238842,19 @@
                                     "class": "sp800-53a"
                                   }
                                 ],
-                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance."
+                                "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.",
+                                "links": [
+                                  {
+                                    "href": "#sr-1_smt.a.1.a",
+                                    "rel": "assessment-for"
+                                  }
+                                ]
+                              }
+                            ],
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.a",
+                                "rel": "assessment-for"
                               }
                             ]
                           },
@@ -216198,10 +238868,28 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;"
+                            "prose": "the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.a.1.b",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.a.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.a",
+                        "rel": "assessment-for"
+                      }
                     ]
                   },
                   {
@@ -216214,7 +238902,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;"
+                    "prose": "the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;",
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-1_obj.c",
@@ -216248,7 +238942,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.1-2",
@@ -216260,7 +238960,19 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};"
+                            "prose": "the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.1",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.1",
+                            "rel": "assessment-for"
                           }
                         ]
                       },
@@ -216285,7 +238997,13 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};"
+                            "prose": "the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
                           },
                           {
                             "id": "sr-1_obj.c.2-2",
@@ -216297,12 +239015,36 @@
                                 "class": "sp800-53a"
                               }
                             ],
-                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}."
+                            "prose": "the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.",
+                            "links": [
+                              {
+                                "href": "#sr-1_smt.c.2",
+                                "rel": "assessment-for"
+                              }
+                            ]
+                          }
+                        ],
+                        "links": [
+                          {
+                            "href": "#sr-1_smt.c.2",
+                            "rel": "assessment-for"
                           }
                         ]
                       }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-1_smt.c",
+                        "rel": "assessment-for"
+                      }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-1_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -216597,7 +239339,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a plan for managing supply chain risks is developed;"
+                        "prose": "a plan for managing supply chain risks is developed;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-2",
@@ -216609,7 +239357,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-3",
@@ -216621,7 +239375,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-4",
@@ -216633,7 +239393,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-5",
@@ -216645,7 +239411,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-6",
@@ -216657,7 +239429,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-7",
@@ -216669,7 +239447,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-8",
@@ -216681,7 +239465,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.a-9",
@@ -216693,7 +239483,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};"
+                        "prose": "the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -216707,7 +239509,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;"
+                    "prose": "the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;",
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2_obj.c",
@@ -216730,7 +239538,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;"
+                        "prose": "the supply chain risk management plan is protected from unauthorized disclosure;",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-2_obj.c-2",
@@ -216742,10 +239556,28 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the supply chain risk management plan is protected from unauthorized modification."
+                        "prose": "the supply chain risk management plan is protected from unauthorized modification.",
+                        "links": [
+                          {
+                            "href": "#sr-2_smt.c",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-2_smt.c",
+                        "rel": "assessment-for"
                       }
                     ]
                   }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-2_smt",
+                    "rel": "assessment-for"
+                  }
                 ]
               },
               {
@@ -216919,7 +239751,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}."
+                    "prose": "a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-2.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-2.1_asm-examine",
@@ -217306,7 +240144,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};"
+                        "prose": "a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-3_obj.a-2",
@@ -217318,7 +240162,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};"
+                        "prose": "the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -217332,7 +240188,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;"
+                    "prose": "{{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3_obj.c",
@@ -217344,7 +240206,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}."
+                    "prose": "the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-3_smt.c",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-3_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -217533,7 +240407,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.01 }};"
+                        "prose": "a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.01 }};",
+                        "links": [
+                          {
+                            "href": "#sr-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-3.1_obj-2",
@@ -217545,7 +240425,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.02 }}."
+                        "prose": "a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.02 }}.",
+                        "links": [
+                          {
+                            "href": "#sr-3.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-3.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -217695,7 +240587,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-03.02_odp }} are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain."
+                    "prose": "{{ insert: param, sr-03.02_odp }} are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.",
+                    "links": [
+                      {
+                        "href": "#sr-3.2_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3.2_asm-examine",
@@ -217829,7 +240727,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "the controls included in the contracts of prime contractors are also included in the contracts of subcontractors."
+                    "prose": "the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.",
+                    "links": [
+                      {
+                        "href": "#sr-3.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-3.3_asm-examine",
@@ -218054,7 +240958,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "valid provenance is documented for {{ insert: param, sr-04_odp }};"
+                    "prose": "valid provenance is documented for {{ insert: param, sr-04_odp }};",
+                    "links": [
+                      {
+                        "href": "#sr-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-4_obj-2",
@@ -218066,7 +240976,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "valid provenance is monitored for {{ insert: param, sr-04_odp }};"
+                    "prose": "valid provenance is monitored for {{ insert: param, sr-04_odp }};",
+                    "links": [
+                      {
+                        "href": "#sr-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-4_obj-3",
@@ -218078,7 +240994,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "valid provenance is maintained for {{ insert: param, sr-04_odp }}."
+                    "prose": "valid provenance is maintained for {{ insert: param, sr-04_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sr-4_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-4_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -218256,7 +241184,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unique identification of {{ insert: param, sr-04.01_odp }} is established;"
+                        "prose": "unique identification of {{ insert: param, sr-04.01_odp }} is established;",
+                        "links": [
+                          {
+                            "href": "#sr-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-4.1_obj-2",
@@ -218268,7 +241202,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "unique identification of {{ insert: param, sr-04.01_odp }} is maintained."
+                        "prose": "unique identification of {{ insert: param, sr-04.01_odp }} is maintained.",
+                        "links": [
+                          {
+                            "href": "#sr-4.1_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-4.1_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -218445,7 +241391,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the unique identification of {{ insert: param, sr-04.02_odp }} is established for tracking through the supply chain;"
+                        "prose": "the unique identification of {{ insert: param, sr-04.02_odp }} is established for tracking through the supply chain;",
+                        "links": [
+                          {
+                            "href": "#sr-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-4.2_obj-2",
@@ -218457,7 +241409,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the unique identification of {{ insert: param, sr-04.02_odp }} is maintained for tracking through the supply chain."
+                        "prose": "the unique identification of {{ insert: param, sr-04.02_odp }} is maintained for tracking through the supply chain.",
+                        "links": [
+                          {
+                            "href": "#sr-4.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-4.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -218662,7 +241626,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sr-04.03_odp.01 }} are employed to validate that the system or system component received is genuine;"
+                        "prose": "{{ insert: param, sr-04.03_odp.01 }} are employed to validate that the system or system component received is genuine;",
+                        "links": [
+                          {
+                            "href": "#sr-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-4.3_obj-2",
@@ -218674,7 +241644,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sr-04.03_odp.02 }} are employed to validate that the system or system component received has not been altered."
+                        "prose": "{{ insert: param, sr-04.03_odp.02 }} are employed to validate that the system or system component received has not been altered.",
+                        "links": [
+                          {
+                            "href": "#sr-4.3_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-4.3_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -218864,7 +241846,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sr-04.04_odp.01 }} are employed to ensure the integrity of the system and system components;"
+                        "prose": "{{ insert: param, sr-04.04_odp.01 }} are employed to ensure the integrity of the system and system components;",
+                        "links": [
+                          {
+                            "href": "#sr-4.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-4.4_obj-2",
@@ -218876,7 +241864,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "{{ insert: param, sr-04.04_odp.02 }} is conducted to ensure the integrity of the system and system components."
+                        "prose": "{{ insert: param, sr-04.04_odp.02 }} is conducted to ensure the integrity of the system and system components.",
+                        "links": [
+                          {
+                            "href": "#sr-4.4_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-4.4_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -219128,7 +242128,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;"
+                    "prose": "{{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-2",
@@ -219140,7 +242146,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-05_odp }} are employed to identify supply chain risks;"
+                    "prose": "{{ insert: param, sr-05_odp }} are employed to identify supply chain risks;",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5_obj-3",
@@ -219152,7 +242164,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks."
+                    "prose": "{{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.",
+                    "links": [
+                      {
+                        "href": "#sr-5_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-5_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -219326,7 +242350,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-05.01_odp.01 }} are employed to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}."
+                    "prose": "{{ insert: param, sr-05.01_odp.01 }} are employed to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-5.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-5.1_asm-examine",
@@ -219479,7 +242509,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system, system component, or system service is assessed prior to selection;"
+                        "prose": "the system, system component, or system service is assessed prior to selection;",
+                        "links": [
+                          {
+                            "href": "#sr-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-5.2_obj-2",
@@ -219491,7 +242527,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system, system component, or system service is assessed prior to acceptance;"
+                        "prose": "the system, system component, or system service is assessed prior to acceptance;",
+                        "links": [
+                          {
+                            "href": "#sr-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-5.2_obj-3",
@@ -219503,7 +242545,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system, system component, or system service is assessed prior to modification;"
+                        "prose": "the system, system component, or system service is assessed prior to modification;",
+                        "links": [
+                          {
+                            "href": "#sr-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-5.2_obj-4",
@@ -219515,7 +242563,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the system, system component, or system service is assessed prior to update."
+                        "prose": "the system, system component, or system service is assessed prior to update.",
+                        "links": [
+                          {
+                            "href": "#sr-5.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-5.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -219723,7 +242783,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}."
+                "prose": "the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.",
+                "links": [
+                  {
+                    "href": "#sr-6_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-6_asm-examine",
@@ -219902,7 +242968,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-06.01_odp.01 }} is/are employed on {{ insert: param, sr-06.01_odp.02 }} associated with the system, system component, or system service."
+                    "prose": "{{ insert: param, sr-06.01_odp.01 }} is/are employed on {{ insert: param, sr-06.01_odp.02 }} associated with the system, system component, or system service.",
+                    "links": [
+                      {
+                        "href": "#sr-6.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-6.1_asm-examine",
@@ -220077,7 +243149,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sr-07_odp }} are employed to protect supply chain-related information for the system, system component, or system service."
+                "prose": "{{ insert: param, sr-07_odp }} are employed to protect supply chain-related information for the system, system component, or system service.",
+                "links": [
+                  {
+                    "href": "#sr-7_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-7_asm-examine",
@@ -220287,7 +243365,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}."
+                "prose": "agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.",
+                "links": [
+                  {
+                    "href": "#sr-8_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-8_asm-examine",
@@ -220453,7 +243537,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "a tamper protection program is implemented for the system, system component, or system service."
+                "prose": "a tamper protection program is implemented for the system, system component, or system service.",
+                "links": [
+                  {
+                    "href": "#sr-9_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-9_asm-examine",
@@ -220583,7 +243673,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle."
+                    "prose": "anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.",
+                    "links": [
+                      {
+                        "href": "#sr-9.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-9.1_asm-examine",
@@ -220831,7 +243927,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering."
+                "prose": "{{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.",
+                "links": [
+                  {
+                    "href": "#sr-10_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-10_asm-examine",
@@ -221086,7 +244188,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "an anti-counterfeit policy is developed and implemented;"
+                        "prose": "an anti-counterfeit policy is developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-2",
@@ -221098,7 +244206,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "anti-counterfeit procedures are developed and implemented;"
+                        "prose": "anti-counterfeit procedures are developed and implemented;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-3",
@@ -221110,7 +244224,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to detect counterfeit components entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11_obj.a-4",
@@ -221122,7 +244242,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;"
+                        "prose": "the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;",
+                        "links": [
+                          {
+                            "href": "#sr-11_smt.a",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.a",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -221136,7 +244268,19 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}."
+                    "prose": "counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.",
+                    "links": [
+                      {
+                        "href": "#sr-11_smt.b",
+                        "rel": "assessment-for"
+                      }
+                    ]
+                  }
+                ],
+                "links": [
+                  {
+                    "href": "#sr-11_smt",
+                    "rel": "assessment-for"
                   }
                 ]
               },
@@ -221290,7 +244434,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "{{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware)."
+                    "prose": "{{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).",
+                    "links": [
+                      {
+                        "href": "#sr-11.1_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-11.1_asm-examine",
@@ -221465,7 +244615,13 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;"
+                        "prose": "configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
                       },
                       {
                         "id": "sr-11.2_obj-2",
@@ -221477,7 +244633,19 @@
                             "class": "sp800-53a"
                           }
                         ],
-                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained."
+                        "prose": "configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.",
+                        "links": [
+                          {
+                            "href": "#sr-11.2_smt",
+                            "rel": "assessment-for"
+                          }
+                        ]
+                      }
+                    ],
+                    "links": [
+                      {
+                        "href": "#sr-11.2_smt",
+                        "rel": "assessment-for"
                       }
                     ]
                   },
@@ -221631,7 +244799,13 @@
                         "class": "sp800-53a"
                       }
                     ],
-                    "prose": "scanning for counterfeit system components is conducted {{ insert: param, sr-11.03_odp }}."
+                    "prose": "scanning for counterfeit system components is conducted {{ insert: param, sr-11.03_odp }}.",
+                    "links": [
+                      {
+                        "href": "#sr-11.3_smt",
+                        "rel": "assessment-for"
+                      }
+                    ]
                   },
                   {
                     "id": "sr-11.3_asm-examine",
@@ -221801,7 +244975,13 @@
                     "class": "sp800-53a"
                   }
                 ],
-                "prose": "{{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}."
+                "prose": "{{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.",
+                "links": [
+                  {
+                    "href": "#sr-12_smt",
+                    "rel": "assessment-for"
+                  }
+                ]
               },
               {
                 "id": "sr-12_asm-examine",
@@ -222212,6 +245392,18 @@
             }
           ]
         },
+        {
+          "uuid": "ff989cdc-649d-4f45-8f61-9309c9680933",
+          "title": "FIPS 196",
+          "citation": {
+            "text": "National Institute of Standards and Technology (1997) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 196."
+          },
+          "rlinks": [
+            {
+              "href": "https://doi.org/10.6028/NIST.FIPS.196"
+            }
+          ]
+        },
         {
           "uuid": "736d6310-e403-4b57-a79d-9967970c66d7",
           "title": "FIPS 197",
@@ -222224,6 +245416,18 @@
             }
           ]
         },
+        {
+          "uuid": "e9d6c5f2-b3aa-4a28-8bea-a0135718d453",
+          "title": "FIPS 198-1",
+          "citation": {
+            "text": "National Institute of Standards and Technology (2008) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 198-1."
+          },
+          "rlinks": [
+            {
+              "href": "https://doi.org/10.6028/NIST.FIPS.198-1"
+            }
+          ]
+        },
         {
           "uuid": "628d22a1-6a11-4784-bc59-5cd9497b5445",
           "title": "FIPS 199",
@@ -224160,6 +247364,15 @@
               "media-type": "application/pdf"
             }
           ]
+        },
+        {
+          "uuid": "5a5ffcb9-2272-484e-8d47-4483a0585dec",
+          "title": "NIST SP 800-53 content and other OSCAL content examples",
+          "rlinks": [
+            {
+              "href": "https://github.com/usnistgov/oscal-content/releases/"
+            }
+          ]
         }
       ]
     }
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml
index 37864dd0..9f8a6819 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="fa9322a2-ab84-423c-b677-8602000b4876">
+          uuid="283e5a73-1997-40fe-8d7e-38abfe6c6b2b">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:45.431064-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE</title>
+      <last-modified>2023-12-05T21:55:03.03012Z</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
              value="OSCAL Profile Resolver XSLT Pipeline OPRXP"/>
@@ -181,18 +181,22 @@
                <part id="ac-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[01]"/>
                   <p>an access control policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[02]"/>
                   <p>the access control policy is disseminated to <insert type="param" id-ref="ac-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[03]"/>
                   <p>access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[04]"/>
                   <p>the access control procedures are disseminated to <insert type="param" id-ref="ac-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.01"/>
@@ -201,41 +205,53 @@
                      <part id="ac-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                   </part>
                   <part id="ac-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.a"/>
             </part>
             <part id="ac-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01b."/>
                <p>the <insert type="param" id-ref="ac-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the access control policy and procedures;</p>
+               <link rel="assessment-for" href="#ac-1_smt.b"/>
             </part>
             <part id="ac-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01c."/>
@@ -244,24 +260,32 @@
                   <part id="ac-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[01]"/>
                      <p>the current access control policy is reviewed and updated <insert type="param" id-ref="ac-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
                   <part id="ac-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[02]"/>
                      <p>the current access control policy is reviewed and updated following <insert type="param" id-ref="ac-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                </part>
                <part id="ac-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01c.02"/>
                   <part id="ac-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[01]"/>
                      <p>the current access control procedures are reviewed and updated <insert type="param" id-ref="ac-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
                   <part id="ac-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[02]"/>
                      <p>the current access control procedures are reviewed and updated following <insert type="param" id-ref="ac-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt"/>
          </part>
          <part id="ac-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -503,131 +527,166 @@
                <part id="ac-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[01]"/>
                   <p>account types allowed for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
                <part id="ac-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[02]"/>
                   <p>account types specifically prohibited for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.a"/>
             </part>
             <part id="ac-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02b."/>
                <p>account managers are assigned;</p>
+               <link rel="assessment-for" href="#ac-2_smt.b"/>
             </part>
             <part id="ac-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02c."/>
                <p>
                   <insert type="param" id-ref="ac-02_odp.01"/> for group and role membership are required;</p>
+               <link rel="assessment-for" href="#ac-2_smt.c"/>
             </part>
             <part id="ac-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02d."/>
                <part id="ac-2_obj.d.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.01"/>
                   <p>authorized users of the system are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.1"/>
                </part>
                <part id="ac-2_obj.d.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.02"/>
                   <p>group and role membership are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.2"/>
                </part>
                <part id="ac-2_obj.d.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.03"/>
                   <part id="ac-2_obj.d.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[01]"/>
                      <p>access authorizations (i.e., privileges) are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
                   <part id="ac-2_obj.d.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[02]"/>
                      <p>
                         <insert type="param" id-ref="ac-02_odp.02"/> are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.d"/>
             </part>
             <part id="ac-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02e."/>
                <p>approvals are required by <insert type="param" id-ref="ac-02_odp.03"/> for requests to create accounts;</p>
+               <link rel="assessment-for" href="#ac-2_smt.e"/>
             </part>
             <part id="ac-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02f."/>
                <part id="ac-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[01]"/>
                   <p>accounts are created in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[02]"/>
                   <p>accounts are enabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[03]"/>
                   <p>accounts are modified in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[04]"/>
                   <p>accounts are disabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[05]"/>
                   <p>accounts are removed in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.f"/>
             </part>
             <part id="ac-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02g."/>
                <p>the use of accounts is monitored; </p>
+               <link rel="assessment-for" href="#ac-2_smt.g"/>
             </part>
             <part id="ac-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02h."/>
                <part id="ac-2_obj.h.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.01"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.06"/> when accounts are no longer required;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.1"/>
                </part>
                <part id="ac-2_obj.h.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.02"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.07"/> when users are terminated or transferred;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.2"/>
                </part>
                <part id="ac-2_obj.h.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.03"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.08"/> when system usage or the need to know changes for an individual;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.h"/>
             </part>
             <part id="ac-2_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02i."/>
                <part id="ac-2_obj.i.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.01"/>
                   <p>access to the system is authorized based on a valid access authorization;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.1"/>
                </part>
                <part id="ac-2_obj.i.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.02"/>
                   <p>access to the system is authorized based on intended system usage;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.2"/>
                </part>
                <part id="ac-2_obj.i.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.03"/>
                   <p>access to the system is authorized based on <insert type="param" id-ref="ac-02_odp.09"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.i"/>
             </part>
             <part id="ac-2_obj.j" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02j."/>
                <p>accounts are reviewed for compliance with account management requirements <insert type="param" id-ref="ac-02_odp.10"/>;</p>
+               <link rel="assessment-for" href="#ac-2_smt.j"/>
             </part>
             <part id="ac-2_obj.k" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02k."/>
                <part id="ac-2_obj.k-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[01]"/>
                   <p>a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
                <part id="ac-2_obj.k-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[02]"/>
                   <p>a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.k"/>
             </part>
             <part id="ac-2_obj.l" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02l."/>
                <part id="ac-2_obj.l-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[01]"/>
                   <p>account management processes are aligned with personnel termination processes;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
                <part id="ac-2_obj.l-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[02]"/>
                   <p>account management processes are aligned with personnel transfer processes.</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.l"/>
             </part>
+            <link rel="assessment-for" href="#ac-2_smt"/>
          </part>
          <part id="ac-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -695,6 +754,7 @@
             <part id="ac-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(01)"/>
                <p>the management of system accounts is supported using <insert type="param" id-ref="ac-02.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-2.1_smt"/>
             </part>
             <part id="ac-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -764,6 +824,7 @@
             <part id="ac-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(02)"/>
                <p>temporary and emergency accounts are automatically <insert type="param" id-ref="ac-02.02_odp.01"/> after <insert type="param" id-ref="ac-02.02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-2.2_smt"/>
             </part>
             <part id="ac-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -850,19 +911,24 @@
                <part id="ac-2.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(a)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have expired;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.a"/>
                </part>
                <part id="ac-2.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(b)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are no longer associated with a user or individual;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.b"/>
                </part>
                <part id="ac-2.3_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(c)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are in violation of organizational policy;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.c"/>
                </part>
                <part id="ac-2.3_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(d)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have been inactive for <insert type="param" id-ref="ac-02.03_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ac-2.3_smt"/>
             </part>
             <part id="ac-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -920,23 +986,29 @@
                <part id="ac-2.4_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[01]"/>
                   <p>account creation is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[02]"/>
                   <p>account modification is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[03]"/>
                   <p>account enabling is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[04]"/>
                   <p>account disabling is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[05]"/>
                   <p>account removal actions are automatically audited.</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-2.4_smt"/>
             </part>
             <part id="ac-2.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -999,6 +1071,7 @@
             <part id="ac-2.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(05)"/>
                <p>users are required to log out when <insert type="param" id-ref="ac-02.05_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-2.5_smt"/>
             </part>
             <part id="ac-2.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1060,6 +1133,7 @@
                <prop name="label" class="sp800-53a" value="AC-02(11)"/>
                <p>
                   <insert type="param" id-ref="ac-02.11_odp.01"/> for <insert type="param" id-ref="ac-02.11_odp.02"/> are enforced.</p>
+               <link rel="assessment-for" href="#ac-2.11_smt"/>
             </part>
             <part id="ac-2.11_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1144,11 +1218,14 @@
                <part id="ac-2.12_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(12)(a)"/>
                   <p>system accounts are monitored for <insert type="param" id-ref="ac-02.12_odp.01"/>; </p>
+                  <link rel="assessment-for" href="#ac-2.12_smt.a"/>
                </part>
                <part id="ac-2.12_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(12)(b)"/>
                   <p>atypical usage of system accounts is reported to <insert type="param" id-ref="ac-02.12_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ac-2.12_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-2.12_smt"/>
             </part>
             <part id="ac-2.12_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1220,6 +1297,7 @@
             <part id="ac-2.13_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(13)"/>
                <p>accounts of individuals are disabled within <insert type="param" id-ref="ac-02.13_odp.01"/> of discovery of <insert type="param" id-ref="ac-02.13_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-2.13_smt"/>
             </part>
             <part id="ac-2.13_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1294,6 +1372,7 @@
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-7"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-3"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
@@ -1322,6 +1401,7 @@
          <part id="ac-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03"/>
             <p>approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.</p>
+            <link rel="assessment-for" href="#ac-3_smt"/>
          </part>
          <part id="ac-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1403,6 +1483,7 @@
          <part id="ac-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04"/>
             <p>approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on <insert type="param" id-ref="ac-04_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-4_smt"/>
          </part>
          <part id="ac-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1488,6 +1569,7 @@
             <part id="ac-4.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-04(04)"/>
                <p>encrypted information is prevented from bypassing <insert type="param" id-ref="ac-04.04_odp.01"/> by <insert type="param" id-ref="ac-04.04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-4.4_smt"/>
             </part>
             <part id="ac-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1575,11 +1657,14 @@
                <prop name="label" class="sp800-53a" value="AC-05a."/>
                <p>
                   <insert type="param" id-ref="ac-05_odp"/> are identified and documented;</p>
+               <link rel="assessment-for" href="#ac-5_smt.a"/>
             </part>
             <part id="ac-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-05b."/>
                <p>system access authorizations to support separation of duties are defined.</p>
+               <link rel="assessment-for" href="#ac-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-5_smt"/>
          </part>
          <part id="ac-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1641,6 +1726,7 @@
          <part id="ac-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06"/>
             <p>the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.</p>
+            <link rel="assessment-for" href="#ac-6_smt"/>
          </part>
          <part id="ac-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1758,20 +1844,26 @@
                   <part id="ac-6.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[01]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
                   <part id="ac-6.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[02]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
                   <part id="ac-6.1_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[03]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                </part>
                <part id="ac-6.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(01)(b)"/>
                   <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.05"/>.</p>
+                  <link rel="assessment-for" href="#ac-6.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-6.1_smt"/>
             </part>
             <part id="ac-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1833,6 +1925,7 @@
             <part id="ac-6.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(02)"/>
                <p>users of system accounts (or roles) with access to <insert type="param" id-ref="ac-06.02_odp"/> are required to use non-privileged accounts or roles when accessing non-security functions.</p>
+               <link rel="assessment-for" href="#ac-6.2_smt"/>
             </part>
             <part id="ac-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1903,11 +1996,14 @@
                <part id="ac-6.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(03)[01]"/>
                   <p>network access to <insert type="param" id-ref="ac-06.03_odp.01"/> is authorized only for <insert type="param" id-ref="ac-06.03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ac-6.3_smt"/>
                </part>
                <part id="ac-6.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(03)[02]"/>
                   <p>the rationale for authorizing network access to privileged commands is documented in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-6.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-6.3_smt"/>
             </part>
             <part id="ac-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1967,6 +2063,7 @@
             <part id="ac-6.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(05)"/>
                <p>privileged accounts on the system are restricted to <insert type="param" id-ref="ac-06.05_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-6.5_smt"/>
             </part>
             <part id="ac-6.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2044,11 +2141,14 @@
                <part id="ac-6.7_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(07)(a)"/>
                   <p>privileges assigned to <insert type="param" id-ref="ac-06.07_odp.02"/> are reviewed <insert type="param" id-ref="ac-06.07_odp.01"/> to validate the need for such privileges;</p>
+                  <link rel="assessment-for" href="#ac-6.7_smt.a"/>
                </part>
                <part id="ac-6.7_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(07)(b)"/>
                   <p>privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.</p>
+                  <link rel="assessment-for" href="#ac-6.7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-6.7_smt"/>
             </part>
             <part id="ac-6.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2104,6 +2204,7 @@
             <part id="ac-6.9_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(09)"/>
                <p>the execution of privileged functions is logged.</p>
+               <link rel="assessment-for" href="#ac-6.9_smt"/>
             </part>
             <part id="ac-6.9_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2156,6 +2257,7 @@
             <part id="ac-6.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(10)"/>
                <p>non-privileged users are prevented from executing privileged functions.</p>
+               <link rel="assessment-for" href="#ac-6.10_smt"/>
             </part>
             <part id="ac-6.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2276,11 +2378,14 @@
             <part id="ac-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07a."/>
                <p>a limit of <insert type="param" id-ref="ac-07_odp.01"/> consecutive invalid logon attempts by a user during <insert type="param" id-ref="ac-07_odp.02"/> is enforced;</p>
+               <link rel="assessment-for" href="#ac-7_smt.a"/>
             </part>
             <part id="ac-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07b."/>
                <p>automatically <insert type="param" id-ref="ac-07_odp.03"/> when the maximum number of unsuccessful attempts is exceeded.</p>
+               <link rel="assessment-for" href="#ac-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-7_smt"/>
          </part>
          <part id="ac-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2399,39 +2504,50 @@
                <part id="ac-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.01"/>
                   <p>the system use notification states that users are accessing a U.S. Government system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.1"/>
                </part>
                <part id="ac-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.02"/>
                   <p>the system use notification states that system usage may be monitored, recorded, and subject to audit;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.2"/>
                </part>
                <part id="ac-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.03"/>
                   <p>the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.3"/>
                </part>
                <part id="ac-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.04"/>
                   <p>the system use notification states that use of the system indicates consent to monitoring and recording;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.a"/>
             </part>
             <part id="ac-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08b."/>
                <p>the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;</p>
+               <link rel="assessment-for" href="#ac-8_smt.b"/>
             </part>
             <part id="ac-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08c."/>
                <part id="ac-8_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.01"/>
                   <p>for publicly accessible systems, system use information <insert type="param" id-ref="ac-08_odp.02"/> is displayed before granting further access to the publicly accessible system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.1"/>
                </part>
                <part id="ac-8_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.02"/>
                   <p>for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.2"/>
                </part>
                <part id="ac-8_obj.c.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.03"/>
                   <p>for publicly accessible systems, a description of the authorized uses of the system is included.</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-8_smt"/>
          </part>
          <part id="ac-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2507,6 +2623,7 @@
          <part id="ac-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-10"/>
             <p>the number of concurrent sessions for each <insert type="param" id-ref="ac-10_odp.01"/> is limited to <insert type="param" id-ref="ac-10_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-10_smt"/>
          </part>
          <part id="ac-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2584,11 +2701,14 @@
             <part id="ac-11_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11a."/>
                <p>further access to the system is prevented by <insert type="param" id-ref="ac-11_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ac-11_smt.a"/>
             </part>
             <part id="ac-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11b."/>
                <p>device lock is retained until the user re-establishes access using established identification and authentication procedures.</p>
+               <link rel="assessment-for" href="#ac-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-11_smt"/>
          </part>
          <part id="ac-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2638,6 +2758,7 @@
             <part id="ac-11.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11(01)"/>
                <p>information previously visible on the display is concealed, via device lock, with a publicly viewable image.</p>
+               <link rel="assessment-for" href="#ac-11.1_smt"/>
             </part>
             <part id="ac-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2701,6 +2822,7 @@
          <part id="ac-12_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-12"/>
             <p>a user session is automatically terminated after <insert type="param" id-ref="ac-12_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-12_smt"/>
          </part>
          <part id="ac-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2772,18 +2894,23 @@
                <prop name="label" class="sp800-53a" value="AC-14a."/>
                <p>
                   <insert type="param" id-ref="ac-14_odp"/> that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;</p>
+               <link rel="assessment-for" href="#ac-14_smt.a"/>
             </part>
             <part id="ac-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-14b."/>
                <part id="ac-14_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[01]"/>
                   <p>user actions not requiring identification or authentication are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
                <part id="ac-14_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[02]"/>
                   <p>a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-14_smt"/>
          </part>
          <part id="ac-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2861,20 +2988,26 @@
                <part id="ac-17_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[01]"/>
                   <p>usage restrictions are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[02]"/>
                   <p>configuration/connection requirements are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[03]"/>
                   <p>implementation guidance is established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-17_smt.a"/>
             </part>
             <part id="ac-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17b."/>
                <p>each type of remote access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-17_smt"/>
          </part>
          <part id="ac-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2933,11 +3066,14 @@
                <part id="ac-17.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(01)[01]"/>
                   <p>automated mechanisms are employed to monitor remote access methods;</p>
+                  <link rel="assessment-for" href="#ac-17.1_smt"/>
                </part>
                <part id="ac-17.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(01)[02]"/>
                   <p>automated mechanisms are employed to control remote access methods.</p>
+                  <link rel="assessment-for" href="#ac-17.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-17.1_smt"/>
             </part>
             <part id="ac-17.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2991,6 +3127,7 @@
             <part id="ac-17.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17(02)"/>
                <p>cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.</p>
+               <link rel="assessment-for" href="#ac-17.2_smt"/>
             </part>
             <part id="ac-17.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3042,6 +3179,7 @@
             <part id="ac-17.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17(03)"/>
                <p>remote accesses are routed through authorized and managed network access control points.</p>
+               <link rel="assessment-for" href="#ac-17.3_smt"/>
             </part>
             <part id="ac-17.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3128,24 +3266,31 @@
                   <part id="ac-17.4_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[01]"/>
                      <p>the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[02]"/>
                      <p>access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[03]"/>
                      <p>the execution of privileged commands via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[04]"/>
                      <p>access to security-relevant information via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                </part>
                <part id="ac-17.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(04)(b)"/>
                   <p>the rationale for remote access is documented in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-17.4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-17.4_smt"/>
             </part>
             <part id="ac-17.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3220,20 +3365,26 @@
                <part id="ac-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[01]"/>
                   <p>configuration requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[02]"/>
                   <p>connection requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[03]"/>
                   <p>implementation guidance is established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-18_smt.a"/>
             </part>
             <part id="ac-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-18b."/>
                <p>each type of wireless access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-18_smt"/>
          </part>
          <part id="ac-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3296,11 +3447,14 @@
                <part id="ac-18.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(01)[01]"/>
                   <p>wireless access to the system is protected using authentication of <insert type="param" id-ref="ac-18.01_odp"/>;</p>
+                  <link rel="assessment-for" href="#ac-18.1_smt"/>
                </part>
                <part id="ac-18.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(01)[02]"/>
                   <p>wireless access to the system is protected using encryption.</p>
+                  <link rel="assessment-for" href="#ac-18.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-18.1_smt"/>
             </part>
             <part id="ac-18.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3353,6 +3507,7 @@
             <part id="ac-18.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-18(03)"/>
                <p>when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.</p>
+               <link rel="assessment-for" href="#ac-18.3_smt"/>
             </part>
             <part id="ac-18.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3405,11 +3560,14 @@
                <part id="ac-18.4_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(04)[01]"/>
                   <p>users allowed to independently configure wireless networking capabilities are identified;</p>
+                  <link rel="assessment-for" href="#ac-18.4_smt"/>
                </part>
                <part id="ac-18.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(04)[02]"/>
                   <p>users allowed to independently configure wireless networking capabilities are explicitly authorized.</p>
+                  <link rel="assessment-for" href="#ac-18.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-18.4_smt"/>
             </part>
             <part id="ac-18.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3461,11 +3619,14 @@
                <part id="ac-18.5_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(05)[01]"/>
                   <p>radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;</p>
+                  <link rel="assessment-for" href="#ac-18.5_smt"/>
                </part>
                <part id="ac-18.5_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(05)[02]"/>
                   <p>transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.</p>
+                  <link rel="assessment-for" href="#ac-18.5_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-18.5_smt"/>
             </part>
             <part id="ac-18.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3553,20 +3714,26 @@
                <part id="ac-19_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[01]"/>
                   <p>configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[02]"/>
                   <p>connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[03]"/>
                   <p>implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-19_smt.a"/>
             </part>
             <part id="ac-19_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-19b."/>
                <p>the connection of mobile devices to organizational systems is authorized.</p>
+               <link rel="assessment-for" href="#ac-19_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-19_smt"/>
          </part>
          <part id="ac-19_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3638,6 +3805,7 @@
                <prop name="label" class="sp800-53a" value="AC-19(05)"/>
                <p>
                   <insert type="param" id-ref="ac-19.05_odp.01"/> is employed to protect the confidentiality and integrity of information on <insert type="param" id-ref="ac-19.05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-19.5_smt"/>
             </part>
             <part id="ac-19.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3760,20 +3928,25 @@
             <part id="ac-20_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20a."/>
                <part id="ac-20_obj.a.1" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.1"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.01"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.1"/>
                </part>
                <part id="ac-20_obj.a.2" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.2"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.02"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-20_smt.a"/>
             </part>
             <part id="ac-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20b."/>
                <p>the use of <insert type="param" id-ref="ac-20_odp.04"/> is prohibited (if applicable).</p>
+               <link rel="assessment-for" href="#ac-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-20_smt"/>
          </part>
          <part id="ac-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3834,11 +4007,14 @@
                <part id="ac-20.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-20(01)(a)"/>
                   <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20.1_smt.a"/>
                </part>
                <part id="ac-20.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-20(01)(b)"/>
                   <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).</p>
+                  <link rel="assessment-for" href="#ac-20.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-20.1_smt"/>
             </part>
             <part id="ac-20.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3896,6 +4072,7 @@
             <part id="ac-20.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20(02)"/>
                <p>the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using <insert type="param" id-ref="ac-20.02_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-20.2_smt"/>
             </part>
             <part id="ac-20.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3986,12 +4163,15 @@
             <part id="ac-21_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-21a."/>
                <p>authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for <insert type="param" id-ref="ac-21_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ac-21_smt.a"/>
             </part>
             <part id="ac-21_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-21b."/>
                <p>
                   <insert type="param" id-ref="ac-21_odp.02"/> are employed to assist users in making information-sharing and collaboration decisions.</p>
+               <link rel="assessment-for" href="#ac-21_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-21_smt"/>
          </part>
          <part id="ac-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4077,26 +4257,33 @@
             <part id="ac-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22a."/>
                <p>designated individuals are authorized to make information publicly accessible;</p>
+               <link rel="assessment-for" href="#ac-22_smt.a"/>
             </part>
             <part id="ac-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22b."/>
                <p>authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;</p>
+               <link rel="assessment-for" href="#ac-22_smt.b"/>
             </part>
             <part id="ac-22_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22c."/>
                <p>the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;</p>
+               <link rel="assessment-for" href="#ac-22_smt.c"/>
             </part>
             <part id="ac-22_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22d."/>
                <part id="ac-22_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[01]"/>
                   <p>the content on the publicly accessible system is reviewed for non-public information <insert type="param" id-ref="ac-22_odp"/>;</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
                <part id="ac-22_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[02]"/>
                   <p>non-public information is removed from the publicly accessible system, if discovered.</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ac-22_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ac-22_smt"/>
          </part>
          <part id="ac-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4274,18 +4461,22 @@
                <part id="at-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[01]"/>
                   <p>an awareness and training policy is developed and documented; </p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[02]"/>
                   <p>the awareness and training policy is disseminated to <insert type="param" id-ref="at-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[03]"/>
                   <p>awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[04]"/>
                   <p>the awareness and training procedures are disseminated to <insert type="param" id-ref="at-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.01"/>
@@ -4294,41 +4485,53 @@
                      <part id="at-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses scope;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses roles;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses compliance; and</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                   </part>
                   <part id="at-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and</p>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.a"/>
             </part>
             <part id="at-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01b."/>
                <p>the <insert type="param" id-ref="at-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;</p>
+               <link rel="assessment-for" href="#at-1_smt.b"/>
             </part>
             <part id="at-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01c."/>
@@ -4337,24 +4540,32 @@
                   <part id="at-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[01]"/>
                      <p>the current awareness and training policy is reviewed and updated <insert type="param" id-ref="at-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
                   <part id="at-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[02]"/>
                      <p>the current awareness and training policy is reviewed and updated following <insert type="param" id-ref="at-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.1"/>
                </part>
                <part id="at-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01c.02"/>
                   <part id="at-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[01]"/>
                      <p>the current awareness and training procedures are reviewed and updated <insert type="param" id-ref="at-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
                   <part id="at-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[02]"/>
                      <p>the current awareness and training procedures are reviewed and updated following <insert type="param" id-ref="at-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt"/>
          </part>
          <part id="at-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4517,52 +4728,67 @@
                   <part id="at-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[03]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.01"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[04]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.02"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.1"/>
                </part>
                <part id="at-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02a.02"/>
                   <part id="at-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
                   <part id="at-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.a"/>
             </part>
             <part id="at-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02b."/>
                <p>
                   <insert type="param" id-ref="at-02_odp.05"/> are employed to increase the security and privacy awareness of system users;</p>
+               <link rel="assessment-for" href="#at-2_smt.b"/>
             </part>
             <part id="at-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02c."/>
                <part id="at-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[01]"/>
                   <p>literacy training and awareness content is updated <insert type="param" id-ref="at-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
                <part id="at-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[02]"/>
                   <p>literacy training and awareness content is updated following <insert type="param" id-ref="at-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.c"/>
             </part>
             <part id="at-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02d."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.</p>
+               <link rel="assessment-for" href="#at-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt"/>
          </part>
          <part id="at-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4619,11 +4845,14 @@
                <part id="at-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[01]"/>
                   <p>literacy training on recognizing potential indicators of insider threat is provided;</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
                <part id="at-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[02]"/>
                   <p>literacy training on reporting potential indicators of insider threat is provided.</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#at-2.2_smt"/>
             </part>
             <part id="at-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4671,19 +4900,24 @@
                <part id="at-2.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[01]"/>
                   <p>literacy training on recognizing potential and actual instances of social engineering is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[02]"/>
                   <p>literacy training on reporting potential and actual instances of social engineering is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[03]"/>
                   <p>literacy training on recognizing potential and actual instances of social mining is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[04]"/>
                   <p>literacy training on reporting potential and actual instances of social mining is provided.</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#at-2.3_smt"/>
             </part>
             <part id="at-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4827,49 +5061,63 @@
                   <part id="at-3_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[01]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[02]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[03]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[04]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.1"/>
                </part>
                <part id="at-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03a.02"/>
                   <part id="at-3_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[01]"/>
                      <p>role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
                   <part id="at-3_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[02]"/>
                      <p>role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.a"/>
             </part>
             <part id="at-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03b."/>
                <part id="at-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[01]"/>
                   <p>role-based training content is updated <insert type="param" id-ref="at-03_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
                <part id="at-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[02]"/>
                   <p>role-based training content is updated following <insert type="param" id-ref="at-03_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.b"/>
             </part>
             <part id="at-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03c."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into role-based training.</p>
+               <link rel="assessment-for" href="#at-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt"/>
          </part>
          <part id="at-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4948,16 +5196,21 @@
                <part id="at-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[01]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
                <part id="at-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[02]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#at-4_smt.a"/>
             </part>
             <part id="at-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-04b."/>
                <p>individual training records are retained for <insert type="param" id-ref="at-04_odp"/>.</p>
+               <link rel="assessment-for" href="#at-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#at-4_smt"/>
          </part>
          <part id="at-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5128,18 +5381,22 @@
                <part id="au-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[01]"/>
                   <p>an audit and accountability policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[02]"/>
                   <p>the audit and accountability policy is disseminated to <insert type="param" id-ref="au-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[03]"/>
                   <p>audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[04]"/>
                   <p>the audit and accountability procedures are disseminated to <insert type="param" id-ref="au-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.01"/>
@@ -5148,41 +5405,53 @@
                      <part id="au-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses scope;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses roles;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                   </part>
                   <part id="au-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.a"/>
             </part>
             <part id="au-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01b."/>
                <p>the <insert type="param" id-ref="au-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;</p>
+               <link rel="assessment-for" href="#au-1_smt.b"/>
             </part>
             <part id="au-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01c."/>
@@ -5191,24 +5460,32 @@
                   <part id="au-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[01]"/>
                      <p>the current audit and accountability policy is reviewed and updated <insert type="param" id-ref="au-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
                   <part id="au-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[02]"/>
                      <p>the current audit and accountability policy is reviewed and updated following <insert type="param" id-ref="au-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.1"/>
                </part>
                <part id="au-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01c.02"/>
                   <part id="au-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[01]"/>
                      <p>the current audit and accountability procedures are reviewed and updated <insert type="param" id-ref="au-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
                   <part id="au-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[02]"/>
                      <p>the current audit and accountability procedures are reviewed and updated following <insert type="param" id-ref="au-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt"/>
          </part>
          <part id="au-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5348,10 +5625,12 @@
                <prop name="label" class="sp800-53a" value="AU-02a."/>
                <p>
                   <insert type="param" id-ref="au-02_odp.01"/> that the system is capable of logging are identified in support of the audit logging function;</p>
+               <link rel="assessment-for" href="#au-2_smt.a"/>
             </part>
             <part id="au-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02b."/>
                <p>the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
+               <link rel="assessment-for" href="#au-2_smt.b"/>
             </part>
             <part id="au-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02c."/>
@@ -5359,20 +5638,26 @@
                   <prop name="label" class="sp800-53a" value="AU-02c.[01]"/>
                   <p>
                      <insert type="param" id-ref="au-02_odp.02"/> are specified for logging within the system;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
                <part id="au-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-02c.[02]"/>
                   <p>the specified event types are logged within the system <insert type="param" id-ref="au-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#au-2_smt.c"/>
             </part>
             <part id="au-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02d."/>
                <p>a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;</p>
+               <link rel="assessment-for" href="#au-2_smt.d"/>
             </part>
             <part id="au-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02e."/>
                <p>the event types selected for logging are reviewed and updated <insert type="param" id-ref="au-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#au-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#au-2_smt"/>
          </part>
          <part id="au-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5460,27 +5745,34 @@
             <part id="au-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03a."/>
                <p>audit records contain information that establishes what type of event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.a"/>
             </part>
             <part id="au-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03b."/>
                <p>audit records contain information that establishes when the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.b"/>
             </part>
             <part id="au-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03c."/>
                <p>audit records contain information that establishes where the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.c"/>
             </part>
             <part id="au-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03d."/>
                <p>audit records contain information that establishes the source of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.d"/>
             </part>
             <part id="au-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03e."/>
                <p>audit records contain information that establishes the outcome of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.e"/>
             </part>
             <part id="au-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03f."/>
                <p>audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</p>
+               <link rel="assessment-for" href="#au-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#au-3_smt"/>
          </part>
          <part id="au-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5540,6 +5832,7 @@
             <part id="au-3.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03(01)"/>
                <p>generated audit records contain the following <insert type="param" id-ref="au-03.01_odp"/>.</p>
+               <link rel="assessment-for" href="#au-3.1_smt"/>
             </part>
             <part id="au-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5612,6 +5905,7 @@
          <part id="au-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-04"/>
             <p>audit log storage capacity is allocated to accommodate <insert type="param" id-ref="au-04_odp"/>.</p>
+            <link rel="assessment-for" href="#au-4_smt"/>
          </part>
          <part id="au-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5707,12 +6001,15 @@
                <prop name="label" class="sp800-53a" value="AU-05a."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.01"/> are alerted in the event of an audit logging process failure within <insert type="param" id-ref="au-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#au-5_smt.a"/>
             </part>
             <part id="au-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-05b."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.03"/> are taken in the event of an audit logging process failure.</p>
+               <link rel="assessment-for" href="#au-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-5_smt"/>
          </part>
          <part id="au-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5788,6 +6085,7 @@
             <part id="au-5.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-05(01)"/>
                <p>a warning is provided to <insert type="param" id-ref="au-05.01_odp.01"/> within <insert type="param" id-ref="au-05.01_odp.02"/> when allocated audit log storage volume reaches <insert type="param" id-ref="au-05.01_odp.03"/> of repository maximum audit log storage capacity.</p>
+               <link rel="assessment-for" href="#au-5.1_smt"/>
             </part>
             <part id="au-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5862,6 +6160,7 @@
             <part id="au-5.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-05(02)"/>
                <p>an alert is provided within <insert type="param" id-ref="au-05.02_odp.01"/> to <insert type="param" id-ref="au-05.02_odp.02"/> when <insert type="param" id-ref="au-05.02_odp.03"/> occur.</p>
+               <link rel="assessment-for" href="#au-5.2_smt"/>
             </part>
             <part id="au-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5978,15 +6277,19 @@
             <part id="au-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06a."/>
                <p>system audit records are reviewed and analyzed <insert type="param" id-ref="au-06_odp.01"/> for indications of <insert type="param" id-ref="au-06_odp.02"/> and the potential impact of the inappropriate or unusual activity;</p>
+               <link rel="assessment-for" href="#au-6_smt.a"/>
             </part>
             <part id="au-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06b."/>
                <p>findings are reported to <insert type="param" id-ref="au-06_odp.03"/>;</p>
+               <link rel="assessment-for" href="#au-6_smt.b"/>
             </part>
             <part id="au-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06c."/>
                <p>the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</p>
+               <link rel="assessment-for" href="#au-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-6_smt"/>
          </part>
          <part id="au-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6039,6 +6342,7 @@
             <part id="au-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(01)"/>
                <p>audit record review, analysis, and reporting processes are integrated using <insert type="param" id-ref="au-06.01_odp"/>.</p>
+               <link rel="assessment-for" href="#au-6.1_smt"/>
             </part>
             <part id="au-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6094,6 +6398,7 @@
             <part id="au-6.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(03)"/>
                <p>audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.</p>
+               <link rel="assessment-for" href="#au-6.3_smt"/>
             </part>
             <part id="au-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6168,6 +6473,7 @@
             <part id="au-6.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(05)"/>
                <p>analysis of audit records is integrated with analysis of <insert type="param" id-ref="au-06.05_odp.01"/> to further enhance the ability to identify inappropriate or unusual activity.</p>
+               <link rel="assessment-for" href="#au-6.5_smt"/>
             </part>
             <part id="au-6.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6220,6 +6526,7 @@
             <part id="au-6.6_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(06)"/>
                <p>information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.</p>
+               <link rel="assessment-for" href="#au-6.6_smt"/>
             </part>
             <part id="au-6.6_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6299,23 +6606,30 @@
                <part id="au-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07a.[01]"/>
                   <p>an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+                  <link rel="assessment-for" href="#au-7_smt.a"/>
                </part>
                <part id="au-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07a.[02]"/>
                   <p>an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+                  <link rel="assessment-for" href="#au-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#au-7_smt.a"/>
             </part>
             <part id="au-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-07b."/>
                <part id="au-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07b.[01]"/>
                   <p>an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;</p>
+                  <link rel="assessment-for" href="#au-7_smt.b"/>
                </part>
                <part id="au-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07b.[02]"/>
                   <p>an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.</p>
+                  <link rel="assessment-for" href="#au-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#au-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-7_smt"/>
          </part>
          <part id="au-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6378,11 +6692,14 @@
                <part id="au-7.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07(01)[01]"/>
                   <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are provided;</p>
+                  <link rel="assessment-for" href="#au-7.1_smt"/>
                </part>
                <part id="au-7.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07(01)[02]"/>
                   <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are implemented.</p>
+                  <link rel="assessment-for" href="#au-7.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#au-7.1_smt"/>
             </part>
             <part id="au-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6456,11 +6773,14 @@
             <part id="au-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08a."/>
                <p>internal system clocks are used to generate timestamps for audit records;</p>
+               <link rel="assessment-for" href="#au-8_smt.a"/>
             </part>
             <part id="au-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08b."/>
                <p>timestamps are recorded for audit records that meet <insert type="param" id-ref="au-08_odp"/> and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.</p>
+               <link rel="assessment-for" href="#au-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-8_smt"/>
          </part>
          <part id="au-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6544,12 +6864,15 @@
             <part id="au-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09a."/>
                <p>audit information and audit logging tools are protected from unauthorized access, modification, and deletion;</p>
+               <link rel="assessment-for" href="#au-9_smt.a"/>
             </part>
             <part id="au-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09b."/>
                <p>
                   <insert type="param" id-ref="au-09_odp"/> are alerted upon detection of unauthorized access, modification, or deletion of audit information.</p>
+               <link rel="assessment-for" href="#au-9_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-9_smt"/>
          </part>
          <part id="au-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6612,6 +6935,7 @@
             <part id="au-9.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09(02)"/>
                <p>audit records are stored <insert type="param" id-ref="au-09.02_odp"/> in a repository that is part of a physically different system or system component than the system or component being audited.</p>
+               <link rel="assessment-for" href="#au-9.2_smt"/>
             </part>
             <part id="au-9.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6667,6 +6991,7 @@
             <part id="au-9.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09(03)"/>
                <p>cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.</p>
+               <link rel="assessment-for" href="#au-9.3_smt"/>
             </part>
             <part id="au-9.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6729,6 +7054,7 @@
             <part id="au-9.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09(04)"/>
                <p>access to management of audit logging functionality is authorized only to <insert type="param" id-ref="au-09.04_odp"/>.</p>
+               <link rel="assessment-for" href="#au-9.4_smt"/>
             </part>
             <part id="au-9.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6811,6 +7137,7 @@
          <part id="au-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10"/>
             <p>irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed <insert type="param" id-ref="au-10_odp"/>.</p>
+            <link rel="assessment-for" href="#au-10_smt"/>
          </part>
          <part id="au-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6881,6 +7208,7 @@
          <part id="au-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-11"/>
             <p>audit records are retained for <insert type="param" id-ref="au-11_odp"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
+            <link rel="assessment-for" href="#au-11_smt"/>
          </part>
          <part id="au-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6973,16 +7301,20 @@
             <part id="au-12_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12a."/>
                <p>audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by <insert type="param" id-ref="au-12_odp.01"/>;</p>
+               <link rel="assessment-for" href="#au-12_smt.a"/>
             </part>
             <part id="au-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12b."/>
                <p>
                   <insert type="param" id-ref="au-12_odp.02"/> is/are allowed to select the event types that are to be logged by specific components of the system;</p>
+               <link rel="assessment-for" href="#au-12_smt.b"/>
             </part>
             <part id="au-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12c."/>
                <p>audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.</p>
+               <link rel="assessment-for" href="#au-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-12_smt"/>
          </part>
          <part id="au-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7055,6 +7387,7 @@
             <part id="au-12.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12(01)"/>
                <p>audit records from <insert type="param" id-ref="au-12.01_odp.01"/> are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within <insert type="param" id-ref="au-12.01_odp.02"/>.</p>
+               <link rel="assessment-for" href="#au-12.1_smt"/>
             </part>
             <part id="au-12.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7142,11 +7475,14 @@
                <part id="au-12.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-12(03)[01]"/>
                   <p>the capability for <insert type="param" id-ref="au-12.03_odp.01"/> to change the logging to be performed on <insert type="param" id-ref="au-12.03_odp.02"/> based on <insert type="param" id-ref="au-12.03_odp.03"/> within <insert type="param" id-ref="au-12.03_odp.04"/> is provided;</p>
+                  <link rel="assessment-for" href="#au-12.3_smt"/>
                </part>
                <part id="au-12.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-12(03)[02]"/>
                   <p>the capability for <insert type="param" id-ref="au-12.03_odp.01"/> to change the logging to be performed on <insert type="param" id-ref="au-12.03_odp.02"/> based on <insert type="param" id-ref="au-12.03_odp.03"/> within <insert type="param" id-ref="au-12.03_odp.04"/> is implemented.</p>
+                  <link rel="assessment-for" href="#au-12.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#au-12.3_smt"/>
             </part>
             <part id="au-12.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7330,18 +7666,22 @@
                <part id="ca-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[01]"/>
                   <p>an assessment, authorization, and monitoring policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[02]"/>
                   <p>the assessment, authorization, and monitoring policy is disseminated to <insert type="param" id-ref="ca-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[03]"/>
                   <p>assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[04]"/>
                   <p>the assessment, authorization, and monitoring procedures are disseminated to <insert type="param" id-ref="ca-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.01"/>
@@ -7350,41 +7690,53 @@
                      <part id="ca-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                   </part>
                   <part id="ca-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.a"/>
             </part>
             <part id="ca-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01b."/>
                <p>the <insert type="param" id-ref="ca-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;</p>
+               <link rel="assessment-for" href="#ca-1_smt.b"/>
             </part>
             <part id="ca-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01c."/>
@@ -7393,24 +7745,32 @@
                   <part id="ca-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[01]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated <insert type="param" id-ref="ca-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
                   <part id="ca-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[02]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated following <insert type="param" id-ref="ca-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                </part>
                <part id="ca-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01c.02"/>
                   <part id="ca-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[01]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated <insert type="param" id-ref="ca-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
                   <part id="ca-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[02]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated following <insert type="param" id-ref="ca-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt"/>
          </part>
          <part id="ca-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7532,56 +7892,71 @@
             <part id="ca-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02a."/>
                <p>an appropriate assessor or assessment team is selected for the type of assessment to be conducted;</p>
+               <link rel="assessment-for" href="#ca-2_smt.a"/>
             </part>
             <part id="ca-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02b."/>
                <part id="ca-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.01"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.1"/>
                </part>
                <part id="ca-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.02"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.2"/>
                </part>
                <part id="ca-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.03"/>
                   <part id="ca-2_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[01]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[02]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment team;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[03]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.b"/>
             </part>
             <part id="ca-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02c."/>
                <p>the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.c"/>
             </part>
             <part id="ca-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02d."/>
                <part id="ca-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[01]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
                <part id="ca-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[02]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.d"/>
             </part>
             <part id="ca-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02e."/>
                <p>a control assessment report is produced that documents the results of the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.e"/>
             </part>
             <part id="ca-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02f."/>
                <p>the results of the control assessment are provided to <insert type="param" id-ref="ca-02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ca-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ca-2_smt"/>
          </part>
          <part id="ca-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7635,6 +8010,7 @@
             <part id="ca-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02(01)"/>
                <p>independent assessors or assessment teams are employed to conduct control assessments.</p>
+               <link rel="assessment-for" href="#ca-2.1_smt"/>
             </part>
             <part id="ca-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7728,6 +8104,7 @@
                   <insert type="param" id-ref="ca-02.02_odp.01"/>
                   <insert type="param" id-ref="ca-02.02_odp.02"/>
                   <insert type="param" id-ref="ca-02.02_odp.03"/> are included as part of control assessments.</p>
+               <link rel="assessment-for" href="#ca-2.2_smt"/>
             </part>
             <part id="ca-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7840,38 +8217,48 @@
             <part id="ca-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03a."/>
                <p>the exchange of information between the system and other systems is approved and managed using <insert type="param" id-ref="ca-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-3_smt.a"/>
             </part>
             <part id="ca-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03b."/>
                <part id="ca-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[01]"/>
                   <p>the interface characteristics are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[02]"/>
                   <p>security requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[03]"/>
                   <p>privacy requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[04]"/>
                   <p>controls are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[05]"/>
                   <p>responsibilities for each system are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[06]"/>
                   <p>the impact level of the information communicated is documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-3_smt.b"/>
             </part>
             <part id="ca-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03c."/>
                <p>agreements are reviewed and updated <insert type="param" id-ref="ca-03_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-3_smt"/>
          </part>
          <part id="ca-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7930,6 +8317,7 @@
             <part id="ca-3.6_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03(06)"/>
                <p>individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.</p>
+               <link rel="assessment-for" href="#ca-3.6_smt"/>
             </part>
             <part id="ca-3.6_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8016,11 +8404,14 @@
             <part id="ca-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05a."/>
                <p>a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;</p>
+               <link rel="assessment-for" href="#ca-5_smt.a"/>
             </part>
             <part id="ca-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05b."/>
                <p>existing plan of action and milestones are updated <insert type="param" id-ref="ca-05_odp"/> based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p>
+               <link rel="assessment-for" href="#ca-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ca-5_smt"/>
          </part>
          <part id="ca-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8122,30 +8513,38 @@
             <part id="ca-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06a."/>
                <p>a senior official is assigned as the authorizing official for the system;</p>
+               <link rel="assessment-for" href="#ca-6_smt.a"/>
             </part>
             <part id="ca-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06b."/>
                <p>a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.b"/>
             </part>
             <part id="ca-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06c."/>
                <part id="ca-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.01"/>
                   <p>before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.1"/>
                </part>
                <part id="ca-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.02"/>
                   <p>before commencing operations, the authorizing official for the system authorizes the system to operate;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-6_smt.c"/>
             </part>
             <part id="ca-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06d."/>
                <p>the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.d"/>
             </part>
             <part id="ca-6_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06e."/>
                <p>the authorizations are updated <insert type="param" id-ref="ca-06_odp"/>.</p>
+               <link rel="assessment-for" href="#ca-6_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ca-6_smt"/>
          </part>
          <part id="ca-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8355,41 +8754,51 @@
             <part id="ca-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[01]"/>
                <p>a system-level continuous monitoring strategy is developed;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[02]"/>
                <p>system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07a."/>
                <p>system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: <insert type="param" id-ref="ca-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-7_smt.a"/>
             </part>
             <part id="ca-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07b."/>
                <part id="ca-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[01]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.02"/> for monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
                <part id="ca-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[02]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.03"/> for assessment of control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.b"/>
             </part>
             <part id="ca-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07c."/>
                <p>system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.c"/>
             </part>
             <part id="ca-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07d."/>
                <p>system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.d"/>
             </part>
             <part id="ca-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07e."/>
                <p>system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;</p>
+               <link rel="assessment-for" href="#ca-7_smt.e"/>
             </part>
             <part id="ca-7_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07f."/>
                <p>system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;</p>
+               <link rel="assessment-for" href="#ca-7_smt.f"/>
             </part>
             <part id="ca-7_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07g."/>
@@ -8397,13 +8806,17 @@
                   <prop name="label" class="sp800-53a" value="CA-07g.[01]"/>
                   <p>system-level continuous monitoring includes reporting the security status of the system to <insert type="param" id-ref="ca-07_odp.04"/>
                      <insert type="param" id-ref="ca-07_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
                <part id="ca-7_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07g.[02]"/>
                   <p>system-level continuous monitoring includes reporting the privacy status of the system to <insert type="param" id-ref="ca-07_odp.06"/>
                      <insert type="param" id-ref="ca-07_odp.07"/>.</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#ca-7_smt"/>
          </part>
          <part id="ca-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8464,6 +8877,7 @@
             <part id="ca-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07(01)"/>
                <p>independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.</p>
+               <link rel="assessment-for" href="#ca-7.1_smt"/>
             </part>
             <part id="ca-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8531,15 +8945,19 @@
                <part id="ca-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(a)"/>
                   <p>effectiveness monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.a"/>
                </part>
                <part id="ca-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(b)"/>
                   <p>compliance monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.b"/>
                </part>
                <part id="ca-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(c)"/>
                   <p>change monitoring is included in risk monitoring.</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ca-7.4_smt"/>
             </part>
             <part id="ca-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8621,6 +9039,7 @@
          <part id="ca-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-08"/>
             <p>penetration testing is conducted <insert type="param" id-ref="ca-08_odp.01"/> on <insert type="param" id-ref="ca-08_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ca-8_smt"/>
          </part>
          <part id="ca-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8675,6 +9094,7 @@
             <part id="ca-8.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-08(01)"/>
                <p>an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.</p>
+               <link rel="assessment-for" href="#ca-8.1_smt"/>
             </part>
             <part id="ca-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8775,34 +9195,43 @@
             <part id="ca-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09a."/>
                <p>internal connections of <insert type="param" id-ref="ca-09_odp.01"/> to the system are authorized;</p>
+               <link rel="assessment-for" href="#ca-9_smt.a"/>
             </part>
             <part id="ca-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09b."/>
                <part id="ca-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[01]"/>
                   <p>for each internal connection, the interface characteristics are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[02]"/>
                   <p>for each internal connection, the security requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[03]"/>
                   <p>for each internal connection, the privacy requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[04]"/>
                   <p>for each internal connection, the nature of the information communicated is documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-9_smt.b"/>
             </part>
             <part id="ca-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09c."/>
                <p>internal system connections are terminated after <insert type="param" id-ref="ca-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ca-9_smt.c"/>
             </part>
             <part id="ca-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09d."/>
                <p>the continued need for each internal connection is reviewed <insert type="param" id-ref="ca-09_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ca-9_smt"/>
          </part>
          <part id="ca-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8982,18 +9411,22 @@
                <part id="cm-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[01]"/>
                   <p>a configuration management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[02]"/>
                   <p>the configuration management policy is disseminated to <insert type="param" id-ref="cm-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[03]"/>
                   <p>configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[04]"/>
                   <p>the configuration management procedures are disseminated to <insert type="param" id-ref="cm-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.01"/>
@@ -9002,41 +9435,53 @@
                      <part id="cm-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                   </part>
                   <part id="cm-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01a.01(b)"/>
                      <p>the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.a"/>
             </part>
             <part id="cm-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01b."/>
                <p>the <insert type="param" id-ref="cm-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#cm-1_smt.b"/>
             </part>
             <part id="cm-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01c."/>
@@ -9045,24 +9490,32 @@
                   <part id="cm-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[01]"/>
                      <p>the current configuration management policy is reviewed and updated <insert type="param" id-ref="cm-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
                   <part id="cm-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[02]"/>
                      <p>the current configuration management policy is reviewed and updated following <insert type="param" id-ref="cm-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                </part>
                <part id="cm-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01c.02"/>
                   <part id="cm-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[01]"/>
                      <p>the current configuration management procedures are reviewed and updated <insert type="param" id-ref="cm-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
                   <part id="cm-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[02]"/>
                      <p>the current configuration management procedures are reviewed and updated following <insert type="param" id-ref="cm-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt"/>
          </part>
          <part id="cm-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9168,27 +9621,35 @@
                <part id="cm-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[01]"/>
                   <p>a current baseline configuration of the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
                <part id="cm-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[02]"/>
                   <p>a current baseline configuration of the system is maintained under configuration control;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.a"/>
             </part>
             <part id="cm-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-02b."/>
                <part id="cm-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.01"/>
                   <p>the baseline configuration of the system is reviewed and updated <insert type="param" id-ref="cm-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.1"/>
                </part>
                <part id="cm-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.02"/>
                   <p>the baseline configuration of the system is reviewed and updated when required due to <insert type="param" id-ref="cm-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.2"/>
                </part>
                <part id="cm-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.03"/>
                   <p>the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-2_smt"/>
          </part>
          <part id="cm-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9259,19 +9720,24 @@
                <part id="cm-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[01]"/>
                   <p>the currency of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[02]"/>
                   <p>the completeness of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[03]"/>
                   <p>the accuracy of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[04]"/>
                   <p>the availability of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>.</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-2.2_smt"/>
             </part>
             <part id="cm-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9337,6 +9803,7 @@
                <prop name="label" class="sp800-53a" value="CM-02(03)"/>
                <p>
                   <insert type="param" id-ref="cm-02.03_odp"/> of previous baseline configuration version(s) of the system is/are retained to support rollback.</p>
+               <link rel="assessment-for" href="#cm-2.3_smt"/>
             </part>
             <part id="cm-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9426,12 +9893,15 @@
                   <prop name="label" class="sp800-53a" value="CM-02(07)(a)"/>
                   <p>
                      <insert type="param" id-ref="cm-02.07_odp.01"/> with <insert type="param" id-ref="cm-02.07_odp.02"/> are issued to individuals traveling to locations that the organization deems to be of significant risk;</p>
+                  <link rel="assessment-for" href="#cm-2.7_smt.a"/>
                </part>
                <part id="cm-2.7_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(07)(b)"/>
                   <p>
                      <insert type="param" id-ref="cm-02.07_odp.03"/> are applied to the systems or system components when the individuals return from travel.</p>
+                  <link rel="assessment-for" href="#cm-2.7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-2.7_smt"/>
             </part>
             <part id="cm-2.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9587,52 +10057,66 @@
             <part id="cm-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03a."/>
                <p>the types of changes to the system that are configuration-controlled are determined and documented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.a"/>
             </part>
             <part id="cm-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03b."/>
                <part id="cm-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03b.[01]"/>
                   <p>proposed configuration-controlled changes to the system are reviewed;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.b"/>
                </part>
                <part id="cm-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03b.[02]"/>
                   <p>proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.b"/>
             </part>
             <part id="cm-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03c."/>
                <p>configuration change decisions associated with the system are documented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.c"/>
             </part>
             <part id="cm-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03d."/>
                <p>approved configuration-controlled changes to the system are implemented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.d"/>
             </part>
             <part id="cm-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03e."/>
                <p>records of configuration-controlled changes to the system are retained for <insert type="param" id-ref="cm-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-3_smt.e"/>
             </part>
             <part id="cm-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03f."/>
                <part id="cm-3_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03f.[01]"/>
                   <p>activities associated with configuration-controlled changes to the system are monitored;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.f"/>
                </part>
                <part id="cm-3_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03f.[02]"/>
                   <p>activities associated with configuration-controlled changes to the system are reviewed;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.f"/>
             </part>
             <part id="cm-3_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03g."/>
                <part id="cm-3_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03g.[01]"/>
                   <p>configuration change control activities are coordinated and overseen by <insert type="param" id-ref="cm-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.g"/>
                </part>
                <part id="cm-3_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03g.[02]"/>
                   <p>the configuration control element convenes <insert type="param" id-ref="cm-03_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#cm-3_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#cm-3_smt"/>
          </part>
          <part id="cm-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9751,32 +10235,39 @@
                   <prop name="label" class="sp800-53a" value="CM-03(01)(a)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to document proposed changes to the system;</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.a"/>
                </part>
                <part id="cm-3.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(01)(b)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to notify <insert type="param" id-ref="cm-03.01_odp.02"/> of proposed changes to the system and request change approval;</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.b"/>
                </part>
                <part id="cm-3.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(01)(c)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to highlight proposed changes to the system that have not been approved or disapproved within <insert type="param" id-ref="cm-03.01_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.c"/>
                </part>
                <part id="cm-3.1_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(01)(d)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to prohibit changes to the system until designated approvals are received;</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.d"/>
                </part>
                <part id="cm-3.1_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(01)(e)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to document all changes to the system;</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.e"/>
                </part>
                <part id="cm-3.1_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(01)(f)"/>
                   <p>
                      <insert type="param" id-ref="cm-03.01_odp.01"/> are used to notify <insert type="param" id-ref="cm-03.01_odp.04"/> when approved changes to the system are completed.</p>
+                  <link rel="assessment-for" href="#cm-3.1_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cm-3.1_smt"/>
             </part>
             <part id="cm-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9840,15 +10331,19 @@
                <part id="cm-3.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[01]"/>
                   <p>changes to the system are tested before finalizing the implementation of the changes;</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
                <part id="cm-3.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[02]"/>
                   <p>changes to the system are validated before finalizing the implementation of the changes;</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
                <part id="cm-3.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[03]"/>
                   <p>changes to the system are documented before finalizing the implementation of the changes.</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-3.2_smt"/>
             </part>
             <part id="cm-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9940,12 +10435,15 @@
                   <prop name="label" class="sp800-53a" value="CM-03(04)[01]"/>
                   <p>
                      <insert type="param" id-ref="cm-03.04_odp.01"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-3.4_smt"/>
                </part>
                <part id="cm-3.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(04)[02]"/>
                   <p>
                      <insert type="param" id-ref="cm-03.04_odp.02"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#cm-3.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-3.4_smt"/>
             </part>
             <part id="cm-3.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10003,6 +10501,7 @@
             <part id="cm-3.6_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03(06)"/>
                <p>cryptographic mechanisms used to provide <insert type="param" id-ref="cm-03.06_odp"/> are under configuration management.</p>
+               <link rel="assessment-for" href="#cm-3.6_smt"/>
             </part>
             <part id="cm-3.6_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10074,11 +10573,14 @@
             <part id="cm-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[01]"/>
                <p>changes to the system are analyzed to determine potential security impacts prior to change implementation;</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
             <part id="cm-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[02]"/>
                <p>changes to the system are analyzed to determine potential privacy impacts prior to change implementation.</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-4_smt"/>
          </part>
          <part id="cm-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10145,39 +10647,49 @@
                <part id="cm-4.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[01]"/>
                   <p>changes to the system are analyzed in a separate test environment before implementation in an operational environment;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[02]"/>
                   <p>changes to the system are analyzed for security impacts due to flaws;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[03]"/>
                   <p>changes to the system are analyzed for privacy impacts due to flaws;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[04]"/>
                   <p>changes to the system are analyzed for security impacts due to weaknesses;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[05]"/>
                   <p>changes to the system are analyzed for privacy impacts due to weaknesses;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[06]"/>
                   <p>changes to the system are analyzed for security impacts due to incompatibility;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[07]"/>
                   <p>changes to the system are analyzed for privacy impacts due to incompatibility;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[08]"/>
                   <p>changes to the system are analyzed for security impacts due to intentional malice;</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
                <part id="cm-4.1_obj-9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(01)[09]"/>
                   <p>changes to the system are analyzed for privacy impacts due to intentional malice.</p>
+                  <link rel="assessment-for" href="#cm-4.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-4.1_smt"/>
             </part>
             <part id="cm-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10247,27 +10759,34 @@
                <part id="cm-4.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[01]"/>
                   <p>the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[02]"/>
                   <p>the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[03]"/>
                   <p>the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[04]"/>
                   <p>the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[05]"/>
                   <p>the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[06]"/>
                   <p>the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-4.2_smt"/>
             </part>
             <part id="cm-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10341,27 +10860,34 @@
             <part id="cm-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[01]"/>
                <p>physical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[02]"/>
                <p>physical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[03]"/>
                <p>physical access restrictions associated with changes to the system are enforced;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[04]"/>
                <p>logical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[05]"/>
                <p>logical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[06]"/>
                <p>logical access restrictions associated with changes to the system are enforced.</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-5_smt"/>
          </part>
          <part id="cm-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10442,11 +10968,14 @@
                <part id="cm-5.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-05(01)(a)"/>
                   <p>access restrictions for change are enforced using <insert type="param" id-ref="cm-05.01_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-5.1_smt.a"/>
                </part>
                <part id="cm-5.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-05(01)(b)"/>
                   <p>audit records of enforcement actions are automatically generated.</p>
+                  <link rel="assessment-for" href="#cm-5.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-5.1_smt"/>
             </part>
             <part id="cm-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10581,33 +11110,42 @@
             <part id="cm-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06a."/>
                <p>configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using <insert type="param" id-ref="cm-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-6_smt.a"/>
             </part>
             <part id="cm-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06b."/>
                <p>the configuration settings documented in CM-06a are implemented;</p>
+               <link rel="assessment-for" href="#cm-6_smt.b"/>
             </part>
             <part id="cm-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06c."/>
                <part id="cm-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[01]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are identified and documented based on <insert type="param" id-ref="cm-06_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
                <part id="cm-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[02]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are approved;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.c"/>
             </part>
             <part id="cm-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06d."/>
                <part id="cm-6_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[01]"/>
                   <p>changes to the configuration settings are monitored in accordance with organizational policies and procedures;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
                <part id="cm-6_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[02]"/>
                   <p>changes to the configuration settings are controlled in accordance with organizational policies and procedures.</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cm-6_smt"/>
          </part>
          <part id="cm-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10710,15 +11248,19 @@
                <part id="cm-6.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06(01)[01]"/>
                   <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are managed using <insert type="param" id-ref="cm-06.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-6.1_smt"/>
                </part>
                <part id="cm-6.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06(01)[02]"/>
                   <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are applied using <insert type="param" id-ref="cm-06.01_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-6.1_smt"/>
                </part>
                <part id="cm-6.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06(01)[03]"/>
                   <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are verified using <insert type="param" id-ref="cm-06.01_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#cm-6.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-6.1_smt"/>
             </part>
             <part id="cm-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10795,6 +11337,7 @@
                <prop name="label" class="sp800-53a" value="CM-06(02)"/>
                <p>
                   <insert type="param" id-ref="cm-06.02_odp.01"/> are taken in response to unauthorized changes to <insert type="param" id-ref="cm-06.02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#cm-6.2_smt"/>
             </part>
             <part id="cm-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10949,30 +11492,38 @@
             <part id="cm-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07a."/>
                <p>the system is configured to provide only <insert type="param" id-ref="cm-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-7_smt.a"/>
             </part>
             <part id="cm-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07b."/>
                <part id="cm-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[01]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.02"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[02]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.03"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[03]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.04"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[04]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.05"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[05]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.06"/> is prohibited or restricted.</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-7_smt"/>
          </part>
          <part id="cm-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11099,6 +11650,7 @@
                <part id="cm-7.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(01)(a)"/>
                   <p>the system is reviewed <insert type="param" id-ref="cm-07.01_odp.01"/> to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:</p>
+                  <link rel="assessment-for" href="#cm-7.1_smt.a"/>
                </part>
                <part id="cm-7.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(01)(b)"/>
@@ -11106,28 +11658,35 @@
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[01]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.02"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[02]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.03"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[03]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.04"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[04]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.05"/> deemed to be unnecessary and/or non-secure is disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-5" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[05]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.06"/> deemed to be unnecessary and/or non-secure are disabled or removed.</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-7.1_smt"/>
             </part>
             <part id="cm-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11206,6 +11765,7 @@
             <part id="cm-7.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07(02)"/>
                <p>program execution is prevented in accordance with <insert type="param" id-ref="cm-07.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#cm-7.2_smt"/>
             </part>
             <part id="cm-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11308,15 +11868,19 @@
                   <prop name="label" class="sp800-53a" value="CM-07(05)(a)"/>
                   <p>
                      <insert type="param" id-ref="cm-07.05_odp.01"/> are identified;</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.a"/>
                </part>
                <part id="cm-7.5_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(05)(b)"/>
                   <p>a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.b"/>
                </part>
                <part id="cm-7.5_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(05)(c)"/>
                   <p>the list of authorized software programs is reviewed and updated <insert type="param" id-ref="cm-07.05_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-7.5_smt"/>
             </part>
             <part id="cm-7.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11452,28 +12016,36 @@
                <part id="cm-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.01"/>
                   <p>an inventory of system components that accurately reflects the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.1"/>
                </part>
                <part id="cm-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.02"/>
                   <p>an inventory of system components that includes all components within the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.2"/>
                </part>
                <part id="cm-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.03"/>
                   <p>an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.3"/>
                </part>
                <part id="cm-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.04"/>
                   <p>an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.4"/>
                </part>
                <part id="cm-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.05"/>
                   <p>an inventory of system components that includes <insert type="param" id-ref="cm-08_odp.01"/> is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.5"/>
                </part>
+               <link rel="assessment-for" href="#cm-8_smt.a"/>
             </part>
             <part id="cm-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-08b."/>
                <p>the system component inventory is reviewed and updated <insert type="param" id-ref="cm-08_odp.02"/>.</p>
+               <link rel="assessment-for" href="#cm-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-8_smt"/>
          </part>
          <part id="cm-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11531,15 +12103,19 @@
                <part id="cm-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[01]"/>
                   <p>the inventory of system components is updated as part of component installations;</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
                <part id="cm-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[02]"/>
                   <p>the inventory of system components is updated as part of component removals;</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
                <part id="cm-8.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[03]"/>
                   <p>the inventory of system components is updated as part of system updates.</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-8.1_smt"/>
             </part>
             <part id="cm-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11643,22 +12219,27 @@
                   <prop name="label" class="sp800-53a" value="CM-08(02)[01]"/>
                   <p>
                      <insert type="param" id-ref="cm-08.02_odp.01"/> are used to maintain the currency of the system component inventory;</p>
+                  <link rel="assessment-for" href="#cm-8.2_smt"/>
                </part>
                <part id="cm-8.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(02)[02]"/>
                   <p>
                      <insert type="param" id-ref="cm-08.02_odp.02"/> are used to maintain the completeness of the system component inventory;</p>
+                  <link rel="assessment-for" href="#cm-8.2_smt"/>
                </part>
                <part id="cm-8.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(02)[03]"/>
                   <p>
                      <insert type="param" id-ref="cm-08.02_odp.03"/> are used to maintain the accuracy of the system component inventory;</p>
+                  <link rel="assessment-for" href="#cm-8.2_smt"/>
                </part>
                <part id="cm-8.2_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(02)[04]"/>
                   <p>
                      <insert type="param" id-ref="cm-08.02_odp.04"/> are used to maintain the availability of the system component inventory.</p>
+                  <link rel="assessment-for" href="#cm-8.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-8.2_smt"/>
             </part>
             <part id="cm-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11799,17 +12380,21 @@
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[01]"/>
                      <p>the presence of unauthorized hardware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.01"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
                   <part id="cm-8.3_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[02]"/>
                      <p>the presence of unauthorized software within the system is detected using <insert type="param" id-ref="cm-08.03_odp.02"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
                   <part id="cm-8.3_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[03]"/>
                      <p>the presence of unauthorized firmware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.03"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                </part>
                <part id="cm-8.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(03)(b)"/>
@@ -11817,18 +12402,23 @@
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[01]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized hardware is detected;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
                   <part id="cm-8.3_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[02]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized software is detected;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
                   <part id="cm-8.3_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[03]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized firmware is detected.</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-8.3_smt"/>
             </part>
             <part id="cm-8.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11902,6 +12492,7 @@
             <part id="cm-8.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-08(04)"/>
                <p>individuals responsible and accountable for administering system components are identified by <insert type="param" id-ref="cm-08.04_odp"/> in the system component inventory.</p>
+               <link rel="assessment-for" href="#cm-8.4_smt"/>
             </part>
             <part id="cm-8.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11994,63 +12585,80 @@
             <part id="cm-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09[01]"/>
                <p>a configuration management plan for the system is developed and documented;</p>
+               <link rel="assessment-for" href="#cm-9_smt"/>
             </part>
             <part id="cm-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09[02]"/>
                <p>a configuration management plan for the system is implemented;</p>
+               <link rel="assessment-for" href="#cm-9_smt"/>
             </part>
             <part id="cm-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09a."/>
                <part id="cm-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[01]"/>
                   <p>the configuration management plan addresses roles;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
                <part id="cm-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[02]"/>
                   <p>the configuration management plan addresses responsibilities;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
                <part id="cm-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[03]"/>
                   <p>the configuration management plan addresses configuration management processes and procedures;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.a"/>
             </part>
             <part id="cm-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09b."/>
                <part id="cm-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09b.[01]"/>
                   <p>the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.b"/>
                </part>
                <part id="cm-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09b.[02]"/>
                   <p>the configuration management plan establishes a process for managing the configuration of the configuration items;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.b"/>
             </part>
             <part id="cm-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09c."/>
                <part id="cm-9_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09c.[01]"/>
                   <p>the configuration management plan defines the configuration items for the system;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.c"/>
                </part>
                <part id="cm-9_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09c.[02]"/>
                   <p>the configuration management plan places the configuration items under configuration management;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.c"/>
             </part>
             <part id="cm-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09d."/>
                <p>the configuration management plan is reviewed and approved by <insert type="param" id-ref="cm-09_odp"/>;</p>
+               <link rel="assessment-for" href="#cm-9_smt.d"/>
             </part>
             <part id="cm-9_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09e."/>
                <part id="cm-9_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09e.[01]"/>
                   <p>the configuration management plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.e"/>
                </part>
                <part id="cm-9_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09e.[02]"/>
                   <p>the configuration management plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#cm-9_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#cm-9_smt"/>
          </part>
          <part id="cm-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12125,15 +12733,19 @@
             <part id="cm-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10a."/>
                <p>software and associated documentation are used in accordance with contract agreements and copyright laws;</p>
+               <link rel="assessment-for" href="#cm-10_smt.a"/>
             </part>
             <part id="cm-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10b."/>
                <p>the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;</p>
+               <link rel="assessment-for" href="#cm-10_smt.b"/>
             </part>
             <part id="cm-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10c."/>
                <p>the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
+               <link rel="assessment-for" href="#cm-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-10_smt"/>
          </part>
          <part id="cm-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12238,15 +12850,19 @@
                <prop name="label" class="sp800-53a" value="CM-11a."/>
                <p>
                   <insert type="param" id-ref="cm-11_odp.01"/> governing the installation of software by users are established;</p>
+               <link rel="assessment-for" href="#cm-11_smt.a"/>
             </part>
             <part id="cm-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11b."/>
                <p>software installation policies are enforced through <insert type="param" id-ref="cm-11_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cm-11_smt.b"/>
             </part>
             <part id="cm-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11c."/>
                <p>compliance with <insert type="param" id-ref="cm-11_odp.01"/> is monitored <insert type="param" id-ref="cm-11_odp.03"/>.</p>
+               <link rel="assessment-for" href="#cm-11_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-11_smt"/>
          </part>
          <part id="cm-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12349,38 +12965,49 @@
                <part id="cm-12_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[01]"/>
                   <p>the location of <insert type="param" id-ref="cm-12_odp"/> is identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
                <part id="cm-12_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[02]"/>
                   <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
                <part id="cm-12_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[03]"/>
                   <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.a"/>
             </part>
             <part id="cm-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12b."/>
                <part id="cm-12_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12b.[01]"/>
                   <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.b"/>
                </part>
                <part id="cm-12_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12b.[02]"/>
                   <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.b"/>
             </part>
             <part id="cm-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12c."/>
                <part id="cm-12_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12c.[01]"/>
                   <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is processed are documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.c"/>
                </part>
                <part id="cm-12_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12c.[02]"/>
                   <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is stored are documented.</p>
+                  <link rel="assessment-for" href="#cm-12_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-12_smt"/>
          </part>
          <part id="cm-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12458,6 +13085,7 @@
             <part id="cm-12.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12(01)"/>
                <p>automated tools are used to identify <insert type="param" id-ref="cm-12.01_odp.01"/> on <insert type="param" id-ref="cm-12.01_odp.02"/> to ensure that controls are in place to protect organizational information and individual privacy.</p>
+               <link rel="assessment-for" href="#cm-12.1_smt"/>
             </part>
             <part id="cm-12.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12641,18 +13269,22 @@
                <part id="cp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[01]"/>
                   <p>a contingency planning policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[02]"/>
                   <p>the contingency planning policy is disseminated to <insert type="param" id-ref="cp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[03]"/>
                   <p>contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[04]"/>
                   <p>the contingency planning procedures are disseminated to <insert type="param" id-ref="cp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.01"/>
@@ -12661,41 +13293,53 @@
                      <part id="cp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                   </part>
                   <part id="cp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.a"/>
             </part>
             <part id="cp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01b."/>
                <p>the <insert type="param" id-ref="cp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;</p>
+               <link rel="assessment-for" href="#cp-1_smt.b"/>
             </part>
             <part id="cp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01c."/>
@@ -12704,24 +13348,32 @@
                   <part id="cp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[01]"/>
                      <p>the current contingency planning policy is reviewed and updated <insert type="param" id-ref="cp-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
                   <part id="cp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[02]"/>
                      <p>the current contingency planning policy is reviewed and updated following <insert type="param" id-ref="cp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                </part>
                <part id="cp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01c.02"/>
                   <part id="cp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[01]"/>
                      <p>the current contingency planning procedures are reviewed and updated <insert type="param" id-ref="cp-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
                   <part id="cp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[02]"/>
                      <p>the current contingency planning procedures are reviewed and updated following <insert type="param" id-ref="cp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt"/>
          </part>
          <part id="cp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12927,124 +13579,158 @@
                <part id="cp-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.01"/>
                   <p>a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.1"/>
                </part>
                <part id="cp-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.02"/>
                   <part id="cp-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[01]"/>
                      <p>a contingency plan for the system is developed that provides recovery objectives;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[02]"/>
                      <p>a contingency plan for the system is developed that provides restoration priorities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[03]"/>
                      <p>a contingency plan for the system is developed that provides metrics;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                </part>
                <part id="cp-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.03"/>
                   <part id="cp-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[01]"/>
                      <p>a contingency plan for the system is developed that addresses contingency roles;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[02]"/>
                      <p>a contingency plan for the system is developed that addresses contingency responsibilities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[03]"/>
                      <p>a contingency plan for the system is developed that addresses assigned individuals with contact information;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                </part>
                <part id="cp-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.04"/>
                   <p>a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.4"/>
                </part>
                <part id="cp-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.05"/>
                   <p>a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.5"/>
                </part>
                <part id="cp-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.06"/>
                   <p>a contingency plan for the system is developed that addresses the sharing of contingency information;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.6"/>
                </part>
                <part id="cp-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.07"/>
                   <part id="cp-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[01]"/>
                      <p>a contingency plan for the system is developed that is reviewed by <insert type="param" id-ref="cp-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
                   <part id="cp-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[02]"/>
                      <p>a contingency plan for the system is developed that is approved by <insert type="param" id-ref="cp-02_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.a"/>
             </part>
             <part id="cp-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02b."/>
                <part id="cp-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[01]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
                <part id="cp-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[02]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.b"/>
             </part>
             <part id="cp-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02c."/>
                <p>contingency planning activities are coordinated with incident handling activities;</p>
+               <link rel="assessment-for" href="#cp-2_smt.c"/>
             </part>
             <part id="cp-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02d."/>
                <p>the contingency plan for the system is reviewed <insert type="param" id-ref="cp-02_odp.05"/>;</p>
+               <link rel="assessment-for" href="#cp-2_smt.d"/>
             </part>
             <part id="cp-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02e."/>
                <part id="cp-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[01]"/>
                   <p>the contingency plan is updated to address changes to the organization, system, or environment of operation;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
                <part id="cp-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[02]"/>
                   <p>the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.e"/>
             </part>
             <part id="cp-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02f."/>
                <part id="cp-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[01]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
                <part id="cp-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[02]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.f"/>
             </part>
             <part id="cp-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02g."/>
                <part id="cp-2_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[01]"/>
                   <p>lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
                <part id="cp-2_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[02]"/>
                   <p>lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.g"/>
             </part>
             <part id="cp-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02h."/>
                <part id="cp-2_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[01]"/>
                   <p>the contingency plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
                <part id="cp-2_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[02]"/>
                   <p>the contingency plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.h"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt"/>
          </part>
          <part id="cp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13094,6 +13780,7 @@
             <part id="cp-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(01)"/>
                <p>contingency plan development is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#cp-2.1_smt"/>
             </part>
             <part id="cp-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13150,15 +13837,19 @@
                <part id="cp-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02(02)[01]"/>
                   <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;</p>
+                  <link rel="assessment-for" href="#cp-2.2_smt"/>
                </part>
                <part id="cp-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02(02)[02]"/>
                   <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;</p>
+                  <link rel="assessment-for" href="#cp-2.2_smt"/>
                </part>
                <part id="cp-2.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02(02)[03]"/>
                   <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.</p>
+                  <link rel="assessment-for" href="#cp-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-2.2_smt"/>
             </part>
             <part id="cp-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13216,6 +13907,7 @@
             <part id="cp-2.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(03)"/>
                <p>the resumption of <insert type="param" id-ref="cp-02.03_odp.01"/> mission and business functions are planned for within <insert type="param" id-ref="cp-02.03_odp.02"/> of contingency plan activation.</p>
+               <link rel="assessment-for" href="#cp-2.3_smt"/>
             </part>
             <part id="cp-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13277,11 +13969,14 @@
                <part id="cp-2.5_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02(05)[01]"/>
                   <p>the continuance of <insert type="param" id-ref="cp-02.05_odp"/> mission and business functions with minimal or no loss of operational continuity is planned for;</p>
+                  <link rel="assessment-for" href="#cp-2.5_smt"/>
                </part>
                <part id="cp-2.5_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02(05)[02]"/>
                   <p>continuity is sustained until full system restoration at primary processing and/or storage sites.</p>
+                  <link rel="assessment-for" href="#cp-2.5_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-2.5_smt"/>
             </part>
             <part id="cp-2.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13346,6 +14041,7 @@
             <part id="cp-2.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(08)"/>
                <p>critical system assets supporting <insert type="param" id-ref="cp-02.08_odp"/> mission and business functions are identified.</p>
+               <link rel="assessment-for" href="#cp-2.8_smt"/>
             </part>
             <part id="cp-2.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13456,27 +14152,35 @@
                <part id="cp-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.01"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="cp-03_odp.01"/> of assuming a contingency role or responsibility;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.1"/>
                </part>
                <part id="cp-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.02"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.2"/>
                </part>
                <part id="cp-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.03"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="cp-03_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.a"/>
             </part>
             <part id="cp-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-03b."/>
                <part id="cp-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[01]"/>
                   <p>the contingency plan training content is reviewed and updated <insert type="param" id-ref="cp-03_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
                <part id="cp-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[02]"/>
                   <p>the contingency plan training content is reviewed and updated following <insert type="param" id-ref="cp-03_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-3_smt"/>
          </part>
          <part id="cp-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13528,6 +14232,7 @@
             <part id="cp-3.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-03(01)"/>
                <p>simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.</p>
+               <link rel="assessment-for" href="#cp-3.1_smt"/>
             </part>
             <part id="cp-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13640,26 +14345,33 @@
                <part id="cp-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[01]"/>
                   <p>the contingency plan for the system is tested <insert type="param" id-ref="cp-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[02]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.02"/> are used to determine the effectiveness of the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[03]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.03"/> are used to determine the readiness to execute the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cp-4_smt.a"/>
             </part>
             <part id="cp-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04b."/>
                <p>the contingency plan test results are reviewed;</p>
+               <link rel="assessment-for" href="#cp-4_smt.b"/>
             </part>
             <part id="cp-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04c."/>
                <p>corrective actions are initiated, if needed.</p>
+               <link rel="assessment-for" href="#cp-4_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-4_smt"/>
          </part>
          <part id="cp-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13713,6 +14425,7 @@
             <part id="cp-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04(01)"/>
                <p>contingency plan testing is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#cp-4.1_smt"/>
             </part>
             <part id="cp-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13776,11 +14489,14 @@
                <part id="cp-4.2_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04(02)(a)"/>
                   <p>the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;</p>
+                  <link rel="assessment-for" href="#cp-4.2_smt.a"/>
                </part>
                <part id="cp-4.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04(02)(b)"/>
                   <p>the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.</p>
+                  <link rel="assessment-for" href="#cp-4.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-4.2_smt"/>
             </part>
             <part id="cp-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13854,16 +14570,21 @@
                <part id="cp-6_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06a.[01]"/>
                   <p>an alternate storage site is established;</p>
+                  <link rel="assessment-for" href="#cp-6_smt.a"/>
                </part>
                <part id="cp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06a.[02]"/>
                   <p>establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;</p>
+                  <link rel="assessment-for" href="#cp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cp-6_smt.a"/>
             </part>
             <part id="cp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-06b."/>
                <p>the alternate storage site provides controls equivalent to that of the primary site.</p>
+               <link rel="assessment-for" href="#cp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-6_smt"/>
          </part>
          <part id="cp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13914,6 +14635,7 @@
             <part id="cp-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-06(01)"/>
                <p>an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.</p>
+               <link rel="assessment-for" href="#cp-6.1_smt"/>
             </part>
             <part id="cp-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13959,11 +14681,14 @@
                <part id="cp-6.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(02)[01]"/>
                   <p>the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;</p>
+                  <link rel="assessment-for" href="#cp-6.2_smt"/>
                </part>
                <part id="cp-6.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(02)[02]"/>
                   <p>the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.</p>
+                  <link rel="assessment-for" href="#cp-6.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-6.2_smt"/>
             </part>
             <part id="cp-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14018,11 +14743,14 @@
                <part id="cp-6.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(03)[01]"/>
                   <p>potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;</p>
+                  <link rel="assessment-for" href="#cp-6.3_smt"/>
                </part>
                <part id="cp-6.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(03)[02]"/>
                   <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+                  <link rel="assessment-for" href="#cp-6.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-6.3_smt"/>
             </part>
             <part id="cp-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14112,22 +14840,28 @@
             <part id="cp-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07a."/>
                <p>an alternate processing site, including necessary agreements to permit the transfer and resumption of <insert type="param" id-ref="cp-07_odp.01"/> for essential mission and business functions, is established within <insert type="param" id-ref="cp-07_odp.02"/> when the primary processing capabilities are unavailable;</p>
+               <link rel="assessment-for" href="#cp-7_smt.a"/>
             </part>
             <part id="cp-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07b."/>
                <part id="cp-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07b.[01]"/>
                   <p>the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for transfer;</p>
+                  <link rel="assessment-for" href="#cp-7_smt.b"/>
                </part>
                <part id="cp-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07b.[02]"/>
                   <p>the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for resumption;</p>
+                  <link rel="assessment-for" href="#cp-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-7_smt.b"/>
             </part>
             <part id="cp-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07c."/>
                <p>controls provided at the alternate processing site are equivalent to those at the primary site.</p>
+               <link rel="assessment-for" href="#cp-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-7_smt"/>
          </part>
          <part id="cp-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14180,6 +14914,7 @@
             <part id="cp-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07(01)"/>
                <p>an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.</p>
+               <link rel="assessment-for" href="#cp-7.1_smt"/>
             </part>
             <part id="cp-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14226,11 +14961,14 @@
                <part id="cp-7.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07(02)[01]"/>
                   <p>potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;</p>
+                  <link rel="assessment-for" href="#cp-7.2_smt"/>
                </part>
                <part id="cp-7.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07(02)[02]"/>
                   <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+                  <link rel="assessment-for" href="#cp-7.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-7.2_smt"/>
             </part>
             <part id="cp-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14274,6 +15012,7 @@
             <part id="cp-7.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07(03)"/>
                <p>alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.</p>
+               <link rel="assessment-for" href="#cp-7.3_smt"/>
             </part>
             <part id="cp-7.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14320,6 +15059,7 @@
             <part id="cp-7.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07(04)"/>
                <p>the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.</p>
+               <link rel="assessment-for" href="#cp-7.4_smt"/>
             </part>
             <part id="cp-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14392,6 +15132,7 @@
          <part id="cp-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-08"/>
             <p>alternate telecommunications services, including necessary agreements to permit the resumption of <insert type="param" id-ref="cp-08_odp.01"/> , are established for essential mission and business functions within <insert type="param" id-ref="cp-08_odp.02"/> when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</p>
+            <link rel="assessment-for" href="#cp-8_smt"/>
          </part>
          <part id="cp-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14452,16 +15193,21 @@
                   <part id="cp-8.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(01)(a)[01]"/>
                      <p>primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+                     <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                   </part>
                   <part id="cp-8.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(01)(a)[02]"/>
                      <p>alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+                     <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                </part>
                <part id="cp-8.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-08(01)(b)"/>
                   <p>Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.</p>
+                  <link rel="assessment-for" href="#cp-8.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-8.1_smt"/>
             </part>
             <part id="cp-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14512,6 +15258,7 @@
             <part id="cp-8.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-08(02)"/>
                <p>alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.</p>
+               <link rel="assessment-for" href="#cp-8.2_smt"/>
             </part>
             <part id="cp-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14554,6 +15301,7 @@
             <part id="cp-8.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-08(03)"/>
                <p>alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.</p>
+               <link rel="assessment-for" href="#cp-8.3_smt"/>
             </part>
             <part id="cp-8.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14637,27 +15385,35 @@
                   <part id="cp-8.4_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(04)(a)[01]"/>
                      <p>primary telecommunications service providers are required to have contingency plans;</p>
+                     <link rel="assessment-for" href="#cp-8.4_smt.a"/>
                   </part>
                   <part id="cp-8.4_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(04)(a)[02]"/>
                      <p>alternate telecommunications service providers are required to have contingency plans;</p>
+                     <link rel="assessment-for" href="#cp-8.4_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-8.4_smt.a"/>
                </part>
                <part id="cp-8.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-08(04)(b)"/>
                   <p>provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;</p>
+                  <link rel="assessment-for" href="#cp-8.4_smt.b"/>
                </part>
                <part id="cp-8.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-08(04)(c)"/>
                   <part id="cp-8.4_obj.c-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(04)(c)[01]"/>
                      <p>evidence of contingency testing by providers is obtained <insert type="param" id-ref="cp-08.04_odp.01"/>.</p>
+                     <link rel="assessment-for" href="#cp-8.4_smt.c"/>
                   </part>
                   <part id="cp-8.4_obj.c-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(04)(c)[02]"/>
                      <p>evidence of contingency training by providers is obtained <insert type="param" id-ref="cp-08.04_odp.02"/>.</p>
+                     <link rel="assessment-for" href="#cp-8.4_smt.c"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-8.4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cp-8.4_smt"/>
             </part>
             <part id="cp-8.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14776,30 +15532,38 @@
             <part id="cp-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09a."/>
                <p>backups of user-level information contained in <insert type="param" id-ref="cp-09_odp.01"/> are conducted <insert type="param" id-ref="cp-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.a"/>
             </part>
             <part id="cp-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09b."/>
                <p>backups of system-level information contained in the system are conducted <insert type="param" id-ref="cp-09_odp.03"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.b"/>
             </part>
             <part id="cp-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09c."/>
                <p>backups of system documentation, including security- and privacy-related documentation are conducted <insert type="param" id-ref="cp-09_odp.04"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.c"/>
             </part>
             <part id="cp-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09d."/>
                <part id="cp-9_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[01]"/>
                   <p>the confidentiality of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[02]"/>
                   <p>the integrity of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[03]"/>
                   <p>the availability of backup information is protected.</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cp-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cp-9_smt"/>
          </part>
          <part id="cp-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14875,11 +15639,14 @@
                <part id="cp-9.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(01)[01]"/>
                   <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.01"/> to verify media reliability;</p>
+                  <link rel="assessment-for" href="#cp-9.1_smt"/>
                </part>
                <part id="cp-9.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(01)[02]"/>
                   <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.02"/> to verify information integrity.</p>
+                  <link rel="assessment-for" href="#cp-9.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-9.1_smt"/>
             </part>
             <part id="cp-9.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14931,6 +15698,7 @@
             <part id="cp-9.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09(02)"/>
                <p>a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.</p>
+               <link rel="assessment-for" href="#cp-9.2_smt"/>
             </part>
             <part id="cp-9.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14993,6 +15761,7 @@
             <part id="cp-9.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09(03)"/>
                <p>backup copies of <insert type="param" id-ref="cp-09.03_odp"/> are stored in a separate facility or in a fire rated container that is not collocated with the operational system.</p>
+               <link rel="assessment-for" href="#cp-9.3_smt"/>
             </part>
             <part id="cp-9.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15065,11 +15834,14 @@
                <part id="cp-9.5_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(05)[01]"/>
                   <p>system backup information is transferred to the alternate storage site for <insert type="param" id-ref="cp-09.05_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-9.5_smt"/>
                </part>
                <part id="cp-9.5_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(05)[02]"/>
                   <p>system backup information is transferred to the alternate storage site <insert type="param" id-ref="cp-09.05_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#cp-9.5_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-9.5_smt"/>
             </part>
             <part id="cp-9.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15132,6 +15904,7 @@
             <part id="cp-9.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09(08)"/>
                <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of <insert type="param" id-ref="cp-09.08_odp"/>.</p>
+               <link rel="assessment-for" href="#cp-9.8_smt"/>
             </part>
             <part id="cp-9.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15215,11 +15988,14 @@
             <part id="cp-10_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[01]"/>
                <p>the recovery of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.01"/> after a disruption, compromise, or failure;</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
             <part id="cp-10_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[02]"/>
                <p>a reconstitution of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.02"/> after a disruption, compromise, or failure.</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
+            <link rel="assessment-for" href="#cp-10_smt"/>
          </part>
          <part id="cp-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15271,6 +16047,7 @@
             <part id="cp-10.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10(02)"/>
                <p>transaction recovery is implemented for systems that are transaction-based.</p>
+               <link rel="assessment-for" href="#cp-10.2_smt"/>
             </part>
             <part id="cp-10.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15333,6 +16110,7 @@
             <part id="cp-10.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10(04)"/>
                <p>the capability to restore system components within <insert type="param" id-ref="cp-10.04_odp"/> from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.</p>
+               <link rel="assessment-for" href="#cp-10.4_smt"/>
             </part>
             <part id="cp-10.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15517,18 +16295,22 @@
                <part id="ia-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[01]"/>
                   <p>an identification and authentication policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[02]"/>
                   <p>the identification and authentication policy is disseminated to <insert type="param" id-ref="ia-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[03]"/>
                   <p>identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[04]"/>
                   <p>the identification and authentication procedures are disseminated to <insert type="param" id-ref="ia-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.01"/>
@@ -15537,41 +16319,53 @@
                      <part id="ia-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                   </part>
                   <part id="ia-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.a"/>
             </part>
             <part id="ia-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01b."/>
                <p>the <insert type="param" id-ref="ia-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;</p>
+               <link rel="assessment-for" href="#ia-1_smt.b"/>
             </part>
             <part id="ia-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01c."/>
@@ -15580,24 +16374,32 @@
                   <part id="ia-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[01]"/>
                      <p>the current identification and authentication policy is reviewed and updated <insert type="param" id-ref="ia-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
                   <part id="ia-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[02]"/>
                      <p>the current identification and authentication policy is reviewed and updated following <insert type="param" id-ref="ia-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                </part>
                <part id="ia-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01c.02"/>
                   <part id="ia-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[01]"/>
                      <p>the current identification and authentication procedures are reviewed and updated <insert type="param" id-ref="ia-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
                   <part id="ia-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[02]"/>
                      <p>the current identification and authentication procedures are reviewed and updated following <insert type="param" id-ref="ia-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt"/>
          </part>
          <part id="ia-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15659,6 +16461,7 @@
          <link rel="related" href="#ia-4"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-8"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
          <link rel="related" href="#pe-2"/>
@@ -15678,11 +16481,14 @@
             <part id="ia-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[01]"/>
                <p>organizational users are uniquely identified and authenticated;</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
             <part id="ia-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[02]"/>
                <p>the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#ia-2_smt"/>
          </part>
          <part id="ia-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15736,6 +16542,7 @@
             <part id="ia-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(01)"/>
                <p>multi-factor authentication is implemented for access to privileged accounts.</p>
+               <link rel="assessment-for" href="#ia-2.1_smt"/>
             </part>
             <part id="ia-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15789,6 +16596,7 @@
             <part id="ia-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(02)"/>
                <p>multi-factor authentication for access to non-privileged accounts is implemented.</p>
+               <link rel="assessment-for" href="#ia-2.2_smt"/>
             </part>
             <part id="ia-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15844,6 +16652,7 @@
             <part id="ia-2.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(05)"/>
                <p>users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.</p>
+               <link rel="assessment-for" href="#ia-2.5_smt"/>
             </part>
             <part id="ia-2.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15904,6 +16713,7 @@
             <part id="ia-2.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(08)"/>
                <p>replay-resistant authentication mechanisms for access to <insert type="param" id-ref="ia-02.08_odp"/> are implemented.</p>
+               <link rel="assessment-for" href="#ia-2.8_smt"/>
             </part>
             <part id="ia-2.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15957,6 +16767,7 @@
             <part id="ia-2.12_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(12)"/>
                <p>Personal Identity Verification-compliant credentials are accepted and electronically verified.</p>
+               <link rel="assessment-for" href="#ia-2.12_smt"/>
             </part>
             <part id="ia-2.12_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16029,6 +16840,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-9"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#si-4"/>
          <part name="statement" id="ia-3_smt">
             <p>Uniquely identify and authenticate <insert type="param" id-ref="ia-03_odp.01"/> before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
@@ -16040,6 +16852,7 @@
             <prop name="label" class="sp800-53a" value="IA-03"/>
             <p>
                <insert type="param" id-ref="ia-03_odp.01"/> are uniquely identified and authenticated before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
+            <link rel="assessment-for" href="#ia-3_smt"/>
          </part>
          <part id="ia-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16146,19 +16959,24 @@
             <part id="ia-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04a."/>
                <p>system identifiers are managed by receiving authorization from <insert type="param" id-ref="ia-04_odp.01"/> to assign to an individual, group, role, or device identifier;</p>
+               <link rel="assessment-for" href="#ia-4_smt.a"/>
             </part>
             <part id="ia-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04b."/>
                <p>system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.b"/>
             </part>
             <part id="ia-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04c."/>
                <p>system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.c"/>
             </part>
             <part id="ia-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04d."/>
                <p>system identifiers are managed by preventing reuse of identifiers for <insert type="param" id-ref="ia-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ia-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ia-4_smt"/>
          </part>
          <part id="ia-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16221,6 +17039,7 @@
             <part id="ia-4.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04(04)"/>
                <p>individual identifiers are managed by uniquely identifying each individual as <insert type="param" id-ref="ia-04.04_odp"/>.</p>
+               <link rel="assessment-for" href="#ia-4.4_smt"/>
             </part>
             <part id="ia-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16353,46 +17172,58 @@
             <part id="ia-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05a."/>
                <p>system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;</p>
+               <link rel="assessment-for" href="#ia-5_smt.a"/>
             </part>
             <part id="ia-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05b."/>
                <p>system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;</p>
+               <link rel="assessment-for" href="#ia-5_smt.b"/>
             </part>
             <part id="ia-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05c."/>
                <p>system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.c"/>
             </part>
             <part id="ia-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05d."/>
                <p>system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;</p>
+               <link rel="assessment-for" href="#ia-5_smt.d"/>
             </part>
             <part id="ia-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05e."/>
                <p>system authenticators are managed through the change of default authenticators prior to first use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.e"/>
             </part>
             <part id="ia-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05f."/>
                <p>system authenticators are managed through the change or refreshment of authenticators <insert type="param" id-ref="ia-05_odp.01"/> or when <insert type="param" id-ref="ia-05_odp.02"/> occur;</p>
+               <link rel="assessment-for" href="#ia-5_smt.f"/>
             </part>
             <part id="ia-5_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05g."/>
                <p>system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;</p>
+               <link rel="assessment-for" href="#ia-5_smt.g"/>
             </part>
             <part id="ia-5_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05h."/>
                <part id="ia-5_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[01]"/>
                   <p>system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
                <part id="ia-5_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[02]"/>
                   <p>system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5_smt.h"/>
             </part>
             <part id="ia-5_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05i."/>
                <p>system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.</p>
+               <link rel="assessment-for" href="#ia-5_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#ia-5_smt"/>
          </part>
          <part id="ia-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16497,35 +17328,44 @@
                <part id="ia-5.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(a)"/>
                   <p>for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated <insert type="param" id-ref="ia-05.01_odp.01"/> and when organizational passwords are suspected to have been compromised directly or indirectly;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.a"/>
                </part>
                <part id="ia-5.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(b)"/>
                   <p>for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.b"/>
                </part>
                <part id="ia-5.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(c)"/>
                   <p>for password-based authentication, passwords are only transmitted over cryptographically protected channels;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.c"/>
                </part>
                <part id="ia-5.1_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(d)"/>
                   <p>for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.d"/>
                </part>
                <part id="ia-5.1_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(e)"/>
                   <p>for password-based authentication, immediate selection of a new password is required upon account recovery;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.e"/>
                </part>
                <part id="ia-5.1_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(f)"/>
                   <p>for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.f"/>
                </part>
                <part id="ia-5.1_obj.g" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(g)"/>
                   <p>for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.g"/>
                </part>
                <part id="ia-5.1_obj.h" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(h)"/>
                   <p>for password-based authentication, <insert type="param" id-ref="ia-05.01_odp.02"/> are enforced.</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5.1_smt"/>
             </part>
             <part id="ia-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16606,23 +17446,30 @@
                   <part id="ia-5.2_obj.a.1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(a)(01)"/>
                      <p>authorized access to the corresponding private key is enforced for public key-based authentication;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.a.1"/>
                   </part>
                   <part id="ia-5.2_obj.a.2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(a)(02)"/>
                      <p>the authenticated identity is mapped to the account of the individual or group for public key-based authentication;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-5.2_smt.a"/>
                </part>
                <part id="ia-5.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(02)(b)"/>
                   <part id="ia-5.2_obj.b.1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(b)(01)"/>
                      <p>when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.b.1"/>
                   </part>
                   <part id="ia-5.2_obj.b.2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(b)(02)"/>
                      <p>when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.b.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-5.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ia-5.2_smt"/>
             </part>
             <part id="ia-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16675,6 +17522,7 @@
             <part id="ia-5.6_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05(06)"/>
                <p>authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.</p>
+               <link rel="assessment-for" href="#ia-5.6_smt"/>
             </part>
             <part id="ia-5.6_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16727,6 +17575,7 @@
          <part id="ia-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-06"/>
             <p>the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</p>
+            <link rel="assessment-for" href="#ia-6_smt"/>
          </part>
          <part id="ia-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16781,6 +17630,7 @@
          <part id="ia-7_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-07"/>
             <p>mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.</p>
+            <link rel="assessment-for" href="#ia-7_smt"/>
          </part>
          <part id="ia-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16839,6 +17689,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-10"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ra-3"/>
          <link rel="related" href="#sa-4"/>
@@ -16852,6 +17703,7 @@
          <part id="ia-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08"/>
             <p>non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.</p>
+            <link rel="assessment-for" href="#ia-8_smt"/>
          </part>
          <part id="ia-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16906,11 +17758,14 @@
                <part id="ia-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[01]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
                <part id="ia-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[02]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.1_smt"/>
             </part>
             <part id="ia-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16975,18 +17830,23 @@
                <part id="ia-8.2_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(a)"/>
                   <p>only external authenticators that are NIST-compliant are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.2_smt.a"/>
                </part>
                <part id="ia-8.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(b)"/>
                   <part id="ia-8.2_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[01]"/>
                      <p>a list of accepted external authenticators is documented;</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
                   <part id="ia-8.2_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[02]"/>
                      <p>a list of accepted external authenticators is maintained.</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.2_smt"/>
             </part>
             <part id="ia-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17051,6 +17911,7 @@
             <part id="ia-8.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-08(04)"/>
                <p>there is conformance with <insert type="param" id-ref="ia-08.04_odp"/> for identity management.</p>
+               <link rel="assessment-for" href="#ia-8.4_smt"/>
             </part>
             <part id="ia-8.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17122,6 +17983,7 @@
          <part id="ia-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-11"/>
             <p>users are required to re-authenticate when <insert type="param" id-ref="ia-11_odp"/>.</p>
+            <link rel="assessment-for" href="#ia-11_smt"/>
          </part>
          <part id="ia-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17176,6 +18038,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-8"/>
+         <link rel="related" href="#ia-13"/>
          <part name="statement" id="ia-12_smt">
             <part name="item" id="ia-12_smt.a">
                <prop name="label" value="a."/>
@@ -17198,26 +18061,33 @@
             <part id="ia-12_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12a."/>
                <p>users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;</p>
+               <link rel="assessment-for" href="#ia-12_smt.a"/>
             </part>
             <part id="ia-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12b."/>
                <p>user identities are resolved to a unique individual;</p>
+               <link rel="assessment-for" href="#ia-12_smt.b"/>
             </part>
             <part id="ia-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12c."/>
                <part id="ia-12_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[01]"/>
                   <p>identity evidence is collected;</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
                <part id="ia-12_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[02]"/>
                   <p>identity evidence is validated;</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
                <part id="ia-12_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[03]"/>
                   <p>identity evidence is verified.</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ia-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ia-12_smt"/>
          </part>
          <part id="ia-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17267,6 +18137,7 @@
             <part id="ia-12.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(02)"/>
                <p>evidence of individual identification is presented to the registration authority.</p>
+               <link rel="assessment-for" href="#ia-12.2_smt"/>
             </part>
             <part id="ia-12.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17326,6 +18197,7 @@
             <part id="ia-12.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(03)"/>
                <p>the presented identity evidence is validated and verified through <insert type="param" id-ref="ia-12.03_odp"/>.</p>
+               <link rel="assessment-for" href="#ia-12.3_smt"/>
             </part>
             <part id="ia-12.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17374,6 +18246,7 @@
             <part id="ia-12.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(04)"/>
                <p>the validation and verification of identity evidence is conducted in person before a designated registration authority.</p>
+               <link rel="assessment-for" href="#ia-12.4_smt"/>
             </part>
             <part id="ia-12.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17431,6 +18304,7 @@
             <part id="ia-12.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(05)"/>
                <p>a <insert type="param" id-ref="ia-12.05_odp"/> is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.</p>
+               <link rel="assessment-for" href="#ia-12.5_smt"/>
             </part>
             <part id="ia-12.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17608,18 +18482,22 @@
                <part id="ir-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[01]"/>
                   <p>an incident response policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[02]"/>
                   <p>the incident response policy is disseminated to <insert type="param" id-ref="ir-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[03]"/>
                   <p>incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[04]"/>
                   <p>the incident response procedures are disseminated to <insert type="param" id-ref="ir-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.01"/>
@@ -17628,41 +18506,53 @@
                      <part id="ir-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                   </part>
                   <part id="ir-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.a"/>
             </part>
             <part id="ir-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01b."/>
                <p>the <insert type="param" id-ref="ir-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;</p>
+               <link rel="assessment-for" href="#ir-1_smt.b"/>
             </part>
             <part id="ir-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01c."/>
@@ -17671,24 +18561,32 @@
                   <part id="ir-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[01]"/>
                      <p>the current incident response policy is reviewed and updated <insert type="param" id-ref="ir-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
                   <part id="ir-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[02]"/>
                      <p>the current incident response policy is reviewed and updated following <insert type="param" id-ref="ir-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                </part>
                <part id="ir-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01c.02"/>
                   <part id="ir-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[01]"/>
                      <p>the current incident response procedures are reviewed and updated <insert type="param" id-ref="ir-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
                   <part id="ir-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[02]"/>
                      <p>the current incident response procedures are reviewed and updated following <insert type="param" id-ref="ir-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt"/>
          </part>
          <part id="ir-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17795,27 +18693,35 @@
                <part id="ir-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.01"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="ir-02_odp.01"/> of assuming an incident response role or responsibility or acquiring system access;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.1"/>
                </part>
                <part id="ir-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.02"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.2"/>
                </part>
                <part id="ir-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.03"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="ir-02_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.a"/>
             </part>
             <part id="ir-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02b."/>
                <part id="ir-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[01]"/>
                   <p>incident response training content is reviewed and updated <insert type="param" id-ref="ir-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
                <part id="ir-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[02]"/>
                   <p>incident response training content is reviewed and updated following <insert type="param" id-ref="ir-02_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-2_smt"/>
          </part>
          <part id="ir-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17862,6 +18768,7 @@
             <part id="ir-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02(01)"/>
                <p>simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.</p>
+               <link rel="assessment-for" href="#ir-2.1_smt"/>
             </part>
             <part id="ir-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17922,6 +18829,7 @@
             <part id="ir-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02(02)"/>
                <p>an incident response training environment is provided using <insert type="param" id-ref="ir-02.02_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-2.2_smt"/>
             </part>
             <part id="ir-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18000,6 +18908,7 @@
          <part id="ir-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-03"/>
             <p>the effectiveness of the incident response capability for the system is tested <insert type="param" id-ref="ir-03_odp.01"/> using <insert type="param" id-ref="ir-03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ir-3_smt"/>
          </part>
          <part id="ir-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18048,6 +18957,7 @@
             <part id="ir-3.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-03(02)"/>
                <p>incident response testing is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#ir-3.2_smt"/>
             </part>
             <part id="ir-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18148,62 +19058,79 @@
                <part id="ir-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[01]"/>
                   <p>an incident handling capability for incidents is implemented that is consistent with the incident response plan;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[02]"/>
                   <p>the incident handling capability for incidents includes preparation;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[03]"/>
                   <p>the incident handling capability for incidents includes detection and analysis;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[04]"/>
                   <p>the incident handling capability for incidents includes containment;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[05]"/>
                   <p>the incident handling capability for incidents includes eradication;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[06]"/>
                   <p>the incident handling capability for incidents includes recovery;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.a"/>
             </part>
             <part id="ir-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04b."/>
                <p>incident handling activities are coordinated with contingency planning activities;</p>
+               <link rel="assessment-for" href="#ir-4_smt.b"/>
             </part>
             <part id="ir-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04c."/>
                <part id="ir-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[01]"/>
                   <p>lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
                <part id="ir-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[02]"/>
                   <p>the changes resulting from the incorporated lessons learned are implemented accordingly;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.c"/>
             </part>
             <part id="ir-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04d."/>
                <part id="ir-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[01]"/>
                   <p>the rigor of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[02]"/>
                   <p>the intensity of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[03]"/>
                   <p>the scope of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[04]"/>
                   <p>the results of incident handling activities are comparable and predictable across the organization.</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ir-4_smt"/>
          </part>
          <part id="ir-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18261,6 +19188,7 @@
             <part id="ir-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04(01)"/>
                <p>the incident handling process is supported using <insert type="param" id-ref="ir-04.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-4.1_smt"/>
             </part>
             <part id="ir-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18311,6 +19239,7 @@
             <part id="ir-4.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04(04)"/>
                <p>incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.</p>
+               <link rel="assessment-for" href="#ir-4.4_smt"/>
             </part>
             <part id="ir-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18383,11 +19312,14 @@
                <part id="ir-4.11_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04(11)[01]"/>
                   <p>an integrated incident response team is established and maintained;</p>
+                  <link rel="assessment-for" href="#ir-4.11_smt"/>
                </part>
                <part id="ir-4.11_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04(11)[02]"/>
                   <p>the integrated incident response team can be deployed to any location identified by the organization in <insert type="param" id-ref="ir-04.11_odp"/>.</p>
+                  <link rel="assessment-for" href="#ir-4.11_smt"/>
                </part>
+               <link rel="assessment-for" href="#ir-4.11_smt"/>
             </part>
             <part id="ir-4.11_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18448,11 +19380,14 @@
             <part id="ir-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[01]"/>
                <p>incidents are tracked;</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
             <part id="ir-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[02]"/>
                <p>incidents are documented.</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-5_smt"/>
          </part>
          <part id="ir-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18539,15 +19474,19 @@
                <part id="ir-5.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-05(01)[01]"/>
                   <p>incidents are tracked using <insert type="param" id-ref="ir-05.01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ir-5.1_smt"/>
                </part>
                <part id="ir-5.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-05(01)[02]"/>
                   <p>incident information is collected using <insert type="param" id-ref="ir-05.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-5.1_smt"/>
                </part>
                <part id="ir-5.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-05(01)[03]"/>
                   <p>incident information is analyzed using <insert type="param" id-ref="ir-05.01_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#ir-5.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ir-5.1_smt"/>
             </part>
             <part id="ir-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18631,11 +19570,14 @@
             <part id="ir-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06a."/>
                <p>personnel is/are required to report suspected incidents to the organizational incident response capability within <insert type="param" id-ref="ir-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ir-6_smt.a"/>
             </part>
             <part id="ir-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06b."/>
                <p>incident information is reported to <insert type="param" id-ref="ir-06_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ir-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-6_smt"/>
          </part>
          <part id="ir-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18696,6 +19638,7 @@
             <part id="ir-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06(01)"/>
                <p>incidents are reported using <insert type="param" id-ref="ir-06.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-6.1_smt"/>
             </part>
             <part id="ir-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18747,6 +19690,7 @@
             <part id="ir-6.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06(03)"/>
                <p>incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.</p>
+               <link rel="assessment-for" href="#ir-6.3_smt"/>
             </part>
             <part id="ir-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18815,11 +19759,14 @@
             <part id="ir-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[01]"/>
                <p>an incident response support resource, integral to the organizational incident response capability, is provided;</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
             <part id="ir-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[02]"/>
                <p>the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-7_smt"/>
          </part>
          <part id="ir-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18876,6 +19823,7 @@
             <part id="ir-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07(01)"/>
                <p>the availability of incident response information and support is increased using <insert type="param" id-ref="ir-07.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-7.1_smt"/>
             </part>
             <part id="ir-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19073,82 +20021,104 @@
                <part id="ir-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.01"/>
                   <p>an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.1"/>
                </part>
                <part id="ir-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.02"/>
                   <p>an incident response plan is developed that describes the structure and organization of the incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.2"/>
                </part>
                <part id="ir-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.03"/>
                   <p>an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.3"/>
                </part>
                <part id="ir-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.04"/>
                   <p>an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.4"/>
                </part>
                <part id="ir-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.05"/>
                   <p>an incident response plan is developed that defines reportable incidents;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.5"/>
                </part>
                <part id="ir-8_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.06"/>
                   <p>an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.6"/>
                </part>
                <part id="ir-8_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.07"/>
                   <p>an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.7"/>
                </part>
                <part id="ir-8_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.08"/>
                   <p>an incident response plan is developed that addresses the sharing of incident information;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.8"/>
                </part>
                <part id="ir-8_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.09"/>
                   <p>an incident response plan is developed that is reviewed and approved by <insert type="param" id-ref="ir-08_odp.01"/>
                      <insert type="param" id-ref="ir-08_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.9"/>
                </part>
                <part id="ir-8_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.10"/>
                   <p>an incident response plan is developed that explicitly designates responsibility for incident response to <insert type="param" id-ref="ir-08_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.10"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.a"/>
             </part>
             <part id="ir-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08b."/>
                <part id="ir-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[01]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
                <part id="ir-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[02]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.b"/>
             </part>
             <part id="ir-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08c."/>
                <p>the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
+               <link rel="assessment-for" href="#ir-8_smt.c"/>
             </part>
             <part id="ir-8_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08d."/>
                <part id="ir-8_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[01]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
                <part id="ir-8_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[02]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.d"/>
             </part>
             <part id="ir-8_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08e."/>
                <part id="ir-8_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[01]"/>
                   <p>the incident response plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
                <part id="ir-8_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[02]"/>
                   <p>the incident response plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ir-8_smt"/>
          </part>
          <part id="ir-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19322,18 +20292,22 @@
                <part id="ma-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[01]"/>
                   <p>a maintenance policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[02]"/>
                   <p>the maintenance policy is disseminated to <insert type="param" id-ref="ma-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[03]"/>
                   <p>maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[04]"/>
                   <p>the maintenance procedures are disseminated to <insert type="param" id-ref="ma-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.01"/>
@@ -19342,41 +20316,53 @@
                      <part id="ma-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                   </part>
                   <part id="ma-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.a"/>
             </part>
             <part id="ma-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01b."/>
                <p>the <insert type="param" id-ref="ma-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;</p>
+               <link rel="assessment-for" href="#ma-1_smt.b"/>
             </part>
             <part id="ma-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01c."/>
@@ -19385,24 +20371,32 @@
                   <part id="ma-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[01]"/>
                      <p>the current maintenance policy is reviewed and updated <insert type="param" id-ref="ma-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
                   <part id="ma-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[02]"/>
                      <p>the current maintenance policy is reviewed and updated following <insert type="param" id-ref="ma-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                </part>
                <part id="ma-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01c.02"/>
                   <part id="ma-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[01]"/>
                      <p>the current maintenance procedures are reviewed and updated <insert type="param" id-ref="ma-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
                   <part id="ma-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[02]"/>
                      <p>the current maintenance procedures are reviewed and updated following <insert type="param" id-ref="ma-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt"/>
          </part>
          <part id="ma-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19506,45 +20500,57 @@
                <part id="ma-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[01]"/>
                   <p>maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[02]"/>
                   <p>maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[03]"/>
                   <p>records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.a"/>
             </part>
             <part id="ma-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02b."/>
                <part id="ma-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[01]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
                <part id="ma-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[02]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.b"/>
             </part>
             <part id="ma-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02c."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.01"/> is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.c"/>
             </part>
             <part id="ma-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02d."/>
                <p>equipment is sanitized to remove <insert type="param" id-ref="ma-02_odp.02"/> from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.d"/>
             </part>
             <part id="ma-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02e."/>
                <p>all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;</p>
+               <link rel="assessment-for" href="#ma-2_smt.e"/>
             </part>
             <part id="ma-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02f."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.03"/> is included in organizational maintenance records.</p>
+               <link rel="assessment-for" href="#ma-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ma-2_smt"/>
          </part>
          <part id="ma-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19644,33 +20650,42 @@
                      <prop name="label" class="sp800-53a" value="MA-02(02)(a)[01]"/>
                      <p>
                         <insert type="param" id-ref="ma-02.02_odp.01"/> are used to schedule maintenance, repair, and replacement actions for the system;</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.a"/>
                   </part>
                   <part id="ma-2.2_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-02(02)(a)[02]"/>
                      <p>
                         <insert type="param" id-ref="ma-02.02_odp.02"/> are used to conduct maintenance, repair, and replacement actions for the system;</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.a"/>
                   </part>
                   <part id="ma-2.2_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-02(02)(a)[03]"/>
                      <p>
                         <insert type="param" id-ref="ma-02.02_odp.03"/> are used to document maintenance, repair, and replacement actions for the system;</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-2.2_smt.a"/>
                </part>
                <part id="ma-2.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02(02)(b)"/>
                   <part id="ma-2.2_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-02(02)(b)[01]"/>
                      <p>up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.b"/>
                   </part>
                   <part id="ma-2.2_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-02(02)(b)[02]"/>
                      <p>up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.b"/>
                   </part>
                   <part id="ma-2.2_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-02(02)(b)[03]"/>
                      <p>up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.</p>
+                     <link rel="assessment-for" href="#ma-2.2_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-2.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-2.2_smt"/>
             </part>
             <part id="ma-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19745,20 +20760,26 @@
                <part id="ma-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[01]"/>
                   <p>the use of system maintenance tools is approved;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
                <part id="ma-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[02]"/>
                   <p>the use of system maintenance tools is controlled;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
                <part id="ma-3_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[03]"/>
                   <p>the use of system maintenance tools is monitored;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-3_smt.a"/>
             </part>
             <part id="ma-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03b."/>
                <p>previously approved system maintenance tools are reviewed <insert type="param" id-ref="ma-03_odp"/>.</p>
+               <link rel="assessment-for" href="#ma-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-3_smt"/>
          </part>
          <part id="ma-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19807,6 +20828,7 @@
             <part id="ma-3.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03(01)"/>
                <p>maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.</p>
+               <link rel="assessment-for" href="#ma-3.1_smt"/>
             </part>
             <part id="ma-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19857,6 +20879,7 @@
             <part id="ma-3.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03(02)"/>
                <p>media containing diagnostic and test programs are checked for malicious code before the media are used in the system.</p>
+               <link rel="assessment-for" href="#ma-3.2_smt"/>
             </part>
             <part id="ma-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19932,19 +20955,24 @@
                <part id="ma-3.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(a)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.a"/>
                </part>
                <part id="ma-3.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(b)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.b"/>
                </part>
                <part id="ma-3.3_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(c)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.c"/>
                </part>
                <part id="ma-3.3_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(d)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from <insert type="param" id-ref="ma-03.03_odp"/> explicitly authorizing removal of the equipment from the facility.</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ma-3.3_smt"/>
             </part>
             <part id="ma-3.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20041,42 +21069,54 @@
                <part id="ma-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[01]"/>
                   <p>nonlocal maintenance and diagnostic activities are approved;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
                <part id="ma-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[02]"/>
                   <p>nonlocal maintenance and diagnostic activities are monitored;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.a"/>
             </part>
             <part id="ma-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04b."/>
                <part id="ma-4_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[01]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
                <part id="ma-4_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[02]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.b"/>
             </part>
             <part id="ma-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04c."/>
                <p>strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;</p>
+               <link rel="assessment-for" href="#ma-4_smt.c"/>
             </part>
             <part id="ma-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04d."/>
                <p>records for nonlocal maintenance and diagnostic activities are maintained;</p>
+               <link rel="assessment-for" href="#ma-4_smt.d"/>
             </part>
             <part id="ma-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04e."/>
                <part id="ma-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[01]"/>
                   <p>session connections are terminated when nonlocal maintenance is completed;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
                <part id="ma-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[02]"/>
                   <p>network connections are terminated when nonlocal maintenance is completed.</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ma-4_smt"/>
          </part>
          <part id="ma-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20146,27 +21186,35 @@
                   <part id="ma-4.3_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-04(03)(a)[01]"/>
                      <p>nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;</p>
+                     <link rel="assessment-for" href="#ma-4.3_smt.a"/>
                   </part>
                   <part id="ma-4.3_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-04(03)(a)[02]"/>
                      <p>nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or</p>
+                     <link rel="assessment-for" href="#ma-4.3_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-4.3_smt.a"/>
                </part>
                <part id="ma-4.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04(03)(b)"/>
                   <part id="ma-4.3_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-04(03)(b)[01]"/>
                      <p>the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;</p>
+                     <link rel="assessment-for" href="#ma-4.3_smt.b"/>
                   </part>
                   <part id="ma-4.3_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-04(03)(b)[02]"/>
                      <p>the component to be serviced is sanitized (for organizational information);</p>
+                     <link rel="assessment-for" href="#ma-4.3_smt.b"/>
                   </part>
                   <part id="ma-4.3_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-04(03)(b)[03]"/>
                      <p>the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.</p>
+                     <link rel="assessment-for" href="#ma-4.3_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-4.3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-4.3_smt"/>
             </part>
             <part id="ma-4.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20250,20 +21298,26 @@
                <part id="ma-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[01]"/>
                   <p>a process for maintenance personnel authorization is established;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
                <part id="ma-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[02]"/>
                   <p>a list of authorized maintenance organizations or personnel is maintained;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-5_smt.a"/>
             </part>
             <part id="ma-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05b."/>
                <p>non-escorted personnel performing maintenance on the system possess the required access authorizations;</p>
+               <link rel="assessment-for" href="#ma-5_smt.b"/>
             </part>
             <part id="ma-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05c."/>
                <p>organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
+               <link rel="assessment-for" href="#ma-5_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-5_smt"/>
          </part>
          <part id="ma-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20343,17 +21397,22 @@
                   <part id="ma-5.1_obj.a.1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-05(01)(a)(01)"/>
                      <p>procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;</p>
+                     <link rel="assessment-for" href="#ma-5.1_smt.a.1"/>
                   </part>
                   <part id="ma-5.1_obj.a.2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-05(01)(a)(02)"/>
                      <p>procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;</p>
+                     <link rel="assessment-for" href="#ma-5.1_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-5.1_smt.a"/>
                </part>
                <part id="ma-5.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05(01)(b)"/>
                   <p>
                      <insert type="param" id-ref="ma-05.01_odp"/> are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.</p>
+                  <link rel="assessment-for" href="#ma-5.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-5.1_smt"/>
             </part>
             <part id="ma-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20435,6 +21494,7 @@
          <part id="ma-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-06"/>
             <p>maintenance support and/or spare parts are obtained for <insert type="param" id-ref="ma-06_odp.01"/> within <insert type="param" id-ref="ma-06_odp.02"/> of failure.</p>
+            <link rel="assessment-for" href="#ma-6_smt"/>
          </part>
          <part id="ma-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20610,18 +21670,22 @@
                <part id="mp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[01]"/>
                   <p>a media protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[02]"/>
                   <p>the media protection policy is disseminated to <insert type="param" id-ref="mp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[03]"/>
                   <p>media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[04]"/>
                   <p>the media protection procedures are disseminated to <insert type="param" id-ref="mp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.01"/>
@@ -20630,41 +21694,53 @@
                      <part id="mp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy compliance;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                   </part>
                   <part id="mp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01a.01(b)"/>
                      <p>the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.a"/>
             </part>
             <part id="mp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01b."/>
                <p>the <insert type="param" id-ref="mp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</p>
+               <link rel="assessment-for" href="#mp-1_smt.b"/>
             </part>
             <part id="mp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01c."/>
@@ -20673,24 +21749,32 @@
                   <part id="mp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[01]"/>
                      <p>the current media protection policy is reviewed and updated <insert type="param" id-ref="mp-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
                   <part id="mp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[02]"/>
                      <p>the current media protection policy is reviewed and updated following <insert type="param" id-ref="mp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                </part>
                <part id="mp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01c.02"/>
                   <part id="mp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[01]"/>
                      <p>the current media protection procedures are reviewed and updated <insert type="param" id-ref="mp-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
                   <part id="mp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[02]"/>
                      <p>the current media protection procedures are reviewed and updated following <insert type="param" id-ref="mp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt"/>
          </part>
          <part id="mp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20794,11 +21878,14 @@
             <part id="mp-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[01]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.01"/> is restricted to <insert type="param" id-ref="mp-02_odp.02"/>;</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
             <part id="mp-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[02]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.03"/> is restricted to <insert type="param" id-ref="mp-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#mp-2_smt"/>
          </part>
          <part id="mp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20883,12 +21970,15 @@
             <part id="mp-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-03a."/>
                <p>system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;</p>
+               <link rel="assessment-for" href="#mp-3_smt.a"/>
             </part>
             <part id="mp-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-03b."/>
                <p>
                   <insert type="param" id-ref="mp-03_odp.01"/> remain within <insert type="param" id-ref="mp-03_odp.02"/>.</p>
+               <link rel="assessment-for" href="#mp-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-3_smt"/>
          </part>
          <part id="mp-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21037,27 +22127,34 @@
                   <prop name="label" class="sp800-53a" value="MP-04a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.01"/> are physically controlled;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.02"/> are physically controlled;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.03"/> are securely stored within <insert type="param" id-ref="mp-04_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[04]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.04"/> are securely stored within <insert type="param" id-ref="mp-04_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-4_smt.a"/>
             </part>
             <part id="mp-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-04b."/>
                <p>system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</p>
+               <link rel="assessment-for" href="#mp-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-4_smt"/>
          </part>
          <part id="mp-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21173,32 +22270,41 @@
                   <prop name="label" class="sp800-53a" value="MP-05a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-05_odp.01"/> are protected during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.a"/>
                </part>
                <part id="mp-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-05_odp.01"/> are controlled during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-5_smt.a"/>
             </part>
             <part id="mp-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05b."/>
                <p>accountability for system media is maintained during transport outside of controlled areas;</p>
+               <link rel="assessment-for" href="#mp-5_smt.b"/>
             </part>
             <part id="mp-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05c."/>
                <p>activities associated with the transport of system media are documented;</p>
+               <link rel="assessment-for" href="#mp-5_smt.c"/>
             </part>
             <part id="mp-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05d."/>
                <part id="mp-5_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05d.[01]"/>
                   <p>personnel authorized to conduct media transport activities is/are identified;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.d"/>
                </part>
                <part id="mp-5_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05d.[02]"/>
                   <p>activities associated with the transport of system media are restricted to identified authorized personnel.</p>
+                  <link rel="assessment-for" href="#mp-5_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#mp-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#mp-5_smt"/>
          </part>
          <part id="mp-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21350,22 +22456,28 @@
                   <prop name="label" class="sp800-53a" value="MP-06a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.01"/> is sanitized using <insert type="param" id-ref="mp-06_odp.04"/> prior to disposal;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.02"/> is sanitized using <insert type="param" id-ref="mp-06_odp.05"/> prior to release from organizational control;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.03"/> is sanitized using <insert type="param" id-ref="mp-06_odp.06"/> prior to release for reuse;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-6_smt.a"/>
             </part>
             <part id="mp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-06b."/>
                <p>sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.</p>
+               <link rel="assessment-for" href="#mp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-6_smt"/>
          </part>
          <part id="mp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21423,23 +22535,29 @@
                <part id="mp-6.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(01)[01]"/>
                   <p>media sanitization and disposal actions are reviewed;</p>
+                  <link rel="assessment-for" href="#mp-6.1_smt"/>
                </part>
                <part id="mp-6.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(01)[02]"/>
                   <p>media sanitization and disposal actions are approved;</p>
+                  <link rel="assessment-for" href="#mp-6.1_smt"/>
                </part>
                <part id="mp-6.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(01)[03]"/>
                   <p>media sanitization and disposal actions are tracked;</p>
+                  <link rel="assessment-for" href="#mp-6.1_smt"/>
                </part>
                <part id="mp-6.1_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(01)[04]"/>
                   <p>media sanitization and disposal actions are documented;</p>
+                  <link rel="assessment-for" href="#mp-6.1_smt"/>
                </part>
                <part id="mp-6.1_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(01)[05]"/>
                   <p>media sanitization and disposal actions are verified.</p>
+                  <link rel="assessment-for" href="#mp-6.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#mp-6.1_smt"/>
             </part>
             <part id="mp-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21523,11 +22641,14 @@
                <part id="mp-6.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(02)[01]"/>
                   <p>sanitization equipment is tested <insert type="param" id-ref="mp-06.02_odp.01"/> to ensure that the intended sanitization is being achieved;</p>
+                  <link rel="assessment-for" href="#mp-6.2_smt"/>
                </part>
                <part id="mp-6.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06(02)[02]"/>
                   <p>sanitization procedures are tested <insert type="param" id-ref="mp-06.02_odp.02"/> to ensure that the intended sanitization is being achieved.</p>
+                  <link rel="assessment-for" href="#mp-6.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#mp-6.2_smt"/>
             </part>
             <part id="mp-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21594,6 +22715,7 @@
             <part id="mp-6.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-06(03)"/>
                <p>non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under <insert type="param" id-ref="mp-06.03_odp"/>.</p>
+               <link rel="assessment-for" href="#mp-6.3_smt"/>
             </part>
             <part id="mp-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21694,11 +22816,14 @@
             <part id="mp-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07a."/>
                <p>the use of <insert type="param" id-ref="mp-07_odp.01"/> is <insert type="param" id-ref="mp-07_odp.02"/> on <insert type="param" id-ref="mp-07_odp.03"/> using <insert type="param" id-ref="mp-07_odp.04"/>;</p>
+               <link rel="assessment-for" href="#mp-7_smt.a"/>
             </part>
             <part id="mp-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07b."/>
                <p>the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.</p>
+               <link rel="assessment-for" href="#mp-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-7_smt"/>
          </part>
          <part id="mp-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21876,18 +23001,22 @@
                <part id="pe-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[01]"/>
                   <p>a physical and environmental protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[02]"/>
                   <p>the physical and environmental protection policy is disseminated to <insert type="param" id-ref="pe-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[03]"/>
                   <p>physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[04]"/>
                   <p>the physical and environmental protection procedures are disseminated to <insert type="param" id-ref="pe-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.01"/>
@@ -21896,41 +23025,53 @@
                      <part id="pe-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                   </part>
                   <part id="pe-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.a"/>
             </part>
             <part id="pe-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01b."/>
                <p>the <insert type="param" id-ref="pe-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;</p>
+               <link rel="assessment-for" href="#pe-1_smt.b"/>
             </part>
             <part id="pe-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01c."/>
@@ -21939,24 +23080,32 @@
                   <part id="pe-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[01]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated <insert type="param" id-ref="pe-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
                   <part id="pe-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[02]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated following <insert type="param" id-ref="pe-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                </part>
                <part id="pe-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01c.02"/>
                   <part id="pe-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[01]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated <insert type="param" id-ref="pe-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
                   <part id="pe-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[02]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated following <insert type="param" id-ref="pe-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt"/>
          </part>
          <part id="pe-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22040,28 +23189,36 @@
                <part id="pe-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[01]"/>
                   <p>a list of individuals with authorized access to the facility where the system resides has been developed;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[02]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been approved;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[03]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been maintained;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-2_smt.a"/>
             </part>
             <part id="pe-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02b."/>
                <p>authorization credentials are issued for facility access;</p>
+               <link rel="assessment-for" href="#pe-2_smt.b"/>
             </part>
             <part id="pe-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02c."/>
                <p>the access list detailing authorized facility access by individuals is reviewed <insert type="param" id-ref="pe-02_odp"/>;</p>
+               <link rel="assessment-for" href="#pe-2_smt.c"/>
             </part>
             <part id="pe-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02d."/>
                <p>individuals are removed from the facility access list when access is no longer required.</p>
+               <link rel="assessment-for" href="#pe-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pe-2_smt"/>
          </part>
          <part id="pe-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22277,62 +23434,79 @@
                <part id="pe-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.01"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by verifying individual access authorizations before granting access to the facility;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.1"/>
                </part>
                <part id="pe-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.02"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by controlling ingress and egress to the facility using <insert type="param" id-ref="pe-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.a"/>
             </part>
             <part id="pe-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03b."/>
                <p>physical access audit logs are maintained for <insert type="param" id-ref="pe-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.b"/>
             </part>
             <part id="pe-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03c."/>
                <p>access to areas within the facility designated as publicly accessible are maintained by implementing <insert type="param" id-ref="pe-03_odp.05"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.c"/>
             </part>
             <part id="pe-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03d."/>
                <part id="pe-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[01]"/>
                   <p>visitors are escorted;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
                <part id="pe-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[02]"/>
                   <p>visitor activity is controlled <insert type="param" id-ref="pe-03_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.d"/>
             </part>
             <part id="pe-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03e."/>
                <part id="pe-3_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[01]"/>
                   <p>keys are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[02]"/>
                   <p>combinations are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[03]"/>
                   <p>other physical access devices are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.e"/>
             </part>
             <part id="pe-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03f."/>
                <p>
                   <insert type="param" id-ref="pe-03_odp.07"/> are inventoried <insert type="param" id-ref="pe-03_odp.08"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.f"/>
             </part>
             <part id="pe-3_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03g."/>
                <part id="pe-3_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[01]"/>
                   <p>combinations are changed <insert type="param" id-ref="pe-03_odp.09"/> , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
                <part id="pe-3_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[02]"/>
                   <p>keys are changed <insert type="param" id-ref="pe-03_odp.10"/> , when keys are lost, or when individuals possessing the keys are transferred or terminated.</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#pe-3_smt"/>
          </part>
          <part id="pe-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22399,11 +23573,14 @@
                <part id="pe-3.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03(01)[01]"/>
                   <p>physical access authorizations to the system are enforced;</p>
+                  <link rel="assessment-for" href="#pe-3.1_smt"/>
                </part>
                <part id="pe-3.1_obj.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03(01)[02]"/>
                   <p>physical access controls are enforced for the facility at <insert type="param" id-ref="pe-03.01_odp"/>.</p>
+                  <link rel="assessment-for" href="#pe-3.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-3.1_smt"/>
             </part>
             <part id="pe-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22482,6 +23659,7 @@
          <part id="pe-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-04"/>
             <p>physical access to <insert type="param" id-ref="pe-04_odp.01"/> within organizational facilities is controlled using <insert type="param" id-ref="pe-04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#pe-4_smt"/>
          </part>
          <part id="pe-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22543,6 +23721,7 @@
          <part id="pe-5_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-05"/>
             <p>physical access to output from <insert type="param" id-ref="pe-05_odp"/> is controlled to prevent unauthorized individuals from obtaining the output.</p>
+            <link rel="assessment-for" href="#pe-5_smt"/>
          </part>
          <part id="pe-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22635,29 +23814,37 @@
             <part id="pe-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06a."/>
                <p>physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;</p>
+               <link rel="assessment-for" href="#pe-6_smt.a"/>
             </part>
             <part id="pe-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06b."/>
                <part id="pe-6_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[01]"/>
                   <p>physical access logs are reviewed <insert type="param" id-ref="pe-06_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
                <part id="pe-6_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[02]"/>
                   <p>physical access logs are reviewed upon occurrence of <insert type="param" id-ref="pe-06_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.b"/>
             </part>
             <part id="pe-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06c."/>
                <part id="pe-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[01]"/>
                   <p>results of reviews are coordinated with organizational incident response capabilities;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
                <part id="pe-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[02]"/>
                   <p>results of investigations are coordinated with organizational incident response capabilities.</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-6_smt"/>
          </part>
          <part id="pe-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22713,11 +23900,14 @@
                <part id="pe-6.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06(01)[01]"/>
                   <p>physical access to the facility where the system resides is monitored using physical intrusion alarms;</p>
+                  <link rel="assessment-for" href="#pe-6.1_smt"/>
                </part>
                <part id="pe-6.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06(01)[02]"/>
                   <p>physical access to the facility where the system resides is monitored using physical surveillance equipment.</p>
+                  <link rel="assessment-for" href="#pe-6.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-6.1_smt"/>
             </part>
             <part id="pe-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22786,6 +23976,7 @@
             <part id="pe-6.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06(04)"/>
                <p>physical access to the system is monitored in addition to the physical access monitoring of the facility at <insert type="param" id-ref="pe-06.04_odp"/>.</p>
+               <link rel="assessment-for" href="#pe-6.4_smt"/>
             </part>
             <part id="pe-6.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22883,15 +24074,19 @@
             <part id="pe-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08a."/>
                <p>visitor access records for the facility where the system resides are maintained for <insert type="param" id-ref="pe-08_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.a"/>
             </part>
             <part id="pe-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08b."/>
                <p>visitor access records are reviewed <insert type="param" id-ref="pe-08_odp.02"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.b"/>
             </part>
             <part id="pe-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08c."/>
                <p>visitor access records anomalies are reported to <insert type="param" id-ref="pe-08_odp.03"/>.</p>
+               <link rel="assessment-for" href="#pe-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-8_smt"/>
          </part>
          <part id="pe-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22967,11 +24162,14 @@
                <part id="pe-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-08(01)[01]"/>
                   <p>visitor access records are maintained using <insert type="param" id-ref="pe-08.01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-8.1_smt"/>
                </part>
                <part id="pe-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-08(01)[02]"/>
                   <p>visitor access records are reviewed using <insert type="param" id-ref="pe-08.01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#pe-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-8.1_smt"/>
             </part>
             <part id="pe-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23024,11 +24222,14 @@
             <part id="pe-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-09[01]"/>
                <p>power equipment for the system is protected from damage and destruction;</p>
+               <link rel="assessment-for" href="#pe-9_smt"/>
             </part>
             <part id="pe-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-09[02]"/>
                <p>power cabling for the system is protected from damage and destruction.</p>
+               <link rel="assessment-for" href="#pe-9_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-9_smt"/>
          </part>
          <part id="pe-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23107,15 +24308,19 @@
             <part id="pe-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10a."/>
                <p>the capability to shut off power to <insert type="param" id-ref="pe-10_odp.01"/> in emergency situations is provided;</p>
+               <link rel="assessment-for" href="#pe-10_smt.a"/>
             </part>
             <part id="pe-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10b."/>
                <p>emergency shutoff switches or devices are placed in <insert type="param" id-ref="pe-10_odp.02"/> to facilitate access for authorized personnel;</p>
+               <link rel="assessment-for" href="#pe-10_smt.b"/>
             </part>
             <part id="pe-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10c."/>
                <p>the emergency power shutoff capability is protected from unauthorized activation.</p>
+               <link rel="assessment-for" href="#pe-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-10_smt"/>
          </part>
          <part id="pe-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23174,6 +24379,7 @@
          <part id="pe-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11"/>
             <p>an uninterruptible power supply is provided to facilitate <insert type="param" id-ref="pe-11_odp"/> in the event of a primary power source loss.</p>
+            <link rel="assessment-for" href="#pe-11_smt"/>
          </part>
          <part id="pe-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23232,11 +24438,14 @@
                <part id="pe-11.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-11(01)[01]"/>
                   <p>an alternate power supply provided for the system is activated <insert type="param" id-ref="pe-11.01_odp"/>;</p>
+                  <link rel="assessment-for" href="#pe-11.1_smt"/>
                </part>
                <part id="pe-11.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-11(01)[02]"/>
                   <p>the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.</p>
+                  <link rel="assessment-for" href="#pe-11.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-11.1_smt"/>
             </part>
             <part id="pe-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23290,19 +24499,24 @@
             <part id="pe-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[01]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[02]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[03]"/>
                <p>automatic emergency lighting for the system covers emergency exits within the facility;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[04]"/>
                <p>automatic emergency lighting for the system covers evacuation routes within the facility.</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-12_smt"/>
          </part>
          <part id="pe-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23353,27 +24567,34 @@
             <part id="pe-13_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[01]"/>
                <p>fire detection systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[02]"/>
                <p>employed fire detection systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[03]"/>
                <p>employed fire detection systems are maintained;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[04]"/>
                <p>fire suppression systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[05]"/>
                <p>employed fire suppression systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[06]"/>
                <p>employed fire suppression systems are maintained.</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-13_smt"/>
          </part>
          <part id="pe-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23439,15 +24660,19 @@
                <part id="pe-13.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[01]"/>
                   <p>fire detection systems that activate automatically are employed in the event of a fire;</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
                <part id="pe-13.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[02]"/>
                   <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.01"/> automatically are employed in the event of a fire;</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
                <part id="pe-13.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[03]"/>
                   <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.02"/> automatically are employed in the event of a fire.</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-13.1_smt"/>
             </part>
             <part id="pe-13.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23528,20 +24753,26 @@
                   <part id="pe-13.2_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-13(02)(a)[01]"/>
                      <p>fire suppression systems that activate automatically are employed;</p>
+                     <link rel="assessment-for" href="#pe-13.2_smt.a"/>
                   </part>
                   <part id="pe-13.2_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-13(02)(a)[02]"/>
                      <p>fire suppression systems that notify <insert type="param" id-ref="pe-13.02_odp.01"/> automatically are employed;</p>
+                     <link rel="assessment-for" href="#pe-13.2_smt.a"/>
                   </part>
                   <part id="pe-13.2_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-13(02)(a)[03]"/>
                      <p>fire suppression systems that notify <insert type="param" id-ref="pe-13.02_odp.02"/> automatically are employed;</p>
+                     <link rel="assessment-for" href="#pe-13.2_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-13.2_smt.a"/>
                </part>
                <part id="pe-13.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(02)(b)"/>
                   <p>an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.</p>
+                  <link rel="assessment-for" href="#pe-13.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pe-13.2_smt"/>
             </part>
             <part id="pe-13.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23643,11 +24874,14 @@
                <prop name="label" class="sp800-53a" value="PE-14a."/>
                <p>
                   <insert type="param" id-ref="pe-14_odp.01"/> levels are maintained at <insert type="param" id-ref="pe-14_odp.03"/> within the facility where the system resides;</p>
+               <link rel="assessment-for" href="#pe-14_smt.a"/>
             </part>
             <part id="pe-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-14b."/>
                <p>environmental control levels are monitored <insert type="param" id-ref="pe-14_odp.04"/>.</p>
+               <link rel="assessment-for" href="#pe-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-14_smt"/>
          </part>
          <part id="pe-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23700,19 +24934,24 @@
             <part id="pe-15_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[01]"/>
                <p>the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[02]"/>
                <p>the master shutoff or isolation valves are accessible;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[03]"/>
                <p>the master shutoff or isolation valves are working properly;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[04]"/>
                <p>the master shutoff or isolation valves are known to key personnel.</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-15_smt"/>
          </part>
          <part id="pe-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23780,12 +25019,15 @@
                <part id="pe-15.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-15(01)[01]"/>
                   <p>the presence of water near the system can be detected automatically;</p>
+                  <link rel="assessment-for" href="#pe-15.1_smt"/>
                </part>
                <part id="pe-15.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-15(01)[02]"/>
                   <p>
                      <insert type="param" id-ref="pe-15.01_odp.01"/> is/are alerted using <insert type="param" id-ref="pe-15.01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#pe-15.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-15.1_smt"/>
             </part>
             <part id="pe-15.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23880,27 +25122,34 @@
                   <prop name="label" class="sp800-53a" value="PE-16a.[01]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are authorized when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[02]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are controlled when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[03]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are authorized when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[04]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are controlled when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-16_smt.a"/>
             </part>
             <part id="pe-16_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-16b."/>
                <p>records of the system components are maintained.</p>
+               <link rel="assessment-for" href="#pe-16_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-16_smt"/>
          </part>
          <part id="pe-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23986,20 +25235,25 @@
                <prop name="label" class="sp800-53a" value="PE-17a."/>
                <p>
                   <insert type="param" id-ref="pe-17_odp.01"/> are determined and documented;</p>
+               <link rel="assessment-for" href="#pe-17_smt.a"/>
             </part>
             <part id="pe-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17b."/>
                <p>
                   <insert type="param" id-ref="pe-17_odp.02"/> are employed at alternate work sites;</p>
+               <link rel="assessment-for" href="#pe-17_smt.b"/>
             </part>
             <part id="pe-17_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17c."/>
                <p>the effectiveness of controls at alternate work sites is assessed;</p>
+               <link rel="assessment-for" href="#pe-17_smt.c"/>
             </part>
             <part id="pe-17_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17d."/>
                <p>a means for employees to communicate with information security and privacy personnel in case of incidents is provided.</p>
+               <link rel="assessment-for" href="#pe-17_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pe-17_smt"/>
          </part>
          <part id="pe-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24065,6 +25319,7 @@
          <part id="pe-18_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-18"/>
             <p>system components are positioned within the facility to minimize potential damage from <insert type="param" id-ref="pe-18_odp"/> and to minimize the opportunity for unauthorized access.</p>
+            <link rel="assessment-for" href="#pe-18_smt"/>
          </part>
          <part id="pe-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24239,18 +25494,22 @@
                <part id="pl-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[01]"/>
                   <p>a planning policy is developed and documented.</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[02]"/>
                   <p>the planning policy is disseminated to <insert type="param" id-ref="pl-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[03]"/>
                   <p>planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[04]"/>
                   <p>the planning procedures are disseminated to <insert type="param" id-ref="pl-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.01"/>
@@ -24259,41 +25518,53 @@
                      <part id="pl-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                   </part>
                   <part id="pl-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.a"/>
             </part>
             <part id="pl-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01b."/>
                <p>the <insert type="param" id-ref="pl-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the planning policy and procedures;</p>
+               <link rel="assessment-for" href="#pl-1_smt.b"/>
             </part>
             <part id="pl-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01c."/>
@@ -24302,24 +25573,32 @@
                   <part id="pl-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[01]"/>
                      <p>the current planning policy is reviewed and updated <insert type="param" id-ref="pl-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
                   <part id="pl-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[02]"/>
                      <p>the current planning policy is reviewed and updated following <insert type="param" id-ref="pl-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                </part>
                <part id="pl-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01c.02"/>
                   <part id="pl-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[01]"/>
                      <p>the current planning procedures are reviewed and updated <insert type="param" id-ref="pl-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
                   <part id="pl-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[02]"/>
                      <p>the current planning procedures are reviewed and updated following <insert type="param" id-ref="pl-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt"/>
          </part>
          <part id="pl-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24514,208 +25793,266 @@
                   <part id="pl-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[01]"/>
                      <p>a security plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
                   <part id="pl-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[02]"/>
                      <p>a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                </part>
                <part id="pl-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.02"/>
                   <part id="pl-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[01]"/>
                      <p>a security plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
                   <part id="pl-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[02]"/>
                      <p>a privacy plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                </part>
                <part id="pl-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.03"/>
                   <part id="pl-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[01]"/>
                      <p>a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
                   <part id="pl-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                </part>
                <part id="pl-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.04"/>
                   <part id="pl-2_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[01]"/>
                      <p>a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
                   <part id="pl-2_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[02]"/>
                      <p>a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                </part>
                <part id="pl-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.05"/>
                   <part id="pl-2_obj.a.5-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[01]"/>
                      <p>a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
                   <part id="pl-2_obj.a.5-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[02]"/>
                      <p>a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                </part>
                <part id="pl-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.06"/>
                   <part id="pl-2_obj.a.6-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[01]"/>
                      <p>a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
                   <part id="pl-2_obj.a.6-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[02]"/>
                      <p>a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                </part>
                <part id="pl-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.07"/>
                   <part id="pl-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[01]"/>
                      <p>a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
                   <part id="pl-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[02]"/>
                      <p>a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                </part>
                <part id="pl-2_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.08"/>
                   <part id="pl-2_obj.a.8-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[01]"/>
                      <p>a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
                   <part id="pl-2_obj.a.8-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[02]"/>
                      <p>a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                </part>
                <part id="pl-2_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.09"/>
                   <part id="pl-2_obj.a.9-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[01]"/>
                      <p>a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
                   <part id="pl-2_obj.a.9-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                </part>
                <part id="pl-2_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.10"/>
                   <part id="pl-2_obj.a.10-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[01]"/>
                      <p>a security plan for the system is developed that provides an overview of the security requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
                   <part id="pl-2_obj.a.10-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[02]"/>
                      <p>a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                </part>
                <part id="pl-2_obj.a.11" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.11"/>
                   <part id="pl-2_obj.a.11-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[01]"/>
                      <p>a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
                   <part id="pl-2_obj.a.11-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[02]"/>
                      <p>a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                </part>
                <part id="pl-2_obj.a.12" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.12"/>
                   <part id="pl-2_obj.a.12-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[01]"/>
                      <p>a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
                   <part id="pl-2_obj.a.12-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[02]"/>
                      <p>a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                </part>
                <part id="pl-2_obj.a.13" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.13"/>
                   <part id="pl-2_obj.a.13-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[01]"/>
                      <p>a security plan for the system is developed that includes risk determinations for security architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
                   <part id="pl-2_obj.a.13-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[02]"/>
                      <p>a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                </part>
                <part id="pl-2_obj.a.14" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.14"/>
                   <part id="pl-2_obj.a.14-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[01]"/>
                      <p>a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
                   <part id="pl-2_obj.a.14-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[02]"/>
                      <p>a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                </part>
                <part id="pl-2_obj.a.15" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.15"/>
                   <part id="pl-2_obj.a.15-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[01]"/>
                      <p>a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
                   <part id="pl-2_obj.a.15-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[02]"/>
                      <p>a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.a"/>
             </part>
             <part id="pl-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02b."/>
                <part id="pl-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[01]"/>
                   <p>copies of the plans are distributed to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
                <part id="pl-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[02]"/>
                   <p>subsequent changes to the plans are communicated to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.b"/>
             </part>
             <part id="pl-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02c."/>
                <p>plans are reviewed <insert type="param" id-ref="pl-02_odp.03"/>;</p>
+               <link rel="assessment-for" href="#pl-2_smt.c"/>
             </part>
             <part id="pl-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02d."/>
                <part id="pl-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[01]"/>
                   <p>plans are updated to address changes to the system and environment of operations;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[02]"/>
                   <p>plans are updated to address problems identified during the plan implementation;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[03]"/>
                   <p>plans are updated to address problems identified during control assessments;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.d"/>
             </part>
             <part id="pl-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02e."/>
                <part id="pl-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[01]"/>
                   <p>plans are protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
                <part id="pl-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[02]"/>
                   <p>plans are protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt"/>
          </part>
          <part id="pl-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24839,24 +26176,31 @@
                <part id="pl-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[01]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
                <part id="pl-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[02]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pl-4_smt.a"/>
             </part>
             <part id="pl-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04b."/>
                <p>before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;</p>
+               <link rel="assessment-for" href="#pl-4_smt.b"/>
             </part>
             <part id="pl-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04c."/>
                <p>rules of behavior are reviewed and updated <insert type="param" id-ref="pl-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pl-4_smt.c"/>
             </part>
             <part id="pl-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04d."/>
                <p>individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge <insert type="param" id-ref="pl-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#pl-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pl-4_smt"/>
          </part>
          <part id="pl-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24925,15 +26269,19 @@
                <part id="pl-4.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(a)"/>
                   <p>the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.a"/>
                </part>
                <part id="pl-4.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(b)"/>
                   <p>the rules of behavior include restrictions on posting organizational information on public websites;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.b"/>
                </part>
                <part id="pl-4.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(c)"/>
                   <p>the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-4.1_smt"/>
             </part>
             <part id="pl-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25046,65 +26394,83 @@
                <part id="pl-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.01"/>
                   <p>a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.1"/>
                </part>
                <part id="pl-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.02"/>
                   <p>a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.2"/>
                </part>
                <part id="pl-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.03"/>
                   <part id="pl-8_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[01]"/>
                      <p>a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
                   <part id="pl-8_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[02]"/>
                      <p>a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                </part>
                <part id="pl-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.04"/>
                   <part id="pl-8_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[01]"/>
                      <p>a security architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
                   <part id="pl-8_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[02]"/>
                      <p>a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.a"/>
             </part>
             <part id="pl-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08b."/>
                <p>changes in the enterprise architecture are reviewed and updated <insert type="param" id-ref="pl-08_odp"/> to reflect changes in the enterprise architecture;</p>
+               <link rel="assessment-for" href="#pl-8_smt.b"/>
             </part>
             <part id="pl-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08c."/>
                <part id="pl-8_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[01]"/>
                   <p>planned architecture changes are reflected in the security plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[02]"/>
                   <p>planned architecture changes are reflected in the privacy plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[03]"/>
                   <p>planned architecture changes are reflected in the Concept of Operations (CONOPS);</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[04]"/>
                   <p>planned architecture changes are reflected in criticality analysis;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[05]"/>
                   <p>planned architecture changes are reflected in organizational procedures;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[06]"/>
                   <p>planned architecture changes are reflected in procurements and acquisitions.</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-8_smt"/>
          </part>
          <part id="pl-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25172,6 +26538,7 @@
          <part id="pl-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-10"/>
             <p>a control baseline for the system is selected.</p>
+            <link rel="assessment-for" href="#pl-10_smt"/>
          </part>
          <part id="pl-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25240,6 +26607,7 @@
          <part id="pl-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-11"/>
             <p>the selected control baseline is tailored by applying specified tailoring actions.</p>
+            <link rel="assessment-for" href="#pl-11_smt"/>
          </part>
          <part id="pl-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25417,18 +26785,22 @@
                <part id="ps-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[01]"/>
                   <p>a personnel security policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[02]"/>
                   <p>the personnel security policy is disseminated to <insert type="param" id-ref="ps-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[03]"/>
                   <p>personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[04]"/>
                   <p>the personnel security procedures are disseminated to <insert type="param" id-ref="ps-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.01"/>
@@ -25437,41 +26809,53 @@
                      <part id="ps-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                   </part>
                   <part id="ps-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.a"/>
             </part>
             <part id="ps-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01b."/>
                <p>the <insert type="param" id-ref="ps-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;</p>
+               <link rel="assessment-for" href="#ps-1_smt.b"/>
             </part>
             <part id="ps-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01c."/>
@@ -25480,24 +26864,32 @@
                   <part id="ps-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[01]"/>
                      <p>the current personnel security policy is reviewed and updated <insert type="param" id-ref="ps-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
                   <part id="ps-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[02]"/>
                      <p>the current personnel security policy is reviewed and updated following <insert type="param" id-ref="ps-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                </part>
                <part id="ps-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01c.02"/>
                   <part id="ps-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[01]"/>
                      <p>the current personnel security procedures are reviewed and updated <insert type="param" id-ref="ps-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
                   <part id="ps-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[02]"/>
                      <p>the current personnel security procedures are reviewed and updated following <insert type="param" id-ref="ps-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt"/>
          </part>
          <part id="ps-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25571,15 +26963,19 @@
             <part id="ps-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02a."/>
                <p>a risk designation is assigned to all organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.a"/>
             </part>
             <part id="ps-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02b."/>
                <p>screening criteria are established for individuals filling organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.b"/>
             </part>
             <part id="ps-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02c."/>
                <p>position risk designations are reviewed and updated <insert type="param" id-ref="ps-02_odp"/>.</p>
+               <link rel="assessment-for" href="#ps-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-2_smt"/>
          </part>
          <part id="ps-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25678,18 +27074,23 @@
             <part id="ps-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03a."/>
                <p>individuals are screened prior to authorizing access to the system;</p>
+               <link rel="assessment-for" href="#ps-3_smt.a"/>
             </part>
             <part id="ps-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03b."/>
                <part id="ps-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[01]"/>
                   <p>individuals are rescreened in accordance with <insert type="param" id-ref="ps-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
                <part id="ps-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[02]"/>
                   <p>where rescreening is so indicated, individuals are rescreened <insert type="param" id-ref="ps-03_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ps-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-3_smt"/>
          </part>
          <part id="ps-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25779,23 +27180,29 @@
             <part id="ps-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04a."/>
                <p>upon termination of individual employment, system access is disabled within <insert type="param" id-ref="ps-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-4_smt.a"/>
             </part>
             <part id="ps-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04b."/>
                <p>upon termination of individual employment, any authenticators and credentials are terminated or revoked;</p>
+               <link rel="assessment-for" href="#ps-4_smt.b"/>
             </part>
             <part id="ps-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04c."/>
                <p>upon termination of individual employment, exit interviews that include a discussion of <insert type="param" id-ref="ps-04_odp.02"/> are conducted;</p>
+               <link rel="assessment-for" href="#ps-4_smt.c"/>
             </part>
             <part id="ps-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04d."/>
                <p>upon termination of individual employment, all security-related organizational system-related property is retrieved;</p>
+               <link rel="assessment-for" href="#ps-4_smt.d"/>
             </part>
             <part id="ps-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04e."/>
                <p>upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.</p>
+               <link rel="assessment-for" href="#ps-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-4_smt"/>
          </part>
          <part id="ps-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25873,6 +27280,7 @@
                <prop name="label" class="sp800-53a" value="PS-04(02)"/>
                <p>
                   <insert type="param" id-ref="ps-04.02_odp.01"/> are used to <insert type="param" id-ref="ps-04.02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ps-4.2_smt"/>
             </part>
             <part id="ps-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25978,21 +27386,26 @@
             <part id="ps-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05a."/>
                <p>the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;</p>
+               <link rel="assessment-for" href="#ps-5_smt.a"/>
             </part>
             <part id="ps-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05b."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.01"/> are initiated within <insert type="param" id-ref="ps-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-5_smt.b"/>
             </part>
             <part id="ps-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05c."/>
                <p>access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;</p>
+               <link rel="assessment-for" href="#ps-5_smt.c"/>
             </part>
             <part id="ps-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05d."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.03"/> are notified within <insert type="param" id-ref="ps-05_odp.04"/>.</p>
+               <link rel="assessment-for" href="#ps-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ps-5_smt"/>
          </part>
          <part id="ps-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26093,22 +27506,28 @@
             <part id="ps-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06a."/>
                <p>access agreements are developed and documented for organizational systems;</p>
+               <link rel="assessment-for" href="#ps-6_smt.a"/>
             </part>
             <part id="ps-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06b."/>
                <p>the access agreements are reviewed and updated <insert type="param" id-ref="ps-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-6_smt.b"/>
             </part>
             <part id="ps-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06c."/>
                <part id="ps-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.01"/>
                   <p>individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.1"/>
                </part>
                <part id="ps-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.02"/>
                   <p>individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert type="param" id-ref="ps-06_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-6_smt"/>
          </part>
          <part id="ps-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26215,23 +27634,29 @@
             <part id="ps-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07a."/>
                <p>personnel security requirements are established, including security roles and responsibilities for external providers;</p>
+               <link rel="assessment-for" href="#ps-7_smt.a"/>
             </part>
             <part id="ps-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07b."/>
                <p>external providers are required to comply with personnel security policies and procedures established by the organization;</p>
+               <link rel="assessment-for" href="#ps-7_smt.b"/>
             </part>
             <part id="ps-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07c."/>
                <p>personnel security requirements are documented;</p>
+               <link rel="assessment-for" href="#ps-7_smt.c"/>
             </part>
             <part id="ps-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07d."/>
                <p>external providers are required to notify <insert type="param" id-ref="ps-07_odp.01"/> of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within <insert type="param" id-ref="ps-07_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-7_smt.d"/>
             </part>
             <part id="ps-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07e."/>
                <p>provider compliance with personnel security requirements is monitored.</p>
+               <link rel="assessment-for" href="#ps-7_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-7_smt"/>
          </part>
          <part id="ps-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26313,12 +27738,15 @@
             <part id="ps-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08a."/>
                <p>a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;</p>
+               <link rel="assessment-for" href="#ps-8_smt.a"/>
             </part>
             <part id="ps-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08b."/>
                <p>
                   <insert type="param" id-ref="ps-08_odp.01"/> is/are notified within <insert type="param" id-ref="ps-08_odp.02"/> when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
+               <link rel="assessment-for" href="#ps-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-8_smt"/>
          </part>
          <part id="ps-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26374,11 +27802,14 @@
             <part id="ps-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[01]"/>
                <p>security roles and responsibilities are incorporated into organizational position descriptions;</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
             <part id="ps-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[02]"/>
                <p>privacy roles and responsibilities are incorporated into organizational position descriptions.</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
+            <link rel="assessment-for" href="#ps-9_smt"/>
          </part>
          <part id="ps-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26554,18 +27985,22 @@
                <part id="ra-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[01]"/>
                   <p>a risk assessment policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[02]"/>
                   <p>the risk assessment policy is disseminated to <insert type="param" id-ref="ra-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[03]"/>
                   <p>risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[04]"/>
                   <p>the risk assessment procedures are disseminated to <insert type="param" id-ref="ra-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.01"/>
@@ -26574,41 +28009,53 @@
                      <part id="ra-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                   </part>
                   <part id="ra-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.a"/>
             </part>
             <part id="ra-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01b."/>
                <p>the <insert type="param" id-ref="ra-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;</p>
+               <link rel="assessment-for" href="#ra-1_smt.b"/>
             </part>
             <part id="ra-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01c."/>
@@ -26617,24 +28064,32 @@
                   <part id="ra-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[01]"/>
                      <p>the current risk assessment policy is reviewed and updated <insert type="param" id-ref="ra-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
                   <part id="ra-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[02]"/>
                      <p>the current risk assessment policy is reviewed and updated following <insert type="param" id-ref="ra-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                </part>
                <part id="ra-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01c.02"/>
                   <part id="ra-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[01]"/>
                      <p>the current risk assessment procedures are reviewed and updated <insert type="param" id-ref="ra-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
                   <part id="ra-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[02]"/>
                      <p>the current risk assessment procedures are reviewed and updated following <insert type="param" id-ref="ra-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt"/>
          </part>
          <part id="ra-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26711,15 +28166,19 @@
             <part id="ra-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02a."/>
                <p>the system and the information it processes, stores, and transmits are categorized;</p>
+               <link rel="assessment-for" href="#ra-2_smt.a"/>
             </part>
             <part id="ra-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02b."/>
                <p>the security categorization results, including supporting rationale, are documented in the security plan for the system;</p>
+               <link rel="assessment-for" href="#ra-2_smt.b"/>
             </part>
             <part id="ra-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02c."/>
                <p>the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
+               <link rel="assessment-for" href="#ra-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-2_smt"/>
          </part>
          <part id="ra-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26887,36 +28346,46 @@
                <part id="ra-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.01"/>
                   <p>a risk assessment is conducted to identify threats to and vulnerabilities in the system;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.1"/>
                </part>
                <part id="ra-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.02"/>
                   <p>a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.2"/>
                </part>
                <part id="ra-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.03"/>
                   <p>a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-3_smt.a"/>
             </part>
             <part id="ra-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03b."/>
                <p>risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;</p>
+               <link rel="assessment-for" href="#ra-3_smt.b"/>
             </part>
             <part id="ra-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03c."/>
                <p>risk assessment results are documented in <insert type="param" id-ref="ra-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.c"/>
             </part>
             <part id="ra-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03d."/>
                <p>risk assessment results are reviewed <insert type="param" id-ref="ra-03_odp.03"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.d"/>
             </part>
             <part id="ra-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03e."/>
                <p>risk assessment results are disseminated to <insert type="param" id-ref="ra-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.e"/>
             </part>
             <part id="ra-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03f."/>
                <p>the risk assessment is updated <insert type="param" id-ref="ra-03_odp.05"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
+               <link rel="assessment-for" href="#ra-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-3_smt"/>
          </part>
          <part id="ra-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27002,11 +28471,14 @@
                <part id="ra-3.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(a)"/>
                   <p>supply chain risks associated with <insert type="param" id-ref="ra-03.01_odp.01"/> are assessed;</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.a"/>
                </part>
                <part id="ra-3.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(b)"/>
                   <p>the supply chain risk assessment is updated <insert type="param" id-ref="ra-03.01_odp.02"/> , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ra-3.1_smt"/>
             </part>
             <part id="ra-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27173,11 +28645,14 @@
                <part id="ra-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[01]"/>
                   <p>systems and hosted applications are monitored for vulnerabilities <insert type="param" id-ref="ra-05_odp.01"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
                <part id="ra-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[02]"/>
                   <p>systems and hosted applications are scanned for vulnerabilities <insert type="param" id-ref="ra-05_odp.02"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.a"/>
             </part>
             <part id="ra-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05b."/>
@@ -27185,32 +28660,41 @@
                <part id="ra-5_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.01"/>
                   <p>vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.1"/>
                </part>
                <part id="ra-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.02"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.2"/>
                </part>
                <part id="ra-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.03"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.b"/>
             </part>
             <part id="ra-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05c."/>
                <p>vulnerability scan reports and results from vulnerability monitoring are analyzed;</p>
+               <link rel="assessment-for" href="#ra-5_smt.c"/>
             </part>
             <part id="ra-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05d."/>
                <p>legitimate vulnerabilities are remediated <insert type="param" id-ref="ra-05_odp.03"/> in accordance with an organizational assessment of risk;</p>
+               <link rel="assessment-for" href="#ra-5_smt.d"/>
             </part>
             <part id="ra-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05e."/>
                <p>information obtained from the vulnerability monitoring process and control assessments is shared with <insert type="param" id-ref="ra-05_odp.04"/> to help eliminate similar vulnerabilities in other systems;</p>
+               <link rel="assessment-for" href="#ra-5_smt.e"/>
             </part>
             <part id="ra-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05f."/>
                <p>vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.</p>
+               <link rel="assessment-for" href="#ra-5_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-5_smt"/>
          </part>
          <part id="ra-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27287,6 +28771,7 @@
             <part id="ra-5.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(02)"/>
                <p>the system vulnerabilities to be scanned are updated <insert type="param" id-ref="ra-05.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#ra-5.2_smt"/>
             </part>
             <part id="ra-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27353,12 +28838,15 @@
                <part id="ra-5.4_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05(04)[01]"/>
                   <p>information about the system is discoverable;</p>
+                  <link rel="assessment-for" href="#ra-5.4_smt"/>
                </part>
                <part id="ra-5.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05(04)[02]"/>
                   <p>
                      <insert type="param" id-ref="ra-05.04_odp"/> are taken when information about the system is confirmed as discoverable.</p>
+                  <link rel="assessment-for" href="#ra-5.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#ra-5.4_smt"/>
             </part>
             <part id="ra-5.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27437,6 +28925,7 @@
             <part id="ra-5.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(05)"/>
                <p>privileged access authorization is implemented to <insert type="param" id-ref="ra-05.05_odp.01"/> for <insert type="param" id-ref="ra-05.05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ra-5.5_smt"/>
             </part>
             <part id="ra-5.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27498,6 +28987,7 @@
             <part id="ra-5.11_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(11)"/>
                <p>a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.</p>
+               <link rel="assessment-for" href="#ra-5.11_smt"/>
             </part>
             <part id="ra-5.11_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27570,19 +29060,24 @@
             <part id="ra-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[01]"/>
                <p>findings from security assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[02]"/>
                <p>findings from privacy assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[03]"/>
                <p>findings from monitoring are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[04]"/>
                <p>findings from audits are responded to in accordance with organizational risk tolerance.</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ra-7_smt"/>
          </part>
          <part id="ra-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27661,6 +29156,7 @@
          <part id="ra-9_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-09"/>
             <p>critical system components and functions are identified by performing a criticality analysis for <insert type="param" id-ref="ra-09_odp.01"/> at <insert type="param" id-ref="ra-09_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ra-9_smt"/>
          </part>
          <part id="ra-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27839,18 +29335,22 @@
                <part id="sa-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[01]"/>
                   <p>a system and services acquisition policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[02]"/>
                   <p>the system and services acquisition policy is disseminated to <insert type="param" id-ref="sa-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[03]"/>
                   <p>system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[04]"/>
                   <p>the system and services acquisition procedures are disseminated to <insert type="param" id-ref="sa-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.01"/>
@@ -27859,41 +29359,53 @@
                      <part id="sa-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                   </part>
                   <part id="sa-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.a"/>
             </part>
             <part id="sa-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01b."/>
                <p>the <insert type="param" id-ref="sa-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;</p>
+               <link rel="assessment-for" href="#sa-1_smt.b"/>
             </part>
             <part id="sa-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01c."/>
@@ -27902,24 +29414,32 @@
                   <part id="sa-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[01]"/>
                      <p>the system and services acquisition policy is reviewed and updated <insert type="param" id-ref="sa-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
                   <part id="sa-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[02]"/>
                      <p>the current system and services acquisition policy is reviewed and updated following <insert type="param" id-ref="sa-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                </part>
                <part id="sa-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01c.02"/>
                   <part id="sa-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[01]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated <insert type="param" id-ref="sa-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
                   <part id="sa-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[02]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated following <insert type="param" id-ref="sa-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt"/>
          </part>
          <part id="sa-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27989,34 +29509,44 @@
                <part id="sa-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[01]"/>
                   <p>the high-level information security requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
                <part id="sa-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[02]"/>
                   <p>the high-level privacy requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.a"/>
             </part>
             <part id="sa-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02b."/>
                <part id="sa-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[01]"/>
                   <p>the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
                <part id="sa-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[02]"/>
                   <p>the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.b"/>
             </part>
             <part id="sa-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02c."/>
                <part id="sa-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[01]"/>
                   <p>a discrete line item for information security is established in organizational programming and budgeting documentation;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
                <part id="sa-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[02]"/>
                   <p>a discrete line item for privacy is established in organizational programming and budgeting documentation.</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-2_smt"/>
          </part>
          <part id="sa-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28124,45 +29654,58 @@
                <part id="sa-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[01]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates information security considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
                <part id="sa-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[02]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates privacy considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.a"/>
             </part>
             <part id="sa-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03b."/>
                <part id="sa-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[01]"/>
                   <p>information security roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
                <part id="sa-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[02]"/>
                   <p>privacy roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.b"/>
             </part>
             <part id="sa-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03c."/>
                <part id="sa-3_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[01]"/>
                   <p>individuals with information security roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
                <part id="sa-3_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[02]"/>
                   <p>individuals with privacy roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.c"/>
             </part>
             <part id="sa-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03d."/>
                <part id="sa-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[01]"/>
                   <p>organizational information security risk management processes are integrated into system development life cycle activities;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
                <part id="sa-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[02]"/>
                   <p>organizational privacy risk management processes are integrated into system development life cycle activities.</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-3_smt"/>
          </part>
          <part id="sa-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28318,83 +29861,106 @@
                <part id="sa-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[01]"/>
                   <p>security functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
                <part id="sa-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[02]"/>
                   <p>privacy functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.a"/>
             </part>
             <part id="sa-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04b."/>
                <p>strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.b"/>
             </part>
             <part id="sa-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04c."/>
                <part id="sa-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[01]"/>
                   <p>security assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
                <part id="sa-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[02]"/>
                   <p>privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.c"/>
             </part>
             <part id="sa-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04d."/>
                <part id="sa-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[01]"/>
                   <p>controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
                <part id="sa-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[02]"/>
                   <p>controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.d"/>
             </part>
             <part id="sa-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04e."/>
                <part id="sa-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[01]"/>
                   <p>security documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
                <part id="sa-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[02]"/>
                   <p>privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.e"/>
             </part>
             <part id="sa-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04f."/>
                <part id="sa-4_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[01]"/>
                   <p>requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
                <part id="sa-4_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[02]"/>
                   <p>requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.f"/>
             </part>
             <part id="sa-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04g."/>
                <p>the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.g"/>
             </part>
             <part id="sa-4_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04h."/>
                <part id="sa-4_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[01]"/>
                   <p>the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[02]"/>
                   <p>the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[03]"/>
                   <p>the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.h"/>
             </part>
             <part id="sa-4_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04i."/>
                <p>acceptance criteria requirements and descriptions are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service.</p>
+               <link rel="assessment-for" href="#sa-4_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#sa-4_smt"/>
          </part>
          <part id="sa-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28452,6 +30018,7 @@
             <part id="sa-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(01)"/>
                <p>the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.</p>
+               <link rel="assessment-for" href="#sa-4.1_smt"/>
             </part>
             <part id="sa-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28537,6 +30104,7 @@
             <part id="sa-4.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(02)"/>
                <p>the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using <insert type="param" id-ref="sa-04.02_odp.01"/> at <insert type="param" id-ref="sa-04.02_odp.03"/>.</p>
+               <link rel="assessment-for" href="#sa-4.2_smt"/>
             </part>
             <part id="sa-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28612,11 +30180,14 @@
                <part id="sa-4.5_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(05)(a)"/>
                   <p>the developer of the system, system component, or system service is required to deliver the system, component, or service with <insert type="param" id-ref="sa-04.05_odp"/> implemented;</p>
+                  <link rel="assessment-for" href="#sa-4.5_smt.a"/>
                </part>
                <part id="sa-4.5_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(05)(b)"/>
                   <p>the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.</p>
+                  <link rel="assessment-for" href="#sa-4.5_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-4.5_smt"/>
             </part>
             <part id="sa-4.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28676,19 +30247,24 @@
                <part id="sa-4.9_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[01]"/>
                   <p>the developer of the system, system component, or system service is required to identify the functions intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[02]"/>
                   <p>the developer of the system, system component, or system service is required to identify the ports intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[03]"/>
                   <p>the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[04]"/>
                   <p>the developer of the system, system component, or system service is required to identify the services intended for organizational use.</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
+               <link rel="assessment-for" href="#sa-4.9_smt"/>
             </part>
             <part id="sa-4.9_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28744,6 +30320,7 @@
             <part id="sa-4.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(10)"/>
                <p>only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.</p>
+               <link rel="assessment-for" href="#sa-4.10_smt"/>
             </part>
             <part id="sa-4.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28881,46 +30458,59 @@
                   <part id="sa-5_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                </part>
                <part id="sa-5_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.02"/>
                   <part id="sa-5_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[04]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                </part>
                <part id="sa-5_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.03"/>
                   <part id="sa-5_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
                   <part id="sa-5_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.a"/>
             </part>
             <part id="sa-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05b."/>
@@ -28929,58 +30519,75 @@
                   <part id="sa-5_obj.b.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[02]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[03]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[04]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                </part>
                <part id="sa-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.02"/>
                   <part id="sa-5_obj.b.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[01]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
                   <part id="sa-5_obj.b.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[02]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                </part>
                <part id="sa-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.03"/>
                   <part id="sa-5_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
                   <part id="sa-5_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[02]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.b"/>
             </part>
             <part id="sa-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05c."/>
                <part id="sa-5_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[01]"/>
                   <p>attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
                <part id="sa-5_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[02]"/>
                   <p>after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, <insert type="param" id-ref="sa-05_odp.01"/> are taken in response;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.c"/>
             </part>
             <part id="sa-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05d."/>
                <p>documentation is distributed to <insert type="param" id-ref="sa-05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sa-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt"/>
          </part>
          <part id="sa-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29096,52 +30703,63 @@
                <prop name="label" class="sp800-53a" value="SA-08[01]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[02]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[03]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[04]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[05]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the modification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[06]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-7" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[07]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-8" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[08]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-9" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[09]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-10" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[10]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the modification of the system and system components.</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
+            <link rel="assessment-for" href="#sa-8_smt"/>
          </part>
          <part id="sa-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29247,32 +30865,41 @@
                <part id="sa-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[01]"/>
                   <p>providers of external system services comply with organizational security requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[02]"/>
                   <p>providers of external system services comply with organizational privacy requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[03]"/>
                   <p>providers of external system services employ <insert type="param" id-ref="sa-09_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.a"/>
             </part>
             <part id="sa-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09b."/>
                <part id="sa-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[01]"/>
                   <p>organizational oversight with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
                <part id="sa-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[02]"/>
                   <p>user roles and responsibilities with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.b"/>
             </part>
             <part id="sa-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09c."/>
                <p>
                   <insert type="param" id-ref="sa-09_odp.02"/> are employed to monitor control compliance by external service providers on an ongoing basis.</p>
+               <link rel="assessment-for" href="#sa-9_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-9_smt"/>
          </part>
          <part id="sa-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29343,6 +30970,7 @@
             <part id="sa-9.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09(02)"/>
                <p>providers of <insert type="param" id-ref="sa-09.02_odp"/> are required to identify the functions, ports, protocols, and other services required for the use of such services.</p>
+               <link rel="assessment-for" href="#sa-9.2_smt"/>
             </part>
             <part id="sa-9.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29465,56 +31093,71 @@
             <part id="sa-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10a."/>
                <p>the developer of the system, system component, or system service is required to perform configuration management during system, component, or service <insert type="param" id-ref="sa-10_odp.01"/>;</p>
+               <link rel="assessment-for" href="#sa-10_smt.a"/>
             </part>
             <part id="sa-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10b."/>
                <part id="sa-10_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[01]"/>
                   <p>the developer of the system, system component, or system service is required to document the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
                <part id="sa-10_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[02]"/>
                   <p>the developer of the system, system component, or system service is required to manage the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
                <part id="sa-10_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[03]"/>
                   <p>the developer of the system, system component, or system service is required to control the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.b"/>
             </part>
             <part id="sa-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10c."/>
                <p>the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;</p>
+               <link rel="assessment-for" href="#sa-10_smt.c"/>
             </part>
             <part id="sa-10_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10d."/>
                <part id="sa-10_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[01]"/>
                   <p>the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
                <part id="sa-10_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[02]"/>
                   <p>the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
                <part id="sa-10_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[03]"/>
                   <p>the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.d"/>
             </part>
             <part id="sa-10_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10e."/>
                <part id="sa-10_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[01]"/>
                   <p>the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
                <part id="sa-10_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[02]"/>
                   <p>the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
                <part id="sa-10_obj.e-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[03]"/>
                   <p>the developer of the system, system component, or system service is required to report findings to <insert type="param" id-ref="sa-10_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sa-10_smt"/>
          </part>
          <part id="sa-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29644,43 +31287,55 @@
                <part id="sa-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[03]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[04]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.a"/>
             </part>
             <part id="sa-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11b."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform <insert type="param" id-ref="sa-11_odp.01"/> testing/evaluation <insert type="param" id-ref="sa-11_odp.02"/> at <insert type="param" id-ref="sa-11_odp.03"/>;</p>
+               <link rel="assessment-for" href="#sa-11_smt.b"/>
             </part>
             <part id="sa-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11c."/>
                <part id="sa-11_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
                <part id="sa-11_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.c"/>
             </part>
             <part id="sa-11_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11d."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;</p>
+               <link rel="assessment-for" href="#sa-11_smt.d"/>
             </part>
             <part id="sa-11_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11e."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.</p>
+               <link rel="assessment-for" href="#sa-11_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sa-11_smt"/>
          </part>
          <part id="sa-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29818,50 +31473,65 @@
                   <part id="sa-15_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.01[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                   </part>
                   <part id="sa-15_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.01[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                </part>
                <part id="sa-15_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.02"/>
                   <part id="sa-15_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.02[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                   </part>
                   <part id="sa-15_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.02[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                </part>
                <part id="sa-15_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.03"/>
                   <part id="sa-15_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.03[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                   </part>
                   <part id="sa-15_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.03[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                </part>
                <part id="sa-15_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.04"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;</p>
+                  <link rel="assessment-for" href="#sa-15_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#sa-15_smt.a"/>
             </part>
             <part id="sa-15_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-15b."/>
                <part id="sa-15_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15b.[01]"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-15_smt.b"/>
                </part>
                <part id="sa-15_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15b.[02]"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#sa-15_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-15_smt"/>
          </part>
          <part id="sa-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29965,18 +31635,23 @@
                <part id="sa-15.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15(03)(a)"/>
                   <p>the developer of the system, system component, or system service is required to perform a criticality analysis at <insert type="param" id-ref="sa-15.03_odp.01"/> in the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-15.3_smt.a"/>
                </part>
                <part id="sa-15.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15(03)(b)"/>
                   <part id="sa-15.3_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15(03)(b)[01]"/>
                      <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                   </part>
                   <part id="sa-15.3_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15(03)(b)[02]"/>
                      <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.03"/> .</p>
+                     <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-15.3_smt"/>
             </part>
             <part id="sa-15.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30051,6 +31726,7 @@
          <part id="sa-16_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-16"/>
             <p>the developer of the system, system component, or system service is required to provide <insert type="param" id-ref="sa-16_odp"/> on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.</p>
+            <link rel="assessment-for" href="#sa-16_smt"/>
          </part>
          <part id="sa-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30130,34 +31806,44 @@
                <part id="sa-17_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(a)[01]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;</p>
+                  <link rel="assessment-for" href="#sa-17_smt.a"/>
                </part>
                <part id="sa-17_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(a)[02]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;</p>
+                  <link rel="assessment-for" href="#sa-17_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-17_smt.a"/>
             </part>
             <part id="sa-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-17(b)"/>
                <part id="sa-17_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(b)[01]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;</p>
+                  <link rel="assessment-for" href="#sa-17_smt.b"/>
                </part>
                <part id="sa-17_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(b)[02]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;</p>
+                  <link rel="assessment-for" href="#sa-17_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-17_smt.b"/>
             </part>
             <part id="sa-17_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-17(c)"/>
                <part id="sa-17_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(c)[01]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;</p>
+                  <link rel="assessment-for" href="#sa-17_smt.c"/>
                </part>
                <part id="sa-17_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-17(c)[02]"/>
                   <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.</p>
+                  <link rel="assessment-for" href="#sa-17_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-17_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-17_smt"/>
          </part>
          <part id="sa-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30252,11 +31938,14 @@
             <part id="sa-21_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-21a."/>
                <p>the developer of <insert type="param" id-ref="sa-21_odp.01"/> is required to have appropriate access authorizations as determined by assigned <insert type="param" id-ref="sa-21_odp.02"/>;</p>
+               <link rel="assessment-for" href="#sa-21_smt.a"/>
             </part>
             <part id="sa-21_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-21b."/>
                <p>the developer of <insert type="param" id-ref="sa-21_odp.01"/> is required to satisfy <insert type="param" id-ref="sa-21_odp.03"/>.</p>
+               <link rel="assessment-for" href="#sa-21_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-21_smt"/>
          </part>
          <part id="sa-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30345,12 +32034,15 @@
             <part id="sa-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22a."/>
                <p>system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;</p>
+               <link rel="assessment-for" href="#sa-22_smt.a"/>
             </part>
             <part id="sa-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22b."/>
                <p>
                   <insert type="param" id-ref="sa-22_odp.01"/> provide options for alternative sources for continued support for unsupported components.</p>
+               <link rel="assessment-for" href="#sa-22_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-22_smt"/>
          </part>
          <part id="sa-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30526,18 +32218,22 @@
                <part id="sc-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[01]"/>
                   <p>a system and communications protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[02]"/>
                   <p>the system and communications protection policy is disseminated to <insert type="param" id-ref="sc-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[03]"/>
                   <p>system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[04]"/>
                   <p>the system and communications protection procedures are disseminated to <insert type="param" id-ref="sc-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.01"/>
@@ -30546,41 +32242,53 @@
                      <part id="sc-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                   </part>
                   <part id="sc-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.a"/>
             </part>
             <part id="sc-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01b."/>
                <p>the <insert type="param" id-ref="sc-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;</p>
+               <link rel="assessment-for" href="#sc-1_smt.b"/>
             </part>
             <part id="sc-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01c."/>
@@ -30589,24 +32297,32 @@
                   <part id="sc-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[01]"/>
                      <p>the current system and communications protection policy is reviewed and updated <insert type="param" id-ref="sc-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
                   <part id="sc-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[02]"/>
                      <p>the current system and communications protection policy is reviewed and updated following <insert type="param" id-ref="sc-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                </part>
                <part id="sc-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01c.02"/>
                   <part id="sc-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[01]"/>
                      <p>the current system and communications protection procedures are reviewed and updated <insert type="param" id-ref="sc-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
                   <part id="sc-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[02]"/>
                      <p>the current system and communications protection procedures are reviewed and updated following <insert type="param" id-ref="sc-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt"/>
          </part>
          <part id="sc-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30658,6 +32374,7 @@
          <part id="sc-2_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-02"/>
             <p>user functionality, including user interface services, is separated from system management functionality.</p>
+            <link rel="assessment-for" href="#sc-2_smt"/>
          </part>
          <part id="sc-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30724,6 +32441,7 @@
          <part id="sc-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03"/>
             <p>security functions are isolated from non-security functions.</p>
+            <link rel="assessment-for" href="#sc-3_smt"/>
          </part>
          <part id="sc-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30778,11 +32496,14 @@
             <part id="sc-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-04[01]"/>
                <p>unauthorized information transfer via shared system resources is prevented;</p>
+               <link rel="assessment-for" href="#sc-4_smt"/>
             </part>
             <part id="sc-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-04[02]"/>
                <p>unintended information transfer via shared system resources is prevented.</p>
+               <link rel="assessment-for" href="#sc-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-4_smt"/>
          </part>
          <part id="sc-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30871,12 +32592,15 @@
             <part id="sc-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05a."/>
                <p>the effects of <insert type="param" id-ref="sc-05_odp.01"/> are <insert type="param" id-ref="sc-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#sc-5_smt.a"/>
             </part>
             <part id="sc-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05b."/>
                <p>
                   <insert type="param" id-ref="sc-05_odp.03"/> are employed to achieve the denial-of-service protection objective.</p>
+               <link rel="assessment-for" href="#sc-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-5_smt"/>
          </part>
          <part id="sc-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30982,28 +32706,36 @@
                <part id="sc-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[01]"/>
                   <p>communications at external managed interfaces to the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[02]"/>
                   <p>communications at external managed interfaces to the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[03]"/>
                   <p>communications at key internal managed interfaces within the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[04]"/>
                   <p>communications at key internal managed interfaces within the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-7_smt.a"/>
             </part>
             <part id="sc-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07b."/>
                <p>subnetworks for publicly accessible system components are <insert type="param" id-ref="sc-07_odp"/> separated from internal organizational networks;</p>
+               <link rel="assessment-for" href="#sc-7_smt.b"/>
             </part>
             <part id="sc-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07c."/>
                <p>external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
+               <link rel="assessment-for" href="#sc-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-7_smt"/>
          </part>
          <part id="sc-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31056,6 +32788,7 @@
             <part id="sc-7.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(03)"/>
                <p>the number of external network connections to the system is limited.</p>
+               <link rel="assessment-for" href="#sc-7.3_smt"/>
             </part>
             <part id="sc-7.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31155,49 +32888,62 @@
                <part id="sc-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(a)"/>
                   <p>a managed interface is implemented for each external telecommunication service;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.a"/>
                </part>
                <part id="sc-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(b)"/>
                   <p>a traffic flow policy is established for each managed interface;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.b"/>
                </part>
                <part id="sc-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(c)"/>
                   <part id="sc-7.4_obj.c-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(c)[01]"/>
                      <p>the confidentiality of the information being transmitted across each interface is protected;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                   </part>
                   <part id="sc-7.4_obj.c-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(c)[02]"/>
                      <p>the integrity of the information being transmitted across each interface is protected;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                </part>
                <part id="sc-7.4_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(d)"/>
                   <p>each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.d"/>
                </part>
                <part id="sc-7.4_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(e)"/>
                   <part id="sc-7.4_obj.e-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(e)[01]"/>
                      <p>exceptions to the traffic flow policy are reviewed <insert type="param" id-ref="sc-07.04_odp"/>;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                   </part>
                   <part id="sc-7.4_obj.e-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(e)[02]"/>
                      <p>exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                </part>
                <part id="sc-7.4_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(f)"/>
                   <p>unauthorized exchanges of control plan traffic with external networks are prevented;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.f"/>
                </part>
                <part id="sc-7.4_obj.g" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(g)"/>
                   <p>information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.g"/>
                </part>
                <part id="sc-7.4_obj.h" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(h)"/>
                   <p>unauthorized control plane traffic is filtered from external networks.</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sc-7.4_smt"/>
             </part>
             <part id="sc-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31275,11 +33021,14 @@
                <part id="sc-7.5_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(05)[01]"/>
                   <p>network communications traffic is denied by default <insert type="param" id-ref="sc-07.05_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sc-7.5_smt"/>
                </part>
                <part id="sc-7.5_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(05)[02]"/>
                   <p>network communications traffic is allowed by exception <insert type="param" id-ref="sc-07.05_odp.01"/>.</p>
+                  <link rel="assessment-for" href="#sc-7.5_smt"/>
                </part>
+               <link rel="assessment-for" href="#sc-7.5_smt"/>
             </part>
             <part id="sc-7.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31338,6 +33087,7 @@
             <part id="sc-7.7_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(07)"/>
                <p>split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using <insert type="param" id-ref="sc-07.07_odp"/>.</p>
+               <link rel="assessment-for" href="#sc-7.7_smt"/>
             </part>
             <part id="sc-7.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31409,6 +33159,7 @@
                <prop name="label" class="sp800-53a" value="SC-07(08)"/>
                <p>
                   <insert type="param" id-ref="sc-07.08_odp.01"/> is routed to <insert type="param" id-ref="sc-07.08_odp.02"/> through authenticated proxy servers at managed interfaces.</p>
+               <link rel="assessment-for" href="#sc-7.8_smt"/>
             </part>
             <part id="sc-7.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31467,6 +33218,7 @@
             <part id="sc-7.18_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(18)"/>
                <p>systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.</p>
+               <link rel="assessment-for" href="#sc-7.18_smt"/>
             </part>
             <part id="sc-7.18_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31541,6 +33293,7 @@
             <part id="sc-7.21_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(21)"/>
                <p>boundary protection mechanisms are employed to isolate <insert type="param" id-ref="sc-07.21_odp.01"/> supporting <insert type="param" id-ref="sc-07.21_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sc-7.21_smt"/>
             </part>
             <part id="sc-7.21_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31625,6 +33378,7 @@
          <part id="sc-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-08"/>
             <p>the <insert type="param" id-ref="sc-08_odp"/> of transmitted information is/are protected.</p>
+            <link rel="assessment-for" href="#sc-8_smt"/>
          </part>
          <part id="sc-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31683,6 +33437,7 @@
             <part id="sc-8.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-08(01)"/>
                <p>cryptographic mechanisms are implemented to <insert type="param" id-ref="sc-08.01_odp"/> during transmission.</p>
+               <link rel="assessment-for" href="#sc-8.1_smt"/>
             </part>
             <part id="sc-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31744,6 +33499,7 @@
          <part id="sc-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-10"/>
             <p>the network connection associated with a communication session is terminated at the end of the session or after <insert type="param" id-ref="sc-10_odp"/> of inactivity.</p>
+            <link rel="assessment-for" href="#sc-10_smt"/>
          </part>
          <part id="sc-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31814,6 +33570,7 @@
          <link rel="related" href="#cm-3"/>
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#sa-4"/>
          <link rel="related" href="#sa-8"/>
          <link rel="related" href="#sa-9"/>
@@ -31838,11 +33595,14 @@
             <part id="sc-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[01]"/>
                <p>cryptographic keys are established when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
             <part id="sc-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[02]"/>
                <p>cryptographic keys are managed when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>.</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-12_smt"/>
          </part>
          <part id="sc-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31895,6 +33655,7 @@
             <part id="sc-12.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12(01)"/>
                <p>information availability is maintained in the event of the loss of cryptographic keys by users.</p>
+               <link rel="assessment-for" href="#sc-12.1_smt"/>
             </part>
             <part id="sc-12.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31968,6 +33729,7 @@
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#mp-2"/>
          <link rel="related" href="#mp-4"/>
@@ -32002,12 +33764,15 @@
                <prop name="label" class="sp800-53a" value="SC-13a."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.01"/> are identified;</p>
+               <link rel="assessment-for" href="#sc-13_smt.a"/>
             </part>
             <part id="sc-13_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-13b."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.02"/> for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.</p>
+               <link rel="assessment-for" href="#sc-13_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-13_smt"/>
          </part>
          <part id="sc-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32078,11 +33843,14 @@
             <part id="sc-15_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15a."/>
                <p>remote activation of collaborative computing devices and applications is prohibited except <insert type="param" id-ref="sc-15_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-15_smt.a"/>
             </part>
             <part id="sc-15_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15b."/>
                <p>an explicit indication of use is provided to users physically present at the devices.</p>
+               <link rel="assessment-for" href="#sc-15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-15_smt"/>
          </part>
          <part id="sc-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32162,11 +33930,14 @@
             <part id="sc-17_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-17a."/>
                <p>public key certificates are issued under <insert type="param" id-ref="sc-17_odp"/> , or public key certificates are obtained from an approved service provider;</p>
+               <link rel="assessment-for" href="#sc-17_smt.a"/>
             </part>
             <part id="sc-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-17b."/>
                <p>only approved trust anchors are included in trust stores or certificate stores managed by the organization.</p>
+               <link rel="assessment-for" href="#sc-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-17_smt"/>
          </part>
          <part id="sc-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32232,35 +34003,45 @@
                <part id="sc-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[01]"/>
                   <p>acceptable mobile code is defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[02]"/>
                   <p>unacceptable mobile code is defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[03]"/>
                   <p>acceptable mobile code technologies are defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[04]"/>
                   <p>unacceptable mobile code technologies are defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-18_smt.a"/>
             </part>
             <part id="sc-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-18b."/>
                <part id="sc-18_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[01]"/>
                   <p>the use of mobile code is authorized within the system;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
                <part id="sc-18_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[02]"/>
                   <p>the use of mobile code is monitored within the system;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
                <part id="sc-18_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[03]"/>
                   <p>the use of mobile code is controlled within the system.</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sc-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-18_smt"/>
          </part>
          <part id="sc-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32334,23 +34115,30 @@
                <part id="sc-20_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[01]"/>
                   <p>additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
                <part id="sc-20_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[02]"/>
                   <p>integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.a"/>
             </part>
             <part id="sc-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-20b."/>
                <part id="sc-20_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[01]"/>
                   <p>the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
                <part id="sc-20_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[02]"/>
                   <p>the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-20_smt"/>
          </part>
          <part id="sc-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32403,19 +34191,24 @@
             <part id="sc-21_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[01]"/>
                <p>data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[02]"/>
                <p>data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[03]"/>
                <p>data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[04]"/>
                <p>data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-21_smt"/>
          </part>
          <part id="sc-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32471,15 +34264,19 @@
             <part id="sc-22_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[01]"/>
                <p>the systems that collectively provide name/address resolution services for an organization are fault-tolerant;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[02]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement internal role separation;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[03]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement external role separation.</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-22_smt"/>
          </part>
          <part id="sc-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32538,6 +34335,7 @@
          <part id="sc-23_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-23"/>
             <p>the authenticity of communication sessions is protected.</p>
+            <link rel="assessment-for" href="#sc-23_smt"/>
          </part>
          <part id="sc-23_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32624,6 +34422,7 @@
             <prop name="label" class="sp800-53a" value="SC-24"/>
             <p>
                <insert type="param" id-ref="sc-24_odp.01"/> fail to a <insert type="param" id-ref="sc-24_odp.02"/> while preserving <insert type="param" id-ref="sc-24_odp.03"/> in failure.</p>
+            <link rel="assessment-for" href="#sc-24_smt"/>
          </part>
          <part id="sc-24_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32719,6 +34518,7 @@
          <part id="sc-28_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28"/>
             <p>the <insert type="param" id-ref="sc-28_odp.01"/> of <insert type="param" id-ref="sc-28_odp.02"/> is/are protected.</p>
+            <link rel="assessment-for" href="#sc-28_smt"/>
          </part>
          <part id="sc-28_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32789,11 +34589,14 @@
                <part id="sc-28.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-28(01)[01]"/>
                   <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sc-28.1_smt"/>
                </part>
                <part id="sc-28.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-28(01)[02]"/>
                   <p>cryptographic mechanisms are implemented to prevent unauthorized modification of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#sc-28.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#sc-28.1_smt"/>
             </part>
             <part id="sc-28.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32856,6 +34659,7 @@
          <part id="sc-39_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-39"/>
             <p>a separate execution domain is maintained for each executing system process.</p>
+            <link rel="assessment-for" href="#sc-39_smt"/>
          </part>
          <part id="sc-39_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33026,18 +34830,22 @@
                <part id="si-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[01]"/>
                   <p>a system and information integrity policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[02]"/>
                   <p>the system and information integrity policy is disseminated to <insert type="param" id-ref="si-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[03]"/>
                   <p>system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[04]"/>
                   <p>the system and information integrity procedures are disseminated to <insert type="param" id-ref="si-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.01"/>
@@ -33046,41 +34854,53 @@
                      <part id="si-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses scope;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses roles;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                   </part>
                   <part id="si-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.a"/>
             </part>
             <part id="si-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01b."/>
                <p>the <insert type="param" id-ref="si-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;</p>
+               <link rel="assessment-for" href="#si-1_smt.b"/>
             </part>
             <part id="si-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01c."/>
@@ -33089,24 +34909,32 @@
                   <part id="si-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[01]"/>
                      <p>the current system and information integrity policy is reviewed and updated <insert type="param" id-ref="si-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
                   <part id="si-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[02]"/>
                      <p>the current system and information integrity policy is reviewed and updated following <insert type="param" id-ref="si-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.1"/>
                </part>
                <part id="si-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01c.02"/>
                   <part id="si-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[01]"/>
                      <p>the current system and information integrity procedures are reviewed and updated <insert type="param" id-ref="si-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
                   <part id="si-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[02]"/>
                      <p>the current system and information integrity procedures are reviewed and updated following <insert type="param" id-ref="si-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt"/>
          </part>
          <part id="si-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33195,50 +35023,64 @@
                <part id="si-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[01]"/>
                   <p>system flaws are identified;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[02]"/>
                   <p>system flaws are reported;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[03]"/>
                   <p>system flaws are corrected;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.a"/>
             </part>
             <part id="si-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02b."/>
                <part id="si-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[01]"/>
                   <p>software updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[02]"/>
                   <p>software updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[03]"/>
                   <p>firmware updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[04]"/>
                   <p>firmware updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.b"/>
             </part>
             <part id="si-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02c."/>
                <part id="si-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[01]"/>
                   <p>security-relevant software updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
                <part id="si-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[02]"/>
                   <p>security-relevant firmware updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.c"/>
             </part>
             <part id="si-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02d."/>
                <p>flaw remediation is incorporated into the organizational configuration management process.</p>
+               <link rel="assessment-for" href="#si-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-2_smt"/>
          </part>
          <part id="si-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33315,6 +35157,7 @@
             <part id="si-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02(02)"/>
                <p>system components have applicable security-relevant software and firmware updates installed <insert type="param" id-ref="si-02.02_odp.02"/> using <insert type="param" id-ref="si-02.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#si-2.2_smt"/>
             </part>
             <part id="si-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33473,16 +35316,20 @@
                   <prop name="label" class="sp800-53a" value="SI-03a.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
                <part id="si-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03a.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.a"/>
             </part>
             <part id="si-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03b."/>
                <p>malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#si-3_smt.b"/>
             </part>
             <part id="si-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03c."/>
@@ -33491,28 +35338,37 @@
                   <part id="si-3_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[01]"/>
                      <p>malicious code protection mechanisms are configured to perform periodic scans of the system <insert type="param" id-ref="si-03_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
                   <part id="si-3_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[02]"/>
                      <p>malicious code protection mechanisms are configured to perform real-time scans of files from external sources at <insert type="param" id-ref="si-03_odp.03"/> as the files are downloaded, opened, or executed in accordance with organizational policy;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.1"/>
                </part>
                <part id="si-3_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03c.02"/>
                   <part id="si-3_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[01]"/>
                      <p>malicious code protection mechanisms are configured to <insert type="param" id-ref="si-03_odp.04"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
                   <part id="si-3_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[02]"/>
                      <p>malicious code protection mechanisms are configured to send alerts to <insert type="param" id-ref="si-03_odp.06"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.c"/>
             </part>
             <part id="si-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03d."/>
                <p>the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.</p>
+               <link rel="assessment-for" href="#si-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-3_smt"/>
          </part>
          <part id="si-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33723,63 +35579,80 @@
                <part id="si-4_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.01"/>
                   <p>the system is monitored to detect attacks and indicators of potential attacks in accordance with <insert type="param" id-ref="si-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-4_smt.a.1"/>
                </part>
                <part id="si-4_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.02"/>
                   <part id="si-4_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[01]"/>
                      <p>the system is monitored to detect unauthorized local connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[02]"/>
                      <p>the system is monitored to detect unauthorized network connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[03]"/>
                      <p>the system is monitored to detect unauthorized remote connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.a"/>
             </part>
             <part id="si-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04b."/>
                <p>unauthorized use of the system is identified through <insert type="param" id-ref="si-04_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-4_smt.b"/>
             </part>
             <part id="si-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04c."/>
                <part id="si-4_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.01"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.1"/>
                </part>
                <part id="si-4_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.02"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.c"/>
             </part>
             <part id="si-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04d."/>
                <part id="si-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[01]"/>
                   <p>detected events are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
                <part id="si-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[02]"/>
                   <p>detected anomalies are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.d"/>
             </part>
             <part id="si-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04e."/>
                <p>the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p>
+               <link rel="assessment-for" href="#si-4_smt.e"/>
             </part>
             <part id="si-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04f."/>
                <p>a legal opinion regarding system monitoring activities is obtained;</p>
+               <link rel="assessment-for" href="#si-4_smt.f"/>
             </part>
             <part id="si-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04g."/>
                <p>
                   <insert type="param" id-ref="si-04_odp.03"/> is provided to <insert type="param" id-ref="si-04_odp.04"/>
                   <insert type="param" id-ref="si-04_odp.05"/>.</p>
+               <link rel="assessment-for" href="#si-4_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#si-4_smt"/>
          </part>
          <part id="si-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33839,6 +35712,7 @@
             <part id="si-4.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04(02)"/>
                <p>automated tools and mechanisms are employed to support a near real-time analysis of events.</p>
+               <link rel="assessment-for" href="#si-4.2_smt"/>
             </part>
             <part id="si-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33959,23 +35833,30 @@
                   <part id="si-4.4_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(a)[01]"/>
                      <p>criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.a"/>
                   </part>
                   <part id="si-4.4_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(a)[02]"/>
                      <p>criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4.4_smt.a"/>
                </part>
                <part id="si-4.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(04)(b)"/>
                   <part id="si-4.4_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(b)[01]"/>
                      <p>inbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.01"/> for <insert type="param" id-ref="si-04.04_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.b"/>
                   </part>
                   <part id="si-4.4_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(b)[02]"/>
                      <p>outbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.03"/> for <insert type="param" id-ref="si-04.04_odp.04"/>.</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4.4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-4.4_smt"/>
             </part>
             <part id="si-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34055,6 +35936,7 @@
                <prop name="label" class="sp800-53a" value="SI-04(05)"/>
                <p>
                   <insert type="param" id-ref="si-04.05_odp.01"/> are alerted when system-generated <insert type="param" id-ref="si-04.05_odp.02"/> occur.</p>
+               <link rel="assessment-for" href="#si-4.5_smt"/>
             </part>
             <part id="si-4.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34133,6 +36015,7 @@
             <part id="si-4.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04(10)"/>
                <p>provisions are made so that <insert type="param" id-ref="si-04.10_odp.01"/> is visible to <insert type="param" id-ref="si-04.10_odp.02"/>.</p>
+               <link rel="assessment-for" href="#si-4.10_smt"/>
             </part>
             <part id="si-4.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34219,6 +36102,7 @@
                <prop name="label" class="sp800-53a" value="SI-04(12)"/>
                <p>
                   <insert type="param" id-ref="si-04.12_odp.01"/> is/are alerted using <insert type="param" id-ref="si-04.12_odp.02"/> when <insert type="param" id-ref="si-04.12_odp.03"/> indicate inappropriate or unusual activities with security or privacy implications.</p>
+               <link rel="assessment-for" href="#si-4.12_smt"/>
             </part>
             <part id="si-4.12_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34287,15 +36171,19 @@
                <part id="si-4.14_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(14)[01]"/>
                   <p>a wireless intrusion detection system is employed to identify rogue wireless devices;</p>
+                  <link rel="assessment-for" href="#si-4.14_smt"/>
                </part>
                <part id="si-4.14_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(14)[02]"/>
                   <p>a wireless intrusion detection system is employed to detect attack attempts on the system;</p>
+                  <link rel="assessment-for" href="#si-4.14_smt"/>
                </part>
                <part id="si-4.14_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(14)[03]"/>
                   <p>a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.</p>
+                  <link rel="assessment-for" href="#si-4.14_smt"/>
                </part>
+               <link rel="assessment-for" href="#si-4.14_smt"/>
             </part>
             <part id="si-4.14_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34364,6 +36252,7 @@
                <prop name="label" class="sp800-53a" value="SI-04(20)"/>
                <p>
                   <insert type="param" id-ref="si-04.20_odp"/> of privileged users is implemented.</p>
+               <link rel="assessment-for" href="#si-4.20_smt"/>
             </part>
             <part id="si-4.20_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34457,12 +36346,15 @@
                <part id="si-4.22_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(22)(a)"/>
                   <p>network services that have not been authorized or approved by <insert type="param" id-ref="si-04.22_odp.01"/> are detected;</p>
+                  <link rel="assessment-for" href="#si-4.22_smt.a"/>
                </part>
                <part id="si-4.22_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(22)(b)"/>
                   <p>
                      <insert type="param" id-ref="si-04.22_odp.02"/> is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.</p>
+                  <link rel="assessment-for" href="#si-4.22_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-4.22_smt"/>
             </part>
             <part id="si-4.22_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34596,19 +36488,24 @@
             <part id="si-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05a."/>
                <p>system security alerts, advisories, and directives are received from <insert type="param" id-ref="si-05_odp.01"/> on an ongoing basis;</p>
+               <link rel="assessment-for" href="#si-5_smt.a"/>
             </part>
             <part id="si-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05b."/>
                <p>internal security alerts, advisories, and directives are generated as deemed necessary;</p>
+               <link rel="assessment-for" href="#si-5_smt.b"/>
             </part>
             <part id="si-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05c."/>
                <p>security alerts, advisories, and directives are disseminated to <insert type="param" id-ref="si-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-5_smt.c"/>
             </part>
             <part id="si-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05d."/>
                <p>security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.</p>
+               <link rel="assessment-for" href="#si-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-5_smt"/>
          </part>
          <part id="si-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34672,6 +36569,7 @@
                <prop name="label" class="sp800-53a" value="SI-05(01)"/>
                <p>
                   <insert type="param" id-ref="si-05.01_odp"/> are used to broadcast security alert and advisory information throughout the organization.</p>
+               <link rel="assessment-for" href="#si-5.1_smt"/>
             </part>
             <part id="si-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34835,12 +36733,15 @@
                   <prop name="label" class="sp800-53a" value="SI-06a.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.01"/> are verified to be operating correctly;</p>
+                  <link rel="assessment-for" href="#si-6_smt.a"/>
                </part>
                <part id="si-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-06a.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.02"/> are verified to be operating correctly;</p>
+                  <link rel="assessment-for" href="#si-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-6_smt.a"/>
             </part>
             <part id="si-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-06b."/>
@@ -34848,12 +36749,15 @@
                   <prop name="label" class="sp800-53a" value="SI-06b.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.01"/> are verified <insert type="param" id-ref="si-06_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#si-6_smt.b"/>
                </part>
                <part id="si-6_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-06b.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.02"/> are verified <insert type="param" id-ref="si-06_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#si-6_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-6_smt.b"/>
             </part>
             <part id="si-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-06c."/>
@@ -34861,18 +36765,23 @@
                   <prop name="label" class="sp800-53a" value="SI-06c.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.06"/> is/are alerted to failed security verification tests;</p>
+                  <link rel="assessment-for" href="#si-6_smt.c"/>
                </part>
                <part id="si-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-06c.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-06_odp.06"/> is/are alerted to failed privacy verification tests;</p>
+                  <link rel="assessment-for" href="#si-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#si-6_smt.c"/>
             </part>
             <part id="si-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-06d."/>
                <p>
                   <insert type="param" id-ref="si-06_odp.07"/> is/are initiated when anomalies are discovered.</p>
+               <link rel="assessment-for" href="#si-6_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-6_smt"/>
          </part>
          <part id="si-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35041,15 +36950,19 @@
                <part id="si-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[01]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
                <part id="si-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[02]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
                <part id="si-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[03]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-7_smt.a"/>
             </part>
             <part id="si-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07b."/>
@@ -35057,18 +36970,23 @@
                   <prop name="label" class="sp800-53a" value="SI-07b.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.04"/> are taken when unauthorized changes to the software, are detected;</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
                <part id="si-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07b.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.05"/> are taken when unauthorized changes to the firmware are detected;</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
                <part id="si-7_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07b.[03]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.06"/> are taken when unauthorized changes to the information are detected.</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-7_smt"/>
          </part>
          <part id="si-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35279,15 +37197,19 @@
                <part id="si-7.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[01]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.01"/> is performed <insert type="param" id-ref="si-07.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
                <part id="si-7.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[02]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.05"/> is performed <insert type="param" id-ref="si-07.01_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
                <part id="si-7.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[03]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.09"/> is performed <insert type="param" id-ref="si-07.01_odp.10"/>.</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#si-7.1_smt"/>
             </part>
             <part id="si-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35351,6 +37273,7 @@
             <part id="si-7.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07(02)"/>
                <p>automated tools that provide notification to <insert type="param" id-ref="si-07.02_odp"/> upon discovering discrepancies during integrity verification are employed.</p>
+               <link rel="assessment-for" href="#si-7.2_smt"/>
             </part>
             <part id="si-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35431,6 +37354,7 @@
                <prop name="label" class="sp800-53a" value="SI-07(05)"/>
                <p>
                   <insert type="param" id-ref="si-07.05_odp.01"/> are automatically performed when integrity violations are discovered.</p>
+               <link rel="assessment-for" href="#si-7.5_smt"/>
             </part>
             <part id="si-7.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35506,6 +37430,7 @@
             <part id="si-7.7_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07(07)"/>
                <p>the detection of <insert type="param" id-ref="si-07.07_odp"/> are incorporated into the organizational incident response capability.</p>
+               <link rel="assessment-for" href="#si-7.7_smt"/>
             </part>
             <part id="si-7.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35574,6 +37499,7 @@
             <part id="si-7.15_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07(15)"/>
                <p>cryptographic mechanisms are implemented to authenticate <insert type="param" id-ref="si-07.15_odp"/> prior to installation.</p>
+               <link rel="assessment-for" href="#si-7.15_smt"/>
             </part>
             <part id="si-7.15_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35645,24 +37571,31 @@
                <part id="si-8_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[01]"/>
                   <p>spam protection mechanisms are employed at system entry points to detect unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[02]"/>
                   <p>spam protection mechanisms are employed at system exit points to detect unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[03]"/>
                   <p>spam protection mechanisms are employed at system entry points to act on unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[04]"/>
                   <p>spam protection mechanisms are employed at system exit points to act on unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-8_smt.a"/>
             </part>
             <part id="si-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-08b."/>
                <p>spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.</p>
+               <link rel="assessment-for" href="#si-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-8_smt"/>
          </part>
          <part id="si-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35725,6 +37658,7 @@
             <part id="si-8.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-08(02)"/>
                <p>spam protection mechanisms are automatically updated <insert type="param" id-ref="si-08.02_odp"/>.</p>
+               <link rel="assessment-for" href="#si-8.2_smt"/>
             </part>
             <part id="si-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35796,6 +37730,7 @@
          <part id="si-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10"/>
             <p>the validity of the <insert type="param" id-ref="si-10_odp"/> is checked.</p>
+            <link rel="assessment-for" href="#si-10_smt"/>
          </part>
          <part id="si-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35872,11 +37807,14 @@
             <part id="si-11_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-11a."/>
                <p>error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;</p>
+               <link rel="assessment-for" href="#si-11_smt.a"/>
             </part>
             <part id="si-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-11b."/>
                <p>error messages are revealed only to <insert type="param" id-ref="si-11_odp"/>.</p>
+               <link rel="assessment-for" href="#si-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-11_smt"/>
          </part>
          <part id="si-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35965,19 +37903,24 @@
             <part id="si-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[01]"/>
                <p>information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[02]"/>
                <p>information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[03]"/>
                <p>information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[04]"/>
                <p>information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#si-12_smt"/>
          </part>
          <part id="si-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36051,6 +37994,7 @@
             <prop name="label" class="sp800-53a" value="SI-16"/>
             <p>
                <insert type="param" id-ref="si-16_odp"/> are implemented to protect the system memory from unauthorized code execution.</p>
+            <link rel="assessment-for" href="#si-16_smt"/>
          </part>
          <part id="si-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36233,18 +38177,22 @@
                <part id="sr-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[01]"/>
                   <p>a supply chain risk management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[02]"/>
                   <p>the supply chain risk management policy is disseminated to <insert type="param" id-ref="sr-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[03]"/>
                   <p>supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[04]"/>
                   <p>the supply chain risk management procedures are disseminated to <insert type="param" id-ref="sr-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.01"/>
@@ -36253,42 +38201,54 @@
                      <part id="sr-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses scope; </p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[03]"/>
                         <p>
                            <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses compliance.</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                   </part>
                   <part id="sr-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.a"/>
             </part>
             <part id="sr-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01b."/>
                <p>the <insert type="param" id-ref="sr-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;</p>
+               <link rel="assessment-for" href="#sr-1_smt.b"/>
             </part>
             <part id="sr-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01c."/>
@@ -36297,24 +38257,32 @@
                   <part id="sr-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[01]"/>
                      <p>the current supply chain risk management policy is reviewed and updated <insert type="param" id-ref="sr-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
                   <part id="sr-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[02]"/>
                      <p>the current supply chain risk management policy is reviewed and updated following <insert type="param" id-ref="sr-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                </part>
                <part id="sr-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01c.02"/>
                   <part id="sr-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[01]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated <insert type="param" id-ref="sr-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
                   <part id="sr-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[02]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated following <insert type="param" id-ref="sr-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt"/>
          </part>
          <part id="sr-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36414,55 +38382,70 @@
                <part id="sr-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[01]"/>
                   <p>a plan for managing supply chain risks is developed;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[02]"/>
                   <p>the supply chain risk management plan addresses risks associated with the research and development of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[03]"/>
                   <p>the supply chain risk management plan addresses risks associated with the design of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[04]"/>
                   <p>the supply chain risk management plan addresses risks associated with the manufacturing of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[05]"/>
                   <p>the supply chain risk management plan addresses risks associated with the acquisition of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[06]"/>
                   <p>the supply chain risk management plan addresses risks associated with the delivery of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[07]"/>
                   <p>the supply chain risk management plan addresses risks associated with the integration of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[08]"/>
                   <p>the supply chain risk management plan addresses risks associated with the operation and maintenance of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[09]"/>
                   <p>the supply chain risk management plan addresses risks associated with the disposal of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.a"/>
             </part>
             <part id="sr-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02b."/>
                <p>the supply chain risk management plan is reviewed and updated <insert type="param" id-ref="sr-02_odp.02"/> or as required to address threat, organizational, or environmental changes;</p>
+               <link rel="assessment-for" href="#sr-2_smt.b"/>
             </part>
             <part id="sr-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02c."/>
                <part id="sr-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[01]"/>
                   <p>the supply chain risk management plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
                <part id="sr-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[02]"/>
                   <p>the supply chain risk management plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-2_smt"/>
          </part>
          <part id="sr-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36549,6 +38532,7 @@
             <part id="sr-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02(01)"/>
                <p>a supply chain risk management team consisting of <insert type="param" id-ref="sr-02.01_odp.01"/> is established to lead and support <insert type="param" id-ref="sr-02.01_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sr-2.1_smt"/>
             </part>
             <part id="sr-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36690,21 +38674,27 @@
                <part id="sr-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[01]"/>
                   <p>a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
                <part id="sr-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[02]"/>
                   <p>the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/> is/are coordinated with <insert type="param" id-ref="sr-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-3_smt.a"/>
             </part>
             <part id="sr-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03b."/>
                <p>
                   <insert type="param" id-ref="sr-03_odp.03"/> are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;</p>
+               <link rel="assessment-for" href="#sr-3_smt.b"/>
             </part>
             <part id="sr-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03c."/>
                <p>the selected and implemented supply chain processes and controls are documented in <insert type="param" id-ref="sr-03_odp.04"/>.</p>
+               <link rel="assessment-for" href="#sr-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-3_smt"/>
          </part>
          <part id="sr-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36801,17 +38791,21 @@
                <prop name="label" class="sp800-53a" value="SR-05[01]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to protect against supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[02]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to identify supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[03]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to mitigate supply chain risks.</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#sr-5_smt"/>
          </part>
          <part id="sr-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36895,6 +38889,7 @@
          <part id="sr-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-06"/>
             <p>the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed <insert type="param" id-ref="sr-06_odp"/>.</p>
+            <link rel="assessment-for" href="#sr-6_smt"/>
          </part>
          <part id="sr-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36978,6 +38973,7 @@
          <part id="sr-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-08"/>
             <p>agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for <insert type="param" id-ref="sr-08_odp.01"/>.</p>
+            <link rel="assessment-for" href="#sr-8_smt"/>
          </part>
          <part id="sr-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37043,6 +39039,7 @@
          <part id="sr-9_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-09"/>
             <p>a tamper protection program is implemented for the system, system component, or system service.</p>
+            <link rel="assessment-for" href="#sr-9_smt"/>
          </part>
          <part id="sr-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37102,6 +39099,7 @@
             <part id="sr-9.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-09(01)"/>
                <p>anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.</p>
+               <link rel="assessment-for" href="#sr-9.1_smt"/>
             </part>
             <part id="sr-9.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37211,6 +39209,7 @@
             <prop name="label" class="sp800-53a" value="SR-10"/>
             <p>
                <insert type="param" id-ref="sr-10_odp.01"/> are inspected <insert type="param" id-ref="sr-10_odp.02"/> to detect tampering.</p>
+            <link rel="assessment-for" href="#sr-10_smt"/>
          </part>
          <part id="sr-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37314,24 +39313,31 @@
                <part id="sr-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[01]"/>
                   <p>an anti-counterfeit policy is developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[02]"/>
                   <p>anti-counterfeit procedures are developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[03]"/>
                   <p>the anti-counterfeit procedures include the means to detect counterfeit components entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[04]"/>
                   <p>the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-11_smt.a"/>
             </part>
             <part id="sr-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-11b."/>
                <p>counterfeit system components are reported to <insert type="param" id-ref="sr-11_odp.01"/>.</p>
+               <link rel="assessment-for" href="#sr-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sr-11_smt"/>
          </part>
          <part id="sr-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37404,6 +39410,7 @@
                <prop name="label" class="sp800-53a" value="SR-11(01)"/>
                <p>
                   <insert type="param" id-ref="sr-11.01_odp"/> are trained to detect counterfeit system components (including hardware, software, and firmware).</p>
+               <link rel="assessment-for" href="#sr-11.1_smt"/>
             </part>
             <part id="sr-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37475,11 +39482,14 @@
                <part id="sr-11.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[01]"/>
                   <p>configuration control over <insert type="param" id-ref="sr-11.02_odp"/> awaiting service or repair is maintained;</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
                <part id="sr-11.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[02]"/>
                   <p>configuration control over serviced or repaired <insert type="param" id-ref="sr-11.02_odp"/> awaiting return to service is maintained.</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#sr-11.2_smt"/>
             </part>
             <part id="sr-11.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37553,6 +39563,7 @@
             <prop name="label" class="sp800-53a" value="SR-12"/>
             <p>
                <insert type="param" id-ref="sr-12_odp.01"/> are disposed of using <insert type="param" id-ref="sr-12_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sr-12_smt"/>
          </part>
          <part id="sr-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline_profile.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline_profile.xml
index 4861891c..66731c2b 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline_profile.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_HIGH-baseline_profile.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="beade175-48ad-47c0-ac38-e9c2514cba22">
+         uuid="cd073316-7c58-4c34-9f5c-9eb5aa722683">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE</title>
-      <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE</title>
+      <last-modified>2023-12-04T14:55:00.000000-04:00</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <role id="creator">
          <title>Document Creator</title>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml
index 3b88b9cd..28a622ad 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="8a6a307c-2c1d-47ef-9bcb-6362480d31cb">
+          uuid="64d89a61-c70c-49bc-9e1b-b620e2b3d855">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:44.518316-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE</title>
+      <last-modified>2023-12-05T21:54:50.284874Z</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
              value="OSCAL Profile Resolver XSLT Pipeline OPRXP"/>
@@ -181,18 +181,22 @@
                <part id="ac-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[01]"/>
                   <p>an access control policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[02]"/>
                   <p>the access control policy is disseminated to <insert type="param" id-ref="ac-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[03]"/>
                   <p>access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[04]"/>
                   <p>the access control procedures are disseminated to <insert type="param" id-ref="ac-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.01"/>
@@ -201,41 +205,53 @@
                      <part id="ac-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                   </part>
                   <part id="ac-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.a"/>
             </part>
             <part id="ac-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01b."/>
                <p>the <insert type="param" id-ref="ac-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the access control policy and procedures;</p>
+               <link rel="assessment-for" href="#ac-1_smt.b"/>
             </part>
             <part id="ac-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01c."/>
@@ -244,24 +260,32 @@
                   <part id="ac-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[01]"/>
                      <p>the current access control policy is reviewed and updated <insert type="param" id-ref="ac-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
                   <part id="ac-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[02]"/>
                      <p>the current access control policy is reviewed and updated following <insert type="param" id-ref="ac-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                </part>
                <part id="ac-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01c.02"/>
                   <part id="ac-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[01]"/>
                      <p>the current access control procedures are reviewed and updated <insert type="param" id-ref="ac-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
                   <part id="ac-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[02]"/>
                      <p>the current access control procedures are reviewed and updated following <insert type="param" id-ref="ac-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt"/>
          </part>
          <part id="ac-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -503,131 +527,166 @@
                <part id="ac-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[01]"/>
                   <p>account types allowed for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
                <part id="ac-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[02]"/>
                   <p>account types specifically prohibited for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.a"/>
             </part>
             <part id="ac-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02b."/>
                <p>account managers are assigned;</p>
+               <link rel="assessment-for" href="#ac-2_smt.b"/>
             </part>
             <part id="ac-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02c."/>
                <p>
                   <insert type="param" id-ref="ac-02_odp.01"/> for group and role membership are required;</p>
+               <link rel="assessment-for" href="#ac-2_smt.c"/>
             </part>
             <part id="ac-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02d."/>
                <part id="ac-2_obj.d.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.01"/>
                   <p>authorized users of the system are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.1"/>
                </part>
                <part id="ac-2_obj.d.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.02"/>
                   <p>group and role membership are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.2"/>
                </part>
                <part id="ac-2_obj.d.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.03"/>
                   <part id="ac-2_obj.d.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[01]"/>
                      <p>access authorizations (i.e., privileges) are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
                   <part id="ac-2_obj.d.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[02]"/>
                      <p>
                         <insert type="param" id-ref="ac-02_odp.02"/> are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.d"/>
             </part>
             <part id="ac-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02e."/>
                <p>approvals are required by <insert type="param" id-ref="ac-02_odp.03"/> for requests to create accounts;</p>
+               <link rel="assessment-for" href="#ac-2_smt.e"/>
             </part>
             <part id="ac-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02f."/>
                <part id="ac-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[01]"/>
                   <p>accounts are created in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[02]"/>
                   <p>accounts are enabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[03]"/>
                   <p>accounts are modified in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[04]"/>
                   <p>accounts are disabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[05]"/>
                   <p>accounts are removed in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.f"/>
             </part>
             <part id="ac-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02g."/>
                <p>the use of accounts is monitored; </p>
+               <link rel="assessment-for" href="#ac-2_smt.g"/>
             </part>
             <part id="ac-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02h."/>
                <part id="ac-2_obj.h.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.01"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.06"/> when accounts are no longer required;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.1"/>
                </part>
                <part id="ac-2_obj.h.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.02"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.07"/> when users are terminated or transferred;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.2"/>
                </part>
                <part id="ac-2_obj.h.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.03"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.08"/> when system usage or the need to know changes for an individual;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.h"/>
             </part>
             <part id="ac-2_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02i."/>
                <part id="ac-2_obj.i.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.01"/>
                   <p>access to the system is authorized based on a valid access authorization;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.1"/>
                </part>
                <part id="ac-2_obj.i.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.02"/>
                   <p>access to the system is authorized based on intended system usage;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.2"/>
                </part>
                <part id="ac-2_obj.i.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.03"/>
                   <p>access to the system is authorized based on <insert type="param" id-ref="ac-02_odp.09"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.i"/>
             </part>
             <part id="ac-2_obj.j" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02j."/>
                <p>accounts are reviewed for compliance with account management requirements <insert type="param" id-ref="ac-02_odp.10"/>;</p>
+               <link rel="assessment-for" href="#ac-2_smt.j"/>
             </part>
             <part id="ac-2_obj.k" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02k."/>
                <part id="ac-2_obj.k-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[01]"/>
                   <p>a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
                <part id="ac-2_obj.k-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[02]"/>
                   <p>a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.k"/>
             </part>
             <part id="ac-2_obj.l" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02l."/>
                <part id="ac-2_obj.l-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[01]"/>
                   <p>account management processes are aligned with personnel termination processes;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
                <part id="ac-2_obj.l-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[02]"/>
                   <p>account management processes are aligned with personnel transfer processes.</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.l"/>
             </part>
+            <link rel="assessment-for" href="#ac-2_smt"/>
          </part>
          <part id="ac-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -710,6 +769,7 @@
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-7"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-3"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
@@ -738,6 +798,7 @@
          <part id="ac-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03"/>
             <p>approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.</p>
+            <link rel="assessment-for" href="#ac-3_smt"/>
          </part>
          <part id="ac-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -859,11 +920,14 @@
             <part id="ac-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07a."/>
                <p>a limit of <insert type="param" id-ref="ac-07_odp.01"/> consecutive invalid logon attempts by a user during <insert type="param" id-ref="ac-07_odp.02"/> is enforced;</p>
+               <link rel="assessment-for" href="#ac-7_smt.a"/>
             </part>
             <part id="ac-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07b."/>
                <p>automatically <insert type="param" id-ref="ac-07_odp.03"/> when the maximum number of unsuccessful attempts is exceeded.</p>
+               <link rel="assessment-for" href="#ac-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-7_smt"/>
          </part>
          <part id="ac-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -982,39 +1046,50 @@
                <part id="ac-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.01"/>
                   <p>the system use notification states that users are accessing a U.S. Government system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.1"/>
                </part>
                <part id="ac-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.02"/>
                   <p>the system use notification states that system usage may be monitored, recorded, and subject to audit;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.2"/>
                </part>
                <part id="ac-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.03"/>
                   <p>the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.3"/>
                </part>
                <part id="ac-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.04"/>
                   <p>the system use notification states that use of the system indicates consent to monitoring and recording;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.a"/>
             </part>
             <part id="ac-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08b."/>
                <p>the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;</p>
+               <link rel="assessment-for" href="#ac-8_smt.b"/>
             </part>
             <part id="ac-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08c."/>
                <part id="ac-8_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.01"/>
                   <p>for publicly accessible systems, system use information <insert type="param" id-ref="ac-08_odp.02"/> is displayed before granting further access to the publicly accessible system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.1"/>
                </part>
                <part id="ac-8_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.02"/>
                   <p>for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.2"/>
                </part>
                <part id="ac-8_obj.c.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.03"/>
                   <p>for publicly accessible systems, a description of the authorized uses of the system is included.</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-8_smt"/>
          </part>
          <part id="ac-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1092,18 +1167,23 @@
                <prop name="label" class="sp800-53a" value="AC-14a."/>
                <p>
                   <insert type="param" id-ref="ac-14_odp"/> that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;</p>
+               <link rel="assessment-for" href="#ac-14_smt.a"/>
             </part>
             <part id="ac-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-14b."/>
                <part id="ac-14_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[01]"/>
                   <p>user actions not requiring identification or authentication are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
                <part id="ac-14_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[02]"/>
                   <p>a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-14_smt"/>
          </part>
          <part id="ac-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1181,20 +1261,26 @@
                <part id="ac-17_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[01]"/>
                   <p>usage restrictions are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[02]"/>
                   <p>configuration/connection requirements are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[03]"/>
                   <p>implementation guidance is established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-17_smt.a"/>
             </part>
             <part id="ac-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17b."/>
                <p>each type of remote access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-17_smt"/>
          </part>
          <part id="ac-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1270,20 +1356,26 @@
                <part id="ac-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[01]"/>
                   <p>configuration requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[02]"/>
                   <p>connection requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[03]"/>
                   <p>implementation guidance is established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-18_smt.a"/>
             </part>
             <part id="ac-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-18b."/>
                <p>each type of wireless access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-18_smt"/>
          </part>
          <part id="ac-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1370,20 +1462,26 @@
                <part id="ac-19_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[01]"/>
                   <p>configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[02]"/>
                   <p>connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[03]"/>
                   <p>implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-19_smt.a"/>
             </part>
             <part id="ac-19_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-19b."/>
                <p>the connection of mobile devices to organizational systems is authorized.</p>
+               <link rel="assessment-for" href="#ac-19_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-19_smt"/>
          </part>
          <part id="ac-19_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1507,20 +1605,25 @@
             <part id="ac-20_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20a."/>
                <part id="ac-20_obj.a.1" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.1"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.01"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.1"/>
                </part>
                <part id="ac-20_obj.a.2" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.2"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.02"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-20_smt.a"/>
             </part>
             <part id="ac-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20b."/>
                <p>the use of <insert type="param" id-ref="ac-20_odp.04"/> is prohibited (if applicable).</p>
+               <link rel="assessment-for" href="#ac-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-20_smt"/>
          </part>
          <part id="ac-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1600,26 +1703,33 @@
             <part id="ac-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22a."/>
                <p>designated individuals are authorized to make information publicly accessible;</p>
+               <link rel="assessment-for" href="#ac-22_smt.a"/>
             </part>
             <part id="ac-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22b."/>
                <p>authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;</p>
+               <link rel="assessment-for" href="#ac-22_smt.b"/>
             </part>
             <part id="ac-22_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22c."/>
                <p>the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;</p>
+               <link rel="assessment-for" href="#ac-22_smt.c"/>
             </part>
             <part id="ac-22_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22d."/>
                <part id="ac-22_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[01]"/>
                   <p>the content on the publicly accessible system is reviewed for non-public information <insert type="param" id-ref="ac-22_odp"/>;</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
                <part id="ac-22_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[02]"/>
                   <p>non-public information is removed from the publicly accessible system, if discovered.</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ac-22_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ac-22_smt"/>
          </part>
          <part id="ac-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1797,18 +1907,22 @@
                <part id="at-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[01]"/>
                   <p>an awareness and training policy is developed and documented; </p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[02]"/>
                   <p>the awareness and training policy is disseminated to <insert type="param" id-ref="at-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[03]"/>
                   <p>awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[04]"/>
                   <p>the awareness and training procedures are disseminated to <insert type="param" id-ref="at-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.01"/>
@@ -1817,41 +1931,53 @@
                      <part id="at-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses scope;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses roles;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses compliance; and</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                   </part>
                   <part id="at-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and</p>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.a"/>
             </part>
             <part id="at-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01b."/>
                <p>the <insert type="param" id-ref="at-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;</p>
+               <link rel="assessment-for" href="#at-1_smt.b"/>
             </part>
             <part id="at-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01c."/>
@@ -1860,24 +1986,32 @@
                   <part id="at-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[01]"/>
                      <p>the current awareness and training policy is reviewed and updated <insert type="param" id-ref="at-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
                   <part id="at-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[02]"/>
                      <p>the current awareness and training policy is reviewed and updated following <insert type="param" id-ref="at-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.1"/>
                </part>
                <part id="at-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01c.02"/>
                   <part id="at-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[01]"/>
                      <p>the current awareness and training procedures are reviewed and updated <insert type="param" id-ref="at-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
                   <part id="at-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[02]"/>
                      <p>the current awareness and training procedures are reviewed and updated following <insert type="param" id-ref="at-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt"/>
          </part>
          <part id="at-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2040,52 +2174,67 @@
                   <part id="at-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[03]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.01"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[04]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.02"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.1"/>
                </part>
                <part id="at-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02a.02"/>
                   <part id="at-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
                   <part id="at-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.a"/>
             </part>
             <part id="at-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02b."/>
                <p>
                   <insert type="param" id-ref="at-02_odp.05"/> are employed to increase the security and privacy awareness of system users;</p>
+               <link rel="assessment-for" href="#at-2_smt.b"/>
             </part>
             <part id="at-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02c."/>
                <part id="at-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[01]"/>
                   <p>literacy training and awareness content is updated <insert type="param" id-ref="at-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
                <part id="at-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[02]"/>
                   <p>literacy training and awareness content is updated following <insert type="param" id-ref="at-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.c"/>
             </part>
             <part id="at-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02d."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.</p>
+               <link rel="assessment-for" href="#at-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt"/>
          </part>
          <part id="at-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2142,11 +2291,14 @@
                <part id="at-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[01]"/>
                   <p>literacy training on recognizing potential indicators of insider threat is provided;</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
                <part id="at-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[02]"/>
                   <p>literacy training on reporting potential indicators of insider threat is provided.</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#at-2.2_smt"/>
             </part>
             <part id="at-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2290,49 +2442,63 @@
                   <part id="at-3_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[01]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[02]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[03]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[04]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.1"/>
                </part>
                <part id="at-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03a.02"/>
                   <part id="at-3_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[01]"/>
                      <p>role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
                   <part id="at-3_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[02]"/>
                      <p>role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.a"/>
             </part>
             <part id="at-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03b."/>
                <part id="at-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[01]"/>
                   <p>role-based training content is updated <insert type="param" id-ref="at-03_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
                <part id="at-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[02]"/>
                   <p>role-based training content is updated following <insert type="param" id-ref="at-03_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.b"/>
             </part>
             <part id="at-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03c."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into role-based training.</p>
+               <link rel="assessment-for" href="#at-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt"/>
          </part>
          <part id="at-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2411,16 +2577,21 @@
                <part id="at-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[01]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
                <part id="at-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[02]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#at-4_smt.a"/>
             </part>
             <part id="at-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-04b."/>
                <p>individual training records are retained for <insert type="param" id-ref="at-04_odp"/>.</p>
+               <link rel="assessment-for" href="#at-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#at-4_smt"/>
          </part>
          <part id="at-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2591,18 +2762,22 @@
                <part id="au-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[01]"/>
                   <p>an audit and accountability policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[02]"/>
                   <p>the audit and accountability policy is disseminated to <insert type="param" id-ref="au-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[03]"/>
                   <p>audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[04]"/>
                   <p>the audit and accountability procedures are disseminated to <insert type="param" id-ref="au-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.01"/>
@@ -2611,41 +2786,53 @@
                      <part id="au-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses scope;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses roles;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                   </part>
                   <part id="au-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.a"/>
             </part>
             <part id="au-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01b."/>
                <p>the <insert type="param" id-ref="au-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;</p>
+               <link rel="assessment-for" href="#au-1_smt.b"/>
             </part>
             <part id="au-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01c."/>
@@ -2654,24 +2841,32 @@
                   <part id="au-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[01]"/>
                      <p>the current audit and accountability policy is reviewed and updated <insert type="param" id-ref="au-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
                   <part id="au-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[02]"/>
                      <p>the current audit and accountability policy is reviewed and updated following <insert type="param" id-ref="au-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.1"/>
                </part>
                <part id="au-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01c.02"/>
                   <part id="au-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[01]"/>
                      <p>the current audit and accountability procedures are reviewed and updated <insert type="param" id-ref="au-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
                   <part id="au-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[02]"/>
                      <p>the current audit and accountability procedures are reviewed and updated following <insert type="param" id-ref="au-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt"/>
          </part>
          <part id="au-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2811,10 +3006,12 @@
                <prop name="label" class="sp800-53a" value="AU-02a."/>
                <p>
                   <insert type="param" id-ref="au-02_odp.01"/> that the system is capable of logging are identified in support of the audit logging function;</p>
+               <link rel="assessment-for" href="#au-2_smt.a"/>
             </part>
             <part id="au-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02b."/>
                <p>the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
+               <link rel="assessment-for" href="#au-2_smt.b"/>
             </part>
             <part id="au-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02c."/>
@@ -2822,20 +3019,26 @@
                   <prop name="label" class="sp800-53a" value="AU-02c.[01]"/>
                   <p>
                      <insert type="param" id-ref="au-02_odp.02"/> are specified for logging within the system;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
                <part id="au-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-02c.[02]"/>
                   <p>the specified event types are logged within the system <insert type="param" id-ref="au-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#au-2_smt.c"/>
             </part>
             <part id="au-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02d."/>
                <p>a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;</p>
+               <link rel="assessment-for" href="#au-2_smt.d"/>
             </part>
             <part id="au-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02e."/>
                <p>the event types selected for logging are reviewed and updated <insert type="param" id-ref="au-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#au-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#au-2_smt"/>
          </part>
          <part id="au-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2923,27 +3126,34 @@
             <part id="au-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03a."/>
                <p>audit records contain information that establishes what type of event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.a"/>
             </part>
             <part id="au-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03b."/>
                <p>audit records contain information that establishes when the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.b"/>
             </part>
             <part id="au-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03c."/>
                <p>audit records contain information that establishes where the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.c"/>
             </part>
             <part id="au-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03d."/>
                <p>audit records contain information that establishes the source of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.d"/>
             </part>
             <part id="au-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03e."/>
                <p>audit records contain information that establishes the outcome of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.e"/>
             </part>
             <part id="au-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03f."/>
                <p>audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</p>
+               <link rel="assessment-for" href="#au-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#au-3_smt"/>
          </part>
          <part id="au-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3015,6 +3225,7 @@
          <part id="au-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-04"/>
             <p>audit log storage capacity is allocated to accommodate <insert type="param" id-ref="au-04_odp"/>.</p>
+            <link rel="assessment-for" href="#au-4_smt"/>
          </part>
          <part id="au-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3110,12 +3321,15 @@
                <prop name="label" class="sp800-53a" value="AU-05a."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.01"/> are alerted in the event of an audit logging process failure within <insert type="param" id-ref="au-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#au-5_smt.a"/>
             </part>
             <part id="au-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-05b."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.03"/> are taken in the event of an audit logging process failure.</p>
+               <link rel="assessment-for" href="#au-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-5_smt"/>
          </part>
          <part id="au-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3239,15 +3453,19 @@
             <part id="au-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06a."/>
                <p>system audit records are reviewed and analyzed <insert type="param" id-ref="au-06_odp.01"/> for indications of <insert type="param" id-ref="au-06_odp.02"/> and the potential impact of the inappropriate or unusual activity;</p>
+               <link rel="assessment-for" href="#au-6_smt.a"/>
             </part>
             <part id="au-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06b."/>
                <p>findings are reported to <insert type="param" id-ref="au-06_odp.03"/>;</p>
+               <link rel="assessment-for" href="#au-6_smt.b"/>
             </part>
             <part id="au-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06c."/>
                <p>the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</p>
+               <link rel="assessment-for" href="#au-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-6_smt"/>
          </part>
          <part id="au-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3309,11 +3527,14 @@
             <part id="au-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08a."/>
                <p>internal system clocks are used to generate timestamps for audit records;</p>
+               <link rel="assessment-for" href="#au-8_smt.a"/>
             </part>
             <part id="au-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08b."/>
                <p>timestamps are recorded for audit records that meet <insert type="param" id-ref="au-08_odp"/> and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.</p>
+               <link rel="assessment-for" href="#au-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-8_smt"/>
          </part>
          <part id="au-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3397,12 +3618,15 @@
             <part id="au-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09a."/>
                <p>audit information and audit logging tools are protected from unauthorized access, modification, and deletion;</p>
+               <link rel="assessment-for" href="#au-9_smt.a"/>
             </part>
             <part id="au-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09b."/>
                <p>
                   <insert type="param" id-ref="au-09_odp"/> are alerted upon detection of unauthorized access, modification, or deletion of audit information.</p>
+               <link rel="assessment-for" href="#au-9_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-9_smt"/>
          </part>
          <part id="au-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3476,6 +3700,7 @@
          <part id="au-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-11"/>
             <p>audit records are retained for <insert type="param" id-ref="au-11_odp"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
+            <link rel="assessment-for" href="#au-11_smt"/>
          </part>
          <part id="au-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3568,16 +3793,20 @@
             <part id="au-12_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12a."/>
                <p>audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by <insert type="param" id-ref="au-12_odp.01"/>;</p>
+               <link rel="assessment-for" href="#au-12_smt.a"/>
             </part>
             <part id="au-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12b."/>
                <p>
                   <insert type="param" id-ref="au-12_odp.02"/> is/are allowed to select the event types that are to be logged by specific components of the system;</p>
+               <link rel="assessment-for" href="#au-12_smt.b"/>
             </part>
             <part id="au-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12c."/>
                <p>audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.</p>
+               <link rel="assessment-for" href="#au-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-12_smt"/>
          </part>
          <part id="au-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3760,18 +3989,22 @@
                <part id="ca-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[01]"/>
                   <p>an assessment, authorization, and monitoring policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[02]"/>
                   <p>the assessment, authorization, and monitoring policy is disseminated to <insert type="param" id-ref="ca-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[03]"/>
                   <p>assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[04]"/>
                   <p>the assessment, authorization, and monitoring procedures are disseminated to <insert type="param" id-ref="ca-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.01"/>
@@ -3780,41 +4013,53 @@
                      <part id="ca-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                   </part>
                   <part id="ca-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.a"/>
             </part>
             <part id="ca-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01b."/>
                <p>the <insert type="param" id-ref="ca-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;</p>
+               <link rel="assessment-for" href="#ca-1_smt.b"/>
             </part>
             <part id="ca-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01c."/>
@@ -3823,24 +4068,32 @@
                   <part id="ca-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[01]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated <insert type="param" id-ref="ca-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
                   <part id="ca-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[02]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated following <insert type="param" id-ref="ca-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                </part>
                <part id="ca-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01c.02"/>
                   <part id="ca-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[01]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated <insert type="param" id-ref="ca-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
                   <part id="ca-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[02]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated following <insert type="param" id-ref="ca-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt"/>
          </part>
          <part id="ca-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3962,56 +4215,71 @@
             <part id="ca-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02a."/>
                <p>an appropriate assessor or assessment team is selected for the type of assessment to be conducted;</p>
+               <link rel="assessment-for" href="#ca-2_smt.a"/>
             </part>
             <part id="ca-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02b."/>
                <part id="ca-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.01"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.1"/>
                </part>
                <part id="ca-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.02"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.2"/>
                </part>
                <part id="ca-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.03"/>
                   <part id="ca-2_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[01]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[02]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment team;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[03]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.b"/>
             </part>
             <part id="ca-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02c."/>
                <p>the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.c"/>
             </part>
             <part id="ca-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02d."/>
                <part id="ca-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[01]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
                <part id="ca-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[02]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.d"/>
             </part>
             <part id="ca-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02e."/>
                <p>a control assessment report is produced that documents the results of the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.e"/>
             </part>
             <part id="ca-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02f."/>
                <p>the results of the control assessment are provided to <insert type="param" id-ref="ca-02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ca-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ca-2_smt"/>
          </part>
          <part id="ca-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4123,38 +4391,48 @@
             <part id="ca-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03a."/>
                <p>the exchange of information between the system and other systems is approved and managed using <insert type="param" id-ref="ca-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-3_smt.a"/>
             </part>
             <part id="ca-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03b."/>
                <part id="ca-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[01]"/>
                   <p>the interface characteristics are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[02]"/>
                   <p>security requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[03]"/>
                   <p>privacy requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[04]"/>
                   <p>controls are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[05]"/>
                   <p>responsibilities for each system are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[06]"/>
                   <p>the impact level of the information communicated is documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-3_smt.b"/>
             </part>
             <part id="ca-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03c."/>
                <p>agreements are reviewed and updated <insert type="param" id-ref="ca-03_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-3_smt"/>
          </part>
          <part id="ca-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4233,11 +4511,14 @@
             <part id="ca-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05a."/>
                <p>a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;</p>
+               <link rel="assessment-for" href="#ca-5_smt.a"/>
             </part>
             <part id="ca-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05b."/>
                <p>existing plan of action and milestones are updated <insert type="param" id-ref="ca-05_odp"/> based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p>
+               <link rel="assessment-for" href="#ca-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ca-5_smt"/>
          </part>
          <part id="ca-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4339,30 +4620,38 @@
             <part id="ca-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06a."/>
                <p>a senior official is assigned as the authorizing official for the system;</p>
+               <link rel="assessment-for" href="#ca-6_smt.a"/>
             </part>
             <part id="ca-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06b."/>
                <p>a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.b"/>
             </part>
             <part id="ca-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06c."/>
                <part id="ca-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.01"/>
                   <p>before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.1"/>
                </part>
                <part id="ca-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.02"/>
                   <p>before commencing operations, the authorizing official for the system authorizes the system to operate;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-6_smt.c"/>
             </part>
             <part id="ca-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06d."/>
                <p>the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.d"/>
             </part>
             <part id="ca-6_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06e."/>
                <p>the authorizations are updated <insert type="param" id-ref="ca-06_odp"/>.</p>
+               <link rel="assessment-for" href="#ca-6_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ca-6_smt"/>
          </part>
          <part id="ca-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4572,41 +4861,51 @@
             <part id="ca-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[01]"/>
                <p>a system-level continuous monitoring strategy is developed;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[02]"/>
                <p>system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07a."/>
                <p>system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: <insert type="param" id-ref="ca-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-7_smt.a"/>
             </part>
             <part id="ca-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07b."/>
                <part id="ca-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[01]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.02"/> for monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
                <part id="ca-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[02]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.03"/> for assessment of control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.b"/>
             </part>
             <part id="ca-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07c."/>
                <p>system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.c"/>
             </part>
             <part id="ca-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07d."/>
                <p>system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.d"/>
             </part>
             <part id="ca-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07e."/>
                <p>system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;</p>
+               <link rel="assessment-for" href="#ca-7_smt.e"/>
             </part>
             <part id="ca-7_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07f."/>
                <p>system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;</p>
+               <link rel="assessment-for" href="#ca-7_smt.f"/>
             </part>
             <part id="ca-7_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07g."/>
@@ -4614,13 +4913,17 @@
                   <prop name="label" class="sp800-53a" value="CA-07g.[01]"/>
                   <p>system-level continuous monitoring includes reporting the security status of the system to <insert type="param" id-ref="ca-07_odp.04"/>
                      <insert type="param" id-ref="ca-07_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
                <part id="ca-7_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07g.[02]"/>
                   <p>system-level continuous monitoring includes reporting the privacy status of the system to <insert type="param" id-ref="ca-07_odp.06"/>
                      <insert type="param" id-ref="ca-07_odp.07"/>.</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#ca-7_smt"/>
          </part>
          <part id="ca-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4699,15 +5002,19 @@
                <part id="ca-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(a)"/>
                   <p>effectiveness monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.a"/>
                </part>
                <part id="ca-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(b)"/>
                   <p>compliance monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.b"/>
                </part>
                <part id="ca-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(c)"/>
                   <p>change monitoring is included in risk monitoring.</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ca-7.4_smt"/>
             </part>
             <part id="ca-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4818,34 +5125,43 @@
             <part id="ca-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09a."/>
                <p>internal connections of <insert type="param" id-ref="ca-09_odp.01"/> to the system are authorized;</p>
+               <link rel="assessment-for" href="#ca-9_smt.a"/>
             </part>
             <part id="ca-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09b."/>
                <part id="ca-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[01]"/>
                   <p>for each internal connection, the interface characteristics are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[02]"/>
                   <p>for each internal connection, the security requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[03]"/>
                   <p>for each internal connection, the privacy requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[04]"/>
                   <p>for each internal connection, the nature of the information communicated is documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-9_smt.b"/>
             </part>
             <part id="ca-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09c."/>
                <p>internal system connections are terminated after <insert type="param" id-ref="ca-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ca-9_smt.c"/>
             </part>
             <part id="ca-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09d."/>
                <p>the continued need for each internal connection is reviewed <insert type="param" id-ref="ca-09_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ca-9_smt"/>
          </part>
          <part id="ca-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5025,18 +5341,22 @@
                <part id="cm-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[01]"/>
                   <p>a configuration management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[02]"/>
                   <p>the configuration management policy is disseminated to <insert type="param" id-ref="cm-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[03]"/>
                   <p>configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[04]"/>
                   <p>the configuration management procedures are disseminated to <insert type="param" id-ref="cm-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.01"/>
@@ -5045,41 +5365,53 @@
                      <part id="cm-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                   </part>
                   <part id="cm-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01a.01(b)"/>
                      <p>the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.a"/>
             </part>
             <part id="cm-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01b."/>
                <p>the <insert type="param" id-ref="cm-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#cm-1_smt.b"/>
             </part>
             <part id="cm-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01c."/>
@@ -5088,24 +5420,32 @@
                   <part id="cm-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[01]"/>
                      <p>the current configuration management policy is reviewed and updated <insert type="param" id-ref="cm-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
                   <part id="cm-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[02]"/>
                      <p>the current configuration management policy is reviewed and updated following <insert type="param" id-ref="cm-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                </part>
                <part id="cm-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01c.02"/>
                   <part id="cm-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[01]"/>
                      <p>the current configuration management procedures are reviewed and updated <insert type="param" id-ref="cm-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
                   <part id="cm-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[02]"/>
                      <p>the current configuration management procedures are reviewed and updated following <insert type="param" id-ref="cm-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt"/>
          </part>
          <part id="cm-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5211,27 +5551,35 @@
                <part id="cm-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[01]"/>
                   <p>a current baseline configuration of the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
                <part id="cm-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[02]"/>
                   <p>a current baseline configuration of the system is maintained under configuration control;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.a"/>
             </part>
             <part id="cm-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-02b."/>
                <part id="cm-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.01"/>
                   <p>the baseline configuration of the system is reviewed and updated <insert type="param" id-ref="cm-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.1"/>
                </part>
                <part id="cm-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.02"/>
                   <p>the baseline configuration of the system is reviewed and updated when required due to <insert type="param" id-ref="cm-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.2"/>
                </part>
                <part id="cm-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.03"/>
                   <p>the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-2_smt"/>
          </part>
          <part id="cm-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5304,11 +5652,14 @@
             <part id="cm-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[01]"/>
                <p>changes to the system are analyzed to determine potential security impacts prior to change implementation;</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
             <part id="cm-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[02]"/>
                <p>changes to the system are analyzed to determine potential privacy impacts prior to change implementation.</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-4_smt"/>
          </part>
          <part id="cm-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5382,27 +5733,34 @@
             <part id="cm-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[01]"/>
                <p>physical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[02]"/>
                <p>physical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[03]"/>
                <p>physical access restrictions associated with changes to the system are enforced;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[04]"/>
                <p>logical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[05]"/>
                <p>logical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[06]"/>
                <p>logical access restrictions associated with changes to the system are enforced.</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-5_smt"/>
          </part>
          <part id="cm-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5539,33 +5897,42 @@
             <part id="cm-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06a."/>
                <p>configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using <insert type="param" id-ref="cm-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-6_smt.a"/>
             </part>
             <part id="cm-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06b."/>
                <p>the configuration settings documented in CM-06a are implemented;</p>
+               <link rel="assessment-for" href="#cm-6_smt.b"/>
             </part>
             <part id="cm-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06c."/>
                <part id="cm-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[01]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are identified and documented based on <insert type="param" id-ref="cm-06_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
                <part id="cm-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[02]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are approved;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.c"/>
             </part>
             <part id="cm-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06d."/>
                <part id="cm-6_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[01]"/>
                   <p>changes to the configuration settings are monitored in accordance with organizational policies and procedures;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
                <part id="cm-6_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[02]"/>
                   <p>changes to the configuration settings are controlled in accordance with organizational policies and procedures.</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cm-6_smt"/>
          </part>
          <part id="cm-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5722,30 +6089,38 @@
             <part id="cm-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07a."/>
                <p>the system is configured to provide only <insert type="param" id-ref="cm-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-7_smt.a"/>
             </part>
             <part id="cm-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07b."/>
                <part id="cm-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[01]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.02"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[02]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.03"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[03]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.04"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[04]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.05"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[05]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.06"/> is prohibited or restricted.</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-7_smt"/>
          </part>
          <part id="cm-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5876,28 +6251,36 @@
                <part id="cm-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.01"/>
                   <p>an inventory of system components that accurately reflects the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.1"/>
                </part>
                <part id="cm-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.02"/>
                   <p>an inventory of system components that includes all components within the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.2"/>
                </part>
                <part id="cm-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.03"/>
                   <p>an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.3"/>
                </part>
                <part id="cm-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.04"/>
                   <p>an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.4"/>
                </part>
                <part id="cm-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.05"/>
                   <p>an inventory of system components that includes <insert type="param" id-ref="cm-08_odp.01"/> is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.5"/>
                </part>
+               <link rel="assessment-for" href="#cm-8_smt.a"/>
             </part>
             <part id="cm-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-08b."/>
                <p>the system component inventory is reviewed and updated <insert type="param" id-ref="cm-08_odp.02"/>.</p>
+               <link rel="assessment-for" href="#cm-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-8_smt"/>
          </part>
          <part id="cm-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5968,15 +6351,19 @@
             <part id="cm-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10a."/>
                <p>software and associated documentation are used in accordance with contract agreements and copyright laws;</p>
+               <link rel="assessment-for" href="#cm-10_smt.a"/>
             </part>
             <part id="cm-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10b."/>
                <p>the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;</p>
+               <link rel="assessment-for" href="#cm-10_smt.b"/>
             </part>
             <part id="cm-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10c."/>
                <p>the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
+               <link rel="assessment-for" href="#cm-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-10_smt"/>
          </part>
          <part id="cm-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6081,15 +6468,19 @@
                <prop name="label" class="sp800-53a" value="CM-11a."/>
                <p>
                   <insert type="param" id-ref="cm-11_odp.01"/> governing the installation of software by users are established;</p>
+               <link rel="assessment-for" href="#cm-11_smt.a"/>
             </part>
             <part id="cm-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11b."/>
                <p>software installation policies are enforced through <insert type="param" id-ref="cm-11_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cm-11_smt.b"/>
             </part>
             <part id="cm-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11c."/>
                <p>compliance with <insert type="param" id-ref="cm-11_odp.01"/> is monitored <insert type="param" id-ref="cm-11_odp.03"/>.</p>
+               <link rel="assessment-for" href="#cm-11_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-11_smt"/>
          </part>
          <part id="cm-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6274,18 +6665,22 @@
                <part id="cp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[01]"/>
                   <p>a contingency planning policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[02]"/>
                   <p>the contingency planning policy is disseminated to <insert type="param" id-ref="cp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[03]"/>
                   <p>contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[04]"/>
                   <p>the contingency planning procedures are disseminated to <insert type="param" id-ref="cp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.01"/>
@@ -6294,41 +6689,53 @@
                      <part id="cp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                   </part>
                   <part id="cp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.a"/>
             </part>
             <part id="cp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01b."/>
                <p>the <insert type="param" id-ref="cp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;</p>
+               <link rel="assessment-for" href="#cp-1_smt.b"/>
             </part>
             <part id="cp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01c."/>
@@ -6337,24 +6744,32 @@
                   <part id="cp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[01]"/>
                      <p>the current contingency planning policy is reviewed and updated <insert type="param" id-ref="cp-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
                   <part id="cp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[02]"/>
                      <p>the current contingency planning policy is reviewed and updated following <insert type="param" id-ref="cp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                </part>
                <part id="cp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01c.02"/>
                   <part id="cp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[01]"/>
                      <p>the current contingency planning procedures are reviewed and updated <insert type="param" id-ref="cp-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
                   <part id="cp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[02]"/>
                      <p>the current contingency planning procedures are reviewed and updated following <insert type="param" id-ref="cp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt"/>
          </part>
          <part id="cp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6560,124 +6975,158 @@
                <part id="cp-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.01"/>
                   <p>a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.1"/>
                </part>
                <part id="cp-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.02"/>
                   <part id="cp-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[01]"/>
                      <p>a contingency plan for the system is developed that provides recovery objectives;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[02]"/>
                      <p>a contingency plan for the system is developed that provides restoration priorities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[03]"/>
                      <p>a contingency plan for the system is developed that provides metrics;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                </part>
                <part id="cp-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.03"/>
                   <part id="cp-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[01]"/>
                      <p>a contingency plan for the system is developed that addresses contingency roles;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[02]"/>
                      <p>a contingency plan for the system is developed that addresses contingency responsibilities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[03]"/>
                      <p>a contingency plan for the system is developed that addresses assigned individuals with contact information;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                </part>
                <part id="cp-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.04"/>
                   <p>a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.4"/>
                </part>
                <part id="cp-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.05"/>
                   <p>a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.5"/>
                </part>
                <part id="cp-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.06"/>
                   <p>a contingency plan for the system is developed that addresses the sharing of contingency information;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.6"/>
                </part>
                <part id="cp-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.07"/>
                   <part id="cp-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[01]"/>
                      <p>a contingency plan for the system is developed that is reviewed by <insert type="param" id-ref="cp-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
                   <part id="cp-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[02]"/>
                      <p>a contingency plan for the system is developed that is approved by <insert type="param" id-ref="cp-02_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.a"/>
             </part>
             <part id="cp-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02b."/>
                <part id="cp-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[01]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
                <part id="cp-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[02]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.b"/>
             </part>
             <part id="cp-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02c."/>
                <p>contingency planning activities are coordinated with incident handling activities;</p>
+               <link rel="assessment-for" href="#cp-2_smt.c"/>
             </part>
             <part id="cp-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02d."/>
                <p>the contingency plan for the system is reviewed <insert type="param" id-ref="cp-02_odp.05"/>;</p>
+               <link rel="assessment-for" href="#cp-2_smt.d"/>
             </part>
             <part id="cp-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02e."/>
                <part id="cp-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[01]"/>
                   <p>the contingency plan is updated to address changes to the organization, system, or environment of operation;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
                <part id="cp-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[02]"/>
                   <p>the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.e"/>
             </part>
             <part id="cp-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02f."/>
                <part id="cp-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[01]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
                <part id="cp-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[02]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.f"/>
             </part>
             <part id="cp-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02g."/>
                <part id="cp-2_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[01]"/>
                   <p>lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
                <part id="cp-2_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[02]"/>
                   <p>lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.g"/>
             </part>
             <part id="cp-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02h."/>
                <part id="cp-2_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[01]"/>
                   <p>the contingency plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
                <part id="cp-2_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[02]"/>
                   <p>the contingency plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.h"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt"/>
          </part>
          <part id="cp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6796,27 +7245,35 @@
                <part id="cp-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.01"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="cp-03_odp.01"/> of assuming a contingency role or responsibility;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.1"/>
                </part>
                <part id="cp-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.02"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.2"/>
                </part>
                <part id="cp-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.03"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="cp-03_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.a"/>
             </part>
             <part id="cp-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-03b."/>
                <part id="cp-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[01]"/>
                   <p>the contingency plan training content is reviewed and updated <insert type="param" id-ref="cp-03_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
                <part id="cp-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[02]"/>
                   <p>the contingency plan training content is reviewed and updated following <insert type="param" id-ref="cp-03_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-3_smt"/>
          </part>
          <part id="cp-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6928,26 +7385,33 @@
                <part id="cp-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[01]"/>
                   <p>the contingency plan for the system is tested <insert type="param" id-ref="cp-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[02]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.02"/> are used to determine the effectiveness of the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[03]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.03"/> are used to determine the readiness to execute the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cp-4_smt.a"/>
             </part>
             <part id="cp-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04b."/>
                <p>the contingency plan test results are reviewed;</p>
+               <link rel="assessment-for" href="#cp-4_smt.b"/>
             </part>
             <part id="cp-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04c."/>
                <p>corrective actions are initiated, if needed.</p>
+               <link rel="assessment-for" href="#cp-4_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-4_smt"/>
          </part>
          <part id="cp-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7070,30 +7534,38 @@
             <part id="cp-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09a."/>
                <p>backups of user-level information contained in <insert type="param" id-ref="cp-09_odp.01"/> are conducted <insert type="param" id-ref="cp-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.a"/>
             </part>
             <part id="cp-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09b."/>
                <p>backups of system-level information contained in the system are conducted <insert type="param" id-ref="cp-09_odp.03"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.b"/>
             </part>
             <part id="cp-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09c."/>
                <p>backups of system documentation, including security- and privacy-related documentation are conducted <insert type="param" id-ref="cp-09_odp.04"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.c"/>
             </part>
             <part id="cp-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09d."/>
                <part id="cp-9_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[01]"/>
                   <p>the confidentiality of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[02]"/>
                   <p>the integrity of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[03]"/>
                   <p>the availability of backup information is protected.</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cp-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cp-9_smt"/>
          </part>
          <part id="cp-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7178,11 +7650,14 @@
             <part id="cp-10_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[01]"/>
                <p>the recovery of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.01"/> after a disruption, compromise, or failure;</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
             <part id="cp-10_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[02]"/>
                <p>a reconstitution of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.02"/> after a disruption, compromise, or failure.</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
+            <link rel="assessment-for" href="#cp-10_smt"/>
          </part>
          <part id="cp-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7367,18 +7842,22 @@
                <part id="ia-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[01]"/>
                   <p>an identification and authentication policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[02]"/>
                   <p>the identification and authentication policy is disseminated to <insert type="param" id-ref="ia-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[03]"/>
                   <p>identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[04]"/>
                   <p>the identification and authentication procedures are disseminated to <insert type="param" id-ref="ia-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.01"/>
@@ -7387,41 +7866,53 @@
                      <part id="ia-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                   </part>
                   <part id="ia-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.a"/>
             </part>
             <part id="ia-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01b."/>
                <p>the <insert type="param" id-ref="ia-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;</p>
+               <link rel="assessment-for" href="#ia-1_smt.b"/>
             </part>
             <part id="ia-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01c."/>
@@ -7430,24 +7921,32 @@
                   <part id="ia-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[01]"/>
                      <p>the current identification and authentication policy is reviewed and updated <insert type="param" id-ref="ia-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
                   <part id="ia-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[02]"/>
                      <p>the current identification and authentication policy is reviewed and updated following <insert type="param" id-ref="ia-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                </part>
                <part id="ia-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01c.02"/>
                   <part id="ia-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[01]"/>
                      <p>the current identification and authentication procedures are reviewed and updated <insert type="param" id-ref="ia-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
                   <part id="ia-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[02]"/>
                      <p>the current identification and authentication procedures are reviewed and updated following <insert type="param" id-ref="ia-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt"/>
          </part>
          <part id="ia-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7509,6 +8008,7 @@
          <link rel="related" href="#ia-4"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-8"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
          <link rel="related" href="#pe-2"/>
@@ -7528,11 +8028,14 @@
             <part id="ia-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[01]"/>
                <p>organizational users are uniquely identified and authenticated;</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
             <part id="ia-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[02]"/>
                <p>the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#ia-2_smt"/>
          </part>
          <part id="ia-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7586,6 +8089,7 @@
             <part id="ia-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(01)"/>
                <p>multi-factor authentication is implemented for access to privileged accounts.</p>
+               <link rel="assessment-for" href="#ia-2.1_smt"/>
             </part>
             <part id="ia-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7639,6 +8143,7 @@
             <part id="ia-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(02)"/>
                <p>multi-factor authentication for access to non-privileged accounts is implemented.</p>
+               <link rel="assessment-for" href="#ia-2.2_smt"/>
             </part>
             <part id="ia-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7699,6 +8204,7 @@
             <part id="ia-2.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(08)"/>
                <p>replay-resistant authentication mechanisms for access to <insert type="param" id-ref="ia-02.08_odp"/> are implemented.</p>
+               <link rel="assessment-for" href="#ia-2.8_smt"/>
             </part>
             <part id="ia-2.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7752,6 +8258,7 @@
             <part id="ia-2.12_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(12)"/>
                <p>Personal Identity Verification-compliant credentials are accepted and electronically verified.</p>
+               <link rel="assessment-for" href="#ia-2.12_smt"/>
             </part>
             <part id="ia-2.12_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7862,19 +8369,24 @@
             <part id="ia-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04a."/>
                <p>system identifiers are managed by receiving authorization from <insert type="param" id-ref="ia-04_odp.01"/> to assign to an individual, group, role, or device identifier;</p>
+               <link rel="assessment-for" href="#ia-4_smt.a"/>
             </part>
             <part id="ia-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04b."/>
                <p>system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.b"/>
             </part>
             <part id="ia-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04c."/>
                <p>system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.c"/>
             </part>
             <part id="ia-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04d."/>
                <p>system identifiers are managed by preventing reuse of identifiers for <insert type="param" id-ref="ia-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ia-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ia-4_smt"/>
          </part>
          <part id="ia-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8010,46 +8522,58 @@
             <part id="ia-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05a."/>
                <p>system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;</p>
+               <link rel="assessment-for" href="#ia-5_smt.a"/>
             </part>
             <part id="ia-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05b."/>
                <p>system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;</p>
+               <link rel="assessment-for" href="#ia-5_smt.b"/>
             </part>
             <part id="ia-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05c."/>
                <p>system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.c"/>
             </part>
             <part id="ia-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05d."/>
                <p>system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;</p>
+               <link rel="assessment-for" href="#ia-5_smt.d"/>
             </part>
             <part id="ia-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05e."/>
                <p>system authenticators are managed through the change of default authenticators prior to first use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.e"/>
             </part>
             <part id="ia-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05f."/>
                <p>system authenticators are managed through the change or refreshment of authenticators <insert type="param" id-ref="ia-05_odp.01"/> or when <insert type="param" id-ref="ia-05_odp.02"/> occur;</p>
+               <link rel="assessment-for" href="#ia-5_smt.f"/>
             </part>
             <part id="ia-5_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05g."/>
                <p>system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;</p>
+               <link rel="assessment-for" href="#ia-5_smt.g"/>
             </part>
             <part id="ia-5_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05h."/>
                <part id="ia-5_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[01]"/>
                   <p>system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
                <part id="ia-5_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[02]"/>
                   <p>system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5_smt.h"/>
             </part>
             <part id="ia-5_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05i."/>
                <p>system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.</p>
+               <link rel="assessment-for" href="#ia-5_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#ia-5_smt"/>
          </part>
          <part id="ia-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8154,35 +8678,44 @@
                <part id="ia-5.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(a)"/>
                   <p>for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated <insert type="param" id-ref="ia-05.01_odp.01"/> and when organizational passwords are suspected to have been compromised directly or indirectly;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.a"/>
                </part>
                <part id="ia-5.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(b)"/>
                   <p>for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.b"/>
                </part>
                <part id="ia-5.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(c)"/>
                   <p>for password-based authentication, passwords are only transmitted over cryptographically protected channels;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.c"/>
                </part>
                <part id="ia-5.1_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(d)"/>
                   <p>for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.d"/>
                </part>
                <part id="ia-5.1_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(e)"/>
                   <p>for password-based authentication, immediate selection of a new password is required upon account recovery;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.e"/>
                </part>
                <part id="ia-5.1_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(f)"/>
                   <p>for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.f"/>
                </part>
                <part id="ia-5.1_obj.g" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(g)"/>
                   <p>for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.g"/>
                </part>
                <part id="ia-5.1_obj.h" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(h)"/>
                   <p>for password-based authentication, <insert type="param" id-ref="ia-05.01_odp.02"/> are enforced.</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5.1_smt"/>
             </part>
             <part id="ia-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8235,6 +8768,7 @@
          <part id="ia-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-06"/>
             <p>the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</p>
+            <link rel="assessment-for" href="#ia-6_smt"/>
          </part>
          <part id="ia-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8289,6 +8823,7 @@
          <part id="ia-7_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-07"/>
             <p>mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.</p>
+            <link rel="assessment-for" href="#ia-7_smt"/>
          </part>
          <part id="ia-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8347,6 +8882,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-10"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ra-3"/>
          <link rel="related" href="#sa-4"/>
@@ -8360,6 +8896,7 @@
          <part id="ia-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08"/>
             <p>non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.</p>
+            <link rel="assessment-for" href="#ia-8_smt"/>
          </part>
          <part id="ia-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8414,11 +8951,14 @@
                <part id="ia-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[01]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
                <part id="ia-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[02]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.1_smt"/>
             </part>
             <part id="ia-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8483,18 +9023,23 @@
                <part id="ia-8.2_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(a)"/>
                   <p>only external authenticators that are NIST-compliant are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.2_smt.a"/>
                </part>
                <part id="ia-8.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(b)"/>
                   <part id="ia-8.2_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[01]"/>
                      <p>a list of accepted external authenticators is documented;</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
                   <part id="ia-8.2_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[02]"/>
                      <p>a list of accepted external authenticators is maintained.</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.2_smt"/>
             </part>
             <part id="ia-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8559,6 +9104,7 @@
             <part id="ia-8.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-08(04)"/>
                <p>there is conformance with <insert type="param" id-ref="ia-08.04_odp"/> for identity management.</p>
+               <link rel="assessment-for" href="#ia-8.4_smt"/>
             </part>
             <part id="ia-8.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8630,6 +9176,7 @@
          <part id="ia-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-11"/>
             <p>users are required to re-authenticate when <insert type="param" id-ref="ia-11_odp"/>.</p>
+            <link rel="assessment-for" href="#ia-11_smt"/>
          </part>
          <part id="ia-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8810,18 +9357,22 @@
                <part id="ir-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[01]"/>
                   <p>an incident response policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[02]"/>
                   <p>the incident response policy is disseminated to <insert type="param" id-ref="ir-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[03]"/>
                   <p>incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[04]"/>
                   <p>the incident response procedures are disseminated to <insert type="param" id-ref="ir-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.01"/>
@@ -8830,41 +9381,53 @@
                      <part id="ir-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                   </part>
                   <part id="ir-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.a"/>
             </part>
             <part id="ir-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01b."/>
                <p>the <insert type="param" id-ref="ir-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;</p>
+               <link rel="assessment-for" href="#ir-1_smt.b"/>
             </part>
             <part id="ir-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01c."/>
@@ -8873,24 +9436,32 @@
                   <part id="ir-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[01]"/>
                      <p>the current incident response policy is reviewed and updated <insert type="param" id-ref="ir-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
                   <part id="ir-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[02]"/>
                      <p>the current incident response policy is reviewed and updated following <insert type="param" id-ref="ir-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                </part>
                <part id="ir-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01c.02"/>
                   <part id="ir-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[01]"/>
                      <p>the current incident response procedures are reviewed and updated <insert type="param" id-ref="ir-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
                   <part id="ir-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[02]"/>
                      <p>the current incident response procedures are reviewed and updated following <insert type="param" id-ref="ir-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt"/>
          </part>
          <part id="ir-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8997,27 +9568,35 @@
                <part id="ir-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.01"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="ir-02_odp.01"/> of assuming an incident response role or responsibility or acquiring system access;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.1"/>
                </part>
                <part id="ir-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.02"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.2"/>
                </part>
                <part id="ir-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.03"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="ir-02_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.a"/>
             </part>
             <part id="ir-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02b."/>
                <part id="ir-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[01]"/>
                   <p>incident response training content is reviewed and updated <insert type="param" id-ref="ir-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
                <part id="ir-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[02]"/>
                   <p>incident response training content is reviewed and updated following <insert type="param" id-ref="ir-02_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-2_smt"/>
          </part>
          <part id="ir-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9111,62 +9690,79 @@
                <part id="ir-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[01]"/>
                   <p>an incident handling capability for incidents is implemented that is consistent with the incident response plan;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[02]"/>
                   <p>the incident handling capability for incidents includes preparation;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[03]"/>
                   <p>the incident handling capability for incidents includes detection and analysis;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[04]"/>
                   <p>the incident handling capability for incidents includes containment;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[05]"/>
                   <p>the incident handling capability for incidents includes eradication;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[06]"/>
                   <p>the incident handling capability for incidents includes recovery;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.a"/>
             </part>
             <part id="ir-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04b."/>
                <p>incident handling activities are coordinated with contingency planning activities;</p>
+               <link rel="assessment-for" href="#ir-4_smt.b"/>
             </part>
             <part id="ir-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04c."/>
                <part id="ir-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[01]"/>
                   <p>lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
                <part id="ir-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[02]"/>
                   <p>the changes resulting from the incorporated lessons learned are implemented accordingly;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.c"/>
             </part>
             <part id="ir-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04d."/>
                <part id="ir-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[01]"/>
                   <p>the rigor of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[02]"/>
                   <p>the intensity of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[03]"/>
                   <p>the scope of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[04]"/>
                   <p>the results of incident handling activities are comparable and predictable across the organization.</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ir-4_smt"/>
          </part>
          <part id="ir-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9234,11 +9830,14 @@
             <part id="ir-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[01]"/>
                <p>incidents are tracked;</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
             <part id="ir-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[02]"/>
                <p>incidents are documented.</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-5_smt"/>
          </part>
          <part id="ir-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9322,11 +9921,14 @@
             <part id="ir-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06a."/>
                <p>personnel is/are required to report suspected incidents to the organizational incident response capability within <insert type="param" id-ref="ir-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ir-6_smt.a"/>
             </part>
             <part id="ir-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06b."/>
                <p>incident information is reported to <insert type="param" id-ref="ir-06_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ir-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-6_smt"/>
          </part>
          <part id="ir-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9391,11 +9993,14 @@
             <part id="ir-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[01]"/>
                <p>an incident response support resource, integral to the organizational incident response capability, is provided;</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
             <part id="ir-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[02]"/>
                <p>the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-7_smt"/>
          </part>
          <part id="ir-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9590,82 +10195,104 @@
                <part id="ir-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.01"/>
                   <p>an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.1"/>
                </part>
                <part id="ir-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.02"/>
                   <p>an incident response plan is developed that describes the structure and organization of the incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.2"/>
                </part>
                <part id="ir-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.03"/>
                   <p>an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.3"/>
                </part>
                <part id="ir-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.04"/>
                   <p>an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.4"/>
                </part>
                <part id="ir-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.05"/>
                   <p>an incident response plan is developed that defines reportable incidents;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.5"/>
                </part>
                <part id="ir-8_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.06"/>
                   <p>an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.6"/>
                </part>
                <part id="ir-8_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.07"/>
                   <p>an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.7"/>
                </part>
                <part id="ir-8_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.08"/>
                   <p>an incident response plan is developed that addresses the sharing of incident information;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.8"/>
                </part>
                <part id="ir-8_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.09"/>
                   <p>an incident response plan is developed that is reviewed and approved by <insert type="param" id-ref="ir-08_odp.01"/>
                      <insert type="param" id-ref="ir-08_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.9"/>
                </part>
                <part id="ir-8_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.10"/>
                   <p>an incident response plan is developed that explicitly designates responsibility for incident response to <insert type="param" id-ref="ir-08_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.10"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.a"/>
             </part>
             <part id="ir-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08b."/>
                <part id="ir-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[01]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
                <part id="ir-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[02]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.b"/>
             </part>
             <part id="ir-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08c."/>
                <p>the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
+               <link rel="assessment-for" href="#ir-8_smt.c"/>
             </part>
             <part id="ir-8_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08d."/>
                <part id="ir-8_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[01]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
                <part id="ir-8_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[02]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.d"/>
             </part>
             <part id="ir-8_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08e."/>
                <part id="ir-8_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[01]"/>
                   <p>the incident response plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
                <part id="ir-8_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[02]"/>
                   <p>the incident response plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ir-8_smt"/>
          </part>
          <part id="ir-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9839,18 +10466,22 @@
                <part id="ma-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[01]"/>
                   <p>a maintenance policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[02]"/>
                   <p>the maintenance policy is disseminated to <insert type="param" id-ref="ma-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[03]"/>
                   <p>maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[04]"/>
                   <p>the maintenance procedures are disseminated to <insert type="param" id-ref="ma-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.01"/>
@@ -9859,41 +10490,53 @@
                      <part id="ma-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                   </part>
                   <part id="ma-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.a"/>
             </part>
             <part id="ma-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01b."/>
                <p>the <insert type="param" id-ref="ma-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;</p>
+               <link rel="assessment-for" href="#ma-1_smt.b"/>
             </part>
             <part id="ma-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01c."/>
@@ -9902,24 +10545,32 @@
                   <part id="ma-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[01]"/>
                      <p>the current maintenance policy is reviewed and updated <insert type="param" id-ref="ma-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
                   <part id="ma-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[02]"/>
                      <p>the current maintenance policy is reviewed and updated following <insert type="param" id-ref="ma-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                </part>
                <part id="ma-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01c.02"/>
                   <part id="ma-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[01]"/>
                      <p>the current maintenance procedures are reviewed and updated <insert type="param" id-ref="ma-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
                   <part id="ma-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[02]"/>
                      <p>the current maintenance procedures are reviewed and updated following <insert type="param" id-ref="ma-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt"/>
          </part>
          <part id="ma-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10023,45 +10674,57 @@
                <part id="ma-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[01]"/>
                   <p>maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[02]"/>
                   <p>maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[03]"/>
                   <p>records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.a"/>
             </part>
             <part id="ma-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02b."/>
                <part id="ma-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[01]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
                <part id="ma-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[02]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.b"/>
             </part>
             <part id="ma-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02c."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.01"/> is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.c"/>
             </part>
             <part id="ma-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02d."/>
                <p>equipment is sanitized to remove <insert type="param" id-ref="ma-02_odp.02"/> from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.d"/>
             </part>
             <part id="ma-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02e."/>
                <p>all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;</p>
+               <link rel="assessment-for" href="#ma-2_smt.e"/>
             </part>
             <part id="ma-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02f."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.03"/> is included in organizational maintenance records.</p>
+               <link rel="assessment-for" href="#ma-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ma-2_smt"/>
          </part>
          <part id="ma-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10158,42 +10821,54 @@
                <part id="ma-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[01]"/>
                   <p>nonlocal maintenance and diagnostic activities are approved;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
                <part id="ma-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[02]"/>
                   <p>nonlocal maintenance and diagnostic activities are monitored;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.a"/>
             </part>
             <part id="ma-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04b."/>
                <part id="ma-4_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[01]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
                <part id="ma-4_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[02]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.b"/>
             </part>
             <part id="ma-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04c."/>
                <p>strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;</p>
+               <link rel="assessment-for" href="#ma-4_smt.c"/>
             </part>
             <part id="ma-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04d."/>
                <p>records for nonlocal maintenance and diagnostic activities are maintained;</p>
+               <link rel="assessment-for" href="#ma-4_smt.d"/>
             </part>
             <part id="ma-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04e."/>
                <part id="ma-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[01]"/>
                   <p>session connections are terminated when nonlocal maintenance is completed;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
                <part id="ma-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[02]"/>
                   <p>network connections are terminated when nonlocal maintenance is completed.</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ma-4_smt"/>
          </part>
          <part id="ma-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10276,20 +10951,26 @@
                <part id="ma-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[01]"/>
                   <p>a process for maintenance personnel authorization is established;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
                <part id="ma-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[02]"/>
                   <p>a list of authorized maintenance organizations or personnel is maintained;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-5_smt.a"/>
             </part>
             <part id="ma-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05b."/>
                <p>non-escorted personnel performing maintenance on the system possess the required access authorizations;</p>
+               <link rel="assessment-for" href="#ma-5_smt.b"/>
             </part>
             <part id="ma-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05c."/>
                <p>organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
+               <link rel="assessment-for" href="#ma-5_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-5_smt"/>
          </part>
          <part id="ma-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10466,18 +11147,22 @@
                <part id="mp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[01]"/>
                   <p>a media protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[02]"/>
                   <p>the media protection policy is disseminated to <insert type="param" id-ref="mp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[03]"/>
                   <p>media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[04]"/>
                   <p>the media protection procedures are disseminated to <insert type="param" id-ref="mp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.01"/>
@@ -10486,41 +11171,53 @@
                      <part id="mp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy compliance;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                   </part>
                   <part id="mp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01a.01(b)"/>
                      <p>the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.a"/>
             </part>
             <part id="mp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01b."/>
                <p>the <insert type="param" id-ref="mp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</p>
+               <link rel="assessment-for" href="#mp-1_smt.b"/>
             </part>
             <part id="mp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01c."/>
@@ -10529,24 +11226,32 @@
                   <part id="mp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[01]"/>
                      <p>the current media protection policy is reviewed and updated <insert type="param" id-ref="mp-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
                   <part id="mp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[02]"/>
                      <p>the current media protection policy is reviewed and updated following <insert type="param" id-ref="mp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                </part>
                <part id="mp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01c.02"/>
                   <part id="mp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[01]"/>
                      <p>the current media protection procedures are reviewed and updated <insert type="param" id-ref="mp-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
                   <part id="mp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[02]"/>
                      <p>the current media protection procedures are reviewed and updated following <insert type="param" id-ref="mp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt"/>
          </part>
          <part id="mp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10650,11 +11355,14 @@
             <part id="mp-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[01]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.01"/> is restricted to <insert type="param" id-ref="mp-02_odp.02"/>;</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
             <part id="mp-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[02]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.03"/> is restricted to <insert type="param" id-ref="mp-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#mp-2_smt"/>
          </part>
          <part id="mp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10805,22 +11513,28 @@
                   <prop name="label" class="sp800-53a" value="MP-06a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.01"/> is sanitized using <insert type="param" id-ref="mp-06_odp.04"/> prior to disposal;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.02"/> is sanitized using <insert type="param" id-ref="mp-06_odp.05"/> prior to release from organizational control;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.03"/> is sanitized using <insert type="param" id-ref="mp-06_odp.06"/> prior to release for reuse;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-6_smt.a"/>
             </part>
             <part id="mp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-06b."/>
                <p>sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.</p>
+               <link rel="assessment-for" href="#mp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-6_smt"/>
          </part>
          <part id="mp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10926,11 +11640,14 @@
             <part id="mp-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07a."/>
                <p>the use of <insert type="param" id-ref="mp-07_odp.01"/> is <insert type="param" id-ref="mp-07_odp.02"/> on <insert type="param" id-ref="mp-07_odp.03"/> using <insert type="param" id-ref="mp-07_odp.04"/>;</p>
+               <link rel="assessment-for" href="#mp-7_smt.a"/>
             </part>
             <part id="mp-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07b."/>
                <p>the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.</p>
+               <link rel="assessment-for" href="#mp-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-7_smt"/>
          </part>
          <part id="mp-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11108,18 +11825,22 @@
                <part id="pe-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[01]"/>
                   <p>a physical and environmental protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[02]"/>
                   <p>the physical and environmental protection policy is disseminated to <insert type="param" id-ref="pe-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[03]"/>
                   <p>physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[04]"/>
                   <p>the physical and environmental protection procedures are disseminated to <insert type="param" id-ref="pe-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.01"/>
@@ -11128,41 +11849,53 @@
                      <part id="pe-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                   </part>
                   <part id="pe-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.a"/>
             </part>
             <part id="pe-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01b."/>
                <p>the <insert type="param" id-ref="pe-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;</p>
+               <link rel="assessment-for" href="#pe-1_smt.b"/>
             </part>
             <part id="pe-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01c."/>
@@ -11171,24 +11904,32 @@
                   <part id="pe-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[01]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated <insert type="param" id-ref="pe-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
                   <part id="pe-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[02]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated following <insert type="param" id-ref="pe-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                </part>
                <part id="pe-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01c.02"/>
                   <part id="pe-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[01]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated <insert type="param" id-ref="pe-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
                   <part id="pe-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[02]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated following <insert type="param" id-ref="pe-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt"/>
          </part>
          <part id="pe-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11272,28 +12013,36 @@
                <part id="pe-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[01]"/>
                   <p>a list of individuals with authorized access to the facility where the system resides has been developed;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[02]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been approved;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[03]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been maintained;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-2_smt.a"/>
             </part>
             <part id="pe-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02b."/>
                <p>authorization credentials are issued for facility access;</p>
+               <link rel="assessment-for" href="#pe-2_smt.b"/>
             </part>
             <part id="pe-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02c."/>
                <p>the access list detailing authorized facility access by individuals is reviewed <insert type="param" id-ref="pe-02_odp"/>;</p>
+               <link rel="assessment-for" href="#pe-2_smt.c"/>
             </part>
             <part id="pe-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02d."/>
                <p>individuals are removed from the facility access list when access is no longer required.</p>
+               <link rel="assessment-for" href="#pe-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pe-2_smt"/>
          </part>
          <part id="pe-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11509,62 +12258,79 @@
                <part id="pe-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.01"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by verifying individual access authorizations before granting access to the facility;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.1"/>
                </part>
                <part id="pe-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.02"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by controlling ingress and egress to the facility using <insert type="param" id-ref="pe-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.a"/>
             </part>
             <part id="pe-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03b."/>
                <p>physical access audit logs are maintained for <insert type="param" id-ref="pe-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.b"/>
             </part>
             <part id="pe-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03c."/>
                <p>access to areas within the facility designated as publicly accessible are maintained by implementing <insert type="param" id-ref="pe-03_odp.05"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.c"/>
             </part>
             <part id="pe-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03d."/>
                <part id="pe-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[01]"/>
                   <p>visitors are escorted;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
                <part id="pe-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[02]"/>
                   <p>visitor activity is controlled <insert type="param" id-ref="pe-03_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.d"/>
             </part>
             <part id="pe-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03e."/>
                <part id="pe-3_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[01]"/>
                   <p>keys are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[02]"/>
                   <p>combinations are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[03]"/>
                   <p>other physical access devices are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.e"/>
             </part>
             <part id="pe-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03f."/>
                <p>
                   <insert type="param" id-ref="pe-03_odp.07"/> are inventoried <insert type="param" id-ref="pe-03_odp.08"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.f"/>
             </part>
             <part id="pe-3_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03g."/>
                <part id="pe-3_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[01]"/>
                   <p>combinations are changed <insert type="param" id-ref="pe-03_odp.09"/> , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
                <part id="pe-3_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[02]"/>
                   <p>keys are changed <insert type="param" id-ref="pe-03_odp.10"/> , when keys are lost, or when individuals possessing the keys are transferred or terminated.</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#pe-3_smt"/>
          </part>
          <part id="pe-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11661,29 +12427,37 @@
             <part id="pe-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06a."/>
                <p>physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;</p>
+               <link rel="assessment-for" href="#pe-6_smt.a"/>
             </part>
             <part id="pe-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06b."/>
                <part id="pe-6_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[01]"/>
                   <p>physical access logs are reviewed <insert type="param" id-ref="pe-06_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
                <part id="pe-6_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[02]"/>
                   <p>physical access logs are reviewed upon occurrence of <insert type="param" id-ref="pe-06_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.b"/>
             </part>
             <part id="pe-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06c."/>
                <part id="pe-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[01]"/>
                   <p>results of reviews are coordinated with organizational incident response capabilities;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
                <part id="pe-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[02]"/>
                   <p>results of investigations are coordinated with organizational incident response capabilities.</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-6_smt"/>
          </part>
          <part id="pe-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11777,15 +12551,19 @@
             <part id="pe-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08a."/>
                <p>visitor access records for the facility where the system resides are maintained for <insert type="param" id-ref="pe-08_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.a"/>
             </part>
             <part id="pe-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08b."/>
                <p>visitor access records are reviewed <insert type="param" id-ref="pe-08_odp.02"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.b"/>
             </part>
             <part id="pe-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08c."/>
                <p>visitor access records anomalies are reported to <insert type="param" id-ref="pe-08_odp.03"/>.</p>
+               <link rel="assessment-for" href="#pe-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-8_smt"/>
          </part>
          <part id="pe-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11840,19 +12618,24 @@
             <part id="pe-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[01]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[02]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[03]"/>
                <p>automatic emergency lighting for the system covers emergency exits within the facility;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[04]"/>
                <p>automatic emergency lighting for the system covers evacuation routes within the facility.</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-12_smt"/>
          </part>
          <part id="pe-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11903,27 +12686,34 @@
             <part id="pe-13_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[01]"/>
                <p>fire detection systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[02]"/>
                <p>employed fire detection systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[03]"/>
                <p>employed fire detection systems are maintained;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[04]"/>
                <p>fire suppression systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[05]"/>
                <p>employed fire suppression systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[06]"/>
                <p>employed fire suppression systems are maintained.</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-13_smt"/>
          </part>
          <part id="pe-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12020,11 +12810,14 @@
                <prop name="label" class="sp800-53a" value="PE-14a."/>
                <p>
                   <insert type="param" id-ref="pe-14_odp.01"/> levels are maintained at <insert type="param" id-ref="pe-14_odp.03"/> within the facility where the system resides;</p>
+               <link rel="assessment-for" href="#pe-14_smt.a"/>
             </part>
             <part id="pe-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-14b."/>
                <p>environmental control levels are monitored <insert type="param" id-ref="pe-14_odp.04"/>.</p>
+               <link rel="assessment-for" href="#pe-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-14_smt"/>
          </part>
          <part id="pe-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12077,19 +12870,24 @@
             <part id="pe-15_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[01]"/>
                <p>the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[02]"/>
                <p>the master shutoff or isolation valves are accessible;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[03]"/>
                <p>the master shutoff or isolation valves are working properly;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[04]"/>
                <p>the master shutoff or isolation valves are known to key personnel.</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-15_smt"/>
          </part>
          <part id="pe-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12184,27 +12982,34 @@
                   <prop name="label" class="sp800-53a" value="PE-16a.[01]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are authorized when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[02]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are controlled when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[03]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are authorized when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[04]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are controlled when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-16_smt.a"/>
             </part>
             <part id="pe-16_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-16b."/>
                <p>records of the system components are maintained.</p>
+               <link rel="assessment-for" href="#pe-16_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-16_smt"/>
          </part>
          <part id="pe-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12379,18 +13184,22 @@
                <part id="pl-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[01]"/>
                   <p>a planning policy is developed and documented.</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[02]"/>
                   <p>the planning policy is disseminated to <insert type="param" id-ref="pl-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[03]"/>
                   <p>planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[04]"/>
                   <p>the planning procedures are disseminated to <insert type="param" id-ref="pl-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.01"/>
@@ -12399,41 +13208,53 @@
                      <part id="pl-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                   </part>
                   <part id="pl-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.a"/>
             </part>
             <part id="pl-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01b."/>
                <p>the <insert type="param" id-ref="pl-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the planning policy and procedures;</p>
+               <link rel="assessment-for" href="#pl-1_smt.b"/>
             </part>
             <part id="pl-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01c."/>
@@ -12442,24 +13263,32 @@
                   <part id="pl-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[01]"/>
                      <p>the current planning policy is reviewed and updated <insert type="param" id-ref="pl-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
                   <part id="pl-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[02]"/>
                      <p>the current planning policy is reviewed and updated following <insert type="param" id-ref="pl-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                </part>
                <part id="pl-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01c.02"/>
                   <part id="pl-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[01]"/>
                      <p>the current planning procedures are reviewed and updated <insert type="param" id-ref="pl-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
                   <part id="pl-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[02]"/>
                      <p>the current planning procedures are reviewed and updated following <insert type="param" id-ref="pl-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt"/>
          </part>
          <part id="pl-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12654,208 +13483,266 @@
                   <part id="pl-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[01]"/>
                      <p>a security plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
                   <part id="pl-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[02]"/>
                      <p>a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                </part>
                <part id="pl-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.02"/>
                   <part id="pl-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[01]"/>
                      <p>a security plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
                   <part id="pl-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[02]"/>
                      <p>a privacy plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                </part>
                <part id="pl-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.03"/>
                   <part id="pl-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[01]"/>
                      <p>a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
                   <part id="pl-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                </part>
                <part id="pl-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.04"/>
                   <part id="pl-2_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[01]"/>
                      <p>a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
                   <part id="pl-2_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[02]"/>
                      <p>a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                </part>
                <part id="pl-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.05"/>
                   <part id="pl-2_obj.a.5-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[01]"/>
                      <p>a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
                   <part id="pl-2_obj.a.5-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[02]"/>
                      <p>a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                </part>
                <part id="pl-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.06"/>
                   <part id="pl-2_obj.a.6-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[01]"/>
                      <p>a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
                   <part id="pl-2_obj.a.6-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[02]"/>
                      <p>a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                </part>
                <part id="pl-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.07"/>
                   <part id="pl-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[01]"/>
                      <p>a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
                   <part id="pl-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[02]"/>
                      <p>a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                </part>
                <part id="pl-2_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.08"/>
                   <part id="pl-2_obj.a.8-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[01]"/>
                      <p>a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
                   <part id="pl-2_obj.a.8-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[02]"/>
                      <p>a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                </part>
                <part id="pl-2_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.09"/>
                   <part id="pl-2_obj.a.9-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[01]"/>
                      <p>a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
                   <part id="pl-2_obj.a.9-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                </part>
                <part id="pl-2_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.10"/>
                   <part id="pl-2_obj.a.10-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[01]"/>
                      <p>a security plan for the system is developed that provides an overview of the security requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
                   <part id="pl-2_obj.a.10-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[02]"/>
                      <p>a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                </part>
                <part id="pl-2_obj.a.11" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.11"/>
                   <part id="pl-2_obj.a.11-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[01]"/>
                      <p>a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
                   <part id="pl-2_obj.a.11-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[02]"/>
                      <p>a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                </part>
                <part id="pl-2_obj.a.12" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.12"/>
                   <part id="pl-2_obj.a.12-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[01]"/>
                      <p>a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
                   <part id="pl-2_obj.a.12-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[02]"/>
                      <p>a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                </part>
                <part id="pl-2_obj.a.13" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.13"/>
                   <part id="pl-2_obj.a.13-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[01]"/>
                      <p>a security plan for the system is developed that includes risk determinations for security architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
                   <part id="pl-2_obj.a.13-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[02]"/>
                      <p>a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                </part>
                <part id="pl-2_obj.a.14" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.14"/>
                   <part id="pl-2_obj.a.14-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[01]"/>
                      <p>a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
                   <part id="pl-2_obj.a.14-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[02]"/>
                      <p>a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                </part>
                <part id="pl-2_obj.a.15" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.15"/>
                   <part id="pl-2_obj.a.15-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[01]"/>
                      <p>a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
                   <part id="pl-2_obj.a.15-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[02]"/>
                      <p>a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.a"/>
             </part>
             <part id="pl-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02b."/>
                <part id="pl-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[01]"/>
                   <p>copies of the plans are distributed to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
                <part id="pl-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[02]"/>
                   <p>subsequent changes to the plans are communicated to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.b"/>
             </part>
             <part id="pl-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02c."/>
                <p>plans are reviewed <insert type="param" id-ref="pl-02_odp.03"/>;</p>
+               <link rel="assessment-for" href="#pl-2_smt.c"/>
             </part>
             <part id="pl-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02d."/>
                <part id="pl-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[01]"/>
                   <p>plans are updated to address changes to the system and environment of operations;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[02]"/>
                   <p>plans are updated to address problems identified during the plan implementation;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[03]"/>
                   <p>plans are updated to address problems identified during control assessments;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.d"/>
             </part>
             <part id="pl-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02e."/>
                <part id="pl-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[01]"/>
                   <p>plans are protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
                <part id="pl-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[02]"/>
                   <p>plans are protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt"/>
          </part>
          <part id="pl-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12979,24 +13866,31 @@
                <part id="pl-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[01]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
                <part id="pl-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[02]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pl-4_smt.a"/>
             </part>
             <part id="pl-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04b."/>
                <p>before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;</p>
+               <link rel="assessment-for" href="#pl-4_smt.b"/>
             </part>
             <part id="pl-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04c."/>
                <p>rules of behavior are reviewed and updated <insert type="param" id-ref="pl-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pl-4_smt.c"/>
             </part>
             <part id="pl-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04d."/>
                <p>individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge <insert type="param" id-ref="pl-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#pl-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pl-4_smt"/>
          </part>
          <part id="pl-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13065,15 +13959,19 @@
                <part id="pl-4.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(a)"/>
                   <p>the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.a"/>
                </part>
                <part id="pl-4.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(b)"/>
                   <p>the rules of behavior include restrictions on posting organizational information on public websites;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.b"/>
                </part>
                <part id="pl-4.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(c)"/>
                   <p>the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-4.1_smt"/>
             </part>
             <part id="pl-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13138,6 +14036,7 @@
          <part id="pl-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-10"/>
             <p>a control baseline for the system is selected.</p>
+            <link rel="assessment-for" href="#pl-10_smt"/>
          </part>
          <part id="pl-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13206,6 +14105,7 @@
          <part id="pl-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-11"/>
             <p>the selected control baseline is tailored by applying specified tailoring actions.</p>
+            <link rel="assessment-for" href="#pl-11_smt"/>
          </part>
          <part id="pl-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13383,18 +14283,22 @@
                <part id="ps-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[01]"/>
                   <p>a personnel security policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[02]"/>
                   <p>the personnel security policy is disseminated to <insert type="param" id-ref="ps-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[03]"/>
                   <p>personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[04]"/>
                   <p>the personnel security procedures are disseminated to <insert type="param" id-ref="ps-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.01"/>
@@ -13403,41 +14307,53 @@
                      <part id="ps-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                   </part>
                   <part id="ps-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.a"/>
             </part>
             <part id="ps-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01b."/>
                <p>the <insert type="param" id-ref="ps-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;</p>
+               <link rel="assessment-for" href="#ps-1_smt.b"/>
             </part>
             <part id="ps-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01c."/>
@@ -13446,24 +14362,32 @@
                   <part id="ps-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[01]"/>
                      <p>the current personnel security policy is reviewed and updated <insert type="param" id-ref="ps-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
                   <part id="ps-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[02]"/>
                      <p>the current personnel security policy is reviewed and updated following <insert type="param" id-ref="ps-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                </part>
                <part id="ps-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01c.02"/>
                   <part id="ps-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[01]"/>
                      <p>the current personnel security procedures are reviewed and updated <insert type="param" id-ref="ps-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
                   <part id="ps-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[02]"/>
                      <p>the current personnel security procedures are reviewed and updated following <insert type="param" id-ref="ps-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt"/>
          </part>
          <part id="ps-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13537,15 +14461,19 @@
             <part id="ps-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02a."/>
                <p>a risk designation is assigned to all organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.a"/>
             </part>
             <part id="ps-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02b."/>
                <p>screening criteria are established for individuals filling organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.b"/>
             </part>
             <part id="ps-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02c."/>
                <p>position risk designations are reviewed and updated <insert type="param" id-ref="ps-02_odp"/>.</p>
+               <link rel="assessment-for" href="#ps-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-2_smt"/>
          </part>
          <part id="ps-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13644,18 +14572,23 @@
             <part id="ps-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03a."/>
                <p>individuals are screened prior to authorizing access to the system;</p>
+               <link rel="assessment-for" href="#ps-3_smt.a"/>
             </part>
             <part id="ps-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03b."/>
                <part id="ps-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[01]"/>
                   <p>individuals are rescreened in accordance with <insert type="param" id-ref="ps-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
                <part id="ps-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[02]"/>
                   <p>where rescreening is so indicated, individuals are rescreened <insert type="param" id-ref="ps-03_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ps-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-3_smt"/>
          </part>
          <part id="ps-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13745,23 +14678,29 @@
             <part id="ps-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04a."/>
                <p>upon termination of individual employment, system access is disabled within <insert type="param" id-ref="ps-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-4_smt.a"/>
             </part>
             <part id="ps-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04b."/>
                <p>upon termination of individual employment, any authenticators and credentials are terminated or revoked;</p>
+               <link rel="assessment-for" href="#ps-4_smt.b"/>
             </part>
             <part id="ps-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04c."/>
                <p>upon termination of individual employment, exit interviews that include a discussion of <insert type="param" id-ref="ps-04_odp.02"/> are conducted;</p>
+               <link rel="assessment-for" href="#ps-4_smt.c"/>
             </part>
             <part id="ps-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04d."/>
                <p>upon termination of individual employment, all security-related organizational system-related property is retrieved;</p>
+               <link rel="assessment-for" href="#ps-4_smt.d"/>
             </part>
             <part id="ps-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04e."/>
                <p>upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.</p>
+               <link rel="assessment-for" href="#ps-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-4_smt"/>
          </part>
          <part id="ps-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13869,21 +14808,26 @@
             <part id="ps-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05a."/>
                <p>the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;</p>
+               <link rel="assessment-for" href="#ps-5_smt.a"/>
             </part>
             <part id="ps-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05b."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.01"/> are initiated within <insert type="param" id-ref="ps-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-5_smt.b"/>
             </part>
             <part id="ps-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05c."/>
                <p>access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;</p>
+               <link rel="assessment-for" href="#ps-5_smt.c"/>
             </part>
             <part id="ps-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05d."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.03"/> are notified within <insert type="param" id-ref="ps-05_odp.04"/>.</p>
+               <link rel="assessment-for" href="#ps-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ps-5_smt"/>
          </part>
          <part id="ps-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13984,22 +14928,28 @@
             <part id="ps-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06a."/>
                <p>access agreements are developed and documented for organizational systems;</p>
+               <link rel="assessment-for" href="#ps-6_smt.a"/>
             </part>
             <part id="ps-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06b."/>
                <p>the access agreements are reviewed and updated <insert type="param" id-ref="ps-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-6_smt.b"/>
             </part>
             <part id="ps-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06c."/>
                <part id="ps-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.01"/>
                   <p>individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.1"/>
                </part>
                <part id="ps-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.02"/>
                   <p>individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert type="param" id-ref="ps-06_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-6_smt"/>
          </part>
          <part id="ps-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14106,23 +15056,29 @@
             <part id="ps-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07a."/>
                <p>personnel security requirements are established, including security roles and responsibilities for external providers;</p>
+               <link rel="assessment-for" href="#ps-7_smt.a"/>
             </part>
             <part id="ps-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07b."/>
                <p>external providers are required to comply with personnel security policies and procedures established by the organization;</p>
+               <link rel="assessment-for" href="#ps-7_smt.b"/>
             </part>
             <part id="ps-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07c."/>
                <p>personnel security requirements are documented;</p>
+               <link rel="assessment-for" href="#ps-7_smt.c"/>
             </part>
             <part id="ps-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07d."/>
                <p>external providers are required to notify <insert type="param" id-ref="ps-07_odp.01"/> of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within <insert type="param" id-ref="ps-07_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-7_smt.d"/>
             </part>
             <part id="ps-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07e."/>
                <p>provider compliance with personnel security requirements is monitored.</p>
+               <link rel="assessment-for" href="#ps-7_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-7_smt"/>
          </part>
          <part id="ps-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14204,12 +15160,15 @@
             <part id="ps-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08a."/>
                <p>a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;</p>
+               <link rel="assessment-for" href="#ps-8_smt.a"/>
             </part>
             <part id="ps-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08b."/>
                <p>
                   <insert type="param" id-ref="ps-08_odp.01"/> is/are notified within <insert type="param" id-ref="ps-08_odp.02"/> when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
+               <link rel="assessment-for" href="#ps-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-8_smt"/>
          </part>
          <part id="ps-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14265,11 +15224,14 @@
             <part id="ps-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[01]"/>
                <p>security roles and responsibilities are incorporated into organizational position descriptions;</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
             <part id="ps-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[02]"/>
                <p>privacy roles and responsibilities are incorporated into organizational position descriptions.</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
+            <link rel="assessment-for" href="#ps-9_smt"/>
          </part>
          <part id="ps-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14445,18 +15407,22 @@
                <part id="ra-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[01]"/>
                   <p>a risk assessment policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[02]"/>
                   <p>the risk assessment policy is disseminated to <insert type="param" id-ref="ra-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[03]"/>
                   <p>risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[04]"/>
                   <p>the risk assessment procedures are disseminated to <insert type="param" id-ref="ra-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.01"/>
@@ -14465,41 +15431,53 @@
                      <part id="ra-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                   </part>
                   <part id="ra-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.a"/>
             </part>
             <part id="ra-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01b."/>
                <p>the <insert type="param" id-ref="ra-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;</p>
+               <link rel="assessment-for" href="#ra-1_smt.b"/>
             </part>
             <part id="ra-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01c."/>
@@ -14508,24 +15486,32 @@
                   <part id="ra-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[01]"/>
                      <p>the current risk assessment policy is reviewed and updated <insert type="param" id-ref="ra-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
                   <part id="ra-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[02]"/>
                      <p>the current risk assessment policy is reviewed and updated following <insert type="param" id-ref="ra-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                </part>
                <part id="ra-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01c.02"/>
                   <part id="ra-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[01]"/>
                      <p>the current risk assessment procedures are reviewed and updated <insert type="param" id-ref="ra-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
                   <part id="ra-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[02]"/>
                      <p>the current risk assessment procedures are reviewed and updated following <insert type="param" id-ref="ra-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt"/>
          </part>
          <part id="ra-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14602,15 +15588,19 @@
             <part id="ra-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02a."/>
                <p>the system and the information it processes, stores, and transmits are categorized;</p>
+               <link rel="assessment-for" href="#ra-2_smt.a"/>
             </part>
             <part id="ra-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02b."/>
                <p>the security categorization results, including supporting rationale, are documented in the security plan for the system;</p>
+               <link rel="assessment-for" href="#ra-2_smt.b"/>
             </part>
             <part id="ra-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02c."/>
                <p>the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
+               <link rel="assessment-for" href="#ra-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-2_smt"/>
          </part>
          <part id="ra-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14778,36 +15768,46 @@
                <part id="ra-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.01"/>
                   <p>a risk assessment is conducted to identify threats to and vulnerabilities in the system;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.1"/>
                </part>
                <part id="ra-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.02"/>
                   <p>a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.2"/>
                </part>
                <part id="ra-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.03"/>
                   <p>a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-3_smt.a"/>
             </part>
             <part id="ra-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03b."/>
                <p>risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;</p>
+               <link rel="assessment-for" href="#ra-3_smt.b"/>
             </part>
             <part id="ra-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03c."/>
                <p>risk assessment results are documented in <insert type="param" id-ref="ra-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.c"/>
             </part>
             <part id="ra-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03d."/>
                <p>risk assessment results are reviewed <insert type="param" id-ref="ra-03_odp.03"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.d"/>
             </part>
             <part id="ra-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03e."/>
                <p>risk assessment results are disseminated to <insert type="param" id-ref="ra-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.e"/>
             </part>
             <part id="ra-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03f."/>
                <p>the risk assessment is updated <insert type="param" id-ref="ra-03_odp.05"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
+               <link rel="assessment-for" href="#ra-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-3_smt"/>
          </part>
          <part id="ra-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14893,11 +15893,14 @@
                <part id="ra-3.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(a)"/>
                   <p>supply chain risks associated with <insert type="param" id-ref="ra-03.01_odp.01"/> are assessed;</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.a"/>
                </part>
                <part id="ra-3.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(b)"/>
                   <p>the supply chain risk assessment is updated <insert type="param" id-ref="ra-03.01_odp.02"/> , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ra-3.1_smt"/>
             </part>
             <part id="ra-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15064,11 +16067,14 @@
                <part id="ra-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[01]"/>
                   <p>systems and hosted applications are monitored for vulnerabilities <insert type="param" id-ref="ra-05_odp.01"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
                <part id="ra-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[02]"/>
                   <p>systems and hosted applications are scanned for vulnerabilities <insert type="param" id-ref="ra-05_odp.02"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.a"/>
             </part>
             <part id="ra-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05b."/>
@@ -15076,32 +16082,41 @@
                <part id="ra-5_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.01"/>
                   <p>vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.1"/>
                </part>
                <part id="ra-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.02"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.2"/>
                </part>
                <part id="ra-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.03"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.b"/>
             </part>
             <part id="ra-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05c."/>
                <p>vulnerability scan reports and results from vulnerability monitoring are analyzed;</p>
+               <link rel="assessment-for" href="#ra-5_smt.c"/>
             </part>
             <part id="ra-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05d."/>
                <p>legitimate vulnerabilities are remediated <insert type="param" id-ref="ra-05_odp.03"/> in accordance with an organizational assessment of risk;</p>
+               <link rel="assessment-for" href="#ra-5_smt.d"/>
             </part>
             <part id="ra-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05e."/>
                <p>information obtained from the vulnerability monitoring process and control assessments is shared with <insert type="param" id-ref="ra-05_odp.04"/> to help eliminate similar vulnerabilities in other systems;</p>
+               <link rel="assessment-for" href="#ra-5_smt.e"/>
             </part>
             <part id="ra-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05f."/>
                <p>vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.</p>
+               <link rel="assessment-for" href="#ra-5_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-5_smt"/>
          </part>
          <part id="ra-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15178,6 +16193,7 @@
             <part id="ra-5.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(02)"/>
                <p>the system vulnerabilities to be scanned are updated <insert type="param" id-ref="ra-05.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#ra-5.2_smt"/>
             </part>
             <part id="ra-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15232,6 +16248,7 @@
             <part id="ra-5.11_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(11)"/>
                <p>a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.</p>
+               <link rel="assessment-for" href="#ra-5.11_smt"/>
             </part>
             <part id="ra-5.11_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15304,19 +16321,24 @@
             <part id="ra-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[01]"/>
                <p>findings from security assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[02]"/>
                <p>findings from privacy assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[03]"/>
                <p>findings from monitoring are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[04]"/>
                <p>findings from audits are responded to in accordance with organizational risk tolerance.</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ra-7_smt"/>
          </part>
          <part id="ra-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15493,18 +16515,22 @@
                <part id="sa-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[01]"/>
                   <p>a system and services acquisition policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[02]"/>
                   <p>the system and services acquisition policy is disseminated to <insert type="param" id-ref="sa-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[03]"/>
                   <p>system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[04]"/>
                   <p>the system and services acquisition procedures are disseminated to <insert type="param" id-ref="sa-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.01"/>
@@ -15513,41 +16539,53 @@
                      <part id="sa-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                   </part>
                   <part id="sa-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.a"/>
             </part>
             <part id="sa-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01b."/>
                <p>the <insert type="param" id-ref="sa-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;</p>
+               <link rel="assessment-for" href="#sa-1_smt.b"/>
             </part>
             <part id="sa-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01c."/>
@@ -15556,24 +16594,32 @@
                   <part id="sa-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[01]"/>
                      <p>the system and services acquisition policy is reviewed and updated <insert type="param" id-ref="sa-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
                   <part id="sa-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[02]"/>
                      <p>the current system and services acquisition policy is reviewed and updated following <insert type="param" id-ref="sa-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                </part>
                <part id="sa-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01c.02"/>
                   <part id="sa-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[01]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated <insert type="param" id-ref="sa-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
                   <part id="sa-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[02]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated following <insert type="param" id-ref="sa-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt"/>
          </part>
          <part id="sa-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15643,34 +16689,44 @@
                <part id="sa-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[01]"/>
                   <p>the high-level information security requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
                <part id="sa-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[02]"/>
                   <p>the high-level privacy requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.a"/>
             </part>
             <part id="sa-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02b."/>
                <part id="sa-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[01]"/>
                   <p>the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
                <part id="sa-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[02]"/>
                   <p>the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.b"/>
             </part>
             <part id="sa-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02c."/>
                <part id="sa-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[01]"/>
                   <p>a discrete line item for information security is established in organizational programming and budgeting documentation;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
                <part id="sa-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[02]"/>
                   <p>a discrete line item for privacy is established in organizational programming and budgeting documentation.</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-2_smt"/>
          </part>
          <part id="sa-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15778,45 +16834,58 @@
                <part id="sa-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[01]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates information security considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
                <part id="sa-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[02]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates privacy considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.a"/>
             </part>
             <part id="sa-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03b."/>
                <part id="sa-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[01]"/>
                   <p>information security roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
                <part id="sa-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[02]"/>
                   <p>privacy roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.b"/>
             </part>
             <part id="sa-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03c."/>
                <part id="sa-3_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[01]"/>
                   <p>individuals with information security roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
                <part id="sa-3_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[02]"/>
                   <p>individuals with privacy roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.c"/>
             </part>
             <part id="sa-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03d."/>
                <part id="sa-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[01]"/>
                   <p>organizational information security risk management processes are integrated into system development life cycle activities;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
                <part id="sa-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[02]"/>
                   <p>organizational privacy risk management processes are integrated into system development life cycle activities.</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-3_smt"/>
          </part>
          <part id="sa-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15972,83 +17041,106 @@
                <part id="sa-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[01]"/>
                   <p>security functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
                <part id="sa-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[02]"/>
                   <p>privacy functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.a"/>
             </part>
             <part id="sa-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04b."/>
                <p>strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.b"/>
             </part>
             <part id="sa-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04c."/>
                <part id="sa-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[01]"/>
                   <p>security assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
                <part id="sa-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[02]"/>
                   <p>privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.c"/>
             </part>
             <part id="sa-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04d."/>
                <part id="sa-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[01]"/>
                   <p>controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
                <part id="sa-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[02]"/>
                   <p>controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.d"/>
             </part>
             <part id="sa-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04e."/>
                <part id="sa-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[01]"/>
                   <p>security documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
                <part id="sa-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[02]"/>
                   <p>privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.e"/>
             </part>
             <part id="sa-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04f."/>
                <part id="sa-4_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[01]"/>
                   <p>requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
                <part id="sa-4_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[02]"/>
                   <p>requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.f"/>
             </part>
             <part id="sa-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04g."/>
                <p>the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.g"/>
             </part>
             <part id="sa-4_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04h."/>
                <part id="sa-4_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[01]"/>
                   <p>the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[02]"/>
                   <p>the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[03]"/>
                   <p>the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.h"/>
             </part>
             <part id="sa-4_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04i."/>
                <p>acceptance criteria requirements and descriptions are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service.</p>
+               <link rel="assessment-for" href="#sa-4_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#sa-4_smt"/>
          </part>
          <part id="sa-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16109,6 +17201,7 @@
             <part id="sa-4.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(10)"/>
                <p>only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.</p>
+               <link rel="assessment-for" href="#sa-4.10_smt"/>
             </part>
             <part id="sa-4.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16246,46 +17339,59 @@
                   <part id="sa-5_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                </part>
                <part id="sa-5_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.02"/>
                   <part id="sa-5_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[04]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                </part>
                <part id="sa-5_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.03"/>
                   <part id="sa-5_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
                   <part id="sa-5_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.a"/>
             </part>
             <part id="sa-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05b."/>
@@ -16294,58 +17400,75 @@
                   <part id="sa-5_obj.b.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[02]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[03]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[04]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                </part>
                <part id="sa-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.02"/>
                   <part id="sa-5_obj.b.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[01]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
                   <part id="sa-5_obj.b.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[02]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                </part>
                <part id="sa-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.03"/>
                   <part id="sa-5_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
                   <part id="sa-5_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[02]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.b"/>
             </part>
             <part id="sa-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05c."/>
                <part id="sa-5_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[01]"/>
                   <p>attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
                <part id="sa-5_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[02]"/>
                   <p>after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, <insert type="param" id-ref="sa-05_odp.01"/> are taken in response;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.c"/>
             </part>
             <part id="sa-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05d."/>
                <p>documentation is distributed to <insert type="param" id-ref="sa-05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sa-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt"/>
          </part>
          <part id="sa-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16461,52 +17584,63 @@
                <prop name="label" class="sp800-53a" value="SA-08[01]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[02]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[03]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[04]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[05]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the modification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[06]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-7" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[07]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-8" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[08]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-9" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[09]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-10" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[10]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the modification of the system and system components.</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
+            <link rel="assessment-for" href="#sa-8_smt"/>
          </part>
          <part id="sa-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16612,32 +17746,41 @@
                <part id="sa-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[01]"/>
                   <p>providers of external system services comply with organizational security requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[02]"/>
                   <p>providers of external system services comply with organizational privacy requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[03]"/>
                   <p>providers of external system services employ <insert type="param" id-ref="sa-09_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.a"/>
             </part>
             <part id="sa-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09b."/>
                <part id="sa-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[01]"/>
                   <p>organizational oversight with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
                <part id="sa-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[02]"/>
                   <p>user roles and responsibilities with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.b"/>
             </part>
             <part id="sa-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09c."/>
                <p>
                   <insert type="param" id-ref="sa-09_odp.02"/> are employed to monitor control compliance by external service providers on an ongoing basis.</p>
+               <link rel="assessment-for" href="#sa-9_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-9_smt"/>
          </part>
          <part id="sa-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16728,12 +17871,15 @@
             <part id="sa-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22a."/>
                <p>system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;</p>
+               <link rel="assessment-for" href="#sa-22_smt.a"/>
             </part>
             <part id="sa-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22b."/>
                <p>
                   <insert type="param" id-ref="sa-22_odp.01"/> provide options for alternative sources for continued support for unsupported components.</p>
+               <link rel="assessment-for" href="#sa-22_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-22_smt"/>
          </part>
          <part id="sa-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16909,18 +18055,22 @@
                <part id="sc-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[01]"/>
                   <p>a system and communications protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[02]"/>
                   <p>the system and communications protection policy is disseminated to <insert type="param" id-ref="sc-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[03]"/>
                   <p>system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[04]"/>
                   <p>the system and communications protection procedures are disseminated to <insert type="param" id-ref="sc-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.01"/>
@@ -16929,41 +18079,53 @@
                      <part id="sc-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                   </part>
                   <part id="sc-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.a"/>
             </part>
             <part id="sc-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01b."/>
                <p>the <insert type="param" id-ref="sc-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;</p>
+               <link rel="assessment-for" href="#sc-1_smt.b"/>
             </part>
             <part id="sc-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01c."/>
@@ -16972,24 +18134,32 @@
                   <part id="sc-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[01]"/>
                      <p>the current system and communications protection policy is reviewed and updated <insert type="param" id-ref="sc-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
                   <part id="sc-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[02]"/>
                      <p>the current system and communications protection policy is reviewed and updated following <insert type="param" id-ref="sc-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                </part>
                <part id="sc-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01c.02"/>
                   <part id="sc-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[01]"/>
                      <p>the current system and communications protection procedures are reviewed and updated <insert type="param" id-ref="sc-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
                   <part id="sc-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[02]"/>
                      <p>the current system and communications protection procedures are reviewed and updated following <insert type="param" id-ref="sc-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt"/>
          </part>
          <part id="sc-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17070,12 +18240,15 @@
             <part id="sc-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05a."/>
                <p>the effects of <insert type="param" id-ref="sc-05_odp.01"/> are <insert type="param" id-ref="sc-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#sc-5_smt.a"/>
             </part>
             <part id="sc-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05b."/>
                <p>
                   <insert type="param" id-ref="sc-05_odp.03"/> are employed to achieve the denial-of-service protection objective.</p>
+               <link rel="assessment-for" href="#sc-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-5_smt"/>
          </part>
          <part id="sc-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17181,28 +18354,36 @@
                <part id="sc-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[01]"/>
                   <p>communications at external managed interfaces to the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[02]"/>
                   <p>communications at external managed interfaces to the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[03]"/>
                   <p>communications at key internal managed interfaces within the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[04]"/>
                   <p>communications at key internal managed interfaces within the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-7_smt.a"/>
             </part>
             <part id="sc-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07b."/>
                <p>subnetworks for publicly accessible system components are <insert type="param" id-ref="sc-07_odp"/> separated from internal organizational networks;</p>
+               <link rel="assessment-for" href="#sc-7_smt.b"/>
             </part>
             <part id="sc-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07c."/>
                <p>external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
+               <link rel="assessment-for" href="#sc-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-7_smt"/>
          </part>
          <part id="sc-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17276,6 +18457,7 @@
          <link rel="related" href="#cm-3"/>
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#sa-4"/>
          <link rel="related" href="#sa-8"/>
          <link rel="related" href="#sa-9"/>
@@ -17300,11 +18482,14 @@
             <part id="sc-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[01]"/>
                <p>cryptographic keys are established when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
             <part id="sc-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[02]"/>
                <p>cryptographic keys are managed when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>.</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-12_smt"/>
          </part>
          <part id="sc-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17378,6 +18563,7 @@
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#mp-2"/>
          <link rel="related" href="#mp-4"/>
@@ -17412,12 +18598,15 @@
                <prop name="label" class="sp800-53a" value="SC-13a."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.01"/> are identified;</p>
+               <link rel="assessment-for" href="#sc-13_smt.a"/>
             </part>
             <part id="sc-13_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-13b."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.02"/> for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.</p>
+               <link rel="assessment-for" href="#sc-13_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-13_smt"/>
          </part>
          <part id="sc-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17488,11 +18677,14 @@
             <part id="sc-15_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15a."/>
                <p>remote activation of collaborative computing devices and applications is prohibited except <insert type="param" id-ref="sc-15_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-15_smt.a"/>
             </part>
             <part id="sc-15_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15b."/>
                <p>an explicit indication of use is provided to users physically present at the devices.</p>
+               <link rel="assessment-for" href="#sc-15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-15_smt"/>
          </part>
          <part id="sc-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17564,23 +18756,30 @@
                <part id="sc-20_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[01]"/>
                   <p>additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
                <part id="sc-20_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[02]"/>
                   <p>integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.a"/>
             </part>
             <part id="sc-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-20b."/>
                <part id="sc-20_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[01]"/>
                   <p>the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
                <part id="sc-20_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[02]"/>
                   <p>the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-20_smt"/>
          </part>
          <part id="sc-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17633,19 +18832,24 @@
             <part id="sc-21_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[01]"/>
                <p>data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[02]"/>
                <p>data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[03]"/>
                <p>data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[04]"/>
                <p>data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-21_smt"/>
          </part>
          <part id="sc-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17701,15 +18905,19 @@
             <part id="sc-22_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[01]"/>
                <p>the systems that collectively provide name/address resolution services for an organization are fault-tolerant;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[02]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement internal role separation;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[03]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement external role separation.</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-22_smt"/>
          </part>
          <part id="sc-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17772,6 +18980,7 @@
          <part id="sc-39_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-39"/>
             <p>a separate execution domain is maintained for each executing system process.</p>
+            <link rel="assessment-for" href="#sc-39_smt"/>
          </part>
          <part id="sc-39_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17942,18 +19151,22 @@
                <part id="si-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[01]"/>
                   <p>a system and information integrity policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[02]"/>
                   <p>the system and information integrity policy is disseminated to <insert type="param" id-ref="si-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[03]"/>
                   <p>system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[04]"/>
                   <p>the system and information integrity procedures are disseminated to <insert type="param" id-ref="si-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.01"/>
@@ -17962,41 +19175,53 @@
                      <part id="si-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses scope;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses roles;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                   </part>
                   <part id="si-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.a"/>
             </part>
             <part id="si-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01b."/>
                <p>the <insert type="param" id-ref="si-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;</p>
+               <link rel="assessment-for" href="#si-1_smt.b"/>
             </part>
             <part id="si-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01c."/>
@@ -18005,24 +19230,32 @@
                   <part id="si-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[01]"/>
                      <p>the current system and information integrity policy is reviewed and updated <insert type="param" id-ref="si-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
                   <part id="si-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[02]"/>
                      <p>the current system and information integrity policy is reviewed and updated following <insert type="param" id-ref="si-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.1"/>
                </part>
                <part id="si-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01c.02"/>
                   <part id="si-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[01]"/>
                      <p>the current system and information integrity procedures are reviewed and updated <insert type="param" id-ref="si-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
                   <part id="si-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[02]"/>
                      <p>the current system and information integrity procedures are reviewed and updated following <insert type="param" id-ref="si-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt"/>
          </part>
          <part id="si-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18111,50 +19344,64 @@
                <part id="si-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[01]"/>
                   <p>system flaws are identified;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[02]"/>
                   <p>system flaws are reported;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[03]"/>
                   <p>system flaws are corrected;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.a"/>
             </part>
             <part id="si-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02b."/>
                <part id="si-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[01]"/>
                   <p>software updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[02]"/>
                   <p>software updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[03]"/>
                   <p>firmware updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[04]"/>
                   <p>firmware updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.b"/>
             </part>
             <part id="si-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02c."/>
                <part id="si-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[01]"/>
                   <p>security-relevant software updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
                <part id="si-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[02]"/>
                   <p>security-relevant firmware updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.c"/>
             </part>
             <part id="si-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02d."/>
                <p>flaw remediation is incorporated into the organizational configuration management process.</p>
+               <link rel="assessment-for" href="#si-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-2_smt"/>
          </part>
          <part id="si-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18318,16 +19565,20 @@
                   <prop name="label" class="sp800-53a" value="SI-03a.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
                <part id="si-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03a.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.a"/>
             </part>
             <part id="si-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03b."/>
                <p>malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#si-3_smt.b"/>
             </part>
             <part id="si-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03c."/>
@@ -18336,28 +19587,37 @@
                   <part id="si-3_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[01]"/>
                      <p>malicious code protection mechanisms are configured to perform periodic scans of the system <insert type="param" id-ref="si-03_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
                   <part id="si-3_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[02]"/>
                      <p>malicious code protection mechanisms are configured to perform real-time scans of files from external sources at <insert type="param" id-ref="si-03_odp.03"/> as the files are downloaded, opened, or executed in accordance with organizational policy;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.1"/>
                </part>
                <part id="si-3_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03c.02"/>
                   <part id="si-3_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[01]"/>
                      <p>malicious code protection mechanisms are configured to <insert type="param" id-ref="si-03_odp.04"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
                   <part id="si-3_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[02]"/>
                      <p>malicious code protection mechanisms are configured to send alerts to <insert type="param" id-ref="si-03_odp.06"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.c"/>
             </part>
             <part id="si-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03d."/>
                <p>the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.</p>
+               <link rel="assessment-for" href="#si-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-3_smt"/>
          </part>
          <part id="si-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18568,63 +19828,80 @@
                <part id="si-4_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.01"/>
                   <p>the system is monitored to detect attacks and indicators of potential attacks in accordance with <insert type="param" id-ref="si-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-4_smt.a.1"/>
                </part>
                <part id="si-4_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.02"/>
                   <part id="si-4_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[01]"/>
                      <p>the system is monitored to detect unauthorized local connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[02]"/>
                      <p>the system is monitored to detect unauthorized network connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[03]"/>
                      <p>the system is monitored to detect unauthorized remote connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.a"/>
             </part>
             <part id="si-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04b."/>
                <p>unauthorized use of the system is identified through <insert type="param" id-ref="si-04_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-4_smt.b"/>
             </part>
             <part id="si-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04c."/>
                <part id="si-4_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.01"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.1"/>
                </part>
                <part id="si-4_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.02"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.c"/>
             </part>
             <part id="si-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04d."/>
                <part id="si-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[01]"/>
                   <p>detected events are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
                <part id="si-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[02]"/>
                   <p>detected anomalies are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.d"/>
             </part>
             <part id="si-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04e."/>
                <p>the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p>
+               <link rel="assessment-for" href="#si-4_smt.e"/>
             </part>
             <part id="si-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04f."/>
                <p>a legal opinion regarding system monitoring activities is obtained;</p>
+               <link rel="assessment-for" href="#si-4_smt.f"/>
             </part>
             <part id="si-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04g."/>
                <p>
                   <insert type="param" id-ref="si-04_odp.03"/> is provided to <insert type="param" id-ref="si-04_odp.04"/>
                   <insert type="param" id-ref="si-04_odp.05"/>.</p>
+               <link rel="assessment-for" href="#si-4_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#si-4_smt"/>
          </part>
          <part id="si-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18753,19 +20030,24 @@
             <part id="si-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05a."/>
                <p>system security alerts, advisories, and directives are received from <insert type="param" id-ref="si-05_odp.01"/> on an ongoing basis;</p>
+               <link rel="assessment-for" href="#si-5_smt.a"/>
             </part>
             <part id="si-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05b."/>
                <p>internal security alerts, advisories, and directives are generated as deemed necessary;</p>
+               <link rel="assessment-for" href="#si-5_smt.b"/>
             </part>
             <part id="si-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05c."/>
                <p>security alerts, advisories, and directives are disseminated to <insert type="param" id-ref="si-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-5_smt.c"/>
             </part>
             <part id="si-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05d."/>
                <p>security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.</p>
+               <link rel="assessment-for" href="#si-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-5_smt"/>
          </part>
          <part id="si-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18852,19 +20134,24 @@
             <part id="si-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[01]"/>
                <p>information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[02]"/>
                <p>information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[03]"/>
                <p>information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[04]"/>
                <p>information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#si-12_smt"/>
          </part>
          <part id="si-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19054,18 +20341,22 @@
                <part id="sr-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[01]"/>
                   <p>a supply chain risk management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[02]"/>
                   <p>the supply chain risk management policy is disseminated to <insert type="param" id-ref="sr-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[03]"/>
                   <p>supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[04]"/>
                   <p>the supply chain risk management procedures are disseminated to <insert type="param" id-ref="sr-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.01"/>
@@ -19074,42 +20365,54 @@
                      <part id="sr-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses scope; </p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[03]"/>
                         <p>
                            <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses compliance.</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                   </part>
                   <part id="sr-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.a"/>
             </part>
             <part id="sr-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01b."/>
                <p>the <insert type="param" id-ref="sr-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;</p>
+               <link rel="assessment-for" href="#sr-1_smt.b"/>
             </part>
             <part id="sr-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01c."/>
@@ -19118,24 +20421,32 @@
                   <part id="sr-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[01]"/>
                      <p>the current supply chain risk management policy is reviewed and updated <insert type="param" id-ref="sr-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
                   <part id="sr-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[02]"/>
                      <p>the current supply chain risk management policy is reviewed and updated following <insert type="param" id-ref="sr-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                </part>
                <part id="sr-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01c.02"/>
                   <part id="sr-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[01]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated <insert type="param" id-ref="sr-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
                   <part id="sr-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[02]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated following <insert type="param" id-ref="sr-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt"/>
          </part>
          <part id="sr-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19235,55 +20546,70 @@
                <part id="sr-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[01]"/>
                   <p>a plan for managing supply chain risks is developed;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[02]"/>
                   <p>the supply chain risk management plan addresses risks associated with the research and development of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[03]"/>
                   <p>the supply chain risk management plan addresses risks associated with the design of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[04]"/>
                   <p>the supply chain risk management plan addresses risks associated with the manufacturing of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[05]"/>
                   <p>the supply chain risk management plan addresses risks associated with the acquisition of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[06]"/>
                   <p>the supply chain risk management plan addresses risks associated with the delivery of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[07]"/>
                   <p>the supply chain risk management plan addresses risks associated with the integration of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[08]"/>
                   <p>the supply chain risk management plan addresses risks associated with the operation and maintenance of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[09]"/>
                   <p>the supply chain risk management plan addresses risks associated with the disposal of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.a"/>
             </part>
             <part id="sr-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02b."/>
                <p>the supply chain risk management plan is reviewed and updated <insert type="param" id-ref="sr-02_odp.02"/> or as required to address threat, organizational, or environmental changes;</p>
+               <link rel="assessment-for" href="#sr-2_smt.b"/>
             </part>
             <part id="sr-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02c."/>
                <part id="sr-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[01]"/>
                   <p>the supply chain risk management plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
                <part id="sr-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[02]"/>
                   <p>the supply chain risk management plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-2_smt"/>
          </part>
          <part id="sr-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19370,6 +20696,7 @@
             <part id="sr-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02(01)"/>
                <p>a supply chain risk management team consisting of <insert type="param" id-ref="sr-02.01_odp.01"/> is established to lead and support <insert type="param" id-ref="sr-02.01_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sr-2.1_smt"/>
             </part>
             <part id="sr-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19511,21 +20838,27 @@
                <part id="sr-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[01]"/>
                   <p>a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
                <part id="sr-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[02]"/>
                   <p>the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/> is/are coordinated with <insert type="param" id-ref="sr-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-3_smt.a"/>
             </part>
             <part id="sr-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03b."/>
                <p>
                   <insert type="param" id-ref="sr-03_odp.03"/> are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;</p>
+               <link rel="assessment-for" href="#sr-3_smt.b"/>
             </part>
             <part id="sr-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03c."/>
                <p>the selected and implemented supply chain processes and controls are documented in <insert type="param" id-ref="sr-03_odp.04"/>.</p>
+               <link rel="assessment-for" href="#sr-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-3_smt"/>
          </part>
          <part id="sr-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19622,17 +20955,21 @@
                <prop name="label" class="sp800-53a" value="SR-05[01]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to protect against supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[02]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to identify supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[03]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to mitigate supply chain risks.</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#sr-5_smt"/>
          </part>
          <part id="sr-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19722,6 +21059,7 @@
          <part id="sr-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-08"/>
             <p>agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for <insert type="param" id-ref="sr-08_odp.01"/>.</p>
+            <link rel="assessment-for" href="#sr-8_smt"/>
          </part>
          <part id="sr-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19822,6 +21160,7 @@
             <prop name="label" class="sp800-53a" value="SR-10"/>
             <p>
                <insert type="param" id-ref="sr-10_odp.01"/> are inspected <insert type="param" id-ref="sr-10_odp.02"/> to detect tampering.</p>
+            <link rel="assessment-for" href="#sr-10_smt"/>
          </part>
          <part id="sr-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19925,24 +21264,31 @@
                <part id="sr-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[01]"/>
                   <p>an anti-counterfeit policy is developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[02]"/>
                   <p>anti-counterfeit procedures are developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[03]"/>
                   <p>the anti-counterfeit procedures include the means to detect counterfeit components entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[04]"/>
                   <p>the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-11_smt.a"/>
             </part>
             <part id="sr-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-11b."/>
                <p>counterfeit system components are reported to <insert type="param" id-ref="sr-11_odp.01"/>.</p>
+               <link rel="assessment-for" href="#sr-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sr-11_smt"/>
          </part>
          <part id="sr-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20015,6 +21361,7 @@
                <prop name="label" class="sp800-53a" value="SR-11(01)"/>
                <p>
                   <insert type="param" id-ref="sr-11.01_odp"/> are trained to detect counterfeit system components (including hardware, software, and firmware).</p>
+               <link rel="assessment-for" href="#sr-11.1_smt"/>
             </part>
             <part id="sr-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20086,11 +21433,14 @@
                <part id="sr-11.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[01]"/>
                   <p>configuration control over <insert type="param" id-ref="sr-11.02_odp"/> awaiting service or repair is maintained;</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
                <part id="sr-11.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[02]"/>
                   <p>configuration control over serviced or repaired <insert type="param" id-ref="sr-11.02_odp"/> awaiting return to service is maintained.</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#sr-11.2_smt"/>
             </part>
             <part id="sr-11.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20164,6 +21514,7 @@
             <prop name="label" class="sp800-53a" value="SR-12"/>
             <p>
                <insert type="param" id-ref="sr-12_odp.01"/> are disposed of using <insert type="param" id-ref="sr-12_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sr-12_smt"/>
          </part>
          <part id="sr-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline_profile.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline_profile.xml
index eadeb73f..7d4167c9 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline_profile.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_LOW-baseline_profile.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="8742196d-86ba-4e72-a411-28867dab43bb">
+         uuid="b648ca9e-da6d-4159-b28d-f2df9a044137">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE</title>
-      <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE</title>
+      <last-modified>2023-12-04T14:55:00.000000-04:00</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <role id="creator">
          <title>Document Creator</title>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml
index 4b704d04..a299ce2a 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="64dd932d-a3d3-4369-8fa3-09c7b202e580">
+          uuid="6ce800da-ce21-48b7-8da4-715337b033e6">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE</title>
-      <last-modified>2023-11-02T11:49:44.380433-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE</title>
+      <last-modified>2023-12-05T21:54:58.514658Z</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
              value="OSCAL Profile Resolver XSLT Pipeline OPRXP"/>
@@ -181,18 +181,22 @@
                <part id="ac-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[01]"/>
                   <p>an access control policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[02]"/>
                   <p>the access control policy is disseminated to <insert type="param" id-ref="ac-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[03]"/>
                   <p>access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[04]"/>
                   <p>the access control procedures are disseminated to <insert type="param" id-ref="ac-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.01"/>
@@ -201,41 +205,53 @@
                      <part id="ac-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                   </part>
                   <part id="ac-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.a"/>
             </part>
             <part id="ac-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01b."/>
                <p>the <insert type="param" id-ref="ac-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the access control policy and procedures;</p>
+               <link rel="assessment-for" href="#ac-1_smt.b"/>
             </part>
             <part id="ac-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01c."/>
@@ -244,24 +260,32 @@
                   <part id="ac-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[01]"/>
                      <p>the current access control policy is reviewed and updated <insert type="param" id-ref="ac-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
                   <part id="ac-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[02]"/>
                      <p>the current access control policy is reviewed and updated following <insert type="param" id-ref="ac-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                </part>
                <part id="ac-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01c.02"/>
                   <part id="ac-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[01]"/>
                      <p>the current access control procedures are reviewed and updated <insert type="param" id-ref="ac-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
                   <part id="ac-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[02]"/>
                      <p>the current access control procedures are reviewed and updated following <insert type="param" id-ref="ac-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt"/>
          </part>
          <part id="ac-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -503,131 +527,166 @@
                <part id="ac-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[01]"/>
                   <p>account types allowed for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
                <part id="ac-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02a.[02]"/>
                   <p>account types specifically prohibited for use within the system are defined and documented;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.a"/>
             </part>
             <part id="ac-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02b."/>
                <p>account managers are assigned;</p>
+               <link rel="assessment-for" href="#ac-2_smt.b"/>
             </part>
             <part id="ac-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02c."/>
                <p>
                   <insert type="param" id-ref="ac-02_odp.01"/> for group and role membership are required;</p>
+               <link rel="assessment-for" href="#ac-2_smt.c"/>
             </part>
             <part id="ac-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02d."/>
                <part id="ac-2_obj.d.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.01"/>
                   <p>authorized users of the system are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.1"/>
                </part>
                <part id="ac-2_obj.d.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.02"/>
                   <p>group and role membership are specified;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.d.2"/>
                </part>
                <part id="ac-2_obj.d.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02d.03"/>
                   <part id="ac-2_obj.d.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[01]"/>
                      <p>access authorizations (i.e., privileges) are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
                   <part id="ac-2_obj.d.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-02d.03[02]"/>
                      <p>
                         <insert type="param" id-ref="ac-02_odp.02"/> are specified for each account;</p>
+                     <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-2_smt.d.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.d"/>
             </part>
             <part id="ac-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02e."/>
                <p>approvals are required by <insert type="param" id-ref="ac-02_odp.03"/> for requests to create accounts;</p>
+               <link rel="assessment-for" href="#ac-2_smt.e"/>
             </part>
             <part id="ac-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02f."/>
                <part id="ac-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[01]"/>
                   <p>accounts are created in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[02]"/>
                   <p>accounts are enabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[03]"/>
                   <p>accounts are modified in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[04]"/>
                   <p>accounts are disabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
                <part id="ac-2_obj.f-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02f.[05]"/>
                   <p>accounts are removed in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.f"/>
             </part>
             <part id="ac-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02g."/>
                <p>the use of accounts is monitored; </p>
+               <link rel="assessment-for" href="#ac-2_smt.g"/>
             </part>
             <part id="ac-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02h."/>
                <part id="ac-2_obj.h.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.01"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.06"/> when accounts are no longer required;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.1"/>
                </part>
                <part id="ac-2_obj.h.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.02"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.07"/> when users are terminated or transferred;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.2"/>
                </part>
                <part id="ac-2_obj.h.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02h.03"/>
                   <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.08"/> when system usage or the need to know changes for an individual;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.h.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.h"/>
             </part>
             <part id="ac-2_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02i."/>
                <part id="ac-2_obj.i.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.01"/>
                   <p>access to the system is authorized based on a valid access authorization;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.1"/>
                </part>
                <part id="ac-2_obj.i.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.02"/>
                   <p>access to the system is authorized based on intended system usage;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.2"/>
                </part>
                <part id="ac-2_obj.i.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02i.03"/>
                   <p>access to the system is authorized based on <insert type="param" id-ref="ac-02_odp.09"/>;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.i.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.i"/>
             </part>
             <part id="ac-2_obj.j" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02j."/>
                <p>accounts are reviewed for compliance with account management requirements <insert type="param" id-ref="ac-02_odp.10"/>;</p>
+               <link rel="assessment-for" href="#ac-2_smt.j"/>
             </part>
             <part id="ac-2_obj.k" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02k."/>
                <part id="ac-2_obj.k-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[01]"/>
                   <p>a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
                <part id="ac-2_obj.k-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02k.[02]"/>
                   <p>a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.k"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.k"/>
             </part>
             <part id="ac-2_obj.l" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02l."/>
                <part id="ac-2_obj.l-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[01]"/>
                   <p>account management processes are aligned with personnel termination processes;</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
                <part id="ac-2_obj.l-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02l.[02]"/>
                   <p>account management processes are aligned with personnel transfer processes.</p>
+                  <link rel="assessment-for" href="#ac-2_smt.l"/>
                </part>
+               <link rel="assessment-for" href="#ac-2_smt.l"/>
             </part>
+            <link rel="assessment-for" href="#ac-2_smt"/>
          </part>
          <part id="ac-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -695,6 +754,7 @@
             <part id="ac-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(01)"/>
                <p>the management of system accounts is supported using <insert type="param" id-ref="ac-02.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-2.1_smt"/>
             </part>
             <part id="ac-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -764,6 +824,7 @@
             <part id="ac-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(02)"/>
                <p>temporary and emergency accounts are automatically <insert type="param" id-ref="ac-02.02_odp.01"/> after <insert type="param" id-ref="ac-02.02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-2.2_smt"/>
             </part>
             <part id="ac-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -850,19 +911,24 @@
                <part id="ac-2.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(a)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have expired;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.a"/>
                </part>
                <part id="ac-2.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(b)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are no longer associated with a user or individual;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.b"/>
                </part>
                <part id="ac-2.3_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(c)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are in violation of organizational policy;</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.c"/>
                </part>
                <part id="ac-2.3_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(03)(d)"/>
                   <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have been inactive for <insert type="param" id-ref="ac-02.03_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ac-2.3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ac-2.3_smt"/>
             </part>
             <part id="ac-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -920,23 +986,29 @@
                <part id="ac-2.4_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[01]"/>
                   <p>account creation is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[02]"/>
                   <p>account modification is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[03]"/>
                   <p>account enabling is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[04]"/>
                   <p>account disabling is automatically audited;</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
                <part id="ac-2.4_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-02(04)[05]"/>
                   <p>account removal actions are automatically audited.</p>
+                  <link rel="assessment-for" href="#ac-2.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-2.4_smt"/>
             </part>
             <part id="ac-2.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -999,6 +1071,7 @@
             <part id="ac-2.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(05)"/>
                <p>users are required to log out when <insert type="param" id-ref="ac-02.05_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-2.5_smt"/>
             </part>
             <part id="ac-2.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1061,6 +1134,7 @@
             <part id="ac-2.13_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-02(13)"/>
                <p>accounts of individuals are disabled within <insert type="param" id-ref="ac-02.13_odp.01"/> of discovery of <insert type="param" id-ref="ac-02.13_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-2.13_smt"/>
             </part>
             <part id="ac-2.13_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1135,6 +1209,7 @@
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-7"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-3"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
@@ -1163,6 +1238,7 @@
          <part id="ac-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03"/>
             <p>approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.</p>
+            <link rel="assessment-for" href="#ac-3_smt"/>
          </part>
          <part id="ac-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1244,6 +1320,7 @@
          <part id="ac-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04"/>
             <p>approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on <insert type="param" id-ref="ac-04_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-4_smt"/>
          </part>
          <part id="ac-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1336,11 +1413,14 @@
                <prop name="label" class="sp800-53a" value="AC-05a."/>
                <p>
                   <insert type="param" id-ref="ac-05_odp"/> are identified and documented;</p>
+               <link rel="assessment-for" href="#ac-5_smt.a"/>
             </part>
             <part id="ac-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-05b."/>
                <p>system access authorizations to support separation of duties are defined.</p>
+               <link rel="assessment-for" href="#ac-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-5_smt"/>
          </part>
          <part id="ac-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1402,6 +1482,7 @@
          <part id="ac-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06"/>
             <p>the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.</p>
+            <link rel="assessment-for" href="#ac-6_smt"/>
          </part>
          <part id="ac-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1519,20 +1600,26 @@
                   <part id="ac-6.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[01]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
                   <part id="ac-6.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[02]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
                   <part id="ac-6.1_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-06(01)(a)[03]"/>
                      <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-6.1_smt.a"/>
                </part>
                <part id="ac-6.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(01)(b)"/>
                   <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.05"/>.</p>
+                  <link rel="assessment-for" href="#ac-6.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-6.1_smt"/>
             </part>
             <part id="ac-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1594,6 +1681,7 @@
             <part id="ac-6.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(02)"/>
                <p>users of system accounts (or roles) with access to <insert type="param" id-ref="ac-06.02_odp"/> are required to use non-privileged accounts or roles when accessing non-security functions.</p>
+               <link rel="assessment-for" href="#ac-6.2_smt"/>
             </part>
             <part id="ac-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1654,6 +1742,7 @@
             <part id="ac-6.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(05)"/>
                <p>privileged accounts on the system are restricted to <insert type="param" id-ref="ac-06.05_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-6.5_smt"/>
             </part>
             <part id="ac-6.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1731,11 +1820,14 @@
                <part id="ac-6.7_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(07)(a)"/>
                   <p>privileges assigned to <insert type="param" id-ref="ac-06.07_odp.02"/> are reviewed <insert type="param" id-ref="ac-06.07_odp.01"/> to validate the need for such privileges;</p>
+                  <link rel="assessment-for" href="#ac-6.7_smt.a"/>
                </part>
                <part id="ac-6.7_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-06(07)(b)"/>
                   <p>privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.</p>
+                  <link rel="assessment-for" href="#ac-6.7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-6.7_smt"/>
             </part>
             <part id="ac-6.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1791,6 +1883,7 @@
             <part id="ac-6.9_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(09)"/>
                <p>the execution of privileged functions is logged.</p>
+               <link rel="assessment-for" href="#ac-6.9_smt"/>
             </part>
             <part id="ac-6.9_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1843,6 +1936,7 @@
             <part id="ac-6.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-06(10)"/>
                <p>non-privileged users are prevented from executing privileged functions.</p>
+               <link rel="assessment-for" href="#ac-6.10_smt"/>
             </part>
             <part id="ac-6.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1963,11 +2057,14 @@
             <part id="ac-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07a."/>
                <p>a limit of <insert type="param" id-ref="ac-07_odp.01"/> consecutive invalid logon attempts by a user during <insert type="param" id-ref="ac-07_odp.02"/> is enforced;</p>
+               <link rel="assessment-for" href="#ac-7_smt.a"/>
             </part>
             <part id="ac-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-07b."/>
                <p>automatically <insert type="param" id-ref="ac-07_odp.03"/> when the maximum number of unsuccessful attempts is exceeded.</p>
+               <link rel="assessment-for" href="#ac-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-7_smt"/>
          </part>
          <part id="ac-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2086,39 +2183,50 @@
                <part id="ac-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.01"/>
                   <p>the system use notification states that users are accessing a U.S. Government system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.1"/>
                </part>
                <part id="ac-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.02"/>
                   <p>the system use notification states that system usage may be monitored, recorded, and subject to audit;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.2"/>
                </part>
                <part id="ac-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.03"/>
                   <p>the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.3"/>
                </part>
                <part id="ac-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08a.04"/>
                   <p>the system use notification states that use of the system indicates consent to monitoring and recording;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.a"/>
             </part>
             <part id="ac-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08b."/>
                <p>the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;</p>
+               <link rel="assessment-for" href="#ac-8_smt.b"/>
             </part>
             <part id="ac-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-08c."/>
                <part id="ac-8_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.01"/>
                   <p>for publicly accessible systems, system use information <insert type="param" id-ref="ac-08_odp.02"/> is displayed before granting further access to the publicly accessible system;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.1"/>
                </part>
                <part id="ac-8_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.02"/>
                   <p>for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.2"/>
                </part>
                <part id="ac-8_obj.c.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-08c.03"/>
                   <p>for publicly accessible systems, a description of the authorized uses of the system is included.</p>
+                  <link rel="assessment-for" href="#ac-8_smt.c.3"/>
                </part>
+               <link rel="assessment-for" href="#ac-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-8_smt"/>
          </part>
          <part id="ac-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2203,11 +2311,14 @@
             <part id="ac-11_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11a."/>
                <p>further access to the system is prevented by <insert type="param" id-ref="ac-11_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ac-11_smt.a"/>
             </part>
             <part id="ac-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11b."/>
                <p>device lock is retained until the user re-establishes access using established identification and authentication procedures.</p>
+               <link rel="assessment-for" href="#ac-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-11_smt"/>
          </part>
          <part id="ac-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2257,6 +2368,7 @@
             <part id="ac-11.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-11(01)"/>
                <p>information previously visible on the display is concealed, via device lock, with a publicly viewable image.</p>
+               <link rel="assessment-for" href="#ac-11.1_smt"/>
             </part>
             <part id="ac-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2320,6 +2432,7 @@
          <part id="ac-12_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-12"/>
             <p>a user session is automatically terminated after <insert type="param" id-ref="ac-12_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-12_smt"/>
          </part>
          <part id="ac-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2391,18 +2504,23 @@
                <prop name="label" class="sp800-53a" value="AC-14a."/>
                <p>
                   <insert type="param" id-ref="ac-14_odp"/> that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;</p>
+               <link rel="assessment-for" href="#ac-14_smt.a"/>
             </part>
             <part id="ac-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-14b."/>
                <part id="ac-14_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[01]"/>
                   <p>user actions not requiring identification or authentication are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
                <part id="ac-14_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-14b.[02]"/>
                   <p>a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-14_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-14_smt"/>
          </part>
          <part id="ac-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2480,20 +2598,26 @@
                <part id="ac-17_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[01]"/>
                   <p>usage restrictions are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[02]"/>
                   <p>configuration/connection requirements are established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
                <part id="ac-17_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17a.[03]"/>
                   <p>implementation guidance is established and documented for each type of remote access allowed;</p>
+                  <link rel="assessment-for" href="#ac-17_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-17_smt.a"/>
             </part>
             <part id="ac-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17b."/>
                <p>each type of remote access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-17_smt"/>
          </part>
          <part id="ac-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2552,11 +2676,14 @@
                <part id="ac-17.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(01)[01]"/>
                   <p>automated mechanisms are employed to monitor remote access methods;</p>
+                  <link rel="assessment-for" href="#ac-17.1_smt"/>
                </part>
                <part id="ac-17.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(01)[02]"/>
                   <p>automated mechanisms are employed to control remote access methods.</p>
+                  <link rel="assessment-for" href="#ac-17.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-17.1_smt"/>
             </part>
             <part id="ac-17.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2610,6 +2737,7 @@
             <part id="ac-17.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17(02)"/>
                <p>cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.</p>
+               <link rel="assessment-for" href="#ac-17.2_smt"/>
             </part>
             <part id="ac-17.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2661,6 +2789,7 @@
             <part id="ac-17.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-17(03)"/>
                <p>remote accesses are routed through authorized and managed network access control points.</p>
+               <link rel="assessment-for" href="#ac-17.3_smt"/>
             </part>
             <part id="ac-17.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2747,24 +2876,31 @@
                   <part id="ac-17.4_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[01]"/>
                      <p>the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[02]"/>
                      <p>access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[03]"/>
                      <p>the execution of privileged commands via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
                   <part id="ac-17.4_obj.a-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-17(04)(a)[04]"/>
                      <p>access to security-relevant information via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-17.4_smt.a"/>
                </part>
                <part id="ac-17.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-17(04)(b)"/>
                   <p>the rationale for remote access is documented in the security plan for the system.</p>
+                  <link rel="assessment-for" href="#ac-17.4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-17.4_smt"/>
             </part>
             <part id="ac-17.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2839,20 +2975,26 @@
                <part id="ac-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[01]"/>
                   <p>configuration requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[02]"/>
                   <p>connection requirements are established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
                <part id="ac-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18a.[03]"/>
                   <p>implementation guidance is established for each type of wireless access;</p>
+                  <link rel="assessment-for" href="#ac-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-18_smt.a"/>
             </part>
             <part id="ac-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-18b."/>
                <p>each type of wireless access to the system is authorized prior to allowing such connections.</p>
+               <link rel="assessment-for" href="#ac-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-18_smt"/>
          </part>
          <part id="ac-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2915,11 +3057,14 @@
                <part id="ac-18.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(01)[01]"/>
                   <p>wireless access to the system is protected using authentication of <insert type="param" id-ref="ac-18.01_odp"/>;</p>
+                  <link rel="assessment-for" href="#ac-18.1_smt"/>
                </part>
                <part id="ac-18.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-18(01)[02]"/>
                   <p>wireless access to the system is protected using encryption.</p>
+                  <link rel="assessment-for" href="#ac-18.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ac-18.1_smt"/>
             </part>
             <part id="ac-18.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2972,6 +3117,7 @@
             <part id="ac-18.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-18(03)"/>
                <p>when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.</p>
+               <link rel="assessment-for" href="#ac-18.3_smt"/>
             </part>
             <part id="ac-18.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3057,20 +3203,26 @@
                <part id="ac-19_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[01]"/>
                   <p>configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[02]"/>
                   <p>connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
                <part id="ac-19_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-19a.[03]"/>
                   <p>implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+                  <link rel="assessment-for" href="#ac-19_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ac-19_smt.a"/>
             </part>
             <part id="ac-19_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-19b."/>
                <p>the connection of mobile devices to organizational systems is authorized.</p>
+               <link rel="assessment-for" href="#ac-19_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-19_smt"/>
          </part>
          <part id="ac-19_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3142,6 +3294,7 @@
                <prop name="label" class="sp800-53a" value="AC-19(05)"/>
                <p>
                   <insert type="param" id-ref="ac-19.05_odp.01"/> is employed to protect the confidentiality and integrity of information on <insert type="param" id-ref="ac-19.05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ac-19.5_smt"/>
             </part>
             <part id="ac-19.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3264,20 +3417,25 @@
             <part id="ac-20_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20a."/>
                <part id="ac-20_obj.a.1" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.1"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.01"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.1"/>
                </part>
                <part id="ac-20_obj.a.2" name="assessment-objective">
-                  <prop name="label" class="sp800-53a" value="AC-20a.2"/>
+                  <prop name="label" class="sp800-53a" value="AC-20a.02"/>
                   <p>
                      <insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-20_smt.a"/>
             </part>
             <part id="ac-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20b."/>
                <p>the use of <insert type="param" id-ref="ac-20_odp.04"/> is prohibited (if applicable).</p>
+               <link rel="assessment-for" href="#ac-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-20_smt"/>
          </part>
          <part id="ac-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3338,11 +3496,14 @@
                <part id="ac-20.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-20(01)(a)"/>
                   <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);</p>
+                  <link rel="assessment-for" href="#ac-20.1_smt.a"/>
                </part>
                <part id="ac-20.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-20(01)(b)"/>
                   <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).</p>
+                  <link rel="assessment-for" href="#ac-20.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ac-20.1_smt"/>
             </part>
             <part id="ac-20.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3400,6 +3561,7 @@
             <part id="ac-20.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-20(02)"/>
                <p>the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using <insert type="param" id-ref="ac-20.02_odp"/>.</p>
+               <link rel="assessment-for" href="#ac-20.2_smt"/>
             </part>
             <part id="ac-20.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3490,12 +3652,15 @@
             <part id="ac-21_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-21a."/>
                <p>authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for <insert type="param" id-ref="ac-21_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ac-21_smt.a"/>
             </part>
             <part id="ac-21_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-21b."/>
                <p>
                   <insert type="param" id-ref="ac-21_odp.02"/> are employed to assist users in making information-sharing and collaboration decisions.</p>
+               <link rel="assessment-for" href="#ac-21_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-21_smt"/>
          </part>
          <part id="ac-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3581,26 +3746,33 @@
             <part id="ac-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22a."/>
                <p>designated individuals are authorized to make information publicly accessible;</p>
+               <link rel="assessment-for" href="#ac-22_smt.a"/>
             </part>
             <part id="ac-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22b."/>
                <p>authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;</p>
+               <link rel="assessment-for" href="#ac-22_smt.b"/>
             </part>
             <part id="ac-22_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22c."/>
                <p>the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;</p>
+               <link rel="assessment-for" href="#ac-22_smt.c"/>
             </part>
             <part id="ac-22_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-22d."/>
                <part id="ac-22_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[01]"/>
                   <p>the content on the publicly accessible system is reviewed for non-public information <insert type="param" id-ref="ac-22_odp"/>;</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
                <part id="ac-22_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-22d.[02]"/>
                   <p>non-public information is removed from the publicly accessible system, if discovered.</p>
+                  <link rel="assessment-for" href="#ac-22_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ac-22_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ac-22_smt"/>
          </part>
          <part id="ac-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3778,18 +3950,22 @@
                <part id="at-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[01]"/>
                   <p>an awareness and training policy is developed and documented; </p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[02]"/>
                   <p>the awareness and training policy is disseminated to <insert type="param" id-ref="at-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[03]"/>
                   <p>awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[04]"/>
                   <p>the awareness and training procedures are disseminated to <insert type="param" id-ref="at-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.01"/>
@@ -3798,41 +3974,53 @@
                      <part id="at-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses scope;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses roles;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses compliance; and</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                   </part>
                   <part id="at-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and</p>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.a"/>
             </part>
             <part id="at-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01b."/>
                <p>the <insert type="param" id-ref="at-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;</p>
+               <link rel="assessment-for" href="#at-1_smt.b"/>
             </part>
             <part id="at-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01c."/>
@@ -3841,24 +4029,32 @@
                   <part id="at-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[01]"/>
                      <p>the current awareness and training policy is reviewed and updated <insert type="param" id-ref="at-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
                   <part id="at-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[02]"/>
                      <p>the current awareness and training policy is reviewed and updated following <insert type="param" id-ref="at-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.1"/>
                </part>
                <part id="at-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01c.02"/>
                   <part id="at-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[01]"/>
                      <p>the current awareness and training procedures are reviewed and updated <insert type="param" id-ref="at-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
                   <part id="at-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[02]"/>
                      <p>the current awareness and training procedures are reviewed and updated following <insert type="param" id-ref="at-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt"/>
          </part>
          <part id="at-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4021,52 +4217,67 @@
                   <part id="at-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[03]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.01"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[04]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.02"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.1"/>
                </part>
                <part id="at-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02a.02"/>
                   <part id="at-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
                   <part id="at-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.a"/>
             </part>
             <part id="at-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02b."/>
                <p>
                   <insert type="param" id-ref="at-02_odp.05"/> are employed to increase the security and privacy awareness of system users;</p>
+               <link rel="assessment-for" href="#at-2_smt.b"/>
             </part>
             <part id="at-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02c."/>
                <part id="at-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[01]"/>
                   <p>literacy training and awareness content is updated <insert type="param" id-ref="at-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
                <part id="at-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[02]"/>
                   <p>literacy training and awareness content is updated following <insert type="param" id-ref="at-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.c"/>
             </part>
             <part id="at-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02d."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.</p>
+               <link rel="assessment-for" href="#at-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt"/>
          </part>
          <part id="at-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4123,11 +4334,14 @@
                <part id="at-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[01]"/>
                   <p>literacy training on recognizing potential indicators of insider threat is provided;</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
                <part id="at-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(02)[02]"/>
                   <p>literacy training on reporting potential indicators of insider threat is provided.</p>
+                  <link rel="assessment-for" href="#at-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#at-2.2_smt"/>
             </part>
             <part id="at-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4175,19 +4389,24 @@
                <part id="at-2.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[01]"/>
                   <p>literacy training on recognizing potential and actual instances of social engineering is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[02]"/>
                   <p>literacy training on reporting potential and actual instances of social engineering is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[03]"/>
                   <p>literacy training on recognizing potential and actual instances of social mining is provided;</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
                <part id="at-2.3_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02(03)[04]"/>
                   <p>literacy training on reporting potential and actual instances of social mining is provided.</p>
+                  <link rel="assessment-for" href="#at-2.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#at-2.3_smt"/>
             </part>
             <part id="at-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4331,49 +4550,63 @@
                   <part id="at-3_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[01]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[02]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[03]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[04]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.1"/>
                </part>
                <part id="at-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03a.02"/>
                   <part id="at-3_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[01]"/>
                      <p>role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
                   <part id="at-3_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[02]"/>
                      <p>role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.a"/>
             </part>
             <part id="at-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03b."/>
                <part id="at-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[01]"/>
                   <p>role-based training content is updated <insert type="param" id-ref="at-03_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
                <part id="at-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[02]"/>
                   <p>role-based training content is updated following <insert type="param" id-ref="at-03_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.b"/>
             </part>
             <part id="at-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03c."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into role-based training.</p>
+               <link rel="assessment-for" href="#at-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt"/>
          </part>
          <part id="at-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4452,16 +4685,21 @@
                <part id="at-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[01]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
                <part id="at-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[02]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#at-4_smt.a"/>
             </part>
             <part id="at-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-04b."/>
                <p>individual training records are retained for <insert type="param" id-ref="at-04_odp"/>.</p>
+               <link rel="assessment-for" href="#at-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#at-4_smt"/>
          </part>
          <part id="at-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4632,18 +4870,22 @@
                <part id="au-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[01]"/>
                   <p>an audit and accountability policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[02]"/>
                   <p>the audit and accountability policy is disseminated to <insert type="param" id-ref="au-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[03]"/>
                   <p>audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[04]"/>
                   <p>the audit and accountability procedures are disseminated to <insert type="param" id-ref="au-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.01"/>
@@ -4652,41 +4894,53 @@
                      <part id="au-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses scope;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses roles;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                   </part>
                   <part id="au-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.a"/>
             </part>
             <part id="au-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01b."/>
                <p>the <insert type="param" id-ref="au-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;</p>
+               <link rel="assessment-for" href="#au-1_smt.b"/>
             </part>
             <part id="au-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01c."/>
@@ -4695,24 +4949,32 @@
                   <part id="au-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[01]"/>
                      <p>the current audit and accountability policy is reviewed and updated <insert type="param" id-ref="au-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
                   <part id="au-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[02]"/>
                      <p>the current audit and accountability policy is reviewed and updated following <insert type="param" id-ref="au-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.1"/>
                </part>
                <part id="au-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01c.02"/>
                   <part id="au-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[01]"/>
                      <p>the current audit and accountability procedures are reviewed and updated <insert type="param" id-ref="au-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
                   <part id="au-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[02]"/>
                      <p>the current audit and accountability procedures are reviewed and updated following <insert type="param" id-ref="au-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt"/>
          </part>
          <part id="au-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4852,10 +5114,12 @@
                <prop name="label" class="sp800-53a" value="AU-02a."/>
                <p>
                   <insert type="param" id-ref="au-02_odp.01"/> that the system is capable of logging are identified in support of the audit logging function;</p>
+               <link rel="assessment-for" href="#au-2_smt.a"/>
             </part>
             <part id="au-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02b."/>
                <p>the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
+               <link rel="assessment-for" href="#au-2_smt.b"/>
             </part>
             <part id="au-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02c."/>
@@ -4863,20 +5127,26 @@
                   <prop name="label" class="sp800-53a" value="AU-02c.[01]"/>
                   <p>
                      <insert type="param" id-ref="au-02_odp.02"/> are specified for logging within the system;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
                <part id="au-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-02c.[02]"/>
                   <p>the specified event types are logged within the system <insert type="param" id-ref="au-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#au-2_smt.c"/>
             </part>
             <part id="au-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02d."/>
                <p>a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;</p>
+               <link rel="assessment-for" href="#au-2_smt.d"/>
             </part>
             <part id="au-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02e."/>
                <p>the event types selected for logging are reviewed and updated <insert type="param" id-ref="au-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#au-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#au-2_smt"/>
          </part>
          <part id="au-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4964,27 +5234,34 @@
             <part id="au-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03a."/>
                <p>audit records contain information that establishes what type of event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.a"/>
             </part>
             <part id="au-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03b."/>
                <p>audit records contain information that establishes when the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.b"/>
             </part>
             <part id="au-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03c."/>
                <p>audit records contain information that establishes where the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.c"/>
             </part>
             <part id="au-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03d."/>
                <p>audit records contain information that establishes the source of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.d"/>
             </part>
             <part id="au-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03e."/>
                <p>audit records contain information that establishes the outcome of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.e"/>
             </part>
             <part id="au-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03f."/>
                <p>audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</p>
+               <link rel="assessment-for" href="#au-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#au-3_smt"/>
          </part>
          <part id="au-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5044,6 +5321,7 @@
             <part id="au-3.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03(01)"/>
                <p>generated audit records contain the following <insert type="param" id-ref="au-03.01_odp"/>.</p>
+               <link rel="assessment-for" href="#au-3.1_smt"/>
             </part>
             <part id="au-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5116,6 +5394,7 @@
          <part id="au-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-04"/>
             <p>audit log storage capacity is allocated to accommodate <insert type="param" id-ref="au-04_odp"/>.</p>
+            <link rel="assessment-for" href="#au-4_smt"/>
          </part>
          <part id="au-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5211,12 +5490,15 @@
                <prop name="label" class="sp800-53a" value="AU-05a."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.01"/> are alerted in the event of an audit logging process failure within <insert type="param" id-ref="au-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#au-5_smt.a"/>
             </part>
             <part id="au-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-05b."/>
                <p>
                   <insert type="param" id-ref="au-05_odp.03"/> are taken in the event of an audit logging process failure.</p>
+               <link rel="assessment-for" href="#au-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-5_smt"/>
          </part>
          <part id="au-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5340,15 +5622,19 @@
             <part id="au-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06a."/>
                <p>system audit records are reviewed and analyzed <insert type="param" id-ref="au-06_odp.01"/> for indications of <insert type="param" id-ref="au-06_odp.02"/> and the potential impact of the inappropriate or unusual activity;</p>
+               <link rel="assessment-for" href="#au-6_smt.a"/>
             </part>
             <part id="au-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06b."/>
                <p>findings are reported to <insert type="param" id-ref="au-06_odp.03"/>;</p>
+               <link rel="assessment-for" href="#au-6_smt.b"/>
             </part>
             <part id="au-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06c."/>
                <p>the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</p>
+               <link rel="assessment-for" href="#au-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-6_smt"/>
          </part>
          <part id="au-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5401,6 +5687,7 @@
             <part id="au-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(01)"/>
                <p>audit record review, analysis, and reporting processes are integrated using <insert type="param" id-ref="au-06.01_odp"/>.</p>
+               <link rel="assessment-for" href="#au-6.1_smt"/>
             </part>
             <part id="au-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5456,6 +5743,7 @@
             <part id="au-6.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-06(03)"/>
                <p>audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.</p>
+               <link rel="assessment-for" href="#au-6.3_smt"/>
             </part>
             <part id="au-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5533,23 +5821,30 @@
                <part id="au-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07a.[01]"/>
                   <p>an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+                  <link rel="assessment-for" href="#au-7_smt.a"/>
                </part>
                <part id="au-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07a.[02]"/>
                   <p>an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+                  <link rel="assessment-for" href="#au-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#au-7_smt.a"/>
             </part>
             <part id="au-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-07b."/>
                <part id="au-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07b.[01]"/>
                   <p>an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;</p>
+                  <link rel="assessment-for" href="#au-7_smt.b"/>
                </part>
                <part id="au-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07b.[02]"/>
                   <p>an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.</p>
+                  <link rel="assessment-for" href="#au-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#au-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-7_smt"/>
          </part>
          <part id="au-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5612,11 +5907,14 @@
                <part id="au-7.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07(01)[01]"/>
                   <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are provided;</p>
+                  <link rel="assessment-for" href="#au-7.1_smt"/>
                </part>
                <part id="au-7.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-07(01)[02]"/>
                   <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are implemented.</p>
+                  <link rel="assessment-for" href="#au-7.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#au-7.1_smt"/>
             </part>
             <part id="au-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5690,11 +5988,14 @@
             <part id="au-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08a."/>
                <p>internal system clocks are used to generate timestamps for audit records;</p>
+               <link rel="assessment-for" href="#au-8_smt.a"/>
             </part>
             <part id="au-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-08b."/>
                <p>timestamps are recorded for audit records that meet <insert type="param" id-ref="au-08_odp"/> and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.</p>
+               <link rel="assessment-for" href="#au-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-8_smt"/>
          </part>
          <part id="au-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5778,12 +6079,15 @@
             <part id="au-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09a."/>
                <p>audit information and audit logging tools are protected from unauthorized access, modification, and deletion;</p>
+               <link rel="assessment-for" href="#au-9_smt.a"/>
             </part>
             <part id="au-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09b."/>
                <p>
                   <insert type="param" id-ref="au-09_odp"/> are alerted upon detection of unauthorized access, modification, or deletion of audit information.</p>
+               <link rel="assessment-for" href="#au-9_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#au-9_smt"/>
          </part>
          <part id="au-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5845,6 +6149,7 @@
             <part id="au-9.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-09(04)"/>
                <p>access to management of audit logging functionality is authorized only to <insert type="param" id-ref="au-09.04_odp"/>.</p>
+               <link rel="assessment-for" href="#au-9.4_smt"/>
             </part>
             <part id="au-9.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5920,6 +6225,7 @@
          <part id="au-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-11"/>
             <p>audit records are retained for <insert type="param" id-ref="au-11_odp"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
+            <link rel="assessment-for" href="#au-11_smt"/>
          </part>
          <part id="au-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6012,16 +6318,20 @@
             <part id="au-12_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12a."/>
                <p>audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by <insert type="param" id-ref="au-12_odp.01"/>;</p>
+               <link rel="assessment-for" href="#au-12_smt.a"/>
             </part>
             <part id="au-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12b."/>
                <p>
                   <insert type="param" id-ref="au-12_odp.02"/> is/are allowed to select the event types that are to be logged by specific components of the system;</p>
+               <link rel="assessment-for" href="#au-12_smt.b"/>
             </part>
             <part id="au-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-12c."/>
                <p>audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.</p>
+               <link rel="assessment-for" href="#au-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-12_smt"/>
          </part>
          <part id="au-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6204,18 +6514,22 @@
                <part id="ca-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[01]"/>
                   <p>an assessment, authorization, and monitoring policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[02]"/>
                   <p>the assessment, authorization, and monitoring policy is disseminated to <insert type="param" id-ref="ca-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[03]"/>
                   <p>assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[04]"/>
                   <p>the assessment, authorization, and monitoring procedures are disseminated to <insert type="param" id-ref="ca-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.01"/>
@@ -6224,41 +6538,53 @@
                      <part id="ca-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                   </part>
                   <part id="ca-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.a"/>
             </part>
             <part id="ca-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01b."/>
                <p>the <insert type="param" id-ref="ca-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;</p>
+               <link rel="assessment-for" href="#ca-1_smt.b"/>
             </part>
             <part id="ca-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01c."/>
@@ -6267,24 +6593,32 @@
                   <part id="ca-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[01]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated <insert type="param" id-ref="ca-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
                   <part id="ca-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[02]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated following <insert type="param" id-ref="ca-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                </part>
                <part id="ca-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01c.02"/>
                   <part id="ca-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[01]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated <insert type="param" id-ref="ca-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
                   <part id="ca-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[02]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated following <insert type="param" id-ref="ca-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt"/>
          </part>
          <part id="ca-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6406,56 +6740,71 @@
             <part id="ca-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02a."/>
                <p>an appropriate assessor or assessment team is selected for the type of assessment to be conducted;</p>
+               <link rel="assessment-for" href="#ca-2_smt.a"/>
             </part>
             <part id="ca-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02b."/>
                <part id="ca-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.01"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.1"/>
                </part>
                <part id="ca-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.02"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.2"/>
                </part>
                <part id="ca-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.03"/>
                   <part id="ca-2_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[01]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[02]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment team;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[03]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.b"/>
             </part>
             <part id="ca-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02c."/>
                <p>the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.c"/>
             </part>
             <part id="ca-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02d."/>
                <part id="ca-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[01]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
                <part id="ca-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[02]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.d"/>
             </part>
             <part id="ca-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02e."/>
                <p>a control assessment report is produced that documents the results of the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.e"/>
             </part>
             <part id="ca-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02f."/>
                <p>the results of the control assessment are provided to <insert type="param" id-ref="ca-02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ca-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ca-2_smt"/>
          </part>
          <part id="ca-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6509,6 +6858,7 @@
             <part id="ca-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02(01)"/>
                <p>independent assessors or assessment teams are employed to conduct control assessments.</p>
+               <link rel="assessment-for" href="#ca-2.1_smt"/>
             </part>
             <part id="ca-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6615,38 +6965,48 @@
             <part id="ca-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03a."/>
                <p>the exchange of information between the system and other systems is approved and managed using <insert type="param" id-ref="ca-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-3_smt.a"/>
             </part>
             <part id="ca-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03b."/>
                <part id="ca-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[01]"/>
                   <p>the interface characteristics are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[02]"/>
                   <p>security requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[03]"/>
                   <p>privacy requirements are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[04]"/>
                   <p>controls are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[05]"/>
                   <p>responsibilities for each system are documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
                <part id="ca-3_obj.b-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-03b.[06]"/>
                   <p>the impact level of the information communicated is documented as part of each exchange agreement;</p>
+                  <link rel="assessment-for" href="#ca-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-3_smt.b"/>
             </part>
             <part id="ca-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-03c."/>
                <p>agreements are reviewed and updated <insert type="param" id-ref="ca-03_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-3_smt"/>
          </part>
          <part id="ca-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6725,11 +7085,14 @@
             <part id="ca-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05a."/>
                <p>a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;</p>
+               <link rel="assessment-for" href="#ca-5_smt.a"/>
             </part>
             <part id="ca-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05b."/>
                <p>existing plan of action and milestones are updated <insert type="param" id-ref="ca-05_odp"/> based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p>
+               <link rel="assessment-for" href="#ca-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ca-5_smt"/>
          </part>
          <part id="ca-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6831,30 +7194,38 @@
             <part id="ca-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06a."/>
                <p>a senior official is assigned as the authorizing official for the system;</p>
+               <link rel="assessment-for" href="#ca-6_smt.a"/>
             </part>
             <part id="ca-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06b."/>
                <p>a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.b"/>
             </part>
             <part id="ca-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06c."/>
                <part id="ca-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.01"/>
                   <p>before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.1"/>
                </part>
                <part id="ca-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.02"/>
                   <p>before commencing operations, the authorizing official for the system authorizes the system to operate;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-6_smt.c"/>
             </part>
             <part id="ca-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06d."/>
                <p>the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.d"/>
             </part>
             <part id="ca-6_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06e."/>
                <p>the authorizations are updated <insert type="param" id-ref="ca-06_odp"/>.</p>
+               <link rel="assessment-for" href="#ca-6_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ca-6_smt"/>
          </part>
          <part id="ca-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7064,41 +7435,51 @@
             <part id="ca-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[01]"/>
                <p>a system-level continuous monitoring strategy is developed;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[02]"/>
                <p>system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07a."/>
                <p>system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: <insert type="param" id-ref="ca-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-7_smt.a"/>
             </part>
             <part id="ca-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07b."/>
                <part id="ca-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[01]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.02"/> for monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
                <part id="ca-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[02]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.03"/> for assessment of control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.b"/>
             </part>
             <part id="ca-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07c."/>
                <p>system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.c"/>
             </part>
             <part id="ca-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07d."/>
                <p>system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.d"/>
             </part>
             <part id="ca-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07e."/>
                <p>system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;</p>
+               <link rel="assessment-for" href="#ca-7_smt.e"/>
             </part>
             <part id="ca-7_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07f."/>
                <p>system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;</p>
+               <link rel="assessment-for" href="#ca-7_smt.f"/>
             </part>
             <part id="ca-7_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07g."/>
@@ -7106,13 +7487,17 @@
                   <prop name="label" class="sp800-53a" value="CA-07g.[01]"/>
                   <p>system-level continuous monitoring includes reporting the security status of the system to <insert type="param" id-ref="ca-07_odp.04"/>
                      <insert type="param" id-ref="ca-07_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
                <part id="ca-7_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07g.[02]"/>
                   <p>system-level continuous monitoring includes reporting the privacy status of the system to <insert type="param" id-ref="ca-07_odp.06"/>
                      <insert type="param" id-ref="ca-07_odp.07"/>.</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#ca-7_smt"/>
          </part>
          <part id="ca-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7173,6 +7558,7 @@
             <part id="ca-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07(01)"/>
                <p>independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.</p>
+               <link rel="assessment-for" href="#ca-7.1_smt"/>
             </part>
             <part id="ca-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7240,15 +7626,19 @@
                <part id="ca-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(a)"/>
                   <p>effectiveness monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.a"/>
                </part>
                <part id="ca-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(b)"/>
                   <p>compliance monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.b"/>
                </part>
                <part id="ca-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(c)"/>
                   <p>change monitoring is included in risk monitoring.</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ca-7.4_smt"/>
             </part>
             <part id="ca-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7359,34 +7749,43 @@
             <part id="ca-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09a."/>
                <p>internal connections of <insert type="param" id-ref="ca-09_odp.01"/> to the system are authorized;</p>
+               <link rel="assessment-for" href="#ca-9_smt.a"/>
             </part>
             <part id="ca-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09b."/>
                <part id="ca-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[01]"/>
                   <p>for each internal connection, the interface characteristics are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[02]"/>
                   <p>for each internal connection, the security requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[03]"/>
                   <p>for each internal connection, the privacy requirements are documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
                <part id="ca-9_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-09b.[04]"/>
                   <p>for each internal connection, the nature of the information communicated is documented;</p>
+                  <link rel="assessment-for" href="#ca-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-9_smt.b"/>
             </part>
             <part id="ca-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09c."/>
                <p>internal system connections are terminated after <insert type="param" id-ref="ca-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ca-9_smt.c"/>
             </part>
             <part id="ca-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-09d."/>
                <p>the continued need for each internal connection is reviewed <insert type="param" id-ref="ca-09_odp.03"/>.</p>
+               <link rel="assessment-for" href="#ca-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ca-9_smt"/>
          </part>
          <part id="ca-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7566,18 +7965,22 @@
                <part id="cm-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[01]"/>
                   <p>a configuration management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[02]"/>
                   <p>the configuration management policy is disseminated to <insert type="param" id-ref="cm-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[03]"/>
                   <p>configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[04]"/>
                   <p>the configuration management procedures are disseminated to <insert type="param" id-ref="cm-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.01"/>
@@ -7586,41 +7989,53 @@
                      <part id="cm-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                   </part>
                   <part id="cm-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01a.01(b)"/>
                      <p>the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.a"/>
             </part>
             <part id="cm-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01b."/>
                <p>the <insert type="param" id-ref="cm-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#cm-1_smt.b"/>
             </part>
             <part id="cm-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01c."/>
@@ -7629,24 +8044,32 @@
                   <part id="cm-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[01]"/>
                      <p>the current configuration management policy is reviewed and updated <insert type="param" id-ref="cm-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
                   <part id="cm-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[02]"/>
                      <p>the current configuration management policy is reviewed and updated following <insert type="param" id-ref="cm-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                </part>
                <part id="cm-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01c.02"/>
                   <part id="cm-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[01]"/>
                      <p>the current configuration management procedures are reviewed and updated <insert type="param" id-ref="cm-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
                   <part id="cm-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[02]"/>
                      <p>the current configuration management procedures are reviewed and updated following <insert type="param" id-ref="cm-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt"/>
          </part>
          <part id="cm-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7752,27 +8175,35 @@
                <part id="cm-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[01]"/>
                   <p>a current baseline configuration of the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
                <part id="cm-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02a.[02]"/>
                   <p>a current baseline configuration of the system is maintained under configuration control;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.a"/>
             </part>
             <part id="cm-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-02b."/>
                <part id="cm-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.01"/>
                   <p>the baseline configuration of the system is reviewed and updated <insert type="param" id-ref="cm-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.1"/>
                </part>
                <part id="cm-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.02"/>
                   <p>the baseline configuration of the system is reviewed and updated when required due to <insert type="param" id-ref="cm-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.2"/>
                </part>
                <part id="cm-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02b.03"/>
                   <p>the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.</p>
+                  <link rel="assessment-for" href="#cm-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#cm-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-2_smt"/>
          </part>
          <part id="cm-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7843,19 +8274,24 @@
                <part id="cm-2.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[01]"/>
                   <p>the currency of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[02]"/>
                   <p>the completeness of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[03]"/>
                   <p>the accuracy of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
                <part id="cm-2.2_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(02)[04]"/>
                   <p>the availability of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>.</p>
+                  <link rel="assessment-for" href="#cm-2.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-2.2_smt"/>
             </part>
             <part id="cm-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7921,6 +8357,7 @@
                <prop name="label" class="sp800-53a" value="CM-02(03)"/>
                <p>
                   <insert type="param" id-ref="cm-02.03_odp"/> of previous baseline configuration version(s) of the system is/are retained to support rollback.</p>
+               <link rel="assessment-for" href="#cm-2.3_smt"/>
             </part>
             <part id="cm-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8010,12 +8447,15 @@
                   <prop name="label" class="sp800-53a" value="CM-02(07)(a)"/>
                   <p>
                      <insert type="param" id-ref="cm-02.07_odp.01"/> with <insert type="param" id-ref="cm-02.07_odp.02"/> are issued to individuals traveling to locations that the organization deems to be of significant risk;</p>
+                  <link rel="assessment-for" href="#cm-2.7_smt.a"/>
                </part>
                <part id="cm-2.7_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-02(07)(b)"/>
                   <p>
                      <insert type="param" id-ref="cm-02.07_odp.03"/> are applied to the systems or system components when the individuals return from travel.</p>
+                  <link rel="assessment-for" href="#cm-2.7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-2.7_smt"/>
             </part>
             <part id="cm-2.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8171,52 +8611,66 @@
             <part id="cm-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03a."/>
                <p>the types of changes to the system that are configuration-controlled are determined and documented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.a"/>
             </part>
             <part id="cm-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03b."/>
                <part id="cm-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03b.[01]"/>
                   <p>proposed configuration-controlled changes to the system are reviewed;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.b"/>
                </part>
                <part id="cm-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03b.[02]"/>
                   <p>proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.b"/>
             </part>
             <part id="cm-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03c."/>
                <p>configuration change decisions associated with the system are documented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.c"/>
             </part>
             <part id="cm-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03d."/>
                <p>approved configuration-controlled changes to the system are implemented;</p>
+               <link rel="assessment-for" href="#cm-3_smt.d"/>
             </part>
             <part id="cm-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03e."/>
                <p>records of configuration-controlled changes to the system are retained for <insert type="param" id-ref="cm-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-3_smt.e"/>
             </part>
             <part id="cm-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03f."/>
                <part id="cm-3_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03f.[01]"/>
                   <p>activities associated with configuration-controlled changes to the system are monitored;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.f"/>
                </part>
                <part id="cm-3_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03f.[02]"/>
                   <p>activities associated with configuration-controlled changes to the system are reviewed;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.f"/>
             </part>
             <part id="cm-3_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-03g."/>
                <part id="cm-3_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03g.[01]"/>
                   <p>configuration change control activities are coordinated and overseen by <insert type="param" id-ref="cm-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-3_smt.g"/>
                </part>
                <part id="cm-3_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03g.[02]"/>
                   <p>the configuration control element convenes <insert type="param" id-ref="cm-03_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#cm-3_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#cm-3_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#cm-3_smt"/>
          </part>
          <part id="cm-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8278,15 +8732,19 @@
                <part id="cm-3.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[01]"/>
                   <p>changes to the system are tested before finalizing the implementation of the changes;</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
                <part id="cm-3.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[02]"/>
                   <p>changes to the system are validated before finalizing the implementation of the changes;</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
                <part id="cm-3.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(02)[03]"/>
                   <p>changes to the system are documented before finalizing the implementation of the changes.</p>
+                  <link rel="assessment-for" href="#cm-3.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-3.2_smt"/>
             </part>
             <part id="cm-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8378,12 +8836,15 @@
                   <prop name="label" class="sp800-53a" value="CM-03(04)[01]"/>
                   <p>
                      <insert type="param" id-ref="cm-03.04_odp.01"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-3.4_smt"/>
                </part>
                <part id="cm-3.4_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-03(04)[02]"/>
                   <p>
                      <insert type="param" id-ref="cm-03.04_odp.02"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#cm-3.4_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-3.4_smt"/>
             </part>
             <part id="cm-3.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8450,11 +8911,14 @@
             <part id="cm-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[01]"/>
                <p>changes to the system are analyzed to determine potential security impacts prior to change implementation;</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
             <part id="cm-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[02]"/>
                <p>changes to the system are analyzed to determine potential privacy impacts prior to change implementation.</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-4_smt"/>
          </part>
          <part id="cm-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8522,27 +8986,34 @@
                <part id="cm-4.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[01]"/>
                   <p>the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[02]"/>
                   <p>the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[03]"/>
                   <p>the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[04]"/>
                   <p>the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[05]"/>
                   <p>the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
                <part id="cm-4.2_obj-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-04(02)[06]"/>
                   <p>the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.</p>
+                  <link rel="assessment-for" href="#cm-4.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-4.2_smt"/>
             </part>
             <part id="cm-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8616,27 +9087,34 @@
             <part id="cm-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[01]"/>
                <p>physical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[02]"/>
                <p>physical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[03]"/>
                <p>physical access restrictions associated with changes to the system are enforced;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[04]"/>
                <p>logical access restrictions associated with changes to the system are defined and documented;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[05]"/>
                <p>logical access restrictions associated with changes to the system are approved;</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
             <part id="cm-5_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-05[06]"/>
                <p>logical access restrictions associated with changes to the system are enforced.</p>
+               <link rel="assessment-for" href="#cm-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-5_smt"/>
          </part>
          <part id="cm-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8773,33 +9251,42 @@
             <part id="cm-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06a."/>
                <p>configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using <insert type="param" id-ref="cm-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-6_smt.a"/>
             </part>
             <part id="cm-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06b."/>
                <p>the configuration settings documented in CM-06a are implemented;</p>
+               <link rel="assessment-for" href="#cm-6_smt.b"/>
             </part>
             <part id="cm-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06c."/>
                <part id="cm-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[01]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are identified and documented based on <insert type="param" id-ref="cm-06_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
                <part id="cm-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06c.[02]"/>
                   <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are approved;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.c"/>
             </part>
             <part id="cm-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-06d."/>
                <part id="cm-6_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[01]"/>
                   <p>changes to the configuration settings are monitored in accordance with organizational policies and procedures;</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
                <part id="cm-6_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-06d.[02]"/>
                   <p>changes to the configuration settings are controlled in accordance with organizational policies and procedures.</p>
+                  <link rel="assessment-for" href="#cm-6_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cm-6_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cm-6_smt"/>
          </part>
          <part id="cm-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8956,30 +9443,38 @@
             <part id="cm-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07a."/>
                <p>the system is configured to provide only <insert type="param" id-ref="cm-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#cm-7_smt.a"/>
             </part>
             <part id="cm-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07b."/>
                <part id="cm-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[01]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.02"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[02]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.03"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[03]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.04"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[04]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.05"/> is prohibited or restricted;</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
                <part id="cm-7_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07b.[05]"/>
                   <p>the use of <insert type="param" id-ref="cm-07_odp.06"/> is prohibited or restricted.</p>
+                  <link rel="assessment-for" href="#cm-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-7_smt"/>
          </part>
          <part id="cm-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9106,6 +9601,7 @@
                <part id="cm-7.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(01)(a)"/>
                   <p>the system is reviewed <insert type="param" id-ref="cm-07.01_odp.01"/> to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:</p>
+                  <link rel="assessment-for" href="#cm-7.1_smt.a"/>
                </part>
                <part id="cm-7.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(01)(b)"/>
@@ -9113,28 +9609,35 @@
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[01]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.02"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[02]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.03"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[03]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.04"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[04]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.05"/> deemed to be unnecessary and/or non-secure is disabled or removed;</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
                   <part id="cm-7.1_obj.b-5" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-07(01)(b)[05]"/>
                      <p>
                         <insert type="param" id-ref="cm-07.01_odp.06"/> deemed to be unnecessary and/or non-secure are disabled or removed.</p>
+                     <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-7.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-7.1_smt"/>
             </part>
             <part id="cm-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9213,6 +9716,7 @@
             <part id="cm-7.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-07(02)"/>
                <p>program execution is prevented in accordance with <insert type="param" id-ref="cm-07.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#cm-7.2_smt"/>
             </part>
             <part id="cm-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9315,15 +9819,19 @@
                   <prop name="label" class="sp800-53a" value="CM-07(05)(a)"/>
                   <p>
                      <insert type="param" id-ref="cm-07.05_odp.01"/> are identified;</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.a"/>
                </part>
                <part id="cm-7.5_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(05)(b)"/>
                   <p>a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.b"/>
                </part>
                <part id="cm-7.5_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-07(05)(c)"/>
                   <p>the list of authorized software programs is reviewed and updated <insert type="param" id-ref="cm-07.05_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#cm-7.5_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-7.5_smt"/>
             </part>
             <part id="cm-7.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9459,28 +9967,36 @@
                <part id="cm-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.01"/>
                   <p>an inventory of system components that accurately reflects the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.1"/>
                </part>
                <part id="cm-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.02"/>
                   <p>an inventory of system components that includes all components within the system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.2"/>
                </part>
                <part id="cm-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.03"/>
                   <p>an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.3"/>
                </part>
                <part id="cm-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.04"/>
                   <p>an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.4"/>
                </part>
                <part id="cm-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08a.05"/>
                   <p>an inventory of system components that includes <insert type="param" id-ref="cm-08_odp.01"/> is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-8_smt.a.5"/>
                </part>
+               <link rel="assessment-for" href="#cm-8_smt.a"/>
             </part>
             <part id="cm-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-08b."/>
                <p>the system component inventory is reviewed and updated <insert type="param" id-ref="cm-08_odp.02"/>.</p>
+               <link rel="assessment-for" href="#cm-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-8_smt"/>
          </part>
          <part id="cm-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9538,15 +10054,19 @@
                <part id="cm-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[01]"/>
                   <p>the inventory of system components is updated as part of component installations;</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
                <part id="cm-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[02]"/>
                   <p>the inventory of system components is updated as part of component removals;</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
                <part id="cm-8.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(01)[03]"/>
                   <p>the inventory of system components is updated as part of system updates.</p>
+                  <link rel="assessment-for" href="#cm-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cm-8.1_smt"/>
             </part>
             <part id="cm-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9686,17 +10206,21 @@
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[01]"/>
                      <p>the presence of unauthorized hardware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.01"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
                   <part id="cm-8.3_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[02]"/>
                      <p>the presence of unauthorized software within the system is detected using <insert type="param" id-ref="cm-08.03_odp.02"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
                   <part id="cm-8.3_obj.a-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(a)[03]"/>
                      <p>the presence of unauthorized firmware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.03"/>
                         <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-8.3_smt.a"/>
                </part>
                <part id="cm-8.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-08(03)(b)"/>
@@ -9704,18 +10228,23 @@
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[01]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized hardware is detected;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
                   <part id="cm-8.3_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[02]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized software is detected;</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
                   <part id="cm-8.3_obj.b-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-08(03)(b)[03]"/>
                      <p>
                         <insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized firmware is detected.</p>
+                     <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-8.3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-8.3_smt"/>
             </part>
             <part id="cm-8.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9818,63 +10347,80 @@
             <part id="cm-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09[01]"/>
                <p>a configuration management plan for the system is developed and documented;</p>
+               <link rel="assessment-for" href="#cm-9_smt"/>
             </part>
             <part id="cm-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09[02]"/>
                <p>a configuration management plan for the system is implemented;</p>
+               <link rel="assessment-for" href="#cm-9_smt"/>
             </part>
             <part id="cm-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09a."/>
                <part id="cm-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[01]"/>
                   <p>the configuration management plan addresses roles;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
                <part id="cm-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[02]"/>
                   <p>the configuration management plan addresses responsibilities;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
                <part id="cm-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09a.[03]"/>
                   <p>the configuration management plan addresses configuration management processes and procedures;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.a"/>
             </part>
             <part id="cm-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09b."/>
                <part id="cm-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09b.[01]"/>
                   <p>the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.b"/>
                </part>
                <part id="cm-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09b.[02]"/>
                   <p>the configuration management plan establishes a process for managing the configuration of the configuration items;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.b"/>
             </part>
             <part id="cm-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09c."/>
                <part id="cm-9_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09c.[01]"/>
                   <p>the configuration management plan defines the configuration items for the system;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.c"/>
                </part>
                <part id="cm-9_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09c.[02]"/>
                   <p>the configuration management plan places the configuration items under configuration management;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.c"/>
             </part>
             <part id="cm-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09d."/>
                <p>the configuration management plan is reviewed and approved by <insert type="param" id-ref="cm-09_odp"/>;</p>
+               <link rel="assessment-for" href="#cm-9_smt.d"/>
             </part>
             <part id="cm-9_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-09e."/>
                <part id="cm-9_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09e.[01]"/>
                   <p>the configuration management plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#cm-9_smt.e"/>
                </part>
                <part id="cm-9_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-09e.[02]"/>
                   <p>the configuration management plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#cm-9_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#cm-9_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#cm-9_smt"/>
          </part>
          <part id="cm-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9949,15 +10495,19 @@
             <part id="cm-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10a."/>
                <p>software and associated documentation are used in accordance with contract agreements and copyright laws;</p>
+               <link rel="assessment-for" href="#cm-10_smt.a"/>
             </part>
             <part id="cm-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10b."/>
                <p>the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;</p>
+               <link rel="assessment-for" href="#cm-10_smt.b"/>
             </part>
             <part id="cm-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-10c."/>
                <p>the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
+               <link rel="assessment-for" href="#cm-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-10_smt"/>
          </part>
          <part id="cm-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10062,15 +10612,19 @@
                <prop name="label" class="sp800-53a" value="CM-11a."/>
                <p>
                   <insert type="param" id-ref="cm-11_odp.01"/> governing the installation of software by users are established;</p>
+               <link rel="assessment-for" href="#cm-11_smt.a"/>
             </part>
             <part id="cm-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11b."/>
                <p>software installation policies are enforced through <insert type="param" id-ref="cm-11_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cm-11_smt.b"/>
             </part>
             <part id="cm-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-11c."/>
                <p>compliance with <insert type="param" id-ref="cm-11_odp.01"/> is monitored <insert type="param" id-ref="cm-11_odp.03"/>.</p>
+               <link rel="assessment-for" href="#cm-11_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-11_smt"/>
          </part>
          <part id="cm-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10173,38 +10727,49 @@
                <part id="cm-12_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[01]"/>
                   <p>the location of <insert type="param" id-ref="cm-12_odp"/> is identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
                <part id="cm-12_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[02]"/>
                   <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
                <part id="cm-12_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12a.[03]"/>
                   <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.a"/>
             </part>
             <part id="cm-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12b."/>
                <part id="cm-12_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12b.[01]"/>
                   <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.b"/>
                </part>
                <part id="cm-12_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12b.[02]"/>
                   <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.b"/>
             </part>
             <part id="cm-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12c."/>
                <part id="cm-12_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12c.[01]"/>
                   <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is processed are documented;</p>
+                  <link rel="assessment-for" href="#cm-12_smt.c"/>
                </part>
                <part id="cm-12_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-12c.[02]"/>
                   <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is stored are documented.</p>
+                  <link rel="assessment-for" href="#cm-12_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#cm-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-12_smt"/>
          </part>
          <part id="cm-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10282,6 +10847,7 @@
             <part id="cm-12.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-12(01)"/>
                <p>automated tools are used to identify <insert type="param" id-ref="cm-12.01_odp.01"/> on <insert type="param" id-ref="cm-12.01_odp.02"/> to ensure that controls are in place to protect organizational information and individual privacy.</p>
+               <link rel="assessment-for" href="#cm-12.1_smt"/>
             </part>
             <part id="cm-12.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10465,18 +11031,22 @@
                <part id="cp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[01]"/>
                   <p>a contingency planning policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[02]"/>
                   <p>the contingency planning policy is disseminated to <insert type="param" id-ref="cp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[03]"/>
                   <p>contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.[04]"/>
                   <p>the contingency planning procedures are disseminated to <insert type="param" id-ref="cp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cp-1_smt.a"/>
                </part>
                <part id="cp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01a.01"/>
@@ -10485,41 +11055,53 @@
                      <part id="cp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
                      <part id="cp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
                   </part>
                   <part id="cp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.a"/>
             </part>
             <part id="cp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01b."/>
                <p>the <insert type="param" id-ref="cp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;</p>
+               <link rel="assessment-for" href="#cp-1_smt.b"/>
             </part>
             <part id="cp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-01c."/>
@@ -10528,24 +11110,32 @@
                   <part id="cp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[01]"/>
                      <p>the current contingency planning policy is reviewed and updated <insert type="param" id-ref="cp-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
                   <part id="cp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.01[02]"/>
                      <p>the current contingency planning policy is reviewed and updated following <insert type="param" id-ref="cp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.1"/>
                </part>
                <part id="cp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-01c.02"/>
                   <part id="cp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[01]"/>
                      <p>the current contingency planning procedures are reviewed and updated <insert type="param" id-ref="cp-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
                   <part id="cp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-01c.02[02]"/>
                      <p>the current contingency planning procedures are reviewed and updated following <insert type="param" id-ref="cp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt"/>
          </part>
          <part id="cp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10751,124 +11341,158 @@
                <part id="cp-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.01"/>
                   <p>a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.1"/>
                </part>
                <part id="cp-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.02"/>
                   <part id="cp-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[01]"/>
                      <p>a contingency plan for the system is developed that provides recovery objectives;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[02]"/>
                      <p>a contingency plan for the system is developed that provides restoration priorities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
                   <part id="cp-2_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.02[03]"/>
                      <p>a contingency plan for the system is developed that provides metrics;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.2"/>
                </part>
                <part id="cp-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.03"/>
                   <part id="cp-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[01]"/>
                      <p>a contingency plan for the system is developed that addresses contingency roles;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[02]"/>
                      <p>a contingency plan for the system is developed that addresses contingency responsibilities;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
                   <part id="cp-2_obj.a.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.03[03]"/>
                      <p>a contingency plan for the system is developed that addresses assigned individuals with contact information;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.3"/>
                </part>
                <part id="cp-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.04"/>
                   <p>a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.4"/>
                </part>
                <part id="cp-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.05"/>
                   <p>a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.5"/>
                </part>
                <part id="cp-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.06"/>
                   <p>a contingency plan for the system is developed that addresses the sharing of contingency information;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.a.6"/>
                </part>
                <part id="cp-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02a.07"/>
                   <part id="cp-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[01]"/>
                      <p>a contingency plan for the system is developed that is reviewed by <insert type="param" id-ref="cp-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
                   <part id="cp-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-02a.07[02]"/>
                      <p>a contingency plan for the system is developed that is approved by <insert type="param" id-ref="cp-02_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-2_smt.a.7"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.a"/>
             </part>
             <part id="cp-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02b."/>
                <part id="cp-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[01]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
                <part id="cp-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02b.[02]"/>
                   <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.b"/>
             </part>
             <part id="cp-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02c."/>
                <p>contingency planning activities are coordinated with incident handling activities;</p>
+               <link rel="assessment-for" href="#cp-2_smt.c"/>
             </part>
             <part id="cp-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02d."/>
                <p>the contingency plan for the system is reviewed <insert type="param" id-ref="cp-02_odp.05"/>;</p>
+               <link rel="assessment-for" href="#cp-2_smt.d"/>
             </part>
             <part id="cp-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02e."/>
                <part id="cp-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[01]"/>
                   <p>the contingency plan is updated to address changes to the organization, system, or environment of operation;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
                <part id="cp-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02e.[02]"/>
                   <p>the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.e"/>
             </part>
             <part id="cp-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02f."/>
                <part id="cp-2_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[01]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
                <part id="cp-2_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02f.[02]"/>
                   <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.f"/>
             </part>
             <part id="cp-2_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02g."/>
                <part id="cp-2_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[01]"/>
                   <p>lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
                <part id="cp-2_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02g.[02]"/>
                   <p>lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.g"/>
             </part>
             <part id="cp-2_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02h."/>
                <part id="cp-2_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[01]"/>
                   <p>the contingency plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
                <part id="cp-2_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-02h.[02]"/>
                   <p>the contingency plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#cp-2_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#cp-2_smt.h"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt"/>
          </part>
          <part id="cp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10918,6 +11542,7 @@
             <part id="cp-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(01)"/>
                <p>contingency plan development is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#cp-2.1_smt"/>
             </part>
             <part id="cp-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10982,6 +11607,7 @@
             <part id="cp-2.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(03)"/>
                <p>the resumption of <insert type="param" id-ref="cp-02.03_odp.01"/> mission and business functions are planned for within <insert type="param" id-ref="cp-02.03_odp.02"/> of contingency plan activation.</p>
+               <link rel="assessment-for" href="#cp-2.3_smt"/>
             </part>
             <part id="cp-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11043,6 +11669,7 @@
             <part id="cp-2.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-02(08)"/>
                <p>critical system assets supporting <insert type="param" id-ref="cp-02.08_odp"/> mission and business functions are identified.</p>
+               <link rel="assessment-for" href="#cp-2.8_smt"/>
             </part>
             <part id="cp-2.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11153,27 +11780,35 @@
                <part id="cp-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.01"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="cp-03_odp.01"/> of assuming a contingency role or responsibility;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.1"/>
                </part>
                <part id="cp-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.02"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.2"/>
                </part>
                <part id="cp-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03a.03"/>
                   <p>contingency training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="cp-03_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.a"/>
             </part>
             <part id="cp-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-03b."/>
                <part id="cp-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[01]"/>
                   <p>the contingency plan training content is reviewed and updated <insert type="param" id-ref="cp-03_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
                <part id="cp-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-03b.[02]"/>
                   <p>the contingency plan training content is reviewed and updated following <insert type="param" id-ref="cp-03_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#cp-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-3_smt"/>
          </part>
          <part id="cp-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11285,26 +11920,33 @@
                <part id="cp-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[01]"/>
                   <p>the contingency plan for the system is tested <insert type="param" id-ref="cp-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[02]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.02"/> are used to determine the effectiveness of the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
                <part id="cp-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-04a.[03]"/>
                   <p>
                      <insert type="param" id-ref="cp-04_odp.03"/> are used to determine the readiness to execute the plan;</p>
+                  <link rel="assessment-for" href="#cp-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cp-4_smt.a"/>
             </part>
             <part id="cp-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04b."/>
                <p>the contingency plan test results are reviewed;</p>
+               <link rel="assessment-for" href="#cp-4_smt.b"/>
             </part>
             <part id="cp-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04c."/>
                <p>corrective actions are initiated, if needed.</p>
+               <link rel="assessment-for" href="#cp-4_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-4_smt"/>
          </part>
          <part id="cp-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11358,6 +12000,7 @@
             <part id="cp-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-04(01)"/>
                <p>contingency plan testing is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#cp-4.1_smt"/>
             </part>
             <part id="cp-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11429,16 +12072,21 @@
                <part id="cp-6_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06a.[01]"/>
                   <p>an alternate storage site is established;</p>
+                  <link rel="assessment-for" href="#cp-6_smt.a"/>
                </part>
                <part id="cp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06a.[02]"/>
                   <p>establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;</p>
+                  <link rel="assessment-for" href="#cp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#cp-6_smt.a"/>
             </part>
             <part id="cp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-06b."/>
                <p>the alternate storage site provides controls equivalent to that of the primary site.</p>
+               <link rel="assessment-for" href="#cp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-6_smt"/>
          </part>
          <part id="cp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11489,6 +12137,7 @@
             <part id="cp-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-06(01)"/>
                <p>an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.</p>
+               <link rel="assessment-for" href="#cp-6.1_smt"/>
             </part>
             <part id="cp-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11535,11 +12184,14 @@
                <part id="cp-6.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(03)[01]"/>
                   <p>potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;</p>
+                  <link rel="assessment-for" href="#cp-6.3_smt"/>
                </part>
                <part id="cp-6.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-06(03)[02]"/>
                   <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+                  <link rel="assessment-for" href="#cp-6.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-6.3_smt"/>
             </part>
             <part id="cp-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11629,22 +12281,28 @@
             <part id="cp-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07a."/>
                <p>an alternate processing site, including necessary agreements to permit the transfer and resumption of <insert type="param" id-ref="cp-07_odp.01"/> for essential mission and business functions, is established within <insert type="param" id-ref="cp-07_odp.02"/> when the primary processing capabilities are unavailable;</p>
+               <link rel="assessment-for" href="#cp-7_smt.a"/>
             </part>
             <part id="cp-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07b."/>
                <part id="cp-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07b.[01]"/>
                   <p>the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for transfer;</p>
+                  <link rel="assessment-for" href="#cp-7_smt.b"/>
                </part>
                <part id="cp-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07b.[02]"/>
                   <p>the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for resumption;</p>
+                  <link rel="assessment-for" href="#cp-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-7_smt.b"/>
             </part>
             <part id="cp-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07c."/>
                <p>controls provided at the alternate processing site are equivalent to those at the primary site.</p>
+               <link rel="assessment-for" href="#cp-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-7_smt"/>
          </part>
          <part id="cp-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11697,6 +12355,7 @@
             <part id="cp-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07(01)"/>
                <p>an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.</p>
+               <link rel="assessment-for" href="#cp-7.1_smt"/>
             </part>
             <part id="cp-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11743,11 +12402,14 @@
                <part id="cp-7.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07(02)[01]"/>
                   <p>potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;</p>
+                  <link rel="assessment-for" href="#cp-7.2_smt"/>
                </part>
                <part id="cp-7.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-07(02)[02]"/>
                   <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+                  <link rel="assessment-for" href="#cp-7.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-7.2_smt"/>
             </part>
             <part id="cp-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11791,6 +12453,7 @@
             <part id="cp-7.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-07(03)"/>
                <p>alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.</p>
+               <link rel="assessment-for" href="#cp-7.3_smt"/>
             </part>
             <part id="cp-7.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11856,6 +12519,7 @@
          <part id="cp-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-08"/>
             <p>alternate telecommunications services, including necessary agreements to permit the resumption of <insert type="param" id-ref="cp-08_odp.01"/> , are established for essential mission and business functions within <insert type="param" id-ref="cp-08_odp.02"/> when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</p>
+            <link rel="assessment-for" href="#cp-8_smt"/>
          </part>
          <part id="cp-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11916,16 +12580,21 @@
                   <part id="cp-8.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(01)(a)[01]"/>
                      <p>primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+                     <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                   </part>
                   <part id="cp-8.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CP-08(01)(a)[02]"/>
                      <p>alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+                     <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#cp-8.1_smt.a"/>
                </part>
                <part id="cp-8.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-08(01)(b)"/>
                   <p>Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.</p>
+                  <link rel="assessment-for" href="#cp-8.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#cp-8.1_smt"/>
             </part>
             <part id="cp-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11976,6 +12645,7 @@
             <part id="cp-8.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-08(02)"/>
                <p>alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.</p>
+               <link rel="assessment-for" href="#cp-8.2_smt"/>
             </part>
             <part id="cp-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12092,30 +12762,38 @@
             <part id="cp-9_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09a."/>
                <p>backups of user-level information contained in <insert type="param" id-ref="cp-09_odp.01"/> are conducted <insert type="param" id-ref="cp-09_odp.02"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.a"/>
             </part>
             <part id="cp-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09b."/>
                <p>backups of system-level information contained in the system are conducted <insert type="param" id-ref="cp-09_odp.03"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.b"/>
             </part>
             <part id="cp-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09c."/>
                <p>backups of system documentation, including security- and privacy-related documentation are conducted <insert type="param" id-ref="cp-09_odp.04"/>;</p>
+               <link rel="assessment-for" href="#cp-9_smt.c"/>
             </part>
             <part id="cp-9_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09d."/>
                <part id="cp-9_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[01]"/>
                   <p>the confidentiality of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[02]"/>
                   <p>the integrity of backup information is protected;</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
                <part id="cp-9_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09d.[03]"/>
                   <p>the availability of backup information is protected.</p>
+                  <link rel="assessment-for" href="#cp-9_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#cp-9_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#cp-9_smt"/>
          </part>
          <part id="cp-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12191,11 +12869,14 @@
                <part id="cp-9.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(01)[01]"/>
                   <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.01"/> to verify media reliability;</p>
+                  <link rel="assessment-for" href="#cp-9.1_smt"/>
                </part>
                <part id="cp-9.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CP-09(01)[02]"/>
                   <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.02"/> to verify information integrity.</p>
+                  <link rel="assessment-for" href="#cp-9.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#cp-9.1_smt"/>
             </part>
             <part id="cp-9.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12257,6 +12938,7 @@
             <part id="cp-9.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-09(08)"/>
                <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of <insert type="param" id-ref="cp-09.08_odp"/>.</p>
+               <link rel="assessment-for" href="#cp-9.8_smt"/>
             </part>
             <part id="cp-9.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12340,11 +13022,14 @@
             <part id="cp-10_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[01]"/>
                <p>the recovery of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.01"/> after a disruption, compromise, or failure;</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
             <part id="cp-10_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10[02]"/>
                <p>a reconstitution of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.02"/> after a disruption, compromise, or failure.</p>
+               <link rel="assessment-for" href="#cp-10_smt"/>
             </part>
+            <link rel="assessment-for" href="#cp-10_smt"/>
          </part>
          <part id="cp-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12396,6 +13081,7 @@
             <part id="cp-10.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CP-10(02)"/>
                <p>transaction recovery is implemented for systems that are transaction-based.</p>
+               <link rel="assessment-for" href="#cp-10.2_smt"/>
             </part>
             <part id="cp-10.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12581,18 +13267,22 @@
                <part id="ia-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[01]"/>
                   <p>an identification and authentication policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[02]"/>
                   <p>the identification and authentication policy is disseminated to <insert type="param" id-ref="ia-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[03]"/>
                   <p>identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.[04]"/>
                   <p>the identification and authentication procedures are disseminated to <insert type="param" id-ref="ia-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ia-1_smt.a"/>
                </part>
                <part id="ia-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01a.01"/>
@@ -12601,41 +13291,53 @@
                      <part id="ia-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
                      <part id="ia-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
                   </part>
                   <part id="ia-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.a"/>
             </part>
             <part id="ia-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01b."/>
                <p>the <insert type="param" id-ref="ia-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;</p>
+               <link rel="assessment-for" href="#ia-1_smt.b"/>
             </part>
             <part id="ia-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-01c."/>
@@ -12644,24 +13346,32 @@
                   <part id="ia-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[01]"/>
                      <p>the current identification and authentication policy is reviewed and updated <insert type="param" id-ref="ia-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
                   <part id="ia-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.01[02]"/>
                      <p>the current identification and authentication policy is reviewed and updated following <insert type="param" id-ref="ia-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.1"/>
                </part>
                <part id="ia-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-01c.02"/>
                   <part id="ia-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[01]"/>
                      <p>the current identification and authentication procedures are reviewed and updated <insert type="param" id-ref="ia-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
                   <part id="ia-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-01c.02[02]"/>
                      <p>the current identification and authentication procedures are reviewed and updated following <insert type="param" id-ref="ia-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ia-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt"/>
          </part>
          <part id="ia-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12723,6 +13433,7 @@
          <link rel="related" href="#ia-4"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-8"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
          <link rel="related" href="#pe-2"/>
@@ -12742,11 +13453,14 @@
             <part id="ia-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[01]"/>
                <p>organizational users are uniquely identified and authenticated;</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
             <part id="ia-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02[02]"/>
                <p>the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.</p>
+               <link rel="assessment-for" href="#ia-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#ia-2_smt"/>
          </part>
          <part id="ia-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12800,6 +13514,7 @@
             <part id="ia-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(01)"/>
                <p>multi-factor authentication is implemented for access to privileged accounts.</p>
+               <link rel="assessment-for" href="#ia-2.1_smt"/>
             </part>
             <part id="ia-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12853,6 +13568,7 @@
             <part id="ia-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(02)"/>
                <p>multi-factor authentication for access to non-privileged accounts is implemented.</p>
+               <link rel="assessment-for" href="#ia-2.2_smt"/>
             </part>
             <part id="ia-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12913,6 +13629,7 @@
             <part id="ia-2.8_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(08)"/>
                <p>replay-resistant authentication mechanisms for access to <insert type="param" id-ref="ia-02.08_odp"/> are implemented.</p>
+               <link rel="assessment-for" href="#ia-2.8_smt"/>
             </part>
             <part id="ia-2.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12966,6 +13683,7 @@
             <part id="ia-2.12_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-02(12)"/>
                <p>Personal Identity Verification-compliant credentials are accepted and electronically verified.</p>
+               <link rel="assessment-for" href="#ia-2.12_smt"/>
             </part>
             <part id="ia-2.12_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13038,6 +13756,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-9"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#si-4"/>
          <part name="statement" id="ia-3_smt">
             <p>Uniquely identify and authenticate <insert type="param" id-ref="ia-03_odp.01"/> before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
@@ -13049,6 +13768,7 @@
             <prop name="label" class="sp800-53a" value="IA-03"/>
             <p>
                <insert type="param" id-ref="ia-03_odp.01"/> are uniquely identified and authenticated before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
+            <link rel="assessment-for" href="#ia-3_smt"/>
          </part>
          <part id="ia-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13155,19 +13875,24 @@
             <part id="ia-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04a."/>
                <p>system identifiers are managed by receiving authorization from <insert type="param" id-ref="ia-04_odp.01"/> to assign to an individual, group, role, or device identifier;</p>
+               <link rel="assessment-for" href="#ia-4_smt.a"/>
             </part>
             <part id="ia-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04b."/>
                <p>system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.b"/>
             </part>
             <part id="ia-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04c."/>
                <p>system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;</p>
+               <link rel="assessment-for" href="#ia-4_smt.c"/>
             </part>
             <part id="ia-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04d."/>
                <p>system identifiers are managed by preventing reuse of identifiers for <insert type="param" id-ref="ia-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ia-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ia-4_smt"/>
          </part>
          <part id="ia-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13230,6 +13955,7 @@
             <part id="ia-4.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-04(04)"/>
                <p>individual identifiers are managed by uniquely identifying each individual as <insert type="param" id-ref="ia-04.04_odp"/>.</p>
+               <link rel="assessment-for" href="#ia-4.4_smt"/>
             </part>
             <part id="ia-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13362,46 +14088,58 @@
             <part id="ia-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05a."/>
                <p>system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;</p>
+               <link rel="assessment-for" href="#ia-5_smt.a"/>
             </part>
             <part id="ia-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05b."/>
                <p>system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;</p>
+               <link rel="assessment-for" href="#ia-5_smt.b"/>
             </part>
             <part id="ia-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05c."/>
                <p>system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.c"/>
             </part>
             <part id="ia-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05d."/>
                <p>system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;</p>
+               <link rel="assessment-for" href="#ia-5_smt.d"/>
             </part>
             <part id="ia-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05e."/>
                <p>system authenticators are managed through the change of default authenticators prior to first use;</p>
+               <link rel="assessment-for" href="#ia-5_smt.e"/>
             </part>
             <part id="ia-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05f."/>
                <p>system authenticators are managed through the change or refreshment of authenticators <insert type="param" id-ref="ia-05_odp.01"/> or when <insert type="param" id-ref="ia-05_odp.02"/> occur;</p>
+               <link rel="assessment-for" href="#ia-5_smt.f"/>
             </part>
             <part id="ia-5_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05g."/>
                <p>system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;</p>
+               <link rel="assessment-for" href="#ia-5_smt.g"/>
             </part>
             <part id="ia-5_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05h."/>
                <part id="ia-5_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[01]"/>
                   <p>system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
                <part id="ia-5_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05h.[02]"/>
                   <p>system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5_smt.h"/>
             </part>
             <part id="ia-5_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05i."/>
                <p>system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.</p>
+               <link rel="assessment-for" href="#ia-5_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#ia-5_smt"/>
          </part>
          <part id="ia-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13506,35 +14244,44 @@
                <part id="ia-5.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(a)"/>
                   <p>for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated <insert type="param" id-ref="ia-05.01_odp.01"/> and when organizational passwords are suspected to have been compromised directly or indirectly;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.a"/>
                </part>
                <part id="ia-5.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(b)"/>
                   <p>for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.b"/>
                </part>
                <part id="ia-5.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(c)"/>
                   <p>for password-based authentication, passwords are only transmitted over cryptographically protected channels;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.c"/>
                </part>
                <part id="ia-5.1_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(d)"/>
                   <p>for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.d"/>
                </part>
                <part id="ia-5.1_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(e)"/>
                   <p>for password-based authentication, immediate selection of a new password is required upon account recovery;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.e"/>
                </part>
                <part id="ia-5.1_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(f)"/>
                   <p>for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.f"/>
                </part>
                <part id="ia-5.1_obj.g" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(g)"/>
                   <p>for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.g"/>
                </part>
                <part id="ia-5.1_obj.h" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(01)(h)"/>
                   <p>for password-based authentication, <insert type="param" id-ref="ia-05.01_odp.02"/> are enforced.</p>
+                  <link rel="assessment-for" href="#ia-5.1_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#ia-5.1_smt"/>
             </part>
             <part id="ia-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13615,23 +14362,30 @@
                   <part id="ia-5.2_obj.a.1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(a)(01)"/>
                      <p>authorized access to the corresponding private key is enforced for public key-based authentication;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.a.1"/>
                   </part>
                   <part id="ia-5.2_obj.a.2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(a)(02)"/>
                      <p>the authenticated identity is mapped to the account of the individual or group for public key-based authentication;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-5.2_smt.a"/>
                </part>
                <part id="ia-5.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-05(02)(b)"/>
                   <part id="ia-5.2_obj.b.1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(b)(01)"/>
                      <p>when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.b.1"/>
                   </part>
                   <part id="ia-5.2_obj.b.2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-05(02)(b)(02)"/>
                      <p>when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.</p>
+                     <link rel="assessment-for" href="#ia-5.2_smt.b.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-5.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ia-5.2_smt"/>
             </part>
             <part id="ia-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13684,6 +14438,7 @@
             <part id="ia-5.6_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-05(06)"/>
                <p>authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.</p>
+               <link rel="assessment-for" href="#ia-5.6_smt"/>
             </part>
             <part id="ia-5.6_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13736,6 +14491,7 @@
          <part id="ia-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-06"/>
             <p>the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</p>
+            <link rel="assessment-for" href="#ia-6_smt"/>
          </part>
          <part id="ia-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13790,6 +14546,7 @@
          <part id="ia-7_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-07"/>
             <p>mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.</p>
+            <link rel="assessment-for" href="#ia-7_smt"/>
          </part>
          <part id="ia-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13848,6 +14605,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-10"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ra-3"/>
          <link rel="related" href="#sa-4"/>
@@ -13861,6 +14619,7 @@
          <part id="ia-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08"/>
             <p>non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.</p>
+            <link rel="assessment-for" href="#ia-8_smt"/>
          </part>
          <part id="ia-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13915,11 +14674,14 @@
                <part id="ia-8.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[01]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
                <part id="ia-8.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(01)[02]"/>
                   <p>Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.</p>
+                  <link rel="assessment-for" href="#ia-8.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.1_smt"/>
             </part>
             <part id="ia-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13984,18 +14746,23 @@
                <part id="ia-8.2_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(a)"/>
                   <p>only external authenticators that are NIST-compliant are accepted;</p>
+                  <link rel="assessment-for" href="#ia-8.2_smt.a"/>
                </part>
                <part id="ia-8.2_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-08(02)(b)"/>
                   <part id="ia-8.2_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[01]"/>
                      <p>a list of accepted external authenticators is documented;</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
                   <part id="ia-8.2_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IA-08(02)(b)[02]"/>
                      <p>a list of accepted external authenticators is maintained.</p>
+                     <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ia-8.2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ia-8.2_smt"/>
             </part>
             <part id="ia-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14060,6 +14827,7 @@
             <part id="ia-8.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-08(04)"/>
                <p>there is conformance with <insert type="param" id-ref="ia-08.04_odp"/> for identity management.</p>
+               <link rel="assessment-for" href="#ia-8.4_smt"/>
             </part>
             <part id="ia-8.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14131,6 +14899,7 @@
          <part id="ia-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-11"/>
             <p>users are required to re-authenticate when <insert type="param" id-ref="ia-11_odp"/>.</p>
+            <link rel="assessment-for" href="#ia-11_smt"/>
          </part>
          <part id="ia-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14185,6 +14954,7 @@
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-8"/>
+         <link rel="related" href="#ia-13"/>
          <part name="statement" id="ia-12_smt">
             <part name="item" id="ia-12_smt.a">
                <prop name="label" value="a."/>
@@ -14207,26 +14977,33 @@
             <part id="ia-12_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12a."/>
                <p>users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;</p>
+               <link rel="assessment-for" href="#ia-12_smt.a"/>
             </part>
             <part id="ia-12_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12b."/>
                <p>user identities are resolved to a unique individual;</p>
+               <link rel="assessment-for" href="#ia-12_smt.b"/>
             </part>
             <part id="ia-12_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12c."/>
                <part id="ia-12_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[01]"/>
                   <p>identity evidence is collected;</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
                <part id="ia-12_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[02]"/>
                   <p>identity evidence is validated;</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
                <part id="ia-12_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IA-12c.[03]"/>
                   <p>identity evidence is verified.</p>
+                  <link rel="assessment-for" href="#ia-12_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ia-12_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ia-12_smt"/>
          </part>
          <part id="ia-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14276,6 +15053,7 @@
             <part id="ia-12.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(02)"/>
                <p>evidence of individual identification is presented to the registration authority.</p>
+               <link rel="assessment-for" href="#ia-12.2_smt"/>
             </part>
             <part id="ia-12.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14335,6 +15113,7 @@
             <part id="ia-12.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(03)"/>
                <p>the presented identity evidence is validated and verified through <insert type="param" id-ref="ia-12.03_odp"/>.</p>
+               <link rel="assessment-for" href="#ia-12.3_smt"/>
             </part>
             <part id="ia-12.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14392,6 +15171,7 @@
             <part id="ia-12.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IA-12(05)"/>
                <p>a <insert type="param" id-ref="ia-12.05_odp"/> is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.</p>
+               <link rel="assessment-for" href="#ia-12.5_smt"/>
             </part>
             <part id="ia-12.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14569,18 +15349,22 @@
                <part id="ir-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[01]"/>
                   <p>an incident response policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[02]"/>
                   <p>the incident response policy is disseminated to <insert type="param" id-ref="ir-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[03]"/>
                   <p>incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[04]"/>
                   <p>the incident response procedures are disseminated to <insert type="param" id-ref="ir-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.01"/>
@@ -14589,41 +15373,53 @@
                      <part id="ir-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                   </part>
                   <part id="ir-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.a"/>
             </part>
             <part id="ir-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01b."/>
                <p>the <insert type="param" id-ref="ir-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;</p>
+               <link rel="assessment-for" href="#ir-1_smt.b"/>
             </part>
             <part id="ir-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01c."/>
@@ -14632,24 +15428,32 @@
                   <part id="ir-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[01]"/>
                      <p>the current incident response policy is reviewed and updated <insert type="param" id-ref="ir-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
                   <part id="ir-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[02]"/>
                      <p>the current incident response policy is reviewed and updated following <insert type="param" id-ref="ir-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                </part>
                <part id="ir-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01c.02"/>
                   <part id="ir-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[01]"/>
                      <p>the current incident response procedures are reviewed and updated <insert type="param" id-ref="ir-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
                   <part id="ir-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[02]"/>
                      <p>the current incident response procedures are reviewed and updated following <insert type="param" id-ref="ir-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt"/>
          </part>
          <part id="ir-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14756,27 +15560,35 @@
                <part id="ir-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.01"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="ir-02_odp.01"/> of assuming an incident response role or responsibility or acquiring system access;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.1"/>
                </part>
                <part id="ir-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.02"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.2"/>
                </part>
                <part id="ir-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.03"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="ir-02_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.a"/>
             </part>
             <part id="ir-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02b."/>
                <part id="ir-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[01]"/>
                   <p>incident response training content is reviewed and updated <insert type="param" id-ref="ir-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
                <part id="ir-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[02]"/>
                   <p>incident response training content is reviewed and updated following <insert type="param" id-ref="ir-02_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-2_smt"/>
          </part>
          <part id="ir-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14848,6 +15660,7 @@
          <part id="ir-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-03"/>
             <p>the effectiveness of the incident response capability for the system is tested <insert type="param" id-ref="ir-03_odp.01"/> using <insert type="param" id-ref="ir-03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ir-3_smt"/>
          </part>
          <part id="ir-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14896,6 +15709,7 @@
             <part id="ir-3.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-03(02)"/>
                <p>incident response testing is coordinated with organizational elements responsible for related plans.</p>
+               <link rel="assessment-for" href="#ir-3.2_smt"/>
             </part>
             <part id="ir-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14996,62 +15810,79 @@
                <part id="ir-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[01]"/>
                   <p>an incident handling capability for incidents is implemented that is consistent with the incident response plan;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[02]"/>
                   <p>the incident handling capability for incidents includes preparation;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[03]"/>
                   <p>the incident handling capability for incidents includes detection and analysis;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[04]"/>
                   <p>the incident handling capability for incidents includes containment;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[05]"/>
                   <p>the incident handling capability for incidents includes eradication;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[06]"/>
                   <p>the incident handling capability for incidents includes recovery;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.a"/>
             </part>
             <part id="ir-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04b."/>
                <p>incident handling activities are coordinated with contingency planning activities;</p>
+               <link rel="assessment-for" href="#ir-4_smt.b"/>
             </part>
             <part id="ir-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04c."/>
                <part id="ir-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[01]"/>
                   <p>lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
                <part id="ir-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[02]"/>
                   <p>the changes resulting from the incorporated lessons learned are implemented accordingly;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.c"/>
             </part>
             <part id="ir-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04d."/>
                <part id="ir-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[01]"/>
                   <p>the rigor of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[02]"/>
                   <p>the intensity of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[03]"/>
                   <p>the scope of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[04]"/>
                   <p>the results of incident handling activities are comparable and predictable across the organization.</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ir-4_smt"/>
          </part>
          <part id="ir-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15109,6 +15940,7 @@
             <part id="ir-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04(01)"/>
                <p>the incident handling process is supported using <insert type="param" id-ref="ir-04.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-4.1_smt"/>
             </part>
             <part id="ir-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15177,11 +16009,14 @@
             <part id="ir-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[01]"/>
                <p>incidents are tracked;</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
             <part id="ir-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[02]"/>
                <p>incidents are documented.</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-5_smt"/>
          </part>
          <part id="ir-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15265,11 +16100,14 @@
             <part id="ir-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06a."/>
                <p>personnel is/are required to report suspected incidents to the organizational incident response capability within <insert type="param" id-ref="ir-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ir-6_smt.a"/>
             </part>
             <part id="ir-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06b."/>
                <p>incident information is reported to <insert type="param" id-ref="ir-06_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ir-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-6_smt"/>
          </part>
          <part id="ir-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15330,6 +16168,7 @@
             <part id="ir-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06(01)"/>
                <p>incidents are reported using <insert type="param" id-ref="ir-06.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-6.1_smt"/>
             </part>
             <part id="ir-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15381,6 +16220,7 @@
             <part id="ir-6.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06(03)"/>
                <p>incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.</p>
+               <link rel="assessment-for" href="#ir-6.3_smt"/>
             </part>
             <part id="ir-6.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15449,11 +16289,14 @@
             <part id="ir-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[01]"/>
                <p>an incident response support resource, integral to the organizational incident response capability, is provided;</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
             <part id="ir-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[02]"/>
                <p>the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-7_smt"/>
          </part>
          <part id="ir-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15510,6 +16353,7 @@
             <part id="ir-7.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07(01)"/>
                <p>the availability of incident response information and support is increased using <insert type="param" id-ref="ir-07.01_odp"/>.</p>
+               <link rel="assessment-for" href="#ir-7.1_smt"/>
             </part>
             <part id="ir-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15707,82 +16551,104 @@
                <part id="ir-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.01"/>
                   <p>an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.1"/>
                </part>
                <part id="ir-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.02"/>
                   <p>an incident response plan is developed that describes the structure and organization of the incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.2"/>
                </part>
                <part id="ir-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.03"/>
                   <p>an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.3"/>
                </part>
                <part id="ir-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.04"/>
                   <p>an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.4"/>
                </part>
                <part id="ir-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.05"/>
                   <p>an incident response plan is developed that defines reportable incidents;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.5"/>
                </part>
                <part id="ir-8_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.06"/>
                   <p>an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.6"/>
                </part>
                <part id="ir-8_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.07"/>
                   <p>an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.7"/>
                </part>
                <part id="ir-8_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.08"/>
                   <p>an incident response plan is developed that addresses the sharing of incident information;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.8"/>
                </part>
                <part id="ir-8_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.09"/>
                   <p>an incident response plan is developed that is reviewed and approved by <insert type="param" id-ref="ir-08_odp.01"/>
                      <insert type="param" id-ref="ir-08_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.9"/>
                </part>
                <part id="ir-8_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.10"/>
                   <p>an incident response plan is developed that explicitly designates responsibility for incident response to <insert type="param" id-ref="ir-08_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.10"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.a"/>
             </part>
             <part id="ir-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08b."/>
                <part id="ir-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[01]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
                <part id="ir-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[02]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.b"/>
             </part>
             <part id="ir-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08c."/>
                <p>the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
+               <link rel="assessment-for" href="#ir-8_smt.c"/>
             </part>
             <part id="ir-8_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08d."/>
                <part id="ir-8_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[01]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
                <part id="ir-8_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[02]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.d"/>
             </part>
             <part id="ir-8_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08e."/>
                <part id="ir-8_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[01]"/>
                   <p>the incident response plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
                <part id="ir-8_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[02]"/>
                   <p>the incident response plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ir-8_smt"/>
          </part>
          <part id="ir-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15956,18 +16822,22 @@
                <part id="ma-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[01]"/>
                   <p>a maintenance policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[02]"/>
                   <p>the maintenance policy is disseminated to <insert type="param" id-ref="ma-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[03]"/>
                   <p>maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.[04]"/>
                   <p>the maintenance procedures are disseminated to <insert type="param" id-ref="ma-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ma-1_smt.a"/>
                </part>
                <part id="ma-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01a.01"/>
@@ -15976,41 +16846,53 @@
                      <part id="ma-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
                      <part id="ma-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
                   </part>
                   <part id="ma-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.a"/>
             </part>
             <part id="ma-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01b."/>
                <p>the <insert type="param" id-ref="ma-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;</p>
+               <link rel="assessment-for" href="#ma-1_smt.b"/>
             </part>
             <part id="ma-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-01c."/>
@@ -16019,24 +16901,32 @@
                   <part id="ma-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[01]"/>
                      <p>the current maintenance policy is reviewed and updated <insert type="param" id-ref="ma-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
                   <part id="ma-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.01[02]"/>
                      <p>the current maintenance policy is reviewed and updated following <insert type="param" id-ref="ma-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.1"/>
                </part>
                <part id="ma-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-01c.02"/>
                   <part id="ma-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[01]"/>
                      <p>the current maintenance procedures are reviewed and updated <insert type="param" id-ref="ma-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
                   <part id="ma-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MA-01c.02[02]"/>
                      <p>the current maintenance procedures are reviewed and updated following <insert type="param" id-ref="ma-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ma-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ma-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt"/>
          </part>
          <part id="ma-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16140,45 +17030,57 @@
                <part id="ma-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[01]"/>
                   <p>maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[02]"/>
                   <p>maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
                <part id="ma-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02a.[03]"/>
                   <p>records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.a"/>
             </part>
             <part id="ma-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02b."/>
                <part id="ma-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[01]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
                <part id="ma-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-02b.[02]"/>
                   <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;</p>
+                  <link rel="assessment-for" href="#ma-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-2_smt.b"/>
             </part>
             <part id="ma-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02c."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.01"/> is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.c"/>
             </part>
             <part id="ma-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02d."/>
                <p>equipment is sanitized to remove <insert type="param" id-ref="ma-02_odp.02"/> from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;</p>
+               <link rel="assessment-for" href="#ma-2_smt.d"/>
             </part>
             <part id="ma-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02e."/>
                <p>all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;</p>
+               <link rel="assessment-for" href="#ma-2_smt.e"/>
             </part>
             <part id="ma-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-02f."/>
                <p>
                   <insert type="param" id-ref="ma-02_odp.03"/> is included in organizational maintenance records.</p>
+               <link rel="assessment-for" href="#ma-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ma-2_smt"/>
          </part>
          <part id="ma-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16256,20 +17158,26 @@
                <part id="ma-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[01]"/>
                   <p>the use of system maintenance tools is approved;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
                <part id="ma-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[02]"/>
                   <p>the use of system maintenance tools is controlled;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
                <part id="ma-3_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03a.[03]"/>
                   <p>the use of system maintenance tools is monitored;</p>
+                  <link rel="assessment-for" href="#ma-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-3_smt.a"/>
             </part>
             <part id="ma-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03b."/>
                <p>previously approved system maintenance tools are reviewed <insert type="param" id-ref="ma-03_odp"/>.</p>
+               <link rel="assessment-for" href="#ma-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-3_smt"/>
          </part>
          <part id="ma-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16318,6 +17226,7 @@
             <part id="ma-3.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03(01)"/>
                <p>maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.</p>
+               <link rel="assessment-for" href="#ma-3.1_smt"/>
             </part>
             <part id="ma-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16368,6 +17277,7 @@
             <part id="ma-3.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-03(02)"/>
                <p>media containing diagnostic and test programs are checked for malicious code before the media are used in the system.</p>
+               <link rel="assessment-for" href="#ma-3.2_smt"/>
             </part>
             <part id="ma-3.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16443,19 +17353,24 @@
                <part id="ma-3.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(a)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.a"/>
                </part>
                <part id="ma-3.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(b)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.b"/>
                </part>
                <part id="ma-3.3_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(c)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.c"/>
                </part>
                <part id="ma-3.3_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-03(03)(d)"/>
                   <p>the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from <insert type="param" id-ref="ma-03.03_odp"/> explicitly authorizing removal of the equipment from the facility.</p>
+                  <link rel="assessment-for" href="#ma-3.3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ma-3.3_smt"/>
             </part>
             <part id="ma-3.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16552,42 +17467,54 @@
                <part id="ma-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[01]"/>
                   <p>nonlocal maintenance and diagnostic activities are approved;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
                <part id="ma-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04a.[02]"/>
                   <p>nonlocal maintenance and diagnostic activities are monitored;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.a"/>
             </part>
             <part id="ma-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04b."/>
                <part id="ma-4_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[01]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
                <part id="ma-4_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04b.[02]"/>
                   <p>the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.b"/>
             </part>
             <part id="ma-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04c."/>
                <p>strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;</p>
+               <link rel="assessment-for" href="#ma-4_smt.c"/>
             </part>
             <part id="ma-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04d."/>
                <p>records for nonlocal maintenance and diagnostic activities are maintained;</p>
+               <link rel="assessment-for" href="#ma-4_smt.d"/>
             </part>
             <part id="ma-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-04e."/>
                <part id="ma-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[01]"/>
                   <p>session connections are terminated when nonlocal maintenance is completed;</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
                <part id="ma-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-04e.[02]"/>
                   <p>network connections are terminated when nonlocal maintenance is completed.</p>
+                  <link rel="assessment-for" href="#ma-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ma-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ma-4_smt"/>
          </part>
          <part id="ma-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16670,20 +17597,26 @@
                <part id="ma-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[01]"/>
                   <p>a process for maintenance personnel authorization is established;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
                <part id="ma-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MA-05a.[02]"/>
                   <p>a list of authorized maintenance organizations or personnel is maintained;</p>
+                  <link rel="assessment-for" href="#ma-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ma-5_smt.a"/>
             </part>
             <part id="ma-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05b."/>
                <p>non-escorted personnel performing maintenance on the system possess the required access authorizations;</p>
+               <link rel="assessment-for" href="#ma-5_smt.b"/>
             </part>
             <part id="ma-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MA-05c."/>
                <p>organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
+               <link rel="assessment-for" href="#ma-5_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ma-5_smt"/>
          </part>
          <part id="ma-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16759,6 +17692,7 @@
          <part id="ma-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-06"/>
             <p>maintenance support and/or spare parts are obtained for <insert type="param" id-ref="ma-06_odp.01"/> within <insert type="param" id-ref="ma-06_odp.02"/> of failure.</p>
+            <link rel="assessment-for" href="#ma-6_smt"/>
          </part>
          <part id="ma-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16934,18 +17868,22 @@
                <part id="mp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[01]"/>
                   <p>a media protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[02]"/>
                   <p>the media protection policy is disseminated to <insert type="param" id-ref="mp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[03]"/>
                   <p>media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[04]"/>
                   <p>the media protection procedures are disseminated to <insert type="param" id-ref="mp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.01"/>
@@ -16954,41 +17892,53 @@
                      <part id="mp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy compliance;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                   </part>
                   <part id="mp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01a.01(b)"/>
                      <p>the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.a"/>
             </part>
             <part id="mp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01b."/>
                <p>the <insert type="param" id-ref="mp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</p>
+               <link rel="assessment-for" href="#mp-1_smt.b"/>
             </part>
             <part id="mp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01c."/>
@@ -16997,24 +17947,32 @@
                   <part id="mp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[01]"/>
                      <p>the current media protection policy is reviewed and updated <insert type="param" id-ref="mp-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
                   <part id="mp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[02]"/>
                      <p>the current media protection policy is reviewed and updated following <insert type="param" id-ref="mp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                </part>
                <part id="mp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01c.02"/>
                   <part id="mp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[01]"/>
                      <p>the current media protection procedures are reviewed and updated <insert type="param" id-ref="mp-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
                   <part id="mp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[02]"/>
                      <p>the current media protection procedures are reviewed and updated following <insert type="param" id-ref="mp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt"/>
          </part>
          <part id="mp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17118,11 +18076,14 @@
             <part id="mp-2_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[01]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.01"/> is restricted to <insert type="param" id-ref="mp-02_odp.02"/>;</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
             <part id="mp-2_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-02[02]"/>
                <p>access to <insert type="param" id-ref="mp-02_odp.03"/> is restricted to <insert type="param" id-ref="mp-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#mp-2_smt"/>
             </part>
+            <link rel="assessment-for" href="#mp-2_smt"/>
          </part>
          <part id="mp-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17207,12 +18168,15 @@
             <part id="mp-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-03a."/>
                <p>system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;</p>
+               <link rel="assessment-for" href="#mp-3_smt.a"/>
             </part>
             <part id="mp-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-03b."/>
                <p>
                   <insert type="param" id-ref="mp-03_odp.01"/> remain within <insert type="param" id-ref="mp-03_odp.02"/>.</p>
+               <link rel="assessment-for" href="#mp-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-3_smt"/>
          </part>
          <part id="mp-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17361,27 +18325,34 @@
                   <prop name="label" class="sp800-53a" value="MP-04a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.01"/> are physically controlled;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.02"/> are physically controlled;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.03"/> are securely stored within <insert type="param" id-ref="mp-04_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
                <part id="mp-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-04a.[04]"/>
                   <p>
                      <insert type="param" id-ref="mp-04_odp.04"/> are securely stored within <insert type="param" id-ref="mp-04_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#mp-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-4_smt.a"/>
             </part>
             <part id="mp-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-04b."/>
                <p>system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</p>
+               <link rel="assessment-for" href="#mp-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-4_smt"/>
          </part>
          <part id="mp-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17497,32 +18468,41 @@
                   <prop name="label" class="sp800-53a" value="MP-05a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-05_odp.01"/> are protected during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.a"/>
                </part>
                <part id="mp-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-05_odp.01"/> are controlled during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-5_smt.a"/>
             </part>
             <part id="mp-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05b."/>
                <p>accountability for system media is maintained during transport outside of controlled areas;</p>
+               <link rel="assessment-for" href="#mp-5_smt.b"/>
             </part>
             <part id="mp-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05c."/>
                <p>activities associated with the transport of system media are documented;</p>
+               <link rel="assessment-for" href="#mp-5_smt.c"/>
             </part>
             <part id="mp-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-05d."/>
                <part id="mp-5_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05d.[01]"/>
                   <p>personnel authorized to conduct media transport activities is/are identified;</p>
+                  <link rel="assessment-for" href="#mp-5_smt.d"/>
                </part>
                <part id="mp-5_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-05d.[02]"/>
                   <p>activities associated with the transport of system media are restricted to identified authorized personnel.</p>
+                  <link rel="assessment-for" href="#mp-5_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#mp-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#mp-5_smt"/>
          </part>
          <part id="mp-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17674,22 +18654,28 @@
                   <prop name="label" class="sp800-53a" value="MP-06a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.01"/> is sanitized using <insert type="param" id-ref="mp-06_odp.04"/> prior to disposal;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.02"/> is sanitized using <insert type="param" id-ref="mp-06_odp.05"/> prior to release from organizational control;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.03"/> is sanitized using <insert type="param" id-ref="mp-06_odp.06"/> prior to release for reuse;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-6_smt.a"/>
             </part>
             <part id="mp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-06b."/>
                <p>sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.</p>
+               <link rel="assessment-for" href="#mp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-6_smt"/>
          </part>
          <part id="mp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17795,11 +18781,14 @@
             <part id="mp-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07a."/>
                <p>the use of <insert type="param" id-ref="mp-07_odp.01"/> is <insert type="param" id-ref="mp-07_odp.02"/> on <insert type="param" id-ref="mp-07_odp.03"/> using <insert type="param" id-ref="mp-07_odp.04"/>;</p>
+               <link rel="assessment-for" href="#mp-7_smt.a"/>
             </part>
             <part id="mp-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-07b."/>
                <p>the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.</p>
+               <link rel="assessment-for" href="#mp-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-7_smt"/>
          </part>
          <part id="mp-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17977,18 +18966,22 @@
                <part id="pe-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[01]"/>
                   <p>a physical and environmental protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[02]"/>
                   <p>the physical and environmental protection policy is disseminated to <insert type="param" id-ref="pe-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[03]"/>
                   <p>physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.[04]"/>
                   <p>the physical and environmental protection procedures are disseminated to <insert type="param" id-ref="pe-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-1_smt.a"/>
                </part>
                <part id="pe-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01a.01"/>
@@ -17997,41 +18990,53 @@
                      <part id="pe-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
                      <part id="pe-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PE-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
                   </part>
                   <part id="pe-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.a"/>
             </part>
             <part id="pe-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01b."/>
                <p>the <insert type="param" id-ref="pe-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;</p>
+               <link rel="assessment-for" href="#pe-1_smt.b"/>
             </part>
             <part id="pe-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-01c."/>
@@ -18040,24 +19045,32 @@
                   <part id="pe-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[01]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated <insert type="param" id-ref="pe-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
                   <part id="pe-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.01[02]"/>
                      <p>the current physical and environmental protection policy is reviewed and updated following <insert type="param" id-ref="pe-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.1"/>
                </part>
                <part id="pe-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-01c.02"/>
                   <part id="pe-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[01]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated <insert type="param" id-ref="pe-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
                   <part id="pe-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PE-01c.02[02]"/>
                      <p>the current physical and environmental protection procedures are reviewed and updated following <insert type="param" id-ref="pe-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pe-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt"/>
          </part>
          <part id="pe-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18141,28 +19154,36 @@
                <part id="pe-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[01]"/>
                   <p>a list of individuals with authorized access to the facility where the system resides has been developed;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[02]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been approved;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
                <part id="pe-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-02a.[03]"/>
                   <p>the list of individuals with authorized access to the facility where the system resides has been maintained;</p>
+                  <link rel="assessment-for" href="#pe-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-2_smt.a"/>
             </part>
             <part id="pe-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02b."/>
                <p>authorization credentials are issued for facility access;</p>
+               <link rel="assessment-for" href="#pe-2_smt.b"/>
             </part>
             <part id="pe-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02c."/>
                <p>the access list detailing authorized facility access by individuals is reviewed <insert type="param" id-ref="pe-02_odp"/>;</p>
+               <link rel="assessment-for" href="#pe-2_smt.c"/>
             </part>
             <part id="pe-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-02d."/>
                <p>individuals are removed from the facility access list when access is no longer required.</p>
+               <link rel="assessment-for" href="#pe-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pe-2_smt"/>
          </part>
          <part id="pe-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18378,62 +19399,79 @@
                <part id="pe-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.01"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by verifying individual access authorizations before granting access to the facility;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.1"/>
                </part>
                <part id="pe-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03a.02"/>
                   <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by controlling ingress and egress to the facility using <insert type="param" id-ref="pe-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.a"/>
             </part>
             <part id="pe-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03b."/>
                <p>physical access audit logs are maintained for <insert type="param" id-ref="pe-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.b"/>
             </part>
             <part id="pe-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03c."/>
                <p>access to areas within the facility designated as publicly accessible are maintained by implementing <insert type="param" id-ref="pe-03_odp.05"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.c"/>
             </part>
             <part id="pe-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03d."/>
                <part id="pe-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[01]"/>
                   <p>visitors are escorted;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
                <part id="pe-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03d.[02]"/>
                   <p>visitor activity is controlled <insert type="param" id-ref="pe-03_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.d"/>
             </part>
             <part id="pe-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03e."/>
                <part id="pe-3_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[01]"/>
                   <p>keys are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[02]"/>
                   <p>combinations are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
                <part id="pe-3_obj.e-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03e.[03]"/>
                   <p>other physical access devices are secured;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.e"/>
             </part>
             <part id="pe-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03f."/>
                <p>
                   <insert type="param" id-ref="pe-03_odp.07"/> are inventoried <insert type="param" id-ref="pe-03_odp.08"/>;</p>
+               <link rel="assessment-for" href="#pe-3_smt.f"/>
             </part>
             <part id="pe-3_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-03g."/>
                <part id="pe-3_obj.g-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[01]"/>
                   <p>combinations are changed <insert type="param" id-ref="pe-03_odp.09"/> , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
                <part id="pe-3_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-03g.[02]"/>
                   <p>keys are changed <insert type="param" id-ref="pe-03_odp.10"/> , when keys are lost, or when individuals possessing the keys are transferred or terminated.</p>
+                  <link rel="assessment-for" href="#pe-3_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#pe-3_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#pe-3_smt"/>
          </part>
          <part id="pe-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18513,6 +19551,7 @@
          <part id="pe-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-04"/>
             <p>physical access to <insert type="param" id-ref="pe-04_odp.01"/> within organizational facilities is controlled using <insert type="param" id-ref="pe-04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#pe-4_smt"/>
          </part>
          <part id="pe-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18574,6 +19613,7 @@
          <part id="pe-5_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-05"/>
             <p>physical access to output from <insert type="param" id-ref="pe-05_odp"/> is controlled to prevent unauthorized individuals from obtaining the output.</p>
+            <link rel="assessment-for" href="#pe-5_smt"/>
          </part>
          <part id="pe-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18666,29 +19706,37 @@
             <part id="pe-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06a."/>
                <p>physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;</p>
+               <link rel="assessment-for" href="#pe-6_smt.a"/>
             </part>
             <part id="pe-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06b."/>
                <part id="pe-6_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[01]"/>
                   <p>physical access logs are reviewed <insert type="param" id-ref="pe-06_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
                <part id="pe-6_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06b.[02]"/>
                   <p>physical access logs are reviewed upon occurrence of <insert type="param" id-ref="pe-06_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.b"/>
             </part>
             <part id="pe-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-06c."/>
                <part id="pe-6_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[01]"/>
                   <p>results of reviews are coordinated with organizational incident response capabilities;</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
                <part id="pe-6_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06c.[02]"/>
                   <p>results of investigations are coordinated with organizational incident response capabilities.</p>
+                  <link rel="assessment-for" href="#pe-6_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pe-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-6_smt"/>
          </part>
          <part id="pe-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18744,11 +19792,14 @@
                <part id="pe-6.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06(01)[01]"/>
                   <p>physical access to the facility where the system resides is monitored using physical intrusion alarms;</p>
+                  <link rel="assessment-for" href="#pe-6.1_smt"/>
                </part>
                <part id="pe-6.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-06(01)[02]"/>
                   <p>physical access to the facility where the system resides is monitored using physical surveillance equipment.</p>
+                  <link rel="assessment-for" href="#pe-6.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-6.1_smt"/>
             </part>
             <part id="pe-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18846,15 +19897,19 @@
             <part id="pe-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08a."/>
                <p>visitor access records for the facility where the system resides are maintained for <insert type="param" id-ref="pe-08_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.a"/>
             </part>
             <part id="pe-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08b."/>
                <p>visitor access records are reviewed <insert type="param" id-ref="pe-08_odp.02"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.b"/>
             </part>
             <part id="pe-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08c."/>
                <p>visitor access records anomalies are reported to <insert type="param" id-ref="pe-08_odp.03"/>.</p>
+               <link rel="assessment-for" href="#pe-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-8_smt"/>
          </part>
          <part id="pe-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18908,11 +19963,14 @@
             <part id="pe-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-09[01]"/>
                <p>power equipment for the system is protected from damage and destruction;</p>
+               <link rel="assessment-for" href="#pe-9_smt"/>
             </part>
             <part id="pe-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-09[02]"/>
                <p>power cabling for the system is protected from damage and destruction.</p>
+               <link rel="assessment-for" href="#pe-9_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-9_smt"/>
          </part>
          <part id="pe-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18991,15 +20049,19 @@
             <part id="pe-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10a."/>
                <p>the capability to shut off power to <insert type="param" id-ref="pe-10_odp.01"/> in emergency situations is provided;</p>
+               <link rel="assessment-for" href="#pe-10_smt.a"/>
             </part>
             <part id="pe-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10b."/>
                <p>emergency shutoff switches or devices are placed in <insert type="param" id-ref="pe-10_odp.02"/> to facilitate access for authorized personnel;</p>
+               <link rel="assessment-for" href="#pe-10_smt.b"/>
             </part>
             <part id="pe-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-10c."/>
                <p>the emergency power shutoff capability is protected from unauthorized activation.</p>
+               <link rel="assessment-for" href="#pe-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-10_smt"/>
          </part>
          <part id="pe-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19058,6 +20120,7 @@
          <part id="pe-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11"/>
             <p>an uninterruptible power supply is provided to facilitate <insert type="param" id-ref="pe-11_odp"/> in the event of a primary power source loss.</p>
+            <link rel="assessment-for" href="#pe-11_smt"/>
          </part>
          <part id="pe-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19110,19 +20173,24 @@
             <part id="pe-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[01]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[02]"/>
                <p>automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[03]"/>
                <p>automatic emergency lighting for the system covers emergency exits within the facility;</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
             <part id="pe-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-12[04]"/>
                <p>automatic emergency lighting for the system covers evacuation routes within the facility.</p>
+               <link rel="assessment-for" href="#pe-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-12_smt"/>
          </part>
          <part id="pe-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19173,27 +20241,34 @@
             <part id="pe-13_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[01]"/>
                <p>fire detection systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[02]"/>
                <p>employed fire detection systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[03]"/>
                <p>employed fire detection systems are maintained;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[04]"/>
                <p>fire suppression systems are employed;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[05]"/>
                <p>employed fire suppression systems are supported by an independent energy source;</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
             <part id="pe-13_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-13[06]"/>
                <p>employed fire suppression systems are maintained.</p>
+               <link rel="assessment-for" href="#pe-13_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-13_smt"/>
          </part>
          <part id="pe-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19259,15 +20334,19 @@
                <part id="pe-13.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[01]"/>
                   <p>fire detection systems that activate automatically are employed in the event of a fire;</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
                <part id="pe-13.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[02]"/>
                   <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.01"/> automatically are employed in the event of a fire;</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
                <part id="pe-13.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-13(01)[03]"/>
                   <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.02"/> automatically are employed in the event of a fire.</p>
+                  <link rel="assessment-for" href="#pe-13.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pe-13.1_smt"/>
             </part>
             <part id="pe-13.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19370,11 +20449,14 @@
                <prop name="label" class="sp800-53a" value="PE-14a."/>
                <p>
                   <insert type="param" id-ref="pe-14_odp.01"/> levels are maintained at <insert type="param" id-ref="pe-14_odp.03"/> within the facility where the system resides;</p>
+               <link rel="assessment-for" href="#pe-14_smt.a"/>
             </part>
             <part id="pe-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-14b."/>
                <p>environmental control levels are monitored <insert type="param" id-ref="pe-14_odp.04"/>.</p>
+               <link rel="assessment-for" href="#pe-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-14_smt"/>
          </part>
          <part id="pe-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19427,19 +20509,24 @@
             <part id="pe-15_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[01]"/>
                <p>the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[02]"/>
                <p>the master shutoff or isolation valves are accessible;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[03]"/>
                <p>the master shutoff or isolation valves are working properly;</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
             <part id="pe-15_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-15[04]"/>
                <p>the master shutoff or isolation valves are known to key personnel.</p>
+               <link rel="assessment-for" href="#pe-15_smt"/>
             </part>
+            <link rel="assessment-for" href="#pe-15_smt"/>
          </part>
          <part id="pe-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19534,27 +20621,34 @@
                   <prop name="label" class="sp800-53a" value="PE-16a.[01]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are authorized when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[02]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.01"/> are controlled when entering the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[03]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are authorized when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
                <part id="pe-16_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PE-16a.[04]"/>
                   <p>
                      <insert type="param" id-ref="pe-16_odp.02"/> are controlled when exiting the facility;</p>
+                  <link rel="assessment-for" href="#pe-16_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pe-16_smt.a"/>
             </part>
             <part id="pe-16_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-16b."/>
                <p>records of the system components are maintained.</p>
+               <link rel="assessment-for" href="#pe-16_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-16_smt"/>
          </part>
          <part id="pe-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19640,20 +20734,25 @@
                <prop name="label" class="sp800-53a" value="PE-17a."/>
                <p>
                   <insert type="param" id-ref="pe-17_odp.01"/> are determined and documented;</p>
+               <link rel="assessment-for" href="#pe-17_smt.a"/>
             </part>
             <part id="pe-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17b."/>
                <p>
                   <insert type="param" id-ref="pe-17_odp.02"/> are employed at alternate work sites;</p>
+               <link rel="assessment-for" href="#pe-17_smt.b"/>
             </part>
             <part id="pe-17_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17c."/>
                <p>the effectiveness of controls at alternate work sites is assessed;</p>
+               <link rel="assessment-for" href="#pe-17_smt.c"/>
             </part>
             <part id="pe-17_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-17d."/>
                <p>a means for employees to communicate with information security and privacy personnel in case of incidents is provided.</p>
+               <link rel="assessment-for" href="#pe-17_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pe-17_smt"/>
          </part>
          <part id="pe-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19833,18 +20932,22 @@
                <part id="pl-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[01]"/>
                   <p>a planning policy is developed and documented.</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[02]"/>
                   <p>the planning policy is disseminated to <insert type="param" id-ref="pl-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[03]"/>
                   <p>planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[04]"/>
                   <p>the planning procedures are disseminated to <insert type="param" id-ref="pl-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.01"/>
@@ -19853,41 +20956,53 @@
                      <part id="pl-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                   </part>
                   <part id="pl-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.a"/>
             </part>
             <part id="pl-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01b."/>
                <p>the <insert type="param" id-ref="pl-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the planning policy and procedures;</p>
+               <link rel="assessment-for" href="#pl-1_smt.b"/>
             </part>
             <part id="pl-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01c."/>
@@ -19896,24 +21011,32 @@
                   <part id="pl-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[01]"/>
                      <p>the current planning policy is reviewed and updated <insert type="param" id-ref="pl-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
                   <part id="pl-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[02]"/>
                      <p>the current planning policy is reviewed and updated following <insert type="param" id-ref="pl-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                </part>
                <part id="pl-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01c.02"/>
                   <part id="pl-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[01]"/>
                      <p>the current planning procedures are reviewed and updated <insert type="param" id-ref="pl-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
                   <part id="pl-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[02]"/>
                      <p>the current planning procedures are reviewed and updated following <insert type="param" id-ref="pl-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt"/>
          </part>
          <part id="pl-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20108,208 +21231,266 @@
                   <part id="pl-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[01]"/>
                      <p>a security plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
                   <part id="pl-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[02]"/>
                      <p>a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                </part>
                <part id="pl-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.02"/>
                   <part id="pl-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[01]"/>
                      <p>a security plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
                   <part id="pl-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[02]"/>
                      <p>a privacy plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                </part>
                <part id="pl-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.03"/>
                   <part id="pl-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[01]"/>
                      <p>a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
                   <part id="pl-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                </part>
                <part id="pl-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.04"/>
                   <part id="pl-2_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[01]"/>
                      <p>a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
                   <part id="pl-2_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[02]"/>
                      <p>a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                </part>
                <part id="pl-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.05"/>
                   <part id="pl-2_obj.a.5-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[01]"/>
                      <p>a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
                   <part id="pl-2_obj.a.5-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[02]"/>
                      <p>a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                </part>
                <part id="pl-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.06"/>
                   <part id="pl-2_obj.a.6-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[01]"/>
                      <p>a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
                   <part id="pl-2_obj.a.6-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[02]"/>
                      <p>a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                </part>
                <part id="pl-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.07"/>
                   <part id="pl-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[01]"/>
                      <p>a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
                   <part id="pl-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[02]"/>
                      <p>a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                </part>
                <part id="pl-2_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.08"/>
                   <part id="pl-2_obj.a.8-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[01]"/>
                      <p>a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
                   <part id="pl-2_obj.a.8-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[02]"/>
                      <p>a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                </part>
                <part id="pl-2_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.09"/>
                   <part id="pl-2_obj.a.9-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[01]"/>
                      <p>a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
                   <part id="pl-2_obj.a.9-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                </part>
                <part id="pl-2_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.10"/>
                   <part id="pl-2_obj.a.10-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[01]"/>
                      <p>a security plan for the system is developed that provides an overview of the security requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
                   <part id="pl-2_obj.a.10-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[02]"/>
                      <p>a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                </part>
                <part id="pl-2_obj.a.11" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.11"/>
                   <part id="pl-2_obj.a.11-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[01]"/>
                      <p>a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
                   <part id="pl-2_obj.a.11-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[02]"/>
                      <p>a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                </part>
                <part id="pl-2_obj.a.12" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.12"/>
                   <part id="pl-2_obj.a.12-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[01]"/>
                      <p>a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
                   <part id="pl-2_obj.a.12-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[02]"/>
                      <p>a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                </part>
                <part id="pl-2_obj.a.13" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.13"/>
                   <part id="pl-2_obj.a.13-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[01]"/>
                      <p>a security plan for the system is developed that includes risk determinations for security architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
                   <part id="pl-2_obj.a.13-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[02]"/>
                      <p>a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                </part>
                <part id="pl-2_obj.a.14" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.14"/>
                   <part id="pl-2_obj.a.14-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[01]"/>
                      <p>a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
                   <part id="pl-2_obj.a.14-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[02]"/>
                      <p>a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                </part>
                <part id="pl-2_obj.a.15" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.15"/>
                   <part id="pl-2_obj.a.15-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[01]"/>
                      <p>a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
                   <part id="pl-2_obj.a.15-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[02]"/>
                      <p>a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.a"/>
             </part>
             <part id="pl-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02b."/>
                <part id="pl-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[01]"/>
                   <p>copies of the plans are distributed to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
                <part id="pl-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[02]"/>
                   <p>subsequent changes to the plans are communicated to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.b"/>
             </part>
             <part id="pl-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02c."/>
                <p>plans are reviewed <insert type="param" id-ref="pl-02_odp.03"/>;</p>
+               <link rel="assessment-for" href="#pl-2_smt.c"/>
             </part>
             <part id="pl-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02d."/>
                <part id="pl-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[01]"/>
                   <p>plans are updated to address changes to the system and environment of operations;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[02]"/>
                   <p>plans are updated to address problems identified during the plan implementation;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[03]"/>
                   <p>plans are updated to address problems identified during control assessments;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.d"/>
             </part>
             <part id="pl-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02e."/>
                <part id="pl-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[01]"/>
                   <p>plans are protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
                <part id="pl-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[02]"/>
                   <p>plans are protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt"/>
          </part>
          <part id="pl-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20433,24 +21614,31 @@
                <part id="pl-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[01]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
                <part id="pl-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[02]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pl-4_smt.a"/>
             </part>
             <part id="pl-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04b."/>
                <p>before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;</p>
+               <link rel="assessment-for" href="#pl-4_smt.b"/>
             </part>
             <part id="pl-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04c."/>
                <p>rules of behavior are reviewed and updated <insert type="param" id-ref="pl-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pl-4_smt.c"/>
             </part>
             <part id="pl-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04d."/>
                <p>individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge <insert type="param" id-ref="pl-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#pl-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pl-4_smt"/>
          </part>
          <part id="pl-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20519,15 +21707,19 @@
                <part id="pl-4.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(a)"/>
                   <p>the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.a"/>
                </part>
                <part id="pl-4.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(b)"/>
                   <p>the rules of behavior include restrictions on posting organizational information on public websites;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.b"/>
                </part>
                <part id="pl-4.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(c)"/>
                   <p>the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-4.1_smt"/>
             </part>
             <part id="pl-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20640,65 +21832,83 @@
                <part id="pl-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.01"/>
                   <p>a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.1"/>
                </part>
                <part id="pl-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.02"/>
                   <p>a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.2"/>
                </part>
                <part id="pl-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.03"/>
                   <part id="pl-8_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[01]"/>
                      <p>a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
                   <part id="pl-8_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[02]"/>
                      <p>a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                </part>
                <part id="pl-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.04"/>
                   <part id="pl-8_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[01]"/>
                      <p>a security architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
                   <part id="pl-8_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[02]"/>
                      <p>a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.a"/>
             </part>
             <part id="pl-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08b."/>
                <p>changes in the enterprise architecture are reviewed and updated <insert type="param" id-ref="pl-08_odp"/> to reflect changes in the enterprise architecture;</p>
+               <link rel="assessment-for" href="#pl-8_smt.b"/>
             </part>
             <part id="pl-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08c."/>
                <part id="pl-8_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[01]"/>
                   <p>planned architecture changes are reflected in the security plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[02]"/>
                   <p>planned architecture changes are reflected in the privacy plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[03]"/>
                   <p>planned architecture changes are reflected in the Concept of Operations (CONOPS);</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[04]"/>
                   <p>planned architecture changes are reflected in criticality analysis;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[05]"/>
                   <p>planned architecture changes are reflected in organizational procedures;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[06]"/>
                   <p>planned architecture changes are reflected in procurements and acquisitions.</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-8_smt"/>
          </part>
          <part id="pl-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20766,6 +21976,7 @@
          <part id="pl-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-10"/>
             <p>a control baseline for the system is selected.</p>
+            <link rel="assessment-for" href="#pl-10_smt"/>
          </part>
          <part id="pl-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20834,6 +22045,7 @@
          <part id="pl-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-11"/>
             <p>the selected control baseline is tailored by applying specified tailoring actions.</p>
+            <link rel="assessment-for" href="#pl-11_smt"/>
          </part>
          <part id="pl-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21011,18 +22223,22 @@
                <part id="ps-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[01]"/>
                   <p>a personnel security policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[02]"/>
                   <p>the personnel security policy is disseminated to <insert type="param" id-ref="ps-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[03]"/>
                   <p>personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.[04]"/>
                   <p>the personnel security procedures are disseminated to <insert type="param" id-ref="ps-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ps-1_smt.a"/>
                </part>
                <part id="ps-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01a.01"/>
@@ -21031,41 +22247,53 @@
                      <part id="ps-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
                      <part id="ps-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PS-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
                   </part>
                   <part id="ps-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.a"/>
             </part>
             <part id="ps-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01b."/>
                <p>the <insert type="param" id-ref="ps-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;</p>
+               <link rel="assessment-for" href="#ps-1_smt.b"/>
             </part>
             <part id="ps-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-01c."/>
@@ -21074,24 +22302,32 @@
                   <part id="ps-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[01]"/>
                      <p>the current personnel security policy is reviewed and updated <insert type="param" id-ref="ps-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
                   <part id="ps-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.01[02]"/>
                      <p>the current personnel security policy is reviewed and updated following <insert type="param" id-ref="ps-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.1"/>
                </part>
                <part id="ps-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-01c.02"/>
                   <part id="ps-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[01]"/>
                      <p>the current personnel security procedures are reviewed and updated <insert type="param" id-ref="ps-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
                   <part id="ps-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PS-01c.02[02]"/>
                      <p>the current personnel security procedures are reviewed and updated following <insert type="param" id-ref="ps-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ps-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt"/>
          </part>
          <part id="ps-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21165,15 +22401,19 @@
             <part id="ps-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02a."/>
                <p>a risk designation is assigned to all organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.a"/>
             </part>
             <part id="ps-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02b."/>
                <p>screening criteria are established for individuals filling organizational positions;</p>
+               <link rel="assessment-for" href="#ps-2_smt.b"/>
             </part>
             <part id="ps-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-02c."/>
                <p>position risk designations are reviewed and updated <insert type="param" id-ref="ps-02_odp"/>.</p>
+               <link rel="assessment-for" href="#ps-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-2_smt"/>
          </part>
          <part id="ps-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21272,18 +22512,23 @@
             <part id="ps-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03a."/>
                <p>individuals are screened prior to authorizing access to the system;</p>
+               <link rel="assessment-for" href="#ps-3_smt.a"/>
             </part>
             <part id="ps-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-03b."/>
                <part id="ps-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[01]"/>
                   <p>individuals are rescreened in accordance with <insert type="param" id-ref="ps-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
                <part id="ps-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-03b.[02]"/>
                   <p>where rescreening is so indicated, individuals are rescreened <insert type="param" id-ref="ps-03_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ps-3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-3_smt"/>
          </part>
          <part id="ps-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21373,23 +22618,29 @@
             <part id="ps-4_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04a."/>
                <p>upon termination of individual employment, system access is disabled within <insert type="param" id-ref="ps-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-4_smt.a"/>
             </part>
             <part id="ps-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04b."/>
                <p>upon termination of individual employment, any authenticators and credentials are terminated or revoked;</p>
+               <link rel="assessment-for" href="#ps-4_smt.b"/>
             </part>
             <part id="ps-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04c."/>
                <p>upon termination of individual employment, exit interviews that include a discussion of <insert type="param" id-ref="ps-04_odp.02"/> are conducted;</p>
+               <link rel="assessment-for" href="#ps-4_smt.c"/>
             </part>
             <part id="ps-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04d."/>
                <p>upon termination of individual employment, all security-related organizational system-related property is retrieved;</p>
+               <link rel="assessment-for" href="#ps-4_smt.d"/>
             </part>
             <part id="ps-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-04e."/>
                <p>upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.</p>
+               <link rel="assessment-for" href="#ps-4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-4_smt"/>
          </part>
          <part id="ps-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21497,21 +22748,26 @@
             <part id="ps-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05a."/>
                <p>the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;</p>
+               <link rel="assessment-for" href="#ps-5_smt.a"/>
             </part>
             <part id="ps-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05b."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.01"/> are initiated within <insert type="param" id-ref="ps-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-5_smt.b"/>
             </part>
             <part id="ps-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05c."/>
                <p>access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;</p>
+               <link rel="assessment-for" href="#ps-5_smt.c"/>
             </part>
             <part id="ps-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-05d."/>
                <p>
                   <insert type="param" id-ref="ps-05_odp.03"/> are notified within <insert type="param" id-ref="ps-05_odp.04"/>.</p>
+               <link rel="assessment-for" href="#ps-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ps-5_smt"/>
          </part>
          <part id="ps-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21612,22 +22868,28 @@
             <part id="ps-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06a."/>
                <p>access agreements are developed and documented for organizational systems;</p>
+               <link rel="assessment-for" href="#ps-6_smt.a"/>
             </part>
             <part id="ps-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06b."/>
                <p>the access agreements are reviewed and updated <insert type="param" id-ref="ps-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-6_smt.b"/>
             </part>
             <part id="ps-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06c."/>
                <part id="ps-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.01"/>
                   <p>individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.1"/>
                </part>
                <part id="ps-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.02"/>
                   <p>individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert type="param" id-ref="ps-06_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-6_smt"/>
          </part>
          <part id="ps-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21734,23 +22996,29 @@
             <part id="ps-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07a."/>
                <p>personnel security requirements are established, including security roles and responsibilities for external providers;</p>
+               <link rel="assessment-for" href="#ps-7_smt.a"/>
             </part>
             <part id="ps-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07b."/>
                <p>external providers are required to comply with personnel security policies and procedures established by the organization;</p>
+               <link rel="assessment-for" href="#ps-7_smt.b"/>
             </part>
             <part id="ps-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07c."/>
                <p>personnel security requirements are documented;</p>
+               <link rel="assessment-for" href="#ps-7_smt.c"/>
             </part>
             <part id="ps-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07d."/>
                <p>external providers are required to notify <insert type="param" id-ref="ps-07_odp.01"/> of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within <insert type="param" id-ref="ps-07_odp.02"/>;</p>
+               <link rel="assessment-for" href="#ps-7_smt.d"/>
             </part>
             <part id="ps-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-07e."/>
                <p>provider compliance with personnel security requirements is monitored.</p>
+               <link rel="assessment-for" href="#ps-7_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ps-7_smt"/>
          </part>
          <part id="ps-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21832,12 +23100,15 @@
             <part id="ps-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08a."/>
                <p>a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;</p>
+               <link rel="assessment-for" href="#ps-8_smt.a"/>
             </part>
             <part id="ps-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-08b."/>
                <p>
                   <insert type="param" id-ref="ps-08_odp.01"/> is/are notified within <insert type="param" id-ref="ps-08_odp.02"/> when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
+               <link rel="assessment-for" href="#ps-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-8_smt"/>
          </part>
          <part id="ps-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21893,11 +23164,14 @@
             <part id="ps-9_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[01]"/>
                <p>security roles and responsibilities are incorporated into organizational position descriptions;</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
             <part id="ps-9_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-09[02]"/>
                <p>privacy roles and responsibilities are incorporated into organizational position descriptions.</p>
+               <link rel="assessment-for" href="#ps-9_smt"/>
             </part>
+            <link rel="assessment-for" href="#ps-9_smt"/>
          </part>
          <part id="ps-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22073,18 +23347,22 @@
                <part id="ra-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[01]"/>
                   <p>a risk assessment policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[02]"/>
                   <p>the risk assessment policy is disseminated to <insert type="param" id-ref="ra-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[03]"/>
                   <p>risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[04]"/>
                   <p>the risk assessment procedures are disseminated to <insert type="param" id-ref="ra-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.01"/>
@@ -22093,41 +23371,53 @@
                      <part id="ra-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                   </part>
                   <part id="ra-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.a"/>
             </part>
             <part id="ra-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01b."/>
                <p>the <insert type="param" id-ref="ra-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;</p>
+               <link rel="assessment-for" href="#ra-1_smt.b"/>
             </part>
             <part id="ra-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01c."/>
@@ -22136,24 +23426,32 @@
                   <part id="ra-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[01]"/>
                      <p>the current risk assessment policy is reviewed and updated <insert type="param" id-ref="ra-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
                   <part id="ra-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[02]"/>
                      <p>the current risk assessment policy is reviewed and updated following <insert type="param" id-ref="ra-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                </part>
                <part id="ra-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01c.02"/>
                   <part id="ra-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[01]"/>
                      <p>the current risk assessment procedures are reviewed and updated <insert type="param" id-ref="ra-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
                   <part id="ra-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[02]"/>
                      <p>the current risk assessment procedures are reviewed and updated following <insert type="param" id-ref="ra-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt"/>
          </part>
          <part id="ra-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22230,15 +23528,19 @@
             <part id="ra-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02a."/>
                <p>the system and the information it processes, stores, and transmits are categorized;</p>
+               <link rel="assessment-for" href="#ra-2_smt.a"/>
             </part>
             <part id="ra-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02b."/>
                <p>the security categorization results, including supporting rationale, are documented in the security plan for the system;</p>
+               <link rel="assessment-for" href="#ra-2_smt.b"/>
             </part>
             <part id="ra-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-02c."/>
                <p>the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
+               <link rel="assessment-for" href="#ra-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-2_smt"/>
          </part>
          <part id="ra-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22406,36 +23708,46 @@
                <part id="ra-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.01"/>
                   <p>a risk assessment is conducted to identify threats to and vulnerabilities in the system;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.1"/>
                </part>
                <part id="ra-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.02"/>
                   <p>a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.2"/>
                </part>
                <part id="ra-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.03"/>
                   <p>a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-3_smt.a"/>
             </part>
             <part id="ra-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03b."/>
                <p>risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;</p>
+               <link rel="assessment-for" href="#ra-3_smt.b"/>
             </part>
             <part id="ra-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03c."/>
                <p>risk assessment results are documented in <insert type="param" id-ref="ra-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.c"/>
             </part>
             <part id="ra-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03d."/>
                <p>risk assessment results are reviewed <insert type="param" id-ref="ra-03_odp.03"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.d"/>
             </part>
             <part id="ra-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03e."/>
                <p>risk assessment results are disseminated to <insert type="param" id-ref="ra-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.e"/>
             </part>
             <part id="ra-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03f."/>
                <p>the risk assessment is updated <insert type="param" id-ref="ra-03_odp.05"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
+               <link rel="assessment-for" href="#ra-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-3_smt"/>
          </part>
          <part id="ra-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22521,11 +23833,14 @@
                <part id="ra-3.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(a)"/>
                   <p>supply chain risks associated with <insert type="param" id-ref="ra-03.01_odp.01"/> are assessed;</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.a"/>
                </part>
                <part id="ra-3.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03(01)(b)"/>
                   <p>the supply chain risk assessment is updated <insert type="param" id-ref="ra-03.01_odp.02"/> , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</p>
+                  <link rel="assessment-for" href="#ra-3.1_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ra-3.1_smt"/>
             </part>
             <part id="ra-3.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22692,11 +24007,14 @@
                <part id="ra-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[01]"/>
                   <p>systems and hosted applications are monitored for vulnerabilities <insert type="param" id-ref="ra-05_odp.01"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
                <part id="ra-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05a.[02]"/>
                   <p>systems and hosted applications are scanned for vulnerabilities <insert type="param" id-ref="ra-05_odp.02"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.a"/>
             </part>
             <part id="ra-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05b."/>
@@ -22704,32 +24022,41 @@
                <part id="ra-5_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.01"/>
                   <p>vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.1"/>
                </part>
                <part id="ra-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.02"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.2"/>
                </part>
                <part id="ra-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-05b.03"/>
                   <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;</p>
+                  <link rel="assessment-for" href="#ra-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-5_smt.b"/>
             </part>
             <part id="ra-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05c."/>
                <p>vulnerability scan reports and results from vulnerability monitoring are analyzed;</p>
+               <link rel="assessment-for" href="#ra-5_smt.c"/>
             </part>
             <part id="ra-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05d."/>
                <p>legitimate vulnerabilities are remediated <insert type="param" id-ref="ra-05_odp.03"/> in accordance with an organizational assessment of risk;</p>
+               <link rel="assessment-for" href="#ra-5_smt.d"/>
             </part>
             <part id="ra-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05e."/>
                <p>information obtained from the vulnerability monitoring process and control assessments is shared with <insert type="param" id-ref="ra-05_odp.04"/> to help eliminate similar vulnerabilities in other systems;</p>
+               <link rel="assessment-for" href="#ra-5_smt.e"/>
             </part>
             <part id="ra-5_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05f."/>
                <p>vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.</p>
+               <link rel="assessment-for" href="#ra-5_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-5_smt"/>
          </part>
          <part id="ra-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22806,6 +24133,7 @@
             <part id="ra-5.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(02)"/>
                <p>the system vulnerabilities to be scanned are updated <insert type="param" id-ref="ra-05.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#ra-5.2_smt"/>
             </part>
             <part id="ra-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22876,6 +24204,7 @@
             <part id="ra-5.5_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(05)"/>
                <p>privileged access authorization is implemented to <insert type="param" id-ref="ra-05.05_odp.01"/> for <insert type="param" id-ref="ra-05.05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ra-5.5_smt"/>
             </part>
             <part id="ra-5.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22937,6 +24266,7 @@
             <part id="ra-5.11_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-05(11)"/>
                <p>a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.</p>
+               <link rel="assessment-for" href="#ra-5.11_smt"/>
             </part>
             <part id="ra-5.11_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23009,19 +24339,24 @@
             <part id="ra-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[01]"/>
                <p>findings from security assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[02]"/>
                <p>findings from privacy assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[03]"/>
                <p>findings from monitoring are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[04]"/>
                <p>findings from audits are responded to in accordance with organizational risk tolerance.</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ra-7_smt"/>
          </part>
          <part id="ra-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23100,6 +24435,7 @@
          <part id="ra-9_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-09"/>
             <p>critical system components and functions are identified by performing a criticality analysis for <insert type="param" id-ref="ra-09_odp.01"/> at <insert type="param" id-ref="ra-09_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ra-9_smt"/>
          </part>
          <part id="ra-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23278,18 +24614,22 @@
                <part id="sa-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[01]"/>
                   <p>a system and services acquisition policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[02]"/>
                   <p>the system and services acquisition policy is disseminated to <insert type="param" id-ref="sa-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[03]"/>
                   <p>system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[04]"/>
                   <p>the system and services acquisition procedures are disseminated to <insert type="param" id-ref="sa-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.01"/>
@@ -23298,41 +24638,53 @@
                      <part id="sa-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                   </part>
                   <part id="sa-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.a"/>
             </part>
             <part id="sa-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01b."/>
                <p>the <insert type="param" id-ref="sa-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;</p>
+               <link rel="assessment-for" href="#sa-1_smt.b"/>
             </part>
             <part id="sa-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01c."/>
@@ -23341,24 +24693,32 @@
                   <part id="sa-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[01]"/>
                      <p>the system and services acquisition policy is reviewed and updated <insert type="param" id-ref="sa-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
                   <part id="sa-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[02]"/>
                      <p>the current system and services acquisition policy is reviewed and updated following <insert type="param" id-ref="sa-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                </part>
                <part id="sa-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01c.02"/>
                   <part id="sa-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[01]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated <insert type="param" id-ref="sa-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
                   <part id="sa-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[02]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated following <insert type="param" id-ref="sa-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt"/>
          </part>
          <part id="sa-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23428,34 +24788,44 @@
                <part id="sa-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[01]"/>
                   <p>the high-level information security requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
                <part id="sa-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[02]"/>
                   <p>the high-level privacy requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.a"/>
             </part>
             <part id="sa-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02b."/>
                <part id="sa-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[01]"/>
                   <p>the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
                <part id="sa-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[02]"/>
                   <p>the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.b"/>
             </part>
             <part id="sa-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02c."/>
                <part id="sa-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[01]"/>
                   <p>a discrete line item for information security is established in organizational programming and budgeting documentation;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
                <part id="sa-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[02]"/>
                   <p>a discrete line item for privacy is established in organizational programming and budgeting documentation.</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-2_smt"/>
          </part>
          <part id="sa-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23563,45 +24933,58 @@
                <part id="sa-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[01]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates information security considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
                <part id="sa-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[02]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates privacy considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.a"/>
             </part>
             <part id="sa-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03b."/>
                <part id="sa-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[01]"/>
                   <p>information security roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
                <part id="sa-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[02]"/>
                   <p>privacy roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.b"/>
             </part>
             <part id="sa-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03c."/>
                <part id="sa-3_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[01]"/>
                   <p>individuals with information security roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
                <part id="sa-3_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[02]"/>
                   <p>individuals with privacy roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.c"/>
             </part>
             <part id="sa-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03d."/>
                <part id="sa-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[01]"/>
                   <p>organizational information security risk management processes are integrated into system development life cycle activities;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
                <part id="sa-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[02]"/>
                   <p>organizational privacy risk management processes are integrated into system development life cycle activities.</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-3_smt"/>
          </part>
          <part id="sa-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23757,83 +25140,106 @@
                <part id="sa-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[01]"/>
                   <p>security functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
                <part id="sa-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[02]"/>
                   <p>privacy functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.a"/>
             </part>
             <part id="sa-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04b."/>
                <p>strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.b"/>
             </part>
             <part id="sa-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04c."/>
                <part id="sa-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[01]"/>
                   <p>security assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
                <part id="sa-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[02]"/>
                   <p>privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.c"/>
             </part>
             <part id="sa-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04d."/>
                <part id="sa-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[01]"/>
                   <p>controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
                <part id="sa-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[02]"/>
                   <p>controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.d"/>
             </part>
             <part id="sa-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04e."/>
                <part id="sa-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[01]"/>
                   <p>security documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
                <part id="sa-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[02]"/>
                   <p>privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.e"/>
             </part>
             <part id="sa-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04f."/>
                <part id="sa-4_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[01]"/>
                   <p>requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
                <part id="sa-4_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[02]"/>
                   <p>requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.f"/>
             </part>
             <part id="sa-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04g."/>
                <p>the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.g"/>
             </part>
             <part id="sa-4_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04h."/>
                <part id="sa-4_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[01]"/>
                   <p>the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[02]"/>
                   <p>the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[03]"/>
                   <p>the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.h"/>
             </part>
             <part id="sa-4_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04i."/>
                <p>acceptance criteria requirements and descriptions are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service.</p>
+               <link rel="assessment-for" href="#sa-4_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#sa-4_smt"/>
          </part>
          <part id="sa-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23891,6 +25297,7 @@
             <part id="sa-4.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(01)"/>
                <p>the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.</p>
+               <link rel="assessment-for" href="#sa-4.1_smt"/>
             </part>
             <part id="sa-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23976,6 +25383,7 @@
             <part id="sa-4.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(02)"/>
                <p>the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using <insert type="param" id-ref="sa-04.02_odp.01"/> at <insert type="param" id-ref="sa-04.02_odp.03"/>.</p>
+               <link rel="assessment-for" href="#sa-4.2_smt"/>
             </part>
             <part id="sa-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24037,19 +25445,24 @@
                <part id="sa-4.9_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[01]"/>
                   <p>the developer of the system, system component, or system service is required to identify the functions intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[02]"/>
                   <p>the developer of the system, system component, or system service is required to identify the ports intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[03]"/>
                   <p>the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
                <part id="sa-4.9_obj-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04(09)[04]"/>
                   <p>the developer of the system, system component, or system service is required to identify the services intended for organizational use.</p>
+                  <link rel="assessment-for" href="#sa-4.9_smt"/>
                </part>
+               <link rel="assessment-for" href="#sa-4.9_smt"/>
             </part>
             <part id="sa-4.9_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24105,6 +25518,7 @@
             <part id="sa-4.10_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04(10)"/>
                <p>only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.</p>
+               <link rel="assessment-for" href="#sa-4.10_smt"/>
             </part>
             <part id="sa-4.10_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24242,46 +25656,59 @@
                   <part id="sa-5_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
                   <part id="sa-5_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.01[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.1"/>
                </part>
                <part id="sa-5_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.02"/>
                   <part id="sa-5_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[03]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
                   <part id="sa-5_obj.a.2-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.02[04]"/>
                      <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.2"/>
                </part>
                <part id="sa-5_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05a.03"/>
                   <part id="sa-5_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[01]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
                   <part id="sa-5_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05a.03[02]"/>
                      <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.a"/>
             </part>
             <part id="sa-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05b."/>
@@ -24290,58 +25717,75 @@
                   <part id="sa-5_obj.b.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[02]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[03]"/>
                      <p>user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
                   <part id="sa-5_obj.b.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.01[04]"/>
                      <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.1"/>
                </part>
                <part id="sa-5_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.02"/>
                   <part id="sa-5_obj.b.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[01]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
                   <part id="sa-5_obj.b.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.02[02]"/>
                      <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.2"/>
                </part>
                <part id="sa-5_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05b.03"/>
                   <part id="sa-5_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[01]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
                   <part id="sa-5_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-05b.03[02]"/>
                      <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;</p>
+                     <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-5_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.b"/>
             </part>
             <part id="sa-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05c."/>
                <part id="sa-5_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[01]"/>
                   <p>attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
                <part id="sa-5_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-05c.[02]"/>
                   <p>after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, <insert type="param" id-ref="sa-05_odp.01"/> are taken in response;</p>
+                  <link rel="assessment-for" href="#sa-5_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-5_smt.c"/>
             </part>
             <part id="sa-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-05d."/>
                <p>documentation is distributed to <insert type="param" id-ref="sa-05_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sa-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt"/>
          </part>
          <part id="sa-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24457,52 +25901,63 @@
                <prop name="label" class="sp800-53a" value="SA-08[01]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[02]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[03]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[04]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[05]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the modification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[06]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-7" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[07]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-8" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[08]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-9" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[09]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-10" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[10]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the modification of the system and system components.</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
+            <link rel="assessment-for" href="#sa-8_smt"/>
          </part>
          <part id="sa-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24608,32 +26063,41 @@
                <part id="sa-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[01]"/>
                   <p>providers of external system services comply with organizational security requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[02]"/>
                   <p>providers of external system services comply with organizational privacy requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[03]"/>
                   <p>providers of external system services employ <insert type="param" id-ref="sa-09_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.a"/>
             </part>
             <part id="sa-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09b."/>
                <part id="sa-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[01]"/>
                   <p>organizational oversight with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
                <part id="sa-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[02]"/>
                   <p>user roles and responsibilities with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.b"/>
             </part>
             <part id="sa-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09c."/>
                <p>
                   <insert type="param" id-ref="sa-09_odp.02"/> are employed to monitor control compliance by external service providers on an ongoing basis.</p>
+               <link rel="assessment-for" href="#sa-9_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-9_smt"/>
          </part>
          <part id="sa-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24704,6 +26168,7 @@
             <part id="sa-9.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09(02)"/>
                <p>providers of <insert type="param" id-ref="sa-09.02_odp"/> are required to identify the functions, ports, protocols, and other services required for the use of such services.</p>
+               <link rel="assessment-for" href="#sa-9.2_smt"/>
             </part>
             <part id="sa-9.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24826,56 +26291,71 @@
             <part id="sa-10_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10a."/>
                <p>the developer of the system, system component, or system service is required to perform configuration management during system, component, or service <insert type="param" id-ref="sa-10_odp.01"/>;</p>
+               <link rel="assessment-for" href="#sa-10_smt.a"/>
             </part>
             <part id="sa-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10b."/>
                <part id="sa-10_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[01]"/>
                   <p>the developer of the system, system component, or system service is required to document the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
                <part id="sa-10_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[02]"/>
                   <p>the developer of the system, system component, or system service is required to manage the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
                <part id="sa-10_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10b.[03]"/>
                   <p>the developer of the system, system component, or system service is required to control the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.b"/>
             </part>
             <part id="sa-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10c."/>
                <p>the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;</p>
+               <link rel="assessment-for" href="#sa-10_smt.c"/>
             </part>
             <part id="sa-10_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10d."/>
                <part id="sa-10_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[01]"/>
                   <p>the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
                <part id="sa-10_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[02]"/>
                   <p>the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
                <part id="sa-10_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10d.[03]"/>
                   <p>the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.d"/>
             </part>
             <part id="sa-10_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-10e."/>
                <part id="sa-10_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[01]"/>
                   <p>the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
                <part id="sa-10_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[02]"/>
                   <p>the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
                <part id="sa-10_obj.e-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-10e.[03]"/>
                   <p>the developer of the system, system component, or system service is required to report findings to <insert type="param" id-ref="sa-10_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#sa-10_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-10_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sa-10_smt"/>
          </part>
          <part id="sa-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25005,43 +26485,55 @@
                <part id="sa-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[03]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[04]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.a"/>
             </part>
             <part id="sa-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11b."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform <insert type="param" id-ref="sa-11_odp.01"/> testing/evaluation <insert type="param" id-ref="sa-11_odp.02"/> at <insert type="param" id-ref="sa-11_odp.03"/>;</p>
+               <link rel="assessment-for" href="#sa-11_smt.b"/>
             </part>
             <part id="sa-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11c."/>
                <part id="sa-11_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
                <part id="sa-11_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.c"/>
             </part>
             <part id="sa-11_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11d."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;</p>
+               <link rel="assessment-for" href="#sa-11_smt.d"/>
             </part>
             <part id="sa-11_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11e."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.</p>
+               <link rel="assessment-for" href="#sa-11_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sa-11_smt"/>
          </part>
          <part id="sa-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25179,50 +26671,65 @@
                   <part id="sa-15_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.01[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                   </part>
                   <part id="sa-15_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.01[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.1"/>
                </part>
                <part id="sa-15_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.02"/>
                   <part id="sa-15_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.02[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                   </part>
                   <part id="sa-15_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.02[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.2"/>
                </part>
                <part id="sa-15_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.03"/>
                   <part id="sa-15_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.03[01]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                   </part>
                   <part id="sa-15_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15a.03[02]"/>
                      <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;</p>
+                     <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15_smt.a.3"/>
                </part>
                <part id="sa-15_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15a.04"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;</p>
+                  <link rel="assessment-for" href="#sa-15_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#sa-15_smt.a"/>
             </part>
             <part id="sa-15_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-15b."/>
                <part id="sa-15_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15b.[01]"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-15_smt.b"/>
                </part>
                <part id="sa-15_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15b.[02]"/>
                   <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#sa-15_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-15_smt"/>
          </part>
          <part id="sa-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25326,18 +26833,23 @@
                <part id="sa-15.3_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15(03)(a)"/>
                   <p>the developer of the system, system component, or system service is required to perform a criticality analysis at <insert type="param" id-ref="sa-15.03_odp.01"/> in the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-15.3_smt.a"/>
                </part>
                <part id="sa-15.3_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-15(03)(b)"/>
                   <part id="sa-15.3_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15(03)(b)[01]"/>
                      <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                   </part>
                   <part id="sa-15.3_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-15(03)(b)[02]"/>
                      <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.03"/> .</p>
+                     <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-15.3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-15.3_smt"/>
             </part>
             <part id="sa-15.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25429,12 +26941,15 @@
             <part id="sa-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22a."/>
                <p>system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;</p>
+               <link rel="assessment-for" href="#sa-22_smt.a"/>
             </part>
             <part id="sa-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-22b."/>
                <p>
                   <insert type="param" id-ref="sa-22_odp.01"/> provide options for alternative sources for continued support for unsupported components.</p>
+               <link rel="assessment-for" href="#sa-22_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-22_smt"/>
          </part>
          <part id="sa-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25610,18 +27125,22 @@
                <part id="sc-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[01]"/>
                   <p>a system and communications protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[02]"/>
                   <p>the system and communications protection policy is disseminated to <insert type="param" id-ref="sc-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[03]"/>
                   <p>system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.[04]"/>
                   <p>the system and communications protection procedures are disseminated to <insert type="param" id-ref="sc-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sc-1_smt.a"/>
                </part>
                <part id="sc-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01a.01"/>
@@ -25630,41 +27149,53 @@
                      <part id="sc-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
                      <part id="sc-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
                   </part>
                   <part id="sc-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.a"/>
             </part>
             <part id="sc-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01b."/>
                <p>the <insert type="param" id-ref="sc-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;</p>
+               <link rel="assessment-for" href="#sc-1_smt.b"/>
             </part>
             <part id="sc-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-01c."/>
@@ -25673,24 +27204,32 @@
                   <part id="sc-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[01]"/>
                      <p>the current system and communications protection policy is reviewed and updated <insert type="param" id-ref="sc-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
                   <part id="sc-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.01[02]"/>
                      <p>the current system and communications protection policy is reviewed and updated following <insert type="param" id-ref="sc-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.1"/>
                </part>
                <part id="sc-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-01c.02"/>
                   <part id="sc-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[01]"/>
                      <p>the current system and communications protection procedures are reviewed and updated <insert type="param" id-ref="sc-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
                   <part id="sc-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-01c.02[02]"/>
                      <p>the current system and communications protection procedures are reviewed and updated following <insert type="param" id-ref="sc-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sc-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt"/>
          </part>
          <part id="sc-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25742,6 +27281,7 @@
          <part id="sc-2_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-02"/>
             <p>user functionality, including user interface services, is separated from system management functionality.</p>
+            <link rel="assessment-for" href="#sc-2_smt"/>
          </part>
          <part id="sc-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25795,11 +27335,14 @@
             <part id="sc-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-04[01]"/>
                <p>unauthorized information transfer via shared system resources is prevented;</p>
+               <link rel="assessment-for" href="#sc-4_smt"/>
             </part>
             <part id="sc-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-04[02]"/>
                <p>unintended information transfer via shared system resources is prevented.</p>
+               <link rel="assessment-for" href="#sc-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-4_smt"/>
          </part>
          <part id="sc-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25888,12 +27431,15 @@
             <part id="sc-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05a."/>
                <p>the effects of <insert type="param" id-ref="sc-05_odp.01"/> are <insert type="param" id-ref="sc-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#sc-5_smt.a"/>
             </part>
             <part id="sc-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-05b."/>
                <p>
                   <insert type="param" id-ref="sc-05_odp.03"/> are employed to achieve the denial-of-service protection objective.</p>
+               <link rel="assessment-for" href="#sc-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-5_smt"/>
          </part>
          <part id="sc-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25999,28 +27545,36 @@
                <part id="sc-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[01]"/>
                   <p>communications at external managed interfaces to the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[02]"/>
                   <p>communications at external managed interfaces to the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[03]"/>
                   <p>communications at key internal managed interfaces within the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[04]"/>
                   <p>communications at key internal managed interfaces within the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-7_smt.a"/>
             </part>
             <part id="sc-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07b."/>
                <p>subnetworks for publicly accessible system components are <insert type="param" id-ref="sc-07_odp"/> separated from internal organizational networks;</p>
+               <link rel="assessment-for" href="#sc-7_smt.b"/>
             </part>
             <part id="sc-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07c."/>
                <p>external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
+               <link rel="assessment-for" href="#sc-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-7_smt"/>
          </part>
          <part id="sc-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26073,6 +27627,7 @@
             <part id="sc-7.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(03)"/>
                <p>the number of external network connections to the system is limited.</p>
+               <link rel="assessment-for" href="#sc-7.3_smt"/>
             </part>
             <part id="sc-7.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26172,49 +27727,62 @@
                <part id="sc-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(a)"/>
                   <p>a managed interface is implemented for each external telecommunication service;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.a"/>
                </part>
                <part id="sc-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(b)"/>
                   <p>a traffic flow policy is established for each managed interface;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.b"/>
                </part>
                <part id="sc-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(c)"/>
                   <part id="sc-7.4_obj.c-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(c)[01]"/>
                      <p>the confidentiality of the information being transmitted across each interface is protected;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                   </part>
                   <part id="sc-7.4_obj.c-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(c)[02]"/>
                      <p>the integrity of the information being transmitted across each interface is protected;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.4_smt.c"/>
                </part>
                <part id="sc-7.4_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(d)"/>
                   <p>each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.d"/>
                </part>
                <part id="sc-7.4_obj.e" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(e)"/>
                   <part id="sc-7.4_obj.e-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(e)[01]"/>
                      <p>exceptions to the traffic flow policy are reviewed <insert type="param" id-ref="sc-07.04_odp"/>;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                   </part>
                   <part id="sc-7.4_obj.e-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(04)(e)[02]"/>
                      <p>exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;</p>
+                     <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.4_smt.e"/>
                </part>
                <part id="sc-7.4_obj.f" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(f)"/>
                   <p>unauthorized exchanges of control plan traffic with external networks are prevented;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.f"/>
                </part>
                <part id="sc-7.4_obj.g" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(g)"/>
                   <p>information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.g"/>
                </part>
                <part id="sc-7.4_obj.h" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(04)(h)"/>
                   <p>unauthorized control plane traffic is filtered from external networks.</p>
+                  <link rel="assessment-for" href="#sc-7.4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sc-7.4_smt"/>
             </part>
             <part id="sc-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26292,11 +27860,14 @@
                <part id="sc-7.5_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(05)[01]"/>
                   <p>network communications traffic is denied by default <insert type="param" id-ref="sc-07.05_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sc-7.5_smt"/>
                </part>
                <part id="sc-7.5_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(05)[02]"/>
                   <p>network communications traffic is allowed by exception <insert type="param" id-ref="sc-07.05_odp.01"/>.</p>
+                  <link rel="assessment-for" href="#sc-7.5_smt"/>
                </part>
+               <link rel="assessment-for" href="#sc-7.5_smt"/>
             </part>
             <part id="sc-7.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26355,6 +27926,7 @@
             <part id="sc-7.7_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07(07)"/>
                <p>split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using <insert type="param" id-ref="sc-07.07_odp"/>.</p>
+               <link rel="assessment-for" href="#sc-7.7_smt"/>
             </part>
             <part id="sc-7.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26426,6 +27998,7 @@
                <prop name="label" class="sp800-53a" value="SC-07(08)"/>
                <p>
                   <insert type="param" id-ref="sc-07.08_odp.01"/> is routed to <insert type="param" id-ref="sc-07.08_odp.02"/> through authenticated proxy servers at managed interfaces.</p>
+               <link rel="assessment-for" href="#sc-7.8_smt"/>
             </part>
             <part id="sc-7.8_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26510,6 +28083,7 @@
          <part id="sc-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-08"/>
             <p>the <insert type="param" id-ref="sc-08_odp"/> of transmitted information is/are protected.</p>
+            <link rel="assessment-for" href="#sc-8_smt"/>
          </part>
          <part id="sc-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26568,6 +28142,7 @@
             <part id="sc-8.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-08(01)"/>
                <p>cryptographic mechanisms are implemented to <insert type="param" id-ref="sc-08.01_odp"/> during transmission.</p>
+               <link rel="assessment-for" href="#sc-8.1_smt"/>
             </part>
             <part id="sc-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26629,6 +28204,7 @@
          <part id="sc-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-10"/>
             <p>the network connection associated with a communication session is terminated at the end of the session or after <insert type="param" id-ref="sc-10_odp"/> of inactivity.</p>
+            <link rel="assessment-for" href="#sc-10_smt"/>
          </part>
          <part id="sc-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26699,6 +28275,7 @@
          <link rel="related" href="#cm-3"/>
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#sa-4"/>
          <link rel="related" href="#sa-8"/>
          <link rel="related" href="#sa-9"/>
@@ -26723,11 +28300,14 @@
             <part id="sc-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[01]"/>
                <p>cryptographic keys are established when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
             <part id="sc-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-12[02]"/>
                <p>cryptographic keys are managed when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>.</p>
+               <link rel="assessment-for" href="#sc-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-12_smt"/>
          </part>
          <part id="sc-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26801,6 +28381,7 @@
          <link rel="related" href="#ia-3"/>
          <link rel="related" href="#ia-5"/>
          <link rel="related" href="#ia-7"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#mp-2"/>
          <link rel="related" href="#mp-4"/>
@@ -26835,12 +28416,15 @@
                <prop name="label" class="sp800-53a" value="SC-13a."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.01"/> are identified;</p>
+               <link rel="assessment-for" href="#sc-13_smt.a"/>
             </part>
             <part id="sc-13_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-13b."/>
                <p>
                   <insert type="param" id-ref="sc-13_odp.02"/> for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.</p>
+               <link rel="assessment-for" href="#sc-13_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-13_smt"/>
          </part>
          <part id="sc-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26911,11 +28495,14 @@
             <part id="sc-15_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15a."/>
                <p>remote activation of collaborative computing devices and applications is prohibited except <insert type="param" id-ref="sc-15_odp"/>;</p>
+               <link rel="assessment-for" href="#sc-15_smt.a"/>
             </part>
             <part id="sc-15_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-15b."/>
                <p>an explicit indication of use is provided to users physically present at the devices.</p>
+               <link rel="assessment-for" href="#sc-15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-15_smt"/>
          </part>
          <part id="sc-15_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26995,11 +28582,14 @@
             <part id="sc-17_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-17a."/>
                <p>public key certificates are issued under <insert type="param" id-ref="sc-17_odp"/> , or public key certificates are obtained from an approved service provider;</p>
+               <link rel="assessment-for" href="#sc-17_smt.a"/>
             </part>
             <part id="sc-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-17b."/>
                <p>only approved trust anchors are included in trust stores or certificate stores managed by the organization.</p>
+               <link rel="assessment-for" href="#sc-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-17_smt"/>
          </part>
          <part id="sc-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27065,35 +28655,45 @@
                <part id="sc-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[01]"/>
                   <p>acceptable mobile code is defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[02]"/>
                   <p>unacceptable mobile code is defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[03]"/>
                   <p>acceptable mobile code technologies are defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
                <part id="sc-18_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18a.[04]"/>
                   <p>unacceptable mobile code technologies are defined;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-18_smt.a"/>
             </part>
             <part id="sc-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-18b."/>
                <part id="sc-18_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[01]"/>
                   <p>the use of mobile code is authorized within the system;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
                <part id="sc-18_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[02]"/>
                   <p>the use of mobile code is monitored within the system;</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
                <part id="sc-18_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-18b.[03]"/>
                   <p>the use of mobile code is controlled within the system.</p>
+                  <link rel="assessment-for" href="#sc-18_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sc-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-18_smt"/>
          </part>
          <part id="sc-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27167,23 +28767,30 @@
                <part id="sc-20_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[01]"/>
                   <p>additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
                <part id="sc-20_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20a.[02]"/>
                   <p>integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.a"/>
             </part>
             <part id="sc-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-20b."/>
                <part id="sc-20_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[01]"/>
                   <p>the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
                <part id="sc-20_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-20b.[02]"/>
                   <p>the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.</p>
+                  <link rel="assessment-for" href="#sc-20_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sc-20_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-20_smt"/>
          </part>
          <part id="sc-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27236,19 +28843,24 @@
             <part id="sc-21_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[01]"/>
                <p>data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[02]"/>
                <p>data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[03]"/>
                <p>data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
             <part id="sc-21_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-21[04]"/>
                <p>data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.</p>
+               <link rel="assessment-for" href="#sc-21_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-21_smt"/>
          </part>
          <part id="sc-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27304,15 +28916,19 @@
             <part id="sc-22_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[01]"/>
                <p>the systems that collectively provide name/address resolution services for an organization are fault-tolerant;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[02]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement internal role separation;</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
             <part id="sc-22_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-22[03]"/>
                <p>the systems that collectively provide name/address resolution services for an organization implement external role separation.</p>
+               <link rel="assessment-for" href="#sc-22_smt"/>
             </part>
+            <link rel="assessment-for" href="#sc-22_smt"/>
          </part>
          <part id="sc-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27371,6 +28987,7 @@
          <part id="sc-23_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-23"/>
             <p>the authenticity of communication sessions is protected.</p>
+            <link rel="assessment-for" href="#sc-23_smt"/>
          </part>
          <part id="sc-23_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27462,6 +29079,7 @@
          <part id="sc-28_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28"/>
             <p>the <insert type="param" id-ref="sc-28_odp.01"/> of <insert type="param" id-ref="sc-28_odp.02"/> is/are protected.</p>
+            <link rel="assessment-for" href="#sc-28_smt"/>
          </part>
          <part id="sc-28_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27532,11 +29150,14 @@
                <part id="sc-28.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-28(01)[01]"/>
                   <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sc-28.1_smt"/>
                </part>
                <part id="sc-28.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-28(01)[02]"/>
                   <p>cryptographic mechanisms are implemented to prevent unauthorized modification of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#sc-28.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#sc-28.1_smt"/>
             </part>
             <part id="sc-28.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27599,6 +29220,7 @@
          <part id="sc-39_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-39"/>
             <p>a separate execution domain is maintained for each executing system process.</p>
+            <link rel="assessment-for" href="#sc-39_smt"/>
          </part>
          <part id="sc-39_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27769,18 +29391,22 @@
                <part id="si-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[01]"/>
                   <p>a system and information integrity policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[02]"/>
                   <p>the system and information integrity policy is disseminated to <insert type="param" id-ref="si-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[03]"/>
                   <p>system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[04]"/>
                   <p>the system and information integrity procedures are disseminated to <insert type="param" id-ref="si-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.01"/>
@@ -27789,41 +29415,53 @@
                      <part id="si-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses scope;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses roles;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                   </part>
                   <part id="si-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.a"/>
             </part>
             <part id="si-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01b."/>
                <p>the <insert type="param" id-ref="si-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;</p>
+               <link rel="assessment-for" href="#si-1_smt.b"/>
             </part>
             <part id="si-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01c."/>
@@ -27832,24 +29470,32 @@
                   <part id="si-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[01]"/>
                      <p>the current system and information integrity policy is reviewed and updated <insert type="param" id-ref="si-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
                   <part id="si-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[02]"/>
                      <p>the current system and information integrity policy is reviewed and updated following <insert type="param" id-ref="si-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.1"/>
                </part>
                <part id="si-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01c.02"/>
                   <part id="si-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[01]"/>
                      <p>the current system and information integrity procedures are reviewed and updated <insert type="param" id-ref="si-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
                   <part id="si-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[02]"/>
                      <p>the current system and information integrity procedures are reviewed and updated following <insert type="param" id-ref="si-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt"/>
          </part>
          <part id="si-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27938,50 +29584,64 @@
                <part id="si-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[01]"/>
                   <p>system flaws are identified;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[02]"/>
                   <p>system flaws are reported;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
                <part id="si-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02a.[03]"/>
                   <p>system flaws are corrected;</p>
+                  <link rel="assessment-for" href="#si-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.a"/>
             </part>
             <part id="si-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02b."/>
                <part id="si-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[01]"/>
                   <p>software updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[02]"/>
                   <p>software updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[03]"/>
                   <p>firmware updates related to flaw remediation are tested for effectiveness before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
                <part id="si-2_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02b.[04]"/>
                   <p>firmware updates related to flaw remediation are tested for potential side effects before installation;</p>
+                  <link rel="assessment-for" href="#si-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.b"/>
             </part>
             <part id="si-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02c."/>
                <part id="si-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[01]"/>
                   <p>security-relevant software updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
                <part id="si-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-02c.[02]"/>
                   <p>security-relevant firmware updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+                  <link rel="assessment-for" href="#si-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#si-2_smt.c"/>
             </part>
             <part id="si-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02d."/>
                <p>flaw remediation is incorporated into the organizational configuration management process.</p>
+               <link rel="assessment-for" href="#si-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-2_smt"/>
          </part>
          <part id="si-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28058,6 +29718,7 @@
             <part id="si-2.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-02(02)"/>
                <p>system components have applicable security-relevant software and firmware updates installed <insert type="param" id-ref="si-02.02_odp.02"/> using <insert type="param" id-ref="si-02.02_odp.01"/>.</p>
+               <link rel="assessment-for" href="#si-2.2_smt"/>
             </part>
             <part id="si-2.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28216,16 +29877,20 @@
                   <prop name="label" class="sp800-53a" value="SI-03a.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
                <part id="si-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03a.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;</p>
+                  <link rel="assessment-for" href="#si-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.a"/>
             </part>
             <part id="si-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03b."/>
                <p>malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#si-3_smt.b"/>
             </part>
             <part id="si-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03c."/>
@@ -28234,28 +29899,37 @@
                   <part id="si-3_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[01]"/>
                      <p>malicious code protection mechanisms are configured to perform periodic scans of the system <insert type="param" id-ref="si-03_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
                   <part id="si-3_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.01[02]"/>
                      <p>malicious code protection mechanisms are configured to perform real-time scans of files from external sources at <insert type="param" id-ref="si-03_odp.03"/> as the files are downloaded, opened, or executed in accordance with organizational policy;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.1"/>
                </part>
                <part id="si-3_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-03c.02"/>
                   <part id="si-3_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[01]"/>
                      <p>malicious code protection mechanisms are configured to <insert type="param" id-ref="si-03_odp.04"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
                   <part id="si-3_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-03c.02[02]"/>
                      <p>malicious code protection mechanisms are configured to send alerts to <insert type="param" id-ref="si-03_odp.06"/> in response to malicious code detection;</p>
+                     <link rel="assessment-for" href="#si-3_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-3_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-3_smt.c"/>
             </part>
             <part id="si-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-03d."/>
                <p>the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.</p>
+               <link rel="assessment-for" href="#si-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-3_smt"/>
          </part>
          <part id="si-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28466,63 +30140,80 @@
                <part id="si-4_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.01"/>
                   <p>the system is monitored to detect attacks and indicators of potential attacks in accordance with <insert type="param" id-ref="si-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-4_smt.a.1"/>
                </part>
                <part id="si-4_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04a.02"/>
                   <part id="si-4_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[01]"/>
                      <p>the system is monitored to detect unauthorized local connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[02]"/>
                      <p>the system is monitored to detect unauthorized network connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
                   <part id="si-4_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04a.02[03]"/>
                      <p>the system is monitored to detect unauthorized remote connections;</p>
+                     <link rel="assessment-for" href="#si-4_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.a"/>
             </part>
             <part id="si-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04b."/>
                <p>unauthorized use of the system is identified through <insert type="param" id-ref="si-04_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-4_smt.b"/>
             </part>
             <part id="si-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04c."/>
                <part id="si-4_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.01"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.1"/>
                </part>
                <part id="si-4_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04c.02"/>
                   <p>internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;</p>
+                  <link rel="assessment-for" href="#si-4_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.c"/>
             </part>
             <part id="si-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04d."/>
                <part id="si-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[01]"/>
                   <p>detected events are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
                <part id="si-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04d.[02]"/>
                   <p>detected anomalies are analyzed;</p>
+                  <link rel="assessment-for" href="#si-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#si-4_smt.d"/>
             </part>
             <part id="si-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04e."/>
                <p>the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p>
+               <link rel="assessment-for" href="#si-4_smt.e"/>
             </part>
             <part id="si-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04f."/>
                <p>a legal opinion regarding system monitoring activities is obtained;</p>
+               <link rel="assessment-for" href="#si-4_smt.f"/>
             </part>
             <part id="si-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04g."/>
                <p>
                   <insert type="param" id-ref="si-04_odp.03"/> is provided to <insert type="param" id-ref="si-04_odp.04"/>
                   <insert type="param" id-ref="si-04_odp.05"/>.</p>
+               <link rel="assessment-for" href="#si-4_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#si-4_smt"/>
          </part>
          <part id="si-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28582,6 +30273,7 @@
             <part id="si-4.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-04(02)"/>
                <p>automated tools and mechanisms are employed to support a near real-time analysis of events.</p>
+               <link rel="assessment-for" href="#si-4.2_smt"/>
             </part>
             <part id="si-4.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28702,23 +30394,30 @@
                   <part id="si-4.4_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(a)[01]"/>
                      <p>criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.a"/>
                   </part>
                   <part id="si-4.4_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(a)[02]"/>
                      <p>criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4.4_smt.a"/>
                </part>
                <part id="si-4.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-04(04)(b)"/>
                   <part id="si-4.4_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(b)[01]"/>
                      <p>inbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.01"/> for <insert type="param" id-ref="si-04.04_odp.02"/>;</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.b"/>
                   </part>
                   <part id="si-4.4_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-04(04)(b)[02]"/>
                      <p>outbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.03"/> for <insert type="param" id-ref="si-04.04_odp.04"/>.</p>
+                     <link rel="assessment-for" href="#si-4.4_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-4.4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-4.4_smt"/>
             </part>
             <part id="si-4.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28798,6 +30497,7 @@
                <prop name="label" class="sp800-53a" value="SI-04(05)"/>
                <p>
                   <insert type="param" id-ref="si-04.05_odp.01"/> are alerted when system-generated <insert type="param" id-ref="si-04.05_odp.02"/> occur.</p>
+               <link rel="assessment-for" href="#si-4.5_smt"/>
             </part>
             <part id="si-4.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28931,19 +30631,24 @@
             <part id="si-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05a."/>
                <p>system security alerts, advisories, and directives are received from <insert type="param" id-ref="si-05_odp.01"/> on an ongoing basis;</p>
+               <link rel="assessment-for" href="#si-5_smt.a"/>
             </part>
             <part id="si-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05b."/>
                <p>internal security alerts, advisories, and directives are generated as deemed necessary;</p>
+               <link rel="assessment-for" href="#si-5_smt.b"/>
             </part>
             <part id="si-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05c."/>
                <p>security alerts, advisories, and directives are disseminated to <insert type="param" id-ref="si-05_odp.02"/>;</p>
+               <link rel="assessment-for" href="#si-5_smt.c"/>
             </part>
             <part id="si-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-05d."/>
                <p>security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.</p>
+               <link rel="assessment-for" href="#si-5_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#si-5_smt"/>
          </part>
          <part id="si-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29108,15 +30813,19 @@
                <part id="si-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[01]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
                <part id="si-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[02]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
                <part id="si-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07a.[03]"/>
                   <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#si-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-7_smt.a"/>
             </part>
             <part id="si-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07b."/>
@@ -29124,18 +30833,23 @@
                   <prop name="label" class="sp800-53a" value="SI-07b.[01]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.04"/> are taken when unauthorized changes to the software, are detected;</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
                <part id="si-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07b.[02]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.05"/> are taken when unauthorized changes to the firmware are detected;</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
                <part id="si-7_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07b.[03]"/>
                   <p>
                      <insert type="param" id-ref="si-07_odp.06"/> are taken when unauthorized changes to the information are detected.</p>
+                  <link rel="assessment-for" href="#si-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#si-7_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-7_smt"/>
          </part>
          <part id="si-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29346,15 +31060,19 @@
                <part id="si-7.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[01]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.01"/> is performed <insert type="param" id-ref="si-07.01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
                <part id="si-7.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[02]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.05"/> is performed <insert type="param" id-ref="si-07.01_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
                <part id="si-7.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-07(01)[03]"/>
                   <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.09"/> is performed <insert type="param" id-ref="si-07.01_odp.10"/>.</p>
+                  <link rel="assessment-for" href="#si-7.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#si-7.1_smt"/>
             </part>
             <part id="si-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29426,6 +31144,7 @@
             <part id="si-7.7_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-07(07)"/>
                <p>the detection of <insert type="param" id-ref="si-07.07_odp"/> are incorporated into the organizational incident response capability.</p>
+               <link rel="assessment-for" href="#si-7.7_smt"/>
             </part>
             <part id="si-7.7_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29499,24 +31218,31 @@
                <part id="si-8_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[01]"/>
                   <p>spam protection mechanisms are employed at system entry points to detect unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[02]"/>
                   <p>spam protection mechanisms are employed at system exit points to detect unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[03]"/>
                   <p>spam protection mechanisms are employed at system entry points to act on unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
                <part id="si-8_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-08a.[04]"/>
                   <p>spam protection mechanisms are employed at system exit points to act on unsolicited messages;</p>
+                  <link rel="assessment-for" href="#si-8_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-8_smt.a"/>
             </part>
             <part id="si-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-08b."/>
                <p>spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.</p>
+               <link rel="assessment-for" href="#si-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-8_smt"/>
          </part>
          <part id="si-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29579,6 +31305,7 @@
             <part id="si-8.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-08(02)"/>
                <p>spam protection mechanisms are automatically updated <insert type="param" id-ref="si-08.02_odp"/>.</p>
+               <link rel="assessment-for" href="#si-8.2_smt"/>
             </part>
             <part id="si-8.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29650,6 +31377,7 @@
          <part id="si-10_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10"/>
             <p>the validity of the <insert type="param" id-ref="si-10_odp"/> is checked.</p>
+            <link rel="assessment-for" href="#si-10_smt"/>
          </part>
          <part id="si-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29726,11 +31454,14 @@
             <part id="si-11_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-11a."/>
                <p>error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;</p>
+               <link rel="assessment-for" href="#si-11_smt.a"/>
             </part>
             <part id="si-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-11b."/>
                <p>error messages are revealed only to <insert type="param" id-ref="si-11_odp"/>.</p>
+               <link rel="assessment-for" href="#si-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-11_smt"/>
          </part>
          <part id="si-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29819,19 +31550,24 @@
             <part id="si-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[01]"/>
                <p>information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[02]"/>
                <p>information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[03]"/>
                <p>information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[04]"/>
                <p>information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#si-12_smt"/>
          </part>
          <part id="si-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29905,6 +31641,7 @@
             <prop name="label" class="sp800-53a" value="SI-16"/>
             <p>
                <insert type="param" id-ref="si-16_odp"/> are implemented to protect the system memory from unauthorized code execution.</p>
+            <link rel="assessment-for" href="#si-16_smt"/>
          </part>
          <part id="si-16_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30087,18 +31824,22 @@
                <part id="sr-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[01]"/>
                   <p>a supply chain risk management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[02]"/>
                   <p>the supply chain risk management policy is disseminated to <insert type="param" id-ref="sr-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[03]"/>
                   <p>supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.[04]"/>
                   <p>the supply chain risk management procedures are disseminated to <insert type="param" id-ref="sr-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#sr-1_smt.a"/>
                </part>
                <part id="sr-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01a.01"/>
@@ -30107,42 +31848,54 @@
                      <part id="sr-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses scope; </p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[03]"/>
                         <p>
                            <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
                      <part id="sr-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses compliance.</p>
+                        <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
                   </part>
                   <part id="sr-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.a"/>
             </part>
             <part id="sr-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01b."/>
                <p>the <insert type="param" id-ref="sr-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;</p>
+               <link rel="assessment-for" href="#sr-1_smt.b"/>
             </part>
             <part id="sr-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-01c."/>
@@ -30151,24 +31904,32 @@
                   <part id="sr-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[01]"/>
                      <p>the current supply chain risk management policy is reviewed and updated <insert type="param" id-ref="sr-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
                   <part id="sr-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.01[02]"/>
                      <p>the current supply chain risk management policy is reviewed and updated following <insert type="param" id-ref="sr-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.1"/>
                </part>
                <part id="sr-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-01c.02"/>
                   <part id="sr-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[01]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated <insert type="param" id-ref="sr-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
                   <part id="sr-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SR-01c.02[02]"/>
                      <p>the current supply chain risk management procedures are reviewed and updated following <insert type="param" id-ref="sr-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sr-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sr-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt"/>
          </part>
          <part id="sr-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30268,55 +32029,70 @@
                <part id="sr-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[01]"/>
                   <p>a plan for managing supply chain risks is developed;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[02]"/>
                   <p>the supply chain risk management plan addresses risks associated with the research and development of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[03]"/>
                   <p>the supply chain risk management plan addresses risks associated with the design of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[04]"/>
                   <p>the supply chain risk management plan addresses risks associated with the manufacturing of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[05]"/>
                   <p>the supply chain risk management plan addresses risks associated with the acquisition of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[06]"/>
                   <p>the supply chain risk management plan addresses risks associated with the delivery of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[07]"/>
                   <p>the supply chain risk management plan addresses risks associated with the integration of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[08]"/>
                   <p>the supply chain risk management plan addresses risks associated with the operation and maintenance of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
                <part id="sr-2_obj.a-9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02a.[09]"/>
                   <p>the supply chain risk management plan addresses risks associated with the disposal of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.a"/>
             </part>
             <part id="sr-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02b."/>
                <p>the supply chain risk management plan is reviewed and updated <insert type="param" id-ref="sr-02_odp.02"/> or as required to address threat, organizational, or environmental changes;</p>
+               <link rel="assessment-for" href="#sr-2_smt.b"/>
             </part>
             <part id="sr-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02c."/>
                <part id="sr-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[01]"/>
                   <p>the supply chain risk management plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
                <part id="sr-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-02c.[02]"/>
                   <p>the supply chain risk management plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#sr-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sr-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-2_smt"/>
          </part>
          <part id="sr-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30403,6 +32179,7 @@
             <part id="sr-2.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-02(01)"/>
                <p>a supply chain risk management team consisting of <insert type="param" id-ref="sr-02.01_odp.01"/> is established to lead and support <insert type="param" id-ref="sr-02.01_odp.02"/>.</p>
+               <link rel="assessment-for" href="#sr-2.1_smt"/>
             </part>
             <part id="sr-2.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30544,21 +32321,27 @@
                <part id="sr-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[01]"/>
                   <p>a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
                <part id="sr-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-03a.[02]"/>
                   <p>the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/> is/are coordinated with <insert type="param" id-ref="sr-03_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sr-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-3_smt.a"/>
             </part>
             <part id="sr-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03b."/>
                <p>
                   <insert type="param" id-ref="sr-03_odp.03"/> are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;</p>
+               <link rel="assessment-for" href="#sr-3_smt.b"/>
             </part>
             <part id="sr-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-03c."/>
                <p>the selected and implemented supply chain processes and controls are documented in <insert type="param" id-ref="sr-03_odp.04"/>.</p>
+               <link rel="assessment-for" href="#sr-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sr-3_smt"/>
          </part>
          <part id="sr-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30655,17 +32438,21 @@
                <prop name="label" class="sp800-53a" value="SR-05[01]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to protect against supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[02]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to identify supply chain risks;</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
             <part id="sr-5_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-05[03]"/>
                <p>
                   <insert type="param" id-ref="sr-05_odp"/> are employed to mitigate supply chain risks.</p>
+               <link rel="assessment-for" href="#sr-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#sr-5_smt"/>
          </part>
          <part id="sr-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30749,6 +32536,7 @@
          <part id="sr-6_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-06"/>
             <p>the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed <insert type="param" id-ref="sr-06_odp"/>.</p>
+            <link rel="assessment-for" href="#sr-6_smt"/>
          </part>
          <part id="sr-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30832,6 +32620,7 @@
          <part id="sr-8_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-08"/>
             <p>agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for <insert type="param" id-ref="sr-08_odp.01"/>.</p>
+            <link rel="assessment-for" href="#sr-8_smt"/>
          </part>
          <part id="sr-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30932,6 +32721,7 @@
             <prop name="label" class="sp800-53a" value="SR-10"/>
             <p>
                <insert type="param" id-ref="sr-10_odp.01"/> are inspected <insert type="param" id-ref="sr-10_odp.02"/> to detect tampering.</p>
+            <link rel="assessment-for" href="#sr-10_smt"/>
          </part>
          <part id="sr-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31035,24 +32825,31 @@
                <part id="sr-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[01]"/>
                   <p>an anti-counterfeit policy is developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[02]"/>
                   <p>anti-counterfeit procedures are developed and implemented;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[03]"/>
                   <p>the anti-counterfeit procedures include the means to detect counterfeit components entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
                <part id="sr-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11a.[04]"/>
                   <p>the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;</p>
+                  <link rel="assessment-for" href="#sr-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sr-11_smt.a"/>
             </part>
             <part id="sr-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SR-11b."/>
                <p>counterfeit system components are reported to <insert type="param" id-ref="sr-11_odp.01"/>.</p>
+               <link rel="assessment-for" href="#sr-11_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sr-11_smt"/>
          </part>
          <part id="sr-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31125,6 +32922,7 @@
                <prop name="label" class="sp800-53a" value="SR-11(01)"/>
                <p>
                   <insert type="param" id-ref="sr-11.01_odp"/> are trained to detect counterfeit system components (including hardware, software, and firmware).</p>
+               <link rel="assessment-for" href="#sr-11.1_smt"/>
             </part>
             <part id="sr-11.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31196,11 +32994,14 @@
                <part id="sr-11.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[01]"/>
                   <p>configuration control over <insert type="param" id-ref="sr-11.02_odp"/> awaiting service or repair is maintained;</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
                <part id="sr-11.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SR-11(02)[02]"/>
                   <p>configuration control over serviced or repaired <insert type="param" id-ref="sr-11.02_odp"/> awaiting return to service is maintained.</p>
+                  <link rel="assessment-for" href="#sr-11.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#sr-11.2_smt"/>
             </part>
             <part id="sr-11.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31274,6 +33075,7 @@
             <prop name="label" class="sp800-53a" value="SR-12"/>
             <p>
                <insert type="param" id-ref="sr-12_odp.01"/> are disposed of using <insert type="param" id-ref="sr-12_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sr-12_smt"/>
          </part>
          <part id="sr-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml
index 7141ecf6..f6bad1b7 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="1019f424-1556-4aa3-9df3-337b97c2c856">
+         uuid="49f45a95-20d1-450a-b4a5-c27ecc335a26">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE</title>
-      <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE</title>
+      <last-modified>2023-12-04T14:55:00.000000-04:00</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <role id="creator">
          <title>Document Creator</title>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.xml
index 0f5a520f..34a7ffaa 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-          uuid="b59abead-41dd-4ba4-818d-b2ce8ca7b80e">
+          uuid="f8f8bd60-df08-46cc-8083-cf001f43ea6a">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE</title>
-      <last-modified>2023-11-02T11:49:42.694597-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE</title>
+      <last-modified>2023-12-05T21:54:56.105295Z</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <prop name="resolution-tool"
              value="OSCAL Profile Resolver XSLT Pipeline OPRXP"/>
@@ -181,18 +181,22 @@
                <part id="ac-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[01]"/>
                   <p>an access control policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[02]"/>
                   <p>the access control policy is disseminated to <insert type="param" id-ref="ac-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[03]"/>
                   <p>access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.[04]"/>
                   <p>the access control procedures are disseminated to <insert type="param" id-ref="ac-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ac-1_smt.a"/>
                </part>
                <part id="ac-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01a.01"/>
@@ -201,41 +205,53 @@
                      <part id="ac-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
                      <part id="ac-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AC-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
                   </part>
                   <part id="ac-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.a"/>
             </part>
             <part id="ac-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01b."/>
                <p>the <insert type="param" id-ref="ac-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the access control policy and procedures;</p>
+               <link rel="assessment-for" href="#ac-1_smt.b"/>
             </part>
             <part id="ac-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AC-01c."/>
@@ -244,24 +260,32 @@
                   <part id="ac-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[01]"/>
                      <p>the current access control policy is reviewed and updated <insert type="param" id-ref="ac-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
                   <part id="ac-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.01[02]"/>
                      <p>the current access control policy is reviewed and updated following <insert type="param" id-ref="ac-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.1"/>
                </part>
                <part id="ac-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AC-01c.02"/>
                   <part id="ac-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[01]"/>
                      <p>the current access control procedures are reviewed and updated <insert type="param" id-ref="ac-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
                   <part id="ac-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AC-01c.02[02]"/>
                      <p>the current access control procedures are reviewed and updated following <insert type="param" id-ref="ac-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ac-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ac-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt"/>
          </part>
          <part id="ac-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -322,6 +346,7 @@
          <link rel="related" href="#ia-6"/>
          <link rel="related" href="#ia-7"/>
          <link rel="related" href="#ia-11"/>
+         <link rel="related" href="#ia-13"/>
          <link rel="related" href="#ma-3"/>
          <link rel="related" href="#ma-4"/>
          <link rel="related" href="#ma-5"/>
@@ -350,6 +375,7 @@
          <part id="ac-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03"/>
             <p>approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.</p>
+            <link rel="assessment-for" href="#ac-3_smt"/>
          </part>
          <part id="ac-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -423,6 +449,7 @@
                <prop name="label" class="sp800-53a" value="AC-03(14)"/>
                <p>
                   <insert type="param" id-ref="ac-03.14_odp.01"/> are provided to enable individuals to have access to <insert type="param" id-ref="ac-03.14_odp.02"/> of their personally identifiable information.</p>
+               <link rel="assessment-for" href="#ac-3.14_smt"/>
             </part>
             <part id="ac-3.14_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -606,18 +633,22 @@
                <part id="at-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[01]"/>
                   <p>an awareness and training policy is developed and documented; </p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[02]"/>
                   <p>the awareness and training policy is disseminated to <insert type="param" id-ref="at-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[03]"/>
                   <p>awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.[04]"/>
                   <p>the awareness and training procedures are disseminated to <insert type="param" id-ref="at-01_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#at-1_smt.a"/>
                </part>
                <part id="at-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01a.01"/>
@@ -626,41 +657,53 @@
                      <part id="at-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses scope;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses roles;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
                      <part id="at-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AT-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses compliance; and</p>
+                        <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
                   </part>
                   <part id="at-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and</p>
+                     <link rel="assessment-for" href="#at-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.a"/>
             </part>
             <part id="at-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01b."/>
                <p>the <insert type="param" id-ref="at-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;</p>
+               <link rel="assessment-for" href="#at-1_smt.b"/>
             </part>
             <part id="at-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-01c."/>
@@ -669,24 +712,32 @@
                   <part id="at-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[01]"/>
                      <p>the current awareness and training policy is reviewed and updated <insert type="param" id-ref="at-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
                   <part id="at-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.01[02]"/>
                      <p>the current awareness and training policy is reviewed and updated following <insert type="param" id-ref="at-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.1"/>
                </part>
                <part id="at-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-01c.02"/>
                   <part id="at-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[01]"/>
                      <p>the current awareness and training procedures are reviewed and updated <insert type="param" id-ref="at-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
                   <part id="at-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-01c.02[02]"/>
                      <p>the current awareness and training procedures are reviewed and updated following <insert type="param" id-ref="at-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#at-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#at-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt"/>
          </part>
          <part id="at-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -849,52 +900,67 @@
                   <part id="at-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[03]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.01"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
                   <part id="at-2_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.01[04]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.02"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.1"/>
                </part>
                <part id="at-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02a.02"/>
                   <part id="at-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[01]"/>
                      <p>security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
                   <part id="at-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-02a.02[02]"/>
                      <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.04"/>;</p>
+                     <link rel="assessment-for" href="#at-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-2_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.a"/>
             </part>
             <part id="at-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02b."/>
                <p>
                   <insert type="param" id-ref="at-02_odp.05"/> are employed to increase the security and privacy awareness of system users;</p>
+               <link rel="assessment-for" href="#at-2_smt.b"/>
             </part>
             <part id="at-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02c."/>
                <part id="at-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[01]"/>
                   <p>literacy training and awareness content is updated <insert type="param" id-ref="at-02_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
                <part id="at-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-02c.[02]"/>
                   <p>literacy training and awareness content is updated following <insert type="param" id-ref="at-02_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#at-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#at-2_smt.c"/>
             </part>
             <part id="at-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-02d."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.</p>
+               <link rel="assessment-for" href="#at-2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt"/>
          </part>
          <part id="at-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1046,49 +1112,63 @@
                   <part id="at-3_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[01]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[02]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> before authorizing access to the system, information, or performing assigned duties;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[03]"/>
                      <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
                   <part id="at-3_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.01[04]"/>
                      <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/>
                         <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.1"/>
                </part>
                <part id="at-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03a.02"/>
                   <part id="at-3_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[01]"/>
                      <p>role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
                   <part id="at-3_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AT-03a.02[02]"/>
                      <p>role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+                     <link rel="assessment-for" href="#at-3_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#at-3_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.a"/>
             </part>
             <part id="at-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03b."/>
                <part id="at-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[01]"/>
                   <p>role-based training content is updated <insert type="param" id-ref="at-03_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
                <part id="at-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-03b.[02]"/>
                   <p>role-based training content is updated following <insert type="param" id-ref="at-03_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#at-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#at-3_smt.b"/>
             </part>
             <part id="at-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-03c."/>
                <p>lessons learned from internal or external security incidents or breaches are incorporated into role-based training.</p>
+               <link rel="assessment-for" href="#at-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt"/>
          </part>
          <part id="at-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1162,6 +1242,7 @@
                <prop name="label" class="sp800-53a" value="AT-03(05)"/>
                <p>
                   <insert type="param" id-ref="at-03.05_odp.01"/> are provided with initial and refresher training <insert type="param" id-ref="at-03.05_odp.02"/> in the employment and operation of personally identifiable information processing and transparency controls.</p>
+               <link rel="assessment-for" href="#at-3.5_smt"/>
             </part>
             <part id="at-3.5_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1239,16 +1320,21 @@
                <part id="at-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[01]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
                <part id="at-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AT-04a.[02]"/>
                   <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;</p>
+                  <link rel="assessment-for" href="#at-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#at-4_smt.a"/>
             </part>
             <part id="at-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AT-04b."/>
                <p>individual training records are retained for <insert type="param" id-ref="at-04_odp"/>.</p>
+               <link rel="assessment-for" href="#at-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#at-4_smt"/>
          </part>
          <part id="at-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1419,18 +1505,22 @@
                <part id="au-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[01]"/>
                   <p>an audit and accountability policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[02]"/>
                   <p>the audit and accountability policy is disseminated to <insert type="param" id-ref="au-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[03]"/>
                   <p>audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.[04]"/>
                   <p>the audit and accountability procedures are disseminated to <insert type="param" id-ref="au-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#au-1_smt.a"/>
                </part>
                <part id="au-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01a.01"/>
@@ -1439,41 +1529,53 @@
                      <part id="au-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses scope;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses roles;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
                      <part id="au-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="AU-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
                   </part>
                   <part id="au-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#au-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.a"/>
             </part>
             <part id="au-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01b."/>
                <p>the <insert type="param" id-ref="au-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;</p>
+               <link rel="assessment-for" href="#au-1_smt.b"/>
             </part>
             <part id="au-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-01c."/>
@@ -1482,24 +1584,32 @@
                   <part id="au-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[01]"/>
                      <p>the current audit and accountability policy is reviewed and updated <insert type="param" id-ref="au-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
                   <part id="au-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.01[02]"/>
                      <p>the current audit and accountability policy is reviewed and updated following <insert type="param" id-ref="au-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.1"/>
                </part>
                <part id="au-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-01c.02"/>
                   <part id="au-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[01]"/>
                      <p>the current audit and accountability procedures are reviewed and updated <insert type="param" id-ref="au-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
                   <part id="au-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="AU-01c.02[02]"/>
                      <p>the current audit and accountability procedures are reviewed and updated following <insert type="param" id-ref="au-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#au-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#au-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#au-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt"/>
          </part>
          <part id="au-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1639,10 +1749,12 @@
                <prop name="label" class="sp800-53a" value="AU-02a."/>
                <p>
                   <insert type="param" id-ref="au-02_odp.01"/> that the system is capable of logging are identified in support of the audit logging function;</p>
+               <link rel="assessment-for" href="#au-2_smt.a"/>
             </part>
             <part id="au-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02b."/>
                <p>the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
+               <link rel="assessment-for" href="#au-2_smt.b"/>
             </part>
             <part id="au-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02c."/>
@@ -1650,20 +1762,26 @@
                   <prop name="label" class="sp800-53a" value="AU-02c.[01]"/>
                   <p>
                      <insert type="param" id-ref="au-02_odp.02"/> are specified for logging within the system;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
                <part id="au-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="AU-02c.[02]"/>
                   <p>the specified event types are logged within the system <insert type="param" id-ref="au-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#au-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#au-2_smt.c"/>
             </part>
             <part id="au-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02d."/>
                <p>a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;</p>
+               <link rel="assessment-for" href="#au-2_smt.d"/>
             </part>
             <part id="au-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-02e."/>
                <p>the event types selected for logging are reviewed and updated <insert type="param" id-ref="au-02_odp.04"/>.</p>
+               <link rel="assessment-for" href="#au-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#au-2_smt"/>
          </part>
          <part id="au-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1751,27 +1869,34 @@
             <part id="au-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03a."/>
                <p>audit records contain information that establishes what type of event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.a"/>
             </part>
             <part id="au-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03b."/>
                <p>audit records contain information that establishes when the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.b"/>
             </part>
             <part id="au-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03c."/>
                <p>audit records contain information that establishes where the event occurred;</p>
+               <link rel="assessment-for" href="#au-3_smt.c"/>
             </part>
             <part id="au-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03d."/>
                <p>audit records contain information that establishes the source of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.d"/>
             </part>
             <part id="au-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03e."/>
                <p>audit records contain information that establishes the outcome of the event;</p>
+               <link rel="assessment-for" href="#au-3_smt.e"/>
             </part>
             <part id="au-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03f."/>
                <p>audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</p>
+               <link rel="assessment-for" href="#au-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#au-3_smt"/>
          </part>
          <part id="au-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1832,6 +1957,7 @@
             <part id="au-3.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="AU-03(03)"/>
                <p>personally identifiable information contained in audit records is limited to <insert type="param" id-ref="au-03.03_odp"/> identified in the privacy risk assessment.</p>
+               <link rel="assessment-for" href="#au-3.3_smt"/>
             </part>
             <part id="au-3.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1908,6 +2034,7 @@
          <part id="au-11_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-11"/>
             <p>audit records are retained for <insert type="param" id-ref="au-11_odp"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
+            <link rel="assessment-for" href="#au-11_smt"/>
          </part>
          <part id="au-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2083,18 +2210,22 @@
                <part id="ca-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[01]"/>
                   <p>an assessment, authorization, and monitoring policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[02]"/>
                   <p>the assessment, authorization, and monitoring policy is disseminated to <insert type="param" id-ref="ca-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[03]"/>
                   <p>assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.[04]"/>
                   <p>the assessment, authorization, and monitoring procedures are disseminated to <insert type="param" id-ref="ca-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ca-1_smt.a"/>
                </part>
                <part id="ca-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01a.01"/>
@@ -2103,41 +2234,53 @@
                      <part id="ca-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
                      <part id="ca-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
                   </part>
                   <part id="ca-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.a"/>
             </part>
             <part id="ca-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01b."/>
                <p>the <insert type="param" id-ref="ca-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;</p>
+               <link rel="assessment-for" href="#ca-1_smt.b"/>
             </part>
             <part id="ca-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-01c."/>
@@ -2146,24 +2289,32 @@
                   <part id="ca-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[01]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated <insert type="param" id-ref="ca-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
                   <part id="ca-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.01[02]"/>
                      <p>the current assessment, authorization, and monitoring policy is reviewed and updated following <insert type="param" id-ref="ca-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.1"/>
                </part>
                <part id="ca-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-01c.02"/>
                   <part id="ca-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[01]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated <insert type="param" id-ref="ca-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
                   <part id="ca-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-01c.02[02]"/>
                      <p>the current assessment, authorization, and monitoring procedures are reviewed and updated following <insert type="param" id-ref="ca-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt"/>
          </part>
          <part id="ca-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2285,56 +2436,71 @@
             <part id="ca-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02a."/>
                <p>an appropriate assessor or assessment team is selected for the type of assessment to be conducted;</p>
+               <link rel="assessment-for" href="#ca-2_smt.a"/>
             </part>
             <part id="ca-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02b."/>
                <part id="ca-2_obj.b.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.01"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.1"/>
                </part>
                <part id="ca-2_obj.b.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.02"/>
                   <p>a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.b.2"/>
                </part>
                <part id="ca-2_obj.b.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02b.03"/>
                   <part id="ca-2_obj.b.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[01]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[02]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment team;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
                   <part id="ca-2_obj.b.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CA-02b.03[03]"/>
                      <p>a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                   </part>
+                  <link rel="assessment-for" href="#ca-2_smt.b.3"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.b"/>
             </part>
             <part id="ca-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02c."/>
                <p>the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.c"/>
             </part>
             <part id="ca-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02d."/>
                <part id="ca-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[01]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
                <part id="ca-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-02d.[02]"/>
                   <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;</p>
+                  <link rel="assessment-for" href="#ca-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ca-2_smt.d"/>
             </part>
             <part id="ca-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02e."/>
                <p>a control assessment report is produced that documents the results of the assessment;</p>
+               <link rel="assessment-for" href="#ca-2_smt.e"/>
             </part>
             <part id="ca-2_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-02f."/>
                <p>the results of the control assessment are provided to <insert type="param" id-ref="ca-02_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ca-2_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ca-2_smt"/>
          </part>
          <part id="ca-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2412,11 +2578,14 @@
             <part id="ca-5_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05a."/>
                <p>a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;</p>
+               <link rel="assessment-for" href="#ca-5_smt.a"/>
             </part>
             <part id="ca-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-05b."/>
                <p>existing plan of action and milestones are updated <insert type="param" id-ref="ca-05_odp"/> based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p>
+               <link rel="assessment-for" href="#ca-5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ca-5_smt"/>
          </part>
          <part id="ca-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2518,30 +2687,38 @@
             <part id="ca-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06a."/>
                <p>a senior official is assigned as the authorizing official for the system;</p>
+               <link rel="assessment-for" href="#ca-6_smt.a"/>
             </part>
             <part id="ca-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06b."/>
                <p>a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.b"/>
             </part>
             <part id="ca-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06c."/>
                <part id="ca-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.01"/>
                   <p>before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.1"/>
                </part>
                <part id="ca-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-06c.02"/>
                   <p>before commencing operations, the authorizing official for the system authorizes the system to operate;</p>
+                  <link rel="assessment-for" href="#ca-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ca-6_smt.c"/>
             </part>
             <part id="ca-6_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06d."/>
                <p>the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
+               <link rel="assessment-for" href="#ca-6_smt.d"/>
             </part>
             <part id="ca-6_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-06e."/>
                <p>the authorizations are updated <insert type="param" id-ref="ca-06_odp"/>.</p>
+               <link rel="assessment-for" href="#ca-6_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ca-6_smt"/>
          </part>
          <part id="ca-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2751,41 +2928,51 @@
             <part id="ca-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[01]"/>
                <p>a system-level continuous monitoring strategy is developed;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07[02]"/>
                <p>system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt"/>
             </part>
             <part id="ca-7_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07a."/>
                <p>system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: <insert type="param" id-ref="ca-07_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ca-7_smt.a"/>
             </part>
             <part id="ca-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07b."/>
                <part id="ca-7_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[01]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.02"/> for monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
                <part id="ca-7_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07b.[02]"/>
                   <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.03"/> for assessment of control effectiveness;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.b"/>
             </part>
             <part id="ca-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07c."/>
                <p>system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.c"/>
             </part>
             <part id="ca-7_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07d."/>
                <p>system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#ca-7_smt.d"/>
             </part>
             <part id="ca-7_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07e."/>
                <p>system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;</p>
+               <link rel="assessment-for" href="#ca-7_smt.e"/>
             </part>
             <part id="ca-7_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07f."/>
                <p>system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;</p>
+               <link rel="assessment-for" href="#ca-7_smt.f"/>
             </part>
             <part id="ca-7_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CA-07g."/>
@@ -2793,13 +2980,17 @@
                   <prop name="label" class="sp800-53a" value="CA-07g.[01]"/>
                   <p>system-level continuous monitoring includes reporting the security status of the system to <insert type="param" id-ref="ca-07_odp.04"/>
                      <insert type="param" id-ref="ca-07_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
                <part id="ca-7_obj.g-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07g.[02]"/>
                   <p>system-level continuous monitoring includes reporting the privacy status of the system to <insert type="param" id-ref="ca-07_odp.06"/>
                      <insert type="param" id-ref="ca-07_odp.07"/>.</p>
+                  <link rel="assessment-for" href="#ca-7_smt.g"/>
                </part>
+               <link rel="assessment-for" href="#ca-7_smt.g"/>
             </part>
+            <link rel="assessment-for" href="#ca-7_smt"/>
          </part>
          <part id="ca-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2878,15 +3069,19 @@
                <part id="ca-7.4_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(a)"/>
                   <p>effectiveness monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.a"/>
                </part>
                <part id="ca-7.4_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(b)"/>
                   <p>compliance monitoring is included in risk monitoring;</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.b"/>
                </part>
                <part id="ca-7.4_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CA-07(04)(c)"/>
                   <p>change monitoring is included in risk monitoring.</p>
+                  <link rel="assessment-for" href="#ca-7.4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ca-7.4_smt"/>
             </part>
             <part id="ca-7.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3067,18 +3262,22 @@
                <part id="cm-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[01]"/>
                   <p>a configuration management policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[02]"/>
                   <p>the configuration management policy is disseminated to <insert type="param" id-ref="cm-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[03]"/>
                   <p>configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.[04]"/>
                   <p>the configuration management procedures are disseminated to <insert type="param" id-ref="cm-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#cm-1_smt.a"/>
                </part>
                <part id="cm-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01a.01"/>
@@ -3087,41 +3286,53 @@
                      <part id="cm-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses scope;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses roles;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
                      <part id="cm-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="CM-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
                   </part>
                   <part id="cm-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01a.01(b)"/>
                      <p>the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.a"/>
             </part>
             <part id="cm-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01b."/>
                <p>the <insert type="param" id-ref="cm-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;</p>
+               <link rel="assessment-for" href="#cm-1_smt.b"/>
             </part>
             <part id="cm-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-01c."/>
@@ -3130,24 +3341,32 @@
                   <part id="cm-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[01]"/>
                      <p>the current configuration management policy is reviewed and updated <insert type="param" id-ref="cm-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
                   <part id="cm-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.01[02]"/>
                      <p>the current configuration management policy is reviewed and updated following <insert type="param" id-ref="cm-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.1"/>
                </part>
                <part id="cm-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="CM-01c.02"/>
                   <part id="cm-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[01]"/>
                      <p>the current configuration management procedures are reviewed and updated <insert type="param" id-ref="cm-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
                   <part id="cm-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="CM-01c.02[02]"/>
                      <p>the current configuration management procedures are reviewed and updated following <insert type="param" id-ref="cm-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#cm-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#cm-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt"/>
          </part>
          <part id="cm-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3207,11 +3426,14 @@
             <part id="cm-4_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[01]"/>
                <p>changes to the system are analyzed to determine potential security impacts prior to change implementation;</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
             <part id="cm-4_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="CM-04[02]"/>
                <p>changes to the system are analyzed to determine potential privacy impacts prior to change implementation.</p>
+               <link rel="assessment-for" href="#cm-4_smt"/>
             </part>
+            <link rel="assessment-for" href="#cm-4_smt"/>
          </part>
          <part id="cm-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3400,18 +3622,22 @@
                <part id="ir-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[01]"/>
                   <p>an incident response policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[02]"/>
                   <p>the incident response policy is disseminated to <insert type="param" id-ref="ir-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[03]"/>
                   <p>incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.[04]"/>
                   <p>the incident response procedures are disseminated to <insert type="param" id-ref="ir-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-1_smt.a"/>
                </part>
                <part id="ir-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01a.01"/>
@@ -3420,41 +3646,53 @@
                      <part id="ir-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
                      <part id="ir-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="IR-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
                   </part>
                   <part id="ir-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.a"/>
             </part>
             <part id="ir-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01b."/>
                <p>the <insert type="param" id-ref="ir-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;</p>
+               <link rel="assessment-for" href="#ir-1_smt.b"/>
             </part>
             <part id="ir-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-01c."/>
@@ -3463,24 +3701,32 @@
                   <part id="ir-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[01]"/>
                      <p>the current incident response policy is reviewed and updated <insert type="param" id-ref="ir-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
                   <part id="ir-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.01[02]"/>
                      <p>the current incident response policy is reviewed and updated following <insert type="param" id-ref="ir-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.1"/>
                </part>
                <part id="ir-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-01c.02"/>
                   <part id="ir-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[01]"/>
                      <p>the current incident response procedures are reviewed and updated <insert type="param" id-ref="ir-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
                   <part id="ir-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="IR-01c.02[02]"/>
                      <p>the current incident response procedures are reviewed and updated following <insert type="param" id-ref="ir-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ir-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ir-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt"/>
          </part>
          <part id="ir-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3587,27 +3833,35 @@
                <part id="ir-2_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.01"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="ir-02_odp.01"/> of assuming an incident response role or responsibility or acquiring system access;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.1"/>
                </part>
                <part id="ir-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.02"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.2"/>
                </part>
                <part id="ir-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02a.03"/>
                   <p>incident response training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="ir-02_odp.02"/> thereafter;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.a"/>
             </part>
             <part id="ir-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-02b."/>
                <part id="ir-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[01]"/>
                   <p>incident response training content is reviewed and updated <insert type="param" id-ref="ir-02_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
                <part id="ir-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02b.[02]"/>
                   <p>incident response training content is reviewed and updated following <insert type="param" id-ref="ir-02_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#ir-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-2_smt"/>
          </part>
          <part id="ir-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3656,11 +3910,14 @@
                <part id="ir-2.3_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02(03)[01]"/>
                   <p>incident response training on how to identify and respond to a breach is provided;</p>
+                  <link rel="assessment-for" href="#ir-2.3_smt"/>
                </part>
                <part id="ir-2.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-02(03)[02]"/>
                   <p>incident response training on the organization’s process for reporting a breach is provided.</p>
+                  <link rel="assessment-for" href="#ir-2.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#ir-2.3_smt"/>
             </part>
             <part id="ir-2.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3735,6 +3992,7 @@
          <part id="ir-3_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-03"/>
             <p>the effectiveness of the incident response capability for the system is tested <insert type="param" id-ref="ir-03_odp.01"/> using <insert type="param" id-ref="ir-03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ir-3_smt"/>
          </part>
          <part id="ir-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3830,62 +4088,79 @@
                <part id="ir-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[01]"/>
                   <p>an incident handling capability for incidents is implemented that is consistent with the incident response plan;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[02]"/>
                   <p>the incident handling capability for incidents includes preparation;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[03]"/>
                   <p>the incident handling capability for incidents includes detection and analysis;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[04]"/>
                   <p>the incident handling capability for incidents includes containment;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[05]"/>
                   <p>the incident handling capability for incidents includes eradication;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
                <part id="ir-4_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04a.[06]"/>
                   <p>the incident handling capability for incidents includes recovery;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.a"/>
             </part>
             <part id="ir-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04b."/>
                <p>incident handling activities are coordinated with contingency planning activities;</p>
+               <link rel="assessment-for" href="#ir-4_smt.b"/>
             </part>
             <part id="ir-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04c."/>
                <part id="ir-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[01]"/>
                   <p>lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
                <part id="ir-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04c.[02]"/>
                   <p>the changes resulting from the incorporated lessons learned are implemented accordingly;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.c"/>
             </part>
             <part id="ir-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-04d."/>
                <part id="ir-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[01]"/>
                   <p>the rigor of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[02]"/>
                   <p>the intensity of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[03]"/>
                   <p>the scope of incident handling activities is comparable and predictable across the organization;</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
                <part id="ir-4_obj.d-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-04d.[04]"/>
                   <p>the results of incident handling activities are comparable and predictable across the organization.</p>
+                  <link rel="assessment-for" href="#ir-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#ir-4_smt"/>
          </part>
          <part id="ir-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3953,11 +4228,14 @@
             <part id="ir-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[01]"/>
                <p>incidents are tracked;</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
             <part id="ir-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-05[02]"/>
                <p>incidents are documented.</p>
+               <link rel="assessment-for" href="#ir-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-5_smt"/>
          </part>
          <part id="ir-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4041,11 +4319,14 @@
             <part id="ir-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06a."/>
                <p>personnel is/are required to report suspected incidents to the organizational incident response capability within <insert type="param" id-ref="ir-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ir-6_smt.a"/>
             </part>
             <part id="ir-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-06b."/>
                <p>incident information is reported to <insert type="param" id-ref="ir-06_odp.02"/>.</p>
+               <link rel="assessment-for" href="#ir-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-6_smt"/>
          </part>
          <part id="ir-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4110,11 +4391,14 @@
             <part id="ir-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[01]"/>
                <p>an incident response support resource, integral to the organizational incident response capability, is provided;</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
             <part id="ir-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-07[02]"/>
                <p>the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.</p>
+               <link rel="assessment-for" href="#ir-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ir-7_smt"/>
          </part>
          <part id="ir-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4309,82 +4593,104 @@
                <part id="ir-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.01"/>
                   <p>an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.1"/>
                </part>
                <part id="ir-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.02"/>
                   <p>an incident response plan is developed that describes the structure and organization of the incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.2"/>
                </part>
                <part id="ir-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.03"/>
                   <p>an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.3"/>
                </part>
                <part id="ir-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.04"/>
                   <p>an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.4"/>
                </part>
                <part id="ir-8_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.05"/>
                   <p>an incident response plan is developed that defines reportable incidents;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.5"/>
                </part>
                <part id="ir-8_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.06"/>
                   <p>an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.6"/>
                </part>
                <part id="ir-8_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.07"/>
                   <p>an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.7"/>
                </part>
                <part id="ir-8_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.08"/>
                   <p>an incident response plan is developed that addresses the sharing of incident information;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.8"/>
                </part>
                <part id="ir-8_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.09"/>
                   <p>an incident response plan is developed that is reviewed and approved by <insert type="param" id-ref="ir-08_odp.01"/>
                      <insert type="param" id-ref="ir-08_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.9"/>
                </part>
                <part id="ir-8_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08a.10"/>
                   <p>an incident response plan is developed that explicitly designates responsibility for incident response to <insert type="param" id-ref="ir-08_odp.03"/>.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.a.10"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.a"/>
             </part>
             <part id="ir-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08b."/>
                <part id="ir-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[01]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
                <part id="ir-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08b.[02]"/>
                   <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.05"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.b"/>
             </part>
             <part id="ir-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08c."/>
                <p>the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
+               <link rel="assessment-for" href="#ir-8_smt.c"/>
             </part>
             <part id="ir-8_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08d."/>
                <part id="ir-8_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[01]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
                <part id="ir-8_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08d.[02]"/>
                   <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.07"/>;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.d"/>
             </part>
             <part id="ir-8_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="IR-08e."/>
                <part id="ir-8_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[01]"/>
                   <p>the incident response plan is protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
                <part id="ir-8_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08e.[02]"/>
                   <p>the incident response plan is protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#ir-8_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#ir-8_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#ir-8_smt"/>
          </part>
          <part id="ir-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4452,15 +4758,19 @@
                <part id="ir-8.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08(01)(a)"/>
                   <p>the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;</p>
+                  <link rel="assessment-for" href="#ir-8.1_smt.a"/>
                </part>
                <part id="ir-8.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08(01)(b)"/>
                   <p>the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;</p>
+                  <link rel="assessment-for" href="#ir-8.1_smt.b"/>
                </part>
                <part id="ir-8.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="IR-08(01)(c)"/>
                   <p>the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.</p>
+                  <link rel="assessment-for" href="#ir-8.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#ir-8.1_smt"/>
             </part>
             <part id="ir-8.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4635,18 +4945,22 @@
                <part id="mp-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[01]"/>
                   <p>a media protection policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[02]"/>
                   <p>the media protection policy is disseminated to <insert type="param" id-ref="mp-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[03]"/>
                   <p>media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.[04]"/>
                   <p>the media protection procedures are disseminated to <insert type="param" id-ref="mp-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#mp-1_smt.a"/>
                </part>
                <part id="mp-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01a.01"/>
@@ -4655,41 +4969,53 @@
                      <part id="mp-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses scope;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses roles;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
                      <part id="mp-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="MP-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy compliance;</p>
+                        <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
                   </part>
                   <part id="mp-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01a.01(b)"/>
                      <p>the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.a"/>
             </part>
             <part id="mp-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01b."/>
                <p>the <insert type="param" id-ref="mp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</p>
+               <link rel="assessment-for" href="#mp-1_smt.b"/>
             </part>
             <part id="mp-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-01c."/>
@@ -4698,24 +5024,32 @@
                   <part id="mp-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[01]"/>
                      <p>the current media protection policy is reviewed and updated <insert type="param" id-ref="mp-01_odp.05"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
                   <part id="mp-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.01[02]"/>
                      <p>the current media protection policy is reviewed and updated following <insert type="param" id-ref="mp-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.1"/>
                </part>
                <part id="mp-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-01c.02"/>
                   <part id="mp-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[01]"/>
                      <p>the current media protection procedures are reviewed and updated <insert type="param" id-ref="mp-01_odp.07"/>; </p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
                   <part id="mp-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="MP-01c.02[02]"/>
                      <p>the current media protection procedures are reviewed and updated following <insert type="param" id-ref="mp-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#mp-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#mp-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt"/>
          </part>
          <part id="mp-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4854,22 +5188,28 @@
                   <prop name="label" class="sp800-53a" value="MP-06a.[01]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.01"/> is sanitized using <insert type="param" id-ref="mp-06_odp.04"/> prior to disposal;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[02]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.02"/> is sanitized using <insert type="param" id-ref="mp-06_odp.05"/> prior to release from organizational control;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
                <part id="mp-6_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="MP-06a.[03]"/>
                   <p>
                      <insert type="param" id-ref="mp-06_odp.03"/> is sanitized using <insert type="param" id-ref="mp-06_odp.06"/> prior to release for reuse;</p>
+                  <link rel="assessment-for" href="#mp-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#mp-6_smt.a"/>
             </part>
             <part id="mp-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="MP-06b."/>
                <p>sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.</p>
+               <link rel="assessment-for" href="#mp-6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-6_smt"/>
          </part>
          <part id="mp-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4971,15 +5311,19 @@
             <part id="pe-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08a."/>
                <p>visitor access records for the facility where the system resides are maintained for <insert type="param" id-ref="pe-08_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.a"/>
             </part>
             <part id="pe-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08b."/>
                <p>visitor access records are reviewed <insert type="param" id-ref="pe-08_odp.02"/>;</p>
+               <link rel="assessment-for" href="#pe-8_smt.b"/>
             </part>
             <part id="pe-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08c."/>
                <p>visitor access records anomalies are reported to <insert type="param" id-ref="pe-08_odp.03"/>.</p>
+               <link rel="assessment-for" href="#pe-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pe-8_smt"/>
          </part>
          <part id="pe-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5040,6 +5384,7 @@
             <part id="pe-8.3_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PE-08(03)"/>
                <p>personally identifiable information contained in visitor access records is limited to <insert type="param" id-ref="pe-08.03_odp"/> identified in the privacy risk assessment.</p>
+               <link rel="assessment-for" href="#pe-8.3_smt"/>
             </part>
             <part id="pe-8.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5217,18 +5562,22 @@
                <part id="pl-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[01]"/>
                   <p>a planning policy is developed and documented.</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[02]"/>
                   <p>the planning policy is disseminated to <insert type="param" id-ref="pl-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[03]"/>
                   <p>planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.[04]"/>
                   <p>the planning procedures are disseminated to <insert type="param" id-ref="pl-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-1_smt.a"/>
                </part>
                <part id="pl-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01a.01"/>
@@ -5237,41 +5586,53 @@
                      <part id="pl-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
                      <part id="pl-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PL-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
                   </part>
                   <part id="pl-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.a"/>
             </part>
             <part id="pl-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01b."/>
                <p>the <insert type="param" id-ref="pl-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the planning policy and procedures;</p>
+               <link rel="assessment-for" href="#pl-1_smt.b"/>
             </part>
             <part id="pl-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-01c."/>
@@ -5280,24 +5641,32 @@
                   <part id="pl-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[01]"/>
                      <p>the current planning policy is reviewed and updated <insert type="param" id-ref="pl-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
                   <part id="pl-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.01[02]"/>
                      <p>the current planning policy is reviewed and updated following <insert type="param" id-ref="pl-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.1"/>
                </part>
                <part id="pl-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-01c.02"/>
                   <part id="pl-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[01]"/>
                      <p>the current planning procedures are reviewed and updated <insert type="param" id-ref="pl-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
                   <part id="pl-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-01c.02[02]"/>
                      <p>the current planning procedures are reviewed and updated following <insert type="param" id-ref="pl-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pl-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt"/>
          </part>
          <part id="pl-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5492,208 +5861,266 @@
                   <part id="pl-2_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[01]"/>
                      <p>a security plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
                   <part id="pl-2_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.01[02]"/>
                      <p>a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.1"/>
                </part>
                <part id="pl-2_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.02"/>
                   <part id="pl-2_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[01]"/>
                      <p>a security plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
                   <part id="pl-2_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.02[02]"/>
                      <p>a privacy plan for the system is developed that explicitly defines the constituent system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.2"/>
                </part>
                <part id="pl-2_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.03"/>
                   <part id="pl-2_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[01]"/>
                      <p>a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
                   <part id="pl-2_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.03[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.3"/>
                </part>
                <part id="pl-2_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.04"/>
                   <part id="pl-2_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[01]"/>
                      <p>a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
                   <part id="pl-2_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.04[02]"/>
                      <p>a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.4"/>
                </part>
                <part id="pl-2_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.05"/>
                   <part id="pl-2_obj.a.5-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[01]"/>
                      <p>a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
                   <part id="pl-2_obj.a.5-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.05[02]"/>
                      <p>a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.5"/>
                </part>
                <part id="pl-2_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.06"/>
                   <part id="pl-2_obj.a.6-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[01]"/>
                      <p>a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
                   <part id="pl-2_obj.a.6-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.06[02]"/>
                      <p>a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.6"/>
                </part>
                <part id="pl-2_obj.a.7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.07"/>
                   <part id="pl-2_obj.a.7-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[01]"/>
                      <p>a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
                   <part id="pl-2_obj.a.7-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.07[02]"/>
                      <p>a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.7"/>
                </part>
                <part id="pl-2_obj.a.8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.08"/>
                   <part id="pl-2_obj.a.8-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[01]"/>
                      <p>a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
                   <part id="pl-2_obj.a.8-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.08[02]"/>
                      <p>a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.8"/>
                </part>
                <part id="pl-2_obj.a.9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.09"/>
                   <part id="pl-2_obj.a.9-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[01]"/>
                      <p>a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
                   <part id="pl-2_obj.a.9-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.09[02]"/>
                      <p>a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.9"/>
                </part>
                <part id="pl-2_obj.a.10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.10"/>
                   <part id="pl-2_obj.a.10-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[01]"/>
                      <p>a security plan for the system is developed that provides an overview of the security requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
                   <part id="pl-2_obj.a.10-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.10[02]"/>
                      <p>a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.10"/>
                </part>
                <part id="pl-2_obj.a.11" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.11"/>
                   <part id="pl-2_obj.a.11-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[01]"/>
                      <p>a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
                   <part id="pl-2_obj.a.11-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.11[02]"/>
                      <p>a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.11"/>
                </part>
                <part id="pl-2_obj.a.12" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.12"/>
                   <part id="pl-2_obj.a.12-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[01]"/>
                      <p>a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
                   <part id="pl-2_obj.a.12-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.12[02]"/>
                      <p>a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.12"/>
                </part>
                <part id="pl-2_obj.a.13" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.13"/>
                   <part id="pl-2_obj.a.13-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[01]"/>
                      <p>a security plan for the system is developed that includes risk determinations for security architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
                   <part id="pl-2_obj.a.13-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.13[02]"/>
                      <p>a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.13"/>
                </part>
                <part id="pl-2_obj.a.14" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.14"/>
                   <part id="pl-2_obj.a.14-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[01]"/>
                      <p>a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
                   <part id="pl-2_obj.a.14-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.14[02]"/>
                      <p>a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.14"/>
                </part>
                <part id="pl-2_obj.a.15" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02a.15"/>
                   <part id="pl-2_obj.a.15-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[01]"/>
                      <p>a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
                   <part id="pl-2_obj.a.15-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-02a.15[02]"/>
                      <p>a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
+                     <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-2_smt.a.15"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.a"/>
             </part>
             <part id="pl-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02b."/>
                <part id="pl-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[01]"/>
                   <p>copies of the plans are distributed to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
                <part id="pl-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02b.[02]"/>
                   <p>subsequent changes to the plans are communicated to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.b"/>
             </part>
             <part id="pl-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02c."/>
                <p>plans are reviewed <insert type="param" id-ref="pl-02_odp.03"/>;</p>
+               <link rel="assessment-for" href="#pl-2_smt.c"/>
             </part>
             <part id="pl-2_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02d."/>
                <part id="pl-2_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[01]"/>
                   <p>plans are updated to address changes to the system and environment of operations;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[02]"/>
                   <p>plans are updated to address problems identified during the plan implementation;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
                <part id="pl-2_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02d.[03]"/>
                   <p>plans are updated to address problems identified during control assessments;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.d"/>
             </part>
             <part id="pl-2_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-02e."/>
                <part id="pl-2_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[01]"/>
                   <p>plans are protected from unauthorized disclosure;</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
                <part id="pl-2_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-02e.[02]"/>
                   <p>plans are protected from unauthorized modification.</p>
+                  <link rel="assessment-for" href="#pl-2_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pl-2_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt"/>
          </part>
          <part id="pl-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5817,24 +6244,31 @@
                <part id="pl-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[01]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
                <part id="pl-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04a.[02]"/>
                   <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;</p>
+                  <link rel="assessment-for" href="#pl-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pl-4_smt.a"/>
             </part>
             <part id="pl-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04b."/>
                <p>before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;</p>
+               <link rel="assessment-for" href="#pl-4_smt.b"/>
             </part>
             <part id="pl-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04c."/>
                <p>rules of behavior are reviewed and updated <insert type="param" id-ref="pl-04_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pl-4_smt.c"/>
             </part>
             <part id="pl-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-04d."/>
                <p>individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge <insert type="param" id-ref="pl-04_odp.02"/>.</p>
+               <link rel="assessment-for" href="#pl-4_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pl-4_smt"/>
          </part>
          <part id="pl-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5903,15 +6337,19 @@
                <part id="pl-4.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(a)"/>
                   <p>the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.a"/>
                </part>
                <part id="pl-4.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(b)"/>
                   <p>the rules of behavior include restrictions on posting organizational information on public websites;</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.b"/>
                </part>
                <part id="pl-4.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-04(01)(c)"/>
                   <p>the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</p>
+                  <link rel="assessment-for" href="#pl-4.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-4.1_smt"/>
             </part>
             <part id="pl-4.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6024,65 +6462,83 @@
                <part id="pl-8_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.01"/>
                   <p>a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.1"/>
                </part>
                <part id="pl-8_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.02"/>
                   <p>a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.a.2"/>
                </part>
                <part id="pl-8_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.03"/>
                   <part id="pl-8_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[01]"/>
                      <p>a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
                   <part id="pl-8_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.03[02]"/>
                      <p>a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.3"/>
                </part>
                <part id="pl-8_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08a.04"/>
                   <part id="pl-8_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[01]"/>
                      <p>a security architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
                   <part id="pl-8_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PL-08a.04[02]"/>
                      <p>a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+                     <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pl-8_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.a"/>
             </part>
             <part id="pl-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08b."/>
                <p>changes in the enterprise architecture are reviewed and updated <insert type="param" id-ref="pl-08_odp"/> to reflect changes in the enterprise architecture;</p>
+               <link rel="assessment-for" href="#pl-8_smt.b"/>
             </part>
             <part id="pl-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PL-08c."/>
                <part id="pl-8_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[01]"/>
                   <p>planned architecture changes are reflected in the security plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[02]"/>
                   <p>planned architecture changes are reflected in the privacy plan;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[03]"/>
                   <p>planned architecture changes are reflected in the Concept of Operations (CONOPS);</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[04]"/>
                   <p>planned architecture changes are reflected in criticality analysis;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[05]"/>
                   <p>planned architecture changes are reflected in organizational procedures;</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
                <part id="pl-8_obj.c-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PL-08c.[06]"/>
                   <p>planned architecture changes are reflected in procurements and acquisitions.</p>
+                  <link rel="assessment-for" href="#pl-8_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pl-8_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pl-8_smt"/>
          </part>
          <part id="pl-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6153,6 +6609,7 @@
             <prop name="label" class="sp800-53a" value="PL-09"/>
             <p>
                <insert type="param" id-ref="pl-09_odp"/> are centrally managed.</p>
+            <link rel="assessment-for" href="#pl-9_smt"/>
          </part>
          <part id="pl-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6227,34 +6684,44 @@
                <part id="pm-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03a.[01]"/>
                   <p>the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;</p>
+                  <link rel="assessment-for" href="#pm-3_smt.a"/>
                </part>
                <part id="pm-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03a.[02]"/>
                   <p>the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;</p>
+                  <link rel="assessment-for" href="#pm-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-3_smt.a"/>
             </part>
             <part id="pm-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-03b."/>
                <part id="pm-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03b.[01]"/>
                   <p>the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;</p>
+                  <link rel="assessment-for" href="#pm-3_smt.b"/>
                </part>
                <part id="pm-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03b.[02]"/>
                   <p>the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;</p>
+                  <link rel="assessment-for" href="#pm-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-3_smt.b"/>
             </part>
             <part id="pm-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-03c."/>
                <part id="pm-3_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03c.[01]"/>
                   <p>information security resources are made available for expenditure as planned;</p>
+                  <link rel="assessment-for" href="#pm-3_smt.c"/>
                </part>
                <part id="pm-3_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-03c.[02]"/>
                   <p>privacy resources are made available for expenditure as planned.</p>
+                  <link rel="assessment-for" href="#pm-3_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pm-3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-3_smt"/>
          </part>
          <part id="pm-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6340,70 +6807,90 @@
                   <part id="pm-4_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[01]"/>
                      <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
                   <part id="pm-4_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[02]"/>
                      <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
                   <part id="pm-4_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[03]"/>
                      <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
                   <part id="pm-4_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[04]"/>
                      <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
                   <part id="pm-4_obj.a.1-5" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[05]"/>
                      <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
                   <part id="pm-4_obj.a.1-6" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.01[06]"/>
                      <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-4_smt.a.1"/>
                </part>
                <part id="pm-4_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-04a.02"/>
                   <part id="pm-4_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.02[01]"/>
                      <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.2"/>
                   </part>
                   <part id="pm-4_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.02[02]"/>
                      <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.2"/>
                   </part>
                   <part id="pm-4_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.02[03]"/>
                      <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-4_smt.a.2"/>
                </part>
                <part id="pm-4_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-04a.03"/>
                   <part id="pm-4_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.03[01]"/>
                      <p>a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.3"/>
                   </part>
                   <part id="pm-4_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.03[02]"/>
                      <p>a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.3"/>
                   </part>
                   <part id="pm-4_obj.a.3-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-04a.03[03]"/>
                      <p>a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+                     <link rel="assessment-for" href="#pm-4_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-4_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#pm-4_smt.a"/>
             </part>
             <part id="pm-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-04b."/>
                <part id="pm-4_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-04b.[01]"/>
                   <p>plans of action and milestones are reviewed for consistency with the organizational risk management strategy;</p>
+                  <link rel="assessment-for" href="#pm-4_smt.b"/>
                </part>
                <part id="pm-4_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-04b.[02]"/>
                   <p>plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.</p>
+                  <link rel="assessment-for" href="#pm-4_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-4_smt"/>
          </part>
          <part id="pm-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6466,11 +6953,14 @@
             <part id="pm-5_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-05[01]"/>
                <p>an inventory of organizational systems is developed;</p>
+               <link rel="assessment-for" href="#pm-5_smt"/>
             </part>
             <part id="pm-5_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-05[02]"/>
                <p>the inventory of organizational systems is updated <insert type="param" id-ref="pm-05_odp"/>.</p>
+               <link rel="assessment-for" href="#pm-5_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-5_smt"/>
          </part>
          <part id="pm-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6538,15 +7028,19 @@
                <part id="pm-5.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-05(01)[01]"/>
                   <p>an inventory of all systems, applications, and projects that process personally identifiable information is established;</p>
+                  <link rel="assessment-for" href="#pm-5.1_smt"/>
                </part>
                <part id="pm-5.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-05(01)[02]"/>
                   <p>an inventory of all systems, applications, and projects that process personally identifiable information is maintained;</p>
+                  <link rel="assessment-for" href="#pm-5.1_smt"/>
                </part>
                <part id="pm-5.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-05(01)[03]"/>
                   <p>an inventory of all systems, applications, and projects that process personally identifiable information is updated <insert type="param" id-ref="pm-05.01_odp"/>.</p>
+                  <link rel="assessment-for" href="#pm-5.1_smt"/>
                </part>
+               <link rel="assessment-for" href="#pm-5.1_smt"/>
             </part>
             <part id="pm-5.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6611,27 +7105,34 @@
             <part id="pm-6_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[01]"/>
                <p>information security measures of performance are developed;</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
             <part id="pm-6_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[02]"/>
                <p>information security measures of performance are monitored;</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
             <part id="pm-6_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[03]"/>
                <p>the results of information security measures of performance are reported;</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
             <part id="pm-6_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[04]"/>
                <p>privacy measures of performance are developed;</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
             <part id="pm-6_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[05]"/>
                <p>privacy measures of performance are monitored;</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
             <part id="pm-6_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-06[06]"/>
                <p>the results of privacy measures of performance are reported.</p>
+               <link rel="assessment-for" href="#pm-6_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-6_smt"/>
          </part>
          <part id="pm-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6696,27 +7197,34 @@
             <part id="pm-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[01]"/>
                <p>an enterprise architecture is developed with consideration for information security;</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
             <part id="pm-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[02]"/>
                <p>an enterprise architecture is maintained with consideration for information security;</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
             <part id="pm-7_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[03]"/>
                <p>an enterprise architecture is developed with consideration for privacy;</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
             <part id="pm-7_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[04]"/>
                <p>an enterprise architecture is maintained with consideration for privacy;</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
             <part id="pm-7_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[05]"/>
                <p>an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
             <part id="pm-7_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-07[06]"/>
                <p>an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.</p>
+               <link rel="assessment-for" href="#pm-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-7_smt"/>
          </part>
          <part id="pm-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6781,27 +7289,34 @@
             <part id="pm-8_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[01]"/>
                <p>information security issues are addressed in the development of a critical infrastructure and key resources protection plan;</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
             <part id="pm-8_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[02]"/>
                <p>information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
             <part id="pm-8_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[03]"/>
                <p>information security issues are addressed in the update of a critical infrastructure and key resources protection plan;</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
             <part id="pm-8_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[04]"/>
                <p>privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
             <part id="pm-8_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[05]"/>
                <p>privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
             <part id="pm-8_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-08[06]"/>
                <p>privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.</p>
+               <link rel="assessment-for" href="#pm-8_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-8_smt"/>
          </part>
          <part id="pm-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6928,20 +7443,26 @@
                <part id="pm-9_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-09a.01"/>
                   <p>a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;</p>
+                  <link rel="assessment-for" href="#pm-9_smt.a.1"/>
                </part>
                <part id="pm-9_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-09a.02"/>
                   <p>a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;</p>
+                  <link rel="assessment-for" href="#pm-9_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pm-9_smt.a"/>
             </part>
             <part id="pm-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-09b."/>
                <p>the risk management strategy is implemented consistently across the organization;</p>
+               <link rel="assessment-for" href="#pm-9_smt.b"/>
             </part>
             <part id="pm-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-09c."/>
                <p>the risk management strategy is reviewed and updated <insert type="param" id-ref="pm-09_odp"/> or as required to address organizational changes.</p>
+               <link rel="assessment-for" href="#pm-9_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-9_smt"/>
          </part>
          <part id="pm-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7015,20 +7536,26 @@
                <part id="pm-10_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-10a.[01]"/>
                   <p>the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;</p>
+                  <link rel="assessment-for" href="#pm-10_smt.a"/>
                </part>
                <part id="pm-10_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-10a.[02]"/>
                   <p>the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;</p>
+                  <link rel="assessment-for" href="#pm-10_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-10_smt.a"/>
             </part>
             <part id="pm-10_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-10b."/>
                <p>individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;</p>
+               <link rel="assessment-for" href="#pm-10_smt.b"/>
             </part>
             <part id="pm-10_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-10c."/>
                <p>the authorization processes are integrated into an organization-wide risk management program.</p>
+               <link rel="assessment-for" href="#pm-10_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-10_smt"/>
          </part>
          <part id="pm-10_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7118,31 +7645,40 @@
                <part id="pm-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-11a.[01]"/>
                   <p>organizational mission and business processes are defined with consideration for information security;</p>
+                  <link rel="assessment-for" href="#pm-11_smt.a"/>
                </part>
                <part id="pm-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-11a.[02]"/>
                   <p>organizational mission and business processes are defined with consideration for privacy;</p>
+                  <link rel="assessment-for" href="#pm-11_smt.a"/>
                </part>
                <part id="pm-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-11a.[03]"/>
                   <p>organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;</p>
+                  <link rel="assessment-for" href="#pm-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-11_smt.a"/>
             </part>
             <part id="pm-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-11b."/>
                <part id="pm-11_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-11b.[01]"/>
                   <p>information protection needs arising from the defined mission and business processes are determined;</p>
+                  <link rel="assessment-for" href="#pm-11_smt.b"/>
                </part>
                <part id="pm-11_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-11b.[02]"/>
                   <p>personally identifiable information processing needs arising from the defined mission and business processes are determined;</p>
+                  <link rel="assessment-for" href="#pm-11_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-11_smt.b"/>
             </part>
             <part id="pm-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-11c."/>
                <p>the mission and business processes are reviewed and revised <insert type="param" id-ref="pm-11_odp"/>.</p>
+               <link rel="assessment-for" href="#pm-11_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-11_smt"/>
          </part>
          <part id="pm-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7199,11 +7735,14 @@
             <part id="pm-13_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-13[01]"/>
                <p>a security workforce development and improvement program is established;</p>
+               <link rel="assessment-for" href="#pm-13_smt"/>
             </part>
             <part id="pm-13_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-13[02]"/>
                <p>a privacy workforce development and improvement program is established.</p>
+               <link rel="assessment-for" href="#pm-13_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-13_smt"/>
          </part>
          <part id="pm-13_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7289,59 +7828,76 @@
                   <part id="pm-14_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.01[01]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.1"/>
                   </part>
                   <part id="pm-14_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.01[02]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.1"/>
                   </part>
                   <part id="pm-14_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.01[03]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.1"/>
                   </part>
                   <part id="pm-14_obj.a.1-4" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.01[04]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-14_smt.a.1"/>
                </part>
                <part id="pm-14_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14a.02"/>
                   <part id="pm-14_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.02[01]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.2"/>
                   </part>
                   <part id="pm-14_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-14a.02[02]"/>
                      <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;</p>
+                     <link rel="assessment-for" href="#pm-14_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-14_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pm-14_smt.a"/>
             </part>
             <part id="pm-14_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-14b."/>
                <part id="pm-14_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[01]"/>
                   <p>testing plans are reviewed for consistency with the organizational risk management strategy;</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
                <part id="pm-14_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[02]"/>
                   <p>training plans are reviewed for consistency with the organizational risk management strategy;</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
                <part id="pm-14_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[03]"/>
                   <p>monitoring plans are reviewed for consistency with the organizational risk management strategy;</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
                <part id="pm-14_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[04]"/>
                   <p>testing plans are reviewed for consistency with organization-wide priorities for risk response actions;</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
                <part id="pm-14_obj.b-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[05]"/>
                   <p>training plans are reviewed for consistency with organization-wide priorities for risk response actions;</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
                <part id="pm-14_obj.b-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-14b.[06]"/>
                   <p>monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.</p>
+                  <link rel="assessment-for" href="#pm-14_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-14_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-14_smt"/>
          </part>
          <part id="pm-14_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7435,24 +7991,31 @@
                <part id="pm-17_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-17a.[01]"/>
                   <p>policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;</p>
+                  <link rel="assessment-for" href="#pm-17_smt.a"/>
                </part>
                <part id="pm-17_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-17a.[02]"/>
                   <p>procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;</p>
+                  <link rel="assessment-for" href="#pm-17_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-17_smt.a"/>
             </part>
             <part id="pm-17_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-17b."/>
                <part id="pm-17_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-17b.[01]"/>
                   <p>policy is reviewed and updated <insert type="param" id-ref="pm-17_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pm-17_smt.b"/>
                </part>
                <part id="pm-17_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-17b.[02]"/>
                   <p>procedures are reviewed and updated <insert type="param" id-ref="pm-17_odp.02"/>
                   </p>
+                  <link rel="assessment-for" href="#pm-17_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-17_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-17_smt"/>
          </part>
          <part id="pm-17_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7540,91 +8103,116 @@
                <part id="pm-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.[01]"/>
                   <p>an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.a"/>
                </part>
                <part id="pm-18_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.01"/>
                   <part id="pm-18_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.01[01]"/>
                      <p>the privacy program plan includes a description of the structure of the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.1"/>
                   </part>
                   <part id="pm-18_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.01[02]"/>
                      <p>the privacy program plan includes a description of the resources dedicated to the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-18_smt.a.1"/>
                </part>
                <part id="pm-18_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.02"/>
                   <part id="pm-18_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.02[01]"/>
                      <p>the privacy program plan provides an overview of the requirements for the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.2"/>
                   </part>
                   <part id="pm-18_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.02[02]"/>
                      <p>the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.2"/>
                   </part>
                   <part id="pm-18_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.02[03]"/>
                      <p>the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-18_smt.a.2"/>
                </part>
                <part id="pm-18_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.03"/>
                   <part id="pm-18_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.03[01]"/>
                      <p>the privacy program plan includes the role of the senior agency official for privacy;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.3"/>
                   </part>
                   <part id="pm-18_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.03[02]"/>
                      <p>the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-18_smt.a.3"/>
                </part>
                <part id="pm-18_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.04"/>
                   <part id="pm-18_obj.a.4-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.04[01]"/>
                      <p>the privacy program plan describes management commitment;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.4"/>
                   </part>
                   <part id="pm-18_obj.a.4-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.04[02]"/>
                      <p>the privacy program plan describes compliance;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.4"/>
                   </part>
                   <part id="pm-18_obj.a.4-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-18a.04[03]"/>
                      <p>the privacy program plan describes the strategic goals and objectives of the privacy program;</p>
+                     <link rel="assessment-for" href="#pm-18_smt.a.4"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-18_smt.a.4"/>
                </part>
                <part id="pm-18_obj.a.5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.05"/>
                   <p>the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.a.5"/>
                </part>
                <part id="pm-18_obj.a.6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.06"/>
                   <p>the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.a.6"/>
                </part>
                <part id="pm-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18a.[02]"/>
                   <p>the privacy program plan is disseminated;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-18_smt.a"/>
             </part>
             <part id="pm-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-18b."/>
                <part id="pm-18_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18b.[01]"/>
                   <p>the privacy program plan is updated <insert type="param" id-ref="pm-18_odp"/>;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.b"/>
                </part>
                <part id="pm-18_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18b.[02]"/>
                   <p>the privacy program plan is updated to address changes in federal privacy laws and policies;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.b"/>
                </part>
                <part id="pm-18_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18b.[03]"/>
                   <p>the privacy program plan is updated to address organizational changes;</p>
+                  <link rel="assessment-for" href="#pm-18_smt.b"/>
                </part>
                <part id="pm-18_obj.b-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-18b.[04]"/>
                   <p>the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.</p>
+                  <link rel="assessment-for" href="#pm-18_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-18_smt"/>
          </part>
          <part id="pm-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7672,23 +8260,29 @@
             <part id="pm-19_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-19[01]"/>
                <p>a senior agency official for privacy with authority, mission, accountability, and resources is appointed;</p>
+               <link rel="assessment-for" href="#pm-19_smt"/>
             </part>
             <part id="pm-19_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-19[02]"/>
                <p>the senior agency official for privacy coordinates applicable privacy requirements;</p>
+               <link rel="assessment-for" href="#pm-19_smt"/>
             </part>
             <part id="pm-19_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-19[03]"/>
                <p>the senior agency official for privacy develops applicable privacy requirements;</p>
+               <link rel="assessment-for" href="#pm-19_smt"/>
             </part>
             <part id="pm-19_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-19[04]"/>
                <p>the senior agency official for privacy implements applicable privacy requirements;</p>
+               <link rel="assessment-for" href="#pm-19_smt"/>
             </part>
             <part id="pm-19_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-19[05]"/>
                <p>the senior agency official for privacy manages privacy risks through the organization-wide privacy program.</p>
+               <link rel="assessment-for" href="#pm-19_smt"/>
             </part>
+            <link rel="assessment-for" href="#pm-19_smt"/>
          </part>
          <part id="pm-19_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7757,37 +8351,47 @@
             <part id="pm-20_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-20[01]"/>
                <p>a central resource webpage is maintained on the organization’s principal public website;</p>
+               <link rel="assessment-for" href="#pm-20_smt"/>
             </part>
             <part id="pm-20_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-20[02]"/>
                <p>the webpage serves as a central source of information about the organization’s privacy program;</p>
+               <link rel="assessment-for" href="#pm-20_smt"/>
             </part>
             <part id="pm-20_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-20a."/>
                <part id="pm-20_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20a.[01]"/>
                   <p>the webpage ensures that the public has access to information about organizational privacy activities;</p>
+                  <link rel="assessment-for" href="#pm-20_smt.a"/>
                </part>
                <part id="pm-20_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20a.[02]"/>
                   <p>the webpage ensures that the public can communicate with its senior agency official for privacy;</p>
+                  <link rel="assessment-for" href="#pm-20_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-20_smt.a"/>
             </part>
             <part id="pm-20_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-20b."/>
                <part id="pm-20_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20b.[01]"/>
                   <p>the webpage ensures that organizational privacy practices are publicly available;</p>
+                  <link rel="assessment-for" href="#pm-20_smt.b"/>
                </part>
                <part id="pm-20_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20b.[02]"/>
                   <p>the webpage ensures that organizational privacy reports are publicly available;</p>
+                  <link rel="assessment-for" href="#pm-20_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-20_smt.b"/>
             </part>
             <part id="pm-20_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-20c."/>
                <p>the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</p>
+               <link rel="assessment-for" href="#pm-20_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-20_smt"/>
          </part>
          <part id="pm-20_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7854,48 +8458,61 @@
                <part id="pm-20.1_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)[01]"/>
                   <p>privacy policies are developed and posted on all external-facing websites;</p>
+                  <link rel="assessment-for" href="#pm-20.1_smt"/>
                </part>
                <part id="pm-20.1_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)[02]"/>
                   <p>privacy policies are developed and posted on all mobile applications;</p>
+                  <link rel="assessment-for" href="#pm-20.1_smt"/>
                </part>
                <part id="pm-20.1_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)[03]"/>
                   <p>privacy policies are developed and posted on all other digital services;</p>
+                  <link rel="assessment-for" href="#pm-20.1_smt"/>
                </part>
                <part id="pm-20.1_obj.a" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)(a)"/>
                   <part id="pm-20.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(a)[01]"/>
                      <p>the privacy policies are written in plain language;</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.a"/>
                   </part>
                   <part id="pm-20.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(a)[02]"/>
                      <p>the privacy policies are organized in a way that is easy to understand and navigate;</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-20.1_smt.a"/>
                </part>
                <part id="pm-20.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)(b)"/>
                   <part id="pm-20.1_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(b)[01]"/>
                      <p>the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.b"/>
                   </part>
                   <part id="pm-20.1_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(b)[02]"/>
                      <p>the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-20.1_smt.b"/>
                </part>
                <part id="pm-20.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-20(01)(c)"/>
                   <part id="pm-20.1_obj.c-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(c)[01]"/>
                      <p>the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.c"/>
                   </part>
                   <part id="pm-20.1_obj.c-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-20(01)(c)[02]"/>
                      <p>the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.</p>
+                     <link rel="assessment-for" href="#pm-20.1_smt.c"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-20.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pm-20.1_smt"/>
             </part>
             <part id="pm-20.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7973,36 +8590,47 @@
                   <part id="pm-21_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-21a.01[01]"/>
                      <p>the accounting includes the date of each disclosure;</p>
+                     <link rel="assessment-for" href="#pm-21_smt.a.1"/>
                   </part>
                   <part id="pm-21_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-21a.01[02]"/>
                      <p>the accounting includes the nature of each disclosure;</p>
+                     <link rel="assessment-for" href="#pm-21_smt.a.1"/>
                   </part>
                   <part id="pm-21_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-21a.01[03]"/>
                      <p>the accounting includes the purpose of each disclosure;</p>
+                     <link rel="assessment-for" href="#pm-21_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-21_smt.a.1"/>
                </part>
                <part id="pm-21_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-21a.02"/>
                   <part id="pm-21_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-21a.02[01]"/>
                      <p>the accounting includes the name of the individual or organization to whom the disclosure was made;</p>
+                     <link rel="assessment-for" href="#pm-21_smt.a.2"/>
                   </part>
                   <part id="pm-21_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-21a.02[02]"/>
                      <p>the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;</p>
+                     <link rel="assessment-for" href="#pm-21_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-21_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pm-21_smt.a"/>
             </part>
             <part id="pm-21_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-21b."/>
                <p>the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;</p>
+               <link rel="assessment-for" href="#pm-21_smt.b"/>
             </part>
             <part id="pm-21_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-21c."/>
                <p>the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.</p>
+               <link rel="assessment-for" href="#pm-21_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-21_smt"/>
          </part>
          <part id="pm-21_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8079,79 +8707,100 @@
             <part id="pm-22_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22[01]"/>
                <p>organization-wide policies for personally identifiable information quality management are developed and documented;</p>
+               <link rel="assessment-for" href="#pm-22_smt"/>
             </part>
             <part id="pm-22_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22[02]"/>
                <p>organization-wide procedures for personally identifiable information quality management are developed and documented;</p>
+               <link rel="assessment-for" href="#pm-22_smt"/>
             </part>
             <part id="pm-22_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22a."/>
                <part id="pm-22_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[01]"/>
                   <p>the policies address reviewing the accuracy of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[02]"/>
                   <p>the policies address reviewing the relevance of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[03]"/>
                   <p>the policies address reviewing the timeliness of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[04]"/>
                   <p>the policies address reviewing the completeness of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[05]"/>
                   <p>the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[06]"/>
                   <p>the procedures address reviewing the relevance of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[07]"/>
                   <p>the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
                <part id="pm-22_obj.a-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22a.[08]"/>
                   <p>the procedures address reviewing the completeness of personally identifiable information across the information life cycle;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-22_smt.a"/>
             </part>
             <part id="pm-22_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22b."/>
                <part id="pm-22_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22b.[01]"/>
                   <p>the policies address correcting or deleting inaccurate or outdated personally identifiable information;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.b"/>
                </part>
                <part id="pm-22_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22b.[02]"/>
                   <p>the procedures address correcting or deleting inaccurate or outdated personally identifiable information;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-22_smt.b"/>
             </part>
             <part id="pm-22_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22c."/>
                <part id="pm-22_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22c.[01]"/>
                   <p>the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.c"/>
                </part>
                <part id="pm-22_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22c.[02]"/>
                   <p>the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pm-22_smt.c"/>
             </part>
             <part id="pm-22_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-22d."/>
                <part id="pm-22_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22d.[01]"/>
                   <p>the policies address appeals of adverse decisions on correction or deletion requests;</p>
+                  <link rel="assessment-for" href="#pm-22_smt.d"/>
                </part>
                <part id="pm-22_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-22d.[02]"/>
                   <p>the procedures address appeals of adverse decisions on correction or deletion requests.</p>
+                  <link rel="assessment-for" href="#pm-22_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pm-22_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pm-22_smt"/>
          </part>
          <part id="pm-22_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8219,11 +8868,14 @@
             <part id="pm-24_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-24a."/>
                <p>the Data Integrity Board reviews proposals to conduct or participate in a matching program;</p>
+               <link rel="assessment-for" href="#pm-24_smt.a"/>
             </part>
             <part id="pm-24_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-24b."/>
                <p>the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.</p>
+               <link rel="assessment-for" href="#pm-24_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-24_smt"/>
          </part>
          <part id="pm-24_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8331,101 +8983,128 @@
                <part id="pm-25_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[01]"/>
                   <p>policies that address the use of personally identifiable information for internal testing are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[02]"/>
                   <p>policies that address the use of personally identifiable information for internal training are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[03]"/>
                   <p>policies that address the use of personally identifiable information for internal research are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[04]"/>
                   <p>procedures that address the use of personally identifiable information for internal testing are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-5" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[05]"/>
                   <p>procedures that address the use of personally identifiable information for internal training are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-6" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[06]"/>
                   <p>procedures that address the use of personally identifiable information for internal research are developed and documented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-7" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[07]"/>
                   <p>policies that address the use of personally identifiable information for internal testing, are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-8" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[08]"/>
                   <p>policies that address the use of personally identifiable information for training are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-9" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[09]"/>
                   <p>policies that address the use of personally identifiable information for research are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-10" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[10]"/>
                   <p>procedures that address the use of personally identifiable information for internal testing are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-11" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[11]"/>
                   <p>procedures that address the use of personally identifiable information for training are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
                <part id="pm-25_obj.a-12" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25a.[12]"/>
                   <p>procedures that address the use of personally identifiable information for research are implemented;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-25_smt.a"/>
             </part>
             <part id="pm-25_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-25b."/>
                <part id="pm-25_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25b.[01]"/>
                   <p>the amount of personally identifiable information used for internal testing purposes is limited or minimized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.b"/>
                </part>
                <part id="pm-25_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25b.[02]"/>
                   <p>the amount of personally identifiable information used for internal training purposes is limited or minimized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.b"/>
                </part>
                <part id="pm-25_obj.b-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25b.[03]"/>
                   <p>the amount of personally identifiable information used for internal research purposes is limited or minimized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-25_smt.b"/>
             </part>
             <part id="pm-25_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-25c."/>
                <part id="pm-25_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25c.[01]"/>
                   <p>the required use of personally identifiable information for internal testing is authorized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.c"/>
                </part>
                <part id="pm-25_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25c.[02]"/>
                   <p>the required use of personally identifiable information for internal training is authorized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.c"/>
                </part>
                <part id="pm-25_obj.c-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25c.[03]"/>
                   <p>the required use of personally identifiable information for internal research is authorized;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pm-25_smt.c"/>
             </part>
             <part id="pm-25_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-25d."/>
                <part id="pm-25_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25d.[01]"/>
                   <p>policies are reviewed <insert type="param" id-ref="pm-25_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.d"/>
                </part>
                <part id="pm-25_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25d.[02]"/>
                   <p>policies are updated <insert type="param" id-ref="pm-25_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.d"/>
                </part>
                <part id="pm-25_obj.d-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25d.[03]"/>
                   <p>procedures are reviewed <insert type="param" id-ref="pm-25_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#pm-25_smt.d"/>
                </part>
                <part id="pm-25_obj.d-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-25d.[04]"/>
                   <p>procedures are updated <insert type="param" id-ref="pm-25_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#pm-25_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pm-25_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pm-25_smt"/>
          </part>
          <part id="pm-25_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8541,45 +9220,57 @@
             <part id="pm-26_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26[01]"/>
                <p>a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;</p>
+               <link rel="assessment-for" href="#pm-26_smt"/>
             </part>
             <part id="pm-26_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26[02]"/>
                <p>a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;</p>
+               <link rel="assessment-for" href="#pm-26_smt"/>
             </part>
             <part id="pm-26_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26a."/>
                <part id="pm-26_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-26a.[01]"/>
                   <p>the complaint management process includes mechanisms that are easy to use by the public;</p>
+                  <link rel="assessment-for" href="#pm-26_smt.a"/>
                </part>
                <part id="pm-26_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-26a.[02]"/>
                   <p>the complaint management process includes mechanisms that are readily accessible by the public;</p>
+                  <link rel="assessment-for" href="#pm-26_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pm-26_smt.a"/>
             </part>
             <part id="pm-26_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26b."/>
                <p>the complaint management process includes all information necessary for successfully filing complaints;</p>
+               <link rel="assessment-for" href="#pm-26_smt.b"/>
             </part>
             <part id="pm-26_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26c."/>
                <part id="pm-26_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-26c.[01]"/>
                   <p>the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within <insert type="param" id-ref="pm-26_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pm-26_smt.c"/>
                </part>
                <part id="pm-26_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-26c.[02]"/>
                   <p>the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within <insert type="param" id-ref="pm-26_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pm-26_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pm-26_smt.c"/>
             </part>
             <part id="pm-26_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26d."/>
                <p>the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within <insert type="param" id-ref="pm-26_odp.03"/>;</p>
+               <link rel="assessment-for" href="#pm-26_smt.d"/>
             </part>
             <part id="pm-26_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-26e."/>
                <p>the complaint management process includes responding to complaints, concerns, or questions from individuals within <insert type="param" id-ref="pm-26_odp.04"/>.</p>
+               <link rel="assessment-for" href="#pm-26_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pm-26_smt"/>
          </part>
          <part id="pm-26_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8687,23 +9378,30 @@
                <part id="pm-27_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-27a.01"/>
                   <p>the privacy reports are disseminated to <insert type="param" id-ref="pm-27_odp.02"/> to demonstrate accountability with statutory, regulatory, and policy privacy mandates;</p>
+                  <link rel="assessment-for" href="#pm-27_smt.a.1"/>
                </part>
                <part id="pm-27_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-27a.02"/>
                   <part id="pm-27_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-27a.02[01]"/>
                      <p>the privacy reports are disseminated to <insert type="param" id-ref="pm-27_odp.03"/>;</p>
+                     <link rel="assessment-for" href="#pm-27_smt.a.2"/>
                   </part>
                   <part id="pm-27_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-27a.02[02]"/>
                      <p>the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;</p>
+                     <link rel="assessment-for" href="#pm-27_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-27_smt.a.2"/>
                </part>
+               <link rel="assessment-for" href="#pm-27_smt.a"/>
             </part>
             <part id="pm-27_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-27b."/>
                <p>the privacy reports are reviewed and updated <insert type="param" id-ref="pm-27_odp.04"/>.</p>
+               <link rel="assessment-for" href="#pm-27_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-27_smt"/>
          </part>
          <part id="pm-27_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8803,55 +9501,71 @@
                   <part id="pm-28_obj.a.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.01[01]"/>
                      <p>assumptions affecting risk assessments are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.1"/>
                   </part>
                   <part id="pm-28_obj.a.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.01[02]"/>
                      <p>assumptions affecting risk responses are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.1"/>
                   </part>
                   <part id="pm-28_obj.a.1-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.01[03]"/>
                      <p>assumptions affecting risk monitoring are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-28_smt.a.1"/>
                </part>
                <part id="pm-28_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-28a.02"/>
                   <part id="pm-28_obj.a.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.02[01]"/>
                      <p>constraints affecting risk assessments are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.2"/>
                   </part>
                   <part id="pm-28_obj.a.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.02[02]"/>
                      <p>constraints affecting risk responses are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.2"/>
                   </part>
                   <part id="pm-28_obj.a.2-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.02[03]"/>
                      <p>constraints affecting risk monitoring are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-28_smt.a.2"/>
                </part>
                <part id="pm-28_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-28a.03"/>
                   <part id="pm-28_obj.a.3-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.03[01]"/>
                      <p>priorities considered by the organization for managing risk are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.3"/>
                   </part>
                   <part id="pm-28_obj.a.3-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PM-28a.03[02]"/>
                      <p>trade-offs considered by the organization for managing risk are identified and documented;</p>
+                     <link rel="assessment-for" href="#pm-28_smt.a.3"/>
                   </part>
+                  <link rel="assessment-for" href="#pm-28_smt.a.3"/>
                </part>
                <part id="pm-28_obj.a.4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-28a.04"/>
                   <p>organizational risk tolerance is identified and documented;</p>
+                  <link rel="assessment-for" href="#pm-28_smt.a.4"/>
                </part>
+               <link rel="assessment-for" href="#pm-28_smt.a"/>
             </part>
             <part id="pm-28_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-28b."/>
                <p>the results of risk framing activities are distributed to <insert type="param" id-ref="pm-28_odp.01"/>;</p>
+               <link rel="assessment-for" href="#pm-28_smt.b"/>
             </part>
             <part id="pm-28_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-28c."/>
                <p>risk framing considerations are reviewed and updated <insert type="param" id-ref="pm-28_odp.02"/>.</p>
+               <link rel="assessment-for" href="#pm-28_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-28_smt"/>
          </part>
          <part id="pm-28_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8918,18 +9632,18 @@
             <prop name="alt-identifier" value="pm-31_prm_2"/>
             <prop name="alt-label" class="sp800-53" value="frequencies"/>
             <prop name="label" class="sp800-53a" value="PM-31_ODP[02]"/>
-            <label>frequency</label>
+            <label>monitoring frequencies</label>
             <guideline>
-               <p>the frequency for monitoring is defined;</p>
+               <p>the frequencies for monitoring are defined;</p>
             </guideline>
          </param>
          <param id="pm-31_odp.03">
             <prop name="alt-identifier" value="pm-31_prm_3"/>
             <prop name="alt-label" class="sp800-53" value="frequencies"/>
             <prop name="label" class="sp800-53a" value="PM-31_ODP[03]"/>
-            <label>frequency</label>
+            <label>assessment frequencies</label>
             <guideline>
-               <p>the frequency for assessing control effectiveness is defined;</p>
+               <p>the frequencies for assessing control effectiveness are defined;</p>
             </guideline>
          </param>
          <param id="pm-31_odp.04">
@@ -9028,7 +9742,7 @@
             </part>
             <part name="item" id="pm-31_smt.b">
                <prop name="label" value="b."/>
-               <p>Establishing <insert type="param" id-ref="pm-31_odp.02"/> for monitoring and <insert type="param" id-ref="pm-31_odp.03"/> for assessment of control effectiveness;</p>
+               <p>Establishing <insert type="param" id-ref="pm-31_odp.02"/> and <insert type="param" id-ref="pm-31_odp.03"/> for control effectiveness;</p>
             </part>
             <part name="item" id="pm-31_smt.c">
                <prop name="label" value="c."/>
@@ -9057,43 +9771,54 @@
             <part id="pm-31_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31a."/>
                <p>continuous monitoring programs are implemented that include establishing <insert type="param" id-ref="pm-31_odp.01"/> to be monitored;</p>
+               <link rel="assessment-for" href="#pm-31_smt.a"/>
             </part>
             <part id="pm-31_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31b."/>
                <part id="pm-31_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31b.[01]"/>
                   <p>continuous monitoring programs are implemented that establish <insert type="param" id-ref="pm-31_odp.02"/> for monitoring;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.b"/>
                </part>
                <part id="pm-31_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31b.[02]"/>
                   <p>continuous monitoring programs are implemented that establish <insert type="param" id-ref="pm-31_odp.03"/> for assessment of control effectiveness;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pm-31_smt.b"/>
             </part>
             <part id="pm-31_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31c."/>
                <p>continuous monitoring programs are implemented that include monitoring <insert type="param" id-ref="pm-31_odp.01"/> on an ongoing basis in accordance with the continuous monitoring strategy;</p>
+               <link rel="assessment-for" href="#pm-31_smt.c"/>
             </part>
             <part id="pm-31_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31d."/>
                <part id="pm-31_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31d.[01]"/>
                   <p>continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.d"/>
                </part>
                <part id="pm-31_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31d.[02]"/>
                   <p>continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pm-31_smt.d"/>
             </part>
             <part id="pm-31_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31e."/>
                <part id="pm-31_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31e.[01]"/>
                   <p>continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.e"/>
                </part>
                <part id="pm-31_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31e.[02]"/>
                   <p>continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pm-31_smt.e"/>
             </part>
             <part id="pm-31_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PM-31f."/>
@@ -9101,13 +9826,17 @@
                   <prop name="label" class="sp800-53a" value="PM-31f.[01]"/>
                   <p>continuous monitoring programs are implemented that include reporting the security status of organizational systems to <insert type="param" id-ref="pm-31_odp.04"/>
                      <insert type="param" id-ref="pm-31_odp.06"/>;</p>
+                  <link rel="assessment-for" href="#pm-31_smt.f"/>
                </part>
                <part id="pm-31_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PM-31f.[02]"/>
                   <p>continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to <insert type="param" id-ref="pm-31_odp.05"/>
                      <insert type="param" id-ref="pm-31_odp.07"/>.</p>
+                  <link rel="assessment-for" href="#pm-31_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#pm-31_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#pm-31_smt"/>
          </part>
          <part id="pm-31_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9218,22 +9947,28 @@
             <part id="ps-6_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06a."/>
                <p>access agreements are developed and documented for organizational systems;</p>
+               <link rel="assessment-for" href="#ps-6_smt.a"/>
             </part>
             <part id="ps-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06b."/>
                <p>the access agreements are reviewed and updated <insert type="param" id-ref="ps-06_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ps-6_smt.b"/>
             </part>
             <part id="ps-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PS-06c."/>
                <part id="ps-6_obj.c.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.01"/>
                   <p>individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.1"/>
                </part>
                <part id="ps-6_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PS-06c.02"/>
                   <p>individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert type="param" id-ref="ps-06_odp.02"/>.</p>
+                  <link rel="assessment-for" href="#ps-6_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ps-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ps-6_smt"/>
          </part>
          <part id="ps-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9405,18 +10140,22 @@
                <part id="pt-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01a.[01]"/>
                   <p>a personally identifiable information processing and transparency policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#pt-1_smt.a"/>
                </part>
                <part id="pt-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01a.[02]"/>
                   <p>the personally identifiable information processing and transparency policy is disseminated to <insert type="param" id-ref="pt-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pt-1_smt.a"/>
                </part>
                <part id="pt-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01a.[03]"/>
                   <p>personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#pt-1_smt.a"/>
                </part>
                <part id="pt-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01a.[04]"/>
                   <p>the personally identifiable information processing and transparency procedures are disseminated to <insert type="param" id-ref="pt-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#pt-1_smt.a"/>
                </part>
                <part id="pt-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01a.01"/>
@@ -9425,41 +10164,53 @@
                      <part id="pt-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses scope;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses roles;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
                      <part id="pt-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="PT-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
                   </part>
                   <part id="pt-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#pt-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#pt-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#pt-1_smt.a"/>
             </part>
             <part id="pt-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-01b."/>
                <p>the <insert type="param" id-ref="pt-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;</p>
+               <link rel="assessment-for" href="#pt-1_smt.b"/>
             </part>
             <part id="pt-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-01c."/>
@@ -9468,24 +10219,32 @@
                   <part id="pt-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-01c.01[01]"/>
                      <p>the current personally identifiable information processing and transparency policy is reviewed and updated <insert type="param" id-ref="pt-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#pt-1_smt.c.1"/>
                   </part>
                   <part id="pt-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-01c.01[02]"/>
                      <p>the current personally identifiable information processing and transparency policy is reviewed and updated following <insert type="param" id-ref="pt-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#pt-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#pt-1_smt.c.1"/>
                </part>
                <part id="pt-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-01c.02"/>
                   <part id="pt-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-01c.02[01]"/>
                      <p>the current personally identifiable information processing and transparency procedures are reviewed and updated <insert type="param" id-ref="pt-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#pt-1_smt.c.2"/>
                   </part>
                   <part id="pt-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-01c.02[02]"/>
                      <p>the current personally identifiable information processing and transparency procedures are reviewed and updated following <insert type="param" id-ref="pt-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#pt-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#pt-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#pt-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pt-1_smt"/>
          </part>
          <part id="pt-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9579,11 +10338,14 @@
             <part id="pt-2_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-02a."/>
                <p>the <insert type="param" id-ref="pt-02_odp.01"/> that permits the <insert type="param" id-ref="pt-02_odp.02"/> of personally identifiable information is determined and documented;</p>
+               <link rel="assessment-for" href="#pt-2_smt.a"/>
             </part>
             <part id="pt-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-02b."/>
                <p>the <insert type="param" id-ref="pt-02_odp.03"/> of personally identifiable information is restricted to only that which is authorized.</p>
+               <link rel="assessment-for" href="#pt-2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pt-2_smt"/>
          </part>
          <part id="pt-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9697,34 +10459,43 @@
             <part id="pt-3_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-03a."/>
                <p>the <insert type="param" id-ref="pt-03_odp.01"/> for processing personally identifiable information is/are identified and documented;</p>
+               <link rel="assessment-for" href="#pt-3_smt.a"/>
             </part>
             <part id="pt-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-03b."/>
                <part id="pt-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-03b.[01]"/>
                   <p>the purpose(s) is/are described in the public privacy notices of the organization;</p>
+                  <link rel="assessment-for" href="#pt-3_smt.b"/>
                </part>
                <part id="pt-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-03b.[02]"/>
                   <p>the purpose(s) is/are described in the policies of the organization;</p>
+                  <link rel="assessment-for" href="#pt-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pt-3_smt.b"/>
             </part>
             <part id="pt-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-03c."/>
                <p>the <insert type="param" id-ref="pt-03_odp.02"/> of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);</p>
+               <link rel="assessment-for" href="#pt-3_smt.c"/>
             </part>
             <part id="pt-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-03d."/>
                <part id="pt-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-03d.[01]"/>
                   <p>changes in the processing of personally identifiable information are monitored;</p>
+                  <link rel="assessment-for" href="#pt-3_smt.d"/>
                </part>
                <part id="pt-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-03d.[02]"/>
                   <p>
                      <insert type="param" id-ref="pt-03_odp.03"/> are implemented to ensure that any changes are made in accordance with <insert type="param" id-ref="pt-03_odp.04"/>.</p>
+                  <link rel="assessment-for" href="#pt-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#pt-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#pt-3_smt"/>
          </part>
          <part id="pt-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9791,6 +10562,7 @@
          <part id="pt-4_obj" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-04"/>
             <p>the <insert type="param" id-ref="pt-04_odp"/> are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.</p>
+            <link rel="assessment-for" href="#pt-4_smt"/>
          </part>
          <part id="pt-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9893,28 +10665,36 @@
                <part id="pt-5_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-05a.[01]"/>
                   <p>a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;</p>
+                  <link rel="assessment-for" href="#pt-5_smt.a"/>
                </part>
                <part id="pt-5_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-05a.[02]"/>
                   <p>a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals <insert type="param" id-ref="pt-05_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#pt-5_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pt-5_smt.a"/>
             </part>
             <part id="pt-5_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-05b."/>
                <p>a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;</p>
+               <link rel="assessment-for" href="#pt-5_smt.b"/>
             </part>
             <part id="pt-5_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-05c."/>
                <p>a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;</p>
+               <link rel="assessment-for" href="#pt-5_smt.c"/>
             </part>
             <part id="pt-5_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-05d."/>
                <p>a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;</p>
+               <link rel="assessment-for" href="#pt-5_smt.d"/>
             </part>
             <part id="pt-5_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-05e."/>
                <p>a notice to individuals about the processing of personally identifiable information which includes <insert type="param" id-ref="pt-05_odp.02"/> is provided.</p>
+               <link rel="assessment-for" href="#pt-5_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pt-5_smt"/>
          </part>
          <part id="pt-5_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9964,6 +10744,7 @@
             <part id="pt-5.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-05(02)"/>
                <p>Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.</p>
+               <link rel="assessment-for" href="#pt-5.2_smt"/>
             </part>
             <part id="pt-5.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10034,20 +10815,26 @@
                <part id="pt-6_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-06a.[01]"/>
                   <p>system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;</p>
+                  <link rel="assessment-for" href="#pt-6_smt.a"/>
                </part>
                <part id="pt-6_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-06a.[02]"/>
                   <p>new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;</p>
+                  <link rel="assessment-for" href="#pt-6_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#pt-6_smt.a"/>
             </part>
             <part id="pt-6_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-06b."/>
                <p>system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;</p>
+               <link rel="assessment-for" href="#pt-6_smt.b"/>
             </part>
             <part id="pt-6_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-06c."/>
                <p>system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.</p>
+               <link rel="assessment-for" href="#pt-6_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pt-6_smt"/>
          </part>
          <part id="pt-6_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10102,6 +10889,7 @@
             <part id="pt-6.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-06(01)"/>
                <p>all routine uses published in the system of records notice are reviewed <insert type="param" id-ref="pt-06.01_odp"/> to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.</p>
+               <link rel="assessment-for" href="#pt-6.1_smt"/>
             </part>
             <part id="pt-6.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10158,15 +10946,19 @@
                <part id="pt-6.2_obj-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-06(02)[01]"/>
                   <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they remain appropriate and necessary in accordance with law;</p>
+                  <link rel="assessment-for" href="#pt-6.2_smt"/>
                </part>
                <part id="pt-6.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-06(02)[02]"/>
                   <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they have been promulgated as regulations;</p>
+                  <link rel="assessment-for" href="#pt-6.2_smt"/>
                </part>
                <part id="pt-6.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-06(02)[03]"/>
                   <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they are accurately described in the system of records notice.</p>
+                  <link rel="assessment-for" href="#pt-6.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#pt-6.2_smt"/>
             </part>
             <part id="pt-6.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10231,6 +11023,7 @@
             <prop name="label" class="sp800-53a" value="PT-07"/>
             <p>
                <insert type="param" id-ref="pt-07_odp"/> are applied for specific categories of personally identifiable information.</p>
+            <link rel="assessment-for" href="#pt-7_smt"/>
          </part>
          <part id="pt-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10298,31 +11091,40 @@
                   <part id="pt-7.1_obj.a-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-07(01)(a)[01]"/>
                      <p>when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;</p>
+                     <link rel="assessment-for" href="#pt-7.1_smt.a"/>
                   </part>
                   <part id="pt-7.1_obj.a-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-07(01)(a)[02]"/>
                      <p>when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;</p>
+                     <link rel="assessment-for" href="#pt-7.1_smt.a"/>
                   </part>
+                  <link rel="assessment-for" href="#pt-7.1_smt.a"/>
                </part>
                <part id="pt-7.1_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-07(01)(b)"/>
                   <p>when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;</p>
+                  <link rel="assessment-for" href="#pt-7.1_smt.b"/>
                </part>
                <part id="pt-7.1_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-07(01)(c)"/>
                   <part id="pt-7.1_obj.c-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-07(01)(c)[01]"/>
                      <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;</p>
+                     <link rel="assessment-for" href="#pt-7.1_smt.c"/>
                   </part>
                   <part id="pt-7.1_obj.c-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-07(01)(c)[02]"/>
                      <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;</p>
+                     <link rel="assessment-for" href="#pt-7.1_smt.c"/>
                   </part>
                   <part id="pt-7.1_obj.c-3" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="PT-07(01)(c)[03]"/>
                      <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.</p>
+                     <link rel="assessment-for" href="#pt-7.1_smt.c"/>
                   </part>
+                  <link rel="assessment-for" href="#pt-7.1_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#pt-7.1_smt"/>
             </part>
             <part id="pt-7.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10372,6 +11174,7 @@
             <part id="pt-7.2_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-07(02)"/>
                <p>the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.</p>
+               <link rel="assessment-for" href="#pt-7.2_smt"/>
             </part>
             <part id="pt-7.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10445,37 +11248,47 @@
             <part id="pt-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-08a."/>
                <p>approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;</p>
+               <link rel="assessment-for" href="#pt-8_smt.a"/>
             </part>
             <part id="pt-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-08b."/>
                <part id="pt-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-08b.[01]"/>
                   <p>a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;</p>
+                  <link rel="assessment-for" href="#pt-8_smt.b"/>
                </part>
                <part id="pt-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-08b.[02]"/>
                   <p>a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;</p>
+                  <link rel="assessment-for" href="#pt-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#pt-8_smt.b"/>
             </part>
             <part id="pt-8_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-08c."/>
                <p>a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;</p>
+               <link rel="assessment-for" href="#pt-8_smt.c"/>
             </part>
             <part id="pt-8_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-08d."/>
                <p>the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;</p>
+               <link rel="assessment-for" href="#pt-8_smt.d"/>
             </part>
             <part id="pt-8_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="PT-08e."/>
                <part id="pt-8_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-08e.[01]"/>
                   <p>individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;</p>
+                  <link rel="assessment-for" href="#pt-8_smt.e"/>
                </part>
                <part id="pt-8_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="PT-08e.[02]"/>
                   <p>individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.</p>
+                  <link rel="assessment-for" href="#pt-8_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#pt-8_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#pt-8_smt"/>
          </part>
          <part id="pt-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10654,18 +11467,22 @@
                <part id="ra-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[01]"/>
                   <p>a risk assessment policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[02]"/>
                   <p>the risk assessment policy is disseminated to <insert type="param" id-ref="ra-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[03]"/>
                   <p>risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.[04]"/>
                   <p>the risk assessment procedures are disseminated to <insert type="param" id-ref="ra-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#ra-1_smt.a"/>
                </part>
                <part id="ra-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01a.01"/>
@@ -10674,41 +11491,53 @@
                      <part id="ra-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses scope;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses roles;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
                      <part id="ra-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="RA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
                   </part>
                   <part id="ra-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.a"/>
             </part>
             <part id="ra-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01b."/>
                <p>the <insert type="param" id-ref="ra-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;</p>
+               <link rel="assessment-for" href="#ra-1_smt.b"/>
             </part>
             <part id="ra-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-01c."/>
@@ -10717,24 +11546,32 @@
                   <part id="ra-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[01]"/>
                      <p>the current risk assessment policy is reviewed and updated <insert type="param" id-ref="ra-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
                   <part id="ra-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.01[02]"/>
                      <p>the current risk assessment policy is reviewed and updated following <insert type="param" id-ref="ra-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.1"/>
                </part>
                <part id="ra-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-01c.02"/>
                   <part id="ra-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[01]"/>
                      <p>the current risk assessment procedures are reviewed and updated <insert type="param" id-ref="ra-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
                   <part id="ra-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="RA-01c.02[02]"/>
                      <p>the current risk assessment procedures are reviewed and updated following <insert type="param" id-ref="ra-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#ra-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#ra-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt"/>
          </part>
          <part id="ra-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10892,36 +11729,46 @@
                <part id="ra-3_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.01"/>
                   <p>a risk assessment is conducted to identify threats to and vulnerabilities in the system;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.1"/>
                </part>
                <part id="ra-3_obj.a.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.02"/>
                   <p>a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.2"/>
                </part>
                <part id="ra-3_obj.a.3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-03a.03"/>
                   <p>a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
+                  <link rel="assessment-for" href="#ra-3_smt.a.3"/>
                </part>
+               <link rel="assessment-for" href="#ra-3_smt.a"/>
             </part>
             <part id="ra-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03b."/>
                <p>risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;</p>
+               <link rel="assessment-for" href="#ra-3_smt.b"/>
             </part>
             <part id="ra-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03c."/>
                <p>risk assessment results are documented in <insert type="param" id-ref="ra-03_odp.01"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.c"/>
             </part>
             <part id="ra-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03d."/>
                <p>risk assessment results are reviewed <insert type="param" id-ref="ra-03_odp.03"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.d"/>
             </part>
             <part id="ra-3_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03e."/>
                <p>risk assessment results are disseminated to <insert type="param" id-ref="ra-03_odp.04"/>;</p>
+               <link rel="assessment-for" href="#ra-3_smt.e"/>
             </part>
             <part id="ra-3_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-03f."/>
                <p>the risk assessment is updated <insert type="param" id-ref="ra-03_odp.05"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
+               <link rel="assessment-for" href="#ra-3_smt.f"/>
             </part>
+            <link rel="assessment-for" href="#ra-3_smt"/>
          </part>
          <part id="ra-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10992,19 +11839,24 @@
             <part id="ra-7_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[01]"/>
                <p>findings from security assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[02]"/>
                <p>findings from privacy assessments are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[03]"/>
                <p>findings from monitoring are responded to in accordance with organizational risk tolerance;</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
             <part id="ra-7_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-07[04]"/>
                <p>findings from audits are responded to in accordance with organizational risk tolerance.</p>
+               <link rel="assessment-for" href="#ra-7_smt"/>
             </part>
+            <link rel="assessment-for" href="#ra-7_smt"/>
          </part>
          <part id="ra-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11089,18 +11941,23 @@
             <part id="ra-8_obj.a" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-08a."/>
                <p>privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;</p>
+               <link rel="assessment-for" href="#ra-8_smt.a"/>
             </part>
             <part id="ra-8_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="RA-08b."/>
                <part id="ra-8_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-08b.[01]"/>
                   <p>privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;</p>
+                  <link rel="assessment-for" href="#ra-8_smt.b"/>
                </part>
                <part id="ra-8_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="RA-08b.[02]"/>
                   <p>privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.</p>
+                  <link rel="assessment-for" href="#ra-8_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#ra-8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ra-8_smt"/>
          </part>
          <part id="ra-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11280,18 +12137,22 @@
                <part id="sa-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[01]"/>
                   <p>a system and services acquisition policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[02]"/>
                   <p>the system and services acquisition policy is disseminated to <insert type="param" id-ref="sa-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[03]"/>
                   <p>system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.[04]"/>
                   <p>the system and services acquisition procedures are disseminated to <insert type="param" id-ref="sa-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#sa-1_smt.a"/>
                </part>
                <part id="sa-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01a.01"/>
@@ -11300,41 +12161,53 @@
                      <part id="sa-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses scope;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses roles;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
                      <part id="sa-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SA-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
                   </part>
                   <part id="sa-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.a"/>
             </part>
             <part id="sa-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01b."/>
                <p>the <insert type="param" id-ref="sa-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;</p>
+               <link rel="assessment-for" href="#sa-1_smt.b"/>
             </part>
             <part id="sa-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-01c."/>
@@ -11343,24 +12216,32 @@
                   <part id="sa-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[01]"/>
                      <p>the system and services acquisition policy is reviewed and updated <insert type="param" id-ref="sa-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
                   <part id="sa-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.01[02]"/>
                      <p>the current system and services acquisition policy is reviewed and updated following <insert type="param" id-ref="sa-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.1"/>
                </part>
                <part id="sa-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-01c.02"/>
                   <part id="sa-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[01]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated <insert type="param" id-ref="sa-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
                   <part id="sa-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SA-01c.02[02]"/>
                      <p>the current system and services acquisition procedures are reviewed and updated following <insert type="param" id-ref="sa-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#sa-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#sa-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt"/>
          </part>
          <part id="sa-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11430,34 +12311,44 @@
                <part id="sa-2_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[01]"/>
                   <p>the high-level information security requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
                <part id="sa-2_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02a.[02]"/>
                   <p>the high-level privacy requirements for the system or system service are determined in mission and business process planning;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.a"/>
             </part>
             <part id="sa-2_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02b."/>
                <part id="sa-2_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[01]"/>
                   <p>the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
                <part id="sa-2_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02b.[02]"/>
                   <p>the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.b"/>
             </part>
             <part id="sa-2_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-02c."/>
                <part id="sa-2_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[01]"/>
                   <p>a discrete line item for information security is established in organizational programming and budgeting documentation;</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
                <part id="sa-2_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-02c.[02]"/>
                   <p>a discrete line item for privacy is established in organizational programming and budgeting documentation.</p>
+                  <link rel="assessment-for" href="#sa-2_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-2_smt"/>
          </part>
          <part id="sa-2_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11565,45 +12456,58 @@
                <part id="sa-3_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[01]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates information security considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
                <part id="sa-3_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03a.[02]"/>
                   <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates privacy considerations;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.a"/>
             </part>
             <part id="sa-3_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03b."/>
                <part id="sa-3_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[01]"/>
                   <p>information security roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
                <part id="sa-3_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03b.[02]"/>
                   <p>privacy roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.b"/>
             </part>
             <part id="sa-3_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03c."/>
                <part id="sa-3_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[01]"/>
                   <p>individuals with information security roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
                <part id="sa-3_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03c.[02]"/>
                   <p>individuals with privacy roles and responsibilities are identified;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.c"/>
             </part>
             <part id="sa-3_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-03d."/>
                <part id="sa-3_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[01]"/>
                   <p>organizational information security risk management processes are integrated into system development life cycle activities;</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
                <part id="sa-3_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-03d.[02]"/>
                   <p>organizational privacy risk management processes are integrated into system development life cycle activities.</p>
+                  <link rel="assessment-for" href="#sa-3_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-3_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-3_smt"/>
          </part>
          <part id="sa-3_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11759,83 +12663,106 @@
                <part id="sa-4_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[01]"/>
                   <p>security functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
                <part id="sa-4_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04a.[02]"/>
                   <p>privacy functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.a"/>
             </part>
             <part id="sa-4_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04b."/>
                <p>strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.b"/>
             </part>
             <part id="sa-4_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04c."/>
                <part id="sa-4_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[01]"/>
                   <p>security assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
                <part id="sa-4_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04c.[02]"/>
                   <p>privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.c"/>
             </part>
             <part id="sa-4_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04d."/>
                <part id="sa-4_obj.d-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[01]"/>
                   <p>controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
                <part id="sa-4_obj.d-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04d.[02]"/>
                   <p>controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.d"/>
             </part>
             <part id="sa-4_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04e."/>
                <part id="sa-4_obj.e-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[01]"/>
                   <p>security documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
                <part id="sa-4_obj.e-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04e.[02]"/>
                   <p>privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.e"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.e"/>
             </part>
             <part id="sa-4_obj.f" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04f."/>
                <part id="sa-4_obj.f-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[01]"/>
                   <p>requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
                <part id="sa-4_obj.f-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04f.[02]"/>
                   <p>requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.f"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.f"/>
             </part>
             <part id="sa-4_obj.g" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04g."/>
                <p>the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+               <link rel="assessment-for" href="#sa-4_smt.g"/>
             </part>
             <part id="sa-4_obj.h" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04h."/>
                <part id="sa-4_obj.h-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[01]"/>
                   <p>the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[02]"/>
                   <p>the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
                <part id="sa-4_obj.h-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-04h.[03]"/>
                   <p>the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-4_smt.h"/>
                </part>
+               <link rel="assessment-for" href="#sa-4_smt.h"/>
             </part>
             <part id="sa-4_obj.i" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-04i."/>
                <p>acceptance criteria requirements and descriptions are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service.</p>
+               <link rel="assessment-for" href="#sa-4_smt.i"/>
             </part>
+            <link rel="assessment-for" href="#sa-4_smt"/>
          </part>
          <part id="sa-4_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11949,52 +12876,63 @@
                <prop name="label" class="sp800-53a" value="SA-08[01]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[02]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[03]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[04]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-5" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[05]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.01"/> are applied in the modification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-6" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[06]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the specification of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-7" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[07]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the design of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-8" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[08]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the development of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-9" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[09]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the implementation of the system and system components;</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
             <part id="sa-8_obj-10" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08[10]"/>
                <p>
                   <insert type="param" id-ref="sa-08_odp.02"/> are applied in the modification of the system and system components.</p>
+               <link rel="assessment-for" href="#sa-8_smt"/>
             </part>
+            <link rel="assessment-for" href="#sa-8_smt"/>
          </part>
          <part id="sa-8_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12067,6 +13005,7 @@
             <part id="sa-8.33_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-08(33)"/>
                <p>the privacy principle of minimization is implemented using <insert type="param" id-ref="sa-08.33_odp"/>.</p>
+               <link rel="assessment-for" href="#sa-8.33_smt"/>
             </part>
             <part id="sa-8.33_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12178,32 +13117,41 @@
                <part id="sa-9_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[01]"/>
                   <p>providers of external system services comply with organizational security requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[02]"/>
                   <p>providers of external system services comply with organizational privacy requirements;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
                <part id="sa-9_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09a.[03]"/>
                   <p>providers of external system services employ <insert type="param" id-ref="sa-09_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.a"/>
             </part>
             <part id="sa-9_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09b."/>
                <part id="sa-9_obj.b-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[01]"/>
                   <p>organizational oversight with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
                <part id="sa-9_obj.b-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-09b.[02]"/>
                   <p>user roles and responsibilities with regard to external system services are defined and documented;</p>
+                  <link rel="assessment-for" href="#sa-9_smt.b"/>
                </part>
+               <link rel="assessment-for" href="#sa-9_smt.b"/>
             </part>
             <part id="sa-9_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-09c."/>
                <p>
                   <insert type="param" id-ref="sa-09_odp.02"/> are employed to monitor control compliance by external service providers on an ongoing basis.</p>
+               <link rel="assessment-for" href="#sa-9_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-9_smt"/>
          </part>
          <part id="sa-9_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12334,43 +13282,55 @@
                <part id="sa-11_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[03]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
                <part id="sa-11_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11a.[04]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.a"/>
             </part>
             <part id="sa-11_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11b."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform <insert type="param" id-ref="sa-11_odp.01"/> testing/evaluation <insert type="param" id-ref="sa-11_odp.02"/> at <insert type="param" id-ref="sa-11_odp.03"/>;</p>
+               <link rel="assessment-for" href="#sa-11_smt.b"/>
             </part>
             <part id="sa-11_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11c."/>
                <part id="sa-11_obj.c-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[01]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
                <part id="sa-11_obj.c-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SA-11c.[02]"/>
                   <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;</p>
+                  <link rel="assessment-for" href="#sa-11_smt.c"/>
                </part>
+               <link rel="assessment-for" href="#sa-11_smt.c"/>
             </part>
             <part id="sa-11_obj.d" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11d."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;</p>
+               <link rel="assessment-for" href="#sa-11_smt.d"/>
             </part>
             <part id="sa-11_obj.e" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SA-11e."/>
                <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.</p>
+               <link rel="assessment-for" href="#sa-11_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sa-11_smt"/>
          </part>
          <part id="sa-11_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12489,28 +13449,36 @@
                <part id="sc-7_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[01]"/>
                   <p>communications at external managed interfaces to the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[02]"/>
                   <p>communications at external managed interfaces to the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[03]"/>
                   <p>communications at key internal managed interfaces within the system are monitored;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
                <part id="sc-7_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07a.[04]"/>
                   <p>communications at key internal managed interfaces within the system are controlled;</p>
+                  <link rel="assessment-for" href="#sc-7_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#sc-7_smt.a"/>
             </part>
             <part id="sc-7_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07b."/>
                <p>subnetworks for publicly accessible system components are <insert type="param" id-ref="sc-07_odp"/> separated from internal organizational networks;</p>
+               <link rel="assessment-for" href="#sc-7_smt.b"/>
             </part>
             <part id="sc-7_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SC-07c."/>
                <p>external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
+               <link rel="assessment-for" href="#sc-7_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-7_smt"/>
          </part>
          <part id="sc-7_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12595,33 +13563,42 @@
                   <prop name="label" class="sp800-53a" value="SC-07(24)(a)"/>
                   <p>
                      <insert type="param" id-ref="sc-07.24_odp"/> are applied to data elements of personally identifiable information on systems that process personally identifiable information;</p>
+                  <link rel="assessment-for" href="#sc-7.24_smt.a"/>
                </part>
                <part id="sc-7.24_obj.b" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(24)(b)"/>
                   <part id="sc-7.24_obj.b-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(24)(b)[01]"/>
                      <p>permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;</p>
+                     <link rel="assessment-for" href="#sc-7.24_smt.b"/>
                   </part>
                   <part id="sc-7.24_obj.b-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(24)(b)[02]"/>
                      <p>permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;</p>
+                     <link rel="assessment-for" href="#sc-7.24_smt.b"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.24_smt.b"/>
                </part>
                <part id="sc-7.24_obj.c" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(24)(c)"/>
                   <p>each processing exception is documented for systems that process personally identifiable information;</p>
+                  <link rel="assessment-for" href="#sc-7.24_smt.c"/>
                </part>
                <part id="sc-7.24_obj.d" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SC-07(24)(d)"/>
                   <part id="sc-7.24_obj.d-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(24)(d)[01]"/>
                      <p>exceptions for systems that process personally identifiable information are reviewed;</p>
+                     <link rel="assessment-for" href="#sc-7.24_smt.d"/>
                   </part>
                   <part id="sc-7.24_obj.d-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SC-07(24)(d)[02]"/>
                      <p>exceptions for systems that process personally identifiable information that are no longer supported are removed.</p>
+                     <link rel="assessment-for" href="#sc-7.24_smt.d"/>
                   </part>
+                  <link rel="assessment-for" href="#sc-7.24_smt.d"/>
                </part>
+               <link rel="assessment-for" href="#sc-7.24_smt"/>
             </part>
             <part id="sc-7.24_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12803,18 +13780,22 @@
                <part id="si-1_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[01]"/>
                   <p>a system and information integrity policy is developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[02]"/>
                   <p>the system and information integrity policy is disseminated to <insert type="param" id-ref="si-01_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[03]"/>
                   <p>system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.[04]"/>
                   <p>the system and information integrity procedures are disseminated to <insert type="param" id-ref="si-01_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-1_smt.a"/>
                </part>
                <part id="si-1_obj.a.1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01a.01"/>
@@ -12823,41 +13804,53 @@
                      <part id="si-1_obj.a.1.a-1" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[01]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses purpose;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-2" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[02]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses scope;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-3" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[03]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses roles;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-4" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[04]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses responsibilities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-5" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[05]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses management commitment;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-6" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[06]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses coordination among organizational entities;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
                      <part id="si-1_obj.a.1.a-7" name="assessment-objective">
                         <prop name="label" class="sp800-53a" value="SI-01a.01(a)[07]"/>
                         <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses compliance;</p>
+                        <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                      </part>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
                   </part>
                   <part id="si-1_obj.a.1.b" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01a.01(b)"/>
                      <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+                     <link rel="assessment-for" href="#si-1_smt.a.1.b"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.a.1"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.a"/>
             </part>
             <part id="si-1_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01b."/>
                <p>the <insert type="param" id-ref="si-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;</p>
+               <link rel="assessment-for" href="#si-1_smt.b"/>
             </part>
             <part id="si-1_obj.c" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-01c."/>
@@ -12866,24 +13859,32 @@
                   <part id="si-1_obj.c.1-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[01]"/>
                      <p>the current system and information integrity policy is reviewed and updated <insert type="param" id-ref="si-01_odp.05"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
                   <part id="si-1_obj.c.1-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.01[02]"/>
                      <p>the current system and information integrity policy is reviewed and updated following <insert type="param" id-ref="si-01_odp.06"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.1"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.1"/>
                </part>
                <part id="si-1_obj.c.2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-01c.02"/>
                   <part id="si-1_obj.c.2-1" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[01]"/>
                      <p>the current system and information integrity procedures are reviewed and updated <insert type="param" id-ref="si-01_odp.07"/>;</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
                   <part id="si-1_obj.c.2-2" name="assessment-objective">
                      <prop name="label" class="sp800-53a" value="SI-01c.02[02]"/>
                      <p>the current system and information integrity procedures are reviewed and updated following <insert type="param" id-ref="si-01_odp.08"/>.</p>
+                     <link rel="assessment-for" href="#si-1_smt.c.2"/>
                   </part>
+                  <link rel="assessment-for" href="#si-1_smt.c.2"/>
                </part>
+               <link rel="assessment-for" href="#si-1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt"/>
          </part>
          <part id="si-1_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12957,19 +13958,24 @@
             <part id="si-12_obj-1" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[01]"/>
                <p>information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-2" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[02]"/>
                <p>information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-3" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[03]"/>
                <p>information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
             <part id="si-12_obj-4" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12[04]"/>
                <p>information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.</p>
+               <link rel="assessment-for" href="#si-12_smt"/>
             </part>
+            <link rel="assessment-for" href="#si-12_smt"/>
          </part>
          <part id="si-12_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13037,6 +14043,7 @@
             <part id="si-12.1_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-12(01)"/>
                <p>personally identifiable information being processed in the information life cycle is limited to <insert type="param" id-ref="si-12.01_odp"/>.</p>
+               <link rel="assessment-for" href="#si-12.1_smt"/>
             </part>
             <part id="si-12.1_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13136,17 +14143,21 @@
                   <prop name="label" class="sp800-53a" value="SI-12(02)[01]"/>
                   <p>
                      <insert type="param" id-ref="si-12.02_odp.01"/> are used to minimize the use of personally identifiable information for research;</p>
+                  <link rel="assessment-for" href="#si-12.2_smt"/>
                </part>
                <part id="si-12.2_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-12(02)[02]"/>
                   <p>
                      <insert type="param" id-ref="si-12.02_odp.02"/> are used to minimize the use of personally identifiable information for testing;</p>
+                  <link rel="assessment-for" href="#si-12.2_smt"/>
                </part>
                <part id="si-12.2_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-12(02)[03]"/>
                   <p>
                      <insert type="param" id-ref="si-12.02_odp.03"/> are used to minimize the use of personally identifiable information for training.</p>
+                  <link rel="assessment-for" href="#si-12.2_smt"/>
                </part>
+               <link rel="assessment-for" href="#si-12.2_smt"/>
             </part>
             <part id="si-12.2_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13242,17 +14253,21 @@
                   <prop name="label" class="sp800-53a" value="SI-12(03)[01]"/>
                   <p>
                      <insert type="param" id-ref="si-12.03_odp.01"/> are used to dispose of information following the retention period;</p>
+                  <link rel="assessment-for" href="#si-12.3_smt"/>
                </part>
                <part id="si-12.3_obj-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-12(03)[02]"/>
                   <p>
                      <insert type="param" id-ref="si-12.03_odp.02"/> are used to destroy information following the retention period;</p>
+                  <link rel="assessment-for" href="#si-12.3_smt"/>
                </part>
                <part id="si-12.3_obj-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-12(03)[03]"/>
                   <p>
                      <insert type="param" id-ref="si-12.03_odp.03"/> are used to erase information following the retention period.</p>
+                  <link rel="assessment-for" href="#si-12.3_smt"/>
                </part>
+               <link rel="assessment-for" href="#si-12.3_smt"/>
             </part>
             <part id="si-12.3_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13377,24 +14392,31 @@
                <part id="si-18_obj.a-1" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-18a.[01]"/>
                   <p>the accuracy of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.01"/>;</p>
+                  <link rel="assessment-for" href="#si-18_smt.a"/>
                </part>
                <part id="si-18_obj.a-2" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-18a.[02]"/>
                   <p>the relevance of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.02"/>;</p>
+                  <link rel="assessment-for" href="#si-18_smt.a"/>
                </part>
                <part id="si-18_obj.a-3" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-18a.[03]"/>
                   <p>the timeliness of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.03"/>;</p>
+                  <link rel="assessment-for" href="#si-18_smt.a"/>
                </part>
                <part id="si-18_obj.a-4" name="assessment-objective">
                   <prop name="label" class="sp800-53a" value="SI-18a.[04]"/>
                   <p>the completeness of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.04"/>;</p>
+                  <link rel="assessment-for" href="#si-18_smt.a"/>
                </part>
+               <link rel="assessment-for" href="#si-18_smt.a"/>
             </part>
             <part id="si-18_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-18b."/>
                <p>inaccurate or outdated personally identifiable information is corrected or deleted.</p>
+               <link rel="assessment-for" href="#si-18_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-18_smt"/>
          </part>
          <part id="si-18_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13453,6 +14475,7 @@
             <part id="si-18.4_obj" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-18(04)"/>
                <p>personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.</p>
+               <link rel="assessment-for" href="#si-18.4_smt"/>
             </part>
             <part id="si-18.4_asm-examine" name="assessment-method">
                <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13547,11 +14570,14 @@
                <prop name="label" class="sp800-53a" value="SI-19a."/>
                <p>
                   <insert type="param" id-ref="si-19_odp.01"/> are removed from datasets;</p>
+               <link rel="assessment-for" href="#si-19_smt.a"/>
             </part>
             <part id="si-19_obj.b" name="assessment-objective">
                <prop name="label" class="sp800-53a" value="SI-19b."/>
                <p>the effectiveness of de-identification is evaluated <insert type="param" id-ref="si-19_odp.02"/>.</p>
+               <link rel="assessment-for" href="#si-19_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-19_smt"/>
          </part>
          <part id="si-19_asm-examine" name="assessment-method">
             <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml
index 8a432b0f..91636b8c 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
 <profile xmlns="http://csrc.nist.gov/ns/oscal/1.0"
-         uuid="66b95dd9-650d-456f-b143-19ae7bb36944">
+         uuid="c8485895-a2f7-46f1-843a-380668cd6fe8">
    <metadata>
-      <title>NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE</title>
-      <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
-      <version>Final</version>
+      <title>NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE</title>
+      <last-modified>2023-12-04T14:55:00.000000-04:00</last-modified>
+      <version>5.1.1+u2</version>
       <oscal-version>1.1.1</oscal-version>
       <role id="creator">
          <title>Document Creator</title>
diff --git a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml
index 22b0b3e0..c0686c73 100644
--- a/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml
+++ b/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml
@@ -1,11 +1,33 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <?xml-model schematypens="http://www.w3.org/2001/XMLSchema" type="application/xml" href="https://github.com/usnistgov/OSCAL/releases/download/v1.1.1/oscal_complete_schema.xsd"?>
-<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="0e9e8558-4d93-4a7f-8c87-34d4d4f9e7bd">
+<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="1f2fcda3-408f-422c-aecd-b1717c3f7843">
   <metadata>
-    <title>Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures</title>
-    <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
-    <version>5.1.1</version>
+    <title>Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures</title>
+    <last-modified>2023-12-04T13:16:10.000000-04:00</last-modified>
+    <version>5.1.1+u2</version>
     <oscal-version>1.1.1</oscal-version>
+    <revisions>
+      <revision>
+        <title>Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures</title>
+        <last-modified>2023-10-12T00:00:00.000000-04:00</last-modified>
+        <version>5.1.1</version>
+        <oscal-version>1.1.1</oscal-version>
+        <link rel="version-history" href="#5a5ffcb9-2272-484e-8d47-4483a0585dec"/>
+        <remarks>
+          <p>This revison of the SP 800-53 Revision 5 Catalog includes metadata and tagging reflecting richer control semantics, such as organizational vs system-level controls as indicated in SP800-53 Rev 5.1 Appendix C, and minor bug fixes in its content.</p>
+        </remarks>
+      </revision>
+      <revision>
+        <title>Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures</title>
+        <last-modified>2023-11-14T00:00:00.000000-04:00</last-modified>
+        <version>5.1.1+u1</version>
+        <oscal-version>1.1.1</oscal-version>
+        <link rel="version-history" href="#5a5ffcb9-2272-484e-8d47-4483a0585dec"/>
+        <remarks>
+          <p>This revision of the SP 800-53 Revision 5 Catalog is the finalized changes to NIST SP 800-53 Revision 5.1.1 on November, 7, 2023.</p>
+        </remarks>
+      </revision>
+    </revisions>
     <prop name="keywords" value="Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security"/>
     <link rel="alternate" href="#c3397cc9-83c6-4459-adb2-836739dc1b94"/>
     <link rel="canonical" href="#f7cf488d-bc64-4a91-a994-810e153ee481"/>
@@ -171,18 +193,22 @@
           <part id="ac-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01a.[01]"/>
             <p>an access control policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ac-1_smt.a"/>
           </part>
           <part id="ac-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01a.[02]"/>
             <p>the access control policy is disseminated to <insert type="param" id-ref="ac-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ac-1_smt.a"/>
           </part>
           <part id="ac-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01a.[03]"/>
             <p>access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ac-1_smt.a"/>
           </part>
           <part id="ac-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01a.[04]"/>
             <p>the access control procedures are disseminated to <insert type="param" id-ref="ac-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ac-1_smt.a"/>
           </part>
           <part id="ac-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01a.01"/>
@@ -191,41 +217,53 @@
               <part id="ac-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses scope;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses roles;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
               <part id="ac-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ac-1_smt.a.1.a"/>
             </part>
             <part id="ac-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ac-01_odp.03"/> access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ac-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ac-1_smt.a"/>
         </part>
         <part id="ac-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-01b."/>
           <p>the <insert type="param" id-ref="ac-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the access control policy and procedures;</p>
+          <link rel="assessment-for" href="#ac-1_smt.b"/>
         </part>
         <part id="ac-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-01c."/>
@@ -234,24 +272,32 @@
             <part id="ac-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-01c.01[01]"/>
               <p>the current access control policy is reviewed and updated <insert type="param" id-ref="ac-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ac-1_smt.c.1"/>
             </part>
             <part id="ac-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-01c.01[02]"/>
               <p>the current access control policy is reviewed and updated following <insert type="param" id-ref="ac-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ac-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt.c.1"/>
           </part>
           <part id="ac-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-01c.02"/>
             <part id="ac-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-01c.02[01]"/>
               <p>the current access control procedures are reviewed and updated <insert type="param" id-ref="ac-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ac-1_smt.c.2"/>
             </part>
             <part id="ac-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-01c.02[02]"/>
               <p>the current access control procedures are reviewed and updated following <insert type="param" id-ref="ac-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ac-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ac-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ac-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ac-1_smt"/>
       </part>
       <part id="ac-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -487,129 +533,164 @@
           <part id="ac-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02a.[01]"/>
             <p>account types allowed for use within the system are defined and documented;</p>
+            <link rel="assessment-for" href="#ac-2_smt.a"/>
           </part>
           <part id="ac-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02a.[02]"/>
             <p>account types specifically prohibited for use within the system are defined and documented;</p>
+            <link rel="assessment-for" href="#ac-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.a"/>
         </part>
         <part id="ac-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02b."/>
           <p>account managers are assigned;</p>
+          <link rel="assessment-for" href="#ac-2_smt.b"/>
         </part>
         <part id="ac-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02c."/>
           <p><insert type="param" id-ref="ac-02_odp.01"/> for group and role membership are required;</p>
+          <link rel="assessment-for" href="#ac-2_smt.c"/>
         </part>
         <part id="ac-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02d."/>
           <part id="ac-2_obj.d.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02d.01"/>
             <p>authorized users of the system are specified;</p>
+            <link rel="assessment-for" href="#ac-2_smt.d.1"/>
           </part>
           <part id="ac-2_obj.d.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02d.02"/>
             <p>group and role membership are specified;</p>
+            <link rel="assessment-for" href="#ac-2_smt.d.2"/>
           </part>
           <part id="ac-2_obj.d.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02d.03"/>
             <part id="ac-2_obj.d.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-02d.03[01]"/>
               <p>access authorizations (i.e., privileges) are specified for each account;</p>
+              <link rel="assessment-for" href="#ac-2_smt.d.3"/>
             </part>
             <part id="ac-2_obj.d.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-02d.03[02]"/>
               <p><insert type="param" id-ref="ac-02_odp.02"/> are specified for each account;</p>
+              <link rel="assessment-for" href="#ac-2_smt.d.3"/>
             </part>
+            <link rel="assessment-for" href="#ac-2_smt.d.3"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.d"/>
         </part>
         <part id="ac-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02e."/>
           <p>approvals are required by <insert type="param" id-ref="ac-02_odp.03"/> for requests to create accounts;</p>
+          <link rel="assessment-for" href="#ac-2_smt.e"/>
         </part>
         <part id="ac-2_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02f."/>
           <part id="ac-2_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02f.[01]"/>
             <p>accounts are created in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.f"/>
           </part>
           <part id="ac-2_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02f.[02]"/>
             <p>accounts are enabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.f"/>
           </part>
           <part id="ac-2_obj.f-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02f.[03]"/>
             <p>accounts are modified in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.f"/>
           </part>
           <part id="ac-2_obj.f-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02f.[04]"/>
             <p>accounts are disabled in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.f"/>
           </part>
           <part id="ac-2_obj.f-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02f.[05]"/>
             <p>accounts are removed in accordance with <insert type="param" id-ref="ac-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.f"/>
         </part>
         <part id="ac-2_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02g."/>
           <p>the use of accounts is monitored; </p>
+          <link rel="assessment-for" href="#ac-2_smt.g"/>
         </part>
         <part id="ac-2_obj.h" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02h."/>
           <part id="ac-2_obj.h.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02h.01"/>
             <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.06"/> when accounts are no longer required;</p>
+            <link rel="assessment-for" href="#ac-2_smt.h.1"/>
           </part>
           <part id="ac-2_obj.h.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02h.02"/>
             <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.07"/> when users are terminated or transferred;</p>
+            <link rel="assessment-for" href="#ac-2_smt.h.2"/>
           </part>
           <part id="ac-2_obj.h.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02h.03"/>
             <p>account managers and <insert type="param" id-ref="ac-02_odp.05"/> are notified within <insert type="param" id-ref="ac-02_odp.08"/> when system usage or the need to know changes for an individual;</p>
+            <link rel="assessment-for" href="#ac-2_smt.h.3"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.h"/>
         </part>
         <part id="ac-2_obj.i" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02i."/>
           <part id="ac-2_obj.i.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02i.01"/>
             <p>access to the system is authorized based on a valid access authorization;</p>
+            <link rel="assessment-for" href="#ac-2_smt.i.1"/>
           </part>
           <part id="ac-2_obj.i.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02i.02"/>
             <p>access to the system is authorized based on intended system usage;</p>
+            <link rel="assessment-for" href="#ac-2_smt.i.2"/>
           </part>
           <part id="ac-2_obj.i.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02i.03"/>
             <p>access to the system is authorized based on <insert type="param" id-ref="ac-02_odp.09"/>;</p>
+            <link rel="assessment-for" href="#ac-2_smt.i.3"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.i"/>
         </part>
         <part id="ac-2_obj.j" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02j."/>
           <p>accounts are reviewed for compliance with account management requirements <insert type="param" id-ref="ac-02_odp.10"/>;</p>
+          <link rel="assessment-for" href="#ac-2_smt.j"/>
         </part>
         <part id="ac-2_obj.k" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02k."/>
           <part id="ac-2_obj.k-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02k.[01]"/>
             <p>a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+            <link rel="assessment-for" href="#ac-2_smt.k"/>
           </part>
           <part id="ac-2_obj.k-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02k.[02]"/>
             <p>a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;</p>
+            <link rel="assessment-for" href="#ac-2_smt.k"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.k"/>
         </part>
         <part id="ac-2_obj.l" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02l."/>
           <part id="ac-2_obj.l-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02l.[01]"/>
             <p>account management processes are aligned with personnel termination processes;</p>
+            <link rel="assessment-for" href="#ac-2_smt.l"/>
           </part>
           <part id="ac-2_obj.l-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02l.[02]"/>
             <p>account management processes are aligned with personnel transfer processes.</p>
+            <link rel="assessment-for" href="#ac-2_smt.l"/>
           </part>
+          <link rel="assessment-for" href="#ac-2_smt.l"/>
         </part>
+        <link rel="assessment-for" href="#ac-2_smt"/>
       </part>
       <part id="ac-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -675,6 +756,7 @@
         <part id="ac-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(01)"/>
           <p>the management of system accounts is supported using <insert type="param" id-ref="ac-02.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-2.1_smt"/>
         </part>
         <part id="ac-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -740,6 +822,7 @@
         <part id="ac-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(02)"/>
           <p>temporary and emergency accounts are automatically <insert type="param" id-ref="ac-02.02_odp.01"/> after <insert type="param" id-ref="ac-02.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-2.2_smt"/>
         </part>
         <part id="ac-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -824,19 +907,24 @@
           <part id="ac-2.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(03)(a)"/>
             <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have expired;</p>
+            <link rel="assessment-for" href="#ac-2.3_smt.a"/>
           </part>
           <part id="ac-2.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(03)(b)"/>
             <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are no longer associated with a user or individual;</p>
+            <link rel="assessment-for" href="#ac-2.3_smt.b"/>
           </part>
           <part id="ac-2.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(03)(c)"/>
             <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts are in violation of organizational policy;</p>
+            <link rel="assessment-for" href="#ac-2.3_smt.c"/>
           </part>
           <part id="ac-2.3_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(03)(d)"/>
             <p>accounts are disabled within <insert type="param" id-ref="ac-02.03_odp.01"/> when the accounts have been inactive for <insert type="param" id-ref="ac-02.03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-2.3_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ac-2.3_smt"/>
         </part>
         <part id="ac-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -892,23 +980,29 @@
           <part id="ac-2.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(04)[01]"/>
             <p>account creation is automatically audited;</p>
+            <link rel="assessment-for" href="#ac-2.4_smt"/>
           </part>
           <part id="ac-2.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(04)[02]"/>
             <p>account modification is automatically audited;</p>
+            <link rel="assessment-for" href="#ac-2.4_smt"/>
           </part>
           <part id="ac-2.4_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(04)[03]"/>
             <p>account enabling is automatically audited;</p>
+            <link rel="assessment-for" href="#ac-2.4_smt"/>
           </part>
           <part id="ac-2.4_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(04)[04]"/>
             <p>account disabling is automatically audited;</p>
+            <link rel="assessment-for" href="#ac-2.4_smt"/>
           </part>
           <part id="ac-2.4_obj-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(04)[05]"/>
             <p>account removal actions are automatically audited.</p>
+            <link rel="assessment-for" href="#ac-2.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-2.4_smt"/>
         </part>
         <part id="ac-2.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -967,6 +1061,7 @@
         <part id="ac-2.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(05)"/>
           <p>users are required to log out when <insert type="param" id-ref="ac-02.05_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-2.5_smt"/>
         </part>
         <part id="ac-2.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1018,6 +1113,7 @@
         <part id="ac-2.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(06)"/>
           <p><insert type="param" id-ref="ac-02.06_odp"/> are implemented.</p>
+          <link rel="assessment-for" href="#ac-2.6_smt"/>
         </part>
         <part id="ac-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1092,19 +1188,24 @@
           <part id="ac-2.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(07)(a)"/>
             <p>privileged user accounts are established and administered in accordance with <insert type="param" id-ref="ac-02.07_odp"/>;</p>
+            <link rel="assessment-for" href="#ac-2.7_smt.a"/>
           </part>
           <part id="ac-2.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(07)(b)"/>
             <p>privileged role or attribute assignments are monitored;</p>
+            <link rel="assessment-for" href="#ac-2.7_smt.b"/>
           </part>
           <part id="ac-2.7_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(07)(c)"/>
             <p>changes to roles or attributes are monitored;</p>
+            <link rel="assessment-for" href="#ac-2.7_smt.c"/>
           </part>
           <part id="ac-2.7_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(07)(d)"/>
             <p>access is revoked when privileged role or attribute assignments are no longer appropriate.</p>
+            <link rel="assessment-for" href="#ac-2.7_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ac-2.7_smt"/>
         </part>
         <part id="ac-2.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1168,19 +1269,24 @@
           <part id="ac-2.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(08)[01]"/>
             <p><insert type="param" id-ref="ac-02.08_odp"/> are created dynamically;</p>
+            <link rel="assessment-for" href="#ac-2.8_smt"/>
           </part>
           <part id="ac-2.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(08)[02]"/>
             <p><insert type="param" id-ref="ac-02.08_odp"/> are activated dynamically;</p>
+            <link rel="assessment-for" href="#ac-2.8_smt"/>
           </part>
           <part id="ac-2.8_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(08)[03]"/>
             <p><insert type="param" id-ref="ac-02.08_odp"/> are managed dynamically;</p>
+            <link rel="assessment-for" href="#ac-2.8_smt"/>
           </part>
           <part id="ac-2.8_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(08)[04]"/>
             <p><insert type="param" id-ref="ac-02.08_odp"/> are deactivated dynamically.</p>
+            <link rel="assessment-for" href="#ac-2.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-2.8_smt"/>
         </part>
         <part id="ac-2.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1239,6 +1345,7 @@
         <part id="ac-2.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(09)"/>
           <p>the use of shared and group accounts is only permitted if <insert type="param" id-ref="ac-02.09_odp"/> are met.</p>
+          <link rel="assessment-for" href="#ac-2.9_smt"/>
         </part>
         <part id="ac-2.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1311,6 +1418,7 @@
         <part id="ac-2.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(11)"/>
           <p><insert type="param" id-ref="ac-02.11_odp.01"/> for <insert type="param" id-ref="ac-02.11_odp.02"/> are enforced.</p>
+          <link rel="assessment-for" href="#ac-2.11_smt"/>
         </part>
         <part id="ac-2.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1391,11 +1499,14 @@
           <part id="ac-2.12_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(12)(a)"/>
             <p>system accounts are monitored for <insert type="param" id-ref="ac-02.12_odp.01"/>; </p>
+            <link rel="assessment-for" href="#ac-2.12_smt.a"/>
           </part>
           <part id="ac-2.12_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-02(12)(b)"/>
             <p>atypical usage of system accounts is reported to <insert type="param" id-ref="ac-02.12_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-2.12_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-2.12_smt"/>
         </part>
         <part id="ac-2.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1465,6 +1576,7 @@
         <part id="ac-2.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-02(13)"/>
           <p>accounts of individuals are disabled within <insert type="param" id-ref="ac-02.13_odp.01"/> of discovery of <insert type="param" id-ref="ac-02.13_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-2.13_smt"/>
         </part>
         <part id="ac-2.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1537,6 +1649,7 @@
       <link rel="related" href="#ia-6"/>
       <link rel="related" href="#ia-7"/>
       <link rel="related" href="#ia-11"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#ma-3"/>
       <link rel="related" href="#ma-4"/>
       <link rel="related" href="#ma-5"/>
@@ -1565,6 +1678,7 @@
       <part id="ac-3_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-03"/>
         <p>approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.</p>
+        <link rel="assessment-for" href="#ac-3_smt"/>
       </part>
       <part id="ac-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1633,6 +1747,7 @@
         <part id="ac-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-03(02)"/>
           <p>dual authorization is enforced for <insert type="param" id-ref="ac-03.02_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-3.2_smt"/>
         </part>
         <part id="ac-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1754,49 +1869,62 @@
           <part id="ac-3.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(03)[01]"/>
             <p><insert type="param" id-ref="ac-03.03_odp.01"/> is enforced over the set of covered subjects specified in the policy;</p>
+            <link rel="assessment-for" href="#ac-3.3_smt"/>
           </part>
           <part id="ac-3.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(03)[02]"/>
             <p><insert type="param" id-ref="ac-03.03_odp.02"/> is enforced over the set of covered objects specified in the policy;</p>
+            <link rel="assessment-for" href="#ac-3.3_smt"/>
           </part>
           <part id="ac-3.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(03)(a)"/>
             <part id="ac-3.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(a)[01]"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> is uniformly enforced across the covered subjects within the system;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.a"/>
             </part>
             <part id="ac-3.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(a)[02]"/>
               <p><insert type="param" id-ref="ac-03.03_odp.02"/> is uniformly enforced across the covered objects within the system;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ac-3.3_smt.a"/>
           </part>
           <part id="ac-3.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(03)(b)"/>
             <part id="ac-3.3_obj.b.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(b)(01)"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.b.1"/>
             </part>
             <part id="ac-3.3_obj.b.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(b)(02)"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.b.2"/>
             </part>
             <part id="ac-3.3_obj.b.3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(b)(03)"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.b.3"/>
             </part>
             <part id="ac-3.3_obj.b.4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(b)(04)"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.b.4"/>
             </part>
             <part id="ac-3.3_obj.b.5" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(03)(b)(05)"/>
               <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;</p>
+              <link rel="assessment-for" href="#ac-3.3_smt.b.5"/>
             </part>
+            <link rel="assessment-for" href="#ac-3.3_smt.b"/>
           </part>
           <part id="ac-3.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(03)(c)"/>
             <p><insert type="param" id-ref="ac-03.03_odp.01"/> and <insert type="param" id-ref="ac-03.03_odp.02"/> specifying that <insert type="param" id-ref="ac-03.03_odp.03"/> may explicitly be granted <insert type="param" id-ref="ac-03.03_odp.04"/> such that they are not limited by any defined subset (or all) of the above constraints are enforced.</p>
+            <link rel="assessment-for" href="#ac-3.3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.3_smt"/>
         </part>
         <part id="ac-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1888,31 +2016,39 @@
           <part id="ac-3.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)[01]"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> is enforced over the set of covered subjects specified in the policy;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt"/>
           </part>
           <part id="ac-3.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)[02]"/>
             <p><insert type="param" id-ref="ac-03.04_odp.02"/> is enforced over the set of covered objects specified in the policy;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt"/>
           </part>
           <part id="ac-3.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)(a)"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> and <insert type="param" id-ref="ac-03.04_odp.02"/> are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt.a"/>
           </part>
           <part id="ac-3.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)(b)"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> and <insert type="param" id-ref="ac-03.04_odp.02"/> are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt.b"/>
           </part>
           <part id="ac-3.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)(c)"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> and <insert type="param" id-ref="ac-03.04_odp.02"/> are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt.c"/>
           </part>
           <part id="ac-3.4_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)(d)"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> and <insert type="param" id-ref="ac-03.04_odp.02"/> are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;</p>
+            <link rel="assessment-for" href="#ac-3.4_smt.d"/>
           </part>
           <part id="ac-3.4_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(04)(e)"/>
             <p><insert type="param" id-ref="ac-03.04_odp.01"/> and <insert type="param" id-ref="ac-03.04_odp.02"/> are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.</p>
+            <link rel="assessment-for" href="#ac-3.4_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.4_smt"/>
         </part>
         <part id="ac-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -1973,6 +2109,7 @@
         <part id="ac-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-03(05)"/>
           <p>access to <insert type="param" id-ref="ac-03.05_odp"/> is prevented except during secure, non-operable system states.</p>
+          <link rel="assessment-for" href="#ac-3.5_smt"/>
         </part>
         <part id="ac-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2052,15 +2189,19 @@
           <part id="ac-3.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(07)[01]"/>
             <p>a role-based access control policy is enforced over defined subjects;</p>
+            <link rel="assessment-for" href="#ac-3.7_smt"/>
           </part>
           <part id="ac-3.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(07)[02]"/>
             <p>a role-based access control policy is enforced over defined objects;</p>
+            <link rel="assessment-for" href="#ac-3.7_smt"/>
           </part>
           <part id="ac-3.7_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(07)[03]"/>
             <p>access is controlled based on <insert type="param" id-ref="ac-03.07_odp.01"/> and <insert type="param" id-ref="ac-03.07_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-3.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.7_smt"/>
         </part>
         <part id="ac-3.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2124,11 +2265,14 @@
           <part id="ac-3.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(08)[01]"/>
             <p>revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on <insert type="param" id-ref="ac-03.08_odp"/>;</p>
+            <link rel="assessment-for" href="#ac-3.8_smt"/>
           </part>
           <part id="ac-3.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(08)[02]"/>
             <p>revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on <insert type="param" id-ref="ac-03.08_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-3.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.8_smt"/>
         </part>
         <part id="ac-3.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2218,11 +2362,14 @@
           <part id="ac-3.9_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(09)(a)"/>
             <p>information is released outside of the system only if the receiving <insert type="param" id-ref="ac-03.09_odp.01"/> provides <insert type="param" id-ref="ac-03.09_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ac-3.9_smt.a"/>
           </part>
           <part id="ac-3.9_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(09)(b)"/>
             <p>information is released outside of the system only if <insert type="param" id-ref="ac-03.09_odp.03"/> are used to validate the appropriateness of the information designated for release.</p>
+            <link rel="assessment-for" href="#ac-3.9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.9_smt"/>
         </part>
         <part id="ac-3.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2301,6 +2448,7 @@
         <part id="ac-3.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-03(10)"/>
           <p>an audited override of automated access control mechanisms is employed under <insert type="param" id-ref="ac-03.10_odp.01"/> by <insert type="param" id-ref="ac-03.10_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-3.10_smt"/>
         </part>
         <part id="ac-3.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2361,6 +2509,7 @@
         <part id="ac-3.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-03(11)"/>
           <p>access to data repositories containing <insert type="param" id-ref="ac-03.11_odp"/> is restricted.</p>
+          <link rel="assessment-for" href="#ac-3.11_smt"/>
         </part>
         <part id="ac-3.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2431,15 +2580,19 @@
           <part id="ac-3.12_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(12)(a)"/>
             <p>as part of the installation process, applications are required to assert the access needed to the following system applications and functions: <insert type="param" id-ref="ac-03.12_odp"/>;</p>
+            <link rel="assessment-for" href="#ac-3.12_smt.a"/>
           </part>
           <part id="ac-3.12_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(12)(b)"/>
             <p>an enforcement mechanism to prevent unauthorized access is provided; </p>
+            <link rel="assessment-for" href="#ac-3.12_smt.b"/>
           </part>
           <part id="ac-3.12_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(12)(c)"/>
             <p>access changes after initial installation of the application are approved.</p>
+            <link rel="assessment-for" href="#ac-3.12_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.12_smt"/>
         </part>
         <part id="ac-3.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2498,15 +2651,19 @@
           <part id="ac-3.13_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(13)[01]"/>
             <p>the attribute-based access control policy is enforced over defined subjects;</p>
+            <link rel="assessment-for" href="#ac-3.13_smt"/>
           </part>
           <part id="ac-3.13_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(13)[02]"/>
             <p>the attribute-based access control policy is enforced over defined objects;</p>
+            <link rel="assessment-for" href="#ac-3.13_smt"/>
           </part>
           <part id="ac-3.13_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(13)[03]"/>
             <p>access is controlled based on <insert type="param" id-ref="ac-03.13_odp"/>.</p>
+            <link rel="assessment-for" href="#ac-3.13_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.13_smt"/>
         </part>
         <part id="ac-3.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2576,6 +2733,7 @@
         <part id="ac-3.14_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-03(14)"/>
           <p><insert type="param" id-ref="ac-03.14_odp.01"/> are provided to enable individuals to have access to <insert type="param" id-ref="ac-03.14_odp.02"/> of their personally identifiable information.</p>
+          <link rel="assessment-for" href="#ac-3.14_smt"/>
         </part>
         <part id="ac-3.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2682,23 +2840,30 @@
             <part id="ac-3.15_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(15)(a)[01]"/>
               <p><insert type="param" id-ref="ac-03.15_odp.01"/> is enforced over the set of covered subjects specified in the policy;</p>
+              <link rel="assessment-for" href="#ac-3.15_smt.a"/>
             </part>
             <part id="ac-3.15_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(15)(a)[02]"/>
               <p><insert type="param" id-ref="ac-03.15_odp.02"/> is enforced over the set of covered objects specified in the policy;</p>
+              <link rel="assessment-for" href="#ac-3.15_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ac-3.15_smt.a"/>
           </part>
           <part id="ac-3.15_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-03(15)(b)"/>
             <part id="ac-3.15_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(15)(b)[01]"/>
               <p><insert type="param" id-ref="ac-03.15_odp.03"/> is enforced over the set of covered subjects specified in the policy;</p>
+              <link rel="assessment-for" href="#ac-3.15_smt.b"/>
             </part>
             <part id="ac-3.15_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-03(15)(b)[02]"/>
               <p><insert type="param" id-ref="ac-03.15_odp.04"/> is enforced over the set of covered objects specified in the policy.</p>
+              <link rel="assessment-for" href="#ac-3.15_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-3.15_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-3.15_smt"/>
         </part>
         <part id="ac-3.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2779,6 +2944,7 @@
       <part id="ac-4_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-04"/>
         <p>approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on <insert type="param" id-ref="ac-04_odp"/>.</p>
+        <link rel="assessment-for" href="#ac-4_smt"/>
       </part>
       <part id="ac-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2912,11 +3078,14 @@
           <part id="ac-4.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(01)[01]"/>
             <p><insert type="param" id-ref="ac-04.01_odp.01"/> associated with <insert type="param" id-ref="ac-04.01_odp.03"/>, <insert type="param" id-ref="ac-04.01_odp.05"/> , and <insert type="param" id-ref="ac-04.01_odp.07"/> are used to enforce <insert type="param" id-ref="ac-04.01_odp.09"/> as a basis for flow control decisions;</p>
+            <link rel="assessment-for" href="#ac-4.1_smt"/>
           </part>
           <part id="ac-4.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(01)[02]"/>
             <p><insert type="param" id-ref="ac-04.01_odp.02"/> associated with <insert type="param" id-ref="ac-04.01_odp.04"/>, <insert type="param" id-ref="ac-04.01_odp.06"/> , and <insert type="param" id-ref="ac-04.01_odp.08"/> are used to enforce <insert type="param" id-ref="ac-04.01_odp.09"/> as a basis for flow control decisions.</p>
+            <link rel="assessment-for" href="#ac-4.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.1_smt"/>
         </part>
         <part id="ac-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -2977,6 +3146,7 @@
         <part id="ac-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(02)"/>
           <p>protected processing domains are used to enforce <insert type="param" id-ref="ac-04.02_odp"/> as a basis for flow control decisions.</p>
+          <link rel="assessment-for" href="#ac-4.2_smt"/>
         </part>
         <part id="ac-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3034,6 +3204,7 @@
         <part id="ac-4.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(03)"/>
           <p><insert type="param" id-ref="ac-04.03_odp"/> are enforced.</p>
+          <link rel="assessment-for" href="#ac-4.3_smt"/>
         </part>
         <part id="ac-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3111,6 +3282,7 @@
         <part id="ac-4.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(04)"/>
           <p>encrypted information is prevented from bypassing <insert type="param" id-ref="ac-04.04_odp.01"/> by <insert type="param" id-ref="ac-04.04_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-4.4_smt"/>
         </part>
         <part id="ac-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3167,6 +3339,7 @@
         <part id="ac-4.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(05)"/>
           <p><insert type="param" id-ref="ac-04.05_odp"/> are enforced on embedding data types within other data types.</p>
+          <link rel="assessment-for" href="#ac-4.5_smt"/>
         </part>
         <part id="ac-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3225,6 +3398,7 @@
         <part id="ac-4.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(06)"/>
           <p>information flow control enforcement is based on <insert type="param" id-ref="ac-04.06_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-4.6_smt"/>
         </part>
         <part id="ac-4.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3274,6 +3448,7 @@
         <part id="ac-4.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(07)"/>
           <p>one-way information flows are enforced through hardware-based flow control mechanisms.</p>
+          <link rel="assessment-for" href="#ac-4.7_smt"/>
         </part>
         <part id="ac-4.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3401,17 +3576,22 @@
             <part id="ac-4.8_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-04(08)(a)[01]"/>
               <p>information flow control is enforced using <insert type="param" id-ref="ac-04.08_odp.01"/> as a basis for flow control decisions for <insert type="param" id-ref="ac-04.08_odp.03"/>;</p>
+              <link rel="assessment-for" href="#ac-4.8_smt.a"/>
             </part>
             <part id="ac-4.8_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-04(08)(a)[02]"/>
               <p>information flow control is enforced using <insert type="param" id-ref="ac-04.08_odp.02"/> as a basis for flow control decisions for <insert type="param" id-ref="ac-04.08_odp.04"/>;</p>
+              <link rel="assessment-for" href="#ac-4.8_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ac-4.8_smt.a"/>
           </part>
           <part id="ac-4.8_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(08)(b)"/>
             <p><insert type="param" id-ref="ac-04.08_odp.05"/> data after a filter processing failure in accordance with <insert type="param" id-ref="ac-04.08_odp.06"/>;</p>
             <p><insert type="param" id-ref="ac-04.08_odp.05"/> data after a filter processing failure in accordance with <insert type="param" id-ref="ac-04.08_odp.07"/>.</p>
+            <link rel="assessment-for" href="#ac-4.8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.8_smt"/>
         </part>
         <part id="ac-4.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3481,6 +3661,7 @@
         <part id="ac-4.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(09)"/>
           <p>human reviews are used for <insert type="param" id-ref="ac-04.09_odp.01"/> under <insert type="param" id-ref="ac-04.09_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-4.9_smt"/>
         </part>
         <part id="ac-4.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3574,11 +3755,14 @@
           <part id="ac-4.10_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(10)[01]"/>
             <p>capability is provided for privileged administrators to enable and disable <insert type="param" id-ref="ac-04.10_odp.01"/> under <insert type="param" id-ref="ac-04.10_odp.03"/>;</p>
+            <link rel="assessment-for" href="#ac-4.10_smt"/>
           </part>
           <part id="ac-4.10_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(10)[02]"/>
             <p>capability is provided for privileged administrators to enable and disable <insert type="param" id-ref="ac-04.10_odp.02"/> under <insert type="param" id-ref="ac-04.10_odp.04"/>.</p>
+            <link rel="assessment-for" href="#ac-4.10_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.10_smt"/>
         </part>
         <part id="ac-4.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3654,11 +3838,14 @@
           <part id="ac-4.11_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(11)[01]"/>
             <p>capability is provided for privileged administrators to configure <insert type="param" id-ref="ac-04.11_odp.01"/> to support different security or privacy policies;</p>
+            <link rel="assessment-for" href="#ac-4.11_smt"/>
           </part>
           <part id="ac-4.11_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(11)[02]"/>
             <p>capability is provided for privileged administrators to configure <insert type="param" id-ref="ac-04.11_odp.02"/> to support different security or privacy policies.</p>
+            <link rel="assessment-for" href="#ac-4.11_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.11_smt"/>
         </part>
         <part id="ac-4.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3720,6 +3907,7 @@
         <part id="ac-4.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(12)"/>
           <p>when transferring information between different security domains, <insert type="param" id-ref="ac-04.12_odp"/> are used to validate data essential for information flow decisions.</p>
+          <link rel="assessment-for" href="#ac-4.12_smt"/>
         </part>
         <part id="ac-4.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3777,6 +3965,7 @@
         <part id="ac-4.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(13)"/>
           <p>when transferring information between different security domains, information is decomposed into <insert type="param" id-ref="ac-04.13_odp"/> for submission to policy enforcement mechanisms.</p>
+          <link rel="assessment-for" href="#ac-4.13_smt"/>
         </part>
         <part id="ac-4.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3846,11 +4035,14 @@
           <part id="ac-4.14_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(14)[01]"/>
             <p>when transferring information between different security domains, implemented <insert type="param" id-ref="ac-04.14_odp.01"/> require fully enumerated formats that restrict data structure and content;</p>
+            <link rel="assessment-for" href="#ac-4.14_smt"/>
           </part>
           <part id="ac-4.14_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(14)[02]"/>
             <p>when transferring information between different security domains, implemented <insert type="param" id-ref="ac-04.14_odp.02"/> require fully enumerated formats that restrict data structure and content.</p>
+            <link rel="assessment-for" href="#ac-4.14_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.14_smt"/>
         </part>
         <part id="ac-4.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -3934,15 +4126,19 @@
           <part id="ac-4.15_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(15)[01]"/>
             <p>when transferring information between different security domains, information is examined for the presence of <insert type="param" id-ref="ac-04.15_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ac-4.15_smt"/>
           </part>
           <part id="ac-4.15_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(15)[02]"/>
             <p>when transferring information between different security domains, transfer of <insert type="param" id-ref="ac-04.15_odp.01"/> is prohibited in accordance with the <insert type="param" id-ref="ac-04.15_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ac-4.15_smt"/>
           </part>
           <part id="ac-4.15_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(15)[03]"/>
             <p>when transferring information between different security domains, transfer of <insert type="param" id-ref="ac-04.15_odp.01"/> is prohibited in accordance with the <insert type="param" id-ref="ac-04.15_odp.03"/>.</p>
+            <link rel="assessment-for" href="#ac-4.15_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.15_smt"/>
         </part>
         <part id="ac-4.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4011,6 +4207,7 @@
         <part id="ac-4.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(17)"/>
           <p>source and destination points are uniquely identified and authenticated by <insert type="param" id-ref="ac-04.17_odp"/> for information transfer.</p>
+          <link rel="assessment-for" href="#ac-4.17_smt"/>
         </part>
         <part id="ac-4.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4091,11 +4288,14 @@
           <part id="ac-4.19_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(19)[01]"/>
             <p>when transferring information between different security domains, <insert type="param" id-ref="ac-04.19_odp.01"/> are implemented on metadata;</p>
+            <link rel="assessment-for" href="#ac-4.19_smt"/>
           </part>
           <part id="ac-4.19_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(19)[02]"/>
             <p>when transferring information between different security domains, <insert type="param" id-ref="ac-04.19_odp.02"/> are implemented on metadata.</p>
+            <link rel="assessment-for" href="#ac-4.19_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.19_smt"/>
         </part>
         <part id="ac-4.19_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4165,6 +4365,7 @@
         <part id="ac-4.20_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(20)"/>
           <p><insert type="param" id-ref="ac-04.20_odp.01"/> are employed to control the flow of <insert type="param" id-ref="ac-04.20_odp.02"/> across security domains.</p>
+          <link rel="assessment-for" href="#ac-4.20_smt"/>
         </part>
         <part id="ac-4.20_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4247,11 +4448,14 @@
           <part id="ac-4.21_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(21)[01]"/>
             <p>information flows are separated logically using <insert type="param" id-ref="ac-04.21_odp.01"/> to accomplish <insert type="param" id-ref="ac-04.21_odp.03"/>;</p>
+            <link rel="assessment-for" href="#ac-4.21_smt"/>
           </part>
           <part id="ac-4.21_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(21)[02]"/>
             <p>information flows are separated physically using <insert type="param" id-ref="ac-04.21_odp.02"/> to accomplish <insert type="param" id-ref="ac-04.21_odp.03"/>.</p>
+            <link rel="assessment-for" href="#ac-4.21_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.21_smt"/>
         </part>
         <part id="ac-4.21_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4303,6 +4507,7 @@
         <part id="ac-4.22_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(22)"/>
           <p>access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.</p>
+          <link rel="assessment-for" href="#ac-4.22_smt"/>
         </part>
         <part id="ac-4.22_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4359,6 +4564,7 @@
         <part id="ac-4.23_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(23)"/>
           <p>when transferring information between security domains, non-releasable information is modified by implementing <insert type="param" id-ref="ac-04.23_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-4.23_smt"/>
         </part>
         <part id="ac-4.23_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4408,11 +4614,14 @@
           <part id="ac-4.24_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(24)[01]"/>
             <p>when transferring information between different security domains, incoming data is parsed into an internal, normalized format;</p>
+            <link rel="assessment-for" href="#ac-4.24_smt"/>
           </part>
           <part id="ac-4.24_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(24)[02]"/>
             <p>when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.</p>
+            <link rel="assessment-for" href="#ac-4.24_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.24_smt"/>
         </part>
         <part id="ac-4.24_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4477,6 +4686,7 @@
         <part id="ac-4.25_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(25)"/>
           <p>when transferring information between different security domains, data is sanitized to minimize <insert type="param" id-ref="ac-04.25_odp.01"/> in accordance with <insert type="param" id-ref="ac-04.25_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-4.25_smt"/>
         </part>
         <part id="ac-4.25_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4530,11 +4740,14 @@
           <part id="ac-4.26_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(26)[01]"/>
             <p>when transferring information between different security domains, content-filtering actions are recorded and audited;</p>
+            <link rel="assessment-for" href="#ac-4.26_smt"/>
           </part>
           <part id="ac-4.26_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(26)[02]"/>
             <p>when transferring information between different security domains, results for the information being filtered are recorded and audited.</p>
+            <link rel="assessment-for" href="#ac-4.26_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.26_smt"/>
         </part>
         <part id="ac-4.26_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4584,6 +4797,7 @@
         <part id="ac-4.27_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(27)"/>
           <p>when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.</p>
+          <link rel="assessment-for" href="#ac-4.27_smt"/>
         </part>
         <part id="ac-4.27_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4631,6 +4845,7 @@
         <part id="ac-4.28_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(28)"/>
           <p>when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.</p>
+          <link rel="assessment-for" href="#ac-4.28_smt"/>
         </part>
         <part id="ac-4.28_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4698,18 +4913,23 @@
           <part id="ac-4.29_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(29)(a)"/>
             <p>when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;</p>
+            <link rel="assessment-for" href="#ac-4.29_smt.a"/>
           </part>
           <part id="ac-4.29_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(29)(b)"/>
             <part id="ac-4.29_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-04(29)(b)[01]"/>
               <p>when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;</p>
+              <link rel="assessment-for" href="#ac-4.29_smt.b"/>
             </part>
             <part id="ac-4.29_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-04(29)(b)[02]"/>
               <p>when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with <insert type="param" id-ref="ac-04.29_odp"/>.</p>
+              <link rel="assessment-for" href="#ac-4.29_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ac-4.29_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.29_smt"/>
         </part>
         <part id="ac-4.29_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4758,6 +4978,7 @@
         <part id="ac-4.30_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(30)"/>
           <p>when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.</p>
+          <link rel="assessment-for" href="#ac-4.30_smt"/>
         </part>
         <part id="ac-4.30_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4806,6 +5027,7 @@
         <part id="ac-4.31_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-04(31)"/>
           <p>when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.</p>
+          <link rel="assessment-for" href="#ac-4.31_smt"/>
         </part>
         <part id="ac-4.31_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4871,19 +5093,24 @@
           <part id="ac-4.32_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(32)(a)"/>
             <p>when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;</p>
+            <link rel="assessment-for" href="#ac-4.32_smt.a"/>
           </part>
           <part id="ac-4.32_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(32)(b)"/>
             <p>when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;</p>
+            <link rel="assessment-for" href="#ac-4.32_smt.b"/>
           </part>
           <part id="ac-4.32_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(32)(c)"/>
             <p>when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;</p>
+            <link rel="assessment-for" href="#ac-4.32_smt.c"/>
           </part>
           <part id="ac-4.32_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-04(32)(d)"/>
             <p>when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.</p>
+            <link rel="assessment-for" href="#ac-4.32_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ac-4.32_smt"/>
         </part>
         <part id="ac-4.32_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -4966,11 +5193,14 @@
         <part id="ac-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-05a."/>
           <p><insert type="param" id-ref="ac-05_odp"/> are identified and documented;</p>
+          <link rel="assessment-for" href="#ac-5_smt.a"/>
         </part>
         <part id="ac-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-05b."/>
           <p>system access authorizations to support separation of duties are defined.</p>
+          <link rel="assessment-for" href="#ac-5_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-5_smt"/>
       </part>
       <part id="ac-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5030,6 +5260,7 @@
       <part id="ac-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-06"/>
         <p>the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.</p>
+        <link rel="assessment-for" href="#ac-6_smt"/>
       </part>
       <part id="ac-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5137,20 +5368,26 @@
             <part id="ac-6.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-06(01)(a)[01]"/>
               <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.02"/>;</p>
+              <link rel="assessment-for" href="#ac-6.1_smt.a"/>
             </part>
             <part id="ac-6.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-06(01)(a)[02]"/>
               <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.03"/>;</p>
+              <link rel="assessment-for" href="#ac-6.1_smt.a"/>
             </part>
             <part id="ac-6.1_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-06(01)(a)[03]"/>
               <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.04"/>;</p>
+              <link rel="assessment-for" href="#ac-6.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ac-6.1_smt.a"/>
           </part>
           <part id="ac-6.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06(01)(b)"/>
             <p>access is authorized for <insert type="param" id-ref="ac-06.01_odp.01"/> to <insert type="param" id-ref="ac-06.01_odp.05"/>.</p>
+            <link rel="assessment-for" href="#ac-6.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-6.1_smt"/>
         </part>
         <part id="ac-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5210,6 +5447,7 @@
         <part id="ac-6.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(02)"/>
           <p>users of system accounts (or roles) with access to <insert type="param" id-ref="ac-06.02_odp"/> are required to use non-privileged accounts or roles when accessing non-security functions.</p>
+          <link rel="assessment-for" href="#ac-6.2_smt"/>
         </part>
         <part id="ac-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5278,11 +5516,14 @@
           <part id="ac-6.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06(03)[01]"/>
             <p>network access to <insert type="param" id-ref="ac-06.03_odp.01"/> is authorized only for <insert type="param" id-ref="ac-06.03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ac-6.3_smt"/>
           </part>
           <part id="ac-6.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06(03)[02]"/>
             <p>the rationale for authorizing network access to privileged commands is documented in the security plan for the system.</p>
+            <link rel="assessment-for" href="#ac-6.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-6.3_smt"/>
         </part>
         <part id="ac-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5336,6 +5577,7 @@
         <part id="ac-6.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(04)"/>
           <p>separate processing domains are provided to enable finer-grain allocation of user privileges.</p>
+          <link rel="assessment-for" href="#ac-6.4_smt"/>
         </part>
         <part id="ac-6.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5394,6 +5636,7 @@
         <part id="ac-6.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(05)"/>
           <p>privileged accounts on the system are restricted to <insert type="param" id-ref="ac-06.05_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-6.5_smt"/>
         </part>
         <part id="ac-6.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5446,6 +5689,7 @@
         <part id="ac-6.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(06)"/>
           <p>privileged access to the system by non-organizational users is prohibited.</p>
+          <link rel="assessment-for" href="#ac-6.6_smt"/>
         </part>
         <part id="ac-6.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5521,11 +5765,14 @@
           <part id="ac-6.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06(07)(a)"/>
             <p>privileges assigned to <insert type="param" id-ref="ac-06.07_odp.02"/> are reviewed <insert type="param" id-ref="ac-06.07_odp.01"/> to validate the need for such privileges;</p>
+            <link rel="assessment-for" href="#ac-6.7_smt.a"/>
           </part>
           <part id="ac-6.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-06(07)(b)"/>
             <p>privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.</p>
+            <link rel="assessment-for" href="#ac-6.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-6.7_smt"/>
         </part>
         <part id="ac-6.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5584,6 +5831,7 @@
         <part id="ac-6.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(08)"/>
           <p><insert type="param" id-ref="ac-06.08_odp"/> is prevented from executing at higher privilege levels than users executing the software.</p>
+          <link rel="assessment-for" href="#ac-6.8_smt"/>
         </part>
         <part id="ac-6.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5636,6 +5884,7 @@
         <part id="ac-6.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(09)"/>
           <p>the execution of privileged functions is logged.</p>
+          <link rel="assessment-for" href="#ac-6.9_smt"/>
         </part>
         <part id="ac-6.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5686,6 +5935,7 @@
         <part id="ac-6.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-06(10)"/>
           <p>non-privileged users are prevented from executing privileged functions.</p>
+          <link rel="assessment-for" href="#ac-6.10_smt"/>
         </part>
         <part id="ac-6.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5801,11 +6051,14 @@
         <part id="ac-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-07a."/>
           <p>a limit of <insert type="param" id-ref="ac-07_odp.01"/> consecutive invalid logon attempts by a user during <insert type="param" id-ref="ac-07_odp.02"/> is enforced;</p>
+          <link rel="assessment-for" href="#ac-7_smt.a"/>
         </part>
         <part id="ac-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-07b."/>
           <p>automatically <insert type="param" id-ref="ac-07_odp.03"/> when the maximum number of unsuccessful attempts is exceeded.</p>
+          <link rel="assessment-for" href="#ac-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-7_smt"/>
       </part>
       <part id="ac-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5858,9 +6111,9 @@
           <prop name="alt-identifier" value="ac-7.2_prm_2"/>
           <prop name="alt-label" class="sp800-53" value="purging or wiping requirements and techniques"/>
           <prop name="label" class="sp800-53a" value="AC-07(02)_ODP[02]"/>
-          <label>purging or wiping requirements or techniques</label>
+          <label>purging or wiping requirements and techniques</label>
           <guideline>
-            <p>purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;</p>
+            <p>purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;</p>
           </guideline>
         </param>
         <param id="ac-07.02_odp.03">
@@ -5888,6 +6141,7 @@
         <part id="ac-7.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-07(02)"/>
           <p>information is purged or wiped from <insert type="param" id-ref="ac-07.02_odp.01"/> based on <insert type="param" id-ref="ac-07.02_odp.02"/> after <insert type="param" id-ref="ac-07.02_odp.03"/> consecutive, unsuccessful device logon attempts.</p>
+          <link rel="assessment-for" href="#ac-7.2_smt"/>
         </part>
         <part id="ac-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -5945,6 +6199,7 @@
         <part id="ac-7.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-07(03)"/>
           <p>unsuccessful biometric logon attempts are limited to <insert type="param" id-ref="ac-07.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-7.3_smt"/>
         </part>
         <part id="ac-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6026,11 +6281,14 @@
           <part id="ac-7.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-07(04)(a)"/>
             <p><insert type="param" id-ref="ac-07.04_odp.01"/> that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;</p>
+            <link rel="assessment-for" href="#ac-7.4_smt.a"/>
           </part>
           <part id="ac-7.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-07(04)(b)"/>
             <p>a limit of <insert type="param" id-ref="ac-07.04_odp.02"/> consecutive invalid logon attempts through the use of the alternative factors by the user during a <insert type="param" id-ref="ac-07.04_odp.03"/> is enforced.</p>
+            <link rel="assessment-for" href="#ac-7.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-7.4_smt"/>
         </part>
         <part id="ac-7.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6142,39 +6400,50 @@
           <part id="ac-8_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08a.01"/>
             <p>the system use notification states that users are accessing a U.S. Government system;</p>
+            <link rel="assessment-for" href="#ac-8_smt.a.1"/>
           </part>
           <part id="ac-8_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08a.02"/>
             <p>the system use notification states that system usage may be monitored, recorded, and subject to audit;</p>
+            <link rel="assessment-for" href="#ac-8_smt.a.2"/>
           </part>
           <part id="ac-8_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08a.03"/>
             <p>the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p>
+            <link rel="assessment-for" href="#ac-8_smt.a.3"/>
           </part>
           <part id="ac-8_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08a.04"/>
             <p>the system use notification states that use of the system indicates consent to monitoring and recording;</p>
+            <link rel="assessment-for" href="#ac-8_smt.a.4"/>
           </part>
+          <link rel="assessment-for" href="#ac-8_smt.a"/>
         </part>
         <part id="ac-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-08b."/>
           <p>the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;</p>
+          <link rel="assessment-for" href="#ac-8_smt.b"/>
         </part>
         <part id="ac-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-08c."/>
           <part id="ac-8_obj.c.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08c.01"/>
             <p>for publicly accessible systems, system use information <insert type="param" id-ref="ac-08_odp.02"/> is displayed before granting further access to the publicly accessible system;</p>
+            <link rel="assessment-for" href="#ac-8_smt.c.1"/>
           </part>
           <part id="ac-8_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08c.02"/>
             <p>for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;</p>
+            <link rel="assessment-for" href="#ac-8_smt.c.2"/>
           </part>
           <part id="ac-8_obj.c.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-08c.03"/>
             <p>for publicly accessible systems, a description of the authorized uses of the system is included.</p>
+            <link rel="assessment-for" href="#ac-8_smt.c.3"/>
           </part>
+          <link rel="assessment-for" href="#ac-8_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ac-8_smt"/>
       </part>
       <part id="ac-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6230,6 +6499,7 @@
       <part id="ac-9_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-09"/>
         <p>the user is notified, upon successful logon to the system, of the date and time of the last logon.</p>
+        <link rel="assessment-for" href="#ac-9_smt"/>
       </part>
       <part id="ac-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6276,6 +6546,7 @@
         <part id="ac-9.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-09(01)"/>
           <p>the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.</p>
+          <link rel="assessment-for" href="#ac-9.1_smt"/>
         </part>
         <part id="ac-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6340,6 +6611,7 @@
         <part id="ac-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-09(02)"/>
           <p>the user is notified, upon successful logon, of the number of <insert type="param" id-ref="ac-09.02_odp.01"/> during <insert type="param" id-ref="ac-09.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-9.2_smt"/>
         </part>
         <part id="ac-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6404,6 +6676,7 @@
         <part id="ac-9.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-09(03)"/>
           <p>the user is notified, upon successful logon, of changes to <insert type="param" id-ref="ac-09.03_odp.01"/> during <insert type="param" id-ref="ac-09.03_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-9.3_smt"/>
         </part>
         <part id="ac-9.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6459,6 +6732,7 @@
         <part id="ac-9.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-09(04)"/>
           <p>the user is notified, upon successful logon, of <insert type="param" id-ref="ac-09.04_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-9.4_smt"/>
         </part>
         <part id="ac-9.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6524,6 +6798,7 @@
       <part id="ac-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-10"/>
         <p>the number of concurrent sessions for each <insert type="param" id-ref="ac-10_odp.01"/> is limited to <insert type="param" id-ref="ac-10_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ac-10_smt"/>
       </part>
       <part id="ac-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6599,11 +6874,14 @@
         <part id="ac-11_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-11a."/>
           <p>further access to the system is prevented by <insert type="param" id-ref="ac-11_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ac-11_smt.a"/>
         </part>
         <part id="ac-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-11b."/>
           <p>device lock is retained until the user re-establishes access using established identification and authentication procedures.</p>
+          <link rel="assessment-for" href="#ac-11_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-11_smt"/>
       </part>
       <part id="ac-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6651,6 +6929,7 @@
         <part id="ac-11.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-11(01)"/>
           <p>information previously visible on the display is concealed, via device lock, with a publicly viewable image.</p>
+          <link rel="assessment-for" href="#ac-11.1_smt"/>
         </part>
         <part id="ac-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6710,6 +6989,7 @@
       <part id="ac-12_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-12"/>
         <p>a user session is automatically terminated after <insert type="param" id-ref="ac-12_odp"/>.</p>
+        <link rel="assessment-for" href="#ac-12_smt"/>
       </part>
       <part id="ac-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6766,6 +7046,7 @@
         <part id="ac-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-12(01)"/>
           <p>a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to <insert type="param" id-ref="ac-12.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-12.1_smt"/>
         </part>
         <part id="ac-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6815,6 +7096,7 @@
         <part id="ac-12.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-12(02)"/>
           <p>an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.</p>
+          <link rel="assessment-for" href="#ac-12.2_smt"/>
         </part>
         <part id="ac-12.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6873,6 +7155,7 @@
         <part id="ac-12.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-12(03)"/>
           <p>an explicit message to users is displayed indicating that the session will end in <insert type="param" id-ref="ac-12.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-12.3_smt"/>
         </part>
         <part id="ac-12.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -6951,18 +7234,23 @@
         <part id="ac-14_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-14a."/>
           <p><insert type="param" id-ref="ac-14_odp"/> that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;</p>
+          <link rel="assessment-for" href="#ac-14_smt.a"/>
         </part>
         <part id="ac-14_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-14b."/>
           <part id="ac-14_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-14b.[01]"/>
             <p>user actions not requiring identification or authentication are documented in the security plan for the system;</p>
+            <link rel="assessment-for" href="#ac-14_smt.b"/>
           </part>
           <part id="ac-14_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-14b.[02]"/>
             <p>a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.</p>
+            <link rel="assessment-for" href="#ac-14_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-14_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-14_smt"/>
       </part>
       <part id="ac-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7177,53 +7465,68 @@
           <part id="ac-16_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16a.[01]"/>
             <p>the means to associate <insert type="param" id-ref="ac-16_odp.01"/> with <insert type="param" id-ref="ac-16_odp.03"/> for information in storage, in process, and/or in transmission are provided;</p>
+            <link rel="assessment-for" href="#ac-16_smt.a"/>
           </part>
           <part id="ac-16_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16a.[02]"/>
             <p>the means to associate <insert type="param" id-ref="ac-16_odp.02"/> with <insert type="param" id-ref="ac-16_odp.04"/> for information in storage, in process, and/or in transmission are provided;</p>
+            <link rel="assessment-for" href="#ac-16_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ac-16_smt.a"/>
         </part>
         <part id="ac-16_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-16b."/>
           <part id="ac-16_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16b.[01]"/>
             <p>attribute associations are made;</p>
+            <link rel="assessment-for" href="#ac-16_smt.b"/>
           </part>
           <part id="ac-16_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16b.[02]"/>
             <p>attribute associations are retained with the information;</p>
+            <link rel="assessment-for" href="#ac-16_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-16_smt.b"/>
         </part>
         <part id="ac-16_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-16c."/>
           <part id="ac-16_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16c.[01]"/>
             <p>the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for <insert type="param" id-ref="ac-16_odp.05"/>: <insert type="param" id-ref="ac-16_odp.07"/>;</p>
+            <link rel="assessment-for" href="#ac-16_smt.c"/>
           </part>
           <part id="ac-16_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16c.[02]"/>
             <p>the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for <insert type="param" id-ref="ac-16_odp.06"/>: <insert type="param" id-ref="ac-16_odp.08"/>;</p>
+            <link rel="assessment-for" href="#ac-16_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ac-16_smt.c"/>
         </part>
         <part id="ac-16_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-16d."/>
           <p>the following permitted attribute values or ranges for each of the established attributes are determined: <insert type="param" id-ref="ac-16_odp.09"/>;</p>
+          <link rel="assessment-for" href="#ac-16_smt.d"/>
         </part>
         <part id="ac-16_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-16e."/>
           <p>changes to attributes are audited;</p>
+          <link rel="assessment-for" href="#ac-16_smt.e"/>
         </part>
         <part id="ac-16_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-16f."/>
           <part id="ac-16_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16f.[01]"/>
             <p><insert type="param" id-ref="ac-16_odp.07"/> are reviewed for applicability <insert type="param" id-ref="ac-16_odp.10"/>;</p>
+            <link rel="assessment-for" href="#ac-16_smt.f"/>
           </part>
           <part id="ac-16_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16f.[02]"/>
             <p><insert type="param" id-ref="ac-16_odp.08"/> are reviewed for applicability <insert type="param" id-ref="ac-16_odp.11"/>.</p>
+            <link rel="assessment-for" href="#ac-16_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#ac-16_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#ac-16_smt"/>
       </part>
       <part id="ac-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7327,19 +7630,24 @@
           <part id="ac-16.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(01)[01]"/>
             <p>security attributes are dynamically associated with <insert type="param" id-ref="ac-16.01_odp.01"/> in accordance with the following security policies as information is created and combined: <insert type="param" id-ref="ac-16.01_odp.05"/>;</p>
+            <link rel="assessment-for" href="#ac-16.1_smt"/>
           </part>
           <part id="ac-16.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(01)[02]"/>
             <p>security attributes are dynamically associated with <insert type="param" id-ref="ac-16.01_odp.02"/> in accordance with the following security policies as information is created and combined: <insert type="param" id-ref="ac-16.01_odp.05"/>;</p>
+            <link rel="assessment-for" href="#ac-16.1_smt"/>
           </part>
           <part id="ac-16.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(01)[03]"/>
             <p>privacy attributes are dynamically associated with <insert type="param" id-ref="ac-16.01_odp.03"/> in accordance with the following privacy policies as information is created and combined: <insert type="param" id-ref="ac-16.01_odp.06"/>;</p>
+            <link rel="assessment-for" href="#ac-16.1_smt"/>
           </part>
           <part id="ac-16.1_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(01)[04]"/>
             <p>privacy attributes are dynamically associated with <insert type="param" id-ref="ac-16.01_odp.04"/> in accordance with the following privacy policies as information is created and combined: <insert type="param" id-ref="ac-16.01_odp.06"/>.</p>
+            <link rel="assessment-for" href="#ac-16.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.1_smt"/>
         </part>
         <part id="ac-16.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7390,11 +7698,14 @@
           <part id="ac-16.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(02)[01]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;</p>
+            <link rel="assessment-for" href="#ac-16.2_smt"/>
           </part>
           <part id="ac-16.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(02)[02]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.</p>
+            <link rel="assessment-for" href="#ac-16.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.2_smt"/>
         </part>
         <part id="ac-16.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7500,19 +7811,24 @@
           <part id="ac-16.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(03)[01]"/>
             <p>the association and integrity of <insert type="param" id-ref="ac-16.03_odp.01"/> to <insert type="param" id-ref="ac-16.03_odp.03"/> is maintained;</p>
+            <link rel="assessment-for" href="#ac-16.3_smt"/>
           </part>
           <part id="ac-16.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(03)[02]"/>
             <p>the association and integrity of <insert type="param" id-ref="ac-16.03_odp.01"/> to <insert type="param" id-ref="ac-16.03_odp.04"/> is maintained.</p>
+            <link rel="assessment-for" href="#ac-16.3_smt"/>
           </part>
           <part id="ac-16.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(03)[03]"/>
             <p>the association and integrity of <insert type="param" id-ref="ac-16.03_odp.02"/> to <insert type="param" id-ref="ac-16.03_odp.05"/> is maintained;</p>
+            <link rel="assessment-for" href="#ac-16.3_smt"/>
           </part>
           <part id="ac-16.3_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(03)[04]"/>
             <p>the association and integrity of <insert type="param" id-ref="ac-16.03_odp.02"/> to <insert type="param" id-ref="ac-16.03_odp.06"/> is maintained.</p>
+            <link rel="assessment-for" href="#ac-16.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.3_smt"/>
         </part>
         <part id="ac-16.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7632,19 +7948,24 @@
           <part id="ac-16.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(04)[01]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate <insert type="param" id-ref="ac-16.04_odp.01"/> with <insert type="param" id-ref="ac-16.04_odp.05"/>;</p>
+            <link rel="assessment-for" href="#ac-16.4_smt"/>
           </part>
           <part id="ac-16.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(04)[02]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate <insert type="param" id-ref="ac-16.04_odp.02"/> with <insert type="param" id-ref="ac-16.04_odp.06"/>;</p>
+            <link rel="assessment-for" href="#ac-16.4_smt"/>
           </part>
           <part id="ac-16.4_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(04)[03]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate <insert type="param" id-ref="ac-16.04_odp.03"/> with <insert type="param" id-ref="ac-16.04_odp.07"/>;</p>
+            <link rel="assessment-for" href="#ac-16.4_smt"/>
           </part>
           <part id="ac-16.4_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(04)[04]"/>
             <p>authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate <insert type="param" id-ref="ac-16.04_odp.04"/> with <insert type="param" id-ref="ac-16.04_odp.08"/>.</p>
+            <link rel="assessment-for" href="#ac-16.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.4_smt"/>
         </part>
         <part id="ac-16.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7715,11 +8036,14 @@
           <part id="ac-16.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(05)[01]"/>
             <p>security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify <insert type="param" id-ref="ac-16.05_odp.01"/> using <insert type="param" id-ref="ac-16.05_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ac-16.5_smt"/>
           </part>
           <part id="ac-16.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(05)[02]"/>
             <p>privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify <insert type="param" id-ref="ac-16.05_odp.01"/> using <insert type="param" id-ref="ac-16.05_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-16.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.5_smt"/>
         </part>
         <part id="ac-16.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7860,19 +8184,24 @@
           <part id="ac-16.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(06)[01]"/>
             <p>personnel are required to associate and maintain the association of <insert type="param" id-ref="ac-16.06_odp.01"/> with <insert type="param" id-ref="ac-16.06_odp.05"/> in accordance with <insert type="param" id-ref="ac-16.06_odp.09"/>;</p>
+            <link rel="assessment-for" href="#ac-16.6_smt"/>
           </part>
           <part id="ac-16.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(06)[02]"/>
             <p>personnel are required to associate and maintain the association of <insert type="param" id-ref="ac-16.06_odp.02"/> with <insert type="param" id-ref="ac-16.06_odp.06"/> in accordance with <insert type="param" id-ref="ac-16.06_odp.09"/>;</p>
+            <link rel="assessment-for" href="#ac-16.6_smt"/>
           </part>
           <part id="ac-16.6_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(06)[03]"/>
             <p>personnel are required to associate and maintain the association of <insert type="param" id-ref="ac-16.06_odp.03"/> with <insert type="param" id-ref="ac-16.06_odp.07"/> in accordance with <insert type="param" id-ref="ac-16.06_odp.10"/>;</p>
+            <link rel="assessment-for" href="#ac-16.6_smt"/>
           </part>
           <part id="ac-16.6_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(06)[04]"/>
             <p>personnel are required to associate and maintain the association of <insert type="param" id-ref="ac-16.06_odp.04"/> with <insert type="param" id-ref="ac-16.06_odp.08"/> in accordance with <insert type="param" id-ref="ac-16.06_odp.10"/>.</p>
+            <link rel="assessment-for" href="#ac-16.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.6_smt"/>
         </part>
         <part id="ac-16.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7920,11 +8249,14 @@
           <part id="ac-16.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(07)[01]"/>
             <p>a consistent interpretation of security attributes transmitted between distributed system components is provided;</p>
+            <link rel="assessment-for" href="#ac-16.7_smt"/>
           </part>
           <part id="ac-16.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(07)[02]"/>
             <p>a consistent interpretation of privacy attributes transmitted between distributed system components is provided.</p>
+            <link rel="assessment-for" href="#ac-16.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.7_smt"/>
         </part>
         <part id="ac-16.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -7998,11 +8330,14 @@
           <part id="ac-16.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(08)[01]"/>
             <p><insert type="param" id-ref="ac-16.08_odp.01"/> are implemented in associating security attributes to information;</p>
+            <link rel="assessment-for" href="#ac-16.8_smt"/>
           </part>
           <part id="ac-16.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(08)[02]"/>
             <p><insert type="param" id-ref="ac-16.08_odp.02"/> are implemented in associating privacy attributes to information.</p>
+            <link rel="assessment-for" href="#ac-16.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.8_smt"/>
         </part>
         <part id="ac-16.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8072,11 +8407,14 @@
           <part id="ac-16.9_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(09)[01]"/>
             <p>security attributes associated with information are changed only via regrading mechanisms validated using <insert type="param" id-ref="ac-16.09_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ac-16.9_smt"/>
           </part>
           <part id="ac-16.9_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(09)[02]"/>
             <p>privacy attributes associated with information are changed only via regrading mechanisms validated using <insert type="param" id-ref="ac-16.09_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-16.9_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.9_smt"/>
         </part>
         <part id="ac-16.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8127,11 +8465,14 @@
           <part id="ac-16.10_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(10)[01]"/>
             <p>authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;</p>
+            <link rel="assessment-for" href="#ac-16.10_smt"/>
           </part>
           <part id="ac-16.10_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-16(10)[02]"/>
             <p>authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.</p>
+            <link rel="assessment-for" href="#ac-16.10_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-16.10_smt"/>
         </part>
         <part id="ac-16.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8216,20 +8557,26 @@
           <part id="ac-17_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17a.[01]"/>
             <p>usage restrictions are established and documented for each type of remote access allowed;</p>
+            <link rel="assessment-for" href="#ac-17_smt.a"/>
           </part>
           <part id="ac-17_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17a.[02]"/>
             <p>configuration/connection requirements are established and documented for each type of remote access allowed;</p>
+            <link rel="assessment-for" href="#ac-17_smt.a"/>
           </part>
           <part id="ac-17_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17a.[03]"/>
             <p>implementation guidance is established and documented for each type of remote access allowed;</p>
+            <link rel="assessment-for" href="#ac-17_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ac-17_smt.a"/>
         </part>
         <part id="ac-17_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17b."/>
           <p>each type of remote access to the system is authorized prior to allowing such connections.</p>
+          <link rel="assessment-for" href="#ac-17_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-17_smt"/>
       </part>
       <part id="ac-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8284,11 +8631,14 @@
           <part id="ac-17.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17(01)[01]"/>
             <p>automated mechanisms are employed to monitor remote access methods;</p>
+            <link rel="assessment-for" href="#ac-17.1_smt"/>
           </part>
           <part id="ac-17.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17(01)[02]"/>
             <p>automated mechanisms are employed to control remote access methods.</p>
+            <link rel="assessment-for" href="#ac-17.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-17.1_smt"/>
         </part>
         <part id="ac-17.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8340,6 +8690,7 @@
         <part id="ac-17.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17(02)"/>
           <p>cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.</p>
+          <link rel="assessment-for" href="#ac-17.2_smt"/>
         </part>
         <part id="ac-17.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8389,6 +8740,7 @@
         <part id="ac-17.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17(03)"/>
           <p>remote accesses are routed through authorized and managed network access control points.</p>
+          <link rel="assessment-for" href="#ac-17.3_smt"/>
         </part>
         <part id="ac-17.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8469,24 +8821,31 @@
             <part id="ac-17.4_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-17(04)(a)[01]"/>
               <p>the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;</p>
+              <link rel="assessment-for" href="#ac-17.4_smt.a"/>
             </part>
             <part id="ac-17.4_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-17(04)(a)[02]"/>
               <p>access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;</p>
+              <link rel="assessment-for" href="#ac-17.4_smt.a"/>
             </part>
             <part id="ac-17.4_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-17(04)(a)[03]"/>
               <p>the execution of privileged commands via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.01"/>;</p>
+              <link rel="assessment-for" href="#ac-17.4_smt.a"/>
             </part>
             <part id="ac-17.4_obj.a-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-17(04)(a)[04]"/>
               <p>access to security-relevant information via remote access is authorized only for the following needs: <insert type="param" id-ref="ac-17.04_odp.02"/>;</p>
+              <link rel="assessment-for" href="#ac-17.4_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ac-17.4_smt.a"/>
           </part>
           <part id="ac-17.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-17(04)(b)"/>
             <p>the rationale for remote access is documented in the security plan for the system.</p>
+            <link rel="assessment-for" href="#ac-17.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-17.4_smt"/>
         </part>
         <part id="ac-17.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8544,6 +8903,7 @@
         <part id="ac-17.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17(06)"/>
           <p>information about remote access mechanisms is protected from unauthorized use and disclosure.</p>
+          <link rel="assessment-for" href="#ac-17.6_smt"/>
         </part>
         <part id="ac-17.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8605,6 +8965,7 @@
         <part id="ac-17.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17(09)"/>
           <p>the capability to disconnect or disable remote access to the system within <insert type="param" id-ref="ac-17.09_odp"/> is provided.</p>
+          <link rel="assessment-for" href="#ac-17.9_smt"/>
         </part>
         <part id="ac-17.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8671,6 +9032,7 @@
         <part id="ac-17.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-17(10)"/>
           <p><insert type="param" id-ref="ac-17.10_odp.01"/> are implemented to authenticate <insert type="param" id-ref="ac-17.10_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-17.10_smt"/>
         </part>
         <part id="ac-17.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8744,20 +9106,26 @@
           <part id="ac-18_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18a.[01]"/>
             <p>configuration requirements are established for each type of wireless access;</p>
+            <link rel="assessment-for" href="#ac-18_smt.a"/>
           </part>
           <part id="ac-18_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18a.[02]"/>
             <p>connection requirements are established for each type of wireless access;</p>
+            <link rel="assessment-for" href="#ac-18_smt.a"/>
           </part>
           <part id="ac-18_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18a.[03]"/>
             <p>implementation guidance is established for each type of wireless access;</p>
+            <link rel="assessment-for" href="#ac-18_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ac-18_smt.a"/>
         </part>
         <part id="ac-18_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-18b."/>
           <p>each type of wireless access to the system is authorized prior to allowing such connections.</p>
+          <link rel="assessment-for" href="#ac-18_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-18_smt"/>
       </part>
       <part id="ac-18_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8818,11 +9186,14 @@
           <part id="ac-18.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(01)[01]"/>
             <p>wireless access to the system is protected using authentication of <insert type="param" id-ref="ac-18.01_odp"/>;</p>
+            <link rel="assessment-for" href="#ac-18.1_smt"/>
           </part>
           <part id="ac-18.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(01)[02]"/>
             <p>wireless access to the system is protected using encryption.</p>
+            <link rel="assessment-for" href="#ac-18.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-18.1_smt"/>
         </part>
         <part id="ac-18.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8879,6 +9250,7 @@
         <part id="ac-18.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-18(03)"/>
           <p>when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.</p>
+          <link rel="assessment-for" href="#ac-18.3_smt"/>
         </part>
         <part id="ac-18.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8929,11 +9301,14 @@
           <part id="ac-18.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(04)[01]"/>
             <p>users allowed to independently configure wireless networking capabilities are identified;</p>
+            <link rel="assessment-for" href="#ac-18.4_smt"/>
           </part>
           <part id="ac-18.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(04)[02]"/>
             <p>users allowed to independently configure wireless networking capabilities are explicitly authorized.</p>
+            <link rel="assessment-for" href="#ac-18.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-18.4_smt"/>
         </part>
         <part id="ac-18.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -8983,11 +9358,14 @@
           <part id="ac-18.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(05)[01]"/>
             <p>radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;</p>
+            <link rel="assessment-for" href="#ac-18.5_smt"/>
           </part>
           <part id="ac-18.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-18(05)[02]"/>
             <p>transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.</p>
+            <link rel="assessment-for" href="#ac-18.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-18.5_smt"/>
         </part>
         <part id="ac-18.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9073,20 +9451,26 @@
           <part id="ac-19_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19a.[01]"/>
             <p>configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+            <link rel="assessment-for" href="#ac-19_smt.a"/>
           </part>
           <part id="ac-19_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19a.[02]"/>
             <p>connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+            <link rel="assessment-for" href="#ac-19_smt.a"/>
           </part>
           <part id="ac-19_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19a.[03]"/>
             <p>implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;</p>
+            <link rel="assessment-for" href="#ac-19_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ac-19_smt.a"/>
         </part>
         <part id="ac-19_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-19b."/>
           <p>the connection of mobile devices to organizational systems is authorized.</p>
+          <link rel="assessment-for" href="#ac-19_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-19_smt"/>
       </part>
       <part id="ac-19_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9207,37 +9591,47 @@
           <part id="ac-19.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19(04)(a)"/>
             <p>the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;</p>
+            <link rel="assessment-for" href="#ac-19.4_smt.a"/>
           </part>
           <part id="ac-19.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19(04)(b)"/>
             <part id="ac-19.4_obj.b.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-19(04)(b)(01)"/>
               <p>prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;</p>
+              <link rel="assessment-for" href="#ac-19.4_smt.b.1"/>
             </part>
             <part id="ac-19.4_obj.b.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-19(04)(b)(02)"/>
               <p>approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;</p>
+              <link rel="assessment-for" href="#ac-19.4_smt.b.2"/>
             </part>
             <part id="ac-19.4_obj.b.3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-19(04)(b)(03)"/>
               <p>prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;</p>
+              <link rel="assessment-for" href="#ac-19.4_smt.b.3"/>
             </part>
             <part id="ac-19.4_obj.b.4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AC-19(04)(b)(04)"/>
               <part id="ac-19.4_obj.b.4-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-19(04)(b)(04)[01]"/>
                 <p>random review and inspection of unclassified mobile devices and the information stored on those devices by <insert type="param" id-ref="ac-19.04_odp.01"/> are enforced;</p>
+                <link rel="assessment-for" href="#ac-19.4_smt.b.4"/>
               </part>
               <part id="ac-19.4_obj.b.4-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AC-19(04)(b)(04)[02]"/>
                 <p>following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;</p>
+                <link rel="assessment-for" href="#ac-19.4_smt.b.4"/>
               </part>
+              <link rel="assessment-for" href="#ac-19.4_smt.b.4"/>
             </part>
+            <link rel="assessment-for" href="#ac-19.4_smt.b"/>
           </part>
           <part id="ac-19.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-19(04)(c)"/>
             <p>the connection of classified mobile devices to classified systems is restricted in accordance with <insert type="param" id-ref="ac-19.04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ac-19.4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ac-19.4_smt"/>
         </part>
         <part id="ac-19.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9308,6 +9702,7 @@
         <part id="ac-19.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-19(05)"/>
           <p><insert type="param" id-ref="ac-19.05_odp.01"/> is employed to protect the confidentiality and integrity of information on <insert type="param" id-ref="ac-19.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ac-19.5_smt"/>
         </part>
         <part id="ac-19.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9421,18 +9816,23 @@
         <part id="ac-20_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20a."/>
           <part id="ac-20_obj.a.1" name="assessment-objective">
-            <prop name="label" class="sp800-53a" value="AC-20a.1"/>
+            <prop name="label" class="sp800-53a" value="AC-20a.01"/>
             <p><insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);</p>
+            <link rel="assessment-for" href="#ac-20_smt.a.1"/>
           </part>
           <part id="ac-20_obj.a.2" name="assessment-objective">
-            <prop name="label" class="sp800-53a" value="AC-20a.2"/>
+            <prop name="label" class="sp800-53a" value="AC-20a.02"/>
             <p><insert type="param" id-ref="ac-20_odp.01"/> is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);</p>
+            <link rel="assessment-for" href="#ac-20_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#ac-20_smt.a"/>
         </part>
         <part id="ac-20_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20b."/>
           <p>the use of <insert type="param" id-ref="ac-20_odp.04"/> is prohibited (if applicable).</p>
+          <link rel="assessment-for" href="#ac-20_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-20_smt"/>
       </part>
       <part id="ac-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9491,11 +9891,14 @@
           <part id="ac-20.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-20(01)(a)"/>
             <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);</p>
+            <link rel="assessment-for" href="#ac-20.1_smt.a"/>
           </part>
           <part id="ac-20.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-20(01)(b)"/>
             <p>authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).</p>
+            <link rel="assessment-for" href="#ac-20.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ac-20.1_smt"/>
         </part>
         <part id="ac-20.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9551,6 +9954,7 @@
         <part id="ac-20.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20(02)"/>
           <p>the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using <insert type="param" id-ref="ac-20.02_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-20.2_smt"/>
         </part>
         <part id="ac-20.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9606,6 +10010,7 @@
         <part id="ac-20.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20(03)"/>
           <p>the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using <insert type="param" id-ref="ac-20.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ac-20.3_smt"/>
         </part>
         <part id="ac-20.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9662,6 +10067,7 @@
         <part id="ac-20.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20(04)"/>
           <p>the use of <insert type="param" id-ref="ac-20.04_odp"/> is prohibited in external systems.</p>
+          <link rel="assessment-for" href="#ac-20.4_smt"/>
         </part>
         <part id="ac-20.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9715,6 +10121,7 @@
         <part id="ac-20.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-20(05)"/>
           <p>the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.</p>
+          <link rel="assessment-for" href="#ac-20.5_smt"/>
         </part>
         <part id="ac-20.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9793,11 +10200,14 @@
         <part id="ac-21_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-21a."/>
           <p>authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for <insert type="param" id-ref="ac-21_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ac-21_smt.a"/>
         </part>
         <part id="ac-21_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-21b."/>
           <p><insert type="param" id-ref="ac-21_odp.02"/> are employed to assist users in making information-sharing and collaboration decisions.</p>
+          <link rel="assessment-for" href="#ac-21_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ac-21_smt"/>
       </part>
       <part id="ac-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9859,6 +10269,7 @@
         <part id="ac-21.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-21(01)"/>
           <p><insert type="param" id-ref="ac-21.01_odp"/> are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.</p>
+          <link rel="assessment-for" href="#ac-21.1_smt"/>
         </part>
         <part id="ac-21.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9917,6 +10328,7 @@
         <part id="ac-21.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-21(02)"/>
           <p>information search and retrieval services that enforce <insert type="param" id-ref="ac-21.02_odp"/> are implemented.</p>
+          <link rel="assessment-for" href="#ac-21.2_smt"/>
         </part>
         <part id="ac-21.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -9997,26 +10409,33 @@
         <part id="ac-22_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-22a."/>
           <p>designated individuals are authorized to make information publicly accessible;</p>
+          <link rel="assessment-for" href="#ac-22_smt.a"/>
         </part>
         <part id="ac-22_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-22b."/>
           <p>authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;</p>
+          <link rel="assessment-for" href="#ac-22_smt.b"/>
         </part>
         <part id="ac-22_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-22c."/>
           <p>the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;</p>
+          <link rel="assessment-for" href="#ac-22_smt.c"/>
         </part>
         <part id="ac-22_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-22d."/>
           <part id="ac-22_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-22d.[01]"/>
             <p>the content on the publicly accessible system is reviewed for non-public information <insert type="param" id-ref="ac-22_odp"/>;</p>
+            <link rel="assessment-for" href="#ac-22_smt.d"/>
           </part>
           <part id="ac-22_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-22d.[02]"/>
             <p>non-public information is removed from the publicly accessible system, if discovered.</p>
+            <link rel="assessment-for" href="#ac-22_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ac-22_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#ac-22_smt"/>
       </part>
       <part id="ac-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10087,6 +10506,7 @@
       <part id="ac-23_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-23"/>
         <p><insert type="param" id-ref="ac-23_odp.01"/> are employed for <insert type="param" id-ref="ac-23_odp.02"/> to detect and protect against unauthorized data mining.</p>
+        <link rel="assessment-for" href="#ac-23_smt"/>
       </part>
       <part id="ac-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10161,6 +10581,7 @@
       <part id="ac-24_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-24"/>
         <p><insert type="param" id-ref="ac-24_odp.01"/> are taken to ensure that <insert type="param" id-ref="ac-24_odp.02"/> are applied to each access request prior to access enforcement.</p>
+        <link rel="assessment-for" href="#ac-24_smt"/>
       </part>
       <part id="ac-24_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10231,6 +10652,7 @@
         <part id="ac-24.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AC-24(01)"/>
           <p><insert type="param" id-ref="ac-24.01_odp.01"/> is transmitted using <insert type="param" id-ref="ac-24.01_odp.02"/> to <insert type="param" id-ref="ac-24.01_odp.03"/> that enforce access control decisions.</p>
+          <link rel="assessment-for" href="#ac-24.1_smt"/>
         </part>
         <part id="ac-24.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10300,11 +10722,14 @@
           <part id="ac-24.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-24(02)[01]"/>
             <p>access control decisions are enforced based on <insert type="param" id-ref="ac-24.02_odp.01"/> that do not include the identity of the user or process acting on behalf of the user (if selected);</p>
+            <link rel="assessment-for" href="#ac-24.2_smt"/>
           </part>
           <part id="ac-24.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AC-24(02)[02]"/>
             <p>access control decisions are enforced based on <insert type="param" id-ref="ac-24.02_odp.02"/> that do not include the identity of the user or process acting on behalf of the user (if selected).</p>
+            <link rel="assessment-for" href="#ac-24.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#ac-24.2_smt"/>
         </part>
         <part id="ac-24.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10371,6 +10796,7 @@
       <part id="ac-25_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AC-25"/>
         <p>a reference monitor is implemented for <insert type="param" id-ref="ac-25_odp"/> that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.</p>
+        <link rel="assessment-for" href="#ac-25_smt"/>
       </part>
       <part id="ac-25_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10538,18 +10964,22 @@
           <part id="at-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01a.[01]"/>
             <p>an awareness and training policy is developed and documented; </p>
+            <link rel="assessment-for" href="#at-1_smt.a"/>
           </part>
           <part id="at-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01a.[02]"/>
             <p>the awareness and training policy is disseminated to <insert type="param" id-ref="at-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#at-1_smt.a"/>
           </part>
           <part id="at-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01a.[03]"/>
             <p>awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;</p>
+            <link rel="assessment-for" href="#at-1_smt.a"/>
           </part>
           <part id="at-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01a.[04]"/>
             <p>the awareness and training procedures are disseminated to <insert type="param" id-ref="at-01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#at-1_smt.a"/>
           </part>
           <part id="at-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01a.01"/>
@@ -10558,41 +10988,53 @@
               <part id="at-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses purpose;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses scope;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses roles;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
               <part id="at-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AT-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy addresses compliance; and</p>
+                <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#at-1_smt.a.1.a"/>
             </part>
             <part id="at-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-01a.01(b)"/>
               <p>the <insert type="param" id-ref="at-01_odp.03"/> awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and</p>
+              <link rel="assessment-for" href="#at-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#at-1_smt.a"/>
         </part>
         <part id="at-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-01b."/>
           <p>the <insert type="param" id-ref="at-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;</p>
+          <link rel="assessment-for" href="#at-1_smt.b"/>
         </part>
         <part id="at-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-01c."/>
@@ -10601,24 +11043,32 @@
             <part id="at-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-01c.01[01]"/>
               <p>the current awareness and training policy is reviewed and updated <insert type="param" id-ref="at-01_odp.05"/>; </p>
+              <link rel="assessment-for" href="#at-1_smt.c.1"/>
             </part>
             <part id="at-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-01c.01[02]"/>
               <p>the current awareness and training policy is reviewed and updated following <insert type="param" id-ref="at-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#at-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt.c.1"/>
           </part>
           <part id="at-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-01c.02"/>
             <part id="at-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-01c.02[01]"/>
               <p>the current awareness and training procedures are reviewed and updated <insert type="param" id-ref="at-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#at-1_smt.c.2"/>
             </part>
             <part id="at-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-01c.02[02]"/>
               <p>the current awareness and training procedures are reviewed and updated following <insert type="param" id-ref="at-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#at-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#at-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#at-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#at-1_smt"/>
       </part>
       <part id="at-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10769,51 +11219,66 @@
             <part id="at-2_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.01[01]"/>
               <p>security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.1"/>
             </part>
             <part id="at-2_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.01[02]"/>
               <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.1"/>
             </part>
             <part id="at-2_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.01[03]"/>
               <p>security literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.01"/> thereafter;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.1"/>
             </part>
             <part id="at-2_obj.a.1-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.01[04]"/>
               <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) <insert type="param" id-ref="at-02_odp.02"/> thereafter;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt.a.1"/>
           </part>
           <part id="at-2_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02a.02"/>
             <part id="at-2_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.02[01]"/>
               <p>security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.03"/>;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.2"/>
             </part>
             <part id="at-2_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-02a.02[02]"/>
               <p>privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following <insert type="param" id-ref="at-02_odp.04"/>;</p>
+              <link rel="assessment-for" href="#at-2_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#at-2_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#at-2_smt.a"/>
         </part>
         <part id="at-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02b."/>
           <p><insert type="param" id-ref="at-02_odp.05"/> are employed to increase the security and privacy awareness of system users;</p>
+          <link rel="assessment-for" href="#at-2_smt.b"/>
         </part>
         <part id="at-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02c."/>
           <part id="at-2_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02c.[01]"/>
             <p>literacy training and awareness content is updated <insert type="param" id-ref="at-02_odp.06"/>;</p>
+            <link rel="assessment-for" href="#at-2_smt.c"/>
           </part>
           <part id="at-2_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02c.[02]"/>
             <p>literacy training and awareness content is updated following <insert type="param" id-ref="at-02_odp.07"/>;</p>
+            <link rel="assessment-for" href="#at-2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#at-2_smt.c"/>
         </part>
         <part id="at-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02d."/>
           <p>lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.</p>
+          <link rel="assessment-for" href="#at-2_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#at-2_smt"/>
       </part>
       <part id="at-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10867,6 +11332,7 @@
         <part id="at-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02(01)"/>
           <p>practical exercises in literacy training that simulate events and incidents are provided.</p>
+          <link rel="assessment-for" href="#at-2.1_smt"/>
         </part>
         <part id="at-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10918,11 +11384,14 @@
           <part id="at-2.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(02)[01]"/>
             <p>literacy training on recognizing potential indicators of insider threat is provided;</p>
+            <link rel="assessment-for" href="#at-2.2_smt"/>
           </part>
           <part id="at-2.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(02)[02]"/>
             <p>literacy training on reporting potential indicators of insider threat is provided.</p>
+            <link rel="assessment-for" href="#at-2.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#at-2.2_smt"/>
         </part>
         <part id="at-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -10966,19 +11435,24 @@
           <part id="at-2.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(03)[01]"/>
             <p>literacy training on recognizing potential and actual instances of social engineering is provided;</p>
+            <link rel="assessment-for" href="#at-2.3_smt"/>
           </part>
           <part id="at-2.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(03)[02]"/>
             <p>literacy training on reporting potential and actual instances of social engineering is provided;</p>
+            <link rel="assessment-for" href="#at-2.3_smt"/>
           </part>
           <part id="at-2.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(03)[03]"/>
             <p>literacy training on recognizing potential and actual instances of social mining is provided;</p>
+            <link rel="assessment-for" href="#at-2.3_smt"/>
           </part>
           <part id="at-2.3_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(03)[04]"/>
             <p>literacy training on reporting potential and actual instances of social mining is provided.</p>
+            <link rel="assessment-for" href="#at-2.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#at-2.3_smt"/>
         </part>
         <part id="at-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11028,6 +11502,7 @@
         <part id="at-2.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02(04)"/>
           <p>literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using <insert type="param" id-ref="at-02.04_odp"/> is provided.</p>
+          <link rel="assessment-for" href="#at-2.4_smt"/>
         </part>
         <part id="at-2.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11069,6 +11544,7 @@
         <part id="at-2.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-02(05)"/>
           <p>literacy training on the advanced persistent threat is provided.</p>
+          <link rel="assessment-for" href="#at-2.5_smt"/>
         </part>
         <part id="at-2.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11120,11 +11596,14 @@
           <part id="at-2.6_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(06)(a)"/>
             <p>literacy training on the cyber threat environment is provided;</p>
+            <link rel="assessment-for" href="#at-2.6_smt.a"/>
           </part>
           <part id="at-2.6_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-02(06)(b)"/>
             <p>system operations reflects current cyber threat information.</p>
+            <link rel="assessment-for" href="#at-2.6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#at-2.6_smt"/>
         </part>
         <part id="at-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11260,47 +11739,61 @@
             <part id="at-3_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.01[01]"/>
               <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> before authorizing access to the system, information, or performing assigned duties;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.1"/>
             </part>
             <part id="at-3_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.01[02]"/>
               <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> before authorizing access to the system, information, or performing assigned duties;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.1"/>
             </part>
             <part id="at-3_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.01[03]"/>
               <p>role-based security training is provided to <insert type="param" id-ref="at-03_odp.01"/> <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.1"/>
             </part>
             <part id="at-3_obj.a.1-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.01[04]"/>
               <p>role-based privacy training is provided to <insert type="param" id-ref="at-03_odp.02"/> <insert type="param" id-ref="at-03_odp.03"/> thereafter;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt.a.1"/>
           </part>
           <part id="at-3_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-03a.02"/>
             <part id="at-3_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.02[01]"/>
               <p>role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.2"/>
             </part>
             <part id="at-3_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AT-03a.02[02]"/>
               <p>role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;</p>
+              <link rel="assessment-for" href="#at-3_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#at-3_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#at-3_smt.a"/>
         </part>
         <part id="at-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-03b."/>
           <part id="at-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-03b.[01]"/>
             <p>role-based training content is updated <insert type="param" id-ref="at-03_odp.04"/>;</p>
+            <link rel="assessment-for" href="#at-3_smt.b"/>
           </part>
           <part id="at-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-03b.[02]"/>
             <p>role-based training content is updated following <insert type="param" id-ref="at-03_odp.05"/>;</p>
+            <link rel="assessment-for" href="#at-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#at-3_smt.b"/>
         </part>
         <part id="at-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-03c."/>
           <p>lessons learned from internal or external security incidents or breaches are incorporated into role-based training.</p>
+          <link rel="assessment-for" href="#at-3_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#at-3_smt"/>
       </part>
       <part id="at-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11370,6 +11863,7 @@
         <part id="at-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-03(01)"/>
           <p><insert type="param" id-ref="at-03.01_odp.01"/> are provided with initial and refresher training <insert type="param" id-ref="at-03.01_odp.02"/> in the employment and operation of environmental controls.</p>
+          <link rel="assessment-for" href="#at-3.1_smt"/>
         </part>
         <part id="at-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11430,6 +11924,7 @@
         <part id="at-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-03(02)"/>
           <p><insert type="param" id-ref="at-03.02_odp.01"/> is/are provided with initial and refresher training <insert type="param" id-ref="at-03.02_odp.02"/> in the employment and operation of physical security controls.</p>
+          <link rel="assessment-for" href="#at-3.2_smt"/>
         </part>
         <part id="at-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11473,11 +11968,14 @@
           <part id="at-3.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-03(03)[01]"/>
             <p>practical exercises in security training that reinforce training objectives are provided;</p>
+            <link rel="assessment-for" href="#at-3.3_smt"/>
           </part>
           <part id="at-3.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-03(03)[02]"/>
             <p>practical exercises in privacy training that reinforce training objectives are provided.</p>
+            <link rel="assessment-for" href="#at-3.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#at-3.3_smt"/>
         </part>
         <part id="at-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11547,6 +12045,7 @@
         <part id="at-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-03(05)"/>
           <p><insert type="param" id-ref="at-03.05_odp.01"/> are provided with initial and refresher training <insert type="param" id-ref="at-03.05_odp.02"/> in the employment and operation of personally identifiable information processing and transparency controls.</p>
+          <link rel="assessment-for" href="#at-3.5_smt"/>
         </part>
         <part id="at-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11620,16 +12119,21 @@
           <part id="at-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-04a.[01]"/>
             <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;</p>
+            <link rel="assessment-for" href="#at-4_smt.a"/>
           </part>
           <part id="at-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AT-04a.[02]"/>
             <p>information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;</p>
+            <link rel="assessment-for" href="#at-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#at-4_smt.a"/>
         </part>
         <part id="at-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AT-04b."/>
           <p>individual training records are retained for <insert type="param" id-ref="at-04_odp"/>.</p>
+          <link rel="assessment-for" href="#at-4_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#at-4_smt"/>
       </part>
       <part id="at-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11698,6 +12202,7 @@
       <part id="at-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AT-06"/>
         <p>feedback on organizational training results is provided <insert type="param" id-ref="at-06_odp.01"/> to <insert type="param" id-ref="at-06_odp.02"/>.</p>
+        <link rel="assessment-for" href="#at-6_smt"/>
       </part>
       <part id="at-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -11858,18 +12363,22 @@
           <part id="au-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01a.[01]"/>
             <p>an audit and accountability policy is developed and documented;</p>
+            <link rel="assessment-for" href="#au-1_smt.a"/>
           </part>
           <part id="au-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01a.[02]"/>
             <p>the audit and accountability policy is disseminated to <insert type="param" id-ref="au-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#au-1_smt.a"/>
           </part>
           <part id="au-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01a.[03]"/>
             <p>audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;</p>
+            <link rel="assessment-for" href="#au-1_smt.a"/>
           </part>
           <part id="au-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01a.[04]"/>
             <p>the audit and accountability procedures are disseminated to <insert type="param" id-ref="au-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#au-1_smt.a"/>
           </part>
           <part id="au-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01a.01"/>
@@ -11878,41 +12387,53 @@
               <part id="au-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses purpose;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses scope;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses roles;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
               <part id="au-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="AU-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy addresses compliance;</p>
+                <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#au-1_smt.a.1.a"/>
             </part>
             <part id="au-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AU-01a.01(b)"/>
               <p>the <insert type="param" id-ref="au-01_odp.03"/> of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#au-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#au-1_smt.a"/>
         </part>
         <part id="au-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-01b."/>
           <p>the <insert type="param" id-ref="au-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;</p>
+          <link rel="assessment-for" href="#au-1_smt.b"/>
         </part>
         <part id="au-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-01c."/>
@@ -11921,24 +12442,32 @@
             <part id="au-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AU-01c.01[01]"/>
               <p>the current audit and accountability policy is reviewed and updated <insert type="param" id-ref="au-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#au-1_smt.c.1"/>
             </part>
             <part id="au-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AU-01c.01[02]"/>
               <p>the current audit and accountability policy is reviewed and updated following <insert type="param" id-ref="au-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#au-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt.c.1"/>
           </part>
           <part id="au-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-01c.02"/>
             <part id="au-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AU-01c.02[01]"/>
               <p>the current audit and accountability procedures are reviewed and updated <insert type="param" id-ref="au-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#au-1_smt.c.2"/>
             </part>
             <part id="au-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="AU-01c.02[02]"/>
               <p>the current audit and accountability procedures are reviewed and updated following <insert type="param" id-ref="au-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#au-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#au-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#au-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#au-1_smt"/>
       </part>
       <part id="au-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12069,30 +12598,38 @@
         <part id="au-2_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-02a."/>
           <p><insert type="param" id-ref="au-02_odp.01"/> that the system is capable of logging are identified in support of the audit logging function;</p>
+          <link rel="assessment-for" href="#au-2_smt.a"/>
         </part>
         <part id="au-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-02b."/>
           <p>the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p>
+          <link rel="assessment-for" href="#au-2_smt.b"/>
         </part>
         <part id="au-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-02c."/>
           <part id="au-2_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-02c.[01]"/>
             <p><insert type="param" id-ref="au-02_odp.02"/> are specified for logging within the system;</p>
+            <link rel="assessment-for" href="#au-2_smt.c"/>
           </part>
           <part id="au-2_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-02c.[02]"/>
             <p>the specified event types are logged within the system <insert type="param" id-ref="au-02_odp.03"/>;</p>
+            <link rel="assessment-for" href="#au-2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#au-2_smt.c"/>
         </part>
         <part id="au-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-02d."/>
           <p>a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;</p>
+          <link rel="assessment-for" href="#au-2_smt.d"/>
         </part>
         <part id="au-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-02e."/>
           <p>the event types selected for logging are reviewed and updated <insert type="param" id-ref="au-02_odp.04"/>.</p>
+          <link rel="assessment-for" href="#au-2_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#au-2_smt"/>
       </part>
       <part id="au-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12210,27 +12747,34 @@
         <part id="au-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03a."/>
           <p>audit records contain information that establishes what type of event occurred;</p>
+          <link rel="assessment-for" href="#au-3_smt.a"/>
         </part>
         <part id="au-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03b."/>
           <p>audit records contain information that establishes when the event occurred;</p>
+          <link rel="assessment-for" href="#au-3_smt.b"/>
         </part>
         <part id="au-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03c."/>
           <p>audit records contain information that establishes where the event occurred;</p>
+          <link rel="assessment-for" href="#au-3_smt.c"/>
         </part>
         <part id="au-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03d."/>
           <p>audit records contain information that establishes the source of the event;</p>
+          <link rel="assessment-for" href="#au-3_smt.d"/>
         </part>
         <part id="au-3_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03e."/>
           <p>audit records contain information that establishes the outcome of the event;</p>
+          <link rel="assessment-for" href="#au-3_smt.e"/>
         </part>
         <part id="au-3_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03f."/>
           <p>audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.</p>
+          <link rel="assessment-for" href="#au-3_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#au-3_smt"/>
       </part>
       <part id="au-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12288,6 +12832,7 @@
         <part id="au-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03(01)"/>
           <p>generated audit records contain the following <insert type="param" id-ref="au-03.01_odp"/>.</p>
+          <link rel="assessment-for" href="#au-3.1_smt"/>
         </part>
         <part id="au-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12355,6 +12900,7 @@
         <part id="au-3.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-03(03)"/>
           <p>personally identifiable information contained in audit records is limited to <insert type="param" id-ref="au-03.03_odp"/> identified in the privacy risk assessment.</p>
+          <link rel="assessment-for" href="#au-3.3_smt"/>
         </part>
         <part id="au-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12426,6 +12972,7 @@
       <part id="au-4_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AU-04"/>
         <p>audit log storage capacity is allocated to accommodate <insert type="param" id-ref="au-04_odp"/>.</p>
+        <link rel="assessment-for" href="#au-4_smt"/>
       </part>
       <part id="au-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12485,6 +13032,7 @@
         <part id="au-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-04(01)"/>
           <p>audit logs are transferred <insert type="param" id-ref="au-04.01_odp"/> to a different system, system component, or media other than the system or system component conducting the logging.</p>
+          <link rel="assessment-for" href="#au-4.1_smt"/>
         </part>
         <part id="au-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12577,11 +13125,14 @@
         <part id="au-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05a."/>
           <p><insert type="param" id-ref="au-05_odp.01"/> are alerted in the event of an audit logging process failure within <insert type="param" id-ref="au-05_odp.02"/>;</p>
+          <link rel="assessment-for" href="#au-5_smt.a"/>
         </part>
         <part id="au-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05b."/>
           <p><insert type="param" id-ref="au-05_odp.03"/> are taken in the event of an audit logging process failure.</p>
+          <link rel="assessment-for" href="#au-5_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-5_smt"/>
       </part>
       <part id="au-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12655,6 +13206,7 @@
         <part id="au-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05(01)"/>
           <p>a warning is provided to <insert type="param" id-ref="au-05.01_odp.01"/> within <insert type="param" id-ref="au-05.01_odp.02"/> when allocated audit log storage volume reaches <insert type="param" id-ref="au-05.01_odp.03"/> of repository maximum audit log storage capacity.</p>
+          <link rel="assessment-for" href="#au-5.1_smt"/>
         </part>
         <part id="au-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12727,6 +13279,7 @@
         <part id="au-5.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05(02)"/>
           <p>an alert is provided within <insert type="param" id-ref="au-05.02_odp.01"/> to <insert type="param" id-ref="au-05.02_odp.02"/> when <insert type="param" id-ref="au-05.02_odp.03"/> occur.</p>
+          <link rel="assessment-for" href="#au-5.2_smt"/>
         </part>
         <part id="au-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12779,11 +13332,14 @@
           <part id="au-5.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-05(03)[01]"/>
             <p>configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;</p>
+            <link rel="assessment-for" href="#au-5.3_smt"/>
           </part>
           <part id="au-5.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-05(03)[02]"/>
             <p>network traffic is <insert type="param" id-ref="au-05.03_odp"/> if network traffic volume is above configured thresholds.</p>
+            <link rel="assessment-for" href="#au-5.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-5.3_smt"/>
         </part>
         <part id="au-5.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12844,6 +13400,7 @@
         <part id="au-5.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05(04)"/>
           <p><insert type="param" id-ref="au-05.04_odp.01"/> is/are invoked in the event of <insert type="param" id-ref="au-05.04_odp.02"/> , unless an alternate audit logging capability exists.</p>
+          <link rel="assessment-for" href="#au-5.4_smt"/>
         </part>
         <part id="au-5.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -12902,6 +13459,7 @@
         <part id="au-5.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-05(05)"/>
           <p>an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements <insert type="param" id-ref="au-05.05_odp"/>.</p>
+          <link rel="assessment-for" href="#au-5.5_smt"/>
         </part>
         <part id="au-5.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13021,15 +13579,19 @@
         <part id="au-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06a."/>
           <p>system audit records are reviewed and analyzed <insert type="param" id-ref="au-06_odp.01"/> for indications of <insert type="param" id-ref="au-06_odp.02"/> and the potential impact of the inappropriate or unusual activity;</p>
+          <link rel="assessment-for" href="#au-6_smt.a"/>
         </part>
         <part id="au-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06b."/>
           <p>findings are reported to <insert type="param" id-ref="au-06_odp.03"/>;</p>
+          <link rel="assessment-for" href="#au-6_smt.b"/>
         </part>
         <part id="au-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06c."/>
           <p>the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</p>
+          <link rel="assessment-for" href="#au-6_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#au-6_smt"/>
       </part>
       <part id="au-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13078,6 +13640,7 @@
         <part id="au-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(01)"/>
           <p>audit record review, analysis, and reporting processes are integrated using <insert type="param" id-ref="au-06.01_odp"/>.</p>
+          <link rel="assessment-for" href="#au-6.1_smt"/>
         </part>
         <part id="au-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13137,6 +13700,7 @@
         <part id="au-6.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(03)"/>
           <p>audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.</p>
+          <link rel="assessment-for" href="#au-6.3_smt"/>
         </part>
         <part id="au-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13189,11 +13753,14 @@
           <part id="au-6.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-06(04)[01]"/>
             <p>the capability to centrally review and analyze audit records from multiple components within the system is provided;</p>
+            <link rel="assessment-for" href="#au-6.4_smt"/>
           </part>
           <part id="au-6.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-06(04)[02]"/>
             <p>the capability to centrally review and analyze audit records from multiple components within the system is implemented.</p>
+            <link rel="assessment-for" href="#au-6.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-6.4_smt"/>
         </part>
         <part id="au-6.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13263,6 +13830,7 @@
         <part id="au-6.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(05)"/>
           <p>analysis of audit records is integrated with analysis of <insert type="param" id-ref="au-06.05_odp.01"/> to further enhance the ability to identify inappropriate or unusual activity.</p>
+          <link rel="assessment-for" href="#au-6.5_smt"/>
         </part>
         <part id="au-6.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13311,6 +13879,7 @@
         <part id="au-6.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(06)"/>
           <p>information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.</p>
+          <link rel="assessment-for" href="#au-6.6_smt"/>
         </part>
         <part id="au-6.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13370,6 +13939,7 @@
         <part id="au-6.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(07)"/>
           <p>the permitted actions for each <insert type="param" id-ref="au-06.07_odp"/> associated with the review, analysis, and reporting of audit record information are specified.</p>
+          <link rel="assessment-for" href="#au-6.7_smt"/>
         </part>
         <part id="au-6.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13419,6 +13989,7 @@
         <part id="au-6.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(08)"/>
           <p>a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.</p>
+          <link rel="assessment-for" href="#au-6.8_smt"/>
         </part>
         <part id="au-6.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13469,6 +14040,7 @@
         <part id="au-6.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-06(09)"/>
           <p>information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.</p>
+          <link rel="assessment-for" href="#au-6.9_smt"/>
         </part>
         <part id="au-6.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13551,23 +14123,30 @@
           <part id="au-7_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07a.[01]"/>
             <p>an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+            <link rel="assessment-for" href="#au-7_smt.a"/>
           </part>
           <part id="au-7_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07a.[02]"/>
             <p>an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;</p>
+            <link rel="assessment-for" href="#au-7_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#au-7_smt.a"/>
         </part>
         <part id="au-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-07b."/>
           <part id="au-7_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07b.[01]"/>
             <p>an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;</p>
+            <link rel="assessment-for" href="#au-7_smt.b"/>
           </part>
           <part id="au-7_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07b.[02]"/>
             <p>an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.</p>
+            <link rel="assessment-for" href="#au-7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#au-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-7_smt"/>
       </part>
       <part id="au-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13626,11 +14205,14 @@
           <part id="au-7.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07(01)[01]"/>
             <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are provided;</p>
+            <link rel="assessment-for" href="#au-7.1_smt"/>
           </part>
           <part id="au-7.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-07(01)[02]"/>
             <p>the capability to process, sort, and search audit records for events of interest based on <insert type="param" id-ref="au-07.01_odp"/> are implemented.</p>
+            <link rel="assessment-for" href="#au-7.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-7.1_smt"/>
         </part>
         <part id="au-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13710,11 +14292,14 @@
         <part id="au-8_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-08a."/>
           <p>internal system clocks are used to generate timestamps for audit records;</p>
+          <link rel="assessment-for" href="#au-8_smt.a"/>
         </part>
         <part id="au-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-08b."/>
           <p>timestamps are recorded for audit records that meet <insert type="param" id-ref="au-08_odp"/> and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.</p>
+          <link rel="assessment-for" href="#au-8_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-8_smt"/>
       </part>
       <part id="au-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13812,11 +14397,14 @@
         <part id="au-9_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09a."/>
           <p>audit information and audit logging tools are protected from unauthorized access, modification, and deletion;</p>
+          <link rel="assessment-for" href="#au-9_smt.a"/>
         </part>
         <part id="au-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09b."/>
           <p><insert type="param" id-ref="au-09_odp"/> are alerted upon detection of unauthorized access, modification, or deletion of audit information.</p>
+          <link rel="assessment-for" href="#au-9_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-9_smt"/>
       </part>
       <part id="au-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13869,6 +14457,7 @@
         <part id="au-9.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(01)"/>
           <p>audit trails are written to hardware-enforced, write-once media.</p>
+          <link rel="assessment-for" href="#au-9.1_smt"/>
         </part>
         <part id="au-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13931,6 +14520,7 @@
         <part id="au-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(02)"/>
           <p>audit records are stored <insert type="param" id-ref="au-09.02_odp"/> in a repository that is part of a physically different system or system component than the system or component being audited.</p>
+          <link rel="assessment-for" href="#au-9.2_smt"/>
         </part>
         <part id="au-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -13984,6 +14574,7 @@
         <part id="au-9.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(03)"/>
           <p>cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.</p>
+          <link rel="assessment-for" href="#au-9.3_smt"/>
         </part>
         <part id="au-9.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14044,6 +14635,7 @@
         <part id="au-9.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(04)"/>
           <p>access to management of audit logging functionality is authorized only to <insert type="param" id-ref="au-09.04_odp"/>.</p>
+          <link rel="assessment-for" href="#au-9.4_smt"/>
         </part>
         <part id="au-9.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14114,6 +14706,7 @@
         <part id="au-9.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(05)"/>
           <p>dual authorization is enforced for the <insert type="param" id-ref="au-09.05_odp.01"/> of <insert type="param" id-ref="au-09.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#au-9.5_smt"/>
         </part>
         <part id="au-9.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14173,6 +14766,7 @@
         <part id="au-9.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(06)"/>
           <p>read-only access to audit information is authorized to <insert type="param" id-ref="au-09.06_odp"/>.</p>
+          <link rel="assessment-for" href="#au-9.6_smt"/>
         </part>
         <part id="au-9.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14229,6 +14823,7 @@
         <part id="au-9.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-09(07)"/>
           <p>audit information is stored on a component running a different operating system than the system or component being audited.</p>
+          <link rel="assessment-for" href="#au-9.7_smt"/>
         </part>
         <part id="au-9.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14303,6 +14898,7 @@
       <part id="au-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AU-10"/>
         <p>irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed <insert type="param" id-ref="au-10_odp"/>.</p>
+        <link rel="assessment-for" href="#au-10_smt"/>
       </part>
       <part id="au-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14370,11 +14966,14 @@
           <part id="au-10.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(01)(a)"/>
             <p>the identity of the information producer is bound with the information to <insert type="param" id-ref="au-10.01_odp"/>;</p>
+            <link rel="assessment-for" href="#au-10.1_smt.a"/>
           </part>
           <part id="au-10.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(01)(b)"/>
             <p>the means for authorized individuals to determine the identity of the producer of the information is provided.</p>
+            <link rel="assessment-for" href="#au-10.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#au-10.1_smt"/>
         </part>
         <part id="au-10.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14452,11 +15051,14 @@
           <part id="au-10.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(02)(a)"/>
             <p>the binding of the information producer identity to the information is validated at <insert type="param" id-ref="au-10.02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#au-10.2_smt.a"/>
           </part>
           <part id="au-10.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(02)(b)"/>
             <p><insert type="param" id-ref="au-10.02_odp.02"/> in the event of a validation error are performed.</p>
+            <link rel="assessment-for" href="#au-10.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#au-10.2_smt"/>
         </part>
         <part id="au-10.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14510,6 +15112,7 @@
         <part id="au-10.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-10(03)"/>
           <p>reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.</p>
+          <link rel="assessment-for" href="#au-10.3_smt"/>
         </part>
         <part id="au-10.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14587,11 +15190,14 @@
           <part id="au-10.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(04)(a)"/>
             <p>the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between <insert type="param" id-ref="au-10.04_odp.01"/> is validated;</p>
+            <link rel="assessment-for" href="#au-10.4_smt.a"/>
           </part>
           <part id="au-10.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-10(04)(b)"/>
             <p><insert type="param" id-ref="au-10.04_odp.02"/> are performed in the event of a validation error.</p>
+            <link rel="assessment-for" href="#au-10.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#au-10.4_smt"/>
         </part>
         <part id="au-10.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14668,6 +15274,7 @@
       <part id="au-11_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AU-11"/>
         <p>audit records are retained for <insert type="param" id-ref="au-11_odp"/> to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.</p>
+        <link rel="assessment-for" href="#au-11_smt"/>
       </part>
       <part id="au-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14719,6 +15326,7 @@
         <part id="au-11.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-11(01)"/>
           <p><insert type="param" id-ref="au-11.01_odp"/> are employed to ensure that long-term audit records generated by the system can be retrieved.</p>
+          <link rel="assessment-for" href="#au-11.1_smt"/>
         </part>
         <part id="au-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14817,15 +15425,19 @@
         <part id="au-12_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-12a."/>
           <p>audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by <insert type="param" id-ref="au-12_odp.01"/>;</p>
+          <link rel="assessment-for" href="#au-12_smt.a"/>
         </part>
         <part id="au-12_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-12b."/>
           <p><insert type="param" id-ref="au-12_odp.02"/> is/are allowed to select the event types that are to be logged by specific components of the system;</p>
+          <link rel="assessment-for" href="#au-12_smt.b"/>
         </part>
         <part id="au-12_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-12c."/>
           <p>audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.</p>
+          <link rel="assessment-for" href="#au-12_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#au-12_smt"/>
       </part>
       <part id="au-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14894,6 +15506,7 @@
         <part id="au-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-12(01)"/>
           <p>audit records from <insert type="param" id-ref="au-12.01_odp.01"/> are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within <insert type="param" id-ref="au-12.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#au-12.1_smt"/>
         </part>
         <part id="au-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -14944,6 +15557,7 @@
         <part id="au-12.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-12(02)"/>
           <p>a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.</p>
+          <link rel="assessment-for" href="#au-12.2_smt"/>
         </part>
         <part id="au-12.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15029,11 +15643,14 @@
           <part id="au-12.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-12(03)[01]"/>
             <p>the capability for <insert type="param" id-ref="au-12.03_odp.01"/> to change the logging to be performed on <insert type="param" id-ref="au-12.03_odp.02"/> based on <insert type="param" id-ref="au-12.03_odp.03"/> within <insert type="param" id-ref="au-12.03_odp.04"/> is provided;</p>
+            <link rel="assessment-for" href="#au-12.3_smt"/>
           </part>
           <part id="au-12.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-12(03)[02]"/>
             <p>the capability for <insert type="param" id-ref="au-12.03_odp.01"/> to change the logging to be performed on <insert type="param" id-ref="au-12.03_odp.02"/> based on <insert type="param" id-ref="au-12.03_odp.03"/> within <insert type="param" id-ref="au-12.03_odp.04"/> is implemented.</p>
+            <link rel="assessment-for" href="#au-12.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-12.3_smt"/>
         </part>
         <part id="au-12.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15086,11 +15703,14 @@
           <part id="au-12.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-12(04)[01]"/>
             <p>the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;</p>
+            <link rel="assessment-for" href="#au-12.4_smt"/>
           </part>
           <part id="au-12.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-12(04)[02]"/>
             <p>the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.</p>
+            <link rel="assessment-for" href="#au-12.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-12.4_smt"/>
         </part>
         <part id="au-12.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15198,18 +15818,23 @@
         <part id="au-13_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-13a."/>
           <p><insert type="param" id-ref="au-13_odp.01"/> is/are monitored <insert type="param" id-ref="au-13_odp.02"/> for evidence of unauthorized disclosure of organizational information;</p>
+          <link rel="assessment-for" href="#au-13_smt.a"/>
         </part>
         <part id="au-13_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-13b."/>
           <part id="au-13_obj.b.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-13b.01"/>
             <p><insert type="param" id-ref="au-13_odp.03"/> are notified if an information disclosure is discovered;</p>
+            <link rel="assessment-for" href="#au-13_smt.b.1"/>
           </part>
           <part id="au-13_obj.b.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-13b.02"/>
             <p><insert type="param" id-ref="au-13_odp.04"/> are taken if an information disclosure is discovered.</p>
+            <link rel="assessment-for" href="#au-13_smt.b.2"/>
           </part>
+          <link rel="assessment-for" href="#au-13_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-13_smt"/>
       </part>
       <part id="au-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15267,6 +15892,7 @@
         <part id="au-13.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-13(01)"/>
           <p>open-source information and information sites are monitored using <insert type="param" id-ref="au-13.01_odp"/>.</p>
+          <link rel="assessment-for" href="#au-13.1_smt"/>
         </part>
         <part id="au-13.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15324,6 +15950,7 @@
         <part id="au-13.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-13(02)"/>
           <p>the list of open-source information sites being monitored is reviewed <insert type="param" id-ref="au-13.02_odp"/>.</p>
+          <link rel="assessment-for" href="#au-13.2_smt"/>
         </part>
         <part id="au-13.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15374,6 +16001,7 @@
         <part id="au-13.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-13(03)"/>
           <p>discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.</p>
+          <link rel="assessment-for" href="#au-13.3_smt"/>
         </part>
         <part id="au-13.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15471,27 +16099,35 @@
           <part id="au-14_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14a.[01]"/>
             <p><insert type="param" id-ref="au-14_odp.01"/> are provided with the capability to <insert type="param" id-ref="au-14_odp.02"/> the content of a user session under <insert type="param" id-ref="au-14_odp.03"/>;</p>
+            <link rel="assessment-for" href="#au-14_smt.a"/>
           </part>
           <part id="au-14_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14a.[02]"/>
             <p>the capability for <insert type="param" id-ref="au-14_odp.01"/> to <insert type="param" id-ref="au-14_odp.02"/> the content of a user session under <insert type="param" id-ref="au-14_odp.03"/> is implemented;</p>
+            <link rel="assessment-for" href="#au-14_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#au-14_smt.a"/>
         </part>
         <part id="au-14_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-14b."/>
           <part id="au-14_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14b.[01]"/>
             <p>session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+            <link rel="assessment-for" href="#au-14_smt.b"/>
           </part>
           <part id="au-14_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14b.[02]"/>
             <p>session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+            <link rel="assessment-for" href="#au-14_smt.b"/>
           </part>
           <part id="au-14_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14b.[03]"/>
             <p>session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+            <link rel="assessment-for" href="#au-14_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#au-14_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#au-14_smt"/>
       </part>
       <part id="au-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15542,6 +16178,7 @@
         <part id="au-14.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-14(01)"/>
           <p>session audits are initiated automatically at system start-up.</p>
+          <link rel="assessment-for" href="#au-14.1_smt"/>
         </part>
         <part id="au-14.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15602,11 +16239,14 @@
           <part id="au-14.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14(03)[01]"/>
             <p>the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;</p>
+            <link rel="assessment-for" href="#au-14.3_smt"/>
           </part>
           <part id="au-14.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="AU-14(03)[02]"/>
             <p>the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.</p>
+            <link rel="assessment-for" href="#au-14.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#au-14.3_smt"/>
         </part>
         <part id="au-14.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15686,6 +16326,7 @@
       <part id="au-16_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="AU-16"/>
         <p><insert type="param" id-ref="au-16_odp.01"/> for coordinating <insert type="param" id-ref="au-16_odp.02"/> among external organizations when audit information is transmitted across organizational boundaries are employed.</p>
+        <link rel="assessment-for" href="#au-16_smt"/>
       </part>
       <part id="au-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15736,6 +16377,7 @@
         <part id="au-16.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-16(01)"/>
           <p>the identity of individuals in cross-organizational audit trails is preserved.</p>
+          <link rel="assessment-for" href="#au-16.1_smt"/>
         </part>
         <part id="au-16.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15801,6 +16443,7 @@
         <part id="au-16.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-16(02)"/>
           <p>cross-organizational audit information is provided to <insert type="param" id-ref="au-16.02_odp.01"/> based on <insert type="param" id-ref="au-16.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#au-16.2_smt"/>
         </part>
         <part id="au-16.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -15847,6 +16490,7 @@
         <part id="au-16.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="AU-16(03)"/>
           <p><insert type="param" id-ref="au-16.03_odp"/> are implemented to disassociate individuals from audit information transmitted across organizational boundaries.</p>
+          <link rel="assessment-for" href="#au-16.3_smt"/>
         </part>
         <part id="au-16.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16019,18 +16663,22 @@
           <part id="ca-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01a.[01]"/>
             <p>an assessment, authorization, and monitoring policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ca-1_smt.a"/>
           </part>
           <part id="ca-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01a.[02]"/>
             <p>the assessment, authorization, and monitoring policy is disseminated to <insert type="param" id-ref="ca-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ca-1_smt.a"/>
           </part>
           <part id="ca-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01a.[03]"/>
             <p>assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ca-1_smt.a"/>
           </part>
           <part id="ca-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01a.[04]"/>
             <p>the assessment, authorization, and monitoring procedures are disseminated to <insert type="param" id-ref="ca-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ca-1_smt.a"/>
           </part>
           <part id="ca-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01a.01"/>
@@ -16039,41 +16687,53 @@
               <part id="ca-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses scope;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses roles;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
               <part id="ca-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CA-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ca-1_smt.a.1.a"/>
             </part>
             <part id="ca-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ca-01_odp.03"/> assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ca-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ca-1_smt.a"/>
         </part>
         <part id="ca-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-01b."/>
           <p>the <insert type="param" id-ref="ca-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;</p>
+          <link rel="assessment-for" href="#ca-1_smt.b"/>
         </part>
         <part id="ca-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-01c."/>
@@ -16082,24 +16742,32 @@
             <part id="ca-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-01c.01[01]"/>
               <p>the current assessment, authorization, and monitoring policy is reviewed and updated <insert type="param" id-ref="ca-01_odp.05"/>; </p>
+              <link rel="assessment-for" href="#ca-1_smt.c.1"/>
             </part>
             <part id="ca-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-01c.01[02]"/>
               <p>the current assessment, authorization, and monitoring policy is reviewed and updated following <insert type="param" id-ref="ca-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ca-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt.c.1"/>
           </part>
           <part id="ca-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-01c.02"/>
             <part id="ca-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-01c.02[01]"/>
               <p>the current assessment, authorization, and monitoring procedures are reviewed and updated <insert type="param" id-ref="ca-01_odp.07"/>; </p>
+              <link rel="assessment-for" href="#ca-1_smt.c.2"/>
             </part>
             <part id="ca-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-01c.02[02]"/>
               <p>the current assessment, authorization, and monitoring procedures are reviewed and updated following <insert type="param" id-ref="ca-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ca-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ca-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ca-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ca-1_smt"/>
       </part>
       <part id="ca-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16217,56 +16885,71 @@
         <part id="ca-2_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02a."/>
           <p>an appropriate assessor or assessment team is selected for the type of assessment to be conducted;</p>
+          <link rel="assessment-for" href="#ca-2_smt.a"/>
         </part>
         <part id="ca-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02b."/>
           <part id="ca-2_obj.b.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-02b.01"/>
             <p>a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;</p>
+            <link rel="assessment-for" href="#ca-2_smt.b.1"/>
           </part>
           <part id="ca-2_obj.b.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-02b.02"/>
             <p>a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;</p>
+            <link rel="assessment-for" href="#ca-2_smt.b.2"/>
           </part>
           <part id="ca-2_obj.b.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-02b.03"/>
             <part id="ca-2_obj.b.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-02b.03[01]"/>
               <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;</p>
+              <link rel="assessment-for" href="#ca-2_smt.b.3"/>
             </part>
             <part id="ca-2_obj.b.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-02b.03[02]"/>
               <p>a control assessment plan is developed that describes the scope of the assessment, including the assessment team;</p>
+              <link rel="assessment-for" href="#ca-2_smt.b.3"/>
             </part>
             <part id="ca-2_obj.b.3-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CA-02b.03[03]"/>
               <p>a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;</p>
+              <link rel="assessment-for" href="#ca-2_smt.b.3"/>
             </part>
+            <link rel="assessment-for" href="#ca-2_smt.b.3"/>
           </part>
+          <link rel="assessment-for" href="#ca-2_smt.b"/>
         </part>
         <part id="ca-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02c."/>
           <p>the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p>
+          <link rel="assessment-for" href="#ca-2_smt.c"/>
         </part>
         <part id="ca-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02d."/>
           <part id="ca-2_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-02d.[01]"/>
             <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;</p>
+            <link rel="assessment-for" href="#ca-2_smt.d"/>
           </part>
           <part id="ca-2_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-02d.[02]"/>
             <p>controls are assessed in the system and its environment of operation <insert type="param" id-ref="ca-02_odp.01"/> to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;</p>
+            <link rel="assessment-for" href="#ca-2_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ca-2_smt.d"/>
         </part>
         <part id="ca-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02e."/>
           <p>a control assessment report is produced that documents the results of the assessment;</p>
+          <link rel="assessment-for" href="#ca-2_smt.e"/>
         </part>
         <part id="ca-2_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02f."/>
           <p>the results of the control assessment are provided to <insert type="param" id-ref="ca-02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ca-2_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#ca-2_smt"/>
       </part>
       <part id="ca-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16316,6 +16999,7 @@
         <part id="ca-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02(01)"/>
           <p>independent assessors or assessment teams are employed to conduct control assessments.</p>
+          <link rel="assessment-for" href="#ca-2.1_smt"/>
         </part>
         <part id="ca-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16400,6 +17084,7 @@
         <part id="ca-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02(02)"/>
           <p><insert type="param" id-ref="ca-02.02_odp.01"/> <insert type="param" id-ref="ca-02.02_odp.02"/> <insert type="param" id-ref="ca-02.02_odp.03"/> are included as part of control assessments.</p>
+          <link rel="assessment-for" href="#ca-2.2_smt"/>
         </part>
         <part id="ca-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16437,9 +17122,9 @@
           <prop name="alt-identifier" value="ca-2.3_prm_1"/>
           <prop name="alt-label" class="sp800-53" value="external organization"/>
           <prop name="label" class="sp800-53a" value="CA-02(03)_ODP[01]"/>
-          <label>external organizations</label>
+          <label>external organization(s)</label>
           <guideline>
-            <p>external organizations from which the results of control assessments are leveraged are defined;</p>
+            <p>external organization(s) from which the results of control assessments are leveraged are defined;</p>
           </guideline>
         </param>
         <param id="ca-02.03_odp.02">
@@ -16474,6 +17159,7 @@
         <part id="ca-2.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-02(03)"/>
           <p>the results of control assessments performed by <insert type="param" id-ref="ca-02.03_odp.01"/> on <insert type="param" id-ref="ca-02.03_odp.02"/> are leveraged when the assessment meets <insert type="param" id-ref="ca-02.03_odp.03"/>.</p>
+          <link rel="assessment-for" href="#ca-2.3_smt"/>
         </part>
         <part id="ca-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16576,38 +17262,48 @@
         <part id="ca-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-03a."/>
           <p>the exchange of information between the system and other systems is approved and managed using <insert type="param" id-ref="ca-03_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ca-3_smt.a"/>
         </part>
         <part id="ca-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-03b."/>
           <part id="ca-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[01]"/>
             <p>the interface characteristics are documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
           <part id="ca-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[02]"/>
             <p>security requirements are documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
           <part id="ca-3_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[03]"/>
             <p>privacy requirements are documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
           <part id="ca-3_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[04]"/>
             <p>controls are documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
           <part id="ca-3_obj.b-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[05]"/>
             <p>responsibilities for each system are documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
           <part id="ca-3_obj.b-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03b.[06]"/>
             <p>the impact level of the information communicated is documented as part of each exchange agreement;</p>
+            <link rel="assessment-for" href="#ca-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ca-3_smt.b"/>
         </part>
         <part id="ca-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-03c."/>
           <p>agreements are reviewed and updated <insert type="param" id-ref="ca-03_odp.03"/>.</p>
+          <link rel="assessment-for" href="#ca-3_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ca-3_smt"/>
       </part>
       <part id="ca-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16700,6 +17396,7 @@
         <part id="ca-3.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-03(06)"/>
           <p>individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.</p>
+          <link rel="assessment-for" href="#ca-3.6_smt"/>
         </part>
         <part id="ca-3.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16767,11 +17464,14 @@
           <part id="ca-3.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03(07)(a)"/>
             <p>transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;</p>
+            <link rel="assessment-for" href="#ca-3.7_smt.a"/>
           </part>
           <part id="ca-3.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-03(07)(b)"/>
             <p>measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.</p>
+            <link rel="assessment-for" href="#ca-3.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ca-3.7_smt"/>
         </part>
         <part id="ca-3.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16862,11 +17562,14 @@
         <part id="ca-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-05a."/>
           <p>a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;</p>
+          <link rel="assessment-for" href="#ca-5_smt.a"/>
         </part>
         <part id="ca-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-05b."/>
           <p>existing plan of action and milestones are updated <insert type="param" id-ref="ca-05_odp"/> based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p>
+          <link rel="assessment-for" href="#ca-5_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ca-5_smt"/>
       </part>
       <part id="ca-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -16923,6 +17626,7 @@
         <part id="ca-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-05(01)"/>
           <p><insert type="param" id-ref="ca-05.01_odp"/> are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.</p>
+          <link rel="assessment-for" href="#ca-5.1_smt"/>
         </part>
         <part id="ca-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17021,30 +17725,38 @@
         <part id="ca-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-06a."/>
           <p>a senior official is assigned as the authorizing official for the system;</p>
+          <link rel="assessment-for" href="#ca-6_smt.a"/>
         </part>
         <part id="ca-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-06b."/>
           <p>a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;</p>
+          <link rel="assessment-for" href="#ca-6_smt.b"/>
         </part>
         <part id="ca-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-06c."/>
           <part id="ca-6_obj.c.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06c.01"/>
             <p>before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;</p>
+            <link rel="assessment-for" href="#ca-6_smt.c.1"/>
           </part>
           <part id="ca-6_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06c.02"/>
             <p>before commencing operations, the authorizing official for the system authorizes the system to operate;</p>
+            <link rel="assessment-for" href="#ca-6_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ca-6_smt.c"/>
         </part>
         <part id="ca-6_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-06d."/>
           <p>the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</p>
+          <link rel="assessment-for" href="#ca-6_smt.d"/>
         </part>
         <part id="ca-6_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-06e."/>
           <p>the authorizations are updated <insert type="param" id-ref="ca-06_odp"/>.</p>
+          <link rel="assessment-for" href="#ca-6_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#ca-6_smt"/>
       </part>
       <part id="ca-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17092,11 +17804,14 @@
           <part id="ca-6.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06(01)[01]"/>
             <p>a joint authorization process is employed for the system;</p>
+            <link rel="assessment-for" href="#ca-6.1_smt"/>
           </part>
           <part id="ca-6.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06(01)[02]"/>
             <p>the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.</p>
+            <link rel="assessment-for" href="#ca-6.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ca-6.1_smt"/>
         </part>
         <part id="ca-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17148,11 +17863,14 @@
           <part id="ca-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06(02)[01]"/>
             <p>a joint authorization process is employed for the system;</p>
+            <link rel="assessment-for" href="#ca-6.2_smt"/>
           </part>
           <part id="ca-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-06(02)[02]"/>
             <p>the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.</p>
+            <link rel="assessment-for" href="#ca-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#ca-6.2_smt"/>
         </part>
         <part id="ca-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17353,53 +18071,67 @@
         <part id="ca-7_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07[01]"/>
           <p>a system-level continuous monitoring strategy is developed;</p>
+          <link rel="assessment-for" href="#ca-7_smt"/>
         </part>
         <part id="ca-7_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07[02]"/>
           <p>system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;</p>
+          <link rel="assessment-for" href="#ca-7_smt"/>
         </part>
         <part id="ca-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07a."/>
           <p>system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: <insert type="param" id-ref="ca-07_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ca-7_smt.a"/>
         </part>
         <part id="ca-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07b."/>
           <part id="ca-7_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07b.[01]"/>
             <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.02"/> for monitoring;</p>
+            <link rel="assessment-for" href="#ca-7_smt.b"/>
           </part>
           <part id="ca-7_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07b.[02]"/>
             <p>system-level continuous monitoring includes established <insert type="param" id-ref="ca-07_odp.03"/> for assessment of control effectiveness;</p>
+            <link rel="assessment-for" href="#ca-7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ca-7_smt.b"/>
         </part>
         <part id="ca-7_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07c."/>
           <p>system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;</p>
+          <link rel="assessment-for" href="#ca-7_smt.c"/>
         </part>
         <part id="ca-7_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07d."/>
           <p>system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p>
+          <link rel="assessment-for" href="#ca-7_smt.d"/>
         </part>
         <part id="ca-7_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07e."/>
           <p>system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;</p>
+          <link rel="assessment-for" href="#ca-7_smt.e"/>
         </part>
         <part id="ca-7_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07f."/>
           <p>system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;</p>
+          <link rel="assessment-for" href="#ca-7_smt.f"/>
         </part>
         <part id="ca-7_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07g."/>
           <part id="ca-7_obj.g-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07g.[01]"/>
             <p>system-level continuous monitoring includes reporting the security status of the system to <insert type="param" id-ref="ca-07_odp.04"/> <insert type="param" id-ref="ca-07_odp.05"/>;</p>
+            <link rel="assessment-for" href="#ca-7_smt.g"/>
           </part>
           <part id="ca-7_obj.g-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07g.[02]"/>
             <p>system-level continuous monitoring includes reporting the privacy status of the system to <insert type="param" id-ref="ca-07_odp.06"/> <insert type="param" id-ref="ca-07_odp.07"/>.</p>
+            <link rel="assessment-for" href="#ca-7_smt.g"/>
           </part>
+          <link rel="assessment-for" href="#ca-7_smt.g"/>
         </part>
+        <link rel="assessment-for" href="#ca-7_smt"/>
       </part>
       <part id="ca-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17456,6 +18188,7 @@
         <part id="ca-7.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07(01)"/>
           <p>independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.</p>
+          <link rel="assessment-for" href="#ca-7.1_smt"/>
         </part>
         <part id="ca-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17511,15 +18244,19 @@
           <part id="ca-7.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(03)[01]"/>
             <p>trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;</p>
+            <link rel="assessment-for" href="#ca-7.3_smt"/>
           </part>
           <part id="ca-7.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(03)[02]"/>
             <p>trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;</p>
+            <link rel="assessment-for" href="#ca-7.3_smt"/>
           </part>
           <part id="ca-7.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(03)[03]"/>
             <p>trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.</p>
+            <link rel="assessment-for" href="#ca-7.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#ca-7.3_smt"/>
         </part>
         <part id="ca-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17589,15 +18326,19 @@
           <part id="ca-7.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(04)(a)"/>
             <p>effectiveness monitoring is included in risk monitoring;</p>
+            <link rel="assessment-for" href="#ca-7.4_smt.a"/>
           </part>
           <part id="ca-7.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(04)(b)"/>
             <p>compliance monitoring is included in risk monitoring;</p>
+            <link rel="assessment-for" href="#ca-7.4_smt.b"/>
           </part>
           <part id="ca-7.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(04)(c)"/>
             <p>change monitoring is included in risk monitoring.</p>
+            <link rel="assessment-for" href="#ca-7.4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ca-7.4_smt"/>
         </part>
         <part id="ca-7.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17671,11 +18412,14 @@
           <part id="ca-7.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(05)[01]"/>
             <p><insert type="param" id-ref="ca-07.05_odp.01"/> are employed to validate that policies are established;</p>
+            <link rel="assessment-for" href="#ca-7.5_smt"/>
           </part>
           <part id="ca-7.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-07(05)[02]"/>
             <p><insert type="param" id-ref="ca-07.05_odp.02"/> are employed to validate that implemented controls are operating in a consistent manner.</p>
+            <link rel="assessment-for" href="#ca-7.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#ca-7.5_smt"/>
         </part>
         <part id="ca-7.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17736,6 +18480,7 @@
         <part id="ca-7.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-07(06)"/>
           <p><insert type="param" id-ref="ca-07.06_odp"/> are used to ensure the accuracy, currency, and availability of monitoring results for the system.</p>
+          <link rel="assessment-for" href="#ca-7.6_smt"/>
         </part>
         <part id="ca-7.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17811,6 +18556,7 @@
       <part id="ca-8_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CA-08"/>
         <p>penetration testing is conducted <insert type="param" id-ref="ca-08_odp.01"/> on <insert type="param" id-ref="ca-08_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ca-8_smt"/>
       </part>
       <part id="ca-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17861,6 +18607,7 @@
         <part id="ca-8.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-08(01)"/>
           <p>an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.</p>
+          <link rel="assessment-for" href="#ca-8.1_smt"/>
         </part>
         <part id="ca-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17911,6 +18658,7 @@
         <part id="ca-8.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-08(02)"/>
           <p><insert type="param" id-ref="ca-08.02_odp"/> are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.</p>
+          <link rel="assessment-for" href="#ca-8.2_smt"/>
         </part>
         <part id="ca-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -17982,6 +18730,7 @@
         <part id="ca-8.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-08(03)"/>
           <p>the penetration testing process includes <insert type="param" id-ref="ca-08.03_odp.01"/> <insert type="param" id-ref="ca-08.03_odp.02"/> attempts to bypass or circumvent controls associated with physical access points to facility.</p>
+          <link rel="assessment-for" href="#ca-8.3_smt"/>
         </part>
         <part id="ca-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18087,34 +18836,43 @@
         <part id="ca-9_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-09a."/>
           <p>internal connections of <insert type="param" id-ref="ca-09_odp.01"/> to the system are authorized;</p>
+          <link rel="assessment-for" href="#ca-9_smt.a"/>
         </part>
         <part id="ca-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-09b."/>
           <part id="ca-9_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09b.[01]"/>
             <p>for each internal connection, the interface characteristics are documented;</p>
+            <link rel="assessment-for" href="#ca-9_smt.b"/>
           </part>
           <part id="ca-9_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09b.[02]"/>
             <p>for each internal connection, the security requirements are documented;</p>
+            <link rel="assessment-for" href="#ca-9_smt.b"/>
           </part>
           <part id="ca-9_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09b.[03]"/>
             <p>for each internal connection, the privacy requirements are documented;</p>
+            <link rel="assessment-for" href="#ca-9_smt.b"/>
           </part>
           <part id="ca-9_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09b.[04]"/>
             <p>for each internal connection, the nature of the information communicated is documented;</p>
+            <link rel="assessment-for" href="#ca-9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ca-9_smt.b"/>
         </part>
         <part id="ca-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-09c."/>
           <p>internal system connections are terminated after <insert type="param" id-ref="ca-09_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ca-9_smt.c"/>
         </part>
         <part id="ca-9_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CA-09d."/>
           <p>the continued need for each internal connection is reviewed <insert type="param" id-ref="ca-09_odp.03"/>.</p>
+          <link rel="assessment-for" href="#ca-9_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#ca-9_smt"/>
       </part>
       <part id="ca-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18170,11 +18928,14 @@
           <part id="ca-9.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09(01)[01]"/>
             <p>security compliance checks are performed on constituent system components prior to the establishment of the internal connection;</p>
+            <link rel="assessment-for" href="#ca-9.1_smt"/>
           </part>
           <part id="ca-9.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CA-09(01)[02]"/>
             <p>privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.</p>
+            <link rel="assessment-for" href="#ca-9.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ca-9.1_smt"/>
         </part>
         <part id="ca-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18346,18 +19107,22 @@
           <part id="cm-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01a.[01]"/>
             <p>a configuration management policy is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-1_smt.a"/>
           </part>
           <part id="cm-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01a.[02]"/>
             <p>the configuration management policy is disseminated to <insert type="param" id-ref="cm-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cm-1_smt.a"/>
           </part>
           <part id="cm-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01a.[03]"/>
             <p>configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;</p>
+            <link rel="assessment-for" href="#cm-1_smt.a"/>
           </part>
           <part id="cm-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01a.[04]"/>
             <p>the configuration management procedures are disseminated to <insert type="param" id-ref="cm-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#cm-1_smt.a"/>
           </part>
           <part id="cm-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01a.01"/>
@@ -18366,41 +19131,53 @@
               <part id="cm-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses purpose;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses scope;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses roles;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
               <part id="cm-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CM-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="cm-01_odp.03"/> of the configuration management policy addresses compliance;</p>
+                <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#cm-1_smt.a.1.a"/>
             </part>
             <part id="cm-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-01a.01(b)"/>
               <p>the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#cm-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#cm-1_smt.a"/>
         </part>
         <part id="cm-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-01b."/>
           <p>the <insert type="param" id-ref="cm-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;</p>
+          <link rel="assessment-for" href="#cm-1_smt.b"/>
         </part>
         <part id="cm-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-01c."/>
@@ -18409,24 +19186,32 @@
             <part id="cm-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-01c.01[01]"/>
               <p>the current configuration management policy is reviewed and updated <insert type="param" id-ref="cm-01_odp.05"/>; </p>
+              <link rel="assessment-for" href="#cm-1_smt.c.1"/>
             </part>
             <part id="cm-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-01c.01[02]"/>
               <p>the current configuration management policy is reviewed and updated following <insert type="param" id-ref="cm-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#cm-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt.c.1"/>
           </part>
           <part id="cm-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-01c.02"/>
             <part id="cm-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-01c.02[01]"/>
               <p>the current configuration management procedures are reviewed and updated <insert type="param" id-ref="cm-01_odp.07"/>; </p>
+              <link rel="assessment-for" href="#cm-1_smt.c.2"/>
             </part>
             <part id="cm-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-01c.02[02]"/>
               <p>the current configuration management procedures are reviewed and updated following <insert type="param" id-ref="cm-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#cm-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#cm-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#cm-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cm-1_smt"/>
       </part>
       <part id="cm-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18527,27 +19312,35 @@
           <part id="cm-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02a.[01]"/>
             <p>a current baseline configuration of the system is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-2_smt.a"/>
           </part>
           <part id="cm-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02a.[02]"/>
             <p>a current baseline configuration of the system is maintained under configuration control;</p>
+            <link rel="assessment-for" href="#cm-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#cm-2_smt.a"/>
         </part>
         <part id="cm-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-02b."/>
           <part id="cm-2_obj.b.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02b.01"/>
             <p>the baseline configuration of the system is reviewed and updated <insert type="param" id-ref="cm-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cm-2_smt.b.1"/>
           </part>
           <part id="cm-2_obj.b.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02b.02"/>
             <p>the baseline configuration of the system is reviewed and updated when required due to <insert type="param" id-ref="cm-02_odp.02"/>;</p>
+            <link rel="assessment-for" href="#cm-2_smt.b.2"/>
           </part>
           <part id="cm-2_obj.b.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02b.03"/>
             <p>the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.</p>
+            <link rel="assessment-for" href="#cm-2_smt.b.3"/>
           </part>
+          <link rel="assessment-for" href="#cm-2_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#cm-2_smt"/>
       </part>
       <part id="cm-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18622,19 +19415,24 @@
           <part id="cm-2.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(02)[01]"/>
             <p>the currency of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-2.2_smt"/>
           </part>
           <part id="cm-2.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(02)[02]"/>
             <p>the completeness of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-2.2_smt"/>
           </part>
           <part id="cm-2.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(02)[03]"/>
             <p>the accuracy of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-2.2_smt"/>
           </part>
           <part id="cm-2.2_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(02)[04]"/>
             <p>the availability of the baseline configuration of the system is maintained using <insert type="param" id-ref="cm-02.02_odp"/>.</p>
+            <link rel="assessment-for" href="#cm-2.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-2.2_smt"/>
         </part>
         <part id="cm-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18695,6 +19493,7 @@
         <part id="cm-2.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-02(03)"/>
           <p><insert type="param" id-ref="cm-02.03_odp"/> of previous baseline configuration version(s) of the system is/are retained to support rollback.</p>
+          <link rel="assessment-for" href="#cm-2.3_smt"/>
         </part>
         <part id="cm-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18765,11 +19564,14 @@
           <part id="cm-2.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(06)[01]"/>
             <p>a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;</p>
+            <link rel="assessment-for" href="#cm-2.6_smt"/>
           </part>
           <part id="cm-2.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(06)[02]"/>
             <p>a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.</p>
+            <link rel="assessment-for" href="#cm-2.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-2.6_smt"/>
         </part>
         <part id="cm-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -18855,11 +19657,14 @@
           <part id="cm-2.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(07)(a)"/>
             <p><insert type="param" id-ref="cm-02.07_odp.01"/> with <insert type="param" id-ref="cm-02.07_odp.02"/> are issued to individuals traveling to locations that the organization deems to be of significant risk;</p>
+            <link rel="assessment-for" href="#cm-2.7_smt.a"/>
           </part>
           <part id="cm-2.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-02(07)(b)"/>
             <p><insert type="param" id-ref="cm-02.07_odp.03"/> are applied to the systems or system components when the individuals return from travel.</p>
+            <link rel="assessment-for" href="#cm-2.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-2.7_smt"/>
         </part>
         <part id="cm-2.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19008,52 +19813,66 @@
         <part id="cm-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03a."/>
           <p>the types of changes to the system that are configuration-controlled are determined and documented;</p>
+          <link rel="assessment-for" href="#cm-3_smt.a"/>
         </part>
         <part id="cm-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03b."/>
           <part id="cm-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03b.[01]"/>
             <p>proposed configuration-controlled changes to the system are reviewed;</p>
+            <link rel="assessment-for" href="#cm-3_smt.b"/>
           </part>
           <part id="cm-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03b.[02]"/>
             <p>proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;</p>
+            <link rel="assessment-for" href="#cm-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-3_smt.b"/>
         </part>
         <part id="cm-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03c."/>
           <p>configuration change decisions associated with the system are documented;</p>
+          <link rel="assessment-for" href="#cm-3_smt.c"/>
         </part>
         <part id="cm-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03d."/>
           <p>approved configuration-controlled changes to the system are implemented;</p>
+          <link rel="assessment-for" href="#cm-3_smt.d"/>
         </part>
         <part id="cm-3_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03e."/>
           <p>records of configuration-controlled changes to the system are retained for <insert type="param" id-ref="cm-03_odp.01"/>;</p>
+          <link rel="assessment-for" href="#cm-3_smt.e"/>
         </part>
         <part id="cm-3_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03f."/>
           <part id="cm-3_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03f.[01]"/>
             <p>activities associated with configuration-controlled changes to the system are monitored;</p>
+            <link rel="assessment-for" href="#cm-3_smt.f"/>
           </part>
           <part id="cm-3_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03f.[02]"/>
             <p>activities associated with configuration-controlled changes to the system are reviewed;</p>
+            <link rel="assessment-for" href="#cm-3_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#cm-3_smt.f"/>
         </part>
         <part id="cm-3_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03g."/>
           <part id="cm-3_obj.g-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03g.[01]"/>
             <p>configuration change control activities are coordinated and overseen by <insert type="param" id-ref="cm-03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#cm-3_smt.g"/>
           </part>
           <part id="cm-3_obj.g-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03g.[02]"/>
             <p>the configuration control element convenes <insert type="param" id-ref="cm-03_odp.03"/>.</p>
+            <link rel="assessment-for" href="#cm-3_smt.g"/>
           </part>
+          <link rel="assessment-for" href="#cm-3_smt.g"/>
         </part>
+        <link rel="assessment-for" href="#cm-3_smt"/>
       </part>
       <part id="cm-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19167,27 +19986,34 @@
           <part id="cm-3.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(a)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to document proposed changes to the system;</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.a"/>
           </part>
           <part id="cm-3.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(b)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to notify <insert type="param" id-ref="cm-03.01_odp.02"/> of proposed changes to the system and request change approval;</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.b"/>
           </part>
           <part id="cm-3.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(c)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to highlight proposed changes to the system that have not been approved or disapproved within <insert type="param" id-ref="cm-03.01_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.c"/>
           </part>
           <part id="cm-3.1_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(d)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to prohibit changes to the system until designated approvals are received;</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.d"/>
           </part>
           <part id="cm-3.1_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(e)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to document all changes to the system;</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.e"/>
           </part>
           <part id="cm-3.1_obj.f" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(01)(f)"/>
             <p><insert type="param" id-ref="cm-03.01_odp.01"/> are used to notify <insert type="param" id-ref="cm-03.01_odp.04"/> when approved changes to the system are completed.</p>
+            <link rel="assessment-for" href="#cm-3.1_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#cm-3.1_smt"/>
         </part>
         <part id="cm-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19247,15 +20073,19 @@
           <part id="cm-3.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(02)[01]"/>
             <p>changes to the system are tested before finalizing the implementation of the changes;</p>
+            <link rel="assessment-for" href="#cm-3.2_smt"/>
           </part>
           <part id="cm-3.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(02)[02]"/>
             <p>changes to the system are validated before finalizing the implementation of the changes;</p>
+            <link rel="assessment-for" href="#cm-3.2_smt"/>
           </part>
           <part id="cm-3.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(02)[03]"/>
             <p>changes to the system are documented before finalizing the implementation of the changes.</p>
+            <link rel="assessment-for" href="#cm-3.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-3.2_smt"/>
         </part>
         <part id="cm-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19321,11 +20151,14 @@
           <part id="cm-3.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(03)[01]"/>
             <p>changes to the current system baseline are implemented using <insert type="param" id-ref="cm-03.03_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-3.3_smt"/>
           </part>
           <part id="cm-3.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(03)[02]"/>
             <p>the updated baseline is deployed across the installed base using <insert type="param" id-ref="cm-03.03_odp"/>.</p>
+            <link rel="assessment-for" href="#cm-3.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-3.3_smt"/>
         </part>
         <part id="cm-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19409,11 +20242,14 @@
           <part id="cm-3.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(04)[01]"/>
             <p><insert type="param" id-ref="cm-03.04_odp.01"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cm-3.4_smt"/>
           </part>
           <part id="cm-3.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-03(04)[02]"/>
             <p><insert type="param" id-ref="cm-03.04_odp.02"/> are required to be members of the <insert type="param" id-ref="cm-03.04_odp.03"/>.</p>
+            <link rel="assessment-for" href="#cm-3.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-3.4_smt"/>
         </part>
         <part id="cm-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19468,6 +20304,7 @@
         <part id="cm-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03(05)"/>
           <p><insert type="param" id-ref="cm-03.05_odp"/> are automatically implemented if baseline configurations are changed in an unauthorized manner.</p>
+          <link rel="assessment-for" href="#cm-3.5_smt"/>
         </part>
         <part id="cm-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19530,6 +20367,7 @@
         <part id="cm-3.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03(06)"/>
           <p>cryptographic mechanisms used to provide <insert type="param" id-ref="cm-03.06_odp"/> are under configuration management.</p>
+          <link rel="assessment-for" href="#cm-3.6_smt"/>
         </part>
         <part id="cm-3.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19600,6 +20438,7 @@
         <part id="cm-3.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03(07)"/>
           <p>changes to the system are reviewed <insert type="param" id-ref="cm-03.07_odp.01"/> or when <insert type="param" id-ref="cm-03.07_odp.02"/> to determine whether unauthorized changes have occurred.</p>
+          <link rel="assessment-for" href="#cm-3.7_smt"/>
         </part>
         <part id="cm-3.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19660,6 +20499,7 @@
         <part id="cm-3.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-03(08)"/>
           <p>changes to the configuration of the system are prevented or restricted under <insert type="param" id-ref="cm-03.08_odp"/>.</p>
+          <link rel="assessment-for" href="#cm-3.8_smt"/>
         </part>
         <part id="cm-3.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19710,11 +20550,14 @@
         <part id="cm-4_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-04[01]"/>
           <p>changes to the system are analyzed to determine potential security impacts prior to change implementation;</p>
+          <link rel="assessment-for" href="#cm-4_smt"/>
         </part>
         <part id="cm-4_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-04[02]"/>
           <p>changes to the system are analyzed to determine potential privacy impacts prior to change implementation.</p>
+          <link rel="assessment-for" href="#cm-4_smt"/>
         </part>
+        <link rel="assessment-for" href="#cm-4_smt"/>
       </part>
       <part id="cm-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19777,39 +20620,49 @@
           <part id="cm-4.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[01]"/>
             <p>changes to the system are analyzed in a separate test environment before implementation in an operational environment;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[02]"/>
             <p>changes to the system are analyzed for security impacts due to flaws;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[03]"/>
             <p>changes to the system are analyzed for privacy impacts due to flaws;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[04]"/>
             <p>changes to the system are analyzed for security impacts due to weaknesses;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[05]"/>
             <p>changes to the system are analyzed for privacy impacts due to weaknesses;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[06]"/>
             <p>changes to the system are analyzed for security impacts due to incompatibility;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[07]"/>
             <p>changes to the system are analyzed for privacy impacts due to incompatibility;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[08]"/>
             <p>changes to the system are analyzed for security impacts due to intentional malice;</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
           <part id="cm-4.1_obj-9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(01)[09]"/>
             <p>changes to the system are analyzed for privacy impacts due to intentional malice.</p>
+            <link rel="assessment-for" href="#cm-4.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-4.1_smt"/>
         </part>
         <part id="cm-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19875,27 +20728,34 @@
           <part id="cm-4.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[01]"/>
             <p>the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
           <part id="cm-4.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[02]"/>
             <p>the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
           <part id="cm-4.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[03]"/>
             <p>the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
           <part id="cm-4.2_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[04]"/>
             <p>the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
           <part id="cm-4.2_obj-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[05]"/>
             <p>the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
           <part id="cm-4.2_obj-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-04(02)[06]"/>
             <p>the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.</p>
+            <link rel="assessment-for" href="#cm-4.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-4.2_smt"/>
         </part>
         <part id="cm-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -19967,27 +20827,34 @@
         <part id="cm-5_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[01]"/>
           <p>physical access restrictions associated with changes to the system are defined and documented;</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
         <part id="cm-5_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[02]"/>
           <p>physical access restrictions associated with changes to the system are approved;</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
         <part id="cm-5_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[03]"/>
           <p>physical access restrictions associated with changes to the system are enforced;</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
         <part id="cm-5_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[04]"/>
           <p>logical access restrictions associated with changes to the system are defined and documented;</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
         <part id="cm-5_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[05]"/>
           <p>logical access restrictions associated with changes to the system are approved;</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
         <part id="cm-5_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05[06]"/>
           <p>logical access restrictions associated with changes to the system are enforced.</p>
+          <link rel="assessment-for" href="#cm-5_smt"/>
         </part>
+        <link rel="assessment-for" href="#cm-5_smt"/>
       </part>
       <part id="cm-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20066,11 +20933,14 @@
           <part id="cm-5.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-05(01)(a)"/>
             <p>access restrictions for change are enforced using <insert type="param" id-ref="cm-05.01_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-5.1_smt.a"/>
           </part>
           <part id="cm-5.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-05(01)(b)"/>
             <p>audit records of enforcement actions are automatically generated.</p>
+            <link rel="assessment-for" href="#cm-5.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-5.1_smt"/>
         </part>
         <part id="cm-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20164,11 +21034,14 @@
           <part id="cm-5.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-05(04)[01]"/>
             <p>dual authorization for implementing changes to <insert type="param" id-ref="cm-05.04_odp.01"/> is enforced;</p>
+            <link rel="assessment-for" href="#cm-5.4_smt"/>
           </part>
           <part id="cm-5.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-05(04)[02]"/>
             <p>dual authorization for implementing changes to <insert type="param" id-ref="cm-05.04_odp.02"/> is enforced.</p>
+            <link rel="assessment-for" href="#cm-5.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-5.4_smt"/>
         </part>
         <part id="cm-5.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20253,23 +21126,30 @@
             <part id="cm-5.5_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-05(05)(a)[01]"/>
               <p>privileges to change system components within a production or operational environment are limited;</p>
+              <link rel="assessment-for" href="#cm-5.5_smt.a"/>
             </part>
             <part id="cm-5.5_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-05(05)(a)[02]"/>
               <p>privileges to change system-related information within a production or operational environment are limited;</p>
+              <link rel="assessment-for" href="#cm-5.5_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#cm-5.5_smt.a"/>
           </part>
           <part id="cm-5.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-05(05)(b)"/>
             <part id="cm-5.5_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-05(05)(b)[01]"/>
               <p>privileges are reviewed <insert type="param" id-ref="cm-05.05_odp.01"/>;</p>
+              <link rel="assessment-for" href="#cm-5.5_smt.b"/>
             </part>
             <part id="cm-5.5_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-05(05)(b)[02]"/>
               <p>privileges are reevaluated <insert type="param" id-ref="cm-05.05_odp.02"/>.</p>
+              <link rel="assessment-for" href="#cm-5.5_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-5.5_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-5.5_smt"/>
         </part>
         <part id="cm-5.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20325,6 +21205,7 @@
         <part id="cm-5.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-05(06)"/>
           <p>privileges to change software resident within software libraries are limited.</p>
+          <link rel="assessment-for" href="#cm-5.6_smt"/>
         </part>
         <part id="cm-5.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20462,33 +21343,42 @@
         <part id="cm-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-06a."/>
           <p>configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using <insert type="param" id-ref="cm-06_odp.01"/>;</p>
+          <link rel="assessment-for" href="#cm-6_smt.a"/>
         </part>
         <part id="cm-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-06b."/>
           <p>the configuration settings documented in CM-06a are implemented;</p>
+          <link rel="assessment-for" href="#cm-6_smt.b"/>
         </part>
         <part id="cm-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-06c."/>
           <part id="cm-6_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06c.[01]"/>
             <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are identified and documented based on <insert type="param" id-ref="cm-06_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cm-6_smt.c"/>
           </part>
           <part id="cm-6_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06c.[02]"/>
             <p>any deviations from established configuration settings for <insert type="param" id-ref="cm-06_odp.02"/> are approved;</p>
+            <link rel="assessment-for" href="#cm-6_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-6_smt.c"/>
         </part>
         <part id="cm-6_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-06d."/>
           <part id="cm-6_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06d.[01]"/>
             <p>changes to the configuration settings are monitored in accordance with organizational policies and procedures;</p>
+            <link rel="assessment-for" href="#cm-6_smt.d"/>
           </part>
           <part id="cm-6_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06d.[02]"/>
             <p>changes to the configuration settings are controlled in accordance with organizational policies and procedures.</p>
+            <link rel="assessment-for" href="#cm-6_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#cm-6_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#cm-6_smt"/>
       </part>
       <part id="cm-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20583,15 +21473,19 @@
           <part id="cm-6.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06(01)[01]"/>
             <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are managed using <insert type="param" id-ref="cm-06.01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#cm-6.1_smt"/>
           </part>
           <part id="cm-6.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06(01)[02]"/>
             <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are applied using <insert type="param" id-ref="cm-06.01_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cm-6.1_smt"/>
           </part>
           <part id="cm-6.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-06(01)[03]"/>
             <p>configuration settings for <insert type="param" id-ref="cm-06.01_odp.01"/> are verified using <insert type="param" id-ref="cm-06.01_odp.04"/>.</p>
+            <link rel="assessment-for" href="#cm-6.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-6.1_smt"/>
         </part>
         <part id="cm-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20665,6 +21559,7 @@
         <part id="cm-6.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-06(02)"/>
           <p><insert type="param" id-ref="cm-06.02_odp.01"/> are taken in response to unauthorized changes to <insert type="param" id-ref="cm-06.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#cm-6.2_smt"/>
         </part>
         <part id="cm-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20819,30 +21714,38 @@
         <part id="cm-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-07a."/>
           <p>the system is configured to provide only <insert type="param" id-ref="cm-07_odp.01"/>;</p>
+          <link rel="assessment-for" href="#cm-7_smt.a"/>
         </part>
         <part id="cm-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-07b."/>
           <part id="cm-7_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07b.[01]"/>
             <p>the use of <insert type="param" id-ref="cm-07_odp.02"/> is prohibited or restricted;</p>
+            <link rel="assessment-for" href="#cm-7_smt.b"/>
           </part>
           <part id="cm-7_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07b.[02]"/>
             <p>the use of <insert type="param" id-ref="cm-07_odp.03"/> is prohibited or restricted;</p>
+            <link rel="assessment-for" href="#cm-7_smt.b"/>
           </part>
           <part id="cm-7_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07b.[03]"/>
             <p>the use of <insert type="param" id-ref="cm-07_odp.04"/> is prohibited or restricted;</p>
+            <link rel="assessment-for" href="#cm-7_smt.b"/>
           </part>
           <part id="cm-7_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07b.[04]"/>
             <p>the use of <insert type="param" id-ref="cm-07_odp.05"/> is prohibited or restricted;</p>
+            <link rel="assessment-for" href="#cm-7_smt.b"/>
           </part>
           <part id="cm-7_obj.b-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07b.[05]"/>
             <p>the use of <insert type="param" id-ref="cm-07_odp.06"/> is prohibited or restricted.</p>
+            <link rel="assessment-for" href="#cm-7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#cm-7_smt"/>
       </part>
       <part id="cm-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -20955,30 +21858,38 @@
           <part id="cm-7.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(01)(a)"/>
             <p>the system is reviewed <insert type="param" id-ref="cm-07.01_odp.01"/> to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:</p>
+            <link rel="assessment-for" href="#cm-7.1_smt.a"/>
           </part>
           <part id="cm-7.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(01)(b)"/>
             <part id="cm-7.1_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(01)(b)[01]"/>
               <p><insert type="param" id-ref="cm-07.01_odp.02"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+              <link rel="assessment-for" href="#cm-7.1_smt.b"/>
             </part>
             <part id="cm-7.1_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(01)(b)[02]"/>
               <p><insert type="param" id-ref="cm-07.01_odp.03"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+              <link rel="assessment-for" href="#cm-7.1_smt.b"/>
             </part>
             <part id="cm-7.1_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(01)(b)[03]"/>
               <p><insert type="param" id-ref="cm-07.01_odp.04"/> deemed to be unnecessary and/or non-secure are disabled or removed;</p>
+              <link rel="assessment-for" href="#cm-7.1_smt.b"/>
             </part>
             <part id="cm-7.1_obj.b-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(01)(b)[04]"/>
               <p><insert type="param" id-ref="cm-07.01_odp.05"/> deemed to be unnecessary and/or non-secure is disabled or removed;</p>
+              <link rel="assessment-for" href="#cm-7.1_smt.b"/>
             </part>
             <part id="cm-7.1_obj.b-5" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(01)(b)[05]"/>
               <p><insert type="param" id-ref="cm-07.01_odp.06"/> deemed to be unnecessary and/or non-secure are disabled or removed.</p>
+              <link rel="assessment-for" href="#cm-7.1_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-7.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.1_smt"/>
         </part>
         <part id="cm-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21053,6 +21964,7 @@
         <part id="cm-7.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-07(02)"/>
           <p>program execution is prevented in accordance with <insert type="param" id-ref="cm-07.02_odp.01"/>.</p>
+          <link rel="assessment-for" href="#cm-7.2_smt"/>
         </part>
         <part id="cm-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21117,6 +22029,7 @@
         <part id="cm-7.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-07(03)"/>
           <p><insert type="param" id-ref="cm-07.03_odp"/> are complied with.</p>
+          <link rel="assessment-for" href="#cm-7.3_smt"/>
         </part>
         <part id="cm-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21203,15 +22116,19 @@
           <part id="cm-7.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(04)(a)"/>
             <p><insert type="param" id-ref="cm-07.04_odp.01"/> are identified;</p>
+            <link rel="assessment-for" href="#cm-7.4_smt.a"/>
           </part>
           <part id="cm-7.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(04)(b)"/>
             <p>an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;</p>
+            <link rel="assessment-for" href="#cm-7.4_smt.b"/>
           </part>
           <part id="cm-7.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(04)(c)"/>
             <p>the list of unauthorized software programs is reviewed and updated <insert type="param" id-ref="cm-07.04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#cm-7.4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.4_smt"/>
         </part>
         <part id="cm-7.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21307,15 +22224,19 @@
           <part id="cm-7.5_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(05)(a)"/>
             <p><insert type="param" id-ref="cm-07.05_odp.01"/> are identified;</p>
+            <link rel="assessment-for" href="#cm-7.5_smt.a"/>
           </part>
           <part id="cm-7.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(05)(b)"/>
             <p>a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;</p>
+            <link rel="assessment-for" href="#cm-7.5_smt.b"/>
           </part>
           <part id="cm-7.5_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(05)(c)"/>
             <p>the list of authorized software programs is reviewed and updated <insert type="param" id-ref="cm-07.05_odp.02"/>.</p>
+            <link rel="assessment-for" href="#cm-7.5_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.5_smt"/>
         </part>
         <part id="cm-7.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21382,6 +22303,7 @@
         <part id="cm-7.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-07(06)"/>
           <p><insert type="param" id-ref="cm-07.06_odp"/> is required to be executed in a confined physical or virtual machine environment with limited privileges.</p>
+          <link rel="assessment-for" href="#cm-7.6_smt"/>
         </part>
         <part id="cm-7.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21458,11 +22380,14 @@
           <part id="cm-7.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(07)(a)"/>
             <p>the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of <insert type="param" id-ref="cm-07.07_odp"/>;</p>
+            <link rel="assessment-for" href="#cm-7.7_smt.a"/>
           </part>
           <part id="cm-7.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(07)(b)"/>
             <p>the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of <insert type="param" id-ref="cm-07.07_odp"/>.</p>
+            <link rel="assessment-for" href="#cm-7.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.7_smt"/>
         </part>
         <part id="cm-7.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21531,18 +22456,23 @@
           <part id="cm-7.8_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(08)(a)"/>
             <p>the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;</p>
+            <link rel="assessment-for" href="#cm-7.8_smt.a"/>
           </part>
           <part id="cm-7.8_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(08)(b)"/>
             <part id="cm-7.8_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(08)(b)[01]"/>
               <p>exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;</p>
+              <link rel="assessment-for" href="#cm-7.8_smt.b"/>
             </part>
             <part id="cm-7.8_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-07(08)(b)[02]"/>
               <p>exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.</p>
+              <link rel="assessment-for" href="#cm-7.8_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-7.8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.8_smt"/>
         </part>
         <part id="cm-7.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21630,15 +22560,19 @@
           <part id="cm-7.9_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(09)(a)"/>
             <p><insert type="param" id-ref="cm-07.09_odp.01"/> are identified;</p>
+            <link rel="assessment-for" href="#cm-7.9_smt.a"/>
           </part>
           <part id="cm-7.9_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(09)(b)"/>
             <p>the use or connection of unauthorized hardware components is prohibited;</p>
+            <link rel="assessment-for" href="#cm-7.9_smt.b"/>
           </part>
           <part id="cm-7.9_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-07(09)(c)"/>
             <p>the list of authorized hardware components is reviewed and updated <insert type="param" id-ref="cm-07.09_odp.02"/>.</p>
+            <link rel="assessment-for" href="#cm-7.9_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-7.9_smt"/>
         </part>
         <part id="cm-7.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21763,28 +22697,36 @@
           <part id="cm-8_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08a.01"/>
             <p>an inventory of system components that accurately reflects the system is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-8_smt.a.1"/>
           </part>
           <part id="cm-8_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08a.02"/>
             <p>an inventory of system components that includes all components within the system is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-8_smt.a.2"/>
           </part>
           <part id="cm-8_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08a.03"/>
             <p>an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-8_smt.a.3"/>
           </part>
           <part id="cm-8_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08a.04"/>
             <p>an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-8_smt.a.4"/>
           </part>
           <part id="cm-8_obj.a.5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08a.05"/>
             <p>an inventory of system components that includes <insert type="param" id-ref="cm-08_odp.01"/> is developed and documented;</p>
+            <link rel="assessment-for" href="#cm-8_smt.a.5"/>
           </part>
+          <link rel="assessment-for" href="#cm-8_smt.a"/>
         </part>
         <part id="cm-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-08b."/>
           <p>the system component inventory is reviewed and updated <insert type="param" id-ref="cm-08_odp.02"/>.</p>
+          <link rel="assessment-for" href="#cm-8_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#cm-8_smt"/>
       </part>
       <part id="cm-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21838,15 +22780,19 @@
           <part id="cm-8.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(01)[01]"/>
             <p>the inventory of system components is updated as part of component installations;</p>
+            <link rel="assessment-for" href="#cm-8.1_smt"/>
           </part>
           <part id="cm-8.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(01)[02]"/>
             <p>the inventory of system components is updated as part of component removals;</p>
+            <link rel="assessment-for" href="#cm-8.1_smt"/>
           </part>
           <part id="cm-8.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(01)[03]"/>
             <p>the inventory of system components is updated as part of system updates.</p>
+            <link rel="assessment-for" href="#cm-8.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-8.1_smt"/>
         </part>
         <part id="cm-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -21937,19 +22883,24 @@
           <part id="cm-8.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(02)[01]"/>
             <p><insert type="param" id-ref="cm-08.02_odp.01"/> are used to maintain the currency of the system component inventory;</p>
+            <link rel="assessment-for" href="#cm-8.2_smt"/>
           </part>
           <part id="cm-8.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(02)[02]"/>
             <p><insert type="param" id-ref="cm-08.02_odp.02"/> are used to maintain the completeness of the system component inventory;</p>
+            <link rel="assessment-for" href="#cm-8.2_smt"/>
           </part>
           <part id="cm-8.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(02)[03]"/>
             <p><insert type="param" id-ref="cm-08.02_odp.03"/> are used to maintain the accuracy of the system component inventory;</p>
+            <link rel="assessment-for" href="#cm-8.2_smt"/>
           </part>
           <part id="cm-8.2_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(02)[04]"/>
             <p><insert type="param" id-ref="cm-08.02_odp.04"/> are used to maintain the availability of the system component inventory.</p>
+            <link rel="assessment-for" href="#cm-8.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-8.2_smt"/>
         </part>
         <part id="cm-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22076,31 +23027,40 @@
             <part id="cm-8.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(a)[01]"/>
               <p>the presence of unauthorized hardware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.01"/> <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.a"/>
             </part>
             <part id="cm-8.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(a)[02]"/>
               <p>the presence of unauthorized software within the system is detected using <insert type="param" id-ref="cm-08.03_odp.02"/> <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.a"/>
             </part>
             <part id="cm-8.3_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(a)[03]"/>
               <p>the presence of unauthorized firmware within the system is detected using <insert type="param" id-ref="cm-08.03_odp.03"/> <insert type="param" id-ref="cm-08.03_odp.04"/>;</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#cm-8.3_smt.a"/>
           </part>
           <part id="cm-8.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(03)(b)"/>
             <part id="cm-8.3_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(b)[01]"/>
               <p><insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized hardware is detected;</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.b"/>
             </part>
             <part id="cm-8.3_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(b)[02]"/>
               <p><insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized software is detected;</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.b"/>
             </part>
             <part id="cm-8.3_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CM-08(03)(b)[03]"/>
               <p><insert type="param" id-ref="cm-08.03_odp.05"/> are taken when unauthorized firmware is detected.</p>
+              <link rel="assessment-for" href="#cm-8.3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#cm-8.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-8.3_smt"/>
         </part>
         <part id="cm-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22170,6 +23130,7 @@
         <part id="cm-8.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-08(04)"/>
           <p>individuals responsible and accountable for administering system components are identified by <insert type="param" id-ref="cm-08.04_odp"/> in the system component inventory.</p>
+          <link rel="assessment-for" href="#cm-8.4_smt"/>
         </part>
         <part id="cm-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22229,11 +23190,14 @@
           <part id="cm-8.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(06)[01]"/>
             <p>assessed component configurations are included in the system component inventory;</p>
+            <link rel="assessment-for" href="#cm-8.6_smt"/>
           </part>
           <part id="cm-8.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(06)[02]"/>
             <p>any approved deviations to current deployed configurations are included in the system component inventory.</p>
+            <link rel="assessment-for" href="#cm-8.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-8.6_smt"/>
         </part>
         <part id="cm-8.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22287,6 +23251,7 @@
         <part id="cm-8.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-08(07)"/>
           <p>a centralized repository for the system component inventory is provided.</p>
+          <link rel="assessment-for" href="#cm-8.7_smt"/>
         </part>
         <part id="cm-8.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22347,6 +23312,7 @@
         <part id="cm-8.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-08(08)"/>
           <p><insert type="param" id-ref="cm-08.08_odp"/> are used to support the tracking of system components by geographic location.</p>
+          <link rel="assessment-for" href="#cm-8.8_smt"/>
         </part>
         <part id="cm-8.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22418,11 +23384,14 @@
           <part id="cm-8.9_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(09)(a)"/>
             <p>system components are assigned to a system;</p>
+            <link rel="assessment-for" href="#cm-8.9_smt.a"/>
           </part>
           <part id="cm-8.9_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-08(09)(b)"/>
             <p>an acknowledgement of the component assignment is received from <insert type="param" id-ref="cm-08.09_odp"/>.</p>
+            <link rel="assessment-for" href="#cm-8.9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-8.9_smt"/>
         </part>
         <part id="cm-8.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22519,63 +23488,80 @@
         <part id="cm-9_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09[01]"/>
           <p>a configuration management plan for the system is developed and documented;</p>
+          <link rel="assessment-for" href="#cm-9_smt"/>
         </part>
         <part id="cm-9_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09[02]"/>
           <p>a configuration management plan for the system is implemented;</p>
+          <link rel="assessment-for" href="#cm-9_smt"/>
         </part>
         <part id="cm-9_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09a."/>
           <part id="cm-9_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09a.[01]"/>
             <p>the configuration management plan addresses roles;</p>
+            <link rel="assessment-for" href="#cm-9_smt.a"/>
           </part>
           <part id="cm-9_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09a.[02]"/>
             <p>the configuration management plan addresses responsibilities;</p>
+            <link rel="assessment-for" href="#cm-9_smt.a"/>
           </part>
           <part id="cm-9_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09a.[03]"/>
             <p>the configuration management plan addresses configuration management processes and procedures;</p>
+            <link rel="assessment-for" href="#cm-9_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#cm-9_smt.a"/>
         </part>
         <part id="cm-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09b."/>
           <part id="cm-9_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09b.[01]"/>
             <p>the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;</p>
+            <link rel="assessment-for" href="#cm-9_smt.b"/>
           </part>
           <part id="cm-9_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09b.[02]"/>
             <p>the configuration management plan establishes a process for managing the configuration of the configuration items;</p>
+            <link rel="assessment-for" href="#cm-9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-9_smt.b"/>
         </part>
         <part id="cm-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09c."/>
           <part id="cm-9_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09c.[01]"/>
             <p>the configuration management plan defines the configuration items for the system;</p>
+            <link rel="assessment-for" href="#cm-9_smt.c"/>
           </part>
           <part id="cm-9_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09c.[02]"/>
             <p>the configuration management plan places the configuration items under configuration management;</p>
+            <link rel="assessment-for" href="#cm-9_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-9_smt.c"/>
         </part>
         <part id="cm-9_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09d."/>
           <p>the configuration management plan is reviewed and approved by <insert type="param" id-ref="cm-09_odp"/>;</p>
+          <link rel="assessment-for" href="#cm-9_smt.d"/>
         </part>
         <part id="cm-9_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09e."/>
           <part id="cm-9_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09e.[01]"/>
             <p>the configuration management plan is protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#cm-9_smt.e"/>
           </part>
           <part id="cm-9_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-09e.[02]"/>
             <p>the configuration management plan is protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#cm-9_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#cm-9_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#cm-9_smt"/>
       </part>
       <part id="cm-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22629,6 +23615,7 @@
         <part id="cm-9.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-09(01)"/>
           <p>the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.</p>
+          <link rel="assessment-for" href="#cm-9.1_smt"/>
         </part>
         <part id="cm-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22686,15 +23673,19 @@
         <part id="cm-10_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-10a."/>
           <p>software and associated documentation are used in accordance with contract agreements and copyright laws;</p>
+          <link rel="assessment-for" href="#cm-10_smt.a"/>
         </part>
         <part id="cm-10_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-10b."/>
           <p>the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;</p>
+          <link rel="assessment-for" href="#cm-10_smt.b"/>
         </part>
         <part id="cm-10_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-10c."/>
           <p>the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</p>
+          <link rel="assessment-for" href="#cm-10_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cm-10_smt"/>
       </part>
       <part id="cm-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22757,6 +23748,7 @@
         <part id="cm-10.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-10(01)"/>
           <p><insert type="param" id-ref="cm-10.01_odp"/> are established for the use of open-source software.</p>
+          <link rel="assessment-for" href="#cm-10.1_smt"/>
         </part>
         <part id="cm-10.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22859,15 +23851,19 @@
         <part id="cm-11_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-11a."/>
           <p><insert type="param" id-ref="cm-11_odp.01"/> governing the installation of software by users are established;</p>
+          <link rel="assessment-for" href="#cm-11_smt.a"/>
         </part>
         <part id="cm-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-11b."/>
           <p>software installation policies are enforced through <insert type="param" id-ref="cm-11_odp.02"/>;</p>
+          <link rel="assessment-for" href="#cm-11_smt.b"/>
         </part>
         <part id="cm-11_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-11c."/>
           <p>compliance with <insert type="param" id-ref="cm-11_odp.01"/> is monitored <insert type="param" id-ref="cm-11_odp.03"/>.</p>
+          <link rel="assessment-for" href="#cm-11_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cm-11_smt"/>
       </part>
       <part id="cm-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -22933,6 +23929,7 @@
         <part id="cm-11.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-11(02)"/>
           <p>user installation of software is allowed only with explicit privileged status.</p>
+          <link rel="assessment-for" href="#cm-11.2_smt"/>
         </part>
         <part id="cm-11.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23008,11 +24005,14 @@
           <part id="cm-11.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-11(03)[01]"/>
             <p>compliance with software installation policies is enforced using <insert type="param" id-ref="cm-11.03_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cm-11.3_smt"/>
           </part>
           <part id="cm-11.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-11(03)[02]"/>
             <p>compliance with software installation policies is monitored using <insert type="param" id-ref="cm-11.03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#cm-11.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#cm-11.3_smt"/>
         </part>
         <part id="cm-11.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23112,38 +24112,49 @@
           <part id="cm-12_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12a.[01]"/>
             <p>the location of <insert type="param" id-ref="cm-12_odp"/> is identified and documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.a"/>
           </part>
           <part id="cm-12_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12a.[02]"/>
             <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.a"/>
           </part>
           <part id="cm-12_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12a.[03]"/>
             <p>the specific system components on which <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#cm-12_smt.a"/>
         </part>
         <part id="cm-12_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-12b."/>
           <part id="cm-12_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12b.[01]"/>
             <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is processed are identified and documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.b"/>
           </part>
           <part id="cm-12_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12b.[02]"/>
             <p>the users who have access to the system and system components where <insert type="param" id-ref="cm-12_odp"/> is stored are identified and documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cm-12_smt.b"/>
         </part>
         <part id="cm-12_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-12c."/>
           <part id="cm-12_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12c.[01]"/>
             <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is processed are documented;</p>
+            <link rel="assessment-for" href="#cm-12_smt.c"/>
           </part>
           <part id="cm-12_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CM-12c.[02]"/>
             <p>changes to the location (i.e., system or system components) where <insert type="param" id-ref="cm-12_odp"/> is stored are documented.</p>
+            <link rel="assessment-for" href="#cm-12_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cm-12_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cm-12_smt"/>
       </part>
       <part id="cm-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23217,6 +24228,7 @@
         <part id="cm-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-12(01)"/>
           <p>automated tools are used to identify <insert type="param" id-ref="cm-12.01_odp.01"/> on <insert type="param" id-ref="cm-12.01_odp.02"/> to ensure that controls are in place to protect organizational information and individual privacy.</p>
+          <link rel="assessment-for" href="#cm-12.1_smt"/>
         </part>
         <part id="cm-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23280,6 +24292,7 @@
       <part id="cm-13_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CM-13"/>
         <p>a map of system data actions is developed and documented.</p>
+        <link rel="assessment-for" href="#cm-13_smt"/>
       </part>
       <part id="cm-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23362,11 +24375,14 @@
         <part id="cm-14_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-14[01]"/>
           <p>the installation of <insert type="param" id-ref="cm-14_odp.01"/> is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;</p>
+          <link rel="assessment-for" href="#cm-14_smt"/>
         </part>
         <part id="cm-14_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CM-14[02]"/>
           <p>the installation of <insert type="param" id-ref="cm-14_odp.02"/> is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.</p>
+          <link rel="assessment-for" href="#cm-14_smt"/>
         </part>
+        <link rel="assessment-for" href="#cm-14_smt"/>
       </part>
       <part id="cm-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23539,18 +24555,22 @@
           <part id="cp-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01a.[01]"/>
             <p>a contingency planning policy is developed and documented;</p>
+            <link rel="assessment-for" href="#cp-1_smt.a"/>
           </part>
           <part id="cp-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01a.[02]"/>
             <p>the contingency planning policy is disseminated to <insert type="param" id-ref="cp-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cp-1_smt.a"/>
           </part>
           <part id="cp-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01a.[03]"/>
             <p>contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;</p>
+            <link rel="assessment-for" href="#cp-1_smt.a"/>
           </part>
           <part id="cp-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01a.[04]"/>
             <p>the contingency planning procedures are disseminated to <insert type="param" id-ref="cp-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#cp-1_smt.a"/>
           </part>
           <part id="cp-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01a.01"/>
@@ -23559,41 +24579,53 @@
               <part id="cp-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses purpose;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses scope;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses roles;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
               <part id="cp-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="CP-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy addresses compliance;</p>
+                <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#cp-1_smt.a.1.a"/>
             </part>
             <part id="cp-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-01a.01(b)"/>
               <p>the <insert type="param" id-ref="cp-01_odp.03"/> contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#cp-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#cp-1_smt.a"/>
         </part>
         <part id="cp-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-01b."/>
           <p>the <insert type="param" id-ref="cp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;</p>
+          <link rel="assessment-for" href="#cp-1_smt.b"/>
         </part>
         <part id="cp-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-01c."/>
@@ -23602,24 +24634,32 @@
             <part id="cp-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-01c.01[01]"/>
               <p>the current contingency planning policy is reviewed and updated <insert type="param" id-ref="cp-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#cp-1_smt.c.1"/>
             </part>
             <part id="cp-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-01c.01[02]"/>
               <p>the current contingency planning policy is reviewed and updated following <insert type="param" id-ref="cp-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#cp-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt.c.1"/>
           </part>
           <part id="cp-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-01c.02"/>
             <part id="cp-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-01c.02[01]"/>
               <p>the current contingency planning procedures are reviewed and updated <insert type="param" id-ref="cp-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#cp-1_smt.c.2"/>
             </part>
             <part id="cp-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-01c.02[02]"/>
               <p>the current contingency planning procedures are reviewed and updated following <insert type="param" id-ref="cp-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#cp-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#cp-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#cp-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cp-1_smt"/>
       </part>
       <part id="cp-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23811,124 +24851,158 @@
           <part id="cp-2_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.01"/>
             <p>a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;</p>
+            <link rel="assessment-for" href="#cp-2_smt.a.1"/>
           </part>
           <part id="cp-2_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.02"/>
             <part id="cp-2_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.02[01]"/>
               <p>a contingency plan for the system is developed that provides recovery objectives;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.2"/>
             </part>
             <part id="cp-2_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.02[02]"/>
               <p>a contingency plan for the system is developed that provides restoration priorities;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.2"/>
             </part>
             <part id="cp-2_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.02[03]"/>
               <p>a contingency plan for the system is developed that provides metrics;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt.a.2"/>
           </part>
           <part id="cp-2_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.03"/>
             <part id="cp-2_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.03[01]"/>
               <p>a contingency plan for the system is developed that addresses contingency roles;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.3"/>
             </part>
             <part id="cp-2_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.03[02]"/>
               <p>a contingency plan for the system is developed that addresses contingency responsibilities;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.3"/>
             </part>
             <part id="cp-2_obj.a.3-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.03[03]"/>
               <p>a contingency plan for the system is developed that addresses assigned individuals with contact information;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt.a.3"/>
           </part>
           <part id="cp-2_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.04"/>
             <p>a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</p>
+            <link rel="assessment-for" href="#cp-2_smt.a.4"/>
           </part>
           <part id="cp-2_obj.a.5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.05"/>
             <p>a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;</p>
+            <link rel="assessment-for" href="#cp-2_smt.a.5"/>
           </part>
           <part id="cp-2_obj.a.6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.06"/>
             <p>a contingency plan for the system is developed that addresses the sharing of contingency information;</p>
+            <link rel="assessment-for" href="#cp-2_smt.a.6"/>
           </part>
           <part id="cp-2_obj.a.7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02a.07"/>
             <part id="cp-2_obj.a.7-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.07[01]"/>
               <p>a contingency plan for the system is developed that is reviewed by <insert type="param" id-ref="cp-02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.7"/>
             </part>
             <part id="cp-2_obj.a.7-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-02a.07[02]"/>
               <p>a contingency plan for the system is developed that is approved by <insert type="param" id-ref="cp-02_odp.02"/>;</p>
+              <link rel="assessment-for" href="#cp-2_smt.a.7"/>
             </part>
+            <link rel="assessment-for" href="#cp-2_smt.a.7"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.a"/>
         </part>
         <part id="cp-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02b."/>
           <part id="cp-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02b.[01]"/>
             <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cp-2_smt.b"/>
           </part>
           <part id="cp-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02b.[02]"/>
             <p>copies of the contingency plan are distributed to <insert type="param" id-ref="cp-02_odp.04"/>;</p>
+            <link rel="assessment-for" href="#cp-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.b"/>
         </part>
         <part id="cp-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02c."/>
           <p>contingency planning activities are coordinated with incident handling activities;</p>
+          <link rel="assessment-for" href="#cp-2_smt.c"/>
         </part>
         <part id="cp-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02d."/>
           <p>the contingency plan for the system is reviewed <insert type="param" id-ref="cp-02_odp.05"/>;</p>
+          <link rel="assessment-for" href="#cp-2_smt.d"/>
         </part>
         <part id="cp-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02e."/>
           <part id="cp-2_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02e.[01]"/>
             <p>the contingency plan is updated to address changes to the organization, system, or environment of operation;</p>
+            <link rel="assessment-for" href="#cp-2_smt.e"/>
           </part>
           <part id="cp-2_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02e.[02]"/>
             <p>the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;</p>
+            <link rel="assessment-for" href="#cp-2_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.e"/>
         </part>
         <part id="cp-2_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02f."/>
           <part id="cp-2_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02f.[01]"/>
             <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.06"/>;</p>
+            <link rel="assessment-for" href="#cp-2_smt.f"/>
           </part>
           <part id="cp-2_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02f.[02]"/>
             <p>contingency plan changes are communicated to <insert type="param" id-ref="cp-02_odp.07"/>;</p>
+            <link rel="assessment-for" href="#cp-2_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.f"/>
         </part>
         <part id="cp-2_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02g."/>
           <part id="cp-2_obj.g-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02g.[01]"/>
             <p>lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;</p>
+            <link rel="assessment-for" href="#cp-2_smt.g"/>
           </part>
           <part id="cp-2_obj.g-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02g.[02]"/>
             <p>lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;</p>
+            <link rel="assessment-for" href="#cp-2_smt.g"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.g"/>
         </part>
         <part id="cp-2_obj.h" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02h."/>
           <part id="cp-2_obj.h-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02h.[01]"/>
             <p>the contingency plan is protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#cp-2_smt.h"/>
           </part>
           <part id="cp-2_obj.h-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02h.[02]"/>
             <p>the contingency plan is protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#cp-2_smt.h"/>
           </part>
+          <link rel="assessment-for" href="#cp-2_smt.h"/>
         </part>
+        <link rel="assessment-for" href="#cp-2_smt"/>
       </part>
       <part id="cp-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -23976,6 +25050,7 @@
         <part id="cp-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02(01)"/>
           <p>contingency plan development is coordinated with organizational elements responsible for related plans.</p>
+          <link rel="assessment-for" href="#cp-2.1_smt"/>
         </part>
         <part id="cp-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24030,15 +25105,19 @@
           <part id="cp-2.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(02)[01]"/>
             <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;</p>
+            <link rel="assessment-for" href="#cp-2.2_smt"/>
           </part>
           <part id="cp-2.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(02)[02]"/>
             <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;</p>
+            <link rel="assessment-for" href="#cp-2.2_smt"/>
           </part>
           <part id="cp-2.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(02)[03]"/>
             <p>capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.</p>
+            <link rel="assessment-for" href="#cp-2.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-2.2_smt"/>
         </part>
         <part id="cp-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24094,6 +25173,7 @@
         <part id="cp-2.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02(03)"/>
           <p>the resumption of <insert type="param" id-ref="cp-02.03_odp.01"/> mission and business functions are planned for within <insert type="param" id-ref="cp-02.03_odp.02"/> of contingency plan activation.</p>
+          <link rel="assessment-for" href="#cp-2.3_smt"/>
         </part>
         <part id="cp-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24161,11 +25241,14 @@
           <part id="cp-2.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(05)[01]"/>
             <p>the continuance of <insert type="param" id-ref="cp-02.05_odp"/> mission and business functions with minimal or no loss of operational continuity is planned for;</p>
+            <link rel="assessment-for" href="#cp-2.5_smt"/>
           </part>
           <part id="cp-2.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(05)[02]"/>
             <p>continuity is sustained until full system restoration at primary processing and/or storage sites.</p>
+            <link rel="assessment-for" href="#cp-2.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-2.5_smt"/>
         </part>
         <part id="cp-2.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24228,11 +25311,14 @@
           <part id="cp-2.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(06)[01]"/>
             <p>the transfer of <insert type="param" id-ref="cp-02.06_odp"/> mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;</p>
+            <link rel="assessment-for" href="#cp-2.6_smt"/>
           </part>
           <part id="cp-2.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-02(06)[02]"/>
             <p>operational continuity is sustained until full system restoration at primary processing and/or storage sites.</p>
+            <link rel="assessment-for" href="#cp-2.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-2.6_smt"/>
         </part>
         <part id="cp-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24284,6 +25370,7 @@
         <part id="cp-2.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02(07)"/>
           <p>the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.</p>
+          <link rel="assessment-for" href="#cp-2.7_smt"/>
         </part>
         <part id="cp-2.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24336,6 +25423,7 @@
         <part id="cp-2.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-02(08)"/>
           <p>critical system assets supporting <insert type="param" id-ref="cp-02.08_odp"/> mission and business functions are identified.</p>
+          <link rel="assessment-for" href="#cp-2.8_smt"/>
         </part>
         <part id="cp-2.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24441,27 +25529,35 @@
           <part id="cp-3_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-03a.01"/>
             <p>contingency training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="cp-03_odp.01"/> of assuming a contingency role or responsibility;</p>
+            <link rel="assessment-for" href="#cp-3_smt.a.1"/>
           </part>
           <part id="cp-3_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-03a.02"/>
             <p>contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+            <link rel="assessment-for" href="#cp-3_smt.a.2"/>
           </part>
           <part id="cp-3_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-03a.03"/>
             <p>contingency training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="cp-03_odp.02"/> thereafter;</p>
+            <link rel="assessment-for" href="#cp-3_smt.a.3"/>
           </part>
+          <link rel="assessment-for" href="#cp-3_smt.a"/>
         </part>
         <part id="cp-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-03b."/>
           <part id="cp-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-03b.[01]"/>
             <p>the contingency plan training content is reviewed and updated <insert type="param" id-ref="cp-03_odp.03"/>;</p>
+            <link rel="assessment-for" href="#cp-3_smt.b"/>
           </part>
           <part id="cp-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-03b.[02]"/>
             <p>the contingency plan training content is reviewed and updated following <insert type="param" id-ref="cp-03_odp.04"/>.</p>
+            <link rel="assessment-for" href="#cp-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cp-3_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#cp-3_smt"/>
       </part>
       <part id="cp-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24509,6 +25605,7 @@
         <part id="cp-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-03(01)"/>
           <p>simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.</p>
+          <link rel="assessment-for" href="#cp-3.1_smt"/>
         </part>
         <part id="cp-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24557,6 +25654,7 @@
         <part id="cp-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-03(02)"/>
           <p>mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.</p>
+          <link rel="assessment-for" href="#cp-3.2_smt"/>
         </part>
         <part id="cp-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24661,24 +25759,31 @@
           <part id="cp-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04a.[01]"/>
             <p>the contingency plan for the system is tested <insert type="param" id-ref="cp-04_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cp-4_smt.a"/>
           </part>
           <part id="cp-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04a.[02]"/>
             <p><insert type="param" id-ref="cp-04_odp.02"/> are used to determine the effectiveness of the plan;</p>
+            <link rel="assessment-for" href="#cp-4_smt.a"/>
           </part>
           <part id="cp-4_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04a.[03]"/>
             <p><insert type="param" id-ref="cp-04_odp.03"/> are used to determine the readiness to execute the plan;</p>
+            <link rel="assessment-for" href="#cp-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#cp-4_smt.a"/>
         </part>
         <part id="cp-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-04b."/>
           <p>the contingency plan test results are reviewed;</p>
+          <link rel="assessment-for" href="#cp-4_smt.b"/>
         </part>
         <part id="cp-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-04c."/>
           <p>corrective actions are initiated, if needed.</p>
+          <link rel="assessment-for" href="#cp-4_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cp-4_smt"/>
       </part>
       <part id="cp-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24728,6 +25833,7 @@
         <part id="cp-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-04(01)"/>
           <p>contingency plan testing is coordinated with organizational elements responsible for related plans.</p>
+          <link rel="assessment-for" href="#cp-4.1_smt"/>
         </part>
         <part id="cp-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24787,11 +25893,14 @@
           <part id="cp-4.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04(02)(a)"/>
             <p>the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;</p>
+            <link rel="assessment-for" href="#cp-4.2_smt.a"/>
           </part>
           <part id="cp-4.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04(02)(b)"/>
             <p>the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.</p>
+            <link rel="assessment-for" href="#cp-4.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cp-4.2_smt"/>
         </part>
         <part id="cp-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24850,6 +25959,7 @@
         <part id="cp-4.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-04(03)"/>
           <p>the contingency plan is tested using <insert type="param" id-ref="cp-04.03_odp"/>.</p>
+          <link rel="assessment-for" href="#cp-4.3_smt"/>
         </part>
         <part id="cp-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24903,11 +26013,14 @@
           <part id="cp-4.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04(04)[01]"/>
             <p>a full recovery of the system to a known state is included as part of contingency plan testing;</p>
+            <link rel="assessment-for" href="#cp-4.4_smt"/>
           </part>
           <part id="cp-4.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-04(04)[02]"/>
             <p>a full reconstitution of the system to a known state is included as part of contingency plan testing.</p>
+            <link rel="assessment-for" href="#cp-4.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-4.4_smt"/>
         </part>
         <part id="cp-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -24975,6 +26088,7 @@
         <part id="cp-4.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-04(05)"/>
           <p><insert type="param" id-ref="cp-04.05_odp.01"/> are employed to disrupt and adversely affect the <insert type="param" id-ref="cp-04.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#cp-4.5_smt"/>
         </part>
         <part id="cp-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25053,16 +26167,21 @@
           <part id="cp-6_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06a.[01]"/>
             <p>an alternate storage site is established;</p>
+            <link rel="assessment-for" href="#cp-6_smt.a"/>
           </part>
           <part id="cp-6_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06a.[02]"/>
             <p>establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;</p>
+            <link rel="assessment-for" href="#cp-6_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#cp-6_smt.a"/>
         </part>
         <part id="cp-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-06b."/>
           <p>the alternate storage site provides controls equivalent to that of the primary site.</p>
+          <link rel="assessment-for" href="#cp-6_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#cp-6_smt"/>
       </part>
       <part id="cp-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25111,6 +26230,7 @@
         <part id="cp-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-06(01)"/>
           <p>an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.</p>
+          <link rel="assessment-for" href="#cp-6.1_smt"/>
         </part>
         <part id="cp-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25154,11 +26274,14 @@
           <part id="cp-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06(02)[01]"/>
             <p>the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;</p>
+            <link rel="assessment-for" href="#cp-6.2_smt"/>
           </part>
           <part id="cp-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06(02)[02]"/>
             <p>the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.</p>
+            <link rel="assessment-for" href="#cp-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-6.2_smt"/>
         </part>
         <part id="cp-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25211,11 +26334,14 @@
           <part id="cp-6.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06(03)[01]"/>
             <p>potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;</p>
+            <link rel="assessment-for" href="#cp-6.3_smt"/>
           </part>
           <part id="cp-6.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-06(03)[02]"/>
             <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+            <link rel="assessment-for" href="#cp-6.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-6.3_smt"/>
         </part>
         <part id="cp-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25301,22 +26427,28 @@
         <part id="cp-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07a."/>
           <p>an alternate processing site, including necessary agreements to permit the transfer and resumption of <insert type="param" id-ref="cp-07_odp.01"/> for essential mission and business functions, is established within <insert type="param" id-ref="cp-07_odp.02"/> when the primary processing capabilities are unavailable;</p>
+          <link rel="assessment-for" href="#cp-7_smt.a"/>
         </part>
         <part id="cp-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07b."/>
           <part id="cp-7_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07b.[01]"/>
             <p>the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for transfer;</p>
+            <link rel="assessment-for" href="#cp-7_smt.b"/>
           </part>
           <part id="cp-7_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07b.[02]"/>
             <p>the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within <insert type="param" id-ref="cp-07_odp.02"/> for resumption;</p>
+            <link rel="assessment-for" href="#cp-7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cp-7_smt.b"/>
         </part>
         <part id="cp-7_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07c."/>
           <p>controls provided at the alternate processing site are equivalent to those at the primary site.</p>
+          <link rel="assessment-for" href="#cp-7_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#cp-7_smt"/>
       </part>
       <part id="cp-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25367,6 +26499,7 @@
         <part id="cp-7.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07(01)"/>
           <p>an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.</p>
+          <link rel="assessment-for" href="#cp-7.1_smt"/>
         </part>
         <part id="cp-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25411,11 +26544,14 @@
           <part id="cp-7.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07(02)[01]"/>
             <p>potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;</p>
+            <link rel="assessment-for" href="#cp-7.2_smt"/>
           </part>
           <part id="cp-7.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07(02)[02]"/>
             <p>explicit mitigation actions to address identified accessibility problems are outlined.</p>
+            <link rel="assessment-for" href="#cp-7.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-7.2_smt"/>
         </part>
         <part id="cp-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25457,6 +26593,7 @@
         <part id="cp-7.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07(03)"/>
           <p>alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.</p>
+          <link rel="assessment-for" href="#cp-7.3_smt"/>
         </part>
         <part id="cp-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25501,6 +26638,7 @@
         <part id="cp-7.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-07(04)"/>
           <p>the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.</p>
+          <link rel="assessment-for" href="#cp-7.4_smt"/>
         </part>
         <part id="cp-7.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25559,11 +26697,14 @@
           <part id="cp-7.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07(06)[01]"/>
             <p>circumstances that preclude returning to the primary processing site are planned for;</p>
+            <link rel="assessment-for" href="#cp-7.6_smt"/>
           </part>
           <part id="cp-7.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-07(06)[02]"/>
             <p>circumstances that preclude returning to the primary processing site are prepared for.</p>
+            <link rel="assessment-for" href="#cp-7.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-7.6_smt"/>
         </part>
         <part id="cp-7.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25626,6 +26767,7 @@
       <part id="cp-8_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CP-08"/>
         <p>alternate telecommunications services, including necessary agreements to permit the resumption of <insert type="param" id-ref="cp-08_odp.01"/> , are established for essential mission and business functions within <insert type="param" id-ref="cp-08_odp.02"/> when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.</p>
+        <link rel="assessment-for" href="#cp-8_smt"/>
       </part>
       <part id="cp-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25684,16 +26826,21 @@
             <part id="cp-8.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(01)(a)[01]"/>
               <p>primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+              <link rel="assessment-for" href="#cp-8.1_smt.a"/>
             </part>
             <part id="cp-8.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(01)(a)[02]"/>
               <p>alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;</p>
+              <link rel="assessment-for" href="#cp-8.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#cp-8.1_smt.a"/>
           </part>
           <part id="cp-8.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-08(01)(b)"/>
             <p>Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.</p>
+            <link rel="assessment-for" href="#cp-8.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#cp-8.1_smt"/>
         </part>
         <part id="cp-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25742,6 +26889,7 @@
         <part id="cp-8.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-08(02)"/>
           <p>alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.</p>
+          <link rel="assessment-for" href="#cp-8.2_smt"/>
         </part>
         <part id="cp-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25782,6 +26930,7 @@
         <part id="cp-8.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-08(03)"/>
           <p>alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.</p>
+          <link rel="assessment-for" href="#cp-8.3_smt"/>
         </part>
         <part id="cp-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25859,27 +27008,35 @@
             <part id="cp-8.4_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(04)(a)[01]"/>
               <p>primary telecommunications service providers are required to have contingency plans;</p>
+              <link rel="assessment-for" href="#cp-8.4_smt.a"/>
             </part>
             <part id="cp-8.4_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(04)(a)[02]"/>
               <p>alternate telecommunications service providers are required to have contingency plans;</p>
+              <link rel="assessment-for" href="#cp-8.4_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#cp-8.4_smt.a"/>
           </part>
           <part id="cp-8.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-08(04)(b)"/>
             <p>provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;</p>
+            <link rel="assessment-for" href="#cp-8.4_smt.b"/>
           </part>
           <part id="cp-8.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-08(04)(c)"/>
             <part id="cp-8.4_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(04)(c)[01]"/>
               <p>evidence of contingency testing by providers is obtained <insert type="param" id-ref="cp-08.04_odp.01"/>.</p>
+              <link rel="assessment-for" href="#cp-8.4_smt.c"/>
             </part>
             <part id="cp-8.4_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="CP-08(04)(c)[02]"/>
               <p>evidence of contingency training by providers is obtained <insert type="param" id-ref="cp-08.04_odp.02"/>.</p>
+              <link rel="assessment-for" href="#cp-8.4_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#cp-8.4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#cp-8.4_smt"/>
         </part>
         <part id="cp-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -25931,6 +27088,7 @@
         <part id="cp-8.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-08(05)"/>
           <p>alternate telecommunications services are tested <insert type="param" id-ref="cp-08.05_odp"/>.</p>
+          <link rel="assessment-for" href="#cp-8.5_smt"/>
         </part>
         <part id="cp-8.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26045,30 +27203,38 @@
         <part id="cp-9_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09a."/>
           <p>backups of user-level information contained in <insert type="param" id-ref="cp-09_odp.01"/> are conducted <insert type="param" id-ref="cp-09_odp.02"/>;</p>
+          <link rel="assessment-for" href="#cp-9_smt.a"/>
         </part>
         <part id="cp-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09b."/>
           <p>backups of system-level information contained in the system are conducted <insert type="param" id-ref="cp-09_odp.03"/>;</p>
+          <link rel="assessment-for" href="#cp-9_smt.b"/>
         </part>
         <part id="cp-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09c."/>
           <p>backups of system documentation, including security- and privacy-related documentation are conducted <insert type="param" id-ref="cp-09_odp.04"/>;</p>
+          <link rel="assessment-for" href="#cp-9_smt.c"/>
         </part>
         <part id="cp-9_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09d."/>
           <part id="cp-9_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09d.[01]"/>
             <p>the confidentiality of backup information is protected;</p>
+            <link rel="assessment-for" href="#cp-9_smt.d"/>
           </part>
           <part id="cp-9_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09d.[02]"/>
             <p>the integrity of backup information is protected;</p>
+            <link rel="assessment-for" href="#cp-9_smt.d"/>
           </part>
           <part id="cp-9_obj.d-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09d.[03]"/>
             <p>the availability of backup information is protected.</p>
+            <link rel="assessment-for" href="#cp-9_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#cp-9_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#cp-9_smt"/>
       </part>
       <part id="cp-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26138,11 +27304,14 @@
           <part id="cp-9.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(01)[01]"/>
             <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.01"/> to verify media reliability;</p>
+            <link rel="assessment-for" href="#cp-9.1_smt"/>
           </part>
           <part id="cp-9.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(01)[02]"/>
             <p>backup information is tested <insert type="param" id-ref="cp-09.01_odp.02"/> to verify information integrity.</p>
+            <link rel="assessment-for" href="#cp-9.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-9.1_smt"/>
         </part>
         <part id="cp-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26192,6 +27361,7 @@
         <part id="cp-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09(02)"/>
           <p>a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.</p>
+          <link rel="assessment-for" href="#cp-9.2_smt"/>
         </part>
         <part id="cp-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26252,6 +27422,7 @@
         <part id="cp-9.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09(03)"/>
           <p>backup copies of <insert type="param" id-ref="cp-09.03_odp"/> are stored in a separate facility or in a fire rated container that is not collocated with the operational system.</p>
+          <link rel="assessment-for" href="#cp-9.3_smt"/>
         </part>
         <part id="cp-9.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26326,11 +27497,14 @@
           <part id="cp-9.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(05)[01]"/>
             <p>system backup information is transferred to the alternate storage site for <insert type="param" id-ref="cp-09.05_odp.01"/>;</p>
+            <link rel="assessment-for" href="#cp-9.5_smt"/>
           </part>
           <part id="cp-9.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(05)[02]"/>
             <p>system backup information is transferred to the alternate storage site <insert type="param" id-ref="cp-09.05_odp.02"/>.</p>
+            <link rel="assessment-for" href="#cp-9.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-9.5_smt"/>
         </part>
         <part id="cp-9.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26383,11 +27557,14 @@
           <part id="cp-9.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(06)[01]"/>
             <p>system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;</p>
+            <link rel="assessment-for" href="#cp-9.6_smt"/>
           </part>
           <part id="cp-9.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="CP-09(06)[02]"/>
             <p>system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.</p>
+            <link rel="assessment-for" href="#cp-9.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#cp-9.6_smt"/>
         </part>
         <part id="cp-9.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26451,6 +27628,7 @@
         <part id="cp-9.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09(07)"/>
           <p>dual authorization for the deletion or destruction of <insert type="param" id-ref="cp-09.07_odp"/> is enforced.</p>
+          <link rel="assessment-for" href="#cp-9.7_smt"/>
         </part>
         <part id="cp-9.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26511,6 +27689,7 @@
         <part id="cp-9.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-09(08)"/>
           <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of <insert type="param" id-ref="cp-09.08_odp"/>.</p>
+          <link rel="assessment-for" href="#cp-9.8_smt"/>
         </part>
         <part id="cp-9.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26588,11 +27767,14 @@
         <part id="cp-10_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-10[01]"/>
           <p>the recovery of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.01"/> after a disruption, compromise, or failure;</p>
+          <link rel="assessment-for" href="#cp-10_smt"/>
         </part>
         <part id="cp-10_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-10[02]"/>
           <p>a reconstitution of the system to a known state is provided within <insert type="param" id-ref="cp-10_odp.02"/> after a disruption, compromise, or failure.</p>
+          <link rel="assessment-for" href="#cp-10_smt"/>
         </part>
+        <link rel="assessment-for" href="#cp-10_smt"/>
       </part>
       <part id="cp-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26650,6 +27832,7 @@
         <part id="cp-10.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-10(02)"/>
           <p>transaction recovery is implemented for systems that are transaction-based.</p>
+          <link rel="assessment-for" href="#cp-10.2_smt"/>
         </part>
         <part id="cp-10.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26720,6 +27903,7 @@
         <part id="cp-10.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-10(04)"/>
           <p>the capability to restore system components within <insert type="param" id-ref="cp-10.04_odp"/> from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.</p>
+          <link rel="assessment-for" href="#cp-10.4_smt"/>
         </part>
         <part id="cp-10.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26783,6 +27967,7 @@
         <part id="cp-10.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="CP-10(06)"/>
           <p>system components used for recovery and reconstitution are protected.</p>
+          <link rel="assessment-for" href="#cp-10.6_smt"/>
         </part>
         <part id="cp-10.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26845,6 +28030,7 @@
       <part id="cp-11_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CP-11"/>
         <p>the capability to employ <insert type="param" id-ref="cp-11_odp"/> are provided in support of maintaining continuity of operations.</p>
+        <link rel="assessment-for" href="#cp-11_smt"/>
       </part>
       <part id="cp-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26918,6 +28104,7 @@
       <part id="cp-12_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CP-12"/>
         <p>a safe mode of operation is entered with <insert type="param" id-ref="cp-12_odp.01"/> when <insert type="param" id-ref="cp-12_odp.02"/> are detected.</p>
+        <link rel="assessment-for" href="#cp-12_smt"/>
       </part>
       <part id="cp-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -26991,6 +28178,7 @@
       <part id="cp-13_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="CP-13"/>
         <p><insert type="param" id-ref="cp-13_odp.01"/> are employed for satisfying <insert type="param" id-ref="cp-13_odp.02"/> when the primary means of implementing the security function is unavailable or compromised.</p>
+        <link rel="assessment-for" href="#cp-13_smt"/>
       </part>
       <part id="cp-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27165,18 +28353,22 @@
           <part id="ia-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01a.[01]"/>
             <p>an identification and authentication policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ia-1_smt.a"/>
           </part>
           <part id="ia-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01a.[02]"/>
             <p>the identification and authentication policy is disseminated to <insert type="param" id-ref="ia-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-1_smt.a"/>
           </part>
           <part id="ia-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01a.[03]"/>
             <p>identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ia-1_smt.a"/>
           </part>
           <part id="ia-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01a.[04]"/>
             <p>the identification and authentication procedures are disseminated to <insert type="param" id-ref="ia-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ia-1_smt.a"/>
           </part>
           <part id="ia-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01a.01"/>
@@ -27185,41 +28377,53 @@
               <part id="ia-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses scope;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses roles;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
               <part id="ia-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IA-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ia-1_smt.a.1.a"/>
             </part>
             <part id="ia-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ia-01_odp.03"/> identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ia-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ia-1_smt.a"/>
         </part>
         <part id="ia-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-01b."/>
           <p>the <insert type="param" id-ref="ia-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;</p>
+          <link rel="assessment-for" href="#ia-1_smt.b"/>
         </part>
         <part id="ia-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-01c."/>
@@ -27228,24 +28432,32 @@
             <part id="ia-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-01c.01[01]"/>
               <p>the current identification and authentication policy is reviewed and updated <insert type="param" id-ref="ia-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ia-1_smt.c.1"/>
             </part>
             <part id="ia-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-01c.01[02]"/>
               <p>the current identification and authentication policy is reviewed and updated following <insert type="param" id-ref="ia-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ia-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt.c.1"/>
           </part>
           <part id="ia-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-01c.02"/>
             <part id="ia-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-01c.02[01]"/>
               <p>the current identification and authentication procedures are reviewed and updated <insert type="param" id-ref="ia-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ia-1_smt.c.2"/>
             </part>
             <part id="ia-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-01c.02[02]"/>
               <p>the current identification and authentication procedures are reviewed and updated following <insert type="param" id-ref="ia-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ia-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ia-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ia-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ia-1_smt"/>
       </part>
       <part id="ia-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27303,6 +28515,7 @@
       <link rel="related" href="#ia-4"/>
       <link rel="related" href="#ia-5"/>
       <link rel="related" href="#ia-8"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#ma-4"/>
       <link rel="related" href="#ma-5"/>
       <link rel="related" href="#pe-2"/>
@@ -27322,11 +28535,14 @@
         <part id="ia-2_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02[01]"/>
           <p>organizational users are uniquely identified and authenticated;</p>
+          <link rel="assessment-for" href="#ia-2_smt"/>
         </part>
         <part id="ia-2_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02[02]"/>
           <p>the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.</p>
+          <link rel="assessment-for" href="#ia-2_smt"/>
         </part>
+        <link rel="assessment-for" href="#ia-2_smt"/>
       </part>
       <part id="ia-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27378,6 +28594,7 @@
         <part id="ia-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(01)"/>
           <p>multi-factor authentication is implemented for access to privileged accounts.</p>
+          <link rel="assessment-for" href="#ia-2.1_smt"/>
         </part>
         <part id="ia-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27429,6 +28646,7 @@
         <part id="ia-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(02)"/>
           <p>multi-factor authentication for access to non-privileged accounts is implemented.</p>
+          <link rel="assessment-for" href="#ia-2.2_smt"/>
         </part>
         <part id="ia-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27496,6 +28714,7 @@
         <part id="ia-2.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(05)"/>
           <p>users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.</p>
+          <link rel="assessment-for" href="#ia-2.5_smt"/>
         </part>
         <part id="ia-2.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27582,11 +28801,14 @@
           <part id="ia-2.6_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-02(06)(a)"/>
             <p>multi-factor authentication is implemented for <insert type="param" id-ref="ia-02.06_odp.01"/> access to <insert type="param" id-ref="ia-02.06_odp.02"/> such that one of the factors is provided by a device separate from the system gaining access;</p>
+            <link rel="assessment-for" href="#ia-2.6_smt.a"/>
           </part>
           <part id="ia-2.6_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-02(06)(b)"/>
             <p>multi-factor authentication is implemented for <insert type="param" id-ref="ia-02.06_odp.01"/> access to <insert type="param" id-ref="ia-02.06_odp.02"/> such that the device meets <insert type="param" id-ref="ia-02.06_odp.03"/>.</p>
+            <link rel="assessment-for" href="#ia-2.6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ia-2.6_smt"/>
         </part>
         <part id="ia-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27653,6 +28875,7 @@
         <part id="ia-2.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(08)"/>
           <p>replay-resistant authentication mechanisms for access to <insert type="param" id-ref="ia-02.08_odp"/> are implemented.</p>
+          <link rel="assessment-for" href="#ia-2.8_smt"/>
         </part>
         <part id="ia-2.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27720,6 +28943,7 @@
         <part id="ia-2.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(10)"/>
           <p>a single sign-on capability is provided for <insert type="param" id-ref="ia-02.10_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-2.10_smt"/>
         </part>
         <part id="ia-2.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27780,6 +29004,7 @@
         <part id="ia-2.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(12)"/>
           <p>Personal Identity Verification-compliant credentials are accepted and electronically verified.</p>
+          <link rel="assessment-for" href="#ia-2.12_smt"/>
         </part>
         <part id="ia-2.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27851,6 +29076,7 @@
         <part id="ia-2.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-02(13)"/>
           <p><insert type="param" id-ref="ia-02.13_odp.01"/> mechanisms are implemented under <insert type="param" id-ref="ia-02.13_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ia-2.13_smt"/>
         </part>
         <part id="ia-2.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27919,6 +29145,7 @@
       <link rel="related" href="#ia-5"/>
       <link rel="related" href="#ia-9"/>
       <link rel="related" href="#ia-11"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#si-4"/>
       <part name="statement" id="ia-3_smt">
         <p>Uniquely identify and authenticate <insert type="param" id-ref="ia-03_odp.01"/> before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
@@ -27929,6 +29156,7 @@
       <part id="ia-3_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-03"/>
         <p><insert type="param" id-ref="ia-03_odp.01"/> are uniquely identified and authenticated before establishing a <insert type="param" id-ref="ia-03_odp.02"/> connection.</p>
+        <link rel="assessment-for" href="#ia-3_smt"/>
       </part>
       <part id="ia-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -27997,6 +29225,7 @@
         <part id="ia-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-03(01)"/>
           <p><insert type="param" id-ref="ia-03.01_odp.01"/> are authenticated before establishing <insert type="param" id-ref="ia-03.01_odp.02"/> connection using bidirectional authentication that is cryptographically based.</p>
+          <link rel="assessment-for" href="#ia-3.1_smt"/>
         </part>
         <part id="ia-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28086,16 +29315,21 @@
             <part id="ia-3.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-03(03)(a)[01]"/>
               <p>dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with <insert type="param" id-ref="ia-03.03_odp.01"/>;</p>
+              <link rel="assessment-for" href="#ia-3.3_smt.a"/>
             </part>
             <part id="ia-3.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-03(03)(a)[02]"/>
               <p>dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with <insert type="param" id-ref="ia-03.03_odp.02"/>;</p>
+              <link rel="assessment-for" href="#ia-3.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ia-3.3_smt.a"/>
           </part>
           <part id="ia-3.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-03(03)(b)"/>
             <p>lease information is audited when assigned to a device.</p>
+            <link rel="assessment-for" href="#ia-3.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ia-3.3_smt"/>
         </part>
         <part id="ia-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28159,6 +29393,7 @@
         <part id="ia-3.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-03(04)"/>
           <p>device identification and authentication are handled based on attestation by <insert type="param" id-ref="ia-03.04_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-3.4_smt"/>
         </part>
         <part id="ia-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28267,19 +29502,24 @@
         <part id="ia-4_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04a."/>
           <p>system identifiers are managed by receiving authorization from <insert type="param" id-ref="ia-04_odp.01"/> to assign to an individual, group, role, or device identifier;</p>
+          <link rel="assessment-for" href="#ia-4_smt.a"/>
         </part>
         <part id="ia-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04b."/>
           <p>system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;</p>
+          <link rel="assessment-for" href="#ia-4_smt.b"/>
         </part>
         <part id="ia-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04c."/>
           <p>system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;</p>
+          <link rel="assessment-for" href="#ia-4_smt.c"/>
         </part>
         <part id="ia-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04d."/>
           <p>system identifiers are managed by preventing reuse of identifiers for <insert type="param" id-ref="ia-04_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ia-4_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#ia-4_smt"/>
       </part>
       <part id="ia-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28331,6 +29571,7 @@
         <part id="ia-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(01)"/>
           <p>the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.</p>
+          <link rel="assessment-for" href="#ia-4.1_smt"/>
         </part>
         <part id="ia-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28404,6 +29645,7 @@
         <part id="ia-4.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(04)"/>
           <p>individual identifiers are managed by uniquely identifying each individual as <insert type="param" id-ref="ia-04.04_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-4.4_smt"/>
         </part>
         <part id="ia-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28459,6 +29701,7 @@
         <part id="ia-4.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(05)"/>
           <p>individual identifiers are dynamically managed in accordance with <insert type="param" id-ref="ia-04.05_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-4.5_smt"/>
         </part>
         <part id="ia-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28519,6 +29762,7 @@
         <part id="ia-4.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(06)"/>
           <p>cross-organization management of identifiers is coordinated with <insert type="param" id-ref="ia-04.06_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-4.6_smt"/>
         </part>
         <part id="ia-4.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28572,6 +29816,7 @@
         <part id="ia-4.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(08)"/>
           <p>pairwise pseudonymous identifiers are generated.</p>
+          <link rel="assessment-for" href="#ia-4.8_smt"/>
         </part>
         <part id="ia-4.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28628,6 +29873,7 @@
         <part id="ia-4.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-04(09)"/>
           <p>the attributes for each uniquely identified individual, device, or service are maintained in <insert type="param" id-ref="ia-04.09_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-4.9_smt"/>
         </part>
         <part id="ia-4.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28757,46 +30003,58 @@
         <part id="ia-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05a."/>
           <p>system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;</p>
+          <link rel="assessment-for" href="#ia-5_smt.a"/>
         </part>
         <part id="ia-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05b."/>
           <p>system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;</p>
+          <link rel="assessment-for" href="#ia-5_smt.b"/>
         </part>
         <part id="ia-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05c."/>
           <p>system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;</p>
+          <link rel="assessment-for" href="#ia-5_smt.c"/>
         </part>
         <part id="ia-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05d."/>
           <p>system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;</p>
+          <link rel="assessment-for" href="#ia-5_smt.d"/>
         </part>
         <part id="ia-5_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05e."/>
           <p>system authenticators are managed through the change of default authenticators prior to first use;</p>
+          <link rel="assessment-for" href="#ia-5_smt.e"/>
         </part>
         <part id="ia-5_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05f."/>
           <p>system authenticators are managed through the change or refreshment of authenticators <insert type="param" id-ref="ia-05_odp.01"/> or when <insert type="param" id-ref="ia-05_odp.02"/> occur;</p>
+          <link rel="assessment-for" href="#ia-5_smt.f"/>
         </part>
         <part id="ia-5_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05g."/>
           <p>system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;</p>
+          <link rel="assessment-for" href="#ia-5_smt.g"/>
         </part>
         <part id="ia-5_obj.h" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05h."/>
           <part id="ia-5_obj.h-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05h.[01]"/>
             <p>system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;</p>
+            <link rel="assessment-for" href="#ia-5_smt.h"/>
           </part>
           <part id="ia-5_obj.h-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05h.[02]"/>
             <p>system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;</p>
+            <link rel="assessment-for" href="#ia-5_smt.h"/>
           </part>
+          <link rel="assessment-for" href="#ia-5_smt.h"/>
         </part>
         <part id="ia-5_obj.i" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05i."/>
           <p>system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.</p>
+          <link rel="assessment-for" href="#ia-5_smt.i"/>
         </part>
+        <link rel="assessment-for" href="#ia-5_smt"/>
       </part>
       <part id="ia-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -28897,35 +30155,44 @@
           <part id="ia-5.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(a)"/>
             <p>for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated <insert type="param" id-ref="ia-05.01_odp.01"/> and when organizational passwords are suspected to have been compromised directly or indirectly;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.a"/>
           </part>
           <part id="ia-5.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(b)"/>
             <p>for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.b"/>
           </part>
           <part id="ia-5.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(c)"/>
             <p>for password-based authentication, passwords are only transmitted over cryptographically protected channels;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.c"/>
           </part>
           <part id="ia-5.1_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(d)"/>
             <p>for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.d"/>
           </part>
           <part id="ia-5.1_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(e)"/>
             <p>for password-based authentication, immediate selection of a new password is required upon account recovery;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.e"/>
           </part>
           <part id="ia-5.1_obj.f" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(f)"/>
             <p>for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.f"/>
           </part>
           <part id="ia-5.1_obj.g" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(g)"/>
             <p>for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.g"/>
           </part>
           <part id="ia-5.1_obj.h" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(01)(h)"/>
             <p>for password-based authentication, <insert type="param" id-ref="ia-05.01_odp.02"/> are enforced.</p>
+            <link rel="assessment-for" href="#ia-5.1_smt.h"/>
           </part>
+          <link rel="assessment-for" href="#ia-5.1_smt"/>
         </part>
         <part id="ia-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29004,23 +30271,30 @@
             <part id="ia-5.2_obj.a.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-05(02)(a)(01)"/>
               <p>authorized access to the corresponding private key is enforced for public key-based authentication;</p>
+              <link rel="assessment-for" href="#ia-5.2_smt.a.1"/>
             </part>
             <part id="ia-5.2_obj.a.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-05(02)(a)(02)"/>
               <p>the authenticated identity is mapped to the account of the individual or group for public key-based authentication;</p>
+              <link rel="assessment-for" href="#ia-5.2_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#ia-5.2_smt.a"/>
           </part>
           <part id="ia-5.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(02)(b)"/>
             <part id="ia-5.2_obj.b.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-05(02)(b)(01)"/>
               <p>when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;</p>
+              <link rel="assessment-for" href="#ia-5.2_smt.b.1"/>
             </part>
             <part id="ia-5.2_obj.b.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-05(02)(b)(02)"/>
               <p>when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.</p>
+              <link rel="assessment-for" href="#ia-5.2_smt.b.2"/>
             </part>
+            <link rel="assessment-for" href="#ia-5.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ia-5.2_smt"/>
         </part>
         <part id="ia-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29086,6 +30360,7 @@
         <part id="ia-5.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(05)"/>
           <p>developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.</p>
+          <link rel="assessment-for" href="#ia-5.5_smt"/>
         </part>
         <part id="ia-5.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29135,6 +30410,7 @@
         <part id="ia-5.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(06)"/>
           <p>authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.</p>
+          <link rel="assessment-for" href="#ia-5.6_smt"/>
         </part>
         <part id="ia-5.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29184,6 +30460,7 @@
         <part id="ia-5.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(07)"/>
           <p>unencrypted static authenticators are not embedded in applications or other forms of static storage.</p>
+          <link rel="assessment-for" href="#ia-5.7_smt"/>
         </part>
         <part id="ia-5.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29243,6 +30520,7 @@
         <part id="ia-5.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(08)"/>
           <p><insert type="param" id-ref="ia-05.08_odp"/> are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.</p>
+          <link rel="assessment-for" href="#ia-5.8_smt"/>
         </part>
         <part id="ia-5.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29299,6 +30577,7 @@
         <part id="ia-5.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(09)"/>
           <p><insert type="param" id-ref="ia-05.09_odp"/> are used to federate credentials.</p>
+          <link rel="assessment-for" href="#ia-5.9_smt"/>
         </part>
         <part id="ia-5.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29355,6 +30634,7 @@
         <part id="ia-5.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(10)"/>
           <p>identities and authenticators are dynamically bound using <insert type="param" id-ref="ia-05.10_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-5.10_smt"/>
         </part>
         <part id="ia-5.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29422,6 +30702,7 @@
         <part id="ia-5.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(12)"/>
           <p>mechanisms that satisfy <insert type="param" id-ref="ia-05.12_odp"/> are employed for biometric-based authentication.</p>
+          <link rel="assessment-for" href="#ia-5.12_smt"/>
         </part>
         <part id="ia-5.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29480,6 +30761,7 @@
         <part id="ia-5.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(13)"/>
           <p>the use of cached authenticators is prohibited after <insert type="param" id-ref="ia-05.13_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-5.13_smt"/>
         </part>
         <part id="ia-5.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29528,6 +30810,7 @@
         <part id="ia-5.14_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(14)"/>
           <p>an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.</p>
+          <link rel="assessment-for" href="#ia-5.14_smt"/>
         </part>
         <part id="ia-5.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29579,6 +30862,7 @@
         <part id="ia-5.15_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(15)"/>
           <p>only General Services Administration-approved products and services are used for identity, credential, and access management.</p>
+          <link rel="assessment-for" href="#ia-5.15_smt"/>
         </part>
         <part id="ia-5.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29661,6 +30945,7 @@
         <part id="ia-5.16_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(16)"/>
           <p>the issuance of <insert type="param" id-ref="ia-05.16_odp.01"/> is required to be conducted <insert type="param" id-ref="ia-05.16_odp.02"/> before <insert type="param" id-ref="ia-05.16_odp.03"/> with authorization by <insert type="param" id-ref="ia-05.16_odp.04"/>.</p>
+          <link rel="assessment-for" href="#ia-5.16_smt"/>
         </part>
         <part id="ia-5.16_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29711,6 +30996,7 @@
         <part id="ia-5.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-05(17)"/>
           <p>presentation attack detection mechanisms are employed for biometric-based authentication.</p>
+          <link rel="assessment-for" href="#ia-5.17_smt"/>
         </part>
         <part id="ia-5.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29785,11 +31071,14 @@
           <part id="ia-5.18_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(18)(a)"/>
             <p><insert type="param" id-ref="ia-05.18_odp.01"/> are employed to generate and manage passwords;</p>
+            <link rel="assessment-for" href="#ia-5.18_smt.a"/>
           </part>
           <part id="ia-5.18_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-05(18)(b)"/>
             <p>the passwords are protected using <insert type="param" id-ref="ia-05.18_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ia-5.18_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ia-5.18_smt"/>
         </part>
         <part id="ia-5.18_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29840,6 +31129,7 @@
       <part id="ia-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-06"/>
         <p>the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.</p>
+        <link rel="assessment-for" href="#ia-6_smt"/>
       </part>
       <part id="ia-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29892,6 +31182,7 @@
       <part id="ia-7_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-07"/>
         <p>mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.</p>
+        <link rel="assessment-for" href="#ia-7_smt"/>
       </part>
       <part id="ia-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -29948,6 +31239,7 @@
       <link rel="related" href="#ia-5"/>
       <link rel="related" href="#ia-10"/>
       <link rel="related" href="#ia-11"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#ma-4"/>
       <link rel="related" href="#ra-3"/>
       <link rel="related" href="#sa-4"/>
@@ -29961,6 +31253,7 @@
       <part id="ia-8_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-08"/>
         <p>non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.</p>
+        <link rel="assessment-for" href="#ia-8_smt"/>
       </part>
       <part id="ia-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30013,11 +31306,14 @@
           <part id="ia-8.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(01)[01]"/>
             <p>Personal Identity Verification-compliant credentials from other federal agencies are accepted;</p>
+            <link rel="assessment-for" href="#ia-8.1_smt"/>
           </part>
           <part id="ia-8.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(01)[02]"/>
             <p>Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.</p>
+            <link rel="assessment-for" href="#ia-8.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ia-8.1_smt"/>
         </part>
         <part id="ia-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30080,18 +31376,23 @@
           <part id="ia-8.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(02)(a)"/>
             <p>only external authenticators that are NIST-compliant are accepted;</p>
+            <link rel="assessment-for" href="#ia-8.2_smt.a"/>
           </part>
           <part id="ia-8.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(02)(b)"/>
             <part id="ia-8.2_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-08(02)(b)[01]"/>
               <p>a list of accepted external authenticators is documented;</p>
+              <link rel="assessment-for" href="#ia-8.2_smt.b"/>
             </part>
             <part id="ia-8.2_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IA-08(02)(b)[02]"/>
               <p>a list of accepted external authenticators is maintained.</p>
+              <link rel="assessment-for" href="#ia-8.2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ia-8.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ia-8.2_smt"/>
         </part>
         <part id="ia-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30162,6 +31463,7 @@
         <part id="ia-8.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-08(04)"/>
           <p>there is conformance with <insert type="param" id-ref="ia-08.04_odp"/> for identity management.</p>
+          <link rel="assessment-for" href="#ia-8.4_smt"/>
         </part>
         <part id="ia-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30221,11 +31523,14 @@
           <part id="ia-8.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(05)[01]"/>
             <p>federated or PKI credentials that meet <insert type="param" id-ref="ia-08.05_odp"/> are accepted;</p>
+            <link rel="assessment-for" href="#ia-8.5_smt"/>
           </part>
           <part id="ia-8.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-08(05)[02]"/>
             <p>federated or PKI credentials that meet <insert type="param" id-ref="ia-08.05_odp"/> are verified.</p>
+            <link rel="assessment-for" href="#ia-8.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#ia-8.5_smt"/>
         </part>
         <part id="ia-8.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30287,6 +31592,7 @@
         <part id="ia-8.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-08(06)"/>
           <p><insert type="param" id-ref="ia-08.06_odp"/> to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.</p>
+          <link rel="assessment-for" href="#ia-8.6_smt"/>
         </part>
         <part id="ia-8.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30340,6 +31646,7 @@
       <link rel="related" href="#ia-3"/>
       <link rel="related" href="#ia-4"/>
       <link rel="related" href="#ia-5"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#sc-8"/>
       <part name="statement" id="ia-9_smt">
         <p>Uniquely identify and authenticate <insert type="param" id-ref="ia-09_odp"/> before establishing communications with devices, users, or other services or applications.</p>
@@ -30350,6 +31657,7 @@
       <part id="ia-9_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-09"/>
         <p><insert type="param" id-ref="ia-09_odp"/> are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.</p>
+        <link rel="assessment-for" href="#ia-9_smt"/>
       </part>
       <part id="ia-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30434,6 +31742,7 @@
       <part id="ia-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-10"/>
         <p>individuals accessing the system are required to employ <insert type="param" id-ref="ia-10_odp.01"/> under specific <insert type="param" id-ref="ia-10_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ia-10_smt"/>
       </part>
       <part id="ia-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30499,6 +31808,7 @@
       <part id="ia-11_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IA-11"/>
         <p>users are required to re-authenticate when <insert type="param" id-ref="ia-11_odp"/>.</p>
+        <link rel="assessment-for" href="#ia-11_smt"/>
       </part>
       <part id="ia-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30551,6 +31861,7 @@
       <link rel="related" href="#ia-5"/>
       <link rel="related" href="#ia-6"/>
       <link rel="related" href="#ia-8"/>
+      <link rel="related" href="#ia-13"/>
       <part name="statement" id="ia-12_smt">
         <part name="item" id="ia-12_smt.a">
           <prop name="label" value="a."/>
@@ -30573,26 +31884,33 @@
         <part id="ia-12_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12a."/>
           <p>users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;</p>
+          <link rel="assessment-for" href="#ia-12_smt.a"/>
         </part>
         <part id="ia-12_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12b."/>
           <p>user identities are resolved to a unique individual;</p>
+          <link rel="assessment-for" href="#ia-12_smt.b"/>
         </part>
         <part id="ia-12_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12c."/>
           <part id="ia-12_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-12c.[01]"/>
             <p>identity evidence is collected;</p>
+            <link rel="assessment-for" href="#ia-12_smt.c"/>
           </part>
           <part id="ia-12_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-12c.[02]"/>
             <p>identity evidence is validated;</p>
+            <link rel="assessment-for" href="#ia-12_smt.c"/>
           </part>
           <part id="ia-12_obj.c-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IA-12c.[03]"/>
             <p>identity evidence is verified.</p>
+            <link rel="assessment-for" href="#ia-12_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ia-12_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ia-12_smt"/>
       </part>
       <part id="ia-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30640,6 +31958,7 @@
         <part id="ia-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(01)"/>
           <p>the registration process to receive an account for logical access includes supervisor or sponsor authorization.</p>
+          <link rel="assessment-for" href="#ia-12.1_smt"/>
         </part>
         <part id="ia-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30686,6 +32005,7 @@
         <part id="ia-12.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(02)"/>
           <p>evidence of individual identification is presented to the registration authority.</p>
+          <link rel="assessment-for" href="#ia-12.2_smt"/>
         </part>
         <part id="ia-12.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30741,6 +32061,7 @@
         <part id="ia-12.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(03)"/>
           <p>the presented identity evidence is validated and verified through <insert type="param" id-ref="ia-12.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-12.3_smt"/>
         </part>
         <part id="ia-12.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30787,6 +32108,7 @@
         <part id="ia-12.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(04)"/>
           <p>the validation and verification of identity evidence is conducted in person before a designated registration authority.</p>
+          <link rel="assessment-for" href="#ia-12.4_smt"/>
         </part>
         <part id="ia-12.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30842,6 +32164,7 @@
         <part id="ia-12.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(05)"/>
           <p>a <insert type="param" id-ref="ia-12.05_odp"/> is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.</p>
+          <link rel="assessment-for" href="#ia-12.5_smt"/>
         </part>
         <part id="ia-12.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30900,6 +32223,7 @@
         <part id="ia-12.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IA-12(06)"/>
           <p>externally proofed identities are accepted <insert type="param" id-ref="ia-12.06_odp"/>.</p>
+          <link rel="assessment-for" href="#ia-12.6_smt"/>
         </part>
         <part id="ia-12.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -30931,6 +32255,375 @@
         </part>
       </control>
     </control>
+    <control class="SP800-53" id="ia-13">
+      <title>Identity Providers and Authorization Servers</title>
+      <param id="ia-13_prm_1">
+        <prop name="aggregates" ns="http://csrc.nist.gov/ns/rmf" value="ia-13_odp.01"/>
+        <label>organization-defined identification and authentication policy</label>
+      </param>
+      <param id="ia-13_prm_2">
+        <prop name="aggregates" ns="http://csrc.nist.gov/ns/rmf" value="ia-13_odp.02"/>
+        <label>organization-defined mechanisms</label>
+      </param>      
+      <param id="ia-13_odp.01">
+        <prop name="label" class="sp800-53a" value="IA-13_ODP[01]"/>
+        <label>policy</label>
+        <guideline>
+          <p>identification and authentication policy is defined;</p>
+        </guideline>
+      </param>
+      <param id="ia-13_odp.02">
+        <prop name="label" class="sp800-53a" value="IA-13_ODP[02]"/>
+        <label>mechanisms</label>
+        <guideline>
+          <p>mechanisms supporting authentication and authorization decisions are defined;</p>
+        </guideline>
+      </param>
+      <prop name="label" value="IA-13"/>
+      <prop name="label" class="sp800-53a" value="IA-13"/>
+      <prop name="sort-id" value="ia-13"/>
+      <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
+      <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
+      <link rel="related" href="#ac-3"/>
+      <link rel="related" href="#ia-2"/>
+      <link rel="related" href="#ia-3"/>
+      <link rel="related" href="#ia-8"/>
+      <link rel="related" href="#ia-9"/>
+      <link rel="related" href="#ia-12"/>
+      <part name="statement" id="ia-13_smt">
+        <p>Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with <insert type="param" id-ref="ia-13_prm_1"/> using <insert type="param" id-ref="ia-13_prm_2"/>.</p>
+      </part>
+      <part name="guidance" id="ia-13_gdn">
+        <p>Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.</p>
+      </part>      
+      <part id="ia-13_obj" name="assessment-objective">
+        <prop name="label" class="sp800-53a" value="IA-13"/>
+        <part id="ia-13_obj-1" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13[01]"/>
+          <p>identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with <insert type="param" id-ref="ia-13_odp.02"/> using <insert type="param" id-ref="ia-13_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ia-13_smt"/>
+        </part>
+        <part id="ia-13_obj-2" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13[02]"/>
+          <p>identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with <insert type="param" id-ref="ia-13_odp.02"/> using <insert type="param" id-ref="ia-13_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ia-13_smt"/>
+        </part>
+        <part id="ia-13_obj-3" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13[03]"/>
+          <p>authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with <insert type="param" id-ref="ia-13_odp.02"/> using <insert type="param" id-ref="ia-13_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ia-13_smt"/>
+        </part>
+        <part id="ia-13_obj-4" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13[04]"/>
+          <p>authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with <insert type="param" id-ref="ia-13_odp.02"/> using <insert type="param" id-ref="ia-13_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ia-13_smt"/>
+        </part>   
+      </part>
+      <part id="ia-13_asm-examine" name="assessment-method">
+        <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
+        <prop name="label" class="sp800-53a" value="IA-13-Examine"/>
+        <part name="assessment-objects">
+          <p> Identification and authentication policy;</p>
+          <p>procedures addressing user and device identification and authentication;</p>
+          <p>system security plan;</p>
+          <p>system design documentation;</p>
+          <p>system configuration settings and associated documentation;</p>
+          <p>other relevant documents or records</p>
+        </part>
+      </part>
+      <part id="ia-13_asm-interview" name="assessment-method">
+        <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="INTERVIEW"/>
+        <prop name="label" class="sp800-53a" value="IA-13-Interview"/>
+        <part name="assessment-objects">
+          <p>Organizational personnel with system operations responsibilities;</p>
+          <p>organizational personnel with information security responsibilities;</p>
+          <p>system/network administrators;</p>
+          <p>organizational personnel with account management responsibilities;</p>
+          <p>system developers</p>
+        </part>
+      </part>
+      <part id="ia-13_asm-test" name="assessment-method">
+        <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="TEST"/>
+        <prop name="label" class="sp800-53a" value="IA-13-Test"/>
+        <part name="assessment-objects">
+          <p>Mechanisms supporting and/or implementing identification and authentication capabilities and access rights</p>
+        </part>
+      </part>
+      <control class="SP800-53-enhancement" id="ia-13.1">
+        <title>Protection of Cryptographic Keys</title>
+        <prop name="label" value="IA-13(1)"/>
+        <prop name="label" class="sp800-53a" value="IA-13(01)"/>
+        <prop name="sort-id" value="ia-13.01"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
+        <link rel="required" href="#ia-13"/>
+        <link rel="related" href="#ia-13"/>
+        <link rel="related" href="#sc-12"/>
+        <link rel="related" href="#sc-13"/>
+        <part name="statement" id="ia-13.1_smt">
+          <p>Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.</p>
+        </part>
+        <part name="guidance" id="ia-13.1_gdn">
+          <p>Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. </p>
+        </part>
+        <part id="ia-13.1_obj" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13(01)"/>
+          <part id="ia-13.1_obj-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(01)[01]"/>
+            <p>cryptographic keys that protect access tokens are generated;</p>
+            <link rel="assessment-for" href="#ia-13.1_smt"/>
+          </part>
+          <part id="ia-13.1_obj-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(01)[02]"/>
+            <p>cryptographic keys that protect access tokens are managed;</p>
+            <link rel="assessment-for" href="#ia-13.1_smt"/>
+          </part>
+          <part id="ia-13.1_obj-3" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(01)[03]"/>
+            <p>cryptographic keys that protect access tokens are protected from disclosure; and</p>
+            <link rel="assessment-for" href="#ia-13.1_smt"/>
+          </part>
+          <part id="ia-13.1_obj-4" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(01)[04]"/>
+            <p>cryptographic keys that protect access tokens are protected from disclosure and misuse</p>
+            <link rel="assessment-for" href="#ia-13.1_smt"/>
+          </part>          
+        </part>
+        <part id="ia-13.1_asm-examine" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
+          <prop name="label" class="sp800-53a" value="IA-13(01)-Examine"/>
+          <part name="assessment-objects">
+            <p>Identification and authentication policy;</p>
+            <p>procedures addressing cryptographic key establishment and management;</p>
+            <p>system design documentation;</p>
+            <p>cryptographic mechanisms;</p>
+            <p>system configuration settings and associated documentation;</p>
+            <p>system security plan;</p>
+            <p>other relevant documents or records</p>
+          </part>
+        </part>
+        <part id="ia-13.1_asm-interview" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="INTERVIEW"/>
+          <prop name="label" class="sp800-53a" value="IA-13(01)-Interview"/>
+          <part name="assessment-objects">
+            <p>System/network administrators;</p>
+            <p>organizational personnel with information security responsibilities;</p>
+            <p>organizational personnel with responsibilities for cryptographic key establishment and/or management</p>
+          </part>
+        </part>
+        <part id="ia-13.1_asm-test" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="TEST"/>
+          <prop name="label" class="sp800-53a" value="IA-13(01)-Test"/>
+          <part name="assessment-objects">
+            <p>Organizational processes for cryptographic key management;</p>
+            <p>cryptographic modules generating, storing, and using cryptographic keys</p>
+          </part>
+        </part>        
+      </control>
+      <control class="SP800-53-enhancement" id="ia-13.2">
+        <title>Verification of Identity Assertions and Access Tokens</title>
+        <prop name="label" value="IA-13(2)"/>
+        <prop name="label" class="sp800-53a" value="IA-13(02)"/>
+        <prop name="sort-id" value="ia-13.02"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
+        <link rel="required" href="#ia-13"/>
+        <link rel="related" href="#ia-13"/>
+        <part name="statement" id="ia-13.2_smt">
+          <p>The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.</p>
+        </part>
+        <part name="guidance" id="ia-13.2_gdn">
+          <p>This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs.</p>
+        </part>
+        <part id="ia-13.2_obj" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13(02)"/>
+          <part id="ia-13.2_obj-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(02)[01]"/>
+            <p>the source of identity assertions is verified before granting access to system and information resources;</p>
+            <link rel="assessment-for" href="#ia-13.2_smt"/>
+          </part>
+          <part id="ia-13.2_obj-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(02)[02]"/>
+            <p>the source of access tokens is verified before granting access to system and information resources;</p>
+            <link rel="assessment-for" href="#ia-13.2_smt"/>
+          </part>
+          <part id="ia-13.2_obj-3" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(02)[03]"/>
+            <p>the integrity of identity assertions is verified before granting access to system and information resources;</p>
+            <link rel="assessment-for" href="#ia-13.2_smt"/>
+          </part>
+          <part id="ia-13.2_obj-4" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(02)[04]"/>
+            <p>the integrity of access tokens is verified before granting access to system and information resources</p>
+            <link rel="assessment-for" href="#ia-13.2_smt"/>
+          </part>
+        </part>
+        <part id="ia-13.2_asm-examine" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
+          <prop name="label" class="sp800-53a" value="IA-13(02)-Examine"/>
+          <part name="assessment-objects">
+            <p>Identification and authentication policy;</p>
+            <p>system security plan; system design documentation;</p>
+            <p>system configuration settings and associated documentation;</p>
+            <p>other relevant documents or records</p>
+          </part>
+        </part>
+        <part id="ia-13.2_asm-interview" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="INTERVIEW"/>
+          <prop name="label" class="sp800-53a" value="IA-13(02)-Interview"/>
+          <part name="assessment-objects">
+            <p>Organizational personnel with system operations responsibilities;</p>
+            <p>organizational personnel with information security responsibilities;</p>
+            <p>system/ network administrators;</p>
+            <p>organizational personnel with account management responsibilities;</p>
+            <p>system developers</p>
+          </part>
+        </part>
+        <part id="ia-13.2_asm-test" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="TEST"/>
+          <prop name="label" class="sp800-53a" value="IA-13(02)-Test"/>
+          <part name="assessment-objects">
+            <p>Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights</p>
+          </part>
+        </part>
+      </control>
+      <control class="SP800-53-enhancement" id="ia-13.3">
+        <title>Token Management</title>
+        <prop name="label" value="IA-13(3)"/>
+        <prop name="label" class="sp800-53a" value="IA-13(03)"/>
+        <prop name="sort-id" value="ia-13.03"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
+        <prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
+        <link rel="reference" href="#737513fa-6758-403f-831d-5ddab5e23cb3"/>
+        <link rel="reference" href="#ff989cdc-649d-4f45-8f61-9309c9680933"/>
+        <link rel="reference" href="#e9d6c5f2-b3aa-4a28-8bea-a0135718d453"/>
+        <link rel="required" href="#ia-13"/>
+        <link rel="related" href="#ia-13"/>
+        <part name="statement" id="ia-13.3_smt">
+          <p>In accordance with <insert type="param" id-ref="ia-13_prm_1"/>, assertions and access tokens are:</p>
+          <part name="item" id="ac-13.3_smt.a">
+            <prop name="label" value="(a)"/>
+            <p>generated;</p>
+          </part>
+          <part name="item" id="ac-13.3_smt.b">
+            <prop name="label" value="(b)"/>
+            <p>issued;</p>
+          </part>
+          <part name="item" id="ac-13.3_smt.c">
+            <prop name="label" value="(c)"/>
+            <p>refreshed;</p>
+          </part>
+          <part name="item" id="ac-13.3_smt.d">
+            <prop name="label" value="(d)"/>
+            <p>revoked;</p>
+          </part>
+          <part name="item" id="ac-13.3_smt.e">
+            <prop name="label" value="(e)"/>
+            <p>time-restricted; and</p>
+          </part>
+          <part name="item" id="ac-13.3_smt.f">
+            <prop name="label" value="(f)"/>
+            <p>audience-restricted.</p>
+          </part>          
+        </part>
+        <part name="guidance" id="ia-13.3_gdn">
+          <p>An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens.</p>
+        </part>
+        <part id="ia-13.3_obj" name="assessment-objective">
+          <prop name="label" class="sp800-53a" value="IA-13(03)"/>
+          <part id="ia-13.3_obj.a-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(a)[01]"/>
+            <p>assertions are generated in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.a"/>
+          </part>
+          <part id="ia-13.3_obj.a-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(a)[02]"/>
+            <p>access tokens are generated in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.a"/>
+          </part>
+          <part id="ia-13.3_obj.b-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(b)[01]"/>
+            <p>assertions are issued in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.b"/>
+          </part>
+          <part id="ia-13.3_obj.b-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(b)[02]"/>
+            <p>access tokens are issued in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.b"/>
+          </part>
+          <part id="ia-13.3_obj.c-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(c)[01]"/>
+            <p>assertions are refreshed in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.c"/>
+          </part>
+          <part id="ia-13.3_obj.c-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(c)[02]"/>
+            <p>access tokens are refreshed in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.c"/>
+          </part>
+          <part id="ia-13.3_obj.d-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(d)[01]"/>
+            <p>assertions are revoked in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.d"/>
+          </part>
+          <part id="ia-13.3_obj.d-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(d)[02]"/>
+            <p>access tokens are revoked in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.d"/>
+          </part>
+          <part id="ia-13.3_obj.e-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(e)[01]"/>
+            <p>assertions are time-restricted in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.e"/>
+          </part>
+          <part id="ia-13.3_obj.e-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(e)[02]"/>
+            <p>access tokens are time-restricted in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.e"/>
+          </part>
+          <part id="ia-13.3_obj.f-1" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(f)[01]"/>
+            <p>assertions are audience-restricted in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.f"/>
+          </part>
+          <part id="ia-13.3_obj.f-2" name="assessment-objective">
+            <prop name="label" class="sp800-53a" value="IA-13(03)(f)[02]"/>
+            <p>access tokens are audience-restricted in accordance with <insert type="param" id-ref="ia-13_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ia-13.3_smt.f"/>
+          </part>                           
+        </part>
+        <part id="ia-13.3_asm-examine" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
+          <prop name="label" class="sp800-53a" value="IA-13(03)-Examine"/>
+          <part name="assessment-objects">
+            <p>Identification and authentication policy;</p>
+            <p>access control policy;</p>
+            <p>procedures for assertion and token management;</p>
+            <p>system design documentation;</p>
+            <p>system configuration settings and associated documentation;</p>
+            <p>other relevant documents or records</p>
+          </part>
+        </part>
+        <part id="ia-13.3_asm-interview" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="INTERVIEW"/>
+          <prop name="label" class="sp800-53a" value="IA-13(03)-Interview"/>
+          <part name="assessment-objects">
+            <p>Organizational personnel with system operations responsibilities;</p>
+            <p>organizational personnel with information security responsibilities;</p>
+            <p>system/ network administrators;</p>
+            <p>organizational personnel with account management responsibilities;</p>
+            <p>system developers</p>
+          </part>
+        </part>
+        <part id="ia-13.3_asm-test" name="assessment-method">
+          <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="TEST"/>
+          <prop name="label" class="sp800-53a" value="IA-13(03)-Test"/>
+          <part name="assessment-objects">
+            <p>Mechanisms and software supporting and/or implementing token generation</p>
+          </part>
+        </part>        
+      </control>
+    </control>
   </group>
   <group class="family" id="ir">
     <title>Incident Response</title>
@@ -31068,18 +32761,22 @@
           <part id="ir-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01a.[01]"/>
             <p>an incident response policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ir-1_smt.a"/>
           </part>
           <part id="ir-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01a.[02]"/>
             <p>the incident response policy is disseminated to <insert type="param" id-ref="ir-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ir-1_smt.a"/>
           </part>
           <part id="ir-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01a.[03]"/>
             <p>incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ir-1_smt.a"/>
           </part>
           <part id="ir-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01a.[04]"/>
             <p>the incident response procedures are disseminated to <insert type="param" id-ref="ir-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ir-1_smt.a"/>
           </part>
           <part id="ir-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01a.01"/>
@@ -31088,41 +32785,53 @@
               <part id="ir-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses scope;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses roles;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
               <part id="ir-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="IR-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ir-1_smt.a.1.a"/>
             </part>
             <part id="ir-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ir-01_odp.03"/> incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ir-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ir-1_smt.a"/>
         </part>
         <part id="ir-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-01b."/>
           <p>the <insert type="param" id-ref="ir-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;</p>
+          <link rel="assessment-for" href="#ir-1_smt.b"/>
         </part>
         <part id="ir-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-01c."/>
@@ -31131,24 +32840,32 @@
             <part id="ir-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-01c.01[01]"/>
               <p>the current incident response policy is reviewed and updated <insert type="param" id-ref="ir-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ir-1_smt.c.1"/>
             </part>
             <part id="ir-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-01c.01[02]"/>
               <p>the current incident response policy is reviewed and updated following <insert type="param" id-ref="ir-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ir-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt.c.1"/>
           </part>
           <part id="ir-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-01c.02"/>
             <part id="ir-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-01c.02[01]"/>
               <p>the current incident response procedures are reviewed and updated <insert type="param" id-ref="ir-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ir-1_smt.c.2"/>
             </part>
             <part id="ir-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-01c.02[02]"/>
               <p>the current incident response procedures are reviewed and updated following <insert type="param" id-ref="ir-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ir-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ir-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ir-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ir-1_smt"/>
       </part>
       <part id="ir-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31250,27 +32967,35 @@
           <part id="ir-2_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02a.01"/>
             <p>incident response training is provided to system users consistent with assigned roles and responsibilities within <insert type="param" id-ref="ir-02_odp.01"/> of assuming an incident response role or responsibility or acquiring system access;</p>
+            <link rel="assessment-for" href="#ir-2_smt.a.1"/>
           </part>
           <part id="ir-2_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02a.02"/>
             <p>incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;</p>
+            <link rel="assessment-for" href="#ir-2_smt.a.2"/>
           </part>
           <part id="ir-2_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02a.03"/>
             <p>incident response training is provided to system users consistent with assigned roles and responsibilities <insert type="param" id-ref="ir-02_odp.02"/> thereafter;</p>
+            <link rel="assessment-for" href="#ir-2_smt.a.3"/>
           </part>
+          <link rel="assessment-for" href="#ir-2_smt.a"/>
         </part>
         <part id="ir-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-02b."/>
           <part id="ir-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02b.[01]"/>
             <p>incident response training content is reviewed and updated <insert type="param" id-ref="ir-02_odp.03"/>;</p>
+            <link rel="assessment-for" href="#ir-2_smt.b"/>
           </part>
           <part id="ir-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02b.[02]"/>
             <p>incident response training content is reviewed and updated following <insert type="param" id-ref="ir-02_odp.04"/>.</p>
+            <link rel="assessment-for" href="#ir-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ir-2_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ir-2_smt"/>
       </part>
       <part id="ir-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31313,6 +33038,7 @@
         <part id="ir-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-02(01)"/>
           <p>simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.</p>
+          <link rel="assessment-for" href="#ir-2.1_smt"/>
         </part>
         <part id="ir-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31369,6 +33095,7 @@
         <part id="ir-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-02(02)"/>
           <p>an incident response training environment is provided using <insert type="param" id-ref="ir-02.02_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-2.2_smt"/>
         </part>
         <part id="ir-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31420,11 +33147,14 @@
           <part id="ir-2.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02(03)[01]"/>
             <p>incident response training on how to identify and respond to a breach is provided;</p>
+            <link rel="assessment-for" href="#ir-2.3_smt"/>
           </part>
           <part id="ir-2.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-02(03)[02]"/>
             <p>incident response training on the organization’s process for reporting a breach is provided.</p>
+            <link rel="assessment-for" href="#ir-2.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-2.3_smt"/>
         </part>
         <part id="ir-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31495,6 +33225,7 @@
       <part id="ir-3_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="IR-03"/>
         <p>the effectiveness of the incident response capability for the system is tested <insert type="param" id-ref="ir-03_odp.01"/> using <insert type="param" id-ref="ir-03_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ir-3_smt"/>
       </part>
       <part id="ir-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31547,6 +33278,7 @@
         <part id="ir-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-03(01)"/>
           <p>the incident response capability is tested using <insert type="param" id-ref="ir-03.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-3.1_smt"/>
         </part>
         <part id="ir-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31599,6 +33331,7 @@
         <part id="ir-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-03(02)"/>
           <p>incident response testing is coordinated with organizational elements responsible for related plans.</p>
+          <link rel="assessment-for" href="#ir-3.2_smt"/>
         </part>
         <part id="ir-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31664,50 +33397,64 @@
             <part id="ir-3.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(a)[01]"/>
               <p>qualitative data from testing are used to determine the effectiveness of incident response processes;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.a"/>
             </part>
             <part id="ir-3.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(a)[02]"/>
               <p>quantitative data from testing are used to determine the effectiveness of incident response processes;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ir-3.3_smt.a"/>
           </part>
           <part id="ir-3.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-03(03)(b)"/>
             <part id="ir-3.3_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(b)[01]"/>
               <p>qualitative data from testing are used to continuously improve incident response processes;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.b"/>
             </part>
             <part id="ir-3.3_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(b)[02]"/>
               <p>quantitative data from testing are used to continuously improve incident response processes;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ir-3.3_smt.b"/>
           </part>
           <part id="ir-3.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-03(03)(c)"/>
             <part id="ir-3.3_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[01]"/>
               <p>qualitative data from testing are used to provide incident response measures and metrics that are accurate;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
             <part id="ir-3.3_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[02]"/>
               <p>quantitative data from testing are used to provide incident response measures and metrics that are accurate;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
             <part id="ir-3.3_obj.c-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[03]"/>
               <p>qualitative data from testing are used to provide incident response measures and metrics that are consistent;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
             <part id="ir-3.3_obj.c-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[04]"/>
               <p>quantitative data from testing are used to provide incident response measures and metrics that are consistent;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
             <part id="ir-3.3_obj.c-5" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[05]"/>
               <p>qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
             <part id="ir-3.3_obj.c-6" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="IR-03(03)(c)[06]"/>
               <p>quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.</p>
+              <link rel="assessment-for" href="#ir-3.3_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#ir-3.3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ir-3.3_smt"/>
         </part>
         <part id="ir-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31806,62 +33553,79 @@
           <part id="ir-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[01]"/>
             <p>an incident handling capability for incidents is implemented that is consistent with the incident response plan;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
           <part id="ir-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[02]"/>
             <p>the incident handling capability for incidents includes preparation;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
           <part id="ir-4_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[03]"/>
             <p>the incident handling capability for incidents includes detection and analysis;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
           <part id="ir-4_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[04]"/>
             <p>the incident handling capability for incidents includes containment;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
           <part id="ir-4_obj.a-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[05]"/>
             <p>the incident handling capability for incidents includes eradication;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
           <part id="ir-4_obj.a-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04a.[06]"/>
             <p>the incident handling capability for incidents includes recovery;</p>
+            <link rel="assessment-for" href="#ir-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ir-4_smt.a"/>
         </part>
         <part id="ir-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04b."/>
           <p>incident handling activities are coordinated with contingency planning activities;</p>
+          <link rel="assessment-for" href="#ir-4_smt.b"/>
         </part>
         <part id="ir-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04c."/>
           <part id="ir-4_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04c.[01]"/>
             <p>lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;</p>
+            <link rel="assessment-for" href="#ir-4_smt.c"/>
           </part>
           <part id="ir-4_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04c.[02]"/>
             <p>the changes resulting from the incorporated lessons learned are implemented accordingly;</p>
+            <link rel="assessment-for" href="#ir-4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ir-4_smt.c"/>
         </part>
         <part id="ir-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04d."/>
           <part id="ir-4_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04d.[01]"/>
             <p>the rigor of incident handling activities is comparable and predictable across the organization;</p>
+            <link rel="assessment-for" href="#ir-4_smt.d"/>
           </part>
           <part id="ir-4_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04d.[02]"/>
             <p>the intensity of incident handling activities is comparable and predictable across the organization;</p>
+            <link rel="assessment-for" href="#ir-4_smt.d"/>
           </part>
           <part id="ir-4_obj.d-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04d.[03]"/>
             <p>the scope of incident handling activities is comparable and predictable across the organization;</p>
+            <link rel="assessment-for" href="#ir-4_smt.d"/>
           </part>
           <part id="ir-4_obj.d-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04d.[04]"/>
             <p>the results of incident handling activities are comparable and predictable across the organization.</p>
+            <link rel="assessment-for" href="#ir-4_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ir-4_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#ir-4_smt"/>
       </part>
       <part id="ir-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31917,6 +33681,7 @@
         <part id="ir-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(01)"/>
           <p>the incident handling process is supported using <insert type="param" id-ref="ir-04.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-4.1_smt"/>
         </part>
         <part id="ir-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -31984,6 +33749,7 @@
         <part id="ir-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(02)"/>
           <p><insert type="param" id-ref="ir-04.02_odp.01"/> for <insert type="param" id-ref="ir-04.02_odp.02"/> are included as part of the incident response capability.</p>
+          <link rel="assessment-for" href="#ir-4.2_smt"/>
         </part>
         <part id="ir-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32052,11 +33818,14 @@
           <part id="ir-4.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(03)[01]"/>
             <p><insert type="param" id-ref="ir-04.03_odp.01"/> are identified;</p>
+            <link rel="assessment-for" href="#ir-4.3_smt"/>
           </part>
           <part id="ir-4.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(03)[02]"/>
             <p><insert type="param" id-ref="ir-04.03_odp.02"/> are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.</p>
+            <link rel="assessment-for" href="#ir-4.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.3_smt"/>
         </part>
         <part id="ir-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32104,6 +33873,7 @@
         <part id="ir-4.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(04)"/>
           <p>incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.</p>
+          <link rel="assessment-for" href="#ir-4.4_smt"/>
         </part>
         <part id="ir-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32171,6 +33941,7 @@
         <part id="ir-4.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(05)"/>
           <p>a configurable capability is implemented to automatically disable the system if <insert type="param" id-ref="ir-04.05_odp"/> are detected.</p>
+          <link rel="assessment-for" href="#ir-4.5_smt"/>
         </part>
         <part id="ir-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32221,6 +33992,7 @@
         <part id="ir-4.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(06)"/>
           <p>an incident handling capability is implemented for incidents involving insider threats.</p>
+          <link rel="assessment-for" href="#ir-4.6_smt"/>
         </part>
         <part id="ir-4.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32279,11 +34051,14 @@
           <part id="ir-4.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(07)[01]"/>
             <p>an incident handling capability is coordinated for insider threats;</p>
+            <link rel="assessment-for" href="#ir-4.7_smt"/>
           </part>
           <part id="ir-4.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(07)[02]"/>
             <p>the coordinated incident handling capability includes <insert type="param" id-ref="ir-04.07_odp"/>.</p>
+            <link rel="assessment-for" href="#ir-4.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.7_smt"/>
         </part>
         <part id="ir-4.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32350,6 +34125,7 @@
         <part id="ir-4.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(08)"/>
           <p>there is coordination with <insert type="param" id-ref="ir-04.08_odp.01"/> to correlate and share <insert type="param" id-ref="ir-04.08_odp.02"/> to achieve a cross-organization perspective on incident awareness and more effective incident responses.</p>
+          <link rel="assessment-for" href="#ir-4.8_smt"/>
         </part>
         <part id="ir-4.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32406,6 +34182,7 @@
         <part id="ir-4.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(09)"/>
           <p><insert type="param" id-ref="ir-04.09_odp"/> are employed to respond to incidents.</p>
+          <link rel="assessment-for" href="#ir-4.9_smt"/>
         </part>
         <part id="ir-4.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32459,6 +34236,7 @@
         <part id="ir-4.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(10)"/>
           <p>incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.</p>
+          <link rel="assessment-for" href="#ir-4.10_smt"/>
         </part>
         <part id="ir-4.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32516,11 +34294,14 @@
           <part id="ir-4.11_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(11)[01]"/>
             <p>an integrated incident response team is established and maintained;</p>
+            <link rel="assessment-for" href="#ir-4.11_smt"/>
           </part>
           <part id="ir-4.11_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(11)[02]"/>
             <p>the integrated incident response team can be deployed to any location identified by the organization in <insert type="param" id-ref="ir-04.11_odp"/>.</p>
+            <link rel="assessment-for" href="#ir-4.11_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.11_smt"/>
         </part>
         <part id="ir-4.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32563,11 +34344,14 @@
           <part id="ir-4.12_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(12)[01]"/>
             <p>malicious code remaining in the system is analyzed after the incident;</p>
+            <link rel="assessment-for" href="#ir-4.12_smt"/>
           </part>
           <part id="ir-4.12_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(12)[02]"/>
             <p>other residual artifacts remaining in the system (if any) are analyzed after the incident.</p>
+            <link rel="assessment-for" href="#ir-4.12_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.12_smt"/>
         </part>
         <part id="ir-4.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32631,6 +34415,7 @@
         <part id="ir-4.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-04(13)"/>
           <p>anomalous or suspected adversarial behavior in or related to <insert type="param" id-ref="ir-04.13_odp"/> are analyzed.</p>
+          <link rel="assessment-for" href="#ir-4.13_smt"/>
         </part>
         <part id="ir-4.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32686,11 +34471,14 @@
           <part id="ir-4.14_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(14)[01]"/>
             <p>a security operations center is established;</p>
+            <link rel="assessment-for" href="#ir-4.14_smt"/>
           </part>
           <part id="ir-4.14_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(14)[02]"/>
             <p>a security operations center is maintained.</p>
+            <link rel="assessment-for" href="#ir-4.14_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.14_smt"/>
         </part>
         <part id="ir-4.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32751,11 +34539,14 @@
           <part id="ir-4.15_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(15)(a)"/>
             <p>public relations associated with an incident are managed;</p>
+            <link rel="assessment-for" href="#ir-4.15_smt.a"/>
           </part>
           <part id="ir-4.15_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-04(15)(b)"/>
             <p>measures are employed to repair the reputation of the organization.</p>
+            <link rel="assessment-for" href="#ir-4.15_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ir-4.15_smt"/>
         </part>
         <part id="ir-4.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32811,11 +34602,14 @@
         <part id="ir-5_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-05[01]"/>
           <p>incidents are tracked;</p>
+          <link rel="assessment-for" href="#ir-5_smt"/>
         </part>
         <part id="ir-5_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-05[02]"/>
           <p>incidents are documented.</p>
+          <link rel="assessment-for" href="#ir-5_smt"/>
         </part>
+        <link rel="assessment-for" href="#ir-5_smt"/>
       </part>
       <part id="ir-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32892,15 +34686,19 @@
           <part id="ir-5.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-05(01)[01]"/>
             <p>incidents are tracked using <insert type="param" id-ref="ir-05.01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ir-5.1_smt"/>
           </part>
           <part id="ir-5.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-05(01)[02]"/>
             <p>incident information is collected using <insert type="param" id-ref="ir-05.01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ir-5.1_smt"/>
           </part>
           <part id="ir-5.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-05(01)[03]"/>
             <p>incident information is analyzed using <insert type="param" id-ref="ir-05.01_odp.03"/>.</p>
+            <link rel="assessment-for" href="#ir-5.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ir-5.1_smt"/>
         </part>
         <part id="ir-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -32982,11 +34780,14 @@
         <part id="ir-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-06a."/>
           <p>personnel is/are required to report suspected incidents to the organizational incident response capability within <insert type="param" id-ref="ir-06_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ir-6_smt.a"/>
         </part>
         <part id="ir-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-06b."/>
           <p>incident information is reported to <insert type="param" id-ref="ir-06_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ir-6_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ir-6_smt"/>
       </part>
       <part id="ir-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33045,6 +34846,7 @@
         <part id="ir-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-06(01)"/>
           <p>incidents are reported using <insert type="param" id-ref="ir-06.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-6.1_smt"/>
         </part>
         <part id="ir-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33101,6 +34903,7 @@
         <part id="ir-6.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-06(02)"/>
           <p>system vulnerabilities associated with reported incidents are reported to <insert type="param" id-ref="ir-06.02_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-6.2_smt"/>
         </part>
         <part id="ir-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33151,6 +34954,7 @@
         <part id="ir-6.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-06(03)"/>
           <p>incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.</p>
+          <link rel="assessment-for" href="#ir-6.3_smt"/>
         </part>
         <part id="ir-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33217,11 +35021,14 @@
         <part id="ir-7_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-07[01]"/>
           <p>an incident response support resource, integral to the organizational incident response capability, is provided;</p>
+          <link rel="assessment-for" href="#ir-7_smt"/>
         </part>
         <part id="ir-7_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-07[02]"/>
           <p>the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.</p>
+          <link rel="assessment-for" href="#ir-7_smt"/>
         </part>
+        <link rel="assessment-for" href="#ir-7_smt"/>
       </part>
       <part id="ir-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33276,6 +35083,7 @@
         <part id="ir-7.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-07(01)"/>
           <p>the availability of incident response information and support is increased using <insert type="param" id-ref="ir-07.01_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-7.1_smt"/>
         </part>
         <part id="ir-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33334,11 +35142,14 @@
           <part id="ir-7.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-07(02)(a)"/>
             <p>a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;</p>
+            <link rel="assessment-for" href="#ir-7.2_smt.a"/>
           </part>
           <part id="ir-7.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-07(02)(b)"/>
             <p>organizational incident response team members are identified to the external providers.</p>
+            <link rel="assessment-for" href="#ir-7.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ir-7.2_smt"/>
         </part>
         <part id="ir-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33515,81 +35326,103 @@
           <part id="ir-8_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.01"/>
             <p>an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.1"/>
           </part>
           <part id="ir-8_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.02"/>
             <p>an incident response plan is developed that describes the structure and organization of the incident response capability;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.2"/>
           </part>
           <part id="ir-8_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.03"/>
             <p>an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.3"/>
           </part>
           <part id="ir-8_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.04"/>
             <p>an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.4"/>
           </part>
           <part id="ir-8_obj.a.5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.05"/>
             <p>an incident response plan is developed that defines reportable incidents;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.5"/>
           </part>
           <part id="ir-8_obj.a.6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.06"/>
             <p>an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.6"/>
           </part>
           <part id="ir-8_obj.a.7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.07"/>
             <p>an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.7"/>
           </part>
           <part id="ir-8_obj.a.8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.08"/>
             <p>an incident response plan is developed that addresses the sharing of incident information;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.8"/>
           </part>
           <part id="ir-8_obj.a.9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.09"/>
             <p>an incident response plan is developed that is reviewed and approved by <insert type="param" id-ref="ir-08_odp.01"/> <insert type="param" id-ref="ir-08_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.9"/>
           </part>
           <part id="ir-8_obj.a.10" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08a.10"/>
             <p>an incident response plan is developed that explicitly designates responsibility for incident response to <insert type="param" id-ref="ir-08_odp.03"/>.</p>
+            <link rel="assessment-for" href="#ir-8_smt.a.10"/>
           </part>
+          <link rel="assessment-for" href="#ir-8_smt.a"/>
         </part>
         <part id="ir-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-08b."/>
           <part id="ir-8_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08b.[01]"/>
             <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.04"/>;</p>
+            <link rel="assessment-for" href="#ir-8_smt.b"/>
           </part>
           <part id="ir-8_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08b.[02]"/>
             <p>copies of the incident response plan are distributed to <insert type="param" id-ref="ir-08_odp.05"/>;</p>
+            <link rel="assessment-for" href="#ir-8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ir-8_smt.b"/>
         </part>
         <part id="ir-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-08c."/>
           <p>the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</p>
+          <link rel="assessment-for" href="#ir-8_smt.c"/>
         </part>
         <part id="ir-8_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-08d."/>
           <part id="ir-8_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08d.[01]"/>
             <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.06"/>;</p>
+            <link rel="assessment-for" href="#ir-8_smt.d"/>
           </part>
           <part id="ir-8_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08d.[02]"/>
             <p>incident response plan changes are communicated to <insert type="param" id-ref="ir-08_odp.07"/>;</p>
+            <link rel="assessment-for" href="#ir-8_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ir-8_smt.d"/>
         </part>
         <part id="ir-8_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-08e."/>
           <part id="ir-8_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08e.[01]"/>
             <p>the incident response plan is protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#ir-8_smt.e"/>
           </part>
           <part id="ir-8_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08e.[02]"/>
             <p>the incident response plan is protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#ir-8_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#ir-8_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#ir-8_smt"/>
       </part>
       <part id="ir-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33655,15 +35488,19 @@
           <part id="ir-8.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08(01)(a)"/>
             <p>the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;</p>
+            <link rel="assessment-for" href="#ir-8.1_smt.a"/>
           </part>
           <part id="ir-8.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08(01)(b)"/>
             <p>the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;</p>
+            <link rel="assessment-for" href="#ir-8.1_smt.b"/>
           </part>
           <part id="ir-8.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="IR-08(01)(c)"/>
             <p>the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.</p>
+            <link rel="assessment-for" href="#ir-8.1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ir-8.1_smt"/>
         </part>
         <part id="ir-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33772,31 +35609,39 @@
         <part id="ir-9_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09a."/>
           <p><insert type="param" id-ref="ir-09_odp.01"/> is/are assigned the responsibility to respond to information spills;</p>
+          <link rel="assessment-for" href="#ir-9_smt.a"/>
         </part>
         <part id="ir-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09b."/>
           <p>the specific information involved in the system contamination is identified in response to information spills;</p>
+          <link rel="assessment-for" href="#ir-9_smt.b"/>
         </part>
         <part id="ir-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09c."/>
           <p><insert type="param" id-ref="ir-09_odp.02"/> is/are alerted of the information spill using a method of communication not associated with the spill;</p>
+          <link rel="assessment-for" href="#ir-9_smt.c"/>
         </part>
         <part id="ir-9_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09d."/>
           <p>the contaminated system or system component is isolated in response to information spills;</p>
+          <link rel="assessment-for" href="#ir-9_smt.d"/>
         </part>
         <part id="ir-9_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09e."/>
           <p>the information is eradicated from the contaminated system or component in response to information spills;</p>
+          <link rel="assessment-for" href="#ir-9_smt.e"/>
         </part>
         <part id="ir-9_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09f."/>
           <p>other systems or system components that may have been subsequently contaminated are identified in response to information spills;</p>
+          <link rel="assessment-for" href="#ir-9_smt.f"/>
         </part>
         <part id="ir-9_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09g."/>
           <p><insert type="param" id-ref="ir-09_odp.03"/> are performed in response to information spills.</p>
+          <link rel="assessment-for" href="#ir-9_smt.g"/>
         </part>
+        <link rel="assessment-for" href="#ir-9_smt"/>
       </part>
       <part id="ir-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33864,6 +35709,7 @@
         <part id="ir-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09(02)"/>
           <p>information spillage response training is provided <insert type="param" id-ref="ir-09.02_odp"/>.</p>
+          <link rel="assessment-for" href="#ir-9.2_smt"/>
         </part>
         <part id="ir-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33912,6 +35758,7 @@
         <part id="ir-9.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09(03)"/>
           <p><insert type="param" id-ref="ir-09.03_odp"/> are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.</p>
+          <link rel="assessment-for" href="#ir-9.3_smt"/>
         </part>
         <part id="ir-9.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -33965,6 +35812,7 @@
         <part id="ir-9.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="IR-09(04)"/>
           <p><insert type="param" id-ref="ir-09.04_odp"/> are employed for personnel exposed to information not within assigned access authorizations.</p>
+          <link rel="assessment-for" href="#ir-9.4_smt"/>
         </part>
         <part id="ir-9.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34139,18 +35987,22 @@
           <part id="ma-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01a.[01]"/>
             <p>a maintenance policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ma-1_smt.a"/>
           </part>
           <part id="ma-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01a.[02]"/>
             <p>the maintenance policy is disseminated to <insert type="param" id-ref="ma-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ma-1_smt.a"/>
           </part>
           <part id="ma-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01a.[03]"/>
             <p>maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ma-1_smt.a"/>
           </part>
           <part id="ma-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01a.[04]"/>
             <p>the maintenance procedures are disseminated to <insert type="param" id-ref="ma-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ma-1_smt.a"/>
           </part>
           <part id="ma-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01a.01"/>
@@ -34159,41 +36011,53 @@
               <part id="ma-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses scope;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses roles;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
               <part id="ma-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MA-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ma-1_smt.a.1.a"/>
             </part>
             <part id="ma-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ma-01_odp.03"/> maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ma-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ma-1_smt.a"/>
         </part>
         <part id="ma-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-01b."/>
           <p>the <insert type="param" id-ref="ma-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;</p>
+          <link rel="assessment-for" href="#ma-1_smt.b"/>
         </part>
         <part id="ma-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-01c."/>
@@ -34202,24 +36066,32 @@
             <part id="ma-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-01c.01[01]"/>
               <p>the current maintenance policy is reviewed and updated <insert type="param" id-ref="ma-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ma-1_smt.c.1"/>
             </part>
             <part id="ma-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-01c.01[02]"/>
               <p>the current maintenance policy is reviewed and updated following <insert type="param" id-ref="ma-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ma-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt.c.1"/>
           </part>
           <part id="ma-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-01c.02"/>
             <part id="ma-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-01c.02[01]"/>
               <p>the current maintenance procedures are reviewed and updated <insert type="param" id-ref="ma-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ma-1_smt.c.2"/>
             </part>
             <part id="ma-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-01c.02[02]"/>
               <p>the current maintenance procedures are reviewed and updated following <insert type="param" id-ref="ma-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ma-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ma-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ma-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ma-1_smt"/>
       </part>
       <part id="ma-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34321,43 +36193,55 @@
           <part id="ma-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02a.[01]"/>
             <p>maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+            <link rel="assessment-for" href="#ma-2_smt.a"/>
           </part>
           <part id="ma-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02a.[02]"/>
             <p>maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+            <link rel="assessment-for" href="#ma-2_smt.a"/>
           </part>
           <part id="ma-2_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02a.[03]"/>
             <p>records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;</p>
+            <link rel="assessment-for" href="#ma-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ma-2_smt.a"/>
         </part>
         <part id="ma-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-02b."/>
           <part id="ma-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02b.[01]"/>
             <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;</p>
+            <link rel="assessment-for" href="#ma-2_smt.b"/>
           </part>
           <part id="ma-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02b.[02]"/>
             <p>all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;</p>
+            <link rel="assessment-for" href="#ma-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-2_smt.b"/>
         </part>
         <part id="ma-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-02c."/>
           <p><insert type="param" id-ref="ma-02_odp.01"/> is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</p>
+          <link rel="assessment-for" href="#ma-2_smt.c"/>
         </part>
         <part id="ma-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-02d."/>
           <p>equipment is sanitized to remove <insert type="param" id-ref="ma-02_odp.02"/> from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;</p>
+          <link rel="assessment-for" href="#ma-2_smt.d"/>
         </part>
         <part id="ma-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-02e."/>
           <p>all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;</p>
+          <link rel="assessment-for" href="#ma-2_smt.e"/>
         </part>
         <part id="ma-2_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-02f."/>
           <p><insert type="param" id-ref="ma-02_odp.03"/> is included in organizational maintenance records.</p>
+          <link rel="assessment-for" href="#ma-2_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#ma-2_smt"/>
       </part>
       <part id="ma-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34456,31 +36340,40 @@
             <part id="ma-2.2_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(a)[01]"/>
               <p><insert type="param" id-ref="ma-02.02_odp.01"/> are used to schedule maintenance, repair, and replacement actions for the system;</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.a"/>
             </part>
             <part id="ma-2.2_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(a)[02]"/>
               <p><insert type="param" id-ref="ma-02.02_odp.02"/> are used to conduct maintenance, repair, and replacement actions for the system;</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.a"/>
             </part>
             <part id="ma-2.2_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(a)[03]"/>
               <p><insert type="param" id-ref="ma-02.02_odp.03"/> are used to document maintenance, repair, and replacement actions for the system;</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ma-2.2_smt.a"/>
           </part>
           <part id="ma-2.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-02(02)(b)"/>
             <part id="ma-2.2_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(b)[01]"/>
               <p>up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.b"/>
             </part>
             <part id="ma-2.2_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(b)[02]"/>
               <p>up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.b"/>
             </part>
             <part id="ma-2.2_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-02(02)(b)[03]"/>
               <p>up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.</p>
+              <link rel="assessment-for" href="#ma-2.2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-2.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-2.2_smt"/>
         </part>
         <part id="ma-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34551,20 +36444,26 @@
           <part id="ma-3_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03a.[01]"/>
             <p>the use of system maintenance tools is approved;</p>
+            <link rel="assessment-for" href="#ma-3_smt.a"/>
           </part>
           <part id="ma-3_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03a.[02]"/>
             <p>the use of system maintenance tools is controlled;</p>
+            <link rel="assessment-for" href="#ma-3_smt.a"/>
           </part>
           <part id="ma-3_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03a.[03]"/>
             <p>the use of system maintenance tools is monitored;</p>
+            <link rel="assessment-for" href="#ma-3_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ma-3_smt.a"/>
         </part>
         <part id="ma-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03b."/>
           <p>previously approved system maintenance tools are reviewed <insert type="param" id-ref="ma-03_odp"/>.</p>
+          <link rel="assessment-for" href="#ma-3_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ma-3_smt"/>
       </part>
       <part id="ma-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34611,6 +36510,7 @@
         <part id="ma-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03(01)"/>
           <p>maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.</p>
+          <link rel="assessment-for" href="#ma-3.1_smt"/>
         </part>
         <part id="ma-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34659,6 +36559,7 @@
         <part id="ma-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03(02)"/>
           <p>media containing diagnostic and test programs are checked for malicious code before the media are used in the system.</p>
+          <link rel="assessment-for" href="#ma-3.2_smt"/>
         </part>
         <part id="ma-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34732,19 +36633,24 @@
           <part id="ma-3.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03(03)(a)"/>
             <p>the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or</p>
+            <link rel="assessment-for" href="#ma-3.3_smt.a"/>
           </part>
           <part id="ma-3.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03(03)(b)"/>
             <p>the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or</p>
+            <link rel="assessment-for" href="#ma-3.3_smt.b"/>
           </part>
           <part id="ma-3.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03(03)(c)"/>
             <p>the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or</p>
+            <link rel="assessment-for" href="#ma-3.3_smt.c"/>
           </part>
           <part id="ma-3.3_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-03(03)(d)"/>
             <p>the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from <insert type="param" id-ref="ma-03.03_odp"/> explicitly authorizing removal of the equipment from the facility.</p>
+            <link rel="assessment-for" href="#ma-3.3_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#ma-3.3_smt"/>
         </part>
         <part id="ma-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34800,6 +36706,7 @@
         <part id="ma-3.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03(04)"/>
           <p>the use of maintenance tools is restricted to authorized personnel only.</p>
+          <link rel="assessment-for" href="#ma-3.4_smt"/>
         </part>
         <part id="ma-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34851,6 +36758,7 @@
         <part id="ma-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03(05)"/>
           <p>the use of maintenance tools that execute with increased privilege is monitored.</p>
+          <link rel="assessment-for" href="#ma-3.5_smt"/>
         </part>
         <part id="ma-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34903,6 +36811,7 @@
         <part id="ma-3.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-03(06)"/>
           <p>maintenance tools are inspected to ensure that the latest software updates and patches are installed.</p>
+          <link rel="assessment-for" href="#ma-3.6_smt"/>
         </part>
         <part id="ma-3.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -34996,42 +36905,54 @@
           <part id="ma-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04a.[01]"/>
             <p>nonlocal maintenance and diagnostic activities are approved;</p>
+            <link rel="assessment-for" href="#ma-4_smt.a"/>
           </part>
           <part id="ma-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04a.[02]"/>
             <p>nonlocal maintenance and diagnostic activities are monitored;</p>
+            <link rel="assessment-for" href="#ma-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ma-4_smt.a"/>
         </part>
         <part id="ma-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-04b."/>
           <part id="ma-4_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04b.[01]"/>
             <p>the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;</p>
+            <link rel="assessment-for" href="#ma-4_smt.b"/>
           </part>
           <part id="ma-4_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04b.[02]"/>
             <p>the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;</p>
+            <link rel="assessment-for" href="#ma-4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-4_smt.b"/>
         </part>
         <part id="ma-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-04c."/>
           <p>strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;</p>
+          <link rel="assessment-for" href="#ma-4_smt.c"/>
         </part>
         <part id="ma-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-04d."/>
           <p>records for nonlocal maintenance and diagnostic activities are maintained;</p>
+          <link rel="assessment-for" href="#ma-4_smt.d"/>
         </part>
         <part id="ma-4_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-04e."/>
           <part id="ma-4_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04e.[01]"/>
             <p>session connections are terminated when nonlocal maintenance is completed;</p>
+            <link rel="assessment-for" href="#ma-4_smt.e"/>
           </part>
           <part id="ma-4_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04e.[02]"/>
             <p>network connections are terminated when nonlocal maintenance is completed.</p>
+            <link rel="assessment-for" href="#ma-4_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#ma-4_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#ma-4_smt"/>
       </part>
       <part id="ma-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35117,23 +37038,30 @@
             <part id="ma-4.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(01)(a)[01]"/>
               <p><insert type="param" id-ref="ma-04.01_odp.01"/> are logged for nonlocal maintenance sessions;</p>
+              <link rel="assessment-for" href="#ma-4.1_smt.a"/>
             </part>
             <part id="ma-4.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(01)(a)[02]"/>
               <p><insert type="param" id-ref="ma-04.01_odp.02"/> are logged for nonlocal diagnostic sessions;</p>
+              <link rel="assessment-for" href="#ma-4.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ma-4.1_smt.a"/>
           </part>
           <part id="ma-4.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(01)(b)"/>
             <part id="ma-4.1_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(01)(b)[01]"/>
               <p>the audit records of the maintenance sessions are reviewed to detect anomalous behavior;</p>
+              <link rel="assessment-for" href="#ma-4.1_smt.b"/>
             </part>
             <part id="ma-4.1_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(01)(b)[02]"/>
               <p>the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.</p>
+              <link rel="assessment-for" href="#ma-4.1_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-4.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.1_smt"/>
         </part>
         <part id="ma-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35209,27 +37137,35 @@
             <part id="ma-4.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(03)(a)[01]"/>
               <p>nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;</p>
+              <link rel="assessment-for" href="#ma-4.3_smt.a"/>
             </part>
             <part id="ma-4.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(03)(a)[02]"/>
               <p>nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or</p>
+              <link rel="assessment-for" href="#ma-4.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#ma-4.3_smt.a"/>
           </part>
           <part id="ma-4.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(03)(b)"/>
             <part id="ma-4.3_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(03)(b)[01]"/>
               <p>the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;</p>
+              <link rel="assessment-for" href="#ma-4.3_smt.b"/>
             </part>
             <part id="ma-4.3_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(03)(b)[02]"/>
               <p>the component to be serviced is sanitized (for organizational information);</p>
+              <link rel="assessment-for" href="#ma-4.3_smt.b"/>
             </part>
             <part id="ma-4.3_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(03)(b)[03]"/>
               <p>the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.</p>
+              <link rel="assessment-for" href="#ma-4.3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-4.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.3_smt"/>
         </part>
         <part id="ma-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35310,18 +37246,23 @@
           <part id="ma-4.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(04)(a)"/>
             <p>nonlocal maintenance sessions are protected by employing <insert type="param" id-ref="ma-04.04_odp"/>;</p>
+            <link rel="assessment-for" href="#ma-4.4_smt.a"/>
           </part>
           <part id="ma-4.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(04)(b)"/>
             <part id="ma-4.4_obj.b.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(04)(b)(01)"/>
               <p>nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or</p>
+              <link rel="assessment-for" href="#ma-4.4_smt.b.1"/>
             </part>
             <part id="ma-4.4_obj.b.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-04(04)(b)(02)"/>
               <p>nonlocal maintenance sessions are protected by logically separated communication paths.</p>
+              <link rel="assessment-for" href="#ma-4.4_smt.b.2"/>
             </part>
+            <link rel="assessment-for" href="#ma-4.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.4_smt"/>
         </part>
         <part id="ma-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35399,11 +37340,14 @@
           <part id="ma-4.5_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(05)(a)"/>
             <p>the approval of each nonlocal maintenance session is required by <insert type="param" id-ref="ma-04.05_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ma-4.5_smt.a"/>
           </part>
           <part id="ma-4.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(05)(b)"/>
             <p><insert type="param" id-ref="ma-04.05_odp.02"/> is/are notified of the date and time of planned nonlocal maintenance.</p>
+            <link rel="assessment-for" href="#ma-4.5_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.5_smt"/>
         </part>
         <part id="ma-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35467,11 +37411,14 @@
           <part id="ma-4.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(06)[01]"/>
             <p><insert type="param" id-ref="ma-04.06_odp"/> are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;</p>
+            <link rel="assessment-for" href="#ma-4.6_smt"/>
           </part>
           <part id="ma-4.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(06)[02]"/>
             <p><insert type="param" id-ref="ma-04.06_odp"/> are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.</p>
+            <link rel="assessment-for" href="#ma-4.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.6_smt"/>
         </part>
         <part id="ma-4.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35526,11 +37473,14 @@
           <part id="ma-4.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(07)[01]"/>
             <p>session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;</p>
+            <link rel="assessment-for" href="#ma-4.7_smt"/>
           </part>
           <part id="ma-4.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-04(07)[02]"/>
             <p>network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.</p>
+            <link rel="assessment-for" href="#ma-4.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#ma-4.7_smt"/>
         </part>
         <part id="ma-4.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35610,20 +37560,26 @@
           <part id="ma-5_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05a.[01]"/>
             <p>a process for maintenance personnel authorization is established;</p>
+            <link rel="assessment-for" href="#ma-5_smt.a"/>
           </part>
           <part id="ma-5_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05a.[02]"/>
             <p>a list of authorized maintenance organizations or personnel is maintained;</p>
+            <link rel="assessment-for" href="#ma-5_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ma-5_smt.a"/>
         </part>
         <part id="ma-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-05b."/>
           <p>non-escorted personnel performing maintenance on the system possess the required access authorizations;</p>
+          <link rel="assessment-for" href="#ma-5_smt.b"/>
         </part>
         <part id="ma-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-05c."/>
           <p>organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.</p>
+          <link rel="assessment-for" href="#ma-5_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ma-5_smt"/>
       </part>
       <part id="ma-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35701,16 +37657,21 @@
             <part id="ma-5.1_obj.a.1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-05(01)(a)(01)"/>
               <p>procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;</p>
+              <link rel="assessment-for" href="#ma-5.1_smt.a.1"/>
             </part>
             <part id="ma-5.1_obj.a.2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-05(01)(a)(02)"/>
               <p>procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;</p>
+              <link rel="assessment-for" href="#ma-5.1_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#ma-5.1_smt.a"/>
           </part>
           <part id="ma-5.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05(01)(b)"/>
             <p><insert type="param" id-ref="ma-05.01_odp"/> are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.</p>
+            <link rel="assessment-for" href="#ma-5.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-5.1_smt"/>
         </part>
         <part id="ma-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35768,11 +37729,14 @@
           <part id="ma-5.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05(02)[01]"/>
             <p>personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;</p>
+            <link rel="assessment-for" href="#ma-5.2_smt"/>
           </part>
           <part id="ma-5.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05(02)[02]"/>
             <p>personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.</p>
+            <link rel="assessment-for" href="#ma-5.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#ma-5.2_smt"/>
         </part>
         <part id="ma-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35824,6 +37788,7 @@
         <part id="ma-5.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-05(03)"/>
           <p>personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.</p>
+          <link rel="assessment-for" href="#ma-5.3_smt"/>
         </part>
         <part id="ma-5.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35877,22 +37842,28 @@
           <part id="ma-5.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05(04)(a)"/>
             <p>foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;</p>
+            <link rel="assessment-for" href="#ma-5.4_smt.a"/>
           </part>
           <part id="ma-5.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MA-05(04)(b)"/>
             <part id="ma-5.4_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-05(04)(b)[01]"/>
               <p>approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;</p>
+              <link rel="assessment-for" href="#ma-5.4_smt.b"/>
             </part>
             <part id="ma-5.4_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-05(04)(b)[02]"/>
               <p>consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;</p>
+              <link rel="assessment-for" href="#ma-5.4_smt.b"/>
             </part>
             <part id="ma-5.4_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MA-05(04)(b)[03]"/>
               <p>detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.</p>
+              <link rel="assessment-for" href="#ma-5.4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#ma-5.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ma-5.4_smt"/>
         </part>
         <part id="ma-5.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -35945,6 +37916,7 @@
         <part id="ma-5.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-05(05)"/>
           <p>non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.</p>
+          <link rel="assessment-for" href="#ma-5.5_smt"/>
         </part>
         <part id="ma-5.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36014,6 +37986,7 @@
       <part id="ma-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="MA-06"/>
         <p>maintenance support and/or spare parts are obtained for <insert type="param" id-ref="ma-06_odp.01"/> within <insert type="param" id-ref="ma-06_odp.02"/> of failure.</p>
+        <link rel="assessment-for" href="#ma-6_smt"/>
       </part>
       <part id="ma-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36077,6 +38050,7 @@
         <part id="ma-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-06(01)"/>
           <p>preventive maintenance is performed on <insert type="param" id-ref="ma-06.01_odp.01"/> at <insert type="param" id-ref="ma-06.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ma-6.1_smt"/>
         </part>
         <part id="ma-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36142,6 +38116,7 @@
         <part id="ma-6.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-06(02)"/>
           <p>predictive maintenance is performed on <insert type="param" id-ref="ma-06.02_odp.01"/> at <insert type="param" id-ref="ma-06.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ma-6.2_smt"/>
         </part>
         <part id="ma-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36199,6 +38174,7 @@
         <part id="ma-6.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MA-06(03)"/>
           <p>predictive maintenance data is transferred to a maintenance management system using <insert type="param" id-ref="ma-06.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ma-6.3_smt"/>
         </part>
         <part id="ma-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36267,6 +38243,7 @@
       <part id="ma-7_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="MA-07"/>
         <p>field maintenance on <insert type="param" id-ref="ma-07_odp.01"/> are restricted or prohibited to <insert type="param" id-ref="ma-07_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ma-7_smt"/>
       </part>
       <part id="ma-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36436,18 +38413,22 @@
           <part id="mp-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01a.[01]"/>
             <p>a media protection policy is developed and documented;</p>
+            <link rel="assessment-for" href="#mp-1_smt.a"/>
           </part>
           <part id="mp-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01a.[02]"/>
             <p>the media protection policy is disseminated to <insert type="param" id-ref="mp-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#mp-1_smt.a"/>
           </part>
           <part id="mp-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01a.[03]"/>
             <p>media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;</p>
+            <link rel="assessment-for" href="#mp-1_smt.a"/>
           </part>
           <part id="mp-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01a.[04]"/>
             <p>the media protection procedures are disseminated to <insert type="param" id-ref="mp-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#mp-1_smt.a"/>
           </part>
           <part id="mp-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01a.01"/>
@@ -36456,41 +38437,53 @@
               <part id="mp-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses purpose;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses scope;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses roles;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
               <part id="mp-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="MP-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="mp-01_odp.03"/> media protection policy compliance;</p>
+                <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#mp-1_smt.a.1.a"/>
             </part>
             <part id="mp-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MP-01a.01(b)"/>
               <p>the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#mp-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#mp-1_smt.a"/>
         </part>
         <part id="mp-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-01b."/>
           <p>the <insert type="param" id-ref="mp-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.</p>
+          <link rel="assessment-for" href="#mp-1_smt.b"/>
         </part>
         <part id="mp-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-01c."/>
@@ -36499,24 +38492,32 @@
             <part id="mp-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MP-01c.01[01]"/>
               <p>the current media protection policy is reviewed and updated <insert type="param" id-ref="mp-01_odp.05"/>; </p>
+              <link rel="assessment-for" href="#mp-1_smt.c.1"/>
             </part>
             <part id="mp-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MP-01c.01[02]"/>
               <p>the current media protection policy is reviewed and updated following <insert type="param" id-ref="mp-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#mp-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt.c.1"/>
           </part>
           <part id="mp-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-01c.02"/>
             <part id="mp-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MP-01c.02[01]"/>
               <p>the current media protection procedures are reviewed and updated <insert type="param" id-ref="mp-01_odp.07"/>; </p>
+              <link rel="assessment-for" href="#mp-1_smt.c.2"/>
             </part>
             <part id="mp-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="MP-01c.02[02]"/>
               <p>the current media protection procedures are reviewed and updated following <insert type="param" id-ref="mp-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#mp-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#mp-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#mp-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#mp-1_smt"/>
       </part>
       <part id="mp-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36610,11 +38611,14 @@
         <part id="mp-2_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-02[01]"/>
           <p>access to <insert type="param" id-ref="mp-02_odp.01"/> is restricted to <insert type="param" id-ref="mp-02_odp.02"/>;</p>
+          <link rel="assessment-for" href="#mp-2_smt"/>
         </part>
         <part id="mp-2_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-02[02]"/>
           <p>access to <insert type="param" id-ref="mp-02_odp.03"/> is restricted to <insert type="param" id-ref="mp-02_odp.04"/>.</p>
+          <link rel="assessment-for" href="#mp-2_smt"/>
         </part>
+        <link rel="assessment-for" href="#mp-2_smt"/>
       </part>
       <part id="mp-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36713,11 +38717,14 @@
         <part id="mp-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-03a."/>
           <p>system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;</p>
+          <link rel="assessment-for" href="#mp-3_smt.a"/>
         </part>
         <part id="mp-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-03b."/>
           <p><insert type="param" id-ref="mp-03_odp.01"/> remain within <insert type="param" id-ref="mp-03_odp.02"/>.</p>
+          <link rel="assessment-for" href="#mp-3_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#mp-3_smt"/>
       </part>
       <part id="mp-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36851,24 +38858,31 @@
           <part id="mp-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04a.[01]"/>
             <p><insert type="param" id-ref="mp-04_odp.01"/> are physically controlled;</p>
+            <link rel="assessment-for" href="#mp-4_smt.a"/>
           </part>
           <part id="mp-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04a.[02]"/>
             <p><insert type="param" id-ref="mp-04_odp.02"/> are physically controlled;</p>
+            <link rel="assessment-for" href="#mp-4_smt.a"/>
           </part>
           <part id="mp-4_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04a.[03]"/>
             <p><insert type="param" id-ref="mp-04_odp.03"/> are securely stored within <insert type="param" id-ref="mp-04_odp.05"/>;</p>
+            <link rel="assessment-for" href="#mp-4_smt.a"/>
           </part>
           <part id="mp-4_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04a.[04]"/>
             <p><insert type="param" id-ref="mp-04_odp.04"/> are securely stored within <insert type="param" id-ref="mp-04_odp.06"/>;</p>
+            <link rel="assessment-for" href="#mp-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#mp-4_smt.a"/>
         </part>
         <part id="mp-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-04b."/>
           <p>system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</p>
+          <link rel="assessment-for" href="#mp-4_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#mp-4_smt"/>
       </part>
       <part id="mp-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -36959,15 +38973,19 @@
           <part id="mp-4.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04(02)[01]"/>
             <p>access to media storage areas is restricted using <insert type="param" id-ref="mp-04.02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#mp-4.2_smt"/>
           </part>
           <part id="mp-4.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04(02)[02]"/>
             <p>access attempts to media storage areas are logged using <insert type="param" id-ref="mp-04.02_odp.02"/>;</p>
+            <link rel="assessment-for" href="#mp-4.2_smt"/>
           </part>
           <part id="mp-4.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-04(02)[03]"/>
             <p>access granted to media storage areas is logged using <insert type="param" id-ref="mp-04.02_odp.03"/>.</p>
+            <link rel="assessment-for" href="#mp-4.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-4.2_smt"/>
         </part>
         <part id="mp-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37082,31 +39100,40 @@
           <part id="mp-5_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05a.[01]"/>
             <p><insert type="param" id-ref="mp-05_odp.01"/> are protected during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.02"/>;</p>
+            <link rel="assessment-for" href="#mp-5_smt.a"/>
           </part>
           <part id="mp-5_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05a.[02]"/>
             <p><insert type="param" id-ref="mp-05_odp.01"/> are controlled during transport outside of controlled areas using <insert type="param" id-ref="mp-05_odp.03"/>;</p>
+            <link rel="assessment-for" href="#mp-5_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#mp-5_smt.a"/>
         </part>
         <part id="mp-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-05b."/>
           <p>accountability for system media is maintained during transport outside of controlled areas;</p>
+          <link rel="assessment-for" href="#mp-5_smt.b"/>
         </part>
         <part id="mp-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-05c."/>
           <p>activities associated with the transport of system media are documented;</p>
+          <link rel="assessment-for" href="#mp-5_smt.c"/>
         </part>
         <part id="mp-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-05d."/>
           <part id="mp-5_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05d.[01]"/>
             <p>personnel authorized to conduct media transport activities is/are identified;</p>
+            <link rel="assessment-for" href="#mp-5_smt.d"/>
           </part>
           <part id="mp-5_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05d.[02]"/>
             <p>activities associated with the transport of system media are restricted to identified authorized personnel.</p>
+            <link rel="assessment-for" href="#mp-5_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#mp-5_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#mp-5_smt"/>
       </part>
       <part id="mp-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37174,11 +39201,14 @@
           <part id="mp-5.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05(03)[01]"/>
             <p>a custodian to transport system media outside of controlled areas is identified;</p>
+            <link rel="assessment-for" href="#mp-5.3_smt"/>
           </part>
           <part id="mp-5.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-05(03)[02]"/>
             <p>the identified custodian is employed during the transport of system media outside of controlled areas.</p>
+            <link rel="assessment-for" href="#mp-5.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-5.3_smt"/>
         </part>
         <part id="mp-5.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37320,20 +39350,26 @@
           <part id="mp-6_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06a.[01]"/>
             <p><insert type="param" id-ref="mp-06_odp.01"/> is sanitized using <insert type="param" id-ref="mp-06_odp.04"/> prior to disposal;</p>
+            <link rel="assessment-for" href="#mp-6_smt.a"/>
           </part>
           <part id="mp-6_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06a.[02]"/>
             <p><insert type="param" id-ref="mp-06_odp.02"/> is sanitized using <insert type="param" id-ref="mp-06_odp.05"/> prior to release from organizational control;</p>
+            <link rel="assessment-for" href="#mp-6_smt.a"/>
           </part>
           <part id="mp-6_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06a.[03]"/>
             <p><insert type="param" id-ref="mp-06_odp.03"/> is sanitized using <insert type="param" id-ref="mp-06_odp.06"/> prior to release for reuse;</p>
+            <link rel="assessment-for" href="#mp-6_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#mp-6_smt.a"/>
         </part>
         <part id="mp-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-06b."/>
           <p>sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.</p>
+          <link rel="assessment-for" href="#mp-6_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#mp-6_smt"/>
       </part>
       <part id="mp-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37389,23 +39425,29 @@
           <part id="mp-6.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(01)[01]"/>
             <p>media sanitization and disposal actions are reviewed;</p>
+            <link rel="assessment-for" href="#mp-6.1_smt"/>
           </part>
           <part id="mp-6.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(01)[02]"/>
             <p>media sanitization and disposal actions are approved;</p>
+            <link rel="assessment-for" href="#mp-6.1_smt"/>
           </part>
           <part id="mp-6.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(01)[03]"/>
             <p>media sanitization and disposal actions are tracked;</p>
+            <link rel="assessment-for" href="#mp-6.1_smt"/>
           </part>
           <part id="mp-6.1_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(01)[04]"/>
             <p>media sanitization and disposal actions are documented;</p>
+            <link rel="assessment-for" href="#mp-6.1_smt"/>
           </part>
           <part id="mp-6.1_obj-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(01)[05]"/>
             <p>media sanitization and disposal actions are verified.</p>
+            <link rel="assessment-for" href="#mp-6.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-6.1_smt"/>
         </part>
         <part id="mp-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37483,11 +39525,14 @@
           <part id="mp-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(02)[01]"/>
             <p>sanitization equipment is tested <insert type="param" id-ref="mp-06.02_odp.01"/> to ensure that the intended sanitization is being achieved;</p>
+            <link rel="assessment-for" href="#mp-6.2_smt"/>
           </part>
           <part id="mp-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-06(02)[02]"/>
             <p>sanitization procedures are tested <insert type="param" id-ref="mp-06.02_odp.02"/> to ensure that the intended sanitization is being achieved.</p>
+            <link rel="assessment-for" href="#mp-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-6.2_smt"/>
         </part>
         <part id="mp-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37550,6 +39595,7 @@
         <part id="mp-6.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-06(03)"/>
           <p>non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under <insert type="param" id-ref="mp-06.03_odp"/>.</p>
+          <link rel="assessment-for" href="#mp-6.3_smt"/>
         </part>
         <part id="mp-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37632,6 +39678,7 @@
         <part id="mp-6.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-06(07)"/>
           <p>dual authorization for sanitization of <insert type="param" id-ref="mp-06.07_odp"/> is enforced.</p>
+          <link rel="assessment-for" href="#mp-6.7_smt"/>
         </part>
         <part id="mp-6.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37707,6 +39754,7 @@
         <part id="mp-6.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-06(08)"/>
           <p>the capability to purge or wipe information from <insert type="param" id-ref="mp-06.08_odp.01"/> <insert type="param" id-ref="mp-06.08_odp.02"/> is provided.</p>
+          <link rel="assessment-for" href="#mp-6.8_smt"/>
         </part>
         <part id="mp-6.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37806,11 +39854,14 @@
         <part id="mp-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-07a."/>
           <p>the use of <insert type="param" id-ref="mp-07_odp.01"/> is <insert type="param" id-ref="mp-07_odp.02"/> on <insert type="param" id-ref="mp-07_odp.03"/> using <insert type="param" id-ref="mp-07_odp.04"/>;</p>
+          <link rel="assessment-for" href="#mp-7_smt.a"/>
         </part>
         <part id="mp-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-07b."/>
           <p>the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.</p>
+          <link rel="assessment-for" href="#mp-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#mp-7_smt"/>
       </part>
       <part id="mp-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37871,11 +39922,14 @@
           <part id="mp-7.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-07(02)[01]"/>
             <p>sanitization-resistant media is identified;</p>
+            <link rel="assessment-for" href="#mp-7.2_smt"/>
           </part>
           <part id="mp-7.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-07(02)[02]"/>
             <p>the use of sanitization-resistant media in organizational systems is prohibited.</p>
+            <link rel="assessment-for" href="#mp-7.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-7.2_smt"/>
         </part>
         <part id="mp-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -37961,31 +40015,40 @@
           <part id="mp-8_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08a.[01]"/>
             <p>a <insert type="param" id-ref="mp-08_odp.01"/> is established;</p>
+            <link rel="assessment-for" href="#mp-8_smt.a"/>
           </part>
           <part id="mp-8_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08a.[02]"/>
             <p>the <insert type="param" id-ref="mp-08_odp.01"/> includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;</p>
+            <link rel="assessment-for" href="#mp-8_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#mp-8_smt.a"/>
         </part>
         <part id="mp-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-08b."/>
           <part id="mp-8_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08b.[01]"/>
             <p>there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;</p>
+            <link rel="assessment-for" href="#mp-8_smt.b"/>
           </part>
           <part id="mp-8_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08b.[02]"/>
             <p>there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;</p>
+            <link rel="assessment-for" href="#mp-8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#mp-8_smt.b"/>
         </part>
         <part id="mp-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-08c."/>
           <p><insert type="param" id-ref="mp-08_odp.02"/> is identified;</p>
+          <link rel="assessment-for" href="#mp-8_smt.c"/>
         </part>
         <part id="mp-8_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-08d."/>
           <p>the identified system media is downgraded using the <insert type="param" id-ref="mp-08_odp.01"/>.</p>
+          <link rel="assessment-for" href="#mp-8_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#mp-8_smt"/>
       </part>
       <part id="mp-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38034,6 +40097,7 @@
         <part id="mp-8.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="MP-08(01)"/>
           <p>system media downgrading actions are documented.</p>
+          <link rel="assessment-for" href="#mp-8.1_smt"/>
         </part>
         <part id="mp-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38104,11 +40168,14 @@
           <part id="mp-8.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(02)[01]"/>
             <p>downgrading equipment is tested <insert type="param" id-ref="mp-08.02_odp.01"/> to ensure that downgrading actions are being achieved;</p>
+            <link rel="assessment-for" href="#mp-8.2_smt"/>
           </part>
           <part id="mp-8.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(02)[02]"/>
             <p>downgrading procedures are tested <insert type="param" id-ref="mp-08.02_odp.02"/> to ensure that downgrading actions are being achieved.</p>
+            <link rel="assessment-for" href="#mp-8.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-8.2_smt"/>
         </part>
         <part id="mp-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38159,11 +40226,14 @@
           <part id="mp-8.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(03)[01]"/>
             <p>system media containing controlled unclassified information is identified;</p>
+            <link rel="assessment-for" href="#mp-8.3_smt"/>
           </part>
           <part id="mp-8.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(03)[02]"/>
             <p>system media containing controlled unclassified information is downgraded prior to public release.</p>
+            <link rel="assessment-for" href="#mp-8.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-8.3_smt"/>
         </part>
         <part id="mp-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38213,11 +40283,14 @@
           <part id="mp-8.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(04)[01]"/>
             <p>system media containing classified information is identified;</p>
+            <link rel="assessment-for" href="#mp-8.4_smt"/>
           </part>
           <part id="mp-8.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="MP-08(04)[02]"/>
             <p>system media containing classified information is downgraded prior to release to individuals without required access authorizations.</p>
+            <link rel="assessment-for" href="#mp-8.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#mp-8.4_smt"/>
         </part>
         <part id="mp-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38385,18 +40458,22 @@
           <part id="pe-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01a.[01]"/>
             <p>a physical and environmental protection policy is developed and documented;</p>
+            <link rel="assessment-for" href="#pe-1_smt.a"/>
           </part>
           <part id="pe-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01a.[02]"/>
             <p>the physical and environmental protection policy is disseminated to <insert type="param" id-ref="pe-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pe-1_smt.a"/>
           </part>
           <part id="pe-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01a.[03]"/>
             <p>physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;</p>
+            <link rel="assessment-for" href="#pe-1_smt.a"/>
           </part>
           <part id="pe-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01a.[04]"/>
             <p>the physical and environmental protection procedures are disseminated to <insert type="param" id-ref="pe-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pe-1_smt.a"/>
           </part>
           <part id="pe-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01a.01"/>
@@ -38405,41 +40482,53 @@
               <part id="pe-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses purpose;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses scope;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses roles;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
               <part id="pe-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PE-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy addresses compliance;</p>
+                <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#pe-1_smt.a.1.a"/>
             </part>
             <part id="pe-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-01a.01(b)"/>
               <p>the <insert type="param" id-ref="pe-01_odp.03"/> physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#pe-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#pe-1_smt.a"/>
         </part>
         <part id="pe-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-01b."/>
           <p>the <insert type="param" id-ref="pe-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;</p>
+          <link rel="assessment-for" href="#pe-1_smt.b"/>
         </part>
         <part id="pe-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-01c."/>
@@ -38448,24 +40537,32 @@
             <part id="pe-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-01c.01[01]"/>
               <p>the current physical and environmental protection policy is reviewed and updated <insert type="param" id-ref="pe-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#pe-1_smt.c.1"/>
             </part>
             <part id="pe-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-01c.01[02]"/>
               <p>the current physical and environmental protection policy is reviewed and updated following <insert type="param" id-ref="pe-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#pe-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt.c.1"/>
           </part>
           <part id="pe-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-01c.02"/>
             <part id="pe-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-01c.02[01]"/>
               <p>the current physical and environmental protection procedures are reviewed and updated <insert type="param" id-ref="pe-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#pe-1_smt.c.2"/>
             </part>
             <part id="pe-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-01c.02[02]"/>
               <p>the current physical and environmental protection procedures are reviewed and updated following <insert type="param" id-ref="pe-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#pe-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#pe-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#pe-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pe-1_smt"/>
       </part>
       <part id="pe-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38547,28 +40644,36 @@
           <part id="pe-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-02a.[01]"/>
             <p>a list of individuals with authorized access to the facility where the system resides has been developed;</p>
+            <link rel="assessment-for" href="#pe-2_smt.a"/>
           </part>
           <part id="pe-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-02a.[02]"/>
             <p>the list of individuals with authorized access to the facility where the system resides has been approved;</p>
+            <link rel="assessment-for" href="#pe-2_smt.a"/>
           </part>
           <part id="pe-2_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-02a.[03]"/>
             <p>the list of individuals with authorized access to the facility where the system resides has been maintained;</p>
+            <link rel="assessment-for" href="#pe-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pe-2_smt.a"/>
         </part>
         <part id="pe-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02b."/>
           <p>authorization credentials are issued for facility access;</p>
+          <link rel="assessment-for" href="#pe-2_smt.b"/>
         </part>
         <part id="pe-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02c."/>
           <p>the access list detailing authorized facility access by individuals is reviewed <insert type="param" id-ref="pe-02_odp"/>;</p>
+          <link rel="assessment-for" href="#pe-2_smt.c"/>
         </part>
         <part id="pe-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02d."/>
           <p>individuals are removed from the facility access list when access is no longer required.</p>
+          <link rel="assessment-for" href="#pe-2_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pe-2_smt"/>
       </part>
       <part id="pe-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38620,6 +40725,7 @@
         <part id="pe-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02(01)"/>
           <p>physical access to the facility where the system resides is authorized based on position or role.</p>
+          <link rel="assessment-for" href="#pe-2.1_smt"/>
         </part>
         <part id="pe-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38679,6 +40785,7 @@
         <part id="pe-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02(02)"/>
           <p>two forms of identification are required from <insert type="param" id-ref="pe-02.02_odp"/> for visitor access to the facility where the system resides.</p>
+          <link rel="assessment-for" href="#pe-2.2_smt"/>
         </part>
         <part id="pe-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38748,6 +40855,7 @@
         <part id="pe-2.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-02(03)"/>
           <p>unescorted access to the facility where the system resides is restricted to personnel with <insert type="param" id-ref="pe-02.03_odp.01"/>.</p>
+          <link rel="assessment-for" href="#pe-2.3_smt"/>
         </part>
         <part id="pe-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -38951,61 +41059,78 @@
           <part id="pe-3_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03a.01"/>
             <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by verifying individual access authorizations before granting access to the facility;</p>
+            <link rel="assessment-for" href="#pe-3_smt.a.1"/>
           </part>
           <part id="pe-3_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03a.02"/>
             <p>physical access authorizations are enforced at <insert type="param" id-ref="pe-03_odp.01"/> by controlling ingress and egress to the facility using <insert type="param" id-ref="pe-03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pe-3_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#pe-3_smt.a"/>
         </part>
         <part id="pe-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03b."/>
           <p>physical access audit logs are maintained for <insert type="param" id-ref="pe-03_odp.04"/>;</p>
+          <link rel="assessment-for" href="#pe-3_smt.b"/>
         </part>
         <part id="pe-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03c."/>
           <p>access to areas within the facility designated as publicly accessible are maintained by implementing <insert type="param" id-ref="pe-03_odp.05"/>;</p>
+          <link rel="assessment-for" href="#pe-3_smt.c"/>
         </part>
         <part id="pe-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03d."/>
           <part id="pe-3_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03d.[01]"/>
             <p>visitors are escorted;</p>
+            <link rel="assessment-for" href="#pe-3_smt.d"/>
           </part>
           <part id="pe-3_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03d.[02]"/>
             <p>visitor activity is controlled <insert type="param" id-ref="pe-03_odp.06"/>;</p>
+            <link rel="assessment-for" href="#pe-3_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pe-3_smt.d"/>
         </part>
         <part id="pe-3_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03e."/>
           <part id="pe-3_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03e.[01]"/>
             <p>keys are secured;</p>
+            <link rel="assessment-for" href="#pe-3_smt.e"/>
           </part>
           <part id="pe-3_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03e.[02]"/>
             <p>combinations are secured;</p>
+            <link rel="assessment-for" href="#pe-3_smt.e"/>
           </part>
           <part id="pe-3_obj.e-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03e.[03]"/>
             <p>other physical access devices are secured;</p>
+            <link rel="assessment-for" href="#pe-3_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#pe-3_smt.e"/>
         </part>
         <part id="pe-3_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03f."/>
           <p><insert type="param" id-ref="pe-03_odp.07"/> are inventoried <insert type="param" id-ref="pe-03_odp.08"/>;</p>
+          <link rel="assessment-for" href="#pe-3_smt.f"/>
         </part>
         <part id="pe-3_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03g."/>
           <part id="pe-3_obj.g-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03g.[01]"/>
             <p>combinations are changed <insert type="param" id-ref="pe-03_odp.09"/> , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;</p>
+            <link rel="assessment-for" href="#pe-3_smt.g"/>
           </part>
           <part id="pe-3_obj.g-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03g.[02]"/>
             <p>keys are changed <insert type="param" id-ref="pe-03_odp.10"/> , when keys are lost, or when individuals possessing the keys are transferred or terminated.</p>
+            <link rel="assessment-for" href="#pe-3_smt.g"/>
           </part>
+          <link rel="assessment-for" href="#pe-3_smt.g"/>
         </part>
+        <link rel="assessment-for" href="#pe-3_smt"/>
       </part>
       <part id="pe-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39068,11 +41193,14 @@
           <part id="pe-3.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03(01)[01]"/>
             <p>physical access authorizations to the system are enforced;</p>
+            <link rel="assessment-for" href="#pe-3.1_smt"/>
           </part>
           <part id="pe-3.1_obj.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-03(01)[02]"/>
             <p>physical access controls are enforced for the facility at <insert type="param" id-ref="pe-03.01_odp"/>.</p>
+            <link rel="assessment-for" href="#pe-3.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-3.1_smt"/>
         </part>
         <part id="pe-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39133,6 +41261,7 @@
         <part id="pe-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(02)"/>
           <p>security checks are performed <insert type="param" id-ref="pe-03.02_odp"/> at the physical perimeter of the facility or system for exfiltration of information or removal of system components.</p>
+          <link rel="assessment-for" href="#pe-3.2_smt"/>
         </part>
         <part id="pe-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39195,6 +41324,7 @@
         <part id="pe-3.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(03)"/>
           <p>guards are employed to control <insert type="param" id-ref="pe-03.03_odp"/> to the facility where the system resides 24 hours per day, 7 days per week.</p>
+          <link rel="assessment-for" href="#pe-3.3_smt"/>
         </part>
         <part id="pe-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39252,6 +41382,7 @@
         <part id="pe-3.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(04)"/>
           <p>lockable physical casings are used to protect <insert type="param" id-ref="pe-03.04_odp"/> from unauthorized access.</p>
+          <link rel="assessment-for" href="#pe-3.4_smt"/>
         </part>
         <part id="pe-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39324,6 +41455,7 @@
         <part id="pe-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(05)"/>
           <p><insert type="param" id-ref="pe-03.05_odp.01"/> are employed to <insert type="param" id-ref="pe-03.05_odp.02"/> physical tampering or alteration of <insert type="param" id-ref="pe-03.05_odp.03"/> within the system.</p>
+          <link rel="assessment-for" href="#pe-3.5_smt"/>
         </part>
         <part id="pe-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39377,6 +41509,7 @@
         <part id="pe-3.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(07)"/>
           <p>physical barriers are used to limit access.</p>
+          <link rel="assessment-for" href="#pe-3.7_smt"/>
         </part>
         <part id="pe-3.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39423,6 +41556,7 @@
         <part id="pe-3.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-03(08)"/>
           <p>access control vestibules are employed at <insert type="param" id-ref="pe-03.08_odp"/>.</p>
+          <link rel="assessment-for" href="#pe-3.8_smt"/>
         </part>
         <part id="pe-3.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39493,6 +41627,7 @@
       <part id="pe-4_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-04"/>
         <p>physical access to <insert type="param" id-ref="pe-04_odp.01"/> within organizational facilities is controlled using <insert type="param" id-ref="pe-04_odp.02"/>.</p>
+        <link rel="assessment-for" href="#pe-4_smt"/>
       </part>
       <part id="pe-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39552,6 +41687,7 @@
       <part id="pe-5_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-05"/>
         <p>physical access to output from <insert type="param" id-ref="pe-05_odp"/> is controlled to prevent unauthorized individuals from obtaining the output.</p>
+        <link rel="assessment-for" href="#pe-5_smt"/>
       </part>
       <part id="pe-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39607,6 +41743,7 @@
         <part id="pe-5.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-05(02)"/>
           <p>individual identity is linked to the receipt of output from output devices.</p>
+          <link rel="assessment-for" href="#pe-5.2_smt"/>
         </part>
         <part id="pe-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39708,29 +41845,37 @@
         <part id="pe-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-06a."/>
           <p>physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;</p>
+          <link rel="assessment-for" href="#pe-6_smt.a"/>
         </part>
         <part id="pe-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-06b."/>
           <part id="pe-6_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06b.[01]"/>
             <p>physical access logs are reviewed <insert type="param" id-ref="pe-06_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pe-6_smt.b"/>
           </part>
           <part id="pe-6_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06b.[02]"/>
             <p>physical access logs are reviewed upon occurrence of <insert type="param" id-ref="pe-06_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pe-6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pe-6_smt.b"/>
         </part>
         <part id="pe-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-06c."/>
           <part id="pe-6_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06c.[01]"/>
             <p>results of reviews are coordinated with organizational incident response capabilities;</p>
+            <link rel="assessment-for" href="#pe-6_smt.c"/>
           </part>
           <part id="pe-6_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06c.[02]"/>
             <p>results of investigations are coordinated with organizational incident response capabilities.</p>
+            <link rel="assessment-for" href="#pe-6_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pe-6_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pe-6_smt"/>
       </part>
       <part id="pe-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39782,11 +41927,14 @@
           <part id="pe-6.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(01)[01]"/>
             <p>physical access to the facility where the system resides is monitored using physical intrusion alarms;</p>
+            <link rel="assessment-for" href="#pe-6.1_smt"/>
           </part>
           <part id="pe-6.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(01)[02]"/>
             <p>physical access to the facility where the system resides is monitored using physical surveillance equipment.</p>
+            <link rel="assessment-for" href="#pe-6.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-6.1_smt"/>
         </part>
         <part id="pe-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39867,11 +42015,14 @@
           <part id="pe-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(02)[01]"/>
             <p><insert type="param" id-ref="pe-06.02_odp.01"/> are recognized;</p>
+            <link rel="assessment-for" href="#pe-6.2_smt"/>
           </part>
           <part id="pe-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(02)[02]"/>
             <p><insert type="param" id-ref="pe-06.02_odp.02"/> are initiated using <insert type="param" id-ref="pe-06.02_odp.03"/>.</p>
+            <link rel="assessment-for" href="#pe-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-6.2_smt"/>
         </part>
         <part id="pe-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -39960,15 +42111,19 @@
           <part id="pe-6.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(03)(a)"/>
             <p>video surveillance of <insert type="param" id-ref="pe-06.03_odp.01"/> is employed;</p>
+            <link rel="assessment-for" href="#pe-6.3_smt.a"/>
           </part>
           <part id="pe-6.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(03)(b)"/>
             <p>video recordings are reviewed <insert type="param" id-ref="pe-06.03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pe-6.3_smt.b"/>
           </part>
           <part id="pe-6.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-06(03)(c)"/>
             <p>video recordings are retained for <insert type="param" id-ref="pe-06.03_odp.03"/>.</p>
+            <link rel="assessment-for" href="#pe-6.3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pe-6.3_smt"/>
         </part>
         <part id="pe-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40030,6 +42185,7 @@
         <part id="pe-6.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-06(04)"/>
           <p>physical access to the system is monitored in addition to the physical access monitoring of the facility at <insert type="param" id-ref="pe-06.04_odp"/>.</p>
+          <link rel="assessment-for" href="#pe-6.4_smt"/>
         </part>
         <part id="pe-6.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40132,15 +42288,19 @@
         <part id="pe-8_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-08a."/>
           <p>visitor access records for the facility where the system resides are maintained for <insert type="param" id-ref="pe-08_odp.01"/>;</p>
+          <link rel="assessment-for" href="#pe-8_smt.a"/>
         </part>
         <part id="pe-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-08b."/>
           <p>visitor access records are reviewed <insert type="param" id-ref="pe-08_odp.02"/>;</p>
+          <link rel="assessment-for" href="#pe-8_smt.b"/>
         </part>
         <part id="pe-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-08c."/>
           <p>visitor access records anomalies are reported to <insert type="param" id-ref="pe-08_odp.03"/>.</p>
+          <link rel="assessment-for" href="#pe-8_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pe-8_smt"/>
       </part>
       <part id="pe-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40210,11 +42370,14 @@
           <part id="pe-8.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-08(01)[01]"/>
             <p>visitor access records are maintained using <insert type="param" id-ref="pe-08.01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pe-8.1_smt"/>
           </part>
           <part id="pe-8.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-08(01)[02]"/>
             <p>visitor access records are reviewed using <insert type="param" id-ref="pe-08.01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#pe-8.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-8.1_smt"/>
         </part>
         <part id="pe-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40280,6 +42443,7 @@
         <part id="pe-8.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-08(03)"/>
           <p>personally identifiable information contained in visitor access records is limited to <insert type="param" id-ref="pe-08.03_odp"/> identified in the privacy risk assessment.</p>
+          <link rel="assessment-for" href="#pe-8.3_smt"/>
         </part>
         <part id="pe-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40331,11 +42495,14 @@
         <part id="pe-9_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-09[01]"/>
           <p>power equipment for the system is protected from damage and destruction;</p>
+          <link rel="assessment-for" href="#pe-9_smt"/>
         </part>
         <part id="pe-9_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-09[02]"/>
           <p>power cabling for the system is protected from damage and destruction.</p>
+          <link rel="assessment-for" href="#pe-9_smt"/>
         </part>
+        <link rel="assessment-for" href="#pe-9_smt"/>
       </part>
       <part id="pe-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40387,6 +42554,7 @@
         <part id="pe-9.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-09(01)"/>
           <p>redundant power cabling paths that are physically separated by <insert type="param" id-ref="pe-09.01_odp"/> are employed.</p>
+          <link rel="assessment-for" href="#pe-9.1_smt"/>
         </part>
         <part id="pe-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40439,6 +42607,7 @@
         <part id="pe-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-09(02)"/>
           <p>automatic voltage controls for <insert type="param" id-ref="pe-09.02_odp"/> are employed.</p>
+          <link rel="assessment-for" href="#pe-9.2_smt"/>
         </part>
         <part id="pe-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40516,15 +42685,19 @@
         <part id="pe-10_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-10a."/>
           <p>the capability to shut off power to <insert type="param" id-ref="pe-10_odp.01"/> in emergency situations is provided;</p>
+          <link rel="assessment-for" href="#pe-10_smt.a"/>
         </part>
         <part id="pe-10_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-10b."/>
           <p>emergency shutoff switches or devices are placed in <insert type="param" id-ref="pe-10_odp.02"/> to facilitate access for authorized personnel;</p>
+          <link rel="assessment-for" href="#pe-10_smt.b"/>
         </part>
         <part id="pe-10_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-10c."/>
           <p>the emergency power shutoff capability is protected from unauthorized activation.</p>
+          <link rel="assessment-for" href="#pe-10_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pe-10_smt"/>
       </part>
       <part id="pe-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40589,6 +42762,7 @@
       <part id="pe-11_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-11"/>
         <p>an uninterruptible power supply is provided to facilitate <insert type="param" id-ref="pe-11_odp"/> in the event of a primary power source loss.</p>
+        <link rel="assessment-for" href="#pe-11_smt"/>
       </part>
       <part id="pe-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40645,11 +42819,14 @@
           <part id="pe-11.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11(01)[01]"/>
             <p>an alternate power supply provided for the system is activated <insert type="param" id-ref="pe-11.01_odp"/>;</p>
+            <link rel="assessment-for" href="#pe-11.1_smt"/>
           </part>
           <part id="pe-11.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11(01)[02]"/>
             <p>the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.</p>
+            <link rel="assessment-for" href="#pe-11.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-11.1_smt"/>
         </part>
         <part id="pe-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40728,15 +42905,19 @@
           <part id="pe-11.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11(02)(a)"/>
             <p>the alternate power supply provided for the system is self-contained;</p>
+            <link rel="assessment-for" href="#pe-11.2_smt.a"/>
           </part>
           <part id="pe-11.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11(02)(b)"/>
             <p>the alternate power supply provided for the system is not reliant on external power generation;</p>
+            <link rel="assessment-for" href="#pe-11.2_smt.b"/>
           </part>
           <part id="pe-11.2_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-11(02)(c)"/>
             <p>the alternate power supply provided for the system is capable of maintaining <insert type="param" id-ref="pe-11.02_odp.02"/> in the event of an extended loss of the primary power source.</p>
+            <link rel="assessment-for" href="#pe-11.2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pe-11.2_smt"/>
         </part>
         <part id="pe-11.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40788,19 +42969,24 @@
         <part id="pe-12_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-12[01]"/>
           <p>automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;</p>
+          <link rel="assessment-for" href="#pe-12_smt"/>
         </part>
         <part id="pe-12_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-12[02]"/>
           <p>automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;</p>
+          <link rel="assessment-for" href="#pe-12_smt"/>
         </part>
         <part id="pe-12_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-12[03]"/>
           <p>automatic emergency lighting for the system covers emergency exits within the facility;</p>
+          <link rel="assessment-for" href="#pe-12_smt"/>
         </part>
         <part id="pe-12_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-12[04]"/>
           <p>automatic emergency lighting for the system covers evacuation routes within the facility.</p>
+          <link rel="assessment-for" href="#pe-12_smt"/>
         </part>
+        <link rel="assessment-for" href="#pe-12_smt"/>
       </part>
       <part id="pe-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40846,6 +43032,7 @@
         <part id="pe-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-12(01)"/>
           <p>emergency lighting is provided for all areas within the facility supporting essential mission and business functions.</p>
+          <link rel="assessment-for" href="#pe-12.1_smt"/>
         </part>
         <part id="pe-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40896,27 +43083,34 @@
         <part id="pe-13_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[01]"/>
           <p>fire detection systems are employed;</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
         <part id="pe-13_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[02]"/>
           <p>employed fire detection systems are supported by an independent energy source;</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
         <part id="pe-13_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[03]"/>
           <p>employed fire detection systems are maintained;</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
         <part id="pe-13_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[04]"/>
           <p>fire suppression systems are employed;</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
         <part id="pe-13_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[05]"/>
           <p>employed fire suppression systems are supported by an independent energy source;</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
         <part id="pe-13_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-13[06]"/>
           <p>employed fire suppression systems are maintained.</p>
+          <link rel="assessment-for" href="#pe-13_smt"/>
         </part>
+        <link rel="assessment-for" href="#pe-13_smt"/>
       </part>
       <part id="pe-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -40980,15 +43174,19 @@
           <part id="pe-13.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(01)[01]"/>
             <p>fire detection systems that activate automatically are employed in the event of a fire;</p>
+            <link rel="assessment-for" href="#pe-13.1_smt"/>
           </part>
           <part id="pe-13.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(01)[02]"/>
             <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.01"/> automatically are employed in the event of a fire;</p>
+            <link rel="assessment-for" href="#pe-13.1_smt"/>
           </part>
           <part id="pe-13.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(01)[03]"/>
             <p>fire detection systems that notify <insert type="param" id-ref="pe-13.01_odp.02"/> automatically are employed in the event of a fire.</p>
+            <link rel="assessment-for" href="#pe-13.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-13.1_smt"/>
         </part>
         <part id="pe-13.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41067,20 +43265,26 @@
             <part id="pe-13.2_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-13(02)(a)[01]"/>
               <p>fire suppression systems that activate automatically are employed;</p>
+              <link rel="assessment-for" href="#pe-13.2_smt.a"/>
             </part>
             <part id="pe-13.2_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-13(02)(a)[02]"/>
               <p>fire suppression systems that notify <insert type="param" id-ref="pe-13.02_odp.01"/> automatically are employed;</p>
+              <link rel="assessment-for" href="#pe-13.2_smt.a"/>
             </part>
             <part id="pe-13.2_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PE-13(02)(a)[03]"/>
               <p>fire suppression systems that notify <insert type="param" id-ref="pe-13.02_odp.02"/> automatically are employed;</p>
+              <link rel="assessment-for" href="#pe-13.2_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#pe-13.2_smt.a"/>
           </part>
           <part id="pe-13.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(02)(b)"/>
             <p>an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.</p>
+            <link rel="assessment-for" href="#pe-13.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pe-13.2_smt"/>
         </part>
         <part id="pe-13.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41157,11 +43361,14 @@
           <part id="pe-13.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(04)[01]"/>
             <p>the facility undergoes fire protection inspections <insert type="param" id-ref="pe-13.04_odp.01"/> by authorized and qualified inspectors;</p>
+            <link rel="assessment-for" href="#pe-13.4_smt"/>
           </part>
           <part id="pe-13.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-13(04)[02]"/>
             <p>the identified deficiencies from fire protection inspections are resolved within <insert type="param" id-ref="pe-13.04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#pe-13.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-13.4_smt"/>
         </part>
         <part id="pe-13.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41249,11 +43456,14 @@
         <part id="pe-14_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-14a."/>
           <p><insert type="param" id-ref="pe-14_odp.01"/> levels are maintained at <insert type="param" id-ref="pe-14_odp.03"/> within the facility where the system resides;</p>
+          <link rel="assessment-for" href="#pe-14_smt.a"/>
         </part>
         <part id="pe-14_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-14b."/>
           <p>environmental control levels are monitored <insert type="param" id-ref="pe-14_odp.04"/>.</p>
+          <link rel="assessment-for" href="#pe-14_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pe-14_smt"/>
       </part>
       <part id="pe-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41308,6 +43518,7 @@
         <part id="pe-14.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-14(01)"/>
           <p><insert type="param" id-ref="pe-14.01_odp"/> are employed in the facility to prevent fluctuations that are potentially harmful to the system.</p>
+          <link rel="assessment-for" href="#pe-14.1_smt"/>
         </part>
         <part id="pe-14.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41365,11 +43576,14 @@
           <part id="pe-14.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-14(02)[01]"/>
             <p>environmental control monitoring is employed;</p>
+            <link rel="assessment-for" href="#pe-14.2_smt"/>
           </part>
           <part id="pe-14.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-14(02)[02]"/>
             <p>the environmental control monitoring capability provides an alarm or notification to <insert type="param" id-ref="pe-14.02_odp"/> when changes are potentially harmful to personnel or equipment.</p>
+            <link rel="assessment-for" href="#pe-14.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-14.2_smt"/>
         </part>
         <part id="pe-14.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41420,19 +43634,24 @@
         <part id="pe-15_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-15[01]"/>
           <p>the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;</p>
+          <link rel="assessment-for" href="#pe-15_smt"/>
         </part>
         <part id="pe-15_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-15[02]"/>
           <p>the master shutoff or isolation valves are accessible;</p>
+          <link rel="assessment-for" href="#pe-15_smt"/>
         </part>
         <part id="pe-15_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-15[03]"/>
           <p>the master shutoff or isolation valves are working properly;</p>
+          <link rel="assessment-for" href="#pe-15_smt"/>
         </part>
         <part id="pe-15_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-15[04]"/>
           <p>the master shutoff or isolation valves are known to key personnel.</p>
+          <link rel="assessment-for" href="#pe-15_smt"/>
         </part>
+        <link rel="assessment-for" href="#pe-15_smt"/>
       </part>
       <part id="pe-15_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41498,11 +43717,14 @@
           <part id="pe-15.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-15(01)[01]"/>
             <p>the presence of water near the system can be detected automatically;</p>
+            <link rel="assessment-for" href="#pe-15.1_smt"/>
           </part>
           <part id="pe-15.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-15(01)[02]"/>
             <p><insert type="param" id-ref="pe-15.01_odp.01"/> is/are alerted using <insert type="param" id-ref="pe-15.01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#pe-15.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-15.1_smt"/>
         </part>
         <part id="pe-15.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41590,24 +43812,31 @@
           <part id="pe-16_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-16a.[01]"/>
             <p><insert type="param" id-ref="pe-16_odp.01"/> are authorized when entering the facility;</p>
+            <link rel="assessment-for" href="#pe-16_smt.a"/>
           </part>
           <part id="pe-16_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-16a.[02]"/>
             <p><insert type="param" id-ref="pe-16_odp.01"/> are controlled when entering the facility;</p>
+            <link rel="assessment-for" href="#pe-16_smt.a"/>
           </part>
           <part id="pe-16_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-16a.[03]"/>
             <p><insert type="param" id-ref="pe-16_odp.02"/> are authorized when exiting the facility;</p>
+            <link rel="assessment-for" href="#pe-16_smt.a"/>
           </part>
           <part id="pe-16_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-16a.[04]"/>
             <p><insert type="param" id-ref="pe-16_odp.02"/> are controlled when exiting the facility;</p>
+            <link rel="assessment-for" href="#pe-16_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pe-16_smt.a"/>
         </part>
         <part id="pe-16_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-16b."/>
           <p>records of the system components are maintained.</p>
+          <link rel="assessment-for" href="#pe-16_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pe-16_smt"/>
       </part>
       <part id="pe-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41690,19 +43919,24 @@
         <part id="pe-17_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-17a."/>
           <p><insert type="param" id-ref="pe-17_odp.01"/> are determined and documented;</p>
+          <link rel="assessment-for" href="#pe-17_smt.a"/>
         </part>
         <part id="pe-17_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-17b."/>
           <p><insert type="param" id-ref="pe-17_odp.02"/> are employed at alternate work sites;</p>
+          <link rel="assessment-for" href="#pe-17_smt.b"/>
         </part>
         <part id="pe-17_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-17c."/>
           <p>the effectiveness of controls at alternate work sites is assessed;</p>
+          <link rel="assessment-for" href="#pe-17_smt.c"/>
         </part>
         <part id="pe-17_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-17d."/>
           <p>a means for employees to communicate with information security and privacy personnel in case of incidents is provided.</p>
+          <link rel="assessment-for" href="#pe-17_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pe-17_smt"/>
       </part>
       <part id="pe-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41766,6 +44000,7 @@
       <part id="pe-18_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-18"/>
         <p>system components are positioned within the facility to minimize potential damage from <insert type="param" id-ref="pe-18_odp"/> and to minimize the opportunity for unauthorized access.</p>
+        <link rel="assessment-for" href="#pe-18_smt"/>
       </part>
       <part id="pe-18_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41823,6 +44058,7 @@
       <part id="pe-19_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-19"/>
         <p>the system is protected from information leakage due to electromagnetic signal emanations.</p>
+        <link rel="assessment-for" href="#pe-19_smt"/>
       </part>
       <part id="pe-19_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41870,15 +44106,19 @@
           <part id="pe-19.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-19(01)[01]"/>
             <p>system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;</p>
+            <link rel="assessment-for" href="#pe-19.1_smt"/>
           </part>
           <part id="pe-19.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-19(01)[02]"/>
             <p>associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;</p>
+            <link rel="assessment-for" href="#pe-19.1_smt"/>
           </part>
           <part id="pe-19.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PE-19(01)[03]"/>
             <p>networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.</p>
+            <link rel="assessment-for" href="#pe-19.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pe-19.1_smt"/>
         </part>
         <part id="pe-19.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -41950,6 +44190,7 @@
       <part id="pe-20_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-20"/>
         <p><insert type="param" id-ref="pe-20_odp.01"/> are employed to track and monitor the location and movement of <insert type="param" id-ref="pe-20_odp.02"/> within <insert type="param" id-ref="pe-20_odp.03"/>.</p>
+        <link rel="assessment-for" href="#pe-20_smt"/>
       </part>
       <part id="pe-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42018,6 +44259,7 @@
       <part id="pe-21_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-21"/>
         <p><insert type="param" id-ref="pe-21_odp.01"/> are employed against electromagnetic pulse damage for <insert type="param" id-ref="pe-21_odp.02"/>.</p>
+        <link rel="assessment-for" href="#pe-21_smt"/>
       </part>
       <part id="pe-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42076,6 +44318,7 @@
       <part id="pe-22_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PE-22"/>
         <p><insert type="param" id-ref="pe-22_odp"/> are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.</p>
+        <link rel="assessment-for" href="#pe-22_smt"/>
       </part>
       <part id="pe-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42139,11 +44382,14 @@
         <part id="pe-23_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-23a."/>
           <p>the location or site of the facility where the system resides is planned considering physical and environmental hazards;</p>
+          <link rel="assessment-for" href="#pe-23_smt.a"/>
         </part>
         <part id="pe-23_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PE-23b."/>
           <p>for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.</p>
+          <link rel="assessment-for" href="#pe-23_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pe-23_smt"/>
       </part>
       <part id="pe-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42310,18 +44556,22 @@
           <part id="pl-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01a.[01]"/>
             <p>a planning policy is developed and documented.</p>
+            <link rel="assessment-for" href="#pl-1_smt.a"/>
           </part>
           <part id="pl-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01a.[02]"/>
             <p>the planning policy is disseminated to <insert type="param" id-ref="pl-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pl-1_smt.a"/>
           </part>
           <part id="pl-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01a.[03]"/>
             <p>planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;</p>
+            <link rel="assessment-for" href="#pl-1_smt.a"/>
           </part>
           <part id="pl-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01a.[04]"/>
             <p>the planning procedures are disseminated to <insert type="param" id-ref="pl-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pl-1_smt.a"/>
           </part>
           <part id="pl-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01a.01"/>
@@ -42330,41 +44580,53 @@
               <part id="pl-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses purpose;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses scope;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses roles;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
               <part id="pl-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PL-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy addresses compliance;</p>
+                <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#pl-1_smt.a.1.a"/>
             </part>
             <part id="pl-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-01a.01(b)"/>
               <p>the <insert type="param" id-ref="pl-01_odp.03"/> planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#pl-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#pl-1_smt.a"/>
         </part>
         <part id="pl-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-01b."/>
           <p>the <insert type="param" id-ref="pl-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the planning policy and procedures;</p>
+          <link rel="assessment-for" href="#pl-1_smt.b"/>
         </part>
         <part id="pl-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-01c."/>
@@ -42373,24 +44635,32 @@
             <part id="pl-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-01c.01[01]"/>
               <p>the current planning policy is reviewed and updated <insert type="param" id-ref="pl-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#pl-1_smt.c.1"/>
             </part>
             <part id="pl-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-01c.01[02]"/>
               <p>the current planning policy is reviewed and updated following <insert type="param" id-ref="pl-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#pl-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt.c.1"/>
           </part>
           <part id="pl-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-01c.02"/>
             <part id="pl-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-01c.02[01]"/>
               <p>the current planning procedures are reviewed and updated <insert type="param" id-ref="pl-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#pl-1_smt.c.2"/>
             </part>
             <part id="pl-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-01c.02[02]"/>
               <p>the current planning procedures are reviewed and updated following <insert type="param" id-ref="pl-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#pl-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#pl-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#pl-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pl-1_smt"/>
       </part>
       <part id="pl-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42581,208 +44851,266 @@
             <part id="pl-2_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.01[01]"/>
               <p>a security plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.1"/>
             </part>
             <part id="pl-2_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.01[02]"/>
               <p>a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.1"/>
           </part>
           <part id="pl-2_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.02"/>
             <part id="pl-2_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.02[01]"/>
               <p>a security plan for the system is developed that explicitly defines the constituent system components;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.2"/>
             </part>
             <part id="pl-2_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.02[02]"/>
               <p>a privacy plan for the system is developed that explicitly defines the constituent system components;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.2"/>
           </part>
           <part id="pl-2_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.03"/>
             <part id="pl-2_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.03[01]"/>
               <p>a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.3"/>
             </part>
             <part id="pl-2_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.03[02]"/>
               <p>a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.3"/>
           </part>
           <part id="pl-2_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.04"/>
             <part id="pl-2_obj.a.4-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.04[01]"/>
               <p>a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.4"/>
             </part>
             <part id="pl-2_obj.a.4-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.04[02]"/>
               <p>a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.4"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.4"/>
           </part>
           <part id="pl-2_obj.a.5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.05"/>
             <part id="pl-2_obj.a.5-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.05[01]"/>
               <p>a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.5"/>
             </part>
             <part id="pl-2_obj.a.5-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.05[02]"/>
               <p>a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.5"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.5"/>
           </part>
           <part id="pl-2_obj.a.6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.06"/>
             <part id="pl-2_obj.a.6-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.06[01]"/>
               <p>a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.6"/>
             </part>
             <part id="pl-2_obj.a.6-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.06[02]"/>
               <p>a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.6"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.6"/>
           </part>
           <part id="pl-2_obj.a.7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.07"/>
             <part id="pl-2_obj.a.7-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.07[01]"/>
               <p>a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.7"/>
             </part>
             <part id="pl-2_obj.a.7-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.07[02]"/>
               <p>a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.7"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.7"/>
           </part>
           <part id="pl-2_obj.a.8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.08"/>
             <part id="pl-2_obj.a.8-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.08[01]"/>
               <p>a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.8"/>
             </part>
             <part id="pl-2_obj.a.8-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.08[02]"/>
               <p>a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.8"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.8"/>
           </part>
           <part id="pl-2_obj.a.9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.09"/>
             <part id="pl-2_obj.a.9-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.09[01]"/>
               <p>a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.9"/>
             </part>
             <part id="pl-2_obj.a.9-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.09[02]"/>
               <p>a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.9"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.9"/>
           </part>
           <part id="pl-2_obj.a.10" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.10"/>
             <part id="pl-2_obj.a.10-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.10[01]"/>
               <p>a security plan for the system is developed that provides an overview of the security requirements for the system;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.10"/>
             </part>
             <part id="pl-2_obj.a.10-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.10[02]"/>
               <p>a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.10"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.10"/>
           </part>
           <part id="pl-2_obj.a.11" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.11"/>
             <part id="pl-2_obj.a.11-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.11[01]"/>
               <p>a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.11"/>
             </part>
             <part id="pl-2_obj.a.11-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.11[02]"/>
               <p>a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.11"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.11"/>
           </part>
           <part id="pl-2_obj.a.12" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.12"/>
             <part id="pl-2_obj.a.12-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.12[01]"/>
               <p>a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.12"/>
             </part>
             <part id="pl-2_obj.a.12-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.12[02]"/>
               <p>a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.12"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.12"/>
           </part>
           <part id="pl-2_obj.a.13" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.13"/>
             <part id="pl-2_obj.a.13-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.13[01]"/>
               <p>a security plan for the system is developed that includes risk determinations for security architecture and design decisions;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.13"/>
             </part>
             <part id="pl-2_obj.a.13-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.13[02]"/>
               <p>a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.13"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.13"/>
           </part>
           <part id="pl-2_obj.a.14" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.14"/>
             <part id="pl-2_obj.a.14-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.14[01]"/>
               <p>a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.14"/>
             </part>
             <part id="pl-2_obj.a.14-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.14[02]"/>
               <p>a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with <insert type="param" id-ref="pl-02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.14"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.14"/>
           </part>
           <part id="pl-2_obj.a.15" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02a.15"/>
             <part id="pl-2_obj.a.15-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.15[01]"/>
               <p>a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.15"/>
             </part>
             <part id="pl-2_obj.a.15-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-02a.15[02]"/>
               <p>a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p>
+              <link rel="assessment-for" href="#pl-2_smt.a.15"/>
             </part>
+            <link rel="assessment-for" href="#pl-2_smt.a.15"/>
           </part>
+          <link rel="assessment-for" href="#pl-2_smt.a"/>
         </part>
         <part id="pl-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-02b."/>
           <part id="pl-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02b.[01]"/>
             <p>copies of the plans are distributed to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pl-2_smt.b"/>
           </part>
           <part id="pl-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02b.[02]"/>
             <p>subsequent changes to the plans are communicated to <insert type="param" id-ref="pl-02_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pl-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pl-2_smt.b"/>
         </part>
         <part id="pl-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-02c."/>
           <p>plans are reviewed <insert type="param" id-ref="pl-02_odp.03"/>;</p>
+          <link rel="assessment-for" href="#pl-2_smt.c"/>
         </part>
         <part id="pl-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-02d."/>
           <part id="pl-2_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02d.[01]"/>
             <p>plans are updated to address changes to the system and environment of operations;</p>
+            <link rel="assessment-for" href="#pl-2_smt.d"/>
           </part>
           <part id="pl-2_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02d.[02]"/>
             <p>plans are updated to address problems identified during the plan implementation;</p>
+            <link rel="assessment-for" href="#pl-2_smt.d"/>
           </part>
           <part id="pl-2_obj.d-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02d.[03]"/>
             <p>plans are updated to address problems identified during control assessments;</p>
+            <link rel="assessment-for" href="#pl-2_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pl-2_smt.d"/>
         </part>
         <part id="pl-2_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-02e."/>
           <part id="pl-2_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02e.[01]"/>
             <p>plans are protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#pl-2_smt.e"/>
           </part>
           <part id="pl-2_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-02e.[02]"/>
             <p>plans are protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#pl-2_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#pl-2_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#pl-2_smt"/>
       </part>
       <part id="pl-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -42932,24 +45260,31 @@
           <part id="pl-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-04a.[01]"/>
             <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;</p>
+            <link rel="assessment-for" href="#pl-4_smt.a"/>
           </part>
           <part id="pl-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-04a.[02]"/>
             <p>rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;</p>
+            <link rel="assessment-for" href="#pl-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pl-4_smt.a"/>
         </part>
         <part id="pl-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-04b."/>
           <p>before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;</p>
+          <link rel="assessment-for" href="#pl-4_smt.b"/>
         </part>
         <part id="pl-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-04c."/>
           <p>rules of behavior are reviewed and updated <insert type="param" id-ref="pl-04_odp.01"/>;</p>
+          <link rel="assessment-for" href="#pl-4_smt.c"/>
         </part>
         <part id="pl-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-04d."/>
           <p>individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge <insert type="param" id-ref="pl-04_odp.02"/>.</p>
+          <link rel="assessment-for" href="#pl-4_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pl-4_smt"/>
       </part>
       <part id="pl-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43014,15 +45349,19 @@
           <part id="pl-4.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-04(01)(a)"/>
             <p>the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;</p>
+            <link rel="assessment-for" href="#pl-4.1_smt.a"/>
           </part>
           <part id="pl-4.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-04(01)(b)"/>
             <p>the rules of behavior include restrictions on posting organizational information on public websites;</p>
+            <link rel="assessment-for" href="#pl-4.1_smt.b"/>
           </part>
           <part id="pl-4.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-04(01)(c)"/>
             <p>the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</p>
+            <link rel="assessment-for" href="#pl-4.1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pl-4.1_smt"/>
         </part>
         <part id="pl-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43107,11 +45446,14 @@
         <part id="pl-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-07a."/>
           <p>a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;</p>
+          <link rel="assessment-for" href="#pl-7_smt.a"/>
         </part>
         <part id="pl-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-07b."/>
           <p>the CONOPS is reviewed and updated <insert type="param" id-ref="pl-07_odp"/>.</p>
+          <link rel="assessment-for" href="#pl-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pl-7_smt"/>
       </part>
       <part id="pl-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43218,65 +45560,83 @@
           <part id="pl-8_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08a.01"/>
             <p>a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;</p>
+            <link rel="assessment-for" href="#pl-8_smt.a.1"/>
           </part>
           <part id="pl-8_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08a.02"/>
             <p>a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;</p>
+            <link rel="assessment-for" href="#pl-8_smt.a.2"/>
           </part>
           <part id="pl-8_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08a.03"/>
             <part id="pl-8_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08a.03[01]"/>
               <p>a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+              <link rel="assessment-for" href="#pl-8_smt.a.3"/>
             </part>
             <part id="pl-8_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08a.03[02]"/>
               <p>a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;</p>
+              <link rel="assessment-for" href="#pl-8_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#pl-8_smt.a.3"/>
           </part>
           <part id="pl-8_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08a.04"/>
             <part id="pl-8_obj.a.4-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08a.04[01]"/>
               <p>a security architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+              <link rel="assessment-for" href="#pl-8_smt.a.4"/>
             </part>
             <part id="pl-8_obj.a.4-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08a.04[02]"/>
               <p>a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;</p>
+              <link rel="assessment-for" href="#pl-8_smt.a.4"/>
             </part>
+            <link rel="assessment-for" href="#pl-8_smt.a.4"/>
           </part>
+          <link rel="assessment-for" href="#pl-8_smt.a"/>
         </part>
         <part id="pl-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-08b."/>
           <p>changes in the enterprise architecture are reviewed and updated <insert type="param" id-ref="pl-08_odp"/> to reflect changes in the enterprise architecture;</p>
+          <link rel="assessment-for" href="#pl-8_smt.b"/>
         </part>
         <part id="pl-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-08c."/>
           <part id="pl-8_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[01]"/>
             <p>planned architecture changes are reflected in the security plan;</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
           <part id="pl-8_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[02]"/>
             <p>planned architecture changes are reflected in the privacy plan;</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
           <part id="pl-8_obj.c-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[03]"/>
             <p>planned architecture changes are reflected in the Concept of Operations (CONOPS);</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
           <part id="pl-8_obj.c-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[04]"/>
             <p>planned architecture changes are reflected in criticality analysis;</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
           <part id="pl-8_obj.c-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[05]"/>
             <p>planned architecture changes are reflected in organizational procedures;</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
           <part id="pl-8_obj.c-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08c.[06]"/>
             <p>planned architecture changes are reflected in procurements and acquisitions.</p>
+            <link rel="assessment-for" href="#pl-8_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pl-8_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pl-8_smt"/>
       </part>
       <part id="pl-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43360,23 +45720,30 @@
             <part id="pl-8.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08(01)(a)[01]"/>
               <p>the security architecture for the system is designed using a defense-in-depth approach that allocates <insert type="param" id-ref="pl-08.01_odp.01"/> to <insert type="param" id-ref="pl-08.01_odp.02"/>;</p>
+              <link rel="assessment-for" href="#pl-8.1_smt.a"/>
             </part>
             <part id="pl-8.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08(01)(a)[02]"/>
               <p>the privacy architecture for the system is designed using a defense-in-depth approach that allocates <insert type="param" id-ref="pl-08.01_odp.01"/> to <insert type="param" id-ref="pl-08.01_odp.02"/>;</p>
+              <link rel="assessment-for" href="#pl-8.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#pl-8.1_smt.a"/>
           </part>
           <part id="pl-8.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PL-08(01)(b)"/>
             <part id="pl-8.1_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08(01)(b)[01]"/>
               <p>the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;</p>
+              <link rel="assessment-for" href="#pl-8.1_smt.b"/>
             </part>
             <part id="pl-8.1_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PL-08(01)(b)[02]"/>
               <p>the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.</p>
+              <link rel="assessment-for" href="#pl-8.1_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pl-8.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pl-8.1_smt"/>
         </part>
         <part id="pl-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43445,6 +45812,7 @@
         <part id="pl-8.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PL-08(02)"/>
           <p><insert type="param" id-ref="pl-08.02_odp.01"/> that are allocated to <insert type="param" id-ref="pl-08.02_odp.02"/> are required to be obtained from different suppliers.</p>
+          <link rel="assessment-for" href="#pl-8.2_smt"/>
         </part>
         <part id="pl-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43510,6 +45878,7 @@
       <part id="pl-9_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PL-09"/>
         <p><insert type="param" id-ref="pl-09_odp"/> are centrally managed.</p>
+        <link rel="assessment-for" href="#pl-9_smt"/>
       </part>
       <part id="pl-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43570,6 +45939,7 @@
       <part id="pl-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PL-10"/>
         <p>a control baseline for the system is selected.</p>
+        <link rel="assessment-for" href="#pl-10_smt"/>
       </part>
       <part id="pl-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43636,6 +46006,7 @@
       <part id="pl-11_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PL-11"/>
         <p>the selected control baseline is tailored by applying specified tailoring actions.</p>
+        <link rel="assessment-for" href="#pl-11_smt"/>
       </part>
       <part id="pl-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43755,80 +46126,102 @@
           <part id="pm-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.[01]"/>
             <p>an organization-wide information security program plan is developed;</p>
+            <link rel="assessment-for" href="#pm-1_smt.a"/>
           </part>
           <part id="pm-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.[02]"/>
             <p>the information security program plan is disseminated;</p>
+            <link rel="assessment-for" href="#pm-1_smt.a"/>
           </part>
           <part id="pm-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.01"/>
             <part id="pm-1_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.01[01]"/>
               <p>the information security program plan provides an overview of the requirements for the security program;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.1"/>
             </part>
             <part id="pm-1_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.01[02]"/>
               <p>the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.1"/>
             </part>
             <part id="pm-1_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.01[03]"/>
               <p>the information security program plan provides a description of the common controls in place or planned for meeting those requirements;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-1_smt.a.1"/>
           </part>
           <part id="pm-1_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.02"/>
             <part id="pm-1_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.02[01]"/>
               <p>the information security program plan includes the identification and assignment of roles;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.2"/>
             </part>
             <part id="pm-1_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.02[02]"/>
               <p>the information security program plan includes the identification and assignment of responsibilities;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.2"/>
             </part>
             <part id="pm-1_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.02[03]"/>
               <p>the information security program plan addresses management commitment;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.2"/>
             </part>
             <part id="pm-1_obj.a.2-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.02[04]"/>
               <p>the information security program plan addresses coordination among organizational entities;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.2"/>
             </part>
             <part id="pm-1_obj.a.2-5" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-01a.02[05]"/>
               <p>the information security program plan addresses compliance;</p>
+              <link rel="assessment-for" href="#pm-1_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-1_smt.a.2"/>
           </part>
           <part id="pm-1_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.03"/>
             <p>the information security program plan reflects the coordination among the organizational entities responsible for information security;</p>
+            <link rel="assessment-for" href="#pm-1_smt.a.3"/>
           </part>
           <part id="pm-1_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01a.04"/>
             <p>the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;</p>
+            <link rel="assessment-for" href="#pm-1_smt.a.4"/>
           </part>
+          <link rel="assessment-for" href="#pm-1_smt.a"/>
         </part>
         <part id="pm-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-01b."/>
           <part id="pm-1_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01b.[01]"/>
             <p>the information security program plan is reviewed and updated <insert type="param" id-ref="pm-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pm-1_smt.b"/>
           </part>
           <part id="pm-1_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01b.[02]"/>
             <p>the information security program plan is reviewed and updated following <insert type="param" id-ref="pm-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pm-1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-1_smt.b"/>
         </part>
         <part id="pm-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-01c."/>
           <part id="pm-1_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01c.[01]"/>
             <p>the information security program plan is protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#pm-1_smt.c"/>
           </part>
           <part id="pm-1_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-01c.[02]"/>
             <p>the information security program plan is protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#pm-1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-1_smt"/>
       </part>
       <part id="pm-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43881,23 +46274,29 @@
         <part id="pm-2_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-02[01]"/>
           <p>a senior agency information security officer is appointed;</p>
+          <link rel="assessment-for" href="#pm-2_smt"/>
         </part>
         <part id="pm-2_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-02[02]"/>
           <p>the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;</p>
+          <link rel="assessment-for" href="#pm-2_smt"/>
         </part>
         <part id="pm-2_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-02[03]"/>
           <p>the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;</p>
+          <link rel="assessment-for" href="#pm-2_smt"/>
         </part>
         <part id="pm-2_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-02[04]"/>
           <p>the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;</p>
+          <link rel="assessment-for" href="#pm-2_smt"/>
         </part>
         <part id="pm-2_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-02[05]"/>
           <p>the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program.</p>
+          <link rel="assessment-for" href="#pm-2_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-2_smt"/>
       </part>
       <part id="pm-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -43953,34 +46352,44 @@
           <part id="pm-3_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03a.[01]"/>
             <p>the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;</p>
+            <link rel="assessment-for" href="#pm-3_smt.a"/>
           </part>
           <part id="pm-3_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03a.[02]"/>
             <p>the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;</p>
+            <link rel="assessment-for" href="#pm-3_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-3_smt.a"/>
         </part>
         <part id="pm-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-03b."/>
           <part id="pm-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03b.[01]"/>
             <p>the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;</p>
+            <link rel="assessment-for" href="#pm-3_smt.b"/>
           </part>
           <part id="pm-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03b.[02]"/>
             <p>the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;</p>
+            <link rel="assessment-for" href="#pm-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-3_smt.b"/>
         </part>
         <part id="pm-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-03c."/>
           <part id="pm-3_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03c.[01]"/>
             <p>information security resources are made available for expenditure as planned;</p>
+            <link rel="assessment-for" href="#pm-3_smt.c"/>
           </part>
           <part id="pm-3_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-03c.[02]"/>
             <p>privacy resources are made available for expenditure as planned.</p>
+            <link rel="assessment-for" href="#pm-3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-3_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-3_smt"/>
       </part>
       <part id="pm-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44064,70 +46473,90 @@
             <part id="pm-4_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[01]"/>
               <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
             <part id="pm-4_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[02]"/>
               <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
             <part id="pm-4_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[03]"/>
               <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
             <part id="pm-4_obj.a.1-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[04]"/>
               <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
             <part id="pm-4_obj.a.1-5" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[05]"/>
               <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
             <part id="pm-4_obj.a.1-6" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.01[06]"/>
               <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-4_smt.a.1"/>
           </part>
           <part id="pm-4_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-04a.02"/>
             <part id="pm-4_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.02[01]"/>
               <p>a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.2"/>
             </part>
             <part id="pm-4_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.02[02]"/>
               <p>a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.2"/>
             </part>
             <part id="pm-4_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.02[03]"/>
               <p>a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-4_smt.a.2"/>
           </part>
           <part id="pm-4_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-04a.03"/>
             <part id="pm-4_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.03[01]"/>
               <p>a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.3"/>
             </part>
             <part id="pm-4_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.03[02]"/>
               <p>a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.3"/>
             </part>
             <part id="pm-4_obj.a.3-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-04a.03[03]"/>
               <p>a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;</p>
+              <link rel="assessment-for" href="#pm-4_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#pm-4_smt.a.3"/>
           </part>
+          <link rel="assessment-for" href="#pm-4_smt.a"/>
         </part>
         <part id="pm-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-04b."/>
           <part id="pm-4_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-04b.[01]"/>
             <p>plans of action and milestones are reviewed for consistency with the organizational risk management strategy;</p>
+            <link rel="assessment-for" href="#pm-4_smt.b"/>
           </part>
           <part id="pm-4_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-04b.[02]"/>
             <p>plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.</p>
+            <link rel="assessment-for" href="#pm-4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-4_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-4_smt"/>
       </part>
       <part id="pm-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44187,11 +46616,14 @@
         <part id="pm-5_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-05[01]"/>
           <p>an inventory of organizational systems is developed;</p>
+          <link rel="assessment-for" href="#pm-5_smt"/>
         </part>
         <part id="pm-5_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-05[02]"/>
           <p>the inventory of organizational systems is updated <insert type="param" id-ref="pm-05_odp"/>.</p>
+          <link rel="assessment-for" href="#pm-5_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-5_smt"/>
       </part>
       <part id="pm-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44257,15 +46689,19 @@
           <part id="pm-5.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-05(01)[01]"/>
             <p>an inventory of all systems, applications, and projects that process personally identifiable information is established;</p>
+            <link rel="assessment-for" href="#pm-5.1_smt"/>
           </part>
           <part id="pm-5.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-05(01)[02]"/>
             <p>an inventory of all systems, applications, and projects that process personally identifiable information is maintained;</p>
+            <link rel="assessment-for" href="#pm-5.1_smt"/>
           </part>
           <part id="pm-5.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-05(01)[03]"/>
             <p>an inventory of all systems, applications, and projects that process personally identifiable information is updated <insert type="param" id-ref="pm-05.01_odp"/>.</p>
+            <link rel="assessment-for" href="#pm-5.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pm-5.1_smt"/>
         </part>
         <part id="pm-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44326,27 +46762,34 @@
         <part id="pm-6_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[01]"/>
           <p>information security measures of performance are developed;</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
         <part id="pm-6_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[02]"/>
           <p>information security measures of performance are monitored;</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
         <part id="pm-6_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[03]"/>
           <p>the results of information security measures of performance are reported;</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
         <part id="pm-6_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[04]"/>
           <p>privacy measures of performance are developed;</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
         <part id="pm-6_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[05]"/>
           <p>privacy measures of performance are monitored;</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
         <part id="pm-6_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-06[06]"/>
           <p>the results of privacy measures of performance are reported.</p>
+          <link rel="assessment-for" href="#pm-6_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-6_smt"/>
       </part>
       <part id="pm-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44409,27 +46852,34 @@
         <part id="pm-7_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[01]"/>
           <p>an enterprise architecture is developed with consideration for information security;</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
         <part id="pm-7_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[02]"/>
           <p>an enterprise architecture is maintained with consideration for information security;</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
         <part id="pm-7_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[03]"/>
           <p>an enterprise architecture is developed with consideration for privacy;</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
         <part id="pm-7_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[04]"/>
           <p>an enterprise architecture is maintained with consideration for privacy;</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
         <part id="pm-7_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[05]"/>
           <p>an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
         <part id="pm-7_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07[06]"/>
           <p>an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.</p>
+          <link rel="assessment-for" href="#pm-7_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-7_smt"/>
       </part>
       <part id="pm-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44486,6 +46936,7 @@
         <part id="pm-7.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-07(01)"/>
           <p><insert type="param" id-ref="pm-07.01_odp"/> are offloaded to other systems, system components, or an external provider.</p>
+          <link rel="assessment-for" href="#pm-7.1_smt"/>
         </part>
         <part id="pm-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44551,27 +47002,34 @@
         <part id="pm-8_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[01]"/>
           <p>information security issues are addressed in the development of a critical infrastructure and key resources protection plan;</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
         <part id="pm-8_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[02]"/>
           <p>information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
         <part id="pm-8_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[03]"/>
           <p>information security issues are addressed in the update of a critical infrastructure and key resources protection plan;</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
         <part id="pm-8_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[04]"/>
           <p>privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
         <part id="pm-8_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[05]"/>
           <p>privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
         <part id="pm-8_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-08[06]"/>
           <p>privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.</p>
+          <link rel="assessment-for" href="#pm-8_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-8_smt"/>
       </part>
       <part id="pm-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44694,20 +47152,26 @@
           <part id="pm-9_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-09a.01"/>
             <p>a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;</p>
+            <link rel="assessment-for" href="#pm-9_smt.a.1"/>
           </part>
           <part id="pm-9_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-09a.02"/>
             <p>a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;</p>
+            <link rel="assessment-for" href="#pm-9_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#pm-9_smt.a"/>
         </part>
         <part id="pm-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-09b."/>
           <p>the risk management strategy is implemented consistently across the organization;</p>
+          <link rel="assessment-for" href="#pm-9_smt.b"/>
         </part>
         <part id="pm-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-09c."/>
           <p>the risk management strategy is reviewed and updated <insert type="param" id-ref="pm-09_odp"/> or as required to address organizational changes.</p>
+          <link rel="assessment-for" href="#pm-9_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-9_smt"/>
       </part>
       <part id="pm-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44777,20 +47241,26 @@
           <part id="pm-10_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-10a.[01]"/>
             <p>the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;</p>
+            <link rel="assessment-for" href="#pm-10_smt.a"/>
           </part>
           <part id="pm-10_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-10a.[02]"/>
             <p>the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;</p>
+            <link rel="assessment-for" href="#pm-10_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-10_smt.a"/>
         </part>
         <part id="pm-10_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-10b."/>
           <p>individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;</p>
+          <link rel="assessment-for" href="#pm-10_smt.b"/>
         </part>
         <part id="pm-10_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-10c."/>
           <p>the authorization processes are integrated into an organization-wide risk management program.</p>
+          <link rel="assessment-for" href="#pm-10_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-10_smt"/>
       </part>
       <part id="pm-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44878,31 +47348,40 @@
           <part id="pm-11_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-11a.[01]"/>
             <p>organizational mission and business processes are defined with consideration for information security;</p>
+            <link rel="assessment-for" href="#pm-11_smt.a"/>
           </part>
           <part id="pm-11_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-11a.[02]"/>
             <p>organizational mission and business processes are defined with consideration for privacy;</p>
+            <link rel="assessment-for" href="#pm-11_smt.a"/>
           </part>
           <part id="pm-11_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-11a.[03]"/>
             <p>organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;</p>
+            <link rel="assessment-for" href="#pm-11_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-11_smt.a"/>
         </part>
         <part id="pm-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-11b."/>
           <part id="pm-11_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-11b.[01]"/>
             <p>information protection needs arising from the defined mission and business processes are determined;</p>
+            <link rel="assessment-for" href="#pm-11_smt.b"/>
           </part>
           <part id="pm-11_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-11b.[02]"/>
             <p>personally identifiable information processing needs arising from the defined mission and business processes are determined;</p>
+            <link rel="assessment-for" href="#pm-11_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-11_smt.b"/>
         </part>
         <part id="pm-11_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-11c."/>
           <p>the mission and business processes are reviewed and revised <insert type="param" id-ref="pm-11_odp"/>.</p>
+          <link rel="assessment-for" href="#pm-11_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-11_smt"/>
       </part>
       <part id="pm-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -44978,6 +47457,7 @@
       <part id="pm-12_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PM-12"/>
         <p>an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.</p>
+        <link rel="assessment-for" href="#pm-12_smt"/>
       </part>
       <part id="pm-12_asm-interview" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="INTERVIEW"/>
@@ -45020,11 +47500,14 @@
         <part id="pm-13_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-13[01]"/>
           <p>a security workforce development and improvement program is established;</p>
+          <link rel="assessment-for" href="#pm-13_smt"/>
         </part>
         <part id="pm-13_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-13[02]"/>
           <p>a privacy workforce development and improvement program is established.</p>
+          <link rel="assessment-for" href="#pm-13_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-13_smt"/>
       </part>
       <part id="pm-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45106,59 +47589,76 @@
             <part id="pm-14_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.01[01]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.1"/>
             </part>
             <part id="pm-14_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.01[02]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.1"/>
             </part>
             <part id="pm-14_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.01[03]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.1"/>
             </part>
             <part id="pm-14_obj.a.1-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.01[04]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-14_smt.a.1"/>
           </part>
           <part id="pm-14_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14a.02"/>
             <part id="pm-14_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.02[01]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.2"/>
             </part>
             <part id="pm-14_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-14a.02[02]"/>
               <p>a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;</p>
+              <link rel="assessment-for" href="#pm-14_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-14_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#pm-14_smt.a"/>
         </part>
         <part id="pm-14_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-14b."/>
           <part id="pm-14_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[01]"/>
             <p>testing plans are reviewed for consistency with the organizational risk management strategy;</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
           <part id="pm-14_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[02]"/>
             <p>training plans are reviewed for consistency with the organizational risk management strategy;</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
           <part id="pm-14_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[03]"/>
             <p>monitoring plans are reviewed for consistency with the organizational risk management strategy;</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
           <part id="pm-14_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[04]"/>
             <p>testing plans are reviewed for consistency with organization-wide priorities for risk response actions;</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
           <part id="pm-14_obj.b-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[05]"/>
             <p>training plans are reviewed for consistency with organization-wide priorities for risk response actions;</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
           <part id="pm-14_obj.b-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-14b.[06]"/>
             <p>monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.</p>
+            <link rel="assessment-for" href="#pm-14_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-14_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-14_smt"/>
       </part>
       <part id="pm-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45226,34 +47726,44 @@
           <part id="pm-15_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15a.[01]"/>
             <p>contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;</p>
+            <link rel="assessment-for" href="#pm-15_smt.a"/>
           </part>
           <part id="pm-15_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15a.[02]"/>
             <p>contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;</p>
+            <link rel="assessment-for" href="#pm-15_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-15_smt.a"/>
         </part>
         <part id="pm-15_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-15b."/>
           <part id="pm-15_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15b.[01]"/>
             <p>contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;</p>
+            <link rel="assessment-for" href="#pm-15_smt.b"/>
           </part>
           <part id="pm-15_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15b.[02]"/>
             <p>contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;</p>
+            <link rel="assessment-for" href="#pm-15_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-15_smt.b"/>
         </part>
         <part id="pm-15_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-15c."/>
           <part id="pm-15_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15c.[01]"/>
             <p>contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;</p>
+            <link rel="assessment-for" href="#pm-15_smt.c"/>
           </part>
           <part id="pm-15_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-15c.[02]"/>
             <p>contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.</p>
+            <link rel="assessment-for" href="#pm-15_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-15_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-15_smt"/>
       </part>
       <part id="pm-15_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45304,6 +47814,7 @@
       <part id="pm-16_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PM-16"/>
         <p>a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.</p>
+        <link rel="assessment-for" href="#pm-16_smt"/>
       </part>
       <part id="pm-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45356,6 +47867,7 @@
         <part id="pm-16.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-16(01)"/>
           <p>automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.</p>
+          <link rel="assessment-for" href="#pm-16.1_smt"/>
         </part>
         <part id="pm-16.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45445,23 +47957,30 @@
           <part id="pm-17_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-17a.[01]"/>
             <p>policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;</p>
+            <link rel="assessment-for" href="#pm-17_smt.a"/>
           </part>
           <part id="pm-17_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-17a.[02]"/>
             <p>procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;</p>
+            <link rel="assessment-for" href="#pm-17_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-17_smt.a"/>
         </part>
         <part id="pm-17_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-17b."/>
           <part id="pm-17_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-17b.[01]"/>
             <p>policy is reviewed and updated <insert type="param" id-ref="pm-17_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pm-17_smt.b"/>
           </part>
           <part id="pm-17_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-17b.[02]"/>
             <p>procedures are reviewed and updated <insert type="param" id-ref="pm-17_odp.02"/> </p>
+            <link rel="assessment-for" href="#pm-17_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-17_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-17_smt"/>
       </part>
       <part id="pm-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45547,91 +48066,116 @@
           <part id="pm-18_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.[01]"/>
             <p>an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;</p>
+            <link rel="assessment-for" href="#pm-18_smt.a"/>
           </part>
           <part id="pm-18_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.01"/>
             <part id="pm-18_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.01[01]"/>
               <p>the privacy program plan includes a description of the structure of the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.1"/>
             </part>
             <part id="pm-18_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.01[02]"/>
               <p>the privacy program plan includes a description of the resources dedicated to the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-18_smt.a.1"/>
           </part>
           <part id="pm-18_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.02"/>
             <part id="pm-18_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.02[01]"/>
               <p>the privacy program plan provides an overview of the requirements for the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.2"/>
             </part>
             <part id="pm-18_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.02[02]"/>
               <p>the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.2"/>
             </part>
             <part id="pm-18_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.02[03]"/>
               <p>the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-18_smt.a.2"/>
           </part>
           <part id="pm-18_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.03"/>
             <part id="pm-18_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.03[01]"/>
               <p>the privacy program plan includes the role of the senior agency official for privacy;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.3"/>
             </part>
             <part id="pm-18_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.03[02]"/>
               <p>the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#pm-18_smt.a.3"/>
           </part>
           <part id="pm-18_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.04"/>
             <part id="pm-18_obj.a.4-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.04[01]"/>
               <p>the privacy program plan describes management commitment;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.4"/>
             </part>
             <part id="pm-18_obj.a.4-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.04[02]"/>
               <p>the privacy program plan describes compliance;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.4"/>
             </part>
             <part id="pm-18_obj.a.4-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-18a.04[03]"/>
               <p>the privacy program plan describes the strategic goals and objectives of the privacy program;</p>
+              <link rel="assessment-for" href="#pm-18_smt.a.4"/>
             </part>
+            <link rel="assessment-for" href="#pm-18_smt.a.4"/>
           </part>
           <part id="pm-18_obj.a.5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.05"/>
             <p>the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;</p>
+            <link rel="assessment-for" href="#pm-18_smt.a.5"/>
           </part>
           <part id="pm-18_obj.a.6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.06"/>
             <p>the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;</p>
+            <link rel="assessment-for" href="#pm-18_smt.a.6"/>
           </part>
           <part id="pm-18_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18a.[02]"/>
             <p>the privacy program plan is disseminated;</p>
+            <link rel="assessment-for" href="#pm-18_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-18_smt.a"/>
         </part>
         <part id="pm-18_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-18b."/>
           <part id="pm-18_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18b.[01]"/>
             <p>the privacy program plan is updated <insert type="param" id-ref="pm-18_odp"/>;</p>
+            <link rel="assessment-for" href="#pm-18_smt.b"/>
           </part>
           <part id="pm-18_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18b.[02]"/>
             <p>the privacy program plan is updated to address changes in federal privacy laws and policies;</p>
+            <link rel="assessment-for" href="#pm-18_smt.b"/>
           </part>
           <part id="pm-18_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18b.[03]"/>
             <p>the privacy program plan is updated to address organizational changes;</p>
+            <link rel="assessment-for" href="#pm-18_smt.b"/>
           </part>
           <part id="pm-18_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-18b.[04]"/>
             <p>the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.</p>
+            <link rel="assessment-for" href="#pm-18_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-18_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-18_smt"/>
       </part>
       <part id="pm-18_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45677,23 +48221,29 @@
         <part id="pm-19_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-19[01]"/>
           <p>a senior agency official for privacy with authority, mission, accountability, and resources is appointed;</p>
+          <link rel="assessment-for" href="#pm-19_smt"/>
         </part>
         <part id="pm-19_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-19[02]"/>
           <p>the senior agency official for privacy coordinates applicable privacy requirements;</p>
+          <link rel="assessment-for" href="#pm-19_smt"/>
         </part>
         <part id="pm-19_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-19[03]"/>
           <p>the senior agency official for privacy develops applicable privacy requirements;</p>
+          <link rel="assessment-for" href="#pm-19_smt"/>
         </part>
         <part id="pm-19_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-19[04]"/>
           <p>the senior agency official for privacy implements applicable privacy requirements;</p>
+          <link rel="assessment-for" href="#pm-19_smt"/>
         </part>
         <part id="pm-19_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-19[05]"/>
           <p>the senior agency official for privacy manages privacy risks through the organization-wide privacy program.</p>
+          <link rel="assessment-for" href="#pm-19_smt"/>
         </part>
+        <link rel="assessment-for" href="#pm-19_smt"/>
       </part>
       <part id="pm-19_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45760,37 +48310,47 @@
         <part id="pm-20_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-20[01]"/>
           <p>a central resource webpage is maintained on the organization’s principal public website;</p>
+          <link rel="assessment-for" href="#pm-20_smt"/>
         </part>
         <part id="pm-20_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-20[02]"/>
           <p>the webpage serves as a central source of information about the organization’s privacy program;</p>
+          <link rel="assessment-for" href="#pm-20_smt"/>
         </part>
         <part id="pm-20_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-20a."/>
           <part id="pm-20_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20a.[01]"/>
             <p>the webpage ensures that the public has access to information about organizational privacy activities;</p>
+            <link rel="assessment-for" href="#pm-20_smt.a"/>
           </part>
           <part id="pm-20_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20a.[02]"/>
             <p>the webpage ensures that the public can communicate with its senior agency official for privacy;</p>
+            <link rel="assessment-for" href="#pm-20_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-20_smt.a"/>
         </part>
         <part id="pm-20_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-20b."/>
           <part id="pm-20_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20b.[01]"/>
             <p>the webpage ensures that organizational privacy practices are publicly available;</p>
+            <link rel="assessment-for" href="#pm-20_smt.b"/>
           </part>
           <part id="pm-20_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20b.[02]"/>
             <p>the webpage ensures that organizational privacy reports are publicly available;</p>
+            <link rel="assessment-for" href="#pm-20_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-20_smt.b"/>
         </part>
         <part id="pm-20_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-20c."/>
           <p>the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</p>
+          <link rel="assessment-for" href="#pm-20_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-20_smt"/>
       </part>
       <part id="pm-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45853,48 +48413,61 @@
           <part id="pm-20.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)[01]"/>
             <p>privacy policies are developed and posted on all external-facing websites;</p>
+            <link rel="assessment-for" href="#pm-20.1_smt"/>
           </part>
           <part id="pm-20.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)[02]"/>
             <p>privacy policies are developed and posted on all mobile applications;</p>
+            <link rel="assessment-for" href="#pm-20.1_smt"/>
           </part>
           <part id="pm-20.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)[03]"/>
             <p>privacy policies are developed and posted on all other digital services;</p>
+            <link rel="assessment-for" href="#pm-20.1_smt"/>
           </part>
           <part id="pm-20.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)(a)"/>
             <part id="pm-20.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(a)[01]"/>
               <p>the privacy policies are written in plain language;</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.a"/>
             </part>
             <part id="pm-20.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(a)[02]"/>
               <p>the privacy policies are organized in a way that is easy to understand and navigate;</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#pm-20.1_smt.a"/>
           </part>
           <part id="pm-20.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)(b)"/>
             <part id="pm-20.1_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(b)[01]"/>
               <p>the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.b"/>
             </part>
             <part id="pm-20.1_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(b)[02]"/>
               <p>the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#pm-20.1_smt.b"/>
           </part>
           <part id="pm-20.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-20(01)(c)"/>
             <part id="pm-20.1_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(c)[01]"/>
               <p>the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.c"/>
             </part>
             <part id="pm-20.1_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-20(01)(c)[02]"/>
               <p>the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.</p>
+              <link rel="assessment-for" href="#pm-20.1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pm-20.1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-20.1_smt"/>
         </part>
         <part id="pm-20.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -45970,36 +48543,47 @@
             <part id="pm-21_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-21a.01[01]"/>
               <p>the accounting includes the date of each disclosure;</p>
+              <link rel="assessment-for" href="#pm-21_smt.a.1"/>
             </part>
             <part id="pm-21_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-21a.01[02]"/>
               <p>the accounting includes the nature of each disclosure;</p>
+              <link rel="assessment-for" href="#pm-21_smt.a.1"/>
             </part>
             <part id="pm-21_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-21a.01[03]"/>
               <p>the accounting includes the purpose of each disclosure;</p>
+              <link rel="assessment-for" href="#pm-21_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-21_smt.a.1"/>
           </part>
           <part id="pm-21_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-21a.02"/>
             <part id="pm-21_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-21a.02[01]"/>
               <p>the accounting includes the name of the individual or organization to whom the disclosure was made;</p>
+              <link rel="assessment-for" href="#pm-21_smt.a.2"/>
             </part>
             <part id="pm-21_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-21a.02[02]"/>
               <p>the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;</p>
+              <link rel="assessment-for" href="#pm-21_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-21_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#pm-21_smt.a"/>
         </part>
         <part id="pm-21_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-21b."/>
           <p>the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;</p>
+          <link rel="assessment-for" href="#pm-21_smt.b"/>
         </part>
         <part id="pm-21_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-21c."/>
           <p>the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.</p>
+          <link rel="assessment-for" href="#pm-21_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-21_smt"/>
       </part>
       <part id="pm-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46072,79 +48656,100 @@
         <part id="pm-22_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22[01]"/>
           <p>organization-wide policies for personally identifiable information quality management are developed and documented;</p>
+          <link rel="assessment-for" href="#pm-22_smt"/>
         </part>
         <part id="pm-22_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22[02]"/>
           <p>organization-wide procedures for personally identifiable information quality management are developed and documented;</p>
+          <link rel="assessment-for" href="#pm-22_smt"/>
         </part>
         <part id="pm-22_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22a."/>
           <part id="pm-22_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[01]"/>
             <p>the policies address reviewing the accuracy of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[02]"/>
             <p>the policies address reviewing the relevance of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[03]"/>
             <p>the policies address reviewing the timeliness of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[04]"/>
             <p>the policies address reviewing the completeness of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[05]"/>
             <p>the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[06]"/>
             <p>the procedures address reviewing the relevance of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[07]"/>
             <p>the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
           <part id="pm-22_obj.a-8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22a.[08]"/>
             <p>the procedures address reviewing the completeness of personally identifiable information across the information life cycle;</p>
+            <link rel="assessment-for" href="#pm-22_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-22_smt.a"/>
         </part>
         <part id="pm-22_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22b."/>
           <part id="pm-22_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22b.[01]"/>
             <p>the policies address correcting or deleting inaccurate or outdated personally identifiable information;</p>
+            <link rel="assessment-for" href="#pm-22_smt.b"/>
           </part>
           <part id="pm-22_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22b.[02]"/>
             <p>the procedures address correcting or deleting inaccurate or outdated personally identifiable information;</p>
+            <link rel="assessment-for" href="#pm-22_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-22_smt.b"/>
         </part>
         <part id="pm-22_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22c."/>
           <part id="pm-22_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22c.[01]"/>
             <p>the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;</p>
+            <link rel="assessment-for" href="#pm-22_smt.c"/>
           </part>
           <part id="pm-22_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22c.[02]"/>
             <p>the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;</p>
+            <link rel="assessment-for" href="#pm-22_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-22_smt.c"/>
         </part>
         <part id="pm-22_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-22d."/>
           <part id="pm-22_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22d.[01]"/>
             <p>the policies address appeals of adverse decisions on correction or deletion requests;</p>
+            <link rel="assessment-for" href="#pm-22_smt.d"/>
           </part>
           <part id="pm-22_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-22d.[02]"/>
             <p>the procedures address appeals of adverse decisions on correction or deletion requests.</p>
+            <link rel="assessment-for" href="#pm-22_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pm-22_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pm-22_smt"/>
       </part>
       <part id="pm-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46217,6 +48822,7 @@
       <part id="pm-23_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PM-23"/>
         <p>a Data Governance Body consisting of <insert type="param" id-ref="pm-23_odp.01"/> with <insert type="param" id-ref="pm-23_odp.02"/> is established.</p>
+        <link rel="assessment-for" href="#pm-23_smt"/>
       </part>
       <part id="pm-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46272,11 +48878,14 @@
         <part id="pm-24_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-24a."/>
           <p>the Data Integrity Board reviews proposals to conduct or participate in a matching program;</p>
+          <link rel="assessment-for" href="#pm-24_smt.a"/>
         </part>
         <part id="pm-24_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-24b."/>
           <p>the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.</p>
+          <link rel="assessment-for" href="#pm-24_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-24_smt"/>
       </part>
       <part id="pm-24_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46374,101 +48983,128 @@
           <part id="pm-25_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[01]"/>
             <p>policies that address the use of personally identifiable information for internal testing are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[02]"/>
             <p>policies that address the use of personally identifiable information for internal training are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[03]"/>
             <p>policies that address the use of personally identifiable information for internal research are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[04]"/>
             <p>procedures that address the use of personally identifiable information for internal testing are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[05]"/>
             <p>procedures that address the use of personally identifiable information for internal training are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[06]"/>
             <p>procedures that address the use of personally identifiable information for internal research are developed and documented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[07]"/>
             <p>policies that address the use of personally identifiable information for internal testing, are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[08]"/>
             <p>policies that address the use of personally identifiable information for training are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[09]"/>
             <p>policies that address the use of personally identifiable information for research are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-10" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[10]"/>
             <p>procedures that address the use of personally identifiable information for internal testing are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-11" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[11]"/>
             <p>procedures that address the use of personally identifiable information for training are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
           <part id="pm-25_obj.a-12" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25a.[12]"/>
             <p>procedures that address the use of personally identifiable information for research are implemented;</p>
+            <link rel="assessment-for" href="#pm-25_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-25_smt.a"/>
         </part>
         <part id="pm-25_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-25b."/>
           <part id="pm-25_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25b.[01]"/>
             <p>the amount of personally identifiable information used for internal testing purposes is limited or minimized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.b"/>
           </part>
           <part id="pm-25_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25b.[02]"/>
             <p>the amount of personally identifiable information used for internal training purposes is limited or minimized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.b"/>
           </part>
           <part id="pm-25_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25b.[03]"/>
             <p>the amount of personally identifiable information used for internal research purposes is limited or minimized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-25_smt.b"/>
         </part>
         <part id="pm-25_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-25c."/>
           <part id="pm-25_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25c.[01]"/>
             <p>the required use of personally identifiable information for internal testing is authorized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.c"/>
           </part>
           <part id="pm-25_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25c.[02]"/>
             <p>the required use of personally identifiable information for internal training is authorized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.c"/>
           </part>
           <part id="pm-25_obj.c-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25c.[03]"/>
             <p>the required use of personally identifiable information for internal research is authorized;</p>
+            <link rel="assessment-for" href="#pm-25_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-25_smt.c"/>
         </part>
         <part id="pm-25_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-25d."/>
           <part id="pm-25_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25d.[01]"/>
             <p>policies are reviewed <insert type="param" id-ref="pm-25_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pm-25_smt.d"/>
           </part>
           <part id="pm-25_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25d.[02]"/>
             <p>policies are updated <insert type="param" id-ref="pm-25_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pm-25_smt.d"/>
           </part>
           <part id="pm-25_obj.d-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25d.[03]"/>
             <p>procedures are reviewed <insert type="param" id-ref="pm-25_odp.03"/>;</p>
+            <link rel="assessment-for" href="#pm-25_smt.d"/>
           </part>
           <part id="pm-25_obj.d-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-25d.[04]"/>
             <p>procedures are updated <insert type="param" id-ref="pm-25_odp.04"/>.</p>
+            <link rel="assessment-for" href="#pm-25_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pm-25_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pm-25_smt"/>
       </part>
       <part id="pm-25_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46578,45 +49214,57 @@
         <part id="pm-26_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26[01]"/>
           <p>a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;</p>
+          <link rel="assessment-for" href="#pm-26_smt"/>
         </part>
         <part id="pm-26_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26[02]"/>
           <p>a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;</p>
+          <link rel="assessment-for" href="#pm-26_smt"/>
         </part>
         <part id="pm-26_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26a."/>
           <part id="pm-26_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-26a.[01]"/>
             <p>the complaint management process includes mechanisms that are easy to use by the public;</p>
+            <link rel="assessment-for" href="#pm-26_smt.a"/>
           </part>
           <part id="pm-26_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-26a.[02]"/>
             <p>the complaint management process includes mechanisms that are readily accessible by the public;</p>
+            <link rel="assessment-for" href="#pm-26_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-26_smt.a"/>
         </part>
         <part id="pm-26_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26b."/>
           <p>the complaint management process includes all information necessary for successfully filing complaints;</p>
+          <link rel="assessment-for" href="#pm-26_smt.b"/>
         </part>
         <part id="pm-26_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26c."/>
           <part id="pm-26_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-26c.[01]"/>
             <p>the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within <insert type="param" id-ref="pm-26_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pm-26_smt.c"/>
           </part>
           <part id="pm-26_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-26c.[02]"/>
             <p>the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within <insert type="param" id-ref="pm-26_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pm-26_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pm-26_smt.c"/>
         </part>
         <part id="pm-26_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26d."/>
           <p>the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within <insert type="param" id-ref="pm-26_odp.03"/>;</p>
+          <link rel="assessment-for" href="#pm-26_smt.d"/>
         </part>
         <part id="pm-26_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-26e."/>
           <p>the complaint management process includes responding to complaints, concerns, or questions from individuals within <insert type="param" id-ref="pm-26_odp.04"/>.</p>
+          <link rel="assessment-for" href="#pm-26_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#pm-26_smt"/>
       </part>
       <part id="pm-26_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46719,23 +49367,30 @@
           <part id="pm-27_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-27a.01"/>
             <p>the privacy reports are disseminated to <insert type="param" id-ref="pm-27_odp.02"/> to demonstrate accountability with statutory, regulatory, and policy privacy mandates;</p>
+            <link rel="assessment-for" href="#pm-27_smt.a.1"/>
           </part>
           <part id="pm-27_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-27a.02"/>
             <part id="pm-27_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-27a.02[01]"/>
               <p>the privacy reports are disseminated to <insert type="param" id-ref="pm-27_odp.03"/>;</p>
+              <link rel="assessment-for" href="#pm-27_smt.a.2"/>
             </part>
             <part id="pm-27_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-27a.02[02]"/>
               <p>the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;</p>
+              <link rel="assessment-for" href="#pm-27_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-27_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#pm-27_smt.a"/>
         </part>
         <part id="pm-27_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-27b."/>
           <p>the privacy reports are reviewed and updated <insert type="param" id-ref="pm-27_odp.04"/>.</p>
+          <link rel="assessment-for" href="#pm-27_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-27_smt"/>
       </part>
       <part id="pm-27_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46831,55 +49486,71 @@
             <part id="pm-28_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.01[01]"/>
               <p>assumptions affecting risk assessments are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.1"/>
             </part>
             <part id="pm-28_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.01[02]"/>
               <p>assumptions affecting risk responses are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.1"/>
             </part>
             <part id="pm-28_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.01[03]"/>
               <p>assumptions affecting risk monitoring are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#pm-28_smt.a.1"/>
           </part>
           <part id="pm-28_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-28a.02"/>
             <part id="pm-28_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.02[01]"/>
               <p>constraints affecting risk assessments are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.2"/>
             </part>
             <part id="pm-28_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.02[02]"/>
               <p>constraints affecting risk responses are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.2"/>
             </part>
             <part id="pm-28_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.02[03]"/>
               <p>constraints affecting risk monitoring are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#pm-28_smt.a.2"/>
           </part>
           <part id="pm-28_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-28a.03"/>
             <part id="pm-28_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.03[01]"/>
               <p>priorities considered by the organization for managing risk are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.3"/>
             </part>
             <part id="pm-28_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PM-28a.03[02]"/>
               <p>trade-offs considered by the organization for managing risk are identified and documented;</p>
+              <link rel="assessment-for" href="#pm-28_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#pm-28_smt.a.3"/>
           </part>
           <part id="pm-28_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-28a.04"/>
             <p>organizational risk tolerance is identified and documented;</p>
+            <link rel="assessment-for" href="#pm-28_smt.a.4"/>
           </part>
+          <link rel="assessment-for" href="#pm-28_smt.a"/>
         </part>
         <part id="pm-28_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-28b."/>
           <p>the results of risk framing activities are distributed to <insert type="param" id-ref="pm-28_odp.01"/>;</p>
+          <link rel="assessment-for" href="#pm-28_smt.b"/>
         </part>
         <part id="pm-28_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-28c."/>
           <p>risk framing considerations are reviewed and updated <insert type="param" id-ref="pm-28_odp.02"/>.</p>
+          <link rel="assessment-for" href="#pm-28_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-28_smt"/>
       </part>
       <part id="pm-28_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -46944,27 +49615,35 @@
           <part id="pm-29_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-29a.[01]"/>
             <p>a Senior Accountable Official for Risk Management is appointed;</p>
+            <link rel="assessment-for" href="#pm-29_smt.a"/>
           </part>
           <part id="pm-29_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-29a.[02]"/>
             <p>a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;</p>
+            <link rel="assessment-for" href="#pm-29_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-29_smt.a"/>
         </part>
         <part id="pm-29_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-29b."/>
           <part id="pm-29_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-29b.[01]"/>
             <p>a Risk Executive (function) is established;</p>
+            <link rel="assessment-for" href="#pm-29_smt.b"/>
           </part>
           <part id="pm-29_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-29b.[02]"/>
             <p>a Risk Executive (function) views and analyzes risk from an organization-wide perspective;</p>
+            <link rel="assessment-for" href="#pm-29_smt.b"/>
           </part>
           <part id="pm-29_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-29b.[03]"/>
             <p>a Risk Executive (function) ensures that the management of risk is consistent across the organization.</p>
+            <link rel="assessment-for" href="#pm-29_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-29_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pm-29_smt"/>
       </part>
       <part id="pm-29_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47053,64 +49732,81 @@
           <part id="pm-30_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[01]"/>
             <p>an organization-wide strategy for managing supply chain risks is developed;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[02]"/>
             <p>the supply chain risk management strategy addresses risks associated with the development of systems;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[03]"/>
             <p>the supply chain risk management strategy addresses risks associated with the development of system components;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[04]"/>
             <p>the supply chain risk management strategy addresses risks associated with the development of system services;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[05]"/>
             <p>the supply chain risk management strategy addresses risks associated with the acquisition of systems;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[06]"/>
             <p>the supply chain risk management strategy addresses risks associated with the acquisition of system components;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[07]"/>
             <p>the supply chain risk management strategy addresses risks associated with the acquisition of system services;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[08]"/>
             <p>the supply chain risk management strategy addresses risks associated with the maintenance of systems;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[09]"/>
             <p>the supply chain risk management strategy addresses risks associated with the maintenance of system components;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-10" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[10]"/>
             <p>the supply chain risk management strategy addresses risks associated with the maintenance of system services;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-11" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[11]"/>
             <p>the supply chain risk management strategy addresses risks associated with the disposal of systems;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-12" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[12]"/>
             <p>the supply chain risk management strategy addresses risks associated with the disposal of system components;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
           <part id="pm-30_obj.a-13" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30a.[13]"/>
             <p>the supply chain risk management strategy addresses risks associated with the disposal of system services;</p>
+            <link rel="assessment-for" href="#pm-30_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pm-30_smt.a"/>
         </part>
         <part id="pm-30_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-30b."/>
           <p>the supply chain risk management strategy is implemented consistently across the organization;</p>
+          <link rel="assessment-for" href="#pm-30_smt.b"/>
         </part>
         <part id="pm-30_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-30c."/>
           <p>the supply chain risk management strategy is reviewed and updated <insert type="param" id-ref="pm-30_odp"/> or as required to address organizational changes.</p>
+          <link rel="assessment-for" href="#pm-30_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pm-30_smt"/>
       </part>
       <part id="pm-30_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47153,15 +49849,19 @@
           <part id="pm-30.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30(01)[01]"/>
             <p>suppliers of critical or mission-essential technologies, products, and services are identified;</p>
+            <link rel="assessment-for" href="#pm-30.1_smt"/>
           </part>
           <part id="pm-30.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30(01)[02]"/>
             <p>suppliers of critical or mission-essential technologies, products, and services are prioritized;</p>
+            <link rel="assessment-for" href="#pm-30.1_smt"/>
           </part>
           <part id="pm-30.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-30(01)[03]"/>
             <p>suppliers of critical or mission-essential technologies, products, and services are assessed.</p>
+            <link rel="assessment-for" href="#pm-30.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#pm-30.1_smt"/>
         </part>
         <part id="pm-30.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47221,18 +49921,18 @@
         <prop name="alt-identifier" value="pm-31_prm_2"/>
         <prop name="alt-label" class="sp800-53" value="frequencies"/>
         <prop name="label" class="sp800-53a" value="PM-31_ODP[02]"/>
-        <label>frequency</label>
+        <label>monitoring frequencies</label>
         <guideline>
-          <p>the frequency for monitoring is defined;</p>
+          <p>the frequencies for monitoring are defined;</p>
         </guideline>
       </param>
       <param id="pm-31_odp.03">
         <prop name="alt-identifier" value="pm-31_prm_3"/>
         <prop name="alt-label" class="sp800-53" value="frequencies"/>
         <prop name="label" class="sp800-53a" value="PM-31_ODP[03]"/>
-        <label>frequency</label>
+        <label>assessment frequencies</label>
         <guideline>
-          <p>the frequency for assessing control effectiveness is defined;</p>
+          <p>the frequencies for assessing control effectiveness are defined;</p>
         </guideline>
       </param>
       <param id="pm-31_odp.04">
@@ -47329,7 +50029,7 @@
         </part>
         <part name="item" id="pm-31_smt.b">
           <prop name="label" value="b."/>
-          <p>Establishing <insert type="param" id-ref="pm-31_odp.02"/> for monitoring and <insert type="param" id-ref="pm-31_odp.03"/> for assessment of control effectiveness;</p>
+          <p>Establishing <insert type="param" id-ref="pm-31_odp.02"/> and <insert type="param" id-ref="pm-31_odp.03"/> for control effectiveness;</p>
         </part>
         <part name="item" id="pm-31_smt.c">
           <prop name="label" value="c."/>
@@ -47357,55 +50057,70 @@
         <part id="pm-31_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31a."/>
           <p>continuous monitoring programs are implemented that include establishing <insert type="param" id-ref="pm-31_odp.01"/> to be monitored;</p>
+          <link rel="assessment-for" href="#pm-31_smt.a"/>
         </part>
         <part id="pm-31_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31b."/>
           <part id="pm-31_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31b.[01]"/>
             <p>continuous monitoring programs are implemented that establish <insert type="param" id-ref="pm-31_odp.02"/> for monitoring;</p>
+            <link rel="assessment-for" href="#pm-31_smt.b"/>
           </part>
           <part id="pm-31_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31b.[02]"/>
             <p>continuous monitoring programs are implemented that establish <insert type="param" id-ref="pm-31_odp.03"/> for assessment of control effectiveness;</p>
+            <link rel="assessment-for" href="#pm-31_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pm-31_smt.b"/>
         </part>
         <part id="pm-31_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31c."/>
           <p>continuous monitoring programs are implemented that include monitoring <insert type="param" id-ref="pm-31_odp.01"/> on an ongoing basis in accordance with the continuous monitoring strategy;</p>
+          <link rel="assessment-for" href="#pm-31_smt.c"/>
         </part>
         <part id="pm-31_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31d."/>
           <part id="pm-31_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31d.[01]"/>
             <p>continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;</p>
+            <link rel="assessment-for" href="#pm-31_smt.d"/>
           </part>
           <part id="pm-31_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31d.[02]"/>
             <p>continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;</p>
+            <link rel="assessment-for" href="#pm-31_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pm-31_smt.d"/>
         </part>
         <part id="pm-31_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31e."/>
           <part id="pm-31_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31e.[01]"/>
             <p>continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;</p>
+            <link rel="assessment-for" href="#pm-31_smt.e"/>
           </part>
           <part id="pm-31_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31e.[02]"/>
             <p>continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;</p>
+            <link rel="assessment-for" href="#pm-31_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#pm-31_smt.e"/>
         </part>
         <part id="pm-31_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PM-31f."/>
           <part id="pm-31_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31f.[01]"/>
             <p>continuous monitoring programs are implemented that include reporting the security status of organizational systems to <insert type="param" id-ref="pm-31_odp.04"/> <insert type="param" id-ref="pm-31_odp.06"/>;</p>
+            <link rel="assessment-for" href="#pm-31_smt.f"/>
           </part>
           <part id="pm-31_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PM-31f.[02]"/>
             <p>continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to <insert type="param" id-ref="pm-31_odp.05"/> <insert type="param" id-ref="pm-31_odp.07"/>.</p>
+            <link rel="assessment-for" href="#pm-31_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#pm-31_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#pm-31_smt"/>
       </part>
       <part id="pm-31_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47477,6 +50192,7 @@
       <part id="pm-32_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PM-32"/>
         <p><insert type="param" id-ref="pm-32_odp"/> supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.</p>
+        <link rel="assessment-for" href="#pm-32_smt"/>
       </part>
       <part id="pm-32_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47631,18 +50347,22 @@
           <part id="ps-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01a.[01]"/>
             <p>a personnel security policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ps-1_smt.a"/>
           </part>
           <part id="ps-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01a.[02]"/>
             <p>the personnel security policy is disseminated to <insert type="param" id-ref="ps-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ps-1_smt.a"/>
           </part>
           <part id="ps-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01a.[03]"/>
             <p>personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ps-1_smt.a"/>
           </part>
           <part id="ps-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01a.[04]"/>
             <p>the personnel security procedures are disseminated to <insert type="param" id-ref="ps-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ps-1_smt.a"/>
           </part>
           <part id="ps-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01a.01"/>
@@ -47651,41 +50371,53 @@
               <part id="ps-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses scope;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses roles;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
               <part id="ps-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PS-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ps-1_smt.a.1.a"/>
             </part>
             <part id="ps-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PS-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ps-01_odp.03"/> personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ps-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ps-1_smt.a"/>
         </part>
         <part id="ps-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-01b."/>
           <p>the <insert type="param" id-ref="ps-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;</p>
+          <link rel="assessment-for" href="#ps-1_smt.b"/>
         </part>
         <part id="ps-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-01c."/>
@@ -47694,24 +50426,32 @@
             <part id="ps-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PS-01c.01[01]"/>
               <p>the current personnel security policy is reviewed and updated <insert type="param" id-ref="ps-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ps-1_smt.c.1"/>
             </part>
             <part id="ps-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PS-01c.01[02]"/>
               <p>the current personnel security policy is reviewed and updated following <insert type="param" id-ref="ps-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ps-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt.c.1"/>
           </part>
           <part id="ps-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-01c.02"/>
             <part id="ps-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PS-01c.02[01]"/>
               <p>the current personnel security procedures are reviewed and updated <insert type="param" id-ref="ps-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ps-1_smt.c.2"/>
             </part>
             <part id="ps-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PS-01c.02[02]"/>
               <p>the current personnel security procedures are reviewed and updated following <insert type="param" id-ref="ps-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ps-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ps-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ps-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ps-1_smt"/>
       </part>
       <part id="ps-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47783,15 +50523,19 @@
         <part id="ps-2_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-02a."/>
           <p>a risk designation is assigned to all organizational positions;</p>
+          <link rel="assessment-for" href="#ps-2_smt.a"/>
         </part>
         <part id="ps-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-02b."/>
           <p>screening criteria are established for individuals filling organizational positions;</p>
+          <link rel="assessment-for" href="#ps-2_smt.b"/>
         </part>
         <part id="ps-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-02c."/>
           <p>position risk designations are reviewed and updated <insert type="param" id-ref="ps-02_odp"/>.</p>
+          <link rel="assessment-for" href="#ps-2_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ps-2_smt"/>
       </part>
       <part id="ps-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47884,18 +50628,23 @@
         <part id="ps-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-03a."/>
           <p>individuals are screened prior to authorizing access to the system;</p>
+          <link rel="assessment-for" href="#ps-3_smt.a"/>
         </part>
         <part id="ps-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-03b."/>
           <part id="ps-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03b.[01]"/>
             <p>individuals are rescreened in accordance with <insert type="param" id-ref="ps-03_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ps-3_smt.b"/>
           </part>
           <part id="ps-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03b.[02]"/>
             <p>where rescreening is so indicated, individuals are rescreened <insert type="param" id-ref="ps-03_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ps-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ps-3_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ps-3_smt"/>
       </part>
       <part id="ps-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47943,11 +50692,14 @@
           <part id="ps-3.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03(01)[01]"/>
             <p>individuals accessing a system processing, storing, or transmitting classified information are cleared;</p>
+            <link rel="assessment-for" href="#ps-3.1_smt"/>
           </part>
           <part id="ps-3.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03(01)[02]"/>
             <p>individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.</p>
+            <link rel="assessment-for" href="#ps-3.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#ps-3.1_smt"/>
         </part>
         <part id="ps-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -47994,6 +50746,7 @@
         <part id="ps-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-03(02)"/>
           <p>individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.</p>
+          <link rel="assessment-for" href="#ps-3.2_smt"/>
         </part>
         <part id="ps-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48057,11 +50810,14 @@
           <part id="ps-3.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03(03)(a)"/>
             <p>individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;</p>
+            <link rel="assessment-for" href="#ps-3.3_smt.a"/>
           </part>
           <part id="ps-3.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-03(03)(b)"/>
             <p>individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy <insert type="param" id-ref="ps-03.03_odp"/>.</p>
+            <link rel="assessment-for" href="#ps-3.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ps-3.3_smt"/>
         </part>
         <part id="ps-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48125,6 +50881,7 @@
         <part id="ps-3.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-03(04)"/>
           <p>individuals accessing a system processing, storing, or transmitting <insert type="param" id-ref="ps-03.04_odp.01"/> meet <insert type="param" id-ref="ps-03.04_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ps-3.4_smt"/>
         </part>
         <part id="ps-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48216,23 +50973,29 @@
         <part id="ps-4_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04a."/>
           <p>upon termination of individual employment, system access is disabled within <insert type="param" id-ref="ps-04_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ps-4_smt.a"/>
         </part>
         <part id="ps-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04b."/>
           <p>upon termination of individual employment, any authenticators and credentials are terminated or revoked;</p>
+          <link rel="assessment-for" href="#ps-4_smt.b"/>
         </part>
         <part id="ps-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04c."/>
           <p>upon termination of individual employment, exit interviews that include a discussion of <insert type="param" id-ref="ps-04_odp.02"/> are conducted;</p>
+          <link rel="assessment-for" href="#ps-4_smt.c"/>
         </part>
         <part id="ps-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04d."/>
           <p>upon termination of individual employment, all security-related organizational system-related property is retrieved;</p>
+          <link rel="assessment-for" href="#ps-4_smt.d"/>
         </part>
         <part id="ps-4_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04e."/>
           <p>upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.</p>
+          <link rel="assessment-for" href="#ps-4_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#ps-4_smt"/>
       </part>
       <part id="ps-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48292,11 +51055,14 @@
           <part id="ps-4.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-04(01)(a)"/>
             <p>terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;</p>
+            <link rel="assessment-for" href="#ps-4.1_smt.a"/>
           </part>
           <part id="ps-4.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-04(01)(b)"/>
             <p>terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.</p>
+            <link rel="assessment-for" href="#ps-4.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ps-4.1_smt"/>
         </part>
         <part id="ps-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48366,6 +51132,7 @@
         <part id="ps-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-04(02)"/>
           <p><insert type="param" id-ref="ps-04.02_odp.01"/> are used to <insert type="param" id-ref="ps-04.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ps-4.2_smt"/>
         </part>
         <part id="ps-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48469,19 +51236,24 @@
         <part id="ps-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-05a."/>
           <p>the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;</p>
+          <link rel="assessment-for" href="#ps-5_smt.a"/>
         </part>
         <part id="ps-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-05b."/>
           <p><insert type="param" id-ref="ps-05_odp.01"/> are initiated within <insert type="param" id-ref="ps-05_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ps-5_smt.b"/>
         </part>
         <part id="ps-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-05c."/>
           <p>access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;</p>
+          <link rel="assessment-for" href="#ps-5_smt.c"/>
         </part>
         <part id="ps-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-05d."/>
           <p><insert type="param" id-ref="ps-05_odp.03"/> are notified within <insert type="param" id-ref="ps-05_odp.04"/>.</p>
+          <link rel="assessment-for" href="#ps-5_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#ps-5_smt"/>
       </part>
       <part id="ps-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48578,22 +51350,28 @@
         <part id="ps-6_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-06a."/>
           <p>access agreements are developed and documented for organizational systems;</p>
+          <link rel="assessment-for" href="#ps-6_smt.a"/>
         </part>
         <part id="ps-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-06b."/>
           <p>the access agreements are reviewed and updated <insert type="param" id-ref="ps-06_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ps-6_smt.b"/>
         </part>
         <part id="ps-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-06c."/>
           <part id="ps-6_obj.c.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06c.01"/>
             <p>individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;</p>
+            <link rel="assessment-for" href="#ps-6_smt.c.1"/>
           </part>
           <part id="ps-6_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06c.02"/>
             <p>individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or <insert type="param" id-ref="ps-06_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ps-6_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ps-6_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ps-6_smt"/>
       </part>
       <part id="ps-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48667,15 +51445,19 @@
           <part id="ps-6.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06(02)(a)"/>
             <p>access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;</p>
+            <link rel="assessment-for" href="#ps-6.2_smt.a"/>
           </part>
           <part id="ps-6.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06(02)(b)"/>
             <p>access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;</p>
+            <link rel="assessment-for" href="#ps-6.2_smt.b"/>
           </part>
           <part id="ps-6.2_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06(02)(c)"/>
             <p>access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement.</p>
+            <link rel="assessment-for" href="#ps-6.2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#ps-6.2_smt"/>
         </part>
         <part id="ps-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48735,11 +51517,14 @@
           <part id="ps-6.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06(03)(a)"/>
             <p>individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;</p>
+            <link rel="assessment-for" href="#ps-6.3_smt.a"/>
           </part>
           <part id="ps-6.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PS-06(03)(b)"/>
             <p>individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.</p>
+            <link rel="assessment-for" href="#ps-6.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ps-6.3_smt"/>
         </part>
         <part id="ps-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48840,23 +51625,29 @@
         <part id="ps-7_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-07a."/>
           <p>personnel security requirements are established, including security roles and responsibilities for external providers;</p>
+          <link rel="assessment-for" href="#ps-7_smt.a"/>
         </part>
         <part id="ps-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-07b."/>
           <p>external providers are required to comply with personnel security policies and procedures established by the organization;</p>
+          <link rel="assessment-for" href="#ps-7_smt.b"/>
         </part>
         <part id="ps-7_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-07c."/>
           <p>personnel security requirements are documented;</p>
+          <link rel="assessment-for" href="#ps-7_smt.c"/>
         </part>
         <part id="ps-7_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-07d."/>
           <p>external providers are required to notify <insert type="param" id-ref="ps-07_odp.01"/> of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within <insert type="param" id-ref="ps-07_odp.02"/>;</p>
+          <link rel="assessment-for" href="#ps-7_smt.d"/>
         </part>
         <part id="ps-7_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-07e."/>
           <p>provider compliance with personnel security requirements is monitored.</p>
+          <link rel="assessment-for" href="#ps-7_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#ps-7_smt"/>
       </part>
       <part id="ps-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48936,11 +51727,14 @@
         <part id="ps-8_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-08a."/>
           <p>a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;</p>
+          <link rel="assessment-for" href="#ps-8_smt.a"/>
         </part>
         <part id="ps-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-08b."/>
           <p><insert type="param" id-ref="ps-08_odp.01"/> is/are notified within <insert type="param" id-ref="ps-08_odp.02"/> when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</p>
+          <link rel="assessment-for" href="#ps-8_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ps-8_smt"/>
       </part>
       <part id="ps-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -48994,11 +51788,14 @@
         <part id="ps-9_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-09[01]"/>
           <p>security roles and responsibilities are incorporated into organizational position descriptions;</p>
+          <link rel="assessment-for" href="#ps-9_smt"/>
         </part>
         <part id="ps-9_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PS-09[02]"/>
           <p>privacy roles and responsibilities are incorporated into organizational position descriptions.</p>
+          <link rel="assessment-for" href="#ps-9_smt"/>
         </part>
+        <link rel="assessment-for" href="#ps-9_smt"/>
       </part>
       <part id="ps-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49158,18 +51955,22 @@
           <part id="pt-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01a.[01]"/>
             <p>a personally identifiable information processing and transparency policy is developed and documented;</p>
+            <link rel="assessment-for" href="#pt-1_smt.a"/>
           </part>
           <part id="pt-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01a.[02]"/>
             <p>the personally identifiable information processing and transparency policy is disseminated to <insert type="param" id-ref="pt-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pt-1_smt.a"/>
           </part>
           <part id="pt-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01a.[03]"/>
             <p>personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;</p>
+            <link rel="assessment-for" href="#pt-1_smt.a"/>
           </part>
           <part id="pt-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01a.[04]"/>
             <p>the personally identifiable information processing and transparency procedures are disseminated to <insert type="param" id-ref="pt-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#pt-1_smt.a"/>
           </part>
           <part id="pt-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01a.01"/>
@@ -49178,41 +51979,53 @@
               <part id="pt-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses purpose;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses scope;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses roles;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
               <part id="pt-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="PT-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy addresses compliance;</p>
+                <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#pt-1_smt.a.1.a"/>
             </part>
             <part id="pt-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-01a.01(b)"/>
               <p>the <insert type="param" id-ref="pt-01_odp.03"/> personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#pt-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#pt-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#pt-1_smt.a"/>
         </part>
         <part id="pt-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-01b."/>
           <p>the <insert type="param" id-ref="pt-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;</p>
+          <link rel="assessment-for" href="#pt-1_smt.b"/>
         </part>
         <part id="pt-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-01c."/>
@@ -49221,24 +52034,32 @@
             <part id="pt-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-01c.01[01]"/>
               <p>the current personally identifiable information processing and transparency policy is reviewed and updated <insert type="param" id-ref="pt-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#pt-1_smt.c.1"/>
             </part>
             <part id="pt-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-01c.01[02]"/>
               <p>the current personally identifiable information processing and transparency policy is reviewed and updated following <insert type="param" id-ref="pt-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#pt-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#pt-1_smt.c.1"/>
           </part>
           <part id="pt-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-01c.02"/>
             <part id="pt-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-01c.02[01]"/>
               <p>the current personally identifiable information processing and transparency procedures are reviewed and updated <insert type="param" id-ref="pt-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#pt-1_smt.c.2"/>
             </part>
             <part id="pt-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-01c.02[02]"/>
               <p>the current personally identifiable information processing and transparency procedures are reviewed and updated following <insert type="param" id-ref="pt-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#pt-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#pt-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#pt-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pt-1_smt"/>
       </part>
       <part id="pt-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49328,11 +52149,14 @@
         <part id="pt-2_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-02a."/>
           <p>the <insert type="param" id-ref="pt-02_odp.01"/> that permits the <insert type="param" id-ref="pt-02_odp.02"/> of personally identifiable information is determined and documented;</p>
+          <link rel="assessment-for" href="#pt-2_smt.a"/>
         </part>
         <part id="pt-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-02b."/>
           <p>the <insert type="param" id-ref="pt-02_odp.03"/> of personally identifiable information is restricted to only that which is authorized.</p>
+          <link rel="assessment-for" href="#pt-2_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#pt-2_smt"/>
       </part>
       <part id="pt-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49403,6 +52227,7 @@
         <part id="pt-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-02(01)"/>
           <p>data tags containing <insert type="param" id-ref="pt-02.01_odp.01"/> are attached to <insert type="param" id-ref="pt-02.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#pt-2.1_smt"/>
         </part>
         <part id="pt-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49470,6 +52295,7 @@
         <part id="pt-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-02(02)"/>
           <p>enforcement of the authorized processing of personally identifiable information is managed using <insert type="param" id-ref="pt-02.02_odp"/>.</p>
+          <link rel="assessment-for" href="#pt-2.2_smt"/>
         </part>
         <part id="pt-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49582,33 +52408,42 @@
         <part id="pt-3_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03a."/>
           <p>the <insert type="param" id-ref="pt-03_odp.01"/> for processing personally identifiable information is/are identified and documented;</p>
+          <link rel="assessment-for" href="#pt-3_smt.a"/>
         </part>
         <part id="pt-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03b."/>
           <part id="pt-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-03b.[01]"/>
             <p>the purpose(s) is/are described in the public privacy notices of the organization;</p>
+            <link rel="assessment-for" href="#pt-3_smt.b"/>
           </part>
           <part id="pt-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-03b.[02]"/>
             <p>the purpose(s) is/are described in the policies of the organization;</p>
+            <link rel="assessment-for" href="#pt-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pt-3_smt.b"/>
         </part>
         <part id="pt-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03c."/>
           <p>the <insert type="param" id-ref="pt-03_odp.02"/> of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);</p>
+          <link rel="assessment-for" href="#pt-3_smt.c"/>
         </part>
         <part id="pt-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03d."/>
           <part id="pt-3_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-03d.[01]"/>
             <p>changes in the processing of personally identifiable information are monitored;</p>
+            <link rel="assessment-for" href="#pt-3_smt.d"/>
           </part>
           <part id="pt-3_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-03d.[02]"/>
             <p><insert type="param" id-ref="pt-03_odp.03"/> are implemented to ensure that any changes are made in accordance with <insert type="param" id-ref="pt-03_odp.04"/>.</p>
+            <link rel="assessment-for" href="#pt-3_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#pt-3_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#pt-3_smt"/>
       </part>
       <part id="pt-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49685,6 +52520,7 @@
         <part id="pt-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03(01)"/>
           <p>data tags containing <insert type="param" id-ref="pt-03.01_odp.01"/> are attached to <insert type="param" id-ref="pt-03.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#pt-3.1_smt"/>
         </part>
         <part id="pt-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49750,6 +52586,7 @@
         <part id="pt-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-03(02)"/>
           <p>the processing purposes of personally identifiable information are tracked using <insert type="param" id-ref="pt-03.02_odp"/>.</p>
+          <link rel="assessment-for" href="#pt-3.2_smt"/>
         </part>
         <part id="pt-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49808,6 +52645,7 @@
       <part id="pt-4_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PT-04"/>
         <p>the <insert type="param" id-ref="pt-04_odp"/> are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.</p>
+        <link rel="assessment-for" href="#pt-4_smt"/>
       </part>
       <part id="pt-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49864,6 +52702,7 @@
         <part id="pt-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-04(01)"/>
           <p><insert type="param" id-ref="pt-04.01_odp"/> are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.</p>
+          <link rel="assessment-for" href="#pt-4.1_smt"/>
         </part>
         <part id="pt-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49937,6 +52776,7 @@
         <part id="pt-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-04(02)"/>
           <p><insert type="param" id-ref="pt-04.02_odp.01"/> are presented to individuals <insert type="param" id-ref="pt-04.02_odp.02"/> and in conjunction with <insert type="param" id-ref="pt-04.02_odp.03"/>.</p>
+          <link rel="assessment-for" href="#pt-4.2_smt"/>
         </part>
         <part id="pt-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -49992,6 +52832,7 @@
         <part id="pt-4.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-04(03)"/>
           <p>the <insert type="param" id-ref="pt-04.03_odp"/> are implemented for individuals to revoke consent to the processing of their personally identifiable information.</p>
+          <link rel="assessment-for" href="#pt-4.3_smt"/>
         </part>
         <part id="pt-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50091,28 +52932,36 @@
           <part id="pt-5_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-05a.[01]"/>
             <p>a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;</p>
+            <link rel="assessment-for" href="#pt-5_smt.a"/>
           </part>
           <part id="pt-5_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-05a.[02]"/>
             <p>a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals <insert type="param" id-ref="pt-05_odp.01"/>;</p>
+            <link rel="assessment-for" href="#pt-5_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pt-5_smt.a"/>
         </part>
         <part id="pt-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05b."/>
           <p>a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;</p>
+          <link rel="assessment-for" href="#pt-5_smt.b"/>
         </part>
         <part id="pt-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05c."/>
           <p>a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;</p>
+          <link rel="assessment-for" href="#pt-5_smt.c"/>
         </part>
         <part id="pt-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05d."/>
           <p>a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;</p>
+          <link rel="assessment-for" href="#pt-5_smt.d"/>
         </part>
         <part id="pt-5_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05e."/>
           <p>a notice to individuals about the processing of personally identifiable information which includes <insert type="param" id-ref="pt-05_odp.02"/> is provided.</p>
+          <link rel="assessment-for" href="#pt-5_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#pt-5_smt"/>
       </part>
       <part id="pt-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50166,6 +53015,7 @@
         <part id="pt-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05(01)"/>
           <p>a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or <insert type="param" id-ref="pt-05.01_odp"/>.</p>
+          <link rel="assessment-for" href="#pt-5.1_smt"/>
         </part>
         <part id="pt-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50212,6 +53062,7 @@
         <part id="pt-5.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-05(02)"/>
           <p>Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.</p>
+          <link rel="assessment-for" href="#pt-5.2_smt"/>
         </part>
         <part id="pt-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50280,20 +53131,26 @@
           <part id="pt-6_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-06a.[01]"/>
             <p>system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;</p>
+            <link rel="assessment-for" href="#pt-6_smt.a"/>
           </part>
           <part id="pt-6_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-06a.[02]"/>
             <p>new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;</p>
+            <link rel="assessment-for" href="#pt-6_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#pt-6_smt.a"/>
         </part>
         <part id="pt-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-06b."/>
           <p>system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;</p>
+          <link rel="assessment-for" href="#pt-6_smt.b"/>
         </part>
         <part id="pt-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-06c."/>
           <p>system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.</p>
+          <link rel="assessment-for" href="#pt-6_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#pt-6_smt"/>
       </part>
       <part id="pt-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50346,6 +53203,7 @@
         <part id="pt-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-06(01)"/>
           <p>all routine uses published in the system of records notice are reviewed <insert type="param" id-ref="pt-06.01_odp"/> to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.</p>
+          <link rel="assessment-for" href="#pt-6.1_smt"/>
         </part>
         <part id="pt-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50400,15 +53258,19 @@
           <part id="pt-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-06(02)[01]"/>
             <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they remain appropriate and necessary in accordance with law;</p>
+            <link rel="assessment-for" href="#pt-6.2_smt"/>
           </part>
           <part id="pt-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-06(02)[02]"/>
             <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they have been promulgated as regulations;</p>
+            <link rel="assessment-for" href="#pt-6.2_smt"/>
           </part>
           <part id="pt-6.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-06(02)[03]"/>
             <p>all Privacy Act exemptions claimed for the system of records are reviewed <insert type="param" id-ref="pt-06.02_odp"/> to ensure that they are accurately described in the system of records notice.</p>
+            <link rel="assessment-for" href="#pt-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#pt-6.2_smt"/>
         </part>
         <part id="pt-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50470,6 +53332,7 @@
       <part id="pt-7_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="PT-07"/>
         <p><insert type="param" id-ref="pt-07_odp"/> are applied for specific categories of personally identifiable information.</p>
+        <link rel="assessment-for" href="#pt-7_smt"/>
       </part>
       <part id="pt-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50535,31 +53398,40 @@
             <part id="pt-7.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-07(01)(a)[01]"/>
               <p>when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;</p>
+              <link rel="assessment-for" href="#pt-7.1_smt.a"/>
             </part>
             <part id="pt-7.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-07(01)(a)[02]"/>
               <p>when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;</p>
+              <link rel="assessment-for" href="#pt-7.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#pt-7.1_smt.a"/>
           </part>
           <part id="pt-7.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-07(01)(b)"/>
             <p>when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;</p>
+            <link rel="assessment-for" href="#pt-7.1_smt.b"/>
           </part>
           <part id="pt-7.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-07(01)(c)"/>
             <part id="pt-7.1_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-07(01)(c)[01]"/>
               <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;</p>
+              <link rel="assessment-for" href="#pt-7.1_smt.c"/>
             </part>
             <part id="pt-7.1_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-07(01)(c)[02]"/>
               <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;</p>
+              <link rel="assessment-for" href="#pt-7.1_smt.c"/>
             </part>
             <part id="pt-7.1_obj.c-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="PT-07(01)(c)[03]"/>
               <p>when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.</p>
+              <link rel="assessment-for" href="#pt-7.1_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#pt-7.1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#pt-7.1_smt"/>
         </part>
         <part id="pt-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50607,6 +53479,7 @@
         <part id="pt-7.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-07(02)"/>
           <p>the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.</p>
+          <link rel="assessment-for" href="#pt-7.2_smt"/>
         </part>
         <part id="pt-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50678,37 +53551,47 @@
         <part id="pt-8_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-08a."/>
           <p>approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;</p>
+          <link rel="assessment-for" href="#pt-8_smt.a"/>
         </part>
         <part id="pt-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-08b."/>
           <part id="pt-8_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-08b.[01]"/>
             <p>a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;</p>
+            <link rel="assessment-for" href="#pt-8_smt.b"/>
           </part>
           <part id="pt-8_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-08b.[02]"/>
             <p>a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;</p>
+            <link rel="assessment-for" href="#pt-8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#pt-8_smt.b"/>
         </part>
         <part id="pt-8_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-08c."/>
           <p>a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;</p>
+          <link rel="assessment-for" href="#pt-8_smt.c"/>
         </part>
         <part id="pt-8_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-08d."/>
           <p>the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;</p>
+          <link rel="assessment-for" href="#pt-8_smt.d"/>
         </part>
         <part id="pt-8_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="PT-08e."/>
           <part id="pt-8_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-08e.[01]"/>
             <p>individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;</p>
+            <link rel="assessment-for" href="#pt-8_smt.e"/>
           </part>
           <part id="pt-8_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="PT-08e.[02]"/>
             <p>individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.</p>
+            <link rel="assessment-for" href="#pt-8_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#pt-8_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#pt-8_smt"/>
       </part>
       <part id="pt-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -50878,18 +53761,22 @@
           <part id="ra-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01a.[01]"/>
             <p>a risk assessment policy is developed and documented;</p>
+            <link rel="assessment-for" href="#ra-1_smt.a"/>
           </part>
           <part id="ra-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01a.[02]"/>
             <p>the risk assessment policy is disseminated to <insert type="param" id-ref="ra-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#ra-1_smt.a"/>
           </part>
           <part id="ra-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01a.[03]"/>
             <p>risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;</p>
+            <link rel="assessment-for" href="#ra-1_smt.a"/>
           </part>
           <part id="ra-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01a.[04]"/>
             <p>the risk assessment procedures are disseminated to <insert type="param" id-ref="ra-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ra-1_smt.a"/>
           </part>
           <part id="ra-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01a.01"/>
@@ -50898,41 +53785,53 @@
               <part id="ra-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses purpose;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses scope;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses roles;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
               <part id="ra-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="RA-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy addresses compliance;</p>
+                <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#ra-1_smt.a.1.a"/>
             </part>
             <part id="ra-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="RA-01a.01(b)"/>
               <p>the <insert type="param" id-ref="ra-01_odp.03"/> risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#ra-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#ra-1_smt.a"/>
         </part>
         <part id="ra-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-01b."/>
           <p>the <insert type="param" id-ref="ra-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;</p>
+          <link rel="assessment-for" href="#ra-1_smt.b"/>
         </part>
         <part id="ra-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-01c."/>
@@ -50941,24 +53840,32 @@
             <part id="ra-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="RA-01c.01[01]"/>
               <p>the current risk assessment policy is reviewed and updated <insert type="param" id-ref="ra-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#ra-1_smt.c.1"/>
             </part>
             <part id="ra-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="RA-01c.01[02]"/>
               <p>the current risk assessment policy is reviewed and updated following <insert type="param" id-ref="ra-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#ra-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt.c.1"/>
           </part>
           <part id="ra-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-01c.02"/>
             <part id="ra-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="RA-01c.02[01]"/>
               <p>the current risk assessment procedures are reviewed and updated <insert type="param" id-ref="ra-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#ra-1_smt.c.2"/>
             </part>
             <part id="ra-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="RA-01c.02[02]"/>
               <p>the current risk assessment procedures are reviewed and updated following <insert type="param" id-ref="ra-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#ra-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#ra-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#ra-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ra-1_smt"/>
       </part>
       <part id="ra-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51033,15 +53940,19 @@
         <part id="ra-2_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-02a."/>
           <p>the system and the information it processes, stores, and transmits are categorized;</p>
+          <link rel="assessment-for" href="#ra-2_smt.a"/>
         </part>
         <part id="ra-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-02b."/>
           <p>the security categorization results, including supporting rationale, are documented in the security plan for the system;</p>
+          <link rel="assessment-for" href="#ra-2_smt.b"/>
         </part>
         <part id="ra-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-02c."/>
           <p>the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p>
+          <link rel="assessment-for" href="#ra-2_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#ra-2_smt"/>
       </part>
       <part id="ra-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51087,6 +53998,7 @@
         <part id="ra-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-02(01)"/>
           <p>an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.</p>
+          <link rel="assessment-for" href="#ra-2.1_smt"/>
         </part>
         <part id="ra-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51249,36 +54161,46 @@
           <part id="ra-3_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03a.01"/>
             <p>a risk assessment is conducted to identify threats to and vulnerabilities in the system;</p>
+            <link rel="assessment-for" href="#ra-3_smt.a.1"/>
           </part>
           <part id="ra-3_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03a.02"/>
             <p>a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;</p>
+            <link rel="assessment-for" href="#ra-3_smt.a.2"/>
           </part>
           <part id="ra-3_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03a.03"/>
             <p>a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</p>
+            <link rel="assessment-for" href="#ra-3_smt.a.3"/>
           </part>
+          <link rel="assessment-for" href="#ra-3_smt.a"/>
         </part>
         <part id="ra-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03b."/>
           <p>risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;</p>
+          <link rel="assessment-for" href="#ra-3_smt.b"/>
         </part>
         <part id="ra-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03c."/>
           <p>risk assessment results are documented in <insert type="param" id-ref="ra-03_odp.01"/>;</p>
+          <link rel="assessment-for" href="#ra-3_smt.c"/>
         </part>
         <part id="ra-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03d."/>
           <p>risk assessment results are reviewed <insert type="param" id-ref="ra-03_odp.03"/>;</p>
+          <link rel="assessment-for" href="#ra-3_smt.d"/>
         </part>
         <part id="ra-3_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03e."/>
           <p>risk assessment results are disseminated to <insert type="param" id-ref="ra-03_odp.04"/>;</p>
+          <link rel="assessment-for" href="#ra-3_smt.e"/>
         </part>
         <part id="ra-3_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03f."/>
           <p>the risk assessment is updated <insert type="param" id-ref="ra-03_odp.05"/> or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</p>
+          <link rel="assessment-for" href="#ra-3_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#ra-3_smt"/>
       </part>
       <part id="ra-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51360,11 +54282,14 @@
           <part id="ra-3.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03(01)(a)"/>
             <p>supply chain risks associated with <insert type="param" id-ref="ra-03.01_odp.01"/> are assessed;</p>
+            <link rel="assessment-for" href="#ra-3.1_smt.a"/>
           </part>
           <part id="ra-3.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03(01)(b)"/>
             <p>the supply chain risk assessment is updated <insert type="param" id-ref="ra-03.01_odp.02"/> , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</p>
+            <link rel="assessment-for" href="#ra-3.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ra-3.1_smt"/>
         </part>
         <part id="ra-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51420,6 +54345,7 @@
         <part id="ra-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03(02)"/>
           <p>all-source intelligence is used to assist in the analysis of risk.</p>
+          <link rel="assessment-for" href="#ra-3.2_smt"/>
         </part>
         <part id="ra-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51480,6 +54406,7 @@
         <part id="ra-3.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-03(03)"/>
           <p>the current cyber threat environment is determined on an ongoing basis using <insert type="param" id-ref="ra-03.03_odp"/>.</p>
+          <link rel="assessment-for" href="#ra-3.3_smt"/>
         </part>
         <part id="ra-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51560,11 +54487,14 @@
           <part id="ra-3.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03(04)[01]"/>
             <p><insert type="param" id-ref="ra-03.04_odp.01"/> are employed to predict and identify risks to <insert type="param" id-ref="ra-03.04_odp.02"/>;</p>
+            <link rel="assessment-for" href="#ra-3.4_smt"/>
           </part>
           <part id="ra-3.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-03(04)[02]"/>
             <p><insert type="param" id-ref="ra-03.04_odp.03"/> are employed to predict and identify risks to <insert type="param" id-ref="ra-03.04_odp.02"/>.</p>
+            <link rel="assessment-for" href="#ra-3.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#ra-3.4_smt"/>
         </part>
         <part id="ra-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51727,11 +54657,14 @@
           <part id="ra-5_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05a.[01]"/>
             <p>systems and hosted applications are monitored for vulnerabilities <insert type="param" id-ref="ra-05_odp.01"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+            <link rel="assessment-for" href="#ra-5_smt.a"/>
           </part>
           <part id="ra-5_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05a.[02]"/>
             <p>systems and hosted applications are scanned for vulnerabilities <insert type="param" id-ref="ra-05_odp.02"/> and when new vulnerabilities potentially affecting the system are identified and reported;</p>
+            <link rel="assessment-for" href="#ra-5_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#ra-5_smt.a"/>
         </part>
         <part id="ra-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05b."/>
@@ -51739,32 +54672,41 @@
           <part id="ra-5_obj.b.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05b.01"/>
             <p>vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;</p>
+            <link rel="assessment-for" href="#ra-5_smt.b.1"/>
           </part>
           <part id="ra-5_obj.b.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05b.02"/>
             <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;</p>
+            <link rel="assessment-for" href="#ra-5_smt.b.2"/>
           </part>
           <part id="ra-5_obj.b.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05b.03"/>
             <p>vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;</p>
+            <link rel="assessment-for" href="#ra-5_smt.b.3"/>
           </part>
+          <link rel="assessment-for" href="#ra-5_smt.b"/>
         </part>
         <part id="ra-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05c."/>
           <p>vulnerability scan reports and results from vulnerability monitoring are analyzed;</p>
+          <link rel="assessment-for" href="#ra-5_smt.c"/>
         </part>
         <part id="ra-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05d."/>
           <p>legitimate vulnerabilities are remediated <insert type="param" id-ref="ra-05_odp.03"/> in accordance with an organizational assessment of risk;</p>
+          <link rel="assessment-for" href="#ra-5_smt.d"/>
         </part>
         <part id="ra-5_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05e."/>
           <p>information obtained from the vulnerability monitoring process and control assessments is shared with <insert type="param" id-ref="ra-05_odp.04"/> to help eliminate similar vulnerabilities in other systems;</p>
+          <link rel="assessment-for" href="#ra-5_smt.e"/>
         </part>
         <part id="ra-5_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05f."/>
           <p>vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.</p>
+          <link rel="assessment-for" href="#ra-5_smt.f"/>
         </part>
+        <link rel="assessment-for" href="#ra-5_smt"/>
       </part>
       <part id="ra-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51843,6 +54785,7 @@
         <part id="ra-5.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(02)"/>
           <p>the system vulnerabilities to be scanned are updated <insert type="param" id-ref="ra-05.02_odp.01"/>.</p>
+          <link rel="assessment-for" href="#ra-5.2_smt"/>
         </part>
         <part id="ra-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51893,6 +54836,7 @@
         <part id="ra-5.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(03)"/>
           <p>the breadth and depth of vulnerability scanning coverage are defined.</p>
+          <link rel="assessment-for" href="#ra-5.3_smt"/>
         </part>
         <part id="ra-5.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -51954,11 +54898,14 @@
           <part id="ra-5.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05(04)[01]"/>
             <p>information about the system is discoverable;</p>
+            <link rel="assessment-for" href="#ra-5.4_smt"/>
           </part>
           <part id="ra-5.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-05(04)[02]"/>
             <p><insert type="param" id-ref="ra-05.04_odp"/> are taken when information about the system is confirmed as discoverable.</p>
+            <link rel="assessment-for" href="#ra-5.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#ra-5.4_smt"/>
         </part>
         <part id="ra-5.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52033,6 +54980,7 @@
         <part id="ra-5.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(05)"/>
           <p>privileged access authorization is implemented to <insert type="param" id-ref="ra-05.05_odp.01"/> for <insert type="param" id-ref="ra-05.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ra-5.5_smt"/>
         </part>
         <part id="ra-5.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52098,6 +55046,7 @@
         <part id="ra-5.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(06)"/>
           <p>the results of multiple vulnerability scans are compared using <insert type="param" id-ref="ra-05.06_odp"/>.</p>
+          <link rel="assessment-for" href="#ra-5.6_smt"/>
         </part>
         <part id="ra-5.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52174,6 +55123,7 @@
         <part id="ra-5.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(08)"/>
           <p>historic audit logs are reviewed to determine if a vulnerability identified in a <insert type="param" id-ref="ra-05.08_odp.01"/> has been previously exploited within <insert type="param" id-ref="ra-05.08_odp.02"/>.</p>
+          <link rel="assessment-for" href="#ra-5.8_smt"/>
         </part>
         <part id="ra-5.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52236,6 +55186,7 @@
         <part id="ra-5.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(10)"/>
           <p>the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.</p>
+          <link rel="assessment-for" href="#ra-5.10_smt"/>
         </part>
         <part id="ra-5.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52289,6 +55240,7 @@
         <part id="ra-5.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-05(11)"/>
           <p>a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.</p>
+          <link rel="assessment-for" href="#ra-5.11_smt"/>
         </part>
         <part id="ra-5.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52374,6 +55326,7 @@
       <part id="ra-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="RA-06"/>
         <p>a technical surveillance countermeasures survey is employed at <insert type="param" id-ref="ra-06_odp.01"/> <insert type="param" id-ref="ra-06_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ra-6_smt"/>
       </part>
       <part id="ra-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52435,19 +55388,24 @@
         <part id="ra-7_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-07[01]"/>
           <p>findings from security assessments are responded to in accordance with organizational risk tolerance;</p>
+          <link rel="assessment-for" href="#ra-7_smt"/>
         </part>
         <part id="ra-7_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-07[02]"/>
           <p>findings from privacy assessments are responded to in accordance with organizational risk tolerance;</p>
+          <link rel="assessment-for" href="#ra-7_smt"/>
         </part>
         <part id="ra-7_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-07[03]"/>
           <p>findings from monitoring are responded to in accordance with organizational risk tolerance;</p>
+          <link rel="assessment-for" href="#ra-7_smt"/>
         </part>
         <part id="ra-7_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-07[04]"/>
           <p>findings from audits are responded to in accordance with organizational risk tolerance.</p>
+          <link rel="assessment-for" href="#ra-7_smt"/>
         </part>
+        <link rel="assessment-for" href="#ra-7_smt"/>
       </part>
       <part id="ra-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52528,18 +55486,23 @@
         <part id="ra-8_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-08a."/>
           <p>privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;</p>
+          <link rel="assessment-for" href="#ra-8_smt.a"/>
         </part>
         <part id="ra-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-08b."/>
           <part id="ra-8_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-08b.[01]"/>
             <p>privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;</p>
+            <link rel="assessment-for" href="#ra-8_smt.b"/>
           </part>
           <part id="ra-8_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-08b.[02]"/>
             <p>privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.</p>
+            <link rel="assessment-for" href="#ra-8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#ra-8_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ra-8_smt"/>
       </part>
       <part id="ra-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52619,6 +55582,7 @@
       <part id="ra-9_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="RA-09"/>
         <p>critical system components and functions are identified by performing a criticality analysis for <insert type="param" id-ref="ra-09_odp.01"/> at <insert type="param" id-ref="ra-09_odp.02"/>.</p>
+        <link rel="assessment-for" href="#ra-9_smt"/>
       </part>
       <part id="ra-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52704,16 +55668,21 @@
           <part id="ra-10_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-10a.01"/>
             <p>a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;</p>
+            <link rel="assessment-for" href="#ra-10_smt.a.1"/>
           </part>
           <part id="ra-10_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="RA-10a.02"/>
             <p>a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;</p>
+            <link rel="assessment-for" href="#ra-10_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#ra-10_smt.a"/>
         </part>
         <part id="ra-10_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="RA-10b."/>
           <p>the threat hunting capability is employed <insert type="param" id-ref="ra-10_odp"/>.</p>
+          <link rel="assessment-for" href="#ra-10_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#ra-10_smt"/>
       </part>
       <part id="ra-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -52881,18 +55850,22 @@
           <part id="sa-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01a.[01]"/>
             <p>a system and services acquisition policy is developed and documented;</p>
+            <link rel="assessment-for" href="#sa-1_smt.a"/>
           </part>
           <part id="sa-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01a.[02]"/>
             <p>the system and services acquisition policy is disseminated to <insert type="param" id-ref="sa-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-1_smt.a"/>
           </part>
           <part id="sa-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01a.[03]"/>
             <p>system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;</p>
+            <link rel="assessment-for" href="#sa-1_smt.a"/>
           </part>
           <part id="sa-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01a.[04]"/>
             <p>the system and services acquisition procedures are disseminated to <insert type="param" id-ref="sa-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-1_smt.a"/>
           </part>
           <part id="sa-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01a.01"/>
@@ -52901,41 +55874,53 @@
               <part id="sa-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses purpose;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses scope;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses roles;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
               <part id="sa-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SA-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy addresses compliance;</p>
+                <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#sa-1_smt.a.1.a"/>
             </part>
             <part id="sa-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-01a.01(b)"/>
               <p>the <insert type="param" id-ref="sa-01_odp.03"/> system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#sa-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#sa-1_smt.a"/>
         </part>
         <part id="sa-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-01b."/>
           <p>the <insert type="param" id-ref="sa-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;</p>
+          <link rel="assessment-for" href="#sa-1_smt.b"/>
         </part>
         <part id="sa-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-01c."/>
@@ -52944,24 +55929,32 @@
             <part id="sa-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-01c.01[01]"/>
               <p>the system and services acquisition policy is reviewed and updated <insert type="param" id-ref="sa-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#sa-1_smt.c.1"/>
             </part>
             <part id="sa-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-01c.01[02]"/>
               <p>the current system and services acquisition policy is reviewed and updated following <insert type="param" id-ref="sa-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#sa-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt.c.1"/>
           </part>
           <part id="sa-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-01c.02"/>
             <part id="sa-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-01c.02[01]"/>
               <p>the current system and services acquisition procedures are reviewed and updated <insert type="param" id-ref="sa-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#sa-1_smt.c.2"/>
             </part>
             <part id="sa-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-01c.02[02]"/>
               <p>the current system and services acquisition procedures are reviewed and updated following <insert type="param" id-ref="sa-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#sa-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#sa-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#sa-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sa-1_smt"/>
       </part>
       <part id="sa-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53027,34 +56020,44 @@
           <part id="sa-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02a.[01]"/>
             <p>the high-level information security requirements for the system or system service are determined in mission and business process planning;</p>
+            <link rel="assessment-for" href="#sa-2_smt.a"/>
           </part>
           <part id="sa-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02a.[02]"/>
             <p>the high-level privacy requirements for the system or system service are determined in mission and business process planning;</p>
+            <link rel="assessment-for" href="#sa-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-2_smt.a"/>
         </part>
         <part id="sa-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-02b."/>
           <part id="sa-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02b.[01]"/>
             <p>the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;</p>
+            <link rel="assessment-for" href="#sa-2_smt.b"/>
           </part>
           <part id="sa-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02b.[02]"/>
             <p>the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;</p>
+            <link rel="assessment-for" href="#sa-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-2_smt.b"/>
         </part>
         <part id="sa-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-02c."/>
           <part id="sa-2_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02c.[01]"/>
             <p>a discrete line item for information security is established in organizational programming and budgeting documentation;</p>
+            <link rel="assessment-for" href="#sa-2_smt.c"/>
           </part>
           <part id="sa-2_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-02c.[02]"/>
             <p>a discrete line item for privacy is established in organizational programming and budgeting documentation.</p>
+            <link rel="assessment-for" href="#sa-2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-2_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sa-2_smt"/>
       </part>
       <part id="sa-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53156,45 +56159,58 @@
           <part id="sa-3_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03a.[01]"/>
             <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates information security considerations;</p>
+            <link rel="assessment-for" href="#sa-3_smt.a"/>
           </part>
           <part id="sa-3_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03a.[02]"/>
             <p>the system is acquired, developed, and managed using <insert type="param" id-ref="sa-03_odp"/> that incorporates privacy considerations;</p>
+            <link rel="assessment-for" href="#sa-3_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-3_smt.a"/>
         </part>
         <part id="sa-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-03b."/>
           <part id="sa-3_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03b.[01]"/>
             <p>information security roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+            <link rel="assessment-for" href="#sa-3_smt.b"/>
           </part>
           <part id="sa-3_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03b.[02]"/>
             <p>privacy roles and responsibilities are defined and documented throughout the system development life cycle;</p>
+            <link rel="assessment-for" href="#sa-3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-3_smt.b"/>
         </part>
         <part id="sa-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-03c."/>
           <part id="sa-3_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03c.[01]"/>
             <p>individuals with information security roles and responsibilities are identified;</p>
+            <link rel="assessment-for" href="#sa-3_smt.c"/>
           </part>
           <part id="sa-3_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03c.[02]"/>
             <p>individuals with privacy roles and responsibilities are identified;</p>
+            <link rel="assessment-for" href="#sa-3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-3_smt.c"/>
         </part>
         <part id="sa-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-03d."/>
           <part id="sa-3_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03d.[01]"/>
             <p>organizational information security risk management processes are integrated into system development life cycle activities;</p>
+            <link rel="assessment-for" href="#sa-3_smt.d"/>
           </part>
           <part id="sa-3_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03d.[02]"/>
             <p>organizational privacy risk management processes are integrated into system development life cycle activities.</p>
+            <link rel="assessment-for" href="#sa-3_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sa-3_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#sa-3_smt"/>
       </part>
       <part id="sa-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53256,6 +56272,7 @@
         <part id="sa-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-03(01)"/>
           <p>system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.</p>
+          <link rel="assessment-for" href="#sa-3.1_smt"/>
         </part>
         <part id="sa-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53321,20 +56338,26 @@
             <part id="sa-3.2_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-03(02)a.[01]"/>
               <p>the use of live data in pre-production environments is approved for the system, system component, or system service;</p>
+              <link rel="assessment-for" href="#sa-3.2_smt.a"/>
             </part>
             <part id="sa-3.2_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-03(02)a.[02]"/>
               <p>the use of live data in pre-production environments is documented for the system, system component, or system service;</p>
+              <link rel="assessment-for" href="#sa-3.2_smt.a"/>
             </part>
             <part id="sa-3.2_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-03(02)a.[03]"/>
               <p>the use of live data in pre-production environments is controlled for the system, system component, or system service;</p>
+              <link rel="assessment-for" href="#sa-3.2_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-3.2_smt.a"/>
           </part>
           <part id="sa-3.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03(02)b."/>
             <p>pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.</p>
+            <link rel="assessment-for" href="#sa-3.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-3.2_smt"/>
         </part>
         <part id="sa-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53393,11 +56416,14 @@
           <part id="sa-3.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03(03)[01]"/>
             <p>a technology refresh schedule is planned for the system throughout the system development life cycle;</p>
+            <link rel="assessment-for" href="#sa-3.3_smt"/>
           </part>
           <part id="sa-3.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-03(03)[02]"/>
             <p>a technology refresh schedule is implemented for the system throughout the system development life cycle.</p>
+            <link rel="assessment-for" href="#sa-3.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-3.3_smt"/>
         </part>
         <part id="sa-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53545,83 +56571,106 @@
           <part id="sa-4_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04a.[01]"/>
             <p>security functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.a"/>
           </part>
           <part id="sa-4_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04a.[02]"/>
             <p>privacy functional requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.a"/>
         </part>
         <part id="sa-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04b."/>
           <p>strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+          <link rel="assessment-for" href="#sa-4_smt.b"/>
         </part>
         <part id="sa-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04c."/>
           <part id="sa-4_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04c.[01]"/>
             <p>security assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.c"/>
           </part>
           <part id="sa-4_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04c.[02]"/>
             <p>privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.c"/>
         </part>
         <part id="sa-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04d."/>
           <part id="sa-4_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04d.[01]"/>
             <p>controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.d"/>
           </part>
           <part id="sa-4_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04d.[02]"/>
             <p>controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.d"/>
         </part>
         <part id="sa-4_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04e."/>
           <part id="sa-4_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04e.[01]"/>
             <p>security documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.e"/>
           </part>
           <part id="sa-4_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04e.[02]"/>
             <p>privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.e"/>
         </part>
         <part id="sa-4_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04f."/>
           <part id="sa-4_obj.f-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04f.[01]"/>
             <p>requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.f"/>
           </part>
           <part id="sa-4_obj.f-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04f.[02]"/>
             <p>requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.f"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.f"/>
         </part>
         <part id="sa-4_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04g."/>
           <p>the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+          <link rel="assessment-for" href="#sa-4_smt.g"/>
         </part>
         <part id="sa-4_obj.h" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04h."/>
           <part id="sa-4_obj.h-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04h.[01]"/>
             <p>the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service;</p>
+            <link rel="assessment-for" href="#sa-4_smt.h"/>
           </part>
           <part id="sa-4_obj.h-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04h.[02]"/>
             <p>the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-4_smt.h"/>
           </part>
           <part id="sa-4_obj.h-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04h.[03]"/>
             <p>the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-4_smt.h"/>
           </part>
+          <link rel="assessment-for" href="#sa-4_smt.h"/>
         </part>
         <part id="sa-4_obj.i" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04i."/>
           <p>acceptance criteria requirements and descriptions are included explicitly or by reference using <insert type="param" id-ref="sa-04_odp.01"/> in the acquisition contract for the system, system component, or system service.</p>
+          <link rel="assessment-for" href="#sa-4_smt.i"/>
         </part>
+        <link rel="assessment-for" href="#sa-4_smt"/>
       </part>
       <part id="sa-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53675,6 +56724,7 @@
         <part id="sa-4.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04(01)"/>
           <p>the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.</p>
+          <link rel="assessment-for" href="#sa-4.1_smt"/>
         </part>
         <part id="sa-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53754,6 +56804,7 @@
         <part id="sa-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04(02)"/>
           <p>the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using <insert type="param" id-ref="sa-04.02_odp.01"/> at <insert type="param" id-ref="sa-04.02_odp.03"/>.</p>
+          <link rel="assessment-for" href="#sa-4.2_smt"/>
         </part>
         <part id="sa-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53883,15 +56934,19 @@
           <part id="sa-4.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(03)(a)"/>
             <p>the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes <insert type="param" id-ref="sa-04.03_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-4.3_smt.a"/>
           </part>
           <part id="sa-4.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(03)(b)"/>
             <p>the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes <insert type="param" id-ref="sa-04.03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-4.3_smt.b"/>
           </part>
           <part id="sa-4.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(03)(c)"/>
             <p>the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes <insert type="param" id-ref="sa-04.03_odp.05"/>.</p>
+            <link rel="assessment-for" href="#sa-4.3_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.3_smt"/>
         </part>
         <part id="sa-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -53973,11 +57028,14 @@
           <part id="sa-4.5_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(05)(a)"/>
             <p>the developer of the system, system component, or system service is required to deliver the system, component, or service with <insert type="param" id-ref="sa-04.05_odp"/> implemented;</p>
+            <link rel="assessment-for" href="#sa-4.5_smt.a"/>
           </part>
           <part id="sa-4.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(05)(b)"/>
             <p>the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.</p>
+            <link rel="assessment-for" href="#sa-4.5_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.5_smt"/>
         </part>
         <part id="sa-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54041,11 +57099,14 @@
           <part id="sa-4.6_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(06)(a)"/>
             <p>only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;</p>
+            <link rel="assessment-for" href="#sa-4.6_smt.a"/>
           </part>
           <part id="sa-4.6_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(06)(b)"/>
             <p>these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.</p>
+            <link rel="assessment-for" href="#sa-4.6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.6_smt"/>
         </part>
         <part id="sa-4.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54112,11 +57173,14 @@
           <part id="sa-4.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(07)(a)"/>
             <p>the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;</p>
+            <link rel="assessment-for" href="#sa-4.7_smt.a"/>
           </part>
           <part id="sa-4.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(07)(b)"/>
             <p>if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.</p>
+            <link rel="assessment-for" href="#sa-4.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.7_smt"/>
         </part>
         <part id="sa-4.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54171,6 +57235,7 @@
         <part id="sa-4.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04(08)"/>
           <p>the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.</p>
+          <link rel="assessment-for" href="#sa-4.8_smt"/>
         </part>
         <part id="sa-4.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54229,19 +57294,24 @@
           <part id="sa-4.9_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(09)[01]"/>
             <p>the developer of the system, system component, or system service is required to identify the functions intended for organizational use;</p>
+            <link rel="assessment-for" href="#sa-4.9_smt"/>
           </part>
           <part id="sa-4.9_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(09)[02]"/>
             <p>the developer of the system, system component, or system service is required to identify the ports intended for organizational use;</p>
+            <link rel="assessment-for" href="#sa-4.9_smt"/>
           </part>
           <part id="sa-4.9_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(09)[03]"/>
             <p>the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;</p>
+            <link rel="assessment-for" href="#sa-4.9_smt"/>
           </part>
           <part id="sa-4.9_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(09)[04]"/>
             <p>the developer of the system, system component, or system service is required to identify the services intended for organizational use.</p>
+            <link rel="assessment-for" href="#sa-4.9_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.9_smt"/>
         </part>
         <part id="sa-4.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54293,6 +57363,7 @@
         <part id="sa-4.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04(10)"/>
           <p>only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.</p>
+          <link rel="assessment-for" href="#sa-4.10_smt"/>
         </part>
         <part id="sa-4.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54354,6 +57425,7 @@
         <part id="sa-4.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-04(11)"/>
           <p><insert type="param" id-ref="sa-04.11_odp"/> are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.</p>
+          <link rel="assessment-for" href="#sa-4.11_smt"/>
         </part>
         <part id="sa-4.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54426,11 +57498,14 @@
           <part id="sa-4.12_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(12)(a)"/>
             <p>organizational data ownership requirements are included in the acquisition contract;</p>
+            <link rel="assessment-for" href="#sa-4.12_smt.a"/>
           </part>
           <part id="sa-4.12_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-04(12)(b)"/>
             <p>all data to be removed from the contractor’s system and returned to the organization is required within <insert type="param" id-ref="sa-04.12_odp"/>.</p>
+            <link rel="assessment-for" href="#sa-4.12_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-4.12_smt"/>
         </part>
         <part id="sa-4.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54571,46 +57646,59 @@
             <part id="sa-5_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.01[01]"/>
               <p>administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.1"/>
             </part>
             <part id="sa-5_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.01[02]"/>
               <p>administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.1"/>
             </part>
             <part id="sa-5_obj.a.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.01[03]"/>
               <p>administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.a.1"/>
           </part>
           <part id="sa-5_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05a.02"/>
             <part id="sa-5_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.02[01]"/>
               <p>administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.2"/>
             </part>
             <part id="sa-5_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.02[02]"/>
               <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.2"/>
             </part>
             <part id="sa-5_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.02[03]"/>
               <p>administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.2"/>
             </part>
             <part id="sa-5_obj.a.2-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.02[04]"/>
               <p>administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.a.2"/>
           </part>
           <part id="sa-5_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05a.03"/>
             <part id="sa-5_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.03[01]"/>
               <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.3"/>
             </part>
             <part id="sa-5_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05a.03[02]"/>
               <p>administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.a.3"/>
           </part>
+          <link rel="assessment-for" href="#sa-5_smt.a"/>
         </part>
         <part id="sa-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-05b."/>
@@ -54619,58 +57707,75 @@
             <part id="sa-5_obj.b.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.01[01]"/>
               <p>user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.1"/>
             </part>
             <part id="sa-5_obj.b.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.01[02]"/>
               <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.1"/>
             </part>
             <part id="sa-5_obj.b.1-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.01[03]"/>
               <p>user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.1"/>
             </part>
             <part id="sa-5_obj.b.1-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.01[04]"/>
               <p>user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.1"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.b.1"/>
           </part>
           <part id="sa-5_obj.b.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05b.02"/>
             <part id="sa-5_obj.b.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.02[01]"/>
               <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.2"/>
             </part>
             <part id="sa-5_obj.b.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.02[02]"/>
               <p>user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.2"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.b.2"/>
           </part>
           <part id="sa-5_obj.b.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05b.03"/>
             <part id="sa-5_obj.b.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.03[01]"/>
               <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.3"/>
             </part>
             <part id="sa-5_obj.b.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-05b.03[02]"/>
               <p>user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;</p>
+              <link rel="assessment-for" href="#sa-5_smt.b.3"/>
             </part>
+            <link rel="assessment-for" href="#sa-5_smt.b.3"/>
           </part>
+          <link rel="assessment-for" href="#sa-5_smt.b"/>
         </part>
         <part id="sa-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-05c."/>
           <part id="sa-5_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05c.[01]"/>
             <p>attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;</p>
+            <link rel="assessment-for" href="#sa-5_smt.c"/>
           </part>
           <part id="sa-5_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-05c.[02]"/>
             <p>after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, <insert type="param" id-ref="sa-05_odp.01"/> are taken in response;</p>
+            <link rel="assessment-for" href="#sa-5_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-5_smt.c"/>
         </part>
         <part id="sa-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-05d."/>
           <p>documentation is distributed to <insert type="param" id-ref="sa-05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sa-5_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#sa-5_smt"/>
       </part>
       <part id="sa-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54835,43 +57940,54 @@
         <part id="sa-8_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[01]"/>
           <p><insert type="param" id-ref="sa-08_odp.01"/> are applied in the specification of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[02]"/>
           <p><insert type="param" id-ref="sa-08_odp.01"/> are applied in the design of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[03]"/>
           <p><insert type="param" id-ref="sa-08_odp.01"/> are applied in the development of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[04]"/>
           <p><insert type="param" id-ref="sa-08_odp.01"/> are applied in the implementation of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-5" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[05]"/>
           <p><insert type="param" id-ref="sa-08_odp.01"/> are applied in the modification of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-6" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[06]"/>
           <p><insert type="param" id-ref="sa-08_odp.02"/> are applied in the specification of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-7" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[07]"/>
           <p><insert type="param" id-ref="sa-08_odp.02"/> are applied in the design of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-8" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[08]"/>
           <p><insert type="param" id-ref="sa-08_odp.02"/> are applied in the development of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-9" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[09]"/>
           <p><insert type="param" id-ref="sa-08_odp.02"/> are applied in the implementation of the system and system components;</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
         <part id="sa-8_obj-10" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08[10]"/>
           <p><insert type="param" id-ref="sa-08_odp.02"/> are applied in the modification of the system and system components.</p>
+          <link rel="assessment-for" href="#sa-8_smt"/>
         </part>
+        <link rel="assessment-for" href="#sa-8_smt"/>
       </part>
       <part id="sa-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54926,6 +58042,7 @@
         <part id="sa-8.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(01)"/>
           <p>the security design principle of clear abstractions is implemented.</p>
+          <link rel="assessment-for" href="#sa-8.1_smt"/>
         </part>
         <part id="sa-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -54985,6 +58102,7 @@
         <part id="sa-8.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(02)"/>
           <p><insert type="param" id-ref="sa-08.02_odp"/> implement the security design principle of least common mechanism.</p>
+          <link rel="assessment-for" href="#sa-8.2_smt"/>
         </part>
         <part id="sa-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55059,11 +58177,14 @@
           <part id="sa-8.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(03)[01]"/>
             <p><insert type="param" id-ref="sa-08.03_odp.01"/> implement the security design principle of modularity;</p>
+            <link rel="assessment-for" href="#sa-8.3_smt"/>
           </part>
           <part id="sa-8.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(03)[02]"/>
             <p><insert type="param" id-ref="sa-08.03_odp.02"/> implement the security design principle of layering.</p>
+            <link rel="assessment-for" href="#sa-8.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-8.3_smt"/>
         </part>
         <part id="sa-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55124,6 +58245,7 @@
         <part id="sa-8.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(04)"/>
           <p><insert type="param" id-ref="sa-08.04_odp"/> implement the security design principle of partially ordered dependencies.</p>
+          <link rel="assessment-for" href="#sa-8.4_smt"/>
         </part>
         <part id="sa-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55184,6 +58306,7 @@
         <part id="sa-8.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(05)"/>
           <p><insert type="param" id-ref="sa-08.05_odp"/> implement the security design principle of efficiently mediated access.</p>
+          <link rel="assessment-for" href="#sa-8.5_smt"/>
         </part>
         <part id="sa-8.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55245,6 +58368,7 @@
         <part id="sa-8.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(06)"/>
           <p><insert type="param" id-ref="sa-08.06_odp"/> implement the security design principle of minimized sharing.</p>
+          <link rel="assessment-for" href="#sa-8.6_smt"/>
         </part>
         <part id="sa-8.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55304,6 +58428,7 @@
         <part id="sa-8.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(07)"/>
           <p><insert type="param" id-ref="sa-08.07_odp"/> implement the security design principle of reduced complexity.</p>
+          <link rel="assessment-for" href="#sa-8.7_smt"/>
         </part>
         <part id="sa-8.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55364,6 +58489,7 @@
         <part id="sa-8.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(08)"/>
           <p><insert type="param" id-ref="sa-08.08_odp"/> implement the security design principle of secure evolvability.</p>
+          <link rel="assessment-for" href="#sa-8.8_smt"/>
         </part>
         <part id="sa-8.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55424,6 +58550,7 @@
         <part id="sa-8.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(09)"/>
           <p><insert type="param" id-ref="sa-08.09_odp"/> implement the security design principle of trusted components.</p>
+          <link rel="assessment-for" href="#sa-8.9_smt"/>
         </part>
         <part id="sa-8.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55486,6 +58613,7 @@
         <part id="sa-8.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(10)"/>
           <p><insert type="param" id-ref="sa-08.10_odp"/> implement the security design principle of hierarchical trust.</p>
+          <link rel="assessment-for" href="#sa-8.10_smt"/>
         </part>
         <part id="sa-8.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55545,6 +58673,7 @@
         <part id="sa-8.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(11)"/>
           <p><insert type="param" id-ref="sa-08.11_odp"/> implement the security design principle of inverse modification threshold.</p>
+          <link rel="assessment-for" href="#sa-8.11_smt"/>
         </part>
         <part id="sa-8.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55604,6 +58733,7 @@
         <part id="sa-8.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(12)"/>
           <p><insert type="param" id-ref="sa-08.12_odp"/> implement the security design principle of hierarchical protection.</p>
+          <link rel="assessment-for" href="#sa-8.12_smt"/>
         </part>
         <part id="sa-8.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55663,6 +58793,7 @@
         <part id="sa-8.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(13)"/>
           <p><insert type="param" id-ref="sa-08.13_odp"/> implement the security design principle of minimized security elements.</p>
+          <link rel="assessment-for" href="#sa-8.13_smt"/>
         </part>
         <part id="sa-8.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55725,6 +58856,7 @@
         <part id="sa-8.14_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(14)"/>
           <p><insert type="param" id-ref="sa-08.14_odp"/> implement the security design principle of least privilege.</p>
+          <link rel="assessment-for" href="#sa-8.14_smt"/>
         </part>
         <part id="sa-8.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55785,6 +58917,7 @@
         <part id="sa-8.15_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(15)"/>
           <p><insert type="param" id-ref="sa-08.15_odp"/> implement the security design principle of predicate permission.</p>
+          <link rel="assessment-for" href="#sa-8.15_smt"/>
         </part>
         <part id="sa-8.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55844,6 +58977,7 @@
         <part id="sa-8.16_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(16)"/>
           <p><insert type="param" id-ref="sa-08.16_odp"/> implement the security design principle of self-reliant trustworthiness.</p>
+          <link rel="assessment-for" href="#sa-8.16_smt"/>
         </part>
         <part id="sa-8.16_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55903,6 +59037,7 @@
         <part id="sa-8.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(17)"/>
           <p><insert type="param" id-ref="sa-08.17_odp"/> implement the security design principle of secure distributed composition.</p>
+          <link rel="assessment-for" href="#sa-8.17_smt"/>
         </part>
         <part id="sa-8.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -55965,6 +59100,7 @@
         <part id="sa-8.18_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(18)"/>
           <p><insert type="param" id-ref="sa-08.18_odp"/> implement the security design principle of trusted communications channels.</p>
+          <link rel="assessment-for" href="#sa-8.18_smt"/>
         </part>
         <part id="sa-8.18_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56026,6 +59162,7 @@
         <part id="sa-8.19_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(19)"/>
           <p><insert type="param" id-ref="sa-08.19_odp"/> implement the security design principle of continuous protection.</p>
+          <link rel="assessment-for" href="#sa-8.19_smt"/>
         </part>
         <part id="sa-8.19_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56095,6 +59232,7 @@
         <part id="sa-8.20_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(20)"/>
           <p><insert type="param" id-ref="sa-08.20_odp"/> implement the security design principle of secure metadata management.</p>
+          <link rel="assessment-for" href="#sa-8.20_smt"/>
         </part>
         <part id="sa-8.20_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56155,6 +59293,7 @@
         <part id="sa-8.21_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(21)"/>
           <p><insert type="param" id-ref="sa-08.21_odp"/> implement the security design principle of self-analysis.</p>
+          <link rel="assessment-for" href="#sa-8.21_smt"/>
         </part>
         <part id="sa-8.21_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56236,11 +59375,14 @@
           <part id="sa-8.22_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(22)[01]"/>
             <p><insert type="param" id-ref="sa-08.22_odp.01"/> implement the security design principle of accountability;</p>
+            <link rel="assessment-for" href="#sa-8.22_smt"/>
           </part>
           <part id="sa-8.22_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(22)[02]"/>
             <p><insert type="param" id-ref="sa-08.22_odp.02"/> implement the security design principle of traceability.</p>
+            <link rel="assessment-for" href="#sa-8.22_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-8.22_smt"/>
         </part>
         <part id="sa-8.22_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56317,6 +59459,7 @@
         <part id="sa-8.23_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(23)"/>
           <p><insert type="param" id-ref="sa-08.23_odp"/> implement the security design principle of secure defaults.</p>
+          <link rel="assessment-for" href="#sa-8.23_smt"/>
         </part>
         <part id="sa-8.23_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56407,11 +59550,14 @@
           <part id="sa-8.24_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(24)[01]"/>
             <p><insert type="param" id-ref="sa-08.24_odp.01"/> implement the security design principle of secure failure;</p>
+            <link rel="assessment-for" href="#sa-8.24_smt"/>
           </part>
           <part id="sa-8.24_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-08(24)[02]"/>
             <p><insert type="param" id-ref="sa-08.24_odp.02"/> implement the security design principle of secure recovery.</p>
+            <link rel="assessment-for" href="#sa-8.24_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-8.24_smt"/>
         </part>
         <part id="sa-8.24_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56488,6 +59634,7 @@
         <part id="sa-8.25_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(25)"/>
           <p><insert type="param" id-ref="sa-08.25_odp"/> implement the security design principle of economic security.</p>
+          <link rel="assessment-for" href="#sa-8.25_smt"/>
         </part>
         <part id="sa-8.25_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56553,6 +59700,7 @@
         <part id="sa-8.26_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(26)"/>
           <p><insert type="param" id-ref="sa-08.26_odp"/> implement the security design principle of performance security.</p>
+          <link rel="assessment-for" href="#sa-8.26_smt"/>
         </part>
         <part id="sa-8.26_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56613,6 +59761,7 @@
         <part id="sa-8.27_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(27)"/>
           <p><insert type="param" id-ref="sa-08.27_odp"/> implement the security design principle of human factored security.</p>
+          <link rel="assessment-for" href="#sa-8.27_smt"/>
         </part>
         <part id="sa-8.27_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56675,6 +59824,7 @@
         <part id="sa-8.28_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(28)"/>
           <p><insert type="param" id-ref="sa-08.28_odp"/> implement the security design principle of acceptable security.</p>
+          <link rel="assessment-for" href="#sa-8.28_smt"/>
         </part>
         <part id="sa-8.28_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56748,6 +59898,7 @@
         <part id="sa-8.29_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(29)"/>
           <p><insert type="param" id-ref="sa-08.29_odp"/> implement the security design principle of repeatable and documented procedures.</p>
+          <link rel="assessment-for" href="#sa-8.29_smt"/>
         </part>
         <part id="sa-8.29_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56810,6 +59961,7 @@
         <part id="sa-8.30_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(30)"/>
           <p><insert type="param" id-ref="sa-08.30_odp"/> implement the security design principle of procedural rigor.</p>
+          <link rel="assessment-for" href="#sa-8.30_smt"/>
         </part>
         <part id="sa-8.30_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56872,6 +60024,7 @@
         <part id="sa-8.31_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(31)"/>
           <p><insert type="param" id-ref="sa-08.31_odp"/> implement the security design principle of secure system modification.</p>
+          <link rel="assessment-for" href="#sa-8.31_smt"/>
         </part>
         <part id="sa-8.31_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -56940,6 +60093,7 @@
         <part id="sa-8.32_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(32)"/>
           <p><insert type="param" id-ref="sa-08.32_odp"/> implement the security design principle of sufficient documentation.</p>
+          <link rel="assessment-for" href="#sa-8.32_smt"/>
         </part>
         <part id="sa-8.32_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57009,6 +60163,7 @@
         <part id="sa-8.33_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-08(33)"/>
           <p>the privacy principle of minimization is implemented using <insert type="param" id-ref="sa-08.33_odp"/>.</p>
+          <link rel="assessment-for" href="#sa-8.33_smt"/>
         </part>
         <part id="sa-8.33_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57116,31 +60271,40 @@
           <part id="sa-9_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09a.[01]"/>
             <p>providers of external system services comply with organizational security requirements;</p>
+            <link rel="assessment-for" href="#sa-9_smt.a"/>
           </part>
           <part id="sa-9_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09a.[02]"/>
             <p>providers of external system services comply with organizational privacy requirements;</p>
+            <link rel="assessment-for" href="#sa-9_smt.a"/>
           </part>
           <part id="sa-9_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09a.[03]"/>
             <p>providers of external system services employ <insert type="param" id-ref="sa-09_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-9_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-9_smt.a"/>
         </part>
         <part id="sa-9_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09b."/>
           <part id="sa-9_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09b.[01]"/>
             <p>organizational oversight with regard to external system services are defined and documented;</p>
+            <link rel="assessment-for" href="#sa-9_smt.b"/>
           </part>
           <part id="sa-9_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09b.[02]"/>
             <p>user roles and responsibilities with regard to external system services are defined and documented;</p>
+            <link rel="assessment-for" href="#sa-9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-9_smt.b"/>
         </part>
         <part id="sa-9_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09c."/>
           <p><insert type="param" id-ref="sa-09_odp.02"/> are employed to monitor control compliance by external service providers on an ongoing basis.</p>
+          <link rel="assessment-for" href="#sa-9_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sa-9_smt"/>
       </part>
       <part id="sa-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57217,11 +60381,14 @@
           <part id="sa-9.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(01)(a)"/>
             <p>an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;</p>
+            <link rel="assessment-for" href="#sa-9.1_smt.a"/>
           </part>
           <part id="sa-9.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(01)(b)"/>
             <p><insert type="param" id-ref="sa-09.01_odp"/> approve the acquisition or outsourcing of dedicated information security services.</p>
+            <link rel="assessment-for" href="#sa-9.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-9.1_smt"/>
         </part>
         <part id="sa-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57288,6 +60455,7 @@
         <part id="sa-9.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(02)"/>
           <p>providers of <insert type="param" id-ref="sa-09.02_odp"/> are required to identify the functions, ports, protocols, and other services required for the use of such services.</p>
+          <link rel="assessment-for" href="#sa-9.2_smt"/>
         </part>
         <part id="sa-9.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57356,19 +60524,24 @@
           <part id="sa-9.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(03)[01]"/>
             <p>trust relationships with external service provides based on <insert type="param" id-ref="sa-09.03_odp.01"/> are established and documented;</p>
+            <link rel="assessment-for" href="#sa-9.3_smt"/>
           </part>
           <part id="sa-9.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(03)[02]"/>
             <p>trust relationships with external service provides based on <insert type="param" id-ref="sa-09.03_odp.01"/> are maintained;</p>
+            <link rel="assessment-for" href="#sa-9.3_smt"/>
           </part>
           <part id="sa-9.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(03)[03]"/>
             <p>trust relationships with external service provides based on <insert type="param" id-ref="sa-09.03_odp.02"/> are established and documented;</p>
+            <link rel="assessment-for" href="#sa-9.3_smt"/>
           </part>
           <part id="sa-9.3_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-09(03)[04]"/>
             <p>trust relationships with external service provides based on <insert type="param" id-ref="sa-09.03_odp.02"/> are maintained.</p>
+            <link rel="assessment-for" href="#sa-9.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-9.3_smt"/>
         </part>
         <part id="sa-9.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57434,6 +60607,7 @@
         <part id="sa-9.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(04)"/>
           <p><insert type="param" id-ref="sa-09.04_odp.02"/> are taken to verify that the interests of <insert type="param" id-ref="sa-09.04_odp.01"/> are consistent with and reflect organizational interests.</p>
+          <link rel="assessment-for" href="#sa-9.4_smt"/>
         </part>
         <part id="sa-9.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57517,6 +60691,7 @@
         <part id="sa-9.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(05)"/>
           <p>based on <insert type="param" id-ref="sa-09.05_odp.03"/>, <insert type="param" id-ref="sa-09.05_odp.01"/> is/are restricted to <insert type="param" id-ref="sa-09.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sa-9.5_smt"/>
         </part>
         <part id="sa-9.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57576,6 +60751,7 @@
         <part id="sa-9.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(06)"/>
           <p>exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.</p>
+          <link rel="assessment-for" href="#sa-9.6_smt"/>
         </part>
         <part id="sa-9.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57632,6 +60808,7 @@
         <part id="sa-9.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(07)"/>
           <p>the capability is provided to check the integrity of information while it resides in the external system.</p>
+          <link rel="assessment-for" href="#sa-9.7_smt"/>
         </part>
         <part id="sa-9.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57690,6 +60867,7 @@
         <part id="sa-9.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-09(08)"/>
           <p>the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.</p>
+          <link rel="assessment-for" href="#sa-9.8_smt"/>
         </part>
         <part id="sa-9.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57815,56 +60993,71 @@
         <part id="sa-10_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10a."/>
           <p>the developer of the system, system component, or system service is required to perform configuration management during system, component, or service <insert type="param" id-ref="sa-10_odp.01"/>;</p>
+          <link rel="assessment-for" href="#sa-10_smt.a"/>
         </part>
         <part id="sa-10_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10b."/>
           <part id="sa-10_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10b.[01]"/>
             <p>the developer of the system, system component, or system service is required to document the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-10_smt.b"/>
           </part>
           <part id="sa-10_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10b.[02]"/>
             <p>the developer of the system, system component, or system service is required to manage the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-10_smt.b"/>
           </part>
           <part id="sa-10_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10b.[03]"/>
             <p>the developer of the system, system component, or system service is required to control the integrity of changes to <insert type="param" id-ref="sa-10_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-10_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-10_smt.b"/>
         </part>
         <part id="sa-10_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10c."/>
           <p>the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;</p>
+          <link rel="assessment-for" href="#sa-10_smt.c"/>
         </part>
         <part id="sa-10_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10d."/>
           <part id="sa-10_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10d.[01]"/>
             <p>the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;</p>
+            <link rel="assessment-for" href="#sa-10_smt.d"/>
           </part>
           <part id="sa-10_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10d.[02]"/>
             <p>the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;</p>
+            <link rel="assessment-for" href="#sa-10_smt.d"/>
           </part>
           <part id="sa-10_obj.d-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10d.[03]"/>
             <p>the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;</p>
+            <link rel="assessment-for" href="#sa-10_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sa-10_smt.d"/>
         </part>
         <part id="sa-10_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10e."/>
           <part id="sa-10_obj.e-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10e.[01]"/>
             <p>the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;</p>
+            <link rel="assessment-for" href="#sa-10_smt.e"/>
           </part>
           <part id="sa-10_obj.e-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10e.[02]"/>
             <p>the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;</p>
+            <link rel="assessment-for" href="#sa-10_smt.e"/>
           </part>
           <part id="sa-10_obj.e-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10e.[03]"/>
             <p>the developer of the system, system component, or system service is required to report findings to <insert type="param" id-ref="sa-10_odp.03"/>.</p>
+            <link rel="assessment-for" href="#sa-10_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#sa-10_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#sa-10_smt"/>
       </part>
       <part id="sa-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57922,6 +61115,7 @@
         <part id="sa-10.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10(01)"/>
           <p>the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.</p>
+          <link rel="assessment-for" href="#sa-10.1_smt"/>
         </part>
         <part id="sa-10.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -57980,6 +61174,7 @@
         <part id="sa-10.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10(02)"/>
           <p>an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.</p>
+          <link rel="assessment-for" href="#sa-10.2_smt"/>
         </part>
         <part id="sa-10.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58040,6 +61235,7 @@
         <part id="sa-10.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10(03)"/>
           <p>the developer of the system, system component, or system service is required to enable integrity verification of hardware components.</p>
+          <link rel="assessment-for" href="#sa-10.3_smt"/>
         </part>
         <part id="sa-10.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58097,15 +61293,19 @@
           <part id="sa-10.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10(04)[01]"/>
             <p>the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;</p>
+            <link rel="assessment-for" href="#sa-10.4_smt"/>
           </part>
           <part id="sa-10.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10(04)[02]"/>
             <p>the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;</p>
+            <link rel="assessment-for" href="#sa-10.4_smt"/>
           </part>
           <part id="sa-10.4_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10(04)[03]"/>
             <p>the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.</p>
+            <link rel="assessment-for" href="#sa-10.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-10.4_smt"/>
         </part>
         <part id="sa-10.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58151,6 +61351,7 @@
         <part id="sa-10.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10(05)"/>
           <p>the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.</p>
+          <link rel="assessment-for" href="#sa-10.5_smt"/>
         </part>
         <part id="sa-10.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58207,6 +61408,7 @@
         <part id="sa-10.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-10(06)"/>
           <p>the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.</p>
+          <link rel="assessment-for" href="#sa-10.6_smt"/>
         </part>
         <part id="sa-10.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58301,11 +61503,14 @@
           <part id="sa-10.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10(07)[01]"/>
             <p><insert type="param" id-ref="sa-10.07_odp.01"/> are required to be included in the <insert type="param" id-ref="sa-10.07_odp.03"/>;</p>
+            <link rel="assessment-for" href="#sa-10.7_smt"/>
           </part>
           <part id="sa-10.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-10(07)[02]"/>
             <p><insert type="param" id-ref="sa-10.07_odp.02"/> are required to be included in the <insert type="param" id-ref="sa-10.07_odp.04"/>.</p>
+            <link rel="assessment-for" href="#sa-10.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-10.7_smt"/>
         </part>
         <part id="sa-10.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58424,43 +61629,55 @@
           <part id="sa-11_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11a.[01]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;</p>
+            <link rel="assessment-for" href="#sa-11_smt.a"/>
           </part>
           <part id="sa-11_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11a.[02]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;</p>
+            <link rel="assessment-for" href="#sa-11_smt.a"/>
           </part>
           <part id="sa-11_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11a.[03]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;</p>
+            <link rel="assessment-for" href="#sa-11_smt.a"/>
           </part>
           <part id="sa-11_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11a.[04]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;</p>
+            <link rel="assessment-for" href="#sa-11_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-11_smt.a"/>
         </part>
         <part id="sa-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11b."/>
           <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform <insert type="param" id-ref="sa-11_odp.01"/> testing/evaluation <insert type="param" id-ref="sa-11_odp.02"/> at <insert type="param" id-ref="sa-11_odp.03"/>;</p>
+          <link rel="assessment-for" href="#sa-11_smt.b"/>
         </part>
         <part id="sa-11_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11c."/>
           <part id="sa-11_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11c.[01]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;</p>
+            <link rel="assessment-for" href="#sa-11_smt.c"/>
           </part>
           <part id="sa-11_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11c.[02]"/>
             <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;</p>
+            <link rel="assessment-for" href="#sa-11_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-11_smt.c"/>
         </part>
         <part id="sa-11_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11d."/>
           <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;</p>
+          <link rel="assessment-for" href="#sa-11_smt.d"/>
         </part>
         <part id="sa-11_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11e."/>
           <p>the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.</p>
+          <link rel="assessment-for" href="#sa-11_smt.e"/>
         </part>
+        <link rel="assessment-for" href="#sa-11_smt"/>
       </part>
       <part id="sa-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58523,11 +61740,14 @@
           <part id="sa-11.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(01)[01]"/>
             <p>the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;</p>
+            <link rel="assessment-for" href="#sa-11.1_smt"/>
           </part>
           <part id="sa-11.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(01)[02]"/>
             <p>the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.</p>
+            <link rel="assessment-for" href="#sa-11.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.1_smt"/>
         </part>
         <part id="sa-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58669,69 +61889,88 @@
             <part id="sa-11.2_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(a)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses <insert type="param" id-ref="sa-11.02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.a"/>
             </part>
             <part id="sa-11.2_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(a)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses <insert type="param" id-ref="sa-11.02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.a"/>
             </part>
             <part id="sa-11.2_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(a)[03]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses <insert type="param" id-ref="sa-11.02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.a"/>
             </part>
             <part id="sa-11.2_obj.a-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(a)[04]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses <insert type="param" id-ref="sa-11.02_odp.01"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.2_smt.a"/>
           </part>
           <part id="sa-11.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(02)(b)"/>
             <part id="sa-11.2_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(b)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs <insert type="param" id-ref="sa-11.02_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.b"/>
             </part>
             <part id="sa-11.2_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(b)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs <insert type="param" id-ref="sa-11.02_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.b"/>
             </part>
             <part id="sa-11.2_obj.b-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(b)[03]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs <insert type="param" id-ref="sa-11.02_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.b"/>
             </part>
             <part id="sa-11.2_obj.b-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(b)[04]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs <insert type="param" id-ref="sa-11.02_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.2_smt.b"/>
           </part>
           <part id="sa-11.2_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(02)(c)"/>
             <part id="sa-11.2_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(c)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling at <insert type="param" id-ref="sa-11.02_odp.03"/> during development of the system, component, or service;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.c"/>
             </part>
             <part id="sa-11.2_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(c)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at <insert type="param" id-ref="sa-11.02_odp.04"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.2_smt.c"/>
           </part>
           <part id="sa-11.2_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(02)(d)"/>
             <part id="sa-11.2_obj.d-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(d)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets <insert type="param" id-ref="sa-11.02_odp.05"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.d"/>
             </part>
             <part id="sa-11.2_obj.d-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(d)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets <insert type="param" id-ref="sa-11.02_odp.05"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.d"/>
             </part>
             <part id="sa-11.2_obj.d-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(d)[03]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets <insert type="param" id-ref="sa-11.02_odp.06"/>;</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.d"/>
             </part>
             <part id="sa-11.2_obj.d-4" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(02)(d)[04]"/>
               <p>the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets <insert type="param" id-ref="sa-11.02_odp.06"/>.</p>
+              <link rel="assessment-for" href="#sa-11.2_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.2_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.2_smt"/>
         </part>
         <part id="sa-11.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58811,16 +62050,21 @@
             <part id="sa-11.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(03)(a)[01]"/>
               <p>an independent agent is required to satisfy <insert type="param" id-ref="sa-11.03_odp"/> to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;</p>
+              <link rel="assessment-for" href="#sa-11.3_smt.a"/>
             </part>
             <part id="sa-11.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(03)(a)[02]"/>
               <p>an independent agent is required to satisfy <insert type="param" id-ref="sa-11.03_odp"/> to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;</p>
+              <link rel="assessment-for" href="#sa-11.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.3_smt.a"/>
           </part>
           <part id="sa-11.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(03)(b)"/>
             <p>the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.</p>
+            <link rel="assessment-for" href="#sa-11.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.3_smt"/>
         </part>
         <part id="sa-11.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58895,6 +62139,7 @@
         <part id="sa-11.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11(04)"/>
           <p>the developer of the system, system component, or system service is required to perform a manual code review of <insert type="param" id-ref="sa-11.04_odp.01"/> using <insert type="param" id-ref="sa-11.04_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sa-11.4_smt"/>
         </part>
         <part id="sa-11.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -58998,16 +62243,21 @@
             <part id="sa-11.5_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(05)(a)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: <insert type="param" id-ref="sa-11.05_odp.01"/>;</p>
+              <link rel="assessment-for" href="#sa-11.5_smt.a"/>
             </part>
             <part id="sa-11.5_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-11(05)(a)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: <insert type="param" id-ref="sa-11.05_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-11.5_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-11.5_smt.a"/>
           </part>
           <part id="sa-11.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(05)(b)"/>
             <p>the developer of the system, system component, or system service is required to perform penetration testing under <insert type="param" id-ref="sa-11.05_odp.03"/>.</p>
+            <link rel="assessment-for" href="#sa-11.5_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.5_smt"/>
         </part>
         <part id="sa-11.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59066,6 +62316,7 @@
         <part id="sa-11.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-11(06)"/>
           <p>the developer of the system, system component, or system service is required to perform attack surface reviews.</p>
+          <link rel="assessment-for" href="#sa-11.6_smt"/>
         </part>
         <part id="sa-11.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59143,11 +62394,14 @@
           <part id="sa-11.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(07)[01]"/>
             <p>the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at <insert type="param" id-ref="sa-11.07_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-11.7_smt"/>
           </part>
           <part id="sa-11.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(07)[02]"/>
             <p>the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at <insert type="param" id-ref="sa-11.07_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sa-11.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.7_smt"/>
         </part>
         <part id="sa-11.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59204,11 +62458,14 @@
           <part id="sa-11.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(08)[01]"/>
             <p>the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;</p>
+            <link rel="assessment-for" href="#sa-11.8_smt"/>
           </part>
           <part id="sa-11.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(08)[02]"/>
             <p>the developer of the system, system component, or system service is required to document the results of the analysis.</p>
+            <link rel="assessment-for" href="#sa-11.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.8_smt"/>
         </part>
         <part id="sa-11.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59267,11 +62524,14 @@
           <part id="sa-11.9_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(09)[01]"/>
             <p>the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;</p>
+            <link rel="assessment-for" href="#sa-11.9_smt"/>
           </part>
           <part id="sa-11.9_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-11(09)[02]"/>
             <p>the developer of the system, system component, or system service is required to document the results of flaw identification.</p>
+            <link rel="assessment-for" href="#sa-11.9_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-11.9_smt"/>
         </part>
         <part id="sa-11.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59551,50 +62811,65 @@
             <part id="sa-15_obj.a.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.01[01]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.1"/>
             </part>
             <part id="sa-15_obj.a.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.01[02]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.1"/>
             </part>
+            <link rel="assessment-for" href="#sa-15_smt.a.1"/>
           </part>
           <part id="sa-15_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15a.02"/>
             <part id="sa-15_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.02[01]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.2"/>
             </part>
             <part id="sa-15_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.02[02]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#sa-15_smt.a.2"/>
           </part>
           <part id="sa-15_obj.a.3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15a.03"/>
             <part id="sa-15_obj.a.3-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.03[01]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.3"/>
             </part>
             <part id="sa-15_obj.a.3-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15a.03[02]"/>
               <p>the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;</p>
+              <link rel="assessment-for" href="#sa-15_smt.a.3"/>
             </part>
+            <link rel="assessment-for" href="#sa-15_smt.a.3"/>
           </part>
           <part id="sa-15_obj.a.4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15a.04"/>
             <p>the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;</p>
+            <link rel="assessment-for" href="#sa-15_smt.a.4"/>
           </part>
+          <link rel="assessment-for" href="#sa-15_smt.a"/>
         </part>
         <part id="sa-15_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-15b."/>
           <part id="sa-15_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15b.[01]"/>
             <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-15_smt.b"/>
           </part>
           <part id="sa-15_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15b.[02]"/>
             <p>the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed <insert type="param" id-ref="sa-15_odp.01"/> to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy <insert type="param" id-ref="sa-15_odp.03"/>.</p>
+            <link rel="assessment-for" href="#sa-15_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-15_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sa-15_smt"/>
       </part>
       <part id="sa-15_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59685,11 +62960,14 @@
           <part id="sa-15.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(01)(a)"/>
             <p>the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;</p>
+            <link rel="assessment-for" href="#sa-15.1_smt.a"/>
           </part>
           <part id="sa-15.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(01)(b)"/>
             <p>the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics <insert type="param" id-ref="sa-15.01_odp.01"/>.</p>
+            <link rel="assessment-for" href="#sa-15.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.1_smt"/>
         </part>
         <part id="sa-15.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59738,11 +63016,14 @@
           <part id="sa-15.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(02)[01]"/>
             <p>the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;</p>
+            <link rel="assessment-for" href="#sa-15.2_smt"/>
           </part>
           <part id="sa-15.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(02)[02]"/>
             <p>the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process.</p>
+            <link rel="assessment-for" href="#sa-15.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.2_smt"/>
         </part>
         <part id="sa-15.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59832,18 +63113,23 @@
           <part id="sa-15.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(03)(a)"/>
             <p>the developer of the system, system component, or system service is required to perform a criticality analysis at <insert type="param" id-ref="sa-15.03_odp.01"/> in the system development life cycle;</p>
+            <link rel="assessment-for" href="#sa-15.3_smt.a"/>
           </part>
           <part id="sa-15.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(03)(b)"/>
             <part id="sa-15.3_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15(03)(b)[01]"/>
               <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.02"/>;</p>
+              <link rel="assessment-for" href="#sa-15.3_smt.b"/>
             </part>
             <part id="sa-15.3_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-15(03)(b)[02]"/>
               <p>the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: <insert type="param" id-ref="sa-15.03_odp.03"/> .</p>
+              <link rel="assessment-for" href="#sa-15.3_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-15.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.3_smt"/>
         </part>
         <part id="sa-15.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59921,6 +63207,7 @@
         <part id="sa-15.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-15(05)"/>
           <p>the developer of the system, system component, or system service is required to reduce attack surfaces to <insert type="param" id-ref="sa-15.05_odp"/>.</p>
+          <link rel="assessment-for" href="#sa-15.5_smt"/>
         </part>
         <part id="sa-15.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -59976,6 +63263,7 @@
         <part id="sa-15.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-15(06)"/>
           <p>the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.</p>
+          <link rel="assessment-for" href="#sa-15.6_smt"/>
         </part>
         <part id="sa-15.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60070,19 +63358,24 @@
           <part id="sa-15.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(07)(a)"/>
             <p>the developer of the system, system component, or system service is required to perform automated vulnerability analysis <insert type="param" id-ref="sa-15.07_odp.01"/> using <insert type="param" id-ref="sa-15.07_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sa-15.7_smt.a"/>
           </part>
           <part id="sa-15.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(07)(b)"/>
             <p>the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities <insert type="param" id-ref="sa-15.07_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sa-15.7_smt.b"/>
           </part>
           <part id="sa-15.7_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(07)(c)"/>
             <p>the developer of the system, system component, or system service is required to determine potential risk mitigations <insert type="param" id-ref="sa-15.07_odp.01"/> for delivered vulnerabilities;</p>
+            <link rel="assessment-for" href="#sa-15.7_smt.c"/>
           </part>
           <part id="sa-15.7_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(07)(d)"/>
             <p>the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis <insert type="param" id-ref="sa-15.07_odp.01"/> to <insert type="param" id-ref="sa-15.07_odp.03"/>.</p>
+            <link rel="assessment-for" href="#sa-15.7_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.7_smt"/>
         </part>
         <part id="sa-15.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60141,11 +63434,14 @@
           <part id="sa-15.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(08)[01]"/>
             <p>the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;</p>
+            <link rel="assessment-for" href="#sa-15.8_smt"/>
           </part>
           <part id="sa-15.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(08)[02]"/>
             <p>the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.</p>
+            <link rel="assessment-for" href="#sa-15.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.8_smt"/>
         </part>
         <part id="sa-15.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60202,15 +63498,19 @@
           <part id="sa-15.10_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(10)[01]"/>
             <p>the developer of the system, system component, or system service is required to provide an incident response plan;</p>
+            <link rel="assessment-for" href="#sa-15.10_smt"/>
           </part>
           <part id="sa-15.10_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(10)[02]"/>
             <p>the developer of the system, system component, or system service is required to implement an incident response plan;</p>
+            <link rel="assessment-for" href="#sa-15.10_smt"/>
           </part>
           <part id="sa-15.10_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-15(10)[03]"/>
             <p>the developer of the system, system component, or system service is required to test an incident response plan.</p>
+            <link rel="assessment-for" href="#sa-15.10_smt"/>
           </part>
+          <link rel="assessment-for" href="#sa-15.10_smt"/>
         </part>
         <part id="sa-15.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60261,6 +63561,7 @@
         <part id="sa-15.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-15(11)"/>
           <p>the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.</p>
+          <link rel="assessment-for" href="#sa-15.11_smt"/>
         </part>
         <part id="sa-15.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60309,6 +63610,7 @@
         <part id="sa-15.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-15(12)"/>
           <p>the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.</p>
+          <link rel="assessment-for" href="#sa-15.12_smt"/>
         </part>
         <part id="sa-15.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60377,6 +63679,7 @@
       <part id="sa-16_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SA-16"/>
         <p>the developer of the system, system component, or system service is required to provide <insert type="param" id-ref="sa-16_odp"/> on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.</p>
+        <link rel="assessment-for" href="#sa-16_smt"/>
       </part>
       <part id="sa-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60452,34 +63755,44 @@
           <part id="sa-17_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(a)[01]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;</p>
+            <link rel="assessment-for" href="#sa-17_smt.a"/>
           </part>
           <part id="sa-17_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(a)[02]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;</p>
+            <link rel="assessment-for" href="#sa-17_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sa-17_smt.a"/>
         </part>
         <part id="sa-17_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(b)"/>
           <part id="sa-17_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(b)[01]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;</p>
+            <link rel="assessment-for" href="#sa-17_smt.b"/>
           </part>
           <part id="sa-17_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(b)[02]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;</p>
+            <link rel="assessment-for" href="#sa-17_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-17_smt.b"/>
         </part>
         <part id="sa-17_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(c)"/>
           <part id="sa-17_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(c)[01]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;</p>
+            <link rel="assessment-for" href="#sa-17_smt.c"/>
           </part>
           <part id="sa-17_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(c)[02]"/>
             <p>the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.</p>
+            <link rel="assessment-for" href="#sa-17_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sa-17_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sa-17_smt"/>
       </part>
       <part id="sa-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60561,23 +63874,30 @@
             <part id="sa-17.1_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(01)(a)[01]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the <insert type="param" id-ref="sa-17.01_odp.01"/> to be enforced;</p>
+              <link rel="assessment-for" href="#sa-17.1_smt.a"/>
             </part>
             <part id="sa-17.1_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(01)(a)[02]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the <insert type="param" id-ref="sa-17.01_odp.02"/> to be enforced;</p>
+              <link rel="assessment-for" href="#sa-17.1_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-17.1_smt.a"/>
           </part>
           <part id="sa-17.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(01)(b)"/>
             <part id="sa-17.1_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(01)(b)[01]"/>
               <p>the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;</p>
+              <link rel="assessment-for" href="#sa-17.1_smt.b"/>
             </part>
             <part id="sa-17.1_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(01)(b)[02]"/>
               <p>the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.</p>
+              <link rel="assessment-for" href="#sa-17.1_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sa-17.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-17.1_smt"/>
         </part>
         <part id="sa-17.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60640,20 +63960,26 @@
             <part id="sa-17.2_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(02)(a)[01]"/>
               <p>the developer of the system, system component, or system service is required to define security-relevant hardware;</p>
+              <link rel="assessment-for" href="#sa-17.2_smt.a"/>
             </part>
             <part id="sa-17.2_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(02)(a)[02]"/>
               <p>the developer of the system, system component, or system service is required to define security-relevant software;</p>
+              <link rel="assessment-for" href="#sa-17.2_smt.a"/>
             </part>
             <part id="sa-17.2_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(02)(a)[03]"/>
               <p>the developer of the system, system component, or system service is required to define security-relevant firmware;</p>
+              <link rel="assessment-for" href="#sa-17.2_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-17.2_smt.a"/>
           </part>
           <part id="sa-17.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(02)(b)"/>
             <p>the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.</p>
+            <link rel="assessment-for" href="#sa-17.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-17.2_smt"/>
         </part>
         <part id="sa-17.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60729,32 +64055,41 @@
             <part id="sa-17.3_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(03)(a)[01]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;</p>
+              <link rel="assessment-for" href="#sa-17.3_smt.a"/>
             </part>
             <part id="sa-17.3_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(03)(a)[02]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;</p>
+              <link rel="assessment-for" href="#sa-17.3_smt.a"/>
             </part>
             <part id="sa-17.3_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(03)(a)[03]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;</p>
+              <link rel="assessment-for" href="#sa-17.3_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-17.3_smt.a"/>
           </part>
           <part id="sa-17.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(03)(b)"/>
             <p>the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;</p>
+            <link rel="assessment-for" href="#sa-17.3_smt.b"/>
           </part>
           <part id="sa-17.3_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(03)(c)"/>
             <p>the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;</p>
+            <link rel="assessment-for" href="#sa-17.3_smt.c"/>
           </part>
           <part id="sa-17.3_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(03)(d)"/>
             <p>the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;</p>
+            <link rel="assessment-for" href="#sa-17.3_smt.d"/>
           </part>
           <part id="sa-17.3_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(03)(e)"/>
             <p>the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.</p>
+            <link rel="assessment-for" href="#sa-17.3_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#sa-17.3_smt"/>
         </part>
         <part id="sa-17.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60841,32 +64176,41 @@
             <part id="sa-17.4_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(04)(a)[01]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;</p>
+              <link rel="assessment-for" href="#sa-17.4_smt.a"/>
             </part>
             <part id="sa-17.4_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(04)(a)[02]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;</p>
+              <link rel="assessment-for" href="#sa-17.4_smt.a"/>
             </part>
             <part id="sa-17.4_obj.a-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SA-17(04)(a)[03]"/>
               <p>as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;</p>
+              <link rel="assessment-for" href="#sa-17.4_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sa-17.4_smt.a"/>
           </part>
           <part id="sa-17.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(04)(b)"/>
             <p>the developer of the system, system component, or system service is required to show via <insert type="param" id-ref="sa-17.04_odp"/> that the descriptive top-level specification is consistent with the formal policy model;</p>
+            <link rel="assessment-for" href="#sa-17.4_smt.b"/>
           </part>
           <part id="sa-17.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(04)(c)"/>
             <p>the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;</p>
+            <link rel="assessment-for" href="#sa-17.4_smt.c"/>
           </part>
           <part id="sa-17.4_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(04)(d)"/>
             <p>the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;</p>
+            <link rel="assessment-for" href="#sa-17.4_smt.d"/>
           </part>
           <part id="sa-17.4_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(04)(e)"/>
             <p>the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.</p>
+            <link rel="assessment-for" href="#sa-17.4_smt.e"/>
           </part>
+          <link rel="assessment-for" href="#sa-17.4_smt"/>
         </part>
         <part id="sa-17.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60930,11 +64274,14 @@
           <part id="sa-17.5_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(05)(a)"/>
             <p>the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;</p>
+            <link rel="assessment-for" href="#sa-17.5_smt.a"/>
           </part>
           <part id="sa-17.5_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SA-17(05)(b)"/>
             <p>the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.</p>
+            <link rel="assessment-for" href="#sa-17.5_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sa-17.5_smt"/>
         </part>
         <part id="sa-17.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -60985,6 +64332,7 @@
         <part id="sa-17.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(06)"/>
           <p>the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.</p>
+          <link rel="assessment-for" href="#sa-17.6_smt"/>
         </part>
         <part id="sa-17.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61039,6 +64387,7 @@
         <part id="sa-17.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(07)"/>
           <p>the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.</p>
+          <link rel="assessment-for" href="#sa-17.7_smt"/>
         </part>
         <part id="sa-17.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61105,6 +64454,7 @@
         <part id="sa-17.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(08)"/>
           <p><insert type="param" id-ref="sa-17.08_odp.01"/> are designed with coordinated behavior to implement <insert type="param" id-ref="sa-17.08_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sa-17.8_smt"/>
         </part>
         <part id="sa-17.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61164,6 +64514,7 @@
         <part id="sa-17.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-17(09)"/>
           <p>different designs are used for <insert type="param" id-ref="sa-17.09_odp"/> to satisfy a common set of requirements or to provide equivalent functionality.</p>
+          <link rel="assessment-for" href="#sa-17.9_smt"/>
         </part>
         <part id="sa-17.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61288,6 +64639,7 @@
       <part id="sa-20_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SA-20"/>
         <p><insert type="param" id-ref="sa-20_odp"/> are reimplemented or custom-developed.</p>
+        <link rel="assessment-for" href="#sa-20_smt"/>
       </part>
       <part id="sa-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61380,11 +64732,14 @@
         <part id="sa-21_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-21a."/>
           <p>the developer of <insert type="param" id-ref="sa-21_odp.01"/> is required to have appropriate access authorizations as determined by assigned <insert type="param" id-ref="sa-21_odp.02"/>;</p>
+          <link rel="assessment-for" href="#sa-21_smt.a"/>
         </part>
         <part id="sa-21_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-21b."/>
           <p>the developer of <insert type="param" id-ref="sa-21_odp.01"/> is required to satisfy <insert type="param" id-ref="sa-21_odp.03"/>.</p>
+          <link rel="assessment-for" href="#sa-21_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sa-21_smt"/>
       </part>
       <part id="sa-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61475,11 +64830,14 @@
         <part id="sa-22_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-22a."/>
           <p>system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;</p>
+          <link rel="assessment-for" href="#sa-22_smt.a"/>
         </part>
         <part id="sa-22_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SA-22b."/>
           <p><insert type="param" id-ref="sa-22_odp.01"/> provide options for alternative sources for continued support for unsupported components.</p>
+          <link rel="assessment-for" href="#sa-22_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sa-22_smt"/>
       </part>
       <part id="sa-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61558,6 +64916,7 @@
       <part id="sa-23_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SA-23"/>
         <p><insert type="param" id-ref="sa-23_odp.01"/> is employed on <insert type="param" id-ref="sa-23_odp.02"/> supporting essential services or functions to increase the trustworthiness in those systems or components.</p>
+        <link rel="assessment-for" href="#sa-23_smt"/>
       </part>
       <part id="sa-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61723,18 +65082,22 @@
           <part id="sc-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01a.[01]"/>
             <p>a system and communications protection policy is developed and documented;</p>
+            <link rel="assessment-for" href="#sc-1_smt.a"/>
           </part>
           <part id="sc-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01a.[02]"/>
             <p>the system and communications protection policy is disseminated to <insert type="param" id-ref="sc-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sc-1_smt.a"/>
           </part>
           <part id="sc-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01a.[03]"/>
             <p>system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;</p>
+            <link rel="assessment-for" href="#sc-1_smt.a"/>
           </part>
           <part id="sc-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01a.[04]"/>
             <p>the system and communications protection procedures are disseminated to <insert type="param" id-ref="sc-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sc-1_smt.a"/>
           </part>
           <part id="sc-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01a.01"/>
@@ -61743,41 +65106,53 @@
               <part id="sc-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses purpose;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses scope;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses roles;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
               <part id="sc-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SC-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy addresses compliance;</p>
+                <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#sc-1_smt.a.1.a"/>
             </part>
             <part id="sc-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-01a.01(b)"/>
               <p>the <insert type="param" id-ref="sc-01_odp.03"/> system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#sc-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#sc-1_smt.a"/>
         </part>
         <part id="sc-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-01b."/>
           <p>the <insert type="param" id-ref="sc-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;</p>
+          <link rel="assessment-for" href="#sc-1_smt.b"/>
         </part>
         <part id="sc-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-01c."/>
@@ -61786,24 +65161,32 @@
             <part id="sc-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-01c.01[01]"/>
               <p>the current system and communications protection policy is reviewed and updated <insert type="param" id-ref="sc-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#sc-1_smt.c.1"/>
             </part>
             <part id="sc-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-01c.01[02]"/>
               <p>the current system and communications protection policy is reviewed and updated following <insert type="param" id-ref="sc-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#sc-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt.c.1"/>
           </part>
           <part id="sc-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-01c.02"/>
             <part id="sc-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-01c.02[01]"/>
               <p>the current system and communications protection procedures are reviewed and updated <insert type="param" id-ref="sc-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#sc-1_smt.c.2"/>
             </part>
             <part id="sc-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-01c.02[02]"/>
               <p>the current system and communications protection procedures are reviewed and updated following <insert type="param" id-ref="sc-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#sc-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#sc-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#sc-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sc-1_smt"/>
       </part>
       <part id="sc-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61851,6 +65234,7 @@
       <part id="sc-2_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-02"/>
         <p>user functionality, including user interface services, is separated from system management functionality.</p>
+        <link rel="assessment-for" href="#sc-2_smt"/>
       </part>
       <part id="sc-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61899,6 +65283,7 @@
         <part id="sc-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-02(01)"/>
           <p>the presentation of system management functionality is prevented at interfaces to non-privileged users.</p>
+          <link rel="assessment-for" href="#sc-2.1_smt"/>
         </part>
         <part id="sc-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -61948,6 +65333,7 @@
         <part id="sc-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-02(02)"/>
           <p>state information is stored separately from applications and software.</p>
+          <link rel="assessment-for" href="#sc-2.2_smt"/>
         </part>
         <part id="sc-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62012,6 +65398,7 @@
       <part id="sc-3_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-03"/>
         <p>security functions are isolated from non-security functions.</p>
+        <link rel="assessment-for" href="#sc-3_smt"/>
       </part>
       <part id="sc-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62060,6 +65447,7 @@
         <part id="sc-3.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-03(01)"/>
           <p>hardware separation mechanisms are employed to implement security function isolation.</p>
+          <link rel="assessment-for" href="#sc-3.1_smt"/>
         </part>
         <part id="sc-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62111,19 +65499,24 @@
           <part id="sc-3.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(02)[01]"/>
             <p>security functions enforcing access control are isolated from non-security functions;</p>
+            <link rel="assessment-for" href="#sc-3.2_smt"/>
           </part>
           <part id="sc-3.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(02)[02]"/>
             <p>security functions enforcing access control are isolated from other security functions;</p>
+            <link rel="assessment-for" href="#sc-3.2_smt"/>
           </part>
           <part id="sc-3.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(02)[03]"/>
             <p>security functions enforcing information flow control are isolated from non-security functions;</p>
+            <link rel="assessment-for" href="#sc-3.2_smt"/>
           </part>
           <part id="sc-3.2_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(02)[04]"/>
             <p>security functions enforcing information flow control are isolated from other security functions.</p>
+            <link rel="assessment-for" href="#sc-3.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-3.2_smt"/>
         </part>
         <part id="sc-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62173,6 +65566,7 @@
         <part id="sc-3.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-03(03)"/>
           <p>the number of non-security functions included within the isolation boundary containing security functions is minimized.</p>
+          <link rel="assessment-for" href="#sc-3.3_smt"/>
         </part>
         <part id="sc-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62223,11 +65617,14 @@
           <part id="sc-3.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(04)[01]"/>
             <p>security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;</p>
+            <link rel="assessment-for" href="#sc-3.4_smt"/>
           </part>
           <part id="sc-3.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-03(04)[02]"/>
             <p>security functions are implemented as largely independent modules that minimize coupling between modules.</p>
+            <link rel="assessment-for" href="#sc-3.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-3.4_smt"/>
         </part>
         <part id="sc-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62277,6 +65674,7 @@
         <part id="sc-3.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-03(05)"/>
           <p>security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.</p>
+          <link rel="assessment-for" href="#sc-3.5_smt"/>
         </part>
         <part id="sc-3.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62329,11 +65727,14 @@
         <part id="sc-4_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-04[01]"/>
           <p>unauthorized information transfer via shared system resources is prevented;</p>
+          <link rel="assessment-for" href="#sc-4_smt"/>
         </part>
         <part id="sc-4_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-04[02]"/>
           <p>unintended information transfer via shared system resources is prevented.</p>
+          <link rel="assessment-for" href="#sc-4_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-4_smt"/>
       </part>
       <part id="sc-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62396,6 +65797,7 @@
         <part id="sc-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-04(02)"/>
           <p>unauthorized information transfer via shared resources is prevented in accordance with <insert type="param" id-ref="sc-04.02_odp"/> when system processing explicitly switches between different information classification levels or security categories.</p>
+          <link rel="assessment-for" href="#sc-4.2_smt"/>
         </part>
         <part id="sc-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62482,11 +65884,14 @@
         <part id="sc-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-05a."/>
           <p>the effects of <insert type="param" id-ref="sc-05_odp.01"/> are <insert type="param" id-ref="sc-05_odp.02"/>;</p>
+          <link rel="assessment-for" href="#sc-5_smt.a"/>
         </part>
         <part id="sc-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-05b."/>
           <p><insert type="param" id-ref="sc-05_odp.03"/> are employed to achieve the denial-of-service protection objective.</p>
+          <link rel="assessment-for" href="#sc-5_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-5_smt"/>
       </part>
       <part id="sc-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62544,6 +65949,7 @@
         <part id="sc-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-05(01)"/>
           <p>the ability of individuals to launch <insert type="param" id-ref="sc-05.01_odp"/> against other systems is restricted.</p>
+          <link rel="assessment-for" href="#sc-5.1_smt"/>
         </part>
         <part id="sc-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62593,6 +65999,7 @@
         <part id="sc-5.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-05(02)"/>
           <p>capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.</p>
+          <link rel="assessment-for" href="#sc-5.2_smt"/>
         </part>
         <part id="sc-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62668,11 +66075,14 @@
           <part id="sc-5.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-05(03)(a)"/>
             <p><insert type="param" id-ref="sc-05.03_odp.01"/> are employed to detect indicators of denial-of-service attacks against or launched from the system;</p>
+            <link rel="assessment-for" href="#sc-5.3_smt.a"/>
           </part>
           <part id="sc-5.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-05(03)(b)"/>
             <p><insert type="param" id-ref="sc-05.03_odp.02"/> are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.</p>
+            <link rel="assessment-for" href="#sc-5.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-5.3_smt"/>
         </part>
         <part id="sc-5.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62750,6 +66160,7 @@
       <part id="sc-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-06"/>
         <p>the availability of resources is protected by allocating <insert type="param" id-ref="sc-06_odp.01"/> by <insert type="param" id-ref="sc-06_odp.02"/>.</p>
+        <link rel="assessment-for" href="#sc-6_smt"/>
       </part>
       <part id="sc-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62851,28 +66262,36 @@
           <part id="sc-7_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07a.[01]"/>
             <p>communications at external managed interfaces to the system are monitored;</p>
+            <link rel="assessment-for" href="#sc-7_smt.a"/>
           </part>
           <part id="sc-7_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07a.[02]"/>
             <p>communications at external managed interfaces to the system are controlled;</p>
+            <link rel="assessment-for" href="#sc-7_smt.a"/>
           </part>
           <part id="sc-7_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07a.[03]"/>
             <p>communications at key internal managed interfaces within the system are monitored;</p>
+            <link rel="assessment-for" href="#sc-7_smt.a"/>
           </part>
           <part id="sc-7_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07a.[04]"/>
             <p>communications at key internal managed interfaces within the system are controlled;</p>
+            <link rel="assessment-for" href="#sc-7_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sc-7_smt.a"/>
         </part>
         <part id="sc-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07b."/>
           <p>subnetworks for publicly accessible system components are <insert type="param" id-ref="sc-07_odp"/> separated from internal organizational networks;</p>
+          <link rel="assessment-for" href="#sc-7_smt.b"/>
         </part>
         <part id="sc-7_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07c."/>
           <p>external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</p>
+          <link rel="assessment-for" href="#sc-7_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sc-7_smt"/>
       </part>
       <part id="sc-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -62939,6 +66358,7 @@
         <part id="sc-7.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(03)"/>
           <p>the number of external network connections to the system is limited.</p>
+          <link rel="assessment-for" href="#sc-7.3_smt"/>
         </part>
         <part id="sc-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63036,49 +66456,62 @@
           <part id="sc-7.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(a)"/>
             <p>a managed interface is implemented for each external telecommunication service;</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.a"/>
           </part>
           <part id="sc-7.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(b)"/>
             <p>a traffic flow policy is established for each managed interface;</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.b"/>
           </part>
           <part id="sc-7.4_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(c)"/>
             <part id="sc-7.4_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(04)(c)[01]"/>
               <p>the confidentiality of the information being transmitted across each interface is protected;</p>
+              <link rel="assessment-for" href="#sc-7.4_smt.c"/>
             </part>
             <part id="sc-7.4_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(04)(c)[02]"/>
               <p>the integrity of the information being transmitted across each interface is protected;</p>
+              <link rel="assessment-for" href="#sc-7.4_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#sc-7.4_smt.c"/>
           </part>
           <part id="sc-7.4_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(d)"/>
             <p>each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.d"/>
           </part>
           <part id="sc-7.4_obj.e" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(e)"/>
             <part id="sc-7.4_obj.e-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(04)(e)[01]"/>
               <p>exceptions to the traffic flow policy are reviewed <insert type="param" id-ref="sc-07.04_odp"/>;</p>
+              <link rel="assessment-for" href="#sc-7.4_smt.e"/>
             </part>
             <part id="sc-7.4_obj.e-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(04)(e)[02]"/>
               <p>exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;</p>
+              <link rel="assessment-for" href="#sc-7.4_smt.e"/>
             </part>
+            <link rel="assessment-for" href="#sc-7.4_smt.e"/>
           </part>
           <part id="sc-7.4_obj.f" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(f)"/>
             <p>unauthorized exchanges of control plan traffic with external networks are prevented;</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.f"/>
           </part>
           <part id="sc-7.4_obj.g" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(g)"/>
             <p>information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.g"/>
           </part>
           <part id="sc-7.4_obj.h" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(04)(h)"/>
             <p>unauthorized control plane traffic is filtered from external networks.</p>
+            <link rel="assessment-for" href="#sc-7.4_smt.h"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.4_smt"/>
         </part>
         <part id="sc-7.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63153,11 +66586,14 @@
           <part id="sc-7.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(05)[01]"/>
             <p>network communications traffic is denied by default <insert type="param" id-ref="sc-07.05_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sc-7.5_smt"/>
           </part>
           <part id="sc-7.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(05)[02]"/>
             <p>network communications traffic is allowed by exception <insert type="param" id-ref="sc-07.05_odp.01"/>.</p>
+            <link rel="assessment-for" href="#sc-7.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.5_smt"/>
         </part>
         <part id="sc-7.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63222,6 +66658,7 @@
         <part id="sc-7.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(07)"/>
           <p>split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using <insert type="param" id-ref="sc-07.07_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-7.7_smt"/>
         </part>
         <part id="sc-7.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63290,6 +66727,7 @@
         <part id="sc-7.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(08)"/>
           <p><insert type="param" id-ref="sc-07.08_odp.01"/> is routed to <insert type="param" id-ref="sc-07.08_odp.02"/> through authenticated proxy servers at managed interfaces.</p>
+          <link rel="assessment-for" href="#sc-7.8_smt"/>
         </part>
         <part id="sc-7.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63358,16 +66796,21 @@
             <part id="sc-7.9_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(09)(a)[01]"/>
               <p>outgoing communications traffic posing a threat to external systems is detected;</p>
+              <link rel="assessment-for" href="#sc-7.9_smt.a"/>
             </part>
             <part id="sc-7.9_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(09)(a)[02]"/>
               <p>outgoing communications traffic posing a threat to external systems is denied;</p>
+              <link rel="assessment-for" href="#sc-7.9_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#sc-7.9_smt.a"/>
           </part>
           <part id="sc-7.9_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(09)(b)"/>
             <p>the identity of internal users associated with denied communications is audited.</p>
+            <link rel="assessment-for" href="#sc-7.9_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.9_smt"/>
         </part>
         <part id="sc-7.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63440,11 +66883,14 @@
           <part id="sc-7.10_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(10)(a)"/>
             <p>the exfiltration of information is prevented;</p>
+            <link rel="assessment-for" href="#sc-7.10_smt.a"/>
           </part>
           <part id="sc-7.10_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(10)(b)"/>
             <p>exfiltration tests are conducted <insert type="param" id-ref="sc-07.10_odp"/>.</p>
+            <link rel="assessment-for" href="#sc-7.10_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.10_smt"/>
         </part>
         <part id="sc-7.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63509,6 +66955,7 @@
         <part id="sc-7.11_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(11)"/>
           <p>only incoming communications from <insert type="param" id-ref="sc-07.11_odp.01"/> are allowed to be routed to <insert type="param" id-ref="sc-07.11_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-7.11_smt"/>
         </part>
         <part id="sc-7.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63573,6 +67020,7 @@
         <part id="sc-7.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(12)"/>
           <p><insert type="param" id-ref="sc-07.12_odp.01"/> are implemented at <insert type="param" id-ref="sc-07.12_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-7.12_smt"/>
         </part>
         <part id="sc-7.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63632,6 +67080,7 @@
         <part id="sc-7.13_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(13)"/>
           <p><insert type="param" id-ref="sc-07.13_odp"/> are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.</p>
+          <link rel="assessment-for" href="#sc-7.13_smt"/>
         </part>
         <part id="sc-7.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63692,6 +67141,7 @@
         <part id="sc-7.14_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(14)"/>
           <p><insert type="param" id-ref="sc-07.14_odp"/> are protected against unauthorized physical connections.</p>
+          <link rel="assessment-for" href="#sc-7.14_smt"/>
         </part>
         <part id="sc-7.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63746,11 +67196,14 @@
           <part id="sc-7.15_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(15)[01]"/>
             <p>networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;</p>
+            <link rel="assessment-for" href="#sc-7.15_smt"/>
           </part>
           <part id="sc-7.15_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(15)[02]"/>
             <p>networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.</p>
+            <link rel="assessment-for" href="#sc-7.15_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.15_smt"/>
         </part>
         <part id="sc-7.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63801,6 +67254,7 @@
         <part id="sc-7.16_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(16)"/>
           <p>the discovery of specific system components that represent a managed interface is prevented.</p>
+          <link rel="assessment-for" href="#sc-7.16_smt"/>
         </part>
         <part id="sc-7.16_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63852,6 +67306,7 @@
         <part id="sc-7.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(17)"/>
           <p>adherence to protocol formats is enforced.</p>
+          <link rel="assessment-for" href="#sc-7.17_smt"/>
         </part>
         <part id="sc-7.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63905,6 +67360,7 @@
         <part id="sc-7.18_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(18)"/>
           <p>systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.</p>
+          <link rel="assessment-for" href="#sc-7.18_smt"/>
         </part>
         <part id="sc-7.18_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -63964,11 +67420,14 @@
           <part id="sc-7.19_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(19)[01]"/>
             <p>inbound communications traffic is blocked between <insert type="param" id-ref="sc-07.19_odp"/> that are independently configured by end users and external service providers;</p>
+            <link rel="assessment-for" href="#sc-7.19_smt"/>
           </part>
           <part id="sc-7.19_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(19)[02]"/>
             <p>outbound communications traffic is blocked between <insert type="param" id-ref="sc-07.19_odp"/> that are independently configured by end users and external service providers.</p>
+            <link rel="assessment-for" href="#sc-7.19_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.19_smt"/>
         </part>
         <part id="sc-7.19_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64027,6 +67486,7 @@
         <part id="sc-7.20_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(20)"/>
           <p>the capability to dynamically isolate <insert type="param" id-ref="sc-07.20_odp"/> from other system components is provided.</p>
+          <link rel="assessment-for" href="#sc-7.20_smt"/>
         </part>
         <part id="sc-7.20_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64097,6 +67557,7 @@
         <part id="sc-7.21_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(21)"/>
           <p>boundary protection mechanisms are employed to isolate <insert type="param" id-ref="sc-07.21_odp.01"/> supporting <insert type="param" id-ref="sc-07.21_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-7.21_smt"/>
         </part>
         <part id="sc-7.21_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64148,6 +67609,7 @@
         <part id="sc-7.22_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(22)"/>
           <p>separate network addresses are implemented to connect to systems in different security domains.</p>
+          <link rel="assessment-for" href="#sc-7.22_smt"/>
         </part>
         <part id="sc-7.22_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64198,6 +67660,7 @@
         <part id="sc-7.23_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(23)"/>
           <p>feedback to senders is disabled on protocol format validation failure.</p>
+          <link rel="assessment-for" href="#sc-7.23_smt"/>
         </part>
         <part id="sc-7.23_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64277,33 +67740,42 @@
           <part id="sc-7.24_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(24)(a)"/>
             <p><insert type="param" id-ref="sc-07.24_odp"/> are applied to data elements of personally identifiable information on systems that process personally identifiable information;</p>
+            <link rel="assessment-for" href="#sc-7.24_smt.a"/>
           </part>
           <part id="sc-7.24_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(24)(b)"/>
             <part id="sc-7.24_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(24)(b)[01]"/>
               <p>permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;</p>
+              <link rel="assessment-for" href="#sc-7.24_smt.b"/>
             </part>
             <part id="sc-7.24_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(24)(b)[02]"/>
               <p>permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;</p>
+              <link rel="assessment-for" href="#sc-7.24_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#sc-7.24_smt.b"/>
           </part>
           <part id="sc-7.24_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(24)(c)"/>
             <p>each processing exception is documented for systems that process personally identifiable information;</p>
+            <link rel="assessment-for" href="#sc-7.24_smt.c"/>
           </part>
           <part id="sc-7.24_obj.d" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-07(24)(d)"/>
             <part id="sc-7.24_obj.d-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(24)(d)[01]"/>
               <p>exceptions for systems that process personally identifiable information are reviewed;</p>
+              <link rel="assessment-for" href="#sc-7.24_smt.d"/>
             </part>
             <part id="sc-7.24_obj.d-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SC-07(24)(d)[02]"/>
               <p>exceptions for systems that process personally identifiable information that are no longer supported are removed.</p>
+              <link rel="assessment-for" href="#sc-7.24_smt.d"/>
             </part>
+            <link rel="assessment-for" href="#sc-7.24_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#sc-7.24_smt"/>
         </part>
         <part id="sc-7.24_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64374,6 +67846,7 @@
         <part id="sc-7.25_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(25)"/>
           <p>the direct connection of <insert type="param" id-ref="sc-07.25_odp.01"/> to an external network without the use of <insert type="param" id-ref="sc-07.25_odp.02"/> is prohibited.</p>
+          <link rel="assessment-for" href="#sc-7.25_smt"/>
         </part>
         <part id="sc-7.25_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64432,6 +67905,7 @@
         <part id="sc-7.26_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(26)"/>
           <p>the direct connection of classified national security system to an external network without the use of a <insert type="param" id-ref="sc-07.26_odp"/> is prohibited.</p>
+          <link rel="assessment-for" href="#sc-7.26_smt"/>
         </part>
         <part id="sc-7.26_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64499,6 +67973,7 @@
         <part id="sc-7.27_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(27)"/>
           <p>the direct connection of <insert type="param" id-ref="sc-07.27_odp.01"/> to an external network without the use of a <insert type="param" id-ref="sc-07.27_odp.02"/> is prohibited.</p>
+          <link rel="assessment-for" href="#sc-7.27_smt"/>
         </part>
         <part id="sc-7.27_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64557,6 +68032,7 @@
         <part id="sc-7.28_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(28)"/>
           <p>the direct connection of the <insert type="param" id-ref="sc-07.28_odp"/> to a public network is prohibited.</p>
+          <link rel="assessment-for" href="#sc-7.28_smt"/>
         </part>
         <part id="sc-7.28_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64623,6 +68099,7 @@
         <part id="sc-7.29_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-07(29)"/>
           <p>subnetworks are separated <insert type="param" id-ref="sc-07.29_odp.01"/> to isolate <insert type="param" id-ref="sc-07.29_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-7.29_smt"/>
         </part>
         <part id="sc-7.29_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64706,6 +68183,7 @@
       <part id="sc-8_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-08"/>
         <p>the <insert type="param" id-ref="sc-08_odp"/> of transmitted information is/are protected.</p>
+        <link rel="assessment-for" href="#sc-8_smt"/>
       </part>
       <part id="sc-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64762,6 +68240,7 @@
         <part id="sc-8.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-08(01)"/>
           <p>cryptographic mechanisms are implemented to <insert type="param" id-ref="sc-08.01_odp"/> during transmission.</p>
+          <link rel="assessment-for" href="#sc-8.1_smt"/>
         </part>
         <part id="sc-8.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64821,11 +68300,14 @@
           <part id="sc-8.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-08(02)[01]"/>
             <p>information <insert type="param" id-ref="sc-08.02_odp"/> is/are maintained during preparation for transmission;</p>
+            <link rel="assessment-for" href="#sc-8.2_smt"/>
           </part>
           <part id="sc-8.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-08(02)[02]"/>
             <p>information <insert type="param" id-ref="sc-08.02_odp"/> is/are maintained during reception.</p>
+            <link rel="assessment-for" href="#sc-8.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-8.2_smt"/>
         </part>
         <part id="sc-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64883,6 +68365,7 @@
         <part id="sc-8.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-08(03)"/>
           <p>cryptographic mechanisms are implemented to protect message externals unless otherwise protected by <insert type="param" id-ref="sc-08.03_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-8.3_smt"/>
         </part>
         <part id="sc-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -64942,6 +68425,7 @@
         <part id="sc-8.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-08(04)"/>
           <p>cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by <insert type="param" id-ref="sc-08.04_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-8.4_smt"/>
         </part>
         <part id="sc-8.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65007,6 +68491,7 @@
         <part id="sc-8.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-08(05)"/>
           <p>the <insert type="param" id-ref="sc-08.05_odp.01"/> is implemented to <insert type="param" id-ref="sc-08.05_odp.02"/> during transmission.</p>
+          <link rel="assessment-for" href="#sc-8.5_smt"/>
         </part>
         <part id="sc-8.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65073,6 +68558,7 @@
       <part id="sc-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-10"/>
         <p>the network connection associated with a communication session is terminated at the end of the session or after <insert type="param" id-ref="sc-10_odp"/> of inactivity.</p>
+        <link rel="assessment-for" href="#sc-10_smt"/>
       </part>
       <part id="sc-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65151,11 +68637,14 @@
         <part id="sc-11_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-11a."/>
           <p>a <insert type="param" id-ref="sc-11_odp.01"/> isolated trusted communication path is provided for communications between the user and the trusted components of the system;</p>
+          <link rel="assessment-for" href="#sc-11_smt.a"/>
         </part>
         <part id="sc-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-11b."/>
           <p>users are permitted to invoke the trusted communication path for communications between the user and the <insert type="param" id-ref="sc-11_odp.02"/> of the system, including authentication and re-authentication, at a minimum.</p>
+          <link rel="assessment-for" href="#sc-11_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-11_smt"/>
       </part>
       <part id="sc-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65222,11 +68711,14 @@
           <part id="sc-11.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-11(01)(a)"/>
             <p>a trusted communication path that is irrefutably distinguishable from other communication paths is provided;</p>
+            <link rel="assessment-for" href="#sc-11.1_smt.a"/>
           </part>
           <part id="sc-11.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-11(01)(b)"/>
             <p>the trusted communication path for communications between the <insert type="param" id-ref="sc-11.01_odp"/> of the system and the user is initiated.</p>
+            <link rel="assessment-for" href="#sc-11.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-11.1_smt"/>
         </part>
         <part id="sc-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65293,6 +68785,7 @@
       <link rel="related" href="#cm-3"/>
       <link rel="related" href="#ia-3"/>
       <link rel="related" href="#ia-7"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#sa-4"/>
       <link rel="related" href="#sa-8"/>
       <link rel="related" href="#sa-9"/>
@@ -65317,11 +68810,14 @@
         <part id="sc-12_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-12[01]"/>
           <p>cryptographic keys are established when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>;</p>
+          <link rel="assessment-for" href="#sc-12_smt"/>
         </part>
         <part id="sc-12_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-12[02]"/>
           <p>cryptographic keys are managed when cryptography is employed within the system in accordance with <insert type="param" id-ref="sc-12_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-12_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-12_smt"/>
       </part>
       <part id="sc-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65370,6 +68866,7 @@
         <part id="sc-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-12(01)"/>
           <p>information availability is maintained in the event of the loss of cryptographic keys by users.</p>
+          <link rel="assessment-for" href="#sc-12.1_smt"/>
         </part>
         <part id="sc-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65428,15 +68925,19 @@
           <part id="sc-12.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(02)[01]"/>
             <p>symmetric cryptographic keys are produced using <insert type="param" id-ref="sc-12.02_odp"/> key management technology and processes;</p>
+            <link rel="assessment-for" href="#sc-12.2_smt"/>
           </part>
           <part id="sc-12.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(02)[02]"/>
             <p>symmetric cryptographic keys are controlled using <insert type="param" id-ref="sc-12.02_odp"/> key management technology and processes;</p>
+            <link rel="assessment-for" href="#sc-12.2_smt"/>
           </part>
           <part id="sc-12.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(02)[03]"/>
             <p>symmetric cryptographic keys are distributed using <insert type="param" id-ref="sc-12.02_odp"/> key management technology and processes.</p>
+            <link rel="assessment-for" href="#sc-12.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-12.2_smt"/>
         </part>
         <part id="sc-12.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65501,15 +69002,19 @@
           <part id="sc-12.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(03)[01]"/>
             <p>asymmetric cryptographic keys are produced using <insert type="param" id-ref="sc-12.03_odp"/>;</p>
+            <link rel="assessment-for" href="#sc-12.3_smt"/>
           </part>
           <part id="sc-12.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(03)[02]"/>
             <p>asymmetric cryptographic keys are controlled using <insert type="param" id-ref="sc-12.03_odp"/>;</p>
+            <link rel="assessment-for" href="#sc-12.3_smt"/>
           </part>
           <part id="sc-12.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-12(03)[03]"/>
             <p>asymmetric cryptographic keys are distributed using <insert type="param" id-ref="sc-12.03_odp"/>.</p>
+            <link rel="assessment-for" href="#sc-12.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-12.3_smt"/>
         </part>
         <part id="sc-12.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65578,6 +69083,7 @@
         <part id="sc-12.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-12(06)"/>
           <p>physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.</p>
+          <link rel="assessment-for" href="#sc-12.6_smt"/>
         </part>
         <part id="sc-12.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65647,6 +69153,7 @@
       <link rel="related" href="#ia-3"/>
       <link rel="related" href="#ia-5"/>
       <link rel="related" href="#ia-7"/>
+      <link rel="related" href="#ia-13"/>
       <link rel="related" href="#ma-4"/>
       <link rel="related" href="#mp-2"/>
       <link rel="related" href="#mp-4"/>
@@ -65680,11 +69187,14 @@
         <part id="sc-13_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-13a."/>
           <p><insert type="param" id-ref="sc-13_odp.01"/> are identified;</p>
+          <link rel="assessment-for" href="#sc-13_smt.a"/>
         </part>
         <part id="sc-13_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-13b."/>
           <p><insert type="param" id-ref="sc-13_odp.02"/> for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.</p>
+          <link rel="assessment-for" href="#sc-13_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-13_smt"/>
       </part>
       <part id="sc-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65801,11 +69311,14 @@
         <part id="sc-15_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-15a."/>
           <p>remote activation of collaborative computing devices and applications is prohibited except <insert type="param" id-ref="sc-15_odp"/>;</p>
+          <link rel="assessment-for" href="#sc-15_smt.a"/>
         </part>
         <part id="sc-15_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-15b."/>
           <p>an explicit indication of use is provided to users physically present at the devices.</p>
+          <link rel="assessment-for" href="#sc-15_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-15_smt"/>
       </part>
       <part id="sc-15_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65863,6 +69376,7 @@
         <part id="sc-15.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-15(01)"/>
           <p>the <insert type="param" id-ref="sc-15.01_odp"/> disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.</p>
+          <link rel="assessment-for" href="#sc-15.1_smt"/>
         </part>
         <part id="sc-15.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65936,6 +69450,7 @@
         <part id="sc-15.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-15(03)"/>
           <p>collaborative computing devices and applications are disabled or removed from <insert type="param" id-ref="sc-15.03_odp.01"/> in <insert type="param" id-ref="sc-15.03_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-15.3_smt"/>
         </part>
         <part id="sc-15.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -65994,6 +69509,7 @@
         <part id="sc-15.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-15(04)"/>
           <p>an explicit indication of current participants in <insert type="param" id-ref="sc-15.04_odp"/> is provided.</p>
+          <link rel="assessment-for" href="#sc-15.4_smt"/>
         </part>
         <part id="sc-15.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66068,19 +69584,24 @@
         <part id="sc-16_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16[01]"/>
           <p><insert type="param" id-ref="sc-16_odp.01"/> are associated with information exchanged between systems;</p>
+          <link rel="assessment-for" href="#sc-16_smt"/>
         </part>
         <part id="sc-16_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16[02]"/>
           <p><insert type="param" id-ref="sc-16_odp.01"/> are associated with information exchanged between system components;</p>
+          <link rel="assessment-for" href="#sc-16_smt"/>
         </part>
         <part id="sc-16_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16[03]"/>
           <p><insert type="param" id-ref="sc-16_odp.02"/> are associated with information exchanged between systems;</p>
+          <link rel="assessment-for" href="#sc-16_smt"/>
         </part>
         <part id="sc-16_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16[04]"/>
           <p><insert type="param" id-ref="sc-16_odp.02"/> are associated with information exchanged between system components.</p>
+          <link rel="assessment-for" href="#sc-16_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-16_smt"/>
       </part>
       <part id="sc-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66133,11 +69654,14 @@
           <part id="sc-16.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-16(01)[01]"/>
             <p>the integrity of transmitted security attributes is verified;</p>
+            <link rel="assessment-for" href="#sc-16.1_smt"/>
           </part>
           <part id="sc-16.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-16(01)[02]"/>
             <p>the integrity of transmitted privacy attributes is verified.</p>
+            <link rel="assessment-for" href="#sc-16.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-16.1_smt"/>
         </part>
         <part id="sc-16.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66189,6 +69713,7 @@
         <part id="sc-16.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16(02)"/>
           <p>anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.</p>
+          <link rel="assessment-for" href="#sc-16.2_smt"/>
         </part>
         <part id="sc-16.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66247,6 +69772,7 @@
         <part id="sc-16.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-16(03)"/>
           <p><insert type="param" id-ref="sc-16.03_odp"/> are implemented to bind security and privacy attributes to transmitted information.</p>
+          <link rel="assessment-for" href="#sc-16.3_smt"/>
         </part>
         <part id="sc-16.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66320,11 +69846,14 @@
         <part id="sc-17_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-17a."/>
           <p>public key certificates are issued under <insert type="param" id-ref="sc-17_odp"/> , or public key certificates are obtained from an approved service provider;</p>
+          <link rel="assessment-for" href="#sc-17_smt.a"/>
         </part>
         <part id="sc-17_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-17b."/>
           <p>only approved trust anchors are included in trust stores or certificate stores managed by the organization.</p>
+          <link rel="assessment-for" href="#sc-17_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-17_smt"/>
       </part>
       <part id="sc-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66388,35 +69917,45 @@
           <part id="sc-18_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18a.[01]"/>
             <p>acceptable mobile code is defined;</p>
+            <link rel="assessment-for" href="#sc-18_smt.a"/>
           </part>
           <part id="sc-18_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18a.[02]"/>
             <p>unacceptable mobile code is defined;</p>
+            <link rel="assessment-for" href="#sc-18_smt.a"/>
           </part>
           <part id="sc-18_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18a.[03]"/>
             <p>acceptable mobile code technologies are defined;</p>
+            <link rel="assessment-for" href="#sc-18_smt.a"/>
           </part>
           <part id="sc-18_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18a.[04]"/>
             <p>unacceptable mobile code technologies are defined;</p>
+            <link rel="assessment-for" href="#sc-18_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sc-18_smt.a"/>
         </part>
         <part id="sc-18_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-18b."/>
           <part id="sc-18_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18b.[01]"/>
             <p>the use of mobile code is authorized within the system;</p>
+            <link rel="assessment-for" href="#sc-18_smt.b"/>
           </part>
           <part id="sc-18_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18b.[02]"/>
             <p>the use of mobile code is monitored within the system;</p>
+            <link rel="assessment-for" href="#sc-18_smt.b"/>
           </part>
           <part id="sc-18_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18b.[03]"/>
             <p>the use of mobile code is controlled within the system.</p>
+            <link rel="assessment-for" href="#sc-18_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-18_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-18_smt"/>
       </part>
       <part id="sc-18_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66486,11 +70025,14 @@
           <part id="sc-18.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(01)[01]"/>
             <p><insert type="param" id-ref="sc-18.01_odp.01"/> is identified;</p>
+            <link rel="assessment-for" href="#sc-18.1_smt"/>
           </part>
           <part id="sc-18.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(01)[02]"/>
             <p><insert type="param" id-ref="sc-18.01_odp.02"/> are taken if unacceptable mobile code is identified.</p>
+            <link rel="assessment-for" href="#sc-18.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-18.1_smt"/>
         </part>
         <part id="sc-18.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66554,15 +70096,19 @@
           <part id="sc-18.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(02)[01]"/>
             <p>the acquisition of mobile code to be deployed in the system meets <insert type="param" id-ref="sc-18.02_odp"/>;</p>
+            <link rel="assessment-for" href="#sc-18.2_smt"/>
           </part>
           <part id="sc-18.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(02)[02]"/>
             <p>the development of mobile code to be deployed in the system meets <insert type="param" id-ref="sc-18.02_odp"/>;</p>
+            <link rel="assessment-for" href="#sc-18.2_smt"/>
           </part>
           <part id="sc-18.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(02)[03]"/>
             <p>the use of mobile code to be deployed in the system meets <insert type="param" id-ref="sc-18.02_odp"/>.</p>
+            <link rel="assessment-for" href="#sc-18.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-18.2_smt"/>
         </part>
         <part id="sc-18.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66624,11 +70170,14 @@
           <part id="sc-18.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(03)[01]"/>
             <p>the download of <insert type="param" id-ref="sc-18.03_odp"/> is prevented;</p>
+            <link rel="assessment-for" href="#sc-18.3_smt"/>
           </part>
           <part id="sc-18.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(03)[02]"/>
             <p>the execution of <insert type="param" id-ref="sc-18.03_odp"/> is prevented.</p>
+            <link rel="assessment-for" href="#sc-18.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-18.3_smt"/>
         </part>
         <part id="sc-18.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66697,11 +70246,14 @@
           <part id="sc-18.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(04)[01]"/>
             <p>the automatic execution of mobile code in <insert type="param" id-ref="sc-18.04_odp.01"/> is prevented;</p>
+            <link rel="assessment-for" href="#sc-18.4_smt"/>
           </part>
           <part id="sc-18.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-18(04)[02]"/>
             <p><insert type="param" id-ref="sc-18.04_odp.02"/> are enforced prior to executing mobile code.</p>
+            <link rel="assessment-for" href="#sc-18.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-18.4_smt"/>
         </part>
         <part id="sc-18.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66756,6 +70308,7 @@
         <part id="sc-18.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-18(05)"/>
           <p>execution of permitted mobile code is allowed only in confined virtual machine environments.</p>
+          <link rel="assessment-for" href="#sc-18.5_smt"/>
         </part>
         <part id="sc-18.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66837,23 +70390,30 @@
           <part id="sc-20_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20a.[01]"/>
             <p>additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+            <link rel="assessment-for" href="#sc-20_smt.a"/>
           </part>
           <part id="sc-20_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20a.[02]"/>
             <p>integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;</p>
+            <link rel="assessment-for" href="#sc-20_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sc-20_smt.a"/>
         </part>
         <part id="sc-20_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-20b."/>
           <part id="sc-20_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20b.[01]"/>
             <p>the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;</p>
+            <link rel="assessment-for" href="#sc-20_smt.b"/>
           </part>
           <part id="sc-20_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20b.[02]"/>
             <p>the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.</p>
+            <link rel="assessment-for" href="#sc-20_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-20_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-20_smt"/>
       </part>
       <part id="sc-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66909,11 +70469,14 @@
           <part id="sc-20.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20(02)[01]"/>
             <p>data origin artifacts are provided for internal name/address resolution queries;</p>
+            <link rel="assessment-for" href="#sc-20.2_smt"/>
           </part>
           <part id="sc-20.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-20(02)[02]"/>
             <p>integrity protection artifacts are provided for internal name/address resolution queries.</p>
+            <link rel="assessment-for" href="#sc-20.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-20.2_smt"/>
         </part>
         <part id="sc-20.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -66966,19 +70529,24 @@
         <part id="sc-21_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-21[01]"/>
           <p>data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+          <link rel="assessment-for" href="#sc-21_smt"/>
         </part>
         <part id="sc-21_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-21[02]"/>
           <p>data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;</p>
+          <link rel="assessment-for" href="#sc-21_smt"/>
         </part>
         <part id="sc-21_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-21[03]"/>
           <p>data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;</p>
+          <link rel="assessment-for" href="#sc-21_smt"/>
         </part>
         <part id="sc-21_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-21[04]"/>
           <p>data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.</p>
+          <link rel="assessment-for" href="#sc-21_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-21_smt"/>
       </part>
       <part id="sc-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67040,15 +70608,19 @@
         <part id="sc-22_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-22[01]"/>
           <p>the systems that collectively provide name/address resolution services for an organization are fault-tolerant;</p>
+          <link rel="assessment-for" href="#sc-22_smt"/>
         </part>
         <part id="sc-22_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-22[02]"/>
           <p>the systems that collectively provide name/address resolution services for an organization implement internal role separation;</p>
+          <link rel="assessment-for" href="#sc-22_smt"/>
         </part>
         <part id="sc-22_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-22[03]"/>
           <p>the systems that collectively provide name/address resolution services for an organization implement external role separation.</p>
+          <link rel="assessment-for" href="#sc-22_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-22_smt"/>
       </part>
       <part id="sc-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67105,6 +70677,7 @@
       <part id="sc-23_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-23"/>
         <p>the authenticity of communication sessions is protected.</p>
+        <link rel="assessment-for" href="#sc-23_smt"/>
       </part>
       <part id="sc-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67150,6 +70723,7 @@
         <part id="sc-23.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-23(01)"/>
           <p>session identifiers are invalidated upon user logout or other session termination.</p>
+          <link rel="assessment-for" href="#sc-23.1_smt"/>
         </part>
         <part id="sc-23.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67217,11 +70791,14 @@
           <part id="sc-23.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-23(03)[01]"/>
             <p>a unique session identifier is generated for each session with <insert type="param" id-ref="sc-23.03_odp"/>;</p>
+            <link rel="assessment-for" href="#sc-23.3_smt"/>
           </part>
           <part id="sc-23.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-23(03)[02]"/>
             <p>only system-generated session identifiers are recognized.</p>
+            <link rel="assessment-for" href="#sc-23.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-23.3_smt"/>
         </part>
         <part id="sc-23.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67288,6 +70865,7 @@
         <part id="sc-23.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-23(05)"/>
           <p>only the use of <insert type="param" id-ref="sc-23.05_odp"/> for verification of the establishment of protected sessions is allowed.</p>
+          <link rel="assessment-for" href="#sc-23.5_smt"/>
         </part>
         <part id="sc-23.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67369,6 +70947,7 @@
       <part id="sc-24_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-24"/>
         <p><insert type="param" id-ref="sc-24_odp.01"/> fail to a <insert type="param" id-ref="sc-24_odp.02"/> while preserving <insert type="param" id-ref="sc-24_odp.03"/> in failure.</p>
+        <link rel="assessment-for" href="#sc-24_smt"/>
       </part>
       <part id="sc-24_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67430,11 +71009,14 @@
         <part id="sc-25_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-25[01]"/>
           <p>minimal functionality for <insert type="param" id-ref="sc-25_odp"/> is employed;</p>
+          <link rel="assessment-for" href="#sc-25_smt"/>
         </part>
         <part id="sc-25_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-25[02]"/>
           <p>minimal information storage on <insert type="param" id-ref="sc-25_odp"/> is allocated.</p>
+          <link rel="assessment-for" href="#sc-25_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-25_smt"/>
       </part>
       <part id="sc-25_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67489,15 +71071,19 @@
         <part id="sc-26_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-26[01]"/>
           <p>components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;</p>
+          <link rel="assessment-for" href="#sc-26_smt"/>
         </part>
         <part id="sc-26_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-26[02]"/>
           <p>components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;</p>
+          <link rel="assessment-for" href="#sc-26_smt"/>
         </part>
         <part id="sc-26_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-26[03]"/>
           <p>components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.</p>
+          <link rel="assessment-for" href="#sc-26_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-26_smt"/>
       </part>
       <part id="sc-26_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67561,6 +71147,7 @@
       <part id="sc-27_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-27"/>
         <p><insert type="param" id-ref="sc-27_odp"/> are included within organizational systems.</p>
+        <link rel="assessment-for" href="#sc-27_smt"/>
       </part>
       <part id="sc-27_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67652,6 +71239,7 @@
       <part id="sc-28_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-28"/>
         <p>the <insert type="param" id-ref="sc-28_odp.01"/> of <insert type="param" id-ref="sc-28_odp.02"/> is/are protected.</p>
+        <link rel="assessment-for" href="#sc-28_smt"/>
       </part>
       <part id="sc-28_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67720,11 +71308,14 @@
           <part id="sc-28.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28(01)[01]"/>
             <p>cryptographic mechanisms are implemented to prevent unauthorized disclosure of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sc-28.1_smt"/>
           </part>
           <part id="sc-28.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28(01)[02]"/>
             <p>cryptographic mechanisms are implemented to prevent unauthorized modification of <insert type="param" id-ref="sc-28.01_odp.01"/> at rest on <insert type="param" id-ref="sc-28.01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sc-28.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-28.1_smt"/>
         </part>
         <part id="sc-28.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67783,11 +71374,14 @@
           <part id="sc-28.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28(02)[01]"/>
             <p><insert type="param" id-ref="sc-28.02_odp"/> is removed from online storage;</p>
+            <link rel="assessment-for" href="#sc-28.2_smt"/>
           </part>
           <part id="sc-28.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-28(02)[02]"/>
             <p><insert type="param" id-ref="sc-28.02_odp"/> is stored offline in a secure location.</p>
+            <link rel="assessment-for" href="#sc-28.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-28.2_smt"/>
         </part>
         <part id="sc-28.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67856,6 +71450,7 @@
         <part id="sc-28.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-28(03)"/>
           <p>protected storage for cryptographic keys is provided using <insert type="param" id-ref="sc-28.03_odp.01"/>.</p>
+          <link rel="assessment-for" href="#sc-28.3_smt"/>
         </part>
         <part id="sc-28.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67917,6 +71512,7 @@
       <part id="sc-29_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-29"/>
         <p>a diverse set of information technologies is employed for <insert type="param" id-ref="sc-29_odp"/> in the implementation of the system.</p>
+        <link rel="assessment-for" href="#sc-29_smt"/>
       </part>
       <part id="sc-29_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -67973,6 +71569,7 @@
         <part id="sc-29.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-29(01)"/>
           <p>virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed <insert type="param" id-ref="sc-29.01_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-29.1_smt"/>
         </part>
         <part id="sc-29.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68056,6 +71653,7 @@
       <part id="sc-30_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-30"/>
         <p><insert type="param" id-ref="sc-30_odp.01"/> are employed for <insert type="param" id-ref="sc-30_odp.02"/> for <insert type="param" id-ref="sc-30_odp.03"/> to confuse and mislead adversaries.</p>
+        <link rel="assessment-for" href="#sc-30_smt"/>
       </part>
       <part id="sc-30_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68121,6 +71719,7 @@
         <part id="sc-30.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-30(02)"/>
           <p><insert type="param" id-ref="sc-30.02_odp"/> are employed to introduce randomness into organizational operations and assets.</p>
+          <link rel="assessment-for" href="#sc-30.2_smt"/>
         </part>
         <part id="sc-30.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68195,6 +71794,7 @@
         <part id="sc-30.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-30(03)"/>
           <p>the location of <insert type="param" id-ref="sc-30.03_odp.01"/> is changed <insert type="param" id-ref="sc-30.03_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-30.3_smt"/>
         </part>
         <part id="sc-30.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68253,6 +71853,7 @@
         <part id="sc-30.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-30(04)"/>
           <p>realistic but misleading information about the security state or posture of <insert type="param" id-ref="sc-30.04_odp"/> is employed.</p>
+          <link rel="assessment-for" href="#sc-30.4_smt"/>
         </part>
         <part id="sc-30.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68318,6 +71919,7 @@
         <part id="sc-30.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-30(05)"/>
           <p><insert type="param" id-ref="sc-30.05_odp.01"/> are employed to hide or conceal <insert type="param" id-ref="sc-30.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-30.5_smt"/>
         </part>
         <part id="sc-30.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68389,11 +71991,14 @@
         <part id="sc-31_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-31a."/>
           <p>a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert <insert type="param" id-ref="sc-31_odp"/> channels;</p>
+          <link rel="assessment-for" href="#sc-31_smt.a"/>
         </part>
         <part id="sc-31_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-31b."/>
           <p>the maximum bandwidth of those channels is estimated.</p>
+          <link rel="assessment-for" href="#sc-31_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-31_smt"/>
       </part>
       <part id="sc-31_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68445,6 +72050,7 @@
         <part id="sc-31.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-31(01)"/>
           <p>a subset of the identified covert channels is tested to determine the channels that are exploitable.</p>
+          <link rel="assessment-for" href="#sc-31.1_smt"/>
         </part>
         <part id="sc-31.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68512,6 +72118,7 @@
         <part id="sc-31.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-31(02)"/>
           <p>the maximum bandwidth for identified covert <insert type="param" id-ref="sc-31.02_odp.01"/> channels is reduced to <insert type="param" id-ref="sc-31.02_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-31.2_smt"/>
         </part>
         <part id="sc-31.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68574,6 +72181,7 @@
         <part id="sc-31.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-31(03)"/>
           <p>the bandwidth of <insert type="param" id-ref="sc-31.03_odp"/> is measured in the operational environment of the system.</p>
+          <link rel="assessment-for" href="#sc-31.3_smt"/>
         </part>
         <part id="sc-31.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68661,6 +72269,7 @@
       <part id="sc-32_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-32"/>
         <p>the system is partitioned into <insert type="param" id-ref="sc-32_odp.01"/> residing in separate <insert type="param" id-ref="sc-32_odp.02"/> domains or environments based on <insert type="param" id-ref="sc-32_odp.03"/>.</p>
+        <link rel="assessment-for" href="#sc-32_smt"/>
       </part>
       <part id="sc-32_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68713,6 +72322,7 @@
         <part id="sc-32.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-32(01)"/>
           <p>privileged functions are partitioned into separate physical domains.</p>
+          <link rel="assessment-for" href="#sc-32.1_smt"/>
         </part>
         <part id="sc-32.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68802,11 +72412,14 @@
         <part id="sc-34_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-34a."/>
           <p>the operating environment for <insert type="param" id-ref="sc-34_odp.01"/> is loaded and executed from hardware-enforced, read-only media;</p>
+          <link rel="assessment-for" href="#sc-34_smt.a"/>
         </part>
         <part id="sc-34_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-34b."/>
           <p><insert type="param" id-ref="sc-34_odp.02"/> for <insert type="param" id-ref="sc-34_odp.01"/> are loaded and executed from hardware-enforced, read-only media.</p>
+          <link rel="assessment-for" href="#sc-34_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-34_smt"/>
       </part>
       <part id="sc-34_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68872,6 +72485,7 @@
         <part id="sc-34.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-34(01)"/>
           <p><insert type="param" id-ref="sc-34.01_odp"/> are employed with no writeable storage that is persistent across component restart or power on/off.</p>
+          <link rel="assessment-for" href="#sc-34.1_smt"/>
         </part>
         <part id="sc-34.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -68934,11 +72548,14 @@
           <part id="sc-34.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-34(02)[01]"/>
             <p>the integrity of information is protected prior to storage on read-only media;</p>
+            <link rel="assessment-for" href="#sc-34.2_smt"/>
           </part>
           <part id="sc-34.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-34(02)[02]"/>
             <p>the media is controlled after such information has been recorded onto the media;</p>
+            <link rel="assessment-for" href="#sc-34.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sc-34.2_smt"/>
         </part>
         <part id="sc-34.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69001,6 +72618,7 @@
       <part id="sc-35_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-35"/>
         <p>system components that proactively seek to identify network-based malicious code or malicious websites are included.</p>
+        <link rel="assessment-for" href="#sc-35_smt"/>
       </part>
       <part id="sc-35_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69098,11 +72716,14 @@
         <part id="sc-36_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-36[01]"/>
           <p><insert type="param" id-ref="sc-36_odp.01"/> are distributed across <insert type="param" id-ref="sc-36_odp.02"/>;</p>
+          <link rel="assessment-for" href="#sc-36_smt"/>
         </part>
         <part id="sc-36_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-36[02]"/>
           <p><insert type="param" id-ref="sc-36_odp.03"/> are distributed across <insert type="param" id-ref="sc-36_odp.04"/>.</p>
+          <link rel="assessment-for" href="#sc-36_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-36_smt"/>
       </part>
       <part id="sc-36_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69184,11 +72805,14 @@
           <part id="sc-36.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-36(01)(a)"/>
             <p>polling techniques are employed to identify potential faults, errors, or compromises to <insert type="param" id-ref="sc-36.01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sc-36.1_smt.a"/>
           </part>
           <part id="sc-36.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-36(01)(b)"/>
             <p><insert type="param" id-ref="sc-36.01_odp.02"/> are taken in response to identified faults, errors, or compromise.</p>
+            <link rel="assessment-for" href="#sc-36.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-36.1_smt"/>
         </part>
         <part id="sc-36.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69249,6 +72873,7 @@
         <part id="sc-36.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-36(02)"/>
           <p><insert type="param" id-ref="sc-36.02_odp"/> are synchronized.</p>
+          <link rel="assessment-for" href="#sc-36.2_smt"/>
         </part>
         <part id="sc-36.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69334,11 +72959,12 @@
         <p>Employ the following out-of-band channels for the physical delivery or electronic transmission of <insert type="param" id-ref="sc-37_odp.02"/> to <insert type="param" id-ref="sc-37_odp.03"/>: <insert type="param" id-ref="sc-37_odp.01"/>.</p>
       </part>
       <part name="guidance" id="sc-37_gdn">
-        <p>Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.</p>
+        <p>Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.</p>
       </part>
       <part id="sc-37_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-37"/>
         <p><insert type="param" id-ref="sc-37_odp.01"/> are employed for the physical delivery or electronic transmission of <insert type="param" id-ref="sc-37_odp.02"/> to <insert type="param" id-ref="sc-37_odp.03"/>.</p>
+        <link rel="assessment-for" href="#sc-37_smt"/>
       </part>
       <part id="sc-37_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69420,6 +73046,7 @@
         <part id="sc-37.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-37(01)"/>
           <p><insert type="param" id-ref="sc-37.01_odp.01"/> are employed to ensure that only <insert type="param" id-ref="sc-37.01_odp.02"/> receive <insert type="param" id-ref="sc-37.01_odp.03"/>.</p>
+          <link rel="assessment-for" href="#sc-37.1_smt"/>
         </part>
         <part id="sc-37.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69497,6 +73124,7 @@
       <part id="sc-38_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-38"/>
         <p><insert type="param" id-ref="sc-38_odp"/> are employed to protect key organizational information throughout the system development life cycle.</p>
+        <link rel="assessment-for" href="#sc-38_smt"/>
       </part>
       <part id="sc-38_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69559,6 +73187,7 @@
       <part id="sc-39_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-39"/>
         <p>a separate execution domain is maintained for each executing system process.</p>
+        <link rel="assessment-for" href="#sc-39_smt"/>
       </part>
       <part id="sc-39_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69603,6 +73232,7 @@
         <part id="sc-39.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-39(01)"/>
           <p>hardware separation is implemented to facilitate process isolation.</p>
+          <link rel="assessment-for" href="#sc-39.1_smt"/>
         </part>
         <part id="sc-39.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69662,6 +73292,7 @@
         <part id="sc-39.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-39(02)"/>
           <p>a separate execution domain is maintained for each thread in <insert type="param" id-ref="sc-39.02_odp"/>.</p>
+          <link rel="assessment-for" href="#sc-39.2_smt"/>
         </part>
         <part id="sc-39.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69756,11 +73387,14 @@
         <part id="sc-40_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40[01]"/>
           <p>external <insert type="param" id-ref="sc-40_odp.01"/> are protected from <insert type="param" id-ref="sc-40_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sc-40_smt"/>
         </part>
         <part id="sc-40_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40[02]"/>
           <p>internal <insert type="param" id-ref="sc-40_odp.03"/> are protected from <insert type="param" id-ref="sc-40_odp.04"/>.</p>
+          <link rel="assessment-for" href="#sc-40_smt"/>
         </part>
+        <link rel="assessment-for" href="#sc-40_smt"/>
       </part>
       <part id="sc-40_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69825,6 +73459,7 @@
         <part id="sc-40.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40(01)"/>
           <p>cryptographic mechanisms that achieve <insert type="param" id-ref="sc-40.01_odp"/> against the effects of intentional electromagnetic interference are implemented.</p>
+          <link rel="assessment-for" href="#sc-40.1_smt"/>
         </part>
         <part id="sc-40.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69889,6 +73524,7 @@
         <part id="sc-40.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40(02)"/>
           <p>cryptographic mechanisms to reduce the detection potential of wireless links to <insert type="param" id-ref="sc-40.02_odp"/> are implemented.</p>
+          <link rel="assessment-for" href="#sc-40.2_smt"/>
         </part>
         <part id="sc-40.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -69946,6 +73582,7 @@
         <part id="sc-40.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40(03)"/>
           <p>cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.</p>
+          <link rel="assessment-for" href="#sc-40.3_smt"/>
         </part>
         <part id="sc-40.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70008,6 +73645,7 @@
         <part id="sc-40.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-40(04)"/>
           <p>cryptographic mechanisms are implemented to prevent the identification of <insert type="param" id-ref="sc-40.04_odp"/> by using the transmitter signal parameters.</p>
+          <link rel="assessment-for" href="#sc-40.4_smt"/>
         </part>
         <part id="sc-40.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70087,6 +73725,7 @@
       <part id="sc-41_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-41"/>
         <p><insert type="param" id-ref="sc-41_odp.01"/> are <insert type="param" id-ref="sc-41_odp.02"/> disabled or removed on <insert type="param" id-ref="sc-41_odp.03"/>.</p>
+        <link rel="assessment-for" href="#sc-41_smt"/>
       </part>
       <part id="sc-41_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70188,11 +73827,14 @@
         <part id="sc-42_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42a."/>
           <p><insert type="param" id-ref="sc-42_odp.01"/> is/are prohibited;</p>
+          <link rel="assessment-for" href="#sc-42_smt.a"/>
         </part>
         <part id="sc-42_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42b."/>
           <p>an explicit indication of sensor use is provided to <insert type="param" id-ref="sc-42_odp.05"/>.</p>
+          <link rel="assessment-for" href="#sc-42_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-42_smt"/>
       </part>
       <part id="sc-42_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70253,6 +73895,7 @@
         <part id="sc-42.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42(01)"/>
           <p>the system is configured so that data or information collected by the <insert type="param" id-ref="sc-42.01_odp"/> is only reported to authorized individuals or roles.</p>
+          <link rel="assessment-for" href="#sc-42.1_smt"/>
         </part>
         <part id="sc-42.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70317,6 +73960,7 @@
         <part id="sc-42.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42(02)"/>
           <p><insert type="param" id-ref="sc-42.02_odp"/> are employed so that data or information collected by <insert type="param" id-ref="sc-42.01_odp"/> is only used for authorized purposes.</p>
+          <link rel="assessment-for" href="#sc-42.2_smt"/>
         </part>
         <part id="sc-42.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70398,6 +74042,7 @@
         <part id="sc-42.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42(04)"/>
           <p><insert type="param" id-ref="sc-42.04_odp.01"/> are employed to facilitate an individual’s awareness that personally identifiable information is being collected by <insert type="param" id-ref="sc-42.04_odp.02"/> </p>
+          <link rel="assessment-for" href="#sc-42.4_smt"/>
         </part>
         <part id="sc-42.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70465,6 +74110,7 @@
         <part id="sc-42.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-42(05)"/>
           <p>the <insert type="param" id-ref="sc-42.05_odp"/> configured to minimize the collection of information about individuals that is not needed are employed.</p>
+          <link rel="assessment-for" href="#sc-42.5_smt"/>
         </part>
         <part id="sc-42.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70548,22 +74194,28 @@
         <part id="sc-43_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-43a."/>
           <p>usage restrictions and implementation guidelines are established for <insert type="param" id-ref="sc-43_odp"/>;</p>
+          <link rel="assessment-for" href="#sc-43_smt.a"/>
         </part>
         <part id="sc-43_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-43b."/>
           <part id="sc-43_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-43b.[01]"/>
             <p>the use of <insert type="param" id-ref="sc-43_odp"/> is authorized within the system;</p>
+            <link rel="assessment-for" href="#sc-43_smt.b"/>
           </part>
           <part id="sc-43_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-43b.[02]"/>
             <p>the use of <insert type="param" id-ref="sc-43_odp"/> is monitored within the system;</p>
+            <link rel="assessment-for" href="#sc-43_smt.b"/>
           </part>
           <part id="sc-43_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-43b.[03]"/>
             <p>the use of <insert type="param" id-ref="sc-43_odp"/> is controlled within the system.</p>
+            <link rel="assessment-for" href="#sc-43_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-43_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-43_smt"/>
       </part>
       <part id="sc-43_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70631,6 +74283,7 @@
       <part id="sc-44_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-44"/>
         <p>a detonation chamber capability is employed within the <insert type="param" id-ref="sc-44_odp"/>.</p>
+        <link rel="assessment-for" href="#sc-44_smt"/>
       </part>
       <part id="sc-44_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70682,6 +74335,7 @@
       <part id="sc-45_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-45"/>
         <p>system clocks are synchronized within and between systems and system components.</p>
+        <link rel="assessment-for" href="#sc-45_smt"/>
       </part>
       <part id="sc-45_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70761,11 +74415,14 @@
           <part id="sc-45.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-45(01)(a)"/>
             <p>the internal system clocks are compared <insert type="param" id-ref="sc-45.01_odp.01"/> with <insert type="param" id-ref="sc-45.01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sc-45.1_smt.a"/>
           </part>
           <part id="sc-45.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-45(01)(b)"/>
             <p>the internal system clocks are synchronized with the authoritative time source when the time difference is greater than <insert type="param" id-ref="sc-45.01_odp.03"/>.</p>
+            <link rel="assessment-for" href="#sc-45.1_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-45.1_smt"/>
         </part>
         <part id="sc-45.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70822,11 +74479,14 @@
           <part id="sc-45.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-45(02)(a)"/>
             <p>a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;</p>
+            <link rel="assessment-for" href="#sc-45.2_smt.a"/>
           </part>
           <part id="sc-45.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-45(02)(b)"/>
             <p>the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.</p>
+            <link rel="assessment-for" href="#sc-45.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-45.2_smt"/>
         </part>
         <part id="sc-45.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70885,6 +74545,7 @@
       <part id="sc-46_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-46"/>
         <p>a policy enforcement mechanism is <insert type="param" id-ref="sc-46_odp"/> implemented between the physical and/or network interfaces for the connecting security domains.</p>
+        <link rel="assessment-for" href="#sc-46_smt"/>
       </part>
       <part id="sc-46_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -70946,6 +74607,7 @@
       <part id="sc-47_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-47"/>
         <p><insert type="param" id-ref="sc-47_odp"/> are established for system operations and operational command and control.</p>
+        <link rel="assessment-for" href="#sc-47_smt"/>
       </part>
       <part id="sc-47_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71021,6 +74683,7 @@
       <part id="sc-48_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-48"/>
         <p><insert type="param" id-ref="sc-48_odp.01"/> are relocated to <insert type="param" id-ref="sc-48_odp.02"/> under <insert type="param" id-ref="sc-48_odp.03"/>.</p>
+        <link rel="assessment-for" href="#sc-48_smt"/>
       </part>
       <part id="sc-48_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71095,6 +74758,7 @@
         <part id="sc-48.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-48(01)"/>
           <p><insert type="param" id-ref="sc-48.01_odp.01"/> are dynamically relocated to <insert type="param" id-ref="sc-48.01_odp.02"/> under <insert type="param" id-ref="sc-48.01_odp.03"/>.</p>
+          <link rel="assessment-for" href="#sc-48.1_smt"/>
         </part>
         <part id="sc-48.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71159,6 +74823,7 @@
       <part id="sc-49_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-49"/>
         <p>hardware-enforced separation and policy enforcement mechanisms are implemented between <insert type="param" id-ref="sc-49_odp"/>.</p>
+        <link rel="assessment-for" href="#sc-49_smt"/>
       </part>
       <part id="sc-49_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71222,6 +74887,7 @@
       <part id="sc-50_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SC-50"/>
         <p>software-enforced separation and policy enforcement mechanisms are implemented between <insert type="param" id-ref="sc-50_odp"/>.</p>
+        <link rel="assessment-for" href="#sc-50_smt"/>
       </part>
       <part id="sc-50_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71295,18 +74961,23 @@
         <part id="sc-51_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-51a."/>
           <p>hardware-based write-protect for <insert type="param" id-ref="sc-51_odp.01"/> is employed;</p>
+          <link rel="assessment-for" href="#sc-51_smt.a"/>
         </part>
         <part id="sc-51_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SC-51b."/>
           <part id="sc-51_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-51b.[01]"/>
             <p>specific procedures are implemented for <insert type="param" id-ref="sc-51_odp.02"/> to manually disable hardware write-protect for firmware modifications;</p>
+            <link rel="assessment-for" href="#sc-51_smt.b"/>
           </part>
           <part id="sc-51_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SC-51b.[02]"/>
             <p>specific procedures are implemented for <insert type="param" id-ref="sc-51_odp.02"/> to re-enable the write-protect prior to returning to operational mode.</p>
+            <link rel="assessment-for" href="#sc-51_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#sc-51_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sc-51_smt"/>
       </part>
       <part id="sc-51_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71474,18 +75145,22 @@
           <part id="si-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01a.[01]"/>
             <p>a system and information integrity policy is developed and documented;</p>
+            <link rel="assessment-for" href="#si-1_smt.a"/>
           </part>
           <part id="si-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01a.[02]"/>
             <p>the system and information integrity policy is disseminated to <insert type="param" id-ref="si-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#si-1_smt.a"/>
           </part>
           <part id="si-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01a.[03]"/>
             <p>system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;</p>
+            <link rel="assessment-for" href="#si-1_smt.a"/>
           </part>
           <part id="si-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01a.[04]"/>
             <p>the system and information integrity procedures are disseminated to <insert type="param" id-ref="si-01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#si-1_smt.a"/>
           </part>
           <part id="si-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01a.01"/>
@@ -71494,41 +75169,53 @@
               <part id="si-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses purpose;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses scope;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[03]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses roles;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
               <part id="si-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SI-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy addresses compliance;</p>
+                <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#si-1_smt.a.1.a"/>
             </part>
             <part id="si-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-01a.01(b)"/>
               <p>the <insert type="param" id-ref="si-01_odp.03"/> system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#si-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#si-1_smt.a"/>
         </part>
         <part id="si-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-01b."/>
           <p>the <insert type="param" id-ref="si-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;</p>
+          <link rel="assessment-for" href="#si-1_smt.b"/>
         </part>
         <part id="si-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-01c."/>
@@ -71537,24 +75224,32 @@
             <part id="si-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-01c.01[01]"/>
               <p>the current system and information integrity policy is reviewed and updated <insert type="param" id-ref="si-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#si-1_smt.c.1"/>
             </part>
             <part id="si-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-01c.01[02]"/>
               <p>the current system and information integrity policy is reviewed and updated following <insert type="param" id-ref="si-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#si-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt.c.1"/>
           </part>
           <part id="si-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-01c.02"/>
             <part id="si-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-01c.02[01]"/>
               <p>the current system and information integrity procedures are reviewed and updated <insert type="param" id-ref="si-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#si-1_smt.c.2"/>
             </part>
             <part id="si-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-01c.02[02]"/>
               <p>the current system and information integrity procedures are reviewed and updated following <insert type="param" id-ref="si-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#si-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#si-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#si-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#si-1_smt"/>
       </part>
       <part id="si-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71641,50 +75336,64 @@
           <part id="si-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02a.[01]"/>
             <p>system flaws are identified;</p>
+            <link rel="assessment-for" href="#si-2_smt.a"/>
           </part>
           <part id="si-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02a.[02]"/>
             <p>system flaws are reported;</p>
+            <link rel="assessment-for" href="#si-2_smt.a"/>
           </part>
           <part id="si-2_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02a.[03]"/>
             <p>system flaws are corrected;</p>
+            <link rel="assessment-for" href="#si-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-2_smt.a"/>
         </part>
         <part id="si-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02b."/>
           <part id="si-2_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02b.[01]"/>
             <p>software updates related to flaw remediation are tested for effectiveness before installation;</p>
+            <link rel="assessment-for" href="#si-2_smt.b"/>
           </part>
           <part id="si-2_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02b.[02]"/>
             <p>software updates related to flaw remediation are tested for potential side effects before installation;</p>
+            <link rel="assessment-for" href="#si-2_smt.b"/>
           </part>
           <part id="si-2_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02b.[03]"/>
             <p>firmware updates related to flaw remediation are tested for effectiveness before installation;</p>
+            <link rel="assessment-for" href="#si-2_smt.b"/>
           </part>
           <part id="si-2_obj.b-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02b.[04]"/>
             <p>firmware updates related to flaw remediation are tested for potential side effects before installation;</p>
+            <link rel="assessment-for" href="#si-2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-2_smt.b"/>
         </part>
         <part id="si-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02c."/>
           <part id="si-2_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02c.[01]"/>
             <p>security-relevant software updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+            <link rel="assessment-for" href="#si-2_smt.c"/>
           </part>
           <part id="si-2_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02c.[02]"/>
             <p>security-relevant firmware updates are installed within <insert type="param" id-ref="si-02_odp"/> of the release of the updates;</p>
+            <link rel="assessment-for" href="#si-2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#si-2_smt.c"/>
         </part>
         <part id="si-2_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02d."/>
           <p>flaw remediation is incorporated into the organizational configuration management process.</p>
+          <link rel="assessment-for" href="#si-2_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#si-2_smt"/>
       </part>
       <part id="si-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71766,6 +75475,7 @@
         <part id="si-2.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02(02)"/>
           <p>system components have applicable security-relevant software and firmware updates installed <insert type="param" id-ref="si-02.02_odp.02"/> using <insert type="param" id-ref="si-02.02_odp.01"/>.</p>
+          <link rel="assessment-for" href="#si-2.2_smt"/>
         </part>
         <part id="si-2.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71833,11 +75543,14 @@
           <part id="si-2.3_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02(03)(a)"/>
             <p>the time between flaw identification and flaw remediation is measured;</p>
+            <link rel="assessment-for" href="#si-2.3_smt.a"/>
           </part>
           <part id="si-2.3_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-02(03)(b)"/>
             <p><insert type="param" id-ref="si-02.03_odp"/> for taking corrective actions have been established.</p>
+            <link rel="assessment-for" href="#si-2.3_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-2.3_smt"/>
         </part>
         <part id="si-2.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71899,6 +75612,7 @@
         <part id="si-2.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02(04)"/>
           <p>automated patch management tools are employed to facilitate flaw remediation to <insert type="param" id-ref="si-02.04_odp"/>.</p>
+          <link rel="assessment-for" href="#si-2.4_smt"/>
         </part>
         <part id="si-2.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -71970,6 +75684,7 @@
         <part id="si-2.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02(05)"/>
           <p><insert type="param" id-ref="si-02.05_odp.01"/> are installed automatically to <insert type="param" id-ref="si-02.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-2.5_smt"/>
         </part>
         <part id="si-2.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72030,6 +75745,7 @@
         <part id="si-2.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-02(06)"/>
           <p>previous versions of <insert type="param" id-ref="si-02.06_odp"/> are removed after updated versions have been installed.</p>
+          <link rel="assessment-for" href="#si-2.6_smt"/>
         </part>
         <part id="si-2.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72182,15 +75898,19 @@
           <part id="si-3_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03a.[01]"/>
             <p><insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;</p>
+            <link rel="assessment-for" href="#si-3_smt.a"/>
           </part>
           <part id="si-3_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03a.[02]"/>
             <p><insert type="param" id-ref="si-03_odp.01"/> malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;</p>
+            <link rel="assessment-for" href="#si-3_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-3_smt.a"/>
         </part>
         <part id="si-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-03b."/>
           <p>malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;</p>
+          <link rel="assessment-for" href="#si-3_smt.b"/>
         </part>
         <part id="si-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-03c."/>
@@ -72199,28 +75919,37 @@
             <part id="si-3_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03c.01[01]"/>
               <p>malicious code protection mechanisms are configured to perform periodic scans of the system <insert type="param" id-ref="si-03_odp.02"/>;</p>
+              <link rel="assessment-for" href="#si-3_smt.c.1"/>
             </part>
             <part id="si-3_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03c.01[02]"/>
               <p>malicious code protection mechanisms are configured to perform real-time scans of files from external sources at <insert type="param" id-ref="si-03_odp.03"/> as the files are downloaded, opened, or executed in accordance with organizational policy;</p>
+              <link rel="assessment-for" href="#si-3_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#si-3_smt.c.1"/>
           </part>
           <part id="si-3_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03c.02"/>
             <part id="si-3_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03c.02[01]"/>
               <p>malicious code protection mechanisms are configured to <insert type="param" id-ref="si-03_odp.04"/> in response to malicious code detection;</p>
+              <link rel="assessment-for" href="#si-3_smt.c.2"/>
             </part>
             <part id="si-3_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03c.02[02]"/>
               <p>malicious code protection mechanisms are configured to send alerts to <insert type="param" id-ref="si-03_odp.06"/> in response to malicious code detection;</p>
+              <link rel="assessment-for" href="#si-3_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#si-3_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#si-3_smt.c"/>
         </part>
         <part id="si-3_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-03d."/>
           <p>the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.</p>
+          <link rel="assessment-for" href="#si-3_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#si-3_smt"/>
       </part>
       <part id="si-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72304,6 +76033,7 @@
         <part id="si-3.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-03(04)"/>
           <p>malicious code protection mechanisms are updated only when directed by a privileged user.</p>
+          <link rel="assessment-for" href="#si-3.4_smt"/>
         </part>
         <part id="si-3.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72385,18 +76115,23 @@
           <part id="si-3.6_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(06)(a)"/>
             <p>malicious code protection mechanisms are tested <insert type="param" id-ref="si-03.06_odp"/> by introducing known benign code into the system;</p>
+            <link rel="assessment-for" href="#si-3.6_smt.a"/>
           </part>
           <part id="si-3.6_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(06)(b)"/>
             <part id="si-3.6_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03(06)(b)[01]"/>
               <p>the detection of (benign test) code occurs;</p>
+              <link rel="assessment-for" href="#si-3.6_smt.b"/>
             </part>
             <part id="si-3.6_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03(06)(b)[02]"/>
               <p>the associated incident reporting occurs.</p>
+              <link rel="assessment-for" href="#si-3.6_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-3.6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-3.6_smt"/>
         </part>
         <part id="si-3.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72493,11 +76228,14 @@
           <part id="si-3.8_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(08)(a)"/>
             <p><insert type="param" id-ref="si-03.08_odp.01"/> are detected through the kernel application programming interface on <insert type="param" id-ref="si-03.08_odp.02"/>;</p>
+            <link rel="assessment-for" href="#si-3.8_smt.a"/>
           </part>
           <part id="si-3.8_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(08)(b)"/>
             <p><insert type="param" id-ref="si-03.08_odp.03"/> is/are performed.</p>
+            <link rel="assessment-for" href="#si-3.8_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-3.8_smt"/>
         </part>
         <part id="si-3.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72576,18 +76314,23 @@
           <part id="si-3.10_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(10)(a)"/>
             <p><insert type="param" id-ref="si-03.10_odp"/> are employed to analyze the characteristics and behavior of malicious code;</p>
+            <link rel="assessment-for" href="#si-3.10_smt.a"/>
           </part>
           <part id="si-3.10_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-03(10)(b)"/>
             <part id="si-3.10_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03(10)(b)[01]"/>
               <p>the results from malicious code analysis are incorporated into organizational incident response processes;</p>
+              <link rel="assessment-for" href="#si-3.10_smt.b"/>
             </part>
             <part id="si-3.10_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-03(10)(b)[02]"/>
               <p>the results from malicious code analysis are incorporated into organizational flaw remediation processes.</p>
+              <link rel="assessment-for" href="#si-3.10_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-3.10_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-3.10_smt"/>
         </part>
         <part id="si-3.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72791,61 +76534,78 @@
           <part id="si-4_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04a.01"/>
             <p>the system is monitored to detect attacks and indicators of potential attacks in accordance with <insert type="param" id-ref="si-04_odp.01"/>;</p>
+            <link rel="assessment-for" href="#si-4_smt.a.1"/>
           </part>
           <part id="si-4_obj.a.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04a.02"/>
             <part id="si-4_obj.a.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04a.02[01]"/>
               <p>the system is monitored to detect unauthorized local connections;</p>
+              <link rel="assessment-for" href="#si-4_smt.a.2"/>
             </part>
             <part id="si-4_obj.a.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04a.02[02]"/>
               <p>the system is monitored to detect unauthorized network connections;</p>
+              <link rel="assessment-for" href="#si-4_smt.a.2"/>
             </part>
             <part id="si-4_obj.a.2-3" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04a.02[03]"/>
               <p>the system is monitored to detect unauthorized remote connections;</p>
+              <link rel="assessment-for" href="#si-4_smt.a.2"/>
             </part>
+            <link rel="assessment-for" href="#si-4_smt.a.2"/>
           </part>
+          <link rel="assessment-for" href="#si-4_smt.a"/>
         </part>
         <part id="si-4_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04b."/>
           <p>unauthorized use of the system is identified through <insert type="param" id-ref="si-04_odp.02"/>;</p>
+          <link rel="assessment-for" href="#si-4_smt.b"/>
         </part>
         <part id="si-4_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04c."/>
           <part id="si-4_obj.c.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04c.01"/>
             <p>internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;</p>
+            <link rel="assessment-for" href="#si-4_smt.c.1"/>
           </part>
           <part id="si-4_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04c.02"/>
             <p>internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;</p>
+            <link rel="assessment-for" href="#si-4_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#si-4_smt.c"/>
         </part>
         <part id="si-4_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04d."/>
           <part id="si-4_obj.d-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04d.[01]"/>
             <p>detected events are analyzed;</p>
+            <link rel="assessment-for" href="#si-4_smt.d"/>
           </part>
           <part id="si-4_obj.d-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04d.[02]"/>
             <p>detected anomalies are analyzed;</p>
+            <link rel="assessment-for" href="#si-4_smt.d"/>
           </part>
+          <link rel="assessment-for" href="#si-4_smt.d"/>
         </part>
         <part id="si-4_obj.e" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04e."/>
           <p>the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p>
+          <link rel="assessment-for" href="#si-4_smt.e"/>
         </part>
         <part id="si-4_obj.f" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04f."/>
           <p>a legal opinion regarding system monitoring activities is obtained;</p>
+          <link rel="assessment-for" href="#si-4_smt.f"/>
         </part>
         <part id="si-4_obj.g" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04g."/>
           <p><insert type="param" id-ref="si-04_odp.03"/> is provided to <insert type="param" id-ref="si-04_odp.04"/> <insert type="param" id-ref="si-04_odp.05"/>.</p>
+          <link rel="assessment-for" href="#si-4_smt.g"/>
         </part>
+        <link rel="assessment-for" href="#si-4_smt"/>
       </part>
       <part id="si-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72902,11 +76662,14 @@
           <part id="si-4.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(01)[01]"/>
             <p>individual intrusion detection tools are connected to a system-wide intrusion detection system;</p>
+            <link rel="assessment-for" href="#si-4.1_smt"/>
           </part>
           <part id="si-4.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(01)[02]"/>
             <p>individual intrusion detection tools are configured into a system-wide intrusion detection system.</p>
+            <link rel="assessment-for" href="#si-4.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.1_smt"/>
         </part>
         <part id="si-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -72962,6 +76725,7 @@
         <part id="si-4.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(02)"/>
           <p>automated tools and mechanisms are employed to support a near real-time analysis of events.</p>
+          <link rel="assessment-for" href="#si-4.2_smt"/>
         </part>
         <part id="si-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73025,11 +76789,14 @@
           <part id="si-4.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(03)[01]"/>
             <p>automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;</p>
+            <link rel="assessment-for" href="#si-4.3_smt"/>
           </part>
           <part id="si-4.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(03)[02]"/>
             <p>automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.</p>
+            <link rel="assessment-for" href="#si-4.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.3_smt"/>
         </part>
         <part id="si-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73135,23 +76902,30 @@
             <part id="si-4.4_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(04)(a)[01]"/>
               <p>criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;</p>
+              <link rel="assessment-for" href="#si-4.4_smt.a"/>
             </part>
             <part id="si-4.4_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(04)(a)[02]"/>
               <p>criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;</p>
+              <link rel="assessment-for" href="#si-4.4_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#si-4.4_smt.a"/>
           </part>
           <part id="si-4.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(04)(b)"/>
             <part id="si-4.4_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(04)(b)[01]"/>
               <p>inbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.01"/> for <insert type="param" id-ref="si-04.04_odp.02"/>;</p>
+              <link rel="assessment-for" href="#si-4.4_smt.b"/>
             </part>
             <part id="si-4.4_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(04)(b)[02]"/>
               <p>outbound communications traffic is monitored <insert type="param" id-ref="si-04.04_odp.03"/> for <insert type="param" id-ref="si-04.04_odp.04"/>.</p>
+              <link rel="assessment-for" href="#si-4.4_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-4.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-4.4_smt"/>
         </part>
         <part id="si-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73226,6 +77000,7 @@
         <part id="si-4.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(05)"/>
           <p><insert type="param" id-ref="si-04.05_odp.01"/> are alerted when system-generated <insert type="param" id-ref="si-04.05_odp.02"/> occur.</p>
+          <link rel="assessment-for" href="#si-4.5_smt"/>
         </part>
         <part id="si-4.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73319,11 +77094,14 @@
           <part id="si-4.7_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(07)(a)"/>
             <p><insert type="param" id-ref="si-04.07_odp.01"/> are notified of detected suspicious events;</p>
+            <link rel="assessment-for" href="#si-4.7_smt.a"/>
           </part>
           <part id="si-4.7_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(07)(b)"/>
             <p><insert type="param" id-ref="si-04.07_odp.02"/> are taken upon the detection of suspicious events.</p>
+            <link rel="assessment-for" href="#si-4.7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-4.7_smt"/>
         </part>
         <part id="si-4.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73398,6 +77176,7 @@
         <part id="si-4.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(09)"/>
           <p>intrusion-monitoring tools and mechanisms are tested <insert type="param" id-ref="si-04.09_odp"/>.</p>
+          <link rel="assessment-for" href="#si-4.9_smt"/>
         </part>
         <part id="si-4.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73465,6 +77244,7 @@
         <part id="si-4.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(10)"/>
           <p>provisions are made so that <insert type="param" id-ref="si-04.10_odp.01"/> is visible to <insert type="param" id-ref="si-04.10_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-4.10_smt"/>
         </part>
         <part id="si-4.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73531,11 +77311,14 @@
           <part id="si-4.11_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(11)[01]"/>
             <p>outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;</p>
+            <link rel="assessment-for" href="#si-4.11_smt"/>
           </part>
           <part id="si-4.11_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(11)[02]"/>
             <p>outbound communications traffic at <insert type="param" id-ref="si-04.11_odp"/> is analyzed to discover anomalies.</p>
+            <link rel="assessment-for" href="#si-4.11_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.11_smt"/>
         </part>
         <part id="si-4.11_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73617,6 +77400,7 @@
         <part id="si-4.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(12)"/>
           <p><insert type="param" id-ref="si-04.12_odp.01"/> is/are alerted using <insert type="param" id-ref="si-04.12_odp.02"/> when <insert type="param" id-ref="si-04.12_odp.03"/> indicate inappropriate or unusual activities with security or privacy implications.</p>
+          <link rel="assessment-for" href="#si-4.12_smt"/>
         </part>
         <part id="si-4.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73693,34 +77477,44 @@
             <part id="si-4.13_obj.a-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(a)[01]"/>
               <p>communications traffic for the system is analyzed;</p>
+              <link rel="assessment-for" href="#si-4.13_smt.a"/>
             </part>
             <part id="si-4.13_obj.a-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(a)[02]"/>
               <p>event patterns for the system are analyzed;</p>
+              <link rel="assessment-for" href="#si-4.13_smt.a"/>
             </part>
+            <link rel="assessment-for" href="#si-4.13_smt.a"/>
           </part>
           <part id="si-4.13_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(13)(b)"/>
             <part id="si-4.13_obj.b-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(b)[01]"/>
               <p>profiles representing common traffic are developed;</p>
+              <link rel="assessment-for" href="#si-4.13_smt.b"/>
             </part>
             <part id="si-4.13_obj.b-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(b)[02]"/>
               <p>profiles representing event patterns are developed;</p>
+              <link rel="assessment-for" href="#si-4.13_smt.b"/>
             </part>
+            <link rel="assessment-for" href="#si-4.13_smt.b"/>
           </part>
           <part id="si-4.13_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(13)(c)"/>
             <part id="si-4.13_obj.c-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(c)[01]"/>
               <p>traffic profiles are used in tuning system-monitoring devices;</p>
+              <link rel="assessment-for" href="#si-4.13_smt.c"/>
             </part>
             <part id="si-4.13_obj.c-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SI-04(13)(c)[02]"/>
               <p>event profiles are used in tuning system-monitoring devices.</p>
+              <link rel="assessment-for" href="#si-4.13_smt.c"/>
             </part>
+            <link rel="assessment-for" href="#si-4.13_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#si-4.13_smt"/>
         </part>
         <part id="si-4.13_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73781,15 +77575,19 @@
           <part id="si-4.14_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(14)[01]"/>
             <p>a wireless intrusion detection system is employed to identify rogue wireless devices;</p>
+            <link rel="assessment-for" href="#si-4.14_smt"/>
           </part>
           <part id="si-4.14_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(14)[02]"/>
             <p>a wireless intrusion detection system is employed to detect attack attempts on the system;</p>
+            <link rel="assessment-for" href="#si-4.14_smt"/>
           </part>
           <part id="si-4.14_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(14)[03]"/>
             <p>a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.</p>
+            <link rel="assessment-for" href="#si-4.14_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.14_smt"/>
         </part>
         <part id="si-4.14_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73845,6 +77643,7 @@
         <part id="si-4.15_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(15)"/>
           <p>an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.</p>
+          <link rel="assessment-for" href="#si-4.15_smt"/>
         </part>
         <part id="si-4.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73902,6 +77701,7 @@
         <part id="si-4.16_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(16)"/>
           <p>information from monitoring tools and mechanisms employed throughout the system is correlated.</p>
+          <link rel="assessment-for" href="#si-4.16_smt"/>
         </part>
         <part id="si-4.16_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -73962,6 +77762,7 @@
         <part id="si-4.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(17)"/>
           <p>information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness.</p>
+          <link rel="assessment-for" href="#si-4.17_smt"/>
         </part>
         <part id="si-4.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74030,11 +77831,14 @@
           <part id="si-4.18_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(18)[01]"/>
             <p>outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;</p>
+            <link rel="assessment-for" href="#si-4.18_smt"/>
           </part>
           <part id="si-4.18_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(18)[02]"/>
             <p>outbound communications traffic is analyzed at <insert type="param" id-ref="si-04.18_odp"/> to detect covert exfiltration of information.</p>
+            <link rel="assessment-for" href="#si-4.18_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.18_smt"/>
         </part>
         <part id="si-4.18_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74107,6 +77911,7 @@
         <part id="si-4.19_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(19)"/>
           <p><insert type="param" id-ref="si-04.19_odp.01"/> is implemented on individuals who have been identified by <insert type="param" id-ref="si-04.19_odp.02"/> as posing an increased level of risk.</p>
+          <link rel="assessment-for" href="#si-4.19_smt"/>
         </part>
         <part id="si-4.19_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74172,6 +77977,7 @@
         <part id="si-4.20_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(20)"/>
           <p><insert type="param" id-ref="si-04.20_odp"/> of privileged users is implemented.</p>
+          <link rel="assessment-for" href="#si-4.20_smt"/>
         </part>
         <part id="si-4.20_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74242,6 +78048,7 @@
         <part id="si-4.21_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(21)"/>
           <p><insert type="param" id-ref="si-04.21_odp.01"/> of individuals is implemented during <insert type="param" id-ref="si-04.21_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-4.21_smt"/>
         </part>
         <part id="si-4.21_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74329,11 +78136,14 @@
           <part id="si-4.22_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(22)(a)"/>
             <p>network services that have not been authorized or approved by <insert type="param" id-ref="si-04.22_odp.01"/> are detected;</p>
+            <link rel="assessment-for" href="#si-4.22_smt.a"/>
           </part>
           <part id="si-4.22_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(22)(b)"/>
             <p><insert type="param" id-ref="si-04.22_odp.02"/> is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.</p>
+            <link rel="assessment-for" href="#si-4.22_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-4.22_smt"/>
         </part>
         <part id="si-4.22_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74410,6 +78220,7 @@
         <part id="si-4.23_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-04(23)"/>
           <p><insert type="param" id-ref="si-04.23_odp.01"/> are implemented on <insert type="param" id-ref="si-04.23_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-4.23_smt"/>
         </part>
         <part id="si-4.23_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74484,15 +78295,19 @@
           <part id="si-4.24_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(24)[01]"/>
             <p>indicators of compromise provided by <insert type="param" id-ref="si-04.24_odp.01"/> are discovered;</p>
+            <link rel="assessment-for" href="#si-4.24_smt"/>
           </part>
           <part id="si-4.24_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(24)[02]"/>
             <p>indicators of compromise provided by <insert type="param" id-ref="si-04.24_odp.01"/> are collected;</p>
+            <link rel="assessment-for" href="#si-4.24_smt"/>
           </part>
           <part id="si-4.24_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(24)[03]"/>
             <p>indicators of compromise provided by <insert type="param" id-ref="si-04.24_odp.01"/> are distributed to <insert type="param" id-ref="si-04.24_odp.02"/>.</p>
+            <link rel="assessment-for" href="#si-4.24_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.24_smt"/>
         </part>
         <part id="si-4.24_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74551,11 +78366,14 @@
           <part id="si-4.25_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(25)[01]"/>
             <p>visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;</p>
+            <link rel="assessment-for" href="#si-4.25_smt"/>
           </part>
           <part id="si-4.25_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-04(25)[02]"/>
             <p>visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.</p>
+            <link rel="assessment-for" href="#si-4.25_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-4.25_smt"/>
         </part>
         <part id="si-4.25_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74677,19 +78495,24 @@
         <part id="si-5_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-05a."/>
           <p>system security alerts, advisories, and directives are received from <insert type="param" id-ref="si-05_odp.01"/> on an ongoing basis;</p>
+          <link rel="assessment-for" href="#si-5_smt.a"/>
         </part>
         <part id="si-5_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-05b."/>
           <p>internal security alerts, advisories, and directives are generated as deemed necessary;</p>
+          <link rel="assessment-for" href="#si-5_smt.b"/>
         </part>
         <part id="si-5_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-05c."/>
           <p>security alerts, advisories, and directives are disseminated to <insert type="param" id-ref="si-05_odp.02"/>;</p>
+          <link rel="assessment-for" href="#si-5_smt.c"/>
         </part>
         <part id="si-5_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-05d."/>
           <p>security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.</p>
+          <link rel="assessment-for" href="#si-5_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#si-5_smt"/>
       </part>
       <part id="si-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74748,6 +78571,7 @@
         <part id="si-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-05(01)"/>
           <p><insert type="param" id-ref="si-05.01_odp"/> are used to broadcast security alert and advisory information throughout the organization.</p>
+          <link rel="assessment-for" href="#si-5.1_smt"/>
         </part>
         <part id="si-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74895,38 +78719,49 @@
           <part id="si-6_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06a.[01]"/>
             <p><insert type="param" id-ref="si-06_odp.01"/> are verified to be operating correctly;</p>
+            <link rel="assessment-for" href="#si-6_smt.a"/>
           </part>
           <part id="si-6_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06a.[02]"/>
             <p><insert type="param" id-ref="si-06_odp.02"/> are verified to be operating correctly;</p>
+            <link rel="assessment-for" href="#si-6_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-6_smt.a"/>
         </part>
         <part id="si-6_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-06b."/>
           <part id="si-6_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06b.[01]"/>
             <p><insert type="param" id-ref="si-06_odp.01"/> are verified <insert type="param" id-ref="si-06_odp.03"/>;</p>
+            <link rel="assessment-for" href="#si-6_smt.b"/>
           </part>
           <part id="si-6_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06b.[02]"/>
             <p><insert type="param" id-ref="si-06_odp.02"/> are verified <insert type="param" id-ref="si-06_odp.03"/>;</p>
+            <link rel="assessment-for" href="#si-6_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-6_smt.b"/>
         </part>
         <part id="si-6_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-06c."/>
           <part id="si-6_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06c.[01]"/>
             <p><insert type="param" id-ref="si-06_odp.06"/> is/are alerted to failed security verification tests;</p>
+            <link rel="assessment-for" href="#si-6_smt.c"/>
           </part>
           <part id="si-6_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06c.[02]"/>
             <p><insert type="param" id-ref="si-06_odp.06"/> is/are alerted to failed privacy verification tests;</p>
+            <link rel="assessment-for" href="#si-6_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#si-6_smt.c"/>
         </part>
         <part id="si-6_obj.d" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-06d."/>
           <p><insert type="param" id-ref="si-06_odp.07"/> is/are initiated when anomalies are discovered.</p>
+          <link rel="assessment-for" href="#si-6_smt.d"/>
         </part>
+        <link rel="assessment-for" href="#si-6_smt"/>
       </part>
       <part id="si-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -74991,11 +78826,14 @@
           <part id="si-6.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06(02)[01]"/>
             <p>automated mechanisms are implemented to support the management of distributed security function testing;</p>
+            <link rel="assessment-for" href="#si-6.2_smt"/>
           </part>
           <part id="si-6.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06(02)[02]"/>
             <p>automated mechanisms are implemented to support the management of distributed privacy function testing.</p>
+            <link rel="assessment-for" href="#si-6.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-6.2_smt"/>
         </part>
         <part id="si-6.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75060,11 +78898,14 @@
           <part id="si-6.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06(03)[01]"/>
             <p>the results of security function verification are reported to <insert type="param" id-ref="si-06.03_odp"/>;</p>
+            <link rel="assessment-for" href="#si-6.3_smt"/>
           </part>
           <part id="si-6.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-06(03)[02]"/>
             <p>the results of privacy function verification are reported to <insert type="param" id-ref="si-06.03_odp"/>.</p>
+            <link rel="assessment-for" href="#si-6.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-6.3_smt"/>
         </part>
         <part id="si-6.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75213,31 +79054,40 @@
           <part id="si-7_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07a.[01]"/>
             <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.01"/>;</p>
+            <link rel="assessment-for" href="#si-7_smt.a"/>
           </part>
           <part id="si-7_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07a.[02]"/>
             <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.02"/>;</p>
+            <link rel="assessment-for" href="#si-7_smt.a"/>
           </part>
           <part id="si-7_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07a.[03]"/>
             <p>integrity verification tools are employed to detect unauthorized changes to <insert type="param" id-ref="si-07_odp.03"/>;</p>
+            <link rel="assessment-for" href="#si-7_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-7_smt.a"/>
         </part>
         <part id="si-7_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07b."/>
           <part id="si-7_obj.b-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07b.[01]"/>
             <p><insert type="param" id-ref="si-07_odp.04"/> are taken when unauthorized changes to the software, are detected;</p>
+            <link rel="assessment-for" href="#si-7_smt.b"/>
           </part>
           <part id="si-7_obj.b-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07b.[02]"/>
             <p><insert type="param" id-ref="si-07_odp.05"/> are taken when unauthorized changes to the firmware are detected;</p>
+            <link rel="assessment-for" href="#si-7_smt.b"/>
           </part>
           <part id="si-7_obj.b-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07b.[03]"/>
             <p><insert type="param" id-ref="si-07_odp.06"/> are taken when unauthorized changes to the information are detected.</p>
+            <link rel="assessment-for" href="#si-7_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-7_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-7_smt"/>
       </part>
       <part id="si-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75407,15 +79257,19 @@
           <part id="si-7.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(01)[01]"/>
             <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.01"/> is performed <insert type="param" id-ref="si-07.01_odp.02"/>;</p>
+            <link rel="assessment-for" href="#si-7.1_smt"/>
           </part>
           <part id="si-7.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(01)[02]"/>
             <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.05"/> is performed <insert type="param" id-ref="si-07.01_odp.06"/>;</p>
+            <link rel="assessment-for" href="#si-7.1_smt"/>
           </part>
           <part id="si-7.1_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(01)[03]"/>
             <p>an integrity check of <insert type="param" id-ref="si-07.01_odp.09"/> is performed <insert type="param" id-ref="si-07.01_odp.10"/>.</p>
+            <link rel="assessment-for" href="#si-7.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-7.1_smt"/>
         </part>
         <part id="si-7.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75475,6 +79329,7 @@
         <part id="si-7.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(02)"/>
           <p>automated tools that provide notification to <insert type="param" id-ref="si-07.02_odp"/> upon discovering discrepancies during integrity verification are employed.</p>
+          <link rel="assessment-for" href="#si-7.2_smt"/>
         </part>
         <part id="si-7.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75535,6 +79390,7 @@
         <part id="si-7.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(03)"/>
           <p>centrally managed integrity verification tools are employed.</p>
+          <link rel="assessment-for" href="#si-7.3_smt"/>
         </part>
         <part id="si-7.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75609,6 +79465,7 @@
         <part id="si-7.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(05)"/>
           <p><insert type="param" id-ref="si-07.05_odp.01"/> are automatically performed when integrity violations are discovered.</p>
+          <link rel="assessment-for" href="#si-7.5_smt"/>
         </part>
         <part id="si-7.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75668,15 +79525,19 @@
           <part id="si-7.6_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(06)[01]"/>
             <p>cryptographic mechanisms are implemented to detect unauthorized changes to software;</p>
+            <link rel="assessment-for" href="#si-7.6_smt"/>
           </part>
           <part id="si-7.6_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(06)[02]"/>
             <p>cryptographic mechanisms are implemented to detect unauthorized changes to firmware;</p>
+            <link rel="assessment-for" href="#si-7.6_smt"/>
           </part>
           <part id="si-7.6_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(06)[03]"/>
             <p>cryptographic mechanisms are implemented to detect unauthorized changes to information.</p>
+            <link rel="assessment-for" href="#si-7.6_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-7.6_smt"/>
         </part>
         <part id="si-7.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75744,6 +79605,7 @@
         <part id="si-7.7_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(07)"/>
           <p>the detection of <insert type="param" id-ref="si-07.07_odp"/> are incorporated into the organizational incident response capability.</p>
+          <link rel="assessment-for" href="#si-7.7_smt"/>
         </part>
         <part id="si-7.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75828,11 +79690,14 @@
           <part id="si-7.8_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(08)[01]"/>
             <p>the capability to audit an event upon the detection of a potential integrity violation is provided;</p>
+            <link rel="assessment-for" href="#si-7.8_smt"/>
           </part>
           <part id="si-7.8_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-07(08)[02]"/>
             <p><insert type="param" id-ref="si-07.08_odp.01"/> is/are initiated upon the detection of a potential integrity violation.</p>
+            <link rel="assessment-for" href="#si-7.8_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-7.8_smt"/>
         </part>
         <part id="si-7.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75899,6 +79764,7 @@
         <part id="si-7.9_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(09)"/>
           <p>the integrity of the boot process of <insert type="param" id-ref="si-07.09_odp"/> is verified.</p>
+          <link rel="assessment-for" href="#si-7.9_smt"/>
         </part>
         <part id="si-7.9_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -75969,6 +79835,7 @@
         <part id="si-7.10_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(10)"/>
           <p><insert type="param" id-ref="si-07.10_odp.01"/> are implemented to protect the integrity of boot firmware in <insert type="param" id-ref="si-07.10_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-7.10_smt"/>
         </part>
         <part id="si-7.10_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76041,6 +79908,7 @@
         <part id="si-7.12_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(12)"/>
           <p>the integrity of <insert type="param" id-ref="si-07.12_odp"/> is verified prior to execution.</p>
+          <link rel="assessment-for" href="#si-7.12_smt"/>
         </part>
         <part id="si-7.12_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76118,6 +79986,7 @@
         <part id="si-7.15_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(15)"/>
           <p>cryptographic mechanisms are implemented to authenticate <insert type="param" id-ref="si-07.15_odp"/> prior to installation.</p>
+          <link rel="assessment-for" href="#si-7.15_smt"/>
         </part>
         <part id="si-7.15_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76177,6 +80046,7 @@
         <part id="si-7.16_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(16)"/>
           <p>processes are prohibited from executing without supervision for more than <insert type="param" id-ref="si-07.16_odp"/>.</p>
+          <link rel="assessment-for" href="#si-7.16_smt"/>
         </part>
         <part id="si-7.16_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76238,6 +80108,7 @@
         <part id="si-7.17_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-07(17)"/>
           <p><insert type="param" id-ref="si-07.17_odp"/> are implemented for application self-protection at runtime.</p>
+          <link rel="assessment-for" href="#si-7.17_smt"/>
         </part>
         <part id="si-7.17_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76307,24 +80178,31 @@
           <part id="si-8_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-08a.[01]"/>
             <p>spam protection mechanisms are employed at system entry points to detect unsolicited messages;</p>
+            <link rel="assessment-for" href="#si-8_smt.a"/>
           </part>
           <part id="si-8_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-08a.[02]"/>
             <p>spam protection mechanisms are employed at system exit points to detect unsolicited messages;</p>
+            <link rel="assessment-for" href="#si-8_smt.a"/>
           </part>
           <part id="si-8_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-08a.[03]"/>
             <p>spam protection mechanisms are employed at system entry points to act on unsolicited messages;</p>
+            <link rel="assessment-for" href="#si-8_smt.a"/>
           </part>
           <part id="si-8_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-08a.[04]"/>
             <p>spam protection mechanisms are employed at system exit points to act on unsolicited messages;</p>
+            <link rel="assessment-for" href="#si-8_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-8_smt.a"/>
         </part>
         <part id="si-8_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-08b."/>
           <p>spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.</p>
+          <link rel="assessment-for" href="#si-8_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-8_smt"/>
       </part>
       <part id="si-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76393,6 +80271,7 @@
         <part id="si-8.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-08(02)"/>
           <p>spam protection mechanisms are automatically updated <insert type="param" id-ref="si-08.02_odp"/>.</p>
+          <link rel="assessment-for" href="#si-8.2_smt"/>
         </part>
         <part id="si-8.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76445,6 +80324,7 @@
         <part id="si-8.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-08(03)"/>
           <p>spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.</p>
+          <link rel="assessment-for" href="#si-8.3_smt"/>
         </part>
         <part id="si-8.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76519,6 +80399,7 @@
       <part id="si-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-10"/>
         <p>the validity of the <insert type="param" id-ref="si-10_odp"/> is checked.</p>
+        <link rel="assessment-for" href="#si-10_smt"/>
       </part>
       <part id="si-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76597,15 +80478,19 @@
           <part id="si-10.1_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(01)(a)"/>
             <p>a manual override capability for the validation of <insert type="param" id-ref="si-10_odp"/> is provided;</p>
+            <link rel="assessment-for" href="#si-10.1_smt.a"/>
           </part>
           <part id="si-10.1_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(01)(b)"/>
             <p>the use of the manual override capability is restricted to only <insert type="param" id-ref="si-10.01_odp"/>;</p>
+            <link rel="assessment-for" href="#si-10.1_smt.b"/>
           </part>
           <part id="si-10.1_obj.c" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(01)(c)"/>
             <p>the use of the manual override capability is audited.</p>
+            <link rel="assessment-for" href="#si-10.1_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#si-10.1_smt"/>
         </part>
         <part id="si-10.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76681,11 +80566,14 @@
           <part id="si-10.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(02)[01]"/>
             <p>input validation errors are reviewed within <insert type="param" id-ref="si-10.02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#si-10.2_smt"/>
           </part>
           <part id="si-10.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(02)[02]"/>
             <p>input validation errors are resolved within <insert type="param" id-ref="si-10.02_odp.02"/>.</p>
+            <link rel="assessment-for" href="#si-10.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-10.2_smt"/>
         </part>
         <part id="si-10.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76741,11 +80629,14 @@
           <part id="si-10.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(03)[01]"/>
             <p>the system behaves in a predictable manner when invalid inputs are received;</p>
+            <link rel="assessment-for" href="#si-10.3_smt"/>
           </part>
           <part id="si-10.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-10(03)[02]"/>
             <p>the system behaves in a documented manner when invalid inputs are received.</p>
+            <link rel="assessment-for" href="#si-10.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-10.3_smt"/>
         </part>
         <part id="si-10.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76796,6 +80687,7 @@
         <part id="si-10.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-10(04)"/>
           <p>timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.</p>
+          <link rel="assessment-for" href="#si-10.4_smt"/>
         </part>
         <part id="si-10.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76865,6 +80757,7 @@
         <part id="si-10.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-10(05)"/>
           <p>the use of information inputs is restricted to <insert type="param" id-ref="si-10.05_odp.01"/> and/or <insert type="param" id-ref="si-10.05_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-10.5_smt"/>
         </part>
         <part id="si-10.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76920,6 +80813,7 @@
         <part id="si-10.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-10(06)"/>
           <p>untrusted data injections are prevented.</p>
+          <link rel="assessment-for" href="#si-10.6_smt"/>
         </part>
         <part id="si-10.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -76994,11 +80888,14 @@
         <part id="si-11_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-11a."/>
           <p>error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;</p>
+          <link rel="assessment-for" href="#si-11_smt.a"/>
         </part>
         <part id="si-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-11b."/>
           <p>error messages are revealed only to <insert type="param" id-ref="si-11_odp"/>.</p>
+          <link rel="assessment-for" href="#si-11_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-11_smt"/>
       </part>
       <part id="si-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77085,19 +80982,24 @@
         <part id="si-12_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-12[01]"/>
           <p>information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+          <link rel="assessment-for" href="#si-12_smt"/>
         </part>
         <part id="si-12_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-12[02]"/>
           <p>information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+          <link rel="assessment-for" href="#si-12_smt"/>
         </part>
         <part id="si-12_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-12[03]"/>
           <p>information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;</p>
+          <link rel="assessment-for" href="#si-12_smt"/>
         </part>
         <part id="si-12_obj-4" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-12[04]"/>
           <p>information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.</p>
+          <link rel="assessment-for" href="#si-12_smt"/>
         </part>
+        <link rel="assessment-for" href="#si-12_smt"/>
       </part>
       <part id="si-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77163,6 +81065,7 @@
         <part id="si-12.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-12(01)"/>
           <p>personally identifiable information being processed in the information life cycle is limited to <insert type="param" id-ref="si-12.01_odp"/>.</p>
+          <link rel="assessment-for" href="#si-12.1_smt"/>
         </part>
         <part id="si-12.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77253,15 +81156,19 @@
           <part id="si-12.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(02)[01]"/>
             <p><insert type="param" id-ref="si-12.02_odp.01"/> are used to minimize the use of personally identifiable information for research;</p>
+            <link rel="assessment-for" href="#si-12.2_smt"/>
           </part>
           <part id="si-12.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(02)[02]"/>
             <p><insert type="param" id-ref="si-12.02_odp.02"/> are used to minimize the use of personally identifiable information for testing;</p>
+            <link rel="assessment-for" href="#si-12.2_smt"/>
           </part>
           <part id="si-12.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(02)[03]"/>
             <p><insert type="param" id-ref="si-12.02_odp.03"/> are used to minimize the use of personally identifiable information for training.</p>
+            <link rel="assessment-for" href="#si-12.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-12.2_smt"/>
         </part>
         <part id="si-12.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77348,15 +81255,19 @@
           <part id="si-12.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(03)[01]"/>
             <p><insert type="param" id-ref="si-12.03_odp.01"/> are used to dispose of information following the retention period;</p>
+            <link rel="assessment-for" href="#si-12.3_smt"/>
           </part>
           <part id="si-12.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(03)[02]"/>
             <p><insert type="param" id-ref="si-12.03_odp.02"/> are used to destroy information following the retention period;</p>
+            <link rel="assessment-for" href="#si-12.3_smt"/>
           </part>
           <part id="si-12.3_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-12(03)[03]"/>
             <p><insert type="param" id-ref="si-12.03_odp.03"/> are used to erase information following the retention period.</p>
+            <link rel="assessment-for" href="#si-12.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-12.3_smt"/>
         </part>
         <part id="si-12.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77449,11 +81360,14 @@
         <part id="si-13_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-13a."/>
           <p>mean time to failure (MTTF) is determined for <insert type="param" id-ref="si-13_odp.01"/> in specific environments of operation;</p>
+          <link rel="assessment-for" href="#si-13_smt.a"/>
         </part>
         <part id="si-13_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-13b."/>
           <p>substitute system components and a means to exchange active and standby components are provided in accordance with <insert type="param" id-ref="si-13_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-13_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-13_smt"/>
       </part>
       <part id="si-13_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77512,6 +81426,7 @@
         <part id="si-13.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-13(01)"/>
           <p>system components are taken out of service by transferring component responsibilities to substitute components no later than <insert type="param" id-ref="si-13.01_odp"/> of mean time to failure.</p>
+          <link rel="assessment-for" href="#si-13.1_smt"/>
         </part>
         <part id="si-13.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77579,6 +81494,7 @@
         <part id="si-13.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-13(03)"/>
           <p>transfers are initiated manually between active and standby system components when the use of the active component reaches <insert type="param" id-ref="si-13.03_odp"/> of the mean time to failure.</p>
+          <link rel="assessment-for" href="#si-13.3_smt"/>
         </part>
         <part id="si-13.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77673,11 +81589,14 @@
           <part id="si-13.4_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-13(04)(a)"/>
             <p>the standby components are successfully and transparently installed within <insert type="param" id-ref="si-13.04_odp.01"/> if system component failures are detected;</p>
+            <link rel="assessment-for" href="#si-13.4_smt.a"/>
           </part>
           <part id="si-13.4_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-13(04)(b)"/>
             <p><insert type="param" id-ref="si-13.04_odp.02"/> are performed if system component failures are detected.</p>
+            <link rel="assessment-for" href="#si-13.4_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-13.4_smt"/>
         </part>
         <part id="si-13.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77750,6 +81669,7 @@
         <part id="si-13.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-13(05)"/>
           <p><insert type="param" id-ref="si-13.05_odp.01"/> <insert type="param" id-ref="si-13.05_odp.02"/> is provided for the system.</p>
+          <link rel="assessment-for" href="#si-13.5_smt"/>
         </part>
         <part id="si-13.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77832,11 +81752,14 @@
         <part id="si-14_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-14[01]"/>
           <p>non-persistent <insert type="param" id-ref="si-14_odp.01"/> that are initiated in a known state are implemented;</p>
+          <link rel="assessment-for" href="#si-14_smt"/>
         </part>
         <part id="si-14_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-14[02]"/>
           <p>non-persistent <insert type="param" id-ref="si-14_odp.01"/> are terminated <insert type="param" id-ref="si-14_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-14_smt"/>
         </part>
+        <link rel="assessment-for" href="#si-14_smt"/>
       </part>
       <part id="si-14_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77894,6 +81817,7 @@
         <part id="si-14.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-14(01)"/>
           <p>the software and data employed during system component and service refreshes are obtained from <insert type="param" id-ref="si-14.01_odp"/>.</p>
+          <link rel="assessment-for" href="#si-14.1_smt"/>
         </part>
         <part id="si-14.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -77984,11 +81908,14 @@
           <part id="si-14.2_obj.a" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-14(02)(a)"/>
             <p><insert type="param" id-ref="si-14.02_odp.01"/> is performed;</p>
+            <link rel="assessment-for" href="#si-14.2_smt.a"/>
           </part>
           <part id="si-14.2_obj.b" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-14(02)(b)"/>
             <p>information is deleted when no longer needed.</p>
+            <link rel="assessment-for" href="#si-14.2_smt.b"/>
           </part>
+          <link rel="assessment-for" href="#si-14.2_smt"/>
         </part>
         <part id="si-14.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78049,11 +81976,14 @@
           <part id="si-14.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-14(03)[01]"/>
             <p>connections to the system are established on demand;</p>
+            <link rel="assessment-for" href="#si-14.3_smt"/>
           </part>
           <part id="si-14.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-14(03)[02]"/>
             <p>connections to the system are terminated after <insert type="param" id-ref="si-14.03_odp"/>.</p>
+            <link rel="assessment-for" href="#si-14.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-14.3_smt"/>
         </part>
         <part id="si-14.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78114,6 +82044,7 @@
       <part id="si-15_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-15"/>
         <p>information output from <insert type="param" id-ref="si-15_odp"/> is validated to ensure that the information is consistent with the expected content.</p>
+        <link rel="assessment-for" href="#si-15_smt"/>
       </part>
       <part id="si-15_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78175,6 +82106,7 @@
       <part id="si-16_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-16"/>
         <p><insert type="param" id-ref="si-16_odp"/> are implemented to protect the system memory from unauthorized code execution.</p>
+        <link rel="assessment-for" href="#si-16_smt"/>
       </part>
       <part id="si-16_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78248,6 +82180,7 @@
       <part id="si-17_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-17"/>
         <p><insert type="param" id-ref="si-17_odp.01"/> are implemented when <insert type="param" id-ref="si-17_odp.02"/> occur.</p>
+        <link rel="assessment-for" href="#si-17_smt"/>
       </part>
       <part id="si-17_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78352,24 +82285,31 @@
           <part id="si-18_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-18a.[01]"/>
             <p>the accuracy of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.01"/>;</p>
+            <link rel="assessment-for" href="#si-18_smt.a"/>
           </part>
           <part id="si-18_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-18a.[02]"/>
             <p>the relevance of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.02"/>;</p>
+            <link rel="assessment-for" href="#si-18_smt.a"/>
           </part>
           <part id="si-18_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-18a.[03]"/>
             <p>the timeliness of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.03"/>;</p>
+            <link rel="assessment-for" href="#si-18_smt.a"/>
           </part>
           <part id="si-18_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-18a.[04]"/>
             <p>the completeness of personally identifiable information across the information life cycle is checked <insert type="param" id-ref="si-18_odp.04"/>;</p>
+            <link rel="assessment-for" href="#si-18_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#si-18_smt.a"/>
         </part>
         <part id="si-18_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18b."/>
           <p>inaccurate or outdated personally identifiable information is corrected or deleted.</p>
+          <link rel="assessment-for" href="#si-18_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-18_smt"/>
       </part>
       <part id="si-18_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78435,6 +82375,7 @@
         <part id="si-18.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18(01)"/>
           <p><insert type="param" id-ref="si-18.01_odp"/> are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.</p>
+          <link rel="assessment-for" href="#si-18.1_smt"/>
         </part>
         <part id="si-18.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78492,6 +82433,7 @@
         <part id="si-18.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18(02)"/>
           <p>data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.</p>
+          <link rel="assessment-for" href="#si-18.2_smt"/>
         </part>
         <part id="si-18.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78545,6 +82487,7 @@
         <part id="si-18.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18(03)"/>
           <p>personally identifiable information is collected directly from the individual.</p>
+          <link rel="assessment-for" href="#si-18.3_smt"/>
         </part>
         <part id="si-18.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78597,6 +82540,7 @@
         <part id="si-18.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18(04)"/>
           <p>personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.</p>
+          <link rel="assessment-for" href="#si-18.4_smt"/>
         </part>
         <part id="si-18.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78659,6 +82603,7 @@
         <part id="si-18.5_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-18(05)"/>
           <p><insert type="param" id-ref="si-18.05_odp"/> and individuals are notified when the personally identifiable information has been corrected or deleted.</p>
+          <link rel="assessment-for" href="#si-18.5_smt"/>
         </part>
         <part id="si-18.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78746,11 +82691,14 @@
         <part id="si-19_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19a."/>
           <p><insert type="param" id-ref="si-19_odp.01"/> are removed from datasets;</p>
+          <link rel="assessment-for" href="#si-19_smt.a"/>
         </part>
         <part id="si-19_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19b."/>
           <p>the effectiveness of de-identification is evaluated <insert type="param" id-ref="si-19_odp.02"/>.</p>
+          <link rel="assessment-for" href="#si-19_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-19_smt"/>
       </part>
       <part id="si-19_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78802,6 +82750,7 @@
         <part id="si-19.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(01)"/>
           <p>the dataset is de-identified upon collection by not collecting personally identifiable information.</p>
+          <link rel="assessment-for" href="#si-19.1_smt"/>
         </part>
         <part id="si-19.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78854,6 +82803,7 @@
         <part id="si-19.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(02)"/>
           <p>the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.</p>
+          <link rel="assessment-for" href="#si-19.2_smt"/>
         </part>
         <part id="si-19.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78906,6 +82856,7 @@
         <part id="si-19.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(03)"/>
           <p>personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.</p>
+          <link rel="assessment-for" href="#si-19.3_smt"/>
         </part>
         <part id="si-19.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -78959,6 +82910,7 @@
         <part id="si-19.4_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(04)"/>
           <p>direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced.</p>
+          <link rel="assessment-for" href="#si-19.4_smt"/>
         </part>
         <part id="si-19.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79013,15 +82965,19 @@
           <part id="si-19.5_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-19(05)[01]"/>
             <p>numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;</p>
+            <link rel="assessment-for" href="#si-19.5_smt"/>
           </part>
           <part id="si-19.5_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-19(05)[02]"/>
             <p>contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;</p>
+            <link rel="assessment-for" href="#si-19.5_smt"/>
           </part>
           <part id="si-19.5_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-19(05)[03]"/>
             <p>statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.</p>
+            <link rel="assessment-for" href="#si-19.5_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-19.5_smt"/>
         </part>
         <part id="si-19.5_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79077,6 +83033,7 @@
         <part id="si-19.6_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(06)"/>
           <p>the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.</p>
+          <link rel="assessment-for" href="#si-19.6_smt"/>
         </part>
         <part id="si-19.6_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79131,11 +83088,14 @@
           <part id="si-19.7_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-19(07)[01]"/>
             <p>de-identification is performed using validated algorithms;</p>
+            <link rel="assessment-for" href="#si-19.7_smt"/>
           </part>
           <part id="si-19.7_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SI-19(07)[02]"/>
             <p>de-identification is performed using software that is validated to implement the algorithms.</p>
+            <link rel="assessment-for" href="#si-19.7_smt"/>
           </part>
+          <link rel="assessment-for" href="#si-19.7_smt"/>
         </part>
         <part id="si-19.7_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79188,6 +83148,7 @@
         <part id="si-19.8_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-19(08)"/>
           <p>a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.</p>
+          <link rel="assessment-for" href="#si-19.8_smt"/>
         </part>
         <part id="si-19.8_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79252,6 +83213,7 @@
       <part id="si-20_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-20"/>
         <p>data or capabilities are embedded in <insert type="param" id-ref="si-20_odp"/> to determine if organizational data has been exfiltrated or improperly removed from the organization.</p>
+        <link rel="assessment-for" href="#si-20_smt"/>
       </part>
       <part id="si-20_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79324,6 +83286,7 @@
       <part id="si-21_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SI-21"/>
         <p>the <insert type="param" id-ref="si-21_odp.01"/> is refreshed <insert type="param" id-ref="si-21_odp.02"/> or is generated on demand and deleted when no longer needed.</p>
+        <link rel="assessment-for" href="#si-21_smt"/>
       </part>
       <part id="si-21_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79412,11 +83375,14 @@
         <part id="si-22_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-22a."/>
           <p><insert type="param" id-ref="si-22_odp.01"/> for <insert type="param" id-ref="si-22_odp.02"/> are identified;</p>
+          <link rel="assessment-for" href="#si-22_smt.a"/>
         </part>
         <part id="si-22_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-22b."/>
           <p>an alternative information source is used for the execution of essential functions or services on <insert type="param" id-ref="si-22_odp.03"/> when the primary source of information is corrupted or unavailable.</p>
+          <link rel="assessment-for" href="#si-22_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-22_smt"/>
       </part>
       <part id="si-22_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79502,11 +83468,14 @@
         <part id="si-23_obj.a" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-23a."/>
           <p>under <insert type="param" id-ref="si-23_odp.01"/>, <insert type="param" id-ref="si-23_odp.02"/> is fragmented;</p>
+          <link rel="assessment-for" href="#si-23_smt.a"/>
         </part>
         <part id="si-23_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SI-23b."/>
           <p>under <insert type="param" id-ref="si-23_odp.01"/> , the fragmented information is distributed across <insert type="param" id-ref="si-23_odp.03"/>.</p>
+          <link rel="assessment-for" href="#si-23_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#si-23_smt"/>
       </part>
       <part id="si-23_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79686,18 +83655,22 @@
           <part id="sr-1_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01a.[01]"/>
             <p>a supply chain risk management policy is developed and documented;</p>
+            <link rel="assessment-for" href="#sr-1_smt.a"/>
           </part>
           <part id="sr-1_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01a.[02]"/>
             <p>the supply chain risk management policy is disseminated to <insert type="param" id-ref="sr-01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-1_smt.a"/>
           </part>
           <part id="sr-1_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01a.[03]"/>
             <p>supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;</p>
+            <link rel="assessment-for" href="#sr-1_smt.a"/>
           </part>
           <part id="sr-1_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01a.[04]"/>
             <p>the supply chain risk management procedures are disseminated to <insert type="param" id-ref="sr-01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sr-1_smt.a"/>
           </part>
           <part id="sr-1_obj.a.1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01a.01"/>
@@ -79706,41 +83679,53 @@
               <part id="sr-1_obj.a.1.a-1" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[01]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses purpose;</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-2" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[02]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses scope; </p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-3" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[03]"/>
                 <p><insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses roles;</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-4" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[04]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses responsibilities;</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-5" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[05]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses management commitment;</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-6" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[06]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses coordination among organizational entities;</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
               <part id="sr-1_obj.a.1.a-7" name="assessment-objective">
                 <prop name="label" class="sp800-53a" value="SR-01a.01(a)[07]"/>
                 <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy addresses compliance.</p>
+                <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
               </part>
+              <link rel="assessment-for" href="#sr-1_smt.a.1.a"/>
             </part>
             <part id="sr-1_obj.a.1.b" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SR-01a.01(b)"/>
               <p>the <insert type="param" id-ref="sr-01_odp.03"/> supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;</p>
+              <link rel="assessment-for" href="#sr-1_smt.a.1.b"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt.a.1"/>
           </part>
+          <link rel="assessment-for" href="#sr-1_smt.a"/>
         </part>
         <part id="sr-1_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-01b."/>
           <p>the <insert type="param" id-ref="sr-01_odp.04"/> is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;</p>
+          <link rel="assessment-for" href="#sr-1_smt.b"/>
         </part>
         <part id="sr-1_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-01c."/>
@@ -79749,24 +83734,32 @@
             <part id="sr-1_obj.c.1-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SR-01c.01[01]"/>
               <p>the current supply chain risk management policy is reviewed and updated <insert type="param" id-ref="sr-01_odp.05"/>;</p>
+              <link rel="assessment-for" href="#sr-1_smt.c.1"/>
             </part>
             <part id="sr-1_obj.c.1-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SR-01c.01[02]"/>
               <p>the current supply chain risk management policy is reviewed and updated following <insert type="param" id-ref="sr-01_odp.06"/>;</p>
+              <link rel="assessment-for" href="#sr-1_smt.c.1"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt.c.1"/>
           </part>
           <part id="sr-1_obj.c.2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-01c.02"/>
             <part id="sr-1_obj.c.2-1" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SR-01c.02[01]"/>
               <p>the current supply chain risk management procedures are reviewed and updated <insert type="param" id-ref="sr-01_odp.07"/>;</p>
+              <link rel="assessment-for" href="#sr-1_smt.c.2"/>
             </part>
             <part id="sr-1_obj.c.2-2" name="assessment-objective">
               <prop name="label" class="sp800-53a" value="SR-01c.02[02]"/>
               <p>the current supply chain risk management procedures are reviewed and updated following <insert type="param" id-ref="sr-01_odp.08"/>.</p>
+              <link rel="assessment-for" href="#sr-1_smt.c.2"/>
             </part>
+            <link rel="assessment-for" href="#sr-1_smt.c.2"/>
           </part>
+          <link rel="assessment-for" href="#sr-1_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sr-1_smt"/>
       </part>
       <part id="sr-1_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79862,55 +83855,70 @@
           <part id="sr-2_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[01]"/>
             <p>a plan for managing supply chain risks is developed;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[02]"/>
             <p>the supply chain risk management plan addresses risks associated with the research and development of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[03]"/>
             <p>the supply chain risk management plan addresses risks associated with the design of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[04]"/>
             <p>the supply chain risk management plan addresses risks associated with the manufacturing of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-5" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[05]"/>
             <p>the supply chain risk management plan addresses risks associated with the acquisition of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-6" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[06]"/>
             <p>the supply chain risk management plan addresses risks associated with the delivery of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-7" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[07]"/>
             <p>the supply chain risk management plan addresses risks associated with the integration of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-8" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[08]"/>
             <p>the supply chain risk management plan addresses risks associated with the operation and maintenance of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
           <part id="sr-2_obj.a-9" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02a.[09]"/>
             <p>the supply chain risk management plan addresses risks associated with the disposal of <insert type="param" id-ref="sr-02_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-2_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sr-2_smt.a"/>
         </part>
         <part id="sr-2_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-02b."/>
           <p>the supply chain risk management plan is reviewed and updated <insert type="param" id-ref="sr-02_odp.02"/> or as required to address threat, organizational, or environmental changes;</p>
+          <link rel="assessment-for" href="#sr-2_smt.b"/>
         </part>
         <part id="sr-2_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-02c."/>
           <part id="sr-2_obj.c-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02c.[01]"/>
             <p>the supply chain risk management plan is protected from unauthorized disclosure;</p>
+            <link rel="assessment-for" href="#sr-2_smt.c"/>
           </part>
           <part id="sr-2_obj.c-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-02c.[02]"/>
             <p>the supply chain risk management plan is protected from unauthorized modification.</p>
+            <link rel="assessment-for" href="#sr-2_smt.c"/>
           </part>
+          <link rel="assessment-for" href="#sr-2_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sr-2_smt"/>
       </part>
       <part id="sr-2_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -79991,6 +83999,7 @@
         <part id="sr-2.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-02(01)"/>
           <p>a supply chain risk management team consisting of <insert type="param" id-ref="sr-02.01_odp.01"/> is established to lead and support <insert type="param" id-ref="sr-02.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sr-2.1_smt"/>
         </part>
         <part id="sr-2.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80124,20 +84133,26 @@
           <part id="sr-3_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-03a.[01]"/>
             <p>a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-3_smt.a"/>
           </part>
           <part id="sr-3_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-03a.[02]"/>
             <p>the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of <insert type="param" id-ref="sr-03_odp.01"/> is/are coordinated with <insert type="param" id-ref="sr-03_odp.02"/>;</p>
+            <link rel="assessment-for" href="#sr-3_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sr-3_smt.a"/>
         </part>
         <part id="sr-3_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-03b."/>
           <p><insert type="param" id-ref="sr-03_odp.03"/> are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;</p>
+          <link rel="assessment-for" href="#sr-3_smt.b"/>
         </part>
         <part id="sr-3_obj.c" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-03c."/>
           <p>the selected and implemented supply chain processes and controls are documented in <insert type="param" id-ref="sr-03_odp.04"/>.</p>
+          <link rel="assessment-for" href="#sr-3_smt.c"/>
         </part>
+        <link rel="assessment-for" href="#sr-3_smt"/>
       </part>
       <part id="sr-3_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80215,11 +84230,14 @@
           <part id="sr-3.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-03(01)[01]"/>
             <p>a diverse set of sources is employed for <insert type="param" id-ref="sr-03.01_odp.01"/>;</p>
+            <link rel="assessment-for" href="#sr-3.1_smt"/>
           </part>
           <part id="sr-3.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-03(01)[02]"/>
             <p>a diverse set of sources is employed for <insert type="param" id-ref="sr-03.01_odp.02"/>.</p>
+            <link rel="assessment-for" href="#sr-3.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-3.1_smt"/>
         </part>
         <part id="sr-3.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80281,6 +84299,7 @@
         <part id="sr-3.2_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-03(02)"/>
           <p><insert type="param" id-ref="sr-03.02_odp"/> are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.</p>
+          <link rel="assessment-for" href="#sr-3.2_smt"/>
         </part>
         <part id="sr-3.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80343,6 +84362,7 @@
         <part id="sr-3.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-03(03)"/>
           <p>the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.</p>
+          <link rel="assessment-for" href="#sr-3.3_smt"/>
         </part>
         <part id="sr-3.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80421,15 +84441,19 @@
         <part id="sr-4_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-04[01]"/>
           <p>valid provenance is documented for <insert type="param" id-ref="sr-04_odp"/>;</p>
+          <link rel="assessment-for" href="#sr-4_smt"/>
         </part>
         <part id="sr-4_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-04[02]"/>
           <p>valid provenance is monitored for <insert type="param" id-ref="sr-04_odp"/>;</p>
+          <link rel="assessment-for" href="#sr-4_smt"/>
         </part>
         <part id="sr-4_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-04[03]"/>
           <p>valid provenance is maintained for <insert type="param" id-ref="sr-04_odp"/>.</p>
+          <link rel="assessment-for" href="#sr-4_smt"/>
         </part>
+        <link rel="assessment-for" href="#sr-4_smt"/>
       </part>
       <part id="sr-4_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80497,11 +84521,14 @@
           <part id="sr-4.1_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(01)[01]"/>
             <p>unique identification of <insert type="param" id-ref="sr-04.01_odp"/> is established;</p>
+            <link rel="assessment-for" href="#sr-4.1_smt"/>
           </part>
           <part id="sr-4.1_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(01)[02]"/>
             <p>unique identification of <insert type="param" id-ref="sr-04.01_odp"/> is maintained.</p>
+            <link rel="assessment-for" href="#sr-4.1_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-4.1_smt"/>
         </part>
         <part id="sr-4.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80567,11 +84594,14 @@
           <part id="sr-4.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(02)[01]"/>
             <p>the unique identification of <insert type="param" id-ref="sr-04.02_odp"/> is established for tracking through the supply chain;</p>
+            <link rel="assessment-for" href="#sr-4.2_smt"/>
           </part>
           <part id="sr-4.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(02)[02]"/>
             <p>the unique identification of <insert type="param" id-ref="sr-04.02_odp"/> is maintained for tracking through the supply chain.</p>
+            <link rel="assessment-for" href="#sr-4.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-4.2_smt"/>
         </part>
         <part id="sr-4.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80648,11 +84678,14 @@
           <part id="sr-4.3_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(03)[01]"/>
             <p><insert type="param" id-ref="sr-04.03_odp.01"/> are employed to validate that the system or system component received is genuine;</p>
+            <link rel="assessment-for" href="#sr-4.3_smt"/>
           </part>
           <part id="sr-4.3_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(03)[02]"/>
             <p><insert type="param" id-ref="sr-04.03_odp.02"/> are employed to validate that the system or system component received has not been altered.</p>
+            <link rel="assessment-for" href="#sr-4.3_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-4.3_smt"/>
         </part>
         <part id="sr-4.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80730,11 +84763,14 @@
           <part id="sr-4.4_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(04)[01]"/>
             <p><insert type="param" id-ref="sr-04.04_odp.01"/> are employed to ensure the integrity of the system and system components;</p>
+            <link rel="assessment-for" href="#sr-4.4_smt"/>
           </part>
           <part id="sr-4.4_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-04(04)[02]"/>
             <p><insert type="param" id-ref="sr-04.04_odp.02"/> is conducted to ensure the integrity of the system and system components.</p>
+            <link rel="assessment-for" href="#sr-4.4_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-4.4_smt"/>
         </part>
         <part id="sr-4.4_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80821,15 +84857,19 @@
         <part id="sr-5_obj-1" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-05[01]"/>
           <p><insert type="param" id-ref="sr-05_odp"/> are employed to protect against supply chain risks;</p>
+          <link rel="assessment-for" href="#sr-5_smt"/>
         </part>
         <part id="sr-5_obj-2" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-05[02]"/>
           <p><insert type="param" id-ref="sr-05_odp"/> are employed to identify supply chain risks;</p>
+          <link rel="assessment-for" href="#sr-5_smt"/>
         </part>
         <part id="sr-5_obj-3" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-05[03]"/>
           <p><insert type="param" id-ref="sr-05_odp"/> are employed to mitigate supply chain risks.</p>
+          <link rel="assessment-for" href="#sr-5_smt"/>
         </part>
+        <link rel="assessment-for" href="#sr-5_smt"/>
       </part>
       <part id="sr-5_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80903,6 +84943,7 @@
         <part id="sr-5.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-05(01)"/>
           <p><insert type="param" id-ref="sr-05.01_odp.01"/> are employed to ensure an adequate supply of <insert type="param" id-ref="sr-05.01_odp.02"/>.</p>
+          <link rel="assessment-for" href="#sr-5.1_smt"/>
         </part>
         <part id="sr-5.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -80968,19 +85009,24 @@
           <part id="sr-5.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-05(02)[01]"/>
             <p>the system, system component, or system service is assessed prior to selection;</p>
+            <link rel="assessment-for" href="#sr-5.2_smt"/>
           </part>
           <part id="sr-5.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-05(02)[02]"/>
             <p>the system, system component, or system service is assessed prior to acceptance;</p>
+            <link rel="assessment-for" href="#sr-5.2_smt"/>
           </part>
           <part id="sr-5.2_obj-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-05(02)[03]"/>
             <p>the system, system component, or system service is assessed prior to modification;</p>
+            <link rel="assessment-for" href="#sr-5.2_smt"/>
           </part>
           <part id="sr-5.2_obj-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-05(02)[04]"/>
             <p>the system, system component, or system service is assessed prior to update.</p>
+            <link rel="assessment-for" href="#sr-5.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-5.2_smt"/>
         </part>
         <part id="sr-5.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81056,6 +85102,7 @@
       <part id="sr-6_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-06"/>
         <p>the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed <insert type="param" id-ref="sr-06_odp"/>.</p>
+        <link rel="assessment-for" href="#sr-6_smt"/>
       </part>
       <part id="sr-6_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81126,6 +85173,7 @@
         <part id="sr-6.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-06(01)"/>
           <p><insert type="param" id-ref="sr-06.01_odp.01"/> is/are employed on <insert type="param" id-ref="sr-06.01_odp.02"/> associated with the system, system component, or system service.</p>
+          <link rel="assessment-for" href="#sr-6.1_smt"/>
         </part>
         <part id="sr-6.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81192,6 +85240,7 @@
       <part id="sr-7_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-07"/>
         <p><insert type="param" id-ref="sr-07_odp"/> are employed to protect supply chain-related information for the system, system component, or system service.</p>
+        <link rel="assessment-for" href="#sr-7_smt"/>
       </part>
       <part id="sr-7_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81274,6 +85323,7 @@
       <part id="sr-8_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-08"/>
         <p>agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for <insert type="param" id-ref="sr-08_odp.01"/>.</p>
+        <link rel="assessment-for" href="#sr-8_smt"/>
       </part>
       <part id="sr-8_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81335,6 +85385,7 @@
       <part id="sr-9_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-09"/>
         <p>a tamper protection program is implemented for the system, system component, or system service.</p>
+        <link rel="assessment-for" href="#sr-9_smt"/>
       </part>
       <part id="sr-9_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81390,6 +85441,7 @@
         <part id="sr-9.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-09(01)"/>
           <p>anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.</p>
+          <link rel="assessment-for" href="#sr-9.1_smt"/>
         </part>
         <part id="sr-9.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81492,6 +85544,7 @@
       <part id="sr-10_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-10"/>
         <p><insert type="param" id-ref="sr-10_odp.01"/> are inspected <insert type="param" id-ref="sr-10_odp.02"/> to detect tampering.</p>
+        <link rel="assessment-for" href="#sr-10_smt"/>
       </part>
       <part id="sr-10_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81587,24 +85640,31 @@
           <part id="sr-11_obj.a-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11a.[01]"/>
             <p>an anti-counterfeit policy is developed and implemented;</p>
+            <link rel="assessment-for" href="#sr-11_smt.a"/>
           </part>
           <part id="sr-11_obj.a-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11a.[02]"/>
             <p>anti-counterfeit procedures are developed and implemented;</p>
+            <link rel="assessment-for" href="#sr-11_smt.a"/>
           </part>
           <part id="sr-11_obj.a-3" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11a.[03]"/>
             <p>the anti-counterfeit procedures include the means to detect counterfeit components entering the system;</p>
+            <link rel="assessment-for" href="#sr-11_smt.a"/>
           </part>
           <part id="sr-11_obj.a-4" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11a.[04]"/>
             <p>the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;</p>
+            <link rel="assessment-for" href="#sr-11_smt.a"/>
           </part>
+          <link rel="assessment-for" href="#sr-11_smt.a"/>
         </part>
         <part id="sr-11_obj.b" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-11b."/>
           <p>counterfeit system components are reported to <insert type="param" id-ref="sr-11_odp.01"/>.</p>
+          <link rel="assessment-for" href="#sr-11_smt.b"/>
         </part>
+        <link rel="assessment-for" href="#sr-11_smt"/>
       </part>
       <part id="sr-11_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81672,6 +85732,7 @@
         <part id="sr-11.1_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-11(01)"/>
           <p><insert type="param" id-ref="sr-11.01_odp"/> are trained to detect counterfeit system components (including hardware, software, and firmware).</p>
+          <link rel="assessment-for" href="#sr-11.1_smt"/>
         </part>
         <part id="sr-11.1_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81739,11 +85800,14 @@
           <part id="sr-11.2_obj-1" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11(02)[01]"/>
             <p>configuration control over <insert type="param" id-ref="sr-11.02_odp"/> awaiting service or repair is maintained;</p>
+            <link rel="assessment-for" href="#sr-11.2_smt"/>
           </part>
           <part id="sr-11.2_obj-2" name="assessment-objective">
             <prop name="label" class="sp800-53a" value="SR-11(02)[02]"/>
             <p>configuration control over serviced or repaired <insert type="param" id-ref="sr-11.02_odp"/> awaiting return to service is maintained.</p>
+            <link rel="assessment-for" href="#sr-11.2_smt"/>
           </part>
+          <link rel="assessment-for" href="#sr-11.2_smt"/>
         </part>
         <part id="sr-11.2_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81804,6 +85868,7 @@
         <part id="sr-11.3_obj" name="assessment-objective">
           <prop name="label" class="sp800-53a" value="SR-11(03)"/>
           <p>scanning for counterfeit system components is conducted <insert type="param" id-ref="sr-11.03_odp"/>.</p>
+          <link rel="assessment-for" href="#sr-11.3_smt"/>
         </part>
         <part id="sr-11.3_asm-examine" name="assessment-method">
           <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -81877,6 +85942,7 @@
       <part id="sr-12_obj" name="assessment-objective">
         <prop name="label" class="sp800-53a" value="SR-12"/>
         <p><insert type="param" id-ref="sr-12_odp.01"/> are disposed of using <insert type="param" id-ref="sr-12_odp.02"/>.</p>
+        <link rel="assessment-for" href="#sr-12_smt"/>
       </part>
       <part id="sr-12_asm-examine" name="assessment-method">
         <prop name="method" ns="http://csrc.nist.gov/ns/rmf" value="EXAMINE"/>
@@ -82110,6 +86176,13 @@
       </citation>
       <rlink href="https://doi.org/10.6028/NIST.FIPS.186-4"/>
     </resource>
+    <resource uuid="ff989cdc-649d-4f45-8f61-9309c9680933">
+      <title>FIPS 196</title>
+      <citation>
+        <text>National Institute of Standards and Technology (1997) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 196.</text>
+      </citation>
+      <rlink href="https://doi.org/10.6028/NIST.FIPS.196"/>
+    </resource>
     <resource uuid="736d6310-e403-4b57-a79d-9967970c66d7">
       <title>FIPS 197</title>
       <citation>
@@ -82117,6 +86190,13 @@
       </citation>
       <rlink href="https://doi.org/10.6028/NIST.FIPS.197"/>
     </resource>
+    <resource uuid="e9d6c5f2-b3aa-4a28-8bea-a0135718d453">
+      <title>FIPS 198-1</title>
+      <citation>
+        <text>National Institute of Standards and Technology (2008) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 198-1.</text>
+      </citation>
+      <rlink href="https://doi.org/10.6028/NIST.FIPS.198-1"/>
+    </resource>
     <resource uuid="628d22a1-6a11-4784-bc59-5cd9497b5445">
       <title>FIPS 199</title>
       <citation>
@@ -83249,5 +87329,9 @@
       <title>NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (DOI link)</title>
       <rlink media-type="application/pdf" href="https://doi.org/10.6028/NIST.SP.800-53r5"/>
     </resource>
+    <resource uuid="5a5ffcb9-2272-484e-8d47-4483a0585dec">
+      <title>NIST SP 800-53 content and other OSCAL content examples</title>
+      <rlink href="https://github.com/usnistgov/oscal-content/releases/"/>
+    </resource>
   </back-matter>
-</catalog>
\ No newline at end of file
+</catalog>
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.yaml
index 7a890d11..558d0bc8 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline-resolved-profile_catalog.yaml
@@ -1,9 +1,9 @@
 catalog:
-  uuid: fa9322a2-ab84-423c-b677-8602000b4876
+  uuid: 283e5a73-1997-40fe-8d7e-38abfe6c6b2b
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:45.431064-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE
+    last-modified: "2023-12-05T21:55:03.03012Z"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     props:
       - name: resolution-tool
@@ -257,6 +257,9 @@ catalog:
                           value: AC-01a.[01]
                           class: sp800-53a
                       prose: an access control policy is developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -264,6 +267,9 @@ catalog:
                           value: AC-01a.[02]
                           class: sp800-53a
                       prose: 'the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -271,6 +277,9 @@ catalog:
                           value: AC-01a.[03]
                           class: sp800-53a
                       prose: access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -278,6 +287,9 @@ catalog:
                           value: AC-01a.[04]
                           class: sp800-53a
                       prose: 'the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -299,6 +311,9 @@ catalog:
                                   value: AC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -306,6 +321,9 @@ catalog:
                                   value: AC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -313,6 +331,9 @@ catalog:
                                   value: AC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -320,6 +341,9 @@ catalog:
                                   value: AC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -327,6 +351,9 @@ catalog:
                                   value: AC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -334,6 +361,9 @@ catalog:
                                   value: AC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -341,6 +371,12 @@ catalog:
                                   value: AC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ac-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -348,6 +384,15 @@ catalog:
                               value: AC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ac-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.a'
+                      rel: assessment-for
                 - id: ac-1_obj.b
                   name: assessment-objective
                   props:
@@ -355,6 +400,9 @@ catalog:
                       value: AC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;'
+                  links:
+                    - href: '#ac-1_smt.b'
+                      rel: assessment-for
                 - id: ac-1_obj.c
                   name: assessment-objective
                   props:
@@ -376,6 +424,9 @@ catalog:
                               value: AC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
                         - id: ac-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -383,6 +434,12 @@ catalog:
                               value: AC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.1'
+                          rel: assessment-for
                     - id: ac-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -397,6 +454,9 @@ catalog:
                               value: AC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
                         - id: ac-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -404,6 +464,18 @@ catalog:
                               value: AC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-1_smt'
+                  rel: assessment-for
             - id: ac-1_asm-examine
               name: assessment-method
               props:
@@ -778,6 +850,9 @@ catalog:
                           value: AC-02a.[01]
                           class: sp800-53a
                       prose: account types allowed for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
                     - id: ac-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -785,6 +860,12 @@ catalog:
                           value: AC-02a.[02]
                           class: sp800-53a
                       prose: account types specifically prohibited for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.a'
+                      rel: assessment-for
                 - id: ac-2_obj.b
                   name: assessment-objective
                   props:
@@ -792,6 +873,9 @@ catalog:
                       value: AC-02b.
                       class: sp800-53a
                   prose: account managers are assigned;
+                  links:
+                    - href: '#ac-2_smt.b'
+                      rel: assessment-for
                 - id: ac-2_obj.c
                   name: assessment-objective
                   props:
@@ -799,6 +883,9 @@ catalog:
                       value: AC-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-02_odp.01 }} for group and role membership are required;'
+                  links:
+                    - href: '#ac-2_smt.c'
+                      rel: assessment-for
                 - id: ac-2_obj.d
                   name: assessment-objective
                   props:
@@ -813,6 +900,9 @@ catalog:
                           value: AC-02d.01
                           class: sp800-53a
                       prose: authorized users of the system are specified;
+                      links:
+                        - href: '#ac-2_smt.d.1'
+                          rel: assessment-for
                     - id: ac-2_obj.d.2
                       name: assessment-objective
                       props:
@@ -820,6 +910,9 @@ catalog:
                           value: AC-02d.02
                           class: sp800-53a
                       prose: group and role membership are specified;
+                      links:
+                        - href: '#ac-2_smt.d.2'
+                          rel: assessment-for
                     - id: ac-2_obj.d.3
                       name: assessment-objective
                       props:
@@ -834,6 +927,9 @@ catalog:
                               value: AC-02d.03[01]
                               class: sp800-53a
                           prose: access authorizations (i.e., privileges) are specified for each account;
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
                         - id: ac-2_obj.d.3-2
                           name: assessment-objective
                           props:
@@ -841,6 +937,15 @@ catalog:
                               value: AC-02d.03[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, ac-02_odp.02 }} are specified for each account;'
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-2_smt.d.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.d'
+                      rel: assessment-for
                 - id: ac-2_obj.e
                   name: assessment-objective
                   props:
@@ -848,6 +953,9 @@ catalog:
                       value: AC-02e.
                       class: sp800-53a
                   prose: 'approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;'
+                  links:
+                    - href: '#ac-2_smt.e'
+                      rel: assessment-for
                 - id: ac-2_obj.f
                   name: assessment-objective
                   props:
@@ -862,6 +970,9 @@ catalog:
                           value: AC-02f.[01]
                           class: sp800-53a
                       prose: 'accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -869,6 +980,9 @@ catalog:
                           value: AC-02f.[02]
                           class: sp800-53a
                       prose: 'accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-3
                       name: assessment-objective
                       props:
@@ -876,6 +990,9 @@ catalog:
                           value: AC-02f.[03]
                           class: sp800-53a
                       prose: 'accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-4
                       name: assessment-objective
                       props:
@@ -883,6 +1000,9 @@ catalog:
                           value: AC-02f.[04]
                           class: sp800-53a
                       prose: 'accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-5
                       name: assessment-objective
                       props:
@@ -890,6 +1010,12 @@ catalog:
                           value: AC-02f.[05]
                           class: sp800-53a
                       prose: 'accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.f'
+                      rel: assessment-for
                 - id: ac-2_obj.g
                   name: assessment-objective
                   props:
@@ -897,6 +1023,9 @@ catalog:
                       value: AC-02g.
                       class: sp800-53a
                   prose: 'the use of accounts is monitored; '
+                  links:
+                    - href: '#ac-2_smt.g'
+                      rel: assessment-for
                 - id: ac-2_obj.h
                   name: assessment-objective
                   props:
@@ -911,6 +1040,9 @@ catalog:
                           value: AC-02h.01
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;'
+                      links:
+                        - href: '#ac-2_smt.h.1'
+                          rel: assessment-for
                     - id: ac-2_obj.h.2
                       name: assessment-objective
                       props:
@@ -918,6 +1050,9 @@ catalog:
                           value: AC-02h.02
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;'
+                      links:
+                        - href: '#ac-2_smt.h.2'
+                          rel: assessment-for
                     - id: ac-2_obj.h.3
                       name: assessment-objective
                       props:
@@ -925,6 +1060,12 @@ catalog:
                           value: AC-02h.03
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;'
+                      links:
+                        - href: '#ac-2_smt.h.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.h'
+                      rel: assessment-for
                 - id: ac-2_obj.i
                   name: assessment-objective
                   props:
@@ -939,6 +1080,9 @@ catalog:
                           value: AC-02i.01
                           class: sp800-53a
                       prose: access to the system is authorized based on a valid access authorization;
+                      links:
+                        - href: '#ac-2_smt.i.1'
+                          rel: assessment-for
                     - id: ac-2_obj.i.2
                       name: assessment-objective
                       props:
@@ -946,6 +1090,9 @@ catalog:
                           value: AC-02i.02
                           class: sp800-53a
                       prose: access to the system is authorized based on intended system usage;
+                      links:
+                        - href: '#ac-2_smt.i.2'
+                          rel: assessment-for
                     - id: ac-2_obj.i.3
                       name: assessment-objective
                       props:
@@ -953,6 +1100,12 @@ catalog:
                           value: AC-02i.03
                           class: sp800-53a
                       prose: 'access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};'
+                      links:
+                        - href: '#ac-2_smt.i.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.i'
+                      rel: assessment-for
                 - id: ac-2_obj.j
                   name: assessment-objective
                   props:
@@ -960,6 +1113,9 @@ catalog:
                       value: AC-02j.
                       class: sp800-53a
                   prose: 'accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};'
+                  links:
+                    - href: '#ac-2_smt.j'
+                      rel: assessment-for
                 - id: ac-2_obj.k
                   name: assessment-objective
                   props:
@@ -974,6 +1130,9 @@ catalog:
                           value: AC-02k.[01]
                           class: sp800-53a
                       prose: a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
                     - id: ac-2_obj.k-2
                       name: assessment-objective
                       props:
@@ -981,6 +1140,12 @@ catalog:
                           value: AC-02k.[02]
                           class: sp800-53a
                       prose: a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.k'
+                      rel: assessment-for
                 - id: ac-2_obj.l
                   name: assessment-objective
                   props:
@@ -995,6 +1160,9 @@ catalog:
                           value: AC-02l.[01]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel termination processes;
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
                     - id: ac-2_obj.l-2
                       name: assessment-objective
                       props:
@@ -1002,6 +1170,15 @@ catalog:
                           value: AC-02l.[02]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel transfer processes.
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.l'
+                      rel: assessment-for
+              links:
+                - href: '#ac-2_smt'
+                  rel: assessment-for
             - id: ac-2_asm-examine
               name: assessment-method
               props:
@@ -1122,6 +1299,9 @@ catalog:
                       value: AC-02(01)
                       class: sp800-53a
                   prose: 'the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.'
+                  links:
+                    - href: '#ac-2.1_smt'
+                      rel: assessment-for
                 - id: ac-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -1234,6 +1414,9 @@ catalog:
                       value: AC-02(02)
                       class: sp800-53a
                   prose: 'temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.2_smt'
+                      rel: assessment-for
                 - id: ac-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -1378,6 +1561,9 @@ catalog:
                           value: AC-02(03)(a)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;'
+                      links:
+                        - href: '#ac-2.3_smt.a'
+                          rel: assessment-for
                     - id: ac-2.3_obj.b
                       name: assessment-objective
                       props:
@@ -1385,6 +1571,9 @@ catalog:
                           value: AC-02(03)(b)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;'
+                      links:
+                        - href: '#ac-2.3_smt.b'
+                          rel: assessment-for
                     - id: ac-2.3_obj.c
                       name: assessment-objective
                       props:
@@ -1392,6 +1581,9 @@ catalog:
                           value: AC-02(03)(c)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;'
+                      links:
+                        - href: '#ac-2.3_smt.c'
+                          rel: assessment-for
                     - id: ac-2.3_obj.d
                       name: assessment-objective
                       props:
@@ -1399,6 +1591,12 @@ catalog:
                           value: AC-02(03)(d)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.'
+                      links:
+                        - href: '#ac-2.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.3_smt'
+                      rel: assessment-for
                 - id: ac-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -1503,6 +1701,9 @@ catalog:
                           value: AC-02(04)[01]
                           class: sp800-53a
                       prose: account creation is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-2
                       name: assessment-objective
                       props:
@@ -1510,6 +1711,9 @@ catalog:
                           value: AC-02(04)[02]
                           class: sp800-53a
                       prose: account modification is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-3
                       name: assessment-objective
                       props:
@@ -1517,6 +1721,9 @@ catalog:
                           value: AC-02(04)[03]
                           class: sp800-53a
                       prose: account enabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-4
                       name: assessment-objective
                       props:
@@ -1524,6 +1731,9 @@ catalog:
                           value: AC-02(04)[04]
                           class: sp800-53a
                       prose: account disabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-5
                       name: assessment-objective
                       props:
@@ -1531,6 +1741,12 @@ catalog:
                           value: AC-02(04)[05]
                           class: sp800-53a
                       prose: account removal actions are automatically audited.
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.4_smt'
+                      rel: assessment-for
                 - id: ac-2.4_asm-examine
                   name: assessment-method
                   props:
@@ -1634,6 +1850,9 @@ catalog:
                       value: AC-02(05)
                       class: sp800-53a
                   prose: 'users are required to log out when {{ insert: param, ac-02.05_odp }}.'
+                  links:
+                    - href: '#ac-2.5_smt'
+                      rel: assessment-for
                 - id: ac-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -1732,6 +1951,9 @@ catalog:
                       value: AC-02(11)
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.'
+                  links:
+                    - href: '#ac-2.11_smt'
+                      rel: assessment-for
                 - id: ac-2.11_asm-examine
                   name: assessment-method
                   props:
@@ -1874,6 +2096,9 @@ catalog:
                           value: AC-02(12)(a)
                           class: sp800-53a
                       prose: 'system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; '
+                      links:
+                        - href: '#ac-2.12_smt.a'
+                          rel: assessment-for
                     - id: ac-2.12_obj.b
                       name: assessment-objective
                       props:
@@ -1881,6 +2106,12 @@ catalog:
                           value: AC-02(12)(b)
                           class: sp800-53a
                       prose: 'atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.'
+                      links:
+                        - href: '#ac-2.12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.12_smt'
+                      rel: assessment-for
                 - id: ac-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -1999,6 +2230,9 @@ catalog:
                       value: AC-02(13)
                       class: sp800-53a
                   prose: 'accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.13_smt'
+                      rel: assessment-for
                 - id: ac-2.13_asm-examine
                   name: assessment-method
                   props:
@@ -2136,6 +2370,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-3'
               rel: related
             - href: '#ma-4'
@@ -2188,6 +2424,9 @@ catalog:
                   value: AC-03
                   class: sp800-53a
               prose: approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
+              links:
+                - href: '#ac-3_smt'
+                  rel: assessment-for
             - id: ac-3_asm-examine
               name: assessment-method
               props:
@@ -2333,6 +2572,9 @@ catalog:
                   value: AC-04
                   class: sp800-53a
               prose: 'approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.'
+              links:
+                - href: '#ac-4_smt'
+                  rel: assessment-for
             - id: ac-4_asm-examine
               name: assessment-method
               props:
@@ -2473,6 +2715,9 @@ catalog:
                       value: AC-04(04)
                       class: sp800-53a
                   prose: 'encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.'
+                  links:
+                    - href: '#ac-4.4_smt'
+                      rel: assessment-for
                 - id: ac-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -2623,6 +2868,9 @@ catalog:
                       value: AC-05a.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-05_odp }} are identified and documented;'
+                  links:
+                    - href: '#ac-5_smt.a'
+                      rel: assessment-for
                 - id: ac-5_obj.b
                   name: assessment-objective
                   props:
@@ -2630,6 +2878,12 @@ catalog:
                       value: AC-05b.
                       class: sp800-53a
                   prose: system access authorizations to support separation of duties are defined.
+                  links:
+                    - href: '#ac-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-5_smt'
+                  rel: assessment-for
             - id: ac-5_asm-examine
               name: assessment-method
               props:
@@ -2739,6 +2993,9 @@ catalog:
                   value: AC-06
                   class: sp800-53a
               prose: the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+              links:
+                - href: '#ac-6_smt'
+                  rel: assessment-for
             - id: ac-6_asm-examine
               name: assessment-method
               props:
@@ -2922,6 +3179,9 @@ catalog:
                               value: AC-06(01)(a)[01]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -2929,6 +3189,9 @@ catalog:
                               value: AC-06(01)(a)[02]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-3
                           name: assessment-objective
                           props:
@@ -2936,6 +3199,12 @@ catalog:
                               value: AC-06(01)(a)[03]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-6.1_smt.a'
+                          rel: assessment-for
                     - id: ac-6.1_obj.b
                       name: assessment-objective
                       props:
@@ -2943,6 +3212,12 @@ catalog:
                           value: AC-06(01)(b)
                           class: sp800-53a
                       prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.'
+                      links:
+                        - href: '#ac-6.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.1_smt'
+                      rel: assessment-for
                 - id: ac-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -3047,6 +3322,9 @@ catalog:
                       value: AC-06(02)
                       class: sp800-53a
                   prose: 'users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.'
+                  links:
+                    - href: '#ac-6.2_smt'
+                      rel: assessment-for
                 - id: ac-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -3166,6 +3444,9 @@ catalog:
                           value: AC-06(03)[01]
                           class: sp800-53a
                       prose: 'network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};'
+                      links:
+                        - href: '#ac-6.3_smt'
+                          rel: assessment-for
                     - id: ac-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -3173,6 +3454,12 @@ catalog:
                           value: AC-06(03)[02]
                           class: sp800-53a
                       prose: the rationale for authorizing network access to privileged commands is documented in the security plan for the system.
+                      links:
+                        - href: '#ac-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.3_smt'
+                      rel: assessment-for
                 - id: ac-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -3273,6 +3560,9 @@ catalog:
                       value: AC-06(05)
                       class: sp800-53a
                   prose: 'privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.'
+                  links:
+                    - href: '#ac-6.5_smt'
+                      rel: assessment-for
                 - id: ac-6.5_asm-examine
                   name: assessment-method
                   props:
@@ -3405,6 +3695,9 @@ catalog:
                           value: AC-06(07)(a)
                           class: sp800-53a
                       prose: 'privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;'
+                      links:
+                        - href: '#ac-6.7_smt.a'
+                          rel: assessment-for
                     - id: ac-6.7_obj.b
                       name: assessment-objective
                       props:
@@ -3412,6 +3705,12 @@ catalog:
                           value: AC-06(07)(b)
                           class: sp800-53a
                       prose: privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
+                      links:
+                        - href: '#ac-6.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.7_smt'
+                      rel: assessment-for
                 - id: ac-6.7_asm-examine
                   name: assessment-method
                   props:
@@ -3509,6 +3808,9 @@ catalog:
                       value: AC-06(09)
                       class: sp800-53a
                   prose: the execution of privileged functions is logged.
+                  links:
+                    - href: '#ac-6.9_smt'
+                      rel: assessment-for
                 - id: ac-6.9_asm-examine
                   name: assessment-method
                   props:
@@ -3600,6 +3902,9 @@ catalog:
                       value: AC-06(10)
                       class: sp800-53a
                   prose: non-privileged users are prevented from executing privileged functions.
+                  links:
+                    - href: '#ac-6.10_smt'
+                      rel: assessment-for
                 - id: ac-6.10_asm-examine
                   name: assessment-method
                   props:
@@ -3784,6 +4089,9 @@ catalog:
                       value: AC-07a.
                       class: sp800-53a
                   prose: 'a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;'
+                  links:
+                    - href: '#ac-7_smt.a'
+                      rel: assessment-for
                 - id: ac-7_obj.b
                   name: assessment-objective
                   props:
@@ -3791,6 +4099,12 @@ catalog:
                       value: AC-07b.
                       class: sp800-53a
                   prose: 'automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.'
+                  links:
+                    - href: '#ac-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-7_smt'
+                  rel: assessment-for
             - id: ac-7_asm-examine
               name: assessment-method
               props:
@@ -3984,6 +4298,9 @@ catalog:
                           value: AC-08a.01
                           class: sp800-53a
                       prose: the system use notification states that users are accessing a U.S. Government system;
+                      links:
+                        - href: '#ac-8_smt.a.1'
+                          rel: assessment-for
                     - id: ac-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -3991,6 +4308,9 @@ catalog:
                           value: AC-08a.02
                           class: sp800-53a
                       prose: the system use notification states that system usage may be monitored, recorded, and subject to audit;
+                      links:
+                        - href: '#ac-8_smt.a.2'
+                          rel: assessment-for
                     - id: ac-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -3998,6 +4318,9 @@ catalog:
                           value: AC-08a.03
                           class: sp800-53a
                       prose: the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
+                      links:
+                        - href: '#ac-8_smt.a.3'
+                          rel: assessment-for
                     - id: ac-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -4005,6 +4328,12 @@ catalog:
                           value: AC-08a.04
                           class: sp800-53a
                       prose: the system use notification states that use of the system indicates consent to monitoring and recording;
+                      links:
+                        - href: '#ac-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.a'
+                      rel: assessment-for
                 - id: ac-8_obj.b
                   name: assessment-objective
                   props:
@@ -4012,6 +4341,9 @@ catalog:
                       value: AC-08b.
                       class: sp800-53a
                   prose: the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
+                  links:
+                    - href: '#ac-8_smt.b'
+                      rel: assessment-for
                 - id: ac-8_obj.c
                   name: assessment-objective
                   props:
@@ -4026,6 +4358,9 @@ catalog:
                           value: AC-08c.01
                           class: sp800-53a
                       prose: 'for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;'
+                      links:
+                        - href: '#ac-8_smt.c.1'
+                          rel: assessment-for
                     - id: ac-8_obj.c.2
                       name: assessment-objective
                       props:
@@ -4033,6 +4368,9 @@ catalog:
                           value: AC-08c.02
                           class: sp800-53a
                       prose: for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
+                      links:
+                        - href: '#ac-8_smt.c.2'
+                          rel: assessment-for
                     - id: ac-8_obj.c.3
                       name: assessment-objective
                       props:
@@ -4040,6 +4378,15 @@ catalog:
                           value: AC-08c.03
                           class: sp800-53a
                       prose: for publicly accessible systems, a description of the authorized uses of the system is included.
+                      links:
+                        - href: '#ac-8_smt.c.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-8_smt'
+                  rel: assessment-for
             - id: ac-8_asm-examine
               name: assessment-method
               props:
@@ -4163,6 +4510,9 @@ catalog:
                   value: AC-10
                   class: sp800-53a
               prose: 'the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.'
+              links:
+                - href: '#ac-10_smt'
+                  rel: assessment-for
             - id: ac-10_asm-examine
               name: assessment-method
               props:
@@ -4296,6 +4646,9 @@ catalog:
                       value: AC-11a.
                       class: sp800-53a
                   prose: 'further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};'
+                  links:
+                    - href: '#ac-11_smt.a'
+                      rel: assessment-for
                 - id: ac-11_obj.b
                   name: assessment-objective
                   props:
@@ -4303,6 +4656,12 @@ catalog:
                       value: AC-11b.
                       class: sp800-53a
                   prose: device lock is retained until the user re-establishes access using established identification and authentication procedures.
+                  links:
+                    - href: '#ac-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-11_smt'
+                  rel: assessment-for
             - id: ac-11_asm-examine
               name: assessment-method
               props:
@@ -4391,6 +4750,9 @@ catalog:
                       value: AC-11(01)
                       class: sp800-53a
                   prose: information previously visible on the display is concealed, via device lock, with a publicly viewable image.
+                  links:
+                    - href: '#ac-11.1_smt'
+                      rel: assessment-for
                 - id: ac-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -4494,6 +4856,9 @@ catalog:
                   value: AC-12
                   class: sp800-53a
               prose: 'a user session is automatically terminated after {{ insert: param, ac-12_odp }}.'
+              links:
+                - href: '#ac-12_smt'
+                  rel: assessment-for
             - id: ac-12_asm-examine
               name: assessment-method
               props:
@@ -4615,6 +4980,9 @@ catalog:
                       value: AC-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;'
+                  links:
+                    - href: '#ac-14_smt.a'
+                      rel: assessment-for
                 - id: ac-14_obj.b
                   name: assessment-objective
                   props:
@@ -4629,6 +4997,9 @@ catalog:
                           value: AC-14b.[01]
                           class: sp800-53a
                       prose: user actions not requiring identification or authentication are documented in the security plan for the system;
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
                     - id: ac-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -4636,6 +5007,15 @@ catalog:
                           value: AC-14b.[02]
                           class: sp800-53a
                       prose: a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-14_smt'
+                  rel: assessment-for
             - id: ac-14_asm-examine
               name: assessment-method
               props:
@@ -4783,6 +5163,9 @@ catalog:
                           value: AC-17a.[01]
                           class: sp800-53a
                       prose: usage restrictions are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -4790,6 +5173,9 @@ catalog:
                           value: AC-17a.[02]
                           class: sp800-53a
                       prose: configuration/connection requirements are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-3
                       name: assessment-objective
                       props:
@@ -4797,6 +5183,12 @@ catalog:
                           value: AC-17a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17_smt.a'
+                      rel: assessment-for
                 - id: ac-17_obj.b
                   name: assessment-objective
                   props:
@@ -4804,6 +5196,12 @@ catalog:
                       value: AC-17b.
                       class: sp800-53a
                   prose: each type of remote access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-17_smt'
+                  rel: assessment-for
             - id: ac-17_asm-examine
               name: assessment-method
               props:
@@ -4910,6 +5308,9 @@ catalog:
                           value: AC-17(01)[01]
                           class: sp800-53a
                       prose: automated mechanisms are employed to monitor remote access methods;
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
                     - id: ac-17.1_obj-2
                       name: assessment-objective
                       props:
@@ -4917,6 +5318,12 @@ catalog:
                           value: AC-17(01)[02]
                           class: sp800-53a
                       prose: automated mechanisms are employed to control remote access methods.
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.1_smt'
+                      rel: assessment-for
                 - id: ac-17.1_asm-examine
                   name: assessment-method
                   props:
@@ -5010,6 +5417,9 @@ catalog:
                       value: AC-17(02)
                       class: sp800-53a
                   prose: cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
+                  links:
+                    - href: '#ac-17.2_smt'
+                      rel: assessment-for
                 - id: ac-17.2_asm-examine
                   name: assessment-method
                   props:
@@ -5099,6 +5509,9 @@ catalog:
                       value: AC-17(03)
                       class: sp800-53a
                   prose: remote accesses are routed through authorized and managed network access control points.
+                  links:
+                    - href: '#ac-17.3_smt'
+                      rel: assessment-for
                 - id: ac-17.3_asm-examine
                   name: assessment-method
                   props:
@@ -5242,6 +5655,9 @@ catalog:
                               value: AC-17(04)(a)[01]
                               class: sp800-53a
                           prose: the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -5249,6 +5665,9 @@ catalog:
                               value: AC-17(04)(a)[02]
                               class: sp800-53a
                           prose: access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-3
                           name: assessment-objective
                           props:
@@ -5256,6 +5675,9 @@ catalog:
                               value: AC-17(04)(a)[03]
                               class: sp800-53a
                           prose: 'the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-4
                           name: assessment-objective
                           props:
@@ -5263,6 +5685,12 @@ catalog:
                               value: AC-17(04)(a)[04]
                               class: sp800-53a
                           prose: 'access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-17.4_smt.a'
+                          rel: assessment-for
                     - id: ac-17.4_obj.b
                       name: assessment-objective
                       props:
@@ -5270,6 +5698,12 @@ catalog:
                           value: AC-17(04)(b)
                           class: sp800-53a
                       prose: the rationale for remote access is documented in the security plan for the system.
+                      links:
+                        - href: '#ac-17.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.4_smt'
+                      rel: assessment-for
                 - id: ac-17.4_asm-examine
                   name: assessment-method
                   props:
@@ -5407,6 +5841,9 @@ catalog:
                           value: AC-18a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -5414,6 +5851,9 @@ catalog:
                           value: AC-18a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -5421,6 +5861,12 @@ catalog:
                           value: AC-18a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18_smt.a'
+                      rel: assessment-for
                 - id: ac-18_obj.b
                   name: assessment-objective
                   props:
@@ -5428,6 +5874,12 @@ catalog:
                       value: AC-18b.
                       class: sp800-53a
                   prose: each type of wireless access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-18_smt'
+                  rel: assessment-for
             - id: ac-18_asm-examine
               name: assessment-method
               props:
@@ -5542,6 +5994,9 @@ catalog:
                           value: AC-18(01)[01]
                           class: sp800-53a
                       prose: 'wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};'
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
                     - id: ac-18.1_obj-2
                       name: assessment-objective
                       props:
@@ -5549,6 +6004,12 @@ catalog:
                           value: AC-18(01)[02]
                           class: sp800-53a
                       prose: wireless access to the system is protected using encryption.
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.1_smt'
+                      rel: assessment-for
                 - id: ac-18.1_asm-examine
                   name: assessment-method
                   props:
@@ -5637,6 +6098,9 @@ catalog:
                       value: AC-18(03)
                       class: sp800-53a
                   prose: when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
+                  links:
+                    - href: '#ac-18.3_smt'
+                      rel: assessment-for
                 - id: ac-18.3_asm-examine
                   name: assessment-method
                   props:
@@ -5731,6 +6195,9 @@ catalog:
                           value: AC-18(04)[01]
                           class: sp800-53a
                       prose: users allowed to independently configure wireless networking capabilities are identified;
+                      links:
+                        - href: '#ac-18.4_smt'
+                          rel: assessment-for
                     - id: ac-18.4_obj-2
                       name: assessment-objective
                       props:
@@ -5738,6 +6205,12 @@ catalog:
                           value: AC-18(04)[02]
                           class: sp800-53a
                       prose: users allowed to independently configure wireless networking capabilities are explicitly authorized.
+                      links:
+                        - href: '#ac-18.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.4_smt'
+                      rel: assessment-for
                 - id: ac-18.4_asm-examine
                   name: assessment-method
                   props:
@@ -5830,6 +6303,9 @@ catalog:
                           value: AC-18(05)[01]
                           class: sp800-53a
                       prose: radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;
+                      links:
+                        - href: '#ac-18.5_smt'
+                          rel: assessment-for
                     - id: ac-18.5_obj-2
                       name: assessment-objective
                       props:
@@ -5837,6 +6313,12 @@ catalog:
                           value: AC-18(05)[02]
                           class: sp800-53a
                       prose: transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
+                      links:
+                        - href: '#ac-18.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.5_smt'
+                      rel: assessment-for
                 - id: ac-18.5_asm-examine
                   name: assessment-method
                   props:
@@ -6002,6 +6484,9 @@ catalog:
                           value: AC-19a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-2
                       name: assessment-objective
                       props:
@@ -6009,6 +6494,9 @@ catalog:
                           value: AC-19a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-3
                       name: assessment-objective
                       props:
@@ -6016,6 +6504,12 @@ catalog:
                           value: AC-19a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-19_smt.a'
+                      rel: assessment-for
                 - id: ac-19_obj.b
                   name: assessment-objective
                   props:
@@ -6023,6 +6517,12 @@ catalog:
                       value: AC-19b.
                       class: sp800-53a
                   prose: the connection of mobile devices to organizational systems is authorized.
+                  links:
+                    - href: '#ac-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-19_smt'
+                  rel: assessment-for
             - id: ac-19_asm-examine
               name: assessment-method
               props:
@@ -6144,6 +6644,9 @@ catalog:
                       value: AC-19(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.'
+                  links:
+                    - href: '#ac-19.5_smt'
+                      rel: assessment-for
                 - id: ac-19.5_asm-examine
                   name: assessment-method
                   props:
@@ -6343,16 +6846,25 @@ catalog:
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.1
+                          value: AC-20a.01
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.1'
+                          rel: assessment-for
                     - id: ac-20_obj.a.2
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.2
+                          value: AC-20a.02
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20_smt.a'
+                      rel: assessment-for
                 - id: ac-20_obj.b
                   name: assessment-objective
                   props:
@@ -6360,6 +6872,12 @@ catalog:
                       value: AC-20b.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).'
+                  links:
+                    - href: '#ac-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-20_smt'
+                  rel: assessment-for
             - id: ac-20_asm-examine
               name: assessment-method
               props:
@@ -6470,6 +6988,9 @@ catalog:
                           value: AC-20(01)(a)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);
+                      links:
+                        - href: '#ac-20.1_smt.a'
+                          rel: assessment-for
                     - id: ac-20.1_obj.b
                       name: assessment-objective
                       props:
@@ -6477,6 +6998,12 @@ catalog:
                           value: AC-20(01)(b)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
+                      links:
+                        - href: '#ac-20.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20.1_smt'
+                      rel: assessment-for
                 - id: ac-20.1_asm-examine
                   name: assessment-method
                   props:
@@ -6573,6 +7100,9 @@ catalog:
                       value: AC-20(02)
                       class: sp800-53a
                   prose: 'the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.'
+                  links:
+                    - href: '#ac-20.2_smt'
+                      rel: assessment-for
                 - id: ac-20.2_asm-examine
                   name: assessment-method
                   props:
@@ -6722,6 +7252,9 @@ catalog:
                       value: AC-21a.
                       class: sp800-53a
                   prose: 'authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};'
+                  links:
+                    - href: '#ac-21_smt.a'
+                      rel: assessment-for
                 - id: ac-21_obj.b
                   name: assessment-objective
                   props:
@@ -6729,6 +7262,12 @@ catalog:
                       value: AC-21b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.'
+                  links:
+                    - href: '#ac-21_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-21_smt'
+                  rel: assessment-for
             - id: ac-21_asm-examine
               name: assessment-method
               props:
@@ -6878,6 +7417,9 @@ catalog:
                       value: AC-22a.
                       class: sp800-53a
                   prose: designated individuals are authorized to make information publicly accessible;
+                  links:
+                    - href: '#ac-22_smt.a'
+                      rel: assessment-for
                 - id: ac-22_obj.b
                   name: assessment-objective
                   props:
@@ -6885,6 +7427,9 @@ catalog:
                       value: AC-22b.
                       class: sp800-53a
                   prose: authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
+                  links:
+                    - href: '#ac-22_smt.b'
+                      rel: assessment-for
                 - id: ac-22_obj.c
                   name: assessment-objective
                   props:
@@ -6892,6 +7437,9 @@ catalog:
                       value: AC-22c.
                       class: sp800-53a
                   prose: the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
+                  links:
+                    - href: '#ac-22_smt.c'
+                      rel: assessment-for
                 - id: ac-22_obj.d
                   name: assessment-objective
                   props:
@@ -6906,6 +7454,9 @@ catalog:
                           value: AC-22d.[01]
                           class: sp800-53a
                       prose: 'the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};'
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
                     - id: ac-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -6913,6 +7464,15 @@ catalog:
                           value: AC-22d.[02]
                           class: sp800-53a
                       prose: non-public information is removed from the publicly accessible system, if discovered.
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ac-22_smt'
+                  rel: assessment-for
             - id: ac-22_asm-examine
               name: assessment-method
               props:
@@ -7185,6 +7745,9 @@ catalog:
                           value: AT-01a.[01]
                           class: sp800-53a
                       prose: 'an awareness and training policy is developed and documented; '
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -7192,6 +7755,9 @@ catalog:
                           value: AT-01a.[02]
                           class: sp800-53a
                       prose: 'the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -7199,6 +7765,9 @@ catalog:
                           value: AT-01a.[03]
                           class: sp800-53a
                       prose: awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -7206,6 +7775,9 @@ catalog:
                           value: AT-01a.[04]
                           class: sp800-53a
                       prose: 'the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -7227,6 +7799,9 @@ catalog:
                                   value: AT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -7234,6 +7809,9 @@ catalog:
                                   value: AT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -7241,6 +7819,9 @@ catalog:
                                   value: AT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -7248,6 +7829,9 @@ catalog:
                                   value: AT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -7255,6 +7839,9 @@ catalog:
                                   value: AT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -7262,6 +7849,9 @@ catalog:
                                   value: AT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -7269,6 +7859,12 @@ catalog:
                                   value: AT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#at-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: at-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -7276,6 +7872,15 @@ catalog:
                               value: AT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and'
+                          links:
+                            - href: '#at-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.a'
+                      rel: assessment-for
                 - id: at-1_obj.b
                   name: assessment-objective
                   props:
@@ -7283,6 +7888,9 @@ catalog:
                       value: AT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;'
+                  links:
+                    - href: '#at-1_smt.b'
+                      rel: assessment-for
                 - id: at-1_obj.c
                   name: assessment-objective
                   props:
@@ -7304,6 +7912,9 @@ catalog:
                               value: AT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; '
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
                         - id: at-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -7311,6 +7922,12 @@ catalog:
                               value: AT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};'
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.1'
+                          rel: assessment-for
                     - id: at-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -7325,6 +7942,9 @@ catalog:
                               value: AT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
                         - id: at-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -7332,6 +7952,18 @@ catalog:
                               value: AT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-1_smt'
+                  rel: assessment-for
             - id: at-1_asm-examine
               name: assessment-method
               props:
@@ -7584,6 +8216,9 @@ catalog:
                               value: AT-02a.01[01]
                               class: sp800-53a
                           prose: security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -7591,6 +8226,9 @@ catalog:
                               value: AT-02a.01[02]
                               class: sp800-53a
                           prose: privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -7598,6 +8236,9 @@ catalog:
                               value: AT-02a.01[03]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -7605,6 +8246,12 @@ catalog:
                               value: AT-02a.01[04]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.1'
+                          rel: assessment-for
                     - id: at-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -7619,6 +8266,9 @@ catalog:
                               value: AT-02a.02[01]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
                         - id: at-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -7626,6 +8276,15 @@ catalog:
                               value: AT-02a.02[02]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.a'
+                      rel: assessment-for
                 - id: at-2_obj.b
                   name: assessment-objective
                   props:
@@ -7633,6 +8292,9 @@ catalog:
                       value: AT-02b.
                       class: sp800-53a
                   prose: ' {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;'
+                  links:
+                    - href: '#at-2_smt.b'
+                      rel: assessment-for
                 - id: at-2_obj.c
                   name: assessment-objective
                   props:
@@ -7647,6 +8309,9 @@ catalog:
                           value: AT-02c.[01]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
                     - id: at-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -7654,6 +8319,12 @@ catalog:
                           value: AT-02c.[02]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.c'
+                      rel: assessment-for
                 - id: at-2_obj.d
                   name: assessment-objective
                   props:
@@ -7661,6 +8332,12 @@ catalog:
                       value: AT-02d.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
+                  links:
+                    - href: '#at-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#at-2_smt'
+                  rel: assessment-for
             - id: at-2_asm-examine
               name: assessment-method
               props:
@@ -7763,6 +8440,9 @@ catalog:
                           value: AT-02(02)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential indicators of insider threat is provided;
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
                     - id: at-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -7770,6 +8450,12 @@ catalog:
                           value: AT-02(02)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential indicators of insider threat is provided.
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.2_smt'
+                      rel: assessment-for
                 - id: at-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -7853,6 +8539,9 @@ catalog:
                           value: AT-02(03)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-2
                       name: assessment-objective
                       props:
@@ -7860,6 +8549,9 @@ catalog:
                           value: AT-02(03)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-3
                       name: assessment-objective
                       props:
@@ -7867,6 +8559,9 @@ catalog:
                           value: AT-02(03)[03]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social mining is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-4
                       name: assessment-objective
                       props:
@@ -7874,6 +8569,12 @@ catalog:
                           value: AT-02(03)[04]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social mining is provided.
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.3_smt'
+                      rel: assessment-for
                 - id: at-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -8109,6 +8810,9 @@ catalog:
                               value: AT-03a.01[01]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -8116,6 +8820,9 @@ catalog:
                               value: AT-03a.01[02]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -8123,6 +8830,9 @@ catalog:
                               value: AT-03a.01[03]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -8130,6 +8840,12 @@ catalog:
                               value: AT-03a.01[04]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.1'
+                          rel: assessment-for
                     - id: at-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -8144,6 +8860,9 @@ catalog:
                               value: AT-03a.02[01]
                               class: sp800-53a
                           prose: role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
                         - id: at-3_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -8151,6 +8870,15 @@ catalog:
                               value: AT-03a.02[02]
                               class: sp800-53a
                           prose: role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.a'
+                      rel: assessment-for
                 - id: at-3_obj.b
                   name: assessment-objective
                   props:
@@ -8165,6 +8893,9 @@ catalog:
                           value: AT-03b.[01]
                           class: sp800-53a
                       prose: 'role-based training content is updated {{ insert: param, at-03_odp.04 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
                     - id: at-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -8172,6 +8903,12 @@ catalog:
                           value: AT-03b.[02]
                           class: sp800-53a
                       prose: 'role-based training content is updated following {{ insert: param, at-03_odp.05 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.b'
+                      rel: assessment-for
                 - id: at-3_obj.c
                   name: assessment-objective
                   props:
@@ -8179,6 +8916,12 @@ catalog:
                       value: AT-03c.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
+                  links:
+                    - href: '#at-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-3_smt'
+                  rel: assessment-for
             - id: at-3_asm-examine
               name: assessment-method
               props:
@@ -8318,6 +9061,9 @@ catalog:
                           value: AT-04a.[01]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
                     - id: at-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -8325,6 +9071,12 @@ catalog:
                           value: AT-04a.[02]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-4_smt.a'
+                      rel: assessment-for
                 - id: at-4_obj.b
                   name: assessment-objective
                   props:
@@ -8332,6 +9084,12 @@ catalog:
                       value: AT-04b.
                       class: sp800-53a
                   prose: 'individual training records are retained for {{ insert: param, at-04_odp }}.'
+                  links:
+                    - href: '#at-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#at-4_smt'
+                  rel: assessment-for
             - id: at-4_asm-examine
               name: assessment-method
               props:
@@ -8589,6 +9347,9 @@ catalog:
                           value: AU-01a.[01]
                           class: sp800-53a
                       prose: an audit and accountability policy is developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -8596,6 +9357,9 @@ catalog:
                           value: AU-01a.[02]
                           class: sp800-53a
                       prose: 'the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -8603,6 +9367,9 @@ catalog:
                           value: AU-01a.[03]
                           class: sp800-53a
                       prose: audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -8610,6 +9377,9 @@ catalog:
                           value: AU-01a.[04]
                           class: sp800-53a
                       prose: 'the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -8631,6 +9401,9 @@ catalog:
                                   value: AU-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -8638,6 +9411,9 @@ catalog:
                                   value: AU-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -8645,6 +9421,9 @@ catalog:
                                   value: AU-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -8652,6 +9431,9 @@ catalog:
                                   value: AU-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -8659,6 +9441,9 @@ catalog:
                                   value: AU-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -8666,6 +9451,9 @@ catalog:
                                   value: AU-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -8673,6 +9461,12 @@ catalog:
                                   value: AU-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#au-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: au-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -8680,6 +9474,15 @@ catalog:
                               value: AU-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#au-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.a'
+                      rel: assessment-for
                 - id: au-1_obj.b
                   name: assessment-objective
                   props:
@@ -8687,6 +9490,9 @@ catalog:
                       value: AU-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;'
+                  links:
+                    - href: '#au-1_smt.b'
+                      rel: assessment-for
                 - id: au-1_obj.c
                   name: assessment-objective
                   props:
@@ -8708,6 +9514,9 @@ catalog:
                               value: AU-01c.01[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
                         - id: au-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -8715,6 +9524,12 @@ catalog:
                               value: AU-01c.01[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.1'
+                          rel: assessment-for
                     - id: au-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -8729,6 +9544,9 @@ catalog:
                               value: AU-01c.02[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
                         - id: au-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -8736,6 +9554,18 @@ catalog:
                               value: AU-01c.02[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-1_smt'
+                  rel: assessment-for
             - id: au-1_asm-examine
               name: assessment-method
               props:
@@ -8962,6 +9792,9 @@ catalog:
                       value: AU-02a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;'
+                  links:
+                    - href: '#au-2_smt.a'
+                      rel: assessment-for
                 - id: au-2_obj.b
                   name: assessment-objective
                   props:
@@ -8969,6 +9802,9 @@ catalog:
                       value: AU-02b.
                       class: sp800-53a
                   prose: the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+                  links:
+                    - href: '#au-2_smt.b'
+                      rel: assessment-for
                 - id: au-2_obj.c
                   name: assessment-objective
                   props:
@@ -8983,6 +9819,9 @@ catalog:
                           value: AU-02c.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, au-02_odp.02 }} are specified for logging within the system;'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
                     - id: au-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -8990,6 +9829,12 @@ catalog:
                           value: AU-02c.[02]
                           class: sp800-53a
                       prose: 'the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-2_smt.c'
+                      rel: assessment-for
                 - id: au-2_obj.d
                   name: assessment-objective
                   props:
@@ -8997,6 +9842,9 @@ catalog:
                       value: AU-02d.
                       class: sp800-53a
                   prose: a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+                  links:
+                    - href: '#au-2_smt.d'
+                      rel: assessment-for
                 - id: au-2_obj.e
                   name: assessment-objective
                   props:
@@ -9004,6 +9852,12 @@ catalog:
                       value: AU-02e.
                       class: sp800-53a
                   prose: 'the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.'
+                  links:
+                    - href: '#au-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#au-2_smt'
+                  rel: assessment-for
             - id: au-2_asm-examine
               name: assessment-method
               props:
@@ -9157,6 +10011,9 @@ catalog:
                       value: AU-03a.
                       class: sp800-53a
                   prose: audit records contain information that establishes what type of event occurred;
+                  links:
+                    - href: '#au-3_smt.a'
+                      rel: assessment-for
                 - id: au-3_obj.b
                   name: assessment-objective
                   props:
@@ -9164,6 +10021,9 @@ catalog:
                       value: AU-03b.
                       class: sp800-53a
                   prose: audit records contain information that establishes when the event occurred;
+                  links:
+                    - href: '#au-3_smt.b'
+                      rel: assessment-for
                 - id: au-3_obj.c
                   name: assessment-objective
                   props:
@@ -9171,6 +10031,9 @@ catalog:
                       value: AU-03c.
                       class: sp800-53a
                   prose: audit records contain information that establishes where the event occurred;
+                  links:
+                    - href: '#au-3_smt.c'
+                      rel: assessment-for
                 - id: au-3_obj.d
                   name: assessment-objective
                   props:
@@ -9178,6 +10041,9 @@ catalog:
                       value: AU-03d.
                       class: sp800-53a
                   prose: audit records contain information that establishes the source of the event;
+                  links:
+                    - href: '#au-3_smt.d'
+                      rel: assessment-for
                 - id: au-3_obj.e
                   name: assessment-objective
                   props:
@@ -9185,6 +10051,9 @@ catalog:
                       value: AU-03e.
                       class: sp800-53a
                   prose: audit records contain information that establishes the outcome of the event;
+                  links:
+                    - href: '#au-3_smt.e'
+                      rel: assessment-for
                 - id: au-3_obj.f
                   name: assessment-objective
                   props:
@@ -9192,6 +10061,12 @@ catalog:
                       value: AU-03f.
                       class: sp800-53a
                   prose: audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+                  links:
+                    - href: '#au-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#au-3_smt'
+                  rel: assessment-for
             - id: au-3_asm-examine
               name: assessment-method
               props:
@@ -9295,6 +10170,9 @@ catalog:
                       value: AU-03(01)
                       class: sp800-53a
                   prose: 'generated audit records contain the following {{ insert: param, au-03.01_odp }}.'
+                  links:
+                    - href: '#au-3.1_smt'
+                      rel: assessment-for
                 - id: au-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -9416,6 +10294,9 @@ catalog:
                   value: AU-04
                   class: sp800-53a
               prose: 'audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.'
+              links:
+                - href: '#au-4_smt'
+                  rel: assessment-for
             - id: au-4_asm-examine
               name: assessment-method
               props:
@@ -9575,6 +10456,9 @@ catalog:
                       value: AU-05a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};'
+                  links:
+                    - href: '#au-5_smt.a'
+                      rel: assessment-for
                 - id: au-5_obj.b
                   name: assessment-objective
                   props:
@@ -9582,6 +10466,12 @@ catalog:
                       value: AU-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.'
+                  links:
+                    - href: '#au-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-5_smt'
+                  rel: assessment-for
             - id: au-5_asm-examine
               name: assessment-method
               props:
@@ -9705,6 +10595,9 @@ catalog:
                       value: AU-05(01)
                       class: sp800-53a
                   prose: 'a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.'
+                  links:
+                    - href: '#au-5.1_smt'
+                      rel: assessment-for
                 - id: au-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -9823,6 +10716,9 @@ catalog:
                       value: AU-05(02)
                       class: sp800-53a
                   prose: 'an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.'
+                  links:
+                    - href: '#au-5.2_smt'
+                      rel: assessment-for
                 - id: au-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -10021,6 +10917,9 @@ catalog:
                       value: AU-06a.
                       class: sp800-53a
                   prose: 'system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;'
+                  links:
+                    - href: '#au-6_smt.a'
+                      rel: assessment-for
                 - id: au-6_obj.b
                   name: assessment-objective
                   props:
@@ -10028,6 +10927,9 @@ catalog:
                       value: AU-06b.
                       class: sp800-53a
                   prose: 'findings are reported to {{ insert: param, au-06_odp.03 }};'
+                  links:
+                    - href: '#au-6_smt.b'
+                      rel: assessment-for
                 - id: au-6_obj.c
                   name: assessment-objective
                   props:
@@ -10035,6 +10937,12 @@ catalog:
                       value: AU-06c.
                       class: sp800-53a
                   prose: the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
+                  links:
+                    - href: '#au-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-6_smt'
+                  rel: assessment-for
             - id: au-6_asm-examine
               name: assessment-method
               props:
@@ -10123,6 +11031,9 @@ catalog:
                       value: AU-06(01)
                       class: sp800-53a
                   prose: 'audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.'
+                  links:
+                    - href: '#au-6.1_smt'
+                      rel: assessment-for
                 - id: au-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -10217,6 +11128,9 @@ catalog:
                       value: AU-06(03)
                       class: sp800-53a
                   prose: audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
+                  links:
+                    - href: '#au-6.3_smt'
+                      rel: assessment-for
                 - id: au-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -10334,6 +11248,9 @@ catalog:
                       value: AU-06(05)
                       class: sp800-53a
                   prose: 'analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.'
+                  links:
+                    - href: '#au-6.5_smt'
+                      rel: assessment-for
                 - id: au-6.5_asm-examine
                   name: assessment-method
                   props:
@@ -10422,6 +11339,9 @@ catalog:
                       value: AU-06(06)
                       class: sp800-53a
                   prose: information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+                  links:
+                    - href: '#au-6.6_smt'
+                      rel: assessment-for
                 - id: au-6.6_asm-examine
                   name: assessment-method
                   props:
@@ -10565,6 +11485,9 @@ catalog:
                           value: AU-07a.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
                     - id: au-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -10572,6 +11495,12 @@ catalog:
                           value: AU-07a.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.a'
+                      rel: assessment-for
                 - id: au-7_obj.b
                   name: assessment-objective
                   props:
@@ -10586,6 +11515,9 @@ catalog:
                           value: AU-07b.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
                     - id: au-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -10593,6 +11525,15 @@ catalog:
                           value: AU-07b.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-7_smt'
+                  rel: assessment-for
             - id: au-7_asm-examine
               name: assessment-method
               props:
@@ -10702,6 +11643,9 @@ catalog:
                           value: AU-07(01)[01]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
                     - id: au-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -10709,6 +11653,12 @@ catalog:
                           value: AU-07(01)[02]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7.1_smt'
+                      rel: assessment-for
                 - id: au-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -10836,6 +11786,9 @@ catalog:
                       value: AU-08a.
                       class: sp800-53a
                   prose: internal system clocks are used to generate timestamps for audit records;
+                  links:
+                    - href: '#au-8_smt.a'
+                      rel: assessment-for
                 - id: au-8_obj.b
                   name: assessment-objective
                   props:
@@ -10843,6 +11796,12 @@ catalog:
                       value: AU-08b.
                       class: sp800-53a
                   prose: 'timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.'
+                  links:
+                    - href: '#au-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-8_smt'
+                  rel: assessment-for
             - id: au-8_asm-examine
               name: assessment-method
               props:
@@ -10992,6 +11951,9 @@ catalog:
                       value: AU-09a.
                       class: sp800-53a
                   prose: audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
+                  links:
+                    - href: '#au-9_smt.a'
+                      rel: assessment-for
                 - id: au-9_obj.b
                   name: assessment-objective
                   props:
@@ -10999,6 +11961,12 @@ catalog:
                       value: AU-09b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.'
+                  links:
+                    - href: '#au-9_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-9_smt'
+                  rel: assessment-for
             - id: au-9_asm-examine
               name: assessment-method
               props:
@@ -11108,6 +12076,9 @@ catalog:
                       value: AU-09(02)
                       class: sp800-53a
                   prose: 'audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.'
+                  links:
+                    - href: '#au-9.2_smt'
+                      rel: assessment-for
                 - id: au-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -11205,6 +12176,9 @@ catalog:
                       value: AU-09(03)
                       class: sp800-53a
                   prose: cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.
+                  links:
+                    - href: '#au-9.3_smt'
+                      rel: assessment-for
                 - id: au-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -11311,6 +12285,9 @@ catalog:
                       value: AU-09(04)
                       class: sp800-53a
                   prose: 'access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.'
+                  links:
+                    - href: '#au-9.4_smt'
+                      rel: assessment-for
                 - id: au-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -11449,6 +12426,9 @@ catalog:
                   value: AU-10
                   class: sp800-53a
               prose: 'irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.'
+              links:
+                - href: '#au-10_smt'
+                  rel: assessment-for
             - id: au-10_asm-examine
               name: assessment-method
               props:
@@ -11568,6 +12548,9 @@ catalog:
                   value: AU-11
                   class: sp800-53a
               prose: 'audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
+              links:
+                - href: '#au-11_smt'
+                  rel: assessment-for
             - id: au-11_asm-examine
               name: assessment-method
               props:
@@ -11729,6 +12712,9 @@ catalog:
                       value: AU-12a.
                       class: sp800-53a
                   prose: 'audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};'
+                  links:
+                    - href: '#au-12_smt.a'
+                      rel: assessment-for
                 - id: au-12_obj.b
                   name: assessment-objective
                   props:
@@ -11736,6 +12722,9 @@ catalog:
                       value: AU-12b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;'
+                  links:
+                    - href: '#au-12_smt.b'
+                      rel: assessment-for
                 - id: au-12_obj.c
                   name: assessment-objective
                   props:
@@ -11743,6 +12732,12 @@ catalog:
                       value: AU-12c.
                       class: sp800-53a
                   prose: audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
+                  links:
+                    - href: '#au-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-12_smt'
+                  rel: assessment-for
             - id: au-12_asm-examine
               name: assessment-method
               props:
@@ -11863,6 +12858,9 @@ catalog:
                       value: AU-12(01)
                       class: sp800-53a
                   prose: 'audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.'
+                  links:
+                    - href: '#au-12.1_smt'
+                      rel: assessment-for
                 - id: au-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -12004,6 +13002,9 @@ catalog:
                           value: AU-12(03)[01]
                           class: sp800-53a
                       prose: 'the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;'
+                      links:
+                        - href: '#au-12.3_smt'
+                          rel: assessment-for
                     - id: au-12.3_obj-2
                       name: assessment-objective
                       props:
@@ -12011,6 +13012,12 @@ catalog:
                           value: AU-12(03)[02]
                           class: sp800-53a
                       prose: 'the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.'
+                      links:
+                        - href: '#au-12.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-12.3_smt'
+                      rel: assessment-for
                 - id: au-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -12293,6 +13300,9 @@ catalog:
                           value: CA-01a.[01]
                           class: sp800-53a
                       prose: an assessment, authorization, and monitoring policy is developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -12300,6 +13310,9 @@ catalog:
                           value: CA-01a.[02]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -12307,6 +13320,9 @@ catalog:
                           value: CA-01a.[03]
                           class: sp800-53a
                       prose: assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -12314,6 +13330,9 @@ catalog:
                           value: CA-01a.[04]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -12335,6 +13354,9 @@ catalog:
                                   value: CA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -12342,6 +13364,9 @@ catalog:
                                   value: CA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -12349,6 +13374,9 @@ catalog:
                                   value: CA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -12356,6 +13384,9 @@ catalog:
                                   value: CA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -12363,6 +13394,9 @@ catalog:
                                   value: CA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -12370,6 +13404,9 @@ catalog:
                                   value: CA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -12377,6 +13414,12 @@ catalog:
                                   value: CA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ca-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ca-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -12384,6 +13427,15 @@ catalog:
                               value: CA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ca-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.a'
+                      rel: assessment-for
                 - id: ca-1_obj.b
                   name: assessment-objective
                   props:
@@ -12391,6 +13443,9 @@ catalog:
                       value: CA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;'
+                  links:
+                    - href: '#ca-1_smt.b'
+                      rel: assessment-for
                 - id: ca-1_obj.c
                   name: assessment-objective
                   props:
@@ -12412,6 +13467,9 @@ catalog:
                               value: CA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
                         - id: ca-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -12419,6 +13477,12 @@ catalog:
                               value: CA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};'
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.1'
+                          rel: assessment-for
                     - id: ca-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -12433,6 +13497,9 @@ catalog:
                               value: CA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
                         - id: ca-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -12440,6 +13507,18 @@ catalog:
                               value: CA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.'
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-1_smt'
+                  rel: assessment-for
             - id: ca-1_asm-examine
               name: assessment-method
               props:
@@ -12647,6 +13726,9 @@ catalog:
                       value: CA-02a.
                       class: sp800-53a
                   prose: an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
+                  links:
+                    - href: '#ca-2_smt.a'
+                      rel: assessment-for
                 - id: ca-2_obj.b
                   name: assessment-objective
                   props:
@@ -12661,6 +13743,9 @@ catalog:
                           value: CA-02b.01
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
+                      links:
+                        - href: '#ca-2_smt.b.1'
+                          rel: assessment-for
                     - id: ca-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -12668,6 +13753,9 @@ catalog:
                           value: CA-02b.02
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
+                      links:
+                        - href: '#ca-2_smt.b.2'
+                          rel: assessment-for
                     - id: ca-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -12682,6 +13770,9 @@ catalog:
                               value: CA-02b.03[01]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -12689,6 +13780,9 @@ catalog:
                               value: CA-02b.03[02]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-3
                           name: assessment-objective
                           props:
@@ -12696,6 +13790,15 @@ catalog:
                               value: CA-02b.03[03]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.b'
+                      rel: assessment-for
                 - id: ca-2_obj.c
                   name: assessment-objective
                   props:
@@ -12703,6 +13806,9 @@ catalog:
                       value: CA-02c.
                       class: sp800-53a
                   prose: the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+                  links:
+                    - href: '#ca-2_smt.c'
+                      rel: assessment-for
                 - id: ca-2_obj.d
                   name: assessment-objective
                   props:
@@ -12717,6 +13823,9 @@ catalog:
                           value: CA-02d.[01]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
                     - id: ca-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -12724,6 +13833,12 @@ catalog:
                           value: CA-02d.[02]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.d'
+                      rel: assessment-for
                 - id: ca-2_obj.e
                   name: assessment-objective
                   props:
@@ -12731,6 +13846,9 @@ catalog:
                       value: CA-02e.
                       class: sp800-53a
                   prose: a control assessment report is produced that documents the results of the assessment;
+                  links:
+                    - href: '#ca-2_smt.e'
+                      rel: assessment-for
                 - id: ca-2_obj.f
                   name: assessment-objective
                   props:
@@ -12738,6 +13856,12 @@ catalog:
                       value: CA-02f.
                       class: sp800-53a
                   prose: 'the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.'
+                  links:
+                    - href: '#ca-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ca-2_smt'
+                  rel: assessment-for
             - id: ca-2_asm-examine
               name: assessment-method
               props:
@@ -12832,6 +13956,9 @@ catalog:
                       value: CA-02(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to conduct control assessments.
+                  links:
+                    - href: '#ca-2.1_smt'
+                      rel: assessment-for
                 - id: ca-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -12968,6 +14095,9 @@ catalog:
                       value: CA-02(02)
                       class: sp800-53a
                   prose: ' {{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.'
+                  links:
+                    - href: '#ca-2.2_smt'
+                      rel: assessment-for
                 - id: ca-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -13150,6 +14280,9 @@ catalog:
                       value: CA-03a.
                       class: sp800-53a
                   prose: 'the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};'
+                  links:
+                    - href: '#ca-3_smt.a'
+                      rel: assessment-for
                 - id: ca-3_obj.b
                   name: assessment-objective
                   props:
@@ -13164,6 +14297,9 @@ catalog:
                           value: CA-03b.[01]
                           class: sp800-53a
                       prose: the interface characteristics are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -13171,6 +14307,9 @@ catalog:
                           value: CA-03b.[02]
                           class: sp800-53a
                       prose: security requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-3
                       name: assessment-objective
                       props:
@@ -13178,6 +14317,9 @@ catalog:
                           value: CA-03b.[03]
                           class: sp800-53a
                       prose: privacy requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-4
                       name: assessment-objective
                       props:
@@ -13185,6 +14327,9 @@ catalog:
                           value: CA-03b.[04]
                           class: sp800-53a
                       prose: controls are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-5
                       name: assessment-objective
                       props:
@@ -13192,6 +14337,9 @@ catalog:
                           value: CA-03b.[05]
                           class: sp800-53a
                       prose: responsibilities for each system are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-6
                       name: assessment-objective
                       props:
@@ -13199,6 +14347,12 @@ catalog:
                           value: CA-03b.[06]
                           class: sp800-53a
                       prose: the impact level of the information communicated is documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-3_smt.b'
+                      rel: assessment-for
                 - id: ca-3_obj.c
                   name: assessment-objective
                   props:
@@ -13206,6 +14360,12 @@ catalog:
                       value: CA-03c.
                       class: sp800-53a
                   prose: 'agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.'
+                  links:
+                    - href: '#ca-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-3_smt'
+                  rel: assessment-for
             - id: ca-3_asm-examine
               name: assessment-method
               props:
@@ -13308,6 +14468,9 @@ catalog:
                       value: CA-03(06)
                       class: sp800-53a
                   prose: individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
+                  links:
+                    - href: '#ca-3.6_smt'
+                      rel: assessment-for
                 - id: ca-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -13458,6 +14621,9 @@ catalog:
                       value: CA-05a.
                       class: sp800-53a
                   prose: a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
+                  links:
+                    - href: '#ca-5_smt.a'
+                      rel: assessment-for
                 - id: ca-5_obj.b
                   name: assessment-objective
                   props:
@@ -13465,6 +14631,12 @@ catalog:
                       value: CA-05b.
                       class: sp800-53a
                   prose: 'existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.'
+                  links:
+                    - href: '#ca-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ca-5_smt'
+                  rel: assessment-for
             - id: ca-5_asm-examine
               name: assessment-method
               props:
@@ -13639,6 +14811,9 @@ catalog:
                       value: CA-06a.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for the system;
+                  links:
+                    - href: '#ca-6_smt.a'
+                      rel: assessment-for
                 - id: ca-6_obj.b
                   name: assessment-objective
                   props:
@@ -13646,6 +14821,9 @@ catalog:
                       value: CA-06b.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.b'
+                      rel: assessment-for
                 - id: ca-6_obj.c
                   name: assessment-objective
                   props:
@@ -13660,6 +14838,9 @@ catalog:
                           value: CA-06c.01
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
+                      links:
+                        - href: '#ca-6_smt.c.1'
+                          rel: assessment-for
                     - id: ca-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -13667,6 +14848,12 @@ catalog:
                           value: CA-06c.02
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system authorizes the system to operate;
+                      links:
+                        - href: '#ca-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6_smt.c'
+                      rel: assessment-for
                 - id: ca-6_obj.d
                   name: assessment-objective
                   props:
@@ -13674,6 +14861,9 @@ catalog:
                       value: CA-06d.
                       class: sp800-53a
                   prose: the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.d'
+                      rel: assessment-for
                 - id: ca-6_obj.e
                   name: assessment-objective
                   props:
@@ -13681,6 +14871,12 @@ catalog:
                       value: CA-06e.
                       class: sp800-53a
                   prose: 'the authorizations are updated {{ insert: param, ca-06_odp }}.'
+                  links:
+                    - href: '#ca-6_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ca-6_smt'
+                  rel: assessment-for
             - id: ca-6_asm-examine
               name: assessment-method
               props:
@@ -14013,6 +15209,9 @@ catalog:
                       value: CA-07[01]
                       class: sp800-53a
                   prose: a system-level continuous monitoring strategy is developed;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj-2
                   name: assessment-objective
                   props:
@@ -14020,6 +15219,9 @@ catalog:
                       value: CA-07[02]
                       class: sp800-53a
                   prose: system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj.a
                   name: assessment-objective
                   props:
@@ -14027,6 +15229,9 @@ catalog:
                       value: CA-07a.
                       class: sp800-53a
                   prose: 'system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};'
+                  links:
+                    - href: '#ca-7_smt.a'
+                      rel: assessment-for
                 - id: ca-7_obj.b
                   name: assessment-objective
                   props:
@@ -14041,6 +15246,9 @@ catalog:
                           value: CA-07b.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
                     - id: ca-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -14048,6 +15256,12 @@ catalog:
                           value: CA-07b.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.b'
+                      rel: assessment-for
                 - id: ca-7_obj.c
                   name: assessment-objective
                   props:
@@ -14055,6 +15269,9 @@ catalog:
                       value: CA-07c.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.c'
+                      rel: assessment-for
                 - id: ca-7_obj.d
                   name: assessment-objective
                   props:
@@ -14062,6 +15279,9 @@ catalog:
                       value: CA-07d.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.d'
+                      rel: assessment-for
                 - id: ca-7_obj.e
                   name: assessment-objective
                   props:
@@ -14069,6 +15289,9 @@ catalog:
                       value: CA-07e.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
+                  links:
+                    - href: '#ca-7_smt.e'
+                      rel: assessment-for
                 - id: ca-7_obj.f
                   name: assessment-objective
                   props:
@@ -14076,6 +15299,9 @@ catalog:
                       value: CA-07f.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
+                  links:
+                    - href: '#ca-7_smt.f'
+                      rel: assessment-for
                 - id: ca-7_obj.g
                   name: assessment-objective
                   props:
@@ -14090,6 +15316,9 @@ catalog:
                           value: CA-07g.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
                     - id: ca-7_obj.g-2
                       name: assessment-objective
                       props:
@@ -14097,6 +15326,15 @@ catalog:
                           value: CA-07g.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ca-7_smt'
+                  rel: assessment-for
             - id: ca-7_asm-examine
               name: assessment-method
               props:
@@ -14205,6 +15443,9 @@ catalog:
                       value: CA-07(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
+                  links:
+                    - href: '#ca-7.1_smt'
+                      rel: assessment-for
                 - id: ca-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -14319,6 +15560,9 @@ catalog:
                           value: CA-07(04)(a)
                           class: sp800-53a
                       prose: effectiveness monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.a'
+                          rel: assessment-for
                     - id: ca-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -14326,6 +15570,9 @@ catalog:
                           value: CA-07(04)(b)
                           class: sp800-53a
                       prose: compliance monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.b'
+                          rel: assessment-for
                     - id: ca-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -14333,6 +15580,12 @@ catalog:
                           value: CA-07(04)(c)
                           class: sp800-53a
                       prose: change monitoring is included in risk monitoring.
+                      links:
+                        - href: '#ca-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.4_smt'
+                      rel: assessment-for
                 - id: ca-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -14464,6 +15717,9 @@ catalog:
                   value: CA-08
                   class: sp800-53a
               prose: 'penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.'
+              links:
+                - href: '#ca-8_smt'
+                  rel: assessment-for
             - id: ca-8_asm-examine
               name: assessment-method
               props:
@@ -14559,6 +15815,9 @@ catalog:
                       value: CA-08(01)
                       class: sp800-53a
                   prose: an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.
+                  links:
+                    - href: '#ca-8.1_smt'
+                      rel: assessment-for
                 - id: ca-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -14720,6 +15979,9 @@ catalog:
                       value: CA-09a.
                       class: sp800-53a
                   prose: 'internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;'
+                  links:
+                    - href: '#ca-9_smt.a'
+                      rel: assessment-for
                 - id: ca-9_obj.b
                   name: assessment-objective
                   props:
@@ -14734,6 +15996,9 @@ catalog:
                           value: CA-09b.[01]
                           class: sp800-53a
                       prose: for each internal connection, the interface characteristics are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -14741,6 +16006,9 @@ catalog:
                           value: CA-09b.[02]
                           class: sp800-53a
                       prose: for each internal connection, the security requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-3
                       name: assessment-objective
                       props:
@@ -14748,6 +16016,9 @@ catalog:
                           value: CA-09b.[03]
                           class: sp800-53a
                       prose: for each internal connection, the privacy requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-4
                       name: assessment-objective
                       props:
@@ -14755,6 +16026,12 @@ catalog:
                           value: CA-09b.[04]
                           class: sp800-53a
                       prose: for each internal connection, the nature of the information communicated is documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-9_smt.b'
+                      rel: assessment-for
                 - id: ca-9_obj.c
                   name: assessment-objective
                   props:
@@ -14762,6 +16039,9 @@ catalog:
                       value: CA-09c.
                       class: sp800-53a
                   prose: 'internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};'
+                  links:
+                    - href: '#ca-9_smt.c'
+                      rel: assessment-for
                 - id: ca-9_obj.d
                   name: assessment-objective
                   props:
@@ -14769,6 +16049,12 @@ catalog:
                       value: CA-09d.
                       class: sp800-53a
                   prose: 'the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.'
+                  links:
+                    - href: '#ca-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ca-9_smt'
+                  rel: assessment-for
             - id: ca-9_asm-examine
               name: assessment-method
               props:
@@ -15045,6 +16331,9 @@ catalog:
                           value: CM-01a.[01]
                           class: sp800-53a
                       prose: a configuration management policy is developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -15052,6 +16341,9 @@ catalog:
                           value: CM-01a.[02]
                           class: sp800-53a
                       prose: 'the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -15059,6 +16351,9 @@ catalog:
                           value: CM-01a.[03]
                           class: sp800-53a
                       prose: configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -15066,6 +16361,9 @@ catalog:
                           value: CM-01a.[04]
                           class: sp800-53a
                       prose: 'the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -15087,6 +16385,9 @@ catalog:
                                   value: CM-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -15094,6 +16395,9 @@ catalog:
                                   value: CM-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -15101,6 +16405,9 @@ catalog:
                                   value: CM-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -15108,6 +16415,9 @@ catalog:
                                   value: CM-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -15115,6 +16425,9 @@ catalog:
                                   value: CM-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -15122,6 +16435,9 @@ catalog:
                                   value: CM-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -15129,6 +16445,12 @@ catalog:
                                   value: CM-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cm-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cm-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -15136,6 +16458,15 @@ catalog:
                               value: CM-01a.01(b)
                               class: sp800-53a
                           prose: the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#cm-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.a'
+                      rel: assessment-for
                 - id: cm-1_obj.b
                   name: assessment-objective
                   props:
@@ -15143,6 +16474,9 @@ catalog:
                       value: CM-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;'
+                  links:
+                    - href: '#cm-1_smt.b'
+                      rel: assessment-for
                 - id: cm-1_obj.c
                   name: assessment-objective
                   props:
@@ -15164,6 +16498,9 @@ catalog:
                               value: CM-01c.01[01]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
                         - id: cm-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -15171,6 +16508,12 @@ catalog:
                               value: CM-01c.01[02]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};'
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.1'
+                          rel: assessment-for
                     - id: cm-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -15185,6 +16528,9 @@ catalog:
                               value: CM-01c.02[01]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
                         - id: cm-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -15192,6 +16538,18 @@ catalog:
                               value: CM-01c.02[02]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.'
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-1_smt'
+                  rel: assessment-for
             - id: cm-1_asm-examine
               name: assessment-method
               props:
@@ -15374,6 +16732,9 @@ catalog:
                           value: CM-02a.[01]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is developed and documented;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
                     - id: cm-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -15381,6 +16742,12 @@ catalog:
                           value: CM-02a.[02]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is maintained under configuration control;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.a'
+                      rel: assessment-for
                 - id: cm-2_obj.b
                   name: assessment-objective
                   props:
@@ -15395,6 +16762,9 @@ catalog:
                           value: CM-02b.01
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};'
+                      links:
+                        - href: '#cm-2_smt.b.1'
+                          rel: assessment-for
                     - id: cm-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -15402,6 +16772,9 @@ catalog:
                           value: CM-02b.02
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};'
+                      links:
+                        - href: '#cm-2_smt.b.2'
+                          rel: assessment-for
                     - id: cm-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -15409,6 +16782,15 @@ catalog:
                           value: CM-02b.03
                           class: sp800-53a
                       prose: the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
+                      links:
+                        - href: '#cm-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-2_smt'
+                  rel: assessment-for
             - id: cm-2_asm-examine
               name: assessment-method
               props:
@@ -15535,6 +16917,9 @@ catalog:
                           value: CM-02(02)[01]
                           class: sp800-53a
                       prose: 'the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -15542,6 +16927,9 @@ catalog:
                           value: CM-02(02)[02]
                           class: sp800-53a
                       prose: 'the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-3
                       name: assessment-objective
                       props:
@@ -15549,6 +16937,9 @@ catalog:
                           value: CM-02(02)[03]
                           class: sp800-53a
                       prose: 'the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-4
                       name: assessment-objective
                       props:
@@ -15556,6 +16947,12 @@ catalog:
                           value: CM-02(02)[04]
                           class: sp800-53a
                       prose: 'the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.2_smt'
+                      rel: assessment-for
                 - id: cm-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -15664,6 +17061,9 @@ catalog:
                       value: CM-02(03)
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.'
+                  links:
+                    - href: '#cm-2.3_smt'
+                      rel: assessment-for
                 - id: cm-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -15808,6 +17208,9 @@ catalog:
                           value: CM-02(07)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;'
+                      links:
+                        - href: '#cm-2.7_smt.a'
+                          rel: assessment-for
                     - id: cm-2.7_obj.b
                       name: assessment-objective
                       props:
@@ -15815,6 +17218,12 @@ catalog:
                           value: CM-02(07)(b)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.'
+                      links:
+                        - href: '#cm-2.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.7_smt'
+                      rel: assessment-for
                 - id: cm-2.7_asm-examine
                   name: assessment-method
                   props:
@@ -16065,6 +17474,9 @@ catalog:
                       value: CM-03a.
                       class: sp800-53a
                   prose: the types of changes to the system that are configuration-controlled are determined and documented;
+                  links:
+                    - href: '#cm-3_smt.a'
+                      rel: assessment-for
                 - id: cm-3_obj.b
                   name: assessment-objective
                   props:
@@ -16079,6 +17491,9 @@ catalog:
                           value: CM-03b.[01]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
                     - id: cm-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -16086,6 +17501,12 @@ catalog:
                           value: CM-03b.[02]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.b'
+                      rel: assessment-for
                 - id: cm-3_obj.c
                   name: assessment-objective
                   props:
@@ -16093,6 +17514,9 @@ catalog:
                       value: CM-03c.
                       class: sp800-53a
                   prose: configuration change decisions associated with the system are documented;
+                  links:
+                    - href: '#cm-3_smt.c'
+                      rel: assessment-for
                 - id: cm-3_obj.d
                   name: assessment-objective
                   props:
@@ -16100,6 +17524,9 @@ catalog:
                       value: CM-03d.
                       class: sp800-53a
                   prose: approved configuration-controlled changes to the system are implemented;
+                  links:
+                    - href: '#cm-3_smt.d'
+                      rel: assessment-for
                 - id: cm-3_obj.e
                   name: assessment-objective
                   props:
@@ -16107,6 +17534,9 @@ catalog:
                       value: CM-03e.
                       class: sp800-53a
                   prose: 'records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};'
+                  links:
+                    - href: '#cm-3_smt.e'
+                      rel: assessment-for
                 - id: cm-3_obj.f
                   name: assessment-objective
                   props:
@@ -16121,6 +17551,9 @@ catalog:
                           value: CM-03f.[01]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are monitored;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
                     - id: cm-3_obj.f-2
                       name: assessment-objective
                       props:
@@ -16128,6 +17561,12 @@ catalog:
                           value: CM-03f.[02]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.f'
+                      rel: assessment-for
                 - id: cm-3_obj.g
                   name: assessment-objective
                   props:
@@ -16142,6 +17581,9 @@ catalog:
                           value: CM-03g.[01]
                           class: sp800-53a
                       prose: 'configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
                     - id: cm-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -16149,6 +17591,15 @@ catalog:
                           value: CM-03g.[02]
                           class: sp800-53a
                       prose: 'the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#cm-3_smt'
+                  rel: assessment-for
             - id: cm-3_asm-examine
               name: assessment-method
               props:
@@ -16340,6 +17791,9 @@ catalog:
                           value: CM-03(01)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;'
+                      links:
+                        - href: '#cm-3.1_smt.a'
+                          rel: assessment-for
                     - id: cm-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -16347,6 +17801,9 @@ catalog:
                           value: CM-03(01)(b)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;'
+                      links:
+                        - href: '#cm-3.1_smt.b'
+                          rel: assessment-for
                     - id: cm-3.1_obj.c
                       name: assessment-objective
                       props:
@@ -16354,6 +17811,9 @@ catalog:
                           value: CM-03(01)(c)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};'
+                      links:
+                        - href: '#cm-3.1_smt.c'
+                          rel: assessment-for
                     - id: cm-3.1_obj.d
                       name: assessment-objective
                       props:
@@ -16361,6 +17821,9 @@ catalog:
                           value: CM-03(01)(d)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;'
+                      links:
+                        - href: '#cm-3.1_smt.d'
+                          rel: assessment-for
                     - id: cm-3.1_obj.e
                       name: assessment-objective
                       props:
@@ -16368,6 +17831,9 @@ catalog:
                           value: CM-03(01)(e)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;'
+                      links:
+                        - href: '#cm-3.1_smt.e'
+                          rel: assessment-for
                     - id: cm-3.1_obj.f
                       name: assessment-objective
                       props:
@@ -16375,6 +17841,12 @@ catalog:
                           value: CM-03(01)(f)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.'
+                      links:
+                        - href: '#cm-3.1_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.1_smt'
+                      rel: assessment-for
                 - id: cm-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -16489,6 +17961,9 @@ catalog:
                           value: CM-03(02)[01]
                           class: sp800-53a
                       prose: changes to the system are tested before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-2
                       name: assessment-objective
                       props:
@@ -16496,6 +17971,9 @@ catalog:
                           value: CM-03(02)[02]
                           class: sp800-53a
                       prose: changes to the system are validated before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-3
                       name: assessment-objective
                       props:
@@ -16503,6 +17981,12 @@ catalog:
                           value: CM-03(02)[03]
                           class: sp800-53a
                       prose: changes to the system are documented before finalizing the implementation of the changes.
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.2_smt'
+                      rel: assessment-for
                 - id: cm-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -16648,6 +18132,9 @@ catalog:
                           value: CM-03(04)[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
                     - id: cm-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -16655,6 +18142,12 @@ catalog:
                           value: CM-03(04)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.4_smt'
+                      rel: assessment-for
                 - id: cm-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -16751,6 +18244,9 @@ catalog:
                       value: CM-03(06)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.'
+                  links:
+                    - href: '#cm-3.6_smt'
+                      rel: assessment-for
                 - id: cm-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -16879,6 +18375,9 @@ catalog:
                       value: CM-04[01]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential security impacts prior to change implementation;
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
                 - id: cm-4_obj-2
                   name: assessment-objective
                   props:
@@ -16886,6 +18385,12 @@ catalog:
                       value: CM-04[02]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-4_smt'
+                  rel: assessment-for
             - id: cm-4_asm-examine
               name: assessment-method
               props:
@@ -17009,6 +18514,9 @@ catalog:
                           value: CM-04(01)[01]
                           class: sp800-53a
                       prose: changes to the system are analyzed in a separate test environment before implementation in an operational environment;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-2
                       name: assessment-objective
                       props:
@@ -17016,6 +18524,9 @@ catalog:
                           value: CM-04(01)[02]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to flaws;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-3
                       name: assessment-objective
                       props:
@@ -17023,6 +18534,9 @@ catalog:
                           value: CM-04(01)[03]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to flaws;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-4
                       name: assessment-objective
                       props:
@@ -17030,6 +18544,9 @@ catalog:
                           value: CM-04(01)[04]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to weaknesses;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-5
                       name: assessment-objective
                       props:
@@ -17037,6 +18554,9 @@ catalog:
                           value: CM-04(01)[05]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to weaknesses;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-6
                       name: assessment-objective
                       props:
@@ -17044,6 +18564,9 @@ catalog:
                           value: CM-04(01)[06]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to incompatibility;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-7
                       name: assessment-objective
                       props:
@@ -17051,6 +18574,9 @@ catalog:
                           value: CM-04(01)[07]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to incompatibility;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-8
                       name: assessment-objective
                       props:
@@ -17058,6 +18584,9 @@ catalog:
                           value: CM-04(01)[08]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to intentional malice;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-9
                       name: assessment-objective
                       props:
@@ -17065,6 +18594,12 @@ catalog:
                           value: CM-04(01)[09]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to intentional malice.
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-4.1_smt'
+                      rel: assessment-for
                 - id: cm-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -17191,6 +18726,9 @@ catalog:
                           value: CM-04(02)[01]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-2
                       name: assessment-objective
                       props:
@@ -17198,6 +18736,9 @@ catalog:
                           value: CM-04(02)[02]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-3
                       name: assessment-objective
                       props:
@@ -17205,6 +18746,9 @@ catalog:
                           value: CM-04(02)[03]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-4
                       name: assessment-objective
                       props:
@@ -17212,6 +18756,9 @@ catalog:
                           value: CM-04(02)[04]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-5
                       name: assessment-objective
                       props:
@@ -17219,6 +18766,9 @@ catalog:
                           value: CM-04(02)[05]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-6
                       name: assessment-objective
                       props:
@@ -17226,6 +18776,12 @@ catalog:
                           value: CM-04(02)[06]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-4.2_smt'
+                      rel: assessment-for
                 - id: cm-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -17361,6 +18917,9 @@ catalog:
                       value: CM-05[01]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-2
                   name: assessment-objective
                   props:
@@ -17368,6 +18927,9 @@ catalog:
                       value: CM-05[02]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-3
                   name: assessment-objective
                   props:
@@ -17375,6 +18937,9 @@ catalog:
                       value: CM-05[03]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are enforced;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-4
                   name: assessment-objective
                   props:
@@ -17382,6 +18947,9 @@ catalog:
                       value: CM-05[04]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-5
                   name: assessment-objective
                   props:
@@ -17389,6 +18957,9 @@ catalog:
                       value: CM-05[05]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-6
                   name: assessment-objective
                   props:
@@ -17396,6 +18967,12 @@ catalog:
                       value: CM-05[06]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are enforced.
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-5_smt'
+                  rel: assessment-for
             - id: cm-5_asm-examine
               name: assessment-method
               props:
@@ -17543,6 +19120,9 @@ catalog:
                           value: CM-05(01)(a)
                           class: sp800-53a
                       prose: 'access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};'
+                      links:
+                        - href: '#cm-5.1_smt.a'
+                          rel: assessment-for
                     - id: cm-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -17550,6 +19130,12 @@ catalog:
                           value: CM-05(01)(b)
                           class: sp800-53a
                       prose: audit records of enforcement actions are automatically generated.
+                      links:
+                        - href: '#cm-5.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-5.1_smt'
+                      rel: assessment-for
                 - id: cm-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -17782,6 +19368,9 @@ catalog:
                       value: CM-06a.
                       class: sp800-53a
                   prose: 'configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};'
+                  links:
+                    - href: '#cm-6_smt.a'
+                      rel: assessment-for
                 - id: cm-6_obj.b
                   name: assessment-objective
                   props:
@@ -17789,6 +19378,9 @@ catalog:
                       value: CM-06b.
                       class: sp800-53a
                   prose: the configuration settings documented in CM-06a are implemented;
+                  links:
+                    - href: '#cm-6_smt.b'
+                      rel: assessment-for
                 - id: cm-6_obj.c
                   name: assessment-objective
                   props:
@@ -17803,6 +19395,9 @@ catalog:
                           value: CM-06c.[01]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
                     - id: cm-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -17810,6 +19405,12 @@ catalog:
                           value: CM-06c.[02]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.c'
+                      rel: assessment-for
                 - id: cm-6_obj.d
                   name: assessment-objective
                   props:
@@ -17824,6 +19425,9 @@ catalog:
                           value: CM-06d.[01]
                           class: sp800-53a
                       prose: changes to the configuration settings are monitored in accordance with organizational policies and procedures;
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
                     - id: cm-6_obj.d-2
                       name: assessment-objective
                       props:
@@ -17831,6 +19435,15 @@ catalog:
                           value: CM-06d.[02]
                           class: sp800-53a
                       prose: changes to the configuration settings are controlled in accordance with organizational policies and procedures.
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cm-6_smt'
+                  rel: assessment-for
             - id: cm-6_asm-examine
               name: assessment-method
               props:
@@ -17994,6 +19607,9 @@ catalog:
                           value: CM-06(01)[01]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
                     - id: cm-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -18001,6 +19617,9 @@ catalog:
                           value: CM-06(01)[02]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
                     - id: cm-6.1_obj-3
                       name: assessment-objective
                       props:
@@ -18008,6 +19627,12 @@ catalog:
                           value: CM-06(01)[03]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6.1_smt'
+                      rel: assessment-for
                 - id: cm-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -18135,6 +19760,9 @@ catalog:
                       value: CM-06(02)
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.'
+                  links:
+                    - href: '#cm-6.2_smt'
+                      rel: assessment-for
                 - id: cm-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -18371,6 +19999,9 @@ catalog:
                       value: CM-07a.
                       class: sp800-53a
                   prose: 'the system is configured to provide only {{ insert: param, cm-07_odp.01 }};'
+                  links:
+                    - href: '#cm-7_smt.a'
+                      rel: assessment-for
                 - id: cm-7_obj.b
                   name: assessment-objective
                   props:
@@ -18385,6 +20016,9 @@ catalog:
                           value: CM-07b.[01]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -18392,6 +20026,9 @@ catalog:
                           value: CM-07b.[02]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -18399,6 +20036,9 @@ catalog:
                           value: CM-07b.[03]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-4
                       name: assessment-objective
                       props:
@@ -18406,6 +20046,9 @@ catalog:
                           value: CM-07b.[04]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-5
                       name: assessment-objective
                       props:
@@ -18413,6 +20056,15 @@ catalog:
                           value: CM-07b.[05]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-7_smt'
+                  rel: assessment-for
             - id: cm-7_asm-examine
               name: assessment-method
               props:
@@ -18601,6 +20253,9 @@ catalog:
                           value: CM-07(01)(a)
                           class: sp800-53a
                       prose: 'the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:'
+                      links:
+                        - href: '#cm-7.1_smt.a'
+                          rel: assessment-for
                     - id: cm-7.1_obj.b
                       name: assessment-objective
                       props:
@@ -18615,6 +20270,9 @@ catalog:
                               value: CM-07(01)(b)[01]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -18622,6 +20280,9 @@ catalog:
                               value: CM-07(01)(b)[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-3
                           name: assessment-objective
                           props:
@@ -18629,6 +20290,9 @@ catalog:
                               value: CM-07(01)(b)[03]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-4
                           name: assessment-objective
                           props:
@@ -18636,6 +20300,9 @@ catalog:
                               value: CM-07(01)(b)[04]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-5
                           name: assessment-objective
                           props:
@@ -18643,6 +20310,15 @@ catalog:
                               value: CM-07(01)(b)[05]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-7.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.1_smt'
+                      rel: assessment-for
                 - id: cm-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -18774,6 +20450,9 @@ catalog:
                       value: CM-07(02)
                       class: sp800-53a
                   prose: 'program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.'
+                  links:
+                    - href: '#cm-7.2_smt'
+                      rel: assessment-for
                 - id: cm-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -18946,6 +20625,9 @@ catalog:
                           value: CM-07(05)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-07.05_odp.01 }} are identified;'
+                      links:
+                        - href: '#cm-7.5_smt.a'
+                          rel: assessment-for
                     - id: cm-7.5_obj.b
                       name: assessment-objective
                       props:
@@ -18953,6 +20635,9 @@ catalog:
                           value: CM-07(05)(b)
                           class: sp800-53a
                       prose: a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;
+                      links:
+                        - href: '#cm-7.5_smt.b'
+                          rel: assessment-for
                     - id: cm-7.5_obj.c
                       name: assessment-objective
                       props:
@@ -18960,6 +20645,12 @@ catalog:
                           value: CM-07(05)(c)
                           class: sp800-53a
                       prose: 'the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.'
+                      links:
+                        - href: '#cm-7.5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.5_smt'
+                      rel: assessment-for
                 - id: cm-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -19195,6 +20886,9 @@ catalog:
                           value: CM-08a.01
                           class: sp800-53a
                       prose: an inventory of system components that accurately reflects the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.1'
+                          rel: assessment-for
                     - id: cm-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -19202,6 +20896,9 @@ catalog:
                           value: CM-08a.02
                           class: sp800-53a
                       prose: an inventory of system components that includes all components within the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.2'
+                          rel: assessment-for
                     - id: cm-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -19209,6 +20906,9 @@ catalog:
                           value: CM-08a.03
                           class: sp800-53a
                       prose: an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.3'
+                          rel: assessment-for
                     - id: cm-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -19216,6 +20916,9 @@ catalog:
                           value: CM-08a.04
                           class: sp800-53a
                       prose: an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.4'
+                          rel: assessment-for
                     - id: cm-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -19223,6 +20926,12 @@ catalog:
                           value: CM-08a.05
                           class: sp800-53a
                       prose: 'an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;'
+                      links:
+                        - href: '#cm-8_smt.a.5'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8_smt.a'
+                      rel: assessment-for
                 - id: cm-8_obj.b
                   name: assessment-objective
                   props:
@@ -19230,6 +20939,12 @@ catalog:
                       value: CM-08b.
                       class: sp800-53a
                   prose: 'the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.'
+                  links:
+                    - href: '#cm-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-8_smt'
+                  rel: assessment-for
             - id: cm-8_asm-examine
               name: assessment-method
               props:
@@ -19335,6 +21050,9 @@ catalog:
                           value: CM-08(01)[01]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component installations;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -19342,6 +21060,9 @@ catalog:
                           value: CM-08(01)[02]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component removals;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-3
                       name: assessment-objective
                       props:
@@ -19349,6 +21070,12 @@ catalog:
                           value: CM-08(01)[03]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of system updates.
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.1_smt'
+                      rel: assessment-for
                 - id: cm-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -19503,6 +21230,9 @@ catalog:
                           value: CM-08(02)[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-2
                       name: assessment-objective
                       props:
@@ -19510,6 +21240,9 @@ catalog:
                           value: CM-08(02)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-3
                       name: assessment-objective
                       props:
@@ -19517,6 +21250,9 @@ catalog:
                           value: CM-08(02)[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-4
                       name: assessment-objective
                       props:
@@ -19524,6 +21260,12 @@ catalog:
                           value: CM-08(02)[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.2_smt'
+                      rel: assessment-for
                 - id: cm-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -19739,6 +21481,9 @@ catalog:
                               value: CM-08(03)(a)[01]
                               class: sp800-53a
                           prose: 'the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -19746,6 +21491,9 @@ catalog:
                               value: CM-08(03)(a)[02]
                               class: sp800-53a
                           prose: 'the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-3
                           name: assessment-objective
                           props:
@@ -19753,6 +21501,12 @@ catalog:
                               value: CM-08(03)(a)[03]
                               class: sp800-53a
                           prose: 'the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.a'
+                          rel: assessment-for
                     - id: cm-8.3_obj.b
                       name: assessment-objective
                       props:
@@ -19767,6 +21521,9 @@ catalog:
                               value: CM-08(03)(b)[01]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -19774,6 +21531,9 @@ catalog:
                               value: CM-08(03)(b)[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-3
                           name: assessment-objective
                           props:
@@ -19781,6 +21541,15 @@ catalog:
                               value: CM-08(03)(b)[03]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.3_smt'
+                      rel: assessment-for
                 - id: cm-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -19908,6 +21677,9 @@ catalog:
                       value: CM-08(04)
                       class: sp800-53a
                   prose: 'individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.'
+                  links:
+                    - href: '#cm-8.4_smt'
+                      rel: assessment-for
                 - id: cm-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -20068,6 +21840,9 @@ catalog:
                       value: CM-09[01]
                       class: sp800-53a
                   prose: a configuration management plan for the system is developed and documented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj-2
                   name: assessment-objective
                   props:
@@ -20075,6 +21850,9 @@ catalog:
                       value: CM-09[02]
                       class: sp800-53a
                   prose: a configuration management plan for the system is implemented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj.a
                   name: assessment-objective
                   props:
@@ -20089,6 +21867,9 @@ catalog:
                           value: CM-09a.[01]
                           class: sp800-53a
                       prose: the configuration management plan addresses roles;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -20096,6 +21877,9 @@ catalog:
                           value: CM-09a.[02]
                           class: sp800-53a
                       prose: the configuration management plan addresses responsibilities;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -20103,6 +21887,12 @@ catalog:
                           value: CM-09a.[03]
                           class: sp800-53a
                       prose: the configuration management plan addresses configuration management processes and procedures;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.a'
+                      rel: assessment-for
                 - id: cm-9_obj.b
                   name: assessment-objective
                   props:
@@ -20117,6 +21907,9 @@ catalog:
                           value: CM-09b.[01]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
                     - id: cm-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -20124,6 +21917,12 @@ catalog:
                           value: CM-09b.[02]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for managing the configuration of the configuration items;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.b'
+                      rel: assessment-for
                 - id: cm-9_obj.c
                   name: assessment-objective
                   props:
@@ -20138,6 +21937,9 @@ catalog:
                           value: CM-09c.[01]
                           class: sp800-53a
                       prose: the configuration management plan defines the configuration items for the system;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
                     - id: cm-9_obj.c-2
                       name: assessment-objective
                       props:
@@ -20145,6 +21947,12 @@ catalog:
                           value: CM-09c.[02]
                           class: sp800-53a
                       prose: the configuration management plan places the configuration items under configuration management;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.c'
+                      rel: assessment-for
                 - id: cm-9_obj.d
                   name: assessment-objective
                   props:
@@ -20152,6 +21960,9 @@ catalog:
                       value: CM-09d.
                       class: sp800-53a
                   prose: 'the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};'
+                  links:
+                    - href: '#cm-9_smt.d'
+                      rel: assessment-for
                 - id: cm-9_obj.e
                   name: assessment-objective
                   props:
@@ -20166,6 +21977,9 @@ catalog:
                           value: CM-09e.[01]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
                     - id: cm-9_obj.e-2
                       name: assessment-objective
                       props:
@@ -20173,6 +21987,15 @@ catalog:
                           value: CM-09e.[02]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#cm-9_smt'
+                  rel: assessment-for
             - id: cm-9_asm-examine
               name: assessment-method
               props:
@@ -20308,6 +22131,9 @@ catalog:
                       value: CM-10a.
                       class: sp800-53a
                   prose: software and associated documentation are used in accordance with contract agreements and copyright laws;
+                  links:
+                    - href: '#cm-10_smt.a'
+                      rel: assessment-for
                 - id: cm-10_obj.b
                   name: assessment-objective
                   props:
@@ -20315,6 +22141,9 @@ catalog:
                       value: CM-10b.
                       class: sp800-53a
                   prose: the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
+                  links:
+                    - href: '#cm-10_smt.b'
+                      rel: assessment-for
                 - id: cm-10_obj.c
                   name: assessment-objective
                   props:
@@ -20322,6 +22151,12 @@ catalog:
                       value: CM-10c.
                       class: sp800-53a
                   prose: the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+                  links:
+                    - href: '#cm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-10_smt'
+                  rel: assessment-for
             - id: cm-10_asm-examine
               name: assessment-method
               props:
@@ -20498,6 +22333,9 @@ catalog:
                       value: CM-11a.
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;'
+                  links:
+                    - href: '#cm-11_smt.a'
+                      rel: assessment-for
                 - id: cm-11_obj.b
                   name: assessment-objective
                   props:
@@ -20505,6 +22343,9 @@ catalog:
                       value: CM-11b.
                       class: sp800-53a
                   prose: 'software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};'
+                  links:
+                    - href: '#cm-11_smt.b'
+                      rel: assessment-for
                 - id: cm-11_obj.c
                   name: assessment-objective
                   props:
@@ -20512,6 +22353,12 @@ catalog:
                       value: CM-11c.
                       class: sp800-53a
                   prose: 'compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.'
+                  links:
+                    - href: '#cm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-11_smt'
+                  rel: assessment-for
             - id: cm-11_asm-examine
               name: assessment-method
               props:
@@ -20698,6 +22545,9 @@ catalog:
                           value: CM-12a.[01]
                           class: sp800-53a
                       prose: 'the location of {{ insert: param, cm-12_odp }} is identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-2
                       name: assessment-objective
                       props:
@@ -20705,6 +22555,9 @@ catalog:
                           value: CM-12a.[02]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-3
                       name: assessment-objective
                       props:
@@ -20712,6 +22565,12 @@ catalog:
                           value: CM-12a.[03]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.a'
+                      rel: assessment-for
                 - id: cm-12_obj.b
                   name: assessment-objective
                   props:
@@ -20726,6 +22585,9 @@ catalog:
                           value: CM-12b.[01]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
                     - id: cm-12_obj.b-2
                       name: assessment-objective
                       props:
@@ -20733,6 +22595,12 @@ catalog:
                           value: CM-12b.[02]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.b'
+                      rel: assessment-for
                 - id: cm-12_obj.c
                   name: assessment-objective
                   props:
@@ -20747,6 +22615,9 @@ catalog:
                           value: CM-12c.[01]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
                     - id: cm-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -20754,6 +22625,15 @@ catalog:
                           value: CM-12c.[02]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-12_smt'
+                  rel: assessment-for
             - id: cm-12_asm-examine
               name: assessment-method
               props:
@@ -20885,6 +22765,9 @@ catalog:
                       value: CM-12(01)
                       class: sp800-53a
                   prose: 'automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.'
+                  links:
+                    - href: '#cm-12.1_smt'
+                      rel: assessment-for
                 - id: cm-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -21168,6 +23051,9 @@ catalog:
                           value: CP-01a.[01]
                           class: sp800-53a
                       prose: a contingency planning policy is developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -21175,6 +23061,9 @@ catalog:
                           value: CP-01a.[02]
                           class: sp800-53a
                       prose: 'the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -21182,6 +23071,9 @@ catalog:
                           value: CP-01a.[03]
                           class: sp800-53a
                       prose: contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -21189,6 +23081,9 @@ catalog:
                           value: CP-01a.[04]
                           class: sp800-53a
                       prose: 'the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -21210,6 +23105,9 @@ catalog:
                                   value: CP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -21217,6 +23115,9 @@ catalog:
                                   value: CP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -21224,6 +23125,9 @@ catalog:
                                   value: CP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -21231,6 +23135,9 @@ catalog:
                                   value: CP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -21238,6 +23145,9 @@ catalog:
                                   value: CP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -21245,6 +23155,9 @@ catalog:
                                   value: CP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -21252,6 +23165,12 @@ catalog:
                                   value: CP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -21259,6 +23178,15 @@ catalog:
                               value: CP-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#cp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.a'
+                      rel: assessment-for
                 - id: cp-1_obj.b
                   name: assessment-objective
                   props:
@@ -21266,6 +23194,9 @@ catalog:
                       value: CP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;'
+                  links:
+                    - href: '#cp-1_smt.b'
+                      rel: assessment-for
                 - id: cp-1_obj.c
                   name: assessment-objective
                   props:
@@ -21287,6 +23218,9 @@ catalog:
                               value: CP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
                         - id: cp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -21294,6 +23228,12 @@ catalog:
                               value: CP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.1'
+                          rel: assessment-for
                     - id: cp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -21308,6 +23248,9 @@ catalog:
                               value: CP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
                         - id: cp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -21315,6 +23258,18 @@ catalog:
                               value: CP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-1_smt'
+                  rel: assessment-for
             - id: cp-1_asm-examine
               name: assessment-method
               props:
@@ -21626,6 +23581,9 @@ catalog:
                           value: CP-02a.01
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
+                      links:
+                        - href: '#cp-2_smt.a.1'
+                          rel: assessment-for
                     - id: cp-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -21640,6 +23598,9 @@ catalog:
                               value: CP-02a.02[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides recovery objectives;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -21647,6 +23608,9 @@ catalog:
                               value: CP-02a.02[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides restoration priorities;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -21654,6 +23618,12 @@ catalog:
                               value: CP-02a.02[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides metrics;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.2'
+                          rel: assessment-for
                     - id: cp-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -21668,6 +23638,9 @@ catalog:
                               value: CP-02a.03[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency roles;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -21675,6 +23648,9 @@ catalog:
                               value: CP-02a.03[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency responsibilities;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -21682,6 +23658,12 @@ catalog:
                               value: CP-02a.03[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses assigned individuals with contact information;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.3'
+                          rel: assessment-for
                     - id: cp-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -21689,6 +23671,9 @@ catalog:
                           value: CP-02a.04
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
+                      links:
+                        - href: '#cp-2_smt.a.4'
+                          rel: assessment-for
                     - id: cp-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -21696,6 +23681,9 @@ catalog:
                           value: CP-02a.05
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
+                      links:
+                        - href: '#cp-2_smt.a.5'
+                          rel: assessment-for
                     - id: cp-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -21703,6 +23691,9 @@ catalog:
                           value: CP-02a.06
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses the sharing of contingency information;
+                      links:
+                        - href: '#cp-2_smt.a.6'
+                          rel: assessment-for
                     - id: cp-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -21717,6 +23708,9 @@ catalog:
                               value: CP-02a.07[01]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
                         - id: cp-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -21724,6 +23718,15 @@ catalog:
                               value: CP-02a.07[02]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.7'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.a'
+                      rel: assessment-for
                 - id: cp-2_obj.b
                   name: assessment-objective
                   props:
@@ -21738,6 +23741,9 @@ catalog:
                           value: CP-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
                     - id: cp-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -21745,6 +23751,12 @@ catalog:
                           value: CP-02b.[02]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.b'
+                      rel: assessment-for
                 - id: cp-2_obj.c
                   name: assessment-objective
                   props:
@@ -21752,6 +23764,9 @@ catalog:
                       value: CP-02c.
                       class: sp800-53a
                   prose: contingency planning activities are coordinated with incident handling activities;
+                  links:
+                    - href: '#cp-2_smt.c'
+                      rel: assessment-for
                 - id: cp-2_obj.d
                   name: assessment-objective
                   props:
@@ -21759,6 +23774,9 @@ catalog:
                       value: CP-02d.
                       class: sp800-53a
                   prose: 'the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};'
+                  links:
+                    - href: '#cp-2_smt.d'
+                      rel: assessment-for
                 - id: cp-2_obj.e
                   name: assessment-objective
                   props:
@@ -21773,6 +23791,9 @@ catalog:
                           value: CP-02e.[01]
                           class: sp800-53a
                       prose: the contingency plan is updated to address changes to the organization, system, or environment of operation;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
                     - id: cp-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -21780,6 +23801,12 @@ catalog:
                           value: CP-02e.[02]
                           class: sp800-53a
                       prose: the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.e'
+                      rel: assessment-for
                 - id: cp-2_obj.f
                   name: assessment-objective
                   props:
@@ -21794,6 +23821,9 @@ catalog:
                           value: CP-02f.[01]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
                     - id: cp-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -21801,6 +23831,12 @@ catalog:
                           value: CP-02f.[02]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.f'
+                      rel: assessment-for
                 - id: cp-2_obj.g
                   name: assessment-objective
                   props:
@@ -21815,6 +23851,9 @@ catalog:
                           value: CP-02g.[01]
                           class: sp800-53a
                       prose: lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
                     - id: cp-2_obj.g-2
                       name: assessment-objective
                       props:
@@ -21822,6 +23861,12 @@ catalog:
                           value: CP-02g.[02]
                           class: sp800-53a
                       prose: lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.g'
+                      rel: assessment-for
                 - id: cp-2_obj.h
                   name: assessment-objective
                   props:
@@ -21836,6 +23881,9 @@ catalog:
                           value: CP-02h.[01]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
                     - id: cp-2_obj.h-2
                       name: assessment-objective
                       props:
@@ -21843,6 +23891,15 @@ catalog:
                           value: CP-02h.[02]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.h'
+                      rel: assessment-for
+              links:
+                - href: '#cp-2_smt'
+                  rel: assessment-for
             - id: cp-2_asm-examine
               name: assessment-method
               props:
@@ -21932,6 +23989,9 @@ catalog:
                       value: CP-02(01)
                       class: sp800-53a
                   prose: contingency plan development is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-2.1_smt'
+                      rel: assessment-for
                 - id: cp-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -22036,6 +24096,9 @@ catalog:
                           value: CP-02(02)[01]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
                     - id: cp-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -22043,6 +24106,9 @@ catalog:
                           value: CP-02(02)[02]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
                     - id: cp-2.2_obj-3
                       name: assessment-objective
                       props:
@@ -22050,6 +24116,12 @@ catalog:
                           value: CP-02(02)[03]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2.2_smt'
+                      rel: assessment-for
                 - id: cp-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -22143,6 +24215,9 @@ catalog:
                       value: CP-02(03)
                       class: sp800-53a
                   prose: 'the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.'
+                  links:
+                    - href: '#cp-2.3_smt'
+                      rel: assessment-for
                 - id: cp-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -22251,6 +24326,9 @@ catalog:
                           value: CP-02(05)[01]
                           class: sp800-53a
                       prose: 'the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;'
+                      links:
+                        - href: '#cp-2.5_smt'
+                          rel: assessment-for
                     - id: cp-2.5_obj-2
                       name: assessment-objective
                       props:
@@ -22258,6 +24336,12 @@ catalog:
                           value: CP-02(05)[02]
                           class: sp800-53a
                       prose: continuity is sustained until full system restoration at primary processing and/or storage sites.
+                      links:
+                        - href: '#cp-2.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2.5_smt'
+                      rel: assessment-for
                 - id: cp-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -22369,6 +24453,9 @@ catalog:
                       value: CP-02(08)
                       class: sp800-53a
                   prose: 'critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.'
+                  links:
+                    - href: '#cp-2.8_smt'
+                      rel: assessment-for
                 - id: cp-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -22547,6 +24634,9 @@ catalog:
                           value: CP-03a.01
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;'
+                      links:
+                        - href: '#cp-3_smt.a.1'
+                          rel: assessment-for
                     - id: cp-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -22554,6 +24644,9 @@ catalog:
                           value: CP-03a.02
                           class: sp800-53a
                       prose: contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#cp-3_smt.a.2'
+                          rel: assessment-for
                     - id: cp-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -22561,6 +24654,12 @@ catalog:
                           value: CP-03a.03
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;'
+                      links:
+                        - href: '#cp-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.a'
+                      rel: assessment-for
                 - id: cp-3_obj.b
                   name: assessment-objective
                   props:
@@ -22575,6 +24674,9 @@ catalog:
                           value: CP-03b.[01]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
                     - id: cp-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -22582,6 +24684,15 @@ catalog:
                           value: CP-03b.[02]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-3_smt'
+                  rel: assessment-for
             - id: cp-3_asm-examine
               name: assessment-method
               props:
@@ -22671,6 +24782,9 @@ catalog:
                       value: CP-03(01)
                       class: sp800-53a
                   prose: simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.
+                  links:
+                    - href: '#cp-3.1_smt'
+                      rel: assessment-for
                 - id: cp-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -22854,6 +24968,9 @@ catalog:
                           value: CP-04a.[01]
                           class: sp800-53a
                       prose: 'the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -22861,6 +24978,9 @@ catalog:
                           value: CP-04a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -22868,6 +24988,12 @@ catalog:
                           value: CP-04a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4_smt.a'
+                      rel: assessment-for
                 - id: cp-4_obj.b
                   name: assessment-objective
                   props:
@@ -22875,6 +25001,9 @@ catalog:
                       value: CP-04b.
                       class: sp800-53a
                   prose: the contingency plan test results are reviewed;
+                  links:
+                    - href: '#cp-4_smt.b'
+                      rel: assessment-for
                 - id: cp-4_obj.c
                   name: assessment-objective
                   props:
@@ -22882,6 +25011,12 @@ catalog:
                       value: CP-04c.
                       class: sp800-53a
                   prose: corrective actions are initiated, if needed.
+                  links:
+                    - href: '#cp-4_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-4_smt'
+                  rel: assessment-for
             - id: cp-4_asm-examine
               name: assessment-method
               props:
@@ -22976,6 +25111,9 @@ catalog:
                       value: CP-04(01)
                       class: sp800-53a
                   prose: contingency plan testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-4.1_smt'
+                      rel: assessment-for
                 - id: cp-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -23088,6 +25226,9 @@ catalog:
                           value: CP-04(02)(a)
                           class: sp800-53a
                       prose: the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;
+                      links:
+                        - href: '#cp-4.2_smt.a'
+                          rel: assessment-for
                     - id: cp-4.2_obj.b
                       name: assessment-objective
                       props:
@@ -23095,6 +25236,12 @@ catalog:
                           value: CP-04(02)(b)
                           class: sp800-53a
                       prose: the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
+                      links:
+                        - href: '#cp-4.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4.2_smt'
+                      rel: assessment-for
                 - id: cp-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -23231,6 +25378,9 @@ catalog:
                           value: CP-06a.[01]
                           class: sp800-53a
                       prose: an alternate storage site is established;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
                     - id: cp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -23238,6 +25388,12 @@ catalog:
                           value: CP-06a.[02]
                           class: sp800-53a
                       prose: establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6_smt.a'
+                      rel: assessment-for
                 - id: cp-6_obj.b
                   name: assessment-objective
                   props:
@@ -23245,6 +25401,12 @@ catalog:
                       value: CP-06b.
                       class: sp800-53a
                   prose: the alternate storage site provides controls equivalent to that of the primary site.
+                  links:
+                    - href: '#cp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-6_smt'
+                  rel: assessment-for
             - id: cp-6_asm-examine
               name: assessment-method
               props:
@@ -23336,6 +25498,9 @@ catalog:
                       value: CP-06(01)
                       class: sp800-53a
                   prose: an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
+                  links:
+                    - href: '#cp-6.1_smt'
+                      rel: assessment-for
                 - id: cp-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -23418,6 +25583,9 @@ catalog:
                           value: CP-06(02)[01]
                           class: sp800-53a
                       prose: the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;
+                      links:
+                        - href: '#cp-6.2_smt'
+                          rel: assessment-for
                     - id: cp-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -23425,6 +25593,12 @@ catalog:
                           value: CP-06(02)[02]
                           class: sp800-53a
                       prose: the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.
+                      links:
+                        - href: '#cp-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6.2_smt'
+                      rel: assessment-for
                 - id: cp-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -23524,6 +25698,9 @@ catalog:
                           value: CP-06(03)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
                     - id: cp-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -23531,6 +25708,12 @@ catalog:
                           value: CP-06(03)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6.3_smt'
+                      rel: assessment-for
                 - id: cp-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -23681,6 +25864,9 @@ catalog:
                       value: CP-07a.
                       class: sp800-53a
                   prose: 'an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;'
+                  links:
+                    - href: '#cp-7_smt.a'
+                      rel: assessment-for
                 - id: cp-7_obj.b
                   name: assessment-objective
                   props:
@@ -23695,6 +25881,9 @@ catalog:
                           value: CP-07b.[01]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
                     - id: cp-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -23702,6 +25891,12 @@ catalog:
                           value: CP-07b.[02]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7_smt.b'
+                      rel: assessment-for
                 - id: cp-7_obj.c
                   name: assessment-objective
                   props:
@@ -23709,6 +25904,12 @@ catalog:
                       value: CP-07c.
                       class: sp800-53a
                   prose: controls provided at the alternate processing site are equivalent to those at the primary site.
+                  links:
+                    - href: '#cp-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-7_smt'
+                  rel: assessment-for
             - id: cp-7_asm-examine
               name: assessment-method
               props:
@@ -23804,6 +26005,9 @@ catalog:
                       value: CP-07(01)
                       class: sp800-53a
                   prose: an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
+                  links:
+                    - href: '#cp-7.1_smt'
+                      rel: assessment-for
                 - id: cp-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -23888,6 +26092,9 @@ catalog:
                           value: CP-07(02)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
                     - id: cp-7.2_obj-2
                       name: assessment-objective
                       props:
@@ -23895,6 +26102,12 @@ catalog:
                           value: CP-07(02)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7.2_smt'
+                      rel: assessment-for
                 - id: cp-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -23970,6 +26183,9 @@ catalog:
                       value: CP-07(03)
                       class: sp800-53a
                   prose: alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
+                  links:
+                    - href: '#cp-7.3_smt'
+                      rel: assessment-for
                 - id: cp-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -24051,6 +26267,9 @@ catalog:
                       value: CP-07(04)
                       class: sp800-53a
                   prose: the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.
+                  links:
+                    - href: '#cp-7.4_smt'
+                      rel: assessment-for
                 - id: cp-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -24169,6 +26388,9 @@ catalog:
                   value: CP-08
                   class: sp800-53a
               prose: 'alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.'
+              links:
+                - href: '#cp-8_smt'
+                  rel: assessment-for
             - id: cp-8_asm-examine
               name: assessment-method
               props:
@@ -24283,6 +26505,9 @@ catalog:
                               value: CP-08(01)(a)[01]
                               class: sp800-53a
                           prose: primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
                         - id: cp-8.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -24290,6 +26515,12 @@ catalog:
                               value: CP-08(01)(a)[02]
                               class: sp800-53a
                           prose: alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.1_smt.a'
+                          rel: assessment-for
                     - id: cp-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -24297,6 +26528,12 @@ catalog:
                           value: CP-08(01)(b)
                           class: sp800-53a
                       prose: Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
+                      links:
+                        - href: '#cp-8.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-8.1_smt'
+                      rel: assessment-for
                 - id: cp-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -24384,6 +26621,9 @@ catalog:
                       value: CP-08(02)
                       class: sp800-53a
                   prose: alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
+                  links:
+                    - href: '#cp-8.2_smt'
+                      rel: assessment-for
                 - id: cp-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -24457,6 +26697,9 @@ catalog:
                       value: CP-08(03)
                       class: sp800-53a
                   prose: alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.
+                  links:
+                    - href: '#cp-8.3_smt'
+                      rel: assessment-for
                 - id: cp-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -24594,6 +26837,9 @@ catalog:
                               value: CP-08(04)(a)[01]
                               class: sp800-53a
                           prose: primary telecommunications service providers are required to have contingency plans;
+                          links:
+                            - href: '#cp-8.4_smt.a'
+                              rel: assessment-for
                         - id: cp-8.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -24601,6 +26847,12 @@ catalog:
                               value: CP-08(04)(a)[02]
                               class: sp800-53a
                           prose: alternate telecommunications service providers are required to have contingency plans;
+                          links:
+                            - href: '#cp-8.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.4_smt.a'
+                          rel: assessment-for
                     - id: cp-8.4_obj.b
                       name: assessment-objective
                       props:
@@ -24608,6 +26860,9 @@ catalog:
                           value: CP-08(04)(b)
                           class: sp800-53a
                       prose: provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;
+                      links:
+                        - href: '#cp-8.4_smt.b'
+                          rel: assessment-for
                     - id: cp-8.4_obj.c
                       name: assessment-objective
                       props:
@@ -24622,6 +26877,9 @@ catalog:
                               value: CP-08(04)(c)[01]
                               class: sp800-53a
                           prose: 'evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.'
+                          links:
+                            - href: '#cp-8.4_smt.c'
+                              rel: assessment-for
                         - id: cp-8.4_obj.c-2
                           name: assessment-objective
                           props:
@@ -24629,6 +26887,15 @@ catalog:
                               value: CP-08(04)(c)[02]
                               class: sp800-53a
                           prose: 'evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.'
+                          links:
+                            - href: '#cp-8.4_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-8.4_smt'
+                      rel: assessment-for
                 - id: cp-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -24815,6 +27082,9 @@ catalog:
                       value: CP-09a.
                       class: sp800-53a
                   prose: 'backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};'
+                  links:
+                    - href: '#cp-9_smt.a'
+                      rel: assessment-for
                 - id: cp-9_obj.b
                   name: assessment-objective
                   props:
@@ -24822,6 +27092,9 @@ catalog:
                       value: CP-09b.
                       class: sp800-53a
                   prose: 'backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};'
+                  links:
+                    - href: '#cp-9_smt.b'
+                      rel: assessment-for
                 - id: cp-9_obj.c
                   name: assessment-objective
                   props:
@@ -24829,6 +27102,9 @@ catalog:
                       value: CP-09c.
                       class: sp800-53a
                   prose: 'backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};'
+                  links:
+                    - href: '#cp-9_smt.c'
+                      rel: assessment-for
                 - id: cp-9_obj.d
                   name: assessment-objective
                   props:
@@ -24843,6 +27119,9 @@ catalog:
                           value: CP-09d.[01]
                           class: sp800-53a
                       prose: the confidentiality of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-2
                       name: assessment-objective
                       props:
@@ -24850,6 +27129,9 @@ catalog:
                           value: CP-09d.[02]
                           class: sp800-53a
                       prose: the integrity of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-3
                       name: assessment-objective
                       props:
@@ -24857,6 +27139,15 @@ catalog:
                           value: CP-09d.[03]
                           class: sp800-53a
                       prose: the availability of backup information is protected.
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cp-9_smt'
+                  rel: assessment-for
             - id: cp-9_asm-examine
               name: assessment-method
               props:
@@ -24981,6 +27272,9 @@ catalog:
                           value: CP-09(01)[01]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
                     - id: cp-9.1_obj-2
                       name: assessment-objective
                       props:
@@ -24988,6 +27282,12 @@ catalog:
                           value: CP-09(01)[02]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.1_smt'
+                      rel: assessment-for
                 - id: cp-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -25078,6 +27378,9 @@ catalog:
                       value: CP-09(02)
                       class: sp800-53a
                   prose: a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.
+                  links:
+                    - href: '#cp-9.2_smt'
+                      rel: assessment-for
                 - id: cp-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -25185,6 +27488,9 @@ catalog:
                       value: CP-09(03)
                       class: sp800-53a
                   prose: 'backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.'
+                  links:
+                    - href: '#cp-9.3_smt'
+                      rel: assessment-for
                 - id: cp-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -25301,6 +27607,9 @@ catalog:
                           value: CP-09(05)[01]
                           class: sp800-53a
                       prose: 'system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};'
+                      links:
+                        - href: '#cp-9.5_smt'
+                          rel: assessment-for
                     - id: cp-9.5_obj-2
                       name: assessment-objective
                       props:
@@ -25308,6 +27617,12 @@ catalog:
                           value: CP-09(05)[02]
                           class: sp800-53a
                       prose: 'system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.'
+                      links:
+                        - href: '#cp-9.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.5_smt'
+                      rel: assessment-for
                 - id: cp-9.5_asm-examine
                   name: assessment-method
                   props:
@@ -25415,6 +27730,9 @@ catalog:
                       value: CP-09(08)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.'
+                  links:
+                    - href: '#cp-9.8_smt'
+                      rel: assessment-for
                 - id: cp-9.8_asm-examine
                   name: assessment-method
                   props:
@@ -25549,6 +27867,9 @@ catalog:
                       value: CP-10[01]
                       class: sp800-53a
                   prose: 'the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
                 - id: cp-10_obj-2
                   name: assessment-objective
                   props:
@@ -25556,6 +27877,12 @@ catalog:
                       value: CP-10[02]
                       class: sp800-53a
                   prose: 'a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cp-10_smt'
+                  rel: assessment-for
             - id: cp-10_asm-examine
               name: assessment-method
               props:
@@ -25649,6 +27976,9 @@ catalog:
                       value: CP-10(02)
                       class: sp800-53a
                   prose: transaction recovery is implemented for systems that are transaction-based.
+                  links:
+                    - href: '#cp-10.2_smt'
+                      rel: assessment-for
                 - id: cp-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -25755,6 +28085,9 @@ catalog:
                       value: CP-10(04)
                       class: sp800-53a
                   prose: 'the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.'
+                  links:
+                    - href: '#cp-10.4_smt'
+                      rel: assessment-for
                 - id: cp-10.4_asm-examine
                   name: assessment-method
                   props:
@@ -26039,6 +28372,9 @@ catalog:
                           value: IA-01a.[01]
                           class: sp800-53a
                       prose: an identification and authentication policy is developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -26046,6 +28382,9 @@ catalog:
                           value: IA-01a.[02]
                           class: sp800-53a
                       prose: 'the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -26053,6 +28392,9 @@ catalog:
                           value: IA-01a.[03]
                           class: sp800-53a
                       prose: identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -26060,6 +28402,9 @@ catalog:
                           value: IA-01a.[04]
                           class: sp800-53a
                       prose: 'the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -26081,6 +28426,9 @@ catalog:
                                   value: IA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -26088,6 +28436,9 @@ catalog:
                                   value: IA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -26095,6 +28446,9 @@ catalog:
                                   value: IA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -26102,6 +28456,9 @@ catalog:
                                   value: IA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -26109,6 +28466,9 @@ catalog:
                                   value: IA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -26116,6 +28476,9 @@ catalog:
                                   value: IA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -26123,6 +28486,12 @@ catalog:
                                   value: IA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ia-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ia-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -26130,6 +28499,15 @@ catalog:
                               value: IA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ia-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.a'
+                      rel: assessment-for
                 - id: ia-1_obj.b
                   name: assessment-objective
                   props:
@@ -26137,6 +28515,9 @@ catalog:
                       value: IA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;'
+                  links:
+                    - href: '#ia-1_smt.b'
+                      rel: assessment-for
                 - id: ia-1_obj.c
                   name: assessment-objective
                   props:
@@ -26158,6 +28539,9 @@ catalog:
                               value: IA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
                         - id: ia-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -26165,6 +28549,12 @@ catalog:
                               value: IA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.1'
+                          rel: assessment-for
                     - id: ia-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -26179,6 +28569,9 @@ catalog:
                               value: IA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
                         - id: ia-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -26186,6 +28579,18 @@ catalog:
                               value: IA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-1_smt'
+                  rel: assessment-for
             - id: ia-1_asm-examine
               name: assessment-method
               props:
@@ -26298,6 +28703,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ma-5'
@@ -26336,6 +28743,9 @@ catalog:
                       value: IA-02[01]
                       class: sp800-53a
                   prose: organizational users are uniquely identified and authenticated;
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
                 - id: ia-2_obj-2
                   name: assessment-objective
                   props:
@@ -26343,6 +28753,12 @@ catalog:
                       value: IA-02[02]
                       class: sp800-53a
                   prose: the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ia-2_smt'
+                  rel: assessment-for
             - id: ia-2_asm-examine
               name: assessment-method
               props:
@@ -26440,6 +28856,9 @@ catalog:
                       value: IA-02(01)
                       class: sp800-53a
                   prose: multi-factor authentication is implemented for access to privileged accounts.
+                  links:
+                    - href: '#ia-2.1_smt'
+                      rel: assessment-for
                 - id: ia-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -26533,6 +28952,9 @@ catalog:
                       value: IA-02(02)
                       class: sp800-53a
                   prose: multi-factor authentication for access to non-privileged accounts is implemented.
+                  links:
+                    - href: '#ia-2.2_smt'
+                      rel: assessment-for
                 - id: ia-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -26627,6 +29049,9 @@ catalog:
                       value: IA-02(05)
                       class: sp800-53a
                   prose: users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.
+                  links:
+                    - href: '#ia-2.5_smt'
+                      rel: assessment-for
                 - id: ia-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -26731,6 +29156,9 @@ catalog:
                       value: IA-02(08)
                       class: sp800-53a
                   prose: 'replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.'
+                  links:
+                    - href: '#ia-2.8_smt'
+                      rel: assessment-for
                 - id: ia-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -26825,6 +29253,9 @@ catalog:
                       value: IA-02(12)
                       class: sp800-53a
                   prose: Personal Identity Verification-compliant credentials are accepted and electronically verified.
+                  links:
+                    - href: '#ia-2.12_smt'
+                      rel: assessment-for
                 - id: ia-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -26948,6 +29379,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#si-4'
               rel: related
           parts:
@@ -26964,6 +29397,9 @@ catalog:
                   value: IA-03
                   class: sp800-53a
               prose: ' {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.'
+              links:
+                - href: '#ia-3_smt'
+                  rel: assessment-for
             - id: ia-3_asm-examine
               name: assessment-method
               props:
@@ -27148,6 +29584,9 @@ catalog:
                       value: IA-04a.
                       class: sp800-53a
                   prose: 'system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;'
+                  links:
+                    - href: '#ia-4_smt.a'
+                      rel: assessment-for
                 - id: ia-4_obj.b
                   name: assessment-objective
                   props:
@@ -27155,6 +29594,9 @@ catalog:
                       value: IA-04b.
                       class: sp800-53a
                   prose: system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.b'
+                      rel: assessment-for
                 - id: ia-4_obj.c
                   name: assessment-objective
                   props:
@@ -27162,6 +29604,9 @@ catalog:
                       value: IA-04c.
                       class: sp800-53a
                   prose: system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.c'
+                      rel: assessment-for
                 - id: ia-4_obj.d
                   name: assessment-objective
                   props:
@@ -27169,6 +29614,12 @@ catalog:
                       value: IA-04d.
                       class: sp800-53a
                   prose: 'system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.'
+                  links:
+                    - href: '#ia-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ia-4_smt'
+                  rel: assessment-for
             - id: ia-4_asm-examine
               name: assessment-method
               props:
@@ -27275,6 +29726,9 @@ catalog:
                       value: IA-04(04)
                       class: sp800-53a
                   prose: 'individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.'
+                  links:
+                    - href: '#ia-4.4_smt'
+                      rel: assessment-for
                 - id: ia-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -27497,6 +29951,9 @@ catalog:
                       value: IA-05a.
                       class: sp800-53a
                   prose: system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;
+                  links:
+                    - href: '#ia-5_smt.a'
+                      rel: assessment-for
                 - id: ia-5_obj.b
                   name: assessment-objective
                   props:
@@ -27504,6 +29961,9 @@ catalog:
                       value: IA-05b.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;
+                  links:
+                    - href: '#ia-5_smt.b'
+                      rel: assessment-for
                 - id: ia-5_obj.c
                   name: assessment-objective
                   props:
@@ -27511,6 +29971,9 @@ catalog:
                       value: IA-05c.
                       class: sp800-53a
                   prose: system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;
+                  links:
+                    - href: '#ia-5_smt.c'
+                      rel: assessment-for
                 - id: ia-5_obj.d
                   name: assessment-objective
                   props:
@@ -27518,6 +29981,9 @@ catalog:
                       value: IA-05d.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;
+                  links:
+                    - href: '#ia-5_smt.d'
+                      rel: assessment-for
                 - id: ia-5_obj.e
                   name: assessment-objective
                   props:
@@ -27525,6 +29991,9 @@ catalog:
                       value: IA-05e.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of default authenticators prior to first use;
+                  links:
+                    - href: '#ia-5_smt.e'
+                      rel: assessment-for
                 - id: ia-5_obj.f
                   name: assessment-objective
                   props:
@@ -27532,6 +30001,9 @@ catalog:
                       value: IA-05f.
                       class: sp800-53a
                   prose: 'system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;'
+                  links:
+                    - href: '#ia-5_smt.f'
+                      rel: assessment-for
                 - id: ia-5_obj.g
                   name: assessment-objective
                   props:
@@ -27539,6 +30011,9 @@ catalog:
                       value: IA-05g.
                       class: sp800-53a
                   prose: system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;
+                  links:
+                    - href: '#ia-5_smt.g'
+                      rel: assessment-for
                 - id: ia-5_obj.h
                   name: assessment-objective
                   props:
@@ -27553,6 +30028,9 @@ catalog:
                           value: IA-05h.[01]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
                     - id: ia-5_obj.h-2
                       name: assessment-objective
                       props:
@@ -27560,6 +30038,12 @@ catalog:
                           value: IA-05h.[02]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5_smt.h'
+                      rel: assessment-for
                 - id: ia-5_obj.i
                   name: assessment-objective
                   props:
@@ -27567,6 +30051,12 @@ catalog:
                       value: IA-05i.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
+                  links:
+                    - href: '#ia-5_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#ia-5_smt'
+                  rel: assessment-for
             - id: ia-5_asm-examine
               name: assessment-method
               props:
@@ -27739,6 +30229,9 @@ catalog:
                           value: IA-05(01)(a)
                           class: sp800-53a
                       prose: 'for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;'
+                      links:
+                        - href: '#ia-5.1_smt.a'
+                          rel: assessment-for
                     - id: ia-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -27746,6 +30239,9 @@ catalog:
                           value: IA-05(01)(b)
                           class: sp800-53a
                       prose: for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);
+                      links:
+                        - href: '#ia-5.1_smt.b'
+                          rel: assessment-for
                     - id: ia-5.1_obj.c
                       name: assessment-objective
                       props:
@@ -27753,6 +30249,9 @@ catalog:
                           value: IA-05(01)(c)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are only transmitted over cryptographically protected channels;
+                      links:
+                        - href: '#ia-5.1_smt.c'
+                          rel: assessment-for
                     - id: ia-5.1_obj.d
                       name: assessment-objective
                       props:
@@ -27760,6 +30259,9 @@ catalog:
                           value: IA-05(01)(d)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;
+                      links:
+                        - href: '#ia-5.1_smt.d'
+                          rel: assessment-for
                     - id: ia-5.1_obj.e
                       name: assessment-objective
                       props:
@@ -27767,6 +30269,9 @@ catalog:
                           value: IA-05(01)(e)
                           class: sp800-53a
                       prose: for password-based authentication, immediate selection of a new password is required upon account recovery;
+                      links:
+                        - href: '#ia-5.1_smt.e'
+                          rel: assessment-for
                     - id: ia-5.1_obj.f
                       name: assessment-objective
                       props:
@@ -27774,6 +30279,9 @@ catalog:
                           value: IA-05(01)(f)
                           class: sp800-53a
                       prose: for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;
+                      links:
+                        - href: '#ia-5.1_smt.f'
+                          rel: assessment-for
                     - id: ia-5.1_obj.g
                       name: assessment-objective
                       props:
@@ -27781,6 +30289,9 @@ catalog:
                           value: IA-05(01)(g)
                           class: sp800-53a
                       prose: for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;
+                      links:
+                        - href: '#ia-5.1_smt.g'
+                          rel: assessment-for
                     - id: ia-5.1_obj.h
                       name: assessment-objective
                       props:
@@ -27788,6 +30299,12 @@ catalog:
                           value: IA-05(01)(h)
                           class: sp800-53a
                       prose: 'for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.'
+                      links:
+                        - href: '#ia-5.1_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.1_smt'
+                      rel: assessment-for
                 - id: ia-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -27933,6 +30450,9 @@ catalog:
                               value: IA-05(02)(a)(01)
                               class: sp800-53a
                           prose: authorized access to the corresponding private key is enforced for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.a.2
                           name: assessment-objective
                           props:
@@ -27940,6 +30460,12 @@ catalog:
                               value: IA-05(02)(a)(02)
                               class: sp800-53a
                           prose: the authenticated identity is mapped to the account of the individual or group for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.a'
+                          rel: assessment-for
                     - id: ia-5.2_obj.b
                       name: assessment-objective
                       props:
@@ -27954,6 +30480,9 @@ catalog:
                               value: IA-05(02)(b)(01)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
+                          links:
+                            - href: '#ia-5.2_smt.b.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.b.2
                           name: assessment-objective
                           props:
@@ -27961,6 +30490,15 @@ catalog:
                               value: IA-05(02)(b)(02)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.
+                          links:
+                            - href: '#ia-5.2_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.2_smt'
+                      rel: assessment-for
                 - id: ia-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -28052,6 +30590,9 @@ catalog:
                       value: IA-05(06)
                       class: sp800-53a
                   prose: authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.
+                  links:
+                    - href: '#ia-5.6_smt'
+                      rel: assessment-for
                 - id: ia-5.6_asm-examine
                   name: assessment-method
                   props:
@@ -28142,6 +30683,9 @@ catalog:
                   value: IA-06
                   class: sp800-53a
               prose: the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
+              links:
+                - href: '#ia-6_smt'
+                  rel: assessment-for
             - id: ia-6_asm-examine
               name: assessment-method
               props:
@@ -28237,6 +30781,9 @@ catalog:
                   value: IA-07
                   class: sp800-53a
               prose: mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
+              links:
+                - href: '#ia-7_smt'
+                  rel: assessment-for
             - id: ia-7_asm-examine
               name: assessment-method
               props:
@@ -28344,6 +30891,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ra-3'
@@ -28366,6 +30915,9 @@ catalog:
                   value: IA-08
                   class: sp800-53a
               prose: non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.
+              links:
+                - href: '#ia-8_smt'
+                  rel: assessment-for
             - id: ia-8_asm-examine
               name: assessment-method
               props:
@@ -28467,6 +31019,9 @@ catalog:
                           value: IA-08(01)[01]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are accepted;
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
                     - id: ia-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -28474,6 +31029,12 @@ catalog:
                           value: IA-08(01)[02]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.1_smt'
+                      rel: assessment-for
                 - id: ia-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -28591,6 +31152,9 @@ catalog:
                           value: IA-08(02)(a)
                           class: sp800-53a
                       prose: only external authenticators that are NIST-compliant are accepted;
+                      links:
+                        - href: '#ia-8.2_smt.a'
+                          rel: assessment-for
                     - id: ia-8.2_obj.b
                       name: assessment-objective
                       props:
@@ -28605,6 +31169,9 @@ catalog:
                               value: IA-08(02)(b)[01]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is documented;
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
                         - id: ia-8.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -28612,6 +31179,15 @@ catalog:
                               value: IA-08(02)(b)[02]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is maintained.
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-8.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.2_smt'
+                      rel: assessment-for
                 - id: ia-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -28723,6 +31299,9 @@ catalog:
                       value: IA-08(04)
                       class: sp800-53a
                   prose: 'there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.'
+                  links:
+                    - href: '#ia-8.4_smt'
+                      rel: assessment-for
                 - id: ia-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -28840,6 +31419,9 @@ catalog:
                   value: IA-11
                   class: sp800-53a
               prose: 'users are required to re-authenticate when {{ insert: param, ia-11_odp }}.'
+              links:
+                - href: '#ia-11_smt'
+                  rel: assessment-for
             - id: ia-11_asm-examine
               name: assessment-method
               props:
@@ -28939,6 +31521,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
           parts:
             - id: ia-12_smt
               name: statement
@@ -28978,6 +31562,9 @@ catalog:
                       value: IA-12a.
                       class: sp800-53a
                   prose: users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;
+                  links:
+                    - href: '#ia-12_smt.a'
+                      rel: assessment-for
                 - id: ia-12_obj.b
                   name: assessment-objective
                   props:
@@ -28985,6 +31572,9 @@ catalog:
                       value: IA-12b.
                       class: sp800-53a
                   prose: user identities are resolved to a unique individual;
+                  links:
+                    - href: '#ia-12_smt.b'
+                      rel: assessment-for
                 - id: ia-12_obj.c
                   name: assessment-objective
                   props:
@@ -28999,6 +31589,9 @@ catalog:
                           value: IA-12c.[01]
                           class: sp800-53a
                       prose: identity evidence is collected;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -29006,6 +31599,9 @@ catalog:
                           value: IA-12c.[02]
                           class: sp800-53a
                       prose: identity evidence is validated;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-3
                       name: assessment-objective
                       props:
@@ -29013,6 +31609,15 @@ catalog:
                           value: IA-12c.[03]
                           class: sp800-53a
                       prose: identity evidence is verified.
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-12_smt'
+                  rel: assessment-for
             - id: ia-12_asm-examine
               name: assessment-method
               props:
@@ -29101,6 +31706,9 @@ catalog:
                       value: IA-12(02)
                       class: sp800-53a
                   prose: evidence of individual identification is presented to the registration authority.
+                  links:
+                    - href: '#ia-12.2_smt'
+                      rel: assessment-for
                 - id: ia-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -29198,6 +31806,9 @@ catalog:
                       value: IA-12(03)
                       class: sp800-53a
                   prose: 'the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.'
+                  links:
+                    - href: '#ia-12.3_smt'
+                      rel: assessment-for
                 - id: ia-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -29281,6 +31892,9 @@ catalog:
                       value: IA-12(04)
                       class: sp800-53a
                   prose: the validation and verification of identity evidence is conducted in person before a designated registration authority.
+                  links:
+                    - href: '#ia-12.4_smt'
+                      rel: assessment-for
                 - id: ia-12.4_asm-examine
                   name: assessment-method
                   props:
@@ -29378,6 +31992,9 @@ catalog:
                       value: IA-12(05)
                       class: sp800-53a
                   prose: 'a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.'
+                  links:
+                    - href: '#ia-12.5_smt'
+                      rel: assessment-for
                 - id: ia-12.5_asm-examine
                   name: assessment-method
                   props:
@@ -29648,6 +32265,9 @@ catalog:
                           value: IR-01a.[01]
                           class: sp800-53a
                       prose: an incident response policy is developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -29655,6 +32275,9 @@ catalog:
                           value: IR-01a.[02]
                           class: sp800-53a
                       prose: 'the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -29662,6 +32285,9 @@ catalog:
                           value: IR-01a.[03]
                           class: sp800-53a
                       prose: incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -29669,6 +32295,9 @@ catalog:
                           value: IR-01a.[04]
                           class: sp800-53a
                       prose: 'the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -29690,6 +32319,9 @@ catalog:
                                   value: IR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -29697,6 +32329,9 @@ catalog:
                                   value: IR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -29704,6 +32339,9 @@ catalog:
                                   value: IR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -29711,6 +32349,9 @@ catalog:
                                   value: IR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -29718,6 +32359,9 @@ catalog:
                                   value: IR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -29725,6 +32369,9 @@ catalog:
                                   value: IR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -29732,6 +32379,12 @@ catalog:
                                   value: IR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ir-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ir-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -29739,6 +32392,15 @@ catalog:
                               value: IR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ir-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.a'
+                      rel: assessment-for
                 - id: ir-1_obj.b
                   name: assessment-objective
                   props:
@@ -29746,6 +32408,9 @@ catalog:
                       value: IR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;'
+                  links:
+                    - href: '#ir-1_smt.b'
+                      rel: assessment-for
                 - id: ir-1_obj.c
                   name: assessment-objective
                   props:
@@ -29767,6 +32432,9 @@ catalog:
                               value: IR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
                         - id: ir-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -29774,6 +32442,12 @@ catalog:
                               value: IR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.1'
+                          rel: assessment-for
                     - id: ir-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -29788,6 +32462,9 @@ catalog:
                               value: IR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
                         - id: ir-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -29795,6 +32472,18 @@ catalog:
                               value: IR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ir-1_smt'
+                  rel: assessment-for
             - id: ir-1_asm-examine
               name: assessment-method
               props:
@@ -29967,6 +32656,9 @@ catalog:
                           value: IR-02a.01
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;'
+                      links:
+                        - href: '#ir-2_smt.a.1'
+                          rel: assessment-for
                     - id: ir-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -29974,6 +32666,9 @@ catalog:
                           value: IR-02a.02
                           class: sp800-53a
                       prose: incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#ir-2_smt.a.2'
+                          rel: assessment-for
                     - id: ir-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -29981,6 +32676,12 @@ catalog:
                           value: IR-02a.03
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;'
+                      links:
+                        - href: '#ir-2_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.a'
+                      rel: assessment-for
                 - id: ir-2_obj.b
                   name: assessment-objective
                   props:
@@ -29995,6 +32696,9 @@ catalog:
                           value: IR-02b.[01]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
                     - id: ir-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -30002,6 +32706,15 @@ catalog:
                           value: IR-02b.[02]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-2_smt'
+                  rel: assessment-for
             - id: ir-2_asm-examine
               name: assessment-method
               props:
@@ -30083,6 +32796,9 @@ catalog:
                       value: IR-02(01)
                       class: sp800-53a
                   prose: simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.
+                  links:
+                    - href: '#ir-2.1_smt'
+                      rel: assessment-for
                 - id: ir-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -30182,6 +32898,9 @@ catalog:
                       value: IR-02(02)
                       class: sp800-53a
                   prose: 'an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.'
+                  links:
+                    - href: '#ir-2.2_smt'
+                      rel: assessment-for
                 - id: ir-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -30309,6 +33028,9 @@ catalog:
                   value: IR-03
                   class: sp800-53a
               prose: 'the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.'
+              links:
+                - href: '#ir-3_smt'
+                  rel: assessment-for
             - id: ir-3_asm-examine
               name: assessment-method
               props:
@@ -30394,6 +33116,9 @@ catalog:
                       value: IR-03(02)
                       class: sp800-53a
                   prose: incident response testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#ir-3.2_smt'
+                      rel: assessment-for
                 - id: ir-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -30581,6 +33306,9 @@ catalog:
                           value: IR-04a.[01]
                           class: sp800-53a
                       prose: an incident handling capability for incidents is implemented that is consistent with the incident response plan;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -30588,6 +33316,9 @@ catalog:
                           value: IR-04a.[02]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes preparation;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -30595,6 +33326,9 @@ catalog:
                           value: IR-04a.[03]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes detection and analysis;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -30602,6 +33336,9 @@ catalog:
                           value: IR-04a.[04]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes containment;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-5
                       name: assessment-objective
                       props:
@@ -30609,6 +33346,9 @@ catalog:
                           value: IR-04a.[05]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes eradication;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-6
                       name: assessment-objective
                       props:
@@ -30616,6 +33356,12 @@ catalog:
                           value: IR-04a.[06]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes recovery;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.a'
+                      rel: assessment-for
                 - id: ir-4_obj.b
                   name: assessment-objective
                   props:
@@ -30623,6 +33369,9 @@ catalog:
                       value: IR-04b.
                       class: sp800-53a
                   prose: incident handling activities are coordinated with contingency planning activities;
+                  links:
+                    - href: '#ir-4_smt.b'
+                      rel: assessment-for
                 - id: ir-4_obj.c
                   name: assessment-objective
                   props:
@@ -30637,6 +33386,9 @@ catalog:
                           value: IR-04c.[01]
                           class: sp800-53a
                       prose: lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
                     - id: ir-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -30644,6 +33396,12 @@ catalog:
                           value: IR-04c.[02]
                           class: sp800-53a
                       prose: the changes resulting from the incorporated lessons learned are implemented accordingly;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.c'
+                      rel: assessment-for
                 - id: ir-4_obj.d
                   name: assessment-objective
                   props:
@@ -30658,6 +33416,9 @@ catalog:
                           value: IR-04d.[01]
                           class: sp800-53a
                       prose: the rigor of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -30665,6 +33426,9 @@ catalog:
                           value: IR-04d.[02]
                           class: sp800-53a
                       prose: the intensity of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-3
                       name: assessment-objective
                       props:
@@ -30672,6 +33436,9 @@ catalog:
                           value: IR-04d.[03]
                           class: sp800-53a
                       prose: the scope of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-4
                       name: assessment-objective
                       props:
@@ -30679,6 +33446,15 @@ catalog:
                           value: IR-04d.[04]
                           class: sp800-53a
                       prose: the results of incident handling activities are comparable and predictable across the organization.
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ir-4_smt'
+                  rel: assessment-for
             - id: ir-4_asm-examine
               name: assessment-method
               props:
@@ -30778,6 +33554,9 @@ catalog:
                       value: IR-04(01)
                       class: sp800-53a
                   prose: 'the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.'
+                  links:
+                    - href: '#ir-4.1_smt'
+                      rel: assessment-for
                 - id: ir-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -30865,6 +33644,9 @@ catalog:
                       value: IR-04(04)
                       class: sp800-53a
                   prose: incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.
+                  links:
+                    - href: '#ir-4.4_smt'
+                      rel: assessment-for
                 - id: ir-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -30996,6 +33778,9 @@ catalog:
                           value: IR-04(11)[01]
                           class: sp800-53a
                       prose: an integrated incident response team is established and maintained;
+                      links:
+                        - href: '#ir-4.11_smt'
+                          rel: assessment-for
                     - id: ir-4.11_obj-2
                       name: assessment-objective
                       props:
@@ -31003,6 +33788,12 @@ catalog:
                           value: IR-04(11)[02]
                           class: sp800-53a
                       prose: 'the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.'
+                      links:
+                        - href: '#ir-4.11_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.11_smt'
+                      rel: assessment-for
                 - id: ir-4.11_asm-examine
                   name: assessment-method
                   props:
@@ -31110,6 +33901,9 @@ catalog:
                       value: IR-05[01]
                       class: sp800-53a
                   prose: incidents are tracked;
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
                 - id: ir-5_obj-2
                   name: assessment-objective
                   props:
@@ -31117,6 +33911,12 @@ catalog:
                       value: IR-05[02]
                       class: sp800-53a
                   prose: incidents are documented.
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-5_smt'
+                  rel: assessment-for
             - id: ir-5_asm-examine
               name: assessment-method
               props:
@@ -31251,6 +34051,9 @@ catalog:
                           value: IR-05(01)[01]
                           class: sp800-53a
                       prose: 'incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
                     - id: ir-5.1_obj-2
                       name: assessment-objective
                       props:
@@ -31258,6 +34061,9 @@ catalog:
                           value: IR-05(01)[02]
                           class: sp800-53a
                       prose: 'incident information is collected using {{ insert: param, ir-05.01_odp.02 }};'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
                     - id: ir-5.1_obj-3
                       name: assessment-objective
                       props:
@@ -31265,6 +34071,12 @@ catalog:
                           value: IR-05(01)[03]
                           class: sp800-53a
                       prose: 'incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-5.1_smt'
+                      rel: assessment-for
                 - id: ir-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -31407,6 +34219,9 @@ catalog:
                       value: IR-06a.
                       class: sp800-53a
                   prose: 'personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};'
+                  links:
+                    - href: '#ir-6_smt.a'
+                      rel: assessment-for
                 - id: ir-6_obj.b
                   name: assessment-objective
                   props:
@@ -31414,6 +34229,12 @@ catalog:
                       value: IR-06b.
                       class: sp800-53a
                   prose: 'incident information is reported to {{ insert: param, ir-06_odp.02 }}.'
+                  links:
+                    - href: '#ir-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-6_smt'
+                  rel: assessment-for
             - id: ir-6_asm-examine
               name: assessment-method
               props:
@@ -31520,6 +34341,9 @@ catalog:
                       value: IR-06(01)
                       class: sp800-53a
                   prose: 'incidents are reported using {{ insert: param, ir-06.01_odp }}.'
+                  links:
+                    - href: '#ir-6.1_smt'
+                      rel: assessment-for
                 - id: ir-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -31610,6 +34434,9 @@ catalog:
                       value: IR-06(03)
                       class: sp800-53a
                   prose: incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
+                  links:
+                    - href: '#ir-6.3_smt'
+                      rel: assessment-for
                 - id: ir-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -31735,6 +34562,9 @@ catalog:
                       value: IR-07[01]
                       class: sp800-53a
                   prose: an incident response support resource, integral to the organizational incident response capability, is provided;
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
                 - id: ir-7_obj-2
                   name: assessment-objective
                   props:
@@ -31742,6 +34572,12 @@ catalog:
                       value: IR-07[02]
                       class: sp800-53a
                   prose: the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-7_smt'
+                  rel: assessment-for
             - id: ir-7_asm-examine
               name: assessment-method
               props:
@@ -31840,6 +34676,9 @@ catalog:
                       value: IR-07(01)
                       class: sp800-53a
                   prose: 'the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.'
+                  links:
+                    - href: '#ir-7.1_smt'
+                      rel: assessment-for
                 - id: ir-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -32141,6 +34980,9 @@ catalog:
                           value: IR-08a.01
                           class: sp800-53a
                       prose: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.1'
+                          rel: assessment-for
                     - id: ir-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -32148,6 +34990,9 @@ catalog:
                           value: IR-08a.02
                           class: sp800-53a
                       prose: an incident response plan is developed that describes the structure and organization of the incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.2'
+                          rel: assessment-for
                     - id: ir-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -32155,6 +35000,9 @@ catalog:
                           value: IR-08a.03
                           class: sp800-53a
                       prose: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
+                      links:
+                        - href: '#ir-8_smt.a.3'
+                          rel: assessment-for
                     - id: ir-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -32162,6 +35010,9 @@ catalog:
                           value: IR-08a.04
                           class: sp800-53a
                       prose: an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
+                      links:
+                        - href: '#ir-8_smt.a.4'
+                          rel: assessment-for
                     - id: ir-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -32169,6 +35020,9 @@ catalog:
                           value: IR-08a.05
                           class: sp800-53a
                       prose: an incident response plan is developed that defines reportable incidents;
+                      links:
+                        - href: '#ir-8_smt.a.5'
+                          rel: assessment-for
                     - id: ir-8_obj.a.6
                       name: assessment-objective
                       props:
@@ -32176,6 +35030,9 @@ catalog:
                           value: IR-08a.06
                           class: sp800-53a
                       prose: an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
+                      links:
+                        - href: '#ir-8_smt.a.6'
+                          rel: assessment-for
                     - id: ir-8_obj.a.7
                       name: assessment-objective
                       props:
@@ -32183,6 +35040,9 @@ catalog:
                           value: IR-08a.07
                           class: sp800-53a
                       prose: an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.7'
+                          rel: assessment-for
                     - id: ir-8_obj.a.8
                       name: assessment-objective
                       props:
@@ -32190,6 +35050,9 @@ catalog:
                           value: IR-08a.08
                           class: sp800-53a
                       prose: an incident response plan is developed that addresses the sharing of incident information;
+                      links:
+                        - href: '#ir-8_smt.a.8'
+                          rel: assessment-for
                     - id: ir-8_obj.a.9
                       name: assessment-objective
                       props:
@@ -32197,6 +35060,9 @@ catalog:
                           value: IR-08a.09
                           class: sp800-53a
                       prose: 'an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};'
+                      links:
+                        - href: '#ir-8_smt.a.9'
+                          rel: assessment-for
                     - id: ir-8_obj.a.10
                       name: assessment-objective
                       props:
@@ -32204,6 +35070,12 @@ catalog:
                           value: IR-08a.10
                           class: sp800-53a
                       prose: 'an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.'
+                      links:
+                        - href: '#ir-8_smt.a.10'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.a'
+                      rel: assessment-for
                 - id: ir-8_obj.b
                   name: assessment-objective
                   props:
@@ -32218,6 +35090,9 @@ catalog:
                           value: IR-08b.[01]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
                     - id: ir-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -32225,6 +35100,12 @@ catalog:
                           value: IR-08b.[02]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.b'
+                      rel: assessment-for
                 - id: ir-8_obj.c
                   name: assessment-objective
                   props:
@@ -32232,6 +35113,9 @@ catalog:
                       value: IR-08c.
                       class: sp800-53a
                   prose: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+                  links:
+                    - href: '#ir-8_smt.c'
+                      rel: assessment-for
                 - id: ir-8_obj.d
                   name: assessment-objective
                   props:
@@ -32246,6 +35130,9 @@ catalog:
                           value: IR-08d.[01]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
                     - id: ir-8_obj.d-2
                       name: assessment-objective
                       props:
@@ -32253,6 +35140,12 @@ catalog:
                           value: IR-08d.[02]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.d'
+                      rel: assessment-for
                 - id: ir-8_obj.e
                   name: assessment-objective
                   props:
@@ -32267,6 +35160,9 @@ catalog:
                           value: IR-08e.[01]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
                     - id: ir-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -32274,6 +35170,15 @@ catalog:
                           value: IR-08e.[02]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized modification.
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ir-8_smt'
+                  rel: assessment-for
             - id: ir-8_asm-examine
               name: assessment-method
               props:
@@ -32538,6 +35443,9 @@ catalog:
                           value: MA-01a.[01]
                           class: sp800-53a
                       prose: a maintenance policy is developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -32545,6 +35453,9 @@ catalog:
                           value: MA-01a.[02]
                           class: sp800-53a
                       prose: 'the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -32552,6 +35463,9 @@ catalog:
                           value: MA-01a.[03]
                           class: sp800-53a
                       prose: maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -32559,6 +35473,9 @@ catalog:
                           value: MA-01a.[04]
                           class: sp800-53a
                       prose: 'the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -32580,6 +35497,9 @@ catalog:
                                   value: MA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -32587,6 +35507,9 @@ catalog:
                                   value: MA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -32594,6 +35517,9 @@ catalog:
                                   value: MA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -32601,6 +35527,9 @@ catalog:
                                   value: MA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -32608,6 +35537,9 @@ catalog:
                                   value: MA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -32615,6 +35547,9 @@ catalog:
                                   value: MA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -32622,6 +35557,12 @@ catalog:
                                   value: MA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ma-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ma-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -32629,6 +35570,15 @@ catalog:
                               value: MA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ma-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.a'
+                      rel: assessment-for
                 - id: ma-1_obj.b
                   name: assessment-objective
                   props:
@@ -32636,6 +35586,9 @@ catalog:
                       value: MA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;'
+                  links:
+                    - href: '#ma-1_smt.b'
+                      rel: assessment-for
                 - id: ma-1_obj.c
                   name: assessment-objective
                   props:
@@ -32657,6 +35610,9 @@ catalog:
                               value: MA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
                         - id: ma-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -32664,6 +35620,12 @@ catalog:
                               value: MA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.1'
+                          rel: assessment-for
                     - id: ma-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -32678,6 +35640,9 @@ catalog:
                               value: MA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
                         - id: ma-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -32685,6 +35650,18 @@ catalog:
                               value: MA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-1_smt'
+                  rel: assessment-for
             - id: ma-1_asm-examine
               name: assessment-method
               props:
@@ -32859,6 +35836,9 @@ catalog:
                           value: MA-02a.[01]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -32866,6 +35846,9 @@ catalog:
                           value: MA-02a.[02]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -32873,6 +35856,12 @@ catalog:
                           value: MA-02a.[03]
                           class: sp800-53a
                       prose: records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.a'
+                      rel: assessment-for
                 - id: ma-2_obj.b
                   name: assessment-objective
                   props:
@@ -32887,6 +35876,9 @@ catalog:
                           value: MA-02b.[01]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
                     - id: ma-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -32894,6 +35886,12 @@ catalog:
                           value: MA-02b.[02]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.b'
+                      rel: assessment-for
                 - id: ma-2_obj.c
                   name: assessment-objective
                   props:
@@ -32901,6 +35899,9 @@ catalog:
                       value: MA-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.c'
+                      rel: assessment-for
                 - id: ma-2_obj.d
                   name: assessment-objective
                   props:
@@ -32908,6 +35909,9 @@ catalog:
                       value: MA-02d.
                       class: sp800-53a
                   prose: 'equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.d'
+                      rel: assessment-for
                 - id: ma-2_obj.e
                   name: assessment-objective
                   props:
@@ -32915,6 +35919,9 @@ catalog:
                       value: MA-02e.
                       class: sp800-53a
                   prose: all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
+                  links:
+                    - href: '#ma-2_smt.e'
+                      rel: assessment-for
                 - id: ma-2_obj.f
                   name: assessment-objective
                   props:
@@ -32922,6 +35929,12 @@ catalog:
                       value: MA-02f.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.'
+                  links:
+                    - href: '#ma-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ma-2_smt'
+                  rel: assessment-for
             - id: ma-2_asm-examine
               name: assessment-method
               props:
@@ -33084,6 +36097,9 @@ catalog:
                               value: MA-02(02)(a)[01]
                               class: sp800-53a
                           prose: ' {{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
                         - id: ma-2.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -33091,6 +36107,9 @@ catalog:
                               value: MA-02(02)(a)[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
                         - id: ma-2.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -33098,6 +36117,12 @@ catalog:
                               value: MA-02(02)(a)[03]
                               class: sp800-53a
                           prose: ' {{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-2.2_smt.a'
+                          rel: assessment-for
                     - id: ma-2.2_obj.b
                       name: assessment-objective
                       props:
@@ -33112,6 +36137,9 @@ catalog:
                               value: MA-02(02)(b)[01]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
                         - id: ma-2.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -33119,6 +36147,9 @@ catalog:
                               value: MA-02(02)(b)[02]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
                         - id: ma-2.2_obj.b-3
                           name: assessment-objective
                           props:
@@ -33126,6 +36157,15 @@ catalog:
                               value: MA-02(02)(b)[03]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-2.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2.2_smt'
+                      rel: assessment-for
                 - id: ma-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -33255,6 +36295,9 @@ catalog:
                           value: MA-03a.[01]
                           class: sp800-53a
                       prose: the use of system maintenance tools is approved;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -33262,6 +36305,9 @@ catalog:
                           value: MA-03a.[02]
                           class: sp800-53a
                       prose: the use of system maintenance tools is controlled;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-3
                       name: assessment-objective
                       props:
@@ -33269,6 +36315,12 @@ catalog:
                           value: MA-03a.[03]
                           class: sp800-53a
                       prose: the use of system maintenance tools is monitored;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3_smt.a'
+                      rel: assessment-for
                 - id: ma-3_obj.b
                   name: assessment-objective
                   props:
@@ -33276,6 +36328,12 @@ catalog:
                       value: MA-03b.
                       class: sp800-53a
                   prose: 'previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.'
+                  links:
+                    - href: '#ma-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ma-3_smt'
+                  rel: assessment-for
             - id: ma-3_asm-examine
               name: assessment-method
               props:
@@ -33363,6 +36421,9 @@ catalog:
                       value: MA-03(01)
                       class: sp800-53a
                   prose: maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.
+                  links:
+                    - href: '#ma-3.1_smt'
+                      rel: assessment-for
                 - id: ma-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -33451,6 +36512,9 @@ catalog:
                       value: MA-03(02)
                       class: sp800-53a
                   prose: media containing diagnostic and test programs are checked for malicious code before the media are used in the system.
+                  links:
+                    - href: '#ma-3.2_smt'
+                      rel: assessment-for
                 - id: ma-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -33580,6 +36644,9 @@ catalog:
                           value: MA-03(03)(a)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.a'
+                          rel: assessment-for
                     - id: ma-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -33587,6 +36654,9 @@ catalog:
                           value: MA-03(03)(b)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.b'
+                          rel: assessment-for
                     - id: ma-3.3_obj.c
                       name: assessment-objective
                       props:
@@ -33594,6 +36664,9 @@ catalog:
                           value: MA-03(03)(c)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
+                      links:
+                        - href: '#ma-3.3_smt.c'
+                          rel: assessment-for
                     - id: ma-3.3_obj.d
                       name: assessment-objective
                       props:
@@ -33601,6 +36674,12 @@ catalog:
                           value: MA-03(03)(d)
                           class: sp800-53a
                       prose: 'the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.'
+                      links:
+                        - href: '#ma-3.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3.3_smt'
+                      rel: assessment-for
                 - id: ma-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -33777,6 +36856,9 @@ catalog:
                           value: MA-04a.[01]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are approved;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
                     - id: ma-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -33784,6 +36866,12 @@ catalog:
                           value: MA-04a.[02]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are monitored;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.a'
+                      rel: assessment-for
                 - id: ma-4_obj.b
                   name: assessment-objective
                   props:
@@ -33798,6 +36886,9 @@ catalog:
                           value: MA-04b.[01]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
                     - id: ma-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -33805,6 +36896,12 @@ catalog:
                           value: MA-04b.[02]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.b'
+                      rel: assessment-for
                 - id: ma-4_obj.c
                   name: assessment-objective
                   props:
@@ -33812,6 +36909,9 @@ catalog:
                       value: MA-04c.
                       class: sp800-53a
                   prose: strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
+                  links:
+                    - href: '#ma-4_smt.c'
+                      rel: assessment-for
                 - id: ma-4_obj.d
                   name: assessment-objective
                   props:
@@ -33819,6 +36919,9 @@ catalog:
                       value: MA-04d.
                       class: sp800-53a
                   prose: records for nonlocal maintenance and diagnostic activities are maintained;
+                  links:
+                    - href: '#ma-4_smt.d'
+                      rel: assessment-for
                 - id: ma-4_obj.e
                   name: assessment-objective
                   props:
@@ -33833,6 +36936,9 @@ catalog:
                           value: MA-04e.[01]
                           class: sp800-53a
                       prose: session connections are terminated when nonlocal maintenance is completed;
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
                     - id: ma-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -33840,6 +36946,15 @@ catalog:
                           value: MA-04e.[02]
                           class: sp800-53a
                       prose: network connections are terminated when nonlocal maintenance is completed.
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ma-4_smt'
+                  rel: assessment-for
             - id: ma-4_asm-examine
               name: assessment-method
               props:
@@ -33973,6 +37088,9 @@ catalog:
                               value: MA-04(03)(a)[01]
                               class: sp800-53a
                           prose: nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;
+                          links:
+                            - href: '#ma-4.3_smt.a'
+                              rel: assessment-for
                         - id: ma-4.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -33980,6 +37098,12 @@ catalog:
                               value: MA-04(03)(a)[02]
                               class: sp800-53a
                           prose: nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
+                          links:
+                            - href: '#ma-4.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.3_smt.a'
+                          rel: assessment-for
                     - id: ma-4.3_obj.b
                       name: assessment-objective
                       props:
@@ -33994,6 +37118,9 @@ catalog:
                               value: MA-04(03)(b)[01]
                               class: sp800-53a
                           prose: the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
                         - id: ma-4.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -34001,6 +37128,9 @@ catalog:
                               value: MA-04(03)(b)[02]
                               class: sp800-53a
                           prose: the component to be serviced is sanitized (for organizational information);
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
                         - id: ma-4.3_obj.b-3
                           name: assessment-objective
                           props:
@@ -34008,6 +37138,15 @@ catalog:
                               value: MA-04(03)(b)[03]
                               class: sp800-53a
                           prose: the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.3_smt'
+                      rel: assessment-for
                 - id: ma-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -34162,6 +37301,9 @@ catalog:
                           value: MA-05a.[01]
                           class: sp800-53a
                       prose: a process for maintenance personnel authorization is established;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
                     - id: ma-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -34169,6 +37311,12 @@ catalog:
                           value: MA-05a.[02]
                           class: sp800-53a
                       prose: a list of authorized maintenance organizations or personnel is maintained;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5_smt.a'
+                      rel: assessment-for
                 - id: ma-5_obj.b
                   name: assessment-objective
                   props:
@@ -34176,6 +37324,9 @@ catalog:
                       value: MA-05b.
                       class: sp800-53a
                   prose: non-escorted personnel performing maintenance on the system possess the required access authorizations;
+                  links:
+                    - href: '#ma-5_smt.b'
+                      rel: assessment-for
                 - id: ma-5_obj.c
                   name: assessment-objective
                   props:
@@ -34183,6 +37334,12 @@ catalog:
                       value: MA-05c.
                       class: sp800-53a
                   prose: organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
+                  links:
+                    - href: '#ma-5_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-5_smt'
+                  rel: assessment-for
             - id: ma-5_asm-examine
               name: assessment-method
               props:
@@ -34328,6 +37485,9 @@ catalog:
                               value: MA-05(01)(a)(01)
                               class: sp800-53a
                           prose: procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;
+                          links:
+                            - href: '#ma-5.1_smt.a.1'
+                              rel: assessment-for
                         - id: ma-5.1_obj.a.2
                           name: assessment-objective
                           props:
@@ -34335,6 +37495,12 @@ catalog:
                               value: MA-05(01)(a)(02)
                               class: sp800-53a
                           prose: procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;
+                          links:
+                            - href: '#ma-5.1_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-5.1_smt.a'
+                          rel: assessment-for
                     - id: ma-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -34342,6 +37508,12 @@ catalog:
                           value: MA-05(01)(b)
                           class: sp800-53a
                       prose: ' {{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.'
+                      links:
+                        - href: '#ma-5.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5.1_smt'
+                      rel: assessment-for
                 - id: ma-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -34479,6 +37651,9 @@ catalog:
                   value: MA-06
                   class: sp800-53a
               prose: 'maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.'
+              links:
+                - href: '#ma-6_smt'
+                  rel: assessment-for
             - id: ma-6_asm-examine
               name: assessment-method
               props:
@@ -34747,6 +37922,9 @@ catalog:
                           value: MP-01a.[01]
                           class: sp800-53a
                       prose: a media protection policy is developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -34754,6 +37932,9 @@ catalog:
                           value: MP-01a.[02]
                           class: sp800-53a
                       prose: 'the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -34761,6 +37942,9 @@ catalog:
                           value: MP-01a.[03]
                           class: sp800-53a
                       prose: media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -34768,6 +37952,9 @@ catalog:
                           value: MP-01a.[04]
                           class: sp800-53a
                       prose: 'the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -34789,6 +37976,9 @@ catalog:
                                   value: MP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -34796,6 +37986,9 @@ catalog:
                                   value: MP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -34803,6 +37996,9 @@ catalog:
                                   value: MP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -34810,6 +38006,9 @@ catalog:
                                   value: MP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -34817,6 +38016,9 @@ catalog:
                                   value: MP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -34824,6 +38026,9 @@ catalog:
                                   value: MP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -34831,6 +38036,12 @@ catalog:
                                   value: MP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#mp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: mp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -34838,6 +38049,15 @@ catalog:
                               value: MP-01a.01(b)
                               class: sp800-53a
                           prose: the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#mp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.a'
+                      rel: assessment-for
                 - id: mp-1_obj.b
                   name: assessment-objective
                   props:
@@ -34845,6 +38065,9 @@ catalog:
                       value: MP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.'
+                  links:
+                    - href: '#mp-1_smt.b'
+                      rel: assessment-for
                 - id: mp-1_obj.c
                   name: assessment-objective
                   props:
@@ -34866,6 +38089,9 @@ catalog:
                               value: MP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
                         - id: mp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -34873,6 +38099,12 @@ catalog:
                               value: MP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};'
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.1'
+                          rel: assessment-for
                     - id: mp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -34887,6 +38119,9 @@ catalog:
                               value: MP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
                         - id: mp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -34894,6 +38129,18 @@ catalog:
                               value: MP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.'
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#mp-1_smt'
+                  rel: assessment-for
             - id: mp-1_asm-examine
               name: assessment-method
               props:
@@ -35051,6 +38298,9 @@ catalog:
                       value: MP-02[01]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
                 - id: mp-2_obj-2
                   name: assessment-objective
                   props:
@@ -35058,6 +38308,12 @@ catalog:
                       value: MP-02[02]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#mp-2_smt'
+                  rel: assessment-for
             - id: mp-2_asm-examine
               name: assessment-method
               props:
@@ -35205,6 +38461,9 @@ catalog:
                       value: MP-03a.
                       class: sp800-53a
                   prose: system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
+                  links:
+                    - href: '#mp-3_smt.a'
+                      rel: assessment-for
                 - id: mp-3_obj.b
                   name: assessment-objective
                   props:
@@ -35212,6 +38471,12 @@ catalog:
                       value: MP-03b.
                       class: sp800-53a
                   prose: ' {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.'
+                  links:
+                    - href: '#mp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-3_smt'
+                  rel: assessment-for
             - id: mp-3_asm-examine
               name: assessment-method
               props:
@@ -35439,6 +38704,9 @@ catalog:
                           value: MP-04a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.01 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -35446,6 +38714,9 @@ catalog:
                           value: MP-04a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.02 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -35453,6 +38724,9 @@ catalog:
                           value: MP-04a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -35460,6 +38734,12 @@ catalog:
                           value: MP-04a.[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-4_smt.a'
+                      rel: assessment-for
                 - id: mp-4_obj.b
                   name: assessment-objective
                   props:
@@ -35467,6 +38747,12 @@ catalog:
                       value: MP-04b.
                       class: sp800-53a
                   prose: system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
+                  links:
+                    - href: '#mp-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-4_smt'
+                  rel: assessment-for
             - id: mp-4_asm-examine
               name: assessment-method
               props:
@@ -35657,6 +38943,9 @@ catalog:
                           value: MP-05a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
                     - id: mp-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -35664,6 +38953,12 @@ catalog:
                           value: MP-05a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.a'
+                      rel: assessment-for
                 - id: mp-5_obj.b
                   name: assessment-objective
                   props:
@@ -35671,6 +38966,9 @@ catalog:
                       value: MP-05b.
                       class: sp800-53a
                   prose: accountability for system media is maintained during transport outside of controlled areas;
+                  links:
+                    - href: '#mp-5_smt.b'
+                      rel: assessment-for
                 - id: mp-5_obj.c
                   name: assessment-objective
                   props:
@@ -35678,6 +38976,9 @@ catalog:
                       value: MP-05c.
                       class: sp800-53a
                   prose: activities associated with the transport of system media are documented;
+                  links:
+                    - href: '#mp-5_smt.c'
+                      rel: assessment-for
                 - id: mp-5_obj.d
                   name: assessment-objective
                   props:
@@ -35692,6 +38993,9 @@ catalog:
                           value: MP-05d.[01]
                           class: sp800-53a
                       prose: personnel authorized to conduct media transport activities is/are identified;
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
                     - id: mp-5_obj.d-2
                       name: assessment-objective
                       props:
@@ -35699,6 +39003,15 @@ catalog:
                           value: MP-05d.[02]
                           class: sp800-53a
                       prose: activities associated with the transport of system media are restricted to identified authorized personnel.
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#mp-5_smt'
+                  rel: assessment-for
             - id: mp-5_asm-examine
               name: assessment-method
               props:
@@ -35932,6 +39245,9 @@ catalog:
                           value: MP-06a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -35939,6 +39255,9 @@ catalog:
                           value: MP-06a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-3
                       name: assessment-objective
                       props:
@@ -35946,6 +39265,12 @@ catalog:
                           value: MP-06a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6_smt.a'
+                      rel: assessment-for
                 - id: mp-6_obj.b
                   name: assessment-objective
                   props:
@@ -35953,6 +39278,12 @@ catalog:
                       value: MP-06b.
                       class: sp800-53a
                   prose: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
+                  links:
+                    - href: '#mp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-6_smt'
+                  rel: assessment-for
             - id: mp-6_asm-examine
               name: assessment-method
               props:
@@ -36061,6 +39392,9 @@ catalog:
                           value: MP-06(01)[01]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are reviewed;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -36068,6 +39402,9 @@ catalog:
                           value: MP-06(01)[02]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are approved;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-3
                       name: assessment-objective
                       props:
@@ -36075,6 +39412,9 @@ catalog:
                           value: MP-06(01)[03]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are tracked;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-4
                       name: assessment-objective
                       props:
@@ -36082,6 +39422,9 @@ catalog:
                           value: MP-06(01)[04]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are documented;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-5
                       name: assessment-objective
                       props:
@@ -36089,6 +39432,12 @@ catalog:
                           value: MP-06(01)[05]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are verified.
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6.1_smt'
+                      rel: assessment-for
                 - id: mp-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -36226,6 +39575,9 @@ catalog:
                           value: MP-06(02)[01]
                           class: sp800-53a
                       prose: 'sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;'
+                      links:
+                        - href: '#mp-6.2_smt'
+                          rel: assessment-for
                     - id: mp-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -36233,6 +39585,12 @@ catalog:
                           value: MP-06(02)[02]
                           class: sp800-53a
                       prose: 'sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.'
+                      links:
+                        - href: '#mp-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6.2_smt'
+                      rel: assessment-for
                 - id: mp-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -36345,6 +39703,9 @@ catalog:
                       value: MP-06(03)
                       class: sp800-53a
                   prose: 'non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.'
+                  links:
+                    - href: '#mp-6.3_smt'
+                      rel: assessment-for
                 - id: mp-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -36508,6 +39869,9 @@ catalog:
                       value: MP-07a.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};'
+                  links:
+                    - href: '#mp-7_smt.a'
+                      rel: assessment-for
                 - id: mp-7_obj.b
                   name: assessment-objective
                   props:
@@ -36515,6 +39879,12 @@ catalog:
                       value: MP-07b.
                       class: sp800-53a
                   prose: the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
+                  links:
+                    - href: '#mp-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-7_smt'
+                  rel: assessment-for
             - id: mp-7_asm-examine
               name: assessment-method
               props:
@@ -36788,6 +40158,9 @@ catalog:
                           value: PE-01a.[01]
                           class: sp800-53a
                       prose: a physical and environmental protection policy is developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -36795,6 +40168,9 @@ catalog:
                           value: PE-01a.[02]
                           class: sp800-53a
                       prose: 'the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -36802,6 +40178,9 @@ catalog:
                           value: PE-01a.[03]
                           class: sp800-53a
                       prose: physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -36809,6 +40188,9 @@ catalog:
                           value: PE-01a.[04]
                           class: sp800-53a
                       prose: 'the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -36830,6 +40212,9 @@ catalog:
                                   value: PE-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -36837,6 +40222,9 @@ catalog:
                                   value: PE-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -36844,6 +40232,9 @@ catalog:
                                   value: PE-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -36851,6 +40242,9 @@ catalog:
                                   value: PE-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -36858,6 +40252,9 @@ catalog:
                                   value: PE-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -36865,6 +40262,9 @@ catalog:
                                   value: PE-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -36872,6 +40272,12 @@ catalog:
                                   value: PE-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pe-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pe-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -36879,6 +40285,15 @@ catalog:
                               value: PE-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pe-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.a'
+                      rel: assessment-for
                 - id: pe-1_obj.b
                   name: assessment-objective
                   props:
@@ -36886,6 +40301,9 @@ catalog:
                       value: PE-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;'
+                  links:
+                    - href: '#pe-1_smt.b'
+                      rel: assessment-for
                 - id: pe-1_obj.c
                   name: assessment-objective
                   props:
@@ -36907,6 +40325,9 @@ catalog:
                               value: PE-01c.01[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
                         - id: pe-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -36914,6 +40335,12 @@ catalog:
                               value: PE-01c.01[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.1'
+                          rel: assessment-for
                     - id: pe-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -36928,6 +40355,9 @@ catalog:
                               value: PE-01c.02[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
                         - id: pe-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -36935,6 +40365,18 @@ catalog:
                               value: PE-01c.02[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-1_smt'
+                  rel: assessment-for
             - id: pe-1_asm-examine
               name: assessment-method
               props:
@@ -37085,6 +40527,9 @@ catalog:
                           value: PE-02a.[01]
                           class: sp800-53a
                       prose: a list of individuals with authorized access to the facility where the system resides has been developed;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -37092,6 +40537,9 @@ catalog:
                           value: PE-02a.[02]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been approved;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -37099,6 +40547,12 @@ catalog:
                           value: PE-02a.[03]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been maintained;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-2_smt.a'
+                      rel: assessment-for
                 - id: pe-2_obj.b
                   name: assessment-objective
                   props:
@@ -37106,6 +40560,9 @@ catalog:
                       value: PE-02b.
                       class: sp800-53a
                   prose: authorization credentials are issued for facility access;
+                  links:
+                    - href: '#pe-2_smt.b'
+                      rel: assessment-for
                 - id: pe-2_obj.c
                   name: assessment-objective
                   props:
@@ -37113,6 +40570,9 @@ catalog:
                       value: PE-02c.
                       class: sp800-53a
                   prose: 'the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};'
+                  links:
+                    - href: '#pe-2_smt.c'
+                      rel: assessment-for
                 - id: pe-2_obj.d
                   name: assessment-objective
                   props:
@@ -37120,6 +40580,12 @@ catalog:
                       value: PE-02d.
                       class: sp800-53a
                   prose: individuals are removed from the facility access list when access is no longer required.
+                  links:
+                    - href: '#pe-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-2_smt'
+                  rel: assessment-for
             - id: pe-2_asm-examine
               name: assessment-method
               props:
@@ -37450,6 +40916,9 @@ catalog:
                           value: PE-03a.01
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;'
+                      links:
+                        - href: '#pe-3_smt.a.1'
+                          rel: assessment-for
                     - id: pe-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -37457,6 +40926,12 @@ catalog:
                           value: PE-03a.02
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};'
+                      links:
+                        - href: '#pe-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.a'
+                      rel: assessment-for
                 - id: pe-3_obj.b
                   name: assessment-objective
                   props:
@@ -37464,6 +40939,9 @@ catalog:
                       value: PE-03b.
                       class: sp800-53a
                   prose: 'physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};'
+                  links:
+                    - href: '#pe-3_smt.b'
+                      rel: assessment-for
                 - id: pe-3_obj.c
                   name: assessment-objective
                   props:
@@ -37471,6 +40949,9 @@ catalog:
                       value: PE-03c.
                       class: sp800-53a
                   prose: 'access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};'
+                  links:
+                    - href: '#pe-3_smt.c'
+                      rel: assessment-for
                 - id: pe-3_obj.d
                   name: assessment-objective
                   props:
@@ -37485,6 +40966,9 @@ catalog:
                           value: PE-03d.[01]
                           class: sp800-53a
                       prose: visitors are escorted;
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
                     - id: pe-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -37492,6 +40976,12 @@ catalog:
                           value: PE-03d.[02]
                           class: sp800-53a
                       prose: 'visitor activity is controlled {{ insert: param, pe-03_odp.06 }};'
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.d'
+                      rel: assessment-for
                 - id: pe-3_obj.e
                   name: assessment-objective
                   props:
@@ -37506,6 +40996,9 @@ catalog:
                           value: PE-03e.[01]
                           class: sp800-53a
                       prose: keys are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-2
                       name: assessment-objective
                       props:
@@ -37513,6 +41006,9 @@ catalog:
                           value: PE-03e.[02]
                           class: sp800-53a
                       prose: combinations are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-3
                       name: assessment-objective
                       props:
@@ -37520,6 +41016,12 @@ catalog:
                           value: PE-03e.[03]
                           class: sp800-53a
                       prose: other physical access devices are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.e'
+                      rel: assessment-for
                 - id: pe-3_obj.f
                   name: assessment-objective
                   props:
@@ -37527,6 +41029,9 @@ catalog:
                       value: PE-03f.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};'
+                  links:
+                    - href: '#pe-3_smt.f'
+                      rel: assessment-for
                 - id: pe-3_obj.g
                   name: assessment-objective
                   props:
@@ -37541,6 +41046,9 @@ catalog:
                           value: PE-03g.[01]
                           class: sp800-53a
                       prose: 'combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
                     - id: pe-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -37548,6 +41056,15 @@ catalog:
                           value: PE-03g.[02]
                           class: sp800-53a
                       prose: 'keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#pe-3_smt'
+                  rel: assessment-for
             - id: pe-3_asm-examine
               name: assessment-method
               props:
@@ -37666,6 +41183,9 @@ catalog:
                           value: PE-03(01)[01]
                           class: sp800-53a
                       prose: physical access authorizations to the system are enforced;
+                      links:
+                        - href: '#pe-3.1_smt'
+                          rel: assessment-for
                     - id: pe-3.1_obj.2
                       name: assessment-objective
                       props:
@@ -37673,6 +41193,12 @@ catalog:
                           value: PE-03(01)[02]
                           class: sp800-53a
                       prose: 'physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.'
+                      links:
+                        - href: '#pe-3.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3.1_smt'
+                      rel: assessment-for
                 - id: pe-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -37804,6 +41330,9 @@ catalog:
                   value: PE-04
                   class: sp800-53a
               prose: 'physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.'
+              links:
+                - href: '#pe-4_smt'
+                  rel: assessment-for
             - id: pe-4_asm-examine
               name: assessment-method
               props:
@@ -37909,6 +41438,9 @@ catalog:
                   value: PE-05
                   class: sp800-53a
               prose: 'physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.'
+              links:
+                - href: '#pe-5_smt'
+                  rel: assessment-for
             - id: pe-5_asm-examine
               name: assessment-method
               props:
@@ -38063,6 +41595,9 @@ catalog:
                       value: PE-06a.
                       class: sp800-53a
                   prose: physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
+                  links:
+                    - href: '#pe-6_smt.a'
+                      rel: assessment-for
                 - id: pe-6_obj.b
                   name: assessment-objective
                   props:
@@ -38077,6 +41612,9 @@ catalog:
                           value: PE-06b.[01]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
                     - id: pe-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -38084,6 +41622,12 @@ catalog:
                           value: PE-06b.[02]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.b'
+                      rel: assessment-for
                 - id: pe-6_obj.c
                   name: assessment-objective
                   props:
@@ -38098,6 +41642,9 @@ catalog:
                           value: PE-06c.[01]
                           class: sp800-53a
                       prose: results of reviews are coordinated with organizational incident response capabilities;
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
                     - id: pe-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -38105,6 +41652,15 @@ catalog:
                           value: PE-06c.[02]
                           class: sp800-53a
                       prose: results of investigations are coordinated with organizational incident response capabilities.
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-6_smt'
+                  rel: assessment-for
             - id: pe-6_asm-examine
               name: assessment-method
               props:
@@ -38206,6 +41762,9 @@ catalog:
                           value: PE-06(01)[01]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical intrusion alarms;
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
                     - id: pe-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -38213,6 +41772,12 @@ catalog:
                           value: PE-06(01)[02]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical surveillance equipment.
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6.1_smt'
+                      rel: assessment-for
                 - id: pe-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -38326,6 +41891,9 @@ catalog:
                       value: PE-06(04)
                       class: sp800-53a
                   prose: 'physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.'
+                  links:
+                    - href: '#pe-6.4_smt'
+                      rel: assessment-for
                 - id: pe-6.4_asm-examine
                   name: assessment-method
                   props:
@@ -38485,6 +42053,9 @@ catalog:
                       value: PE-08a.
                       class: sp800-53a
                   prose: 'visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};'
+                  links:
+                    - href: '#pe-8_smt.a'
+                      rel: assessment-for
                 - id: pe-8_obj.b
                   name: assessment-objective
                   props:
@@ -38492,6 +42063,9 @@ catalog:
                       value: PE-08b.
                       class: sp800-53a
                   prose: 'visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};'
+                  links:
+                    - href: '#pe-8_smt.b'
+                      rel: assessment-for
                 - id: pe-8_obj.c
                   name: assessment-objective
                   props:
@@ -38499,6 +42073,12 @@ catalog:
                       value: PE-08c.
                       class: sp800-53a
                   prose: 'visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.'
+                  links:
+                    - href: '#pe-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-8_smt'
+                  rel: assessment-for
             - id: pe-8_asm-examine
               name: assessment-method
               props:
@@ -38623,6 +42203,9 @@ catalog:
                           value: PE-08(01)[01]
                           class: sp800-53a
                       prose: 'visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};'
+                      links:
+                        - href: '#pe-8.1_smt'
+                          rel: assessment-for
                     - id: pe-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -38630,6 +42213,12 @@ catalog:
                           value: PE-08(01)[02]
                           class: sp800-53a
                       prose: 'visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.'
+                      links:
+                        - href: '#pe-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-8.1_smt'
+                      rel: assessment-for
                 - id: pe-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -38723,6 +42312,9 @@ catalog:
                       value: PE-09[01]
                       class: sp800-53a
                   prose: power equipment for the system is protected from damage and destruction;
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
                 - id: pe-9_obj-2
                   name: assessment-objective
                   props:
@@ -38730,6 +42322,12 @@ catalog:
                       value: PE-09[02]
                       class: sp800-53a
                   prose: power cabling for the system is protected from damage and destruction.
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-9_smt'
+                  rel: assessment-for
             - id: pe-9_asm-examine
               name: assessment-method
               props:
@@ -38858,6 +42456,9 @@ catalog:
                       value: PE-10a.
                       class: sp800-53a
                   prose: 'the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;'
+                  links:
+                    - href: '#pe-10_smt.a'
+                      rel: assessment-for
                 - id: pe-10_obj.b
                   name: assessment-objective
                   props:
@@ -38865,6 +42466,9 @@ catalog:
                       value: PE-10b.
                       class: sp800-53a
                   prose: 'emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;'
+                  links:
+                    - href: '#pe-10_smt.b'
+                      rel: assessment-for
                 - id: pe-10_obj.c
                   name: assessment-objective
                   props:
@@ -38872,6 +42476,12 @@ catalog:
                       value: PE-10c.
                       class: sp800-53a
                   prose: the emergency power shutoff capability is protected from unauthorized activation.
+                  links:
+                    - href: '#pe-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-10_smt'
+                  rel: assessment-for
             - id: pe-10_asm-examine
               name: assessment-method
               props:
@@ -38971,6 +42581,9 @@ catalog:
                   value: PE-11
                   class: sp800-53a
               prose: 'an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.'
+              links:
+                - href: '#pe-11_smt'
+                  rel: assessment-for
             - id: pe-11_asm-examine
               name: assessment-method
               props:
@@ -39077,6 +42690,9 @@ catalog:
                           value: PE-11(01)[01]
                           class: sp800-53a
                       prose: 'an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};'
+                      links:
+                        - href: '#pe-11.1_smt'
+                          rel: assessment-for
                     - id: pe-11.1_obj-2
                       name: assessment-objective
                       props:
@@ -39084,6 +42700,12 @@ catalog:
                           value: PE-11(01)[02]
                           class: sp800-53a
                       prose: the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.
+                      links:
+                        - href: '#pe-11.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-11.1_smt'
+                      rel: assessment-for
                 - id: pe-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -39179,6 +42801,9 @@ catalog:
                       value: PE-12[01]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-2
                   name: assessment-objective
                   props:
@@ -39186,6 +42811,9 @@ catalog:
                       value: PE-12[02]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-3
                   name: assessment-objective
                   props:
@@ -39193,6 +42821,9 @@ catalog:
                       value: PE-12[03]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers emergency exits within the facility;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-4
                   name: assessment-objective
                   props:
@@ -39200,6 +42831,12 @@ catalog:
                       value: PE-12[04]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers evacuation routes within the facility.
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-12_smt'
+                  rel: assessment-for
             - id: pe-12_asm-examine
               name: assessment-method
               props:
@@ -39290,6 +42927,9 @@ catalog:
                       value: PE-13[01]
                       class: sp800-53a
                   prose: fire detection systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-2
                   name: assessment-objective
                   props:
@@ -39297,6 +42937,9 @@ catalog:
                       value: PE-13[02]
                       class: sp800-53a
                   prose: employed fire detection systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-3
                   name: assessment-objective
                   props:
@@ -39304,6 +42947,9 @@ catalog:
                       value: PE-13[03]
                       class: sp800-53a
                   prose: employed fire detection systems are maintained;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-4
                   name: assessment-objective
                   props:
@@ -39311,6 +42957,9 @@ catalog:
                       value: PE-13[04]
                       class: sp800-53a
                   prose: fire suppression systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-5
                   name: assessment-objective
                   props:
@@ -39318,6 +42967,9 @@ catalog:
                       value: PE-13[05]
                       class: sp800-53a
                   prose: employed fire suppression systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-6
                   name: assessment-objective
                   props:
@@ -39325,6 +42977,12 @@ catalog:
                       value: PE-13[06]
                       class: sp800-53a
                   prose: employed fire suppression systems are maintained.
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-13_smt'
+                  rel: assessment-for
             - id: pe-13_asm-examine
               name: assessment-method
               props:
@@ -39437,6 +43095,9 @@ catalog:
                           value: PE-13(01)[01]
                           class: sp800-53a
                       prose: fire detection systems that activate automatically are employed in the event of a fire;
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-2
                       name: assessment-objective
                       props:
@@ -39444,6 +43105,9 @@ catalog:
                           value: PE-13(01)[02]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-3
                       name: assessment-objective
                       props:
@@ -39451,6 +43115,12 @@ catalog:
                           value: PE-13(01)[03]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.1_smt'
+                      rel: assessment-for
                 - id: pe-13.1_asm-examine
                   name: assessment-method
                   props:
@@ -39592,6 +43262,9 @@ catalog:
                               value: PE-13(02)(a)[01]
                               class: sp800-53a
                           prose: fire suppression systems that activate automatically are employed;
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
                         - id: pe-13.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -39599,6 +43272,9 @@ catalog:
                               value: PE-13(02)(a)[02]
                               class: sp800-53a
                           prose: 'fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;'
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
                         - id: pe-13.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -39606,6 +43282,12 @@ catalog:
                               value: PE-13(02)(a)[03]
                               class: sp800-53a
                           prose: 'fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;'
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-13.2_smt.a'
+                          rel: assessment-for
                     - id: pe-13.2_obj.b
                       name: assessment-objective
                       props:
@@ -39613,6 +43295,12 @@ catalog:
                           value: PE-13(02)(b)
                           class: sp800-53a
                       prose: an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.
+                      links:
+                        - href: '#pe-13.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.2_smt'
+                      rel: assessment-for
                 - id: pe-13.2_asm-examine
                   name: assessment-method
                   props:
@@ -39772,6 +43460,9 @@ catalog:
                       value: PE-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;'
+                  links:
+                    - href: '#pe-14_smt.a'
+                      rel: assessment-for
                 - id: pe-14_obj.b
                   name: assessment-objective
                   props:
@@ -39779,6 +43470,12 @@ catalog:
                       value: PE-14b.
                       class: sp800-53a
                   prose: 'environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.'
+                  links:
+                    - href: '#pe-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-14_smt'
+                  rel: assessment-for
             - id: pe-14_asm-examine
               name: assessment-method
               props:
@@ -39873,6 +43570,9 @@ catalog:
                       value: PE-15[01]
                       class: sp800-53a
                   prose: the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-2
                   name: assessment-objective
                   props:
@@ -39880,6 +43580,9 @@ catalog:
                       value: PE-15[02]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are accessible;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-3
                   name: assessment-objective
                   props:
@@ -39887,6 +43590,9 @@ catalog:
                       value: PE-15[03]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are working properly;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-4
                   name: assessment-objective
                   props:
@@ -39894,6 +43600,12 @@ catalog:
                       value: PE-15[04]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are known to key personnel.
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-15_smt'
+                  rel: assessment-for
             - id: pe-15_asm-examine
               name: assessment-method
               props:
@@ -40011,6 +43723,9 @@ catalog:
                           value: PE-15(01)[01]
                           class: sp800-53a
                       prose: the presence of water near the system can be detected automatically;
+                      links:
+                        - href: '#pe-15.1_smt'
+                          rel: assessment-for
                     - id: pe-15.1_obj-2
                       name: assessment-objective
                       props:
@@ -40018,6 +43733,12 @@ catalog:
                           value: PE-15(01)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.'
+                      links:
+                        - href: '#pe-15.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-15.1_smt'
+                      rel: assessment-for
                 - id: pe-15.1_asm-examine
                   name: assessment-method
                   props:
@@ -40173,6 +43894,9 @@ catalog:
                           value: PE-16a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-2
                       name: assessment-objective
                       props:
@@ -40180,6 +43904,9 @@ catalog:
                           value: PE-16a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-3
                       name: assessment-objective
                       props:
@@ -40187,6 +43914,9 @@ catalog:
                           value: PE-16a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-4
                       name: assessment-objective
                       props:
@@ -40194,6 +43924,12 @@ catalog:
                           value: PE-16a.[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-16_smt.a'
+                      rel: assessment-for
                 - id: pe-16_obj.b
                   name: assessment-objective
                   props:
@@ -40201,6 +43937,12 @@ catalog:
                       value: PE-16b.
                       class: sp800-53a
                   prose: records of the system components are maintained.
+                  links:
+                    - href: '#pe-16_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-16_smt'
+                  rel: assessment-for
             - id: pe-16_asm-examine
               name: assessment-method
               props:
@@ -40343,6 +44085,9 @@ catalog:
                       value: PE-17a.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-17_odp.01 }} are determined and documented;'
+                  links:
+                    - href: '#pe-17_smt.a'
+                      rel: assessment-for
                 - id: pe-17_obj.b
                   name: assessment-objective
                   props:
@@ -40350,6 +44095,9 @@ catalog:
                       value: PE-17b.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;'
+                  links:
+                    - href: '#pe-17_smt.b'
+                      rel: assessment-for
                 - id: pe-17_obj.c
                   name: assessment-objective
                   props:
@@ -40357,6 +44105,9 @@ catalog:
                       value: PE-17c.
                       class: sp800-53a
                   prose: the effectiveness of controls at alternate work sites is assessed;
+                  links:
+                    - href: '#pe-17_smt.c'
+                      rel: assessment-for
                 - id: pe-17_obj.d
                   name: assessment-objective
                   props:
@@ -40364,6 +44115,12 @@ catalog:
                       value: PE-17d.
                       class: sp800-53a
                   prose: a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
+                  links:
+                    - href: '#pe-17_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-17_smt'
+                  rel: assessment-for
             - id: pe-17_asm-examine
               name: assessment-method
               props:
@@ -40477,6 +44234,9 @@ catalog:
                   value: PE-18
                   class: sp800-53a
               prose: 'system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.'
+              links:
+                - href: '#pe-18_smt'
+                  rel: assessment-for
             - id: pe-18_asm-examine
               name: assessment-method
               props:
@@ -40743,6 +44503,9 @@ catalog:
                           value: PL-01a.[01]
                           class: sp800-53a
                       prose: a planning policy is developed and documented.
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -40750,6 +44513,9 @@ catalog:
                           value: PL-01a.[02]
                           class: sp800-53a
                       prose: 'the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -40757,6 +44523,9 @@ catalog:
                           value: PL-01a.[03]
                           class: sp800-53a
                       prose: planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -40764,6 +44533,9 @@ catalog:
                           value: PL-01a.[04]
                           class: sp800-53a
                       prose: 'the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -40785,6 +44557,9 @@ catalog:
                                   value: PL-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -40792,6 +44567,9 @@ catalog:
                                   value: PL-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -40799,6 +44577,9 @@ catalog:
                                   value: PL-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -40806,6 +44587,9 @@ catalog:
                                   value: PL-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -40813,6 +44597,9 @@ catalog:
                                   value: PL-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -40820,6 +44607,9 @@ catalog:
                                   value: PL-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -40827,6 +44617,12 @@ catalog:
                                   value: PL-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pl-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pl-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -40834,6 +44630,15 @@ catalog:
                               value: PL-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pl-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.a'
+                      rel: assessment-for
                 - id: pl-1_obj.b
                   name: assessment-objective
                   props:
@@ -40841,6 +44646,9 @@ catalog:
                       value: PL-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;'
+                  links:
+                    - href: '#pl-1_smt.b'
+                      rel: assessment-for
                 - id: pl-1_obj.c
                   name: assessment-objective
                   props:
@@ -40862,6 +44670,9 @@ catalog:
                               value: PL-01c.01[01]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
                         - id: pl-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -40869,6 +44680,12 @@ catalog:
                               value: PL-01c.01[02]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.1'
+                          rel: assessment-for
                     - id: pl-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -40883,6 +44700,9 @@ catalog:
                               value: PL-01c.02[01]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
                         - id: pl-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -40890,6 +44710,18 @@ catalog:
                               value: PL-01c.02[02]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-1_smt'
+                  rel: assessment-for
             - id: pl-1_asm-examine
               name: assessment-method
               props:
@@ -41220,6 +45052,9 @@ catalog:
                               value: PL-02a.01[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
                         - id: pl-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -41227,6 +45062,12 @@ catalog:
                               value: PL-02a.01[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.1'
+                          rel: assessment-for
                     - id: pl-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -41241,6 +45082,9 @@ catalog:
                               value: PL-02a.02[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
                         - id: pl-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -41248,6 +45092,12 @@ catalog:
                               value: PL-02a.02[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.2'
+                          rel: assessment-for
                     - id: pl-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -41262,6 +45112,9 @@ catalog:
                               value: PL-02a.03[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
                         - id: pl-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -41269,6 +45122,12 @@ catalog:
                               value: PL-02a.03[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.3'
+                          rel: assessment-for
                     - id: pl-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -41283,6 +45142,9 @@ catalog:
                               value: PL-02a.04[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
                         - id: pl-2_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -41290,6 +45152,12 @@ catalog:
                               value: PL-02a.04[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.4'
+                          rel: assessment-for
                     - id: pl-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -41304,6 +45172,9 @@ catalog:
                               value: PL-02a.05[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
                         - id: pl-2_obj.a.5-2
                           name: assessment-objective
                           props:
@@ -41311,6 +45182,12 @@ catalog:
                               value: PL-02a.05[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.5'
+                          rel: assessment-for
                     - id: pl-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -41325,6 +45202,9 @@ catalog:
                               value: PL-02a.06[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
                         - id: pl-2_obj.a.6-2
                           name: assessment-objective
                           props:
@@ -41332,6 +45212,12 @@ catalog:
                               value: PL-02a.06[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.6'
+                          rel: assessment-for
                     - id: pl-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -41346,6 +45232,9 @@ catalog:
                               value: PL-02a.07[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
                         - id: pl-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -41353,6 +45242,12 @@ catalog:
                               value: PL-02a.07[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.7'
+                          rel: assessment-for
                     - id: pl-2_obj.a.8
                       name: assessment-objective
                       props:
@@ -41367,6 +45262,9 @@ catalog:
                               value: PL-02a.08[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
                         - id: pl-2_obj.a.8-2
                           name: assessment-objective
                           props:
@@ -41374,6 +45272,12 @@ catalog:
                               value: PL-02a.08[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.8'
+                          rel: assessment-for
                     - id: pl-2_obj.a.9
                       name: assessment-objective
                       props:
@@ -41388,6 +45292,9 @@ catalog:
                               value: PL-02a.09[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
                         - id: pl-2_obj.a.9-2
                           name: assessment-objective
                           props:
@@ -41395,6 +45302,12 @@ catalog:
                               value: PL-02a.09[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.9'
+                          rel: assessment-for
                     - id: pl-2_obj.a.10
                       name: assessment-objective
                       props:
@@ -41409,6 +45322,9 @@ catalog:
                               value: PL-02a.10[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides an overview of the security requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
                         - id: pl-2_obj.a.10-2
                           name: assessment-objective
                           props:
@@ -41416,6 +45332,12 @@ catalog:
                               value: PL-02a.10[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.10'
+                          rel: assessment-for
                     - id: pl-2_obj.a.11
                       name: assessment-objective
                       props:
@@ -41430,6 +45352,9 @@ catalog:
                               value: PL-02a.11[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
                         - id: pl-2_obj.a.11-2
                           name: assessment-objective
                           props:
@@ -41437,6 +45362,12 @@ catalog:
                               value: PL-02a.11[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.11'
+                          rel: assessment-for
                     - id: pl-2_obj.a.12
                       name: assessment-objective
                       props:
@@ -41451,6 +45382,9 @@ catalog:
                               value: PL-02a.12[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
                         - id: pl-2_obj.a.12-2
                           name: assessment-objective
                           props:
@@ -41458,6 +45392,12 @@ catalog:
                               value: PL-02a.12[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.12'
+                          rel: assessment-for
                     - id: pl-2_obj.a.13
                       name: assessment-objective
                       props:
@@ -41472,6 +45412,9 @@ catalog:
                               value: PL-02a.13[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
                         - id: pl-2_obj.a.13-2
                           name: assessment-objective
                           props:
@@ -41479,6 +45422,12 @@ catalog:
                               value: PL-02a.13[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.13'
+                          rel: assessment-for
                     - id: pl-2_obj.a.14
                       name: assessment-objective
                       props:
@@ -41493,6 +45442,9 @@ catalog:
                               value: PL-02a.14[01]
                               class: sp800-53a
                           prose: 'a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
                         - id: pl-2_obj.a.14-2
                           name: assessment-objective
                           props:
@@ -41500,6 +45452,12 @@ catalog:
                               value: PL-02a.14[02]
                               class: sp800-53a
                           prose: 'a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.14'
+                          rel: assessment-for
                     - id: pl-2_obj.a.15
                       name: assessment-objective
                       props:
@@ -41514,6 +45472,9 @@ catalog:
                               value: PL-02a.15[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
                         - id: pl-2_obj.a.15-2
                           name: assessment-objective
                           props:
@@ -41521,6 +45482,15 @@ catalog:
                               value: PL-02a.15[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.15'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.a'
+                      rel: assessment-for
                 - id: pl-2_obj.b
                   name: assessment-objective
                   props:
@@ -41535,6 +45505,9 @@ catalog:
                           value: PL-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
                     - id: pl-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -41542,6 +45515,12 @@ catalog:
                           value: PL-02b.[02]
                           class: sp800-53a
                       prose: 'subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.b'
+                      rel: assessment-for
                 - id: pl-2_obj.c
                   name: assessment-objective
                   props:
@@ -41549,6 +45528,9 @@ catalog:
                       value: PL-02c.
                       class: sp800-53a
                   prose: 'plans are reviewed {{ insert: param, pl-02_odp.03 }};'
+                  links:
+                    - href: '#pl-2_smt.c'
+                      rel: assessment-for
                 - id: pl-2_obj.d
                   name: assessment-objective
                   props:
@@ -41563,6 +45545,9 @@ catalog:
                           value: PL-02d.[01]
                           class: sp800-53a
                       prose: plans are updated to address changes to the system and environment of operations;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -41570,6 +45555,9 @@ catalog:
                           value: PL-02d.[02]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during the plan implementation;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-3
                       name: assessment-objective
                       props:
@@ -41577,6 +45565,12 @@ catalog:
                           value: PL-02d.[03]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during control assessments;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.d'
+                      rel: assessment-for
                 - id: pl-2_obj.e
                   name: assessment-objective
                   props:
@@ -41591,6 +45585,9 @@ catalog:
                           value: PL-02e.[01]
                           class: sp800-53a
                       prose: plans are protected from unauthorized disclosure;
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
                     - id: pl-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -41598,6 +45595,15 @@ catalog:
                           value: PL-02e.[02]
                           class: sp800-53a
                       prose: plans are protected from unauthorized modification.
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pl-2_smt'
+                  rel: assessment-for
             - id: pl-2_asm-examine
               name: assessment-method
               props:
@@ -41810,6 +45816,9 @@ catalog:
                           value: PL-04a.[01]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
                     - id: pl-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -41817,6 +45826,12 @@ catalog:
                           value: PL-04a.[02]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4_smt.a'
+                      rel: assessment-for
                 - id: pl-4_obj.b
                   name: assessment-objective
                   props:
@@ -41824,6 +45839,9 @@ catalog:
                       value: PL-04b.
                       class: sp800-53a
                   prose: before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+                  links:
+                    - href: '#pl-4_smt.b'
+                      rel: assessment-for
                 - id: pl-4_obj.c
                   name: assessment-objective
                   props:
@@ -41831,6 +45849,9 @@ catalog:
                       value: PL-04c.
                       class: sp800-53a
                   prose: 'rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};'
+                  links:
+                    - href: '#pl-4_smt.c'
+                      rel: assessment-for
                 - id: pl-4_obj.d
                   name: assessment-objective
                   props:
@@ -41838,6 +45859,12 @@ catalog:
                       value: PL-04d.
                       class: sp800-53a
                   prose: 'individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.'
+                  links:
+                    - href: '#pl-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pl-4_smt'
+                  rel: assessment-for
             - id: pl-4_asm-examine
               name: assessment-method
               props:
@@ -41960,6 +45987,9 @@ catalog:
                           value: PL-04(01)(a)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+                      links:
+                        - href: '#pl-4.1_smt.a'
+                          rel: assessment-for
                     - id: pl-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -41967,6 +45997,9 @@ catalog:
                           value: PL-04(01)(b)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on posting organizational information on public websites;
+                      links:
+                        - href: '#pl-4.1_smt.b'
+                          rel: assessment-for
                     - id: pl-4.1_obj.c
                       name: assessment-objective
                       props:
@@ -41974,6 +46007,12 @@ catalog:
                           value: PL-04(01)(c)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+                      links:
+                        - href: '#pl-4.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4.1_smt'
+                      rel: assessment-for
                 - id: pl-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -42168,6 +46207,9 @@ catalog:
                           value: PL-08a.01
                           class: sp800-53a
                       prose: a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+                      links:
+                        - href: '#pl-8_smt.a.1'
+                          rel: assessment-for
                     - id: pl-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -42175,6 +46217,9 @@ catalog:
                           value: PL-08a.02
                           class: sp800-53a
                       prose: a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+                      links:
+                        - href: '#pl-8_smt.a.2'
+                          rel: assessment-for
                     - id: pl-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -42189,6 +46234,9 @@ catalog:
                               value: PL-08a.03[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
                         - id: pl-8_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -42196,6 +46244,12 @@ catalog:
                               value: PL-08a.03[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.3'
+                          rel: assessment-for
                     - id: pl-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -42210,6 +46264,9 @@ catalog:
                               value: PL-08a.04[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
                         - id: pl-8_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -42217,6 +46274,15 @@ catalog:
                               value: PL-08a.04[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.a'
+                      rel: assessment-for
                 - id: pl-8_obj.b
                   name: assessment-objective
                   props:
@@ -42224,6 +46290,9 @@ catalog:
                       value: PL-08b.
                       class: sp800-53a
                   prose: 'changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;'
+                  links:
+                    - href: '#pl-8_smt.b'
+                      rel: assessment-for
                 - id: pl-8_obj.c
                   name: assessment-objective
                   props:
@@ -42238,6 +46307,9 @@ catalog:
                           value: PL-08c.[01]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the security plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-2
                       name: assessment-objective
                       props:
@@ -42245,6 +46317,9 @@ catalog:
                           value: PL-08c.[02]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the privacy plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-3
                       name: assessment-objective
                       props:
@@ -42252,6 +46327,9 @@ catalog:
                           value: PL-08c.[03]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the Concept of Operations (CONOPS);
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-4
                       name: assessment-objective
                       props:
@@ -42259,6 +46337,9 @@ catalog:
                           value: PL-08c.[04]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in criticality analysis;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-5
                       name: assessment-objective
                       props:
@@ -42266,6 +46347,9 @@ catalog:
                           value: PL-08c.[05]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in organizational procedures;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-6
                       name: assessment-objective
                       props:
@@ -42273,6 +46357,15 @@ catalog:
                           value: PL-08c.[06]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in procurements and acquisitions.
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-8_smt'
+                  rel: assessment-for
             - id: pl-8_asm-examine
               name: assessment-method
               props:
@@ -42395,6 +46488,9 @@ catalog:
                   value: PL-10
                   class: sp800-53a
               prose: a control baseline for the system is selected.
+              links:
+                - href: '#pl-10_smt'
+                  rel: assessment-for
             - id: pl-10_asm-examine
               name: assessment-method
               props:
@@ -42520,6 +46616,9 @@ catalog:
                   value: PL-11
                   class: sp800-53a
               prose: the selected control baseline is tailored by applying specified tailoring actions.
+              links:
+                - href: '#pl-11_smt'
+                  rel: assessment-for
             - id: pl-11_asm-examine
               name: assessment-method
               props:
@@ -42794,6 +46893,9 @@ catalog:
                           value: PS-01a.[01]
                           class: sp800-53a
                       prose: a personnel security policy is developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -42801,6 +46903,9 @@ catalog:
                           value: PS-01a.[02]
                           class: sp800-53a
                       prose: 'the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -42808,6 +46913,9 @@ catalog:
                           value: PS-01a.[03]
                           class: sp800-53a
                       prose: personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -42815,6 +46923,9 @@ catalog:
                           value: PS-01a.[04]
                           class: sp800-53a
                       prose: 'the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -42836,6 +46947,9 @@ catalog:
                                   value: PS-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -42843,6 +46957,9 @@ catalog:
                                   value: PS-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -42850,6 +46967,9 @@ catalog:
                                   value: PS-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -42857,6 +46977,9 @@ catalog:
                                   value: PS-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -42864,6 +46987,9 @@ catalog:
                                   value: PS-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -42871,6 +46997,9 @@ catalog:
                                   value: PS-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -42878,6 +47007,12 @@ catalog:
                                   value: PS-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ps-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ps-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -42885,6 +47020,15 @@ catalog:
                               value: PS-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ps-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.a'
+                      rel: assessment-for
                 - id: ps-1_obj.b
                   name: assessment-objective
                   props:
@@ -42892,6 +47036,9 @@ catalog:
                       value: PS-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;'
+                  links:
+                    - href: '#ps-1_smt.b'
+                      rel: assessment-for
                 - id: ps-1_obj.c
                   name: assessment-objective
                   props:
@@ -42913,6 +47060,9 @@ catalog:
                               value: PS-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
                         - id: ps-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -42920,6 +47070,12 @@ catalog:
                               value: PS-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.1'
+                          rel: assessment-for
                     - id: ps-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -42934,6 +47090,9 @@ catalog:
                               value: PS-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
                         - id: ps-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -42941,6 +47100,18 @@ catalog:
                               value: PS-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-1_smt'
+                  rel: assessment-for
             - id: ps-1_asm-examine
               name: assessment-method
               props:
@@ -43070,6 +47241,9 @@ catalog:
                       value: PS-02a.
                       class: sp800-53a
                   prose: a risk designation is assigned to all organizational positions;
+                  links:
+                    - href: '#ps-2_smt.a'
+                      rel: assessment-for
                 - id: ps-2_obj.b
                   name: assessment-objective
                   props:
@@ -43077,6 +47251,9 @@ catalog:
                       value: PS-02b.
                       class: sp800-53a
                   prose: screening criteria are established for individuals filling organizational positions;
+                  links:
+                    - href: '#ps-2_smt.b'
+                      rel: assessment-for
                 - id: ps-2_obj.c
                   name: assessment-objective
                   props:
@@ -43084,6 +47261,12 @@ catalog:
                       value: PS-02c.
                       class: sp800-53a
                   prose: 'position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.'
+                  links:
+                    - href: '#ps-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-2_smt'
+                  rel: assessment-for
             - id: ps-2_asm-examine
               name: assessment-method
               props:
@@ -43249,6 +47432,9 @@ catalog:
                       value: PS-03a.
                       class: sp800-53a
                   prose: individuals are screened prior to authorizing access to the system;
+                  links:
+                    - href: '#ps-3_smt.a'
+                      rel: assessment-for
                 - id: ps-3_obj.b
                   name: assessment-objective
                   props:
@@ -43263,6 +47449,9 @@ catalog:
                           value: PS-03b.[01]
                           class: sp800-53a
                       prose: 'individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
                     - id: ps-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -43270,6 +47459,15 @@ catalog:
                           value: PS-03b.[02]
                           class: sp800-53a
                       prose: 'where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-3_smt'
+                  rel: assessment-for
             - id: ps-3_asm-examine
               name: assessment-method
               props:
@@ -43418,6 +47616,9 @@ catalog:
                       value: PS-04a.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};'
+                  links:
+                    - href: '#ps-4_smt.a'
+                      rel: assessment-for
                 - id: ps-4_obj.b
                   name: assessment-objective
                   props:
@@ -43425,6 +47626,9 @@ catalog:
                       value: PS-04b.
                       class: sp800-53a
                   prose: upon termination of individual employment, any authenticators and credentials are terminated or revoked;
+                  links:
+                    - href: '#ps-4_smt.b'
+                      rel: assessment-for
                 - id: ps-4_obj.c
                   name: assessment-objective
                   props:
@@ -43432,6 +47636,9 @@ catalog:
                       value: PS-04c.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;'
+                  links:
+                    - href: '#ps-4_smt.c'
+                      rel: assessment-for
                 - id: ps-4_obj.d
                   name: assessment-objective
                   props:
@@ -43439,6 +47646,9 @@ catalog:
                       value: PS-04d.
                       class: sp800-53a
                   prose: upon termination of individual employment, all security-related organizational system-related property is retrieved;
+                  links:
+                    - href: '#ps-4_smt.d'
+                      rel: assessment-for
                 - id: ps-4_obj.e
                   name: assessment-objective
                   props:
@@ -43446,6 +47656,12 @@ catalog:
                       value: PS-04e.
                       class: sp800-53a
                   prose: upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.
+                  links:
+                    - href: '#ps-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-4_smt'
+                  rel: assessment-for
             - id: ps-4_asm-examine
               name: assessment-method
               props:
@@ -43574,6 +47790,9 @@ catalog:
                       value: PS-04(02)
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.'
+                  links:
+                    - href: '#ps-4.2_smt'
+                      rel: assessment-for
                 - id: ps-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -43744,6 +47963,9 @@ catalog:
                       value: PS-05a.
                       class: sp800-53a
                   prose: the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;
+                  links:
+                    - href: '#ps-5_smt.a'
+                      rel: assessment-for
                 - id: ps-5_obj.b
                   name: assessment-objective
                   props:
@@ -43751,6 +47973,9 @@ catalog:
                       value: PS-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};'
+                  links:
+                    - href: '#ps-5_smt.b'
+                      rel: assessment-for
                 - id: ps-5_obj.c
                   name: assessment-objective
                   props:
@@ -43758,6 +47983,9 @@ catalog:
                       value: PS-05c.
                       class: sp800-53a
                   prose: access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;
+                  links:
+                    - href: '#ps-5_smt.c'
+                      rel: assessment-for
                 - id: ps-5_obj.d
                   name: assessment-objective
                   props:
@@ -43765,6 +47993,12 @@ catalog:
                       value: PS-05d.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.'
+                  links:
+                    - href: '#ps-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ps-5_smt'
+                  rel: assessment-for
             - id: ps-5_asm-examine
               name: assessment-method
               props:
@@ -43935,6 +48169,9 @@ catalog:
                       value: PS-06a.
                       class: sp800-53a
                   prose: access agreements are developed and documented for organizational systems;
+                  links:
+                    - href: '#ps-6_smt.a'
+                      rel: assessment-for
                 - id: ps-6_obj.b
                   name: assessment-objective
                   props:
@@ -43942,6 +48179,9 @@ catalog:
                       value: PS-06b.
                       class: sp800-53a
                   prose: 'the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};'
+                  links:
+                    - href: '#ps-6_smt.b'
+                      rel: assessment-for
                 - id: ps-6_obj.c
                   name: assessment-objective
                   props:
@@ -43956,6 +48196,9 @@ catalog:
                           value: PS-06c.01
                           class: sp800-53a
                       prose: individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+                      links:
+                        - href: '#ps-6_smt.c.1'
+                          rel: assessment-for
                     - id: ps-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -43963,6 +48206,15 @@ catalog:
                           value: PS-06c.02
                           class: sp800-53a
                       prose: 'individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.'
+                      links:
+                        - href: '#ps-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-6_smt'
+                  rel: assessment-for
             - id: ps-6_asm-examine
               name: assessment-method
               props:
@@ -44144,6 +48396,9 @@ catalog:
                       value: PS-07a.
                       class: sp800-53a
                   prose: personnel security requirements are established, including security roles and responsibilities for external providers;
+                  links:
+                    - href: '#ps-7_smt.a'
+                      rel: assessment-for
                 - id: ps-7_obj.b
                   name: assessment-objective
                   props:
@@ -44151,6 +48406,9 @@ catalog:
                       value: PS-07b.
                       class: sp800-53a
                   prose: external providers are required to comply with personnel security policies and procedures established by the organization;
+                  links:
+                    - href: '#ps-7_smt.b'
+                      rel: assessment-for
                 - id: ps-7_obj.c
                   name: assessment-objective
                   props:
@@ -44158,6 +48416,9 @@ catalog:
                       value: PS-07c.
                       class: sp800-53a
                   prose: personnel security requirements are documented;
+                  links:
+                    - href: '#ps-7_smt.c'
+                      rel: assessment-for
                 - id: ps-7_obj.d
                   name: assessment-objective
                   props:
@@ -44165,6 +48426,9 @@ catalog:
                       value: PS-07d.
                       class: sp800-53a
                   prose: 'external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};'
+                  links:
+                    - href: '#ps-7_smt.d'
+                      rel: assessment-for
                 - id: ps-7_obj.e
                   name: assessment-objective
                   props:
@@ -44172,6 +48436,12 @@ catalog:
                       value: PS-07e.
                       class: sp800-53a
                   prose: provider compliance with personnel security requirements is monitored.
+                  links:
+                    - href: '#ps-7_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-7_smt'
+                  rel: assessment-for
             - id: ps-7_asm-examine
               name: assessment-method
               props:
@@ -44312,6 +48582,9 @@ catalog:
                       value: PS-08a.
                       class: sp800-53a
                   prose: a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;
+                  links:
+                    - href: '#ps-8_smt.a'
+                      rel: assessment-for
                 - id: ps-8_obj.b
                   name: assessment-objective
                   props:
@@ -44319,6 +48592,12 @@ catalog:
                       value: PS-08b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.'
+                  links:
+                    - href: '#ps-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-8_smt'
+                  rel: assessment-for
             - id: ps-8_asm-examine
               name: assessment-method
               props:
@@ -44420,6 +48699,9 @@ catalog:
                       value: PS-09[01]
                       class: sp800-53a
                   prose: security roles and responsibilities are incorporated into organizational position descriptions;
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
                 - id: ps-9_obj-2
                   name: assessment-objective
                   props:
@@ -44427,6 +48709,12 @@ catalog:
                       value: PS-09[02]
                       class: sp800-53a
                   prose: privacy roles and responsibilities are incorporated into organizational position descriptions.
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ps-9_smt'
+                  rel: assessment-for
             - id: ps-9_asm-examine
               name: assessment-method
               props:
@@ -44695,6 +48983,9 @@ catalog:
                           value: RA-01a.[01]
                           class: sp800-53a
                       prose: a risk assessment policy is developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -44702,6 +48993,9 @@ catalog:
                           value: RA-01a.[02]
                           class: sp800-53a
                       prose: 'the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -44709,6 +49003,9 @@ catalog:
                           value: RA-01a.[03]
                           class: sp800-53a
                       prose: risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -44716,6 +49013,9 @@ catalog:
                           value: RA-01a.[04]
                           class: sp800-53a
                       prose: 'the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -44737,6 +49037,9 @@ catalog:
                                   value: RA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -44744,6 +49047,9 @@ catalog:
                                   value: RA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -44751,6 +49057,9 @@ catalog:
                                   value: RA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -44758,6 +49067,9 @@ catalog:
                                   value: RA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -44765,6 +49077,9 @@ catalog:
                                   value: RA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -44772,6 +49087,9 @@ catalog:
                                   value: RA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -44779,6 +49097,12 @@ catalog:
                                   value: RA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ra-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ra-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -44786,6 +49110,15 @@ catalog:
                               value: RA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ra-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.a'
+                      rel: assessment-for
                 - id: ra-1_obj.b
                   name: assessment-objective
                   props:
@@ -44793,6 +49126,9 @@ catalog:
                       value: RA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;'
+                  links:
+                    - href: '#ra-1_smt.b'
+                      rel: assessment-for
                 - id: ra-1_obj.c
                   name: assessment-objective
                   props:
@@ -44814,6 +49150,9 @@ catalog:
                               value: RA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
                         - id: ra-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -44821,6 +49160,12 @@ catalog:
                               value: RA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.1'
+                          rel: assessment-for
                     - id: ra-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -44835,6 +49180,9 @@ catalog:
                               value: RA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
                         - id: ra-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -44842,6 +49190,18 @@ catalog:
                               value: RA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-1_smt'
+                  rel: assessment-for
             - id: ra-1_asm-examine
               name: assessment-method
               props:
@@ -44983,6 +49343,9 @@ catalog:
                       value: RA-02a.
                       class: sp800-53a
                   prose: the system and the information it processes, stores, and transmits are categorized;
+                  links:
+                    - href: '#ra-2_smt.a'
+                      rel: assessment-for
                 - id: ra-2_obj.b
                   name: assessment-objective
                   props:
@@ -44990,6 +49353,9 @@ catalog:
                       value: RA-02b.
                       class: sp800-53a
                   prose: the security categorization results, including supporting rationale, are documented in the security plan for the system;
+                  links:
+                    - href: '#ra-2_smt.b'
+                      rel: assessment-for
                 - id: ra-2_obj.c
                   name: assessment-objective
                   props:
@@ -44997,6 +49363,12 @@ catalog:
                       value: RA-02c.
                       class: sp800-53a
                   prose: the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
+                  links:
+                    - href: '#ra-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-2_smt'
+                  rel: assessment-for
             - id: ra-2_asm-examine
               name: assessment-method
               props:
@@ -45274,6 +49646,9 @@ catalog:
                           value: RA-03a.01
                           class: sp800-53a
                       prose: a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+                      links:
+                        - href: '#ra-3_smt.a.1'
+                          rel: assessment-for
                     - id: ra-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -45281,6 +49656,9 @@ catalog:
                           value: RA-03a.02
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+                      links:
+                        - href: '#ra-3_smt.a.2'
+                          rel: assessment-for
                     - id: ra-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -45288,6 +49666,12 @@ catalog:
                           value: RA-03a.03
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+                      links:
+                        - href: '#ra-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3_smt.a'
+                      rel: assessment-for
                 - id: ra-3_obj.b
                   name: assessment-objective
                   props:
@@ -45295,6 +49679,9 @@ catalog:
                       value: RA-03b.
                       class: sp800-53a
                   prose: risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+                  links:
+                    - href: '#ra-3_smt.b'
+                      rel: assessment-for
                 - id: ra-3_obj.c
                   name: assessment-objective
                   props:
@@ -45302,6 +49689,9 @@ catalog:
                       value: RA-03c.
                       class: sp800-53a
                   prose: 'risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};'
+                  links:
+                    - href: '#ra-3_smt.c'
+                      rel: assessment-for
                 - id: ra-3_obj.d
                   name: assessment-objective
                   props:
@@ -45309,6 +49699,9 @@ catalog:
                       value: RA-03d.
                       class: sp800-53a
                   prose: 'risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};'
+                  links:
+                    - href: '#ra-3_smt.d'
+                      rel: assessment-for
                 - id: ra-3_obj.e
                   name: assessment-objective
                   props:
@@ -45316,6 +49709,9 @@ catalog:
                       value: RA-03e.
                       class: sp800-53a
                   prose: 'risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};'
+                  links:
+                    - href: '#ra-3_smt.e'
+                      rel: assessment-for
                 - id: ra-3_obj.f
                   name: assessment-objective
                   props:
@@ -45323,6 +49719,12 @@ catalog:
                       value: RA-03f.
                       class: sp800-53a
                   prose: 'the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.'
+                  links:
+                    - href: '#ra-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-3_smt'
+                  rel: assessment-for
             - id: ra-3_asm-examine
               name: assessment-method
               props:
@@ -45471,6 +49873,9 @@ catalog:
                           value: RA-03(01)(a)
                           class: sp800-53a
                       prose: 'supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;'
+                      links:
+                        - href: '#ra-3.1_smt.a'
+                          rel: assessment-for
                     - id: ra-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -45478,6 +49883,12 @@ catalog:
                           value: RA-03(01)(b)
                           class: sp800-53a
                       prose: 'the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.'
+                      links:
+                        - href: '#ra-3.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3.1_smt'
+                      rel: assessment-for
                 - id: ra-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -45753,6 +50164,9 @@ catalog:
                           value: RA-05a.[01]
                           class: sp800-53a
                       prose: 'systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
                     - id: ra-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -45760,6 +50174,12 @@ catalog:
                           value: RA-05a.[02]
                           class: sp800-53a
                       prose: 'systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.a'
+                      rel: assessment-for
                 - id: ra-5_obj.b
                   name: assessment-objective
                   props:
@@ -45775,6 +50195,9 @@ catalog:
                           value: RA-05b.01
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
+                      links:
+                        - href: '#ra-5_smt.b.1'
+                          rel: assessment-for
                     - id: ra-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -45782,6 +50205,9 @@ catalog:
                           value: RA-05b.02
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
+                      links:
+                        - href: '#ra-5_smt.b.2'
+                          rel: assessment-for
                     - id: ra-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -45789,6 +50215,12 @@ catalog:
                           value: RA-05b.03
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
+                      links:
+                        - href: '#ra-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.b'
+                      rel: assessment-for
                 - id: ra-5_obj.c
                   name: assessment-objective
                   props:
@@ -45796,6 +50228,9 @@ catalog:
                       value: RA-05c.
                       class: sp800-53a
                   prose: vulnerability scan reports and results from vulnerability monitoring are analyzed;
+                  links:
+                    - href: '#ra-5_smt.c'
+                      rel: assessment-for
                 - id: ra-5_obj.d
                   name: assessment-objective
                   props:
@@ -45803,6 +50238,9 @@ catalog:
                       value: RA-05d.
                       class: sp800-53a
                   prose: 'legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;'
+                  links:
+                    - href: '#ra-5_smt.d'
+                      rel: assessment-for
                 - id: ra-5_obj.e
                   name: assessment-objective
                   props:
@@ -45810,6 +50248,9 @@ catalog:
                       value: RA-05e.
                       class: sp800-53a
                   prose: 'information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;'
+                  links:
+                    - href: '#ra-5_smt.e'
+                      rel: assessment-for
                 - id: ra-5_obj.f
                   name: assessment-objective
                   props:
@@ -45817,6 +50258,12 @@ catalog:
                       value: RA-05f.
                       class: sp800-53a
                   prose: vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
+                  links:
+                    - href: '#ra-5_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-5_smt'
+                  rel: assessment-for
             - id: ra-5_asm-examine
               name: assessment-method
               props:
@@ -45943,6 +50390,9 @@ catalog:
                       value: RA-05(02)
                       class: sp800-53a
                   prose: 'the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.'
+                  links:
+                    - href: '#ra-5.2_smt'
+                      rel: assessment-for
                 - id: ra-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -46058,6 +50508,9 @@ catalog:
                           value: RA-05(04)[01]
                           class: sp800-53a
                       prose: information about the system is discoverable;
+                      links:
+                        - href: '#ra-5.4_smt'
+                          rel: assessment-for
                     - id: ra-5.4_obj-2
                       name: assessment-objective
                       props:
@@ -46065,6 +50518,12 @@ catalog:
                           value: RA-05(04)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.'
+                      links:
+                        - href: '#ra-5.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5.4_smt'
+                      rel: assessment-for
                 - id: ra-5.4_asm-examine
                   name: assessment-method
                   props:
@@ -46195,6 +50654,9 @@ catalog:
                       value: RA-05(05)
                       class: sp800-53a
                   prose: 'privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.'
+                  links:
+                    - href: '#ra-5.5_smt'
+                      rel: assessment-for
                 - id: ra-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -46302,6 +50764,9 @@ catalog:
                       value: RA-05(11)
                       class: sp800-53a
                   prose: a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
+                  links:
+                    - href: '#ra-5.11_smt'
+                      rel: assessment-for
                 - id: ra-5.11_asm-examine
                   name: assessment-method
                   props:
@@ -46432,6 +50897,9 @@ catalog:
                       value: RA-07[01]
                       class: sp800-53a
                   prose: findings from security assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-2
                   name: assessment-objective
                   props:
@@ -46439,6 +50907,9 @@ catalog:
                       value: RA-07[02]
                       class: sp800-53a
                   prose: findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-3
                   name: assessment-objective
                   props:
@@ -46446,6 +50917,9 @@ catalog:
                       value: RA-07[03]
                       class: sp800-53a
                   prose: findings from monitoring are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-4
                   name: assessment-objective
                   props:
@@ -46453,6 +50927,12 @@ catalog:
                       value: RA-07[04]
                       class: sp800-53a
                   prose: findings from audits are responded to in accordance with organizational risk tolerance.
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ra-7_smt'
+                  rel: assessment-for
             - id: ra-7_asm-examine
               name: assessment-method
               props:
@@ -46587,6 +51067,9 @@ catalog:
                   value: RA-09
                   class: sp800-53a
               prose: 'critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.'
+              links:
+                - href: '#ra-9_smt'
+                  rel: assessment-for
             - id: ra-9_asm-examine
               name: assessment-method
               props:
@@ -46862,6 +51345,9 @@ catalog:
                           value: SA-01a.[01]
                           class: sp800-53a
                       prose: a system and services acquisition policy is developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -46869,6 +51355,9 @@ catalog:
                           value: SA-01a.[02]
                           class: sp800-53a
                       prose: 'the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -46876,6 +51365,9 @@ catalog:
                           value: SA-01a.[03]
                           class: sp800-53a
                       prose: system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -46883,6 +51375,9 @@ catalog:
                           value: SA-01a.[04]
                           class: sp800-53a
                       prose: 'the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -46904,6 +51399,9 @@ catalog:
                                   value: SA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -46911,6 +51409,9 @@ catalog:
                                   value: SA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -46918,6 +51419,9 @@ catalog:
                                   value: SA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -46925,6 +51429,9 @@ catalog:
                                   value: SA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -46932,6 +51439,9 @@ catalog:
                                   value: SA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -46939,6 +51449,9 @@ catalog:
                                   value: SA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -46946,6 +51459,12 @@ catalog:
                                   value: SA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sa-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sa-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -46953,6 +51472,15 @@ catalog:
                               value: SA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sa-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.a'
+                      rel: assessment-for
                 - id: sa-1_obj.b
                   name: assessment-objective
                   props:
@@ -46960,6 +51488,9 @@ catalog:
                       value: SA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;'
+                  links:
+                    - href: '#sa-1_smt.b'
+                      rel: assessment-for
                 - id: sa-1_obj.c
                   name: assessment-objective
                   props:
@@ -46981,6 +51512,9 @@ catalog:
                               value: SA-01c.01[01]
                               class: sp800-53a
                           prose: 'the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
                         - id: sa-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -46988,6 +51522,12 @@ catalog:
                               value: SA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.1'
+                          rel: assessment-for
                     - id: sa-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -47002,6 +51542,9 @@ catalog:
                               value: SA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
                         - id: sa-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -47009,6 +51552,18 @@ catalog:
                               value: SA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-1_smt'
+                  rel: assessment-for
             - id: sa-1_asm-examine
               name: assessment-method
               props:
@@ -47135,6 +51690,9 @@ catalog:
                           value: SA-02a.[01]
                           class: sp800-53a
                       prose: the high-level information security requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
                     - id: sa-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -47142,6 +51700,12 @@ catalog:
                           value: SA-02a.[02]
                           class: sp800-53a
                       prose: the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.a'
+                      rel: assessment-for
                 - id: sa-2_obj.b
                   name: assessment-objective
                   props:
@@ -47156,6 +51720,9 @@ catalog:
                           value: SA-02b.[01]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
                     - id: sa-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -47163,6 +51730,12 @@ catalog:
                           value: SA-02b.[02]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.b'
+                      rel: assessment-for
                 - id: sa-2_obj.c
                   name: assessment-objective
                   props:
@@ -47177,6 +51750,9 @@ catalog:
                           value: SA-02c.[01]
                           class: sp800-53a
                       prose: a discrete line item for information security is established in organizational programming and budgeting documentation;
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
                     - id: sa-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -47184,6 +51760,15 @@ catalog:
                           value: SA-02c.[02]
                           class: sp800-53a
                       prose: a discrete line item for privacy is established in organizational programming and budgeting documentation.
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-2_smt'
+                  rel: assessment-for
             - id: sa-2_asm-examine
               name: assessment-method
               props:
@@ -47376,6 +51961,9 @@ catalog:
                           value: SA-03a.[01]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
                     - id: sa-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -47383,6 +51971,12 @@ catalog:
                           value: SA-03a.[02]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.a'
+                      rel: assessment-for
                 - id: sa-3_obj.b
                   name: assessment-objective
                   props:
@@ -47397,6 +51991,9 @@ catalog:
                           value: SA-03b.[01]
                           class: sp800-53a
                       prose: information security roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
                     - id: sa-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -47404,6 +52001,12 @@ catalog:
                           value: SA-03b.[02]
                           class: sp800-53a
                       prose: privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.b'
+                      rel: assessment-for
                 - id: sa-3_obj.c
                   name: assessment-objective
                   props:
@@ -47418,6 +52021,9 @@ catalog:
                           value: SA-03c.[01]
                           class: sp800-53a
                       prose: individuals with information security roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
                     - id: sa-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -47425,6 +52031,12 @@ catalog:
                           value: SA-03c.[02]
                           class: sp800-53a
                       prose: individuals with privacy roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.c'
+                      rel: assessment-for
                 - id: sa-3_obj.d
                   name: assessment-objective
                   props:
@@ -47439,6 +52051,9 @@ catalog:
                           value: SA-03d.[01]
                           class: sp800-53a
                       prose: organizational information security risk management processes are integrated into system development life cycle activities;
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
                     - id: sa-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -47446,6 +52061,15 @@ catalog:
                           value: SA-03d.[02]
                           class: sp800-53a
                       prose: organizational privacy risk management processes are integrated into system development life cycle activities.
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-3_smt'
+                  rel: assessment-for
             - id: sa-3_asm-examine
               name: assessment-method
               props:
@@ -47718,6 +52342,9 @@ catalog:
                           value: SA-04a.[01]
                           class: sp800-53a
                       prose: 'security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
                     - id: sa-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -47725,6 +52352,12 @@ catalog:
                           value: SA-04a.[02]
                           class: sp800-53a
                       prose: 'privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.a'
+                      rel: assessment-for
                 - id: sa-4_obj.b
                   name: assessment-objective
                   props:
@@ -47732,6 +52365,9 @@ catalog:
                       value: SA-04b.
                       class: sp800-53a
                   prose: 'strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.b'
+                      rel: assessment-for
                 - id: sa-4_obj.c
                   name: assessment-objective
                   props:
@@ -47746,6 +52382,9 @@ catalog:
                           value: SA-04c.[01]
                           class: sp800-53a
                       prose: 'security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
                     - id: sa-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -47753,6 +52392,12 @@ catalog:
                           value: SA-04c.[02]
                           class: sp800-53a
                       prose: 'privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.c'
+                      rel: assessment-for
                 - id: sa-4_obj.d
                   name: assessment-objective
                   props:
@@ -47767,6 +52412,9 @@ catalog:
                           value: SA-04d.[01]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
                     - id: sa-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -47774,6 +52422,12 @@ catalog:
                           value: SA-04d.[02]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.d'
+                      rel: assessment-for
                 - id: sa-4_obj.e
                   name: assessment-objective
                   props:
@@ -47788,6 +52442,9 @@ catalog:
                           value: SA-04e.[01]
                           class: sp800-53a
                       prose: 'security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
                     - id: sa-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -47795,6 +52452,12 @@ catalog:
                           value: SA-04e.[02]
                           class: sp800-53a
                       prose: 'privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.e'
+                      rel: assessment-for
                 - id: sa-4_obj.f
                   name: assessment-objective
                   props:
@@ -47809,6 +52472,9 @@ catalog:
                           value: SA-04f.[01]
                           class: sp800-53a
                       prose: 'requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
                     - id: sa-4_obj.f-2
                       name: assessment-objective
                       props:
@@ -47816,6 +52482,12 @@ catalog:
                           value: SA-04f.[02]
                           class: sp800-53a
                       prose: 'requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.f'
+                      rel: assessment-for
                 - id: sa-4_obj.g
                   name: assessment-objective
                   props:
@@ -47823,6 +52495,9 @@ catalog:
                       value: SA-04g.
                       class: sp800-53a
                   prose: 'the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.g'
+                      rel: assessment-for
                 - id: sa-4_obj.h
                   name: assessment-objective
                   props:
@@ -47837,6 +52512,9 @@ catalog:
                           value: SA-04h.[01]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-2
                       name: assessment-objective
                       props:
@@ -47844,6 +52522,9 @@ catalog:
                           value: SA-04h.[02]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-3
                       name: assessment-objective
                       props:
@@ -47851,6 +52532,12 @@ catalog:
                           value: SA-04h.[03]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.h'
+                      rel: assessment-for
                 - id: sa-4_obj.i
                   name: assessment-objective
                   props:
@@ -47858,6 +52545,12 @@ catalog:
                       value: SA-04i.
                       class: sp800-53a
                   prose: 'acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.'
+                  links:
+                    - href: '#sa-4_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#sa-4_smt'
+                  rel: assessment-for
             - id: sa-4_asm-examine
               name: assessment-method
               props:
@@ -47960,6 +52653,9 @@ catalog:
                       value: SA-04(01)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.
+                  links:
+                    - href: '#sa-4.1_smt'
+                      rel: assessment-for
                 - id: sa-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -48093,6 +52789,9 @@ catalog:
                       value: SA-04(02)
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.'
+                  links:
+                    - href: '#sa-4.2_smt'
+                      rel: assessment-for
                 - id: sa-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -48223,6 +52922,9 @@ catalog:
                           value: SA-04(05)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;'
+                      links:
+                        - href: '#sa-4.5_smt.a'
+                          rel: assessment-for
                     - id: sa-4.5_obj.b
                       name: assessment-objective
                       props:
@@ -48230,6 +52932,12 @@ catalog:
                           value: SA-04(05)(b)
                           class: sp800-53a
                       prose: the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.
+                      links:
+                        - href: '#sa-4.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.5_smt'
+                      rel: assessment-for
                 - id: sa-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -48335,6 +53043,9 @@ catalog:
                           value: SA-04(09)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the functions intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-2
                       name: assessment-objective
                       props:
@@ -48342,6 +53053,9 @@ catalog:
                           value: SA-04(09)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the ports intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-3
                       name: assessment-objective
                       props:
@@ -48349,6 +53063,9 @@ catalog:
                           value: SA-04(09)[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-4
                       name: assessment-objective
                       props:
@@ -48356,6 +53073,12 @@ catalog:
                           value: SA-04(09)[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the services intended for organizational use.
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.9_smt'
+                      rel: assessment-for
                 - id: sa-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -48452,6 +53175,9 @@ catalog:
                       value: SA-04(10)
                       class: sp800-53a
                   prose: only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
+                  links:
+                    - href: '#sa-4.10_smt'
+                      rel: assessment-for
                 - id: sa-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -48690,6 +53416,9 @@ catalog:
                               value: SA-05a.01[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -48697,6 +53426,9 @@ catalog:
                               value: SA-05a.01[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -48704,6 +53436,12 @@ catalog:
                               value: SA-05a.01[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.1'
+                          rel: assessment-for
                     - id: sa-5_obj.a.2
                       name: assessment-objective
                       props:
@@ -48718,6 +53456,9 @@ catalog:
                               value: SA-05a.02[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -48725,6 +53466,9 @@ catalog:
                               value: SA-05a.02[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -48732,6 +53476,9 @@ catalog:
                               value: SA-05a.02[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-4
                           name: assessment-objective
                           props:
@@ -48739,6 +53486,12 @@ catalog:
                               value: SA-05a.02[04]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.2'
+                          rel: assessment-for
                     - id: sa-5_obj.a.3
                       name: assessment-objective
                       props:
@@ -48753,6 +53506,9 @@ catalog:
                               value: SA-05a.03[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
                         - id: sa-5_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -48760,6 +53516,15 @@ catalog:
                               value: SA-05a.03[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.a'
+                      rel: assessment-for
                 - id: sa-5_obj.b
                   name: assessment-objective
                   props:
@@ -48781,6 +53546,9 @@ catalog:
                               value: SA-05b.01[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-2
                           name: assessment-objective
                           props:
@@ -48788,6 +53556,9 @@ catalog:
                               value: SA-05b.01[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-3
                           name: assessment-objective
                           props:
@@ -48795,6 +53566,9 @@ catalog:
                               value: SA-05b.01[03]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-4
                           name: assessment-objective
                           props:
@@ -48802,6 +53576,12 @@ catalog:
                               value: SA-05b.01[04]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.1'
+                          rel: assessment-for
                     - id: sa-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -48816,6 +53596,9 @@ catalog:
                               value: SA-05b.02[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
                         - id: sa-5_obj.b.2-2
                           name: assessment-objective
                           props:
@@ -48823,6 +53606,12 @@ catalog:
                               value: SA-05b.02[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.2'
+                          rel: assessment-for
                     - id: sa-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -48837,6 +53626,9 @@ catalog:
                               value: SA-05b.03[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
                         - id: sa-5_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -48844,6 +53636,15 @@ catalog:
                               value: SA-05b.03[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.b'
+                      rel: assessment-for
                 - id: sa-5_obj.c
                   name: assessment-objective
                   props:
@@ -48858,6 +53659,9 @@ catalog:
                           value: SA-05c.[01]
                           class: sp800-53a
                       prose: attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
                     - id: sa-5_obj.c-2
                       name: assessment-objective
                       props:
@@ -48865,6 +53669,12 @@ catalog:
                           value: SA-05c.[02]
                           class: sp800-53a
                       prose: 'after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;'
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.c'
+                      rel: assessment-for
                 - id: sa-5_obj.d
                   name: assessment-objective
                   props:
@@ -48872,6 +53682,12 @@ catalog:
                       value: SA-05d.
                       class: sp800-53a
                   prose: 'documentation is distributed to {{ insert: param, sa-05_odp.02 }}.'
+                  links:
+                    - href: '#sa-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-5_smt'
+                  rel: assessment-for
             - id: sa-5_asm-examine
               name: assessment-method
               props:
@@ -49068,6 +53884,9 @@ catalog:
                       value: SA-08[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-2
                   name: assessment-objective
                   props:
@@ -49075,6 +53894,9 @@ catalog:
                       value: SA-08[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-3
                   name: assessment-objective
                   props:
@@ -49082,6 +53904,9 @@ catalog:
                       value: SA-08[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-4
                   name: assessment-objective
                   props:
@@ -49089,6 +53914,9 @@ catalog:
                       value: SA-08[04]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-5
                   name: assessment-objective
                   props:
@@ -49096,6 +53924,9 @@ catalog:
                       value: SA-08[05]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-6
                   name: assessment-objective
                   props:
@@ -49103,6 +53934,9 @@ catalog:
                       value: SA-08[06]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-7
                   name: assessment-objective
                   props:
@@ -49110,6 +53944,9 @@ catalog:
                       value: SA-08[07]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-8
                   name: assessment-objective
                   props:
@@ -49117,6 +53954,9 @@ catalog:
                       value: SA-08[08]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-9
                   name: assessment-objective
                   props:
@@ -49124,6 +53964,9 @@ catalog:
                       value: SA-08[09]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-10
                   name: assessment-objective
                   props:
@@ -49131,6 +53974,12 @@ catalog:
                       value: SA-08[10]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sa-8_smt'
+                  rel: assessment-for
             - id: sa-8_asm-examine
               name: assessment-method
               props:
@@ -49317,6 +54166,9 @@ catalog:
                           value: SA-09a.[01]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational security requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -49324,6 +54176,9 @@ catalog:
                           value: SA-09a.[02]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational privacy requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -49331,6 +54186,12 @@ catalog:
                           value: SA-09a.[03]
                           class: sp800-53a
                       prose: 'providers of external system services employ {{ insert: param, sa-09_odp.01 }};'
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.a'
+                      rel: assessment-for
                 - id: sa-9_obj.b
                   name: assessment-objective
                   props:
@@ -49345,6 +54206,9 @@ catalog:
                           value: SA-09b.[01]
                           class: sp800-53a
                       prose: organizational oversight with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
                     - id: sa-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -49352,6 +54216,12 @@ catalog:
                           value: SA-09b.[02]
                           class: sp800-53a
                       prose: user roles and responsibilities with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.b'
+                      rel: assessment-for
                 - id: sa-9_obj.c
                   name: assessment-objective
                   props:
@@ -49359,6 +54229,12 @@ catalog:
                       value: SA-09c.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.'
+                  links:
+                    - href: '#sa-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-9_smt'
+                  rel: assessment-for
             - id: sa-9_asm-examine
               name: assessment-method
               props:
@@ -49482,6 +54358,9 @@ catalog:
                       value: SA-09(02)
                       class: sp800-53a
                   prose: 'providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.'
+                  links:
+                    - href: '#sa-9.2_smt'
+                      rel: assessment-for
                 - id: sa-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -49684,6 +54563,9 @@ catalog:
                       value: SA-10a.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};'
+                  links:
+                    - href: '#sa-10_smt.a'
+                      rel: assessment-for
                 - id: sa-10_obj.b
                   name: assessment-objective
                   props:
@@ -49698,6 +54580,9 @@ catalog:
                           value: SA-10b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-2
                       name: assessment-objective
                       props:
@@ -49705,6 +54590,9 @@ catalog:
                           value: SA-10b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-3
                       name: assessment-objective
                       props:
@@ -49712,6 +54600,12 @@ catalog:
                           value: SA-10b.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.b'
+                      rel: assessment-for
                 - id: sa-10_obj.c
                   name: assessment-objective
                   props:
@@ -49719,6 +54613,9 @@ catalog:
                       value: SA-10c.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;
+                  links:
+                    - href: '#sa-10_smt.c'
+                      rel: assessment-for
                 - id: sa-10_obj.d
                   name: assessment-objective
                   props:
@@ -49733,6 +54630,9 @@ catalog:
                           value: SA-10d.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-2
                       name: assessment-objective
                       props:
@@ -49740,6 +54640,9 @@ catalog:
                           value: SA-10d.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-3
                       name: assessment-objective
                       props:
@@ -49747,6 +54650,12 @@ catalog:
                           value: SA-10d.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.d'
+                      rel: assessment-for
                 - id: sa-10_obj.e
                   name: assessment-objective
                   props:
@@ -49761,6 +54670,9 @@ catalog:
                           value: SA-10e.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-2
                       name: assessment-objective
                       props:
@@ -49768,6 +54680,9 @@ catalog:
                           value: SA-10e.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-3
                       name: assessment-objective
                       props:
@@ -49775,6 +54690,15 @@ catalog:
                           value: SA-10e.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.'
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-10_smt'
+                  rel: assessment-for
             - id: sa-10_asm-examine
               name: assessment-method
               props:
@@ -50000,6 +54924,9 @@ catalog:
                           value: SA-11a.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -50007,6 +54934,9 @@ catalog:
                           value: SA-11a.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -50014,6 +54944,9 @@ catalog:
                           value: SA-11a.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -50021,6 +54954,12 @@ catalog:
                           value: SA-11a.[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.a'
+                      rel: assessment-for
                 - id: sa-11_obj.b
                   name: assessment-objective
                   props:
@@ -50028,6 +54967,9 @@ catalog:
                       value: SA-11b.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};'
+                  links:
+                    - href: '#sa-11_smt.b'
+                      rel: assessment-for
                 - id: sa-11_obj.c
                   name: assessment-objective
                   props:
@@ -50042,6 +54984,9 @@ catalog:
                           value: SA-11c.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
                     - id: sa-11_obj.c-2
                       name: assessment-objective
                       props:
@@ -50049,6 +54994,12 @@ catalog:
                           value: SA-11c.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.c'
+                      rel: assessment-for
                 - id: sa-11_obj.d
                   name: assessment-objective
                   props:
@@ -50056,6 +55007,9 @@ catalog:
                       value: SA-11d.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
+                  links:
+                    - href: '#sa-11_smt.d'
+                      rel: assessment-for
                 - id: sa-11_obj.e
                   name: assessment-objective
                   props:
@@ -50063,6 +55017,12 @@ catalog:
                       value: SA-11e.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
+                  links:
+                    - href: '#sa-11_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-11_smt'
+                  rel: assessment-for
             - id: sa-11_asm-examine
               name: assessment-method
               props:
@@ -50296,6 +55256,9 @@ catalog:
                               value: SA-15a.01[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
                         - id: sa-15_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -50303,6 +55266,12 @@ catalog:
                               value: SA-15a.01[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.1'
+                          rel: assessment-for
                     - id: sa-15_obj.a.2
                       name: assessment-objective
                       props:
@@ -50317,6 +55286,9 @@ catalog:
                               value: SA-15a.02[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
                         - id: sa-15_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -50324,6 +55296,12 @@ catalog:
                               value: SA-15a.02[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.2'
+                          rel: assessment-for
                     - id: sa-15_obj.a.3
                       name: assessment-objective
                       props:
@@ -50338,6 +55316,9 @@ catalog:
                               value: SA-15a.03[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
                         - id: sa-15_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -50345,6 +55326,12 @@ catalog:
                               value: SA-15a.03[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.3'
+                          rel: assessment-for
                     - id: sa-15_obj.a.4
                       name: assessment-objective
                       props:
@@ -50352,6 +55339,12 @@ catalog:
                           value: SA-15a.04
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;
+                      links:
+                        - href: '#sa-15_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.a'
+                      rel: assessment-for
                 - id: sa-15_obj.b
                   name: assessment-objective
                   props:
@@ -50366,6 +55359,9 @@ catalog:
                           value: SA-15b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
                     - id: sa-15_obj.b-2
                       name: assessment-objective
                       props:
@@ -50373,6 +55369,15 @@ catalog:
                           value: SA-15b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-15_smt'
+                  rel: assessment-for
             - id: sa-15_asm-examine
               name: assessment-method
               props:
@@ -50539,6 +55544,9 @@ catalog:
                           value: SA-15(03)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;'
+                      links:
+                        - href: '#sa-15.3_smt.a'
+                          rel: assessment-for
                     - id: sa-15.3_obj.b
                       name: assessment-objective
                       props:
@@ -50553,6 +55561,9 @@ catalog:
                               value: SA-15(03)(b)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
                         - id: sa-15.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -50560,6 +55571,15 @@ catalog:
                               value: SA-15(03)(b)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.3_smt'
+                      rel: assessment-for
                 - id: sa-15.3_asm-examine
                   name: assessment-method
                   props:
@@ -50686,6 +55706,9 @@ catalog:
                   value: SA-16
                   class: sp800-53a
               prose: 'the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.'
+              links:
+                - href: '#sa-16_smt'
+                  rel: assessment-for
             - id: sa-16_asm-examine
               name: assessment-method
               props:
@@ -50831,6 +55854,9 @@ catalog:
                           value: SA-17(a)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;
+                      links:
+                        - href: '#sa-17_smt.a'
+                          rel: assessment-for
                     - id: sa-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -50838,6 +55864,12 @@ catalog:
                           value: SA-17(a)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;
+                      links:
+                        - href: '#sa-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.a'
+                      rel: assessment-for
                 - id: sa-17_obj.b
                   name: assessment-objective
                   props:
@@ -50852,6 +55884,9 @@ catalog:
                           value: SA-17(b)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;
+                      links:
+                        - href: '#sa-17_smt.b'
+                          rel: assessment-for
                     - id: sa-17_obj.b-2
                       name: assessment-objective
                       props:
@@ -50859,6 +55894,12 @@ catalog:
                           value: SA-17(b)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;
+                      links:
+                        - href: '#sa-17_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.b'
+                      rel: assessment-for
                 - id: sa-17_obj.c
                   name: assessment-objective
                   props:
@@ -50873,6 +55914,9 @@ catalog:
                           value: SA-17(c)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;
+                      links:
+                        - href: '#sa-17_smt.c'
+                          rel: assessment-for
                     - id: sa-17_obj.c-2
                       name: assessment-objective
                       props:
@@ -50880,6 +55924,15 @@ catalog:
                           value: SA-17(c)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.
+                      links:
+                        - href: '#sa-17_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-17_smt'
+                  rel: assessment-for
             - id: sa-17_asm-examine
               name: assessment-method
               props:
@@ -51034,6 +56087,9 @@ catalog:
                       value: SA-21a.
                       class: sp800-53a
                   prose: 'the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};'
+                  links:
+                    - href: '#sa-21_smt.a'
+                      rel: assessment-for
                 - id: sa-21_obj.b
                   name: assessment-objective
                   props:
@@ -51041,6 +56097,12 @@ catalog:
                       value: SA-21b.
                       class: sp800-53a
                   prose: 'the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.'
+                  links:
+                    - href: '#sa-21_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-21_smt'
+                  rel: assessment-for
             - id: sa-21_asm-examine
               name: assessment-method
               props:
@@ -51191,6 +56253,9 @@ catalog:
                       value: SA-22a.
                       class: sp800-53a
                   prose: system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
+                  links:
+                    - href: '#sa-22_smt.a'
+                      rel: assessment-for
                 - id: sa-22_obj.b
                   name: assessment-objective
                   props:
@@ -51198,6 +56263,12 @@ catalog:
                       value: SA-22b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.'
+                  links:
+                    - href: '#sa-22_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-22_smt'
+                  rel: assessment-for
             - id: sa-22_asm-examine
               name: assessment-method
               props:
@@ -51467,6 +56538,9 @@ catalog:
                           value: SC-01a.[01]
                           class: sp800-53a
                       prose: a system and communications protection policy is developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -51474,6 +56548,9 @@ catalog:
                           value: SC-01a.[02]
                           class: sp800-53a
                       prose: 'the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -51481,6 +56558,9 @@ catalog:
                           value: SC-01a.[03]
                           class: sp800-53a
                       prose: system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -51488,6 +56568,9 @@ catalog:
                           value: SC-01a.[04]
                           class: sp800-53a
                       prose: 'the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -51509,6 +56592,9 @@ catalog:
                                   value: SC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -51516,6 +56602,9 @@ catalog:
                                   value: SC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -51523,6 +56612,9 @@ catalog:
                                   value: SC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -51530,6 +56622,9 @@ catalog:
                                   value: SC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -51537,6 +56632,9 @@ catalog:
                                   value: SC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -51544,6 +56642,9 @@ catalog:
                                   value: SC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -51551,6 +56652,12 @@ catalog:
                                   value: SC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sc-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sc-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -51558,6 +56665,15 @@ catalog:
                               value: SC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sc-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.a'
+                      rel: assessment-for
                 - id: sc-1_obj.b
                   name: assessment-objective
                   props:
@@ -51565,6 +56681,9 @@ catalog:
                       value: SC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;'
+                  links:
+                    - href: '#sc-1_smt.b'
+                      rel: assessment-for
                 - id: sc-1_obj.c
                   name: assessment-objective
                   props:
@@ -51586,6 +56705,9 @@ catalog:
                               value: SC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
                         - id: sc-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -51593,6 +56715,12 @@ catalog:
                               value: SC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.1'
+                          rel: assessment-for
                     - id: sc-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -51607,6 +56735,9 @@ catalog:
                               value: SC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
                         - id: sc-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -51614,6 +56745,18 @@ catalog:
                               value: SC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-1_smt'
+                  rel: assessment-for
             - id: sc-1_asm-examine
               name: assessment-method
               props:
@@ -51702,6 +56845,9 @@ catalog:
                   value: SC-02
                   class: sp800-53a
               prose: user functionality, including user interface services, is separated from system management functionality.
+              links:
+                - href: '#sc-2_smt'
+                  rel: assessment-for
             - id: sc-2_asm-examine
               name: assessment-method
               props:
@@ -51818,6 +56964,9 @@ catalog:
                   value: SC-03
                   class: sp800-53a
               prose: security functions are isolated from non-security functions.
+              links:
+                - href: '#sc-3_smt'
+                  rel: assessment-for
             - id: sc-3_asm-examine
               name: assessment-method
               props:
@@ -51916,6 +57065,9 @@ catalog:
                       value: SC-04[01]
                       class: sp800-53a
                   prose: unauthorized information transfer via shared system resources is prevented;
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
                 - id: sc-4_obj-2
                   name: assessment-objective
                   props:
@@ -51923,6 +57075,12 @@ catalog:
                       value: SC-04[02]
                       class: sp800-53a
                   prose: unintended information transfer via shared system resources is prevented.
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-4_smt'
+                  rel: assessment-for
             - id: sc-4_asm-examine
               name: assessment-method
               props:
@@ -52069,6 +57227,9 @@ catalog:
                       value: SC-05a.
                       class: sp800-53a
                   prose: 'the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};'
+                  links:
+                    - href: '#sc-5_smt.a'
+                      rel: assessment-for
                 - id: sc-5_obj.b
                   name: assessment-objective
                   props:
@@ -52076,6 +57237,12 @@ catalog:
                       value: SC-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.'
+                  links:
+                    - href: '#sc-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-5_smt'
+                  rel: assessment-for
             - id: sc-5_asm-examine
               name: assessment-method
               props:
@@ -52271,6 +57438,9 @@ catalog:
                           value: SC-07a.[01]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -52278,6 +57448,9 @@ catalog:
                           value: SC-07a.[02]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -52285,6 +57458,9 @@ catalog:
                           value: SC-07a.[03]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-4
                       name: assessment-objective
                       props:
@@ -52292,6 +57468,12 @@ catalog:
                           value: SC-07a.[04]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7_smt.a'
+                      rel: assessment-for
                 - id: sc-7_obj.b
                   name: assessment-objective
                   props:
@@ -52299,6 +57481,9 @@ catalog:
                       value: SC-07b.
                       class: sp800-53a
                   prose: 'subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;'
+                  links:
+                    - href: '#sc-7_smt.b'
+                      rel: assessment-for
                 - id: sc-7_obj.c
                   name: assessment-objective
                   props:
@@ -52306,6 +57491,12 @@ catalog:
                       value: SC-07c.
                       class: sp800-53a
                   prose: external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+                  links:
+                    - href: '#sc-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-7_smt'
+                  rel: assessment-for
             - id: sc-7_asm-examine
               name: assessment-method
               props:
@@ -52400,6 +57591,9 @@ catalog:
                       value: SC-07(03)
                       class: sp800-53a
                   prose: the number of external network connections to the system is limited.
+                  links:
+                    - href: '#sc-7.3_smt'
+                      rel: assessment-for
                 - id: sc-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -52570,6 +57764,9 @@ catalog:
                           value: SC-07(04)(a)
                           class: sp800-53a
                       prose: a managed interface is implemented for each external telecommunication service;
+                      links:
+                        - href: '#sc-7.4_smt.a'
+                          rel: assessment-for
                     - id: sc-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -52577,6 +57774,9 @@ catalog:
                           value: SC-07(04)(b)
                           class: sp800-53a
                       prose: a traffic flow policy is established for each managed interface;
+                      links:
+                        - href: '#sc-7.4_smt.b'
+                          rel: assessment-for
                     - id: sc-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -52591,6 +57791,9 @@ catalog:
                               value: SC-07(04)(c)[01]
                               class: sp800-53a
                           prose: the confidentiality of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
                         - id: sc-7.4_obj.c-2
                           name: assessment-objective
                           props:
@@ -52598,6 +57801,12 @@ catalog:
                               value: SC-07(04)(c)[02]
                               class: sp800-53a
                           prose: the integrity of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.c'
+                          rel: assessment-for
                     - id: sc-7.4_obj.d
                       name: assessment-objective
                       props:
@@ -52605,6 +57814,9 @@ catalog:
                           value: SC-07(04)(d)
                           class: sp800-53a
                       prose: each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
+                      links:
+                        - href: '#sc-7.4_smt.d'
+                          rel: assessment-for
                     - id: sc-7.4_obj.e
                       name: assessment-objective
                       props:
@@ -52619,6 +57831,9 @@ catalog:
                               value: SC-07(04)(e)[01]
                               class: sp800-53a
                           prose: 'exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};'
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
                         - id: sc-7.4_obj.e-2
                           name: assessment-objective
                           props:
@@ -52626,6 +57841,12 @@ catalog:
                               value: SC-07(04)(e)[02]
                               class: sp800-53a
                           prose: exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.e'
+                          rel: assessment-for
                     - id: sc-7.4_obj.f
                       name: assessment-objective
                       props:
@@ -52633,6 +57854,9 @@ catalog:
                           value: SC-07(04)(f)
                           class: sp800-53a
                       prose: unauthorized exchanges of control plan traffic with external networks are prevented;
+                      links:
+                        - href: '#sc-7.4_smt.f'
+                          rel: assessment-for
                     - id: sc-7.4_obj.g
                       name: assessment-objective
                       props:
@@ -52640,6 +57864,9 @@ catalog:
                           value: SC-07(04)(g)
                           class: sp800-53a
                       prose: information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
+                      links:
+                        - href: '#sc-7.4_smt.g'
+                          rel: assessment-for
                     - id: sc-7.4_obj.h
                       name: assessment-objective
                       props:
@@ -52647,6 +57874,12 @@ catalog:
                           value: SC-07(04)(h)
                           class: sp800-53a
                       prose: unauthorized control plane traffic is filtered from external networks.
+                      links:
+                        - href: '#sc-7.4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.4_smt'
+                      rel: assessment-for
                 - id: sc-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -52781,6 +58014,9 @@ catalog:
                           value: SC-07(05)[01]
                           class: sp800-53a
                       prose: 'network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
                     - id: sc-7.5_obj-2
                       name: assessment-objective
                       props:
@@ -52788,6 +58024,12 @@ catalog:
                           value: SC-07(05)[02]
                           class: sp800-53a
                       prose: 'network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.5_smt'
+                      rel: assessment-for
                 - id: sc-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -52886,6 +58128,9 @@ catalog:
                       value: SC-07(07)
                       class: sp800-53a
                   prose: 'split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.'
+                  links:
+                    - href: '#sc-7.7_smt'
+                      rel: assessment-for
                 - id: sc-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -53003,6 +58248,9 @@ catalog:
                       value: SC-07(08)
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.'
+                  links:
+                    - href: '#sc-7.8_smt'
+                      rel: assessment-for
                 - id: sc-7.8_asm-examine
                   name: assessment-method
                   props:
@@ -53103,6 +58351,9 @@ catalog:
                       value: SC-07(18)
                       class: sp800-53a
                   prose: systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.
+                  links:
+                    - href: '#sc-7.18_smt'
+                      rel: assessment-for
                 - id: sc-7.18_asm-examine
                   name: assessment-method
                   props:
@@ -53221,6 +58472,9 @@ catalog:
                       value: SC-07(21)
                       class: sp800-53a
                   prose: 'boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.'
+                  links:
+                    - href: '#sc-7.21_smt'
+                      rel: assessment-for
                 - id: sc-7.21_asm-examine
                   name: assessment-method
                   props:
@@ -53372,6 +58626,9 @@ catalog:
                   value: SC-08
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.'
+              links:
+                - href: '#sc-8_smt'
+                  rel: assessment-for
             - id: sc-8_asm-examine
               name: assessment-method
               props:
@@ -53475,6 +58732,9 @@ catalog:
                       value: SC-08(01)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.'
+                  links:
+                    - href: '#sc-8.1_smt'
+                      rel: assessment-for
                 - id: sc-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -53578,6 +58838,9 @@ catalog:
                   value: SC-10
                   class: sp800-53a
               prose: 'the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.'
+              links:
+                - href: '#sc-10_smt'
+                  rel: assessment-for
             - id: sc-10_asm-examine
               name: assessment-method
               props:
@@ -53698,6 +58961,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#sa-4'
               rel: related
             - href: '#sa-8'
@@ -53745,6 +59010,9 @@ catalog:
                       value: SC-12[01]
                       class: sp800-53a
                   prose: 'cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
                 - id: sc-12_obj-2
                   name: assessment-objective
                   props:
@@ -53752,6 +59020,12 @@ catalog:
                       value: SC-12[02]
                       class: sp800-53a
                   prose: 'cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-12_smt'
+                  rel: assessment-for
             - id: sc-12_asm-examine
               name: assessment-method
               props:
@@ -53843,6 +59117,9 @@ catalog:
                       value: SC-12(01)
                       class: sp800-53a
                   prose: information availability is maintained in the event of the loss of cryptographic keys by users.
+                  links:
+                    - href: '#sc-12.1_smt'
+                      rel: assessment-for
                 - id: sc-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -53964,6 +59241,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#mp-2'
@@ -54027,6 +59306,9 @@ catalog:
                       value: SC-13a.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.01 }} are identified;'
+                  links:
+                    - href: '#sc-13_smt.a'
+                      rel: assessment-for
                 - id: sc-13_obj.b
                   name: assessment-objective
                   props:
@@ -54034,6 +59316,12 @@ catalog:
                       value: SC-13b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.'
+                  links:
+                    - href: '#sc-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-13_smt'
+                  rel: assessment-for
             - id: sc-13_asm-examine
               name: assessment-method
               props:
@@ -54157,6 +59445,9 @@ catalog:
                       value: SC-15a.
                       class: sp800-53a
                   prose: 'remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};'
+                  links:
+                    - href: '#sc-15_smt.a'
+                      rel: assessment-for
                 - id: sc-15_obj.b
                   name: assessment-objective
                   props:
@@ -54164,6 +59455,12 @@ catalog:
                       value: SC-15b.
                       class: sp800-53a
                   prose: an explicit indication of use is provided to users physically present at the devices.
+                  links:
+                    - href: '#sc-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-15_smt'
+                  rel: assessment-for
             - id: sc-15_asm-examine
               name: assessment-method
               props:
@@ -54303,6 +59600,9 @@ catalog:
                       value: SC-17a.
                       class: sp800-53a
                   prose: 'public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;'
+                  links:
+                    - href: '#sc-17_smt.a'
+                      rel: assessment-for
                 - id: sc-17_obj.b
                   name: assessment-objective
                   props:
@@ -54310,6 +59610,12 @@ catalog:
                       value: SC-17b.
                       class: sp800-53a
                   prose: only approved trust anchors are included in trust stores or certificate stores managed by the organization.
+                  links:
+                    - href: '#sc-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-17_smt'
+                  rel: assessment-for
             - id: sc-17_asm-examine
               name: assessment-method
               props:
@@ -54431,6 +59737,9 @@ catalog:
                           value: SC-18a.[01]
                           class: sp800-53a
                       prose: acceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -54438,6 +59747,9 @@ catalog:
                           value: SC-18a.[02]
                           class: sp800-53a
                       prose: unacceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -54445,6 +59757,9 @@ catalog:
                           value: SC-18a.[03]
                           class: sp800-53a
                       prose: acceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-4
                       name: assessment-objective
                       props:
@@ -54452,6 +59767,12 @@ catalog:
                           value: SC-18a.[04]
                           class: sp800-53a
                       prose: unacceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.a'
+                      rel: assessment-for
                 - id: sc-18_obj.b
                   name: assessment-objective
                   props:
@@ -54466,6 +59787,9 @@ catalog:
                           value: SC-18b.[01]
                           class: sp800-53a
                       prose: the use of mobile code is authorized within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-2
                       name: assessment-objective
                       props:
@@ -54473,6 +59797,9 @@ catalog:
                           value: SC-18b.[02]
                           class: sp800-53a
                       prose: the use of mobile code is monitored within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-3
                       name: assessment-objective
                       props:
@@ -54480,6 +59807,15 @@ catalog:
                           value: SC-18b.[03]
                           class: sp800-53a
                       prose: the use of mobile code is controlled within the system.
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-18_smt'
+                  rel: assessment-for
             - id: sc-18_asm-examine
               name: assessment-method
               props:
@@ -54618,6 +59954,9 @@ catalog:
                           value: SC-20a.[01]
                           class: sp800-53a
                       prose: additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
                     - id: sc-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -54625,6 +59964,12 @@ catalog:
                           value: SC-20a.[02]
                           class: sp800-53a
                       prose: integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.a'
+                      rel: assessment-for
                 - id: sc-20_obj.b
                   name: assessment-objective
                   props:
@@ -54639,6 +59984,9 @@ catalog:
                           value: SC-20b.[01]
                           class: sp800-53a
                       prose: the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
                     - id: sc-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -54646,6 +59994,15 @@ catalog:
                           value: SC-20b.[02]
                           class: sp800-53a
                       prose: the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-20_smt'
+                  rel: assessment-for
             - id: sc-20_asm-examine
               name: assessment-method
               props:
@@ -54740,6 +60097,9 @@ catalog:
                       value: SC-21[01]
                       class: sp800-53a
                   prose: data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-2
                   name: assessment-objective
                   props:
@@ -54747,6 +60107,9 @@ catalog:
                       value: SC-21[02]
                       class: sp800-53a
                   prose: data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-3
                   name: assessment-objective
                   props:
@@ -54754,6 +60117,9 @@ catalog:
                       value: SC-21[03]
                       class: sp800-53a
                   prose: data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-4
                   name: assessment-objective
                   props:
@@ -54761,6 +60127,12 @@ catalog:
                       value: SC-21[04]
                       class: sp800-53a
                   prose: data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-21_smt'
+                  rel: assessment-for
             - id: sc-21_asm-examine
               name: assessment-method
               props:
@@ -54861,6 +60233,9 @@ catalog:
                       value: SC-22[01]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization are fault-tolerant;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-2
                   name: assessment-objective
                   props:
@@ -54868,6 +60243,9 @@ catalog:
                       value: SC-22[02]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement internal role separation;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-3
                   name: assessment-objective
                   props:
@@ -54875,6 +60253,12 @@ catalog:
                       value: SC-22[03]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement external role separation.
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-22_smt'
+                  rel: assessment-for
             - id: sc-22_asm-examine
               name: assessment-method
               props:
@@ -54978,6 +60362,9 @@ catalog:
                   value: SC-23
                   class: sp800-53a
               prose: the authenticity of communication sessions is protected.
+              links:
+                - href: '#sc-23_smt'
+                  rel: assessment-for
             - id: sc-23_asm-examine
               name: assessment-method
               props:
@@ -55112,6 +60499,9 @@ catalog:
                   value: SC-24
                   class: sp800-53a
               prose: ' {{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.'
+              links:
+                - href: '#sc-24_smt'
+                  rel: assessment-for
             - id: sc-24_asm-examine
               name: assessment-method
               props:
@@ -55281,6 +60671,9 @@ catalog:
                   value: SC-28
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.'
+              links:
+                - href: '#sc-28_smt'
+                  rel: assessment-for
             - id: sc-28_asm-examine
               name: assessment-method
               props:
@@ -55403,6 +60796,9 @@ catalog:
                           value: SC-28(01)[01]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
                     - id: sc-28.1_obj-2
                       name: assessment-objective
                       props:
@@ -55410,6 +60806,12 @@ catalog:
                           value: SC-28(01)[02]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-28.1_smt'
+                      rel: assessment-for
                 - id: sc-28.1_asm-examine
                   name: assessment-method
                   props:
@@ -55516,6 +60918,9 @@ catalog:
                   value: SC-39
                   class: sp800-53a
               prose: a separate execution domain is maintained for each executing system process.
+              links:
+                - href: '#sc-39_smt'
+                  rel: assessment-for
             - id: sc-39_asm-examine
               name: assessment-method
               props:
@@ -55774,6 +61179,9 @@ catalog:
                           value: SI-01a.[01]
                           class: sp800-53a
                       prose: a system and information integrity policy is developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -55781,6 +61189,9 @@ catalog:
                           value: SI-01a.[02]
                           class: sp800-53a
                       prose: 'the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -55788,6 +61199,9 @@ catalog:
                           value: SI-01a.[03]
                           class: sp800-53a
                       prose: system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -55795,6 +61209,9 @@ catalog:
                           value: SI-01a.[04]
                           class: sp800-53a
                       prose: 'the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -55816,6 +61233,9 @@ catalog:
                                   value: SI-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -55823,6 +61243,9 @@ catalog:
                                   value: SI-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -55830,6 +61253,9 @@ catalog:
                                   value: SI-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -55837,6 +61263,9 @@ catalog:
                                   value: SI-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -55844,6 +61273,9 @@ catalog:
                                   value: SI-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -55851,6 +61283,9 @@ catalog:
                                   value: SI-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -55858,6 +61293,12 @@ catalog:
                                   value: SI-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#si-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: si-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -55865,6 +61306,15 @@ catalog:
                               value: SI-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#si-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.a'
+                      rel: assessment-for
                 - id: si-1_obj.b
                   name: assessment-objective
                   props:
@@ -55872,6 +61322,9 @@ catalog:
                       value: SI-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;'
+                  links:
+                    - href: '#si-1_smt.b'
+                      rel: assessment-for
                 - id: si-1_obj.c
                   name: assessment-objective
                   props:
@@ -55893,6 +61346,9 @@ catalog:
                               value: SI-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
                         - id: si-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -55900,6 +61356,12 @@ catalog:
                               value: SI-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.1'
+                          rel: assessment-for
                     - id: si-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -55914,6 +61376,9 @@ catalog:
                               value: SI-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
                         - id: si-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -55921,6 +61386,18 @@ catalog:
                               value: SI-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#si-1_smt'
+                  rel: assessment-for
             - id: si-1_asm-examine
               name: assessment-method
               props:
@@ -56082,6 +61559,9 @@ catalog:
                           value: SI-02a.[01]
                           class: sp800-53a
                       prose: system flaws are identified;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -56089,6 +61569,9 @@ catalog:
                           value: SI-02a.[02]
                           class: sp800-53a
                       prose: system flaws are reported;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -56096,6 +61579,12 @@ catalog:
                           value: SI-02a.[03]
                           class: sp800-53a
                       prose: system flaws are corrected;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.a'
+                      rel: assessment-for
                 - id: si-2_obj.b
                   name: assessment-objective
                   props:
@@ -56110,6 +61599,9 @@ catalog:
                           value: SI-02b.[01]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -56117,6 +61609,9 @@ catalog:
                           value: SI-02b.[02]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-3
                       name: assessment-objective
                       props:
@@ -56124,6 +61619,9 @@ catalog:
                           value: SI-02b.[03]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-4
                       name: assessment-objective
                       props:
@@ -56131,6 +61629,12 @@ catalog:
                           value: SI-02b.[04]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.b'
+                      rel: assessment-for
                 - id: si-2_obj.c
                   name: assessment-objective
                   props:
@@ -56145,6 +61649,9 @@ catalog:
                           value: SI-02c.[01]
                           class: sp800-53a
                       prose: 'security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
                     - id: si-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -56152,6 +61659,12 @@ catalog:
                           value: SI-02c.[02]
                           class: sp800-53a
                       prose: 'security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.c'
+                      rel: assessment-for
                 - id: si-2_obj.d
                   name: assessment-objective
                   props:
@@ -56159,6 +61672,12 @@ catalog:
                       value: SI-02d.
                       class: sp800-53a
                   prose: flaw remediation is incorporated into the organizational configuration management process.
+                  links:
+                    - href: '#si-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-2_smt'
+                  rel: assessment-for
             - id: si-2_asm-examine
               name: assessment-method
               props:
@@ -56289,6 +61808,9 @@ catalog:
                       value: SI-02(02)
                       class: sp800-53a
                   prose: 'system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.'
+                  links:
+                    - href: '#si-2.2_smt'
+                      rel: assessment-for
                 - id: si-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -56549,6 +62071,9 @@ catalog:
                           value: SI-03a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
                     - id: si-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -56556,6 +62081,12 @@ catalog:
                           value: SI-03a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.a'
+                      rel: assessment-for
                 - id: si-3_obj.b
                   name: assessment-objective
                   props:
@@ -56563,6 +62094,9 @@ catalog:
                       value: SI-03b.
                       class: sp800-53a
                   prose: malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
+                  links:
+                    - href: '#si-3_smt.b'
+                      rel: assessment-for
                 - id: si-3_obj.c
                   name: assessment-objective
                   props:
@@ -56584,6 +62118,9 @@ catalog:
                               value: SI-03c.01[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
                         - id: si-3_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -56591,6 +62128,12 @@ catalog:
                               value: SI-03c.01[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.1'
+                          rel: assessment-for
                     - id: si-3_obj.c.2
                       name: assessment-objective
                       props:
@@ -56605,6 +62148,9 @@ catalog:
                               value: SI-03c.02[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
                         - id: si-3_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -56612,6 +62158,15 @@ catalog:
                               value: SI-03c.02[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.c'
+                      rel: assessment-for
                 - id: si-3_obj.d
                   name: assessment-objective
                   props:
@@ -56619,6 +62174,12 @@ catalog:
                       value: SI-03d.
                       class: sp800-53a
                   prose: the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
+                  links:
+                    - href: '#si-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-3_smt'
+                  rel: assessment-for
             - id: si-3_asm-examine
               name: assessment-method
               props:
@@ -56971,6 +62532,9 @@ catalog:
                           value: SI-04a.01
                           class: sp800-53a
                       prose: 'the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};'
+                      links:
+                        - href: '#si-4_smt.a.1'
+                          rel: assessment-for
                     - id: si-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -56985,6 +62549,9 @@ catalog:
                               value: SI-04a.02[01]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized local connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -56992,6 +62559,9 @@ catalog:
                               value: SI-04a.02[02]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized network connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -56999,6 +62569,15 @@ catalog:
                               value: SI-04a.02[03]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized remote connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.a'
+                      rel: assessment-for
                 - id: si-4_obj.b
                   name: assessment-objective
                   props:
@@ -57006,6 +62585,9 @@ catalog:
                       value: SI-04b.
                       class: sp800-53a
                   prose: 'unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};'
+                  links:
+                    - href: '#si-4_smt.b'
+                      rel: assessment-for
                 - id: si-4_obj.c
                   name: assessment-objective
                   props:
@@ -57020,6 +62602,9 @@ catalog:
                           value: SI-04c.01
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
+                      links:
+                        - href: '#si-4_smt.c.1'
+                          rel: assessment-for
                     - id: si-4_obj.c.2
                       name: assessment-objective
                       props:
@@ -57027,6 +62612,12 @@ catalog:
                           value: SI-04c.02
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
+                      links:
+                        - href: '#si-4_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.c'
+                      rel: assessment-for
                 - id: si-4_obj.d
                   name: assessment-objective
                   props:
@@ -57041,6 +62632,9 @@ catalog:
                           value: SI-04d.[01]
                           class: sp800-53a
                       prose: detected events are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
                     - id: si-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -57048,6 +62642,12 @@ catalog:
                           value: SI-04d.[02]
                           class: sp800-53a
                       prose: detected anomalies are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.d'
+                      rel: assessment-for
                 - id: si-4_obj.e
                   name: assessment-objective
                   props:
@@ -57055,6 +62655,9 @@ catalog:
                       value: SI-04e.
                       class: sp800-53a
                   prose: the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+                  links:
+                    - href: '#si-4_smt.e'
+                      rel: assessment-for
                 - id: si-4_obj.f
                   name: assessment-objective
                   props:
@@ -57062,6 +62665,9 @@ catalog:
                       value: SI-04f.
                       class: sp800-53a
                   prose: a legal opinion regarding system monitoring activities is obtained;
+                  links:
+                    - href: '#si-4_smt.f'
+                      rel: assessment-for
                 - id: si-4_obj.g
                   name: assessment-objective
                   props:
@@ -57069,6 +62675,12 @@ catalog:
                       value: SI-04g.
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.'
+                  links:
+                    - href: '#si-4_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#si-4_smt'
+                  rel: assessment-for
             - id: si-4_asm-examine
               name: assessment-method
               props:
@@ -57175,6 +62787,9 @@ catalog:
                       value: SI-04(02)
                       class: sp800-53a
                   prose: automated tools and mechanisms are employed to support a near real-time analysis of events.
+                  links:
+                    - href: '#si-4.2_smt'
+                      rel: assessment-for
                 - id: si-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -57363,6 +62978,9 @@ catalog:
                               value: SI-04(04)(a)[01]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
                         - id: si-4.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -57370,6 +62988,12 @@ catalog:
                               value: SI-04(04)(a)[02]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.a'
+                          rel: assessment-for
                     - id: si-4.4_obj.b
                       name: assessment-objective
                       props:
@@ -57384,6 +63008,9 @@ catalog:
                               value: SI-04(04)(b)[01]
                               class: sp800-53a
                           prose: 'inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
                         - id: si-4.4_obj.b-2
                           name: assessment-objective
                           props:
@@ -57391,6 +63018,15 @@ catalog:
                               value: SI-04(04)(b)[02]
                               class: sp800-53a
                           prose: 'outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.4_smt'
+                      rel: assessment-for
                 - id: si-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -57521,6 +63157,9 @@ catalog:
                       value: SI-04(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.'
+                  links:
+                    - href: '#si-4.5_smt'
+                      rel: assessment-for
                 - id: si-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -57651,6 +63290,9 @@ catalog:
                       value: SI-04(10)
                       class: sp800-53a
                   prose: 'provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.'
+                  links:
+                    - href: '#si-4.10_smt'
+                      rel: assessment-for
                 - id: si-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -57786,6 +63428,9 @@ catalog:
                       value: SI-04(12)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.'
+                  links:
+                    - href: '#si-4.12_smt'
+                      rel: assessment-for
                 - id: si-4.12_asm-examine
                   name: assessment-method
                   props:
@@ -57910,6 +63555,9 @@ catalog:
                           value: SI-04(14)[01]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to identify rogue wireless devices;
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
                     - id: si-4.14_obj-2
                       name: assessment-objective
                       props:
@@ -57917,6 +63565,9 @@ catalog:
                           value: SI-04(14)[02]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to detect attack attempts on the system;
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
                     - id: si-4.14_obj-3
                       name: assessment-objective
                       props:
@@ -57924,6 +63575,12 @@ catalog:
                           value: SI-04(14)[03]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.14_smt'
+                      rel: assessment-for
                 - id: si-4.14_asm-examine
                   name: assessment-method
                   props:
@@ -58038,6 +63695,9 @@ catalog:
                       value: SI-04(20)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04.20_odp }} of privileged users is implemented.'
+                  links:
+                    - href: '#si-4.20_smt'
+                      rel: assessment-for
                 - id: si-4.20_asm-examine
                   name: assessment-method
                   props:
@@ -58191,6 +63851,9 @@ catalog:
                           value: SI-04(22)(a)
                           class: sp800-53a
                       prose: 'network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;'
+                      links:
+                        - href: '#si-4.22_smt.a'
+                          rel: assessment-for
                     - id: si-4.22_obj.b
                       name: assessment-objective
                       props:
@@ -58198,6 +63861,12 @@ catalog:
                           value: SI-04(22)(b)
                           class: sp800-53a
                       prose: ' {{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.'
+                      links:
+                        - href: '#si-4.22_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.22_smt'
+                      rel: assessment-for
                 - id: si-4.22_asm-examine
                   name: assessment-method
                   props:
@@ -58401,6 +64070,9 @@ catalog:
                       value: SI-05a.
                       class: sp800-53a
                   prose: 'system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;'
+                  links:
+                    - href: '#si-5_smt.a'
+                      rel: assessment-for
                 - id: si-5_obj.b
                   name: assessment-objective
                   props:
@@ -58408,6 +64080,9 @@ catalog:
                       value: SI-05b.
                       class: sp800-53a
                   prose: internal security alerts, advisories, and directives are generated as deemed necessary;
+                  links:
+                    - href: '#si-5_smt.b'
+                      rel: assessment-for
                 - id: si-5_obj.c
                   name: assessment-objective
                   props:
@@ -58415,6 +64090,9 @@ catalog:
                       value: SI-05c.
                       class: sp800-53a
                   prose: 'security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};'
+                  links:
+                    - href: '#si-5_smt.c'
+                      rel: assessment-for
                 - id: si-5_obj.d
                   name: assessment-objective
                   props:
@@ -58422,6 +64100,12 @@ catalog:
                       value: SI-05d.
                       class: sp800-53a
                   prose: security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.
+                  links:
+                    - href: '#si-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-5_smt'
+                  rel: assessment-for
             - id: si-5_asm-examine
               name: assessment-method
               props:
@@ -58529,6 +64213,9 @@ catalog:
                       value: SI-05(01)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.'
+                  links:
+                    - href: '#si-5.1_smt'
+                      rel: assessment-for
                 - id: si-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -58768,6 +64455,9 @@ catalog:
                           value: SI-06a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.01 }} are verified to be operating correctly;'
+                      links:
+                        - href: '#si-6_smt.a'
+                          rel: assessment-for
                     - id: si-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -58775,6 +64465,12 @@ catalog:
                           value: SI-06a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.02 }} are verified to be operating correctly;'
+                      links:
+                        - href: '#si-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.a'
+                      rel: assessment-for
                 - id: si-6_obj.b
                   name: assessment-objective
                   props:
@@ -58789,6 +64485,9 @@ catalog:
                           value: SI-06b.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};'
+                      links:
+                        - href: '#si-6_smt.b'
+                          rel: assessment-for
                     - id: si-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -58796,6 +64495,12 @@ catalog:
                           value: SI-06b.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};'
+                      links:
+                        - href: '#si-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.b'
+                      rel: assessment-for
                 - id: si-6_obj.c
                   name: assessment-objective
                   props:
@@ -58810,6 +64515,9 @@ catalog:
                           value: SI-06c.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;'
+                      links:
+                        - href: '#si-6_smt.c'
+                          rel: assessment-for
                     - id: si-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -58817,6 +64525,12 @@ catalog:
                           value: SI-06c.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;'
+                      links:
+                        - href: '#si-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.c'
+                      rel: assessment-for
                 - id: si-6_obj.d
                   name: assessment-objective
                   props:
@@ -58824,6 +64538,12 @@ catalog:
                       value: SI-06d.
                       class: sp800-53a
                   prose: ' {{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.'
+                  links:
+                    - href: '#si-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-6_smt'
+                  rel: assessment-for
             - id: si-6_asm-examine
               name: assessment-method
               props:
@@ -59087,6 +64807,9 @@ catalog:
                           value: SI-07a.[01]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -59094,6 +64817,9 @@ catalog:
                           value: SI-07a.[02]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -59101,6 +64827,12 @@ catalog:
                           value: SI-07a.[03]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.a'
+                      rel: assessment-for
                 - id: si-7_obj.b
                   name: assessment-objective
                   props:
@@ -59115,6 +64847,9 @@ catalog:
                           value: SI-07b.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -59122,6 +64857,9 @@ catalog:
                           value: SI-07b.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -59129,6 +64867,15 @@ catalog:
                           value: SI-07b.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-7_smt'
+                  rel: assessment-for
             - id: si-7_asm-examine
               name: assessment-method
               props:
@@ -59394,6 +65141,9 @@ catalog:
                           value: SI-07(01)[01]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -59401,6 +65151,9 @@ catalog:
                           value: SI-07(01)[02]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-3
                       name: assessment-objective
                       props:
@@ -59408,6 +65161,12 @@ catalog:
                           value: SI-07(01)[03]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7.1_smt'
+                      rel: assessment-for
                 - id: si-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -59513,6 +65272,9 @@ catalog:
                       value: SI-07(02)
                       class: sp800-53a
                   prose: 'automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.'
+                  links:
+                    - href: '#si-7.2_smt'
+                      rel: assessment-for
                 - id: si-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -59644,6 +65406,9 @@ catalog:
                       value: SI-07(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.'
+                  links:
+                    - href: '#si-7.5_smt'
+                      rel: assessment-for
                 - id: si-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -59771,6 +65536,9 @@ catalog:
                       value: SI-07(07)
                       class: sp800-53a
                   prose: 'the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.'
+                  links:
+                    - href: '#si-7.7_smt'
+                      rel: assessment-for
                 - id: si-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -59887,6 +65655,9 @@ catalog:
                       value: SI-07(15)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.'
+                  links:
+                    - href: '#si-7.15_smt'
+                      rel: assessment-for
                 - id: si-7.15_asm-examine
                   name: assessment-method
                   props:
@@ -60018,6 +65789,9 @@ catalog:
                           value: SI-08a.[01]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-2
                       name: assessment-objective
                       props:
@@ -60025,6 +65799,9 @@ catalog:
                           value: SI-08a.[02]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-3
                       name: assessment-objective
                       props:
@@ -60032,6 +65809,9 @@ catalog:
                           value: SI-08a.[03]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-4
                       name: assessment-objective
                       props:
@@ -60039,6 +65819,12 @@ catalog:
                           value: SI-08a.[04]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-8_smt.a'
+                      rel: assessment-for
                 - id: si-8_obj.b
                   name: assessment-objective
                   props:
@@ -60046,6 +65832,12 @@ catalog:
                       value: SI-08b.
                       class: sp800-53a
                   prose: spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.
+                  links:
+                    - href: '#si-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-8_smt'
+                  rel: assessment-for
             - id: si-8_asm-examine
               name: assessment-method
               props:
@@ -60156,6 +65948,9 @@ catalog:
                       value: SI-08(02)
                       class: sp800-53a
                   prose: 'spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.'
+                  links:
+                    - href: '#si-8.2_smt'
+                      rel: assessment-for
                 - id: si-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -60271,6 +66066,9 @@ catalog:
                   value: SI-10
                   class: sp800-53a
               prose: 'the validity of the {{ insert: param, si-10_odp }} is checked.'
+              links:
+                - href: '#si-10_smt'
+                  rel: assessment-for
             - id: si-10_asm-examine
               name: assessment-method
               props:
@@ -60406,6 +66204,9 @@ catalog:
                       value: SI-11a.
                       class: sp800-53a
                   prose: error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;
+                  links:
+                    - href: '#si-11_smt.a'
+                      rel: assessment-for
                 - id: si-11_obj.b
                   name: assessment-objective
                   props:
@@ -60413,6 +66214,12 @@ catalog:
                       value: SI-11b.
                       class: sp800-53a
                   prose: 'error messages are revealed only to {{ insert: param, si-11_odp }}.'
+                  links:
+                    - href: '#si-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-11_smt'
+                  rel: assessment-for
             - id: si-11_asm-examine
               name: assessment-method
               props:
@@ -60580,6 +66387,9 @@ catalog:
                       value: SI-12[01]
                       class: sp800-53a
                   prose: information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-2
                   name: assessment-objective
                   props:
@@ -60587,6 +66397,9 @@ catalog:
                       value: SI-12[02]
                       class: sp800-53a
                   prose: information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-3
                   name: assessment-objective
                   props:
@@ -60594,6 +66407,9 @@ catalog:
                       value: SI-12[03]
                       class: sp800-53a
                   prose: information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-4
                   name: assessment-objective
                   props:
@@ -60601,6 +66417,12 @@ catalog:
                       value: SI-12[04]
                       class: sp800-53a
                   prose: information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-12_smt'
+                  rel: assessment-for
             - id: si-12_asm-examine
               name: assessment-method
               props:
@@ -60725,6 +66547,9 @@ catalog:
                   value: SI-16
                   class: sp800-53a
               prose: ' {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.'
+              links:
+                - href: '#si-16_smt'
+                  rel: assessment-for
             - id: si-16_asm-examine
               name: assessment-method
               props:
@@ -61007,6 +66832,9 @@ catalog:
                           value: SR-01a.[01]
                           class: sp800-53a
                       prose: a supply chain risk management policy is developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -61014,6 +66842,9 @@ catalog:
                           value: SR-01a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -61021,6 +66852,9 @@ catalog:
                           value: SR-01a.[03]
                           class: sp800-53a
                       prose: supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -61028,6 +66862,9 @@ catalog:
                           value: SR-01a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -61049,6 +66886,9 @@ catalog:
                                   value: SR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -61056,6 +66896,9 @@ catalog:
                                   value: SR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; '
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -61063,6 +66906,9 @@ catalog:
                                   value: SR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: ' {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -61070,6 +66916,9 @@ catalog:
                                   value: SR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -61077,6 +66926,9 @@ catalog:
                                   value: SR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -61084,6 +66936,9 @@ catalog:
                                   value: SR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -61091,6 +66946,12 @@ catalog:
                                   value: SR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sr-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sr-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -61098,6 +66959,15 @@ catalog:
                               value: SR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sr-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.a'
+                      rel: assessment-for
                 - id: sr-1_obj.b
                   name: assessment-objective
                   props:
@@ -61105,6 +66975,9 @@ catalog:
                       value: SR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;'
+                  links:
+                    - href: '#sr-1_smt.b'
+                      rel: assessment-for
                 - id: sr-1_obj.c
                   name: assessment-objective
                   props:
@@ -61126,6 +66999,9 @@ catalog:
                               value: SR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
                         - id: sr-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -61133,6 +67009,12 @@ catalog:
                               value: SR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.1'
+                          rel: assessment-for
                     - id: sr-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -61147,6 +67029,9 @@ catalog:
                               value: SR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
                         - id: sr-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -61154,6 +67039,18 @@ catalog:
                               value: SR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-1_smt'
+                  rel: assessment-for
             - id: sr-1_asm-examine
               name: assessment-method
               props:
@@ -61330,6 +67227,9 @@ catalog:
                           value: SR-02a.[01]
                           class: sp800-53a
                       prose: a plan for managing supply chain risks is developed;
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -61337,6 +67237,9 @@ catalog:
                           value: SR-02a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -61344,6 +67247,9 @@ catalog:
                           value: SR-02a.[03]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-4
                       name: assessment-objective
                       props:
@@ -61351,6 +67257,9 @@ catalog:
                           value: SR-02a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-5
                       name: assessment-objective
                       props:
@@ -61358,6 +67267,9 @@ catalog:
                           value: SR-02a.[05]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-6
                       name: assessment-objective
                       props:
@@ -61365,6 +67277,9 @@ catalog:
                           value: SR-02a.[06]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-7
                       name: assessment-objective
                       props:
@@ -61372,6 +67287,9 @@ catalog:
                           value: SR-02a.[07]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-8
                       name: assessment-objective
                       props:
@@ -61379,6 +67297,9 @@ catalog:
                           value: SR-02a.[08]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-9
                       name: assessment-objective
                       props:
@@ -61386,6 +67307,12 @@ catalog:
                           value: SR-02a.[09]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.a'
+                      rel: assessment-for
                 - id: sr-2_obj.b
                   name: assessment-objective
                   props:
@@ -61393,6 +67320,9 @@ catalog:
                       value: SR-02b.
                       class: sp800-53a
                   prose: 'the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;'
+                  links:
+                    - href: '#sr-2_smt.b'
+                      rel: assessment-for
                 - id: sr-2_obj.c
                   name: assessment-objective
                   props:
@@ -61407,6 +67337,9 @@ catalog:
                           value: SR-02c.[01]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
                     - id: sr-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -61414,6 +67347,15 @@ catalog:
                           value: SR-02c.[02]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-2_smt'
+                  rel: assessment-for
             - id: sr-2_asm-examine
               name: assessment-method
               props:
@@ -61560,6 +67502,9 @@ catalog:
                       value: SR-02(01)
                       class: sp800-53a
                   prose: 'a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.'
+                  links:
+                    - href: '#sr-2.1_smt'
+                      rel: assessment-for
                 - id: sr-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -61793,6 +67738,9 @@ catalog:
                           value: SR-03a.[01]
                           class: sp800-53a
                       prose: 'a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
                     - id: sr-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -61800,6 +67748,12 @@ catalog:
                           value: SR-03a.[02]
                           class: sp800-53a
                       prose: 'the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-3_smt.a'
+                      rel: assessment-for
                 - id: sr-3_obj.b
                   name: assessment-objective
                   props:
@@ -61807,6 +67761,9 @@ catalog:
                       value: SR-03b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;'
+                  links:
+                    - href: '#sr-3_smt.b'
+                      rel: assessment-for
                 - id: sr-3_obj.c
                   name: assessment-objective
                   props:
@@ -61814,6 +67771,12 @@ catalog:
                       value: SR-03c.
                       class: sp800-53a
                   prose: 'the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.'
+                  links:
+                    - href: '#sr-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-3_smt'
+                  rel: assessment-for
             - id: sr-3_asm-examine
               name: assessment-method
               props:
@@ -61983,6 +67946,9 @@ catalog:
                       value: SR-05[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-2
                   name: assessment-objective
                   props:
@@ -61990,6 +67956,9 @@ catalog:
                       value: SR-05[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-3
                   name: assessment-objective
                   props:
@@ -61997,6 +67966,12 @@ catalog:
                       value: SR-05[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sr-5_smt'
+                  rel: assessment-for
             - id: sr-5_asm-examine
               name: assessment-method
               props:
@@ -62143,6 +68118,9 @@ catalog:
                   value: SR-06
                   class: sp800-53a
               prose: 'the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.'
+              links:
+                - href: '#sr-6_smt'
+                  rel: assessment-for
             - id: sr-6_asm-examine
               name: assessment-method
               props:
@@ -62282,6 +68260,9 @@ catalog:
                   value: SR-08
                   class: sp800-53a
               prose: 'agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.'
+              links:
+                - href: '#sr-8_smt'
+                  rel: assessment-for
             - id: sr-8_asm-examine
               name: assessment-method
               props:
@@ -62396,6 +68377,9 @@ catalog:
                   value: SR-09
                   class: sp800-53a
               prose: a tamper protection program is implemented for the system, system component, or system service.
+              links:
+                - href: '#sr-9_smt'
+                  rel: assessment-for
             - id: sr-9_asm-examine
               name: assessment-method
               props:
@@ -62502,6 +68486,9 @@ catalog:
                       value: SR-09(01)
                       class: sp800-53a
                   prose: anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.
+                  links:
+                    - href: '#sr-9.1_smt'
+                      rel: assessment-for
                 - id: sr-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -62675,6 +68662,9 @@ catalog:
                   value: SR-10
                   class: sp800-53a
               prose: ' {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.'
+              links:
+                - href: '#sr-10_smt'
+                  rel: assessment-for
             - id: sr-10_asm-examine
               name: assessment-method
               props:
@@ -62846,6 +68836,9 @@ catalog:
                           value: SR-11a.[01]
                           class: sp800-53a
                       prose: an anti-counterfeit policy is developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -62853,6 +68846,9 @@ catalog:
                           value: SR-11a.[02]
                           class: sp800-53a
                       prose: anti-counterfeit procedures are developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -62860,6 +68856,9 @@ catalog:
                           value: SR-11a.[03]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to detect counterfeit components entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -62867,6 +68866,12 @@ catalog:
                           value: SR-11a.[04]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11_smt.a'
+                      rel: assessment-for
                 - id: sr-11_obj.b
                   name: assessment-objective
                   props:
@@ -62874,6 +68879,12 @@ catalog:
                       value: SR-11b.
                       class: sp800-53a
                   prose: 'counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.'
+                  links:
+                    - href: '#sr-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sr-11_smt'
+                  rel: assessment-for
             - id: sr-11_asm-examine
               name: assessment-method
               props:
@@ -62999,6 +69010,9 @@ catalog:
                       value: SR-11(01)
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).'
+                  links:
+                    - href: '#sr-11.1_smt'
+                      rel: assessment-for
                 - id: sr-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -63123,6 +69137,9 @@ catalog:
                           value: SR-11(02)[01]
                           class: sp800-53a
                       prose: 'configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
                     - id: sr-11.2_obj-2
                       name: assessment-objective
                       props:
@@ -63130,6 +69147,12 @@ catalog:
                           value: SR-11(02)[02]
                           class: sp800-53a
                       prose: 'configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11.2_smt'
+                      rel: assessment-for
                 - id: sr-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -63246,6 +69269,9 @@ catalog:
                   value: SR-12
                   class: sp800-53a
               prose: ' {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.'
+              links:
+                - href: '#sr-12_smt'
+                  rel: assessment-for
             - id: sr-12_asm-examine
               name: assessment-method
               props:
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml
index d4483eb9..5aa994ca 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_HIGH-baseline_profile.yaml
@@ -1,9 +1,9 @@
 profile:
-  uuid: beade175-48ad-47c0-ac38-e9c2514cba22
+  uuid: cd073316-7c58-4c34-9f5c-9eb5aa722683
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE
-    last-modified: "2023-10-12T00:00:00.000000-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 HIGH IMPACT BASELINE
+    last-modified: "2023-12-04T14:55:00.000000-04:00"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     roles:
       - id: creator
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml
index 38c11048..e290f33f 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml
@@ -1,9 +1,9 @@
 catalog:
-  uuid: 8a6a307c-2c1d-47ef-9bcb-6362480d31cb
+  uuid: 64d89a61-c70c-49bc-9e1b-b620e2b3d855
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:44.518316-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE
+    last-modified: "2023-12-05T21:54:50.284874Z"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     props:
       - name: resolution-tool
@@ -257,6 +257,9 @@ catalog:
                           value: AC-01a.[01]
                           class: sp800-53a
                       prose: an access control policy is developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -264,6 +267,9 @@ catalog:
                           value: AC-01a.[02]
                           class: sp800-53a
                       prose: 'the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -271,6 +277,9 @@ catalog:
                           value: AC-01a.[03]
                           class: sp800-53a
                       prose: access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -278,6 +287,9 @@ catalog:
                           value: AC-01a.[04]
                           class: sp800-53a
                       prose: 'the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -299,6 +311,9 @@ catalog:
                                   value: AC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -306,6 +321,9 @@ catalog:
                                   value: AC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -313,6 +331,9 @@ catalog:
                                   value: AC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -320,6 +341,9 @@ catalog:
                                   value: AC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -327,6 +351,9 @@ catalog:
                                   value: AC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -334,6 +361,9 @@ catalog:
                                   value: AC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -341,6 +371,12 @@ catalog:
                                   value: AC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ac-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -348,6 +384,15 @@ catalog:
                               value: AC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ac-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.a'
+                      rel: assessment-for
                 - id: ac-1_obj.b
                   name: assessment-objective
                   props:
@@ -355,6 +400,9 @@ catalog:
                       value: AC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;'
+                  links:
+                    - href: '#ac-1_smt.b'
+                      rel: assessment-for
                 - id: ac-1_obj.c
                   name: assessment-objective
                   props:
@@ -376,6 +424,9 @@ catalog:
                               value: AC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
                         - id: ac-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -383,6 +434,12 @@ catalog:
                               value: AC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.1'
+                          rel: assessment-for
                     - id: ac-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -397,6 +454,9 @@ catalog:
                               value: AC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
                         - id: ac-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -404,6 +464,18 @@ catalog:
                               value: AC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-1_smt'
+                  rel: assessment-for
             - id: ac-1_asm-examine
               name: assessment-method
               props:
@@ -778,6 +850,9 @@ catalog:
                           value: AC-02a.[01]
                           class: sp800-53a
                       prose: account types allowed for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
                     - id: ac-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -785,6 +860,12 @@ catalog:
                           value: AC-02a.[02]
                           class: sp800-53a
                       prose: account types specifically prohibited for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.a'
+                      rel: assessment-for
                 - id: ac-2_obj.b
                   name: assessment-objective
                   props:
@@ -792,6 +873,9 @@ catalog:
                       value: AC-02b.
                       class: sp800-53a
                   prose: account managers are assigned;
+                  links:
+                    - href: '#ac-2_smt.b'
+                      rel: assessment-for
                 - id: ac-2_obj.c
                   name: assessment-objective
                   props:
@@ -799,6 +883,9 @@ catalog:
                       value: AC-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-02_odp.01 }} for group and role membership are required;'
+                  links:
+                    - href: '#ac-2_smt.c'
+                      rel: assessment-for
                 - id: ac-2_obj.d
                   name: assessment-objective
                   props:
@@ -813,6 +900,9 @@ catalog:
                           value: AC-02d.01
                           class: sp800-53a
                       prose: authorized users of the system are specified;
+                      links:
+                        - href: '#ac-2_smt.d.1'
+                          rel: assessment-for
                     - id: ac-2_obj.d.2
                       name: assessment-objective
                       props:
@@ -820,6 +910,9 @@ catalog:
                           value: AC-02d.02
                           class: sp800-53a
                       prose: group and role membership are specified;
+                      links:
+                        - href: '#ac-2_smt.d.2'
+                          rel: assessment-for
                     - id: ac-2_obj.d.3
                       name: assessment-objective
                       props:
@@ -834,6 +927,9 @@ catalog:
                               value: AC-02d.03[01]
                               class: sp800-53a
                           prose: access authorizations (i.e., privileges) are specified for each account;
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
                         - id: ac-2_obj.d.3-2
                           name: assessment-objective
                           props:
@@ -841,6 +937,15 @@ catalog:
                               value: AC-02d.03[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, ac-02_odp.02 }} are specified for each account;'
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-2_smt.d.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.d'
+                      rel: assessment-for
                 - id: ac-2_obj.e
                   name: assessment-objective
                   props:
@@ -848,6 +953,9 @@ catalog:
                       value: AC-02e.
                       class: sp800-53a
                   prose: 'approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;'
+                  links:
+                    - href: '#ac-2_smt.e'
+                      rel: assessment-for
                 - id: ac-2_obj.f
                   name: assessment-objective
                   props:
@@ -862,6 +970,9 @@ catalog:
                           value: AC-02f.[01]
                           class: sp800-53a
                       prose: 'accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -869,6 +980,9 @@ catalog:
                           value: AC-02f.[02]
                           class: sp800-53a
                       prose: 'accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-3
                       name: assessment-objective
                       props:
@@ -876,6 +990,9 @@ catalog:
                           value: AC-02f.[03]
                           class: sp800-53a
                       prose: 'accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-4
                       name: assessment-objective
                       props:
@@ -883,6 +1000,9 @@ catalog:
                           value: AC-02f.[04]
                           class: sp800-53a
                       prose: 'accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-5
                       name: assessment-objective
                       props:
@@ -890,6 +1010,12 @@ catalog:
                           value: AC-02f.[05]
                           class: sp800-53a
                       prose: 'accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.f'
+                      rel: assessment-for
                 - id: ac-2_obj.g
                   name: assessment-objective
                   props:
@@ -897,6 +1023,9 @@ catalog:
                       value: AC-02g.
                       class: sp800-53a
                   prose: 'the use of accounts is monitored; '
+                  links:
+                    - href: '#ac-2_smt.g'
+                      rel: assessment-for
                 - id: ac-2_obj.h
                   name: assessment-objective
                   props:
@@ -911,6 +1040,9 @@ catalog:
                           value: AC-02h.01
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;'
+                      links:
+                        - href: '#ac-2_smt.h.1'
+                          rel: assessment-for
                     - id: ac-2_obj.h.2
                       name: assessment-objective
                       props:
@@ -918,6 +1050,9 @@ catalog:
                           value: AC-02h.02
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;'
+                      links:
+                        - href: '#ac-2_smt.h.2'
+                          rel: assessment-for
                     - id: ac-2_obj.h.3
                       name: assessment-objective
                       props:
@@ -925,6 +1060,12 @@ catalog:
                           value: AC-02h.03
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;'
+                      links:
+                        - href: '#ac-2_smt.h.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.h'
+                      rel: assessment-for
                 - id: ac-2_obj.i
                   name: assessment-objective
                   props:
@@ -939,6 +1080,9 @@ catalog:
                           value: AC-02i.01
                           class: sp800-53a
                       prose: access to the system is authorized based on a valid access authorization;
+                      links:
+                        - href: '#ac-2_smt.i.1'
+                          rel: assessment-for
                     - id: ac-2_obj.i.2
                       name: assessment-objective
                       props:
@@ -946,6 +1090,9 @@ catalog:
                           value: AC-02i.02
                           class: sp800-53a
                       prose: access to the system is authorized based on intended system usage;
+                      links:
+                        - href: '#ac-2_smt.i.2'
+                          rel: assessment-for
                     - id: ac-2_obj.i.3
                       name: assessment-objective
                       props:
@@ -953,6 +1100,12 @@ catalog:
                           value: AC-02i.03
                           class: sp800-53a
                       prose: 'access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};'
+                      links:
+                        - href: '#ac-2_smt.i.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.i'
+                      rel: assessment-for
                 - id: ac-2_obj.j
                   name: assessment-objective
                   props:
@@ -960,6 +1113,9 @@ catalog:
                       value: AC-02j.
                       class: sp800-53a
                   prose: 'accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};'
+                  links:
+                    - href: '#ac-2_smt.j'
+                      rel: assessment-for
                 - id: ac-2_obj.k
                   name: assessment-objective
                   props:
@@ -974,6 +1130,9 @@ catalog:
                           value: AC-02k.[01]
                           class: sp800-53a
                       prose: a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
                     - id: ac-2_obj.k-2
                       name: assessment-objective
                       props:
@@ -981,6 +1140,12 @@ catalog:
                           value: AC-02k.[02]
                           class: sp800-53a
                       prose: a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.k'
+                      rel: assessment-for
                 - id: ac-2_obj.l
                   name: assessment-objective
                   props:
@@ -995,6 +1160,9 @@ catalog:
                           value: AC-02l.[01]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel termination processes;
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
                     - id: ac-2_obj.l-2
                       name: assessment-objective
                       props:
@@ -1002,6 +1170,15 @@ catalog:
                           value: AC-02l.[02]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel transfer processes.
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.l'
+                      rel: assessment-for
+              links:
+                - href: '#ac-2_smt'
+                  rel: assessment-for
             - id: ac-2_asm-examine
               name: assessment-method
               props:
@@ -1158,6 +1335,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-3'
               rel: related
             - href: '#ma-4'
@@ -1210,6 +1389,9 @@ catalog:
                   value: AC-03
                   class: sp800-53a
               prose: approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
+              links:
+                - href: '#ac-3_smt'
+                  rel: assessment-for
             - id: ac-3_asm-examine
               name: assessment-method
               props:
@@ -1398,6 +1580,9 @@ catalog:
                       value: AC-07a.
                       class: sp800-53a
                   prose: 'a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;'
+                  links:
+                    - href: '#ac-7_smt.a'
+                      rel: assessment-for
                 - id: ac-7_obj.b
                   name: assessment-objective
                   props:
@@ -1405,6 +1590,12 @@ catalog:
                       value: AC-07b.
                       class: sp800-53a
                   prose: 'automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.'
+                  links:
+                    - href: '#ac-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-7_smt'
+                  rel: assessment-for
             - id: ac-7_asm-examine
               name: assessment-method
               props:
@@ -1598,6 +1789,9 @@ catalog:
                           value: AC-08a.01
                           class: sp800-53a
                       prose: the system use notification states that users are accessing a U.S. Government system;
+                      links:
+                        - href: '#ac-8_smt.a.1'
+                          rel: assessment-for
                     - id: ac-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -1605,6 +1799,9 @@ catalog:
                           value: AC-08a.02
                           class: sp800-53a
                       prose: the system use notification states that system usage may be monitored, recorded, and subject to audit;
+                      links:
+                        - href: '#ac-8_smt.a.2'
+                          rel: assessment-for
                     - id: ac-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -1612,6 +1809,9 @@ catalog:
                           value: AC-08a.03
                           class: sp800-53a
                       prose: the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
+                      links:
+                        - href: '#ac-8_smt.a.3'
+                          rel: assessment-for
                     - id: ac-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -1619,6 +1819,12 @@ catalog:
                           value: AC-08a.04
                           class: sp800-53a
                       prose: the system use notification states that use of the system indicates consent to monitoring and recording;
+                      links:
+                        - href: '#ac-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.a'
+                      rel: assessment-for
                 - id: ac-8_obj.b
                   name: assessment-objective
                   props:
@@ -1626,6 +1832,9 @@ catalog:
                       value: AC-08b.
                       class: sp800-53a
                   prose: the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
+                  links:
+                    - href: '#ac-8_smt.b'
+                      rel: assessment-for
                 - id: ac-8_obj.c
                   name: assessment-objective
                   props:
@@ -1640,6 +1849,9 @@ catalog:
                           value: AC-08c.01
                           class: sp800-53a
                       prose: 'for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;'
+                      links:
+                        - href: '#ac-8_smt.c.1'
+                          rel: assessment-for
                     - id: ac-8_obj.c.2
                       name: assessment-objective
                       props:
@@ -1647,6 +1859,9 @@ catalog:
                           value: AC-08c.02
                           class: sp800-53a
                       prose: for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
+                      links:
+                        - href: '#ac-8_smt.c.2'
+                          rel: assessment-for
                     - id: ac-8_obj.c.3
                       name: assessment-objective
                       props:
@@ -1654,6 +1869,15 @@ catalog:
                           value: AC-08c.03
                           class: sp800-53a
                       prose: for publicly accessible systems, a description of the authorized uses of the system is included.
+                      links:
+                        - href: '#ac-8_smt.c.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-8_smt'
+                  rel: assessment-for
             - id: ac-8_asm-examine
               name: assessment-method
               props:
@@ -1787,6 +2011,9 @@ catalog:
                       value: AC-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;'
+                  links:
+                    - href: '#ac-14_smt.a'
+                      rel: assessment-for
                 - id: ac-14_obj.b
                   name: assessment-objective
                   props:
@@ -1801,6 +2028,9 @@ catalog:
                           value: AC-14b.[01]
                           class: sp800-53a
                       prose: user actions not requiring identification or authentication are documented in the security plan for the system;
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
                     - id: ac-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -1808,6 +2038,15 @@ catalog:
                           value: AC-14b.[02]
                           class: sp800-53a
                       prose: a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-14_smt'
+                  rel: assessment-for
             - id: ac-14_asm-examine
               name: assessment-method
               props:
@@ -1955,6 +2194,9 @@ catalog:
                           value: AC-17a.[01]
                           class: sp800-53a
                       prose: usage restrictions are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -1962,6 +2204,9 @@ catalog:
                           value: AC-17a.[02]
                           class: sp800-53a
                       prose: configuration/connection requirements are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-3
                       name: assessment-objective
                       props:
@@ -1969,6 +2214,12 @@ catalog:
                           value: AC-17a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17_smt.a'
+                      rel: assessment-for
                 - id: ac-17_obj.b
                   name: assessment-objective
                   props:
@@ -1976,6 +2227,12 @@ catalog:
                       value: AC-17b.
                       class: sp800-53a
                   prose: each type of remote access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-17_smt'
+                  rel: assessment-for
             - id: ac-17_asm-examine
               name: assessment-method
               props:
@@ -2117,6 +2374,9 @@ catalog:
                           value: AC-18a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -2124,6 +2384,9 @@ catalog:
                           value: AC-18a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -2131,6 +2394,12 @@ catalog:
                           value: AC-18a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18_smt.a'
+                      rel: assessment-for
                 - id: ac-18_obj.b
                   name: assessment-objective
                   props:
@@ -2138,6 +2407,12 @@ catalog:
                       value: AC-18b.
                       class: sp800-53a
                   prose: each type of wireless access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-18_smt'
+                  rel: assessment-for
             - id: ac-18_asm-examine
               name: assessment-method
               props:
@@ -2302,6 +2577,9 @@ catalog:
                           value: AC-19a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-2
                       name: assessment-objective
                       props:
@@ -2309,6 +2587,9 @@ catalog:
                           value: AC-19a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-3
                       name: assessment-objective
                       props:
@@ -2316,6 +2597,12 @@ catalog:
                           value: AC-19a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-19_smt.a'
+                      rel: assessment-for
                 - id: ac-19_obj.b
                   name: assessment-objective
                   props:
@@ -2323,6 +2610,12 @@ catalog:
                       value: AC-19b.
                       class: sp800-53a
                   prose: the connection of mobile devices to organizational systems is authorized.
+                  links:
+                    - href: '#ac-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-19_smt'
+                  rel: assessment-for
             - id: ac-19_asm-examine
               name: assessment-method
               props:
@@ -2527,16 +2820,25 @@ catalog:
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.1
+                          value: AC-20a.01
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.1'
+                          rel: assessment-for
                     - id: ac-20_obj.a.2
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.2
+                          value: AC-20a.02
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20_smt.a'
+                      rel: assessment-for
                 - id: ac-20_obj.b
                   name: assessment-objective
                   props:
@@ -2544,6 +2846,12 @@ catalog:
                       value: AC-20b.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).'
+                  links:
+                    - href: '#ac-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-20_smt'
+                  rel: assessment-for
             - id: ac-20_asm-examine
               name: assessment-method
               props:
@@ -2681,6 +2989,9 @@ catalog:
                       value: AC-22a.
                       class: sp800-53a
                   prose: designated individuals are authorized to make information publicly accessible;
+                  links:
+                    - href: '#ac-22_smt.a'
+                      rel: assessment-for
                 - id: ac-22_obj.b
                   name: assessment-objective
                   props:
@@ -2688,6 +2999,9 @@ catalog:
                       value: AC-22b.
                       class: sp800-53a
                   prose: authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
+                  links:
+                    - href: '#ac-22_smt.b'
+                      rel: assessment-for
                 - id: ac-22_obj.c
                   name: assessment-objective
                   props:
@@ -2695,6 +3009,9 @@ catalog:
                       value: AC-22c.
                       class: sp800-53a
                   prose: the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
+                  links:
+                    - href: '#ac-22_smt.c'
+                      rel: assessment-for
                 - id: ac-22_obj.d
                   name: assessment-objective
                   props:
@@ -2709,6 +3026,9 @@ catalog:
                           value: AC-22d.[01]
                           class: sp800-53a
                       prose: 'the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};'
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
                     - id: ac-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -2716,6 +3036,15 @@ catalog:
                           value: AC-22d.[02]
                           class: sp800-53a
                       prose: non-public information is removed from the publicly accessible system, if discovered.
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ac-22_smt'
+                  rel: assessment-for
             - id: ac-22_asm-examine
               name: assessment-method
               props:
@@ -2988,6 +3317,9 @@ catalog:
                           value: AT-01a.[01]
                           class: sp800-53a
                       prose: 'an awareness and training policy is developed and documented; '
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -2995,6 +3327,9 @@ catalog:
                           value: AT-01a.[02]
                           class: sp800-53a
                       prose: 'the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -3002,6 +3337,9 @@ catalog:
                           value: AT-01a.[03]
                           class: sp800-53a
                       prose: awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -3009,6 +3347,9 @@ catalog:
                           value: AT-01a.[04]
                           class: sp800-53a
                       prose: 'the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -3030,6 +3371,9 @@ catalog:
                                   value: AT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -3037,6 +3381,9 @@ catalog:
                                   value: AT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -3044,6 +3391,9 @@ catalog:
                                   value: AT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -3051,6 +3401,9 @@ catalog:
                                   value: AT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -3058,6 +3411,9 @@ catalog:
                                   value: AT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -3065,6 +3421,9 @@ catalog:
                                   value: AT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -3072,6 +3431,12 @@ catalog:
                                   value: AT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#at-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: at-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -3079,6 +3444,15 @@ catalog:
                               value: AT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and'
+                          links:
+                            - href: '#at-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.a'
+                      rel: assessment-for
                 - id: at-1_obj.b
                   name: assessment-objective
                   props:
@@ -3086,6 +3460,9 @@ catalog:
                       value: AT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;'
+                  links:
+                    - href: '#at-1_smt.b'
+                      rel: assessment-for
                 - id: at-1_obj.c
                   name: assessment-objective
                   props:
@@ -3107,6 +3484,9 @@ catalog:
                               value: AT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; '
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
                         - id: at-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -3114,6 +3494,12 @@ catalog:
                               value: AT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};'
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.1'
+                          rel: assessment-for
                     - id: at-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -3128,6 +3514,9 @@ catalog:
                               value: AT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
                         - id: at-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -3135,6 +3524,18 @@ catalog:
                               value: AT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-1_smt'
+                  rel: assessment-for
             - id: at-1_asm-examine
               name: assessment-method
               props:
@@ -3387,6 +3788,9 @@ catalog:
                               value: AT-02a.01[01]
                               class: sp800-53a
                           prose: security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -3394,6 +3798,9 @@ catalog:
                               value: AT-02a.01[02]
                               class: sp800-53a
                           prose: privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -3401,6 +3808,9 @@ catalog:
                               value: AT-02a.01[03]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -3408,6 +3818,12 @@ catalog:
                               value: AT-02a.01[04]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.1'
+                          rel: assessment-for
                     - id: at-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -3422,6 +3838,9 @@ catalog:
                               value: AT-02a.02[01]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
                         - id: at-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -3429,6 +3848,15 @@ catalog:
                               value: AT-02a.02[02]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.a'
+                      rel: assessment-for
                 - id: at-2_obj.b
                   name: assessment-objective
                   props:
@@ -3436,6 +3864,9 @@ catalog:
                       value: AT-02b.
                       class: sp800-53a
                   prose: ' {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;'
+                  links:
+                    - href: '#at-2_smt.b'
+                      rel: assessment-for
                 - id: at-2_obj.c
                   name: assessment-objective
                   props:
@@ -3450,6 +3881,9 @@ catalog:
                           value: AT-02c.[01]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
                     - id: at-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -3457,6 +3891,12 @@ catalog:
                           value: AT-02c.[02]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.c'
+                      rel: assessment-for
                 - id: at-2_obj.d
                   name: assessment-objective
                   props:
@@ -3464,6 +3904,12 @@ catalog:
                       value: AT-02d.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
+                  links:
+                    - href: '#at-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#at-2_smt'
+                  rel: assessment-for
             - id: at-2_asm-examine
               name: assessment-method
               props:
@@ -3566,6 +4012,9 @@ catalog:
                           value: AT-02(02)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential indicators of insider threat is provided;
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
                     - id: at-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -3573,6 +4022,12 @@ catalog:
                           value: AT-02(02)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential indicators of insider threat is provided.
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.2_smt'
+                      rel: assessment-for
                 - id: at-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -3808,6 +4263,9 @@ catalog:
                               value: AT-03a.01[01]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -3815,6 +4273,9 @@ catalog:
                               value: AT-03a.01[02]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -3822,6 +4283,9 @@ catalog:
                               value: AT-03a.01[03]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -3829,6 +4293,12 @@ catalog:
                               value: AT-03a.01[04]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.1'
+                          rel: assessment-for
                     - id: at-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -3843,6 +4313,9 @@ catalog:
                               value: AT-03a.02[01]
                               class: sp800-53a
                           prose: role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
                         - id: at-3_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -3850,6 +4323,15 @@ catalog:
                               value: AT-03a.02[02]
                               class: sp800-53a
                           prose: role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.a'
+                      rel: assessment-for
                 - id: at-3_obj.b
                   name: assessment-objective
                   props:
@@ -3864,6 +4346,9 @@ catalog:
                           value: AT-03b.[01]
                           class: sp800-53a
                       prose: 'role-based training content is updated {{ insert: param, at-03_odp.04 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
                     - id: at-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -3871,6 +4356,12 @@ catalog:
                           value: AT-03b.[02]
                           class: sp800-53a
                       prose: 'role-based training content is updated following {{ insert: param, at-03_odp.05 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.b'
+                      rel: assessment-for
                 - id: at-3_obj.c
                   name: assessment-objective
                   props:
@@ -3878,6 +4369,12 @@ catalog:
                       value: AT-03c.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
+                  links:
+                    - href: '#at-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-3_smt'
+                  rel: assessment-for
             - id: at-3_asm-examine
               name: assessment-method
               props:
@@ -4017,6 +4514,9 @@ catalog:
                           value: AT-04a.[01]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
                     - id: at-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -4024,6 +4524,12 @@ catalog:
                           value: AT-04a.[02]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-4_smt.a'
+                      rel: assessment-for
                 - id: at-4_obj.b
                   name: assessment-objective
                   props:
@@ -4031,6 +4537,12 @@ catalog:
                       value: AT-04b.
                       class: sp800-53a
                   prose: 'individual training records are retained for {{ insert: param, at-04_odp }}.'
+                  links:
+                    - href: '#at-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#at-4_smt'
+                  rel: assessment-for
             - id: at-4_asm-examine
               name: assessment-method
               props:
@@ -4288,6 +4800,9 @@ catalog:
                           value: AU-01a.[01]
                           class: sp800-53a
                       prose: an audit and accountability policy is developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -4295,6 +4810,9 @@ catalog:
                           value: AU-01a.[02]
                           class: sp800-53a
                       prose: 'the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -4302,6 +4820,9 @@ catalog:
                           value: AU-01a.[03]
                           class: sp800-53a
                       prose: audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -4309,6 +4830,9 @@ catalog:
                           value: AU-01a.[04]
                           class: sp800-53a
                       prose: 'the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -4330,6 +4854,9 @@ catalog:
                                   value: AU-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -4337,6 +4864,9 @@ catalog:
                                   value: AU-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -4344,6 +4874,9 @@ catalog:
                                   value: AU-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -4351,6 +4884,9 @@ catalog:
                                   value: AU-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -4358,6 +4894,9 @@ catalog:
                                   value: AU-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -4365,6 +4904,9 @@ catalog:
                                   value: AU-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -4372,6 +4914,12 @@ catalog:
                                   value: AU-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#au-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: au-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -4379,6 +4927,15 @@ catalog:
                               value: AU-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#au-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.a'
+                      rel: assessment-for
                 - id: au-1_obj.b
                   name: assessment-objective
                   props:
@@ -4386,6 +4943,9 @@ catalog:
                       value: AU-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;'
+                  links:
+                    - href: '#au-1_smt.b'
+                      rel: assessment-for
                 - id: au-1_obj.c
                   name: assessment-objective
                   props:
@@ -4407,6 +4967,9 @@ catalog:
                               value: AU-01c.01[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
                         - id: au-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -4414,6 +4977,12 @@ catalog:
                               value: AU-01c.01[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.1'
+                          rel: assessment-for
                     - id: au-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -4428,6 +4997,9 @@ catalog:
                               value: AU-01c.02[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
                         - id: au-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -4435,6 +5007,18 @@ catalog:
                               value: AU-01c.02[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-1_smt'
+                  rel: assessment-for
             - id: au-1_asm-examine
               name: assessment-method
               props:
@@ -4661,6 +5245,9 @@ catalog:
                       value: AU-02a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;'
+                  links:
+                    - href: '#au-2_smt.a'
+                      rel: assessment-for
                 - id: au-2_obj.b
                   name: assessment-objective
                   props:
@@ -4668,6 +5255,9 @@ catalog:
                       value: AU-02b.
                       class: sp800-53a
                   prose: the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+                  links:
+                    - href: '#au-2_smt.b'
+                      rel: assessment-for
                 - id: au-2_obj.c
                   name: assessment-objective
                   props:
@@ -4682,6 +5272,9 @@ catalog:
                           value: AU-02c.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, au-02_odp.02 }} are specified for logging within the system;'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
                     - id: au-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -4689,6 +5282,12 @@ catalog:
                           value: AU-02c.[02]
                           class: sp800-53a
                       prose: 'the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-2_smt.c'
+                      rel: assessment-for
                 - id: au-2_obj.d
                   name: assessment-objective
                   props:
@@ -4696,6 +5295,9 @@ catalog:
                       value: AU-02d.
                       class: sp800-53a
                   prose: a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+                  links:
+                    - href: '#au-2_smt.d'
+                      rel: assessment-for
                 - id: au-2_obj.e
                   name: assessment-objective
                   props:
@@ -4703,6 +5305,12 @@ catalog:
                       value: AU-02e.
                       class: sp800-53a
                   prose: 'the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.'
+                  links:
+                    - href: '#au-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#au-2_smt'
+                  rel: assessment-for
             - id: au-2_asm-examine
               name: assessment-method
               props:
@@ -4856,6 +5464,9 @@ catalog:
                       value: AU-03a.
                       class: sp800-53a
                   prose: audit records contain information that establishes what type of event occurred;
+                  links:
+                    - href: '#au-3_smt.a'
+                      rel: assessment-for
                 - id: au-3_obj.b
                   name: assessment-objective
                   props:
@@ -4863,6 +5474,9 @@ catalog:
                       value: AU-03b.
                       class: sp800-53a
                   prose: audit records contain information that establishes when the event occurred;
+                  links:
+                    - href: '#au-3_smt.b'
+                      rel: assessment-for
                 - id: au-3_obj.c
                   name: assessment-objective
                   props:
@@ -4870,6 +5484,9 @@ catalog:
                       value: AU-03c.
                       class: sp800-53a
                   prose: audit records contain information that establishes where the event occurred;
+                  links:
+                    - href: '#au-3_smt.c'
+                      rel: assessment-for
                 - id: au-3_obj.d
                   name: assessment-objective
                   props:
@@ -4877,6 +5494,9 @@ catalog:
                       value: AU-03d.
                       class: sp800-53a
                   prose: audit records contain information that establishes the source of the event;
+                  links:
+                    - href: '#au-3_smt.d'
+                      rel: assessment-for
                 - id: au-3_obj.e
                   name: assessment-objective
                   props:
@@ -4884,6 +5504,9 @@ catalog:
                       value: AU-03e.
                       class: sp800-53a
                   prose: audit records contain information that establishes the outcome of the event;
+                  links:
+                    - href: '#au-3_smt.e'
+                      rel: assessment-for
                 - id: au-3_obj.f
                   name: assessment-objective
                   props:
@@ -4891,6 +5514,12 @@ catalog:
                       value: AU-03f.
                       class: sp800-53a
                   prose: audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+                  links:
+                    - href: '#au-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#au-3_smt'
+                  rel: assessment-for
             - id: au-3_asm-examine
               name: assessment-method
               props:
@@ -5012,6 +5641,9 @@ catalog:
                   value: AU-04
                   class: sp800-53a
               prose: 'audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.'
+              links:
+                - href: '#au-4_smt'
+                  rel: assessment-for
             - id: au-4_asm-examine
               name: assessment-method
               props:
@@ -5171,6 +5803,9 @@ catalog:
                       value: AU-05a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};'
+                  links:
+                    - href: '#au-5_smt.a'
+                      rel: assessment-for
                 - id: au-5_obj.b
                   name: assessment-objective
                   props:
@@ -5178,6 +5813,12 @@ catalog:
                       value: AU-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.'
+                  links:
+                    - href: '#au-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-5_smt'
+                  rel: assessment-for
             - id: au-5_asm-examine
               name: assessment-method
               props:
@@ -5390,6 +6031,9 @@ catalog:
                       value: AU-06a.
                       class: sp800-53a
                   prose: 'system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;'
+                  links:
+                    - href: '#au-6_smt.a'
+                      rel: assessment-for
                 - id: au-6_obj.b
                   name: assessment-objective
                   props:
@@ -5397,6 +6041,9 @@ catalog:
                       value: AU-06b.
                       class: sp800-53a
                   prose: 'findings are reported to {{ insert: param, au-06_odp.03 }};'
+                  links:
+                    - href: '#au-6_smt.b'
+                      rel: assessment-for
                 - id: au-6_obj.c
                   name: assessment-objective
                   props:
@@ -5404,6 +6051,12 @@ catalog:
                       value: AU-06c.
                       class: sp800-53a
                   prose: the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
+                  links:
+                    - href: '#au-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-6_smt'
+                  rel: assessment-for
             - id: au-6_asm-examine
               name: assessment-method
               props:
@@ -5511,6 +6164,9 @@ catalog:
                       value: AU-08a.
                       class: sp800-53a
                   prose: internal system clocks are used to generate timestamps for audit records;
+                  links:
+                    - href: '#au-8_smt.a'
+                      rel: assessment-for
                 - id: au-8_obj.b
                   name: assessment-objective
                   props:
@@ -5518,6 +6174,12 @@ catalog:
                       value: AU-08b.
                       class: sp800-53a
                   prose: 'timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.'
+                  links:
+                    - href: '#au-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-8_smt'
+                  rel: assessment-for
             - id: au-8_asm-examine
               name: assessment-method
               props:
@@ -5667,6 +6329,9 @@ catalog:
                       value: AU-09a.
                       class: sp800-53a
                   prose: audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
+                  links:
+                    - href: '#au-9_smt.a'
+                      rel: assessment-for
                 - id: au-9_obj.b
                   name: assessment-objective
                   props:
@@ -5674,6 +6339,12 @@ catalog:
                       value: AU-09b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.'
+                  links:
+                    - href: '#au-9_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-9_smt'
+                  rel: assessment-for
             - id: au-9_asm-examine
               name: assessment-method
               props:
@@ -5799,6 +6470,9 @@ catalog:
                   value: AU-11
                   class: sp800-53a
               prose: 'audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
+              links:
+                - href: '#au-11_smt'
+                  rel: assessment-for
             - id: au-11_asm-examine
               name: assessment-method
               props:
@@ -5960,6 +6634,9 @@ catalog:
                       value: AU-12a.
                       class: sp800-53a
                   prose: 'audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};'
+                  links:
+                    - href: '#au-12_smt.a'
+                      rel: assessment-for
                 - id: au-12_obj.b
                   name: assessment-objective
                   props:
@@ -5967,6 +6644,9 @@ catalog:
                       value: AU-12b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;'
+                  links:
+                    - href: '#au-12_smt.b'
+                      rel: assessment-for
                 - id: au-12_obj.c
                   name: assessment-objective
                   props:
@@ -5974,6 +6654,12 @@ catalog:
                       value: AU-12c.
                       class: sp800-53a
                   prose: audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
+                  links:
+                    - href: '#au-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-12_smt'
+                  rel: assessment-for
             - id: au-12_asm-examine
               name: assessment-method
               props:
@@ -6256,6 +6942,9 @@ catalog:
                           value: CA-01a.[01]
                           class: sp800-53a
                       prose: an assessment, authorization, and monitoring policy is developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -6263,6 +6952,9 @@ catalog:
                           value: CA-01a.[02]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -6270,6 +6962,9 @@ catalog:
                           value: CA-01a.[03]
                           class: sp800-53a
                       prose: assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -6277,6 +6972,9 @@ catalog:
                           value: CA-01a.[04]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -6298,6 +6996,9 @@ catalog:
                                   value: CA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -6305,6 +7006,9 @@ catalog:
                                   value: CA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -6312,6 +7016,9 @@ catalog:
                                   value: CA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -6319,6 +7026,9 @@ catalog:
                                   value: CA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -6326,6 +7036,9 @@ catalog:
                                   value: CA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -6333,6 +7046,9 @@ catalog:
                                   value: CA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -6340,6 +7056,12 @@ catalog:
                                   value: CA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ca-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ca-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -6347,6 +7069,15 @@ catalog:
                               value: CA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ca-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.a'
+                      rel: assessment-for
                 - id: ca-1_obj.b
                   name: assessment-objective
                   props:
@@ -6354,6 +7085,9 @@ catalog:
                       value: CA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;'
+                  links:
+                    - href: '#ca-1_smt.b'
+                      rel: assessment-for
                 - id: ca-1_obj.c
                   name: assessment-objective
                   props:
@@ -6375,6 +7109,9 @@ catalog:
                               value: CA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
                         - id: ca-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -6382,6 +7119,12 @@ catalog:
                               value: CA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};'
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.1'
+                          rel: assessment-for
                     - id: ca-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -6396,6 +7139,9 @@ catalog:
                               value: CA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
                         - id: ca-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -6403,6 +7149,18 @@ catalog:
                               value: CA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.'
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-1_smt'
+                  rel: assessment-for
             - id: ca-1_asm-examine
               name: assessment-method
               props:
@@ -6610,6 +7368,9 @@ catalog:
                       value: CA-02a.
                       class: sp800-53a
                   prose: an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
+                  links:
+                    - href: '#ca-2_smt.a'
+                      rel: assessment-for
                 - id: ca-2_obj.b
                   name: assessment-objective
                   props:
@@ -6624,6 +7385,9 @@ catalog:
                           value: CA-02b.01
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
+                      links:
+                        - href: '#ca-2_smt.b.1'
+                          rel: assessment-for
                     - id: ca-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -6631,6 +7395,9 @@ catalog:
                           value: CA-02b.02
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
+                      links:
+                        - href: '#ca-2_smt.b.2'
+                          rel: assessment-for
                     - id: ca-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -6645,6 +7412,9 @@ catalog:
                               value: CA-02b.03[01]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -6652,6 +7422,9 @@ catalog:
                               value: CA-02b.03[02]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-3
                           name: assessment-objective
                           props:
@@ -6659,6 +7432,15 @@ catalog:
                               value: CA-02b.03[03]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.b'
+                      rel: assessment-for
                 - id: ca-2_obj.c
                   name: assessment-objective
                   props:
@@ -6666,6 +7448,9 @@ catalog:
                       value: CA-02c.
                       class: sp800-53a
                   prose: the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+                  links:
+                    - href: '#ca-2_smt.c'
+                      rel: assessment-for
                 - id: ca-2_obj.d
                   name: assessment-objective
                   props:
@@ -6680,6 +7465,9 @@ catalog:
                           value: CA-02d.[01]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
                     - id: ca-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -6687,6 +7475,12 @@ catalog:
                           value: CA-02d.[02]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.d'
+                      rel: assessment-for
                 - id: ca-2_obj.e
                   name: assessment-objective
                   props:
@@ -6694,6 +7488,9 @@ catalog:
                       value: CA-02e.
                       class: sp800-53a
                   prose: a control assessment report is produced that documents the results of the assessment;
+                  links:
+                    - href: '#ca-2_smt.e'
+                      rel: assessment-for
                 - id: ca-2_obj.f
                   name: assessment-objective
                   props:
@@ -6701,6 +7498,12 @@ catalog:
                       value: CA-02f.
                       class: sp800-53a
                   prose: 'the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.'
+                  links:
+                    - href: '#ca-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ca-2_smt'
+                  rel: assessment-for
             - id: ca-2_asm-examine
               name: assessment-method
               props:
@@ -6883,6 +7686,9 @@ catalog:
                       value: CA-03a.
                       class: sp800-53a
                   prose: 'the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};'
+                  links:
+                    - href: '#ca-3_smt.a'
+                      rel: assessment-for
                 - id: ca-3_obj.b
                   name: assessment-objective
                   props:
@@ -6897,6 +7703,9 @@ catalog:
                           value: CA-03b.[01]
                           class: sp800-53a
                       prose: the interface characteristics are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -6904,6 +7713,9 @@ catalog:
                           value: CA-03b.[02]
                           class: sp800-53a
                       prose: security requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-3
                       name: assessment-objective
                       props:
@@ -6911,6 +7723,9 @@ catalog:
                           value: CA-03b.[03]
                           class: sp800-53a
                       prose: privacy requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-4
                       name: assessment-objective
                       props:
@@ -6918,6 +7733,9 @@ catalog:
                           value: CA-03b.[04]
                           class: sp800-53a
                       prose: controls are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-5
                       name: assessment-objective
                       props:
@@ -6925,6 +7743,9 @@ catalog:
                           value: CA-03b.[05]
                           class: sp800-53a
                       prose: responsibilities for each system are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-6
                       name: assessment-objective
                       props:
@@ -6932,6 +7753,12 @@ catalog:
                           value: CA-03b.[06]
                           class: sp800-53a
                       prose: the impact level of the information communicated is documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-3_smt.b'
+                      rel: assessment-for
                 - id: ca-3_obj.c
                   name: assessment-objective
                   props:
@@ -6939,6 +7766,12 @@ catalog:
                       value: CA-03c.
                       class: sp800-53a
                   prose: 'agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.'
+                  links:
+                    - href: '#ca-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-3_smt'
+                  rel: assessment-for
             - id: ca-3_asm-examine
               name: assessment-method
               props:
@@ -7077,6 +7910,9 @@ catalog:
                       value: CA-05a.
                       class: sp800-53a
                   prose: a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
+                  links:
+                    - href: '#ca-5_smt.a'
+                      rel: assessment-for
                 - id: ca-5_obj.b
                   name: assessment-objective
                   props:
@@ -7084,6 +7920,12 @@ catalog:
                       value: CA-05b.
                       class: sp800-53a
                   prose: 'existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.'
+                  links:
+                    - href: '#ca-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ca-5_smt'
+                  rel: assessment-for
             - id: ca-5_asm-examine
               name: assessment-method
               props:
@@ -7258,6 +8100,9 @@ catalog:
                       value: CA-06a.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for the system;
+                  links:
+                    - href: '#ca-6_smt.a'
+                      rel: assessment-for
                 - id: ca-6_obj.b
                   name: assessment-objective
                   props:
@@ -7265,6 +8110,9 @@ catalog:
                       value: CA-06b.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.b'
+                      rel: assessment-for
                 - id: ca-6_obj.c
                   name: assessment-objective
                   props:
@@ -7279,6 +8127,9 @@ catalog:
                           value: CA-06c.01
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
+                      links:
+                        - href: '#ca-6_smt.c.1'
+                          rel: assessment-for
                     - id: ca-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -7286,6 +8137,12 @@ catalog:
                           value: CA-06c.02
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system authorizes the system to operate;
+                      links:
+                        - href: '#ca-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6_smt.c'
+                      rel: assessment-for
                 - id: ca-6_obj.d
                   name: assessment-objective
                   props:
@@ -7293,6 +8150,9 @@ catalog:
                       value: CA-06d.
                       class: sp800-53a
                   prose: the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.d'
+                      rel: assessment-for
                 - id: ca-6_obj.e
                   name: assessment-objective
                   props:
@@ -7300,6 +8160,12 @@ catalog:
                       value: CA-06e.
                       class: sp800-53a
                   prose: 'the authorizations are updated {{ insert: param, ca-06_odp }}.'
+                  links:
+                    - href: '#ca-6_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ca-6_smt'
+                  rel: assessment-for
             - id: ca-6_asm-examine
               name: assessment-method
               props:
@@ -7632,6 +8498,9 @@ catalog:
                       value: CA-07[01]
                       class: sp800-53a
                   prose: a system-level continuous monitoring strategy is developed;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj-2
                   name: assessment-objective
                   props:
@@ -7639,6 +8508,9 @@ catalog:
                       value: CA-07[02]
                       class: sp800-53a
                   prose: system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj.a
                   name: assessment-objective
                   props:
@@ -7646,6 +8518,9 @@ catalog:
                       value: CA-07a.
                       class: sp800-53a
                   prose: 'system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};'
+                  links:
+                    - href: '#ca-7_smt.a'
+                      rel: assessment-for
                 - id: ca-7_obj.b
                   name: assessment-objective
                   props:
@@ -7660,6 +8535,9 @@ catalog:
                           value: CA-07b.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
                     - id: ca-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -7667,6 +8545,12 @@ catalog:
                           value: CA-07b.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.b'
+                      rel: assessment-for
                 - id: ca-7_obj.c
                   name: assessment-objective
                   props:
@@ -7674,6 +8558,9 @@ catalog:
                       value: CA-07c.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.c'
+                      rel: assessment-for
                 - id: ca-7_obj.d
                   name: assessment-objective
                   props:
@@ -7681,6 +8568,9 @@ catalog:
                       value: CA-07d.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.d'
+                      rel: assessment-for
                 - id: ca-7_obj.e
                   name: assessment-objective
                   props:
@@ -7688,6 +8578,9 @@ catalog:
                       value: CA-07e.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
+                  links:
+                    - href: '#ca-7_smt.e'
+                      rel: assessment-for
                 - id: ca-7_obj.f
                   name: assessment-objective
                   props:
@@ -7695,6 +8588,9 @@ catalog:
                       value: CA-07f.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
+                  links:
+                    - href: '#ca-7_smt.f'
+                      rel: assessment-for
                 - id: ca-7_obj.g
                   name: assessment-objective
                   props:
@@ -7709,6 +8605,9 @@ catalog:
                           value: CA-07g.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
                     - id: ca-7_obj.g-2
                       name: assessment-objective
                       props:
@@ -7716,6 +8615,15 @@ catalog:
                           value: CA-07g.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ca-7_smt'
+                  rel: assessment-for
             - id: ca-7_asm-examine
               name: assessment-method
               props:
@@ -7854,6 +8762,9 @@ catalog:
                           value: CA-07(04)(a)
                           class: sp800-53a
                       prose: effectiveness monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.a'
+                          rel: assessment-for
                     - id: ca-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -7861,6 +8772,9 @@ catalog:
                           value: CA-07(04)(b)
                           class: sp800-53a
                       prose: compliance monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.b'
+                          rel: assessment-for
                     - id: ca-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -7868,6 +8782,12 @@ catalog:
                           value: CA-07(04)(c)
                           class: sp800-53a
                       prose: change monitoring is included in risk monitoring.
+                      links:
+                        - href: '#ca-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.4_smt'
+                      rel: assessment-for
                 - id: ca-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -8047,6 +8967,9 @@ catalog:
                       value: CA-09a.
                       class: sp800-53a
                   prose: 'internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;'
+                  links:
+                    - href: '#ca-9_smt.a'
+                      rel: assessment-for
                 - id: ca-9_obj.b
                   name: assessment-objective
                   props:
@@ -8061,6 +8984,9 @@ catalog:
                           value: CA-09b.[01]
                           class: sp800-53a
                       prose: for each internal connection, the interface characteristics are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -8068,6 +8994,9 @@ catalog:
                           value: CA-09b.[02]
                           class: sp800-53a
                       prose: for each internal connection, the security requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-3
                       name: assessment-objective
                       props:
@@ -8075,6 +9004,9 @@ catalog:
                           value: CA-09b.[03]
                           class: sp800-53a
                       prose: for each internal connection, the privacy requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-4
                       name: assessment-objective
                       props:
@@ -8082,6 +9014,12 @@ catalog:
                           value: CA-09b.[04]
                           class: sp800-53a
                       prose: for each internal connection, the nature of the information communicated is documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-9_smt.b'
+                      rel: assessment-for
                 - id: ca-9_obj.c
                   name: assessment-objective
                   props:
@@ -8089,6 +9027,9 @@ catalog:
                       value: CA-09c.
                       class: sp800-53a
                   prose: 'internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};'
+                  links:
+                    - href: '#ca-9_smt.c'
+                      rel: assessment-for
                 - id: ca-9_obj.d
                   name: assessment-objective
                   props:
@@ -8096,6 +9037,12 @@ catalog:
                       value: CA-09d.
                       class: sp800-53a
                   prose: 'the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.'
+                  links:
+                    - href: '#ca-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ca-9_smt'
+                  rel: assessment-for
             - id: ca-9_asm-examine
               name: assessment-method
               props:
@@ -8372,6 +9319,9 @@ catalog:
                           value: CM-01a.[01]
                           class: sp800-53a
                       prose: a configuration management policy is developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -8379,6 +9329,9 @@ catalog:
                           value: CM-01a.[02]
                           class: sp800-53a
                       prose: 'the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -8386,6 +9339,9 @@ catalog:
                           value: CM-01a.[03]
                           class: sp800-53a
                       prose: configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -8393,6 +9349,9 @@ catalog:
                           value: CM-01a.[04]
                           class: sp800-53a
                       prose: 'the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -8414,6 +9373,9 @@ catalog:
                                   value: CM-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -8421,6 +9383,9 @@ catalog:
                                   value: CM-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -8428,6 +9393,9 @@ catalog:
                                   value: CM-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -8435,6 +9403,9 @@ catalog:
                                   value: CM-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -8442,6 +9413,9 @@ catalog:
                                   value: CM-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -8449,6 +9423,9 @@ catalog:
                                   value: CM-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -8456,6 +9433,12 @@ catalog:
                                   value: CM-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cm-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cm-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -8463,6 +9446,15 @@ catalog:
                               value: CM-01a.01(b)
                               class: sp800-53a
                           prose: the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#cm-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.a'
+                      rel: assessment-for
                 - id: cm-1_obj.b
                   name: assessment-objective
                   props:
@@ -8470,6 +9462,9 @@ catalog:
                       value: CM-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;'
+                  links:
+                    - href: '#cm-1_smt.b'
+                      rel: assessment-for
                 - id: cm-1_obj.c
                   name: assessment-objective
                   props:
@@ -8491,6 +9486,9 @@ catalog:
                               value: CM-01c.01[01]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
                         - id: cm-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -8498,6 +9496,12 @@ catalog:
                               value: CM-01c.01[02]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};'
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.1'
+                          rel: assessment-for
                     - id: cm-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -8512,6 +9516,9 @@ catalog:
                               value: CM-01c.02[01]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
                         - id: cm-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -8519,6 +9526,18 @@ catalog:
                               value: CM-01c.02[02]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.'
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-1_smt'
+                  rel: assessment-for
             - id: cm-1_asm-examine
               name: assessment-method
               props:
@@ -8701,6 +9720,9 @@ catalog:
                           value: CM-02a.[01]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is developed and documented;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
                     - id: cm-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -8708,6 +9730,12 @@ catalog:
                           value: CM-02a.[02]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is maintained under configuration control;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.a'
+                      rel: assessment-for
                 - id: cm-2_obj.b
                   name: assessment-objective
                   props:
@@ -8722,6 +9750,9 @@ catalog:
                           value: CM-02b.01
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};'
+                      links:
+                        - href: '#cm-2_smt.b.1'
+                          rel: assessment-for
                     - id: cm-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -8729,6 +9760,9 @@ catalog:
                           value: CM-02b.02
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};'
+                      links:
+                        - href: '#cm-2_smt.b.2'
+                          rel: assessment-for
                     - id: cm-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -8736,6 +9770,15 @@ catalog:
                           value: CM-02b.03
                           class: sp800-53a
                       prose: the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
+                      links:
+                        - href: '#cm-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-2_smt'
+                  rel: assessment-for
             - id: cm-2_asm-examine
               name: assessment-method
               props:
@@ -8868,6 +9911,9 @@ catalog:
                       value: CM-04[01]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential security impacts prior to change implementation;
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
                 - id: cm-4_obj-2
                   name: assessment-objective
                   props:
@@ -8875,6 +9921,12 @@ catalog:
                       value: CM-04[02]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-4_smt'
+                  rel: assessment-for
             - id: cm-4_asm-examine
               name: assessment-method
               props:
@@ -9012,6 +10064,9 @@ catalog:
                       value: CM-05[01]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-2
                   name: assessment-objective
                   props:
@@ -9019,6 +10074,9 @@ catalog:
                       value: CM-05[02]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-3
                   name: assessment-objective
                   props:
@@ -9026,6 +10084,9 @@ catalog:
                       value: CM-05[03]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are enforced;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-4
                   name: assessment-objective
                   props:
@@ -9033,6 +10094,9 @@ catalog:
                       value: CM-05[04]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-5
                   name: assessment-objective
                   props:
@@ -9040,6 +10104,9 @@ catalog:
                       value: CM-05[05]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-6
                   name: assessment-objective
                   props:
@@ -9047,6 +10114,12 @@ catalog:
                       value: CM-05[06]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are enforced.
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-5_smt'
+                  rel: assessment-for
             - id: cm-5_asm-examine
               name: assessment-method
               props:
@@ -9285,6 +10358,9 @@ catalog:
                       value: CM-06a.
                       class: sp800-53a
                   prose: 'configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};'
+                  links:
+                    - href: '#cm-6_smt.a'
+                      rel: assessment-for
                 - id: cm-6_obj.b
                   name: assessment-objective
                   props:
@@ -9292,6 +10368,9 @@ catalog:
                       value: CM-06b.
                       class: sp800-53a
                   prose: the configuration settings documented in CM-06a are implemented;
+                  links:
+                    - href: '#cm-6_smt.b'
+                      rel: assessment-for
                 - id: cm-6_obj.c
                   name: assessment-objective
                   props:
@@ -9306,6 +10385,9 @@ catalog:
                           value: CM-06c.[01]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
                     - id: cm-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -9313,6 +10395,12 @@ catalog:
                           value: CM-06c.[02]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.c'
+                      rel: assessment-for
                 - id: cm-6_obj.d
                   name: assessment-objective
                   props:
@@ -9327,6 +10415,9 @@ catalog:
                           value: CM-06d.[01]
                           class: sp800-53a
                       prose: changes to the configuration settings are monitored in accordance with organizational policies and procedures;
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
                     - id: cm-6_obj.d-2
                       name: assessment-objective
                       props:
@@ -9334,6 +10425,15 @@ catalog:
                           value: CM-06d.[02]
                           class: sp800-53a
                       prose: changes to the configuration settings are controlled in accordance with organizational policies and procedures.
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cm-6_smt'
+                  rel: assessment-for
             - id: cm-6_asm-examine
               name: assessment-method
               props:
@@ -9576,6 +10676,9 @@ catalog:
                       value: CM-07a.
                       class: sp800-53a
                   prose: 'the system is configured to provide only {{ insert: param, cm-07_odp.01 }};'
+                  links:
+                    - href: '#cm-7_smt.a'
+                      rel: assessment-for
                 - id: cm-7_obj.b
                   name: assessment-objective
                   props:
@@ -9590,6 +10693,9 @@ catalog:
                           value: CM-07b.[01]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -9597,6 +10703,9 @@ catalog:
                           value: CM-07b.[02]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -9604,6 +10713,9 @@ catalog:
                           value: CM-07b.[03]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-4
                       name: assessment-objective
                       props:
@@ -9611,6 +10723,9 @@ catalog:
                           value: CM-07b.[04]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-5
                       name: assessment-objective
                       props:
@@ -9618,6 +10733,15 @@ catalog:
                           value: CM-07b.[05]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-7_smt'
+                  rel: assessment-for
             - id: cm-7_asm-examine
               name: assessment-method
               props:
@@ -9845,6 +10969,9 @@ catalog:
                           value: CM-08a.01
                           class: sp800-53a
                       prose: an inventory of system components that accurately reflects the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.1'
+                          rel: assessment-for
                     - id: cm-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -9852,6 +10979,9 @@ catalog:
                           value: CM-08a.02
                           class: sp800-53a
                       prose: an inventory of system components that includes all components within the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.2'
+                          rel: assessment-for
                     - id: cm-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -9859,6 +10989,9 @@ catalog:
                           value: CM-08a.03
                           class: sp800-53a
                       prose: an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.3'
+                          rel: assessment-for
                     - id: cm-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -9866,6 +10999,9 @@ catalog:
                           value: CM-08a.04
                           class: sp800-53a
                       prose: an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.4'
+                          rel: assessment-for
                     - id: cm-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -9873,6 +11009,12 @@ catalog:
                           value: CM-08a.05
                           class: sp800-53a
                       prose: 'an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;'
+                      links:
+                        - href: '#cm-8_smt.a.5'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8_smt.a'
+                      rel: assessment-for
                 - id: cm-8_obj.b
                   name: assessment-objective
                   props:
@@ -9880,6 +11022,12 @@ catalog:
                       value: CM-08b.
                       class: sp800-53a
                   prose: 'the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.'
+                  links:
+                    - href: '#cm-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-8_smt'
+                  rel: assessment-for
             - id: cm-8_asm-examine
               name: assessment-method
               props:
@@ -10007,6 +11155,9 @@ catalog:
                       value: CM-10a.
                       class: sp800-53a
                   prose: software and associated documentation are used in accordance with contract agreements and copyright laws;
+                  links:
+                    - href: '#cm-10_smt.a'
+                      rel: assessment-for
                 - id: cm-10_obj.b
                   name: assessment-objective
                   props:
@@ -10014,6 +11165,9 @@ catalog:
                       value: CM-10b.
                       class: sp800-53a
                   prose: the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
+                  links:
+                    - href: '#cm-10_smt.b'
+                      rel: assessment-for
                 - id: cm-10_obj.c
                   name: assessment-objective
                   props:
@@ -10021,6 +11175,12 @@ catalog:
                       value: CM-10c.
                       class: sp800-53a
                   prose: the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+                  links:
+                    - href: '#cm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-10_smt'
+                  rel: assessment-for
             - id: cm-10_asm-examine
               name: assessment-method
               props:
@@ -10197,6 +11357,9 @@ catalog:
                       value: CM-11a.
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;'
+                  links:
+                    - href: '#cm-11_smt.a'
+                      rel: assessment-for
                 - id: cm-11_obj.b
                   name: assessment-objective
                   props:
@@ -10204,6 +11367,9 @@ catalog:
                       value: CM-11b.
                       class: sp800-53a
                   prose: 'software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};'
+                  links:
+                    - href: '#cm-11_smt.b'
+                      rel: assessment-for
                 - id: cm-11_obj.c
                   name: assessment-objective
                   props:
@@ -10211,6 +11377,12 @@ catalog:
                       value: CM-11c.
                       class: sp800-53a
                   prose: 'compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.'
+                  links:
+                    - href: '#cm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-11_smt'
+                  rel: assessment-for
             - id: cm-11_asm-examine
               name: assessment-method
               props:
@@ -10498,6 +11670,9 @@ catalog:
                           value: CP-01a.[01]
                           class: sp800-53a
                       prose: a contingency planning policy is developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -10505,6 +11680,9 @@ catalog:
                           value: CP-01a.[02]
                           class: sp800-53a
                       prose: 'the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -10512,6 +11690,9 @@ catalog:
                           value: CP-01a.[03]
                           class: sp800-53a
                       prose: contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -10519,6 +11700,9 @@ catalog:
                           value: CP-01a.[04]
                           class: sp800-53a
                       prose: 'the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -10540,6 +11724,9 @@ catalog:
                                   value: CP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -10547,6 +11734,9 @@ catalog:
                                   value: CP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -10554,6 +11744,9 @@ catalog:
                                   value: CP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -10561,6 +11754,9 @@ catalog:
                                   value: CP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -10568,6 +11764,9 @@ catalog:
                                   value: CP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -10575,6 +11774,9 @@ catalog:
                                   value: CP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -10582,6 +11784,12 @@ catalog:
                                   value: CP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -10589,6 +11797,15 @@ catalog:
                               value: CP-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#cp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.a'
+                      rel: assessment-for
                 - id: cp-1_obj.b
                   name: assessment-objective
                   props:
@@ -10596,6 +11813,9 @@ catalog:
                       value: CP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;'
+                  links:
+                    - href: '#cp-1_smt.b'
+                      rel: assessment-for
                 - id: cp-1_obj.c
                   name: assessment-objective
                   props:
@@ -10617,6 +11837,9 @@ catalog:
                               value: CP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
                         - id: cp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -10624,6 +11847,12 @@ catalog:
                               value: CP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.1'
+                          rel: assessment-for
                     - id: cp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -10638,6 +11867,9 @@ catalog:
                               value: CP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
                         - id: cp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -10645,6 +11877,18 @@ catalog:
                               value: CP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-1_smt'
+                  rel: assessment-for
             - id: cp-1_asm-examine
               name: assessment-method
               props:
@@ -10956,6 +12200,9 @@ catalog:
                           value: CP-02a.01
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
+                      links:
+                        - href: '#cp-2_smt.a.1'
+                          rel: assessment-for
                     - id: cp-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -10970,6 +12217,9 @@ catalog:
                               value: CP-02a.02[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides recovery objectives;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -10977,6 +12227,9 @@ catalog:
                               value: CP-02a.02[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides restoration priorities;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -10984,6 +12237,12 @@ catalog:
                               value: CP-02a.02[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides metrics;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.2'
+                          rel: assessment-for
                     - id: cp-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -10998,6 +12257,9 @@ catalog:
                               value: CP-02a.03[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency roles;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -11005,6 +12267,9 @@ catalog:
                               value: CP-02a.03[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency responsibilities;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -11012,6 +12277,12 @@ catalog:
                               value: CP-02a.03[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses assigned individuals with contact information;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.3'
+                          rel: assessment-for
                     - id: cp-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -11019,6 +12290,9 @@ catalog:
                           value: CP-02a.04
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
+                      links:
+                        - href: '#cp-2_smt.a.4'
+                          rel: assessment-for
                     - id: cp-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -11026,6 +12300,9 @@ catalog:
                           value: CP-02a.05
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
+                      links:
+                        - href: '#cp-2_smt.a.5'
+                          rel: assessment-for
                     - id: cp-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -11033,6 +12310,9 @@ catalog:
                           value: CP-02a.06
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses the sharing of contingency information;
+                      links:
+                        - href: '#cp-2_smt.a.6'
+                          rel: assessment-for
                     - id: cp-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -11047,6 +12327,9 @@ catalog:
                               value: CP-02a.07[01]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
                         - id: cp-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -11054,6 +12337,15 @@ catalog:
                               value: CP-02a.07[02]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.7'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.a'
+                      rel: assessment-for
                 - id: cp-2_obj.b
                   name: assessment-objective
                   props:
@@ -11068,6 +12360,9 @@ catalog:
                           value: CP-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
                     - id: cp-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -11075,6 +12370,12 @@ catalog:
                           value: CP-02b.[02]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.b'
+                      rel: assessment-for
                 - id: cp-2_obj.c
                   name: assessment-objective
                   props:
@@ -11082,6 +12383,9 @@ catalog:
                       value: CP-02c.
                       class: sp800-53a
                   prose: contingency planning activities are coordinated with incident handling activities;
+                  links:
+                    - href: '#cp-2_smt.c'
+                      rel: assessment-for
                 - id: cp-2_obj.d
                   name: assessment-objective
                   props:
@@ -11089,6 +12393,9 @@ catalog:
                       value: CP-02d.
                       class: sp800-53a
                   prose: 'the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};'
+                  links:
+                    - href: '#cp-2_smt.d'
+                      rel: assessment-for
                 - id: cp-2_obj.e
                   name: assessment-objective
                   props:
@@ -11103,6 +12410,9 @@ catalog:
                           value: CP-02e.[01]
                           class: sp800-53a
                       prose: the contingency plan is updated to address changes to the organization, system, or environment of operation;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
                     - id: cp-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -11110,6 +12420,12 @@ catalog:
                           value: CP-02e.[02]
                           class: sp800-53a
                       prose: the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.e'
+                      rel: assessment-for
                 - id: cp-2_obj.f
                   name: assessment-objective
                   props:
@@ -11124,6 +12440,9 @@ catalog:
                           value: CP-02f.[01]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
                     - id: cp-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -11131,6 +12450,12 @@ catalog:
                           value: CP-02f.[02]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.f'
+                      rel: assessment-for
                 - id: cp-2_obj.g
                   name: assessment-objective
                   props:
@@ -11145,6 +12470,9 @@ catalog:
                           value: CP-02g.[01]
                           class: sp800-53a
                       prose: lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
                     - id: cp-2_obj.g-2
                       name: assessment-objective
                       props:
@@ -11152,6 +12480,12 @@ catalog:
                           value: CP-02g.[02]
                           class: sp800-53a
                       prose: lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.g'
+                      rel: assessment-for
                 - id: cp-2_obj.h
                   name: assessment-objective
                   props:
@@ -11166,6 +12500,9 @@ catalog:
                           value: CP-02h.[01]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
                     - id: cp-2_obj.h-2
                       name: assessment-objective
                       props:
@@ -11173,6 +12510,15 @@ catalog:
                           value: CP-02h.[02]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.h'
+                      rel: assessment-for
+              links:
+                - href: '#cp-2_smt'
+                  rel: assessment-for
             - id: cp-2_asm-examine
               name: assessment-method
               props:
@@ -11368,6 +12714,9 @@ catalog:
                           value: CP-03a.01
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;'
+                      links:
+                        - href: '#cp-3_smt.a.1'
+                          rel: assessment-for
                     - id: cp-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -11375,6 +12724,9 @@ catalog:
                           value: CP-03a.02
                           class: sp800-53a
                       prose: contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#cp-3_smt.a.2'
+                          rel: assessment-for
                     - id: cp-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -11382,6 +12734,12 @@ catalog:
                           value: CP-03a.03
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;'
+                      links:
+                        - href: '#cp-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.a'
+                      rel: assessment-for
                 - id: cp-3_obj.b
                   name: assessment-objective
                   props:
@@ -11396,6 +12754,9 @@ catalog:
                           value: CP-03b.[01]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
                     - id: cp-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -11403,6 +12764,15 @@ catalog:
                           value: CP-03b.[02]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-3_smt'
+                  rel: assessment-for
             - id: cp-3_asm-examine
               name: assessment-method
               props:
@@ -11585,6 +12955,9 @@ catalog:
                           value: CP-04a.[01]
                           class: sp800-53a
                       prose: 'the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -11592,6 +12965,9 @@ catalog:
                           value: CP-04a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -11599,6 +12975,12 @@ catalog:
                           value: CP-04a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4_smt.a'
+                      rel: assessment-for
                 - id: cp-4_obj.b
                   name: assessment-objective
                   props:
@@ -11606,6 +12988,9 @@ catalog:
                       value: CP-04b.
                       class: sp800-53a
                   prose: the contingency plan test results are reviewed;
+                  links:
+                    - href: '#cp-4_smt.b'
+                      rel: assessment-for
                 - id: cp-4_obj.c
                   name: assessment-objective
                   props:
@@ -11613,6 +12998,12 @@ catalog:
                       value: CP-04c.
                       class: sp800-53a
                   prose: corrective actions are initiated, if needed.
+                  links:
+                    - href: '#cp-4_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-4_smt'
+                  rel: assessment-for
             - id: cp-4_asm-examine
               name: assessment-method
               props:
@@ -11808,6 +13199,9 @@ catalog:
                       value: CP-09a.
                       class: sp800-53a
                   prose: 'backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};'
+                  links:
+                    - href: '#cp-9_smt.a'
+                      rel: assessment-for
                 - id: cp-9_obj.b
                   name: assessment-objective
                   props:
@@ -11815,6 +13209,9 @@ catalog:
                       value: CP-09b.
                       class: sp800-53a
                   prose: 'backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};'
+                  links:
+                    - href: '#cp-9_smt.b'
+                      rel: assessment-for
                 - id: cp-9_obj.c
                   name: assessment-objective
                   props:
@@ -11822,6 +13219,9 @@ catalog:
                       value: CP-09c.
                       class: sp800-53a
                   prose: 'backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};'
+                  links:
+                    - href: '#cp-9_smt.c'
+                      rel: assessment-for
                 - id: cp-9_obj.d
                   name: assessment-objective
                   props:
@@ -11836,6 +13236,9 @@ catalog:
                           value: CP-09d.[01]
                           class: sp800-53a
                       prose: the confidentiality of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-2
                       name: assessment-objective
                       props:
@@ -11843,6 +13246,9 @@ catalog:
                           value: CP-09d.[02]
                           class: sp800-53a
                       prose: the integrity of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-3
                       name: assessment-objective
                       props:
@@ -11850,6 +13256,15 @@ catalog:
                           value: CP-09d.[03]
                           class: sp800-53a
                       prose: the availability of backup information is protected.
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cp-9_smt'
+                  rel: assessment-for
             - id: cp-9_asm-examine
               name: assessment-method
               props:
@@ -11989,6 +13404,9 @@ catalog:
                       value: CP-10[01]
                       class: sp800-53a
                   prose: 'the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
                 - id: cp-10_obj-2
                   name: assessment-objective
                   props:
@@ -11996,6 +13414,12 @@ catalog:
                       value: CP-10[02]
                       class: sp800-53a
                   prose: 'a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cp-10_smt'
+                  rel: assessment-for
             - id: cp-10_asm-examine
               name: assessment-method
               props:
@@ -12283,6 +13707,9 @@ catalog:
                           value: IA-01a.[01]
                           class: sp800-53a
                       prose: an identification and authentication policy is developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -12290,6 +13717,9 @@ catalog:
                           value: IA-01a.[02]
                           class: sp800-53a
                       prose: 'the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -12297,6 +13727,9 @@ catalog:
                           value: IA-01a.[03]
                           class: sp800-53a
                       prose: identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -12304,6 +13737,9 @@ catalog:
                           value: IA-01a.[04]
                           class: sp800-53a
                       prose: 'the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -12325,6 +13761,9 @@ catalog:
                                   value: IA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -12332,6 +13771,9 @@ catalog:
                                   value: IA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -12339,6 +13781,9 @@ catalog:
                                   value: IA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -12346,6 +13791,9 @@ catalog:
                                   value: IA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -12353,6 +13801,9 @@ catalog:
                                   value: IA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -12360,6 +13811,9 @@ catalog:
                                   value: IA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -12367,6 +13821,12 @@ catalog:
                                   value: IA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ia-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ia-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -12374,6 +13834,15 @@ catalog:
                               value: IA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ia-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.a'
+                      rel: assessment-for
                 - id: ia-1_obj.b
                   name: assessment-objective
                   props:
@@ -12381,6 +13850,9 @@ catalog:
                       value: IA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;'
+                  links:
+                    - href: '#ia-1_smt.b'
+                      rel: assessment-for
                 - id: ia-1_obj.c
                   name: assessment-objective
                   props:
@@ -12402,6 +13874,9 @@ catalog:
                               value: IA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
                         - id: ia-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -12409,6 +13884,12 @@ catalog:
                               value: IA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.1'
+                          rel: assessment-for
                     - id: ia-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -12423,6 +13904,9 @@ catalog:
                               value: IA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
                         - id: ia-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -12430,6 +13914,18 @@ catalog:
                               value: IA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-1_smt'
+                  rel: assessment-for
             - id: ia-1_asm-examine
               name: assessment-method
               props:
@@ -12542,6 +14038,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ma-5'
@@ -12580,6 +14078,9 @@ catalog:
                       value: IA-02[01]
                       class: sp800-53a
                   prose: organizational users are uniquely identified and authenticated;
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
                 - id: ia-2_obj-2
                   name: assessment-objective
                   props:
@@ -12587,6 +14088,12 @@ catalog:
                       value: IA-02[02]
                       class: sp800-53a
                   prose: the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ia-2_smt'
+                  rel: assessment-for
             - id: ia-2_asm-examine
               name: assessment-method
               props:
@@ -12684,6 +14191,9 @@ catalog:
                       value: IA-02(01)
                       class: sp800-53a
                   prose: multi-factor authentication is implemented for access to privileged accounts.
+                  links:
+                    - href: '#ia-2.1_smt'
+                      rel: assessment-for
                 - id: ia-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -12777,6 +14287,9 @@ catalog:
                       value: IA-02(02)
                       class: sp800-53a
                   prose: multi-factor authentication for access to non-privileged accounts is implemented.
+                  links:
+                    - href: '#ia-2.2_smt'
+                      rel: assessment-for
                 - id: ia-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -12881,6 +14394,9 @@ catalog:
                       value: IA-02(08)
                       class: sp800-53a
                   prose: 'replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.'
+                  links:
+                    - href: '#ia-2.8_smt'
+                      rel: assessment-for
                 - id: ia-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -12975,6 +14491,9 @@ catalog:
                       value: IA-02(12)
                       class: sp800-53a
                   prose: Personal Identity Verification-compliant credentials are accepted and electronically verified.
+                  links:
+                    - href: '#ia-2.12_smt'
+                      rel: assessment-for
                 - id: ia-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -13165,6 +14684,9 @@ catalog:
                       value: IA-04a.
                       class: sp800-53a
                   prose: 'system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;'
+                  links:
+                    - href: '#ia-4_smt.a'
+                      rel: assessment-for
                 - id: ia-4_obj.b
                   name: assessment-objective
                   props:
@@ -13172,6 +14694,9 @@ catalog:
                       value: IA-04b.
                       class: sp800-53a
                   prose: system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.b'
+                      rel: assessment-for
                 - id: ia-4_obj.c
                   name: assessment-objective
                   props:
@@ -13179,6 +14704,9 @@ catalog:
                       value: IA-04c.
                       class: sp800-53a
                   prose: system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.c'
+                      rel: assessment-for
                 - id: ia-4_obj.d
                   name: assessment-objective
                   props:
@@ -13186,6 +14714,12 @@ catalog:
                       value: IA-04d.
                       class: sp800-53a
                   prose: 'system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.'
+                  links:
+                    - href: '#ia-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ia-4_smt'
+                  rel: assessment-for
             - id: ia-4_asm-examine
               name: assessment-method
               props:
@@ -13416,6 +14950,9 @@ catalog:
                       value: IA-05a.
                       class: sp800-53a
                   prose: system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;
+                  links:
+                    - href: '#ia-5_smt.a'
+                      rel: assessment-for
                 - id: ia-5_obj.b
                   name: assessment-objective
                   props:
@@ -13423,6 +14960,9 @@ catalog:
                       value: IA-05b.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;
+                  links:
+                    - href: '#ia-5_smt.b'
+                      rel: assessment-for
                 - id: ia-5_obj.c
                   name: assessment-objective
                   props:
@@ -13430,6 +14970,9 @@ catalog:
                       value: IA-05c.
                       class: sp800-53a
                   prose: system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;
+                  links:
+                    - href: '#ia-5_smt.c'
+                      rel: assessment-for
                 - id: ia-5_obj.d
                   name: assessment-objective
                   props:
@@ -13437,6 +14980,9 @@ catalog:
                       value: IA-05d.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;
+                  links:
+                    - href: '#ia-5_smt.d'
+                      rel: assessment-for
                 - id: ia-5_obj.e
                   name: assessment-objective
                   props:
@@ -13444,6 +14990,9 @@ catalog:
                       value: IA-05e.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of default authenticators prior to first use;
+                  links:
+                    - href: '#ia-5_smt.e'
+                      rel: assessment-for
                 - id: ia-5_obj.f
                   name: assessment-objective
                   props:
@@ -13451,6 +15000,9 @@ catalog:
                       value: IA-05f.
                       class: sp800-53a
                   prose: 'system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;'
+                  links:
+                    - href: '#ia-5_smt.f'
+                      rel: assessment-for
                 - id: ia-5_obj.g
                   name: assessment-objective
                   props:
@@ -13458,6 +15010,9 @@ catalog:
                       value: IA-05g.
                       class: sp800-53a
                   prose: system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;
+                  links:
+                    - href: '#ia-5_smt.g'
+                      rel: assessment-for
                 - id: ia-5_obj.h
                   name: assessment-objective
                   props:
@@ -13472,6 +15027,9 @@ catalog:
                           value: IA-05h.[01]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
                     - id: ia-5_obj.h-2
                       name: assessment-objective
                       props:
@@ -13479,6 +15037,12 @@ catalog:
                           value: IA-05h.[02]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5_smt.h'
+                      rel: assessment-for
                 - id: ia-5_obj.i
                   name: assessment-objective
                   props:
@@ -13486,6 +15050,12 @@ catalog:
                       value: IA-05i.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
+                  links:
+                    - href: '#ia-5_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#ia-5_smt'
+                  rel: assessment-for
             - id: ia-5_asm-examine
               name: assessment-method
               props:
@@ -13658,6 +15228,9 @@ catalog:
                           value: IA-05(01)(a)
                           class: sp800-53a
                       prose: 'for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;'
+                      links:
+                        - href: '#ia-5.1_smt.a'
+                          rel: assessment-for
                     - id: ia-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -13665,6 +15238,9 @@ catalog:
                           value: IA-05(01)(b)
                           class: sp800-53a
                       prose: for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);
+                      links:
+                        - href: '#ia-5.1_smt.b'
+                          rel: assessment-for
                     - id: ia-5.1_obj.c
                       name: assessment-objective
                       props:
@@ -13672,6 +15248,9 @@ catalog:
                           value: IA-05(01)(c)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are only transmitted over cryptographically protected channels;
+                      links:
+                        - href: '#ia-5.1_smt.c'
+                          rel: assessment-for
                     - id: ia-5.1_obj.d
                       name: assessment-objective
                       props:
@@ -13679,6 +15258,9 @@ catalog:
                           value: IA-05(01)(d)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;
+                      links:
+                        - href: '#ia-5.1_smt.d'
+                          rel: assessment-for
                     - id: ia-5.1_obj.e
                       name: assessment-objective
                       props:
@@ -13686,6 +15268,9 @@ catalog:
                           value: IA-05(01)(e)
                           class: sp800-53a
                       prose: for password-based authentication, immediate selection of a new password is required upon account recovery;
+                      links:
+                        - href: '#ia-5.1_smt.e'
+                          rel: assessment-for
                     - id: ia-5.1_obj.f
                       name: assessment-objective
                       props:
@@ -13693,6 +15278,9 @@ catalog:
                           value: IA-05(01)(f)
                           class: sp800-53a
                       prose: for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;
+                      links:
+                        - href: '#ia-5.1_smt.f'
+                          rel: assessment-for
                     - id: ia-5.1_obj.g
                       name: assessment-objective
                       props:
@@ -13700,6 +15288,9 @@ catalog:
                           value: IA-05(01)(g)
                           class: sp800-53a
                       prose: for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;
+                      links:
+                        - href: '#ia-5.1_smt.g'
+                          rel: assessment-for
                     - id: ia-5.1_obj.h
                       name: assessment-objective
                       props:
@@ -13707,6 +15298,12 @@ catalog:
                           value: IA-05(01)(h)
                           class: sp800-53a
                       prose: 'for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.'
+                      links:
+                        - href: '#ia-5.1_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.1_smt'
+                      rel: assessment-for
                 - id: ia-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -13796,6 +15393,9 @@ catalog:
                   value: IA-06
                   class: sp800-53a
               prose: the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
+              links:
+                - href: '#ia-6_smt'
+                  rel: assessment-for
             - id: ia-6_asm-examine
               name: assessment-method
               props:
@@ -13891,6 +15491,9 @@ catalog:
                   value: IA-07
                   class: sp800-53a
               prose: mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
+              links:
+                - href: '#ia-7_smt'
+                  rel: assessment-for
             - id: ia-7_asm-examine
               name: assessment-method
               props:
@@ -13998,6 +15601,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ra-3'
@@ -14020,6 +15625,9 @@ catalog:
                   value: IA-08
                   class: sp800-53a
               prose: non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.
+              links:
+                - href: '#ia-8_smt'
+                  rel: assessment-for
             - id: ia-8_asm-examine
               name: assessment-method
               props:
@@ -14121,6 +15729,9 @@ catalog:
                           value: IA-08(01)[01]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are accepted;
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
                     - id: ia-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -14128,6 +15739,12 @@ catalog:
                           value: IA-08(01)[02]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.1_smt'
+                      rel: assessment-for
                 - id: ia-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -14245,6 +15862,9 @@ catalog:
                           value: IA-08(02)(a)
                           class: sp800-53a
                       prose: only external authenticators that are NIST-compliant are accepted;
+                      links:
+                        - href: '#ia-8.2_smt.a'
+                          rel: assessment-for
                     - id: ia-8.2_obj.b
                       name: assessment-objective
                       props:
@@ -14259,6 +15879,9 @@ catalog:
                               value: IA-08(02)(b)[01]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is documented;
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
                         - id: ia-8.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -14266,6 +15889,15 @@ catalog:
                               value: IA-08(02)(b)[02]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is maintained.
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-8.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.2_smt'
+                      rel: assessment-for
                 - id: ia-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -14377,6 +16009,9 @@ catalog:
                       value: IA-08(04)
                       class: sp800-53a
                   prose: 'there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.'
+                  links:
+                    - href: '#ia-8.4_smt'
+                      rel: assessment-for
                 - id: ia-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -14494,6 +16129,9 @@ catalog:
                   value: IA-11
                   class: sp800-53a
               prose: 'users are required to re-authenticate when {{ insert: param, ia-11_odp }}.'
+              links:
+                - href: '#ia-11_smt'
+                  rel: assessment-for
             - id: ia-11_asm-examine
               name: assessment-method
               props:
@@ -14772,6 +16410,9 @@ catalog:
                           value: IR-01a.[01]
                           class: sp800-53a
                       prose: an incident response policy is developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -14779,6 +16420,9 @@ catalog:
                           value: IR-01a.[02]
                           class: sp800-53a
                       prose: 'the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -14786,6 +16430,9 @@ catalog:
                           value: IR-01a.[03]
                           class: sp800-53a
                       prose: incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -14793,6 +16440,9 @@ catalog:
                           value: IR-01a.[04]
                           class: sp800-53a
                       prose: 'the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -14814,6 +16464,9 @@ catalog:
                                   value: IR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -14821,6 +16474,9 @@ catalog:
                                   value: IR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -14828,6 +16484,9 @@ catalog:
                                   value: IR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -14835,6 +16494,9 @@ catalog:
                                   value: IR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -14842,6 +16504,9 @@ catalog:
                                   value: IR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -14849,6 +16514,9 @@ catalog:
                                   value: IR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -14856,6 +16524,12 @@ catalog:
                                   value: IR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ir-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ir-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -14863,6 +16537,15 @@ catalog:
                               value: IR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ir-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.a'
+                      rel: assessment-for
                 - id: ir-1_obj.b
                   name: assessment-objective
                   props:
@@ -14870,6 +16553,9 @@ catalog:
                       value: IR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;'
+                  links:
+                    - href: '#ir-1_smt.b'
+                      rel: assessment-for
                 - id: ir-1_obj.c
                   name: assessment-objective
                   props:
@@ -14891,6 +16577,9 @@ catalog:
                               value: IR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
                         - id: ir-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -14898,6 +16587,12 @@ catalog:
                               value: IR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.1'
+                          rel: assessment-for
                     - id: ir-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -14912,6 +16607,9 @@ catalog:
                               value: IR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
                         - id: ir-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -14919,6 +16617,18 @@ catalog:
                               value: IR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ir-1_smt'
+                  rel: assessment-for
             - id: ir-1_asm-examine
               name: assessment-method
               props:
@@ -15091,6 +16801,9 @@ catalog:
                           value: IR-02a.01
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;'
+                      links:
+                        - href: '#ir-2_smt.a.1'
+                          rel: assessment-for
                     - id: ir-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -15098,6 +16811,9 @@ catalog:
                           value: IR-02a.02
                           class: sp800-53a
                       prose: incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#ir-2_smt.a.2'
+                          rel: assessment-for
                     - id: ir-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -15105,6 +16821,12 @@ catalog:
                           value: IR-02a.03
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;'
+                      links:
+                        - href: '#ir-2_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.a'
+                      rel: assessment-for
                 - id: ir-2_obj.b
                   name: assessment-objective
                   props:
@@ -15119,6 +16841,9 @@ catalog:
                           value: IR-02b.[01]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
                     - id: ir-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -15126,6 +16851,15 @@ catalog:
                           value: IR-02b.[02]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-2_smt'
+                  rel: assessment-for
             - id: ir-2_asm-examine
               name: assessment-method
               props:
@@ -15301,6 +17035,9 @@ catalog:
                           value: IR-04a.[01]
                           class: sp800-53a
                       prose: an incident handling capability for incidents is implemented that is consistent with the incident response plan;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -15308,6 +17045,9 @@ catalog:
                           value: IR-04a.[02]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes preparation;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -15315,6 +17055,9 @@ catalog:
                           value: IR-04a.[03]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes detection and analysis;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -15322,6 +17065,9 @@ catalog:
                           value: IR-04a.[04]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes containment;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-5
                       name: assessment-objective
                       props:
@@ -15329,6 +17075,9 @@ catalog:
                           value: IR-04a.[05]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes eradication;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-6
                       name: assessment-objective
                       props:
@@ -15336,6 +17085,12 @@ catalog:
                           value: IR-04a.[06]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes recovery;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.a'
+                      rel: assessment-for
                 - id: ir-4_obj.b
                   name: assessment-objective
                   props:
@@ -15343,6 +17098,9 @@ catalog:
                       value: IR-04b.
                       class: sp800-53a
                   prose: incident handling activities are coordinated with contingency planning activities;
+                  links:
+                    - href: '#ir-4_smt.b'
+                      rel: assessment-for
                 - id: ir-4_obj.c
                   name: assessment-objective
                   props:
@@ -15357,6 +17115,9 @@ catalog:
                           value: IR-04c.[01]
                           class: sp800-53a
                       prose: lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
                     - id: ir-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -15364,6 +17125,12 @@ catalog:
                           value: IR-04c.[02]
                           class: sp800-53a
                       prose: the changes resulting from the incorporated lessons learned are implemented accordingly;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.c'
+                      rel: assessment-for
                 - id: ir-4_obj.d
                   name: assessment-objective
                   props:
@@ -15378,6 +17145,9 @@ catalog:
                           value: IR-04d.[01]
                           class: sp800-53a
                       prose: the rigor of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -15385,6 +17155,9 @@ catalog:
                           value: IR-04d.[02]
                           class: sp800-53a
                       prose: the intensity of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-3
                       name: assessment-objective
                       props:
@@ -15392,6 +17165,9 @@ catalog:
                           value: IR-04d.[03]
                           class: sp800-53a
                       prose: the scope of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-4
                       name: assessment-objective
                       props:
@@ -15399,6 +17175,15 @@ catalog:
                           value: IR-04d.[04]
                           class: sp800-53a
                       prose: the results of incident handling activities are comparable and predictable across the organization.
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ir-4_smt'
+                  rel: assessment-for
             - id: ir-4_asm-examine
               name: assessment-method
               props:
@@ -15520,6 +17305,9 @@ catalog:
                       value: IR-05[01]
                       class: sp800-53a
                   prose: incidents are tracked;
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
                 - id: ir-5_obj-2
                   name: assessment-objective
                   props:
@@ -15527,6 +17315,12 @@ catalog:
                       value: IR-05[02]
                       class: sp800-53a
                   prose: incidents are documented.
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-5_smt'
+                  rel: assessment-for
             - id: ir-5_asm-examine
               name: assessment-method
               props:
@@ -15671,6 +17465,9 @@ catalog:
                       value: IR-06a.
                       class: sp800-53a
                   prose: 'personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};'
+                  links:
+                    - href: '#ir-6_smt.a'
+                      rel: assessment-for
                 - id: ir-6_obj.b
                   name: assessment-objective
                   props:
@@ -15678,6 +17475,12 @@ catalog:
                       value: IR-06b.
                       class: sp800-53a
                   prose: 'incident information is reported to {{ insert: param, ir-06_odp.02 }}.'
+                  links:
+                    - href: '#ir-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-6_smt'
+                  rel: assessment-for
             - id: ir-6_asm-examine
               name: assessment-method
               props:
@@ -15797,6 +17600,9 @@ catalog:
                       value: IR-07[01]
                       class: sp800-53a
                   prose: an incident response support resource, integral to the organizational incident response capability, is provided;
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
                 - id: ir-7_obj-2
                   name: assessment-objective
                   props:
@@ -15804,6 +17610,12 @@ catalog:
                       value: IR-07[02]
                       class: sp800-53a
                   prose: the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-7_smt'
+                  rel: assessment-for
             - id: ir-7_asm-examine
               name: assessment-method
               props:
@@ -16101,6 +17913,9 @@ catalog:
                           value: IR-08a.01
                           class: sp800-53a
                       prose: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.1'
+                          rel: assessment-for
                     - id: ir-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -16108,6 +17923,9 @@ catalog:
                           value: IR-08a.02
                           class: sp800-53a
                       prose: an incident response plan is developed that describes the structure and organization of the incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.2'
+                          rel: assessment-for
                     - id: ir-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -16115,6 +17933,9 @@ catalog:
                           value: IR-08a.03
                           class: sp800-53a
                       prose: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
+                      links:
+                        - href: '#ir-8_smt.a.3'
+                          rel: assessment-for
                     - id: ir-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -16122,6 +17943,9 @@ catalog:
                           value: IR-08a.04
                           class: sp800-53a
                       prose: an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
+                      links:
+                        - href: '#ir-8_smt.a.4'
+                          rel: assessment-for
                     - id: ir-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -16129,6 +17953,9 @@ catalog:
                           value: IR-08a.05
                           class: sp800-53a
                       prose: an incident response plan is developed that defines reportable incidents;
+                      links:
+                        - href: '#ir-8_smt.a.5'
+                          rel: assessment-for
                     - id: ir-8_obj.a.6
                       name: assessment-objective
                       props:
@@ -16136,6 +17963,9 @@ catalog:
                           value: IR-08a.06
                           class: sp800-53a
                       prose: an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
+                      links:
+                        - href: '#ir-8_smt.a.6'
+                          rel: assessment-for
                     - id: ir-8_obj.a.7
                       name: assessment-objective
                       props:
@@ -16143,6 +17973,9 @@ catalog:
                           value: IR-08a.07
                           class: sp800-53a
                       prose: an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.7'
+                          rel: assessment-for
                     - id: ir-8_obj.a.8
                       name: assessment-objective
                       props:
@@ -16150,6 +17983,9 @@ catalog:
                           value: IR-08a.08
                           class: sp800-53a
                       prose: an incident response plan is developed that addresses the sharing of incident information;
+                      links:
+                        - href: '#ir-8_smt.a.8'
+                          rel: assessment-for
                     - id: ir-8_obj.a.9
                       name: assessment-objective
                       props:
@@ -16157,6 +17993,9 @@ catalog:
                           value: IR-08a.09
                           class: sp800-53a
                       prose: 'an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};'
+                      links:
+                        - href: '#ir-8_smt.a.9'
+                          rel: assessment-for
                     - id: ir-8_obj.a.10
                       name: assessment-objective
                       props:
@@ -16164,6 +18003,12 @@ catalog:
                           value: IR-08a.10
                           class: sp800-53a
                       prose: 'an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.'
+                      links:
+                        - href: '#ir-8_smt.a.10'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.a'
+                      rel: assessment-for
                 - id: ir-8_obj.b
                   name: assessment-objective
                   props:
@@ -16178,6 +18023,9 @@ catalog:
                           value: IR-08b.[01]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
                     - id: ir-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -16185,6 +18033,12 @@ catalog:
                           value: IR-08b.[02]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.b'
+                      rel: assessment-for
                 - id: ir-8_obj.c
                   name: assessment-objective
                   props:
@@ -16192,6 +18046,9 @@ catalog:
                       value: IR-08c.
                       class: sp800-53a
                   prose: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+                  links:
+                    - href: '#ir-8_smt.c'
+                      rel: assessment-for
                 - id: ir-8_obj.d
                   name: assessment-objective
                   props:
@@ -16206,6 +18063,9 @@ catalog:
                           value: IR-08d.[01]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
                     - id: ir-8_obj.d-2
                       name: assessment-objective
                       props:
@@ -16213,6 +18073,12 @@ catalog:
                           value: IR-08d.[02]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.d'
+                      rel: assessment-for
                 - id: ir-8_obj.e
                   name: assessment-objective
                   props:
@@ -16227,6 +18093,9 @@ catalog:
                           value: IR-08e.[01]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
                     - id: ir-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -16234,6 +18103,15 @@ catalog:
                           value: IR-08e.[02]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized modification.
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ir-8_smt'
+                  rel: assessment-for
             - id: ir-8_asm-examine
               name: assessment-method
               props:
@@ -16498,6 +18376,9 @@ catalog:
                           value: MA-01a.[01]
                           class: sp800-53a
                       prose: a maintenance policy is developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -16505,6 +18386,9 @@ catalog:
                           value: MA-01a.[02]
                           class: sp800-53a
                       prose: 'the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -16512,6 +18396,9 @@ catalog:
                           value: MA-01a.[03]
                           class: sp800-53a
                       prose: maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -16519,6 +18406,9 @@ catalog:
                           value: MA-01a.[04]
                           class: sp800-53a
                       prose: 'the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -16540,6 +18430,9 @@ catalog:
                                   value: MA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -16547,6 +18440,9 @@ catalog:
                                   value: MA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -16554,6 +18450,9 @@ catalog:
                                   value: MA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -16561,6 +18460,9 @@ catalog:
                                   value: MA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -16568,6 +18470,9 @@ catalog:
                                   value: MA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -16575,6 +18480,9 @@ catalog:
                                   value: MA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -16582,6 +18490,12 @@ catalog:
                                   value: MA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ma-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ma-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -16589,6 +18503,15 @@ catalog:
                               value: MA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ma-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.a'
+                      rel: assessment-for
                 - id: ma-1_obj.b
                   name: assessment-objective
                   props:
@@ -16596,6 +18519,9 @@ catalog:
                       value: MA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;'
+                  links:
+                    - href: '#ma-1_smt.b'
+                      rel: assessment-for
                 - id: ma-1_obj.c
                   name: assessment-objective
                   props:
@@ -16617,6 +18543,9 @@ catalog:
                               value: MA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
                         - id: ma-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -16624,6 +18553,12 @@ catalog:
                               value: MA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.1'
+                          rel: assessment-for
                     - id: ma-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -16638,6 +18573,9 @@ catalog:
                               value: MA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
                         - id: ma-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -16645,6 +18583,18 @@ catalog:
                               value: MA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-1_smt'
+                  rel: assessment-for
             - id: ma-1_asm-examine
               name: assessment-method
               props:
@@ -16819,6 +18769,9 @@ catalog:
                           value: MA-02a.[01]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -16826,6 +18779,9 @@ catalog:
                           value: MA-02a.[02]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -16833,6 +18789,12 @@ catalog:
                           value: MA-02a.[03]
                           class: sp800-53a
                       prose: records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.a'
+                      rel: assessment-for
                 - id: ma-2_obj.b
                   name: assessment-objective
                   props:
@@ -16847,6 +18809,9 @@ catalog:
                           value: MA-02b.[01]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
                     - id: ma-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -16854,6 +18819,12 @@ catalog:
                           value: MA-02b.[02]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.b'
+                      rel: assessment-for
                 - id: ma-2_obj.c
                   name: assessment-objective
                   props:
@@ -16861,6 +18832,9 @@ catalog:
                       value: MA-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.c'
+                      rel: assessment-for
                 - id: ma-2_obj.d
                   name: assessment-objective
                   props:
@@ -16868,6 +18842,9 @@ catalog:
                       value: MA-02d.
                       class: sp800-53a
                   prose: 'equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.d'
+                      rel: assessment-for
                 - id: ma-2_obj.e
                   name: assessment-objective
                   props:
@@ -16875,6 +18852,9 @@ catalog:
                       value: MA-02e.
                       class: sp800-53a
                   prose: all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
+                  links:
+                    - href: '#ma-2_smt.e'
+                      rel: assessment-for
                 - id: ma-2_obj.f
                   name: assessment-objective
                   props:
@@ -16882,6 +18862,12 @@ catalog:
                       value: MA-02f.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.'
+                  links:
+                    - href: '#ma-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ma-2_smt'
+                  rel: assessment-for
             - id: ma-2_asm-examine
               name: assessment-method
               props:
@@ -17060,6 +19046,9 @@ catalog:
                           value: MA-04a.[01]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are approved;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
                     - id: ma-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -17067,6 +19056,12 @@ catalog:
                           value: MA-04a.[02]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are monitored;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.a'
+                      rel: assessment-for
                 - id: ma-4_obj.b
                   name: assessment-objective
                   props:
@@ -17081,6 +19076,9 @@ catalog:
                           value: MA-04b.[01]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
                     - id: ma-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -17088,6 +19086,12 @@ catalog:
                           value: MA-04b.[02]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.b'
+                      rel: assessment-for
                 - id: ma-4_obj.c
                   name: assessment-objective
                   props:
@@ -17095,6 +19099,9 @@ catalog:
                       value: MA-04c.
                       class: sp800-53a
                   prose: strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
+                  links:
+                    - href: '#ma-4_smt.c'
+                      rel: assessment-for
                 - id: ma-4_obj.d
                   name: assessment-objective
                   props:
@@ -17102,6 +19109,9 @@ catalog:
                       value: MA-04d.
                       class: sp800-53a
                   prose: records for nonlocal maintenance and diagnostic activities are maintained;
+                  links:
+                    - href: '#ma-4_smt.d'
+                      rel: assessment-for
                 - id: ma-4_obj.e
                   name: assessment-objective
                   props:
@@ -17116,6 +19126,9 @@ catalog:
                           value: MA-04e.[01]
                           class: sp800-53a
                       prose: session connections are terminated when nonlocal maintenance is completed;
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
                     - id: ma-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -17123,6 +19136,15 @@ catalog:
                           value: MA-04e.[02]
                           class: sp800-53a
                       prose: network connections are terminated when nonlocal maintenance is completed.
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ma-4_smt'
+                  rel: assessment-for
             - id: ma-4_asm-examine
               name: assessment-method
               props:
@@ -17277,6 +19299,9 @@ catalog:
                           value: MA-05a.[01]
                           class: sp800-53a
                       prose: a process for maintenance personnel authorization is established;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
                     - id: ma-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -17284,6 +19309,12 @@ catalog:
                           value: MA-05a.[02]
                           class: sp800-53a
                       prose: a list of authorized maintenance organizations or personnel is maintained;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5_smt.a'
+                      rel: assessment-for
                 - id: ma-5_obj.b
                   name: assessment-objective
                   props:
@@ -17291,6 +19322,9 @@ catalog:
                       value: MA-05b.
                       class: sp800-53a
                   prose: non-escorted personnel performing maintenance on the system possess the required access authorizations;
+                  links:
+                    - href: '#ma-5_smt.b'
+                      rel: assessment-for
                 - id: ma-5_obj.c
                   name: assessment-objective
                   props:
@@ -17298,6 +19332,12 @@ catalog:
                       value: MA-05c.
                       class: sp800-53a
                   prose: organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
+                  links:
+                    - href: '#ma-5_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-5_smt'
+                  rel: assessment-for
             - id: ma-5_asm-examine
               name: assessment-method
               props:
@@ -17569,6 +19609,9 @@ catalog:
                           value: MP-01a.[01]
                           class: sp800-53a
                       prose: a media protection policy is developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -17576,6 +19619,9 @@ catalog:
                           value: MP-01a.[02]
                           class: sp800-53a
                       prose: 'the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -17583,6 +19629,9 @@ catalog:
                           value: MP-01a.[03]
                           class: sp800-53a
                       prose: media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -17590,6 +19639,9 @@ catalog:
                           value: MP-01a.[04]
                           class: sp800-53a
                       prose: 'the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -17611,6 +19663,9 @@ catalog:
                                   value: MP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -17618,6 +19673,9 @@ catalog:
                                   value: MP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -17625,6 +19683,9 @@ catalog:
                                   value: MP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -17632,6 +19693,9 @@ catalog:
                                   value: MP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -17639,6 +19703,9 @@ catalog:
                                   value: MP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -17646,6 +19713,9 @@ catalog:
                                   value: MP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -17653,6 +19723,12 @@ catalog:
                                   value: MP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#mp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: mp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -17660,6 +19736,15 @@ catalog:
                               value: MP-01a.01(b)
                               class: sp800-53a
                           prose: the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#mp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.a'
+                      rel: assessment-for
                 - id: mp-1_obj.b
                   name: assessment-objective
                   props:
@@ -17667,6 +19752,9 @@ catalog:
                       value: MP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.'
+                  links:
+                    - href: '#mp-1_smt.b'
+                      rel: assessment-for
                 - id: mp-1_obj.c
                   name: assessment-objective
                   props:
@@ -17688,6 +19776,9 @@ catalog:
                               value: MP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
                         - id: mp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -17695,6 +19786,12 @@ catalog:
                               value: MP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};'
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.1'
+                          rel: assessment-for
                     - id: mp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -17709,6 +19806,9 @@ catalog:
                               value: MP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
                         - id: mp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -17716,6 +19816,18 @@ catalog:
                               value: MP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.'
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#mp-1_smt'
+                  rel: assessment-for
             - id: mp-1_asm-examine
               name: assessment-method
               props:
@@ -17873,6 +19985,9 @@ catalog:
                       value: MP-02[01]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
                 - id: mp-2_obj-2
                   name: assessment-objective
                   props:
@@ -17880,6 +19995,12 @@ catalog:
                       value: MP-02[02]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#mp-2_smt'
+                  rel: assessment-for
             - id: mp-2_asm-examine
               name: assessment-method
               props:
@@ -18111,6 +20232,9 @@ catalog:
                           value: MP-06a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -18118,6 +20242,9 @@ catalog:
                           value: MP-06a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-3
                       name: assessment-objective
                       props:
@@ -18125,6 +20252,12 @@ catalog:
                           value: MP-06a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6_smt.a'
+                      rel: assessment-for
                 - id: mp-6_obj.b
                   name: assessment-objective
                   props:
@@ -18132,6 +20265,12 @@ catalog:
                       value: MP-06b.
                       class: sp800-53a
                   prose: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
+                  links:
+                    - href: '#mp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-6_smt'
+                  rel: assessment-for
             - id: mp-6_asm-examine
               name: assessment-method
               props:
@@ -18307,6 +20446,9 @@ catalog:
                       value: MP-07a.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};'
+                  links:
+                    - href: '#mp-7_smt.a'
+                      rel: assessment-for
                 - id: mp-7_obj.b
                   name: assessment-objective
                   props:
@@ -18314,6 +20456,12 @@ catalog:
                       value: MP-07b.
                       class: sp800-53a
                   prose: the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
+                  links:
+                    - href: '#mp-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-7_smt'
+                  rel: assessment-for
             - id: mp-7_asm-examine
               name: assessment-method
               props:
@@ -18587,6 +20735,9 @@ catalog:
                           value: PE-01a.[01]
                           class: sp800-53a
                       prose: a physical and environmental protection policy is developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -18594,6 +20745,9 @@ catalog:
                           value: PE-01a.[02]
                           class: sp800-53a
                       prose: 'the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -18601,6 +20755,9 @@ catalog:
                           value: PE-01a.[03]
                           class: sp800-53a
                       prose: physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -18608,6 +20765,9 @@ catalog:
                           value: PE-01a.[04]
                           class: sp800-53a
                       prose: 'the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -18629,6 +20789,9 @@ catalog:
                                   value: PE-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -18636,6 +20799,9 @@ catalog:
                                   value: PE-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -18643,6 +20809,9 @@ catalog:
                                   value: PE-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -18650,6 +20819,9 @@ catalog:
                                   value: PE-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -18657,6 +20829,9 @@ catalog:
                                   value: PE-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -18664,6 +20839,9 @@ catalog:
                                   value: PE-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -18671,6 +20849,12 @@ catalog:
                                   value: PE-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pe-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pe-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -18678,6 +20862,15 @@ catalog:
                               value: PE-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pe-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.a'
+                      rel: assessment-for
                 - id: pe-1_obj.b
                   name: assessment-objective
                   props:
@@ -18685,6 +20878,9 @@ catalog:
                       value: PE-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;'
+                  links:
+                    - href: '#pe-1_smt.b'
+                      rel: assessment-for
                 - id: pe-1_obj.c
                   name: assessment-objective
                   props:
@@ -18706,6 +20902,9 @@ catalog:
                               value: PE-01c.01[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
                         - id: pe-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -18713,6 +20912,12 @@ catalog:
                               value: PE-01c.01[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.1'
+                          rel: assessment-for
                     - id: pe-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -18727,6 +20932,9 @@ catalog:
                               value: PE-01c.02[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
                         - id: pe-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -18734,6 +20942,18 @@ catalog:
                               value: PE-01c.02[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-1_smt'
+                  rel: assessment-for
             - id: pe-1_asm-examine
               name: assessment-method
               props:
@@ -18884,6 +21104,9 @@ catalog:
                           value: PE-02a.[01]
                           class: sp800-53a
                       prose: a list of individuals with authorized access to the facility where the system resides has been developed;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -18891,6 +21114,9 @@ catalog:
                           value: PE-02a.[02]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been approved;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -18898,6 +21124,12 @@ catalog:
                           value: PE-02a.[03]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been maintained;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-2_smt.a'
+                      rel: assessment-for
                 - id: pe-2_obj.b
                   name: assessment-objective
                   props:
@@ -18905,6 +21137,9 @@ catalog:
                       value: PE-02b.
                       class: sp800-53a
                   prose: authorization credentials are issued for facility access;
+                  links:
+                    - href: '#pe-2_smt.b'
+                      rel: assessment-for
                 - id: pe-2_obj.c
                   name: assessment-objective
                   props:
@@ -18912,6 +21147,9 @@ catalog:
                       value: PE-02c.
                       class: sp800-53a
                   prose: 'the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};'
+                  links:
+                    - href: '#pe-2_smt.c'
+                      rel: assessment-for
                 - id: pe-2_obj.d
                   name: assessment-objective
                   props:
@@ -18919,6 +21157,12 @@ catalog:
                       value: PE-02d.
                       class: sp800-53a
                   prose: individuals are removed from the facility access list when access is no longer required.
+                  links:
+                    - href: '#pe-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-2_smt'
+                  rel: assessment-for
             - id: pe-2_asm-examine
               name: assessment-method
               props:
@@ -19249,6 +21493,9 @@ catalog:
                           value: PE-03a.01
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;'
+                      links:
+                        - href: '#pe-3_smt.a.1'
+                          rel: assessment-for
                     - id: pe-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -19256,6 +21503,12 @@ catalog:
                           value: PE-03a.02
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};'
+                      links:
+                        - href: '#pe-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.a'
+                      rel: assessment-for
                 - id: pe-3_obj.b
                   name: assessment-objective
                   props:
@@ -19263,6 +21516,9 @@ catalog:
                       value: PE-03b.
                       class: sp800-53a
                   prose: 'physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};'
+                  links:
+                    - href: '#pe-3_smt.b'
+                      rel: assessment-for
                 - id: pe-3_obj.c
                   name: assessment-objective
                   props:
@@ -19270,6 +21526,9 @@ catalog:
                       value: PE-03c.
                       class: sp800-53a
                   prose: 'access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};'
+                  links:
+                    - href: '#pe-3_smt.c'
+                      rel: assessment-for
                 - id: pe-3_obj.d
                   name: assessment-objective
                   props:
@@ -19284,6 +21543,9 @@ catalog:
                           value: PE-03d.[01]
                           class: sp800-53a
                       prose: visitors are escorted;
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
                     - id: pe-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -19291,6 +21553,12 @@ catalog:
                           value: PE-03d.[02]
                           class: sp800-53a
                       prose: 'visitor activity is controlled {{ insert: param, pe-03_odp.06 }};'
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.d'
+                      rel: assessment-for
                 - id: pe-3_obj.e
                   name: assessment-objective
                   props:
@@ -19305,6 +21573,9 @@ catalog:
                           value: PE-03e.[01]
                           class: sp800-53a
                       prose: keys are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-2
                       name: assessment-objective
                       props:
@@ -19312,6 +21583,9 @@ catalog:
                           value: PE-03e.[02]
                           class: sp800-53a
                       prose: combinations are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-3
                       name: assessment-objective
                       props:
@@ -19319,6 +21593,12 @@ catalog:
                           value: PE-03e.[03]
                           class: sp800-53a
                       prose: other physical access devices are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.e'
+                      rel: assessment-for
                 - id: pe-3_obj.f
                   name: assessment-objective
                   props:
@@ -19326,6 +21606,9 @@ catalog:
                       value: PE-03f.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};'
+                  links:
+                    - href: '#pe-3_smt.f'
+                      rel: assessment-for
                 - id: pe-3_obj.g
                   name: assessment-objective
                   props:
@@ -19340,6 +21623,9 @@ catalog:
                           value: PE-03g.[01]
                           class: sp800-53a
                       prose: 'combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
                     - id: pe-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -19347,6 +21633,15 @@ catalog:
                           value: PE-03g.[02]
                           class: sp800-53a
                       prose: 'keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#pe-3_smt'
+                  rel: assessment-for
             - id: pe-3_asm-examine
               name: assessment-method
               props:
@@ -19509,6 +21804,9 @@ catalog:
                       value: PE-06a.
                       class: sp800-53a
                   prose: physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
+                  links:
+                    - href: '#pe-6_smt.a'
+                      rel: assessment-for
                 - id: pe-6_obj.b
                   name: assessment-objective
                   props:
@@ -19523,6 +21821,9 @@ catalog:
                           value: PE-06b.[01]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
                     - id: pe-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -19530,6 +21831,12 @@ catalog:
                           value: PE-06b.[02]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.b'
+                      rel: assessment-for
                 - id: pe-6_obj.c
                   name: assessment-objective
                   props:
@@ -19544,6 +21851,9 @@ catalog:
                           value: PE-06c.[01]
                           class: sp800-53a
                       prose: results of reviews are coordinated with organizational incident response capabilities;
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
                     - id: pe-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -19551,6 +21861,15 @@ catalog:
                           value: PE-06c.[02]
                           class: sp800-53a
                       prose: results of investigations are coordinated with organizational incident response capabilities.
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-6_smt'
+                  rel: assessment-for
             - id: pe-6_asm-examine
               name: assessment-method
               props:
@@ -19704,6 +22023,9 @@ catalog:
                       value: PE-08a.
                       class: sp800-53a
                   prose: 'visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};'
+                  links:
+                    - href: '#pe-8_smt.a'
+                      rel: assessment-for
                 - id: pe-8_obj.b
                   name: assessment-objective
                   props:
@@ -19711,6 +22033,9 @@ catalog:
                       value: PE-08b.
                       class: sp800-53a
                   prose: 'visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};'
+                  links:
+                    - href: '#pe-8_smt.b'
+                      rel: assessment-for
                 - id: pe-8_obj.c
                   name: assessment-objective
                   props:
@@ -19718,6 +22043,12 @@ catalog:
                       value: PE-08c.
                       class: sp800-53a
                   prose: 'visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.'
+                  links:
+                    - href: '#pe-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-8_smt'
+                  rel: assessment-for
             - id: pe-8_asm-examine
               name: assessment-method
               props:
@@ -19817,6 +22148,9 @@ catalog:
                       value: PE-12[01]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-2
                   name: assessment-objective
                   props:
@@ -19824,6 +22158,9 @@ catalog:
                       value: PE-12[02]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-3
                   name: assessment-objective
                   props:
@@ -19831,6 +22168,9 @@ catalog:
                       value: PE-12[03]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers emergency exits within the facility;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-4
                   name: assessment-objective
                   props:
@@ -19838,6 +22178,12 @@ catalog:
                       value: PE-12[04]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers evacuation routes within the facility.
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-12_smt'
+                  rel: assessment-for
             - id: pe-12_asm-examine
               name: assessment-method
               props:
@@ -19928,6 +22274,9 @@ catalog:
                       value: PE-13[01]
                       class: sp800-53a
                   prose: fire detection systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-2
                   name: assessment-objective
                   props:
@@ -19935,6 +22284,9 @@ catalog:
                       value: PE-13[02]
                       class: sp800-53a
                   prose: employed fire detection systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-3
                   name: assessment-objective
                   props:
@@ -19942,6 +22294,9 @@ catalog:
                       value: PE-13[03]
                       class: sp800-53a
                   prose: employed fire detection systems are maintained;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-4
                   name: assessment-objective
                   props:
@@ -19949,6 +22304,9 @@ catalog:
                       value: PE-13[04]
                       class: sp800-53a
                   prose: fire suppression systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-5
                   name: assessment-objective
                   props:
@@ -19956,6 +22314,9 @@ catalog:
                       value: PE-13[05]
                       class: sp800-53a
                   prose: employed fire suppression systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-6
                   name: assessment-objective
                   props:
@@ -19963,6 +22324,12 @@ catalog:
                       value: PE-13[06]
                       class: sp800-53a
                   prose: employed fire suppression systems are maintained.
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-13_smt'
+                  rel: assessment-for
             - id: pe-13_asm-examine
               name: assessment-method
               props:
@@ -20113,6 +22480,9 @@ catalog:
                       value: PE-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;'
+                  links:
+                    - href: '#pe-14_smt.a'
+                      rel: assessment-for
                 - id: pe-14_obj.b
                   name: assessment-objective
                   props:
@@ -20120,6 +22490,12 @@ catalog:
                       value: PE-14b.
                       class: sp800-53a
                   prose: 'environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.'
+                  links:
+                    - href: '#pe-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-14_smt'
+                  rel: assessment-for
             - id: pe-14_asm-examine
               name: assessment-method
               props:
@@ -20214,6 +22590,9 @@ catalog:
                       value: PE-15[01]
                       class: sp800-53a
                   prose: the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-2
                   name: assessment-objective
                   props:
@@ -20221,6 +22600,9 @@ catalog:
                       value: PE-15[02]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are accessible;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-3
                   name: assessment-objective
                   props:
@@ -20228,6 +22610,9 @@ catalog:
                       value: PE-15[03]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are working properly;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-4
                   name: assessment-objective
                   props:
@@ -20235,6 +22620,12 @@ catalog:
                       value: PE-15[04]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are known to key personnel.
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-15_smt'
+                  rel: assessment-for
             - id: pe-15_asm-examine
               name: assessment-method
               props:
@@ -20393,6 +22784,9 @@ catalog:
                           value: PE-16a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-2
                       name: assessment-objective
                       props:
@@ -20400,6 +22794,9 @@ catalog:
                           value: PE-16a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-3
                       name: assessment-objective
                       props:
@@ -20407,6 +22804,9 @@ catalog:
                           value: PE-16a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-4
                       name: assessment-objective
                       props:
@@ -20414,6 +22814,12 @@ catalog:
                           value: PE-16a.[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-16_smt.a'
+                      rel: assessment-for
                 - id: pe-16_obj.b
                   name: assessment-objective
                   props:
@@ -20421,6 +22827,12 @@ catalog:
                       value: PE-16b.
                       class: sp800-53a
                   prose: records of the system components are maintained.
+                  links:
+                    - href: '#pe-16_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-16_smt'
+                  rel: assessment-for
             - id: pe-16_asm-examine
               name: assessment-method
               props:
@@ -20688,6 +23100,9 @@ catalog:
                           value: PL-01a.[01]
                           class: sp800-53a
                       prose: a planning policy is developed and documented.
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -20695,6 +23110,9 @@ catalog:
                           value: PL-01a.[02]
                           class: sp800-53a
                       prose: 'the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -20702,6 +23120,9 @@ catalog:
                           value: PL-01a.[03]
                           class: sp800-53a
                       prose: planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -20709,6 +23130,9 @@ catalog:
                           value: PL-01a.[04]
                           class: sp800-53a
                       prose: 'the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -20730,6 +23154,9 @@ catalog:
                                   value: PL-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -20737,6 +23164,9 @@ catalog:
                                   value: PL-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -20744,6 +23174,9 @@ catalog:
                                   value: PL-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -20751,6 +23184,9 @@ catalog:
                                   value: PL-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -20758,6 +23194,9 @@ catalog:
                                   value: PL-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -20765,6 +23204,9 @@ catalog:
                                   value: PL-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -20772,6 +23214,12 @@ catalog:
                                   value: PL-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pl-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pl-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -20779,6 +23227,15 @@ catalog:
                               value: PL-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pl-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.a'
+                      rel: assessment-for
                 - id: pl-1_obj.b
                   name: assessment-objective
                   props:
@@ -20786,6 +23243,9 @@ catalog:
                       value: PL-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;'
+                  links:
+                    - href: '#pl-1_smt.b'
+                      rel: assessment-for
                 - id: pl-1_obj.c
                   name: assessment-objective
                   props:
@@ -20807,6 +23267,9 @@ catalog:
                               value: PL-01c.01[01]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
                         - id: pl-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -20814,6 +23277,12 @@ catalog:
                               value: PL-01c.01[02]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.1'
+                          rel: assessment-for
                     - id: pl-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -20828,6 +23297,9 @@ catalog:
                               value: PL-01c.02[01]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
                         - id: pl-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -20835,6 +23307,18 @@ catalog:
                               value: PL-01c.02[02]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-1_smt'
+                  rel: assessment-for
             - id: pl-1_asm-examine
               name: assessment-method
               props:
@@ -21165,6 +23649,9 @@ catalog:
                               value: PL-02a.01[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
                         - id: pl-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -21172,6 +23659,12 @@ catalog:
                               value: PL-02a.01[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.1'
+                          rel: assessment-for
                     - id: pl-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -21186,6 +23679,9 @@ catalog:
                               value: PL-02a.02[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
                         - id: pl-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -21193,6 +23689,12 @@ catalog:
                               value: PL-02a.02[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.2'
+                          rel: assessment-for
                     - id: pl-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -21207,6 +23709,9 @@ catalog:
                               value: PL-02a.03[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
                         - id: pl-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -21214,6 +23719,12 @@ catalog:
                               value: PL-02a.03[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.3'
+                          rel: assessment-for
                     - id: pl-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -21228,6 +23739,9 @@ catalog:
                               value: PL-02a.04[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
                         - id: pl-2_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -21235,6 +23749,12 @@ catalog:
                               value: PL-02a.04[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.4'
+                          rel: assessment-for
                     - id: pl-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -21249,6 +23769,9 @@ catalog:
                               value: PL-02a.05[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
                         - id: pl-2_obj.a.5-2
                           name: assessment-objective
                           props:
@@ -21256,6 +23779,12 @@ catalog:
                               value: PL-02a.05[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.5'
+                          rel: assessment-for
                     - id: pl-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -21270,6 +23799,9 @@ catalog:
                               value: PL-02a.06[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
                         - id: pl-2_obj.a.6-2
                           name: assessment-objective
                           props:
@@ -21277,6 +23809,12 @@ catalog:
                               value: PL-02a.06[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.6'
+                          rel: assessment-for
                     - id: pl-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -21291,6 +23829,9 @@ catalog:
                               value: PL-02a.07[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
                         - id: pl-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -21298,6 +23839,12 @@ catalog:
                               value: PL-02a.07[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.7'
+                          rel: assessment-for
                     - id: pl-2_obj.a.8
                       name: assessment-objective
                       props:
@@ -21312,6 +23859,9 @@ catalog:
                               value: PL-02a.08[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
                         - id: pl-2_obj.a.8-2
                           name: assessment-objective
                           props:
@@ -21319,6 +23869,12 @@ catalog:
                               value: PL-02a.08[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.8'
+                          rel: assessment-for
                     - id: pl-2_obj.a.9
                       name: assessment-objective
                       props:
@@ -21333,6 +23889,9 @@ catalog:
                               value: PL-02a.09[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
                         - id: pl-2_obj.a.9-2
                           name: assessment-objective
                           props:
@@ -21340,6 +23899,12 @@ catalog:
                               value: PL-02a.09[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.9'
+                          rel: assessment-for
                     - id: pl-2_obj.a.10
                       name: assessment-objective
                       props:
@@ -21354,6 +23919,9 @@ catalog:
                               value: PL-02a.10[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides an overview of the security requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
                         - id: pl-2_obj.a.10-2
                           name: assessment-objective
                           props:
@@ -21361,6 +23929,12 @@ catalog:
                               value: PL-02a.10[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.10'
+                          rel: assessment-for
                     - id: pl-2_obj.a.11
                       name: assessment-objective
                       props:
@@ -21375,6 +23949,9 @@ catalog:
                               value: PL-02a.11[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
                         - id: pl-2_obj.a.11-2
                           name: assessment-objective
                           props:
@@ -21382,6 +23959,12 @@ catalog:
                               value: PL-02a.11[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.11'
+                          rel: assessment-for
                     - id: pl-2_obj.a.12
                       name: assessment-objective
                       props:
@@ -21396,6 +23979,9 @@ catalog:
                               value: PL-02a.12[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
                         - id: pl-2_obj.a.12-2
                           name: assessment-objective
                           props:
@@ -21403,6 +23989,12 @@ catalog:
                               value: PL-02a.12[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.12'
+                          rel: assessment-for
                     - id: pl-2_obj.a.13
                       name: assessment-objective
                       props:
@@ -21417,6 +24009,9 @@ catalog:
                               value: PL-02a.13[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
                         - id: pl-2_obj.a.13-2
                           name: assessment-objective
                           props:
@@ -21424,6 +24019,12 @@ catalog:
                               value: PL-02a.13[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.13'
+                          rel: assessment-for
                     - id: pl-2_obj.a.14
                       name: assessment-objective
                       props:
@@ -21438,6 +24039,9 @@ catalog:
                               value: PL-02a.14[01]
                               class: sp800-53a
                           prose: 'a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
                         - id: pl-2_obj.a.14-2
                           name: assessment-objective
                           props:
@@ -21445,6 +24049,12 @@ catalog:
                               value: PL-02a.14[02]
                               class: sp800-53a
                           prose: 'a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.14'
+                          rel: assessment-for
                     - id: pl-2_obj.a.15
                       name: assessment-objective
                       props:
@@ -21459,6 +24069,9 @@ catalog:
                               value: PL-02a.15[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
                         - id: pl-2_obj.a.15-2
                           name: assessment-objective
                           props:
@@ -21466,6 +24079,15 @@ catalog:
                               value: PL-02a.15[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.15'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.a'
+                      rel: assessment-for
                 - id: pl-2_obj.b
                   name: assessment-objective
                   props:
@@ -21480,6 +24102,9 @@ catalog:
                           value: PL-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
                     - id: pl-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -21487,6 +24112,12 @@ catalog:
                           value: PL-02b.[02]
                           class: sp800-53a
                       prose: 'subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.b'
+                      rel: assessment-for
                 - id: pl-2_obj.c
                   name: assessment-objective
                   props:
@@ -21494,6 +24125,9 @@ catalog:
                       value: PL-02c.
                       class: sp800-53a
                   prose: 'plans are reviewed {{ insert: param, pl-02_odp.03 }};'
+                  links:
+                    - href: '#pl-2_smt.c'
+                      rel: assessment-for
                 - id: pl-2_obj.d
                   name: assessment-objective
                   props:
@@ -21508,6 +24142,9 @@ catalog:
                           value: PL-02d.[01]
                           class: sp800-53a
                       prose: plans are updated to address changes to the system and environment of operations;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -21515,6 +24152,9 @@ catalog:
                           value: PL-02d.[02]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during the plan implementation;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-3
                       name: assessment-objective
                       props:
@@ -21522,6 +24162,12 @@ catalog:
                           value: PL-02d.[03]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during control assessments;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.d'
+                      rel: assessment-for
                 - id: pl-2_obj.e
                   name: assessment-objective
                   props:
@@ -21536,6 +24182,9 @@ catalog:
                           value: PL-02e.[01]
                           class: sp800-53a
                       prose: plans are protected from unauthorized disclosure;
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
                     - id: pl-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -21543,6 +24192,15 @@ catalog:
                           value: PL-02e.[02]
                           class: sp800-53a
                       prose: plans are protected from unauthorized modification.
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pl-2_smt'
+                  rel: assessment-for
             - id: pl-2_asm-examine
               name: assessment-method
               props:
@@ -21755,6 +24413,9 @@ catalog:
                           value: PL-04a.[01]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
                     - id: pl-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -21762,6 +24423,12 @@ catalog:
                           value: PL-04a.[02]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4_smt.a'
+                      rel: assessment-for
                 - id: pl-4_obj.b
                   name: assessment-objective
                   props:
@@ -21769,6 +24436,9 @@ catalog:
                       value: PL-04b.
                       class: sp800-53a
                   prose: before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+                  links:
+                    - href: '#pl-4_smt.b'
+                      rel: assessment-for
                 - id: pl-4_obj.c
                   name: assessment-objective
                   props:
@@ -21776,6 +24446,9 @@ catalog:
                       value: PL-04c.
                       class: sp800-53a
                   prose: 'rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};'
+                  links:
+                    - href: '#pl-4_smt.c'
+                      rel: assessment-for
                 - id: pl-4_obj.d
                   name: assessment-objective
                   props:
@@ -21783,6 +24456,12 @@ catalog:
                       value: PL-04d.
                       class: sp800-53a
                   prose: 'individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.'
+                  links:
+                    - href: '#pl-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pl-4_smt'
+                  rel: assessment-for
             - id: pl-4_asm-examine
               name: assessment-method
               props:
@@ -21905,6 +24584,9 @@ catalog:
                           value: PL-04(01)(a)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+                      links:
+                        - href: '#pl-4.1_smt.a'
+                          rel: assessment-for
                     - id: pl-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -21912,6 +24594,9 @@ catalog:
                           value: PL-04(01)(b)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on posting organizational information on public websites;
+                      links:
+                        - href: '#pl-4.1_smt.b'
+                          rel: assessment-for
                     - id: pl-4.1_obj.c
                       name: assessment-objective
                       props:
@@ -21919,6 +24604,12 @@ catalog:
                           value: PL-04(01)(c)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+                      links:
+                        - href: '#pl-4.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4.1_smt'
+                      rel: assessment-for
                 - id: pl-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -22033,6 +24724,9 @@ catalog:
                   value: PL-10
                   class: sp800-53a
               prose: a control baseline for the system is selected.
+              links:
+                - href: '#pl-10_smt'
+                  rel: assessment-for
             - id: pl-10_asm-examine
               name: assessment-method
               props:
@@ -22158,6 +24852,9 @@ catalog:
                   value: PL-11
                   class: sp800-53a
               prose: the selected control baseline is tailored by applying specified tailoring actions.
+              links:
+                - href: '#pl-11_smt'
+                  rel: assessment-for
             - id: pl-11_asm-examine
               name: assessment-method
               props:
@@ -22432,6 +25129,9 @@ catalog:
                           value: PS-01a.[01]
                           class: sp800-53a
                       prose: a personnel security policy is developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -22439,6 +25139,9 @@ catalog:
                           value: PS-01a.[02]
                           class: sp800-53a
                       prose: 'the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -22446,6 +25149,9 @@ catalog:
                           value: PS-01a.[03]
                           class: sp800-53a
                       prose: personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -22453,6 +25159,9 @@ catalog:
                           value: PS-01a.[04]
                           class: sp800-53a
                       prose: 'the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -22474,6 +25183,9 @@ catalog:
                                   value: PS-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -22481,6 +25193,9 @@ catalog:
                                   value: PS-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -22488,6 +25203,9 @@ catalog:
                                   value: PS-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -22495,6 +25213,9 @@ catalog:
                                   value: PS-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -22502,6 +25223,9 @@ catalog:
                                   value: PS-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -22509,6 +25233,9 @@ catalog:
                                   value: PS-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -22516,6 +25243,12 @@ catalog:
                                   value: PS-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ps-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ps-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -22523,6 +25256,15 @@ catalog:
                               value: PS-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ps-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.a'
+                      rel: assessment-for
                 - id: ps-1_obj.b
                   name: assessment-objective
                   props:
@@ -22530,6 +25272,9 @@ catalog:
                       value: PS-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;'
+                  links:
+                    - href: '#ps-1_smt.b'
+                      rel: assessment-for
                 - id: ps-1_obj.c
                   name: assessment-objective
                   props:
@@ -22551,6 +25296,9 @@ catalog:
                               value: PS-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
                         - id: ps-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -22558,6 +25306,12 @@ catalog:
                               value: PS-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.1'
+                          rel: assessment-for
                     - id: ps-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -22572,6 +25326,9 @@ catalog:
                               value: PS-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
                         - id: ps-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -22579,6 +25336,18 @@ catalog:
                               value: PS-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-1_smt'
+                  rel: assessment-for
             - id: ps-1_asm-examine
               name: assessment-method
               props:
@@ -22708,6 +25477,9 @@ catalog:
                       value: PS-02a.
                       class: sp800-53a
                   prose: a risk designation is assigned to all organizational positions;
+                  links:
+                    - href: '#ps-2_smt.a'
+                      rel: assessment-for
                 - id: ps-2_obj.b
                   name: assessment-objective
                   props:
@@ -22715,6 +25487,9 @@ catalog:
                       value: PS-02b.
                       class: sp800-53a
                   prose: screening criteria are established for individuals filling organizational positions;
+                  links:
+                    - href: '#ps-2_smt.b'
+                      rel: assessment-for
                 - id: ps-2_obj.c
                   name: assessment-objective
                   props:
@@ -22722,6 +25497,12 @@ catalog:
                       value: PS-02c.
                       class: sp800-53a
                   prose: 'position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.'
+                  links:
+                    - href: '#ps-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-2_smt'
+                  rel: assessment-for
             - id: ps-2_asm-examine
               name: assessment-method
               props:
@@ -22887,6 +25668,9 @@ catalog:
                       value: PS-03a.
                       class: sp800-53a
                   prose: individuals are screened prior to authorizing access to the system;
+                  links:
+                    - href: '#ps-3_smt.a'
+                      rel: assessment-for
                 - id: ps-3_obj.b
                   name: assessment-objective
                   props:
@@ -22901,6 +25685,9 @@ catalog:
                           value: PS-03b.[01]
                           class: sp800-53a
                       prose: 'individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
                     - id: ps-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -22908,6 +25695,15 @@ catalog:
                           value: PS-03b.[02]
                           class: sp800-53a
                       prose: 'where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-3_smt'
+                  rel: assessment-for
             - id: ps-3_asm-examine
               name: assessment-method
               props:
@@ -23056,6 +25852,9 @@ catalog:
                       value: PS-04a.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};'
+                  links:
+                    - href: '#ps-4_smt.a'
+                      rel: assessment-for
                 - id: ps-4_obj.b
                   name: assessment-objective
                   props:
@@ -23063,6 +25862,9 @@ catalog:
                       value: PS-04b.
                       class: sp800-53a
                   prose: upon termination of individual employment, any authenticators and credentials are terminated or revoked;
+                  links:
+                    - href: '#ps-4_smt.b'
+                      rel: assessment-for
                 - id: ps-4_obj.c
                   name: assessment-objective
                   props:
@@ -23070,6 +25872,9 @@ catalog:
                       value: PS-04c.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;'
+                  links:
+                    - href: '#ps-4_smt.c'
+                      rel: assessment-for
                 - id: ps-4_obj.d
                   name: assessment-objective
                   props:
@@ -23077,6 +25882,9 @@ catalog:
                       value: PS-04d.
                       class: sp800-53a
                   prose: upon termination of individual employment, all security-related organizational system-related property is retrieved;
+                  links:
+                    - href: '#ps-4_smt.d'
+                      rel: assessment-for
                 - id: ps-4_obj.e
                   name: assessment-objective
                   props:
@@ -23084,6 +25892,12 @@ catalog:
                       value: PS-04e.
                       class: sp800-53a
                   prose: upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.
+                  links:
+                    - href: '#ps-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-4_smt'
+                  rel: assessment-for
             - id: ps-4_asm-examine
               name: assessment-method
               props:
@@ -23260,6 +26074,9 @@ catalog:
                       value: PS-05a.
                       class: sp800-53a
                   prose: the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;
+                  links:
+                    - href: '#ps-5_smt.a'
+                      rel: assessment-for
                 - id: ps-5_obj.b
                   name: assessment-objective
                   props:
@@ -23267,6 +26084,9 @@ catalog:
                       value: PS-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};'
+                  links:
+                    - href: '#ps-5_smt.b'
+                      rel: assessment-for
                 - id: ps-5_obj.c
                   name: assessment-objective
                   props:
@@ -23274,6 +26094,9 @@ catalog:
                       value: PS-05c.
                       class: sp800-53a
                   prose: access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;
+                  links:
+                    - href: '#ps-5_smt.c'
+                      rel: assessment-for
                 - id: ps-5_obj.d
                   name: assessment-objective
                   props:
@@ -23281,6 +26104,12 @@ catalog:
                       value: PS-05d.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.'
+                  links:
+                    - href: '#ps-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ps-5_smt'
+                  rel: assessment-for
             - id: ps-5_asm-examine
               name: assessment-method
               props:
@@ -23451,6 +26280,9 @@ catalog:
                       value: PS-06a.
                       class: sp800-53a
                   prose: access agreements are developed and documented for organizational systems;
+                  links:
+                    - href: '#ps-6_smt.a'
+                      rel: assessment-for
                 - id: ps-6_obj.b
                   name: assessment-objective
                   props:
@@ -23458,6 +26290,9 @@ catalog:
                       value: PS-06b.
                       class: sp800-53a
                   prose: 'the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};'
+                  links:
+                    - href: '#ps-6_smt.b'
+                      rel: assessment-for
                 - id: ps-6_obj.c
                   name: assessment-objective
                   props:
@@ -23472,6 +26307,9 @@ catalog:
                           value: PS-06c.01
                           class: sp800-53a
                       prose: individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+                      links:
+                        - href: '#ps-6_smt.c.1'
+                          rel: assessment-for
                     - id: ps-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -23479,6 +26317,15 @@ catalog:
                           value: PS-06c.02
                           class: sp800-53a
                       prose: 'individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.'
+                      links:
+                        - href: '#ps-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-6_smt'
+                  rel: assessment-for
             - id: ps-6_asm-examine
               name: assessment-method
               props:
@@ -23660,6 +26507,9 @@ catalog:
                       value: PS-07a.
                       class: sp800-53a
                   prose: personnel security requirements are established, including security roles and responsibilities for external providers;
+                  links:
+                    - href: '#ps-7_smt.a'
+                      rel: assessment-for
                 - id: ps-7_obj.b
                   name: assessment-objective
                   props:
@@ -23667,6 +26517,9 @@ catalog:
                       value: PS-07b.
                       class: sp800-53a
                   prose: external providers are required to comply with personnel security policies and procedures established by the organization;
+                  links:
+                    - href: '#ps-7_smt.b'
+                      rel: assessment-for
                 - id: ps-7_obj.c
                   name: assessment-objective
                   props:
@@ -23674,6 +26527,9 @@ catalog:
                       value: PS-07c.
                       class: sp800-53a
                   prose: personnel security requirements are documented;
+                  links:
+                    - href: '#ps-7_smt.c'
+                      rel: assessment-for
                 - id: ps-7_obj.d
                   name: assessment-objective
                   props:
@@ -23681,6 +26537,9 @@ catalog:
                       value: PS-07d.
                       class: sp800-53a
                   prose: 'external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};'
+                  links:
+                    - href: '#ps-7_smt.d'
+                      rel: assessment-for
                 - id: ps-7_obj.e
                   name: assessment-objective
                   props:
@@ -23688,6 +26547,12 @@ catalog:
                       value: PS-07e.
                       class: sp800-53a
                   prose: provider compliance with personnel security requirements is monitored.
+                  links:
+                    - href: '#ps-7_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-7_smt'
+                  rel: assessment-for
             - id: ps-7_asm-examine
               name: assessment-method
               props:
@@ -23828,6 +26693,9 @@ catalog:
                       value: PS-08a.
                       class: sp800-53a
                   prose: a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;
+                  links:
+                    - href: '#ps-8_smt.a'
+                      rel: assessment-for
                 - id: ps-8_obj.b
                   name: assessment-objective
                   props:
@@ -23835,6 +26703,12 @@ catalog:
                       value: PS-08b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.'
+                  links:
+                    - href: '#ps-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-8_smt'
+                  rel: assessment-for
             - id: ps-8_asm-examine
               name: assessment-method
               props:
@@ -23936,6 +26810,9 @@ catalog:
                       value: PS-09[01]
                       class: sp800-53a
                   prose: security roles and responsibilities are incorporated into organizational position descriptions;
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
                 - id: ps-9_obj-2
                   name: assessment-objective
                   props:
@@ -23943,6 +26820,12 @@ catalog:
                       value: PS-09[02]
                       class: sp800-53a
                   prose: privacy roles and responsibilities are incorporated into organizational position descriptions.
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ps-9_smt'
+                  rel: assessment-for
             - id: ps-9_asm-examine
               name: assessment-method
               props:
@@ -24211,6 +27094,9 @@ catalog:
                           value: RA-01a.[01]
                           class: sp800-53a
                       prose: a risk assessment policy is developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -24218,6 +27104,9 @@ catalog:
                           value: RA-01a.[02]
                           class: sp800-53a
                       prose: 'the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -24225,6 +27114,9 @@ catalog:
                           value: RA-01a.[03]
                           class: sp800-53a
                       prose: risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -24232,6 +27124,9 @@ catalog:
                           value: RA-01a.[04]
                           class: sp800-53a
                       prose: 'the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -24253,6 +27148,9 @@ catalog:
                                   value: RA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -24260,6 +27158,9 @@ catalog:
                                   value: RA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -24267,6 +27168,9 @@ catalog:
                                   value: RA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -24274,6 +27178,9 @@ catalog:
                                   value: RA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -24281,6 +27188,9 @@ catalog:
                                   value: RA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -24288,6 +27198,9 @@ catalog:
                                   value: RA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -24295,6 +27208,12 @@ catalog:
                                   value: RA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ra-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ra-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -24302,6 +27221,15 @@ catalog:
                               value: RA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ra-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.a'
+                      rel: assessment-for
                 - id: ra-1_obj.b
                   name: assessment-objective
                   props:
@@ -24309,6 +27237,9 @@ catalog:
                       value: RA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;'
+                  links:
+                    - href: '#ra-1_smt.b'
+                      rel: assessment-for
                 - id: ra-1_obj.c
                   name: assessment-objective
                   props:
@@ -24330,6 +27261,9 @@ catalog:
                               value: RA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
                         - id: ra-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -24337,6 +27271,12 @@ catalog:
                               value: RA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.1'
+                          rel: assessment-for
                     - id: ra-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -24351,6 +27291,9 @@ catalog:
                               value: RA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
                         - id: ra-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -24358,6 +27301,18 @@ catalog:
                               value: RA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-1_smt'
+                  rel: assessment-for
             - id: ra-1_asm-examine
               name: assessment-method
               props:
@@ -24499,6 +27454,9 @@ catalog:
                       value: RA-02a.
                       class: sp800-53a
                   prose: the system and the information it processes, stores, and transmits are categorized;
+                  links:
+                    - href: '#ra-2_smt.a'
+                      rel: assessment-for
                 - id: ra-2_obj.b
                   name: assessment-objective
                   props:
@@ -24506,6 +27464,9 @@ catalog:
                       value: RA-02b.
                       class: sp800-53a
                   prose: the security categorization results, including supporting rationale, are documented in the security plan for the system;
+                  links:
+                    - href: '#ra-2_smt.b'
+                      rel: assessment-for
                 - id: ra-2_obj.c
                   name: assessment-objective
                   props:
@@ -24513,6 +27474,12 @@ catalog:
                       value: RA-02c.
                       class: sp800-53a
                   prose: the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
+                  links:
+                    - href: '#ra-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-2_smt'
+                  rel: assessment-for
             - id: ra-2_asm-examine
               name: assessment-method
               props:
@@ -24790,6 +27757,9 @@ catalog:
                           value: RA-03a.01
                           class: sp800-53a
                       prose: a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+                      links:
+                        - href: '#ra-3_smt.a.1'
+                          rel: assessment-for
                     - id: ra-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -24797,6 +27767,9 @@ catalog:
                           value: RA-03a.02
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+                      links:
+                        - href: '#ra-3_smt.a.2'
+                          rel: assessment-for
                     - id: ra-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -24804,6 +27777,12 @@ catalog:
                           value: RA-03a.03
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+                      links:
+                        - href: '#ra-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3_smt.a'
+                      rel: assessment-for
                 - id: ra-3_obj.b
                   name: assessment-objective
                   props:
@@ -24811,6 +27790,9 @@ catalog:
                       value: RA-03b.
                       class: sp800-53a
                   prose: risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+                  links:
+                    - href: '#ra-3_smt.b'
+                      rel: assessment-for
                 - id: ra-3_obj.c
                   name: assessment-objective
                   props:
@@ -24818,6 +27800,9 @@ catalog:
                       value: RA-03c.
                       class: sp800-53a
                   prose: 'risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};'
+                  links:
+                    - href: '#ra-3_smt.c'
+                      rel: assessment-for
                 - id: ra-3_obj.d
                   name: assessment-objective
                   props:
@@ -24825,6 +27810,9 @@ catalog:
                       value: RA-03d.
                       class: sp800-53a
                   prose: 'risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};'
+                  links:
+                    - href: '#ra-3_smt.d'
+                      rel: assessment-for
                 - id: ra-3_obj.e
                   name: assessment-objective
                   props:
@@ -24832,6 +27820,9 @@ catalog:
                       value: RA-03e.
                       class: sp800-53a
                   prose: 'risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};'
+                  links:
+                    - href: '#ra-3_smt.e'
+                      rel: assessment-for
                 - id: ra-3_obj.f
                   name: assessment-objective
                   props:
@@ -24839,6 +27830,12 @@ catalog:
                       value: RA-03f.
                       class: sp800-53a
                   prose: 'the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.'
+                  links:
+                    - href: '#ra-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-3_smt'
+                  rel: assessment-for
             - id: ra-3_asm-examine
               name: assessment-method
               props:
@@ -24987,6 +27984,9 @@ catalog:
                           value: RA-03(01)(a)
                           class: sp800-53a
                       prose: 'supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;'
+                      links:
+                        - href: '#ra-3.1_smt.a'
+                          rel: assessment-for
                     - id: ra-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -24994,6 +27994,12 @@ catalog:
                           value: RA-03(01)(b)
                           class: sp800-53a
                       prose: 'the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.'
+                      links:
+                        - href: '#ra-3.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3.1_smt'
+                      rel: assessment-for
                 - id: ra-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -25269,6 +28275,9 @@ catalog:
                           value: RA-05a.[01]
                           class: sp800-53a
                       prose: 'systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
                     - id: ra-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -25276,6 +28285,12 @@ catalog:
                           value: RA-05a.[02]
                           class: sp800-53a
                       prose: 'systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.a'
+                      rel: assessment-for
                 - id: ra-5_obj.b
                   name: assessment-objective
                   props:
@@ -25291,6 +28306,9 @@ catalog:
                           value: RA-05b.01
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
+                      links:
+                        - href: '#ra-5_smt.b.1'
+                          rel: assessment-for
                     - id: ra-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -25298,6 +28316,9 @@ catalog:
                           value: RA-05b.02
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
+                      links:
+                        - href: '#ra-5_smt.b.2'
+                          rel: assessment-for
                     - id: ra-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -25305,6 +28326,12 @@ catalog:
                           value: RA-05b.03
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
+                      links:
+                        - href: '#ra-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.b'
+                      rel: assessment-for
                 - id: ra-5_obj.c
                   name: assessment-objective
                   props:
@@ -25312,6 +28339,9 @@ catalog:
                       value: RA-05c.
                       class: sp800-53a
                   prose: vulnerability scan reports and results from vulnerability monitoring are analyzed;
+                  links:
+                    - href: '#ra-5_smt.c'
+                      rel: assessment-for
                 - id: ra-5_obj.d
                   name: assessment-objective
                   props:
@@ -25319,6 +28349,9 @@ catalog:
                       value: RA-05d.
                       class: sp800-53a
                   prose: 'legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;'
+                  links:
+                    - href: '#ra-5_smt.d'
+                      rel: assessment-for
                 - id: ra-5_obj.e
                   name: assessment-objective
                   props:
@@ -25326,6 +28359,9 @@ catalog:
                       value: RA-05e.
                       class: sp800-53a
                   prose: 'information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;'
+                  links:
+                    - href: '#ra-5_smt.e'
+                      rel: assessment-for
                 - id: ra-5_obj.f
                   name: assessment-objective
                   props:
@@ -25333,6 +28369,12 @@ catalog:
                       value: RA-05f.
                       class: sp800-53a
                   prose: vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
+                  links:
+                    - href: '#ra-5_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-5_smt'
+                  rel: assessment-for
             - id: ra-5_asm-examine
               name: assessment-method
               props:
@@ -25459,6 +28501,9 @@ catalog:
                       value: RA-05(02)
                       class: sp800-53a
                   prose: 'the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.'
+                  links:
+                    - href: '#ra-5.2_smt'
+                      rel: assessment-for
                 - id: ra-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -25552,6 +28597,9 @@ catalog:
                       value: RA-05(11)
                       class: sp800-53a
                   prose: a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
+                  links:
+                    - href: '#ra-5.11_smt'
+                      rel: assessment-for
                 - id: ra-5.11_asm-examine
                   name: assessment-method
                   props:
@@ -25682,6 +28730,9 @@ catalog:
                       value: RA-07[01]
                       class: sp800-53a
                   prose: findings from security assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-2
                   name: assessment-objective
                   props:
@@ -25689,6 +28740,9 @@ catalog:
                       value: RA-07[02]
                       class: sp800-53a
                   prose: findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-3
                   name: assessment-objective
                   props:
@@ -25696,6 +28750,9 @@ catalog:
                       value: RA-07[03]
                       class: sp800-53a
                   prose: findings from monitoring are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-4
                   name: assessment-objective
                   props:
@@ -25703,6 +28760,12 @@ catalog:
                       value: RA-07[04]
                       class: sp800-53a
                   prose: findings from audits are responded to in accordance with organizational risk tolerance.
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ra-7_smt'
+                  rel: assessment-for
             - id: ra-7_asm-examine
               name: assessment-method
               props:
@@ -25974,6 +29037,9 @@ catalog:
                           value: SA-01a.[01]
                           class: sp800-53a
                       prose: a system and services acquisition policy is developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -25981,6 +29047,9 @@ catalog:
                           value: SA-01a.[02]
                           class: sp800-53a
                       prose: 'the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -25988,6 +29057,9 @@ catalog:
                           value: SA-01a.[03]
                           class: sp800-53a
                       prose: system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -25995,6 +29067,9 @@ catalog:
                           value: SA-01a.[04]
                           class: sp800-53a
                       prose: 'the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -26016,6 +29091,9 @@ catalog:
                                   value: SA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -26023,6 +29101,9 @@ catalog:
                                   value: SA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -26030,6 +29111,9 @@ catalog:
                                   value: SA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -26037,6 +29121,9 @@ catalog:
                                   value: SA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -26044,6 +29131,9 @@ catalog:
                                   value: SA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -26051,6 +29141,9 @@ catalog:
                                   value: SA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -26058,6 +29151,12 @@ catalog:
                                   value: SA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sa-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sa-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -26065,6 +29164,15 @@ catalog:
                               value: SA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sa-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.a'
+                      rel: assessment-for
                 - id: sa-1_obj.b
                   name: assessment-objective
                   props:
@@ -26072,6 +29180,9 @@ catalog:
                       value: SA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;'
+                  links:
+                    - href: '#sa-1_smt.b'
+                      rel: assessment-for
                 - id: sa-1_obj.c
                   name: assessment-objective
                   props:
@@ -26093,6 +29204,9 @@ catalog:
                               value: SA-01c.01[01]
                               class: sp800-53a
                           prose: 'the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
                         - id: sa-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -26100,6 +29214,12 @@ catalog:
                               value: SA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.1'
+                          rel: assessment-for
                     - id: sa-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -26114,6 +29234,9 @@ catalog:
                               value: SA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
                         - id: sa-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -26121,6 +29244,18 @@ catalog:
                               value: SA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-1_smt'
+                  rel: assessment-for
             - id: sa-1_asm-examine
               name: assessment-method
               props:
@@ -26247,6 +29382,9 @@ catalog:
                           value: SA-02a.[01]
                           class: sp800-53a
                       prose: the high-level information security requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
                     - id: sa-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -26254,6 +29392,12 @@ catalog:
                           value: SA-02a.[02]
                           class: sp800-53a
                       prose: the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.a'
+                      rel: assessment-for
                 - id: sa-2_obj.b
                   name: assessment-objective
                   props:
@@ -26268,6 +29412,9 @@ catalog:
                           value: SA-02b.[01]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
                     - id: sa-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -26275,6 +29422,12 @@ catalog:
                           value: SA-02b.[02]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.b'
+                      rel: assessment-for
                 - id: sa-2_obj.c
                   name: assessment-objective
                   props:
@@ -26289,6 +29442,9 @@ catalog:
                           value: SA-02c.[01]
                           class: sp800-53a
                       prose: a discrete line item for information security is established in organizational programming and budgeting documentation;
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
                     - id: sa-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -26296,6 +29452,15 @@ catalog:
                           value: SA-02c.[02]
                           class: sp800-53a
                       prose: a discrete line item for privacy is established in organizational programming and budgeting documentation.
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-2_smt'
+                  rel: assessment-for
             - id: sa-2_asm-examine
               name: assessment-method
               props:
@@ -26488,6 +29653,9 @@ catalog:
                           value: SA-03a.[01]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
                     - id: sa-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -26495,6 +29663,12 @@ catalog:
                           value: SA-03a.[02]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.a'
+                      rel: assessment-for
                 - id: sa-3_obj.b
                   name: assessment-objective
                   props:
@@ -26509,6 +29683,9 @@ catalog:
                           value: SA-03b.[01]
                           class: sp800-53a
                       prose: information security roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
                     - id: sa-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -26516,6 +29693,12 @@ catalog:
                           value: SA-03b.[02]
                           class: sp800-53a
                       prose: privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.b'
+                      rel: assessment-for
                 - id: sa-3_obj.c
                   name: assessment-objective
                   props:
@@ -26530,6 +29713,9 @@ catalog:
                           value: SA-03c.[01]
                           class: sp800-53a
                       prose: individuals with information security roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
                     - id: sa-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -26537,6 +29723,12 @@ catalog:
                           value: SA-03c.[02]
                           class: sp800-53a
                       prose: individuals with privacy roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.c'
+                      rel: assessment-for
                 - id: sa-3_obj.d
                   name: assessment-objective
                   props:
@@ -26551,6 +29743,9 @@ catalog:
                           value: SA-03d.[01]
                           class: sp800-53a
                       prose: organizational information security risk management processes are integrated into system development life cycle activities;
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
                     - id: sa-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -26558,6 +29753,15 @@ catalog:
                           value: SA-03d.[02]
                           class: sp800-53a
                       prose: organizational privacy risk management processes are integrated into system development life cycle activities.
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-3_smt'
+                  rel: assessment-for
             - id: sa-3_asm-examine
               name: assessment-method
               props:
@@ -26830,6 +30034,9 @@ catalog:
                           value: SA-04a.[01]
                           class: sp800-53a
                       prose: 'security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
                     - id: sa-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -26837,6 +30044,12 @@ catalog:
                           value: SA-04a.[02]
                           class: sp800-53a
                       prose: 'privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.a'
+                      rel: assessment-for
                 - id: sa-4_obj.b
                   name: assessment-objective
                   props:
@@ -26844,6 +30057,9 @@ catalog:
                       value: SA-04b.
                       class: sp800-53a
                   prose: 'strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.b'
+                      rel: assessment-for
                 - id: sa-4_obj.c
                   name: assessment-objective
                   props:
@@ -26858,6 +30074,9 @@ catalog:
                           value: SA-04c.[01]
                           class: sp800-53a
                       prose: 'security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
                     - id: sa-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -26865,6 +30084,12 @@ catalog:
                           value: SA-04c.[02]
                           class: sp800-53a
                       prose: 'privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.c'
+                      rel: assessment-for
                 - id: sa-4_obj.d
                   name: assessment-objective
                   props:
@@ -26879,6 +30104,9 @@ catalog:
                           value: SA-04d.[01]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
                     - id: sa-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -26886,6 +30114,12 @@ catalog:
                           value: SA-04d.[02]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.d'
+                      rel: assessment-for
                 - id: sa-4_obj.e
                   name: assessment-objective
                   props:
@@ -26900,6 +30134,9 @@ catalog:
                           value: SA-04e.[01]
                           class: sp800-53a
                       prose: 'security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
                     - id: sa-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -26907,6 +30144,12 @@ catalog:
                           value: SA-04e.[02]
                           class: sp800-53a
                       prose: 'privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.e'
+                      rel: assessment-for
                 - id: sa-4_obj.f
                   name: assessment-objective
                   props:
@@ -26921,6 +30164,9 @@ catalog:
                           value: SA-04f.[01]
                           class: sp800-53a
                       prose: 'requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
                     - id: sa-4_obj.f-2
                       name: assessment-objective
                       props:
@@ -26928,6 +30174,12 @@ catalog:
                           value: SA-04f.[02]
                           class: sp800-53a
                       prose: 'requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.f'
+                      rel: assessment-for
                 - id: sa-4_obj.g
                   name: assessment-objective
                   props:
@@ -26935,6 +30187,9 @@ catalog:
                       value: SA-04g.
                       class: sp800-53a
                   prose: 'the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.g'
+                      rel: assessment-for
                 - id: sa-4_obj.h
                   name: assessment-objective
                   props:
@@ -26949,6 +30204,9 @@ catalog:
                           value: SA-04h.[01]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-2
                       name: assessment-objective
                       props:
@@ -26956,6 +30214,9 @@ catalog:
                           value: SA-04h.[02]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-3
                       name: assessment-objective
                       props:
@@ -26963,6 +30224,12 @@ catalog:
                           value: SA-04h.[03]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.h'
+                      rel: assessment-for
                 - id: sa-4_obj.i
                   name: assessment-objective
                   props:
@@ -26970,6 +30237,12 @@ catalog:
                       value: SA-04i.
                       class: sp800-53a
                   prose: 'acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.'
+                  links:
+                    - href: '#sa-4_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#sa-4_smt'
+                  rel: assessment-for
             - id: sa-4_asm-examine
               name: assessment-method
               props:
@@ -27078,6 +30351,9 @@ catalog:
                       value: SA-04(10)
                       class: sp800-53a
                   prose: only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
+                  links:
+                    - href: '#sa-4.10_smt'
+                      rel: assessment-for
                 - id: sa-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -27316,6 +30592,9 @@ catalog:
                               value: SA-05a.01[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -27323,6 +30602,9 @@ catalog:
                               value: SA-05a.01[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -27330,6 +30612,12 @@ catalog:
                               value: SA-05a.01[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.1'
+                          rel: assessment-for
                     - id: sa-5_obj.a.2
                       name: assessment-objective
                       props:
@@ -27344,6 +30632,9 @@ catalog:
                               value: SA-05a.02[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -27351,6 +30642,9 @@ catalog:
                               value: SA-05a.02[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -27358,6 +30652,9 @@ catalog:
                               value: SA-05a.02[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-4
                           name: assessment-objective
                           props:
@@ -27365,6 +30662,12 @@ catalog:
                               value: SA-05a.02[04]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.2'
+                          rel: assessment-for
                     - id: sa-5_obj.a.3
                       name: assessment-objective
                       props:
@@ -27379,6 +30682,9 @@ catalog:
                               value: SA-05a.03[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
                         - id: sa-5_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -27386,6 +30692,15 @@ catalog:
                               value: SA-05a.03[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.a'
+                      rel: assessment-for
                 - id: sa-5_obj.b
                   name: assessment-objective
                   props:
@@ -27407,6 +30722,9 @@ catalog:
                               value: SA-05b.01[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-2
                           name: assessment-objective
                           props:
@@ -27414,6 +30732,9 @@ catalog:
                               value: SA-05b.01[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-3
                           name: assessment-objective
                           props:
@@ -27421,6 +30742,9 @@ catalog:
                               value: SA-05b.01[03]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-4
                           name: assessment-objective
                           props:
@@ -27428,6 +30752,12 @@ catalog:
                               value: SA-05b.01[04]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.1'
+                          rel: assessment-for
                     - id: sa-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -27442,6 +30772,9 @@ catalog:
                               value: SA-05b.02[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
                         - id: sa-5_obj.b.2-2
                           name: assessment-objective
                           props:
@@ -27449,6 +30782,12 @@ catalog:
                               value: SA-05b.02[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.2'
+                          rel: assessment-for
                     - id: sa-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -27463,6 +30802,9 @@ catalog:
                               value: SA-05b.03[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
                         - id: sa-5_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -27470,6 +30812,15 @@ catalog:
                               value: SA-05b.03[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.b'
+                      rel: assessment-for
                 - id: sa-5_obj.c
                   name: assessment-objective
                   props:
@@ -27484,6 +30835,9 @@ catalog:
                           value: SA-05c.[01]
                           class: sp800-53a
                       prose: attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
                     - id: sa-5_obj.c-2
                       name: assessment-objective
                       props:
@@ -27491,6 +30845,12 @@ catalog:
                           value: SA-05c.[02]
                           class: sp800-53a
                       prose: 'after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;'
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.c'
+                      rel: assessment-for
                 - id: sa-5_obj.d
                   name: assessment-objective
                   props:
@@ -27498,6 +30858,12 @@ catalog:
                       value: SA-05d.
                       class: sp800-53a
                   prose: 'documentation is distributed to {{ insert: param, sa-05_odp.02 }}.'
+                  links:
+                    - href: '#sa-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-5_smt'
+                  rel: assessment-for
             - id: sa-5_asm-examine
               name: assessment-method
               props:
@@ -27694,6 +31060,9 @@ catalog:
                       value: SA-08[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-2
                   name: assessment-objective
                   props:
@@ -27701,6 +31070,9 @@ catalog:
                       value: SA-08[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-3
                   name: assessment-objective
                   props:
@@ -27708,6 +31080,9 @@ catalog:
                       value: SA-08[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-4
                   name: assessment-objective
                   props:
@@ -27715,6 +31090,9 @@ catalog:
                       value: SA-08[04]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-5
                   name: assessment-objective
                   props:
@@ -27722,6 +31100,9 @@ catalog:
                       value: SA-08[05]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-6
                   name: assessment-objective
                   props:
@@ -27729,6 +31110,9 @@ catalog:
                       value: SA-08[06]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-7
                   name: assessment-objective
                   props:
@@ -27736,6 +31120,9 @@ catalog:
                       value: SA-08[07]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-8
                   name: assessment-objective
                   props:
@@ -27743,6 +31130,9 @@ catalog:
                       value: SA-08[08]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-9
                   name: assessment-objective
                   props:
@@ -27750,6 +31140,9 @@ catalog:
                       value: SA-08[09]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-10
                   name: assessment-objective
                   props:
@@ -27757,6 +31150,12 @@ catalog:
                       value: SA-08[10]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sa-8_smt'
+                  rel: assessment-for
             - id: sa-8_asm-examine
               name: assessment-method
               props:
@@ -27943,6 +31342,9 @@ catalog:
                           value: SA-09a.[01]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational security requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -27950,6 +31352,9 @@ catalog:
                           value: SA-09a.[02]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational privacy requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -27957,6 +31362,12 @@ catalog:
                           value: SA-09a.[03]
                           class: sp800-53a
                       prose: 'providers of external system services employ {{ insert: param, sa-09_odp.01 }};'
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.a'
+                      rel: assessment-for
                 - id: sa-9_obj.b
                   name: assessment-objective
                   props:
@@ -27971,6 +31382,9 @@ catalog:
                           value: SA-09b.[01]
                           class: sp800-53a
                       prose: organizational oversight with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
                     - id: sa-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -27978,6 +31392,12 @@ catalog:
                           value: SA-09b.[02]
                           class: sp800-53a
                       prose: user roles and responsibilities with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.b'
+                      rel: assessment-for
                 - id: sa-9_obj.c
                   name: assessment-objective
                   props:
@@ -27985,6 +31405,12 @@ catalog:
                       value: SA-09c.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.'
+                  links:
+                    - href: '#sa-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-9_smt'
+                  rel: assessment-for
             - id: sa-9_asm-examine
               name: assessment-method
               props:
@@ -28139,6 +31565,9 @@ catalog:
                       value: SA-22a.
                       class: sp800-53a
                   prose: system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
+                  links:
+                    - href: '#sa-22_smt.a'
+                      rel: assessment-for
                 - id: sa-22_obj.b
                   name: assessment-objective
                   props:
@@ -28146,6 +31575,12 @@ catalog:
                       value: SA-22b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.'
+                  links:
+                    - href: '#sa-22_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-22_smt'
+                  rel: assessment-for
             - id: sa-22_asm-examine
               name: assessment-method
               props:
@@ -28415,6 +31850,9 @@ catalog:
                           value: SC-01a.[01]
                           class: sp800-53a
                       prose: a system and communications protection policy is developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -28422,6 +31860,9 @@ catalog:
                           value: SC-01a.[02]
                           class: sp800-53a
                       prose: 'the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -28429,6 +31870,9 @@ catalog:
                           value: SC-01a.[03]
                           class: sp800-53a
                       prose: system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -28436,6 +31880,9 @@ catalog:
                           value: SC-01a.[04]
                           class: sp800-53a
                       prose: 'the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -28457,6 +31904,9 @@ catalog:
                                   value: SC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -28464,6 +31914,9 @@ catalog:
                                   value: SC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -28471,6 +31924,9 @@ catalog:
                                   value: SC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -28478,6 +31934,9 @@ catalog:
                                   value: SC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -28485,6 +31944,9 @@ catalog:
                                   value: SC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -28492,6 +31954,9 @@ catalog:
                                   value: SC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -28499,6 +31964,12 @@ catalog:
                                   value: SC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sc-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sc-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -28506,6 +31977,15 @@ catalog:
                               value: SC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sc-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.a'
+                      rel: assessment-for
                 - id: sc-1_obj.b
                   name: assessment-objective
                   props:
@@ -28513,6 +31993,9 @@ catalog:
                       value: SC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;'
+                  links:
+                    - href: '#sc-1_smt.b'
+                      rel: assessment-for
                 - id: sc-1_obj.c
                   name: assessment-objective
                   props:
@@ -28534,6 +32017,9 @@ catalog:
                               value: SC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
                         - id: sc-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -28541,6 +32027,12 @@ catalog:
                               value: SC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.1'
+                          rel: assessment-for
                     - id: sc-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -28555,6 +32047,9 @@ catalog:
                               value: SC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
                         - id: sc-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -28562,6 +32057,18 @@ catalog:
                               value: SC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-1_smt'
+                  rel: assessment-for
             - id: sc-1_asm-examine
               name: assessment-method
               props:
@@ -28694,6 +32201,9 @@ catalog:
                       value: SC-05a.
                       class: sp800-53a
                   prose: 'the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};'
+                  links:
+                    - href: '#sc-5_smt.a'
+                      rel: assessment-for
                 - id: sc-5_obj.b
                   name: assessment-objective
                   props:
@@ -28701,6 +32211,12 @@ catalog:
                       value: SC-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.'
+                  links:
+                    - href: '#sc-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-5_smt'
+                  rel: assessment-for
             - id: sc-5_asm-examine
               name: assessment-method
               props:
@@ -28896,6 +32412,9 @@ catalog:
                           value: SC-07a.[01]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -28903,6 +32422,9 @@ catalog:
                           value: SC-07a.[02]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -28910,6 +32432,9 @@ catalog:
                           value: SC-07a.[03]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-4
                       name: assessment-objective
                       props:
@@ -28917,6 +32442,12 @@ catalog:
                           value: SC-07a.[04]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7_smt.a'
+                      rel: assessment-for
                 - id: sc-7_obj.b
                   name: assessment-objective
                   props:
@@ -28924,6 +32455,9 @@ catalog:
                       value: SC-07b.
                       class: sp800-53a
                   prose: 'subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;'
+                  links:
+                    - href: '#sc-7_smt.b'
+                      rel: assessment-for
                 - id: sc-7_obj.c
                   name: assessment-objective
                   props:
@@ -28931,6 +32465,12 @@ catalog:
                       value: SC-07c.
                       class: sp800-53a
                   prose: external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+                  links:
+                    - href: '#sc-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-7_smt'
+                  rel: assessment-for
             - id: sc-7_asm-examine
               name: assessment-method
               props:
@@ -29057,6 +32597,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#sa-4'
               rel: related
             - href: '#sa-8'
@@ -29104,6 +32646,9 @@ catalog:
                       value: SC-12[01]
                       class: sp800-53a
                   prose: 'cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
                 - id: sc-12_obj-2
                   name: assessment-objective
                   props:
@@ -29111,6 +32656,12 @@ catalog:
                       value: SC-12[02]
                       class: sp800-53a
                   prose: 'cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-12_smt'
+                  rel: assessment-for
             - id: sc-12_asm-examine
               name: assessment-method
               props:
@@ -29234,6 +32785,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#mp-2'
@@ -29297,6 +32850,9 @@ catalog:
                       value: SC-13a.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.01 }} are identified;'
+                  links:
+                    - href: '#sc-13_smt.a'
+                      rel: assessment-for
                 - id: sc-13_obj.b
                   name: assessment-objective
                   props:
@@ -29304,6 +32860,12 @@ catalog:
                       value: SC-13b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.'
+                  links:
+                    - href: '#sc-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-13_smt'
+                  rel: assessment-for
             - id: sc-13_asm-examine
               name: assessment-method
               props:
@@ -29427,6 +32989,9 @@ catalog:
                       value: SC-15a.
                       class: sp800-53a
                   prose: 'remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};'
+                  links:
+                    - href: '#sc-15_smt.a'
+                      rel: assessment-for
                 - id: sc-15_obj.b
                   name: assessment-objective
                   props:
@@ -29434,6 +32999,12 @@ catalog:
                       value: SC-15b.
                       class: sp800-53a
                   prose: an explicit indication of use is provided to users physically present at the devices.
+                  links:
+                    - href: '#sc-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-15_smt'
+                  rel: assessment-for
             - id: sc-15_asm-examine
               name: assessment-method
               props:
@@ -29568,6 +33139,9 @@ catalog:
                           value: SC-20a.[01]
                           class: sp800-53a
                       prose: additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
                     - id: sc-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -29575,6 +33149,12 @@ catalog:
                           value: SC-20a.[02]
                           class: sp800-53a
                       prose: integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.a'
+                      rel: assessment-for
                 - id: sc-20_obj.b
                   name: assessment-objective
                   props:
@@ -29589,6 +33169,9 @@ catalog:
                           value: SC-20b.[01]
                           class: sp800-53a
                       prose: the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
                     - id: sc-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -29596,6 +33179,15 @@ catalog:
                           value: SC-20b.[02]
                           class: sp800-53a
                       prose: the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-20_smt'
+                  rel: assessment-for
             - id: sc-20_asm-examine
               name: assessment-method
               props:
@@ -29690,6 +33282,9 @@ catalog:
                       value: SC-21[01]
                       class: sp800-53a
                   prose: data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-2
                   name: assessment-objective
                   props:
@@ -29697,6 +33292,9 @@ catalog:
                       value: SC-21[02]
                       class: sp800-53a
                   prose: data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-3
                   name: assessment-objective
                   props:
@@ -29704,6 +33302,9 @@ catalog:
                       value: SC-21[03]
                       class: sp800-53a
                   prose: data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-4
                   name: assessment-objective
                   props:
@@ -29711,6 +33312,12 @@ catalog:
                       value: SC-21[04]
                       class: sp800-53a
                   prose: data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-21_smt'
+                  rel: assessment-for
             - id: sc-21_asm-examine
               name: assessment-method
               props:
@@ -29811,6 +33418,9 @@ catalog:
                       value: SC-22[01]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization are fault-tolerant;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-2
                   name: assessment-objective
                   props:
@@ -29818,6 +33428,9 @@ catalog:
                       value: SC-22[02]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement internal role separation;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-3
                   name: assessment-objective
                   props:
@@ -29825,6 +33438,12 @@ catalog:
                       value: SC-22[03]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement external role separation.
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-22_smt'
+                  rel: assessment-for
             - id: sc-22_asm-examine
               name: assessment-method
               props:
@@ -29933,6 +33552,9 @@ catalog:
                   value: SC-39
                   class: sp800-53a
               prose: a separate execution domain is maintained for each executing system process.
+              links:
+                - href: '#sc-39_smt'
+                  rel: assessment-for
             - id: sc-39_asm-examine
               name: assessment-method
               props:
@@ -30191,6 +33813,9 @@ catalog:
                           value: SI-01a.[01]
                           class: sp800-53a
                       prose: a system and information integrity policy is developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -30198,6 +33823,9 @@ catalog:
                           value: SI-01a.[02]
                           class: sp800-53a
                       prose: 'the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -30205,6 +33833,9 @@ catalog:
                           value: SI-01a.[03]
                           class: sp800-53a
                       prose: system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -30212,6 +33843,9 @@ catalog:
                           value: SI-01a.[04]
                           class: sp800-53a
                       prose: 'the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -30233,6 +33867,9 @@ catalog:
                                   value: SI-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -30240,6 +33877,9 @@ catalog:
                                   value: SI-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -30247,6 +33887,9 @@ catalog:
                                   value: SI-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -30254,6 +33897,9 @@ catalog:
                                   value: SI-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -30261,6 +33907,9 @@ catalog:
                                   value: SI-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -30268,6 +33917,9 @@ catalog:
                                   value: SI-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -30275,6 +33927,12 @@ catalog:
                                   value: SI-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#si-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: si-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -30282,6 +33940,15 @@ catalog:
                               value: SI-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#si-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.a'
+                      rel: assessment-for
                 - id: si-1_obj.b
                   name: assessment-objective
                   props:
@@ -30289,6 +33956,9 @@ catalog:
                       value: SI-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;'
+                  links:
+                    - href: '#si-1_smt.b'
+                      rel: assessment-for
                 - id: si-1_obj.c
                   name: assessment-objective
                   props:
@@ -30310,6 +33980,9 @@ catalog:
                               value: SI-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
                         - id: si-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -30317,6 +33990,12 @@ catalog:
                               value: SI-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.1'
+                          rel: assessment-for
                     - id: si-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -30331,6 +34010,9 @@ catalog:
                               value: SI-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
                         - id: si-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -30338,6 +34020,18 @@ catalog:
                               value: SI-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#si-1_smt'
+                  rel: assessment-for
             - id: si-1_asm-examine
               name: assessment-method
               props:
@@ -30499,6 +34193,9 @@ catalog:
                           value: SI-02a.[01]
                           class: sp800-53a
                       prose: system flaws are identified;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -30506,6 +34203,9 @@ catalog:
                           value: SI-02a.[02]
                           class: sp800-53a
                       prose: system flaws are reported;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -30513,6 +34213,12 @@ catalog:
                           value: SI-02a.[03]
                           class: sp800-53a
                       prose: system flaws are corrected;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.a'
+                      rel: assessment-for
                 - id: si-2_obj.b
                   name: assessment-objective
                   props:
@@ -30527,6 +34233,9 @@ catalog:
                           value: SI-02b.[01]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -30534,6 +34243,9 @@ catalog:
                           value: SI-02b.[02]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-3
                       name: assessment-objective
                       props:
@@ -30541,6 +34253,9 @@ catalog:
                           value: SI-02b.[03]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-4
                       name: assessment-objective
                       props:
@@ -30548,6 +34263,12 @@ catalog:
                           value: SI-02b.[04]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.b'
+                      rel: assessment-for
                 - id: si-2_obj.c
                   name: assessment-objective
                   props:
@@ -30562,6 +34283,9 @@ catalog:
                           value: SI-02c.[01]
                           class: sp800-53a
                       prose: 'security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
                     - id: si-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -30569,6 +34293,12 @@ catalog:
                           value: SI-02c.[02]
                           class: sp800-53a
                       prose: 'security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.c'
+                      rel: assessment-for
                 - id: si-2_obj.d
                   name: assessment-objective
                   props:
@@ -30576,6 +34306,12 @@ catalog:
                       value: SI-02d.
                       class: sp800-53a
                   prose: flaw remediation is incorporated into the organizational configuration management process.
+                  links:
+                    - href: '#si-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-2_smt'
+                  rel: assessment-for
             - id: si-2_asm-examine
               name: assessment-method
               props:
@@ -30849,6 +34585,9 @@ catalog:
                           value: SI-03a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
                     - id: si-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -30856,6 +34595,12 @@ catalog:
                           value: SI-03a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.a'
+                      rel: assessment-for
                 - id: si-3_obj.b
                   name: assessment-objective
                   props:
@@ -30863,6 +34608,9 @@ catalog:
                       value: SI-03b.
                       class: sp800-53a
                   prose: malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
+                  links:
+                    - href: '#si-3_smt.b'
+                      rel: assessment-for
                 - id: si-3_obj.c
                   name: assessment-objective
                   props:
@@ -30884,6 +34632,9 @@ catalog:
                               value: SI-03c.01[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
                         - id: si-3_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -30891,6 +34642,12 @@ catalog:
                               value: SI-03c.01[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.1'
+                          rel: assessment-for
                     - id: si-3_obj.c.2
                       name: assessment-objective
                       props:
@@ -30905,6 +34662,9 @@ catalog:
                               value: SI-03c.02[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
                         - id: si-3_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -30912,6 +34672,15 @@ catalog:
                               value: SI-03c.02[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.c'
+                      rel: assessment-for
                 - id: si-3_obj.d
                   name: assessment-objective
                   props:
@@ -30919,6 +34688,12 @@ catalog:
                       value: SI-03d.
                       class: sp800-53a
                   prose: the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
+                  links:
+                    - href: '#si-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-3_smt'
+                  rel: assessment-for
             - id: si-3_asm-examine
               name: assessment-method
               props:
@@ -31271,6 +35046,9 @@ catalog:
                           value: SI-04a.01
                           class: sp800-53a
                       prose: 'the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};'
+                      links:
+                        - href: '#si-4_smt.a.1'
+                          rel: assessment-for
                     - id: si-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -31285,6 +35063,9 @@ catalog:
                               value: SI-04a.02[01]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized local connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -31292,6 +35073,9 @@ catalog:
                               value: SI-04a.02[02]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized network connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -31299,6 +35083,15 @@ catalog:
                               value: SI-04a.02[03]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized remote connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.a'
+                      rel: assessment-for
                 - id: si-4_obj.b
                   name: assessment-objective
                   props:
@@ -31306,6 +35099,9 @@ catalog:
                       value: SI-04b.
                       class: sp800-53a
                   prose: 'unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};'
+                  links:
+                    - href: '#si-4_smt.b'
+                      rel: assessment-for
                 - id: si-4_obj.c
                   name: assessment-objective
                   props:
@@ -31320,6 +35116,9 @@ catalog:
                           value: SI-04c.01
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
+                      links:
+                        - href: '#si-4_smt.c.1'
+                          rel: assessment-for
                     - id: si-4_obj.c.2
                       name: assessment-objective
                       props:
@@ -31327,6 +35126,12 @@ catalog:
                           value: SI-04c.02
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
+                      links:
+                        - href: '#si-4_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.c'
+                      rel: assessment-for
                 - id: si-4_obj.d
                   name: assessment-objective
                   props:
@@ -31341,6 +35146,9 @@ catalog:
                           value: SI-04d.[01]
                           class: sp800-53a
                       prose: detected events are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
                     - id: si-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -31348,6 +35156,12 @@ catalog:
                           value: SI-04d.[02]
                           class: sp800-53a
                       prose: detected anomalies are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.d'
+                      rel: assessment-for
                 - id: si-4_obj.e
                   name: assessment-objective
                   props:
@@ -31355,6 +35169,9 @@ catalog:
                       value: SI-04e.
                       class: sp800-53a
                   prose: the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+                  links:
+                    - href: '#si-4_smt.e'
+                      rel: assessment-for
                 - id: si-4_obj.f
                   name: assessment-objective
                   props:
@@ -31362,6 +35179,9 @@ catalog:
                       value: SI-04f.
                       class: sp800-53a
                   prose: a legal opinion regarding system monitoring activities is obtained;
+                  links:
+                    - href: '#si-4_smt.f'
+                      rel: assessment-for
                 - id: si-4_obj.g
                   name: assessment-objective
                   props:
@@ -31369,6 +35189,12 @@ catalog:
                       value: SI-04g.
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.'
+                  links:
+                    - href: '#si-4_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#si-4_smt'
+                  rel: assessment-for
             - id: si-4_asm-examine
               name: assessment-method
               props:
@@ -31564,6 +35390,9 @@ catalog:
                       value: SI-05a.
                       class: sp800-53a
                   prose: 'system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;'
+                  links:
+                    - href: '#si-5_smt.a'
+                      rel: assessment-for
                 - id: si-5_obj.b
                   name: assessment-objective
                   props:
@@ -31571,6 +35400,9 @@ catalog:
                       value: SI-05b.
                       class: sp800-53a
                   prose: internal security alerts, advisories, and directives are generated as deemed necessary;
+                  links:
+                    - href: '#si-5_smt.b'
+                      rel: assessment-for
                 - id: si-5_obj.c
                   name: assessment-objective
                   props:
@@ -31578,6 +35410,9 @@ catalog:
                       value: SI-05c.
                       class: sp800-53a
                   prose: 'security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};'
+                  links:
+                    - href: '#si-5_smt.c'
+                      rel: assessment-for
                 - id: si-5_obj.d
                   name: assessment-objective
                   props:
@@ -31585,6 +35420,12 @@ catalog:
                       value: SI-05d.
                       class: sp800-53a
                   prose: security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.
+                  links:
+                    - href: '#si-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-5_smt'
+                  rel: assessment-for
             - id: si-5_asm-examine
               name: assessment-method
               props:
@@ -31748,6 +35589,9 @@ catalog:
                       value: SI-12[01]
                       class: sp800-53a
                   prose: information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-2
                   name: assessment-objective
                   props:
@@ -31755,6 +35599,9 @@ catalog:
                       value: SI-12[02]
                       class: sp800-53a
                   prose: information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-3
                   name: assessment-objective
                   props:
@@ -31762,6 +35609,9 @@ catalog:
                       value: SI-12[03]
                       class: sp800-53a
                   prose: information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-4
                   name: assessment-objective
                   props:
@@ -31769,6 +35619,12 @@ catalog:
                       value: SI-12[04]
                       class: sp800-53a
                   prose: information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-12_smt'
+                  rel: assessment-for
             - id: si-12_asm-examine
               name: assessment-method
               props:
@@ -32066,6 +35922,9 @@ catalog:
                           value: SR-01a.[01]
                           class: sp800-53a
                       prose: a supply chain risk management policy is developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -32073,6 +35932,9 @@ catalog:
                           value: SR-01a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -32080,6 +35942,9 @@ catalog:
                           value: SR-01a.[03]
                           class: sp800-53a
                       prose: supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -32087,6 +35952,9 @@ catalog:
                           value: SR-01a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -32108,6 +35976,9 @@ catalog:
                                   value: SR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -32115,6 +35986,9 @@ catalog:
                                   value: SR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; '
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -32122,6 +35996,9 @@ catalog:
                                   value: SR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: ' {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -32129,6 +36006,9 @@ catalog:
                                   value: SR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -32136,6 +36016,9 @@ catalog:
                                   value: SR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -32143,6 +36026,9 @@ catalog:
                                   value: SR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -32150,6 +36036,12 @@ catalog:
                                   value: SR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sr-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sr-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -32157,6 +36049,15 @@ catalog:
                               value: SR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sr-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.a'
+                      rel: assessment-for
                 - id: sr-1_obj.b
                   name: assessment-objective
                   props:
@@ -32164,6 +36065,9 @@ catalog:
                       value: SR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;'
+                  links:
+                    - href: '#sr-1_smt.b'
+                      rel: assessment-for
                 - id: sr-1_obj.c
                   name: assessment-objective
                   props:
@@ -32185,6 +36089,9 @@ catalog:
                               value: SR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
                         - id: sr-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -32192,6 +36099,12 @@ catalog:
                               value: SR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.1'
+                          rel: assessment-for
                     - id: sr-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -32206,6 +36119,9 @@ catalog:
                               value: SR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
                         - id: sr-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -32213,6 +36129,18 @@ catalog:
                               value: SR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-1_smt'
+                  rel: assessment-for
             - id: sr-1_asm-examine
               name: assessment-method
               props:
@@ -32389,6 +36317,9 @@ catalog:
                           value: SR-02a.[01]
                           class: sp800-53a
                       prose: a plan for managing supply chain risks is developed;
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -32396,6 +36327,9 @@ catalog:
                           value: SR-02a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -32403,6 +36337,9 @@ catalog:
                           value: SR-02a.[03]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-4
                       name: assessment-objective
                       props:
@@ -32410,6 +36347,9 @@ catalog:
                           value: SR-02a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-5
                       name: assessment-objective
                       props:
@@ -32417,6 +36357,9 @@ catalog:
                           value: SR-02a.[05]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-6
                       name: assessment-objective
                       props:
@@ -32424,6 +36367,9 @@ catalog:
                           value: SR-02a.[06]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-7
                       name: assessment-objective
                       props:
@@ -32431,6 +36377,9 @@ catalog:
                           value: SR-02a.[07]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-8
                       name: assessment-objective
                       props:
@@ -32438,6 +36387,9 @@ catalog:
                           value: SR-02a.[08]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-9
                       name: assessment-objective
                       props:
@@ -32445,6 +36397,12 @@ catalog:
                           value: SR-02a.[09]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.a'
+                      rel: assessment-for
                 - id: sr-2_obj.b
                   name: assessment-objective
                   props:
@@ -32452,6 +36410,9 @@ catalog:
                       value: SR-02b.
                       class: sp800-53a
                   prose: 'the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;'
+                  links:
+                    - href: '#sr-2_smt.b'
+                      rel: assessment-for
                 - id: sr-2_obj.c
                   name: assessment-objective
                   props:
@@ -32466,6 +36427,9 @@ catalog:
                           value: SR-02c.[01]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
                     - id: sr-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -32473,6 +36437,15 @@ catalog:
                           value: SR-02c.[02]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-2_smt'
+                  rel: assessment-for
             - id: sr-2_asm-examine
               name: assessment-method
               props:
@@ -32619,6 +36592,9 @@ catalog:
                       value: SR-02(01)
                       class: sp800-53a
                   prose: 'a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.'
+                  links:
+                    - href: '#sr-2.1_smt'
+                      rel: assessment-for
                 - id: sr-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -32852,6 +36828,9 @@ catalog:
                           value: SR-03a.[01]
                           class: sp800-53a
                       prose: 'a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
                     - id: sr-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -32859,6 +36838,12 @@ catalog:
                           value: SR-03a.[02]
                           class: sp800-53a
                       prose: 'the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-3_smt.a'
+                      rel: assessment-for
                 - id: sr-3_obj.b
                   name: assessment-objective
                   props:
@@ -32866,6 +36851,9 @@ catalog:
                       value: SR-03b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;'
+                  links:
+                    - href: '#sr-3_smt.b'
+                      rel: assessment-for
                 - id: sr-3_obj.c
                   name: assessment-objective
                   props:
@@ -32873,6 +36861,12 @@ catalog:
                       value: SR-03c.
                       class: sp800-53a
                   prose: 'the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.'
+                  links:
+                    - href: '#sr-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-3_smt'
+                  rel: assessment-for
             - id: sr-3_asm-examine
               name: assessment-method
               props:
@@ -33042,6 +37036,9 @@ catalog:
                       value: SR-05[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-2
                   name: assessment-objective
                   props:
@@ -33049,6 +37046,9 @@ catalog:
                       value: SR-05[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-3
                   name: assessment-objective
                   props:
@@ -33056,6 +37056,12 @@ catalog:
                       value: SR-05[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sr-5_smt'
+                  rel: assessment-for
             - id: sr-5_asm-examine
               name: assessment-method
               props:
@@ -33207,6 +37213,9 @@ catalog:
                   value: SR-08
                   class: sp800-53a
               prose: 'agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.'
+              links:
+                - href: '#sr-8_smt'
+                  rel: assessment-for
             - id: sr-8_asm-examine
               name: assessment-method
               props:
@@ -33363,6 +37372,9 @@ catalog:
                   value: SR-10
                   class: sp800-53a
               prose: ' {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.'
+              links:
+                - href: '#sr-10_smt'
+                  rel: assessment-for
             - id: sr-10_asm-examine
               name: assessment-method
               props:
@@ -33534,6 +37546,9 @@ catalog:
                           value: SR-11a.[01]
                           class: sp800-53a
                       prose: an anti-counterfeit policy is developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -33541,6 +37556,9 @@ catalog:
                           value: SR-11a.[02]
                           class: sp800-53a
                       prose: anti-counterfeit procedures are developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -33548,6 +37566,9 @@ catalog:
                           value: SR-11a.[03]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to detect counterfeit components entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -33555,6 +37576,12 @@ catalog:
                           value: SR-11a.[04]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11_smt.a'
+                      rel: assessment-for
                 - id: sr-11_obj.b
                   name: assessment-objective
                   props:
@@ -33562,6 +37589,12 @@ catalog:
                       value: SR-11b.
                       class: sp800-53a
                   prose: 'counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.'
+                  links:
+                    - href: '#sr-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sr-11_smt'
+                  rel: assessment-for
             - id: sr-11_asm-examine
               name: assessment-method
               props:
@@ -33687,6 +37720,9 @@ catalog:
                       value: SR-11(01)
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).'
+                  links:
+                    - href: '#sr-11.1_smt'
+                      rel: assessment-for
                 - id: sr-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -33811,6 +37847,9 @@ catalog:
                           value: SR-11(02)[01]
                           class: sp800-53a
                       prose: 'configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
                     - id: sr-11.2_obj-2
                       name: assessment-objective
                       props:
@@ -33818,6 +37857,12 @@ catalog:
                           value: SR-11(02)[02]
                           class: sp800-53a
                       prose: 'configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11.2_smt'
+                      rel: assessment-for
                 - id: sr-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -33934,6 +37979,9 @@ catalog:
                   value: SR-12
                   class: sp800-53a
               prose: ' {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.'
+              links:
+                - href: '#sr-12_smt'
+                  rel: assessment-for
             - id: sr-12_asm-examine
               name: assessment-method
               props:
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline_profile.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline_profile.yaml
index 3a0eb947..0019fc14 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline_profile.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline_profile.yaml
@@ -1,9 +1,9 @@
 profile:
-  uuid: 8742196d-86ba-4e72-a411-28867dab43bb
+  uuid: b648ca9e-da6d-4159-b28d-f2df9a044137
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 LOW IMPACT BASELINE
-    last-modified: "2023-10-12T00:00:00.000000-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 LOW IMPACT BASELINE
+    last-modified: "2023-12-04T14:55:00.000000-04:00"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     roles:
       - id: creator
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.yaml
index 40240208..9751921a 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline-resolved-profile_catalog.yaml
@@ -1,9 +1,9 @@
 catalog:
-  uuid: 64dd932d-a3d3-4369-8fa3-09c7b202e580
+  uuid: 6ce800da-ce21-48b7-8da4-715337b033e6
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE
-    last-modified: "2023-11-02T11:49:44.380433-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE
+    last-modified: "2023-12-05T21:54:58.514658Z"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     props:
       - name: resolution-tool
@@ -257,6 +257,9 @@ catalog:
                           value: AC-01a.[01]
                           class: sp800-53a
                       prose: an access control policy is developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -264,6 +267,9 @@ catalog:
                           value: AC-01a.[02]
                           class: sp800-53a
                       prose: 'the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -271,6 +277,9 @@ catalog:
                           value: AC-01a.[03]
                           class: sp800-53a
                       prose: access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -278,6 +287,9 @@ catalog:
                           value: AC-01a.[04]
                           class: sp800-53a
                       prose: 'the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -299,6 +311,9 @@ catalog:
                                   value: AC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -306,6 +321,9 @@ catalog:
                                   value: AC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -313,6 +331,9 @@ catalog:
                                   value: AC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -320,6 +341,9 @@ catalog:
                                   value: AC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -327,6 +351,9 @@ catalog:
                                   value: AC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -334,6 +361,9 @@ catalog:
                                   value: AC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -341,6 +371,12 @@ catalog:
                                   value: AC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ac-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -348,6 +384,15 @@ catalog:
                               value: AC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ac-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.a'
+                      rel: assessment-for
                 - id: ac-1_obj.b
                   name: assessment-objective
                   props:
@@ -355,6 +400,9 @@ catalog:
                       value: AC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;'
+                  links:
+                    - href: '#ac-1_smt.b'
+                      rel: assessment-for
                 - id: ac-1_obj.c
                   name: assessment-objective
                   props:
@@ -376,6 +424,9 @@ catalog:
                               value: AC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
                         - id: ac-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -383,6 +434,12 @@ catalog:
                               value: AC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.1'
+                          rel: assessment-for
                     - id: ac-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -397,6 +454,9 @@ catalog:
                               value: AC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
                         - id: ac-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -404,6 +464,18 @@ catalog:
                               value: AC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-1_smt'
+                  rel: assessment-for
             - id: ac-1_asm-examine
               name: assessment-method
               props:
@@ -778,6 +850,9 @@ catalog:
                           value: AC-02a.[01]
                           class: sp800-53a
                       prose: account types allowed for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
                     - id: ac-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -785,6 +860,12 @@ catalog:
                           value: AC-02a.[02]
                           class: sp800-53a
                       prose: account types specifically prohibited for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.a'
+                      rel: assessment-for
                 - id: ac-2_obj.b
                   name: assessment-objective
                   props:
@@ -792,6 +873,9 @@ catalog:
                       value: AC-02b.
                       class: sp800-53a
                   prose: account managers are assigned;
+                  links:
+                    - href: '#ac-2_smt.b'
+                      rel: assessment-for
                 - id: ac-2_obj.c
                   name: assessment-objective
                   props:
@@ -799,6 +883,9 @@ catalog:
                       value: AC-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-02_odp.01 }} for group and role membership are required;'
+                  links:
+                    - href: '#ac-2_smt.c'
+                      rel: assessment-for
                 - id: ac-2_obj.d
                   name: assessment-objective
                   props:
@@ -813,6 +900,9 @@ catalog:
                           value: AC-02d.01
                           class: sp800-53a
                       prose: authorized users of the system are specified;
+                      links:
+                        - href: '#ac-2_smt.d.1'
+                          rel: assessment-for
                     - id: ac-2_obj.d.2
                       name: assessment-objective
                       props:
@@ -820,6 +910,9 @@ catalog:
                           value: AC-02d.02
                           class: sp800-53a
                       prose: group and role membership are specified;
+                      links:
+                        - href: '#ac-2_smt.d.2'
+                          rel: assessment-for
                     - id: ac-2_obj.d.3
                       name: assessment-objective
                       props:
@@ -834,6 +927,9 @@ catalog:
                               value: AC-02d.03[01]
                               class: sp800-53a
                           prose: access authorizations (i.e., privileges) are specified for each account;
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
                         - id: ac-2_obj.d.3-2
                           name: assessment-objective
                           props:
@@ -841,6 +937,15 @@ catalog:
                               value: AC-02d.03[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, ac-02_odp.02 }} are specified for each account;'
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-2_smt.d.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.d'
+                      rel: assessment-for
                 - id: ac-2_obj.e
                   name: assessment-objective
                   props:
@@ -848,6 +953,9 @@ catalog:
                       value: AC-02e.
                       class: sp800-53a
                   prose: 'approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;'
+                  links:
+                    - href: '#ac-2_smt.e'
+                      rel: assessment-for
                 - id: ac-2_obj.f
                   name: assessment-objective
                   props:
@@ -862,6 +970,9 @@ catalog:
                           value: AC-02f.[01]
                           class: sp800-53a
                       prose: 'accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -869,6 +980,9 @@ catalog:
                           value: AC-02f.[02]
                           class: sp800-53a
                       prose: 'accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-3
                       name: assessment-objective
                       props:
@@ -876,6 +990,9 @@ catalog:
                           value: AC-02f.[03]
                           class: sp800-53a
                       prose: 'accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-4
                       name: assessment-objective
                       props:
@@ -883,6 +1000,9 @@ catalog:
                           value: AC-02f.[04]
                           class: sp800-53a
                       prose: 'accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-5
                       name: assessment-objective
                       props:
@@ -890,6 +1010,12 @@ catalog:
                           value: AC-02f.[05]
                           class: sp800-53a
                       prose: 'accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.f'
+                      rel: assessment-for
                 - id: ac-2_obj.g
                   name: assessment-objective
                   props:
@@ -897,6 +1023,9 @@ catalog:
                       value: AC-02g.
                       class: sp800-53a
                   prose: 'the use of accounts is monitored; '
+                  links:
+                    - href: '#ac-2_smt.g'
+                      rel: assessment-for
                 - id: ac-2_obj.h
                   name: assessment-objective
                   props:
@@ -911,6 +1040,9 @@ catalog:
                           value: AC-02h.01
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;'
+                      links:
+                        - href: '#ac-2_smt.h.1'
+                          rel: assessment-for
                     - id: ac-2_obj.h.2
                       name: assessment-objective
                       props:
@@ -918,6 +1050,9 @@ catalog:
                           value: AC-02h.02
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;'
+                      links:
+                        - href: '#ac-2_smt.h.2'
+                          rel: assessment-for
                     - id: ac-2_obj.h.3
                       name: assessment-objective
                       props:
@@ -925,6 +1060,12 @@ catalog:
                           value: AC-02h.03
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;'
+                      links:
+                        - href: '#ac-2_smt.h.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.h'
+                      rel: assessment-for
                 - id: ac-2_obj.i
                   name: assessment-objective
                   props:
@@ -939,6 +1080,9 @@ catalog:
                           value: AC-02i.01
                           class: sp800-53a
                       prose: access to the system is authorized based on a valid access authorization;
+                      links:
+                        - href: '#ac-2_smt.i.1'
+                          rel: assessment-for
                     - id: ac-2_obj.i.2
                       name: assessment-objective
                       props:
@@ -946,6 +1090,9 @@ catalog:
                           value: AC-02i.02
                           class: sp800-53a
                       prose: access to the system is authorized based on intended system usage;
+                      links:
+                        - href: '#ac-2_smt.i.2'
+                          rel: assessment-for
                     - id: ac-2_obj.i.3
                       name: assessment-objective
                       props:
@@ -953,6 +1100,12 @@ catalog:
                           value: AC-02i.03
                           class: sp800-53a
                       prose: 'access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};'
+                      links:
+                        - href: '#ac-2_smt.i.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.i'
+                      rel: assessment-for
                 - id: ac-2_obj.j
                   name: assessment-objective
                   props:
@@ -960,6 +1113,9 @@ catalog:
                       value: AC-02j.
                       class: sp800-53a
                   prose: 'accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};'
+                  links:
+                    - href: '#ac-2_smt.j'
+                      rel: assessment-for
                 - id: ac-2_obj.k
                   name: assessment-objective
                   props:
@@ -974,6 +1130,9 @@ catalog:
                           value: AC-02k.[01]
                           class: sp800-53a
                       prose: a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
                     - id: ac-2_obj.k-2
                       name: assessment-objective
                       props:
@@ -981,6 +1140,12 @@ catalog:
                           value: AC-02k.[02]
                           class: sp800-53a
                       prose: a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.k'
+                      rel: assessment-for
                 - id: ac-2_obj.l
                   name: assessment-objective
                   props:
@@ -995,6 +1160,9 @@ catalog:
                           value: AC-02l.[01]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel termination processes;
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
                     - id: ac-2_obj.l-2
                       name: assessment-objective
                       props:
@@ -1002,6 +1170,15 @@ catalog:
                           value: AC-02l.[02]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel transfer processes.
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.l'
+                      rel: assessment-for
+              links:
+                - href: '#ac-2_smt'
+                  rel: assessment-for
             - id: ac-2_asm-examine
               name: assessment-method
               props:
@@ -1122,6 +1299,9 @@ catalog:
                       value: AC-02(01)
                       class: sp800-53a
                   prose: 'the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.'
+                  links:
+                    - href: '#ac-2.1_smt'
+                      rel: assessment-for
                 - id: ac-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -1234,6 +1414,9 @@ catalog:
                       value: AC-02(02)
                       class: sp800-53a
                   prose: 'temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.2_smt'
+                      rel: assessment-for
                 - id: ac-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -1378,6 +1561,9 @@ catalog:
                           value: AC-02(03)(a)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;'
+                      links:
+                        - href: '#ac-2.3_smt.a'
+                          rel: assessment-for
                     - id: ac-2.3_obj.b
                       name: assessment-objective
                       props:
@@ -1385,6 +1571,9 @@ catalog:
                           value: AC-02(03)(b)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;'
+                      links:
+                        - href: '#ac-2.3_smt.b'
+                          rel: assessment-for
                     - id: ac-2.3_obj.c
                       name: assessment-objective
                       props:
@@ -1392,6 +1581,9 @@ catalog:
                           value: AC-02(03)(c)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;'
+                      links:
+                        - href: '#ac-2.3_smt.c'
+                          rel: assessment-for
                     - id: ac-2.3_obj.d
                       name: assessment-objective
                       props:
@@ -1399,6 +1591,12 @@ catalog:
                           value: AC-02(03)(d)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.'
+                      links:
+                        - href: '#ac-2.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.3_smt'
+                      rel: assessment-for
                 - id: ac-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -1503,6 +1701,9 @@ catalog:
                           value: AC-02(04)[01]
                           class: sp800-53a
                       prose: account creation is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-2
                       name: assessment-objective
                       props:
@@ -1510,6 +1711,9 @@ catalog:
                           value: AC-02(04)[02]
                           class: sp800-53a
                       prose: account modification is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-3
                       name: assessment-objective
                       props:
@@ -1517,6 +1721,9 @@ catalog:
                           value: AC-02(04)[03]
                           class: sp800-53a
                       prose: account enabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-4
                       name: assessment-objective
                       props:
@@ -1524,6 +1731,9 @@ catalog:
                           value: AC-02(04)[04]
                           class: sp800-53a
                       prose: account disabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-5
                       name: assessment-objective
                       props:
@@ -1531,6 +1741,12 @@ catalog:
                           value: AC-02(04)[05]
                           class: sp800-53a
                       prose: account removal actions are automatically audited.
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.4_smt'
+                      rel: assessment-for
                 - id: ac-2.4_asm-examine
                   name: assessment-method
                   props:
@@ -1634,6 +1850,9 @@ catalog:
                       value: AC-02(05)
                       class: sp800-53a
                   prose: 'users are required to log out when {{ insert: param, ac-02.05_odp }}.'
+                  links:
+                    - href: '#ac-2.5_smt'
+                      rel: assessment-for
                 - id: ac-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -1736,6 +1955,9 @@ catalog:
                       value: AC-02(13)
                       class: sp800-53a
                   prose: 'accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.13_smt'
+                      rel: assessment-for
                 - id: ac-2.13_asm-examine
                   name: assessment-method
                   props:
@@ -1873,6 +2095,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-3'
               rel: related
             - href: '#ma-4'
@@ -1925,6 +2149,9 @@ catalog:
                   value: AC-03
                   class: sp800-53a
               prose: approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
+              links:
+                - href: '#ac-3_smt'
+                  rel: assessment-for
             - id: ac-3_asm-examine
               name: assessment-method
               props:
@@ -2070,6 +2297,9 @@ catalog:
                   value: AC-04
                   class: sp800-53a
               prose: 'approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.'
+              links:
+                - href: '#ac-4_smt'
+                  rel: assessment-for
             - id: ac-4_asm-examine
               name: assessment-method
               props:
@@ -2232,6 +2462,9 @@ catalog:
                       value: AC-05a.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-05_odp }} are identified and documented;'
+                  links:
+                    - href: '#ac-5_smt.a'
+                      rel: assessment-for
                 - id: ac-5_obj.b
                   name: assessment-objective
                   props:
@@ -2239,6 +2472,12 @@ catalog:
                       value: AC-05b.
                       class: sp800-53a
                   prose: system access authorizations to support separation of duties are defined.
+                  links:
+                    - href: '#ac-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-5_smt'
+                  rel: assessment-for
             - id: ac-5_asm-examine
               name: assessment-method
               props:
@@ -2348,6 +2587,9 @@ catalog:
                   value: AC-06
                   class: sp800-53a
               prose: the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+              links:
+                - href: '#ac-6_smt'
+                  rel: assessment-for
             - id: ac-6_asm-examine
               name: assessment-method
               props:
@@ -2531,6 +2773,9 @@ catalog:
                               value: AC-06(01)(a)[01]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -2538,6 +2783,9 @@ catalog:
                               value: AC-06(01)(a)[02]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-3
                           name: assessment-objective
                           props:
@@ -2545,6 +2793,12 @@ catalog:
                               value: AC-06(01)(a)[03]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-6.1_smt.a'
+                          rel: assessment-for
                     - id: ac-6.1_obj.b
                       name: assessment-objective
                       props:
@@ -2552,6 +2806,12 @@ catalog:
                           value: AC-06(01)(b)
                           class: sp800-53a
                       prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.'
+                      links:
+                        - href: '#ac-6.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.1_smt'
+                      rel: assessment-for
                 - id: ac-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -2656,6 +2916,9 @@ catalog:
                       value: AC-06(02)
                       class: sp800-53a
                   prose: 'users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.'
+                  links:
+                    - href: '#ac-6.2_smt'
+                      rel: assessment-for
                 - id: ac-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -2758,6 +3021,9 @@ catalog:
                       value: AC-06(05)
                       class: sp800-53a
                   prose: 'privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.'
+                  links:
+                    - href: '#ac-6.5_smt'
+                      rel: assessment-for
                 - id: ac-6.5_asm-examine
                   name: assessment-method
                   props:
@@ -2890,6 +3156,9 @@ catalog:
                           value: AC-06(07)(a)
                           class: sp800-53a
                       prose: 'privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;'
+                      links:
+                        - href: '#ac-6.7_smt.a'
+                          rel: assessment-for
                     - id: ac-6.7_obj.b
                       name: assessment-objective
                       props:
@@ -2897,6 +3166,12 @@ catalog:
                           value: AC-06(07)(b)
                           class: sp800-53a
                       prose: privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
+                      links:
+                        - href: '#ac-6.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.7_smt'
+                      rel: assessment-for
                 - id: ac-6.7_asm-examine
                   name: assessment-method
                   props:
@@ -2994,6 +3269,9 @@ catalog:
                       value: AC-06(09)
                       class: sp800-53a
                   prose: the execution of privileged functions is logged.
+                  links:
+                    - href: '#ac-6.9_smt'
+                      rel: assessment-for
                 - id: ac-6.9_asm-examine
                   name: assessment-method
                   props:
@@ -3085,6 +3363,9 @@ catalog:
                       value: AC-06(10)
                       class: sp800-53a
                   prose: non-privileged users are prevented from executing privileged functions.
+                  links:
+                    - href: '#ac-6.10_smt'
+                      rel: assessment-for
                 - id: ac-6.10_asm-examine
                   name: assessment-method
                   props:
@@ -3269,6 +3550,9 @@ catalog:
                       value: AC-07a.
                       class: sp800-53a
                   prose: 'a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;'
+                  links:
+                    - href: '#ac-7_smt.a'
+                      rel: assessment-for
                 - id: ac-7_obj.b
                   name: assessment-objective
                   props:
@@ -3276,6 +3560,12 @@ catalog:
                       value: AC-07b.
                       class: sp800-53a
                   prose: 'automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.'
+                  links:
+                    - href: '#ac-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-7_smt'
+                  rel: assessment-for
             - id: ac-7_asm-examine
               name: assessment-method
               props:
@@ -3469,6 +3759,9 @@ catalog:
                           value: AC-08a.01
                           class: sp800-53a
                       prose: the system use notification states that users are accessing a U.S. Government system;
+                      links:
+                        - href: '#ac-8_smt.a.1'
+                          rel: assessment-for
                     - id: ac-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -3476,6 +3769,9 @@ catalog:
                           value: AC-08a.02
                           class: sp800-53a
                       prose: the system use notification states that system usage may be monitored, recorded, and subject to audit;
+                      links:
+                        - href: '#ac-8_smt.a.2'
+                          rel: assessment-for
                     - id: ac-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -3483,6 +3779,9 @@ catalog:
                           value: AC-08a.03
                           class: sp800-53a
                       prose: the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
+                      links:
+                        - href: '#ac-8_smt.a.3'
+                          rel: assessment-for
                     - id: ac-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -3490,6 +3789,12 @@ catalog:
                           value: AC-08a.04
                           class: sp800-53a
                       prose: the system use notification states that use of the system indicates consent to monitoring and recording;
+                      links:
+                        - href: '#ac-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.a'
+                      rel: assessment-for
                 - id: ac-8_obj.b
                   name: assessment-objective
                   props:
@@ -3497,6 +3802,9 @@ catalog:
                       value: AC-08b.
                       class: sp800-53a
                   prose: the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
+                  links:
+                    - href: '#ac-8_smt.b'
+                      rel: assessment-for
                 - id: ac-8_obj.c
                   name: assessment-objective
                   props:
@@ -3511,6 +3819,9 @@ catalog:
                           value: AC-08c.01
                           class: sp800-53a
                       prose: 'for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;'
+                      links:
+                        - href: '#ac-8_smt.c.1'
+                          rel: assessment-for
                     - id: ac-8_obj.c.2
                       name: assessment-objective
                       props:
@@ -3518,6 +3829,9 @@ catalog:
                           value: AC-08c.02
                           class: sp800-53a
                       prose: for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
+                      links:
+                        - href: '#ac-8_smt.c.2'
+                          rel: assessment-for
                     - id: ac-8_obj.c.3
                       name: assessment-objective
                       props:
@@ -3525,6 +3839,15 @@ catalog:
                           value: AC-08c.03
                           class: sp800-53a
                       prose: for publicly accessible systems, a description of the authorized uses of the system is included.
+                      links:
+                        - href: '#ac-8_smt.c.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-8_smt'
+                  rel: assessment-for
             - id: ac-8_asm-examine
               name: assessment-method
               props:
@@ -3672,6 +3995,9 @@ catalog:
                       value: AC-11a.
                       class: sp800-53a
                   prose: 'further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};'
+                  links:
+                    - href: '#ac-11_smt.a'
+                      rel: assessment-for
                 - id: ac-11_obj.b
                   name: assessment-objective
                   props:
@@ -3679,6 +4005,12 @@ catalog:
                       value: AC-11b.
                       class: sp800-53a
                   prose: device lock is retained until the user re-establishes access using established identification and authentication procedures.
+                  links:
+                    - href: '#ac-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-11_smt'
+                  rel: assessment-for
             - id: ac-11_asm-examine
               name: assessment-method
               props:
@@ -3767,6 +4099,9 @@ catalog:
                       value: AC-11(01)
                       class: sp800-53a
                   prose: information previously visible on the display is concealed, via device lock, with a publicly viewable image.
+                  links:
+                    - href: '#ac-11.1_smt'
+                      rel: assessment-for
                 - id: ac-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -3870,6 +4205,9 @@ catalog:
                   value: AC-12
                   class: sp800-53a
               prose: 'a user session is automatically terminated after {{ insert: param, ac-12_odp }}.'
+              links:
+                - href: '#ac-12_smt'
+                  rel: assessment-for
             - id: ac-12_asm-examine
               name: assessment-method
               props:
@@ -3991,6 +4329,9 @@ catalog:
                       value: AC-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;'
+                  links:
+                    - href: '#ac-14_smt.a'
+                      rel: assessment-for
                 - id: ac-14_obj.b
                   name: assessment-objective
                   props:
@@ -4005,6 +4346,9 @@ catalog:
                           value: AC-14b.[01]
                           class: sp800-53a
                       prose: user actions not requiring identification or authentication are documented in the security plan for the system;
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
                     - id: ac-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -4012,6 +4356,15 @@ catalog:
                           value: AC-14b.[02]
                           class: sp800-53a
                       prose: a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-14_smt'
+                  rel: assessment-for
             - id: ac-14_asm-examine
               name: assessment-method
               props:
@@ -4159,6 +4512,9 @@ catalog:
                           value: AC-17a.[01]
                           class: sp800-53a
                       prose: usage restrictions are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -4166,6 +4522,9 @@ catalog:
                           value: AC-17a.[02]
                           class: sp800-53a
                       prose: configuration/connection requirements are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-3
                       name: assessment-objective
                       props:
@@ -4173,6 +4532,12 @@ catalog:
                           value: AC-17a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17_smt.a'
+                      rel: assessment-for
                 - id: ac-17_obj.b
                   name: assessment-objective
                   props:
@@ -4180,6 +4545,12 @@ catalog:
                       value: AC-17b.
                       class: sp800-53a
                   prose: each type of remote access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-17_smt'
+                  rel: assessment-for
             - id: ac-17_asm-examine
               name: assessment-method
               props:
@@ -4286,6 +4657,9 @@ catalog:
                           value: AC-17(01)[01]
                           class: sp800-53a
                       prose: automated mechanisms are employed to monitor remote access methods;
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
                     - id: ac-17.1_obj-2
                       name: assessment-objective
                       props:
@@ -4293,6 +4667,12 @@ catalog:
                           value: AC-17(01)[02]
                           class: sp800-53a
                       prose: automated mechanisms are employed to control remote access methods.
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.1_smt'
+                      rel: assessment-for
                 - id: ac-17.1_asm-examine
                   name: assessment-method
                   props:
@@ -4386,6 +4766,9 @@ catalog:
                       value: AC-17(02)
                       class: sp800-53a
                   prose: cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
+                  links:
+                    - href: '#ac-17.2_smt'
+                      rel: assessment-for
                 - id: ac-17.2_asm-examine
                   name: assessment-method
                   props:
@@ -4475,6 +4858,9 @@ catalog:
                       value: AC-17(03)
                       class: sp800-53a
                   prose: remote accesses are routed through authorized and managed network access control points.
+                  links:
+                    - href: '#ac-17.3_smt'
+                      rel: assessment-for
                 - id: ac-17.3_asm-examine
                   name: assessment-method
                   props:
@@ -4618,6 +5004,9 @@ catalog:
                               value: AC-17(04)(a)[01]
                               class: sp800-53a
                           prose: the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -4625,6 +5014,9 @@ catalog:
                               value: AC-17(04)(a)[02]
                               class: sp800-53a
                           prose: access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-3
                           name: assessment-objective
                           props:
@@ -4632,6 +5024,9 @@ catalog:
                               value: AC-17(04)(a)[03]
                               class: sp800-53a
                           prose: 'the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-4
                           name: assessment-objective
                           props:
@@ -4639,6 +5034,12 @@ catalog:
                               value: AC-17(04)(a)[04]
                               class: sp800-53a
                           prose: 'access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-17.4_smt.a'
+                          rel: assessment-for
                     - id: ac-17.4_obj.b
                       name: assessment-objective
                       props:
@@ -4646,6 +5047,12 @@ catalog:
                           value: AC-17(04)(b)
                           class: sp800-53a
                       prose: the rationale for remote access is documented in the security plan for the system.
+                      links:
+                        - href: '#ac-17.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.4_smt'
+                      rel: assessment-for
                 - id: ac-17.4_asm-examine
                   name: assessment-method
                   props:
@@ -4783,6 +5190,9 @@ catalog:
                           value: AC-18a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -4790,6 +5200,9 @@ catalog:
                           value: AC-18a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -4797,6 +5210,12 @@ catalog:
                           value: AC-18a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18_smt.a'
+                      rel: assessment-for
                 - id: ac-18_obj.b
                   name: assessment-objective
                   props:
@@ -4804,6 +5223,12 @@ catalog:
                       value: AC-18b.
                       class: sp800-53a
                   prose: each type of wireless access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-18_smt'
+                  rel: assessment-for
             - id: ac-18_asm-examine
               name: assessment-method
               props:
@@ -4918,6 +5343,9 @@ catalog:
                           value: AC-18(01)[01]
                           class: sp800-53a
                       prose: 'wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};'
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
                     - id: ac-18.1_obj-2
                       name: assessment-objective
                       props:
@@ -4925,6 +5353,12 @@ catalog:
                           value: AC-18(01)[02]
                           class: sp800-53a
                       prose: wireless access to the system is protected using encryption.
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.1_smt'
+                      rel: assessment-for
                 - id: ac-18.1_asm-examine
                   name: assessment-method
                   props:
@@ -5013,6 +5447,9 @@ catalog:
                       value: AC-18(03)
                       class: sp800-53a
                   prose: when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
+                  links:
+                    - href: '#ac-18.3_smt'
+                      rel: assessment-for
                 - id: ac-18.3_asm-examine
                   name: assessment-method
                   props:
@@ -5173,6 +5610,9 @@ catalog:
                           value: AC-19a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-2
                       name: assessment-objective
                       props:
@@ -5180,6 +5620,9 @@ catalog:
                           value: AC-19a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-3
                       name: assessment-objective
                       props:
@@ -5187,6 +5630,12 @@ catalog:
                           value: AC-19a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-19_smt.a'
+                      rel: assessment-for
                 - id: ac-19_obj.b
                   name: assessment-objective
                   props:
@@ -5194,6 +5643,12 @@ catalog:
                       value: AC-19b.
                       class: sp800-53a
                   prose: the connection of mobile devices to organizational systems is authorized.
+                  links:
+                    - href: '#ac-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-19_smt'
+                  rel: assessment-for
             - id: ac-19_asm-examine
               name: assessment-method
               props:
@@ -5315,6 +5770,9 @@ catalog:
                       value: AC-19(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.'
+                  links:
+                    - href: '#ac-19.5_smt'
+                      rel: assessment-for
                 - id: ac-19.5_asm-examine
                   name: assessment-method
                   props:
@@ -5514,16 +5972,25 @@ catalog:
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.1
+                          value: AC-20a.01
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.1'
+                          rel: assessment-for
                     - id: ac-20_obj.a.2
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.2
+                          value: AC-20a.02
                           class: sp800-53a
                       prose: ' {{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20_smt.a'
+                      rel: assessment-for
                 - id: ac-20_obj.b
                   name: assessment-objective
                   props:
@@ -5531,6 +5998,12 @@ catalog:
                       value: AC-20b.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).'
+                  links:
+                    - href: '#ac-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-20_smt'
+                  rel: assessment-for
             - id: ac-20_asm-examine
               name: assessment-method
               props:
@@ -5641,6 +6114,9 @@ catalog:
                           value: AC-20(01)(a)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);
+                      links:
+                        - href: '#ac-20.1_smt.a'
+                          rel: assessment-for
                     - id: ac-20.1_obj.b
                       name: assessment-objective
                       props:
@@ -5648,6 +6124,12 @@ catalog:
                           value: AC-20(01)(b)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
+                      links:
+                        - href: '#ac-20.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20.1_smt'
+                      rel: assessment-for
                 - id: ac-20.1_asm-examine
                   name: assessment-method
                   props:
@@ -5744,6 +6226,9 @@ catalog:
                       value: AC-20(02)
                       class: sp800-53a
                   prose: 'the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.'
+                  links:
+                    - href: '#ac-20.2_smt'
+                      rel: assessment-for
                 - id: ac-20.2_asm-examine
                   name: assessment-method
                   props:
@@ -5893,6 +6378,9 @@ catalog:
                       value: AC-21a.
                       class: sp800-53a
                   prose: 'authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};'
+                  links:
+                    - href: '#ac-21_smt.a'
+                      rel: assessment-for
                 - id: ac-21_obj.b
                   name: assessment-objective
                   props:
@@ -5900,6 +6388,12 @@ catalog:
                       value: AC-21b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.'
+                  links:
+                    - href: '#ac-21_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-21_smt'
+                  rel: assessment-for
             - id: ac-21_asm-examine
               name: assessment-method
               props:
@@ -6049,6 +6543,9 @@ catalog:
                       value: AC-22a.
                       class: sp800-53a
                   prose: designated individuals are authorized to make information publicly accessible;
+                  links:
+                    - href: '#ac-22_smt.a'
+                      rel: assessment-for
                 - id: ac-22_obj.b
                   name: assessment-objective
                   props:
@@ -6056,6 +6553,9 @@ catalog:
                       value: AC-22b.
                       class: sp800-53a
                   prose: authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
+                  links:
+                    - href: '#ac-22_smt.b'
+                      rel: assessment-for
                 - id: ac-22_obj.c
                   name: assessment-objective
                   props:
@@ -6063,6 +6563,9 @@ catalog:
                       value: AC-22c.
                       class: sp800-53a
                   prose: the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
+                  links:
+                    - href: '#ac-22_smt.c'
+                      rel: assessment-for
                 - id: ac-22_obj.d
                   name: assessment-objective
                   props:
@@ -6077,6 +6580,9 @@ catalog:
                           value: AC-22d.[01]
                           class: sp800-53a
                       prose: 'the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};'
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
                     - id: ac-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -6084,6 +6590,15 @@ catalog:
                           value: AC-22d.[02]
                           class: sp800-53a
                       prose: non-public information is removed from the publicly accessible system, if discovered.
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ac-22_smt'
+                  rel: assessment-for
             - id: ac-22_asm-examine
               name: assessment-method
               props:
@@ -6356,6 +6871,9 @@ catalog:
                           value: AT-01a.[01]
                           class: sp800-53a
                       prose: 'an awareness and training policy is developed and documented; '
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -6363,6 +6881,9 @@ catalog:
                           value: AT-01a.[02]
                           class: sp800-53a
                       prose: 'the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -6370,6 +6891,9 @@ catalog:
                           value: AT-01a.[03]
                           class: sp800-53a
                       prose: awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -6377,6 +6901,9 @@ catalog:
                           value: AT-01a.[04]
                           class: sp800-53a
                       prose: 'the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -6398,6 +6925,9 @@ catalog:
                                   value: AT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -6405,6 +6935,9 @@ catalog:
                                   value: AT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -6412,6 +6945,9 @@ catalog:
                                   value: AT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -6419,6 +6955,9 @@ catalog:
                                   value: AT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -6426,6 +6965,9 @@ catalog:
                                   value: AT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -6433,6 +6975,9 @@ catalog:
                                   value: AT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -6440,6 +6985,12 @@ catalog:
                                   value: AT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#at-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: at-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -6447,6 +6998,15 @@ catalog:
                               value: AT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and'
+                          links:
+                            - href: '#at-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.a'
+                      rel: assessment-for
                 - id: at-1_obj.b
                   name: assessment-objective
                   props:
@@ -6454,6 +7014,9 @@ catalog:
                       value: AT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;'
+                  links:
+                    - href: '#at-1_smt.b'
+                      rel: assessment-for
                 - id: at-1_obj.c
                   name: assessment-objective
                   props:
@@ -6475,6 +7038,9 @@ catalog:
                               value: AT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; '
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
                         - id: at-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -6482,6 +7048,12 @@ catalog:
                               value: AT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};'
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.1'
+                          rel: assessment-for
                     - id: at-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -6496,6 +7068,9 @@ catalog:
                               value: AT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
                         - id: at-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -6503,6 +7078,18 @@ catalog:
                               value: AT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-1_smt'
+                  rel: assessment-for
             - id: at-1_asm-examine
               name: assessment-method
               props:
@@ -6755,6 +7342,9 @@ catalog:
                               value: AT-02a.01[01]
                               class: sp800-53a
                           prose: security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -6762,6 +7352,9 @@ catalog:
                               value: AT-02a.01[02]
                               class: sp800-53a
                           prose: privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -6769,6 +7362,9 @@ catalog:
                               value: AT-02a.01[03]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -6776,6 +7372,12 @@ catalog:
                               value: AT-02a.01[04]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.1'
+                          rel: assessment-for
                     - id: at-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -6790,6 +7392,9 @@ catalog:
                               value: AT-02a.02[01]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
                         - id: at-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -6797,6 +7402,15 @@ catalog:
                               value: AT-02a.02[02]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.a'
+                      rel: assessment-for
                 - id: at-2_obj.b
                   name: assessment-objective
                   props:
@@ -6804,6 +7418,9 @@ catalog:
                       value: AT-02b.
                       class: sp800-53a
                   prose: ' {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;'
+                  links:
+                    - href: '#at-2_smt.b'
+                      rel: assessment-for
                 - id: at-2_obj.c
                   name: assessment-objective
                   props:
@@ -6818,6 +7435,9 @@ catalog:
                           value: AT-02c.[01]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
                     - id: at-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -6825,6 +7445,12 @@ catalog:
                           value: AT-02c.[02]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.c'
+                      rel: assessment-for
                 - id: at-2_obj.d
                   name: assessment-objective
                   props:
@@ -6832,6 +7458,12 @@ catalog:
                       value: AT-02d.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
+                  links:
+                    - href: '#at-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#at-2_smt'
+                  rel: assessment-for
             - id: at-2_asm-examine
               name: assessment-method
               props:
@@ -6934,6 +7566,9 @@ catalog:
                           value: AT-02(02)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential indicators of insider threat is provided;
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
                     - id: at-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -6941,6 +7576,12 @@ catalog:
                           value: AT-02(02)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential indicators of insider threat is provided.
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.2_smt'
+                      rel: assessment-for
                 - id: at-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -7024,6 +7665,9 @@ catalog:
                           value: AT-02(03)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-2
                       name: assessment-objective
                       props:
@@ -7031,6 +7675,9 @@ catalog:
                           value: AT-02(03)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-3
                       name: assessment-objective
                       props:
@@ -7038,6 +7685,9 @@ catalog:
                           value: AT-02(03)[03]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social mining is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-4
                       name: assessment-objective
                       props:
@@ -7045,6 +7695,12 @@ catalog:
                           value: AT-02(03)[04]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social mining is provided.
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.3_smt'
+                      rel: assessment-for
                 - id: at-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -7280,6 +7936,9 @@ catalog:
                               value: AT-03a.01[01]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -7287,6 +7946,9 @@ catalog:
                               value: AT-03a.01[02]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -7294,6 +7956,9 @@ catalog:
                               value: AT-03a.01[03]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -7301,6 +7966,12 @@ catalog:
                               value: AT-03a.01[04]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.1'
+                          rel: assessment-for
                     - id: at-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -7315,6 +7986,9 @@ catalog:
                               value: AT-03a.02[01]
                               class: sp800-53a
                           prose: role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
                         - id: at-3_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -7322,6 +7996,15 @@ catalog:
                               value: AT-03a.02[02]
                               class: sp800-53a
                           prose: role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.a'
+                      rel: assessment-for
                 - id: at-3_obj.b
                   name: assessment-objective
                   props:
@@ -7336,6 +8019,9 @@ catalog:
                           value: AT-03b.[01]
                           class: sp800-53a
                       prose: 'role-based training content is updated {{ insert: param, at-03_odp.04 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
                     - id: at-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -7343,6 +8029,12 @@ catalog:
                           value: AT-03b.[02]
                           class: sp800-53a
                       prose: 'role-based training content is updated following {{ insert: param, at-03_odp.05 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.b'
+                      rel: assessment-for
                 - id: at-3_obj.c
                   name: assessment-objective
                   props:
@@ -7350,6 +8042,12 @@ catalog:
                       value: AT-03c.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
+                  links:
+                    - href: '#at-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-3_smt'
+                  rel: assessment-for
             - id: at-3_asm-examine
               name: assessment-method
               props:
@@ -7489,6 +8187,9 @@ catalog:
                           value: AT-04a.[01]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
                     - id: at-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -7496,6 +8197,12 @@ catalog:
                           value: AT-04a.[02]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-4_smt.a'
+                      rel: assessment-for
                 - id: at-4_obj.b
                   name: assessment-objective
                   props:
@@ -7503,6 +8210,12 @@ catalog:
                       value: AT-04b.
                       class: sp800-53a
                   prose: 'individual training records are retained for {{ insert: param, at-04_odp }}.'
+                  links:
+                    - href: '#at-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#at-4_smt'
+                  rel: assessment-for
             - id: at-4_asm-examine
               name: assessment-method
               props:
@@ -7760,6 +8473,9 @@ catalog:
                           value: AU-01a.[01]
                           class: sp800-53a
                       prose: an audit and accountability policy is developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -7767,6 +8483,9 @@ catalog:
                           value: AU-01a.[02]
                           class: sp800-53a
                       prose: 'the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -7774,6 +8493,9 @@ catalog:
                           value: AU-01a.[03]
                           class: sp800-53a
                       prose: audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -7781,6 +8503,9 @@ catalog:
                           value: AU-01a.[04]
                           class: sp800-53a
                       prose: 'the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -7802,6 +8527,9 @@ catalog:
                                   value: AU-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -7809,6 +8537,9 @@ catalog:
                                   value: AU-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -7816,6 +8547,9 @@ catalog:
                                   value: AU-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -7823,6 +8557,9 @@ catalog:
                                   value: AU-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -7830,6 +8567,9 @@ catalog:
                                   value: AU-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -7837,6 +8577,9 @@ catalog:
                                   value: AU-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -7844,6 +8587,12 @@ catalog:
                                   value: AU-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#au-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: au-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -7851,6 +8600,15 @@ catalog:
                               value: AU-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#au-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.a'
+                      rel: assessment-for
                 - id: au-1_obj.b
                   name: assessment-objective
                   props:
@@ -7858,6 +8616,9 @@ catalog:
                       value: AU-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;'
+                  links:
+                    - href: '#au-1_smt.b'
+                      rel: assessment-for
                 - id: au-1_obj.c
                   name: assessment-objective
                   props:
@@ -7879,6 +8640,9 @@ catalog:
                               value: AU-01c.01[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
                         - id: au-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -7886,6 +8650,12 @@ catalog:
                               value: AU-01c.01[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.1'
+                          rel: assessment-for
                     - id: au-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -7900,6 +8670,9 @@ catalog:
                               value: AU-01c.02[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
                         - id: au-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -7907,6 +8680,18 @@ catalog:
                               value: AU-01c.02[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-1_smt'
+                  rel: assessment-for
             - id: au-1_asm-examine
               name: assessment-method
               props:
@@ -8133,6 +8918,9 @@ catalog:
                       value: AU-02a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;'
+                  links:
+                    - href: '#au-2_smt.a'
+                      rel: assessment-for
                 - id: au-2_obj.b
                   name: assessment-objective
                   props:
@@ -8140,6 +8928,9 @@ catalog:
                       value: AU-02b.
                       class: sp800-53a
                   prose: the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+                  links:
+                    - href: '#au-2_smt.b'
+                      rel: assessment-for
                 - id: au-2_obj.c
                   name: assessment-objective
                   props:
@@ -8154,6 +8945,9 @@ catalog:
                           value: AU-02c.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, au-02_odp.02 }} are specified for logging within the system;'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
                     - id: au-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -8161,6 +8955,12 @@ catalog:
                           value: AU-02c.[02]
                           class: sp800-53a
                       prose: 'the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-2_smt.c'
+                      rel: assessment-for
                 - id: au-2_obj.d
                   name: assessment-objective
                   props:
@@ -8168,6 +8968,9 @@ catalog:
                       value: AU-02d.
                       class: sp800-53a
                   prose: a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+                  links:
+                    - href: '#au-2_smt.d'
+                      rel: assessment-for
                 - id: au-2_obj.e
                   name: assessment-objective
                   props:
@@ -8175,6 +8978,12 @@ catalog:
                       value: AU-02e.
                       class: sp800-53a
                   prose: 'the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.'
+                  links:
+                    - href: '#au-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#au-2_smt'
+                  rel: assessment-for
             - id: au-2_asm-examine
               name: assessment-method
               props:
@@ -8328,6 +9137,9 @@ catalog:
                       value: AU-03a.
                       class: sp800-53a
                   prose: audit records contain information that establishes what type of event occurred;
+                  links:
+                    - href: '#au-3_smt.a'
+                      rel: assessment-for
                 - id: au-3_obj.b
                   name: assessment-objective
                   props:
@@ -8335,6 +9147,9 @@ catalog:
                       value: AU-03b.
                       class: sp800-53a
                   prose: audit records contain information that establishes when the event occurred;
+                  links:
+                    - href: '#au-3_smt.b'
+                      rel: assessment-for
                 - id: au-3_obj.c
                   name: assessment-objective
                   props:
@@ -8342,6 +9157,9 @@ catalog:
                       value: AU-03c.
                       class: sp800-53a
                   prose: audit records contain information that establishes where the event occurred;
+                  links:
+                    - href: '#au-3_smt.c'
+                      rel: assessment-for
                 - id: au-3_obj.d
                   name: assessment-objective
                   props:
@@ -8349,6 +9167,9 @@ catalog:
                       value: AU-03d.
                       class: sp800-53a
                   prose: audit records contain information that establishes the source of the event;
+                  links:
+                    - href: '#au-3_smt.d'
+                      rel: assessment-for
                 - id: au-3_obj.e
                   name: assessment-objective
                   props:
@@ -8356,6 +9177,9 @@ catalog:
                       value: AU-03e.
                       class: sp800-53a
                   prose: audit records contain information that establishes the outcome of the event;
+                  links:
+                    - href: '#au-3_smt.e'
+                      rel: assessment-for
                 - id: au-3_obj.f
                   name: assessment-objective
                   props:
@@ -8363,6 +9187,12 @@ catalog:
                       value: AU-03f.
                       class: sp800-53a
                   prose: audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+                  links:
+                    - href: '#au-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#au-3_smt'
+                  rel: assessment-for
             - id: au-3_asm-examine
               name: assessment-method
               props:
@@ -8466,6 +9296,9 @@ catalog:
                       value: AU-03(01)
                       class: sp800-53a
                   prose: 'generated audit records contain the following {{ insert: param, au-03.01_odp }}.'
+                  links:
+                    - href: '#au-3.1_smt'
+                      rel: assessment-for
                 - id: au-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -8587,6 +9420,9 @@ catalog:
                   value: AU-04
                   class: sp800-53a
               prose: 'audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.'
+              links:
+                - href: '#au-4_smt'
+                  rel: assessment-for
             - id: au-4_asm-examine
               name: assessment-method
               props:
@@ -8746,6 +9582,9 @@ catalog:
                       value: AU-05a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};'
+                  links:
+                    - href: '#au-5_smt.a'
+                      rel: assessment-for
                 - id: au-5_obj.b
                   name: assessment-objective
                   props:
@@ -8753,6 +9592,12 @@ catalog:
                       value: AU-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.'
+                  links:
+                    - href: '#au-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-5_smt'
+                  rel: assessment-for
             - id: au-5_asm-examine
               name: assessment-method
               props:
@@ -8965,6 +9810,9 @@ catalog:
                       value: AU-06a.
                       class: sp800-53a
                   prose: 'system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;'
+                  links:
+                    - href: '#au-6_smt.a'
+                      rel: assessment-for
                 - id: au-6_obj.b
                   name: assessment-objective
                   props:
@@ -8972,6 +9820,9 @@ catalog:
                       value: AU-06b.
                       class: sp800-53a
                   prose: 'findings are reported to {{ insert: param, au-06_odp.03 }};'
+                  links:
+                    - href: '#au-6_smt.b'
+                      rel: assessment-for
                 - id: au-6_obj.c
                   name: assessment-objective
                   props:
@@ -8979,6 +9830,12 @@ catalog:
                       value: AU-06c.
                       class: sp800-53a
                   prose: the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
+                  links:
+                    - href: '#au-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-6_smt'
+                  rel: assessment-for
             - id: au-6_asm-examine
               name: assessment-method
               props:
@@ -9067,6 +9924,9 @@ catalog:
                       value: AU-06(01)
                       class: sp800-53a
                   prose: 'audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.'
+                  links:
+                    - href: '#au-6.1_smt'
+                      rel: assessment-for
                 - id: au-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -9161,6 +10021,9 @@ catalog:
                       value: AU-06(03)
                       class: sp800-53a
                   prose: audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
+                  links:
+                    - href: '#au-6.3_smt'
+                      rel: assessment-for
                 - id: au-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -9300,6 +10163,9 @@ catalog:
                           value: AU-07a.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
                     - id: au-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -9307,6 +10173,12 @@ catalog:
                           value: AU-07a.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.a'
+                      rel: assessment-for
                 - id: au-7_obj.b
                   name: assessment-objective
                   props:
@@ -9321,6 +10193,9 @@ catalog:
                           value: AU-07b.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
                     - id: au-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -9328,6 +10203,15 @@ catalog:
                           value: AU-07b.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-7_smt'
+                  rel: assessment-for
             - id: au-7_asm-examine
               name: assessment-method
               props:
@@ -9437,6 +10321,9 @@ catalog:
                           value: AU-07(01)[01]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
                     - id: au-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -9444,6 +10331,12 @@ catalog:
                           value: AU-07(01)[02]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7.1_smt'
+                      rel: assessment-for
                 - id: au-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -9571,6 +10464,9 @@ catalog:
                       value: AU-08a.
                       class: sp800-53a
                   prose: internal system clocks are used to generate timestamps for audit records;
+                  links:
+                    - href: '#au-8_smt.a'
+                      rel: assessment-for
                 - id: au-8_obj.b
                   name: assessment-objective
                   props:
@@ -9578,6 +10474,12 @@ catalog:
                       value: AU-08b.
                       class: sp800-53a
                   prose: 'timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.'
+                  links:
+                    - href: '#au-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-8_smt'
+                  rel: assessment-for
             - id: au-8_asm-examine
               name: assessment-method
               props:
@@ -9727,6 +10629,9 @@ catalog:
                       value: AU-09a.
                       class: sp800-53a
                   prose: audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
+                  links:
+                    - href: '#au-9_smt.a'
+                      rel: assessment-for
                 - id: au-9_obj.b
                   name: assessment-objective
                   props:
@@ -9734,6 +10639,12 @@ catalog:
                       value: AU-09b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.'
+                  links:
+                    - href: '#au-9_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-9_smt'
+                  rel: assessment-for
             - id: au-9_asm-examine
               name: assessment-method
               props:
@@ -9841,6 +10752,9 @@ catalog:
                       value: AU-09(04)
                       class: sp800-53a
                   prose: 'access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.'
+                  links:
+                    - href: '#au-9.4_smt'
+                      rel: assessment-for
                 - id: au-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -9968,6 +10882,9 @@ catalog:
                   value: AU-11
                   class: sp800-53a
               prose: 'audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
+              links:
+                - href: '#au-11_smt'
+                  rel: assessment-for
             - id: au-11_asm-examine
               name: assessment-method
               props:
@@ -10129,6 +11046,9 @@ catalog:
                       value: AU-12a.
                       class: sp800-53a
                   prose: 'audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};'
+                  links:
+                    - href: '#au-12_smt.a'
+                      rel: assessment-for
                 - id: au-12_obj.b
                   name: assessment-objective
                   props:
@@ -10136,6 +11056,9 @@ catalog:
                       value: AU-12b.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;'
+                  links:
+                    - href: '#au-12_smt.b'
+                      rel: assessment-for
                 - id: au-12_obj.c
                   name: assessment-objective
                   props:
@@ -10143,6 +11066,12 @@ catalog:
                       value: AU-12c.
                       class: sp800-53a
                   prose: audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
+                  links:
+                    - href: '#au-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-12_smt'
+                  rel: assessment-for
             - id: au-12_asm-examine
               name: assessment-method
               props:
@@ -10425,6 +11354,9 @@ catalog:
                           value: CA-01a.[01]
                           class: sp800-53a
                       prose: an assessment, authorization, and monitoring policy is developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -10432,6 +11364,9 @@ catalog:
                           value: CA-01a.[02]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -10439,6 +11374,9 @@ catalog:
                           value: CA-01a.[03]
                           class: sp800-53a
                       prose: assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -10446,6 +11384,9 @@ catalog:
                           value: CA-01a.[04]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -10467,6 +11408,9 @@ catalog:
                                   value: CA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -10474,6 +11418,9 @@ catalog:
                                   value: CA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -10481,6 +11428,9 @@ catalog:
                                   value: CA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -10488,6 +11438,9 @@ catalog:
                                   value: CA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -10495,6 +11448,9 @@ catalog:
                                   value: CA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -10502,6 +11458,9 @@ catalog:
                                   value: CA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -10509,6 +11468,12 @@ catalog:
                                   value: CA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ca-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ca-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -10516,6 +11481,15 @@ catalog:
                               value: CA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ca-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.a'
+                      rel: assessment-for
                 - id: ca-1_obj.b
                   name: assessment-objective
                   props:
@@ -10523,6 +11497,9 @@ catalog:
                       value: CA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;'
+                  links:
+                    - href: '#ca-1_smt.b'
+                      rel: assessment-for
                 - id: ca-1_obj.c
                   name: assessment-objective
                   props:
@@ -10544,6 +11521,9 @@ catalog:
                               value: CA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
                         - id: ca-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -10551,6 +11531,12 @@ catalog:
                               value: CA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};'
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.1'
+                          rel: assessment-for
                     - id: ca-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -10565,6 +11551,9 @@ catalog:
                               value: CA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
                         - id: ca-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -10572,6 +11561,18 @@ catalog:
                               value: CA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.'
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-1_smt'
+                  rel: assessment-for
             - id: ca-1_asm-examine
               name: assessment-method
               props:
@@ -10779,6 +11780,9 @@ catalog:
                       value: CA-02a.
                       class: sp800-53a
                   prose: an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
+                  links:
+                    - href: '#ca-2_smt.a'
+                      rel: assessment-for
                 - id: ca-2_obj.b
                   name: assessment-objective
                   props:
@@ -10793,6 +11797,9 @@ catalog:
                           value: CA-02b.01
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
+                      links:
+                        - href: '#ca-2_smt.b.1'
+                          rel: assessment-for
                     - id: ca-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -10800,6 +11807,9 @@ catalog:
                           value: CA-02b.02
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
+                      links:
+                        - href: '#ca-2_smt.b.2'
+                          rel: assessment-for
                     - id: ca-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -10814,6 +11824,9 @@ catalog:
                               value: CA-02b.03[01]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -10821,6 +11834,9 @@ catalog:
                               value: CA-02b.03[02]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-3
                           name: assessment-objective
                           props:
@@ -10828,6 +11844,15 @@ catalog:
                               value: CA-02b.03[03]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.b'
+                      rel: assessment-for
                 - id: ca-2_obj.c
                   name: assessment-objective
                   props:
@@ -10835,6 +11860,9 @@ catalog:
                       value: CA-02c.
                       class: sp800-53a
                   prose: the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+                  links:
+                    - href: '#ca-2_smt.c'
+                      rel: assessment-for
                 - id: ca-2_obj.d
                   name: assessment-objective
                   props:
@@ -10849,6 +11877,9 @@ catalog:
                           value: CA-02d.[01]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
                     - id: ca-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -10856,6 +11887,12 @@ catalog:
                           value: CA-02d.[02]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.d'
+                      rel: assessment-for
                 - id: ca-2_obj.e
                   name: assessment-objective
                   props:
@@ -10863,6 +11900,9 @@ catalog:
                       value: CA-02e.
                       class: sp800-53a
                   prose: a control assessment report is produced that documents the results of the assessment;
+                  links:
+                    - href: '#ca-2_smt.e'
+                      rel: assessment-for
                 - id: ca-2_obj.f
                   name: assessment-objective
                   props:
@@ -10870,6 +11910,12 @@ catalog:
                       value: CA-02f.
                       class: sp800-53a
                   prose: 'the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.'
+                  links:
+                    - href: '#ca-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ca-2_smt'
+                  rel: assessment-for
             - id: ca-2_asm-examine
               name: assessment-method
               props:
@@ -10964,6 +12010,9 @@ catalog:
                       value: CA-02(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to conduct control assessments.
+                  links:
+                    - href: '#ca-2.1_smt'
+                      rel: assessment-for
                 - id: ca-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -11136,6 +12185,9 @@ catalog:
                       value: CA-03a.
                       class: sp800-53a
                   prose: 'the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};'
+                  links:
+                    - href: '#ca-3_smt.a'
+                      rel: assessment-for
                 - id: ca-3_obj.b
                   name: assessment-objective
                   props:
@@ -11150,6 +12202,9 @@ catalog:
                           value: CA-03b.[01]
                           class: sp800-53a
                       prose: the interface characteristics are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -11157,6 +12212,9 @@ catalog:
                           value: CA-03b.[02]
                           class: sp800-53a
                       prose: security requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-3
                       name: assessment-objective
                       props:
@@ -11164,6 +12222,9 @@ catalog:
                           value: CA-03b.[03]
                           class: sp800-53a
                       prose: privacy requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-4
                       name: assessment-objective
                       props:
@@ -11171,6 +12232,9 @@ catalog:
                           value: CA-03b.[04]
                           class: sp800-53a
                       prose: controls are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-5
                       name: assessment-objective
                       props:
@@ -11178,6 +12242,9 @@ catalog:
                           value: CA-03b.[05]
                           class: sp800-53a
                       prose: responsibilities for each system are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-6
                       name: assessment-objective
                       props:
@@ -11185,6 +12252,12 @@ catalog:
                           value: CA-03b.[06]
                           class: sp800-53a
                       prose: the impact level of the information communicated is documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-3_smt.b'
+                      rel: assessment-for
                 - id: ca-3_obj.c
                   name: assessment-objective
                   props:
@@ -11192,6 +12265,12 @@ catalog:
                       value: CA-03c.
                       class: sp800-53a
                   prose: 'agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.'
+                  links:
+                    - href: '#ca-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-3_smt'
+                  rel: assessment-for
             - id: ca-3_asm-examine
               name: assessment-method
               props:
@@ -11330,6 +12409,9 @@ catalog:
                       value: CA-05a.
                       class: sp800-53a
                   prose: a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
+                  links:
+                    - href: '#ca-5_smt.a'
+                      rel: assessment-for
                 - id: ca-5_obj.b
                   name: assessment-objective
                   props:
@@ -11337,6 +12419,12 @@ catalog:
                       value: CA-05b.
                       class: sp800-53a
                   prose: 'existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.'
+                  links:
+                    - href: '#ca-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ca-5_smt'
+                  rel: assessment-for
             - id: ca-5_asm-examine
               name: assessment-method
               props:
@@ -11511,6 +12599,9 @@ catalog:
                       value: CA-06a.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for the system;
+                  links:
+                    - href: '#ca-6_smt.a'
+                      rel: assessment-for
                 - id: ca-6_obj.b
                   name: assessment-objective
                   props:
@@ -11518,6 +12609,9 @@ catalog:
                       value: CA-06b.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.b'
+                      rel: assessment-for
                 - id: ca-6_obj.c
                   name: assessment-objective
                   props:
@@ -11532,6 +12626,9 @@ catalog:
                           value: CA-06c.01
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
+                      links:
+                        - href: '#ca-6_smt.c.1'
+                          rel: assessment-for
                     - id: ca-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -11539,6 +12636,12 @@ catalog:
                           value: CA-06c.02
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system authorizes the system to operate;
+                      links:
+                        - href: '#ca-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6_smt.c'
+                      rel: assessment-for
                 - id: ca-6_obj.d
                   name: assessment-objective
                   props:
@@ -11546,6 +12649,9 @@ catalog:
                       value: CA-06d.
                       class: sp800-53a
                   prose: the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.d'
+                      rel: assessment-for
                 - id: ca-6_obj.e
                   name: assessment-objective
                   props:
@@ -11553,6 +12659,12 @@ catalog:
                       value: CA-06e.
                       class: sp800-53a
                   prose: 'the authorizations are updated {{ insert: param, ca-06_odp }}.'
+                  links:
+                    - href: '#ca-6_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ca-6_smt'
+                  rel: assessment-for
             - id: ca-6_asm-examine
               name: assessment-method
               props:
@@ -11885,6 +12997,9 @@ catalog:
                       value: CA-07[01]
                       class: sp800-53a
                   prose: a system-level continuous monitoring strategy is developed;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj-2
                   name: assessment-objective
                   props:
@@ -11892,6 +13007,9 @@ catalog:
                       value: CA-07[02]
                       class: sp800-53a
                   prose: system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj.a
                   name: assessment-objective
                   props:
@@ -11899,6 +13017,9 @@ catalog:
                       value: CA-07a.
                       class: sp800-53a
                   prose: 'system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};'
+                  links:
+                    - href: '#ca-7_smt.a'
+                      rel: assessment-for
                 - id: ca-7_obj.b
                   name: assessment-objective
                   props:
@@ -11913,6 +13034,9 @@ catalog:
                           value: CA-07b.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
                     - id: ca-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -11920,6 +13044,12 @@ catalog:
                           value: CA-07b.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.b'
+                      rel: assessment-for
                 - id: ca-7_obj.c
                   name: assessment-objective
                   props:
@@ -11927,6 +13057,9 @@ catalog:
                       value: CA-07c.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.c'
+                      rel: assessment-for
                 - id: ca-7_obj.d
                   name: assessment-objective
                   props:
@@ -11934,6 +13067,9 @@ catalog:
                       value: CA-07d.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.d'
+                      rel: assessment-for
                 - id: ca-7_obj.e
                   name: assessment-objective
                   props:
@@ -11941,6 +13077,9 @@ catalog:
                       value: CA-07e.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
+                  links:
+                    - href: '#ca-7_smt.e'
+                      rel: assessment-for
                 - id: ca-7_obj.f
                   name: assessment-objective
                   props:
@@ -11948,6 +13087,9 @@ catalog:
                       value: CA-07f.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
+                  links:
+                    - href: '#ca-7_smt.f'
+                      rel: assessment-for
                 - id: ca-7_obj.g
                   name: assessment-objective
                   props:
@@ -11962,6 +13104,9 @@ catalog:
                           value: CA-07g.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
                     - id: ca-7_obj.g-2
                       name: assessment-objective
                       props:
@@ -11969,6 +13114,15 @@ catalog:
                           value: CA-07g.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ca-7_smt'
+                  rel: assessment-for
             - id: ca-7_asm-examine
               name: assessment-method
               props:
@@ -12077,6 +13231,9 @@ catalog:
                       value: CA-07(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
+                  links:
+                    - href: '#ca-7.1_smt'
+                      rel: assessment-for
                 - id: ca-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -12191,6 +13348,9 @@ catalog:
                           value: CA-07(04)(a)
                           class: sp800-53a
                       prose: effectiveness monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.a'
+                          rel: assessment-for
                     - id: ca-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -12198,6 +13358,9 @@ catalog:
                           value: CA-07(04)(b)
                           class: sp800-53a
                       prose: compliance monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.b'
+                          rel: assessment-for
                     - id: ca-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -12205,6 +13368,12 @@ catalog:
                           value: CA-07(04)(c)
                           class: sp800-53a
                       prose: change monitoring is included in risk monitoring.
+                      links:
+                        - href: '#ca-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.4_smt'
+                      rel: assessment-for
                 - id: ca-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -12384,6 +13553,9 @@ catalog:
                       value: CA-09a.
                       class: sp800-53a
                   prose: 'internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;'
+                  links:
+                    - href: '#ca-9_smt.a'
+                      rel: assessment-for
                 - id: ca-9_obj.b
                   name: assessment-objective
                   props:
@@ -12398,6 +13570,9 @@ catalog:
                           value: CA-09b.[01]
                           class: sp800-53a
                       prose: for each internal connection, the interface characteristics are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -12405,6 +13580,9 @@ catalog:
                           value: CA-09b.[02]
                           class: sp800-53a
                       prose: for each internal connection, the security requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-3
                       name: assessment-objective
                       props:
@@ -12412,6 +13590,9 @@ catalog:
                           value: CA-09b.[03]
                           class: sp800-53a
                       prose: for each internal connection, the privacy requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-4
                       name: assessment-objective
                       props:
@@ -12419,6 +13600,12 @@ catalog:
                           value: CA-09b.[04]
                           class: sp800-53a
                       prose: for each internal connection, the nature of the information communicated is documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-9_smt.b'
+                      rel: assessment-for
                 - id: ca-9_obj.c
                   name: assessment-objective
                   props:
@@ -12426,6 +13613,9 @@ catalog:
                       value: CA-09c.
                       class: sp800-53a
                   prose: 'internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};'
+                  links:
+                    - href: '#ca-9_smt.c'
+                      rel: assessment-for
                 - id: ca-9_obj.d
                   name: assessment-objective
                   props:
@@ -12433,6 +13623,12 @@ catalog:
                       value: CA-09d.
                       class: sp800-53a
                   prose: 'the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.'
+                  links:
+                    - href: '#ca-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ca-9_smt'
+                  rel: assessment-for
             - id: ca-9_asm-examine
               name: assessment-method
               props:
@@ -12709,6 +13905,9 @@ catalog:
                           value: CM-01a.[01]
                           class: sp800-53a
                       prose: a configuration management policy is developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -12716,6 +13915,9 @@ catalog:
                           value: CM-01a.[02]
                           class: sp800-53a
                       prose: 'the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -12723,6 +13925,9 @@ catalog:
                           value: CM-01a.[03]
                           class: sp800-53a
                       prose: configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -12730,6 +13935,9 @@ catalog:
                           value: CM-01a.[04]
                           class: sp800-53a
                       prose: 'the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -12751,6 +13959,9 @@ catalog:
                                   value: CM-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -12758,6 +13969,9 @@ catalog:
                                   value: CM-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -12765,6 +13979,9 @@ catalog:
                                   value: CM-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -12772,6 +13989,9 @@ catalog:
                                   value: CM-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -12779,6 +13999,9 @@ catalog:
                                   value: CM-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -12786,6 +14009,9 @@ catalog:
                                   value: CM-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -12793,6 +14019,12 @@ catalog:
                                   value: CM-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cm-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cm-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -12800,6 +14032,15 @@ catalog:
                               value: CM-01a.01(b)
                               class: sp800-53a
                           prose: the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#cm-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.a'
+                      rel: assessment-for
                 - id: cm-1_obj.b
                   name: assessment-objective
                   props:
@@ -12807,6 +14048,9 @@ catalog:
                       value: CM-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;'
+                  links:
+                    - href: '#cm-1_smt.b'
+                      rel: assessment-for
                 - id: cm-1_obj.c
                   name: assessment-objective
                   props:
@@ -12828,6 +14072,9 @@ catalog:
                               value: CM-01c.01[01]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
                         - id: cm-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -12835,6 +14082,12 @@ catalog:
                               value: CM-01c.01[02]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};'
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.1'
+                          rel: assessment-for
                     - id: cm-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -12849,6 +14102,9 @@ catalog:
                               value: CM-01c.02[01]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
                         - id: cm-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -12856,6 +14112,18 @@ catalog:
                               value: CM-01c.02[02]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.'
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-1_smt'
+                  rel: assessment-for
             - id: cm-1_asm-examine
               name: assessment-method
               props:
@@ -13038,6 +14306,9 @@ catalog:
                           value: CM-02a.[01]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is developed and documented;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
                     - id: cm-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -13045,6 +14316,12 @@ catalog:
                           value: CM-02a.[02]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is maintained under configuration control;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.a'
+                      rel: assessment-for
                 - id: cm-2_obj.b
                   name: assessment-objective
                   props:
@@ -13059,6 +14336,9 @@ catalog:
                           value: CM-02b.01
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};'
+                      links:
+                        - href: '#cm-2_smt.b.1'
+                          rel: assessment-for
                     - id: cm-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -13066,6 +14346,9 @@ catalog:
                           value: CM-02b.02
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};'
+                      links:
+                        - href: '#cm-2_smt.b.2'
+                          rel: assessment-for
                     - id: cm-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -13073,6 +14356,15 @@ catalog:
                           value: CM-02b.03
                           class: sp800-53a
                       prose: the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
+                      links:
+                        - href: '#cm-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-2_smt'
+                  rel: assessment-for
             - id: cm-2_asm-examine
               name: assessment-method
               props:
@@ -13199,6 +14491,9 @@ catalog:
                           value: CM-02(02)[01]
                           class: sp800-53a
                       prose: 'the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -13206,6 +14501,9 @@ catalog:
                           value: CM-02(02)[02]
                           class: sp800-53a
                       prose: 'the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-3
                       name: assessment-objective
                       props:
@@ -13213,6 +14511,9 @@ catalog:
                           value: CM-02(02)[03]
                           class: sp800-53a
                       prose: 'the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-4
                       name: assessment-objective
                       props:
@@ -13220,6 +14521,12 @@ catalog:
                           value: CM-02(02)[04]
                           class: sp800-53a
                       prose: 'the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.2_smt'
+                      rel: assessment-for
                 - id: cm-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -13328,6 +14635,9 @@ catalog:
                       value: CM-02(03)
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.'
+                  links:
+                    - href: '#cm-2.3_smt'
+                      rel: assessment-for
                 - id: cm-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -13472,6 +14782,9 @@ catalog:
                           value: CM-02(07)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;'
+                      links:
+                        - href: '#cm-2.7_smt.a'
+                          rel: assessment-for
                     - id: cm-2.7_obj.b
                       name: assessment-objective
                       props:
@@ -13479,6 +14792,12 @@ catalog:
                           value: CM-02(07)(b)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.'
+                      links:
+                        - href: '#cm-2.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.7_smt'
+                      rel: assessment-for
                 - id: cm-2.7_asm-examine
                   name: assessment-method
                   props:
@@ -13729,6 +15048,9 @@ catalog:
                       value: CM-03a.
                       class: sp800-53a
                   prose: the types of changes to the system that are configuration-controlled are determined and documented;
+                  links:
+                    - href: '#cm-3_smt.a'
+                      rel: assessment-for
                 - id: cm-3_obj.b
                   name: assessment-objective
                   props:
@@ -13743,6 +15065,9 @@ catalog:
                           value: CM-03b.[01]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
                     - id: cm-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -13750,6 +15075,12 @@ catalog:
                           value: CM-03b.[02]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.b'
+                      rel: assessment-for
                 - id: cm-3_obj.c
                   name: assessment-objective
                   props:
@@ -13757,6 +15088,9 @@ catalog:
                       value: CM-03c.
                       class: sp800-53a
                   prose: configuration change decisions associated with the system are documented;
+                  links:
+                    - href: '#cm-3_smt.c'
+                      rel: assessment-for
                 - id: cm-3_obj.d
                   name: assessment-objective
                   props:
@@ -13764,6 +15098,9 @@ catalog:
                       value: CM-03d.
                       class: sp800-53a
                   prose: approved configuration-controlled changes to the system are implemented;
+                  links:
+                    - href: '#cm-3_smt.d'
+                      rel: assessment-for
                 - id: cm-3_obj.e
                   name: assessment-objective
                   props:
@@ -13771,6 +15108,9 @@ catalog:
                       value: CM-03e.
                       class: sp800-53a
                   prose: 'records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};'
+                  links:
+                    - href: '#cm-3_smt.e'
+                      rel: assessment-for
                 - id: cm-3_obj.f
                   name: assessment-objective
                   props:
@@ -13785,6 +15125,9 @@ catalog:
                           value: CM-03f.[01]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are monitored;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
                     - id: cm-3_obj.f-2
                       name: assessment-objective
                       props:
@@ -13792,6 +15135,12 @@ catalog:
                           value: CM-03f.[02]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.f'
+                      rel: assessment-for
                 - id: cm-3_obj.g
                   name: assessment-objective
                   props:
@@ -13806,6 +15155,9 @@ catalog:
                           value: CM-03g.[01]
                           class: sp800-53a
                       prose: 'configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
                     - id: cm-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -13813,6 +15165,15 @@ catalog:
                           value: CM-03g.[02]
                           class: sp800-53a
                       prose: 'the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#cm-3_smt'
+                  rel: assessment-for
             - id: cm-3_asm-examine
               name: assessment-method
               props:
@@ -13926,6 +15287,9 @@ catalog:
                           value: CM-03(02)[01]
                           class: sp800-53a
                       prose: changes to the system are tested before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-2
                       name: assessment-objective
                       props:
@@ -13933,6 +15297,9 @@ catalog:
                           value: CM-03(02)[02]
                           class: sp800-53a
                       prose: changes to the system are validated before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-3
                       name: assessment-objective
                       props:
@@ -13940,6 +15307,12 @@ catalog:
                           value: CM-03(02)[03]
                           class: sp800-53a
                       prose: changes to the system are documented before finalizing the implementation of the changes.
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.2_smt'
+                      rel: assessment-for
                 - id: cm-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -14085,6 +15458,9 @@ catalog:
                           value: CM-03(04)[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
                     - id: cm-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -14092,6 +15468,12 @@ catalog:
                           value: CM-03(04)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.4_smt'
+                      rel: assessment-for
                 - id: cm-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -14209,6 +15591,9 @@ catalog:
                       value: CM-04[01]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential security impacts prior to change implementation;
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
                 - id: cm-4_obj-2
                   name: assessment-objective
                   props:
@@ -14216,6 +15601,12 @@ catalog:
                       value: CM-04[02]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-4_smt'
+                  rel: assessment-for
             - id: cm-4_asm-examine
               name: assessment-method
               props:
@@ -14341,6 +15732,9 @@ catalog:
                           value: CM-04(02)[01]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-2
                       name: assessment-objective
                       props:
@@ -14348,6 +15742,9 @@ catalog:
                           value: CM-04(02)[02]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-3
                       name: assessment-objective
                       props:
@@ -14355,6 +15752,9 @@ catalog:
                           value: CM-04(02)[03]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-4
                       name: assessment-objective
                       props:
@@ -14362,6 +15762,9 @@ catalog:
                           value: CM-04(02)[04]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-5
                       name: assessment-objective
                       props:
@@ -14369,6 +15772,9 @@ catalog:
                           value: CM-04(02)[05]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-6
                       name: assessment-objective
                       props:
@@ -14376,6 +15782,12 @@ catalog:
                           value: CM-04(02)[06]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-4.2_smt'
+                      rel: assessment-for
                 - id: cm-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -14511,6 +15923,9 @@ catalog:
                       value: CM-05[01]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-2
                   name: assessment-objective
                   props:
@@ -14518,6 +15933,9 @@ catalog:
                       value: CM-05[02]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-3
                   name: assessment-objective
                   props:
@@ -14525,6 +15943,9 @@ catalog:
                       value: CM-05[03]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are enforced;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-4
                   name: assessment-objective
                   props:
@@ -14532,6 +15953,9 @@ catalog:
                       value: CM-05[04]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-5
                   name: assessment-objective
                   props:
@@ -14539,6 +15963,9 @@ catalog:
                       value: CM-05[05]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-6
                   name: assessment-objective
                   props:
@@ -14546,6 +15973,12 @@ catalog:
                       value: CM-05[06]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are enforced.
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-5_smt'
+                  rel: assessment-for
             - id: cm-5_asm-examine
               name: assessment-method
               props:
@@ -14784,6 +16217,9 @@ catalog:
                       value: CM-06a.
                       class: sp800-53a
                   prose: 'configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};'
+                  links:
+                    - href: '#cm-6_smt.a'
+                      rel: assessment-for
                 - id: cm-6_obj.b
                   name: assessment-objective
                   props:
@@ -14791,6 +16227,9 @@ catalog:
                       value: CM-06b.
                       class: sp800-53a
                   prose: the configuration settings documented in CM-06a are implemented;
+                  links:
+                    - href: '#cm-6_smt.b'
+                      rel: assessment-for
                 - id: cm-6_obj.c
                   name: assessment-objective
                   props:
@@ -14805,6 +16244,9 @@ catalog:
                           value: CM-06c.[01]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
                     - id: cm-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -14812,6 +16254,12 @@ catalog:
                           value: CM-06c.[02]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.c'
+                      rel: assessment-for
                 - id: cm-6_obj.d
                   name: assessment-objective
                   props:
@@ -14826,6 +16274,9 @@ catalog:
                           value: CM-06d.[01]
                           class: sp800-53a
                       prose: changes to the configuration settings are monitored in accordance with organizational policies and procedures;
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
                     - id: cm-6_obj.d-2
                       name: assessment-objective
                       props:
@@ -14833,6 +16284,15 @@ catalog:
                           value: CM-06d.[02]
                           class: sp800-53a
                       prose: changes to the configuration settings are controlled in accordance with organizational policies and procedures.
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cm-6_smt'
+                  rel: assessment-for
             - id: cm-6_asm-examine
               name: assessment-method
               props:
@@ -15075,6 +16535,9 @@ catalog:
                       value: CM-07a.
                       class: sp800-53a
                   prose: 'the system is configured to provide only {{ insert: param, cm-07_odp.01 }};'
+                  links:
+                    - href: '#cm-7_smt.a'
+                      rel: assessment-for
                 - id: cm-7_obj.b
                   name: assessment-objective
                   props:
@@ -15089,6 +16552,9 @@ catalog:
                           value: CM-07b.[01]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -15096,6 +16562,9 @@ catalog:
                           value: CM-07b.[02]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -15103,6 +16572,9 @@ catalog:
                           value: CM-07b.[03]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-4
                       name: assessment-objective
                       props:
@@ -15110,6 +16582,9 @@ catalog:
                           value: CM-07b.[04]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-5
                       name: assessment-objective
                       props:
@@ -15117,6 +16592,15 @@ catalog:
                           value: CM-07b.[05]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-7_smt'
+                  rel: assessment-for
             - id: cm-7_asm-examine
               name: assessment-method
               props:
@@ -15305,6 +16789,9 @@ catalog:
                           value: CM-07(01)(a)
                           class: sp800-53a
                       prose: 'the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:'
+                      links:
+                        - href: '#cm-7.1_smt.a'
+                          rel: assessment-for
                     - id: cm-7.1_obj.b
                       name: assessment-objective
                       props:
@@ -15319,6 +16806,9 @@ catalog:
                               value: CM-07(01)(b)[01]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -15326,6 +16816,9 @@ catalog:
                               value: CM-07(01)(b)[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-3
                           name: assessment-objective
                           props:
@@ -15333,6 +16826,9 @@ catalog:
                               value: CM-07(01)(b)[03]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-4
                           name: assessment-objective
                           props:
@@ -15340,6 +16836,9 @@ catalog:
                               value: CM-07(01)(b)[04]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-5
                           name: assessment-objective
                           props:
@@ -15347,6 +16846,15 @@ catalog:
                               value: CM-07(01)(b)[05]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-7.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.1_smt'
+                      rel: assessment-for
                 - id: cm-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -15478,6 +16986,9 @@ catalog:
                       value: CM-07(02)
                       class: sp800-53a
                   prose: 'program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.'
+                  links:
+                    - href: '#cm-7.2_smt'
+                      rel: assessment-for
                 - id: cm-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -15650,6 +17161,9 @@ catalog:
                           value: CM-07(05)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, cm-07.05_odp.01 }} are identified;'
+                      links:
+                        - href: '#cm-7.5_smt.a'
+                          rel: assessment-for
                     - id: cm-7.5_obj.b
                       name: assessment-objective
                       props:
@@ -15657,6 +17171,9 @@ catalog:
                           value: CM-07(05)(b)
                           class: sp800-53a
                       prose: a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;
+                      links:
+                        - href: '#cm-7.5_smt.b'
+                          rel: assessment-for
                     - id: cm-7.5_obj.c
                       name: assessment-objective
                       props:
@@ -15664,6 +17181,12 @@ catalog:
                           value: CM-07(05)(c)
                           class: sp800-53a
                       prose: 'the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.'
+                      links:
+                        - href: '#cm-7.5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.5_smt'
+                      rel: assessment-for
                 - id: cm-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -15899,6 +17422,9 @@ catalog:
                           value: CM-08a.01
                           class: sp800-53a
                       prose: an inventory of system components that accurately reflects the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.1'
+                          rel: assessment-for
                     - id: cm-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -15906,6 +17432,9 @@ catalog:
                           value: CM-08a.02
                           class: sp800-53a
                       prose: an inventory of system components that includes all components within the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.2'
+                          rel: assessment-for
                     - id: cm-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -15913,6 +17442,9 @@ catalog:
                           value: CM-08a.03
                           class: sp800-53a
                       prose: an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.3'
+                          rel: assessment-for
                     - id: cm-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -15920,6 +17452,9 @@ catalog:
                           value: CM-08a.04
                           class: sp800-53a
                       prose: an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.4'
+                          rel: assessment-for
                     - id: cm-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -15927,6 +17462,12 @@ catalog:
                           value: CM-08a.05
                           class: sp800-53a
                       prose: 'an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;'
+                      links:
+                        - href: '#cm-8_smt.a.5'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8_smt.a'
+                      rel: assessment-for
                 - id: cm-8_obj.b
                   name: assessment-objective
                   props:
@@ -15934,6 +17475,12 @@ catalog:
                       value: CM-08b.
                       class: sp800-53a
                   prose: 'the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.'
+                  links:
+                    - href: '#cm-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-8_smt'
+                  rel: assessment-for
             - id: cm-8_asm-examine
               name: assessment-method
               props:
@@ -16039,6 +17586,9 @@ catalog:
                           value: CM-08(01)[01]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component installations;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -16046,6 +17596,9 @@ catalog:
                           value: CM-08(01)[02]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component removals;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-3
                       name: assessment-objective
                       props:
@@ -16053,6 +17606,12 @@ catalog:
                           value: CM-08(01)[03]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of system updates.
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.1_smt'
+                      rel: assessment-for
                 - id: cm-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -16266,6 +17825,9 @@ catalog:
                               value: CM-08(03)(a)[01]
                               class: sp800-53a
                           prose: 'the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -16273,6 +17835,9 @@ catalog:
                               value: CM-08(03)(a)[02]
                               class: sp800-53a
                           prose: 'the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-3
                           name: assessment-objective
                           props:
@@ -16280,6 +17845,12 @@ catalog:
                               value: CM-08(03)(a)[03]
                               class: sp800-53a
                           prose: 'the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.a'
+                          rel: assessment-for
                     - id: cm-8.3_obj.b
                       name: assessment-objective
                       props:
@@ -16294,6 +17865,9 @@ catalog:
                               value: CM-08(03)(b)[01]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -16301,6 +17875,9 @@ catalog:
                               value: CM-08(03)(b)[02]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-3
                           name: assessment-objective
                           props:
@@ -16308,6 +17885,15 @@ catalog:
                               value: CM-08(03)(b)[03]
                               class: sp800-53a
                           prose: ' {{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.3_smt'
+                      rel: assessment-for
                 - id: cm-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -16488,6 +18074,9 @@ catalog:
                       value: CM-09[01]
                       class: sp800-53a
                   prose: a configuration management plan for the system is developed and documented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj-2
                   name: assessment-objective
                   props:
@@ -16495,6 +18084,9 @@ catalog:
                       value: CM-09[02]
                       class: sp800-53a
                   prose: a configuration management plan for the system is implemented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj.a
                   name: assessment-objective
                   props:
@@ -16509,6 +18101,9 @@ catalog:
                           value: CM-09a.[01]
                           class: sp800-53a
                       prose: the configuration management plan addresses roles;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -16516,6 +18111,9 @@ catalog:
                           value: CM-09a.[02]
                           class: sp800-53a
                       prose: the configuration management plan addresses responsibilities;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -16523,6 +18121,12 @@ catalog:
                           value: CM-09a.[03]
                           class: sp800-53a
                       prose: the configuration management plan addresses configuration management processes and procedures;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.a'
+                      rel: assessment-for
                 - id: cm-9_obj.b
                   name: assessment-objective
                   props:
@@ -16537,6 +18141,9 @@ catalog:
                           value: CM-09b.[01]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
                     - id: cm-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -16544,6 +18151,12 @@ catalog:
                           value: CM-09b.[02]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for managing the configuration of the configuration items;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.b'
+                      rel: assessment-for
                 - id: cm-9_obj.c
                   name: assessment-objective
                   props:
@@ -16558,6 +18171,9 @@ catalog:
                           value: CM-09c.[01]
                           class: sp800-53a
                       prose: the configuration management plan defines the configuration items for the system;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
                     - id: cm-9_obj.c-2
                       name: assessment-objective
                       props:
@@ -16565,6 +18181,12 @@ catalog:
                           value: CM-09c.[02]
                           class: sp800-53a
                       prose: the configuration management plan places the configuration items under configuration management;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.c'
+                      rel: assessment-for
                 - id: cm-9_obj.d
                   name: assessment-objective
                   props:
@@ -16572,6 +18194,9 @@ catalog:
                       value: CM-09d.
                       class: sp800-53a
                   prose: 'the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};'
+                  links:
+                    - href: '#cm-9_smt.d'
+                      rel: assessment-for
                 - id: cm-9_obj.e
                   name: assessment-objective
                   props:
@@ -16586,6 +18211,9 @@ catalog:
                           value: CM-09e.[01]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
                     - id: cm-9_obj.e-2
                       name: assessment-objective
                       props:
@@ -16593,6 +18221,15 @@ catalog:
                           value: CM-09e.[02]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#cm-9_smt'
+                  rel: assessment-for
             - id: cm-9_asm-examine
               name: assessment-method
               props:
@@ -16728,6 +18365,9 @@ catalog:
                       value: CM-10a.
                       class: sp800-53a
                   prose: software and associated documentation are used in accordance with contract agreements and copyright laws;
+                  links:
+                    - href: '#cm-10_smt.a'
+                      rel: assessment-for
                 - id: cm-10_obj.b
                   name: assessment-objective
                   props:
@@ -16735,6 +18375,9 @@ catalog:
                       value: CM-10b.
                       class: sp800-53a
                   prose: the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
+                  links:
+                    - href: '#cm-10_smt.b'
+                      rel: assessment-for
                 - id: cm-10_obj.c
                   name: assessment-objective
                   props:
@@ -16742,6 +18385,12 @@ catalog:
                       value: CM-10c.
                       class: sp800-53a
                   prose: the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+                  links:
+                    - href: '#cm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-10_smt'
+                  rel: assessment-for
             - id: cm-10_asm-examine
               name: assessment-method
               props:
@@ -16918,6 +18567,9 @@ catalog:
                       value: CM-11a.
                       class: sp800-53a
                   prose: ' {{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;'
+                  links:
+                    - href: '#cm-11_smt.a'
+                      rel: assessment-for
                 - id: cm-11_obj.b
                   name: assessment-objective
                   props:
@@ -16925,6 +18577,9 @@ catalog:
                       value: CM-11b.
                       class: sp800-53a
                   prose: 'software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};'
+                  links:
+                    - href: '#cm-11_smt.b'
+                      rel: assessment-for
                 - id: cm-11_obj.c
                   name: assessment-objective
                   props:
@@ -16932,6 +18587,12 @@ catalog:
                       value: CM-11c.
                       class: sp800-53a
                   prose: 'compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.'
+                  links:
+                    - href: '#cm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-11_smt'
+                  rel: assessment-for
             - id: cm-11_asm-examine
               name: assessment-method
               props:
@@ -17118,6 +18779,9 @@ catalog:
                           value: CM-12a.[01]
                           class: sp800-53a
                       prose: 'the location of {{ insert: param, cm-12_odp }} is identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-2
                       name: assessment-objective
                       props:
@@ -17125,6 +18789,9 @@ catalog:
                           value: CM-12a.[02]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-3
                       name: assessment-objective
                       props:
@@ -17132,6 +18799,12 @@ catalog:
                           value: CM-12a.[03]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.a'
+                      rel: assessment-for
                 - id: cm-12_obj.b
                   name: assessment-objective
                   props:
@@ -17146,6 +18819,9 @@ catalog:
                           value: CM-12b.[01]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
                     - id: cm-12_obj.b-2
                       name: assessment-objective
                       props:
@@ -17153,6 +18829,12 @@ catalog:
                           value: CM-12b.[02]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.b'
+                      rel: assessment-for
                 - id: cm-12_obj.c
                   name: assessment-objective
                   props:
@@ -17167,6 +18849,9 @@ catalog:
                           value: CM-12c.[01]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
                     - id: cm-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -17174,6 +18859,15 @@ catalog:
                           value: CM-12c.[02]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-12_smt'
+                  rel: assessment-for
             - id: cm-12_asm-examine
               name: assessment-method
               props:
@@ -17305,6 +18999,9 @@ catalog:
                       value: CM-12(01)
                       class: sp800-53a
                   prose: 'automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.'
+                  links:
+                    - href: '#cm-12.1_smt'
+                      rel: assessment-for
                 - id: cm-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -17588,6 +19285,9 @@ catalog:
                           value: CP-01a.[01]
                           class: sp800-53a
                       prose: a contingency planning policy is developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -17595,6 +19295,9 @@ catalog:
                           value: CP-01a.[02]
                           class: sp800-53a
                       prose: 'the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -17602,6 +19305,9 @@ catalog:
                           value: CP-01a.[03]
                           class: sp800-53a
                       prose: contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -17609,6 +19315,9 @@ catalog:
                           value: CP-01a.[04]
                           class: sp800-53a
                       prose: 'the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -17630,6 +19339,9 @@ catalog:
                                   value: CP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -17637,6 +19349,9 @@ catalog:
                                   value: CP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -17644,6 +19359,9 @@ catalog:
                                   value: CP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -17651,6 +19369,9 @@ catalog:
                                   value: CP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -17658,6 +19379,9 @@ catalog:
                                   value: CP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -17665,6 +19389,9 @@ catalog:
                                   value: CP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -17672,6 +19399,12 @@ catalog:
                                   value: CP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -17679,6 +19412,15 @@ catalog:
                               value: CP-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#cp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.a'
+                      rel: assessment-for
                 - id: cp-1_obj.b
                   name: assessment-objective
                   props:
@@ -17686,6 +19428,9 @@ catalog:
                       value: CP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;'
+                  links:
+                    - href: '#cp-1_smt.b'
+                      rel: assessment-for
                 - id: cp-1_obj.c
                   name: assessment-objective
                   props:
@@ -17707,6 +19452,9 @@ catalog:
                               value: CP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
                         - id: cp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -17714,6 +19462,12 @@ catalog:
                               value: CP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.1'
+                          rel: assessment-for
                     - id: cp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -17728,6 +19482,9 @@ catalog:
                               value: CP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
                         - id: cp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -17735,6 +19492,18 @@ catalog:
                               value: CP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-1_smt'
+                  rel: assessment-for
             - id: cp-1_asm-examine
               name: assessment-method
               props:
@@ -18046,6 +19815,9 @@ catalog:
                           value: CP-02a.01
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
+                      links:
+                        - href: '#cp-2_smt.a.1'
+                          rel: assessment-for
                     - id: cp-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -18060,6 +19832,9 @@ catalog:
                               value: CP-02a.02[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides recovery objectives;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -18067,6 +19842,9 @@ catalog:
                               value: CP-02a.02[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides restoration priorities;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -18074,6 +19852,12 @@ catalog:
                               value: CP-02a.02[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides metrics;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.2'
+                          rel: assessment-for
                     - id: cp-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -18088,6 +19872,9 @@ catalog:
                               value: CP-02a.03[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency roles;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -18095,6 +19882,9 @@ catalog:
                               value: CP-02a.03[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency responsibilities;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -18102,6 +19892,12 @@ catalog:
                               value: CP-02a.03[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses assigned individuals with contact information;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.3'
+                          rel: assessment-for
                     - id: cp-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -18109,6 +19905,9 @@ catalog:
                           value: CP-02a.04
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
+                      links:
+                        - href: '#cp-2_smt.a.4'
+                          rel: assessment-for
                     - id: cp-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -18116,6 +19915,9 @@ catalog:
                           value: CP-02a.05
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
+                      links:
+                        - href: '#cp-2_smt.a.5'
+                          rel: assessment-for
                     - id: cp-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -18123,6 +19925,9 @@ catalog:
                           value: CP-02a.06
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses the sharing of contingency information;
+                      links:
+                        - href: '#cp-2_smt.a.6'
+                          rel: assessment-for
                     - id: cp-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -18137,6 +19942,9 @@ catalog:
                               value: CP-02a.07[01]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
                         - id: cp-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -18144,6 +19952,15 @@ catalog:
                               value: CP-02a.07[02]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.7'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.a'
+                      rel: assessment-for
                 - id: cp-2_obj.b
                   name: assessment-objective
                   props:
@@ -18158,6 +19975,9 @@ catalog:
                           value: CP-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
                     - id: cp-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -18165,6 +19985,12 @@ catalog:
                           value: CP-02b.[02]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.b'
+                      rel: assessment-for
                 - id: cp-2_obj.c
                   name: assessment-objective
                   props:
@@ -18172,6 +19998,9 @@ catalog:
                       value: CP-02c.
                       class: sp800-53a
                   prose: contingency planning activities are coordinated with incident handling activities;
+                  links:
+                    - href: '#cp-2_smt.c'
+                      rel: assessment-for
                 - id: cp-2_obj.d
                   name: assessment-objective
                   props:
@@ -18179,6 +20008,9 @@ catalog:
                       value: CP-02d.
                       class: sp800-53a
                   prose: 'the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};'
+                  links:
+                    - href: '#cp-2_smt.d'
+                      rel: assessment-for
                 - id: cp-2_obj.e
                   name: assessment-objective
                   props:
@@ -18193,6 +20025,9 @@ catalog:
                           value: CP-02e.[01]
                           class: sp800-53a
                       prose: the contingency plan is updated to address changes to the organization, system, or environment of operation;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
                     - id: cp-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -18200,6 +20035,12 @@ catalog:
                           value: CP-02e.[02]
                           class: sp800-53a
                       prose: the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.e'
+                      rel: assessment-for
                 - id: cp-2_obj.f
                   name: assessment-objective
                   props:
@@ -18214,6 +20055,9 @@ catalog:
                           value: CP-02f.[01]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
                     - id: cp-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -18221,6 +20065,12 @@ catalog:
                           value: CP-02f.[02]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.f'
+                      rel: assessment-for
                 - id: cp-2_obj.g
                   name: assessment-objective
                   props:
@@ -18235,6 +20085,9 @@ catalog:
                           value: CP-02g.[01]
                           class: sp800-53a
                       prose: lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
                     - id: cp-2_obj.g-2
                       name: assessment-objective
                       props:
@@ -18242,6 +20095,12 @@ catalog:
                           value: CP-02g.[02]
                           class: sp800-53a
                       prose: lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.g'
+                      rel: assessment-for
                 - id: cp-2_obj.h
                   name: assessment-objective
                   props:
@@ -18256,6 +20115,9 @@ catalog:
                           value: CP-02h.[01]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
                     - id: cp-2_obj.h-2
                       name: assessment-objective
                       props:
@@ -18263,6 +20125,15 @@ catalog:
                           value: CP-02h.[02]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.h'
+                      rel: assessment-for
+              links:
+                - href: '#cp-2_smt'
+                  rel: assessment-for
             - id: cp-2_asm-examine
               name: assessment-method
               props:
@@ -18352,6 +20223,9 @@ catalog:
                       value: CP-02(01)
                       class: sp800-53a
                   prose: contingency plan development is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-2.1_smt'
+                      rel: assessment-for
                 - id: cp-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -18459,6 +20333,9 @@ catalog:
                       value: CP-02(03)
                       class: sp800-53a
                   prose: 'the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.'
+                  links:
+                    - href: '#cp-2.3_smt'
+                      rel: assessment-for
                 - id: cp-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -18564,6 +20441,9 @@ catalog:
                       value: CP-02(08)
                       class: sp800-53a
                   prose: 'critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.'
+                  links:
+                    - href: '#cp-2.8_smt'
+                      rel: assessment-for
                 - id: cp-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -18742,6 +20622,9 @@ catalog:
                           value: CP-03a.01
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;'
+                      links:
+                        - href: '#cp-3_smt.a.1'
+                          rel: assessment-for
                     - id: cp-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -18749,6 +20632,9 @@ catalog:
                           value: CP-03a.02
                           class: sp800-53a
                       prose: contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#cp-3_smt.a.2'
+                          rel: assessment-for
                     - id: cp-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -18756,6 +20642,12 @@ catalog:
                           value: CP-03a.03
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;'
+                      links:
+                        - href: '#cp-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.a'
+                      rel: assessment-for
                 - id: cp-3_obj.b
                   name: assessment-objective
                   props:
@@ -18770,6 +20662,9 @@ catalog:
                           value: CP-03b.[01]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
                     - id: cp-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -18777,6 +20672,15 @@ catalog:
                           value: CP-03b.[02]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-3_smt'
+                  rel: assessment-for
             - id: cp-3_asm-examine
               name: assessment-method
               props:
@@ -18959,6 +20863,9 @@ catalog:
                           value: CP-04a.[01]
                           class: sp800-53a
                       prose: 'the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -18966,6 +20873,9 @@ catalog:
                           value: CP-04a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -18973,6 +20883,12 @@ catalog:
                           value: CP-04a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4_smt.a'
+                      rel: assessment-for
                 - id: cp-4_obj.b
                   name: assessment-objective
                   props:
@@ -18980,6 +20896,9 @@ catalog:
                       value: CP-04b.
                       class: sp800-53a
                   prose: the contingency plan test results are reviewed;
+                  links:
+                    - href: '#cp-4_smt.b'
+                      rel: assessment-for
                 - id: cp-4_obj.c
                   name: assessment-objective
                   props:
@@ -18987,6 +20906,12 @@ catalog:
                       value: CP-04c.
                       class: sp800-53a
                   prose: corrective actions are initiated, if needed.
+                  links:
+                    - href: '#cp-4_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-4_smt'
+                  rel: assessment-for
             - id: cp-4_asm-examine
               name: assessment-method
               props:
@@ -19081,6 +21006,9 @@ catalog:
                       value: CP-04(01)
                       class: sp800-53a
                   prose: contingency plan testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-4.1_smt'
+                      rel: assessment-for
                 - id: cp-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -19214,6 +21142,9 @@ catalog:
                           value: CP-06a.[01]
                           class: sp800-53a
                       prose: an alternate storage site is established;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
                     - id: cp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -19221,6 +21152,12 @@ catalog:
                           value: CP-06a.[02]
                           class: sp800-53a
                       prose: establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6_smt.a'
+                      rel: assessment-for
                 - id: cp-6_obj.b
                   name: assessment-objective
                   props:
@@ -19228,6 +21165,12 @@ catalog:
                       value: CP-06b.
                       class: sp800-53a
                   prose: the alternate storage site provides controls equivalent to that of the primary site.
+                  links:
+                    - href: '#cp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-6_smt'
+                  rel: assessment-for
             - id: cp-6_asm-examine
               name: assessment-method
               props:
@@ -19319,6 +21262,9 @@ catalog:
                       value: CP-06(01)
                       class: sp800-53a
                   prose: an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
+                  links:
+                    - href: '#cp-6.1_smt'
+                      rel: assessment-for
                 - id: cp-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -19403,6 +21349,9 @@ catalog:
                           value: CP-06(03)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
                     - id: cp-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -19410,6 +21359,12 @@ catalog:
                           value: CP-06(03)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6.3_smt'
+                      rel: assessment-for
                 - id: cp-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -19560,6 +21515,9 @@ catalog:
                       value: CP-07a.
                       class: sp800-53a
                   prose: 'an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;'
+                  links:
+                    - href: '#cp-7_smt.a'
+                      rel: assessment-for
                 - id: cp-7_obj.b
                   name: assessment-objective
                   props:
@@ -19574,6 +21532,9 @@ catalog:
                           value: CP-07b.[01]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
                     - id: cp-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -19581,6 +21542,12 @@ catalog:
                           value: CP-07b.[02]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7_smt.b'
+                      rel: assessment-for
                 - id: cp-7_obj.c
                   name: assessment-objective
                   props:
@@ -19588,6 +21555,12 @@ catalog:
                       value: CP-07c.
                       class: sp800-53a
                   prose: controls provided at the alternate processing site are equivalent to those at the primary site.
+                  links:
+                    - href: '#cp-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-7_smt'
+                  rel: assessment-for
             - id: cp-7_asm-examine
               name: assessment-method
               props:
@@ -19683,6 +21656,9 @@ catalog:
                       value: CP-07(01)
                       class: sp800-53a
                   prose: an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
+                  links:
+                    - href: '#cp-7.1_smt'
+                      rel: assessment-for
                 - id: cp-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -19767,6 +21743,9 @@ catalog:
                           value: CP-07(02)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
                     - id: cp-7.2_obj-2
                       name: assessment-objective
                       props:
@@ -19774,6 +21753,12 @@ catalog:
                           value: CP-07(02)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7.2_smt'
+                      rel: assessment-for
                 - id: cp-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -19849,6 +21834,9 @@ catalog:
                       value: CP-07(03)
                       class: sp800-53a
                   prose: alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
+                  links:
+                    - href: '#cp-7.3_smt'
+                      rel: assessment-for
                 - id: cp-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -19955,6 +21943,9 @@ catalog:
                   value: CP-08
                   class: sp800-53a
               prose: 'alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.'
+              links:
+                - href: '#cp-8_smt'
+                  rel: assessment-for
             - id: cp-8_asm-examine
               name: assessment-method
               props:
@@ -20069,6 +22060,9 @@ catalog:
                               value: CP-08(01)(a)[01]
                               class: sp800-53a
                           prose: primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
                         - id: cp-8.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -20076,6 +22070,12 @@ catalog:
                               value: CP-08(01)(a)[02]
                               class: sp800-53a
                           prose: alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.1_smt.a'
+                          rel: assessment-for
                     - id: cp-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -20083,6 +22083,12 @@ catalog:
                           value: CP-08(01)(b)
                           class: sp800-53a
                       prose: Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
+                      links:
+                        - href: '#cp-8.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-8.1_smt'
+                      rel: assessment-for
                 - id: cp-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -20170,6 +22176,9 @@ catalog:
                       value: CP-08(02)
                       class: sp800-53a
                   prose: alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
+                  links:
+                    - href: '#cp-8.2_smt'
+                      rel: assessment-for
                 - id: cp-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -20352,6 +22361,9 @@ catalog:
                       value: CP-09a.
                       class: sp800-53a
                   prose: 'backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};'
+                  links:
+                    - href: '#cp-9_smt.a'
+                      rel: assessment-for
                 - id: cp-9_obj.b
                   name: assessment-objective
                   props:
@@ -20359,6 +22371,9 @@ catalog:
                       value: CP-09b.
                       class: sp800-53a
                   prose: 'backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};'
+                  links:
+                    - href: '#cp-9_smt.b'
+                      rel: assessment-for
                 - id: cp-9_obj.c
                   name: assessment-objective
                   props:
@@ -20366,6 +22381,9 @@ catalog:
                       value: CP-09c.
                       class: sp800-53a
                   prose: 'backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};'
+                  links:
+                    - href: '#cp-9_smt.c'
+                      rel: assessment-for
                 - id: cp-9_obj.d
                   name: assessment-objective
                   props:
@@ -20380,6 +22398,9 @@ catalog:
                           value: CP-09d.[01]
                           class: sp800-53a
                       prose: the confidentiality of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-2
                       name: assessment-objective
                       props:
@@ -20387,6 +22408,9 @@ catalog:
                           value: CP-09d.[02]
                           class: sp800-53a
                       prose: the integrity of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-3
                       name: assessment-objective
                       props:
@@ -20394,6 +22418,15 @@ catalog:
                           value: CP-09d.[03]
                           class: sp800-53a
                       prose: the availability of backup information is protected.
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cp-9_smt'
+                  rel: assessment-for
             - id: cp-9_asm-examine
               name: assessment-method
               props:
@@ -20518,6 +22551,9 @@ catalog:
                           value: CP-09(01)[01]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
                     - id: cp-9.1_obj-2
                       name: assessment-objective
                       props:
@@ -20525,6 +22561,12 @@ catalog:
                           value: CP-09(01)[02]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.1_smt'
+                      rel: assessment-for
                 - id: cp-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -20630,6 +22672,9 @@ catalog:
                       value: CP-09(08)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.'
+                  links:
+                    - href: '#cp-9.8_smt'
+                      rel: assessment-for
                 - id: cp-9.8_asm-examine
                   name: assessment-method
                   props:
@@ -20764,6 +22809,9 @@ catalog:
                       value: CP-10[01]
                       class: sp800-53a
                   prose: 'the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
                 - id: cp-10_obj-2
                   name: assessment-objective
                   props:
@@ -20771,6 +22819,12 @@ catalog:
                       value: CP-10[02]
                       class: sp800-53a
                   prose: 'a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cp-10_smt'
+                  rel: assessment-for
             - id: cp-10_asm-examine
               name: assessment-method
               props:
@@ -20864,6 +22918,9 @@ catalog:
                       value: CP-10(02)
                       class: sp800-53a
                   prose: transaction recovery is implemented for systems that are transaction-based.
+                  links:
+                    - href: '#cp-10.2_smt'
+                      rel: assessment-for
                 - id: cp-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -21150,6 +23207,9 @@ catalog:
                           value: IA-01a.[01]
                           class: sp800-53a
                       prose: an identification and authentication policy is developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -21157,6 +23217,9 @@ catalog:
                           value: IA-01a.[02]
                           class: sp800-53a
                       prose: 'the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -21164,6 +23227,9 @@ catalog:
                           value: IA-01a.[03]
                           class: sp800-53a
                       prose: identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -21171,6 +23237,9 @@ catalog:
                           value: IA-01a.[04]
                           class: sp800-53a
                       prose: 'the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -21192,6 +23261,9 @@ catalog:
                                   value: IA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -21199,6 +23271,9 @@ catalog:
                                   value: IA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -21206,6 +23281,9 @@ catalog:
                                   value: IA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -21213,6 +23291,9 @@ catalog:
                                   value: IA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -21220,6 +23301,9 @@ catalog:
                                   value: IA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -21227,6 +23311,9 @@ catalog:
                                   value: IA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -21234,6 +23321,12 @@ catalog:
                                   value: IA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ia-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ia-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -21241,6 +23334,15 @@ catalog:
                               value: IA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ia-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.a'
+                      rel: assessment-for
                 - id: ia-1_obj.b
                   name: assessment-objective
                   props:
@@ -21248,6 +23350,9 @@ catalog:
                       value: IA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;'
+                  links:
+                    - href: '#ia-1_smt.b'
+                      rel: assessment-for
                 - id: ia-1_obj.c
                   name: assessment-objective
                   props:
@@ -21269,6 +23374,9 @@ catalog:
                               value: IA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
                         - id: ia-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -21276,6 +23384,12 @@ catalog:
                               value: IA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.1'
+                          rel: assessment-for
                     - id: ia-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -21290,6 +23404,9 @@ catalog:
                               value: IA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
                         - id: ia-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -21297,6 +23414,18 @@ catalog:
                               value: IA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-1_smt'
+                  rel: assessment-for
             - id: ia-1_asm-examine
               name: assessment-method
               props:
@@ -21409,6 +23538,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ma-5'
@@ -21447,6 +23578,9 @@ catalog:
                       value: IA-02[01]
                       class: sp800-53a
                   prose: organizational users are uniquely identified and authenticated;
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
                 - id: ia-2_obj-2
                   name: assessment-objective
                   props:
@@ -21454,6 +23588,12 @@ catalog:
                       value: IA-02[02]
                       class: sp800-53a
                   prose: the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ia-2_smt'
+                  rel: assessment-for
             - id: ia-2_asm-examine
               name: assessment-method
               props:
@@ -21551,6 +23691,9 @@ catalog:
                       value: IA-02(01)
                       class: sp800-53a
                   prose: multi-factor authentication is implemented for access to privileged accounts.
+                  links:
+                    - href: '#ia-2.1_smt'
+                      rel: assessment-for
                 - id: ia-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -21644,6 +23787,9 @@ catalog:
                       value: IA-02(02)
                       class: sp800-53a
                   prose: multi-factor authentication for access to non-privileged accounts is implemented.
+                  links:
+                    - href: '#ia-2.2_smt'
+                      rel: assessment-for
                 - id: ia-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -21748,6 +23894,9 @@ catalog:
                       value: IA-02(08)
                       class: sp800-53a
                   prose: 'replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.'
+                  links:
+                    - href: '#ia-2.8_smt'
+                      rel: assessment-for
                 - id: ia-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -21842,6 +23991,9 @@ catalog:
                       value: IA-02(12)
                       class: sp800-53a
                   prose: Personal Identity Verification-compliant credentials are accepted and electronically verified.
+                  links:
+                    - href: '#ia-2.12_smt'
+                      rel: assessment-for
                 - id: ia-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -21965,6 +24117,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#si-4'
               rel: related
           parts:
@@ -21981,6 +24135,9 @@ catalog:
                   value: IA-03
                   class: sp800-53a
               prose: ' {{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.'
+              links:
+                - href: '#ia-3_smt'
+                  rel: assessment-for
             - id: ia-3_asm-examine
               name: assessment-method
               props:
@@ -22165,6 +24322,9 @@ catalog:
                       value: IA-04a.
                       class: sp800-53a
                   prose: 'system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;'
+                  links:
+                    - href: '#ia-4_smt.a'
+                      rel: assessment-for
                 - id: ia-4_obj.b
                   name: assessment-objective
                   props:
@@ -22172,6 +24332,9 @@ catalog:
                       value: IA-04b.
                       class: sp800-53a
                   prose: system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.b'
+                      rel: assessment-for
                 - id: ia-4_obj.c
                   name: assessment-objective
                   props:
@@ -22179,6 +24342,9 @@ catalog:
                       value: IA-04c.
                       class: sp800-53a
                   prose: system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.c'
+                      rel: assessment-for
                 - id: ia-4_obj.d
                   name: assessment-objective
                   props:
@@ -22186,6 +24352,12 @@ catalog:
                       value: IA-04d.
                       class: sp800-53a
                   prose: 'system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.'
+                  links:
+                    - href: '#ia-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ia-4_smt'
+                  rel: assessment-for
             - id: ia-4_asm-examine
               name: assessment-method
               props:
@@ -22292,6 +24464,9 @@ catalog:
                       value: IA-04(04)
                       class: sp800-53a
                   prose: 'individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.'
+                  links:
+                    - href: '#ia-4.4_smt'
+                      rel: assessment-for
                 - id: ia-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -22514,6 +24689,9 @@ catalog:
                       value: IA-05a.
                       class: sp800-53a
                   prose: system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;
+                  links:
+                    - href: '#ia-5_smt.a'
+                      rel: assessment-for
                 - id: ia-5_obj.b
                   name: assessment-objective
                   props:
@@ -22521,6 +24699,9 @@ catalog:
                       value: IA-05b.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;
+                  links:
+                    - href: '#ia-5_smt.b'
+                      rel: assessment-for
                 - id: ia-5_obj.c
                   name: assessment-objective
                   props:
@@ -22528,6 +24709,9 @@ catalog:
                       value: IA-05c.
                       class: sp800-53a
                   prose: system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;
+                  links:
+                    - href: '#ia-5_smt.c'
+                      rel: assessment-for
                 - id: ia-5_obj.d
                   name: assessment-objective
                   props:
@@ -22535,6 +24719,9 @@ catalog:
                       value: IA-05d.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;
+                  links:
+                    - href: '#ia-5_smt.d'
+                      rel: assessment-for
                 - id: ia-5_obj.e
                   name: assessment-objective
                   props:
@@ -22542,6 +24729,9 @@ catalog:
                       value: IA-05e.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of default authenticators prior to first use;
+                  links:
+                    - href: '#ia-5_smt.e'
+                      rel: assessment-for
                 - id: ia-5_obj.f
                   name: assessment-objective
                   props:
@@ -22549,6 +24739,9 @@ catalog:
                       value: IA-05f.
                       class: sp800-53a
                   prose: 'system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;'
+                  links:
+                    - href: '#ia-5_smt.f'
+                      rel: assessment-for
                 - id: ia-5_obj.g
                   name: assessment-objective
                   props:
@@ -22556,6 +24749,9 @@ catalog:
                       value: IA-05g.
                       class: sp800-53a
                   prose: system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;
+                  links:
+                    - href: '#ia-5_smt.g'
+                      rel: assessment-for
                 - id: ia-5_obj.h
                   name: assessment-objective
                   props:
@@ -22570,6 +24766,9 @@ catalog:
                           value: IA-05h.[01]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
                     - id: ia-5_obj.h-2
                       name: assessment-objective
                       props:
@@ -22577,6 +24776,12 @@ catalog:
                           value: IA-05h.[02]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5_smt.h'
+                      rel: assessment-for
                 - id: ia-5_obj.i
                   name: assessment-objective
                   props:
@@ -22584,6 +24789,12 @@ catalog:
                       value: IA-05i.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
+                  links:
+                    - href: '#ia-5_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#ia-5_smt'
+                  rel: assessment-for
             - id: ia-5_asm-examine
               name: assessment-method
               props:
@@ -22756,6 +24967,9 @@ catalog:
                           value: IA-05(01)(a)
                           class: sp800-53a
                       prose: 'for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;'
+                      links:
+                        - href: '#ia-5.1_smt.a'
+                          rel: assessment-for
                     - id: ia-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -22763,6 +24977,9 @@ catalog:
                           value: IA-05(01)(b)
                           class: sp800-53a
                       prose: for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);
+                      links:
+                        - href: '#ia-5.1_smt.b'
+                          rel: assessment-for
                     - id: ia-5.1_obj.c
                       name: assessment-objective
                       props:
@@ -22770,6 +24987,9 @@ catalog:
                           value: IA-05(01)(c)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are only transmitted over cryptographically protected channels;
+                      links:
+                        - href: '#ia-5.1_smt.c'
+                          rel: assessment-for
                     - id: ia-5.1_obj.d
                       name: assessment-objective
                       props:
@@ -22777,6 +24997,9 @@ catalog:
                           value: IA-05(01)(d)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;
+                      links:
+                        - href: '#ia-5.1_smt.d'
+                          rel: assessment-for
                     - id: ia-5.1_obj.e
                       name: assessment-objective
                       props:
@@ -22784,6 +25007,9 @@ catalog:
                           value: IA-05(01)(e)
                           class: sp800-53a
                       prose: for password-based authentication, immediate selection of a new password is required upon account recovery;
+                      links:
+                        - href: '#ia-5.1_smt.e'
+                          rel: assessment-for
                     - id: ia-5.1_obj.f
                       name: assessment-objective
                       props:
@@ -22791,6 +25017,9 @@ catalog:
                           value: IA-05(01)(f)
                           class: sp800-53a
                       prose: for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;
+                      links:
+                        - href: '#ia-5.1_smt.f'
+                          rel: assessment-for
                     - id: ia-5.1_obj.g
                       name: assessment-objective
                       props:
@@ -22798,6 +25027,9 @@ catalog:
                           value: IA-05(01)(g)
                           class: sp800-53a
                       prose: for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;
+                      links:
+                        - href: '#ia-5.1_smt.g'
+                          rel: assessment-for
                     - id: ia-5.1_obj.h
                       name: assessment-objective
                       props:
@@ -22805,6 +25037,12 @@ catalog:
                           value: IA-05(01)(h)
                           class: sp800-53a
                       prose: 'for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.'
+                      links:
+                        - href: '#ia-5.1_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.1_smt'
+                      rel: assessment-for
                 - id: ia-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -22950,6 +25188,9 @@ catalog:
                               value: IA-05(02)(a)(01)
                               class: sp800-53a
                           prose: authorized access to the corresponding private key is enforced for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.a.2
                           name: assessment-objective
                           props:
@@ -22957,6 +25198,12 @@ catalog:
                               value: IA-05(02)(a)(02)
                               class: sp800-53a
                           prose: the authenticated identity is mapped to the account of the individual or group for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.a'
+                          rel: assessment-for
                     - id: ia-5.2_obj.b
                       name: assessment-objective
                       props:
@@ -22971,6 +25218,9 @@ catalog:
                               value: IA-05(02)(b)(01)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
+                          links:
+                            - href: '#ia-5.2_smt.b.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.b.2
                           name: assessment-objective
                           props:
@@ -22978,6 +25228,15 @@ catalog:
                               value: IA-05(02)(b)(02)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.
+                          links:
+                            - href: '#ia-5.2_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.2_smt'
+                      rel: assessment-for
                 - id: ia-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -23069,6 +25328,9 @@ catalog:
                       value: IA-05(06)
                       class: sp800-53a
                   prose: authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.
+                  links:
+                    - href: '#ia-5.6_smt'
+                      rel: assessment-for
                 - id: ia-5.6_asm-examine
                   name: assessment-method
                   props:
@@ -23159,6 +25421,9 @@ catalog:
                   value: IA-06
                   class: sp800-53a
               prose: the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
+              links:
+                - href: '#ia-6_smt'
+                  rel: assessment-for
             - id: ia-6_asm-examine
               name: assessment-method
               props:
@@ -23254,6 +25519,9 @@ catalog:
                   value: IA-07
                   class: sp800-53a
               prose: mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
+              links:
+                - href: '#ia-7_smt'
+                  rel: assessment-for
             - id: ia-7_asm-examine
               name: assessment-method
               props:
@@ -23361,6 +25629,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ra-3'
@@ -23383,6 +25653,9 @@ catalog:
                   value: IA-08
                   class: sp800-53a
               prose: non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.
+              links:
+                - href: '#ia-8_smt'
+                  rel: assessment-for
             - id: ia-8_asm-examine
               name: assessment-method
               props:
@@ -23484,6 +25757,9 @@ catalog:
                           value: IA-08(01)[01]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are accepted;
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
                     - id: ia-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -23491,6 +25767,12 @@ catalog:
                           value: IA-08(01)[02]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.1_smt'
+                      rel: assessment-for
                 - id: ia-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -23608,6 +25890,9 @@ catalog:
                           value: IA-08(02)(a)
                           class: sp800-53a
                       prose: only external authenticators that are NIST-compliant are accepted;
+                      links:
+                        - href: '#ia-8.2_smt.a'
+                          rel: assessment-for
                     - id: ia-8.2_obj.b
                       name: assessment-objective
                       props:
@@ -23622,6 +25907,9 @@ catalog:
                               value: IA-08(02)(b)[01]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is documented;
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
                         - id: ia-8.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -23629,6 +25917,15 @@ catalog:
                               value: IA-08(02)(b)[02]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is maintained.
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-8.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.2_smt'
+                      rel: assessment-for
                 - id: ia-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -23740,6 +26037,9 @@ catalog:
                       value: IA-08(04)
                       class: sp800-53a
                   prose: 'there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.'
+                  links:
+                    - href: '#ia-8.4_smt'
+                      rel: assessment-for
                 - id: ia-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -23857,6 +26157,9 @@ catalog:
                   value: IA-11
                   class: sp800-53a
               prose: 'users are required to re-authenticate when {{ insert: param, ia-11_odp }}.'
+              links:
+                - href: '#ia-11_smt'
+                  rel: assessment-for
             - id: ia-11_asm-examine
               name: assessment-method
               props:
@@ -23956,6 +26259,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
           parts:
             - id: ia-12_smt
               name: statement
@@ -23995,6 +26300,9 @@ catalog:
                       value: IA-12a.
                       class: sp800-53a
                   prose: users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;
+                  links:
+                    - href: '#ia-12_smt.a'
+                      rel: assessment-for
                 - id: ia-12_obj.b
                   name: assessment-objective
                   props:
@@ -24002,6 +26310,9 @@ catalog:
                       value: IA-12b.
                       class: sp800-53a
                   prose: user identities are resolved to a unique individual;
+                  links:
+                    - href: '#ia-12_smt.b'
+                      rel: assessment-for
                 - id: ia-12_obj.c
                   name: assessment-objective
                   props:
@@ -24016,6 +26327,9 @@ catalog:
                           value: IA-12c.[01]
                           class: sp800-53a
                       prose: identity evidence is collected;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -24023,6 +26337,9 @@ catalog:
                           value: IA-12c.[02]
                           class: sp800-53a
                       prose: identity evidence is validated;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-3
                       name: assessment-objective
                       props:
@@ -24030,6 +26347,15 @@ catalog:
                           value: IA-12c.[03]
                           class: sp800-53a
                       prose: identity evidence is verified.
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-12_smt'
+                  rel: assessment-for
             - id: ia-12_asm-examine
               name: assessment-method
               props:
@@ -24118,6 +26444,9 @@ catalog:
                       value: IA-12(02)
                       class: sp800-53a
                   prose: evidence of individual identification is presented to the registration authority.
+                  links:
+                    - href: '#ia-12.2_smt'
+                      rel: assessment-for
                 - id: ia-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -24215,6 +26544,9 @@ catalog:
                       value: IA-12(03)
                       class: sp800-53a
                   prose: 'the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.'
+                  links:
+                    - href: '#ia-12.3_smt'
+                      rel: assessment-for
                 - id: ia-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -24312,6 +26644,9 @@ catalog:
                       value: IA-12(05)
                       class: sp800-53a
                   prose: 'a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.'
+                  links:
+                    - href: '#ia-12.5_smt'
+                      rel: assessment-for
                 - id: ia-12.5_asm-examine
                   name: assessment-method
                   props:
@@ -24582,6 +26917,9 @@ catalog:
                           value: IR-01a.[01]
                           class: sp800-53a
                       prose: an incident response policy is developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -24589,6 +26927,9 @@ catalog:
                           value: IR-01a.[02]
                           class: sp800-53a
                       prose: 'the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -24596,6 +26937,9 @@ catalog:
                           value: IR-01a.[03]
                           class: sp800-53a
                       prose: incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -24603,6 +26947,9 @@ catalog:
                           value: IR-01a.[04]
                           class: sp800-53a
                       prose: 'the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -24624,6 +26971,9 @@ catalog:
                                   value: IR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -24631,6 +26981,9 @@ catalog:
                                   value: IR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -24638,6 +26991,9 @@ catalog:
                                   value: IR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -24645,6 +27001,9 @@ catalog:
                                   value: IR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -24652,6 +27011,9 @@ catalog:
                                   value: IR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -24659,6 +27021,9 @@ catalog:
                                   value: IR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -24666,6 +27031,12 @@ catalog:
                                   value: IR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ir-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ir-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -24673,6 +27044,15 @@ catalog:
                               value: IR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ir-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.a'
+                      rel: assessment-for
                 - id: ir-1_obj.b
                   name: assessment-objective
                   props:
@@ -24680,6 +27060,9 @@ catalog:
                       value: IR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;'
+                  links:
+                    - href: '#ir-1_smt.b'
+                      rel: assessment-for
                 - id: ir-1_obj.c
                   name: assessment-objective
                   props:
@@ -24701,6 +27084,9 @@ catalog:
                               value: IR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
                         - id: ir-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -24708,6 +27094,12 @@ catalog:
                               value: IR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.1'
+                          rel: assessment-for
                     - id: ir-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -24722,6 +27114,9 @@ catalog:
                               value: IR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
                         - id: ir-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -24729,6 +27124,18 @@ catalog:
                               value: IR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ir-1_smt'
+                  rel: assessment-for
             - id: ir-1_asm-examine
               name: assessment-method
               props:
@@ -24901,6 +27308,9 @@ catalog:
                           value: IR-02a.01
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;'
+                      links:
+                        - href: '#ir-2_smt.a.1'
+                          rel: assessment-for
                     - id: ir-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -24908,6 +27318,9 @@ catalog:
                           value: IR-02a.02
                           class: sp800-53a
                       prose: incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#ir-2_smt.a.2'
+                          rel: assessment-for
                     - id: ir-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -24915,6 +27328,12 @@ catalog:
                           value: IR-02a.03
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;'
+                      links:
+                        - href: '#ir-2_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.a'
+                      rel: assessment-for
                 - id: ir-2_obj.b
                   name: assessment-objective
                   props:
@@ -24929,6 +27348,9 @@ catalog:
                           value: IR-02b.[01]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
                     - id: ir-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -24936,6 +27358,15 @@ catalog:
                           value: IR-02b.[02]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-2_smt'
+                  rel: assessment-for
             - id: ir-2_asm-examine
               name: assessment-method
               props:
@@ -25053,6 +27484,9 @@ catalog:
                   value: IR-03
                   class: sp800-53a
               prose: 'the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.'
+              links:
+                - href: '#ir-3_smt'
+                  rel: assessment-for
             - id: ir-3_asm-examine
               name: assessment-method
               props:
@@ -25138,6 +27572,9 @@ catalog:
                       value: IR-03(02)
                       class: sp800-53a
                   prose: incident response testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#ir-3.2_smt'
+                      rel: assessment-for
                 - id: ir-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -25325,6 +27762,9 @@ catalog:
                           value: IR-04a.[01]
                           class: sp800-53a
                       prose: an incident handling capability for incidents is implemented that is consistent with the incident response plan;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -25332,6 +27772,9 @@ catalog:
                           value: IR-04a.[02]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes preparation;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -25339,6 +27782,9 @@ catalog:
                           value: IR-04a.[03]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes detection and analysis;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -25346,6 +27792,9 @@ catalog:
                           value: IR-04a.[04]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes containment;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-5
                       name: assessment-objective
                       props:
@@ -25353,6 +27802,9 @@ catalog:
                           value: IR-04a.[05]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes eradication;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-6
                       name: assessment-objective
                       props:
@@ -25360,6 +27812,12 @@ catalog:
                           value: IR-04a.[06]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes recovery;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.a'
+                      rel: assessment-for
                 - id: ir-4_obj.b
                   name: assessment-objective
                   props:
@@ -25367,6 +27825,9 @@ catalog:
                       value: IR-04b.
                       class: sp800-53a
                   prose: incident handling activities are coordinated with contingency planning activities;
+                  links:
+                    - href: '#ir-4_smt.b'
+                      rel: assessment-for
                 - id: ir-4_obj.c
                   name: assessment-objective
                   props:
@@ -25381,6 +27842,9 @@ catalog:
                           value: IR-04c.[01]
                           class: sp800-53a
                       prose: lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
                     - id: ir-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -25388,6 +27852,12 @@ catalog:
                           value: IR-04c.[02]
                           class: sp800-53a
                       prose: the changes resulting from the incorporated lessons learned are implemented accordingly;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.c'
+                      rel: assessment-for
                 - id: ir-4_obj.d
                   name: assessment-objective
                   props:
@@ -25402,6 +27872,9 @@ catalog:
                           value: IR-04d.[01]
                           class: sp800-53a
                       prose: the rigor of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -25409,6 +27882,9 @@ catalog:
                           value: IR-04d.[02]
                           class: sp800-53a
                       prose: the intensity of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-3
                       name: assessment-objective
                       props:
@@ -25416,6 +27892,9 @@ catalog:
                           value: IR-04d.[03]
                           class: sp800-53a
                       prose: the scope of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-4
                       name: assessment-objective
                       props:
@@ -25423,6 +27902,15 @@ catalog:
                           value: IR-04d.[04]
                           class: sp800-53a
                       prose: the results of incident handling activities are comparable and predictable across the organization.
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ir-4_smt'
+                  rel: assessment-for
             - id: ir-4_asm-examine
               name: assessment-method
               props:
@@ -25522,6 +28010,9 @@ catalog:
                       value: IR-04(01)
                       class: sp800-53a
                   prose: 'the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.'
+                  links:
+                    - href: '#ir-4.1_smt'
+                      rel: assessment-for
                 - id: ir-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -25643,6 +28134,9 @@ catalog:
                       value: IR-05[01]
                       class: sp800-53a
                   prose: incidents are tracked;
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
                 - id: ir-5_obj-2
                   name: assessment-objective
                   props:
@@ -25650,6 +28144,12 @@ catalog:
                       value: IR-05[02]
                       class: sp800-53a
                   prose: incidents are documented.
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-5_smt'
+                  rel: assessment-for
             - id: ir-5_asm-examine
               name: assessment-method
               props:
@@ -25794,6 +28294,9 @@ catalog:
                       value: IR-06a.
                       class: sp800-53a
                   prose: 'personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};'
+                  links:
+                    - href: '#ir-6_smt.a'
+                      rel: assessment-for
                 - id: ir-6_obj.b
                   name: assessment-objective
                   props:
@@ -25801,6 +28304,12 @@ catalog:
                       value: IR-06b.
                       class: sp800-53a
                   prose: 'incident information is reported to {{ insert: param, ir-06_odp.02 }}.'
+                  links:
+                    - href: '#ir-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-6_smt'
+                  rel: assessment-for
             - id: ir-6_asm-examine
               name: assessment-method
               props:
@@ -25907,6 +28416,9 @@ catalog:
                       value: IR-06(01)
                       class: sp800-53a
                   prose: 'incidents are reported using {{ insert: param, ir-06.01_odp }}.'
+                  links:
+                    - href: '#ir-6.1_smt'
+                      rel: assessment-for
                 - id: ir-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -25997,6 +28509,9 @@ catalog:
                       value: IR-06(03)
                       class: sp800-53a
                   prose: incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
+                  links:
+                    - href: '#ir-6.3_smt'
+                      rel: assessment-for
                 - id: ir-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -26122,6 +28637,9 @@ catalog:
                       value: IR-07[01]
                       class: sp800-53a
                   prose: an incident response support resource, integral to the organizational incident response capability, is provided;
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
                 - id: ir-7_obj-2
                   name: assessment-objective
                   props:
@@ -26129,6 +28647,12 @@ catalog:
                       value: IR-07[02]
                       class: sp800-53a
                   prose: the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-7_smt'
+                  rel: assessment-for
             - id: ir-7_asm-examine
               name: assessment-method
               props:
@@ -26227,6 +28751,9 @@ catalog:
                       value: IR-07(01)
                       class: sp800-53a
                   prose: 'the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.'
+                  links:
+                    - href: '#ir-7.1_smt'
+                      rel: assessment-for
                 - id: ir-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -26528,6 +29055,9 @@ catalog:
                           value: IR-08a.01
                           class: sp800-53a
                       prose: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.1'
+                          rel: assessment-for
                     - id: ir-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -26535,6 +29065,9 @@ catalog:
                           value: IR-08a.02
                           class: sp800-53a
                       prose: an incident response plan is developed that describes the structure and organization of the incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.2'
+                          rel: assessment-for
                     - id: ir-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -26542,6 +29075,9 @@ catalog:
                           value: IR-08a.03
                           class: sp800-53a
                       prose: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
+                      links:
+                        - href: '#ir-8_smt.a.3'
+                          rel: assessment-for
                     - id: ir-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -26549,6 +29085,9 @@ catalog:
                           value: IR-08a.04
                           class: sp800-53a
                       prose: an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
+                      links:
+                        - href: '#ir-8_smt.a.4'
+                          rel: assessment-for
                     - id: ir-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -26556,6 +29095,9 @@ catalog:
                           value: IR-08a.05
                           class: sp800-53a
                       prose: an incident response plan is developed that defines reportable incidents;
+                      links:
+                        - href: '#ir-8_smt.a.5'
+                          rel: assessment-for
                     - id: ir-8_obj.a.6
                       name: assessment-objective
                       props:
@@ -26563,6 +29105,9 @@ catalog:
                           value: IR-08a.06
                           class: sp800-53a
                       prose: an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
+                      links:
+                        - href: '#ir-8_smt.a.6'
+                          rel: assessment-for
                     - id: ir-8_obj.a.7
                       name: assessment-objective
                       props:
@@ -26570,6 +29115,9 @@ catalog:
                           value: IR-08a.07
                           class: sp800-53a
                       prose: an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.7'
+                          rel: assessment-for
                     - id: ir-8_obj.a.8
                       name: assessment-objective
                       props:
@@ -26577,6 +29125,9 @@ catalog:
                           value: IR-08a.08
                           class: sp800-53a
                       prose: an incident response plan is developed that addresses the sharing of incident information;
+                      links:
+                        - href: '#ir-8_smt.a.8'
+                          rel: assessment-for
                     - id: ir-8_obj.a.9
                       name: assessment-objective
                       props:
@@ -26584,6 +29135,9 @@ catalog:
                           value: IR-08a.09
                           class: sp800-53a
                       prose: 'an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};'
+                      links:
+                        - href: '#ir-8_smt.a.9'
+                          rel: assessment-for
                     - id: ir-8_obj.a.10
                       name: assessment-objective
                       props:
@@ -26591,6 +29145,12 @@ catalog:
                           value: IR-08a.10
                           class: sp800-53a
                       prose: 'an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.'
+                      links:
+                        - href: '#ir-8_smt.a.10'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.a'
+                      rel: assessment-for
                 - id: ir-8_obj.b
                   name: assessment-objective
                   props:
@@ -26605,6 +29165,9 @@ catalog:
                           value: IR-08b.[01]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
                     - id: ir-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -26612,6 +29175,12 @@ catalog:
                           value: IR-08b.[02]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.b'
+                      rel: assessment-for
                 - id: ir-8_obj.c
                   name: assessment-objective
                   props:
@@ -26619,6 +29188,9 @@ catalog:
                       value: IR-08c.
                       class: sp800-53a
                   prose: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+                  links:
+                    - href: '#ir-8_smt.c'
+                      rel: assessment-for
                 - id: ir-8_obj.d
                   name: assessment-objective
                   props:
@@ -26633,6 +29205,9 @@ catalog:
                           value: IR-08d.[01]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
                     - id: ir-8_obj.d-2
                       name: assessment-objective
                       props:
@@ -26640,6 +29215,12 @@ catalog:
                           value: IR-08d.[02]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.d'
+                      rel: assessment-for
                 - id: ir-8_obj.e
                   name: assessment-objective
                   props:
@@ -26654,6 +29235,9 @@ catalog:
                           value: IR-08e.[01]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
                     - id: ir-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -26661,6 +29245,15 @@ catalog:
                           value: IR-08e.[02]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized modification.
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ir-8_smt'
+                  rel: assessment-for
             - id: ir-8_asm-examine
               name: assessment-method
               props:
@@ -26925,6 +29518,9 @@ catalog:
                           value: MA-01a.[01]
                           class: sp800-53a
                       prose: a maintenance policy is developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -26932,6 +29528,9 @@ catalog:
                           value: MA-01a.[02]
                           class: sp800-53a
                       prose: 'the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -26939,6 +29538,9 @@ catalog:
                           value: MA-01a.[03]
                           class: sp800-53a
                       prose: maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -26946,6 +29548,9 @@ catalog:
                           value: MA-01a.[04]
                           class: sp800-53a
                       prose: 'the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -26967,6 +29572,9 @@ catalog:
                                   value: MA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -26974,6 +29582,9 @@ catalog:
                                   value: MA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -26981,6 +29592,9 @@ catalog:
                                   value: MA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -26988,6 +29602,9 @@ catalog:
                                   value: MA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -26995,6 +29612,9 @@ catalog:
                                   value: MA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -27002,6 +29622,9 @@ catalog:
                                   value: MA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -27009,6 +29632,12 @@ catalog:
                                   value: MA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ma-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ma-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -27016,6 +29645,15 @@ catalog:
                               value: MA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ma-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.a'
+                      rel: assessment-for
                 - id: ma-1_obj.b
                   name: assessment-objective
                   props:
@@ -27023,6 +29661,9 @@ catalog:
                       value: MA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;'
+                  links:
+                    - href: '#ma-1_smt.b'
+                      rel: assessment-for
                 - id: ma-1_obj.c
                   name: assessment-objective
                   props:
@@ -27044,6 +29685,9 @@ catalog:
                               value: MA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
                         - id: ma-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -27051,6 +29695,12 @@ catalog:
                               value: MA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.1'
+                          rel: assessment-for
                     - id: ma-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -27065,6 +29715,9 @@ catalog:
                               value: MA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
                         - id: ma-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -27072,6 +29725,18 @@ catalog:
                               value: MA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-1_smt'
+                  rel: assessment-for
             - id: ma-1_asm-examine
               name: assessment-method
               props:
@@ -27246,6 +29911,9 @@ catalog:
                           value: MA-02a.[01]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -27253,6 +29921,9 @@ catalog:
                           value: MA-02a.[02]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -27260,6 +29931,12 @@ catalog:
                           value: MA-02a.[03]
                           class: sp800-53a
                       prose: records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.a'
+                      rel: assessment-for
                 - id: ma-2_obj.b
                   name: assessment-objective
                   props:
@@ -27274,6 +29951,9 @@ catalog:
                           value: MA-02b.[01]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
                     - id: ma-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -27281,6 +29961,12 @@ catalog:
                           value: MA-02b.[02]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.b'
+                      rel: assessment-for
                 - id: ma-2_obj.c
                   name: assessment-objective
                   props:
@@ -27288,6 +29974,9 @@ catalog:
                       value: MA-02c.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.c'
+                      rel: assessment-for
                 - id: ma-2_obj.d
                   name: assessment-objective
                   props:
@@ -27295,6 +29984,9 @@ catalog:
                       value: MA-02d.
                       class: sp800-53a
                   prose: 'equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.d'
+                      rel: assessment-for
                 - id: ma-2_obj.e
                   name: assessment-objective
                   props:
@@ -27302,6 +29994,9 @@ catalog:
                       value: MA-02e.
                       class: sp800-53a
                   prose: all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
+                  links:
+                    - href: '#ma-2_smt.e'
+                      rel: assessment-for
                 - id: ma-2_obj.f
                   name: assessment-objective
                   props:
@@ -27309,6 +30004,12 @@ catalog:
                       value: MA-02f.
                       class: sp800-53a
                   prose: ' {{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.'
+                  links:
+                    - href: '#ma-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ma-2_smt'
+                  rel: assessment-for
             - id: ma-2_asm-examine
               name: assessment-method
               props:
@@ -27446,6 +30147,9 @@ catalog:
                           value: MA-03a.[01]
                           class: sp800-53a
                       prose: the use of system maintenance tools is approved;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -27453,6 +30157,9 @@ catalog:
                           value: MA-03a.[02]
                           class: sp800-53a
                       prose: the use of system maintenance tools is controlled;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-3
                       name: assessment-objective
                       props:
@@ -27460,6 +30167,12 @@ catalog:
                           value: MA-03a.[03]
                           class: sp800-53a
                       prose: the use of system maintenance tools is monitored;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3_smt.a'
+                      rel: assessment-for
                 - id: ma-3_obj.b
                   name: assessment-objective
                   props:
@@ -27467,6 +30180,12 @@ catalog:
                       value: MA-03b.
                       class: sp800-53a
                   prose: 'previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.'
+                  links:
+                    - href: '#ma-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ma-3_smt'
+                  rel: assessment-for
             - id: ma-3_asm-examine
               name: assessment-method
               props:
@@ -27554,6 +30273,9 @@ catalog:
                       value: MA-03(01)
                       class: sp800-53a
                   prose: maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.
+                  links:
+                    - href: '#ma-3.1_smt'
+                      rel: assessment-for
                 - id: ma-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -27642,6 +30364,9 @@ catalog:
                       value: MA-03(02)
                       class: sp800-53a
                   prose: media containing diagnostic and test programs are checked for malicious code before the media are used in the system.
+                  links:
+                    - href: '#ma-3.2_smt'
+                      rel: assessment-for
                 - id: ma-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -27771,6 +30496,9 @@ catalog:
                           value: MA-03(03)(a)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.a'
+                          rel: assessment-for
                     - id: ma-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -27778,6 +30506,9 @@ catalog:
                           value: MA-03(03)(b)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.b'
+                          rel: assessment-for
                     - id: ma-3.3_obj.c
                       name: assessment-objective
                       props:
@@ -27785,6 +30516,9 @@ catalog:
                           value: MA-03(03)(c)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
+                      links:
+                        - href: '#ma-3.3_smt.c'
+                          rel: assessment-for
                     - id: ma-3.3_obj.d
                       name: assessment-objective
                       props:
@@ -27792,6 +30526,12 @@ catalog:
                           value: MA-03(03)(d)
                           class: sp800-53a
                       prose: 'the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.'
+                      links:
+                        - href: '#ma-3.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3.3_smt'
+                      rel: assessment-for
                 - id: ma-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -27968,6 +30708,9 @@ catalog:
                           value: MA-04a.[01]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are approved;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
                     - id: ma-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -27975,6 +30718,12 @@ catalog:
                           value: MA-04a.[02]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are monitored;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.a'
+                      rel: assessment-for
                 - id: ma-4_obj.b
                   name: assessment-objective
                   props:
@@ -27989,6 +30738,9 @@ catalog:
                           value: MA-04b.[01]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
                     - id: ma-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -27996,6 +30748,12 @@ catalog:
                           value: MA-04b.[02]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.b'
+                      rel: assessment-for
                 - id: ma-4_obj.c
                   name: assessment-objective
                   props:
@@ -28003,6 +30761,9 @@ catalog:
                       value: MA-04c.
                       class: sp800-53a
                   prose: strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
+                  links:
+                    - href: '#ma-4_smt.c'
+                      rel: assessment-for
                 - id: ma-4_obj.d
                   name: assessment-objective
                   props:
@@ -28010,6 +30771,9 @@ catalog:
                       value: MA-04d.
                       class: sp800-53a
                   prose: records for nonlocal maintenance and diagnostic activities are maintained;
+                  links:
+                    - href: '#ma-4_smt.d'
+                      rel: assessment-for
                 - id: ma-4_obj.e
                   name: assessment-objective
                   props:
@@ -28024,6 +30788,9 @@ catalog:
                           value: MA-04e.[01]
                           class: sp800-53a
                       prose: session connections are terminated when nonlocal maintenance is completed;
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
                     - id: ma-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -28031,6 +30798,15 @@ catalog:
                           value: MA-04e.[02]
                           class: sp800-53a
                       prose: network connections are terminated when nonlocal maintenance is completed.
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ma-4_smt'
+                  rel: assessment-for
             - id: ma-4_asm-examine
               name: assessment-method
               props:
@@ -28185,6 +30961,9 @@ catalog:
                           value: MA-05a.[01]
                           class: sp800-53a
                       prose: a process for maintenance personnel authorization is established;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
                     - id: ma-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -28192,6 +30971,12 @@ catalog:
                           value: MA-05a.[02]
                           class: sp800-53a
                       prose: a list of authorized maintenance organizations or personnel is maintained;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5_smt.a'
+                      rel: assessment-for
                 - id: ma-5_obj.b
                   name: assessment-objective
                   props:
@@ -28199,6 +30984,9 @@ catalog:
                       value: MA-05b.
                       class: sp800-53a
                   prose: non-escorted personnel performing maintenance on the system possess the required access authorizations;
+                  links:
+                    - href: '#ma-5_smt.b'
+                      rel: assessment-for
                 - id: ma-5_obj.c
                   name: assessment-objective
                   props:
@@ -28206,6 +30994,12 @@ catalog:
                       value: MA-05c.
                       class: sp800-53a
                   prose: organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
+                  links:
+                    - href: '#ma-5_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-5_smt'
+                  rel: assessment-for
             - id: ma-5_asm-examine
               name: assessment-method
               props:
@@ -28333,6 +31127,9 @@ catalog:
                   value: MA-06
                   class: sp800-53a
               prose: 'maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.'
+              links:
+                - href: '#ma-6_smt'
+                  rel: assessment-for
             - id: ma-6_asm-examine
               name: assessment-method
               props:
@@ -28601,6 +31398,9 @@ catalog:
                           value: MP-01a.[01]
                           class: sp800-53a
                       prose: a media protection policy is developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -28608,6 +31408,9 @@ catalog:
                           value: MP-01a.[02]
                           class: sp800-53a
                       prose: 'the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -28615,6 +31418,9 @@ catalog:
                           value: MP-01a.[03]
                           class: sp800-53a
                       prose: media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -28622,6 +31428,9 @@ catalog:
                           value: MP-01a.[04]
                           class: sp800-53a
                       prose: 'the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -28643,6 +31452,9 @@ catalog:
                                   value: MP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -28650,6 +31462,9 @@ catalog:
                                   value: MP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -28657,6 +31472,9 @@ catalog:
                                   value: MP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -28664,6 +31482,9 @@ catalog:
                                   value: MP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -28671,6 +31492,9 @@ catalog:
                                   value: MP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -28678,6 +31502,9 @@ catalog:
                                   value: MP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -28685,6 +31512,12 @@ catalog:
                                   value: MP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#mp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: mp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -28692,6 +31525,15 @@ catalog:
                               value: MP-01a.01(b)
                               class: sp800-53a
                           prose: the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#mp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.a'
+                      rel: assessment-for
                 - id: mp-1_obj.b
                   name: assessment-objective
                   props:
@@ -28699,6 +31541,9 @@ catalog:
                       value: MP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.'
+                  links:
+                    - href: '#mp-1_smt.b'
+                      rel: assessment-for
                 - id: mp-1_obj.c
                   name: assessment-objective
                   props:
@@ -28720,6 +31565,9 @@ catalog:
                               value: MP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
                         - id: mp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -28727,6 +31575,12 @@ catalog:
                               value: MP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};'
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.1'
+                          rel: assessment-for
                     - id: mp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -28741,6 +31595,9 @@ catalog:
                               value: MP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
                         - id: mp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -28748,6 +31605,18 @@ catalog:
                               value: MP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.'
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#mp-1_smt'
+                  rel: assessment-for
             - id: mp-1_asm-examine
               name: assessment-method
               props:
@@ -28905,6 +31774,9 @@ catalog:
                       value: MP-02[01]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
                 - id: mp-2_obj-2
                   name: assessment-objective
                   props:
@@ -28912,6 +31784,12 @@ catalog:
                       value: MP-02[02]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#mp-2_smt'
+                  rel: assessment-for
             - id: mp-2_asm-examine
               name: assessment-method
               props:
@@ -29059,6 +31937,9 @@ catalog:
                       value: MP-03a.
                       class: sp800-53a
                   prose: system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
+                  links:
+                    - href: '#mp-3_smt.a'
+                      rel: assessment-for
                 - id: mp-3_obj.b
                   name: assessment-objective
                   props:
@@ -29066,6 +31947,12 @@ catalog:
                       value: MP-03b.
                       class: sp800-53a
                   prose: ' {{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.'
+                  links:
+                    - href: '#mp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-3_smt'
+                  rel: assessment-for
             - id: mp-3_asm-examine
               name: assessment-method
               props:
@@ -29293,6 +32180,9 @@ catalog:
                           value: MP-04a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.01 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -29300,6 +32190,9 @@ catalog:
                           value: MP-04a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.02 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -29307,6 +32200,9 @@ catalog:
                           value: MP-04a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -29314,6 +32210,12 @@ catalog:
                           value: MP-04a.[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-4_smt.a'
+                      rel: assessment-for
                 - id: mp-4_obj.b
                   name: assessment-objective
                   props:
@@ -29321,6 +32223,12 @@ catalog:
                       value: MP-04b.
                       class: sp800-53a
                   prose: system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
+                  links:
+                    - href: '#mp-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-4_smt'
+                  rel: assessment-for
             - id: mp-4_asm-examine
               name: assessment-method
               props:
@@ -29511,6 +32419,9 @@ catalog:
                           value: MP-05a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
                     - id: mp-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -29518,6 +32429,12 @@ catalog:
                           value: MP-05a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.a'
+                      rel: assessment-for
                 - id: mp-5_obj.b
                   name: assessment-objective
                   props:
@@ -29525,6 +32442,9 @@ catalog:
                       value: MP-05b.
                       class: sp800-53a
                   prose: accountability for system media is maintained during transport outside of controlled areas;
+                  links:
+                    - href: '#mp-5_smt.b'
+                      rel: assessment-for
                 - id: mp-5_obj.c
                   name: assessment-objective
                   props:
@@ -29532,6 +32452,9 @@ catalog:
                       value: MP-05c.
                       class: sp800-53a
                   prose: activities associated with the transport of system media are documented;
+                  links:
+                    - href: '#mp-5_smt.c'
+                      rel: assessment-for
                 - id: mp-5_obj.d
                   name: assessment-objective
                   props:
@@ -29546,6 +32469,9 @@ catalog:
                           value: MP-05d.[01]
                           class: sp800-53a
                       prose: personnel authorized to conduct media transport activities is/are identified;
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
                     - id: mp-5_obj.d-2
                       name: assessment-objective
                       props:
@@ -29553,6 +32479,15 @@ catalog:
                           value: MP-05d.[02]
                           class: sp800-53a
                       prose: activities associated with the transport of system media are restricted to identified authorized personnel.
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#mp-5_smt'
+                  rel: assessment-for
             - id: mp-5_asm-examine
               name: assessment-method
               props:
@@ -29786,6 +32721,9 @@ catalog:
                           value: MP-06a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -29793,6 +32731,9 @@ catalog:
                           value: MP-06a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-3
                       name: assessment-objective
                       props:
@@ -29800,6 +32741,12 @@ catalog:
                           value: MP-06a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6_smt.a'
+                      rel: assessment-for
                 - id: mp-6_obj.b
                   name: assessment-objective
                   props:
@@ -29807,6 +32754,12 @@ catalog:
                       value: MP-06b.
                       class: sp800-53a
                   prose: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
+                  links:
+                    - href: '#mp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-6_smt'
+                  rel: assessment-for
             - id: mp-6_asm-examine
               name: assessment-method
               props:
@@ -29982,6 +32935,9 @@ catalog:
                       value: MP-07a.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};'
+                  links:
+                    - href: '#mp-7_smt.a'
+                      rel: assessment-for
                 - id: mp-7_obj.b
                   name: assessment-objective
                   props:
@@ -29989,6 +32945,12 @@ catalog:
                       value: MP-07b.
                       class: sp800-53a
                   prose: the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
+                  links:
+                    - href: '#mp-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-7_smt'
+                  rel: assessment-for
             - id: mp-7_asm-examine
               name: assessment-method
               props:
@@ -30262,6 +33224,9 @@ catalog:
                           value: PE-01a.[01]
                           class: sp800-53a
                       prose: a physical and environmental protection policy is developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -30269,6 +33234,9 @@ catalog:
                           value: PE-01a.[02]
                           class: sp800-53a
                       prose: 'the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -30276,6 +33244,9 @@ catalog:
                           value: PE-01a.[03]
                           class: sp800-53a
                       prose: physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -30283,6 +33254,9 @@ catalog:
                           value: PE-01a.[04]
                           class: sp800-53a
                       prose: 'the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -30304,6 +33278,9 @@ catalog:
                                   value: PE-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -30311,6 +33288,9 @@ catalog:
                                   value: PE-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -30318,6 +33298,9 @@ catalog:
                                   value: PE-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -30325,6 +33308,9 @@ catalog:
                                   value: PE-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -30332,6 +33318,9 @@ catalog:
                                   value: PE-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -30339,6 +33328,9 @@ catalog:
                                   value: PE-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -30346,6 +33338,12 @@ catalog:
                                   value: PE-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pe-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pe-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -30353,6 +33351,15 @@ catalog:
                               value: PE-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pe-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.a'
+                      rel: assessment-for
                 - id: pe-1_obj.b
                   name: assessment-objective
                   props:
@@ -30360,6 +33367,9 @@ catalog:
                       value: PE-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;'
+                  links:
+                    - href: '#pe-1_smt.b'
+                      rel: assessment-for
                 - id: pe-1_obj.c
                   name: assessment-objective
                   props:
@@ -30381,6 +33391,9 @@ catalog:
                               value: PE-01c.01[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
                         - id: pe-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -30388,6 +33401,12 @@ catalog:
                               value: PE-01c.01[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.1'
+                          rel: assessment-for
                     - id: pe-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -30402,6 +33421,9 @@ catalog:
                               value: PE-01c.02[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
                         - id: pe-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -30409,6 +33431,18 @@ catalog:
                               value: PE-01c.02[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-1_smt'
+                  rel: assessment-for
             - id: pe-1_asm-examine
               name: assessment-method
               props:
@@ -30559,6 +33593,9 @@ catalog:
                           value: PE-02a.[01]
                           class: sp800-53a
                       prose: a list of individuals with authorized access to the facility where the system resides has been developed;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -30566,6 +33603,9 @@ catalog:
                           value: PE-02a.[02]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been approved;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -30573,6 +33613,12 @@ catalog:
                           value: PE-02a.[03]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been maintained;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-2_smt.a'
+                      rel: assessment-for
                 - id: pe-2_obj.b
                   name: assessment-objective
                   props:
@@ -30580,6 +33626,9 @@ catalog:
                       value: PE-02b.
                       class: sp800-53a
                   prose: authorization credentials are issued for facility access;
+                  links:
+                    - href: '#pe-2_smt.b'
+                      rel: assessment-for
                 - id: pe-2_obj.c
                   name: assessment-objective
                   props:
@@ -30587,6 +33636,9 @@ catalog:
                       value: PE-02c.
                       class: sp800-53a
                   prose: 'the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};'
+                  links:
+                    - href: '#pe-2_smt.c'
+                      rel: assessment-for
                 - id: pe-2_obj.d
                   name: assessment-objective
                   props:
@@ -30594,6 +33646,12 @@ catalog:
                       value: PE-02d.
                       class: sp800-53a
                   prose: individuals are removed from the facility access list when access is no longer required.
+                  links:
+                    - href: '#pe-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-2_smt'
+                  rel: assessment-for
             - id: pe-2_asm-examine
               name: assessment-method
               props:
@@ -30924,6 +33982,9 @@ catalog:
                           value: PE-03a.01
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;'
+                      links:
+                        - href: '#pe-3_smt.a.1'
+                          rel: assessment-for
                     - id: pe-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -30931,6 +33992,12 @@ catalog:
                           value: PE-03a.02
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};'
+                      links:
+                        - href: '#pe-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.a'
+                      rel: assessment-for
                 - id: pe-3_obj.b
                   name: assessment-objective
                   props:
@@ -30938,6 +34005,9 @@ catalog:
                       value: PE-03b.
                       class: sp800-53a
                   prose: 'physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};'
+                  links:
+                    - href: '#pe-3_smt.b'
+                      rel: assessment-for
                 - id: pe-3_obj.c
                   name: assessment-objective
                   props:
@@ -30945,6 +34015,9 @@ catalog:
                       value: PE-03c.
                       class: sp800-53a
                   prose: 'access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};'
+                  links:
+                    - href: '#pe-3_smt.c'
+                      rel: assessment-for
                 - id: pe-3_obj.d
                   name: assessment-objective
                   props:
@@ -30959,6 +34032,9 @@ catalog:
                           value: PE-03d.[01]
                           class: sp800-53a
                       prose: visitors are escorted;
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
                     - id: pe-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -30966,6 +34042,12 @@ catalog:
                           value: PE-03d.[02]
                           class: sp800-53a
                       prose: 'visitor activity is controlled {{ insert: param, pe-03_odp.06 }};'
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.d'
+                      rel: assessment-for
                 - id: pe-3_obj.e
                   name: assessment-objective
                   props:
@@ -30980,6 +34062,9 @@ catalog:
                           value: PE-03e.[01]
                           class: sp800-53a
                       prose: keys are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-2
                       name: assessment-objective
                       props:
@@ -30987,6 +34072,9 @@ catalog:
                           value: PE-03e.[02]
                           class: sp800-53a
                       prose: combinations are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-3
                       name: assessment-objective
                       props:
@@ -30994,6 +34082,12 @@ catalog:
                           value: PE-03e.[03]
                           class: sp800-53a
                       prose: other physical access devices are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.e'
+                      rel: assessment-for
                 - id: pe-3_obj.f
                   name: assessment-objective
                   props:
@@ -31001,6 +34095,9 @@ catalog:
                       value: PE-03f.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};'
+                  links:
+                    - href: '#pe-3_smt.f'
+                      rel: assessment-for
                 - id: pe-3_obj.g
                   name: assessment-objective
                   props:
@@ -31015,6 +34112,9 @@ catalog:
                           value: PE-03g.[01]
                           class: sp800-53a
                       prose: 'combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
                     - id: pe-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -31022,6 +34122,15 @@ catalog:
                           value: PE-03g.[02]
                           class: sp800-53a
                       prose: 'keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#pe-3_smt'
+                  rel: assessment-for
             - id: pe-3_asm-examine
               name: assessment-method
               props:
@@ -31157,6 +34266,9 @@ catalog:
                   value: PE-04
                   class: sp800-53a
               prose: 'physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.'
+              links:
+                - href: '#pe-4_smt'
+                  rel: assessment-for
             - id: pe-4_asm-examine
               name: assessment-method
               props:
@@ -31262,6 +34374,9 @@ catalog:
                   value: PE-05
                   class: sp800-53a
               prose: 'physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.'
+              links:
+                - href: '#pe-5_smt'
+                  rel: assessment-for
             - id: pe-5_asm-examine
               name: assessment-method
               props:
@@ -31416,6 +34531,9 @@ catalog:
                       value: PE-06a.
                       class: sp800-53a
                   prose: physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
+                  links:
+                    - href: '#pe-6_smt.a'
+                      rel: assessment-for
                 - id: pe-6_obj.b
                   name: assessment-objective
                   props:
@@ -31430,6 +34548,9 @@ catalog:
                           value: PE-06b.[01]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
                     - id: pe-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -31437,6 +34558,12 @@ catalog:
                           value: PE-06b.[02]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.b'
+                      rel: assessment-for
                 - id: pe-6_obj.c
                   name: assessment-objective
                   props:
@@ -31451,6 +34578,9 @@ catalog:
                           value: PE-06c.[01]
                           class: sp800-53a
                       prose: results of reviews are coordinated with organizational incident response capabilities;
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
                     - id: pe-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -31458,6 +34588,15 @@ catalog:
                           value: PE-06c.[02]
                           class: sp800-53a
                       prose: results of investigations are coordinated with organizational incident response capabilities.
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-6_smt'
+                  rel: assessment-for
             - id: pe-6_asm-examine
               name: assessment-method
               props:
@@ -31559,6 +34698,9 @@ catalog:
                           value: PE-06(01)[01]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical intrusion alarms;
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
                     - id: pe-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -31566,6 +34708,12 @@ catalog:
                           value: PE-06(01)[02]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical surveillance equipment.
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6.1_smt'
+                      rel: assessment-for
                 - id: pe-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -31725,6 +34873,9 @@ catalog:
                       value: PE-08a.
                       class: sp800-53a
                   prose: 'visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};'
+                  links:
+                    - href: '#pe-8_smt.a'
+                      rel: assessment-for
                 - id: pe-8_obj.b
                   name: assessment-objective
                   props:
@@ -31732,6 +34883,9 @@ catalog:
                       value: PE-08b.
                       class: sp800-53a
                   prose: 'visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};'
+                  links:
+                    - href: '#pe-8_smt.b'
+                      rel: assessment-for
                 - id: pe-8_obj.c
                   name: assessment-objective
                   props:
@@ -31739,6 +34893,12 @@ catalog:
                       value: PE-08c.
                       class: sp800-53a
                   prose: 'visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.'
+                  links:
+                    - href: '#pe-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-8_smt'
+                  rel: assessment-for
             - id: pe-8_asm-examine
               name: assessment-method
               props:
@@ -31836,6 +34996,9 @@ catalog:
                       value: PE-09[01]
                       class: sp800-53a
                   prose: power equipment for the system is protected from damage and destruction;
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
                 - id: pe-9_obj-2
                   name: assessment-objective
                   props:
@@ -31843,6 +35006,12 @@ catalog:
                       value: PE-09[02]
                       class: sp800-53a
                   prose: power cabling for the system is protected from damage and destruction.
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-9_smt'
+                  rel: assessment-for
             - id: pe-9_asm-examine
               name: assessment-method
               props:
@@ -31971,6 +35140,9 @@ catalog:
                       value: PE-10a.
                       class: sp800-53a
                   prose: 'the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;'
+                  links:
+                    - href: '#pe-10_smt.a'
+                      rel: assessment-for
                 - id: pe-10_obj.b
                   name: assessment-objective
                   props:
@@ -31978,6 +35150,9 @@ catalog:
                       value: PE-10b.
                       class: sp800-53a
                   prose: 'emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;'
+                  links:
+                    - href: '#pe-10_smt.b'
+                      rel: assessment-for
                 - id: pe-10_obj.c
                   name: assessment-objective
                   props:
@@ -31985,6 +35160,12 @@ catalog:
                       value: PE-10c.
                       class: sp800-53a
                   prose: the emergency power shutoff capability is protected from unauthorized activation.
+                  links:
+                    - href: '#pe-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-10_smt'
+                  rel: assessment-for
             - id: pe-10_asm-examine
               name: assessment-method
               props:
@@ -32084,6 +35265,9 @@ catalog:
                   value: PE-11
                   class: sp800-53a
               prose: 'an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.'
+              links:
+                - href: '#pe-11_smt'
+                  rel: assessment-for
             - id: pe-11_asm-examine
               name: assessment-method
               props:
@@ -32179,6 +35363,9 @@ catalog:
                       value: PE-12[01]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-2
                   name: assessment-objective
                   props:
@@ -32186,6 +35373,9 @@ catalog:
                       value: PE-12[02]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-3
                   name: assessment-objective
                   props:
@@ -32193,6 +35383,9 @@ catalog:
                       value: PE-12[03]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers emergency exits within the facility;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-4
                   name: assessment-objective
                   props:
@@ -32200,6 +35393,12 @@ catalog:
                       value: PE-12[04]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers evacuation routes within the facility.
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-12_smt'
+                  rel: assessment-for
             - id: pe-12_asm-examine
               name: assessment-method
               props:
@@ -32290,6 +35489,9 @@ catalog:
                       value: PE-13[01]
                       class: sp800-53a
                   prose: fire detection systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-2
                   name: assessment-objective
                   props:
@@ -32297,6 +35499,9 @@ catalog:
                       value: PE-13[02]
                       class: sp800-53a
                   prose: employed fire detection systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-3
                   name: assessment-objective
                   props:
@@ -32304,6 +35509,9 @@ catalog:
                       value: PE-13[03]
                       class: sp800-53a
                   prose: employed fire detection systems are maintained;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-4
                   name: assessment-objective
                   props:
@@ -32311,6 +35519,9 @@ catalog:
                       value: PE-13[04]
                       class: sp800-53a
                   prose: fire suppression systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-5
                   name: assessment-objective
                   props:
@@ -32318,6 +35529,9 @@ catalog:
                       value: PE-13[05]
                       class: sp800-53a
                   prose: employed fire suppression systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-6
                   name: assessment-objective
                   props:
@@ -32325,6 +35539,12 @@ catalog:
                       value: PE-13[06]
                       class: sp800-53a
                   prose: employed fire suppression systems are maintained.
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-13_smt'
+                  rel: assessment-for
             - id: pe-13_asm-examine
               name: assessment-method
               props:
@@ -32437,6 +35657,9 @@ catalog:
                           value: PE-13(01)[01]
                           class: sp800-53a
                       prose: fire detection systems that activate automatically are employed in the event of a fire;
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-2
                       name: assessment-objective
                       props:
@@ -32444,6 +35667,9 @@ catalog:
                           value: PE-13(01)[02]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-3
                       name: assessment-objective
                       props:
@@ -32451,6 +35677,12 @@ catalog:
                           value: PE-13(01)[03]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.1_smt'
+                      rel: assessment-for
                 - id: pe-13.1_asm-examine
                   name: assessment-method
                   props:
@@ -32612,6 +35844,9 @@ catalog:
                       value: PE-14a.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;'
+                  links:
+                    - href: '#pe-14_smt.a'
+                      rel: assessment-for
                 - id: pe-14_obj.b
                   name: assessment-objective
                   props:
@@ -32619,6 +35854,12 @@ catalog:
                       value: PE-14b.
                       class: sp800-53a
                   prose: 'environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.'
+                  links:
+                    - href: '#pe-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-14_smt'
+                  rel: assessment-for
             - id: pe-14_asm-examine
               name: assessment-method
               props:
@@ -32713,6 +35954,9 @@ catalog:
                       value: PE-15[01]
                       class: sp800-53a
                   prose: the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-2
                   name: assessment-objective
                   props:
@@ -32720,6 +35964,9 @@ catalog:
                       value: PE-15[02]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are accessible;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-3
                   name: assessment-objective
                   props:
@@ -32727,6 +35974,9 @@ catalog:
                       value: PE-15[03]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are working properly;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-4
                   name: assessment-objective
                   props:
@@ -32734,6 +35984,12 @@ catalog:
                       value: PE-15[04]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are known to key personnel.
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-15_smt'
+                  rel: assessment-for
             - id: pe-15_asm-examine
               name: assessment-method
               props:
@@ -32892,6 +36148,9 @@ catalog:
                           value: PE-16a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-2
                       name: assessment-objective
                       props:
@@ -32899,6 +36158,9 @@ catalog:
                           value: PE-16a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-3
                       name: assessment-objective
                       props:
@@ -32906,6 +36168,9 @@ catalog:
                           value: PE-16a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-4
                       name: assessment-objective
                       props:
@@ -32913,6 +36178,12 @@ catalog:
                           value: PE-16a.[04]
                           class: sp800-53a
                       prose: ' {{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-16_smt.a'
+                      rel: assessment-for
                 - id: pe-16_obj.b
                   name: assessment-objective
                   props:
@@ -32920,6 +36191,12 @@ catalog:
                       value: PE-16b.
                       class: sp800-53a
                   prose: records of the system components are maintained.
+                  links:
+                    - href: '#pe-16_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-16_smt'
+                  rel: assessment-for
             - id: pe-16_asm-examine
               name: assessment-method
               props:
@@ -33062,6 +36339,9 @@ catalog:
                       value: PE-17a.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-17_odp.01 }} are determined and documented;'
+                  links:
+                    - href: '#pe-17_smt.a'
+                      rel: assessment-for
                 - id: pe-17_obj.b
                   name: assessment-objective
                   props:
@@ -33069,6 +36349,9 @@ catalog:
                       value: PE-17b.
                       class: sp800-53a
                   prose: ' {{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;'
+                  links:
+                    - href: '#pe-17_smt.b'
+                      rel: assessment-for
                 - id: pe-17_obj.c
                   name: assessment-objective
                   props:
@@ -33076,6 +36359,9 @@ catalog:
                       value: PE-17c.
                       class: sp800-53a
                   prose: the effectiveness of controls at alternate work sites is assessed;
+                  links:
+                    - href: '#pe-17_smt.c'
+                      rel: assessment-for
                 - id: pe-17_obj.d
                   name: assessment-objective
                   props:
@@ -33083,6 +36369,12 @@ catalog:
                       value: PE-17d.
                       class: sp800-53a
                   prose: a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
+                  links:
+                    - href: '#pe-17_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-17_smt'
+                  rel: assessment-for
             - id: pe-17_asm-examine
               name: assessment-method
               props:
@@ -33360,6 +36652,9 @@ catalog:
                           value: PL-01a.[01]
                           class: sp800-53a
                       prose: a planning policy is developed and documented.
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -33367,6 +36662,9 @@ catalog:
                           value: PL-01a.[02]
                           class: sp800-53a
                       prose: 'the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -33374,6 +36672,9 @@ catalog:
                           value: PL-01a.[03]
                           class: sp800-53a
                       prose: planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -33381,6 +36682,9 @@ catalog:
                           value: PL-01a.[04]
                           class: sp800-53a
                       prose: 'the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -33402,6 +36706,9 @@ catalog:
                                   value: PL-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -33409,6 +36716,9 @@ catalog:
                                   value: PL-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -33416,6 +36726,9 @@ catalog:
                                   value: PL-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -33423,6 +36736,9 @@ catalog:
                                   value: PL-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -33430,6 +36746,9 @@ catalog:
                                   value: PL-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -33437,6 +36756,9 @@ catalog:
                                   value: PL-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -33444,6 +36766,12 @@ catalog:
                                   value: PL-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pl-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pl-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -33451,6 +36779,15 @@ catalog:
                               value: PL-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pl-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.a'
+                      rel: assessment-for
                 - id: pl-1_obj.b
                   name: assessment-objective
                   props:
@@ -33458,6 +36795,9 @@ catalog:
                       value: PL-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;'
+                  links:
+                    - href: '#pl-1_smt.b'
+                      rel: assessment-for
                 - id: pl-1_obj.c
                   name: assessment-objective
                   props:
@@ -33479,6 +36819,9 @@ catalog:
                               value: PL-01c.01[01]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
                         - id: pl-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -33486,6 +36829,12 @@ catalog:
                               value: PL-01c.01[02]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.1'
+                          rel: assessment-for
                     - id: pl-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -33500,6 +36849,9 @@ catalog:
                               value: PL-01c.02[01]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
                         - id: pl-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -33507,6 +36859,18 @@ catalog:
                               value: PL-01c.02[02]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-1_smt'
+                  rel: assessment-for
             - id: pl-1_asm-examine
               name: assessment-method
               props:
@@ -33837,6 +37201,9 @@ catalog:
                               value: PL-02a.01[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
                         - id: pl-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -33844,6 +37211,12 @@ catalog:
                               value: PL-02a.01[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.1'
+                          rel: assessment-for
                     - id: pl-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -33858,6 +37231,9 @@ catalog:
                               value: PL-02a.02[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
                         - id: pl-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -33865,6 +37241,12 @@ catalog:
                               value: PL-02a.02[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.2'
+                          rel: assessment-for
                     - id: pl-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -33879,6 +37261,9 @@ catalog:
                               value: PL-02a.03[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
                         - id: pl-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -33886,6 +37271,12 @@ catalog:
                               value: PL-02a.03[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.3'
+                          rel: assessment-for
                     - id: pl-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -33900,6 +37291,9 @@ catalog:
                               value: PL-02a.04[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
                         - id: pl-2_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -33907,6 +37301,12 @@ catalog:
                               value: PL-02a.04[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.4'
+                          rel: assessment-for
                     - id: pl-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -33921,6 +37321,9 @@ catalog:
                               value: PL-02a.05[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
                         - id: pl-2_obj.a.5-2
                           name: assessment-objective
                           props:
@@ -33928,6 +37331,12 @@ catalog:
                               value: PL-02a.05[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.5'
+                          rel: assessment-for
                     - id: pl-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -33942,6 +37351,9 @@ catalog:
                               value: PL-02a.06[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
                         - id: pl-2_obj.a.6-2
                           name: assessment-objective
                           props:
@@ -33949,6 +37361,12 @@ catalog:
                               value: PL-02a.06[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.6'
+                          rel: assessment-for
                     - id: pl-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -33963,6 +37381,9 @@ catalog:
                               value: PL-02a.07[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
                         - id: pl-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -33970,6 +37391,12 @@ catalog:
                               value: PL-02a.07[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.7'
+                          rel: assessment-for
                     - id: pl-2_obj.a.8
                       name: assessment-objective
                       props:
@@ -33984,6 +37411,9 @@ catalog:
                               value: PL-02a.08[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
                         - id: pl-2_obj.a.8-2
                           name: assessment-objective
                           props:
@@ -33991,6 +37421,12 @@ catalog:
                               value: PL-02a.08[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.8'
+                          rel: assessment-for
                     - id: pl-2_obj.a.9
                       name: assessment-objective
                       props:
@@ -34005,6 +37441,9 @@ catalog:
                               value: PL-02a.09[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
                         - id: pl-2_obj.a.9-2
                           name: assessment-objective
                           props:
@@ -34012,6 +37451,12 @@ catalog:
                               value: PL-02a.09[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.9'
+                          rel: assessment-for
                     - id: pl-2_obj.a.10
                       name: assessment-objective
                       props:
@@ -34026,6 +37471,9 @@ catalog:
                               value: PL-02a.10[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides an overview of the security requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
                         - id: pl-2_obj.a.10-2
                           name: assessment-objective
                           props:
@@ -34033,6 +37481,12 @@ catalog:
                               value: PL-02a.10[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.10'
+                          rel: assessment-for
                     - id: pl-2_obj.a.11
                       name: assessment-objective
                       props:
@@ -34047,6 +37501,9 @@ catalog:
                               value: PL-02a.11[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
                         - id: pl-2_obj.a.11-2
                           name: assessment-objective
                           props:
@@ -34054,6 +37511,12 @@ catalog:
                               value: PL-02a.11[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.11'
+                          rel: assessment-for
                     - id: pl-2_obj.a.12
                       name: assessment-objective
                       props:
@@ -34068,6 +37531,9 @@ catalog:
                               value: PL-02a.12[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
                         - id: pl-2_obj.a.12-2
                           name: assessment-objective
                           props:
@@ -34075,6 +37541,12 @@ catalog:
                               value: PL-02a.12[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.12'
+                          rel: assessment-for
                     - id: pl-2_obj.a.13
                       name: assessment-objective
                       props:
@@ -34089,6 +37561,9 @@ catalog:
                               value: PL-02a.13[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
                         - id: pl-2_obj.a.13-2
                           name: assessment-objective
                           props:
@@ -34096,6 +37571,12 @@ catalog:
                               value: PL-02a.13[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.13'
+                          rel: assessment-for
                     - id: pl-2_obj.a.14
                       name: assessment-objective
                       props:
@@ -34110,6 +37591,9 @@ catalog:
                               value: PL-02a.14[01]
                               class: sp800-53a
                           prose: 'a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
                         - id: pl-2_obj.a.14-2
                           name: assessment-objective
                           props:
@@ -34117,6 +37601,12 @@ catalog:
                               value: PL-02a.14[02]
                               class: sp800-53a
                           prose: 'a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.14'
+                          rel: assessment-for
                     - id: pl-2_obj.a.15
                       name: assessment-objective
                       props:
@@ -34131,6 +37621,9 @@ catalog:
                               value: PL-02a.15[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
                         - id: pl-2_obj.a.15-2
                           name: assessment-objective
                           props:
@@ -34138,6 +37631,15 @@ catalog:
                               value: PL-02a.15[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.15'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.a'
+                      rel: assessment-for
                 - id: pl-2_obj.b
                   name: assessment-objective
                   props:
@@ -34152,6 +37654,9 @@ catalog:
                           value: PL-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
                     - id: pl-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -34159,6 +37664,12 @@ catalog:
                           value: PL-02b.[02]
                           class: sp800-53a
                       prose: 'subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.b'
+                      rel: assessment-for
                 - id: pl-2_obj.c
                   name: assessment-objective
                   props:
@@ -34166,6 +37677,9 @@ catalog:
                       value: PL-02c.
                       class: sp800-53a
                   prose: 'plans are reviewed {{ insert: param, pl-02_odp.03 }};'
+                  links:
+                    - href: '#pl-2_smt.c'
+                      rel: assessment-for
                 - id: pl-2_obj.d
                   name: assessment-objective
                   props:
@@ -34180,6 +37694,9 @@ catalog:
                           value: PL-02d.[01]
                           class: sp800-53a
                       prose: plans are updated to address changes to the system and environment of operations;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -34187,6 +37704,9 @@ catalog:
                           value: PL-02d.[02]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during the plan implementation;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-3
                       name: assessment-objective
                       props:
@@ -34194,6 +37714,12 @@ catalog:
                           value: PL-02d.[03]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during control assessments;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.d'
+                      rel: assessment-for
                 - id: pl-2_obj.e
                   name: assessment-objective
                   props:
@@ -34208,6 +37734,9 @@ catalog:
                           value: PL-02e.[01]
                           class: sp800-53a
                       prose: plans are protected from unauthorized disclosure;
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
                     - id: pl-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -34215,6 +37744,15 @@ catalog:
                           value: PL-02e.[02]
                           class: sp800-53a
                       prose: plans are protected from unauthorized modification.
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pl-2_smt'
+                  rel: assessment-for
             - id: pl-2_asm-examine
               name: assessment-method
               props:
@@ -34427,6 +37965,9 @@ catalog:
                           value: PL-04a.[01]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
                     - id: pl-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -34434,6 +37975,12 @@ catalog:
                           value: PL-04a.[02]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4_smt.a'
+                      rel: assessment-for
                 - id: pl-4_obj.b
                   name: assessment-objective
                   props:
@@ -34441,6 +37988,9 @@ catalog:
                       value: PL-04b.
                       class: sp800-53a
                   prose: before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+                  links:
+                    - href: '#pl-4_smt.b'
+                      rel: assessment-for
                 - id: pl-4_obj.c
                   name: assessment-objective
                   props:
@@ -34448,6 +37998,9 @@ catalog:
                       value: PL-04c.
                       class: sp800-53a
                   prose: 'rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};'
+                  links:
+                    - href: '#pl-4_smt.c'
+                      rel: assessment-for
                 - id: pl-4_obj.d
                   name: assessment-objective
                   props:
@@ -34455,6 +38008,12 @@ catalog:
                       value: PL-04d.
                       class: sp800-53a
                   prose: 'individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.'
+                  links:
+                    - href: '#pl-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pl-4_smt'
+                  rel: assessment-for
             - id: pl-4_asm-examine
               name: assessment-method
               props:
@@ -34577,6 +38136,9 @@ catalog:
                           value: PL-04(01)(a)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+                      links:
+                        - href: '#pl-4.1_smt.a'
+                          rel: assessment-for
                     - id: pl-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -34584,6 +38146,9 @@ catalog:
                           value: PL-04(01)(b)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on posting organizational information on public websites;
+                      links:
+                        - href: '#pl-4.1_smt.b'
+                          rel: assessment-for
                     - id: pl-4.1_obj.c
                       name: assessment-objective
                       props:
@@ -34591,6 +38156,12 @@ catalog:
                           value: PL-04(01)(c)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+                      links:
+                        - href: '#pl-4.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4.1_smt'
+                      rel: assessment-for
                 - id: pl-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -34785,6 +38356,9 @@ catalog:
                           value: PL-08a.01
                           class: sp800-53a
                       prose: a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+                      links:
+                        - href: '#pl-8_smt.a.1'
+                          rel: assessment-for
                     - id: pl-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -34792,6 +38366,9 @@ catalog:
                           value: PL-08a.02
                           class: sp800-53a
                       prose: a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+                      links:
+                        - href: '#pl-8_smt.a.2'
+                          rel: assessment-for
                     - id: pl-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -34806,6 +38383,9 @@ catalog:
                               value: PL-08a.03[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
                         - id: pl-8_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -34813,6 +38393,12 @@ catalog:
                               value: PL-08a.03[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.3'
+                          rel: assessment-for
                     - id: pl-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -34827,6 +38413,9 @@ catalog:
                               value: PL-08a.04[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
                         - id: pl-8_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -34834,6 +38423,15 @@ catalog:
                               value: PL-08a.04[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.a'
+                      rel: assessment-for
                 - id: pl-8_obj.b
                   name: assessment-objective
                   props:
@@ -34841,6 +38439,9 @@ catalog:
                       value: PL-08b.
                       class: sp800-53a
                   prose: 'changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;'
+                  links:
+                    - href: '#pl-8_smt.b'
+                      rel: assessment-for
                 - id: pl-8_obj.c
                   name: assessment-objective
                   props:
@@ -34855,6 +38456,9 @@ catalog:
                           value: PL-08c.[01]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the security plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-2
                       name: assessment-objective
                       props:
@@ -34862,6 +38466,9 @@ catalog:
                           value: PL-08c.[02]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the privacy plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-3
                       name: assessment-objective
                       props:
@@ -34869,6 +38476,9 @@ catalog:
                           value: PL-08c.[03]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the Concept of Operations (CONOPS);
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-4
                       name: assessment-objective
                       props:
@@ -34876,6 +38486,9 @@ catalog:
                           value: PL-08c.[04]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in criticality analysis;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-5
                       name: assessment-objective
                       props:
@@ -34883,6 +38496,9 @@ catalog:
                           value: PL-08c.[05]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in organizational procedures;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-6
                       name: assessment-objective
                       props:
@@ -34890,6 +38506,15 @@ catalog:
                           value: PL-08c.[06]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in procurements and acquisitions.
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-8_smt'
+                  rel: assessment-for
             - id: pl-8_asm-examine
               name: assessment-method
               props:
@@ -35012,6 +38637,9 @@ catalog:
                   value: PL-10
                   class: sp800-53a
               prose: a control baseline for the system is selected.
+              links:
+                - href: '#pl-10_smt'
+                  rel: assessment-for
             - id: pl-10_asm-examine
               name: assessment-method
               props:
@@ -35137,6 +38765,9 @@ catalog:
                   value: PL-11
                   class: sp800-53a
               prose: the selected control baseline is tailored by applying specified tailoring actions.
+              links:
+                - href: '#pl-11_smt'
+                  rel: assessment-for
             - id: pl-11_asm-examine
               name: assessment-method
               props:
@@ -35411,6 +39042,9 @@ catalog:
                           value: PS-01a.[01]
                           class: sp800-53a
                       prose: a personnel security policy is developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -35418,6 +39052,9 @@ catalog:
                           value: PS-01a.[02]
                           class: sp800-53a
                       prose: 'the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -35425,6 +39062,9 @@ catalog:
                           value: PS-01a.[03]
                           class: sp800-53a
                       prose: personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -35432,6 +39072,9 @@ catalog:
                           value: PS-01a.[04]
                           class: sp800-53a
                       prose: 'the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -35453,6 +39096,9 @@ catalog:
                                   value: PS-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -35460,6 +39106,9 @@ catalog:
                                   value: PS-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -35467,6 +39116,9 @@ catalog:
                                   value: PS-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -35474,6 +39126,9 @@ catalog:
                                   value: PS-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -35481,6 +39136,9 @@ catalog:
                                   value: PS-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -35488,6 +39146,9 @@ catalog:
                                   value: PS-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -35495,6 +39156,12 @@ catalog:
                                   value: PS-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ps-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ps-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -35502,6 +39169,15 @@ catalog:
                               value: PS-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ps-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.a'
+                      rel: assessment-for
                 - id: ps-1_obj.b
                   name: assessment-objective
                   props:
@@ -35509,6 +39185,9 @@ catalog:
                       value: PS-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;'
+                  links:
+                    - href: '#ps-1_smt.b'
+                      rel: assessment-for
                 - id: ps-1_obj.c
                   name: assessment-objective
                   props:
@@ -35530,6 +39209,9 @@ catalog:
                               value: PS-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
                         - id: ps-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -35537,6 +39219,12 @@ catalog:
                               value: PS-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.1'
+                          rel: assessment-for
                     - id: ps-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -35551,6 +39239,9 @@ catalog:
                               value: PS-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
                         - id: ps-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -35558,6 +39249,18 @@ catalog:
                               value: PS-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-1_smt'
+                  rel: assessment-for
             - id: ps-1_asm-examine
               name: assessment-method
               props:
@@ -35687,6 +39390,9 @@ catalog:
                       value: PS-02a.
                       class: sp800-53a
                   prose: a risk designation is assigned to all organizational positions;
+                  links:
+                    - href: '#ps-2_smt.a'
+                      rel: assessment-for
                 - id: ps-2_obj.b
                   name: assessment-objective
                   props:
@@ -35694,6 +39400,9 @@ catalog:
                       value: PS-02b.
                       class: sp800-53a
                   prose: screening criteria are established for individuals filling organizational positions;
+                  links:
+                    - href: '#ps-2_smt.b'
+                      rel: assessment-for
                 - id: ps-2_obj.c
                   name: assessment-objective
                   props:
@@ -35701,6 +39410,12 @@ catalog:
                       value: PS-02c.
                       class: sp800-53a
                   prose: 'position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.'
+                  links:
+                    - href: '#ps-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-2_smt'
+                  rel: assessment-for
             - id: ps-2_asm-examine
               name: assessment-method
               props:
@@ -35866,6 +39581,9 @@ catalog:
                       value: PS-03a.
                       class: sp800-53a
                   prose: individuals are screened prior to authorizing access to the system;
+                  links:
+                    - href: '#ps-3_smt.a'
+                      rel: assessment-for
                 - id: ps-3_obj.b
                   name: assessment-objective
                   props:
@@ -35880,6 +39598,9 @@ catalog:
                           value: PS-03b.[01]
                           class: sp800-53a
                       prose: 'individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
                     - id: ps-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -35887,6 +39608,15 @@ catalog:
                           value: PS-03b.[02]
                           class: sp800-53a
                       prose: 'where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-3_smt'
+                  rel: assessment-for
             - id: ps-3_asm-examine
               name: assessment-method
               props:
@@ -36035,6 +39765,9 @@ catalog:
                       value: PS-04a.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};'
+                  links:
+                    - href: '#ps-4_smt.a'
+                      rel: assessment-for
                 - id: ps-4_obj.b
                   name: assessment-objective
                   props:
@@ -36042,6 +39775,9 @@ catalog:
                       value: PS-04b.
                       class: sp800-53a
                   prose: upon termination of individual employment, any authenticators and credentials are terminated or revoked;
+                  links:
+                    - href: '#ps-4_smt.b'
+                      rel: assessment-for
                 - id: ps-4_obj.c
                   name: assessment-objective
                   props:
@@ -36049,6 +39785,9 @@ catalog:
                       value: PS-04c.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;'
+                  links:
+                    - href: '#ps-4_smt.c'
+                      rel: assessment-for
                 - id: ps-4_obj.d
                   name: assessment-objective
                   props:
@@ -36056,6 +39795,9 @@ catalog:
                       value: PS-04d.
                       class: sp800-53a
                   prose: upon termination of individual employment, all security-related organizational system-related property is retrieved;
+                  links:
+                    - href: '#ps-4_smt.d'
+                      rel: assessment-for
                 - id: ps-4_obj.e
                   name: assessment-objective
                   props:
@@ -36063,6 +39805,12 @@ catalog:
                       value: PS-04e.
                       class: sp800-53a
                   prose: upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.
+                  links:
+                    - href: '#ps-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-4_smt'
+                  rel: assessment-for
             - id: ps-4_asm-examine
               name: assessment-method
               props:
@@ -36239,6 +39987,9 @@ catalog:
                       value: PS-05a.
                       class: sp800-53a
                   prose: the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;
+                  links:
+                    - href: '#ps-5_smt.a'
+                      rel: assessment-for
                 - id: ps-5_obj.b
                   name: assessment-objective
                   props:
@@ -36246,6 +39997,9 @@ catalog:
                       value: PS-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};'
+                  links:
+                    - href: '#ps-5_smt.b'
+                      rel: assessment-for
                 - id: ps-5_obj.c
                   name: assessment-objective
                   props:
@@ -36253,6 +40007,9 @@ catalog:
                       value: PS-05c.
                       class: sp800-53a
                   prose: access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;
+                  links:
+                    - href: '#ps-5_smt.c'
+                      rel: assessment-for
                 - id: ps-5_obj.d
                   name: assessment-objective
                   props:
@@ -36260,6 +40017,12 @@ catalog:
                       value: PS-05d.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.'
+                  links:
+                    - href: '#ps-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ps-5_smt'
+                  rel: assessment-for
             - id: ps-5_asm-examine
               name: assessment-method
               props:
@@ -36430,6 +40193,9 @@ catalog:
                       value: PS-06a.
                       class: sp800-53a
                   prose: access agreements are developed and documented for organizational systems;
+                  links:
+                    - href: '#ps-6_smt.a'
+                      rel: assessment-for
                 - id: ps-6_obj.b
                   name: assessment-objective
                   props:
@@ -36437,6 +40203,9 @@ catalog:
                       value: PS-06b.
                       class: sp800-53a
                   prose: 'the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};'
+                  links:
+                    - href: '#ps-6_smt.b'
+                      rel: assessment-for
                 - id: ps-6_obj.c
                   name: assessment-objective
                   props:
@@ -36451,6 +40220,9 @@ catalog:
                           value: PS-06c.01
                           class: sp800-53a
                       prose: individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+                      links:
+                        - href: '#ps-6_smt.c.1'
+                          rel: assessment-for
                     - id: ps-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -36458,6 +40230,15 @@ catalog:
                           value: PS-06c.02
                           class: sp800-53a
                       prose: 'individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.'
+                      links:
+                        - href: '#ps-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-6_smt'
+                  rel: assessment-for
             - id: ps-6_asm-examine
               name: assessment-method
               props:
@@ -36639,6 +40420,9 @@ catalog:
                       value: PS-07a.
                       class: sp800-53a
                   prose: personnel security requirements are established, including security roles and responsibilities for external providers;
+                  links:
+                    - href: '#ps-7_smt.a'
+                      rel: assessment-for
                 - id: ps-7_obj.b
                   name: assessment-objective
                   props:
@@ -36646,6 +40430,9 @@ catalog:
                       value: PS-07b.
                       class: sp800-53a
                   prose: external providers are required to comply with personnel security policies and procedures established by the organization;
+                  links:
+                    - href: '#ps-7_smt.b'
+                      rel: assessment-for
                 - id: ps-7_obj.c
                   name: assessment-objective
                   props:
@@ -36653,6 +40440,9 @@ catalog:
                       value: PS-07c.
                       class: sp800-53a
                   prose: personnel security requirements are documented;
+                  links:
+                    - href: '#ps-7_smt.c'
+                      rel: assessment-for
                 - id: ps-7_obj.d
                   name: assessment-objective
                   props:
@@ -36660,6 +40450,9 @@ catalog:
                       value: PS-07d.
                       class: sp800-53a
                   prose: 'external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};'
+                  links:
+                    - href: '#ps-7_smt.d'
+                      rel: assessment-for
                 - id: ps-7_obj.e
                   name: assessment-objective
                   props:
@@ -36667,6 +40460,12 @@ catalog:
                       value: PS-07e.
                       class: sp800-53a
                   prose: provider compliance with personnel security requirements is monitored.
+                  links:
+                    - href: '#ps-7_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-7_smt'
+                  rel: assessment-for
             - id: ps-7_asm-examine
               name: assessment-method
               props:
@@ -36807,6 +40606,9 @@ catalog:
                       value: PS-08a.
                       class: sp800-53a
                   prose: a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;
+                  links:
+                    - href: '#ps-8_smt.a'
+                      rel: assessment-for
                 - id: ps-8_obj.b
                   name: assessment-objective
                   props:
@@ -36814,6 +40616,12 @@ catalog:
                       value: PS-08b.
                       class: sp800-53a
                   prose: ' {{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.'
+                  links:
+                    - href: '#ps-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-8_smt'
+                  rel: assessment-for
             - id: ps-8_asm-examine
               name: assessment-method
               props:
@@ -36915,6 +40723,9 @@ catalog:
                       value: PS-09[01]
                       class: sp800-53a
                   prose: security roles and responsibilities are incorporated into organizational position descriptions;
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
                 - id: ps-9_obj-2
                   name: assessment-objective
                   props:
@@ -36922,6 +40733,12 @@ catalog:
                       value: PS-09[02]
                       class: sp800-53a
                   prose: privacy roles and responsibilities are incorporated into organizational position descriptions.
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ps-9_smt'
+                  rel: assessment-for
             - id: ps-9_asm-examine
               name: assessment-method
               props:
@@ -37190,6 +41007,9 @@ catalog:
                           value: RA-01a.[01]
                           class: sp800-53a
                       prose: a risk assessment policy is developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -37197,6 +41017,9 @@ catalog:
                           value: RA-01a.[02]
                           class: sp800-53a
                       prose: 'the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -37204,6 +41027,9 @@ catalog:
                           value: RA-01a.[03]
                           class: sp800-53a
                       prose: risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -37211,6 +41037,9 @@ catalog:
                           value: RA-01a.[04]
                           class: sp800-53a
                       prose: 'the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -37232,6 +41061,9 @@ catalog:
                                   value: RA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -37239,6 +41071,9 @@ catalog:
                                   value: RA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -37246,6 +41081,9 @@ catalog:
                                   value: RA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -37253,6 +41091,9 @@ catalog:
                                   value: RA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -37260,6 +41101,9 @@ catalog:
                                   value: RA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -37267,6 +41111,9 @@ catalog:
                                   value: RA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -37274,6 +41121,12 @@ catalog:
                                   value: RA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ra-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ra-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -37281,6 +41134,15 @@ catalog:
                               value: RA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ra-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.a'
+                      rel: assessment-for
                 - id: ra-1_obj.b
                   name: assessment-objective
                   props:
@@ -37288,6 +41150,9 @@ catalog:
                       value: RA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;'
+                  links:
+                    - href: '#ra-1_smt.b'
+                      rel: assessment-for
                 - id: ra-1_obj.c
                   name: assessment-objective
                   props:
@@ -37309,6 +41174,9 @@ catalog:
                               value: RA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
                         - id: ra-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -37316,6 +41184,12 @@ catalog:
                               value: RA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.1'
+                          rel: assessment-for
                     - id: ra-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -37330,6 +41204,9 @@ catalog:
                               value: RA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
                         - id: ra-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -37337,6 +41214,18 @@ catalog:
                               value: RA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-1_smt'
+                  rel: assessment-for
             - id: ra-1_asm-examine
               name: assessment-method
               props:
@@ -37478,6 +41367,9 @@ catalog:
                       value: RA-02a.
                       class: sp800-53a
                   prose: the system and the information it processes, stores, and transmits are categorized;
+                  links:
+                    - href: '#ra-2_smt.a'
+                      rel: assessment-for
                 - id: ra-2_obj.b
                   name: assessment-objective
                   props:
@@ -37485,6 +41377,9 @@ catalog:
                       value: RA-02b.
                       class: sp800-53a
                   prose: the security categorization results, including supporting rationale, are documented in the security plan for the system;
+                  links:
+                    - href: '#ra-2_smt.b'
+                      rel: assessment-for
                 - id: ra-2_obj.c
                   name: assessment-objective
                   props:
@@ -37492,6 +41387,12 @@ catalog:
                       value: RA-02c.
                       class: sp800-53a
                   prose: the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
+                  links:
+                    - href: '#ra-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-2_smt'
+                  rel: assessment-for
             - id: ra-2_asm-examine
               name: assessment-method
               props:
@@ -37769,6 +41670,9 @@ catalog:
                           value: RA-03a.01
                           class: sp800-53a
                       prose: a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+                      links:
+                        - href: '#ra-3_smt.a.1'
+                          rel: assessment-for
                     - id: ra-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -37776,6 +41680,9 @@ catalog:
                           value: RA-03a.02
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+                      links:
+                        - href: '#ra-3_smt.a.2'
+                          rel: assessment-for
                     - id: ra-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -37783,6 +41690,12 @@ catalog:
                           value: RA-03a.03
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+                      links:
+                        - href: '#ra-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3_smt.a'
+                      rel: assessment-for
                 - id: ra-3_obj.b
                   name: assessment-objective
                   props:
@@ -37790,6 +41703,9 @@ catalog:
                       value: RA-03b.
                       class: sp800-53a
                   prose: risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+                  links:
+                    - href: '#ra-3_smt.b'
+                      rel: assessment-for
                 - id: ra-3_obj.c
                   name: assessment-objective
                   props:
@@ -37797,6 +41713,9 @@ catalog:
                       value: RA-03c.
                       class: sp800-53a
                   prose: 'risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};'
+                  links:
+                    - href: '#ra-3_smt.c'
+                      rel: assessment-for
                 - id: ra-3_obj.d
                   name: assessment-objective
                   props:
@@ -37804,6 +41723,9 @@ catalog:
                       value: RA-03d.
                       class: sp800-53a
                   prose: 'risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};'
+                  links:
+                    - href: '#ra-3_smt.d'
+                      rel: assessment-for
                 - id: ra-3_obj.e
                   name: assessment-objective
                   props:
@@ -37811,6 +41733,9 @@ catalog:
                       value: RA-03e.
                       class: sp800-53a
                   prose: 'risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};'
+                  links:
+                    - href: '#ra-3_smt.e'
+                      rel: assessment-for
                 - id: ra-3_obj.f
                   name: assessment-objective
                   props:
@@ -37818,6 +41743,12 @@ catalog:
                       value: RA-03f.
                       class: sp800-53a
                   prose: 'the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.'
+                  links:
+                    - href: '#ra-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-3_smt'
+                  rel: assessment-for
             - id: ra-3_asm-examine
               name: assessment-method
               props:
@@ -37966,6 +41897,9 @@ catalog:
                           value: RA-03(01)(a)
                           class: sp800-53a
                       prose: 'supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;'
+                      links:
+                        - href: '#ra-3.1_smt.a'
+                          rel: assessment-for
                     - id: ra-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -37973,6 +41907,12 @@ catalog:
                           value: RA-03(01)(b)
                           class: sp800-53a
                       prose: 'the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.'
+                      links:
+                        - href: '#ra-3.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3.1_smt'
+                      rel: assessment-for
                 - id: ra-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -38248,6 +42188,9 @@ catalog:
                           value: RA-05a.[01]
                           class: sp800-53a
                       prose: 'systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
                     - id: ra-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -38255,6 +42198,12 @@ catalog:
                           value: RA-05a.[02]
                           class: sp800-53a
                       prose: 'systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.a'
+                      rel: assessment-for
                 - id: ra-5_obj.b
                   name: assessment-objective
                   props:
@@ -38270,6 +42219,9 @@ catalog:
                           value: RA-05b.01
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
+                      links:
+                        - href: '#ra-5_smt.b.1'
+                          rel: assessment-for
                     - id: ra-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -38277,6 +42229,9 @@ catalog:
                           value: RA-05b.02
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
+                      links:
+                        - href: '#ra-5_smt.b.2'
+                          rel: assessment-for
                     - id: ra-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -38284,6 +42239,12 @@ catalog:
                           value: RA-05b.03
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
+                      links:
+                        - href: '#ra-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.b'
+                      rel: assessment-for
                 - id: ra-5_obj.c
                   name: assessment-objective
                   props:
@@ -38291,6 +42252,9 @@ catalog:
                       value: RA-05c.
                       class: sp800-53a
                   prose: vulnerability scan reports and results from vulnerability monitoring are analyzed;
+                  links:
+                    - href: '#ra-5_smt.c'
+                      rel: assessment-for
                 - id: ra-5_obj.d
                   name: assessment-objective
                   props:
@@ -38298,6 +42262,9 @@ catalog:
                       value: RA-05d.
                       class: sp800-53a
                   prose: 'legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;'
+                  links:
+                    - href: '#ra-5_smt.d'
+                      rel: assessment-for
                 - id: ra-5_obj.e
                   name: assessment-objective
                   props:
@@ -38305,6 +42272,9 @@ catalog:
                       value: RA-05e.
                       class: sp800-53a
                   prose: 'information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;'
+                  links:
+                    - href: '#ra-5_smt.e'
+                      rel: assessment-for
                 - id: ra-5_obj.f
                   name: assessment-objective
                   props:
@@ -38312,6 +42282,12 @@ catalog:
                       value: RA-05f.
                       class: sp800-53a
                   prose: vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
+                  links:
+                    - href: '#ra-5_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-5_smt'
+                  rel: assessment-for
             - id: ra-5_asm-examine
               name: assessment-method
               props:
@@ -38438,6 +42414,9 @@ catalog:
                       value: RA-05(02)
                       class: sp800-53a
                   prose: 'the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.'
+                  links:
+                    - href: '#ra-5.2_smt'
+                      rel: assessment-for
                 - id: ra-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -38552,6 +42531,9 @@ catalog:
                       value: RA-05(05)
                       class: sp800-53a
                   prose: 'privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.'
+                  links:
+                    - href: '#ra-5.5_smt'
+                      rel: assessment-for
                 - id: ra-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -38659,6 +42641,9 @@ catalog:
                       value: RA-05(11)
                       class: sp800-53a
                   prose: a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
+                  links:
+                    - href: '#ra-5.11_smt'
+                      rel: assessment-for
                 - id: ra-5.11_asm-examine
                   name: assessment-method
                   props:
@@ -38789,6 +42774,9 @@ catalog:
                       value: RA-07[01]
                       class: sp800-53a
                   prose: findings from security assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-2
                   name: assessment-objective
                   props:
@@ -38796,6 +42784,9 @@ catalog:
                       value: RA-07[02]
                       class: sp800-53a
                   prose: findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-3
                   name: assessment-objective
                   props:
@@ -38803,6 +42794,9 @@ catalog:
                       value: RA-07[03]
                       class: sp800-53a
                   prose: findings from monitoring are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-4
                   name: assessment-objective
                   props:
@@ -38810,6 +42804,12 @@ catalog:
                       value: RA-07[04]
                       class: sp800-53a
                   prose: findings from audits are responded to in accordance with organizational risk tolerance.
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ra-7_smt'
+                  rel: assessment-for
             - id: ra-7_asm-examine
               name: assessment-method
               props:
@@ -38944,6 +42944,9 @@ catalog:
                   value: RA-09
                   class: sp800-53a
               prose: 'critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.'
+              links:
+                - href: '#ra-9_smt'
+                  rel: assessment-for
             - id: ra-9_asm-examine
               name: assessment-method
               props:
@@ -39219,6 +43222,9 @@ catalog:
                           value: SA-01a.[01]
                           class: sp800-53a
                       prose: a system and services acquisition policy is developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -39226,6 +43232,9 @@ catalog:
                           value: SA-01a.[02]
                           class: sp800-53a
                       prose: 'the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -39233,6 +43242,9 @@ catalog:
                           value: SA-01a.[03]
                           class: sp800-53a
                       prose: system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -39240,6 +43252,9 @@ catalog:
                           value: SA-01a.[04]
                           class: sp800-53a
                       prose: 'the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -39261,6 +43276,9 @@ catalog:
                                   value: SA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -39268,6 +43286,9 @@ catalog:
                                   value: SA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -39275,6 +43296,9 @@ catalog:
                                   value: SA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -39282,6 +43306,9 @@ catalog:
                                   value: SA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -39289,6 +43316,9 @@ catalog:
                                   value: SA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -39296,6 +43326,9 @@ catalog:
                                   value: SA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -39303,6 +43336,12 @@ catalog:
                                   value: SA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sa-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sa-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -39310,6 +43349,15 @@ catalog:
                               value: SA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sa-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.a'
+                      rel: assessment-for
                 - id: sa-1_obj.b
                   name: assessment-objective
                   props:
@@ -39317,6 +43365,9 @@ catalog:
                       value: SA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;'
+                  links:
+                    - href: '#sa-1_smt.b'
+                      rel: assessment-for
                 - id: sa-1_obj.c
                   name: assessment-objective
                   props:
@@ -39338,6 +43389,9 @@ catalog:
                               value: SA-01c.01[01]
                               class: sp800-53a
                           prose: 'the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
                         - id: sa-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -39345,6 +43399,12 @@ catalog:
                               value: SA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.1'
+                          rel: assessment-for
                     - id: sa-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -39359,6 +43419,9 @@ catalog:
                               value: SA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
                         - id: sa-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -39366,6 +43429,18 @@ catalog:
                               value: SA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-1_smt'
+                  rel: assessment-for
             - id: sa-1_asm-examine
               name: assessment-method
               props:
@@ -39492,6 +43567,9 @@ catalog:
                           value: SA-02a.[01]
                           class: sp800-53a
                       prose: the high-level information security requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
                     - id: sa-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -39499,6 +43577,12 @@ catalog:
                           value: SA-02a.[02]
                           class: sp800-53a
                       prose: the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.a'
+                      rel: assessment-for
                 - id: sa-2_obj.b
                   name: assessment-objective
                   props:
@@ -39513,6 +43597,9 @@ catalog:
                           value: SA-02b.[01]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
                     - id: sa-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -39520,6 +43607,12 @@ catalog:
                           value: SA-02b.[02]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.b'
+                      rel: assessment-for
                 - id: sa-2_obj.c
                   name: assessment-objective
                   props:
@@ -39534,6 +43627,9 @@ catalog:
                           value: SA-02c.[01]
                           class: sp800-53a
                       prose: a discrete line item for information security is established in organizational programming and budgeting documentation;
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
                     - id: sa-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -39541,6 +43637,15 @@ catalog:
                           value: SA-02c.[02]
                           class: sp800-53a
                       prose: a discrete line item for privacy is established in organizational programming and budgeting documentation.
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-2_smt'
+                  rel: assessment-for
             - id: sa-2_asm-examine
               name: assessment-method
               props:
@@ -39733,6 +43838,9 @@ catalog:
                           value: SA-03a.[01]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
                     - id: sa-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -39740,6 +43848,12 @@ catalog:
                           value: SA-03a.[02]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.a'
+                      rel: assessment-for
                 - id: sa-3_obj.b
                   name: assessment-objective
                   props:
@@ -39754,6 +43868,9 @@ catalog:
                           value: SA-03b.[01]
                           class: sp800-53a
                       prose: information security roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
                     - id: sa-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -39761,6 +43878,12 @@ catalog:
                           value: SA-03b.[02]
                           class: sp800-53a
                       prose: privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.b'
+                      rel: assessment-for
                 - id: sa-3_obj.c
                   name: assessment-objective
                   props:
@@ -39775,6 +43898,9 @@ catalog:
                           value: SA-03c.[01]
                           class: sp800-53a
                       prose: individuals with information security roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
                     - id: sa-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -39782,6 +43908,12 @@ catalog:
                           value: SA-03c.[02]
                           class: sp800-53a
                       prose: individuals with privacy roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.c'
+                      rel: assessment-for
                 - id: sa-3_obj.d
                   name: assessment-objective
                   props:
@@ -39796,6 +43928,9 @@ catalog:
                           value: SA-03d.[01]
                           class: sp800-53a
                       prose: organizational information security risk management processes are integrated into system development life cycle activities;
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
                     - id: sa-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -39803,6 +43938,15 @@ catalog:
                           value: SA-03d.[02]
                           class: sp800-53a
                       prose: organizational privacy risk management processes are integrated into system development life cycle activities.
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-3_smt'
+                  rel: assessment-for
             - id: sa-3_asm-examine
               name: assessment-method
               props:
@@ -40075,6 +44219,9 @@ catalog:
                           value: SA-04a.[01]
                           class: sp800-53a
                       prose: 'security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
                     - id: sa-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -40082,6 +44229,12 @@ catalog:
                           value: SA-04a.[02]
                           class: sp800-53a
                       prose: 'privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.a'
+                      rel: assessment-for
                 - id: sa-4_obj.b
                   name: assessment-objective
                   props:
@@ -40089,6 +44242,9 @@ catalog:
                       value: SA-04b.
                       class: sp800-53a
                   prose: 'strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.b'
+                      rel: assessment-for
                 - id: sa-4_obj.c
                   name: assessment-objective
                   props:
@@ -40103,6 +44259,9 @@ catalog:
                           value: SA-04c.[01]
                           class: sp800-53a
                       prose: 'security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
                     - id: sa-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -40110,6 +44269,12 @@ catalog:
                           value: SA-04c.[02]
                           class: sp800-53a
                       prose: 'privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.c'
+                      rel: assessment-for
                 - id: sa-4_obj.d
                   name: assessment-objective
                   props:
@@ -40124,6 +44289,9 @@ catalog:
                           value: SA-04d.[01]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
                     - id: sa-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -40131,6 +44299,12 @@ catalog:
                           value: SA-04d.[02]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.d'
+                      rel: assessment-for
                 - id: sa-4_obj.e
                   name: assessment-objective
                   props:
@@ -40145,6 +44319,9 @@ catalog:
                           value: SA-04e.[01]
                           class: sp800-53a
                       prose: 'security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
                     - id: sa-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -40152,6 +44329,12 @@ catalog:
                           value: SA-04e.[02]
                           class: sp800-53a
                       prose: 'privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.e'
+                      rel: assessment-for
                 - id: sa-4_obj.f
                   name: assessment-objective
                   props:
@@ -40166,6 +44349,9 @@ catalog:
                           value: SA-04f.[01]
                           class: sp800-53a
                       prose: 'requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
                     - id: sa-4_obj.f-2
                       name: assessment-objective
                       props:
@@ -40173,6 +44359,12 @@ catalog:
                           value: SA-04f.[02]
                           class: sp800-53a
                       prose: 'requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.f'
+                      rel: assessment-for
                 - id: sa-4_obj.g
                   name: assessment-objective
                   props:
@@ -40180,6 +44372,9 @@ catalog:
                       value: SA-04g.
                       class: sp800-53a
                   prose: 'the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.g'
+                      rel: assessment-for
                 - id: sa-4_obj.h
                   name: assessment-objective
                   props:
@@ -40194,6 +44389,9 @@ catalog:
                           value: SA-04h.[01]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-2
                       name: assessment-objective
                       props:
@@ -40201,6 +44399,9 @@ catalog:
                           value: SA-04h.[02]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-3
                       name: assessment-objective
                       props:
@@ -40208,6 +44409,12 @@ catalog:
                           value: SA-04h.[03]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.h'
+                      rel: assessment-for
                 - id: sa-4_obj.i
                   name: assessment-objective
                   props:
@@ -40215,6 +44422,12 @@ catalog:
                       value: SA-04i.
                       class: sp800-53a
                   prose: 'acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.'
+                  links:
+                    - href: '#sa-4_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#sa-4_smt'
+                  rel: assessment-for
             - id: sa-4_asm-examine
               name: assessment-method
               props:
@@ -40317,6 +44530,9 @@ catalog:
                       value: SA-04(01)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.
+                  links:
+                    - href: '#sa-4.1_smt'
+                      rel: assessment-for
                 - id: sa-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -40450,6 +44666,9 @@ catalog:
                       value: SA-04(02)
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.'
+                  links:
+                    - href: '#sa-4.2_smt'
+                      rel: assessment-for
                 - id: sa-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -40560,6 +44779,9 @@ catalog:
                           value: SA-04(09)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the functions intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-2
                       name: assessment-objective
                       props:
@@ -40567,6 +44789,9 @@ catalog:
                           value: SA-04(09)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the ports intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-3
                       name: assessment-objective
                       props:
@@ -40574,6 +44799,9 @@ catalog:
                           value: SA-04(09)[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-4
                       name: assessment-objective
                       props:
@@ -40581,6 +44809,12 @@ catalog:
                           value: SA-04(09)[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the services intended for organizational use.
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.9_smt'
+                      rel: assessment-for
                 - id: sa-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -40677,6 +44911,9 @@ catalog:
                       value: SA-04(10)
                       class: sp800-53a
                   prose: only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
+                  links:
+                    - href: '#sa-4.10_smt'
+                      rel: assessment-for
                 - id: sa-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -40915,6 +45152,9 @@ catalog:
                               value: SA-05a.01[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -40922,6 +45162,9 @@ catalog:
                               value: SA-05a.01[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -40929,6 +45172,12 @@ catalog:
                               value: SA-05a.01[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.1'
+                          rel: assessment-for
                     - id: sa-5_obj.a.2
                       name: assessment-objective
                       props:
@@ -40943,6 +45192,9 @@ catalog:
                               value: SA-05a.02[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -40950,6 +45202,9 @@ catalog:
                               value: SA-05a.02[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -40957,6 +45212,9 @@ catalog:
                               value: SA-05a.02[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-4
                           name: assessment-objective
                           props:
@@ -40964,6 +45222,12 @@ catalog:
                               value: SA-05a.02[04]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.2'
+                          rel: assessment-for
                     - id: sa-5_obj.a.3
                       name: assessment-objective
                       props:
@@ -40978,6 +45242,9 @@ catalog:
                               value: SA-05a.03[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
                         - id: sa-5_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -40985,6 +45252,15 @@ catalog:
                               value: SA-05a.03[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.a'
+                      rel: assessment-for
                 - id: sa-5_obj.b
                   name: assessment-objective
                   props:
@@ -41006,6 +45282,9 @@ catalog:
                               value: SA-05b.01[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-2
                           name: assessment-objective
                           props:
@@ -41013,6 +45292,9 @@ catalog:
                               value: SA-05b.01[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-3
                           name: assessment-objective
                           props:
@@ -41020,6 +45302,9 @@ catalog:
                               value: SA-05b.01[03]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-4
                           name: assessment-objective
                           props:
@@ -41027,6 +45312,12 @@ catalog:
                               value: SA-05b.01[04]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.1'
+                          rel: assessment-for
                     - id: sa-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -41041,6 +45332,9 @@ catalog:
                               value: SA-05b.02[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
                         - id: sa-5_obj.b.2-2
                           name: assessment-objective
                           props:
@@ -41048,6 +45342,12 @@ catalog:
                               value: SA-05b.02[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.2'
+                          rel: assessment-for
                     - id: sa-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -41062,6 +45362,9 @@ catalog:
                               value: SA-05b.03[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
                         - id: sa-5_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -41069,6 +45372,15 @@ catalog:
                               value: SA-05b.03[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.b'
+                      rel: assessment-for
                 - id: sa-5_obj.c
                   name: assessment-objective
                   props:
@@ -41083,6 +45395,9 @@ catalog:
                           value: SA-05c.[01]
                           class: sp800-53a
                       prose: attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
                     - id: sa-5_obj.c-2
                       name: assessment-objective
                       props:
@@ -41090,6 +45405,12 @@ catalog:
                           value: SA-05c.[02]
                           class: sp800-53a
                       prose: 'after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;'
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.c'
+                      rel: assessment-for
                 - id: sa-5_obj.d
                   name: assessment-objective
                   props:
@@ -41097,6 +45418,12 @@ catalog:
                       value: SA-05d.
                       class: sp800-53a
                   prose: 'documentation is distributed to {{ insert: param, sa-05_odp.02 }}.'
+                  links:
+                    - href: '#sa-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-5_smt'
+                  rel: assessment-for
             - id: sa-5_asm-examine
               name: assessment-method
               props:
@@ -41293,6 +45620,9 @@ catalog:
                       value: SA-08[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-2
                   name: assessment-objective
                   props:
@@ -41300,6 +45630,9 @@ catalog:
                       value: SA-08[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-3
                   name: assessment-objective
                   props:
@@ -41307,6 +45640,9 @@ catalog:
                       value: SA-08[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-4
                   name: assessment-objective
                   props:
@@ -41314,6 +45650,9 @@ catalog:
                       value: SA-08[04]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-5
                   name: assessment-objective
                   props:
@@ -41321,6 +45660,9 @@ catalog:
                       value: SA-08[05]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-6
                   name: assessment-objective
                   props:
@@ -41328,6 +45670,9 @@ catalog:
                       value: SA-08[06]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-7
                   name: assessment-objective
                   props:
@@ -41335,6 +45680,9 @@ catalog:
                       value: SA-08[07]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-8
                   name: assessment-objective
                   props:
@@ -41342,6 +45690,9 @@ catalog:
                       value: SA-08[08]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-9
                   name: assessment-objective
                   props:
@@ -41349,6 +45700,9 @@ catalog:
                       value: SA-08[09]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-10
                   name: assessment-objective
                   props:
@@ -41356,6 +45710,12 @@ catalog:
                       value: SA-08[10]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sa-8_smt'
+                  rel: assessment-for
             - id: sa-8_asm-examine
               name: assessment-method
               props:
@@ -41542,6 +45902,9 @@ catalog:
                           value: SA-09a.[01]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational security requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -41549,6 +45912,9 @@ catalog:
                           value: SA-09a.[02]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational privacy requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -41556,6 +45922,12 @@ catalog:
                           value: SA-09a.[03]
                           class: sp800-53a
                       prose: 'providers of external system services employ {{ insert: param, sa-09_odp.01 }};'
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.a'
+                      rel: assessment-for
                 - id: sa-9_obj.b
                   name: assessment-objective
                   props:
@@ -41570,6 +45942,9 @@ catalog:
                           value: SA-09b.[01]
                           class: sp800-53a
                       prose: organizational oversight with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
                     - id: sa-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -41577,6 +45952,12 @@ catalog:
                           value: SA-09b.[02]
                           class: sp800-53a
                       prose: user roles and responsibilities with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.b'
+                      rel: assessment-for
                 - id: sa-9_obj.c
                   name: assessment-objective
                   props:
@@ -41584,6 +45965,12 @@ catalog:
                       value: SA-09c.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.'
+                  links:
+                    - href: '#sa-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-9_smt'
+                  rel: assessment-for
             - id: sa-9_asm-examine
               name: assessment-method
               props:
@@ -41707,6 +46094,9 @@ catalog:
                       value: SA-09(02)
                       class: sp800-53a
                   prose: 'providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.'
+                  links:
+                    - href: '#sa-9.2_smt'
+                      rel: assessment-for
                 - id: sa-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -41909,6 +46299,9 @@ catalog:
                       value: SA-10a.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};'
+                  links:
+                    - href: '#sa-10_smt.a'
+                      rel: assessment-for
                 - id: sa-10_obj.b
                   name: assessment-objective
                   props:
@@ -41923,6 +46316,9 @@ catalog:
                           value: SA-10b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-2
                       name: assessment-objective
                       props:
@@ -41930,6 +46326,9 @@ catalog:
                           value: SA-10b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-3
                       name: assessment-objective
                       props:
@@ -41937,6 +46336,12 @@ catalog:
                           value: SA-10b.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.b'
+                      rel: assessment-for
                 - id: sa-10_obj.c
                   name: assessment-objective
                   props:
@@ -41944,6 +46349,9 @@ catalog:
                       value: SA-10c.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;
+                  links:
+                    - href: '#sa-10_smt.c'
+                      rel: assessment-for
                 - id: sa-10_obj.d
                   name: assessment-objective
                   props:
@@ -41958,6 +46366,9 @@ catalog:
                           value: SA-10d.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-2
                       name: assessment-objective
                       props:
@@ -41965,6 +46376,9 @@ catalog:
                           value: SA-10d.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-3
                       name: assessment-objective
                       props:
@@ -41972,6 +46386,12 @@ catalog:
                           value: SA-10d.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.d'
+                      rel: assessment-for
                 - id: sa-10_obj.e
                   name: assessment-objective
                   props:
@@ -41986,6 +46406,9 @@ catalog:
                           value: SA-10e.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-2
                       name: assessment-objective
                       props:
@@ -41993,6 +46416,9 @@ catalog:
                           value: SA-10e.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-3
                       name: assessment-objective
                       props:
@@ -42000,6 +46426,15 @@ catalog:
                           value: SA-10e.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.'
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-10_smt'
+                  rel: assessment-for
             - id: sa-10_asm-examine
               name: assessment-method
               props:
@@ -42225,6 +46660,9 @@ catalog:
                           value: SA-11a.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -42232,6 +46670,9 @@ catalog:
                           value: SA-11a.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -42239,6 +46680,9 @@ catalog:
                           value: SA-11a.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -42246,6 +46690,12 @@ catalog:
                           value: SA-11a.[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.a'
+                      rel: assessment-for
                 - id: sa-11_obj.b
                   name: assessment-objective
                   props:
@@ -42253,6 +46703,9 @@ catalog:
                       value: SA-11b.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};'
+                  links:
+                    - href: '#sa-11_smt.b'
+                      rel: assessment-for
                 - id: sa-11_obj.c
                   name: assessment-objective
                   props:
@@ -42267,6 +46720,9 @@ catalog:
                           value: SA-11c.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
                     - id: sa-11_obj.c-2
                       name: assessment-objective
                       props:
@@ -42274,6 +46730,12 @@ catalog:
                           value: SA-11c.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.c'
+                      rel: assessment-for
                 - id: sa-11_obj.d
                   name: assessment-objective
                   props:
@@ -42281,6 +46743,9 @@ catalog:
                       value: SA-11d.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
+                  links:
+                    - href: '#sa-11_smt.d'
+                      rel: assessment-for
                 - id: sa-11_obj.e
                   name: assessment-objective
                   props:
@@ -42288,6 +46753,12 @@ catalog:
                       value: SA-11e.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
+                  links:
+                    - href: '#sa-11_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-11_smt'
+                  rel: assessment-for
             - id: sa-11_asm-examine
               name: assessment-method
               props:
@@ -42521,6 +46992,9 @@ catalog:
                               value: SA-15a.01[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
                         - id: sa-15_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -42528,6 +47002,12 @@ catalog:
                               value: SA-15a.01[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.1'
+                          rel: assessment-for
                     - id: sa-15_obj.a.2
                       name: assessment-objective
                       props:
@@ -42542,6 +47022,9 @@ catalog:
                               value: SA-15a.02[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
                         - id: sa-15_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -42549,6 +47032,12 @@ catalog:
                               value: SA-15a.02[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.2'
+                          rel: assessment-for
                     - id: sa-15_obj.a.3
                       name: assessment-objective
                       props:
@@ -42563,6 +47052,9 @@ catalog:
                               value: SA-15a.03[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
                         - id: sa-15_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -42570,6 +47062,12 @@ catalog:
                               value: SA-15a.03[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.3'
+                          rel: assessment-for
                     - id: sa-15_obj.a.4
                       name: assessment-objective
                       props:
@@ -42577,6 +47075,12 @@ catalog:
                           value: SA-15a.04
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;
+                      links:
+                        - href: '#sa-15_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.a'
+                      rel: assessment-for
                 - id: sa-15_obj.b
                   name: assessment-objective
                   props:
@@ -42591,6 +47095,9 @@ catalog:
                           value: SA-15b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
                     - id: sa-15_obj.b-2
                       name: assessment-objective
                       props:
@@ -42598,6 +47105,15 @@ catalog:
                           value: SA-15b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-15_smt'
+                  rel: assessment-for
             - id: sa-15_asm-examine
               name: assessment-method
               props:
@@ -42764,6 +47280,9 @@ catalog:
                           value: SA-15(03)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;'
+                      links:
+                        - href: '#sa-15.3_smt.a'
+                          rel: assessment-for
                     - id: sa-15.3_obj.b
                       name: assessment-objective
                       props:
@@ -42778,6 +47297,9 @@ catalog:
                               value: SA-15(03)(b)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
                         - id: sa-15.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -42785,6 +47307,15 @@ catalog:
                               value: SA-15(03)(b)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.3_smt'
+                      rel: assessment-for
                 - id: sa-15.3_asm-examine
                   name: assessment-method
                   props:
@@ -42939,6 +47470,9 @@ catalog:
                       value: SA-22a.
                       class: sp800-53a
                   prose: system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
+                  links:
+                    - href: '#sa-22_smt.a'
+                      rel: assessment-for
                 - id: sa-22_obj.b
                   name: assessment-objective
                   props:
@@ -42946,6 +47480,12 @@ catalog:
                       value: SA-22b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.'
+                  links:
+                    - href: '#sa-22_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-22_smt'
+                  rel: assessment-for
             - id: sa-22_asm-examine
               name: assessment-method
               props:
@@ -43215,6 +47755,9 @@ catalog:
                           value: SC-01a.[01]
                           class: sp800-53a
                       prose: a system and communications protection policy is developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -43222,6 +47765,9 @@ catalog:
                           value: SC-01a.[02]
                           class: sp800-53a
                       prose: 'the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -43229,6 +47775,9 @@ catalog:
                           value: SC-01a.[03]
                           class: sp800-53a
                       prose: system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -43236,6 +47785,9 @@ catalog:
                           value: SC-01a.[04]
                           class: sp800-53a
                       prose: 'the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -43257,6 +47809,9 @@ catalog:
                                   value: SC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -43264,6 +47819,9 @@ catalog:
                                   value: SC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -43271,6 +47829,9 @@ catalog:
                                   value: SC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -43278,6 +47839,9 @@ catalog:
                                   value: SC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -43285,6 +47849,9 @@ catalog:
                                   value: SC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -43292,6 +47859,9 @@ catalog:
                                   value: SC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -43299,6 +47869,12 @@ catalog:
                                   value: SC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sc-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sc-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -43306,6 +47882,15 @@ catalog:
                               value: SC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sc-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.a'
+                      rel: assessment-for
                 - id: sc-1_obj.b
                   name: assessment-objective
                   props:
@@ -43313,6 +47898,9 @@ catalog:
                       value: SC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;'
+                  links:
+                    - href: '#sc-1_smt.b'
+                      rel: assessment-for
                 - id: sc-1_obj.c
                   name: assessment-objective
                   props:
@@ -43334,6 +47922,9 @@ catalog:
                               value: SC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
                         - id: sc-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -43341,6 +47932,12 @@ catalog:
                               value: SC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.1'
+                          rel: assessment-for
                     - id: sc-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -43355,6 +47952,9 @@ catalog:
                               value: SC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
                         - id: sc-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -43362,6 +47962,18 @@ catalog:
                               value: SC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-1_smt'
+                  rel: assessment-for
             - id: sc-1_asm-examine
               name: assessment-method
               props:
@@ -43450,6 +48062,9 @@ catalog:
                   value: SC-02
                   class: sp800-53a
               prose: user functionality, including user interface services, is separated from system management functionality.
+              links:
+                - href: '#sc-2_smt'
+                  rel: assessment-for
             - id: sc-2_asm-examine
               name: assessment-method
               props:
@@ -43546,6 +48161,9 @@ catalog:
                       value: SC-04[01]
                       class: sp800-53a
                   prose: unauthorized information transfer via shared system resources is prevented;
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
                 - id: sc-4_obj-2
                   name: assessment-objective
                   props:
@@ -43553,6 +48171,12 @@ catalog:
                       value: SC-04[02]
                       class: sp800-53a
                   prose: unintended information transfer via shared system resources is prevented.
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-4_smt'
+                  rel: assessment-for
             - id: sc-4_asm-examine
               name: assessment-method
               props:
@@ -43699,6 +48323,9 @@ catalog:
                       value: SC-05a.
                       class: sp800-53a
                   prose: 'the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};'
+                  links:
+                    - href: '#sc-5_smt.a'
+                      rel: assessment-for
                 - id: sc-5_obj.b
                   name: assessment-objective
                   props:
@@ -43706,6 +48333,12 @@ catalog:
                       value: SC-05b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.'
+                  links:
+                    - href: '#sc-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-5_smt'
+                  rel: assessment-for
             - id: sc-5_asm-examine
               name: assessment-method
               props:
@@ -43901,6 +48534,9 @@ catalog:
                           value: SC-07a.[01]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -43908,6 +48544,9 @@ catalog:
                           value: SC-07a.[02]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -43915,6 +48554,9 @@ catalog:
                           value: SC-07a.[03]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-4
                       name: assessment-objective
                       props:
@@ -43922,6 +48564,12 @@ catalog:
                           value: SC-07a.[04]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7_smt.a'
+                      rel: assessment-for
                 - id: sc-7_obj.b
                   name: assessment-objective
                   props:
@@ -43929,6 +48577,9 @@ catalog:
                       value: SC-07b.
                       class: sp800-53a
                   prose: 'subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;'
+                  links:
+                    - href: '#sc-7_smt.b'
+                      rel: assessment-for
                 - id: sc-7_obj.c
                   name: assessment-objective
                   props:
@@ -43936,6 +48587,12 @@ catalog:
                       value: SC-07c.
                       class: sp800-53a
                   prose: external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+                  links:
+                    - href: '#sc-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-7_smt'
+                  rel: assessment-for
             - id: sc-7_asm-examine
               name: assessment-method
               props:
@@ -44030,6 +48687,9 @@ catalog:
                       value: SC-07(03)
                       class: sp800-53a
                   prose: the number of external network connections to the system is limited.
+                  links:
+                    - href: '#sc-7.3_smt'
+                      rel: assessment-for
                 - id: sc-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -44200,6 +48860,9 @@ catalog:
                           value: SC-07(04)(a)
                           class: sp800-53a
                       prose: a managed interface is implemented for each external telecommunication service;
+                      links:
+                        - href: '#sc-7.4_smt.a'
+                          rel: assessment-for
                     - id: sc-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -44207,6 +48870,9 @@ catalog:
                           value: SC-07(04)(b)
                           class: sp800-53a
                       prose: a traffic flow policy is established for each managed interface;
+                      links:
+                        - href: '#sc-7.4_smt.b'
+                          rel: assessment-for
                     - id: sc-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -44221,6 +48887,9 @@ catalog:
                               value: SC-07(04)(c)[01]
                               class: sp800-53a
                           prose: the confidentiality of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
                         - id: sc-7.4_obj.c-2
                           name: assessment-objective
                           props:
@@ -44228,6 +48897,12 @@ catalog:
                               value: SC-07(04)(c)[02]
                               class: sp800-53a
                           prose: the integrity of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.c'
+                          rel: assessment-for
                     - id: sc-7.4_obj.d
                       name: assessment-objective
                       props:
@@ -44235,6 +48910,9 @@ catalog:
                           value: SC-07(04)(d)
                           class: sp800-53a
                       prose: each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
+                      links:
+                        - href: '#sc-7.4_smt.d'
+                          rel: assessment-for
                     - id: sc-7.4_obj.e
                       name: assessment-objective
                       props:
@@ -44249,6 +48927,9 @@ catalog:
                               value: SC-07(04)(e)[01]
                               class: sp800-53a
                           prose: 'exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};'
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
                         - id: sc-7.4_obj.e-2
                           name: assessment-objective
                           props:
@@ -44256,6 +48937,12 @@ catalog:
                               value: SC-07(04)(e)[02]
                               class: sp800-53a
                           prose: exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.e'
+                          rel: assessment-for
                     - id: sc-7.4_obj.f
                       name: assessment-objective
                       props:
@@ -44263,6 +48950,9 @@ catalog:
                           value: SC-07(04)(f)
                           class: sp800-53a
                       prose: unauthorized exchanges of control plan traffic with external networks are prevented;
+                      links:
+                        - href: '#sc-7.4_smt.f'
+                          rel: assessment-for
                     - id: sc-7.4_obj.g
                       name: assessment-objective
                       props:
@@ -44270,6 +48960,9 @@ catalog:
                           value: SC-07(04)(g)
                           class: sp800-53a
                       prose: information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
+                      links:
+                        - href: '#sc-7.4_smt.g'
+                          rel: assessment-for
                     - id: sc-7.4_obj.h
                       name: assessment-objective
                       props:
@@ -44277,6 +48970,12 @@ catalog:
                           value: SC-07(04)(h)
                           class: sp800-53a
                       prose: unauthorized control plane traffic is filtered from external networks.
+                      links:
+                        - href: '#sc-7.4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.4_smt'
+                      rel: assessment-for
                 - id: sc-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -44411,6 +49110,9 @@ catalog:
                           value: SC-07(05)[01]
                           class: sp800-53a
                       prose: 'network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
                     - id: sc-7.5_obj-2
                       name: assessment-objective
                       props:
@@ -44418,6 +49120,12 @@ catalog:
                           value: SC-07(05)[02]
                           class: sp800-53a
                       prose: 'network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.5_smt'
+                      rel: assessment-for
                 - id: sc-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -44516,6 +49224,9 @@ catalog:
                       value: SC-07(07)
                       class: sp800-53a
                   prose: 'split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.'
+                  links:
+                    - href: '#sc-7.7_smt'
+                      rel: assessment-for
                 - id: sc-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -44633,6 +49344,9 @@ catalog:
                       value: SC-07(08)
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.'
+                  links:
+                    - href: '#sc-7.8_smt'
+                      rel: assessment-for
                 - id: sc-7.8_asm-examine
                   name: assessment-method
                   props:
@@ -44784,6 +49498,9 @@ catalog:
                   value: SC-08
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.'
+              links:
+                - href: '#sc-8_smt'
+                  rel: assessment-for
             - id: sc-8_asm-examine
               name: assessment-method
               props:
@@ -44887,6 +49604,9 @@ catalog:
                       value: SC-08(01)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.'
+                  links:
+                    - href: '#sc-8.1_smt'
+                      rel: assessment-for
                 - id: sc-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -44990,6 +49710,9 @@ catalog:
                   value: SC-10
                   class: sp800-53a
               prose: 'the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.'
+              links:
+                - href: '#sc-10_smt'
+                  rel: assessment-for
             - id: sc-10_asm-examine
               name: assessment-method
               props:
@@ -45110,6 +49833,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#sa-4'
               rel: related
             - href: '#sa-8'
@@ -45157,6 +49882,9 @@ catalog:
                       value: SC-12[01]
                       class: sp800-53a
                   prose: 'cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
                 - id: sc-12_obj-2
                   name: assessment-objective
                   props:
@@ -45164,6 +49892,12 @@ catalog:
                       value: SC-12[02]
                       class: sp800-53a
                   prose: 'cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-12_smt'
+                  rel: assessment-for
             - id: sc-12_asm-examine
               name: assessment-method
               props:
@@ -45287,6 +50021,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#mp-2'
@@ -45350,6 +50086,9 @@ catalog:
                       value: SC-13a.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.01 }} are identified;'
+                  links:
+                    - href: '#sc-13_smt.a'
+                      rel: assessment-for
                 - id: sc-13_obj.b
                   name: assessment-objective
                   props:
@@ -45357,6 +50096,12 @@ catalog:
                       value: SC-13b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.'
+                  links:
+                    - href: '#sc-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-13_smt'
+                  rel: assessment-for
             - id: sc-13_asm-examine
               name: assessment-method
               props:
@@ -45480,6 +50225,9 @@ catalog:
                       value: SC-15a.
                       class: sp800-53a
                   prose: 'remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};'
+                  links:
+                    - href: '#sc-15_smt.a'
+                      rel: assessment-for
                 - id: sc-15_obj.b
                   name: assessment-objective
                   props:
@@ -45487,6 +50235,12 @@ catalog:
                       value: SC-15b.
                       class: sp800-53a
                   prose: an explicit indication of use is provided to users physically present at the devices.
+                  links:
+                    - href: '#sc-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-15_smt'
+                  rel: assessment-for
             - id: sc-15_asm-examine
               name: assessment-method
               props:
@@ -45626,6 +50380,9 @@ catalog:
                       value: SC-17a.
                       class: sp800-53a
                   prose: 'public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;'
+                  links:
+                    - href: '#sc-17_smt.a'
+                      rel: assessment-for
                 - id: sc-17_obj.b
                   name: assessment-objective
                   props:
@@ -45633,6 +50390,12 @@ catalog:
                       value: SC-17b.
                       class: sp800-53a
                   prose: only approved trust anchors are included in trust stores or certificate stores managed by the organization.
+                  links:
+                    - href: '#sc-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-17_smt'
+                  rel: assessment-for
             - id: sc-17_asm-examine
               name: assessment-method
               props:
@@ -45754,6 +50517,9 @@ catalog:
                           value: SC-18a.[01]
                           class: sp800-53a
                       prose: acceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -45761,6 +50527,9 @@ catalog:
                           value: SC-18a.[02]
                           class: sp800-53a
                       prose: unacceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -45768,6 +50537,9 @@ catalog:
                           value: SC-18a.[03]
                           class: sp800-53a
                       prose: acceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-4
                       name: assessment-objective
                       props:
@@ -45775,6 +50547,12 @@ catalog:
                           value: SC-18a.[04]
                           class: sp800-53a
                       prose: unacceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.a'
+                      rel: assessment-for
                 - id: sc-18_obj.b
                   name: assessment-objective
                   props:
@@ -45789,6 +50567,9 @@ catalog:
                           value: SC-18b.[01]
                           class: sp800-53a
                       prose: the use of mobile code is authorized within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-2
                       name: assessment-objective
                       props:
@@ -45796,6 +50577,9 @@ catalog:
                           value: SC-18b.[02]
                           class: sp800-53a
                       prose: the use of mobile code is monitored within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-3
                       name: assessment-objective
                       props:
@@ -45803,6 +50587,15 @@ catalog:
                           value: SC-18b.[03]
                           class: sp800-53a
                       prose: the use of mobile code is controlled within the system.
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-18_smt'
+                  rel: assessment-for
             - id: sc-18_asm-examine
               name: assessment-method
               props:
@@ -45941,6 +50734,9 @@ catalog:
                           value: SC-20a.[01]
                           class: sp800-53a
                       prose: additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
                     - id: sc-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -45948,6 +50744,12 @@ catalog:
                           value: SC-20a.[02]
                           class: sp800-53a
                       prose: integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.a'
+                      rel: assessment-for
                 - id: sc-20_obj.b
                   name: assessment-objective
                   props:
@@ -45962,6 +50764,9 @@ catalog:
                           value: SC-20b.[01]
                           class: sp800-53a
                       prose: the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
                     - id: sc-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -45969,6 +50774,15 @@ catalog:
                           value: SC-20b.[02]
                           class: sp800-53a
                       prose: the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-20_smt'
+                  rel: assessment-for
             - id: sc-20_asm-examine
               name: assessment-method
               props:
@@ -46063,6 +50877,9 @@ catalog:
                       value: SC-21[01]
                       class: sp800-53a
                   prose: data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-2
                   name: assessment-objective
                   props:
@@ -46070,6 +50887,9 @@ catalog:
                       value: SC-21[02]
                       class: sp800-53a
                   prose: data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-3
                   name: assessment-objective
                   props:
@@ -46077,6 +50897,9 @@ catalog:
                       value: SC-21[03]
                       class: sp800-53a
                   prose: data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-4
                   name: assessment-objective
                   props:
@@ -46084,6 +50907,12 @@ catalog:
                       value: SC-21[04]
                       class: sp800-53a
                   prose: data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-21_smt'
+                  rel: assessment-for
             - id: sc-21_asm-examine
               name: assessment-method
               props:
@@ -46184,6 +51013,9 @@ catalog:
                       value: SC-22[01]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization are fault-tolerant;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-2
                   name: assessment-objective
                   props:
@@ -46191,6 +51023,9 @@ catalog:
                       value: SC-22[02]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement internal role separation;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-3
                   name: assessment-objective
                   props:
@@ -46198,6 +51033,12 @@ catalog:
                       value: SC-22[03]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement external role separation.
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-22_smt'
+                  rel: assessment-for
             - id: sc-22_asm-examine
               name: assessment-method
               props:
@@ -46301,6 +51142,9 @@ catalog:
                   value: SC-23
                   class: sp800-53a
               prose: the authenticity of communication sessions is protected.
+              links:
+                - href: '#sc-23_smt'
+                  rel: assessment-for
             - id: sc-23_asm-examine
               name: assessment-method
               props:
@@ -46461,6 +51305,9 @@ catalog:
                   value: SC-28
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.'
+              links:
+                - href: '#sc-28_smt'
+                  rel: assessment-for
             - id: sc-28_asm-examine
               name: assessment-method
               props:
@@ -46583,6 +51430,9 @@ catalog:
                           value: SC-28(01)[01]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
                     - id: sc-28.1_obj-2
                       name: assessment-objective
                       props:
@@ -46590,6 +51440,12 @@ catalog:
                           value: SC-28(01)[02]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-28.1_smt'
+                      rel: assessment-for
                 - id: sc-28.1_asm-examine
                   name: assessment-method
                   props:
@@ -46696,6 +51552,9 @@ catalog:
                   value: SC-39
                   class: sp800-53a
               prose: a separate execution domain is maintained for each executing system process.
+              links:
+                - href: '#sc-39_smt'
+                  rel: assessment-for
             - id: sc-39_asm-examine
               name: assessment-method
               props:
@@ -46954,6 +51813,9 @@ catalog:
                           value: SI-01a.[01]
                           class: sp800-53a
                       prose: a system and information integrity policy is developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -46961,6 +51823,9 @@ catalog:
                           value: SI-01a.[02]
                           class: sp800-53a
                       prose: 'the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -46968,6 +51833,9 @@ catalog:
                           value: SI-01a.[03]
                           class: sp800-53a
                       prose: system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -46975,6 +51843,9 @@ catalog:
                           value: SI-01a.[04]
                           class: sp800-53a
                       prose: 'the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -46996,6 +51867,9 @@ catalog:
                                   value: SI-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -47003,6 +51877,9 @@ catalog:
                                   value: SI-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -47010,6 +51887,9 @@ catalog:
                                   value: SI-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -47017,6 +51897,9 @@ catalog:
                                   value: SI-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -47024,6 +51907,9 @@ catalog:
                                   value: SI-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -47031,6 +51917,9 @@ catalog:
                                   value: SI-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -47038,6 +51927,12 @@ catalog:
                                   value: SI-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#si-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: si-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -47045,6 +51940,15 @@ catalog:
                               value: SI-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#si-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.a'
+                      rel: assessment-for
                 - id: si-1_obj.b
                   name: assessment-objective
                   props:
@@ -47052,6 +51956,9 @@ catalog:
                       value: SI-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;'
+                  links:
+                    - href: '#si-1_smt.b'
+                      rel: assessment-for
                 - id: si-1_obj.c
                   name: assessment-objective
                   props:
@@ -47073,6 +51980,9 @@ catalog:
                               value: SI-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
                         - id: si-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -47080,6 +51990,12 @@ catalog:
                               value: SI-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.1'
+                          rel: assessment-for
                     - id: si-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -47094,6 +52010,9 @@ catalog:
                               value: SI-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
                         - id: si-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -47101,6 +52020,18 @@ catalog:
                               value: SI-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#si-1_smt'
+                  rel: assessment-for
             - id: si-1_asm-examine
               name: assessment-method
               props:
@@ -47262,6 +52193,9 @@ catalog:
                           value: SI-02a.[01]
                           class: sp800-53a
                       prose: system flaws are identified;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -47269,6 +52203,9 @@ catalog:
                           value: SI-02a.[02]
                           class: sp800-53a
                       prose: system flaws are reported;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -47276,6 +52213,12 @@ catalog:
                           value: SI-02a.[03]
                           class: sp800-53a
                       prose: system flaws are corrected;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.a'
+                      rel: assessment-for
                 - id: si-2_obj.b
                   name: assessment-objective
                   props:
@@ -47290,6 +52233,9 @@ catalog:
                           value: SI-02b.[01]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -47297,6 +52243,9 @@ catalog:
                           value: SI-02b.[02]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-3
                       name: assessment-objective
                       props:
@@ -47304,6 +52253,9 @@ catalog:
                           value: SI-02b.[03]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-4
                       name: assessment-objective
                       props:
@@ -47311,6 +52263,12 @@ catalog:
                           value: SI-02b.[04]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.b'
+                      rel: assessment-for
                 - id: si-2_obj.c
                   name: assessment-objective
                   props:
@@ -47325,6 +52283,9 @@ catalog:
                           value: SI-02c.[01]
                           class: sp800-53a
                       prose: 'security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
                     - id: si-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -47332,6 +52293,12 @@ catalog:
                           value: SI-02c.[02]
                           class: sp800-53a
                       prose: 'security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.c'
+                      rel: assessment-for
                 - id: si-2_obj.d
                   name: assessment-objective
                   props:
@@ -47339,6 +52306,12 @@ catalog:
                       value: SI-02d.
                       class: sp800-53a
                   prose: flaw remediation is incorporated into the organizational configuration management process.
+                  links:
+                    - href: '#si-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-2_smt'
+                  rel: assessment-for
             - id: si-2_asm-examine
               name: assessment-method
               props:
@@ -47469,6 +52442,9 @@ catalog:
                       value: SI-02(02)
                       class: sp800-53a
                   prose: 'system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.'
+                  links:
+                    - href: '#si-2.2_smt'
+                      rel: assessment-for
                 - id: si-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -47729,6 +52705,9 @@ catalog:
                           value: SI-03a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
                     - id: si-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -47736,6 +52715,12 @@ catalog:
                           value: SI-03a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.a'
+                      rel: assessment-for
                 - id: si-3_obj.b
                   name: assessment-objective
                   props:
@@ -47743,6 +52728,9 @@ catalog:
                       value: SI-03b.
                       class: sp800-53a
                   prose: malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
+                  links:
+                    - href: '#si-3_smt.b'
+                      rel: assessment-for
                 - id: si-3_obj.c
                   name: assessment-objective
                   props:
@@ -47764,6 +52752,9 @@ catalog:
                               value: SI-03c.01[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
                         - id: si-3_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -47771,6 +52762,12 @@ catalog:
                               value: SI-03c.01[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.1'
+                          rel: assessment-for
                     - id: si-3_obj.c.2
                       name: assessment-objective
                       props:
@@ -47785,6 +52782,9 @@ catalog:
                               value: SI-03c.02[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
                         - id: si-3_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -47792,6 +52792,15 @@ catalog:
                               value: SI-03c.02[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.c'
+                      rel: assessment-for
                 - id: si-3_obj.d
                   name: assessment-objective
                   props:
@@ -47799,6 +52808,12 @@ catalog:
                       value: SI-03d.
                       class: sp800-53a
                   prose: the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
+                  links:
+                    - href: '#si-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-3_smt'
+                  rel: assessment-for
             - id: si-3_asm-examine
               name: assessment-method
               props:
@@ -48151,6 +53166,9 @@ catalog:
                           value: SI-04a.01
                           class: sp800-53a
                       prose: 'the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};'
+                      links:
+                        - href: '#si-4_smt.a.1'
+                          rel: assessment-for
                     - id: si-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -48165,6 +53183,9 @@ catalog:
                               value: SI-04a.02[01]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized local connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -48172,6 +53193,9 @@ catalog:
                               value: SI-04a.02[02]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized network connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -48179,6 +53203,15 @@ catalog:
                               value: SI-04a.02[03]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized remote connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.a'
+                      rel: assessment-for
                 - id: si-4_obj.b
                   name: assessment-objective
                   props:
@@ -48186,6 +53219,9 @@ catalog:
                       value: SI-04b.
                       class: sp800-53a
                   prose: 'unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};'
+                  links:
+                    - href: '#si-4_smt.b'
+                      rel: assessment-for
                 - id: si-4_obj.c
                   name: assessment-objective
                   props:
@@ -48200,6 +53236,9 @@ catalog:
                           value: SI-04c.01
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
+                      links:
+                        - href: '#si-4_smt.c.1'
+                          rel: assessment-for
                     - id: si-4_obj.c.2
                       name: assessment-objective
                       props:
@@ -48207,6 +53246,12 @@ catalog:
                           value: SI-04c.02
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
+                      links:
+                        - href: '#si-4_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.c'
+                      rel: assessment-for
                 - id: si-4_obj.d
                   name: assessment-objective
                   props:
@@ -48221,6 +53266,9 @@ catalog:
                           value: SI-04d.[01]
                           class: sp800-53a
                       prose: detected events are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
                     - id: si-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -48228,6 +53276,12 @@ catalog:
                           value: SI-04d.[02]
                           class: sp800-53a
                       prose: detected anomalies are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.d'
+                      rel: assessment-for
                 - id: si-4_obj.e
                   name: assessment-objective
                   props:
@@ -48235,6 +53289,9 @@ catalog:
                       value: SI-04e.
                       class: sp800-53a
                   prose: the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+                  links:
+                    - href: '#si-4_smt.e'
+                      rel: assessment-for
                 - id: si-4_obj.f
                   name: assessment-objective
                   props:
@@ -48242,6 +53299,9 @@ catalog:
                       value: SI-04f.
                       class: sp800-53a
                   prose: a legal opinion regarding system monitoring activities is obtained;
+                  links:
+                    - href: '#si-4_smt.f'
+                      rel: assessment-for
                 - id: si-4_obj.g
                   name: assessment-objective
                   props:
@@ -48249,6 +53309,12 @@ catalog:
                       value: SI-04g.
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.'
+                  links:
+                    - href: '#si-4_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#si-4_smt'
+                  rel: assessment-for
             - id: si-4_asm-examine
               name: assessment-method
               props:
@@ -48355,6 +53421,9 @@ catalog:
                       value: SI-04(02)
                       class: sp800-53a
                   prose: automated tools and mechanisms are employed to support a near real-time analysis of events.
+                  links:
+                    - href: '#si-4.2_smt'
+                      rel: assessment-for
                 - id: si-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -48543,6 +53612,9 @@ catalog:
                               value: SI-04(04)(a)[01]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
                         - id: si-4.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -48550,6 +53622,12 @@ catalog:
                               value: SI-04(04)(a)[02]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.a'
+                          rel: assessment-for
                     - id: si-4.4_obj.b
                       name: assessment-objective
                       props:
@@ -48564,6 +53642,9 @@ catalog:
                               value: SI-04(04)(b)[01]
                               class: sp800-53a
                           prose: 'inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
                         - id: si-4.4_obj.b-2
                           name: assessment-objective
                           props:
@@ -48571,6 +53652,15 @@ catalog:
                               value: SI-04(04)(b)[02]
                               class: sp800-53a
                           prose: 'outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.4_smt'
+                      rel: assessment-for
                 - id: si-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -48701,6 +53791,9 @@ catalog:
                       value: SI-04(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.'
+                  links:
+                    - href: '#si-4.5_smt'
+                      rel: assessment-for
                 - id: si-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -48904,6 +53997,9 @@ catalog:
                       value: SI-05a.
                       class: sp800-53a
                   prose: 'system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;'
+                  links:
+                    - href: '#si-5_smt.a'
+                      rel: assessment-for
                 - id: si-5_obj.b
                   name: assessment-objective
                   props:
@@ -48911,6 +54007,9 @@ catalog:
                       value: SI-05b.
                       class: sp800-53a
                   prose: internal security alerts, advisories, and directives are generated as deemed necessary;
+                  links:
+                    - href: '#si-5_smt.b'
+                      rel: assessment-for
                 - id: si-5_obj.c
                   name: assessment-objective
                   props:
@@ -48918,6 +54017,9 @@ catalog:
                       value: SI-05c.
                       class: sp800-53a
                   prose: 'security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};'
+                  links:
+                    - href: '#si-5_smt.c'
+                      rel: assessment-for
                 - id: si-5_obj.d
                   name: assessment-objective
                   props:
@@ -48925,6 +54027,12 @@ catalog:
                       value: SI-05d.
                       class: sp800-53a
                   prose: security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.
+                  links:
+                    - href: '#si-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-5_smt'
+                  rel: assessment-for
             - id: si-5_asm-examine
               name: assessment-method
               props:
@@ -49180,6 +54288,9 @@ catalog:
                           value: SI-07a.[01]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -49187,6 +54298,9 @@ catalog:
                           value: SI-07a.[02]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -49194,6 +54308,12 @@ catalog:
                           value: SI-07a.[03]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.a'
+                      rel: assessment-for
                 - id: si-7_obj.b
                   name: assessment-objective
                   props:
@@ -49208,6 +54328,9 @@ catalog:
                           value: SI-07b.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -49215,6 +54338,9 @@ catalog:
                           value: SI-07b.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -49222,6 +54348,15 @@ catalog:
                           value: SI-07b.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-7_smt'
+                  rel: assessment-for
             - id: si-7_asm-examine
               name: assessment-method
               props:
@@ -49487,6 +54622,9 @@ catalog:
                           value: SI-07(01)[01]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -49494,6 +54632,9 @@ catalog:
                           value: SI-07(01)[02]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-3
                       name: assessment-objective
                       props:
@@ -49501,6 +54642,12 @@ catalog:
                           value: SI-07(01)[03]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7.1_smt'
+                      rel: assessment-for
                 - id: si-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -49619,6 +54766,9 @@ catalog:
                       value: SI-07(07)
                       class: sp800-53a
                   prose: 'the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.'
+                  links:
+                    - href: '#si-7.7_smt'
+                      rel: assessment-for
                 - id: si-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -49755,6 +54905,9 @@ catalog:
                           value: SI-08a.[01]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-2
                       name: assessment-objective
                       props:
@@ -49762,6 +54915,9 @@ catalog:
                           value: SI-08a.[02]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-3
                       name: assessment-objective
                       props:
@@ -49769,6 +54925,9 @@ catalog:
                           value: SI-08a.[03]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-4
                       name: assessment-objective
                       props:
@@ -49776,6 +54935,12 @@ catalog:
                           value: SI-08a.[04]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-8_smt.a'
+                      rel: assessment-for
                 - id: si-8_obj.b
                   name: assessment-objective
                   props:
@@ -49783,6 +54948,12 @@ catalog:
                       value: SI-08b.
                       class: sp800-53a
                   prose: spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.
+                  links:
+                    - href: '#si-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-8_smt'
+                  rel: assessment-for
             - id: si-8_asm-examine
               name: assessment-method
               props:
@@ -49893,6 +55064,9 @@ catalog:
                       value: SI-08(02)
                       class: sp800-53a
                   prose: 'spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.'
+                  links:
+                    - href: '#si-8.2_smt'
+                      rel: assessment-for
                 - id: si-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -50008,6 +55182,9 @@ catalog:
                   value: SI-10
                   class: sp800-53a
               prose: 'the validity of the {{ insert: param, si-10_odp }} is checked.'
+              links:
+                - href: '#si-10_smt'
+                  rel: assessment-for
             - id: si-10_asm-examine
               name: assessment-method
               props:
@@ -50143,6 +55320,9 @@ catalog:
                       value: SI-11a.
                       class: sp800-53a
                   prose: error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;
+                  links:
+                    - href: '#si-11_smt.a'
+                      rel: assessment-for
                 - id: si-11_obj.b
                   name: assessment-objective
                   props:
@@ -50150,6 +55330,12 @@ catalog:
                       value: SI-11b.
                       class: sp800-53a
                   prose: 'error messages are revealed only to {{ insert: param, si-11_odp }}.'
+                  links:
+                    - href: '#si-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-11_smt'
+                  rel: assessment-for
             - id: si-11_asm-examine
               name: assessment-method
               props:
@@ -50317,6 +55503,9 @@ catalog:
                       value: SI-12[01]
                       class: sp800-53a
                   prose: information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-2
                   name: assessment-objective
                   props:
@@ -50324,6 +55513,9 @@ catalog:
                       value: SI-12[02]
                       class: sp800-53a
                   prose: information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-3
                   name: assessment-objective
                   props:
@@ -50331,6 +55523,9 @@ catalog:
                       value: SI-12[03]
                       class: sp800-53a
                   prose: information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-4
                   name: assessment-objective
                   props:
@@ -50338,6 +55533,12 @@ catalog:
                       value: SI-12[04]
                       class: sp800-53a
                   prose: information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-12_smt'
+                  rel: assessment-for
             - id: si-12_asm-examine
               name: assessment-method
               props:
@@ -50462,6 +55663,9 @@ catalog:
                   value: SI-16
                   class: sp800-53a
               prose: ' {{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.'
+              links:
+                - href: '#si-16_smt'
+                  rel: assessment-for
             - id: si-16_asm-examine
               name: assessment-method
               props:
@@ -50744,6 +55948,9 @@ catalog:
                           value: SR-01a.[01]
                           class: sp800-53a
                       prose: a supply chain risk management policy is developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -50751,6 +55958,9 @@ catalog:
                           value: SR-01a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -50758,6 +55968,9 @@ catalog:
                           value: SR-01a.[03]
                           class: sp800-53a
                       prose: supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -50765,6 +55978,9 @@ catalog:
                           value: SR-01a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -50786,6 +56002,9 @@ catalog:
                                   value: SR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -50793,6 +56012,9 @@ catalog:
                                   value: SR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; '
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -50800,6 +56022,9 @@ catalog:
                                   value: SR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: ' {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -50807,6 +56032,9 @@ catalog:
                                   value: SR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -50814,6 +56042,9 @@ catalog:
                                   value: SR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -50821,6 +56052,9 @@ catalog:
                                   value: SR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -50828,6 +56062,12 @@ catalog:
                                   value: SR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sr-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sr-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -50835,6 +56075,15 @@ catalog:
                               value: SR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sr-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.a'
+                      rel: assessment-for
                 - id: sr-1_obj.b
                   name: assessment-objective
                   props:
@@ -50842,6 +56091,9 @@ catalog:
                       value: SR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;'
+                  links:
+                    - href: '#sr-1_smt.b'
+                      rel: assessment-for
                 - id: sr-1_obj.c
                   name: assessment-objective
                   props:
@@ -50863,6 +56115,9 @@ catalog:
                               value: SR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
                         - id: sr-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -50870,6 +56125,12 @@ catalog:
                               value: SR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.1'
+                          rel: assessment-for
                     - id: sr-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -50884,6 +56145,9 @@ catalog:
                               value: SR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
                         - id: sr-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -50891,6 +56155,18 @@ catalog:
                               value: SR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-1_smt'
+                  rel: assessment-for
             - id: sr-1_asm-examine
               name: assessment-method
               props:
@@ -51067,6 +56343,9 @@ catalog:
                           value: SR-02a.[01]
                           class: sp800-53a
                       prose: a plan for managing supply chain risks is developed;
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -51074,6 +56353,9 @@ catalog:
                           value: SR-02a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -51081,6 +56363,9 @@ catalog:
                           value: SR-02a.[03]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-4
                       name: assessment-objective
                       props:
@@ -51088,6 +56373,9 @@ catalog:
                           value: SR-02a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-5
                       name: assessment-objective
                       props:
@@ -51095,6 +56383,9 @@ catalog:
                           value: SR-02a.[05]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-6
                       name: assessment-objective
                       props:
@@ -51102,6 +56393,9 @@ catalog:
                           value: SR-02a.[06]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-7
                       name: assessment-objective
                       props:
@@ -51109,6 +56403,9 @@ catalog:
                           value: SR-02a.[07]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-8
                       name: assessment-objective
                       props:
@@ -51116,6 +56413,9 @@ catalog:
                           value: SR-02a.[08]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-9
                       name: assessment-objective
                       props:
@@ -51123,6 +56423,12 @@ catalog:
                           value: SR-02a.[09]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.a'
+                      rel: assessment-for
                 - id: sr-2_obj.b
                   name: assessment-objective
                   props:
@@ -51130,6 +56436,9 @@ catalog:
                       value: SR-02b.
                       class: sp800-53a
                   prose: 'the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;'
+                  links:
+                    - href: '#sr-2_smt.b'
+                      rel: assessment-for
                 - id: sr-2_obj.c
                   name: assessment-objective
                   props:
@@ -51144,6 +56453,9 @@ catalog:
                           value: SR-02c.[01]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
                     - id: sr-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -51151,6 +56463,15 @@ catalog:
                           value: SR-02c.[02]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-2_smt'
+                  rel: assessment-for
             - id: sr-2_asm-examine
               name: assessment-method
               props:
@@ -51297,6 +56618,9 @@ catalog:
                       value: SR-02(01)
                       class: sp800-53a
                   prose: 'a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.'
+                  links:
+                    - href: '#sr-2.1_smt'
+                      rel: assessment-for
                 - id: sr-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -51530,6 +56854,9 @@ catalog:
                           value: SR-03a.[01]
                           class: sp800-53a
                       prose: 'a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
                     - id: sr-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -51537,6 +56864,12 @@ catalog:
                           value: SR-03a.[02]
                           class: sp800-53a
                       prose: 'the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-3_smt.a'
+                      rel: assessment-for
                 - id: sr-3_obj.b
                   name: assessment-objective
                   props:
@@ -51544,6 +56877,9 @@ catalog:
                       value: SR-03b.
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;'
+                  links:
+                    - href: '#sr-3_smt.b'
+                      rel: assessment-for
                 - id: sr-3_obj.c
                   name: assessment-objective
                   props:
@@ -51551,6 +56887,12 @@ catalog:
                       value: SR-03c.
                       class: sp800-53a
                   prose: 'the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.'
+                  links:
+                    - href: '#sr-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-3_smt'
+                  rel: assessment-for
             - id: sr-3_asm-examine
               name: assessment-method
               props:
@@ -51720,6 +57062,9 @@ catalog:
                       value: SR-05[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-2
                   name: assessment-objective
                   props:
@@ -51727,6 +57072,9 @@ catalog:
                       value: SR-05[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to identify supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-3
                   name: assessment-objective
                   props:
@@ -51734,6 +57082,12 @@ catalog:
                       value: SR-05[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sr-5_smt'
+                  rel: assessment-for
             - id: sr-5_asm-examine
               name: assessment-method
               props:
@@ -51880,6 +57234,9 @@ catalog:
                   value: SR-06
                   class: sp800-53a
               prose: 'the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.'
+              links:
+                - href: '#sr-6_smt'
+                  rel: assessment-for
             - id: sr-6_asm-examine
               name: assessment-method
               props:
@@ -52019,6 +57376,9 @@ catalog:
                   value: SR-08
                   class: sp800-53a
               prose: 'agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.'
+              links:
+                - href: '#sr-8_smt'
+                  rel: assessment-for
             - id: sr-8_asm-examine
               name: assessment-method
               props:
@@ -52175,6 +57535,9 @@ catalog:
                   value: SR-10
                   class: sp800-53a
               prose: ' {{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.'
+              links:
+                - href: '#sr-10_smt'
+                  rel: assessment-for
             - id: sr-10_asm-examine
               name: assessment-method
               props:
@@ -52346,6 +57709,9 @@ catalog:
                           value: SR-11a.[01]
                           class: sp800-53a
                       prose: an anti-counterfeit policy is developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -52353,6 +57719,9 @@ catalog:
                           value: SR-11a.[02]
                           class: sp800-53a
                       prose: anti-counterfeit procedures are developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -52360,6 +57729,9 @@ catalog:
                           value: SR-11a.[03]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to detect counterfeit components entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -52367,6 +57739,12 @@ catalog:
                           value: SR-11a.[04]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11_smt.a'
+                      rel: assessment-for
                 - id: sr-11_obj.b
                   name: assessment-objective
                   props:
@@ -52374,6 +57752,12 @@ catalog:
                       value: SR-11b.
                       class: sp800-53a
                   prose: 'counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.'
+                  links:
+                    - href: '#sr-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sr-11_smt'
+                  rel: assessment-for
             - id: sr-11_asm-examine
               name: assessment-method
               props:
@@ -52499,6 +57883,9 @@ catalog:
                       value: SR-11(01)
                       class: sp800-53a
                   prose: ' {{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).'
+                  links:
+                    - href: '#sr-11.1_smt'
+                      rel: assessment-for
                 - id: sr-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -52623,6 +58010,9 @@ catalog:
                           value: SR-11(02)[01]
                           class: sp800-53a
                       prose: 'configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
                     - id: sr-11.2_obj-2
                       name: assessment-objective
                       props:
@@ -52630,6 +58020,12 @@ catalog:
                           value: SR-11(02)[02]
                           class: sp800-53a
                       prose: 'configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11.2_smt'
+                      rel: assessment-for
                 - id: sr-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -52746,6 +58142,9 @@ catalog:
                   value: SR-12
                   class: sp800-53a
               prose: ' {{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.'
+              links:
+                - href: '#sr-12_smt'
+                  rel: assessment-for
             - id: sr-12_asm-examine
               name: assessment-method
               props:
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml
index 5cf517fb..0fcdb4c3 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_MODERATE-baseline_profile.yaml
@@ -1,9 +1,9 @@
 profile:
-  uuid: 1019f424-1556-4aa3-9df3-337b97c2c856
+  uuid: 49f45a95-20d1-450a-b4a5-c27ecc335a26
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 MODERATE IMPACT BASELINE
-    last-modified: "2023-10-12T00:00:00.000000-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 MODERATE IMPACT BASELINE
+    last-modified: "2023-12-04T14:55:00.000000-04:00"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     roles:
       - id: creator
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.yaml
index 8f99bf6c..23699fcf 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline-resolved-profile_catalog.yaml
@@ -1,9 +1,9 @@
 catalog:
-  uuid: b59abead-41dd-4ba4-818d-b2ce8ca7b80e
+  uuid: f8f8bd60-df08-46cc-8083-cf001f43ea6a
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE
-    last-modified: "2023-11-02T11:49:42.694597-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE
+    last-modified: "2023-12-05T21:54:56.105295Z"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     props:
       - name: resolution-tool
@@ -257,6 +257,9 @@ catalog:
                           value: AC-01a.[01]
                           class: sp800-53a
                       prose: an access control policy is developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -264,6 +267,9 @@ catalog:
                           value: AC-01a.[02]
                           class: sp800-53a
                       prose: 'the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -271,6 +277,9 @@ catalog:
                           value: AC-01a.[03]
                           class: sp800-53a
                       prose: access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -278,6 +287,9 @@ catalog:
                           value: AC-01a.[04]
                           class: sp800-53a
                       prose: 'the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -299,6 +311,9 @@ catalog:
                                   value: AC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -306,6 +321,9 @@ catalog:
                                   value: AC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -313,6 +331,9 @@ catalog:
                                   value: AC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -320,6 +341,9 @@ catalog:
                                   value: AC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -327,6 +351,9 @@ catalog:
                                   value: AC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -334,6 +361,9 @@ catalog:
                                   value: AC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -341,6 +371,12 @@ catalog:
                                   value: AC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ac-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -348,6 +384,15 @@ catalog:
                               value: AC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ac-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.a'
+                      rel: assessment-for
                 - id: ac-1_obj.b
                   name: assessment-objective
                   props:
@@ -355,6 +400,9 @@ catalog:
                       value: AC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;'
+                  links:
+                    - href: '#ac-1_smt.b'
+                      rel: assessment-for
                 - id: ac-1_obj.c
                   name: assessment-objective
                   props:
@@ -376,6 +424,9 @@ catalog:
                               value: AC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
                         - id: ac-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -383,6 +434,12 @@ catalog:
                               value: AC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.1'
+                          rel: assessment-for
                     - id: ac-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -397,6 +454,9 @@ catalog:
                               value: AC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
                         - id: ac-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -404,6 +464,18 @@ catalog:
                               value: AC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-1_smt'
+                  rel: assessment-for
             - id: ac-1_asm-examine
               name: assessment-method
               props:
@@ -517,6 +589,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-3'
               rel: related
             - href: '#ma-4'
@@ -569,6 +643,9 @@ catalog:
                   value: AC-03
                   class: sp800-53a
               prose: approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
+              links:
+                - href: '#ac-3_smt'
+                  rel: assessment-for
             - id: ac-3_asm-examine
               name: assessment-method
               props:
@@ -692,6 +769,9 @@ catalog:
                       value: AC-03(14)
                       class: sp800-53a
                   prose: ' {{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.'
+                  links:
+                    - href: '#ac-3.14_smt'
+                      rel: assessment-for
                 - id: ac-3.14_asm-examine
                   name: assessment-method
                   props:
@@ -975,6 +1055,9 @@ catalog:
                           value: AT-01a.[01]
                           class: sp800-53a
                       prose: 'an awareness and training policy is developed and documented; '
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -982,6 +1065,9 @@ catalog:
                           value: AT-01a.[02]
                           class: sp800-53a
                       prose: 'the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -989,6 +1075,9 @@ catalog:
                           value: AT-01a.[03]
                           class: sp800-53a
                       prose: awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -996,6 +1085,9 @@ catalog:
                           value: AT-01a.[04]
                           class: sp800-53a
                       prose: 'the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -1017,6 +1109,9 @@ catalog:
                                   value: AT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -1024,6 +1119,9 @@ catalog:
                                   value: AT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -1031,6 +1129,9 @@ catalog:
                                   value: AT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -1038,6 +1139,9 @@ catalog:
                                   value: AT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -1045,6 +1149,9 @@ catalog:
                                   value: AT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -1052,6 +1159,9 @@ catalog:
                                   value: AT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -1059,6 +1169,12 @@ catalog:
                                   value: AT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#at-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: at-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -1066,6 +1182,15 @@ catalog:
                               value: AT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and'
+                          links:
+                            - href: '#at-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.a'
+                      rel: assessment-for
                 - id: at-1_obj.b
                   name: assessment-objective
                   props:
@@ -1073,6 +1198,9 @@ catalog:
                       value: AT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;'
+                  links:
+                    - href: '#at-1_smt.b'
+                      rel: assessment-for
                 - id: at-1_obj.c
                   name: assessment-objective
                   props:
@@ -1094,6 +1222,9 @@ catalog:
                               value: AT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; '
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
                         - id: at-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -1101,6 +1232,12 @@ catalog:
                               value: AT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};'
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.1'
+                          rel: assessment-for
                     - id: at-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -1115,6 +1252,9 @@ catalog:
                               value: AT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
                         - id: at-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -1122,6 +1262,18 @@ catalog:
                               value: AT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-1_smt'
+                  rel: assessment-for
             - id: at-1_asm-examine
               name: assessment-method
               props:
@@ -1374,6 +1526,9 @@ catalog:
                               value: AT-02a.01[01]
                               class: sp800-53a
                           prose: security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -1381,6 +1536,9 @@ catalog:
                               value: AT-02a.01[02]
                               class: sp800-53a
                           prose: privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -1388,6 +1546,9 @@ catalog:
                               value: AT-02a.01[03]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -1395,6 +1556,12 @@ catalog:
                               value: AT-02a.01[04]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.1'
+                          rel: assessment-for
                     - id: at-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -1409,6 +1576,9 @@ catalog:
                               value: AT-02a.02[01]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
                         - id: at-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -1416,6 +1586,15 @@ catalog:
                               value: AT-02a.02[02]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.a'
+                      rel: assessment-for
                 - id: at-2_obj.b
                   name: assessment-objective
                   props:
@@ -1423,6 +1602,9 @@ catalog:
                       value: AT-02b.
                       class: sp800-53a
                   prose: ' {{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;'
+                  links:
+                    - href: '#at-2_smt.b'
+                      rel: assessment-for
                 - id: at-2_obj.c
                   name: assessment-objective
                   props:
@@ -1437,6 +1619,9 @@ catalog:
                           value: AT-02c.[01]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
                     - id: at-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -1444,6 +1629,12 @@ catalog:
                           value: AT-02c.[02]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.c'
+                      rel: assessment-for
                 - id: at-2_obj.d
                   name: assessment-objective
                   props:
@@ -1451,6 +1642,12 @@ catalog:
                       value: AT-02d.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
+                  links:
+                    - href: '#at-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#at-2_smt'
+                  rel: assessment-for
             - id: at-2_asm-examine
               name: assessment-method
               props:
@@ -1702,6 +1899,9 @@ catalog:
                               value: AT-03a.01[01]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -1709,6 +1909,9 @@ catalog:
                               value: AT-03a.01[02]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -1716,6 +1919,9 @@ catalog:
                               value: AT-03a.01[03]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -1723,6 +1929,12 @@ catalog:
                               value: AT-03a.01[04]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.1'
+                          rel: assessment-for
                     - id: at-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -1737,6 +1949,9 @@ catalog:
                               value: AT-03a.02[01]
                               class: sp800-53a
                           prose: role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
                         - id: at-3_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -1744,6 +1959,15 @@ catalog:
                               value: AT-03a.02[02]
                               class: sp800-53a
                           prose: role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.a'
+                      rel: assessment-for
                 - id: at-3_obj.b
                   name: assessment-objective
                   props:
@@ -1758,6 +1982,9 @@ catalog:
                           value: AT-03b.[01]
                           class: sp800-53a
                       prose: 'role-based training content is updated {{ insert: param, at-03_odp.04 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
                     - id: at-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -1765,6 +1992,12 @@ catalog:
                           value: AT-03b.[02]
                           class: sp800-53a
                       prose: 'role-based training content is updated following {{ insert: param, at-03_odp.05 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.b'
+                      rel: assessment-for
                 - id: at-3_obj.c
                   name: assessment-objective
                   props:
@@ -1772,6 +2005,12 @@ catalog:
                       value: AT-03c.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
+                  links:
+                    - href: '#at-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-3_smt'
+                  rel: assessment-for
             - id: at-3_asm-examine
               name: assessment-method
               props:
@@ -1892,6 +2131,9 @@ catalog:
                       value: AT-03(05)
                       class: sp800-53a
                   prose: ' {{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.'
+                  links:
+                    - href: '#at-3.5_smt'
+                      rel: assessment-for
                 - id: at-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -2029,6 +2271,9 @@ catalog:
                           value: AT-04a.[01]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
                     - id: at-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -2036,6 +2281,12 @@ catalog:
                           value: AT-04a.[02]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-4_smt.a'
+                      rel: assessment-for
                 - id: at-4_obj.b
                   name: assessment-objective
                   props:
@@ -2043,6 +2294,12 @@ catalog:
                       value: AT-04b.
                       class: sp800-53a
                   prose: 'individual training records are retained for {{ insert: param, at-04_odp }}.'
+                  links:
+                    - href: '#at-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#at-4_smt'
+                  rel: assessment-for
             - id: at-4_asm-examine
               name: assessment-method
               props:
@@ -2300,6 +2557,9 @@ catalog:
                           value: AU-01a.[01]
                           class: sp800-53a
                       prose: an audit and accountability policy is developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -2307,6 +2567,9 @@ catalog:
                           value: AU-01a.[02]
                           class: sp800-53a
                       prose: 'the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -2314,6 +2577,9 @@ catalog:
                           value: AU-01a.[03]
                           class: sp800-53a
                       prose: audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -2321,6 +2587,9 @@ catalog:
                           value: AU-01a.[04]
                           class: sp800-53a
                       prose: 'the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -2342,6 +2611,9 @@ catalog:
                                   value: AU-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -2349,6 +2621,9 @@ catalog:
                                   value: AU-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -2356,6 +2631,9 @@ catalog:
                                   value: AU-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -2363,6 +2641,9 @@ catalog:
                                   value: AU-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -2370,6 +2651,9 @@ catalog:
                                   value: AU-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -2377,6 +2661,9 @@ catalog:
                                   value: AU-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -2384,6 +2671,12 @@ catalog:
                                   value: AU-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#au-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: au-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -2391,6 +2684,15 @@ catalog:
                               value: AU-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#au-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.a'
+                      rel: assessment-for
                 - id: au-1_obj.b
                   name: assessment-objective
                   props:
@@ -2398,6 +2700,9 @@ catalog:
                       value: AU-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;'
+                  links:
+                    - href: '#au-1_smt.b'
+                      rel: assessment-for
                 - id: au-1_obj.c
                   name: assessment-objective
                   props:
@@ -2419,6 +2724,9 @@ catalog:
                               value: AU-01c.01[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
                         - id: au-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -2426,6 +2734,12 @@ catalog:
                               value: AU-01c.01[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.1'
+                          rel: assessment-for
                     - id: au-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -2440,6 +2754,9 @@ catalog:
                               value: AU-01c.02[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
                         - id: au-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -2447,6 +2764,18 @@ catalog:
                               value: AU-01c.02[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-1_smt'
+                  rel: assessment-for
             - id: au-1_asm-examine
               name: assessment-method
               props:
@@ -2673,6 +3002,9 @@ catalog:
                       value: AU-02a.
                       class: sp800-53a
                   prose: ' {{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;'
+                  links:
+                    - href: '#au-2_smt.a'
+                      rel: assessment-for
                 - id: au-2_obj.b
                   name: assessment-objective
                   props:
@@ -2680,6 +3012,9 @@ catalog:
                       value: AU-02b.
                       class: sp800-53a
                   prose: the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+                  links:
+                    - href: '#au-2_smt.b'
+                      rel: assessment-for
                 - id: au-2_obj.c
                   name: assessment-objective
                   props:
@@ -2694,6 +3029,9 @@ catalog:
                           value: AU-02c.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, au-02_odp.02 }} are specified for logging within the system;'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
                     - id: au-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -2701,6 +3039,12 @@ catalog:
                           value: AU-02c.[02]
                           class: sp800-53a
                       prose: 'the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-2_smt.c'
+                      rel: assessment-for
                 - id: au-2_obj.d
                   name: assessment-objective
                   props:
@@ -2708,6 +3052,9 @@ catalog:
                       value: AU-02d.
                       class: sp800-53a
                   prose: a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+                  links:
+                    - href: '#au-2_smt.d'
+                      rel: assessment-for
                 - id: au-2_obj.e
                   name: assessment-objective
                   props:
@@ -2715,6 +3062,12 @@ catalog:
                       value: AU-02e.
                       class: sp800-53a
                   prose: 'the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.'
+                  links:
+                    - href: '#au-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#au-2_smt'
+                  rel: assessment-for
             - id: au-2_asm-examine
               name: assessment-method
               props:
@@ -2868,6 +3221,9 @@ catalog:
                       value: AU-03a.
                       class: sp800-53a
                   prose: audit records contain information that establishes what type of event occurred;
+                  links:
+                    - href: '#au-3_smt.a'
+                      rel: assessment-for
                 - id: au-3_obj.b
                   name: assessment-objective
                   props:
@@ -2875,6 +3231,9 @@ catalog:
                       value: AU-03b.
                       class: sp800-53a
                   prose: audit records contain information that establishes when the event occurred;
+                  links:
+                    - href: '#au-3_smt.b'
+                      rel: assessment-for
                 - id: au-3_obj.c
                   name: assessment-objective
                   props:
@@ -2882,6 +3241,9 @@ catalog:
                       value: AU-03c.
                       class: sp800-53a
                   prose: audit records contain information that establishes where the event occurred;
+                  links:
+                    - href: '#au-3_smt.c'
+                      rel: assessment-for
                 - id: au-3_obj.d
                   name: assessment-objective
                   props:
@@ -2889,6 +3251,9 @@ catalog:
                       value: AU-03d.
                       class: sp800-53a
                   prose: audit records contain information that establishes the source of the event;
+                  links:
+                    - href: '#au-3_smt.d'
+                      rel: assessment-for
                 - id: au-3_obj.e
                   name: assessment-objective
                   props:
@@ -2896,6 +3261,9 @@ catalog:
                       value: AU-03e.
                       class: sp800-53a
                   prose: audit records contain information that establishes the outcome of the event;
+                  links:
+                    - href: '#au-3_smt.e'
+                      rel: assessment-for
                 - id: au-3_obj.f
                   name: assessment-objective
                   props:
@@ -2903,6 +3271,12 @@ catalog:
                       value: AU-03f.
                       class: sp800-53a
                   prose: audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+                  links:
+                    - href: '#au-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#au-3_smt'
+                  rel: assessment-for
             - id: au-3_asm-examine
               name: assessment-method
               props:
@@ -3008,6 +3382,9 @@ catalog:
                       value: AU-03(03)
                       class: sp800-53a
                   prose: 'personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.'
+                  links:
+                    - href: '#au-3.3_smt'
+                      rel: assessment-for
                 - id: au-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -3137,6 +3514,9 @@ catalog:
                   value: AU-11
                   class: sp800-53a
               prose: 'audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
+              links:
+                - href: '#au-11_smt'
+                  rel: assessment-for
             - id: au-11_asm-examine
               name: assessment-method
               props:
@@ -3407,6 +3787,9 @@ catalog:
                           value: CA-01a.[01]
                           class: sp800-53a
                       prose: an assessment, authorization, and monitoring policy is developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -3414,6 +3797,9 @@ catalog:
                           value: CA-01a.[02]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -3421,6 +3807,9 @@ catalog:
                           value: CA-01a.[03]
                           class: sp800-53a
                       prose: assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -3428,6 +3817,9 @@ catalog:
                           value: CA-01a.[04]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -3449,6 +3841,9 @@ catalog:
                                   value: CA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -3456,6 +3851,9 @@ catalog:
                                   value: CA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -3463,6 +3861,9 @@ catalog:
                                   value: CA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -3470,6 +3871,9 @@ catalog:
                                   value: CA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -3477,6 +3881,9 @@ catalog:
                                   value: CA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -3484,6 +3891,9 @@ catalog:
                                   value: CA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -3491,6 +3901,12 @@ catalog:
                                   value: CA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ca-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ca-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -3498,6 +3914,15 @@ catalog:
                               value: CA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ca-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.a'
+                      rel: assessment-for
                 - id: ca-1_obj.b
                   name: assessment-objective
                   props:
@@ -3505,6 +3930,9 @@ catalog:
                       value: CA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;'
+                  links:
+                    - href: '#ca-1_smt.b'
+                      rel: assessment-for
                 - id: ca-1_obj.c
                   name: assessment-objective
                   props:
@@ -3526,6 +3954,9 @@ catalog:
                               value: CA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
                         - id: ca-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -3533,6 +3964,12 @@ catalog:
                               value: CA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};'
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.1'
+                          rel: assessment-for
                     - id: ca-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -3547,6 +3984,9 @@ catalog:
                               value: CA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
                         - id: ca-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -3554,6 +3994,18 @@ catalog:
                               value: CA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.'
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-1_smt'
+                  rel: assessment-for
             - id: ca-1_asm-examine
               name: assessment-method
               props:
@@ -3761,6 +4213,9 @@ catalog:
                       value: CA-02a.
                       class: sp800-53a
                   prose: an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
+                  links:
+                    - href: '#ca-2_smt.a'
+                      rel: assessment-for
                 - id: ca-2_obj.b
                   name: assessment-objective
                   props:
@@ -3775,6 +4230,9 @@ catalog:
                           value: CA-02b.01
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
+                      links:
+                        - href: '#ca-2_smt.b.1'
+                          rel: assessment-for
                     - id: ca-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -3782,6 +4240,9 @@ catalog:
                           value: CA-02b.02
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
+                      links:
+                        - href: '#ca-2_smt.b.2'
+                          rel: assessment-for
                     - id: ca-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -3796,6 +4257,9 @@ catalog:
                               value: CA-02b.03[01]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -3803,6 +4267,9 @@ catalog:
                               value: CA-02b.03[02]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-3
                           name: assessment-objective
                           props:
@@ -3810,6 +4277,15 @@ catalog:
                               value: CA-02b.03[03]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.b'
+                      rel: assessment-for
                 - id: ca-2_obj.c
                   name: assessment-objective
                   props:
@@ -3817,6 +4293,9 @@ catalog:
                       value: CA-02c.
                       class: sp800-53a
                   prose: the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+                  links:
+                    - href: '#ca-2_smt.c'
+                      rel: assessment-for
                 - id: ca-2_obj.d
                   name: assessment-objective
                   props:
@@ -3831,6 +4310,9 @@ catalog:
                           value: CA-02d.[01]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
                     - id: ca-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -3838,6 +4320,12 @@ catalog:
                           value: CA-02d.[02]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.d'
+                      rel: assessment-for
                 - id: ca-2_obj.e
                   name: assessment-objective
                   props:
@@ -3845,6 +4333,9 @@ catalog:
                       value: CA-02e.
                       class: sp800-53a
                   prose: a control assessment report is produced that documents the results of the assessment;
+                  links:
+                    - href: '#ca-2_smt.e'
+                      rel: assessment-for
                 - id: ca-2_obj.f
                   name: assessment-objective
                   props:
@@ -3852,6 +4343,12 @@ catalog:
                       value: CA-02f.
                       class: sp800-53a
                   prose: 'the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.'
+                  links:
+                    - href: '#ca-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ca-2_smt'
+                  rel: assessment-for
             - id: ca-2_asm-examine
               name: assessment-method
               props:
@@ -3986,6 +4483,9 @@ catalog:
                       value: CA-05a.
                       class: sp800-53a
                   prose: a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
+                  links:
+                    - href: '#ca-5_smt.a'
+                      rel: assessment-for
                 - id: ca-5_obj.b
                   name: assessment-objective
                   props:
@@ -3993,6 +4493,12 @@ catalog:
                       value: CA-05b.
                       class: sp800-53a
                   prose: 'existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.'
+                  links:
+                    - href: '#ca-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ca-5_smt'
+                  rel: assessment-for
             - id: ca-5_asm-examine
               name: assessment-method
               props:
@@ -4167,6 +4673,9 @@ catalog:
                       value: CA-06a.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for the system;
+                  links:
+                    - href: '#ca-6_smt.a'
+                      rel: assessment-for
                 - id: ca-6_obj.b
                   name: assessment-objective
                   props:
@@ -4174,6 +4683,9 @@ catalog:
                       value: CA-06b.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.b'
+                      rel: assessment-for
                 - id: ca-6_obj.c
                   name: assessment-objective
                   props:
@@ -4188,6 +4700,9 @@ catalog:
                           value: CA-06c.01
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
+                      links:
+                        - href: '#ca-6_smt.c.1'
+                          rel: assessment-for
                     - id: ca-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -4195,6 +4710,12 @@ catalog:
                           value: CA-06c.02
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system authorizes the system to operate;
+                      links:
+                        - href: '#ca-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6_smt.c'
+                      rel: assessment-for
                 - id: ca-6_obj.d
                   name: assessment-objective
                   props:
@@ -4202,6 +4723,9 @@ catalog:
                       value: CA-06d.
                       class: sp800-53a
                   prose: the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.d'
+                      rel: assessment-for
                 - id: ca-6_obj.e
                   name: assessment-objective
                   props:
@@ -4209,6 +4733,12 @@ catalog:
                       value: CA-06e.
                       class: sp800-53a
                   prose: 'the authorizations are updated {{ insert: param, ca-06_odp }}.'
+                  links:
+                    - href: '#ca-6_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ca-6_smt'
+                  rel: assessment-for
             - id: ca-6_asm-examine
               name: assessment-method
               props:
@@ -4541,6 +5071,9 @@ catalog:
                       value: CA-07[01]
                       class: sp800-53a
                   prose: a system-level continuous monitoring strategy is developed;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj-2
                   name: assessment-objective
                   props:
@@ -4548,6 +5081,9 @@ catalog:
                       value: CA-07[02]
                       class: sp800-53a
                   prose: system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj.a
                   name: assessment-objective
                   props:
@@ -4555,6 +5091,9 @@ catalog:
                       value: CA-07a.
                       class: sp800-53a
                   prose: 'system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};'
+                  links:
+                    - href: '#ca-7_smt.a'
+                      rel: assessment-for
                 - id: ca-7_obj.b
                   name: assessment-objective
                   props:
@@ -4569,6 +5108,9 @@ catalog:
                           value: CA-07b.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
                     - id: ca-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -4576,6 +5118,12 @@ catalog:
                           value: CA-07b.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.b'
+                      rel: assessment-for
                 - id: ca-7_obj.c
                   name: assessment-objective
                   props:
@@ -4583,6 +5131,9 @@ catalog:
                       value: CA-07c.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.c'
+                      rel: assessment-for
                 - id: ca-7_obj.d
                   name: assessment-objective
                   props:
@@ -4590,6 +5141,9 @@ catalog:
                       value: CA-07d.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.d'
+                      rel: assessment-for
                 - id: ca-7_obj.e
                   name: assessment-objective
                   props:
@@ -4597,6 +5151,9 @@ catalog:
                       value: CA-07e.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
+                  links:
+                    - href: '#ca-7_smt.e'
+                      rel: assessment-for
                 - id: ca-7_obj.f
                   name: assessment-objective
                   props:
@@ -4604,6 +5161,9 @@ catalog:
                       value: CA-07f.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
+                  links:
+                    - href: '#ca-7_smt.f'
+                      rel: assessment-for
                 - id: ca-7_obj.g
                   name: assessment-objective
                   props:
@@ -4618,6 +5178,9 @@ catalog:
                           value: CA-07g.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
                     - id: ca-7_obj.g-2
                       name: assessment-objective
                       props:
@@ -4625,6 +5188,15 @@ catalog:
                           value: CA-07g.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ca-7_smt'
+                  rel: assessment-for
             - id: ca-7_asm-examine
               name: assessment-method
               props:
@@ -4763,6 +5335,9 @@ catalog:
                           value: CA-07(04)(a)
                           class: sp800-53a
                       prose: effectiveness monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.a'
+                          rel: assessment-for
                     - id: ca-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -4770,6 +5345,9 @@ catalog:
                           value: CA-07(04)(b)
                           class: sp800-53a
                       prose: compliance monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.b'
+                          rel: assessment-for
                     - id: ca-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -4777,6 +5355,12 @@ catalog:
                           value: CA-07(04)(c)
                           class: sp800-53a
                       prose: change monitoring is included in risk monitoring.
+                      links:
+                        - href: '#ca-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.4_smt'
+                      rel: assessment-for
                 - id: ca-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -5053,6 +5637,9 @@ catalog:
                           value: CM-01a.[01]
                           class: sp800-53a
                       prose: a configuration management policy is developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -5060,6 +5647,9 @@ catalog:
                           value: CM-01a.[02]
                           class: sp800-53a
                       prose: 'the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -5067,6 +5657,9 @@ catalog:
                           value: CM-01a.[03]
                           class: sp800-53a
                       prose: configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -5074,6 +5667,9 @@ catalog:
                           value: CM-01a.[04]
                           class: sp800-53a
                       prose: 'the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -5095,6 +5691,9 @@ catalog:
                                   value: CM-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -5102,6 +5701,9 @@ catalog:
                                   value: CM-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -5109,6 +5711,9 @@ catalog:
                                   value: CM-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -5116,6 +5721,9 @@ catalog:
                                   value: CM-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -5123,6 +5731,9 @@ catalog:
                                   value: CM-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -5130,6 +5741,9 @@ catalog:
                                   value: CM-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -5137,6 +5751,12 @@ catalog:
                                   value: CM-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cm-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cm-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -5144,6 +5764,15 @@ catalog:
                               value: CM-01a.01(b)
                               class: sp800-53a
                           prose: the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#cm-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.a'
+                      rel: assessment-for
                 - id: cm-1_obj.b
                   name: assessment-objective
                   props:
@@ -5151,6 +5780,9 @@ catalog:
                       value: CM-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;'
+                  links:
+                    - href: '#cm-1_smt.b'
+                      rel: assessment-for
                 - id: cm-1_obj.c
                   name: assessment-objective
                   props:
@@ -5172,6 +5804,9 @@ catalog:
                               value: CM-01c.01[01]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
                         - id: cm-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -5179,6 +5814,12 @@ catalog:
                               value: CM-01c.01[02]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};'
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.1'
+                          rel: assessment-for
                     - id: cm-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -5193,6 +5834,9 @@ catalog:
                               value: CM-01c.02[01]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
                         - id: cm-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -5200,6 +5844,18 @@ catalog:
                               value: CM-01c.02[02]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.'
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-1_smt'
+                  rel: assessment-for
             - id: cm-1_asm-examine
               name: assessment-method
               props:
@@ -5307,6 +5963,9 @@ catalog:
                       value: CM-04[01]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential security impacts prior to change implementation;
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
                 - id: cm-4_obj-2
                   name: assessment-objective
                   props:
@@ -5314,6 +5973,12 @@ catalog:
                       value: CM-04[02]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-4_smt'
+                  rel: assessment-for
             - id: cm-4_asm-examine
               name: assessment-method
               props:
@@ -5609,6 +6274,9 @@ catalog:
                           value: IR-01a.[01]
                           class: sp800-53a
                       prose: an incident response policy is developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -5616,6 +6284,9 @@ catalog:
                           value: IR-01a.[02]
                           class: sp800-53a
                       prose: 'the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -5623,6 +6294,9 @@ catalog:
                           value: IR-01a.[03]
                           class: sp800-53a
                       prose: incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -5630,6 +6304,9 @@ catalog:
                           value: IR-01a.[04]
                           class: sp800-53a
                       prose: 'the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -5651,6 +6328,9 @@ catalog:
                                   value: IR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -5658,6 +6338,9 @@ catalog:
                                   value: IR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -5665,6 +6348,9 @@ catalog:
                                   value: IR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -5672,6 +6358,9 @@ catalog:
                                   value: IR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -5679,6 +6368,9 @@ catalog:
                                   value: IR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -5686,6 +6378,9 @@ catalog:
                                   value: IR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -5693,6 +6388,12 @@ catalog:
                                   value: IR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ir-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ir-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -5700,6 +6401,15 @@ catalog:
                               value: IR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ir-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.a'
+                      rel: assessment-for
                 - id: ir-1_obj.b
                   name: assessment-objective
                   props:
@@ -5707,6 +6417,9 @@ catalog:
                       value: IR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;'
+                  links:
+                    - href: '#ir-1_smt.b'
+                      rel: assessment-for
                 - id: ir-1_obj.c
                   name: assessment-objective
                   props:
@@ -5728,6 +6441,9 @@ catalog:
                               value: IR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
                         - id: ir-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -5735,6 +6451,12 @@ catalog:
                               value: IR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.1'
+                          rel: assessment-for
                     - id: ir-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -5749,6 +6471,9 @@ catalog:
                               value: IR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
                         - id: ir-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -5756,6 +6481,18 @@ catalog:
                               value: IR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ir-1_smt'
+                  rel: assessment-for
             - id: ir-1_asm-examine
               name: assessment-method
               props:
@@ -5928,6 +6665,9 @@ catalog:
                           value: IR-02a.01
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;'
+                      links:
+                        - href: '#ir-2_smt.a.1'
+                          rel: assessment-for
                     - id: ir-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -5935,6 +6675,9 @@ catalog:
                           value: IR-02a.02
                           class: sp800-53a
                       prose: incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#ir-2_smt.a.2'
+                          rel: assessment-for
                     - id: ir-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -5942,6 +6685,12 @@ catalog:
                           value: IR-02a.03
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;'
+                      links:
+                        - href: '#ir-2_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.a'
+                      rel: assessment-for
                 - id: ir-2_obj.b
                   name: assessment-objective
                   props:
@@ -5956,6 +6705,9 @@ catalog:
                           value: IR-02b.[01]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
                     - id: ir-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -5963,6 +6715,15 @@ catalog:
                           value: IR-02b.[02]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-2_smt'
+                  rel: assessment-for
             - id: ir-2_asm-examine
               name: assessment-method
               props:
@@ -6051,6 +6812,9 @@ catalog:
                           value: IR-02(03)[01]
                           class: sp800-53a
                       prose: incident response training on how to identify and respond to a breach is provided;
+                      links:
+                        - href: '#ir-2.3_smt'
+                          rel: assessment-for
                     - id: ir-2.3_obj-2
                       name: assessment-objective
                       props:
@@ -6058,6 +6822,12 @@ catalog:
                           value: IR-02(03)[02]
                           class: sp800-53a
                       prose: incident response training on the organization’s process for reporting a breach is provided.
+                      links:
+                        - href: '#ir-2.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2.3_smt'
+                      rel: assessment-for
                 - id: ir-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -6179,6 +6949,9 @@ catalog:
                   value: IR-03
                   class: sp800-53a
               prose: 'the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.'
+              links:
+                - href: '#ir-3_smt'
+                  rel: assessment-for
             - id: ir-3_asm-examine
               name: assessment-method
               props:
@@ -6358,6 +7131,9 @@ catalog:
                           value: IR-04a.[01]
                           class: sp800-53a
                       prose: an incident handling capability for incidents is implemented that is consistent with the incident response plan;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -6365,6 +7141,9 @@ catalog:
                           value: IR-04a.[02]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes preparation;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -6372,6 +7151,9 @@ catalog:
                           value: IR-04a.[03]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes detection and analysis;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -6379,6 +7161,9 @@ catalog:
                           value: IR-04a.[04]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes containment;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-5
                       name: assessment-objective
                       props:
@@ -6386,6 +7171,9 @@ catalog:
                           value: IR-04a.[05]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes eradication;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-6
                       name: assessment-objective
                       props:
@@ -6393,6 +7181,12 @@ catalog:
                           value: IR-04a.[06]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes recovery;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.a'
+                      rel: assessment-for
                 - id: ir-4_obj.b
                   name: assessment-objective
                   props:
@@ -6400,6 +7194,9 @@ catalog:
                       value: IR-04b.
                       class: sp800-53a
                   prose: incident handling activities are coordinated with contingency planning activities;
+                  links:
+                    - href: '#ir-4_smt.b'
+                      rel: assessment-for
                 - id: ir-4_obj.c
                   name: assessment-objective
                   props:
@@ -6414,6 +7211,9 @@ catalog:
                           value: IR-04c.[01]
                           class: sp800-53a
                       prose: lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
                     - id: ir-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -6421,6 +7221,12 @@ catalog:
                           value: IR-04c.[02]
                           class: sp800-53a
                       prose: the changes resulting from the incorporated lessons learned are implemented accordingly;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.c'
+                      rel: assessment-for
                 - id: ir-4_obj.d
                   name: assessment-objective
                   props:
@@ -6435,6 +7241,9 @@ catalog:
                           value: IR-04d.[01]
                           class: sp800-53a
                       prose: the rigor of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -6442,6 +7251,9 @@ catalog:
                           value: IR-04d.[02]
                           class: sp800-53a
                       prose: the intensity of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-3
                       name: assessment-objective
                       props:
@@ -6449,6 +7261,9 @@ catalog:
                           value: IR-04d.[03]
                           class: sp800-53a
                       prose: the scope of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-4
                       name: assessment-objective
                       props:
@@ -6456,6 +7271,15 @@ catalog:
                           value: IR-04d.[04]
                           class: sp800-53a
                       prose: the results of incident handling activities are comparable and predictable across the organization.
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ir-4_smt'
+                  rel: assessment-for
             - id: ir-4_asm-examine
               name: assessment-method
               props:
@@ -6577,6 +7401,9 @@ catalog:
                       value: IR-05[01]
                       class: sp800-53a
                   prose: incidents are tracked;
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
                 - id: ir-5_obj-2
                   name: assessment-objective
                   props:
@@ -6584,6 +7411,12 @@ catalog:
                       value: IR-05[02]
                       class: sp800-53a
                   prose: incidents are documented.
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-5_smt'
+                  rel: assessment-for
             - id: ir-5_asm-examine
               name: assessment-method
               props:
@@ -6728,6 +7561,9 @@ catalog:
                       value: IR-06a.
                       class: sp800-53a
                   prose: 'personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};'
+                  links:
+                    - href: '#ir-6_smt.a'
+                      rel: assessment-for
                 - id: ir-6_obj.b
                   name: assessment-objective
                   props:
@@ -6735,6 +7571,12 @@ catalog:
                       value: IR-06b.
                       class: sp800-53a
                   prose: 'incident information is reported to {{ insert: param, ir-06_odp.02 }}.'
+                  links:
+                    - href: '#ir-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-6_smt'
+                  rel: assessment-for
             - id: ir-6_asm-examine
               name: assessment-method
               props:
@@ -6854,6 +7696,9 @@ catalog:
                       value: IR-07[01]
                       class: sp800-53a
                   prose: an incident response support resource, integral to the organizational incident response capability, is provided;
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
                 - id: ir-7_obj-2
                   name: assessment-objective
                   props:
@@ -6861,6 +7706,12 @@ catalog:
                       value: IR-07[02]
                       class: sp800-53a
                   prose: the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-7_smt'
+                  rel: assessment-for
             - id: ir-7_asm-examine
               name: assessment-method
               props:
@@ -7158,6 +8009,9 @@ catalog:
                           value: IR-08a.01
                           class: sp800-53a
                       prose: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.1'
+                          rel: assessment-for
                     - id: ir-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -7165,6 +8019,9 @@ catalog:
                           value: IR-08a.02
                           class: sp800-53a
                       prose: an incident response plan is developed that describes the structure and organization of the incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.2'
+                          rel: assessment-for
                     - id: ir-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -7172,6 +8029,9 @@ catalog:
                           value: IR-08a.03
                           class: sp800-53a
                       prose: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
+                      links:
+                        - href: '#ir-8_smt.a.3'
+                          rel: assessment-for
                     - id: ir-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -7179,6 +8039,9 @@ catalog:
                           value: IR-08a.04
                           class: sp800-53a
                       prose: an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
+                      links:
+                        - href: '#ir-8_smt.a.4'
+                          rel: assessment-for
                     - id: ir-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -7186,6 +8049,9 @@ catalog:
                           value: IR-08a.05
                           class: sp800-53a
                       prose: an incident response plan is developed that defines reportable incidents;
+                      links:
+                        - href: '#ir-8_smt.a.5'
+                          rel: assessment-for
                     - id: ir-8_obj.a.6
                       name: assessment-objective
                       props:
@@ -7193,6 +8059,9 @@ catalog:
                           value: IR-08a.06
                           class: sp800-53a
                       prose: an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
+                      links:
+                        - href: '#ir-8_smt.a.6'
+                          rel: assessment-for
                     - id: ir-8_obj.a.7
                       name: assessment-objective
                       props:
@@ -7200,6 +8069,9 @@ catalog:
                           value: IR-08a.07
                           class: sp800-53a
                       prose: an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.7'
+                          rel: assessment-for
                     - id: ir-8_obj.a.8
                       name: assessment-objective
                       props:
@@ -7207,6 +8079,9 @@ catalog:
                           value: IR-08a.08
                           class: sp800-53a
                       prose: an incident response plan is developed that addresses the sharing of incident information;
+                      links:
+                        - href: '#ir-8_smt.a.8'
+                          rel: assessment-for
                     - id: ir-8_obj.a.9
                       name: assessment-objective
                       props:
@@ -7214,6 +8089,9 @@ catalog:
                           value: IR-08a.09
                           class: sp800-53a
                       prose: 'an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};'
+                      links:
+                        - href: '#ir-8_smt.a.9'
+                          rel: assessment-for
                     - id: ir-8_obj.a.10
                       name: assessment-objective
                       props:
@@ -7221,6 +8099,12 @@ catalog:
                           value: IR-08a.10
                           class: sp800-53a
                       prose: 'an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.'
+                      links:
+                        - href: '#ir-8_smt.a.10'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.a'
+                      rel: assessment-for
                 - id: ir-8_obj.b
                   name: assessment-objective
                   props:
@@ -7235,6 +8119,9 @@ catalog:
                           value: IR-08b.[01]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
                     - id: ir-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -7242,6 +8129,12 @@ catalog:
                           value: IR-08b.[02]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.b'
+                      rel: assessment-for
                 - id: ir-8_obj.c
                   name: assessment-objective
                   props:
@@ -7249,6 +8142,9 @@ catalog:
                       value: IR-08c.
                       class: sp800-53a
                   prose: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+                  links:
+                    - href: '#ir-8_smt.c'
+                      rel: assessment-for
                 - id: ir-8_obj.d
                   name: assessment-objective
                   props:
@@ -7263,6 +8159,9 @@ catalog:
                           value: IR-08d.[01]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
                     - id: ir-8_obj.d-2
                       name: assessment-objective
                       props:
@@ -7270,6 +8169,12 @@ catalog:
                           value: IR-08d.[02]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.d'
+                      rel: assessment-for
                 - id: ir-8_obj.e
                   name: assessment-objective
                   props:
@@ -7284,6 +8189,9 @@ catalog:
                           value: IR-08e.[01]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
                     - id: ir-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -7291,6 +8199,15 @@ catalog:
                           value: IR-08e.[02]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized modification.
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ir-8_smt'
+                  rel: assessment-for
             - id: ir-8_asm-examine
               name: assessment-method
               props:
@@ -7413,6 +8330,9 @@ catalog:
                           value: IR-08(01)(a)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
+                      links:
+                        - href: '#ir-8.1_smt.a'
+                          rel: assessment-for
                     - id: ir-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -7420,6 +8340,9 @@ catalog:
                           value: IR-08(01)(b)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;
+                      links:
+                        - href: '#ir-8.1_smt.b'
+                          rel: assessment-for
                     - id: ir-8.1_obj.c
                       name: assessment-objective
                       props:
@@ -7427,6 +8350,12 @@ catalog:
                           value: IR-08(01)(c)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.
+                      links:
+                        - href: '#ir-8.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8.1_smt'
+                      rel: assessment-for
                 - id: ir-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -7691,6 +8620,9 @@ catalog:
                           value: MP-01a.[01]
                           class: sp800-53a
                       prose: a media protection policy is developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -7698,6 +8630,9 @@ catalog:
                           value: MP-01a.[02]
                           class: sp800-53a
                       prose: 'the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -7705,6 +8640,9 @@ catalog:
                           value: MP-01a.[03]
                           class: sp800-53a
                       prose: media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -7712,6 +8650,9 @@ catalog:
                           value: MP-01a.[04]
                           class: sp800-53a
                       prose: 'the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -7733,6 +8674,9 @@ catalog:
                                   value: MP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -7740,6 +8684,9 @@ catalog:
                                   value: MP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -7747,6 +8694,9 @@ catalog:
                                   value: MP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -7754,6 +8704,9 @@ catalog:
                                   value: MP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -7761,6 +8714,9 @@ catalog:
                                   value: MP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -7768,6 +8724,9 @@ catalog:
                                   value: MP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -7775,6 +8734,12 @@ catalog:
                                   value: MP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#mp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: mp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -7782,6 +8747,15 @@ catalog:
                               value: MP-01a.01(b)
                               class: sp800-53a
                           prose: the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#mp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.a'
+                      rel: assessment-for
                 - id: mp-1_obj.b
                   name: assessment-objective
                   props:
@@ -7789,6 +8763,9 @@ catalog:
                       value: MP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.'
+                  links:
+                    - href: '#mp-1_smt.b'
+                      rel: assessment-for
                 - id: mp-1_obj.c
                   name: assessment-objective
                   props:
@@ -7810,6 +8787,9 @@ catalog:
                               value: MP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
                         - id: mp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -7817,6 +8797,12 @@ catalog:
                               value: MP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};'
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.1'
+                          rel: assessment-for
                     - id: mp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -7831,6 +8817,9 @@ catalog:
                               value: MP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
                         - id: mp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -7838,6 +8827,18 @@ catalog:
                               value: MP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.'
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#mp-1_smt'
+                  rel: assessment-for
             - id: mp-1_asm-examine
               name: assessment-method
               props:
@@ -8046,6 +9047,9 @@ catalog:
                           value: MP-06a.[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -8053,6 +9057,9 @@ catalog:
                           value: MP-06a.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-3
                       name: assessment-objective
                       props:
@@ -8060,6 +9067,12 @@ catalog:
                           value: MP-06a.[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6_smt.a'
+                      rel: assessment-for
                 - id: mp-6_obj.b
                   name: assessment-objective
                   props:
@@ -8067,6 +9080,12 @@ catalog:
                       value: MP-06b.
                       class: sp800-53a
                   prose: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
+                  links:
+                    - href: '#mp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-6_smt'
+                  rel: assessment-for
             - id: mp-6_asm-examine
               name: assessment-method
               props:
@@ -8234,6 +9253,9 @@ catalog:
                       value: PE-08a.
                       class: sp800-53a
                   prose: 'visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};'
+                  links:
+                    - href: '#pe-8_smt.a'
+                      rel: assessment-for
                 - id: pe-8_obj.b
                   name: assessment-objective
                   props:
@@ -8241,6 +9263,9 @@ catalog:
                       value: PE-08b.
                       class: sp800-53a
                   prose: 'visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};'
+                  links:
+                    - href: '#pe-8_smt.b'
+                      rel: assessment-for
                 - id: pe-8_obj.c
                   name: assessment-objective
                   props:
@@ -8248,6 +9273,12 @@ catalog:
                       value: PE-08c.
                       class: sp800-53a
                   prose: 'visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.'
+                  links:
+                    - href: '#pe-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-8_smt'
+                  rel: assessment-for
             - id: pe-8_asm-examine
               name: assessment-method
               props:
@@ -8354,6 +9385,9 @@ catalog:
                       value: PE-08(03)
                       class: sp800-53a
                   prose: 'personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.'
+                  links:
+                    - href: '#pe-8.3_smt'
+                      rel: assessment-for
                 - id: pe-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -8624,6 +9658,9 @@ catalog:
                           value: PL-01a.[01]
                           class: sp800-53a
                       prose: a planning policy is developed and documented.
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -8631,6 +9668,9 @@ catalog:
                           value: PL-01a.[02]
                           class: sp800-53a
                       prose: 'the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -8638,6 +9678,9 @@ catalog:
                           value: PL-01a.[03]
                           class: sp800-53a
                       prose: planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -8645,6 +9688,9 @@ catalog:
                           value: PL-01a.[04]
                           class: sp800-53a
                       prose: 'the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -8666,6 +9712,9 @@ catalog:
                                   value: PL-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -8673,6 +9722,9 @@ catalog:
                                   value: PL-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -8680,6 +9732,9 @@ catalog:
                                   value: PL-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -8687,6 +9742,9 @@ catalog:
                                   value: PL-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -8694,6 +9752,9 @@ catalog:
                                   value: PL-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -8701,6 +9762,9 @@ catalog:
                                   value: PL-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -8708,6 +9772,12 @@ catalog:
                                   value: PL-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pl-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pl-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -8715,6 +9785,15 @@ catalog:
                               value: PL-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pl-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.a'
+                      rel: assessment-for
                 - id: pl-1_obj.b
                   name: assessment-objective
                   props:
@@ -8722,6 +9801,9 @@ catalog:
                       value: PL-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;'
+                  links:
+                    - href: '#pl-1_smt.b'
+                      rel: assessment-for
                 - id: pl-1_obj.c
                   name: assessment-objective
                   props:
@@ -8743,6 +9825,9 @@ catalog:
                               value: PL-01c.01[01]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
                         - id: pl-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -8750,6 +9835,12 @@ catalog:
                               value: PL-01c.01[02]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.1'
+                          rel: assessment-for
                     - id: pl-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -8764,6 +9855,9 @@ catalog:
                               value: PL-01c.02[01]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
                         - id: pl-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -8771,6 +9865,18 @@ catalog:
                               value: PL-01c.02[02]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-1_smt'
+                  rel: assessment-for
             - id: pl-1_asm-examine
               name: assessment-method
               props:
@@ -9101,6 +10207,9 @@ catalog:
                               value: PL-02a.01[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
                         - id: pl-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -9108,6 +10217,12 @@ catalog:
                               value: PL-02a.01[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.1'
+                          rel: assessment-for
                     - id: pl-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -9122,6 +10237,9 @@ catalog:
                               value: PL-02a.02[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
                         - id: pl-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -9129,6 +10247,12 @@ catalog:
                               value: PL-02a.02[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.2'
+                          rel: assessment-for
                     - id: pl-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -9143,6 +10267,9 @@ catalog:
                               value: PL-02a.03[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
                         - id: pl-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -9150,6 +10277,12 @@ catalog:
                               value: PL-02a.03[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.3'
+                          rel: assessment-for
                     - id: pl-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -9164,6 +10297,9 @@ catalog:
                               value: PL-02a.04[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
                         - id: pl-2_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -9171,6 +10307,12 @@ catalog:
                               value: PL-02a.04[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.4'
+                          rel: assessment-for
                     - id: pl-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -9185,6 +10327,9 @@ catalog:
                               value: PL-02a.05[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
                         - id: pl-2_obj.a.5-2
                           name: assessment-objective
                           props:
@@ -9192,6 +10337,12 @@ catalog:
                               value: PL-02a.05[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.5'
+                          rel: assessment-for
                     - id: pl-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -9206,6 +10357,9 @@ catalog:
                               value: PL-02a.06[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
                         - id: pl-2_obj.a.6-2
                           name: assessment-objective
                           props:
@@ -9213,6 +10367,12 @@ catalog:
                               value: PL-02a.06[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.6'
+                          rel: assessment-for
                     - id: pl-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -9227,6 +10387,9 @@ catalog:
                               value: PL-02a.07[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
                         - id: pl-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -9234,6 +10397,12 @@ catalog:
                               value: PL-02a.07[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.7'
+                          rel: assessment-for
                     - id: pl-2_obj.a.8
                       name: assessment-objective
                       props:
@@ -9248,6 +10417,9 @@ catalog:
                               value: PL-02a.08[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
                         - id: pl-2_obj.a.8-2
                           name: assessment-objective
                           props:
@@ -9255,6 +10427,12 @@ catalog:
                               value: PL-02a.08[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.8'
+                          rel: assessment-for
                     - id: pl-2_obj.a.9
                       name: assessment-objective
                       props:
@@ -9269,6 +10447,9 @@ catalog:
                               value: PL-02a.09[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
                         - id: pl-2_obj.a.9-2
                           name: assessment-objective
                           props:
@@ -9276,6 +10457,12 @@ catalog:
                               value: PL-02a.09[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.9'
+                          rel: assessment-for
                     - id: pl-2_obj.a.10
                       name: assessment-objective
                       props:
@@ -9290,6 +10477,9 @@ catalog:
                               value: PL-02a.10[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides an overview of the security requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
                         - id: pl-2_obj.a.10-2
                           name: assessment-objective
                           props:
@@ -9297,6 +10487,12 @@ catalog:
                               value: PL-02a.10[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.10'
+                          rel: assessment-for
                     - id: pl-2_obj.a.11
                       name: assessment-objective
                       props:
@@ -9311,6 +10507,9 @@ catalog:
                               value: PL-02a.11[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
                         - id: pl-2_obj.a.11-2
                           name: assessment-objective
                           props:
@@ -9318,6 +10517,12 @@ catalog:
                               value: PL-02a.11[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.11'
+                          rel: assessment-for
                     - id: pl-2_obj.a.12
                       name: assessment-objective
                       props:
@@ -9332,6 +10537,9 @@ catalog:
                               value: PL-02a.12[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
                         - id: pl-2_obj.a.12-2
                           name: assessment-objective
                           props:
@@ -9339,6 +10547,12 @@ catalog:
                               value: PL-02a.12[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.12'
+                          rel: assessment-for
                     - id: pl-2_obj.a.13
                       name: assessment-objective
                       props:
@@ -9353,6 +10567,9 @@ catalog:
                               value: PL-02a.13[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
                         - id: pl-2_obj.a.13-2
                           name: assessment-objective
                           props:
@@ -9360,6 +10577,12 @@ catalog:
                               value: PL-02a.13[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.13'
+                          rel: assessment-for
                     - id: pl-2_obj.a.14
                       name: assessment-objective
                       props:
@@ -9374,6 +10597,9 @@ catalog:
                               value: PL-02a.14[01]
                               class: sp800-53a
                           prose: 'a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
                         - id: pl-2_obj.a.14-2
                           name: assessment-objective
                           props:
@@ -9381,6 +10607,12 @@ catalog:
                               value: PL-02a.14[02]
                               class: sp800-53a
                           prose: 'a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.14'
+                          rel: assessment-for
                     - id: pl-2_obj.a.15
                       name: assessment-objective
                       props:
@@ -9395,6 +10627,9 @@ catalog:
                               value: PL-02a.15[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
                         - id: pl-2_obj.a.15-2
                           name: assessment-objective
                           props:
@@ -9402,6 +10637,15 @@ catalog:
                               value: PL-02a.15[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.15'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.a'
+                      rel: assessment-for
                 - id: pl-2_obj.b
                   name: assessment-objective
                   props:
@@ -9416,6 +10660,9 @@ catalog:
                           value: PL-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
                     - id: pl-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -9423,6 +10670,12 @@ catalog:
                           value: PL-02b.[02]
                           class: sp800-53a
                       prose: 'subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.b'
+                      rel: assessment-for
                 - id: pl-2_obj.c
                   name: assessment-objective
                   props:
@@ -9430,6 +10683,9 @@ catalog:
                       value: PL-02c.
                       class: sp800-53a
                   prose: 'plans are reviewed {{ insert: param, pl-02_odp.03 }};'
+                  links:
+                    - href: '#pl-2_smt.c'
+                      rel: assessment-for
                 - id: pl-2_obj.d
                   name: assessment-objective
                   props:
@@ -9444,6 +10700,9 @@ catalog:
                           value: PL-02d.[01]
                           class: sp800-53a
                       prose: plans are updated to address changes to the system and environment of operations;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -9451,6 +10710,9 @@ catalog:
                           value: PL-02d.[02]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during the plan implementation;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-3
                       name: assessment-objective
                       props:
@@ -9458,6 +10720,12 @@ catalog:
                           value: PL-02d.[03]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during control assessments;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.d'
+                      rel: assessment-for
                 - id: pl-2_obj.e
                   name: assessment-objective
                   props:
@@ -9472,6 +10740,9 @@ catalog:
                           value: PL-02e.[01]
                           class: sp800-53a
                       prose: plans are protected from unauthorized disclosure;
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
                     - id: pl-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -9479,6 +10750,15 @@ catalog:
                           value: PL-02e.[02]
                           class: sp800-53a
                       prose: plans are protected from unauthorized modification.
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pl-2_smt'
+                  rel: assessment-for
             - id: pl-2_asm-examine
               name: assessment-method
               props:
@@ -9691,6 +10971,9 @@ catalog:
                           value: PL-04a.[01]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
                     - id: pl-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -9698,6 +10981,12 @@ catalog:
                           value: PL-04a.[02]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4_smt.a'
+                      rel: assessment-for
                 - id: pl-4_obj.b
                   name: assessment-objective
                   props:
@@ -9705,6 +10994,9 @@ catalog:
                       value: PL-04b.
                       class: sp800-53a
                   prose: before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+                  links:
+                    - href: '#pl-4_smt.b'
+                      rel: assessment-for
                 - id: pl-4_obj.c
                   name: assessment-objective
                   props:
@@ -9712,6 +11004,9 @@ catalog:
                       value: PL-04c.
                       class: sp800-53a
                   prose: 'rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};'
+                  links:
+                    - href: '#pl-4_smt.c'
+                      rel: assessment-for
                 - id: pl-4_obj.d
                   name: assessment-objective
                   props:
@@ -9719,6 +11014,12 @@ catalog:
                       value: PL-04d.
                       class: sp800-53a
                   prose: 'individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.'
+                  links:
+                    - href: '#pl-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pl-4_smt'
+                  rel: assessment-for
             - id: pl-4_asm-examine
               name: assessment-method
               props:
@@ -9841,6 +11142,9 @@ catalog:
                           value: PL-04(01)(a)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+                      links:
+                        - href: '#pl-4.1_smt.a'
+                          rel: assessment-for
                     - id: pl-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -9848,6 +11152,9 @@ catalog:
                           value: PL-04(01)(b)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on posting organizational information on public websites;
+                      links:
+                        - href: '#pl-4.1_smt.b'
+                          rel: assessment-for
                     - id: pl-4.1_obj.c
                       name: assessment-objective
                       props:
@@ -9855,6 +11162,12 @@ catalog:
                           value: PL-04(01)(c)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+                      links:
+                        - href: '#pl-4.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4.1_smt'
+                      rel: assessment-for
                 - id: pl-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -10049,6 +11362,9 @@ catalog:
                           value: PL-08a.01
                           class: sp800-53a
                       prose: a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+                      links:
+                        - href: '#pl-8_smt.a.1'
+                          rel: assessment-for
                     - id: pl-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -10056,6 +11372,9 @@ catalog:
                           value: PL-08a.02
                           class: sp800-53a
                       prose: a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+                      links:
+                        - href: '#pl-8_smt.a.2'
+                          rel: assessment-for
                     - id: pl-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -10070,6 +11389,9 @@ catalog:
                               value: PL-08a.03[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
                         - id: pl-8_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -10077,6 +11399,12 @@ catalog:
                               value: PL-08a.03[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.3'
+                          rel: assessment-for
                     - id: pl-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -10091,6 +11419,9 @@ catalog:
                               value: PL-08a.04[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
                         - id: pl-8_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -10098,6 +11429,15 @@ catalog:
                               value: PL-08a.04[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.a'
+                      rel: assessment-for
                 - id: pl-8_obj.b
                   name: assessment-objective
                   props:
@@ -10105,6 +11445,9 @@ catalog:
                       value: PL-08b.
                       class: sp800-53a
                   prose: 'changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;'
+                  links:
+                    - href: '#pl-8_smt.b'
+                      rel: assessment-for
                 - id: pl-8_obj.c
                   name: assessment-objective
                   props:
@@ -10119,6 +11462,9 @@ catalog:
                           value: PL-08c.[01]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the security plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-2
                       name: assessment-objective
                       props:
@@ -10126,6 +11472,9 @@ catalog:
                           value: PL-08c.[02]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the privacy plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-3
                       name: assessment-objective
                       props:
@@ -10133,6 +11482,9 @@ catalog:
                           value: PL-08c.[03]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the Concept of Operations (CONOPS);
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-4
                       name: assessment-objective
                       props:
@@ -10140,6 +11492,9 @@ catalog:
                           value: PL-08c.[04]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in criticality analysis;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-5
                       name: assessment-objective
                       props:
@@ -10147,6 +11502,9 @@ catalog:
                           value: PL-08c.[05]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in organizational procedures;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-6
                       name: assessment-objective
                       props:
@@ -10154,6 +11512,15 @@ catalog:
                           value: PL-08c.[06]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in procurements and acquisitions.
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-8_smt'
+                  rel: assessment-for
             - id: pl-8_asm-examine
               name: assessment-method
               props:
@@ -10273,6 +11640,9 @@ catalog:
                   value: PL-09
                   class: sp800-53a
               prose: ' {{ insert: param, pl-09_odp }} are centrally managed.'
+              links:
+                - href: '#pl-9_smt'
+                  rel: assessment-for
             - id: pl-9_asm-examine
               name: assessment-method
               props:
@@ -10405,6 +11775,9 @@ catalog:
                           value: PM-03a.[01]
                           class: sp800-53a
                       prose: the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;
+                      links:
+                        - href: '#pm-3_smt.a'
+                          rel: assessment-for
                     - id: pm-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -10412,6 +11785,12 @@ catalog:
                           value: PM-03a.[02]
                           class: sp800-53a
                       prose: the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;
+                      links:
+                        - href: '#pm-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.a'
+                      rel: assessment-for
                 - id: pm-3_obj.b
                   name: assessment-objective
                   props:
@@ -10426,6 +11805,9 @@ catalog:
                           value: PM-03b.[01]
                           class: sp800-53a
                       prose: the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+                      links:
+                        - href: '#pm-3_smt.b'
+                          rel: assessment-for
                     - id: pm-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -10433,6 +11815,12 @@ catalog:
                           value: PM-03b.[02]
                           class: sp800-53a
                       prose: the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+                      links:
+                        - href: '#pm-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.b'
+                      rel: assessment-for
                 - id: pm-3_obj.c
                   name: assessment-objective
                   props:
@@ -10447,6 +11835,9 @@ catalog:
                           value: PM-03c.[01]
                           class: sp800-53a
                       prose: information security resources are made available for expenditure as planned;
+                      links:
+                        - href: '#pm-3_smt.c'
+                          rel: assessment-for
                     - id: pm-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -10454,6 +11845,15 @@ catalog:
                           value: PM-03c.[02]
                           class: sp800-53a
                       prose: privacy resources are made available for expenditure as planned.
+                      links:
+                        - href: '#pm-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-3_smt'
+                  rel: assessment-for
             - id: pm-3_asm-examine
               name: assessment-method
               props:
@@ -10614,6 +12014,9 @@ catalog:
                               value: PM-04a.01[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -10621,6 +12024,9 @@ catalog:
                               value: PM-04a.01[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -10628,6 +12034,9 @@ catalog:
                               value: PM-04a.01[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -10635,6 +12044,9 @@ catalog:
                               value: PM-04a.01[04]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-5
                           name: assessment-objective
                           props:
@@ -10642,6 +12054,9 @@ catalog:
                               value: PM-04a.01[05]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-6
                           name: assessment-objective
                           props:
@@ -10649,6 +12064,12 @@ catalog:
                               value: PM-04a.01[06]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.1'
+                          rel: assessment-for
                     - id: pm-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -10663,6 +12084,9 @@ catalog:
                               value: PM-04a.02[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
                         - id: pm-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -10670,6 +12094,9 @@ catalog:
                               value: PM-04a.02[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
                         - id: pm-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -10677,6 +12104,12 @@ catalog:
                               value: PM-04a.02[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.2'
+                          rel: assessment-for
                     - id: pm-4_obj.a.3
                       name: assessment-objective
                       props:
@@ -10691,6 +12124,9 @@ catalog:
                               value: PM-04a.03[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
                         - id: pm-4_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -10698,6 +12134,9 @@ catalog:
                               value: PM-04a.03[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
                         - id: pm-4_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -10705,6 +12144,15 @@ catalog:
                               value: PM-04a.03[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-4_smt.a'
+                      rel: assessment-for
                 - id: pm-4_obj.b
                   name: assessment-objective
                   props:
@@ -10719,6 +12167,9 @@ catalog:
                           value: PM-04b.[01]
                           class: sp800-53a
                       prose: plans of action and milestones are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-4_smt.b'
+                          rel: assessment-for
                     - id: pm-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -10726,6 +12177,15 @@ catalog:
                           value: PM-04b.[02]
                           class: sp800-53a
                       prose: plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.
+                      links:
+                        - href: '#pm-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-4_smt'
+                  rel: assessment-for
             - id: pm-4_asm-examine
               name: assessment-method
               props:
@@ -10834,6 +12294,9 @@ catalog:
                       value: PM-05[01]
                       class: sp800-53a
                   prose: an inventory of organizational systems is developed;
+                  links:
+                    - href: '#pm-5_smt'
+                      rel: assessment-for
                 - id: pm-5_obj-2
                   name: assessment-objective
                   props:
@@ -10841,6 +12304,12 @@ catalog:
                       value: PM-05[02]
                       class: sp800-53a
                   prose: 'the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.'
+                  links:
+                    - href: '#pm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-5_smt'
+                  rel: assessment-for
             - id: pm-5_asm-examine
               name: assessment-method
               props:
@@ -10964,6 +12433,9 @@ catalog:
                           value: PM-05(01)[01]
                           class: sp800-53a
                       prose: an inventory of all systems, applications, and projects that process personally identifiable information is established;
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
                     - id: pm-5.1_obj-2
                       name: assessment-objective
                       props:
@@ -10971,6 +12443,9 @@ catalog:
                           value: PM-05(01)[02]
                           class: sp800-53a
                       prose: an inventory of all systems, applications, and projects that process personally identifiable information is maintained;
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
                     - id: pm-5.1_obj-3
                       name: assessment-objective
                       props:
@@ -10978,6 +12453,12 @@ catalog:
                           value: PM-05(01)[03]
                           class: sp800-53a
                       prose: 'an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.'
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-5.1_smt'
+                      rel: assessment-for
                 - id: pm-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -11092,6 +12573,9 @@ catalog:
                       value: PM-06[01]
                       class: sp800-53a
                   prose: information security measures of performance are developed;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-2
                   name: assessment-objective
                   props:
@@ -11099,6 +12583,9 @@ catalog:
                       value: PM-06[02]
                       class: sp800-53a
                   prose: information security measures of performance are monitored;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-3
                   name: assessment-objective
                   props:
@@ -11106,6 +12593,9 @@ catalog:
                       value: PM-06[03]
                       class: sp800-53a
                   prose: the results of information security measures of performance are reported;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-4
                   name: assessment-objective
                   props:
@@ -11113,6 +12603,9 @@ catalog:
                       value: PM-06[04]
                       class: sp800-53a
                   prose: privacy measures of performance are developed;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-5
                   name: assessment-objective
                   props:
@@ -11120,6 +12613,9 @@ catalog:
                       value: PM-06[05]
                       class: sp800-53a
                   prose: privacy measures of performance are monitored;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-6
                   name: assessment-objective
                   props:
@@ -11127,6 +12623,12 @@ catalog:
                       value: PM-06[06]
                       class: sp800-53a
                   prose: the results of privacy measures of performance are reported.
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-6_smt'
+                  rel: assessment-for
             - id: pm-6_asm-examine
               name: assessment-method
               props:
@@ -11246,6 +12748,9 @@ catalog:
                       value: PM-07[01]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for information security;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-2
                   name: assessment-objective
                   props:
@@ -11253,6 +12758,9 @@ catalog:
                       value: PM-07[02]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for information security;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-3
                   name: assessment-objective
                   props:
@@ -11260,6 +12768,9 @@ catalog:
                       value: PM-07[03]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for privacy;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-4
                   name: assessment-objective
                   props:
@@ -11267,6 +12778,9 @@ catalog:
                       value: PM-07[04]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for privacy;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-5
                   name: assessment-objective
                   props:
@@ -11274,6 +12788,9 @@ catalog:
                       value: PM-07[05]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-6
                   name: assessment-objective
                   props:
@@ -11281,6 +12798,12 @@ catalog:
                       value: PM-07[06]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-7_smt'
+                  rel: assessment-for
             - id: pm-7_asm-examine
               name: assessment-method
               props:
@@ -11400,6 +12923,9 @@ catalog:
                       value: PM-08[01]
                       class: sp800-53a
                   prose: information security issues are addressed in the development of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-2
                   name: assessment-objective
                   props:
@@ -11407,6 +12933,9 @@ catalog:
                       value: PM-08[02]
                       class: sp800-53a
                   prose: information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-3
                   name: assessment-objective
                   props:
@@ -11414,6 +12943,9 @@ catalog:
                       value: PM-08[03]
                       class: sp800-53a
                   prose: information security issues are addressed in the update of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-4
                   name: assessment-objective
                   props:
@@ -11421,6 +12953,9 @@ catalog:
                       value: PM-08[04]
                       class: sp800-53a
                   prose: privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-5
                   name: assessment-objective
                   props:
@@ -11428,6 +12963,9 @@ catalog:
                       value: PM-08[05]
                       class: sp800-53a
                   prose: privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-6
                   name: assessment-objective
                   props:
@@ -11435,6 +12973,12 @@ catalog:
                       value: PM-08[06]
                       class: sp800-53a
                   prose: privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-8_smt'
+                  rel: assessment-for
             - id: pm-8_asm-examine
               name: assessment-method
               props:
@@ -11666,6 +13210,9 @@ catalog:
                           value: PM-09a.01
                           class: sp800-53a
                       prose: a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;
+                      links:
+                        - href: '#pm-9_smt.a.1'
+                          rel: assessment-for
                     - id: pm-9_obj.a.2
                       name: assessment-objective
                       props:
@@ -11673,6 +13220,12 @@ catalog:
                           value: PM-09a.02
                           class: sp800-53a
                       prose: a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;
+                      links:
+                        - href: '#pm-9_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-9_smt.a'
+                      rel: assessment-for
                 - id: pm-9_obj.b
                   name: assessment-objective
                   props:
@@ -11680,6 +13233,9 @@ catalog:
                       value: PM-09b.
                       class: sp800-53a
                   prose: the risk management strategy is implemented consistently across the organization;
+                  links:
+                    - href: '#pm-9_smt.b'
+                      rel: assessment-for
                 - id: pm-9_obj.c
                   name: assessment-objective
                   props:
@@ -11687,6 +13243,12 @@ catalog:
                       value: PM-09c.
                       class: sp800-53a
                   prose: 'the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.'
+                  links:
+                    - href: '#pm-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-9_smt'
+                  rel: assessment-for
             - id: pm-9_asm-examine
               name: assessment-method
               props:
@@ -11820,6 +13382,9 @@ catalog:
                           value: PM-10a.[01]
                           class: sp800-53a
                       prose: the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+                      links:
+                        - href: '#pm-10_smt.a'
+                          rel: assessment-for
                     - id: pm-10_obj.a-2
                       name: assessment-objective
                       props:
@@ -11827,6 +13392,12 @@ catalog:
                           value: PM-10a.[02]
                           class: sp800-53a
                       prose: the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+                      links:
+                        - href: '#pm-10_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-10_smt.a'
+                      rel: assessment-for
                 - id: pm-10_obj.b
                   name: assessment-objective
                   props:
@@ -11834,6 +13405,9 @@ catalog:
                       value: PM-10b.
                       class: sp800-53a
                   prose: individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;
+                  links:
+                    - href: '#pm-10_smt.b'
+                      rel: assessment-for
                 - id: pm-10_obj.c
                   name: assessment-objective
                   props:
@@ -11841,6 +13415,12 @@ catalog:
                       value: PM-10c.
                       class: sp800-53a
                   prose: the authorization processes are integrated into an organization-wide risk management program.
+                  links:
+                    - href: '#pm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-10_smt'
+                  rel: assessment-for
             - id: pm-10_asm-examine
               name: assessment-method
               props:
@@ -12004,6 +13584,9 @@ catalog:
                           value: PM-11a.[01]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for information security;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
                     - id: pm-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -12011,6 +13594,9 @@ catalog:
                           value: PM-11a.[02]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for privacy;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
                     - id: pm-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -12018,6 +13604,12 @@ catalog:
                           value: PM-11a.[03]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-11_smt.a'
+                      rel: assessment-for
                 - id: pm-11_obj.b
                   name: assessment-objective
                   props:
@@ -12032,6 +13624,9 @@ catalog:
                           value: PM-11b.[01]
                           class: sp800-53a
                       prose: information protection needs arising from the defined mission and business processes are determined;
+                      links:
+                        - href: '#pm-11_smt.b'
+                          rel: assessment-for
                     - id: pm-11_obj.b-2
                       name: assessment-objective
                       props:
@@ -12039,6 +13634,12 @@ catalog:
                           value: PM-11b.[02]
                           class: sp800-53a
                       prose: personally identifiable information processing needs arising from the defined mission and business processes are determined;
+                      links:
+                        - href: '#pm-11_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-11_smt.b'
+                      rel: assessment-for
                 - id: pm-11_obj.c
                   name: assessment-objective
                   props:
@@ -12046,6 +13647,12 @@ catalog:
                       value: PM-11c.
                       class: sp800-53a
                   prose: 'the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.'
+                  links:
+                    - href: '#pm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-11_smt'
+                  rel: assessment-for
             - id: pm-11_asm-examine
               name: assessment-method
               props:
@@ -12148,6 +13755,9 @@ catalog:
                       value: PM-13[01]
                       class: sp800-53a
                   prose: a security workforce development and improvement program is established;
+                  links:
+                    - href: '#pm-13_smt'
+                      rel: assessment-for
                 - id: pm-13_obj-2
                   name: assessment-objective
                   props:
@@ -12155,6 +13765,12 @@ catalog:
                       value: PM-13[02]
                       class: sp800-53a
                   prose: a privacy workforce development and improvement program is established.
+                  links:
+                    - href: '#pm-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-13_smt'
+                  rel: assessment-for
             - id: pm-13_asm-examine
               name: assessment-method
               props:
@@ -12314,6 +13930,9 @@ catalog:
                               value: PM-14a.01[01]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -12321,6 +13940,9 @@ catalog:
                               value: PM-14a.01[02]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -12328,6 +13950,9 @@ catalog:
                               value: PM-14a.01[03]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -12335,6 +13960,12 @@ catalog:
                               value: PM-14a.01[04]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-14_smt.a.1'
+                          rel: assessment-for
                     - id: pm-14_obj.a.2
                       name: assessment-objective
                       props:
@@ -12349,6 +13980,9 @@ catalog:
                               value: PM-14a.02[01]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;
+                          links:
+                            - href: '#pm-14_smt.a.2'
+                              rel: assessment-for
                         - id: pm-14_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -12356,6 +13990,15 @@ catalog:
                               value: PM-14a.02[02]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;
+                          links:
+                            - href: '#pm-14_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-14_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-14_smt.a'
+                      rel: assessment-for
                 - id: pm-14_obj.b
                   name: assessment-objective
                   props:
@@ -12370,6 +14013,9 @@ catalog:
                           value: PM-14b.[01]
                           class: sp800-53a
                       prose: testing plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -12377,6 +14023,9 @@ catalog:
                           value: PM-14b.[02]
                           class: sp800-53a
                       prose: training plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-3
                       name: assessment-objective
                       props:
@@ -12384,6 +14033,9 @@ catalog:
                           value: PM-14b.[03]
                           class: sp800-53a
                       prose: monitoring plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-4
                       name: assessment-objective
                       props:
@@ -12391,6 +14043,9 @@ catalog:
                           value: PM-14b.[04]
                           class: sp800-53a
                       prose: testing plans are reviewed for consistency with organization-wide priorities for risk response actions;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-5
                       name: assessment-objective
                       props:
@@ -12398,6 +14053,9 @@ catalog:
                           value: PM-14b.[05]
                           class: sp800-53a
                       prose: training plans are reviewed for consistency with organization-wide priorities for risk response actions;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-6
                       name: assessment-objective
                       props:
@@ -12405,6 +14063,15 @@ catalog:
                           value: PM-14b.[06]
                           class: sp800-53a
                       prose: monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-14_smt'
+                  rel: assessment-for
             - id: pm-14_asm-examine
               name: assessment-method
               props:
@@ -12560,6 +14227,9 @@ catalog:
                           value: PM-17a.[01]
                           class: sp800-53a
                       prose: policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+                      links:
+                        - href: '#pm-17_smt.a'
+                          rel: assessment-for
                     - id: pm-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -12567,6 +14237,12 @@ catalog:
                           value: PM-17a.[02]
                           class: sp800-53a
                       prose: procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+                      links:
+                        - href: '#pm-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-17_smt.a'
+                      rel: assessment-for
                 - id: pm-17_obj.b
                   name: assessment-objective
                   props:
@@ -12581,6 +14257,9 @@ catalog:
                           value: PM-17b.[01]
                           class: sp800-53a
                       prose: 'policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};'
+                      links:
+                        - href: '#pm-17_smt.b'
+                          rel: assessment-for
                     - id: pm-17_obj.b-2
                       name: assessment-objective
                       props:
@@ -12588,6 +14267,15 @@ catalog:
                           value: PM-17b.[02]
                           class: sp800-53a
                       prose: 'procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} '
+                      links:
+                        - href: '#pm-17_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-17_smt'
+                  rel: assessment-for
             - id: pm-17_asm-examine
               name: assessment-method
               props:
@@ -12740,6 +14428,9 @@ catalog:
                           value: PM-18a.[01]
                           class: sp800-53a
                       prose: an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;
+                      links:
+                        - href: '#pm-18_smt.a'
+                          rel: assessment-for
                     - id: pm-18_obj.a.1
                       name: assessment-objective
                       props:
@@ -12754,6 +14445,9 @@ catalog:
                               value: PM-18a.01[01]
                               class: sp800-53a
                           prose: the privacy program plan includes a description of the structure of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.1'
+                              rel: assessment-for
                         - id: pm-18_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -12761,6 +14455,12 @@ catalog:
                               value: PM-18a.01[02]
                               class: sp800-53a
                           prose: the privacy program plan includes a description of the resources dedicated to the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.1'
+                          rel: assessment-for
                     - id: pm-18_obj.a.2
                       name: assessment-objective
                       props:
@@ -12775,6 +14475,9 @@ catalog:
                               value: PM-18a.02[01]
                               class: sp800-53a
                           prose: the privacy program plan provides an overview of the requirements for the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
                         - id: pm-18_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -12782,6 +14485,9 @@ catalog:
                               value: PM-18a.02[02]
                               class: sp800-53a
                           prose: the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
                         - id: pm-18_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -12789,6 +14495,12 @@ catalog:
                               value: PM-18a.02[03]
                               class: sp800-53a
                           prose: the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.2'
+                          rel: assessment-for
                     - id: pm-18_obj.a.3
                       name: assessment-objective
                       props:
@@ -12803,6 +14515,9 @@ catalog:
                               value: PM-18a.03[01]
                               class: sp800-53a
                           prose: the privacy program plan includes the role of the senior agency official for privacy;
+                          links:
+                            - href: '#pm-18_smt.a.3'
+                              rel: assessment-for
                         - id: pm-18_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -12810,6 +14525,12 @@ catalog:
                               value: PM-18a.03[02]
                               class: sp800-53a
                           prose: the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;
+                          links:
+                            - href: '#pm-18_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.3'
+                          rel: assessment-for
                     - id: pm-18_obj.a.4
                       name: assessment-objective
                       props:
@@ -12824,6 +14545,9 @@ catalog:
                               value: PM-18a.04[01]
                               class: sp800-53a
                           prose: the privacy program plan describes management commitment;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
                         - id: pm-18_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -12831,6 +14555,9 @@ catalog:
                               value: PM-18a.04[02]
                               class: sp800-53a
                           prose: the privacy program plan describes compliance;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
                         - id: pm-18_obj.a.4-3
                           name: assessment-objective
                           props:
@@ -12838,6 +14565,12 @@ catalog:
                               value: PM-18a.04[03]
                               class: sp800-53a
                           prose: the privacy program plan describes the strategic goals and objectives of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.4'
+                          rel: assessment-for
                     - id: pm-18_obj.a.5
                       name: assessment-objective
                       props:
@@ -12845,6 +14578,9 @@ catalog:
                           value: PM-18a.05
                           class: sp800-53a
                       prose: the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;
+                      links:
+                        - href: '#pm-18_smt.a.5'
+                          rel: assessment-for
                     - id: pm-18_obj.a.6
                       name: assessment-objective
                       props:
@@ -12852,6 +14588,9 @@ catalog:
                           value: PM-18a.06
                           class: sp800-53a
                       prose: the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
+                      links:
+                        - href: '#pm-18_smt.a.6'
+                          rel: assessment-for
                     - id: pm-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -12859,6 +14598,12 @@ catalog:
                           value: PM-18a.[02]
                           class: sp800-53a
                       prose: the privacy program plan is disseminated;
+                      links:
+                        - href: '#pm-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-18_smt.a'
+                      rel: assessment-for
                 - id: pm-18_obj.b
                   name: assessment-objective
                   props:
@@ -12873,6 +14618,9 @@ catalog:
                           value: PM-18b.[01]
                           class: sp800-53a
                       prose: 'the privacy program plan is updated {{ insert: param, pm-18_odp }};'
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-2
                       name: assessment-objective
                       props:
@@ -12880,6 +14628,9 @@ catalog:
                           value: PM-18b.[02]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address changes in federal privacy laws and policies;
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-3
                       name: assessment-objective
                       props:
@@ -12887,6 +14638,9 @@ catalog:
                           value: PM-18b.[03]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address organizational changes;
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-4
                       name: assessment-objective
                       props:
@@ -12894,6 +14648,15 @@ catalog:
                           value: PM-18b.[04]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-18_smt'
+                  rel: assessment-for
             - id: pm-18_asm-examine
               name: assessment-method
               props:
@@ -12980,6 +14743,9 @@ catalog:
                       value: PM-19[01]
                       class: sp800-53a
                   prose: a senior agency official for privacy with authority, mission, accountability, and resources is appointed;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-2
                   name: assessment-objective
                   props:
@@ -12987,6 +14753,9 @@ catalog:
                       value: PM-19[02]
                       class: sp800-53a
                   prose: the senior agency official for privacy coordinates applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-3
                   name: assessment-objective
                   props:
@@ -12994,6 +14763,9 @@ catalog:
                       value: PM-19[03]
                       class: sp800-53a
                   prose: the senior agency official for privacy develops applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-4
                   name: assessment-objective
                   props:
@@ -13001,6 +14773,9 @@ catalog:
                       value: PM-19[04]
                       class: sp800-53a
                   prose: the senior agency official for privacy implements applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-5
                   name: assessment-objective
                   props:
@@ -13008,6 +14783,12 @@ catalog:
                       value: PM-19[05]
                       class: sp800-53a
                   prose: the senior agency official for privacy manages privacy risks through the organization-wide privacy program.
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-19_smt'
+                  rel: assessment-for
             - id: pm-19_asm-examine
               name: assessment-method
               props:
@@ -13131,6 +14912,9 @@ catalog:
                       value: PM-20[01]
                       class: sp800-53a
                   prose: a central resource webpage is maintained on the organization’s principal public website;
+                  links:
+                    - href: '#pm-20_smt'
+                      rel: assessment-for
                 - id: pm-20_obj-2
                   name: assessment-objective
                   props:
@@ -13138,6 +14922,9 @@ catalog:
                       value: PM-20[02]
                       class: sp800-53a
                   prose: the webpage serves as a central source of information about the organization’s privacy program;
+                  links:
+                    - href: '#pm-20_smt'
+                      rel: assessment-for
                 - id: pm-20_obj.a
                   name: assessment-objective
                   props:
@@ -13152,6 +14939,9 @@ catalog:
                           value: PM-20a.[01]
                           class: sp800-53a
                       prose: the webpage ensures that the public has access to information about organizational privacy activities;
+                      links:
+                        - href: '#pm-20_smt.a'
+                          rel: assessment-for
                     - id: pm-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -13159,6 +14949,12 @@ catalog:
                           value: PM-20a.[02]
                           class: sp800-53a
                       prose: the webpage ensures that the public can communicate with its senior agency official for privacy;
+                      links:
+                        - href: '#pm-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20_smt.a'
+                      rel: assessment-for
                 - id: pm-20_obj.b
                   name: assessment-objective
                   props:
@@ -13173,6 +14969,9 @@ catalog:
                           value: PM-20b.[01]
                           class: sp800-53a
                       prose: the webpage ensures that organizational privacy practices are publicly available;
+                      links:
+                        - href: '#pm-20_smt.b'
+                          rel: assessment-for
                     - id: pm-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -13180,6 +14979,12 @@ catalog:
                           value: PM-20b.[02]
                           class: sp800-53a
                       prose: the webpage ensures that organizational privacy reports are publicly available;
+                      links:
+                        - href: '#pm-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20_smt.b'
+                      rel: assessment-for
                 - id: pm-20_obj.c
                   name: assessment-objective
                   props:
@@ -13187,6 +14992,12 @@ catalog:
                       value: PM-20c.
                       class: sp800-53a
                   prose: the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
+                  links:
+                    - href: '#pm-20_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-20_smt'
+                  rel: assessment-for
             - id: pm-20_asm-examine
               name: assessment-method
               props:
@@ -13304,6 +15115,9 @@ catalog:
                           value: PM-20(01)[01]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all external-facing websites;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj-2
                       name: assessment-objective
                       props:
@@ -13311,6 +15125,9 @@ catalog:
                           value: PM-20(01)[02]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all mobile applications;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj-3
                       name: assessment-objective
                       props:
@@ -13318,6 +15135,9 @@ catalog:
                           value: PM-20(01)[03]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all other digital services;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj.a
                       name: assessment-objective
                       props:
@@ -13332,6 +15152,9 @@ catalog:
                               value: PM-20(01)(a)[01]
                               class: sp800-53a
                           prose: the privacy policies are written in plain language;
+                          links:
+                            - href: '#pm-20.1_smt.a'
+                              rel: assessment-for
                         - id: pm-20.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -13339,6 +15162,12 @@ catalog:
                               value: PM-20(01)(a)[02]
                               class: sp800-53a
                           prose: the privacy policies are organized in a way that is easy to understand and navigate;
+                          links:
+                            - href: '#pm-20.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.a'
+                          rel: assessment-for
                     - id: pm-20.1_obj.b
                       name: assessment-objective
                       props:
@@ -13353,6 +15182,9 @@ catalog:
                               value: PM-20(01)(b)[01]
                               class: sp800-53a
                           prose: the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;
+                          links:
+                            - href: '#pm-20.1_smt.b'
+                              rel: assessment-for
                         - id: pm-20.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -13360,6 +15192,12 @@ catalog:
                               value: PM-20(01)(b)[02]
                               class: sp800-53a
                           prose: the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;
+                          links:
+                            - href: '#pm-20.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.b'
+                          rel: assessment-for
                     - id: pm-20.1_obj.c
                       name: assessment-objective
                       props:
@@ -13374,6 +15212,9 @@ catalog:
                               value: PM-20(01)(c)[01]
                               class: sp800-53a
                           prose: the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;
+                          links:
+                            - href: '#pm-20.1_smt.c'
+                              rel: assessment-for
                         - id: pm-20.1_obj.c-2
                           name: assessment-objective
                           props:
@@ -13381,6 +15222,15 @@ catalog:
                               value: PM-20(01)(c)[02]
                               class: sp800-53a
                           prose: the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.
+                          links:
+                            - href: '#pm-20.1_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20.1_smt'
+                      rel: assessment-for
                 - id: pm-20.1_asm-examine
                   name: assessment-method
                   props:
@@ -13523,6 +15373,9 @@ catalog:
                               value: PM-21a.01[01]
                               class: sp800-53a
                           prose: the accounting includes the date of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
                         - id: pm-21_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -13530,6 +15383,9 @@ catalog:
                               value: PM-21a.01[02]
                               class: sp800-53a
                           prose: the accounting includes the nature of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
                         - id: pm-21_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -13537,6 +15393,12 @@ catalog:
                               value: PM-21a.01[03]
                               class: sp800-53a
                           prose: the accounting includes the purpose of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-21_smt.a.1'
+                          rel: assessment-for
                     - id: pm-21_obj.a.2
                       name: assessment-objective
                       props:
@@ -13551,6 +15413,9 @@ catalog:
                               value: PM-21a.02[01]
                               class: sp800-53a
                           prose: the accounting includes the name of the individual or organization to whom the disclosure was made;
+                          links:
+                            - href: '#pm-21_smt.a.2'
+                              rel: assessment-for
                         - id: pm-21_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -13558,6 +15423,15 @@ catalog:
                               value: PM-21a.02[02]
                               class: sp800-53a
                           prose: the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;
+                          links:
+                            - href: '#pm-21_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-21_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-21_smt.a'
+                      rel: assessment-for
                 - id: pm-21_obj.b
                   name: assessment-objective
                   props:
@@ -13565,6 +15439,9 @@ catalog:
                       value: PM-21b.
                       class: sp800-53a
                   prose: the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;
+                  links:
+                    - href: '#pm-21_smt.b'
+                      rel: assessment-for
                 - id: pm-21_obj.c
                   name: assessment-objective
                   props:
@@ -13572,6 +15449,12 @@ catalog:
                       value: PM-21c.
                       class: sp800-53a
                   prose: the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.
+                  links:
+                    - href: '#pm-21_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-21_smt'
+                  rel: assessment-for
             - id: pm-21_asm-examine
               name: assessment-method
               props:
@@ -13706,6 +15589,9 @@ catalog:
                       value: PM-22[01]
                       class: sp800-53a
                   prose: organization-wide policies for personally identifiable information quality management are developed and documented;
+                  links:
+                    - href: '#pm-22_smt'
+                      rel: assessment-for
                 - id: pm-22_obj-2
                   name: assessment-objective
                   props:
@@ -13713,6 +15599,9 @@ catalog:
                       value: PM-22[02]
                       class: sp800-53a
                   prose: organization-wide procedures for personally identifiable information quality management are developed and documented;
+                  links:
+                    - href: '#pm-22_smt'
+                      rel: assessment-for
                 - id: pm-22_obj.a
                   name: assessment-objective
                   props:
@@ -13727,6 +15616,9 @@ catalog:
                           value: PM-22a.[01]
                           class: sp800-53a
                       prose: the policies address reviewing the accuracy of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-2
                       name: assessment-objective
                       props:
@@ -13734,6 +15626,9 @@ catalog:
                           value: PM-22a.[02]
                           class: sp800-53a
                       prose: the policies address reviewing the relevance of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-3
                       name: assessment-objective
                       props:
@@ -13741,6 +15636,9 @@ catalog:
                           value: PM-22a.[03]
                           class: sp800-53a
                       prose: the policies address reviewing the timeliness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-4
                       name: assessment-objective
                       props:
@@ -13748,6 +15646,9 @@ catalog:
                           value: PM-22a.[04]
                           class: sp800-53a
                       prose: the policies address reviewing the completeness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-5
                       name: assessment-objective
                       props:
@@ -13755,6 +15656,9 @@ catalog:
                           value: PM-22a.[05]
                           class: sp800-53a
                       prose: the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-6
                       name: assessment-objective
                       props:
@@ -13762,6 +15666,9 @@ catalog:
                           value: PM-22a.[06]
                           class: sp800-53a
                       prose: the procedures address reviewing the relevance of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-7
                       name: assessment-objective
                       props:
@@ -13769,6 +15676,9 @@ catalog:
                           value: PM-22a.[07]
                           class: sp800-53a
                       prose: the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-8
                       name: assessment-objective
                       props:
@@ -13776,6 +15686,12 @@ catalog:
                           value: PM-22a.[08]
                           class: sp800-53a
                       prose: the procedures address reviewing the completeness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.a'
+                      rel: assessment-for
                 - id: pm-22_obj.b
                   name: assessment-objective
                   props:
@@ -13790,6 +15706,9 @@ catalog:
                           value: PM-22b.[01]
                           class: sp800-53a
                       prose: the policies address correcting or deleting inaccurate or outdated personally identifiable information;
+                      links:
+                        - href: '#pm-22_smt.b'
+                          rel: assessment-for
                     - id: pm-22_obj.b-2
                       name: assessment-objective
                       props:
@@ -13797,6 +15716,12 @@ catalog:
                           value: PM-22b.[02]
                           class: sp800-53a
                       prose: the procedures address correcting or deleting inaccurate or outdated personally identifiable information;
+                      links:
+                        - href: '#pm-22_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.b'
+                      rel: assessment-for
                 - id: pm-22_obj.c
                   name: assessment-objective
                   props:
@@ -13811,6 +15736,9 @@ catalog:
                           value: PM-22c.[01]
                           class: sp800-53a
                       prose: the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+                      links:
+                        - href: '#pm-22_smt.c'
+                          rel: assessment-for
                     - id: pm-22_obj.c-2
                       name: assessment-objective
                       props:
@@ -13818,6 +15746,12 @@ catalog:
                           value: PM-22c.[02]
                           class: sp800-53a
                       prose: the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+                      links:
+                        - href: '#pm-22_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.c'
+                      rel: assessment-for
                 - id: pm-22_obj.d
                   name: assessment-objective
                   props:
@@ -13832,6 +15766,9 @@ catalog:
                           value: PM-22d.[01]
                           class: sp800-53a
                       prose: the policies address appeals of adverse decisions on correction or deletion requests;
+                      links:
+                        - href: '#pm-22_smt.d'
+                          rel: assessment-for
                     - id: pm-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -13839,6 +15776,15 @@ catalog:
                           value: PM-22d.[02]
                           class: sp800-53a
                       prose: the procedures address appeals of adverse decisions on correction or deletion requests.
+                      links:
+                        - href: '#pm-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pm-22_smt'
+                  rel: assessment-for
             - id: pm-22_asm-examine
               name: assessment-method
               props:
@@ -13957,6 +15903,9 @@ catalog:
                       value: PM-24a.
                       class: sp800-53a
                   prose: the Data Integrity Board reviews proposals to conduct or participate in a matching program;
+                  links:
+                    - href: '#pm-24_smt.a'
+                      rel: assessment-for
                 - id: pm-24_obj.b
                   name: assessment-objective
                   props:
@@ -13964,6 +15913,12 @@ catalog:
                       value: PM-24b.
                       class: sp800-53a
                   prose: the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.
+                  links:
+                    - href: '#pm-24_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-24_smt'
+                  rel: assessment-for
             - id: pm-24_asm-examine
               name: assessment-method
               props:
@@ -14128,6 +16083,9 @@ catalog:
                           value: PM-25a.[01]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal testing are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-2
                       name: assessment-objective
                       props:
@@ -14135,6 +16093,9 @@ catalog:
                           value: PM-25a.[02]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal training are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-3
                       name: assessment-objective
                       props:
@@ -14142,6 +16103,9 @@ catalog:
                           value: PM-25a.[03]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal research are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-4
                       name: assessment-objective
                       props:
@@ -14149,6 +16113,9 @@ catalog:
                           value: PM-25a.[04]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal testing are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-5
                       name: assessment-objective
                       props:
@@ -14156,6 +16123,9 @@ catalog:
                           value: PM-25a.[05]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal training are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-6
                       name: assessment-objective
                       props:
@@ -14163,6 +16133,9 @@ catalog:
                           value: PM-25a.[06]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal research are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-7
                       name: assessment-objective
                       props:
@@ -14170,6 +16143,9 @@ catalog:
                           value: PM-25a.[07]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal testing, are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-8
                       name: assessment-objective
                       props:
@@ -14177,6 +16153,9 @@ catalog:
                           value: PM-25a.[08]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for training are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-9
                       name: assessment-objective
                       props:
@@ -14184,6 +16163,9 @@ catalog:
                           value: PM-25a.[09]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for research are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-10
                       name: assessment-objective
                       props:
@@ -14191,6 +16173,9 @@ catalog:
                           value: PM-25a.[10]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal testing are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-11
                       name: assessment-objective
                       props:
@@ -14198,6 +16183,9 @@ catalog:
                           value: PM-25a.[11]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for training are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-12
                       name: assessment-objective
                       props:
@@ -14205,6 +16193,12 @@ catalog:
                           value: PM-25a.[12]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for research are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.a'
+                      rel: assessment-for
                 - id: pm-25_obj.b
                   name: assessment-objective
                   props:
@@ -14219,6 +16213,9 @@ catalog:
                           value: PM-25b.[01]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal testing purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
                     - id: pm-25_obj.b-2
                       name: assessment-objective
                       props:
@@ -14226,6 +16223,9 @@ catalog:
                           value: PM-25b.[02]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal training purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
                     - id: pm-25_obj.b-3
                       name: assessment-objective
                       props:
@@ -14233,6 +16233,12 @@ catalog:
                           value: PM-25b.[03]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal research purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.b'
+                      rel: assessment-for
                 - id: pm-25_obj.c
                   name: assessment-objective
                   props:
@@ -14247,6 +16253,9 @@ catalog:
                           value: PM-25c.[01]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal testing is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
                     - id: pm-25_obj.c-2
                       name: assessment-objective
                       props:
@@ -14254,6 +16263,9 @@ catalog:
                           value: PM-25c.[02]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal training is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
                     - id: pm-25_obj.c-3
                       name: assessment-objective
                       props:
@@ -14261,6 +16273,12 @@ catalog:
                           value: PM-25c.[03]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal research is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.c'
+                      rel: assessment-for
                 - id: pm-25_obj.d
                   name: assessment-objective
                   props:
@@ -14275,6 +16293,9 @@ catalog:
                           value: PM-25d.[01]
                           class: sp800-53a
                       prose: 'policies are reviewed {{ insert: param, pm-25_odp.01 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-2
                       name: assessment-objective
                       props:
@@ -14282,6 +16303,9 @@ catalog:
                           value: PM-25d.[02]
                           class: sp800-53a
                       prose: 'policies are updated {{ insert: param, pm-25_odp.02 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-3
                       name: assessment-objective
                       props:
@@ -14289,6 +16313,9 @@ catalog:
                           value: PM-25d.[03]
                           class: sp800-53a
                       prose: 'procedures are reviewed {{ insert: param, pm-25_odp.03 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-4
                       name: assessment-objective
                       props:
@@ -14296,6 +16323,15 @@ catalog:
                           value: PM-25d.[04]
                           class: sp800-53a
                       prose: 'procedures are updated {{ insert: param, pm-25_odp.04 }}.'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pm-25_smt'
+                  rel: assessment-for
             - id: pm-25_asm-examine
               name: assessment-method
               props:
@@ -14476,6 +16512,9 @@ catalog:
                       value: PM-26[01]
                       class: sp800-53a
                   prose: a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+                  links:
+                    - href: '#pm-26_smt'
+                      rel: assessment-for
                 - id: pm-26_obj-2
                   name: assessment-objective
                   props:
@@ -14483,6 +16522,9 @@ catalog:
                       value: PM-26[02]
                       class: sp800-53a
                   prose: a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+                  links:
+                    - href: '#pm-26_smt'
+                      rel: assessment-for
                 - id: pm-26_obj.a
                   name: assessment-objective
                   props:
@@ -14497,6 +16539,9 @@ catalog:
                           value: PM-26a.[01]
                           class: sp800-53a
                       prose: the complaint management process includes mechanisms that are easy to use by the public;
+                      links:
+                        - href: '#pm-26_smt.a'
+                          rel: assessment-for
                     - id: pm-26_obj.a-2
                       name: assessment-objective
                       props:
@@ -14504,6 +16549,12 @@ catalog:
                           value: PM-26a.[02]
                           class: sp800-53a
                       prose: the complaint management process includes mechanisms that are readily accessible by the public;
+                      links:
+                        - href: '#pm-26_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-26_smt.a'
+                      rel: assessment-for
                 - id: pm-26_obj.b
                   name: assessment-objective
                   props:
@@ -14511,6 +16562,9 @@ catalog:
                       value: PM-26b.
                       class: sp800-53a
                   prose: the complaint management process includes all information necessary for successfully filing complaints;
+                  links:
+                    - href: '#pm-26_smt.b'
+                      rel: assessment-for
                 - id: pm-26_obj.c
                   name: assessment-objective
                   props:
@@ -14525,6 +16579,9 @@ catalog:
                           value: PM-26c.[01]
                           class: sp800-53a
                       prose: 'the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};'
+                      links:
+                        - href: '#pm-26_smt.c'
+                          rel: assessment-for
                     - id: pm-26_obj.c-2
                       name: assessment-objective
                       props:
@@ -14532,6 +16589,12 @@ catalog:
                           value: PM-26c.[02]
                           class: sp800-53a
                       prose: 'the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};'
+                      links:
+                        - href: '#pm-26_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-26_smt.c'
+                      rel: assessment-for
                 - id: pm-26_obj.d
                   name: assessment-objective
                   props:
@@ -14539,6 +16602,9 @@ catalog:
                       value: PM-26d.
                       class: sp800-53a
                   prose: 'the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};'
+                  links:
+                    - href: '#pm-26_smt.d'
+                      rel: assessment-for
                 - id: pm-26_obj.e
                   name: assessment-objective
                   props:
@@ -14546,6 +16612,12 @@ catalog:
                       value: PM-26e.
                       class: sp800-53a
                   prose: 'the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.'
+                  links:
+                    - href: '#pm-26_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pm-26_smt'
+                  rel: assessment-for
             - id: pm-26_asm-examine
               name: assessment-method
               props:
@@ -14719,6 +16791,9 @@ catalog:
                           value: PM-27a.01
                           class: sp800-53a
                       prose: 'the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;'
+                      links:
+                        - href: '#pm-27_smt.a.1'
+                          rel: assessment-for
                     - id: pm-27_obj.a.2
                       name: assessment-objective
                       props:
@@ -14733,6 +16808,9 @@ catalog:
                               value: PM-27a.02[01]
                               class: sp800-53a
                           prose: 'the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};'
+                          links:
+                            - href: '#pm-27_smt.a.2'
+                              rel: assessment-for
                         - id: pm-27_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -14740,6 +16818,15 @@ catalog:
                               value: PM-27a.02[02]
                               class: sp800-53a
                           prose: the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;
+                          links:
+                            - href: '#pm-27_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-27_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-27_smt.a'
+                      rel: assessment-for
                 - id: pm-27_obj.b
                   name: assessment-objective
                   props:
@@ -14747,6 +16834,12 @@ catalog:
                       value: PM-27b.
                       class: sp800-53a
                   prose: 'the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.'
+                  links:
+                    - href: '#pm-27_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-27_smt'
+                  rel: assessment-for
             - id: pm-27_asm-examine
               name: assessment-method
               props:
@@ -14918,6 +17011,9 @@ catalog:
                               value: PM-28a.01[01]
                               class: sp800-53a
                           prose: assumptions affecting risk assessments are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
                         - id: pm-28_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -14925,6 +17021,9 @@ catalog:
                               value: PM-28a.01[02]
                               class: sp800-53a
                           prose: assumptions affecting risk responses are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
                         - id: pm-28_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -14932,6 +17031,12 @@ catalog:
                               value: PM-28a.01[03]
                               class: sp800-53a
                           prose: assumptions affecting risk monitoring are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.1'
+                          rel: assessment-for
                     - id: pm-28_obj.a.2
                       name: assessment-objective
                       props:
@@ -14946,6 +17051,9 @@ catalog:
                               value: PM-28a.02[01]
                               class: sp800-53a
                           prose: constraints affecting risk assessments are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
                         - id: pm-28_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -14953,6 +17061,9 @@ catalog:
                               value: PM-28a.02[02]
                               class: sp800-53a
                           prose: constraints affecting risk responses are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
                         - id: pm-28_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -14960,6 +17071,12 @@ catalog:
                               value: PM-28a.02[03]
                               class: sp800-53a
                           prose: constraints affecting risk monitoring are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.2'
+                          rel: assessment-for
                     - id: pm-28_obj.a.3
                       name: assessment-objective
                       props:
@@ -14974,6 +17091,9 @@ catalog:
                               value: PM-28a.03[01]
                               class: sp800-53a
                           prose: priorities considered by the organization for managing risk are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.3'
+                              rel: assessment-for
                         - id: pm-28_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -14981,6 +17101,12 @@ catalog:
                               value: PM-28a.03[02]
                               class: sp800-53a
                           prose: trade-offs considered by the organization for managing risk are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.3'
+                          rel: assessment-for
                     - id: pm-28_obj.a.4
                       name: assessment-objective
                       props:
@@ -14988,6 +17114,12 @@ catalog:
                           value: PM-28a.04
                           class: sp800-53a
                       prose: organizational risk tolerance is identified and documented;
+                      links:
+                        - href: '#pm-28_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-28_smt.a'
+                      rel: assessment-for
                 - id: pm-28_obj.b
                   name: assessment-objective
                   props:
@@ -14995,6 +17127,9 @@ catalog:
                       value: PM-28b.
                       class: sp800-53a
                   prose: 'the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};'
+                  links:
+                    - href: '#pm-28_smt.b'
+                      rel: assessment-for
                 - id: pm-28_obj.c
                   name: assessment-objective
                   props:
@@ -15002,6 +17137,12 @@ catalog:
                       value: PM-28c.
                       class: sp800-53a
                   prose: 'risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.'
+                  links:
+                    - href: '#pm-28_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-28_smt'
+                  rel: assessment-for
             - id: pm-28_asm-examine
               name: assessment-method
               props:
@@ -15105,9 +17246,9 @@ catalog:
                 - name: label
                   value: PM-31_ODP[02]
                   class: sp800-53a
-              label: frequency
+              label: monitoring frequencies
               guidelines:
-                - prose: the frequency for monitoring is defined;
+                - prose: the frequencies for monitoring are defined;
             - id: pm-31_odp.03
               props:
                 - name: alt-identifier
@@ -15118,9 +17259,9 @@ catalog:
                 - name: label
                   value: PM-31_ODP[03]
                   class: sp800-53a
-              label: frequency
+              label: assessment frequencies
               guidelines:
-                - prose: the frequency for assessing control effectiveness is defined;
+                - prose: the frequencies for assessing control effectiveness are defined;
             - id: pm-31_odp.04
               props:
                 - name: label
@@ -15289,7 +17430,7 @@ catalog:
                   props:
                     - name: label
                       value: b.
-                  prose: 'Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;'
+                  prose: 'Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;'
                 - id: pm-31_smt.c
                   name: item
                   props:
@@ -15332,6 +17473,9 @@ catalog:
                       value: PM-31a.
                       class: sp800-53a
                   prose: 'continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;'
+                  links:
+                    - href: '#pm-31_smt.a'
+                      rel: assessment-for
                 - id: pm-31_obj.b
                   name: assessment-objective
                   props:
@@ -15346,6 +17490,9 @@ catalog:
                           value: PM-31b.[01]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#pm-31_smt.b'
+                          rel: assessment-for
                     - id: pm-31_obj.b-2
                       name: assessment-objective
                       props:
@@ -15353,6 +17500,12 @@ catalog:
                           value: PM-31b.[02]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#pm-31_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.b'
+                      rel: assessment-for
                 - id: pm-31_obj.c
                   name: assessment-objective
                   props:
@@ -15360,6 +17513,9 @@ catalog:
                       value: PM-31c.
                       class: sp800-53a
                   prose: 'continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;'
+                  links:
+                    - href: '#pm-31_smt.c'
+                      rel: assessment-for
                 - id: pm-31_obj.d
                   name: assessment-objective
                   props:
@@ -15374,6 +17530,9 @@ catalog:
                           value: PM-31d.[01]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;
+                      links:
+                        - href: '#pm-31_smt.d'
+                          rel: assessment-for
                     - id: pm-31_obj.d-2
                       name: assessment-objective
                       props:
@@ -15381,6 +17540,12 @@ catalog:
                           value: PM-31d.[02]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;
+                      links:
+                        - href: '#pm-31_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.d'
+                      rel: assessment-for
                 - id: pm-31_obj.e
                   name: assessment-objective
                   props:
@@ -15395,6 +17560,9 @@ catalog:
                           value: PM-31e.[01]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;
+                      links:
+                        - href: '#pm-31_smt.e'
+                          rel: assessment-for
                     - id: pm-31_obj.e-2
                       name: assessment-objective
                       props:
@@ -15402,6 +17570,12 @@ catalog:
                           value: PM-31e.[02]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;
+                      links:
+                        - href: '#pm-31_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.e'
+                      rel: assessment-for
                 - id: pm-31_obj.f
                   name: assessment-objective
                   props:
@@ -15416,6 +17590,9 @@ catalog:
                           value: PM-31f.[01]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};'
+                      links:
+                        - href: '#pm-31_smt.f'
+                          rel: assessment-for
                     - id: pm-31_obj.f-2
                       name: assessment-objective
                       props:
@@ -15423,6 +17600,15 @@ catalog:
                           value: PM-31f.[02]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.'
+                      links:
+                        - href: '#pm-31_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#pm-31_smt'
+                  rel: assessment-for
             - id: pm-31_asm-examine
               name: assessment-method
               props:
@@ -15610,6 +17796,9 @@ catalog:
                       value: PS-06a.
                       class: sp800-53a
                   prose: access agreements are developed and documented for organizational systems;
+                  links:
+                    - href: '#ps-6_smt.a'
+                      rel: assessment-for
                 - id: ps-6_obj.b
                   name: assessment-objective
                   props:
@@ -15617,6 +17806,9 @@ catalog:
                       value: PS-06b.
                       class: sp800-53a
                   prose: 'the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};'
+                  links:
+                    - href: '#ps-6_smt.b'
+                      rel: assessment-for
                 - id: ps-6_obj.c
                   name: assessment-objective
                   props:
@@ -15631,6 +17823,9 @@ catalog:
                           value: PS-06c.01
                           class: sp800-53a
                       prose: individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+                      links:
+                        - href: '#ps-6_smt.c.1'
+                          rel: assessment-for
                     - id: ps-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -15638,6 +17833,15 @@ catalog:
                           value: PS-06c.02
                           class: sp800-53a
                       prose: 'individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.'
+                      links:
+                        - href: '#ps-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-6_smt'
+                  rel: assessment-for
             - id: ps-6_asm-examine
               name: assessment-method
               props:
@@ -15899,6 +18103,9 @@ catalog:
                           value: PT-01a.[01]
                           class: sp800-53a
                       prose: a personally identifiable information processing and transparency policy is developed and documented;
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -15906,6 +18113,9 @@ catalog:
                           value: PT-01a.[02]
                           class: sp800-53a
                       prose: 'the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};'
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -15913,6 +18123,9 @@ catalog:
                           value: PT-01a.[03]
                           class: sp800-53a
                       prose: personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -15920,6 +18133,9 @@ catalog:
                           value: PT-01a.[04]
                           class: sp800-53a
                       prose: 'the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};'
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -15941,6 +18157,9 @@ catalog:
                                   value: PT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -15948,6 +18167,9 @@ catalog:
                                   value: PT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -15955,6 +18177,9 @@ catalog:
                                   value: PT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -15962,6 +18187,9 @@ catalog:
                                   value: PT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -15969,6 +18197,9 @@ catalog:
                                   value: PT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -15976,6 +18207,9 @@ catalog:
                                   value: PT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -15983,6 +18217,12 @@ catalog:
                                   value: PT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pt-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pt-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -15990,6 +18230,15 @@ catalog:
                               value: PT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pt-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-1_smt.a'
+                      rel: assessment-for
                 - id: pt-1_obj.b
                   name: assessment-objective
                   props:
@@ -15997,6 +18246,9 @@ catalog:
                       value: PT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;'
+                  links:
+                    - href: '#pt-1_smt.b'
+                      rel: assessment-for
                 - id: pt-1_obj.c
                   name: assessment-objective
                   props:
@@ -16018,6 +18270,9 @@ catalog:
                               value: PT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};'
+                          links:
+                            - href: '#pt-1_smt.c.1'
+                              rel: assessment-for
                         - id: pt-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -16025,6 +18280,12 @@ catalog:
                               value: PT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};'
+                          links:
+                            - href: '#pt-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.c.1'
+                          rel: assessment-for
                     - id: pt-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -16039,6 +18300,9 @@ catalog:
                               value: PT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};'
+                          links:
+                            - href: '#pt-1_smt.c.2'
+                              rel: assessment-for
                         - id: pt-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -16046,6 +18310,18 @@ catalog:
                               value: PT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.'
+                          links:
+                            - href: '#pt-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pt-1_smt'
+                  rel: assessment-for
             - id: pt-1_asm-examine
               name: assessment-method
               props:
@@ -16203,6 +18479,9 @@ catalog:
                       value: PT-02a.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;'
+                  links:
+                    - href: '#pt-2_smt.a'
+                      rel: assessment-for
                 - id: pt-2_obj.b
                   name: assessment-objective
                   props:
@@ -16210,6 +18489,12 @@ catalog:
                       value: PT-02b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.'
+                  links:
+                    - href: '#pt-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pt-2_smt'
+                  rel: assessment-for
             - id: pt-2_asm-examine
               name: assessment-method
               props:
@@ -16399,6 +18684,9 @@ catalog:
                       value: PT-03a.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;'
+                  links:
+                    - href: '#pt-3_smt.a'
+                      rel: assessment-for
                 - id: pt-3_obj.b
                   name: assessment-objective
                   props:
@@ -16413,6 +18701,9 @@ catalog:
                           value: PT-03b.[01]
                           class: sp800-53a
                       prose: the purpose(s) is/are described in the public privacy notices of the organization;
+                      links:
+                        - href: '#pt-3_smt.b'
+                          rel: assessment-for
                     - id: pt-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -16420,6 +18711,12 @@ catalog:
                           value: PT-03b.[02]
                           class: sp800-53a
                       prose: the purpose(s) is/are described in the policies of the organization;
+                      links:
+                        - href: '#pt-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-3_smt.b'
+                      rel: assessment-for
                 - id: pt-3_obj.c
                   name: assessment-objective
                   props:
@@ -16427,6 +18724,9 @@ catalog:
                       value: PT-03c.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);'
+                  links:
+                    - href: '#pt-3_smt.c'
+                      rel: assessment-for
                 - id: pt-3_obj.d
                   name: assessment-objective
                   props:
@@ -16441,6 +18741,9 @@ catalog:
                           value: PT-03d.[01]
                           class: sp800-53a
                       prose: changes in the processing of personally identifiable information are monitored;
+                      links:
+                        - href: '#pt-3_smt.d'
+                          rel: assessment-for
                     - id: pt-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -16448,6 +18751,15 @@ catalog:
                           value: PT-03d.[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.'
+                      links:
+                        - href: '#pt-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pt-3_smt'
+                  rel: assessment-for
             - id: pt-3_asm-examine
               name: assessment-method
               props:
@@ -16563,6 +18875,9 @@ catalog:
                   value: PT-04
                   class: sp800-53a
               prose: 'the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.'
+              links:
+                - href: '#pt-4_smt'
+                  rel: assessment-for
             - id: pt-4_asm-examine
               name: assessment-method
               props:
@@ -16742,6 +19057,9 @@ catalog:
                           value: PT-05a.[01]
                           class: sp800-53a
                       prose: a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;
+                      links:
+                        - href: '#pt-5_smt.a'
+                          rel: assessment-for
                     - id: pt-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -16749,6 +19067,12 @@ catalog:
                           value: PT-05a.[02]
                           class: sp800-53a
                       prose: 'a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};'
+                      links:
+                        - href: '#pt-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-5_smt.a'
+                      rel: assessment-for
                 - id: pt-5_obj.b
                   name: assessment-objective
                   props:
@@ -16756,6 +19080,9 @@ catalog:
                       value: PT-05b.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;
+                  links:
+                    - href: '#pt-5_smt.b'
+                      rel: assessment-for
                 - id: pt-5_obj.c
                   name: assessment-objective
                   props:
@@ -16763,6 +19090,9 @@ catalog:
                       value: PT-05c.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;
+                  links:
+                    - href: '#pt-5_smt.c'
+                      rel: assessment-for
                 - id: pt-5_obj.d
                   name: assessment-objective
                   props:
@@ -16770,6 +19100,9 @@ catalog:
                       value: PT-05d.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;
+                  links:
+                    - href: '#pt-5_smt.d'
+                      rel: assessment-for
                 - id: pt-5_obj.e
                   name: assessment-objective
                   props:
@@ -16777,6 +19110,12 @@ catalog:
                       value: PT-05e.
                       class: sp800-53a
                   prose: 'a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.'
+                  links:
+                    - href: '#pt-5_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pt-5_smt'
+                  rel: assessment-for
             - id: pt-5_asm-examine
               name: assessment-method
               props:
@@ -16864,6 +19203,9 @@ catalog:
                       value: PT-05(02)
                       class: sp800-53a
                   prose: Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.
+                  links:
+                    - href: '#pt-5.2_smt'
+                      rel: assessment-for
                 - id: pt-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -16990,6 +19332,9 @@ catalog:
                           value: PT-06a.[01]
                           class: sp800-53a
                       prose: system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;
+                      links:
+                        - href: '#pt-6_smt.a'
+                          rel: assessment-for
                     - id: pt-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -16997,6 +19342,12 @@ catalog:
                           value: PT-06a.[02]
                           class: sp800-53a
                       prose: new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;
+                      links:
+                        - href: '#pt-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-6_smt.a'
+                      rel: assessment-for
                 - id: pt-6_obj.b
                   name: assessment-objective
                   props:
@@ -17004,6 +19355,9 @@ catalog:
                       value: PT-06b.
                       class: sp800-53a
                   prose: system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;
+                  links:
+                    - href: '#pt-6_smt.b'
+                      rel: assessment-for
                 - id: pt-6_obj.c
                   name: assessment-objective
                   props:
@@ -17011,6 +19365,12 @@ catalog:
                       value: PT-06c.
                       class: sp800-53a
                   prose: system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.
+                  links:
+                    - href: '#pt-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pt-6_smt'
+                  rel: assessment-for
             - id: pt-6_asm-examine
               name: assessment-method
               props:
@@ -17104,6 +19464,9 @@ catalog:
                       value: PT-06(01)
                       class: sp800-53a
                   prose: 'all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.'
+                  links:
+                    - href: '#pt-6.1_smt'
+                      rel: assessment-for
                 - id: pt-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -17201,6 +19564,9 @@ catalog:
                           value: PT-06(02)[01]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
                     - id: pt-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -17208,6 +19574,9 @@ catalog:
                           value: PT-06(02)[02]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
                     - id: pt-6.2_obj-3
                       name: assessment-objective
                       props:
@@ -17215,6 +19584,12 @@ catalog:
                           value: PT-06(02)[03]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-6.2_smt'
+                      rel: assessment-for
                 - id: pt-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -17321,6 +19696,9 @@ catalog:
                   value: PT-07
                   class: sp800-53a
               prose: ' {{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.'
+              links:
+                - href: '#pt-7_smt'
+                  rel: assessment-for
             - id: pt-7_asm-examine
               name: assessment-method
               props:
@@ -17446,6 +19824,9 @@ catalog:
                               value: PT-07(01)(a)[01]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;
+                          links:
+                            - href: '#pt-7.1_smt.a'
+                              rel: assessment-for
                         - id: pt-7.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -17453,6 +19834,12 @@ catalog:
                               value: PT-07(01)(a)[02]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;
+                          links:
+                            - href: '#pt-7.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-7.1_smt.a'
+                          rel: assessment-for
                     - id: pt-7.1_obj.b
                       name: assessment-objective
                       props:
@@ -17460,6 +19847,9 @@ catalog:
                           value: PT-07(01)(b)
                           class: sp800-53a
                       prose: when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;
+                      links:
+                        - href: '#pt-7.1_smt.b'
+                          rel: assessment-for
                     - id: pt-7.1_obj.c
                       name: assessment-objective
                       props:
@@ -17474,6 +19864,9 @@ catalog:
                               value: PT-07(01)(c)[01]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
                         - id: pt-7.1_obj.c-2
                           name: assessment-objective
                           props:
@@ -17481,6 +19874,9 @@ catalog:
                               value: PT-07(01)(c)[02]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
                         - id: pt-7.1_obj.c-3
                           name: assessment-objective
                           props:
@@ -17488,6 +19884,15 @@ catalog:
                               value: PT-07(01)(c)[03]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-7.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-7.1_smt'
+                      rel: assessment-for
                 - id: pt-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -17574,6 +19979,9 @@ catalog:
                       value: PT-07(02)
                       class: sp800-53a
                   prose: the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
+                  links:
+                    - href: '#pt-7.2_smt'
+                      rel: assessment-for
                 - id: pt-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -17699,6 +20107,9 @@ catalog:
                       value: PT-08a.
                       class: sp800-53a
                   prose: approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.a'
+                      rel: assessment-for
                 - id: pt-8_obj.b
                   name: assessment-objective
                   props:
@@ -17713,6 +20124,9 @@ catalog:
                           value: PT-08b.[01]
                           class: sp800-53a
                       prose: a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.b'
+                          rel: assessment-for
                     - id: pt-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -17720,6 +20134,12 @@ catalog:
                           value: PT-08b.[02]
                           class: sp800-53a
                       prose: a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-8_smt.b'
+                      rel: assessment-for
                 - id: pt-8_obj.c
                   name: assessment-objective
                   props:
@@ -17727,6 +20147,9 @@ catalog:
                       value: PT-08c.
                       class: sp800-53a
                   prose: a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.c'
+                      rel: assessment-for
                 - id: pt-8_obj.d
                   name: assessment-objective
                   props:
@@ -17734,6 +20157,9 @@ catalog:
                       value: PT-08d.
                       class: sp800-53a
                   prose: the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.d'
+                      rel: assessment-for
                 - id: pt-8_obj.e
                   name: assessment-objective
                   props:
@@ -17748,6 +20174,9 @@ catalog:
                           value: PT-08e.[01]
                           class: sp800-53a
                       prose: individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.e'
+                          rel: assessment-for
                     - id: pt-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -17755,6 +20184,15 @@ catalog:
                           value: PT-08e.[02]
                           class: sp800-53a
                       prose: individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.
+                      links:
+                        - href: '#pt-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pt-8_smt'
+                  rel: assessment-for
             - id: pt-8_asm-examine
               name: assessment-method
               props:
@@ -18030,6 +20468,9 @@ catalog:
                           value: RA-01a.[01]
                           class: sp800-53a
                       prose: a risk assessment policy is developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -18037,6 +20478,9 @@ catalog:
                           value: RA-01a.[02]
                           class: sp800-53a
                       prose: 'the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -18044,6 +20488,9 @@ catalog:
                           value: RA-01a.[03]
                           class: sp800-53a
                       prose: risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -18051,6 +20498,9 @@ catalog:
                           value: RA-01a.[04]
                           class: sp800-53a
                       prose: 'the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -18072,6 +20522,9 @@ catalog:
                                   value: RA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -18079,6 +20532,9 @@ catalog:
                                   value: RA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -18086,6 +20542,9 @@ catalog:
                                   value: RA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -18093,6 +20552,9 @@ catalog:
                                   value: RA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -18100,6 +20562,9 @@ catalog:
                                   value: RA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -18107,6 +20572,9 @@ catalog:
                                   value: RA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -18114,6 +20582,12 @@ catalog:
                                   value: RA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ra-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ra-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -18121,6 +20595,15 @@ catalog:
                               value: RA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ra-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.a'
+                      rel: assessment-for
                 - id: ra-1_obj.b
                   name: assessment-objective
                   props:
@@ -18128,6 +20611,9 @@ catalog:
                       value: RA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;'
+                  links:
+                    - href: '#ra-1_smt.b'
+                      rel: assessment-for
                 - id: ra-1_obj.c
                   name: assessment-objective
                   props:
@@ -18149,6 +20635,9 @@ catalog:
                               value: RA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
                         - id: ra-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -18156,6 +20645,12 @@ catalog:
                               value: RA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.1'
+                          rel: assessment-for
                     - id: ra-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -18170,6 +20665,9 @@ catalog:
                               value: RA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
                         - id: ra-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -18177,6 +20675,18 @@ catalog:
                               value: RA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-1_smt'
+                  rel: assessment-for
             - id: ra-1_asm-examine
               name: assessment-method
               props:
@@ -18436,6 +20946,9 @@ catalog:
                           value: RA-03a.01
                           class: sp800-53a
                       prose: a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+                      links:
+                        - href: '#ra-3_smt.a.1'
+                          rel: assessment-for
                     - id: ra-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -18443,6 +20956,9 @@ catalog:
                           value: RA-03a.02
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+                      links:
+                        - href: '#ra-3_smt.a.2'
+                          rel: assessment-for
                     - id: ra-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -18450,6 +20966,12 @@ catalog:
                           value: RA-03a.03
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+                      links:
+                        - href: '#ra-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3_smt.a'
+                      rel: assessment-for
                 - id: ra-3_obj.b
                   name: assessment-objective
                   props:
@@ -18457,6 +20979,9 @@ catalog:
                       value: RA-03b.
                       class: sp800-53a
                   prose: risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+                  links:
+                    - href: '#ra-3_smt.b'
+                      rel: assessment-for
                 - id: ra-3_obj.c
                   name: assessment-objective
                   props:
@@ -18464,6 +20989,9 @@ catalog:
                       value: RA-03c.
                       class: sp800-53a
                   prose: 'risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};'
+                  links:
+                    - href: '#ra-3_smt.c'
+                      rel: assessment-for
                 - id: ra-3_obj.d
                   name: assessment-objective
                   props:
@@ -18471,6 +20999,9 @@ catalog:
                       value: RA-03d.
                       class: sp800-53a
                   prose: 'risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};'
+                  links:
+                    - href: '#ra-3_smt.d'
+                      rel: assessment-for
                 - id: ra-3_obj.e
                   name: assessment-objective
                   props:
@@ -18478,6 +21009,9 @@ catalog:
                       value: RA-03e.
                       class: sp800-53a
                   prose: 'risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};'
+                  links:
+                    - href: '#ra-3_smt.e'
+                      rel: assessment-for
                 - id: ra-3_obj.f
                   name: assessment-objective
                   props:
@@ -18485,6 +21019,12 @@ catalog:
                       value: RA-03f.
                       class: sp800-53a
                   prose: 'the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.'
+                  links:
+                    - href: '#ra-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-3_smt'
+                  rel: assessment-for
             - id: ra-3_asm-examine
               name: assessment-method
               props:
@@ -18613,6 +21153,9 @@ catalog:
                       value: RA-07[01]
                       class: sp800-53a
                   prose: findings from security assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-2
                   name: assessment-objective
                   props:
@@ -18620,6 +21163,9 @@ catalog:
                       value: RA-07[02]
                       class: sp800-53a
                   prose: findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-3
                   name: assessment-objective
                   props:
@@ -18627,6 +21173,9 @@ catalog:
                       value: RA-07[03]
                       class: sp800-53a
                   prose: findings from monitoring are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-4
                   name: assessment-objective
                   props:
@@ -18634,6 +21183,12 @@ catalog:
                       value: RA-07[04]
                       class: sp800-53a
                   prose: findings from audits are responded to in accordance with organizational risk tolerance.
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ra-7_smt'
+                  rel: assessment-for
             - id: ra-7_asm-examine
               name: assessment-method
               props:
@@ -18785,6 +21340,9 @@ catalog:
                       value: RA-08a.
                       class: sp800-53a
                   prose: privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;
+                  links:
+                    - href: '#ra-8_smt.a'
+                      rel: assessment-for
                 - id: ra-8_obj.b
                   name: assessment-objective
                   props:
@@ -18799,6 +21357,9 @@ catalog:
                           value: RA-08b.[01]
                           class: sp800-53a
                       prose: privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;
+                      links:
+                        - href: '#ra-8_smt.b'
+                          rel: assessment-for
                     - id: ra-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -18806,6 +21367,15 @@ catalog:
                           value: RA-08b.[02]
                           class: sp800-53a
                       prose: privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
+                      links:
+                        - href: '#ra-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ra-8_smt'
+                  rel: assessment-for
             - id: ra-8_asm-examine
               name: assessment-method
               props:
@@ -19083,6 +21653,9 @@ catalog:
                           value: SA-01a.[01]
                           class: sp800-53a
                       prose: a system and services acquisition policy is developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -19090,6 +21663,9 @@ catalog:
                           value: SA-01a.[02]
                           class: sp800-53a
                       prose: 'the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -19097,6 +21673,9 @@ catalog:
                           value: SA-01a.[03]
                           class: sp800-53a
                       prose: system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -19104,6 +21683,9 @@ catalog:
                           value: SA-01a.[04]
                           class: sp800-53a
                       prose: 'the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -19125,6 +21707,9 @@ catalog:
                                   value: SA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -19132,6 +21717,9 @@ catalog:
                                   value: SA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -19139,6 +21727,9 @@ catalog:
                                   value: SA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -19146,6 +21737,9 @@ catalog:
                                   value: SA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -19153,6 +21747,9 @@ catalog:
                                   value: SA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -19160,6 +21757,9 @@ catalog:
                                   value: SA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -19167,6 +21767,12 @@ catalog:
                                   value: SA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sa-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sa-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -19174,6 +21780,15 @@ catalog:
                               value: SA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sa-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.a'
+                      rel: assessment-for
                 - id: sa-1_obj.b
                   name: assessment-objective
                   props:
@@ -19181,6 +21796,9 @@ catalog:
                       value: SA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;'
+                  links:
+                    - href: '#sa-1_smt.b'
+                      rel: assessment-for
                 - id: sa-1_obj.c
                   name: assessment-objective
                   props:
@@ -19202,6 +21820,9 @@ catalog:
                               value: SA-01c.01[01]
                               class: sp800-53a
                           prose: 'the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
                         - id: sa-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -19209,6 +21830,12 @@ catalog:
                               value: SA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.1'
+                          rel: assessment-for
                     - id: sa-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -19223,6 +21850,9 @@ catalog:
                               value: SA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
                         - id: sa-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -19230,6 +21860,18 @@ catalog:
                               value: SA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-1_smt'
+                  rel: assessment-for
             - id: sa-1_asm-examine
               name: assessment-method
               props:
@@ -19356,6 +21998,9 @@ catalog:
                           value: SA-02a.[01]
                           class: sp800-53a
                       prose: the high-level information security requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
                     - id: sa-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -19363,6 +22008,12 @@ catalog:
                           value: SA-02a.[02]
                           class: sp800-53a
                       prose: the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.a'
+                      rel: assessment-for
                 - id: sa-2_obj.b
                   name: assessment-objective
                   props:
@@ -19377,6 +22028,9 @@ catalog:
                           value: SA-02b.[01]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
                     - id: sa-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -19384,6 +22038,12 @@ catalog:
                           value: SA-02b.[02]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.b'
+                      rel: assessment-for
                 - id: sa-2_obj.c
                   name: assessment-objective
                   props:
@@ -19398,6 +22058,9 @@ catalog:
                           value: SA-02c.[01]
                           class: sp800-53a
                       prose: a discrete line item for information security is established in organizational programming and budgeting documentation;
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
                     - id: sa-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -19405,6 +22068,15 @@ catalog:
                           value: SA-02c.[02]
                           class: sp800-53a
                       prose: a discrete line item for privacy is established in organizational programming and budgeting documentation.
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-2_smt'
+                  rel: assessment-for
             - id: sa-2_asm-examine
               name: assessment-method
               props:
@@ -19597,6 +22269,9 @@ catalog:
                           value: SA-03a.[01]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
                     - id: sa-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -19604,6 +22279,12 @@ catalog:
                           value: SA-03a.[02]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.a'
+                      rel: assessment-for
                 - id: sa-3_obj.b
                   name: assessment-objective
                   props:
@@ -19618,6 +22299,9 @@ catalog:
                           value: SA-03b.[01]
                           class: sp800-53a
                       prose: information security roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
                     - id: sa-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -19625,6 +22309,12 @@ catalog:
                           value: SA-03b.[02]
                           class: sp800-53a
                       prose: privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.b'
+                      rel: assessment-for
                 - id: sa-3_obj.c
                   name: assessment-objective
                   props:
@@ -19639,6 +22329,9 @@ catalog:
                           value: SA-03c.[01]
                           class: sp800-53a
                       prose: individuals with information security roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
                     - id: sa-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -19646,6 +22339,12 @@ catalog:
                           value: SA-03c.[02]
                           class: sp800-53a
                       prose: individuals with privacy roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.c'
+                      rel: assessment-for
                 - id: sa-3_obj.d
                   name: assessment-objective
                   props:
@@ -19660,6 +22359,9 @@ catalog:
                           value: SA-03d.[01]
                           class: sp800-53a
                       prose: organizational information security risk management processes are integrated into system development life cycle activities;
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
                     - id: sa-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -19667,6 +22369,15 @@ catalog:
                           value: SA-03d.[02]
                           class: sp800-53a
                       prose: organizational privacy risk management processes are integrated into system development life cycle activities.
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-3_smt'
+                  rel: assessment-for
             - id: sa-3_asm-examine
               name: assessment-method
               props:
@@ -19939,6 +22650,9 @@ catalog:
                           value: SA-04a.[01]
                           class: sp800-53a
                       prose: 'security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
                     - id: sa-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -19946,6 +22660,12 @@ catalog:
                           value: SA-04a.[02]
                           class: sp800-53a
                       prose: 'privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.a'
+                      rel: assessment-for
                 - id: sa-4_obj.b
                   name: assessment-objective
                   props:
@@ -19953,6 +22673,9 @@ catalog:
                       value: SA-04b.
                       class: sp800-53a
                   prose: 'strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.b'
+                      rel: assessment-for
                 - id: sa-4_obj.c
                   name: assessment-objective
                   props:
@@ -19967,6 +22690,9 @@ catalog:
                           value: SA-04c.[01]
                           class: sp800-53a
                       prose: 'security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
                     - id: sa-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -19974,6 +22700,12 @@ catalog:
                           value: SA-04c.[02]
                           class: sp800-53a
                       prose: 'privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.c'
+                      rel: assessment-for
                 - id: sa-4_obj.d
                   name: assessment-objective
                   props:
@@ -19988,6 +22720,9 @@ catalog:
                           value: SA-04d.[01]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
                     - id: sa-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -19995,6 +22730,12 @@ catalog:
                           value: SA-04d.[02]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.d'
+                      rel: assessment-for
                 - id: sa-4_obj.e
                   name: assessment-objective
                   props:
@@ -20009,6 +22750,9 @@ catalog:
                           value: SA-04e.[01]
                           class: sp800-53a
                       prose: 'security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
                     - id: sa-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -20016,6 +22760,12 @@ catalog:
                           value: SA-04e.[02]
                           class: sp800-53a
                       prose: 'privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.e'
+                      rel: assessment-for
                 - id: sa-4_obj.f
                   name: assessment-objective
                   props:
@@ -20030,6 +22780,9 @@ catalog:
                           value: SA-04f.[01]
                           class: sp800-53a
                       prose: 'requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
                     - id: sa-4_obj.f-2
                       name: assessment-objective
                       props:
@@ -20037,6 +22790,12 @@ catalog:
                           value: SA-04f.[02]
                           class: sp800-53a
                       prose: 'requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.f'
+                      rel: assessment-for
                 - id: sa-4_obj.g
                   name: assessment-objective
                   props:
@@ -20044,6 +22803,9 @@ catalog:
                       value: SA-04g.
                       class: sp800-53a
                   prose: 'the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.g'
+                      rel: assessment-for
                 - id: sa-4_obj.h
                   name: assessment-objective
                   props:
@@ -20058,6 +22820,9 @@ catalog:
                           value: SA-04h.[01]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-2
                       name: assessment-objective
                       props:
@@ -20065,6 +22830,9 @@ catalog:
                           value: SA-04h.[02]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-3
                       name: assessment-objective
                       props:
@@ -20072,6 +22840,12 @@ catalog:
                           value: SA-04h.[03]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.h'
+                      rel: assessment-for
                 - id: sa-4_obj.i
                   name: assessment-objective
                   props:
@@ -20079,6 +22853,12 @@ catalog:
                       value: SA-04i.
                       class: sp800-53a
                   prose: 'acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.'
+                  links:
+                    - href: '#sa-4_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#sa-4_smt'
+                  rel: assessment-for
             - id: sa-4_asm-examine
               name: assessment-method
               props:
@@ -20272,6 +23052,9 @@ catalog:
                       value: SA-08[01]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-2
                   name: assessment-objective
                   props:
@@ -20279,6 +23062,9 @@ catalog:
                       value: SA-08[02]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-3
                   name: assessment-objective
                   props:
@@ -20286,6 +23072,9 @@ catalog:
                       value: SA-08[03]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-4
                   name: assessment-objective
                   props:
@@ -20293,6 +23082,9 @@ catalog:
                       value: SA-08[04]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-5
                   name: assessment-objective
                   props:
@@ -20300,6 +23092,9 @@ catalog:
                       value: SA-08[05]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-6
                   name: assessment-objective
                   props:
@@ -20307,6 +23102,9 @@ catalog:
                       value: SA-08[06]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-7
                   name: assessment-objective
                   props:
@@ -20314,6 +23112,9 @@ catalog:
                       value: SA-08[07]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-8
                   name: assessment-objective
                   props:
@@ -20321,6 +23122,9 @@ catalog:
                       value: SA-08[08]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-9
                   name: assessment-objective
                   props:
@@ -20328,6 +23132,9 @@ catalog:
                       value: SA-08[09]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-10
                   name: assessment-objective
                   props:
@@ -20335,6 +23142,12 @@ catalog:
                       value: SA-08[10]
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sa-8_smt'
+                  rel: assessment-for
             - id: sa-8_asm-examine
               name: assessment-method
               props:
@@ -20459,6 +23272,9 @@ catalog:
                       value: SA-08(33)
                       class: sp800-53a
                   prose: 'the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.'
+                  links:
+                    - href: '#sa-8.33_smt'
+                      rel: assessment-for
                 - id: sa-8.33_asm-examine
                   name: assessment-method
                   props:
@@ -20655,6 +23471,9 @@ catalog:
                           value: SA-09a.[01]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational security requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -20662,6 +23481,9 @@ catalog:
                           value: SA-09a.[02]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational privacy requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -20669,6 +23491,12 @@ catalog:
                           value: SA-09a.[03]
                           class: sp800-53a
                       prose: 'providers of external system services employ {{ insert: param, sa-09_odp.01 }};'
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.a'
+                      rel: assessment-for
                 - id: sa-9_obj.b
                   name: assessment-objective
                   props:
@@ -20683,6 +23511,9 @@ catalog:
                           value: SA-09b.[01]
                           class: sp800-53a
                       prose: organizational oversight with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
                     - id: sa-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -20690,6 +23521,12 @@ catalog:
                           value: SA-09b.[02]
                           class: sp800-53a
                       prose: user roles and responsibilities with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.b'
+                      rel: assessment-for
                 - id: sa-9_obj.c
                   name: assessment-objective
                   props:
@@ -20697,6 +23534,12 @@ catalog:
                       value: SA-09c.
                       class: sp800-53a
                   prose: ' {{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.'
+                  links:
+                    - href: '#sa-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-9_smt'
+                  rel: assessment-for
             - id: sa-9_asm-examine
               name: assessment-method
               props:
@@ -20924,6 +23767,9 @@ catalog:
                           value: SA-11a.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -20931,6 +23777,9 @@ catalog:
                           value: SA-11a.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -20938,6 +23787,9 @@ catalog:
                           value: SA-11a.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -20945,6 +23797,12 @@ catalog:
                           value: SA-11a.[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.a'
+                      rel: assessment-for
                 - id: sa-11_obj.b
                   name: assessment-objective
                   props:
@@ -20952,6 +23810,9 @@ catalog:
                       value: SA-11b.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};'
+                  links:
+                    - href: '#sa-11_smt.b'
+                      rel: assessment-for
                 - id: sa-11_obj.c
                   name: assessment-objective
                   props:
@@ -20966,6 +23827,9 @@ catalog:
                           value: SA-11c.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
                     - id: sa-11_obj.c-2
                       name: assessment-objective
                       props:
@@ -20973,6 +23837,12 @@ catalog:
                           value: SA-11c.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.c'
+                      rel: assessment-for
                 - id: sa-11_obj.d
                   name: assessment-objective
                   props:
@@ -20980,6 +23850,9 @@ catalog:
                       value: SA-11d.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
+                  links:
+                    - href: '#sa-11_smt.d'
+                      rel: assessment-for
                 - id: sa-11_obj.e
                   name: assessment-objective
                   props:
@@ -20987,6 +23860,12 @@ catalog:
                       value: SA-11e.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
+                  links:
+                    - href: '#sa-11_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-11_smt'
+                  rel: assessment-for
             - id: sa-11_asm-examine
               name: assessment-method
               props:
@@ -21207,6 +24086,9 @@ catalog:
                           value: SC-07a.[01]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -21214,6 +24096,9 @@ catalog:
                           value: SC-07a.[02]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -21221,6 +24106,9 @@ catalog:
                           value: SC-07a.[03]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-4
                       name: assessment-objective
                       props:
@@ -21228,6 +24116,12 @@ catalog:
                           value: SC-07a.[04]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7_smt.a'
+                      rel: assessment-for
                 - id: sc-7_obj.b
                   name: assessment-objective
                   props:
@@ -21235,6 +24129,9 @@ catalog:
                       value: SC-07b.
                       class: sp800-53a
                   prose: 'subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;'
+                  links:
+                    - href: '#sc-7_smt.b'
+                      rel: assessment-for
                 - id: sc-7_obj.c
                   name: assessment-objective
                   props:
@@ -21242,6 +24139,12 @@ catalog:
                       value: SC-07c.
                       class: sp800-53a
                   prose: external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+                  links:
+                    - href: '#sc-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-7_smt'
+                  rel: assessment-for
             - id: sc-7_asm-examine
               name: assessment-method
               props:
@@ -21386,6 +24289,9 @@ catalog:
                           value: SC-07(24)(a)
                           class: sp800-53a
                       prose: ' {{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;'
+                      links:
+                        - href: '#sc-7.24_smt.a'
+                          rel: assessment-for
                     - id: sc-7.24_obj.b
                       name: assessment-objective
                       props:
@@ -21400,6 +24306,9 @@ catalog:
                               value: SC-07(24)(b)[01]
                               class: sp800-53a
                           prose: permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;
+                          links:
+                            - href: '#sc-7.24_smt.b'
+                              rel: assessment-for
                         - id: sc-7.24_obj.b-2
                           name: assessment-objective
                           props:
@@ -21407,6 +24316,12 @@ catalog:
                               value: SC-07(24)(b)[02]
                               class: sp800-53a
                           prose: permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;
+                          links:
+                            - href: '#sc-7.24_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.24_smt.b'
+                          rel: assessment-for
                     - id: sc-7.24_obj.c
                       name: assessment-objective
                       props:
@@ -21414,6 +24329,9 @@ catalog:
                           value: SC-07(24)(c)
                           class: sp800-53a
                       prose: each processing exception is documented for systems that process personally identifiable information;
+                      links:
+                        - href: '#sc-7.24_smt.c'
+                          rel: assessment-for
                     - id: sc-7.24_obj.d
                       name: assessment-objective
                       props:
@@ -21428,6 +24346,9 @@ catalog:
                               value: SC-07(24)(d)[01]
                               class: sp800-53a
                           prose: exceptions for systems that process personally identifiable information are reviewed;
+                          links:
+                            - href: '#sc-7.24_smt.d'
+                              rel: assessment-for
                         - id: sc-7.24_obj.d-2
                           name: assessment-objective
                           props:
@@ -21435,6 +24356,15 @@ catalog:
                               value: SC-07(24)(d)[02]
                               class: sp800-53a
                           prose: exceptions for systems that process personally identifiable information that are no longer supported are removed.
+                          links:
+                            - href: '#sc-7.24_smt.d'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.24_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.24_smt'
+                      rel: assessment-for
                 - id: sc-7.24_asm-examine
                   name: assessment-method
                   props:
@@ -21713,6 +24643,9 @@ catalog:
                           value: SI-01a.[01]
                           class: sp800-53a
                       prose: a system and information integrity policy is developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -21720,6 +24653,9 @@ catalog:
                           value: SI-01a.[02]
                           class: sp800-53a
                       prose: 'the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -21727,6 +24663,9 @@ catalog:
                           value: SI-01a.[03]
                           class: sp800-53a
                       prose: system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -21734,6 +24673,9 @@ catalog:
                           value: SI-01a.[04]
                           class: sp800-53a
                       prose: 'the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -21755,6 +24697,9 @@ catalog:
                                   value: SI-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -21762,6 +24707,9 @@ catalog:
                                   value: SI-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -21769,6 +24717,9 @@ catalog:
                                   value: SI-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -21776,6 +24727,9 @@ catalog:
                                   value: SI-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -21783,6 +24737,9 @@ catalog:
                                   value: SI-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -21790,6 +24747,9 @@ catalog:
                                   value: SI-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -21797,6 +24757,12 @@ catalog:
                                   value: SI-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#si-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: si-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -21804,6 +24770,15 @@ catalog:
                               value: SI-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#si-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.a'
+                      rel: assessment-for
                 - id: si-1_obj.b
                   name: assessment-objective
                   props:
@@ -21811,6 +24786,9 @@ catalog:
                       value: SI-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;'
+                  links:
+                    - href: '#si-1_smt.b'
+                      rel: assessment-for
                 - id: si-1_obj.c
                   name: assessment-objective
                   props:
@@ -21832,6 +24810,9 @@ catalog:
                               value: SI-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
                         - id: si-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -21839,6 +24820,12 @@ catalog:
                               value: SI-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.1'
+                          rel: assessment-for
                     - id: si-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -21853,6 +24840,9 @@ catalog:
                               value: SI-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
                         - id: si-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -21860,6 +24850,18 @@ catalog:
                               value: SI-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#si-1_smt'
+                  rel: assessment-for
             - id: si-1_asm-examine
               name: assessment-method
               props:
@@ -21998,6 +25000,9 @@ catalog:
                       value: SI-12[01]
                       class: sp800-53a
                   prose: information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-2
                   name: assessment-objective
                   props:
@@ -22005,6 +25010,9 @@ catalog:
                       value: SI-12[02]
                       class: sp800-53a
                   prose: information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-3
                   name: assessment-objective
                   props:
@@ -22012,6 +25020,9 @@ catalog:
                       value: SI-12[03]
                       class: sp800-53a
                   prose: information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-4
                   name: assessment-objective
                   props:
@@ -22019,6 +25030,12 @@ catalog:
                       value: SI-12[04]
                       class: sp800-53a
                   prose: information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-12_smt'
+                  rel: assessment-for
             - id: si-12_asm-examine
               name: assessment-method
               props:
@@ -22139,6 +25156,9 @@ catalog:
                       value: SI-12(01)
                       class: sp800-53a
                   prose: 'personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.'
+                  links:
+                    - href: '#si-12.1_smt'
+                      rel: assessment-for
                 - id: si-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -22297,6 +25317,9 @@ catalog:
                           value: SI-12(02)[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
                     - id: si-12.2_obj-2
                       name: assessment-objective
                       props:
@@ -22304,6 +25327,9 @@ catalog:
                           value: SI-12(02)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
                     - id: si-12.2_obj-3
                       name: assessment-objective
                       props:
@@ -22311,6 +25337,12 @@ catalog:
                           value: SI-12(02)[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-12.2_smt'
+                      rel: assessment-for
                 - id: si-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -22461,6 +25493,9 @@ catalog:
                           value: SI-12(03)[01]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
                     - id: si-12.3_obj-2
                       name: assessment-objective
                       props:
@@ -22468,6 +25503,9 @@ catalog:
                           value: SI-12(03)[02]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
                     - id: si-12.3_obj-3
                       name: assessment-objective
                       props:
@@ -22475,6 +25513,12 @@ catalog:
                           value: SI-12(03)[03]
                           class: sp800-53a
                       prose: ' {{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-12.3_smt'
+                      rel: assessment-for
                 - id: si-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -22672,6 +25716,9 @@ catalog:
                           value: SI-18a.[01]
                           class: sp800-53a
                       prose: 'the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -22679,6 +25726,9 @@ catalog:
                           value: SI-18a.[02]
                           class: sp800-53a
                       prose: 'the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -22686,6 +25736,9 @@ catalog:
                           value: SI-18a.[03]
                           class: sp800-53a
                       prose: 'the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-4
                       name: assessment-objective
                       props:
@@ -22693,6 +25746,12 @@ catalog:
                           value: SI-18a.[04]
                           class: sp800-53a
                       prose: 'the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-18_smt.a'
+                      rel: assessment-for
                 - id: si-18_obj.b
                   name: assessment-objective
                   props:
@@ -22700,6 +25759,12 @@ catalog:
                       value: SI-18b.
                       class: sp800-53a
                   prose: inaccurate or outdated personally identifiable information is corrected or deleted.
+                  links:
+                    - href: '#si-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-18_smt'
+                  rel: assessment-for
             - id: si-18_asm-examine
               name: assessment-method
               props:
@@ -22804,6 +25869,9 @@ catalog:
                       value: SI-18(04)
                       class: sp800-53a
                   prose: personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.
+                  links:
+                    - href: '#si-18.4_smt'
+                      rel: assessment-for
                 - id: si-18.4_asm-examine
                   name: assessment-method
                   props:
@@ -22960,6 +26028,9 @@ catalog:
                       value: SI-19a.
                       class: sp800-53a
                   prose: ' {{ insert: param, si-19_odp.01 }} are removed from datasets;'
+                  links:
+                    - href: '#si-19_smt.a'
+                      rel: assessment-for
                 - id: si-19_obj.b
                   name: assessment-objective
                   props:
@@ -22967,6 +26038,12 @@ catalog:
                       value: SI-19b.
                       class: sp800-53a
                   prose: 'the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.'
+                  links:
+                    - href: '#si-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-19_smt'
+                  rel: assessment-for
             - id: si-19_asm-examine
               name: assessment-method
               props:
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.yaml
index 4a05fd9d..8cce5b1b 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_PRIVACY-baseline_profile.yaml
@@ -1,9 +1,9 @@
 profile:
-  uuid: 66b95dd9-650d-456f-b143-19ae7bb36944
+  uuid: c8485895-a2f7-46f1-843a-380668cd6fe8
   metadata:
-    title: NIST Special Publication 800-53 Revision 5 PRIVACY BASELINE
-    last-modified: "2023-10-12T00:00:00.000000-04:00"
-    version: Final
+    title: NIST Special Publication 800-53 Revision 5.1.1 PRIVACY BASELINE
+    last-modified: "2023-12-04T14:55:00.000000-04:00"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
     roles:
       - id: creator
diff --git a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml
index c9693153..d26dc942 100644
--- a/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml
+++ b/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_catalog.yaml
@@ -1,10 +1,27 @@
 catalog:
-  uuid: 0e9e8558-4d93-4a7f-8c87-34d4d4f9e7bd
+  uuid: 1f2fcda3-408f-422c-aecd-b1717c3f7843
   metadata:
-    title: Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures
-    last-modified: "2023-10-12T00:00:00.000000-04:00"
-    version: 5.1.1
+    title: Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures
+    last-modified: "2023-12-04T13:16:10.000000-04:00"
+    version: 5.1.1+u2
     oscal-version: 1.1.1
+    revisions:
+      - title: Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures
+        last-modified: "2023-10-12T00:00:00.000000-04:00"
+        version: 5.1.1
+        oscal-version: 1.1.1
+        links:
+          - href: '#5a5ffcb9-2272-484e-8d47-4483a0585dec'
+            rel: version-history
+        remarks: This revison of the SP 800-53 Revision 5 Catalog includes metadata and tagging reflecting richer control semantics, such as organizational vs system-level controls as indicated in SP800-53 Rev 5.1 Appendix C, and minor bug fixes in its content.
+      - title: Electronic Version of NIST SP 800-53 Rev 5.1.1 Controls and SP 800-53A Rev 5.1.1 Assessment Procedures
+        last-modified: "2023-11-14T00:00:00.000000-04:00"
+        version: 5.1.1+u1
+        oscal-version: 1.1.1
+        links:
+          - href: '#5a5ffcb9-2272-484e-8d47-4483a0585dec'
+            rel: version-history
+        remarks: This revision of the SP 800-53 Revision 5 Catalog is the finalized changes to NIST SP 800-53 Revision 5.1.1 on November, 7, 2023.
     props:
       - name: keywords
         value: Assessment, assessment plan, assurance, availability, computer security, confidentiality, control, control assessment, cybersecurity, FISMA, information security, information system, integrity, personally identifiable information, OSCAL, Open Security Controls Assessment Language, Privacy Act, privacy controls, privacy functions, privacy requirements, Risk Management Framework, security controls, security functions, security requirements, system, system security
@@ -259,6 +276,9 @@ catalog:
                           value: AC-01a.[01]
                           class: sp800-53a
                       prose: an access control policy is developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -266,6 +286,9 @@ catalog:
                           value: AC-01a.[02]
                           class: sp800-53a
                       prose: 'the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -273,6 +296,9 @@ catalog:
                           value: AC-01a.[03]
                           class: sp800-53a
                       prose: access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -280,6 +306,9 @@ catalog:
                           value: AC-01a.[04]
                           class: sp800-53a
                       prose: 'the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};'
+                      links:
+                        - href: '#ac-1_smt.a'
+                          rel: assessment-for
                     - id: ac-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -301,6 +330,9 @@ catalog:
                                   value: AC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -308,6 +340,9 @@ catalog:
                                   value: AC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -315,6 +350,9 @@ catalog:
                                   value: AC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -322,6 +360,9 @@ catalog:
                                   value: AC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -329,6 +370,9 @@ catalog:
                                   value: AC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -336,6 +380,9 @@ catalog:
                                   value: AC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ac-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -343,6 +390,12 @@ catalog:
                                   value: AC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;'
+                              links:
+                                - href: '#ac-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ac-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -350,6 +403,15 @@ catalog:
                               value: AC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ac-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.a'
+                      rel: assessment-for
                 - id: ac-1_obj.b
                   name: assessment-objective
                   props:
@@ -357,6 +419,9 @@ catalog:
                       value: AC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;'
+                  links:
+                    - href: '#ac-1_smt.b'
+                      rel: assessment-for
                 - id: ac-1_obj.c
                   name: assessment-objective
                   props:
@@ -378,6 +443,9 @@ catalog:
                               value: AC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
                         - id: ac-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -385,6 +453,12 @@ catalog:
                               value: AC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};'
+                          links:
+                            - href: '#ac-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.1'
+                          rel: assessment-for
                     - id: ac-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -399,6 +473,9 @@ catalog:
                               value: AC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
                         - id: ac-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -406,6 +483,18 @@ catalog:
                               value: AC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.'
+                          links:
+                            - href: '#ac-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-1_smt'
+                  rel: assessment-for
             - id: ac-1_asm-examine
               name: assessment-method
               props:
@@ -780,6 +869,9 @@ catalog:
                           value: AC-02a.[01]
                           class: sp800-53a
                       prose: account types allowed for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
                     - id: ac-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -787,6 +879,12 @@ catalog:
                           value: AC-02a.[02]
                           class: sp800-53a
                       prose: account types specifically prohibited for use within the system are defined and documented;
+                      links:
+                        - href: '#ac-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.a'
+                      rel: assessment-for
                 - id: ac-2_obj.b
                   name: assessment-objective
                   props:
@@ -794,6 +892,9 @@ catalog:
                       value: AC-02b.
                       class: sp800-53a
                   prose: account managers are assigned;
+                  links:
+                    - href: '#ac-2_smt.b'
+                      rel: assessment-for
                 - id: ac-2_obj.c
                   name: assessment-objective
                   props:
@@ -801,6 +902,9 @@ catalog:
                       value: AC-02c.
                       class: sp800-53a
                   prose: '{{ insert: param, ac-02_odp.01 }} for group and role membership are required;'
+                  links:
+                    - href: '#ac-2_smt.c'
+                      rel: assessment-for
                 - id: ac-2_obj.d
                   name: assessment-objective
                   props:
@@ -815,6 +919,9 @@ catalog:
                           value: AC-02d.01
                           class: sp800-53a
                       prose: authorized users of the system are specified;
+                      links:
+                        - href: '#ac-2_smt.d.1'
+                          rel: assessment-for
                     - id: ac-2_obj.d.2
                       name: assessment-objective
                       props:
@@ -822,6 +929,9 @@ catalog:
                           value: AC-02d.02
                           class: sp800-53a
                       prose: group and role membership are specified;
+                      links:
+                        - href: '#ac-2_smt.d.2'
+                          rel: assessment-for
                     - id: ac-2_obj.d.3
                       name: assessment-objective
                       props:
@@ -836,6 +946,9 @@ catalog:
                               value: AC-02d.03[01]
                               class: sp800-53a
                           prose: access authorizations (i.e., privileges) are specified for each account;
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
                         - id: ac-2_obj.d.3-2
                           name: assessment-objective
                           props:
@@ -843,6 +956,15 @@ catalog:
                               value: AC-02d.03[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-02_odp.02 }} are specified for each account;'
+                          links:
+                            - href: '#ac-2_smt.d.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-2_smt.d.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.d'
+                      rel: assessment-for
                 - id: ac-2_obj.e
                   name: assessment-objective
                   props:
@@ -850,6 +972,9 @@ catalog:
                       value: AC-02e.
                       class: sp800-53a
                   prose: 'approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;'
+                  links:
+                    - href: '#ac-2_smt.e'
+                      rel: assessment-for
                 - id: ac-2_obj.f
                   name: assessment-objective
                   props:
@@ -864,6 +989,9 @@ catalog:
                           value: AC-02f.[01]
                           class: sp800-53a
                       prose: 'accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -871,6 +999,9 @@ catalog:
                           value: AC-02f.[02]
                           class: sp800-53a
                       prose: 'accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-3
                       name: assessment-objective
                       props:
@@ -878,6 +1009,9 @@ catalog:
                           value: AC-02f.[03]
                           class: sp800-53a
                       prose: 'accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-4
                       name: assessment-objective
                       props:
@@ -885,6 +1019,9 @@ catalog:
                           value: AC-02f.[04]
                           class: sp800-53a
                       prose: 'accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
                     - id: ac-2_obj.f-5
                       name: assessment-objective
                       props:
@@ -892,6 +1029,12 @@ catalog:
                           value: AC-02f.[05]
                           class: sp800-53a
                       prose: 'accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};'
+                      links:
+                        - href: '#ac-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.f'
+                      rel: assessment-for
                 - id: ac-2_obj.g
                   name: assessment-objective
                   props:
@@ -899,6 +1042,9 @@ catalog:
                       value: AC-02g.
                       class: sp800-53a
                   prose: 'the use of accounts is monitored; '
+                  links:
+                    - href: '#ac-2_smt.g'
+                      rel: assessment-for
                 - id: ac-2_obj.h
                   name: assessment-objective
                   props:
@@ -913,6 +1059,9 @@ catalog:
                           value: AC-02h.01
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;'
+                      links:
+                        - href: '#ac-2_smt.h.1'
+                          rel: assessment-for
                     - id: ac-2_obj.h.2
                       name: assessment-objective
                       props:
@@ -920,6 +1069,9 @@ catalog:
                           value: AC-02h.02
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;'
+                      links:
+                        - href: '#ac-2_smt.h.2'
+                          rel: assessment-for
                     - id: ac-2_obj.h.3
                       name: assessment-objective
                       props:
@@ -927,6 +1079,12 @@ catalog:
                           value: AC-02h.03
                           class: sp800-53a
                       prose: 'account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;'
+                      links:
+                        - href: '#ac-2_smt.h.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.h'
+                      rel: assessment-for
                 - id: ac-2_obj.i
                   name: assessment-objective
                   props:
@@ -941,6 +1099,9 @@ catalog:
                           value: AC-02i.01
                           class: sp800-53a
                       prose: access to the system is authorized based on a valid access authorization;
+                      links:
+                        - href: '#ac-2_smt.i.1'
+                          rel: assessment-for
                     - id: ac-2_obj.i.2
                       name: assessment-objective
                       props:
@@ -948,6 +1109,9 @@ catalog:
                           value: AC-02i.02
                           class: sp800-53a
                       prose: access to the system is authorized based on intended system usage;
+                      links:
+                        - href: '#ac-2_smt.i.2'
+                          rel: assessment-for
                     - id: ac-2_obj.i.3
                       name: assessment-objective
                       props:
@@ -955,6 +1119,12 @@ catalog:
                           value: AC-02i.03
                           class: sp800-53a
                       prose: 'access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};'
+                      links:
+                        - href: '#ac-2_smt.i.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.i'
+                      rel: assessment-for
                 - id: ac-2_obj.j
                   name: assessment-objective
                   props:
@@ -962,6 +1132,9 @@ catalog:
                       value: AC-02j.
                       class: sp800-53a
                   prose: 'accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};'
+                  links:
+                    - href: '#ac-2_smt.j'
+                      rel: assessment-for
                 - id: ac-2_obj.k
                   name: assessment-objective
                   props:
@@ -976,6 +1149,9 @@ catalog:
                           value: AC-02k.[01]
                           class: sp800-53a
                       prose: a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
                     - id: ac-2_obj.k-2
                       name: assessment-objective
                       props:
@@ -983,6 +1159,12 @@ catalog:
                           value: AC-02k.[02]
                           class: sp800-53a
                       prose: a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+                      links:
+                        - href: '#ac-2_smt.k'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.k'
+                      rel: assessment-for
                 - id: ac-2_obj.l
                   name: assessment-objective
                   props:
@@ -997,6 +1179,9 @@ catalog:
                           value: AC-02l.[01]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel termination processes;
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
                     - id: ac-2_obj.l-2
                       name: assessment-objective
                       props:
@@ -1004,6 +1189,15 @@ catalog:
                           value: AC-02l.[02]
                           class: sp800-53a
                       prose: account management processes are aligned with personnel transfer processes.
+                      links:
+                        - href: '#ac-2_smt.l'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2_smt.l'
+                      rel: assessment-for
+              links:
+                - href: '#ac-2_smt'
+                  rel: assessment-for
             - id: ac-2_asm-examine
               name: assessment-method
               props:
@@ -1124,6 +1318,9 @@ catalog:
                       value: AC-02(01)
                       class: sp800-53a
                   prose: 'the management of system accounts is supported using {{ insert: param, ac-02.01_odp }}.'
+                  links:
+                    - href: '#ac-2.1_smt'
+                      rel: assessment-for
                 - id: ac-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -1236,6 +1433,9 @@ catalog:
                       value: AC-02(02)
                       class: sp800-53a
                   prose: 'temporary and emergency accounts are automatically {{ insert: param, ac-02.02_odp.01 }} after {{ insert: param, ac-02.02_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.2_smt'
+                      rel: assessment-for
                 - id: ac-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -1380,6 +1580,9 @@ catalog:
                           value: AC-02(03)(a)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have expired;'
+                      links:
+                        - href: '#ac-2.3_smt.a'
+                          rel: assessment-for
                     - id: ac-2.3_obj.b
                       name: assessment-objective
                       props:
@@ -1387,6 +1590,9 @@ catalog:
                           value: AC-02(03)(b)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are no longer associated with a user or individual;'
+                      links:
+                        - href: '#ac-2.3_smt.b'
+                          rel: assessment-for
                     - id: ac-2.3_obj.c
                       name: assessment-objective
                       props:
@@ -1394,6 +1600,9 @@ catalog:
                           value: AC-02(03)(c)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts are in violation of organizational policy;'
+                      links:
+                        - href: '#ac-2.3_smt.c'
+                          rel: assessment-for
                     - id: ac-2.3_obj.d
                       name: assessment-objective
                       props:
@@ -1401,6 +1610,12 @@ catalog:
                           value: AC-02(03)(d)
                           class: sp800-53a
                       prose: 'accounts are disabled within {{ insert: param, ac-02.03_odp.01 }} when the accounts have been inactive for {{ insert: param, ac-02.03_odp.02 }}.'
+                      links:
+                        - href: '#ac-2.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.3_smt'
+                      rel: assessment-for
                 - id: ac-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -1505,6 +1720,9 @@ catalog:
                           value: AC-02(04)[01]
                           class: sp800-53a
                       prose: account creation is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-2
                       name: assessment-objective
                       props:
@@ -1512,6 +1730,9 @@ catalog:
                           value: AC-02(04)[02]
                           class: sp800-53a
                       prose: account modification is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-3
                       name: assessment-objective
                       props:
@@ -1519,6 +1740,9 @@ catalog:
                           value: AC-02(04)[03]
                           class: sp800-53a
                       prose: account enabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-4
                       name: assessment-objective
                       props:
@@ -1526,6 +1750,9 @@ catalog:
                           value: AC-02(04)[04]
                           class: sp800-53a
                       prose: account disabling is automatically audited;
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
                     - id: ac-2.4_obj-5
                       name: assessment-objective
                       props:
@@ -1533,6 +1760,12 @@ catalog:
                           value: AC-02(04)[05]
                           class: sp800-53a
                       prose: account removal actions are automatically audited.
+                      links:
+                        - href: '#ac-2.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.4_smt'
+                      rel: assessment-for
                 - id: ac-2.4_asm-examine
                   name: assessment-method
                   props:
@@ -1636,6 +1869,9 @@ catalog:
                       value: AC-02(05)
                       class: sp800-53a
                   prose: 'users are required to log out when {{ insert: param, ac-02.05_odp }}.'
+                  links:
+                    - href: '#ac-2.5_smt'
+                      rel: assessment-for
                 - id: ac-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -1726,6 +1962,9 @@ catalog:
                       value: AC-02(06)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-02.06_odp }} are implemented.'
+                  links:
+                    - href: '#ac-2.6_smt'
+                      rel: assessment-for
                 - id: ac-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -1858,6 +2097,9 @@ catalog:
                           value: AC-02(07)(a)
                           class: sp800-53a
                       prose: 'privileged user accounts are established and administered in accordance with {{ insert: param, ac-02.07_odp }};'
+                      links:
+                        - href: '#ac-2.7_smt.a'
+                          rel: assessment-for
                     - id: ac-2.7_obj.b
                       name: assessment-objective
                       props:
@@ -1865,6 +2107,9 @@ catalog:
                           value: AC-02(07)(b)
                           class: sp800-53a
                       prose: privileged role or attribute assignments are monitored;
+                      links:
+                        - href: '#ac-2.7_smt.b'
+                          rel: assessment-for
                     - id: ac-2.7_obj.c
                       name: assessment-objective
                       props:
@@ -1872,6 +2117,9 @@ catalog:
                           value: AC-02(07)(c)
                           class: sp800-53a
                       prose: changes to roles or attributes are monitored;
+                      links:
+                        - href: '#ac-2.7_smt.c'
+                          rel: assessment-for
                     - id: ac-2.7_obj.d
                       name: assessment-objective
                       props:
@@ -1879,6 +2127,12 @@ catalog:
                           value: AC-02(07)(d)
                           class: sp800-53a
                       prose: access is revoked when privileged role or attribute assignments are no longer appropriate.
+                      links:
+                        - href: '#ac-2.7_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.7_smt'
+                      rel: assessment-for
                 - id: ac-2.7_asm-examine
                   name: assessment-method
                   props:
@@ -1995,6 +2249,9 @@ catalog:
                           value: AC-02(08)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-02.08_odp }} are created dynamically;'
+                      links:
+                        - href: '#ac-2.8_smt'
+                          rel: assessment-for
                     - id: ac-2.8_obj-2
                       name: assessment-objective
                       props:
@@ -2002,6 +2259,9 @@ catalog:
                           value: AC-02(08)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-02.08_odp }} are activated dynamically;'
+                      links:
+                        - href: '#ac-2.8_smt'
+                          rel: assessment-for
                     - id: ac-2.8_obj-3
                       name: assessment-objective
                       props:
@@ -2009,6 +2269,9 @@ catalog:
                           value: AC-02(08)[03]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-02.08_odp }} are managed dynamically;'
+                      links:
+                        - href: '#ac-2.8_smt'
+                          rel: assessment-for
                     - id: ac-2.8_obj-4
                       name: assessment-objective
                       props:
@@ -2016,6 +2279,12 @@ catalog:
                           value: AC-02(08)[04]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-02.08_odp }} are deactivated dynamically.'
+                      links:
+                        - href: '#ac-2.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.8_smt'
+                      rel: assessment-for
                 - id: ac-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -2119,6 +2388,9 @@ catalog:
                       value: AC-02(09)
                       class: sp800-53a
                   prose: 'the use of shared and group accounts is only permitted if {{ insert: param, ac-02.09_odp }} are met.'
+                  links:
+                    - href: '#ac-2.9_smt'
+                      rel: assessment-for
                 - id: ac-2.9_asm-examine
                   name: assessment-method
                   props:
@@ -2243,6 +2515,9 @@ catalog:
                       value: AC-02(11)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-02.11_odp.01 }} for {{ insert: param, ac-02.11_odp.02 }} are enforced.'
+                  links:
+                    - href: '#ac-2.11_smt'
+                      rel: assessment-for
                 - id: ac-2.11_asm-examine
                   name: assessment-method
                   props:
@@ -2385,6 +2660,9 @@ catalog:
                           value: AC-02(12)(a)
                           class: sp800-53a
                       prose: 'system accounts are monitored for {{ insert: param, ac-02.12_odp.01 }}; '
+                      links:
+                        - href: '#ac-2.12_smt.a'
+                          rel: assessment-for
                     - id: ac-2.12_obj.b
                       name: assessment-objective
                       props:
@@ -2392,6 +2670,12 @@ catalog:
                           value: AC-02(12)(b)
                           class: sp800-53a
                       prose: 'atypical usage of system accounts is reported to {{ insert: param, ac-02.12_odp.02 }}.'
+                      links:
+                        - href: '#ac-2.12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-2.12_smt'
+                      rel: assessment-for
                 - id: ac-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -2510,6 +2794,9 @@ catalog:
                       value: AC-02(13)
                       class: sp800-53a
                   prose: 'accounts of individuals are disabled within {{ insert: param, ac-02.13_odp.01 }} of discovery of {{ insert: param, ac-02.13_odp.02 }}.'
+                  links:
+                    - href: '#ac-2.13_smt'
+                      rel: assessment-for
                 - id: ac-2.13_asm-examine
                   name: assessment-method
                   props:
@@ -2647,6 +2934,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-3'
               rel: related
             - href: '#ma-4'
@@ -2699,6 +2988,9 @@ catalog:
                   value: AC-03
                   class: sp800-53a
               prose: approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.
+              links:
+                - href: '#ac-3_smt'
+                  rel: assessment-for
             - id: ac-3_asm-examine
               name: assessment-method
               props:
@@ -2825,6 +3117,9 @@ catalog:
                       value: AC-03(02)
                       class: sp800-53a
                   prose: 'dual authorization is enforced for {{ insert: param, ac-03.02_odp }}.'
+                  links:
+                    - href: '#ac-3.2_smt'
+                      rel: assessment-for
                 - id: ac-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -3024,6 +3319,9 @@ catalog:
                           value: AC-03(03)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.03_odp.01 }} is enforced over the set of covered subjects specified in the policy;'
+                      links:
+                        - href: '#ac-3.3_smt'
+                          rel: assessment-for
                     - id: ac-3.3_obj-2
                       name: assessment-objective
                       props:
@@ -3031,6 +3329,9 @@ catalog:
                           value: AC-03(03)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.03_odp.02 }} is enforced over the set of covered objects specified in the policy;'
+                      links:
+                        - href: '#ac-3.3_smt'
+                          rel: assessment-for
                     - id: ac-3.3_obj.a
                       name: assessment-objective
                       props:
@@ -3045,6 +3346,9 @@ catalog:
                               value: AC-03(03)(a)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} is uniformly enforced across the covered subjects within the system;'
+                          links:
+                            - href: '#ac-3.3_smt.a'
+                              rel: assessment-for
                         - id: ac-3.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -3052,6 +3356,12 @@ catalog:
                               value: AC-03(03)(a)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.02 }} is uniformly enforced across the covered objects within the system;'
+                          links:
+                            - href: '#ac-3.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-3.3_smt.a'
+                          rel: assessment-for
                     - id: ac-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -3066,6 +3376,9 @@ catalog:
                               value: AC-03(03)(b)(01)
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;'
+                          links:
+                            - href: '#ac-3.3_smt.b.1'
+                              rel: assessment-for
                         - id: ac-3.3_obj.b.2
                           name: assessment-objective
                           props:
@@ -3073,6 +3386,9 @@ catalog:
                               value: AC-03(03)(b)(02)
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;'
+                          links:
+                            - href: '#ac-3.3_smt.b.2'
+                              rel: assessment-for
                         - id: ac-3.3_obj.b.3
                           name: assessment-objective
                           props:
@@ -3080,6 +3396,9 @@ catalog:
                               value: AC-03(03)(b)(03)
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;'
+                          links:
+                            - href: '#ac-3.3_smt.b.3'
+                              rel: assessment-for
                         - id: ac-3.3_obj.b.4
                           name: assessment-objective
                           props:
@@ -3087,6 +3406,9 @@ catalog:
                               value: AC-03(03)(b)(04)
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;'
+                          links:
+                            - href: '#ac-3.3_smt.b.4'
+                              rel: assessment-for
                         - id: ac-3.3_obj.b.5
                           name: assessment-objective
                           props:
@@ -3094,6 +3416,12 @@ catalog:
                               value: AC-03(03)(b)(05)
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;'
+                          links:
+                            - href: '#ac-3.3_smt.b.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-3.3_smt.b'
+                          rel: assessment-for
                     - id: ac-3.3_obj.c
                       name: assessment-objective
                       props:
@@ -3101,6 +3429,12 @@ catalog:
                           value: AC-03(03)(c)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.03_odp.01 }} and {{ insert: param, ac-03.03_odp.02 }} specifying that {{ insert: param, ac-03.03_odp.03 }} may explicitly be granted {{ insert: param, ac-03.03_odp.04 }} such that they are not limited by any defined subset (or all) of the above constraints are enforced.'
+                      links:
+                        - href: '#ac-3.3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.3_smt'
+                      rel: assessment-for
                 - id: ac-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -3256,6 +3590,9 @@ catalog:
                           value: AC-03(04)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} is enforced over the set of covered subjects specified in the policy;'
+                      links:
+                        - href: '#ac-3.4_smt'
+                          rel: assessment-for
                     - id: ac-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -3263,6 +3600,9 @@ catalog:
                           value: AC-03(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.02 }} is enforced over the set of covered objects specified in the policy;'
+                      links:
+                        - href: '#ac-3.4_smt'
+                          rel: assessment-for
                     - id: ac-3.4_obj.a
                       name: assessment-objective
                       props:
@@ -3270,6 +3610,9 @@ catalog:
                           value: AC-03(04)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;'
+                      links:
+                        - href: '#ac-3.4_smt.a'
+                          rel: assessment-for
                     - id: ac-3.4_obj.b
                       name: assessment-objective
                       props:
@@ -3277,6 +3620,9 @@ catalog:
                           value: AC-03(04)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;'
+                      links:
+                        - href: '#ac-3.4_smt.b'
+                          rel: assessment-for
                     - id: ac-3.4_obj.c
                       name: assessment-objective
                       props:
@@ -3284,6 +3630,9 @@ catalog:
                           value: AC-03(04)(c)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;'
+                      links:
+                        - href: '#ac-3.4_smt.c'
+                          rel: assessment-for
                     - id: ac-3.4_obj.d
                       name: assessment-objective
                       props:
@@ -3291,6 +3640,9 @@ catalog:
                           value: AC-03(04)(d)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;'
+                      links:
+                        - href: '#ac-3.4_smt.d'
+                          rel: assessment-for
                     - id: ac-3.4_obj.e
                       name: assessment-objective
                       props:
@@ -3298,6 +3650,12 @@ catalog:
                           value: AC-03(04)(e)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-03.04_odp.01 }} and {{ insert: param, ac-03.04_odp.02 }} are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.'
+                      links:
+                        - href: '#ac-3.4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.4_smt'
+                      rel: assessment-for
                 - id: ac-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -3404,6 +3762,9 @@ catalog:
                       value: AC-03(05)
                       class: sp800-53a
                   prose: 'access to {{ insert: param, ac-03.05_odp }} is prevented except during secure, non-operable system states.'
+                  links:
+                    - href: '#ac-3.5_smt'
+                      rel: assessment-for
                 - id: ac-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -3545,6 +3906,9 @@ catalog:
                           value: AC-03(07)[01]
                           class: sp800-53a
                       prose: a role-based access control policy is enforced over defined subjects;
+                      links:
+                        - href: '#ac-3.7_smt'
+                          rel: assessment-for
                     - id: ac-3.7_obj-2
                       name: assessment-objective
                       props:
@@ -3552,6 +3916,9 @@ catalog:
                           value: AC-03(07)[02]
                           class: sp800-53a
                       prose: a role-based access control policy is enforced over defined objects;
+                      links:
+                        - href: '#ac-3.7_smt'
+                          rel: assessment-for
                     - id: ac-3.7_obj-3
                       name: assessment-objective
                       props:
@@ -3559,6 +3926,12 @@ catalog:
                           value: AC-03(07)[03]
                           class: sp800-53a
                       prose: 'access is controlled based on {{ insert: param, ac-03.07_odp.01 }} and {{ insert: param, ac-03.07_odp.02 }}.'
+                      links:
+                        - href: '#ac-3.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.7_smt'
+                      rel: assessment-for
                 - id: ac-3.7_asm-examine
                   name: assessment-method
                   props:
@@ -3676,6 +4049,9 @@ catalog:
                           value: AC-03(08)[01]
                           class: sp800-53a
                       prose: 'revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on {{ insert: param, ac-03.08_odp }};'
+                      links:
+                        - href: '#ac-3.8_smt'
+                          rel: assessment-for
                     - id: ac-3.8_obj-2
                       name: assessment-objective
                       props:
@@ -3683,6 +4059,12 @@ catalog:
                           value: AC-03(08)[02]
                           class: sp800-53a
                       prose: 'revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on {{ insert: param, ac-03.08_odp }}.'
+                      links:
+                        - href: '#ac-3.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.8_smt'
+                      rel: assessment-for
                 - id: ac-3.8_asm-examine
                   name: assessment-method
                   props:
@@ -3837,6 +4219,9 @@ catalog:
                           value: AC-03(09)(a)
                           class: sp800-53a
                       prose: 'information is released outside of the system only if the receiving {{ insert: param, ac-03.09_odp.01 }} provides {{ insert: param, ac-03.09_odp.02 }};'
+                      links:
+                        - href: '#ac-3.9_smt.a'
+                          rel: assessment-for
                     - id: ac-3.9_obj.b
                       name: assessment-objective
                       props:
@@ -3844,6 +4229,12 @@ catalog:
                           value: AC-03(09)(b)
                           class: sp800-53a
                       prose: 'information is released outside of the system only if {{ insert: param, ac-03.09_odp.03 }} are used to validate the appropriateness of the information designated for release.'
+                      links:
+                        - href: '#ac-3.9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.9_smt'
+                      rel: assessment-for
                 - id: ac-3.9_asm-examine
                   name: assessment-method
                   props:
@@ -3980,6 +4371,9 @@ catalog:
                       value: AC-03(10)
                       class: sp800-53a
                   prose: 'an audited override of automated access control mechanisms is employed under {{ insert: param, ac-03.10_odp.01 }} by {{ insert: param, ac-03.10_odp.02 }}.'
+                  links:
+                    - href: '#ac-3.10_smt'
+                      rel: assessment-for
                 - id: ac-3.10_asm-examine
                   name: assessment-method
                   props:
@@ -4086,6 +4480,9 @@ catalog:
                       value: AC-03(11)
                       class: sp800-53a
                   prose: 'access to data repositories containing {{ insert: param, ac-03.11_odp }} is restricted.'
+                  links:
+                    - href: '#ac-3.11_smt'
+                      rel: assessment-for
                 - id: ac-3.11_asm-examine
                   name: assessment-method
                   props:
@@ -4211,6 +4608,9 @@ catalog:
                           value: AC-03(12)(a)
                           class: sp800-53a
                       prose: 'as part of the installation process, applications are required to assert the access needed to the following system applications and functions: {{ insert: param, ac-03.12_odp }};'
+                      links:
+                        - href: '#ac-3.12_smt.a'
+                          rel: assessment-for
                     - id: ac-3.12_obj.b
                       name: assessment-objective
                       props:
@@ -4218,6 +4618,9 @@ catalog:
                           value: AC-03(12)(b)
                           class: sp800-53a
                       prose: 'an enforcement mechanism to prevent unauthorized access is provided; '
+                      links:
+                        - href: '#ac-3.12_smt.b'
+                          rel: assessment-for
                     - id: ac-3.12_obj.c
                       name: assessment-objective
                       props:
@@ -4225,6 +4628,12 @@ catalog:
                           value: AC-03(12)(c)
                           class: sp800-53a
                       prose: access changes after initial installation of the application are approved.
+                      links:
+                        - href: '#ac-3.12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.12_smt'
+                      rel: assessment-for
                 - id: ac-3.12_asm-examine
                   name: assessment-method
                   props:
@@ -4331,6 +4740,9 @@ catalog:
                           value: AC-03(13)[01]
                           class: sp800-53a
                       prose: the attribute-based access control policy is enforced over defined subjects;
+                      links:
+                        - href: '#ac-3.13_smt'
+                          rel: assessment-for
                     - id: ac-3.13_obj-2
                       name: assessment-objective
                       props:
@@ -4338,6 +4750,9 @@ catalog:
                           value: AC-03(13)[02]
                           class: sp800-53a
                       prose: the attribute-based access control policy is enforced over defined objects;
+                      links:
+                        - href: '#ac-3.13_smt'
+                          rel: assessment-for
                     - id: ac-3.13_obj-3
                       name: assessment-objective
                       props:
@@ -4345,6 +4760,12 @@ catalog:
                           value: AC-03(13)[03]
                           class: sp800-53a
                       prose: 'access is controlled based on {{ insert: param, ac-03.13_odp }}.'
+                      links:
+                        - href: '#ac-3.13_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.13_smt'
+                      rel: assessment-for
                 - id: ac-3.13_asm-examine
                   name: assessment-method
                   props:
@@ -4463,6 +4884,9 @@ catalog:
                       value: AC-03(14)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-03.14_odp.01 }} are provided to enable individuals to have access to {{ insert: param, ac-03.14_odp.02 }} of their personally identifiable information.'
+                  links:
+                    - href: '#ac-3.14_smt'
+                      rel: assessment-for
                 - id: ac-3.14_asm-examine
                   name: assessment-method
                   props:
@@ -4646,6 +5070,9 @@ catalog:
                               value: AC-03(15)(a)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.15_odp.01 }} is enforced over the set of covered subjects specified in the policy;'
+                          links:
+                            - href: '#ac-3.15_smt.a'
+                              rel: assessment-for
                         - id: ac-3.15_obj.a-2
                           name: assessment-objective
                           props:
@@ -4653,6 +5080,12 @@ catalog:
                               value: AC-03(15)(a)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.15_odp.02 }} is enforced over the set of covered objects specified in the policy;'
+                          links:
+                            - href: '#ac-3.15_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-3.15_smt.a'
+                          rel: assessment-for
                     - id: ac-3.15_obj.b
                       name: assessment-objective
                       props:
@@ -4667,6 +5100,9 @@ catalog:
                               value: AC-03(15)(b)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.15_odp.03 }} is enforced over the set of covered subjects specified in the policy;'
+                          links:
+                            - href: '#ac-3.15_smt.b'
+                              rel: assessment-for
                         - id: ac-3.15_obj.b-2
                           name: assessment-objective
                           props:
@@ -4674,6 +5110,15 @@ catalog:
                               value: AC-03(15)(b)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ac-03.15_odp.04 }} is enforced over the set of covered objects specified in the policy.'
+                          links:
+                            - href: '#ac-3.15_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-3.15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-3.15_smt'
+                      rel: assessment-for
                 - id: ac-3.15_asm-examine
                   name: assessment-method
                   props:
@@ -4819,6 +5264,9 @@ catalog:
                   value: AC-04
                   class: sp800-53a
               prose: 'approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.'
+              links:
+                - href: '#ac-4_smt'
+                  rel: assessment-for
             - id: ac-4_asm-examine
               name: assessment-method
               props:
@@ -5031,6 +5479,9 @@ catalog:
                           value: AC-04(01)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-04.01_odp.01 }} associated with {{ insert: param, ac-04.01_odp.03 }}, {{ insert: param, ac-04.01_odp.05 }} , and {{ insert: param, ac-04.01_odp.07 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions;'
+                      links:
+                        - href: '#ac-4.1_smt'
+                          rel: assessment-for
                     - id: ac-4.1_obj-2
                       name: assessment-objective
                       props:
@@ -5038,6 +5489,12 @@ catalog:
                           value: AC-04(01)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-04.01_odp.02 }} associated with {{ insert: param, ac-04.01_odp.04 }}, {{ insert: param, ac-04.01_odp.06 }} , and {{ insert: param, ac-04.01_odp.08 }} are used to enforce {{ insert: param, ac-04.01_odp.09 }} as a basis for flow control decisions.'
+                      links:
+                        - href: '#ac-4.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.1_smt'
+                      rel: assessment-for
                 - id: ac-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -5144,6 +5601,9 @@ catalog:
                       value: AC-04(02)
                       class: sp800-53a
                   prose: 'protected processing domains are used to enforce {{ insert: param, ac-04.02_odp }} as a basis for flow control decisions.'
+                  links:
+                    - href: '#ac-4.2_smt'
+                      rel: assessment-for
                 - id: ac-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -5244,6 +5704,9 @@ catalog:
                       value: AC-04(03)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-04.03_odp }} are enforced.'
+                  links:
+                    - href: '#ac-4.3_smt'
+                      rel: assessment-for
                 - id: ac-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -5373,6 +5836,9 @@ catalog:
                       value: AC-04(04)
                       class: sp800-53a
                   prose: 'encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.'
+                  links:
+                    - href: '#ac-4.4_smt'
+                      rel: assessment-for
                 - id: ac-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -5471,6 +5937,9 @@ catalog:
                       value: AC-04(05)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-04.05_odp }} are enforced on embedding data types within other data types.'
+                  links:
+                    - href: '#ac-4.5_smt'
+                      rel: assessment-for
                 - id: ac-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -5573,6 +6042,9 @@ catalog:
                       value: AC-04(06)
                       class: sp800-53a
                   prose: 'information flow control enforcement is based on {{ insert: param, ac-04.06_odp }}.'
+                  links:
+                    - href: '#ac-4.6_smt'
+                      rel: assessment-for
                 - id: ac-4.6_asm-examine
                   name: assessment-method
                   props:
@@ -5662,6 +6134,9 @@ catalog:
                       value: AC-04(07)
                       class: sp800-53a
                   prose: one-way information flows are enforced through hardware-based flow control mechanisms.
+                  links:
+                    - href: '#ac-4.7_smt'
+                      rel: assessment-for
                 - id: ac-4.7_asm-examine
                   name: assessment-method
                   props:
@@ -5867,6 +6342,9 @@ catalog:
                               value: AC-04(08)(a)[01]
                               class: sp800-53a
                           prose: 'information flow control is enforced using {{ insert: param, ac-04.08_odp.01 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.03 }};'
+                          links:
+                            - href: '#ac-4.8_smt.a'
+                              rel: assessment-for
                         - id: ac-4.8_obj.a-2
                           name: assessment-objective
                           props:
@@ -5874,6 +6352,12 @@ catalog:
                               value: AC-04(08)(a)[02]
                               class: sp800-53a
                           prose: 'information flow control is enforced using {{ insert: param, ac-04.08_odp.02 }} as a basis for flow control decisions for {{ insert: param, ac-04.08_odp.04 }};'
+                          links:
+                            - href: '#ac-4.8_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-4.8_smt.a'
+                          rel: assessment-for
                     - id: ac-4.8_obj.b
                       name: assessment-objective
                       props:
@@ -5884,6 +6368,12 @@ catalog:
                         {{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.06 }};
 
                         {{ insert: param, ac-04.08_odp.05 }} data after a filter processing failure in accordance with {{ insert: param, ac-04.08_odp.07 }}.
+                      links:
+                        - href: '#ac-4.8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.8_smt'
+                      rel: assessment-for
                 - id: ac-4.8_asm-examine
                   name: assessment-method
                   props:
@@ -6004,6 +6494,9 @@ catalog:
                       value: AC-04(09)
                       class: sp800-53a
                   prose: 'human reviews are used for {{ insert: param, ac-04.09_odp.01 }} under {{ insert: param, ac-04.09_odp.02 }}.'
+                  links:
+                    - href: '#ac-4.9_smt'
+                      rel: assessment-for
                 - id: ac-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -6159,6 +6652,9 @@ catalog:
                           value: AC-04(10)[01]
                           class: sp800-53a
                       prose: 'capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.01 }} under {{ insert: param, ac-04.10_odp.03 }};'
+                      links:
+                        - href: '#ac-4.10_smt'
+                          rel: assessment-for
                     - id: ac-4.10_obj-2
                       name: assessment-objective
                       props:
@@ -6166,6 +6662,12 @@ catalog:
                           value: AC-04(10)[02]
                           class: sp800-53a
                       prose: 'capability is provided for privileged administrators to enable and disable {{ insert: param, ac-04.10_odp.02 }} under {{ insert: param, ac-04.10_odp.04 }}.'
+                      links:
+                        - href: '#ac-4.10_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.10_smt'
+                      rel: assessment-for
                 - id: ac-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -6299,6 +6801,9 @@ catalog:
                           value: AC-04(11)[01]
                           class: sp800-53a
                       prose: 'capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.01 }} to support different security or privacy policies;'
+                      links:
+                        - href: '#ac-4.11_smt'
+                          rel: assessment-for
                     - id: ac-4.11_obj-2
                       name: assessment-objective
                       props:
@@ -6306,6 +6811,12 @@ catalog:
                           value: AC-04(11)[02]
                           class: sp800-53a
                       prose: 'capability is provided for privileged administrators to configure {{ insert: param, ac-04.11_odp.02 }} to support different security or privacy policies.'
+                      links:
+                        - href: '#ac-4.11_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.11_smt'
+                      rel: assessment-for
                 - id: ac-4.11_asm-examine
                   name: assessment-method
                   props:
@@ -6415,6 +6926,9 @@ catalog:
                       value: AC-04(12)
                       class: sp800-53a
                   prose: 'when transferring information between different security domains, {{ insert: param, ac-04.12_odp }} are used to validate data essential for information flow decisions.'
+                  links:
+                    - href: '#ac-4.12_smt'
+                      rel: assessment-for
                 - id: ac-4.12_asm-examine
                   name: assessment-method
                   props:
@@ -6515,6 +7029,9 @@ catalog:
                       value: AC-04(13)
                       class: sp800-53a
                   prose: 'when transferring information between different security domains, information is decomposed into {{ insert: param, ac-04.13_odp }} for submission to policy enforcement mechanisms.'
+                  links:
+                    - href: '#ac-4.13_smt'
+                      rel: assessment-for
                 - id: ac-4.13_asm-examine
                   name: assessment-method
                   props:
@@ -6635,6 +7152,9 @@ catalog:
                           value: AC-04(14)[01]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.01 }} require fully enumerated formats that restrict data structure and content;'
+                      links:
+                        - href: '#ac-4.14_smt'
+                          rel: assessment-for
                     - id: ac-4.14_obj-2
                       name: assessment-objective
                       props:
@@ -6642,6 +7162,12 @@ catalog:
                           value: AC-04(14)[02]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, implemented {{ insert: param, ac-04.14_odp.02 }} require fully enumerated formats that restrict data structure and content.'
+                      links:
+                        - href: '#ac-4.14_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.14_smt'
+                      rel: assessment-for
                 - id: ac-4.14_asm-examine
                   name: assessment-method
                   props:
@@ -6785,6 +7311,9 @@ catalog:
                           value: AC-04(15)[01]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, information is examined for the presence of {{ insert: param, ac-04.15_odp.01 }};'
+                      links:
+                        - href: '#ac-4.15_smt'
+                          rel: assessment-for
                     - id: ac-4.15_obj-2
                       name: assessment-objective
                       props:
@@ -6792,6 +7321,9 @@ catalog:
                           value: AC-04(15)[02]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.02 }};'
+                      links:
+                        - href: '#ac-4.15_smt'
+                          rel: assessment-for
                     - id: ac-4.15_obj-3
                       name: assessment-objective
                       props:
@@ -6799,6 +7331,12 @@ catalog:
                           value: AC-04(15)[03]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, transfer of {{ insert: param, ac-04.15_odp.01 }} is prohibited in accordance with the {{ insert: param, ac-04.15_odp.03 }}.'
+                      links:
+                        - href: '#ac-4.15_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.15_smt'
+                      rel: assessment-for
                 - id: ac-4.15_asm-examine
                   name: assessment-method
                   props:
@@ -6924,6 +7462,9 @@ catalog:
                       value: AC-04(17)
                       class: sp800-53a
                   prose: 'source and destination points are uniquely identified and authenticated by {{ insert: param, ac-04.17_odp }} for information transfer.'
+                  links:
+                    - href: '#ac-4.17_smt'
+                      rel: assessment-for
                 - id: ac-4.17_asm-examine
                   name: assessment-method
                   props:
@@ -7066,6 +7607,9 @@ catalog:
                           value: AC-04(19)[01]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, {{ insert: param, ac-04.19_odp.01 }} are implemented on metadata;'
+                      links:
+                        - href: '#ac-4.19_smt'
+                          rel: assessment-for
                     - id: ac-4.19_obj-2
                       name: assessment-objective
                       props:
@@ -7073,6 +7617,12 @@ catalog:
                           value: AC-04(19)[02]
                           class: sp800-53a
                       prose: 'when transferring information between different security domains, {{ insert: param, ac-04.19_odp.02 }} are implemented on metadata.'
+                      links:
+                        - href: '#ac-4.19_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.19_smt'
+                      rel: assessment-for
                 - id: ac-4.19_asm-examine
                   name: assessment-method
                   props:
@@ -7192,6 +7742,9 @@ catalog:
                       value: AC-04(20)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-04.20_odp.01 }} are employed to control the flow of {{ insert: param, ac-04.20_odp.02 }} across security domains.'
+                  links:
+                    - href: '#ac-4.20_smt'
+                      rel: assessment-for
                 - id: ac-4.20_asm-examine
                   name: assessment-method
                   props:
@@ -7334,6 +7887,9 @@ catalog:
                           value: AC-04(21)[01]
                           class: sp800-53a
                       prose: 'information flows are separated logically using {{ insert: param, ac-04.21_odp.01 }} to accomplish {{ insert: param, ac-04.21_odp.03 }};'
+                      links:
+                        - href: '#ac-4.21_smt'
+                          rel: assessment-for
                     - id: ac-4.21_obj-2
                       name: assessment-objective
                       props:
@@ -7341,6 +7897,12 @@ catalog:
                           value: AC-04(21)[02]
                           class: sp800-53a
                       prose: 'information flows are separated physically using {{ insert: param, ac-04.21_odp.02 }} to accomplish {{ insert: param, ac-04.21_odp.03 }}.'
+                      links:
+                        - href: '#ac-4.21_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.21_smt'
+                      rel: assessment-for
                 - id: ac-4.21_asm-examine
                   name: assessment-method
                   props:
@@ -7434,6 +7996,9 @@ catalog:
                       value: AC-04(22)
                       class: sp800-53a
                   prose: access is provided from a single device to computing platforms, applications, or data that reside in multiple different security domains while preventing information flow between the different security domains.
+                  links:
+                    - href: '#ac-4.22_smt'
+                      rel: assessment-for
                 - id: ac-4.22_asm-examine
                   name: assessment-method
                   props:
@@ -7533,6 +8098,9 @@ catalog:
                       value: AC-04(23)
                       class: sp800-53a
                   prose: 'when transferring information between security domains, non-releasable information is modified by implementing {{ insert: param, ac-04.23_odp }}.'
+                  links:
+                    - href: '#ac-4.23_smt'
+                      rel: assessment-for
                 - id: ac-4.23_asm-examine
                   name: assessment-method
                   props:
@@ -7625,6 +8193,9 @@ catalog:
                           value: AC-04(24)[01]
                           class: sp800-53a
                       prose: when transferring information between different security domains, incoming data is parsed into an internal, normalized format;
+                      links:
+                        - href: '#ac-4.24_smt'
+                          rel: assessment-for
                     - id: ac-4.24_obj-2
                       name: assessment-objective
                       props:
@@ -7632,6 +8203,12 @@ catalog:
                           value: AC-04(24)[02]
                           class: sp800-53a
                       prose: when transferring information between different security domains, the data is regenerated to be consistent with its intended specification.
+                      links:
+                        - href: '#ac-4.24_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.24_smt'
+                      rel: assessment-for
                 - id: ac-4.24_asm-examine
                   name: assessment-method
                   props:
@@ -7742,6 +8319,9 @@ catalog:
                       value: AC-04(25)
                       class: sp800-53a
                   prose: 'when transferring information between different security domains, data is sanitized to minimize {{ insert: param, ac-04.25_odp.01 }} in accordance with {{ insert: param, ac-04.25_odp.02 }}.'
+                  links:
+                    - href: '#ac-4.25_smt'
+                      rel: assessment-for
                 - id: ac-4.25_asm-examine
                   name: assessment-method
                   props:
@@ -7843,6 +8423,9 @@ catalog:
                           value: AC-04(26)[01]
                           class: sp800-53a
                       prose: when transferring information between different security domains, content-filtering actions are recorded and audited;
+                      links:
+                        - href: '#ac-4.26_smt'
+                          rel: assessment-for
                     - id: ac-4.26_obj-2
                       name: assessment-objective
                       props:
@@ -7850,6 +8433,12 @@ catalog:
                           value: AC-04(26)[02]
                           class: sp800-53a
                       prose: when transferring information between different security domains, results for the information being filtered are recorded and audited.
+                      links:
+                        - href: '#ac-4.26_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.26_smt'
+                      rel: assessment-for
                 - id: ac-4.26_asm-examine
                   name: assessment-method
                   props:
@@ -7940,6 +8529,9 @@ catalog:
                       value: AC-04(27)
                       class: sp800-53a
                   prose: when transferring information between security domains, implemented content filtering solutions provide redundant and independent filtering mechanisms for each data type.
+                  links:
+                    - href: '#ac-4.27_smt'
+                      rel: assessment-for
                 - id: ac-4.27_asm-examine
                   name: assessment-method
                   props:
@@ -8025,6 +8617,9 @@ catalog:
                       value: AC-04(28)
                       class: sp800-53a
                   prose: when transferring information between security domains, a linear content filter pipeline is implemented that is enforced with discretionary and mandatory access controls.
+                  links:
+                    - href: '#ac-4.28_smt'
+                      rel: assessment-for
                 - id: ac-4.28_asm-examine
                   name: assessment-method
                   props:
@@ -8147,6 +8742,9 @@ catalog:
                           value: AC-04(29)(a)
                           class: sp800-53a
                       prose: when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering mechanisms successfully complete execution without errors;
+                      links:
+                        - href: '#ac-4.29_smt.a'
+                          rel: assessment-for
                     - id: ac-4.29_obj.b
                       name: assessment-objective
                       props:
@@ -8161,6 +8759,9 @@ catalog:
                               value: AC-04(29)(b)[01]
                               class: sp800-53a
                           prose: when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions occur in the correct order;
+                          links:
+                            - href: '#ac-4.29_smt.b'
+                              rel: assessment-for
                         - id: ac-4.29_obj.b-2
                           name: assessment-objective
                           props:
@@ -8168,6 +8769,15 @@ catalog:
                               value: AC-04(29)(b)[02]
                               class: sp800-53a
                           prose: 'when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with {{ insert: param, ac-04.29_odp }}.'
+                          links:
+                            - href: '#ac-4.29_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-4.29_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.29_smt'
+                      rel: assessment-for
                 - id: ac-4.29_asm-examine
                   name: assessment-method
                   props:
@@ -8256,6 +8866,9 @@ catalog:
                       value: AC-04(30)
                       class: sp800-53a
                   prose: when transferring information between security domains, content-filtering mechanisms using multiple processes are implemented.
+                  links:
+                    - href: '#ac-4.30_smt'
+                      rel: assessment-for
                 - id: ac-4.30_asm-examine
                   name: assessment-method
                   props:
@@ -8344,6 +8957,9 @@ catalog:
                       value: AC-04(31)
                       class: sp800-53a
                   prose: when transferring information between different security domains, the transfer of failed content to the receiving domain is prevented.
+                  links:
+                    - href: '#ac-4.31_smt'
+                      rel: assessment-for
                 - id: ac-4.31_asm-examine
                   name: assessment-method
                   props:
@@ -8461,6 +9077,9 @@ catalog:
                           value: AC-04(32)(a)
                           class: sp800-53a
                       prose: when transferring information between different security domains, the process that transfers information between filter pipelines does not filter message content;
+                      links:
+                        - href: '#ac-4.32_smt.a'
+                          rel: assessment-for
                     - id: ac-4.32_obj.b
                       name: assessment-objective
                       props:
@@ -8468,6 +9087,9 @@ catalog:
                           value: AC-04(32)(b)
                           class: sp800-53a
                       prose: when transferring information between different security domains, the process that transfers information between filter pipelines validates filtering metadata;
+                      links:
+                        - href: '#ac-4.32_smt.b'
+                          rel: assessment-for
                     - id: ac-4.32_obj.c
                       name: assessment-objective
                       props:
@@ -8475,6 +9097,9 @@ catalog:
                           value: AC-04(32)(c)
                           class: sp800-53a
                       prose: when transferring information between different security domains, the process that transfers information between filter pipelines ensures that the content with the filtering metadata has successfully completed filtering;
+                      links:
+                        - href: '#ac-4.32_smt.c'
+                          rel: assessment-for
                     - id: ac-4.32_obj.d
                       name: assessment-objective
                       props:
@@ -8482,6 +9107,12 @@ catalog:
                           value: AC-04(32)(d)
                           class: sp800-53a
                       prose: when transferring information between different security domains, the process that transfers information between filter pipelines transfers the content to the destination filter pipeline.
+                      links:
+                        - href: '#ac-4.32_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-4.32_smt'
+                      rel: assessment-for
                 - id: ac-4.32_asm-examine
                   name: assessment-method
                   props:
@@ -8633,6 +9264,9 @@ catalog:
                       value: AC-05a.
                       class: sp800-53a
                   prose: '{{ insert: param, ac-05_odp }} are identified and documented;'
+                  links:
+                    - href: '#ac-5_smt.a'
+                      rel: assessment-for
                 - id: ac-5_obj.b
                   name: assessment-objective
                   props:
@@ -8640,6 +9274,12 @@ catalog:
                       value: AC-05b.
                       class: sp800-53a
                   prose: system access authorizations to support separation of duties are defined.
+                  links:
+                    - href: '#ac-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-5_smt'
+                  rel: assessment-for
             - id: ac-5_asm-examine
               name: assessment-method
               props:
@@ -8749,6 +9389,9 @@ catalog:
                   value: AC-06
                   class: sp800-53a
               prose: the principle of least privilege is employed, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
+              links:
+                - href: '#ac-6_smt'
+                  rel: assessment-for
             - id: ac-6_asm-examine
               name: assessment-method
               props:
@@ -8932,6 +9575,9 @@ catalog:
                               value: AC-06(01)(a)[01]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.02 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -8939,6 +9585,9 @@ catalog:
                               value: AC-06(01)(a)[02]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.03 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
                         - id: ac-6.1_obj.a-3
                           name: assessment-objective
                           props:
@@ -8946,6 +9595,12 @@ catalog:
                               value: AC-06(01)(a)[03]
                               class: sp800-53a
                           prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.04 }};'
+                          links:
+                            - href: '#ac-6.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-6.1_smt.a'
+                          rel: assessment-for
                     - id: ac-6.1_obj.b
                       name: assessment-objective
                       props:
@@ -8953,6 +9608,12 @@ catalog:
                           value: AC-06(01)(b)
                           class: sp800-53a
                       prose: 'access is authorized for {{ insert: param, ac-06.01_odp.01 }} to {{ insert: param, ac-06.01_odp.05 }}.'
+                      links:
+                        - href: '#ac-6.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.1_smt'
+                      rel: assessment-for
                 - id: ac-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -9057,6 +9718,9 @@ catalog:
                       value: AC-06(02)
                       class: sp800-53a
                   prose: 'users of system accounts (or roles) with access to {{ insert: param, ac-06.02_odp }} are required to use non-privileged accounts or roles when accessing non-security functions.'
+                  links:
+                    - href: '#ac-6.2_smt'
+                      rel: assessment-for
                 - id: ac-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -9176,6 +9840,9 @@ catalog:
                           value: AC-06(03)[01]
                           class: sp800-53a
                       prose: 'network access to {{ insert: param, ac-06.03_odp.01 }} is authorized only for {{ insert: param, ac-06.03_odp.02 }};'
+                      links:
+                        - href: '#ac-6.3_smt'
+                          rel: assessment-for
                     - id: ac-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -9183,6 +9850,12 @@ catalog:
                           value: AC-06(03)[02]
                           class: sp800-53a
                       prose: the rationale for authorizing network access to privileged commands is documented in the security plan for the system.
+                      links:
+                        - href: '#ac-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.3_smt'
+                      rel: assessment-for
                 - id: ac-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -9281,6 +9954,9 @@ catalog:
                       value: AC-06(04)
                       class: sp800-53a
                   prose: separate processing domains are provided to enable finer-grain allocation of user privileges.
+                  links:
+                    - href: '#ac-6.4_smt'
+                      rel: assessment-for
                 - id: ac-6.4_asm-examine
                   name: assessment-method
                   props:
@@ -9383,6 +10059,9 @@ catalog:
                       value: AC-06(05)
                       class: sp800-53a
                   prose: 'privileged accounts on the system are restricted to {{ insert: param, ac-06.05_odp }}.'
+                  links:
+                    - href: '#ac-6.5_smt'
+                      rel: assessment-for
                 - id: ac-6.5_asm-examine
                   name: assessment-method
                   props:
@@ -9478,6 +10157,9 @@ catalog:
                       value: AC-06(06)
                       class: sp800-53a
                   prose: privileged access to the system by non-organizational users is prohibited.
+                  links:
+                    - href: '#ac-6.6_smt'
+                      rel: assessment-for
                 - id: ac-6.6_asm-examine
                   name: assessment-method
                   props:
@@ -9610,6 +10292,9 @@ catalog:
                           value: AC-06(07)(a)
                           class: sp800-53a
                       prose: 'privileges assigned to {{ insert: param, ac-06.07_odp.02 }} are reviewed {{ insert: param, ac-06.07_odp.01 }} to validate the need for such privileges;'
+                      links:
+                        - href: '#ac-6.7_smt.a'
+                          rel: assessment-for
                     - id: ac-6.7_obj.b
                       name: assessment-objective
                       props:
@@ -9617,6 +10302,12 @@ catalog:
                           value: AC-06(07)(b)
                           class: sp800-53a
                       prose: privileges are reassigned or removed, if necessary, to correctly reflect organizational mission and business needs.
+                      links:
+                        - href: '#ac-6.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-6.7_smt'
+                      rel: assessment-for
                 - id: ac-6.7_asm-examine
                   name: assessment-method
                   props:
@@ -9719,6 +10410,9 @@ catalog:
                       value: AC-06(08)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-06.08_odp }} is prevented from executing at higher privilege levels than users executing the software.'
+                  links:
+                    - href: '#ac-6.8_smt'
+                      rel: assessment-for
                 - id: ac-6.8_asm-examine
                   name: assessment-method
                   props:
@@ -9814,6 +10508,9 @@ catalog:
                       value: AC-06(09)
                       class: sp800-53a
                   prose: the execution of privileged functions is logged.
+                  links:
+                    - href: '#ac-6.9_smt'
+                      rel: assessment-for
                 - id: ac-6.9_asm-examine
                   name: assessment-method
                   props:
@@ -9905,6 +10602,9 @@ catalog:
                       value: AC-06(10)
                       class: sp800-53a
                   prose: non-privileged users are prevented from executing privileged functions.
+                  links:
+                    - href: '#ac-6.10_smt'
+                      rel: assessment-for
                 - id: ac-6.10_asm-examine
                   name: assessment-method
                   props:
@@ -10089,6 +10789,9 @@ catalog:
                       value: AC-07a.
                       class: sp800-53a
                   prose: 'a limit of {{ insert: param, ac-07_odp.01 }} consecutive invalid logon attempts by a user during {{ insert: param, ac-07_odp.02 }} is enforced;'
+                  links:
+                    - href: '#ac-7_smt.a'
+                      rel: assessment-for
                 - id: ac-7_obj.b
                   name: assessment-objective
                   props:
@@ -10096,6 +10799,12 @@ catalog:
                       value: AC-07b.
                       class: sp800-53a
                   prose: 'automatically {{ insert: param, ac-07_odp.03 }} when the maximum number of unsuccessful attempts is exceeded.'
+                  links:
+                    - href: '#ac-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-7_smt'
+                  rel: assessment-for
             - id: ac-7_asm-examine
               name: assessment-method
               props:
@@ -10191,9 +10900,9 @@ catalog:
                     - name: label
                       value: AC-07(02)_ODP[02]
                       class: sp800-53a
-                  label: purging or wiping requirements or techniques
+                  label: purging or wiping requirements and techniques
                   guidelines:
-                    - prose: purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;
+                    - prose: purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;
                 - id: ac-07.02_odp.03
                   props:
                     - name: alt-identifier
@@ -10238,6 +10947,9 @@ catalog:
                       value: AC-07(02)
                       class: sp800-53a
                   prose: 'information is purged or wiped from {{ insert: param, ac-07.02_odp.01 }} based on {{ insert: param, ac-07.02_odp.02 }} after {{ insert: param, ac-07.02_odp.03 }} consecutive, unsuccessful device logon attempts.'
+                  links:
+                    - href: '#ac-7.2_smt'
+                      rel: assessment-for
                 - id: ac-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -10338,6 +11050,9 @@ catalog:
                       value: AC-07(03)
                       class: sp800-53a
                   prose: 'unsuccessful biometric logon attempts are limited to {{ insert: param, ac-07.03_odp }}.'
+                  links:
+                    - href: '#ac-7.3_smt'
+                      rel: assessment-for
                 - id: ac-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -10476,6 +11191,9 @@ catalog:
                           value: AC-07(04)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;'
+                      links:
+                        - href: '#ac-7.4_smt.a'
+                          rel: assessment-for
                     - id: ac-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -10483,6 +11201,12 @@ catalog:
                           value: AC-07(04)(b)
                           class: sp800-53a
                       prose: 'a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through the use of the alternative factors by the user during a {{ insert: param, ac-07.04_odp.03 }} is enforced.'
+                      links:
+                        - href: '#ac-7.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-7.4_smt'
+                      rel: assessment-for
                 - id: ac-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -10674,6 +11398,9 @@ catalog:
                           value: AC-08a.01
                           class: sp800-53a
                       prose: the system use notification states that users are accessing a U.S. Government system;
+                      links:
+                        - href: '#ac-8_smt.a.1'
+                          rel: assessment-for
                     - id: ac-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -10681,6 +11408,9 @@ catalog:
                           value: AC-08a.02
                           class: sp800-53a
                       prose: the system use notification states that system usage may be monitored, recorded, and subject to audit;
+                      links:
+                        - href: '#ac-8_smt.a.2'
+                          rel: assessment-for
                     - id: ac-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -10688,6 +11418,9 @@ catalog:
                           value: AC-08a.03
                           class: sp800-53a
                       prose: the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
+                      links:
+                        - href: '#ac-8_smt.a.3'
+                          rel: assessment-for
                     - id: ac-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -10695,6 +11428,12 @@ catalog:
                           value: AC-08a.04
                           class: sp800-53a
                       prose: the system use notification states that use of the system indicates consent to monitoring and recording;
+                      links:
+                        - href: '#ac-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.a'
+                      rel: assessment-for
                 - id: ac-8_obj.b
                   name: assessment-objective
                   props:
@@ -10702,6 +11441,9 @@ catalog:
                       value: AC-08b.
                       class: sp800-53a
                   prose: the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;
+                  links:
+                    - href: '#ac-8_smt.b'
+                      rel: assessment-for
                 - id: ac-8_obj.c
                   name: assessment-objective
                   props:
@@ -10716,6 +11458,9 @@ catalog:
                           value: AC-08c.01
                           class: sp800-53a
                       prose: 'for publicly accessible systems, system use information {{ insert: param, ac-08_odp.02 }} is displayed before granting further access to the publicly accessible system;'
+                      links:
+                        - href: '#ac-8_smt.c.1'
+                          rel: assessment-for
                     - id: ac-8_obj.c.2
                       name: assessment-objective
                       props:
@@ -10723,6 +11468,9 @@ catalog:
                           value: AC-08c.02
                           class: sp800-53a
                       prose: for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;
+                      links:
+                        - href: '#ac-8_smt.c.2'
+                          rel: assessment-for
                     - id: ac-8_obj.c.3
                       name: assessment-objective
                       props:
@@ -10730,6 +11478,15 @@ catalog:
                           value: AC-08c.03
                           class: sp800-53a
                       prose: for publicly accessible systems, a description of the authorized uses of the system is included.
+                      links:
+                        - href: '#ac-8_smt.c.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ac-8_smt'
+                  rel: assessment-for
             - id: ac-8_asm-examine
               name: assessment-method
               props:
@@ -10831,6 +11588,9 @@ catalog:
                   value: AC-09
                   class: sp800-53a
               prose: the user is notified, upon successful logon to the system, of the date and time of the last logon.
+              links:
+                - href: '#ac-9_smt'
+                  rel: assessment-for
             - id: ac-9_asm-examine
               name: assessment-method
               props:
@@ -10917,6 +11677,9 @@ catalog:
                       value: AC-09(01)
                       class: sp800-53a
                   prose: the user is notified, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
+                  links:
+                    - href: '#ac-9.1_smt'
+                      rel: assessment-for
                 - id: ac-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -11025,6 +11788,9 @@ catalog:
                       value: AC-09(02)
                       class: sp800-53a
                   prose: 'the user is notified, upon successful logon, of the number of {{ insert: param, ac-09.02_odp.01 }} during {{ insert: param, ac-09.02_odp.02 }}.'
+                  links:
+                    - href: '#ac-9.2_smt'
+                      rel: assessment-for
                 - id: ac-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -11134,6 +11900,9 @@ catalog:
                       value: AC-09(03)
                       class: sp800-53a
                   prose: 'the user is notified, upon successful logon, of changes to {{ insert: param, ac-09.03_odp.01 }} during {{ insert: param, ac-09.03_odp.02 }}.'
+                  links:
+                    - href: '#ac-9.3_smt'
+                      rel: assessment-for
                 - id: ac-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -11230,6 +11999,9 @@ catalog:
                       value: AC-09(04)
                       class: sp800-53a
                   prose: 'the user is notified, upon successful logon, of {{ insert: param, ac-09.04_odp }}.'
+                  links:
+                    - href: '#ac-9.4_smt'
+                      rel: assessment-for
                 - id: ac-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -11339,6 +12111,9 @@ catalog:
                   value: AC-10
                   class: sp800-53a
               prose: 'the number of concurrent sessions for each {{ insert: param, ac-10_odp.01 }} is limited to {{ insert: param, ac-10_odp.02 }}.'
+              links:
+                - href: '#ac-10_smt'
+                  rel: assessment-for
             - id: ac-10_asm-examine
               name: assessment-method
               props:
@@ -11472,6 +12247,9 @@ catalog:
                       value: AC-11a.
                       class: sp800-53a
                   prose: 'further access to the system is prevented by {{ insert: param, ac-11_odp.01 }};'
+                  links:
+                    - href: '#ac-11_smt.a'
+                      rel: assessment-for
                 - id: ac-11_obj.b
                   name: assessment-objective
                   props:
@@ -11479,6 +12257,12 @@ catalog:
                       value: AC-11b.
                       class: sp800-53a
                   prose: device lock is retained until the user re-establishes access using established identification and authentication procedures.
+                  links:
+                    - href: '#ac-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-11_smt'
+                  rel: assessment-for
             - id: ac-11_asm-examine
               name: assessment-method
               props:
@@ -11567,6 +12351,9 @@ catalog:
                       value: AC-11(01)
                       class: sp800-53a
                   prose: information previously visible on the display is concealed, via device lock, with a publicly viewable image.
+                  links:
+                    - href: '#ac-11.1_smt'
+                      rel: assessment-for
                 - id: ac-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -11670,6 +12457,9 @@ catalog:
                   value: AC-12
                   class: sp800-53a
               prose: 'a user session is automatically terminated after {{ insert: param, ac-12_odp }}.'
+              links:
+                - href: '#ac-12_smt'
+                  rel: assessment-for
             - id: ac-12_asm-examine
               name: assessment-method
               props:
@@ -11772,6 +12562,9 @@ catalog:
                       value: AC-12(01)
                       class: sp800-53a
                   prose: 'a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to {{ insert: param, ac-12.01_odp }}.'
+                  links:
+                    - href: '#ac-12.1_smt'
+                      rel: assessment-for
                 - id: ac-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -11862,6 +12655,9 @@ catalog:
                       value: AC-12(02)
                       class: sp800-53a
                   prose: an explicit logout message is displayed to users indicating the termination of authenticated communication sessions.
+                  links:
+                    - href: '#ac-12.2_smt'
+                      rel: assessment-for
                 - id: ac-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -11966,6 +12762,9 @@ catalog:
                       value: AC-12(03)
                       class: sp800-53a
                   prose: 'an explicit message to users is displayed indicating that the session will end in {{ insert: param, ac-12.03_odp }}.'
+                  links:
+                    - href: '#ac-12.3_smt'
+                      rel: assessment-for
                 - id: ac-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -12108,6 +12907,9 @@ catalog:
                       value: AC-14a.
                       class: sp800-53a
                   prose: '{{ insert: param, ac-14_odp }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;'
+                  links:
+                    - href: '#ac-14_smt.a'
+                      rel: assessment-for
                 - id: ac-14_obj.b
                   name: assessment-objective
                   props:
@@ -12122,6 +12924,9 @@ catalog:
                           value: AC-14b.[01]
                           class: sp800-53a
                       prose: user actions not requiring identification or authentication are documented in the security plan for the system;
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
                     - id: ac-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -12129,6 +12934,15 @@ catalog:
                           value: AC-14b.[02]
                           class: sp800-53a
                       prose: a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.
+                      links:
+                        - href: '#ac-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-14_smt'
+                  rel: assessment-for
             - id: ac-14_asm-examine
               name: assessment-method
               props:
@@ -12478,6 +13292,9 @@ catalog:
                           value: AC-16a.[01]
                           class: sp800-53a
                       prose: 'the means to associate {{ insert: param, ac-16_odp.01 }} with {{ insert: param, ac-16_odp.03 }} for information in storage, in process, and/or in transmission are provided;'
+                      links:
+                        - href: '#ac-16_smt.a'
+                          rel: assessment-for
                     - id: ac-16_obj.a-2
                       name: assessment-objective
                       props:
@@ -12485,6 +13302,12 @@ catalog:
                           value: AC-16a.[02]
                           class: sp800-53a
                       prose: 'the means to associate {{ insert: param, ac-16_odp.02 }} with {{ insert: param, ac-16_odp.04 }} for information in storage, in process, and/or in transmission are provided;'
+                      links:
+                        - href: '#ac-16_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16_smt.a'
+                      rel: assessment-for
                 - id: ac-16_obj.b
                   name: assessment-objective
                   props:
@@ -12499,6 +13322,9 @@ catalog:
                           value: AC-16b.[01]
                           class: sp800-53a
                       prose: attribute associations are made;
+                      links:
+                        - href: '#ac-16_smt.b'
+                          rel: assessment-for
                     - id: ac-16_obj.b-2
                       name: assessment-objective
                       props:
@@ -12506,6 +13332,12 @@ catalog:
                           value: AC-16b.[02]
                           class: sp800-53a
                       prose: attribute associations are retained with the information;
+                      links:
+                        - href: '#ac-16_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16_smt.b'
+                      rel: assessment-for
                 - id: ac-16_obj.c
                   name: assessment-objective
                   props:
@@ -12520,6 +13352,9 @@ catalog:
                           value: AC-16c.[01]
                           class: sp800-53a
                       prose: 'the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for {{ insert: param, ac-16_odp.05 }}: {{ insert: param, ac-16_odp.07 }};'
+                      links:
+                        - href: '#ac-16_smt.c'
+                          rel: assessment-for
                     - id: ac-16_obj.c-2
                       name: assessment-objective
                       props:
@@ -12527,6 +13362,12 @@ catalog:
                           value: AC-16c.[02]
                           class: sp800-53a
                       prose: 'the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for {{ insert: param, ac-16_odp.06 }}: {{ insert: param, ac-16_odp.08 }};'
+                      links:
+                        - href: '#ac-16_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16_smt.c'
+                      rel: assessment-for
                 - id: ac-16_obj.d
                   name: assessment-objective
                   props:
@@ -12534,6 +13375,9 @@ catalog:
                       value: AC-16d.
                       class: sp800-53a
                   prose: 'the following permitted attribute values or ranges for each of the established attributes are determined: {{ insert: param, ac-16_odp.09 }};'
+                  links:
+                    - href: '#ac-16_smt.d'
+                      rel: assessment-for
                 - id: ac-16_obj.e
                   name: assessment-objective
                   props:
@@ -12541,6 +13385,9 @@ catalog:
                       value: AC-16e.
                       class: sp800-53a
                   prose: changes to attributes are audited;
+                  links:
+                    - href: '#ac-16_smt.e'
+                      rel: assessment-for
                 - id: ac-16_obj.f
                   name: assessment-objective
                   props:
@@ -12555,6 +13402,9 @@ catalog:
                           value: AC-16f.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-16_odp.07 }} are reviewed for applicability {{ insert: param, ac-16_odp.10 }};'
+                      links:
+                        - href: '#ac-16_smt.f'
+                          rel: assessment-for
                     - id: ac-16_obj.f-2
                       name: assessment-objective
                       props:
@@ -12562,6 +13412,15 @@ catalog:
                           value: AC-16f.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-16_odp.08 }} are reviewed for applicability {{ insert: param, ac-16_odp.11 }}.'
+                      links:
+                        - href: '#ac-16_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ac-16_smt'
+                  rel: assessment-for
             - id: ac-16_asm-examine
               name: assessment-method
               props:
@@ -12730,6 +13589,9 @@ catalog:
                           value: AC-16(01)[01]
                           class: sp800-53a
                       prose: 'security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.01 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};'
+                      links:
+                        - href: '#ac-16.1_smt'
+                          rel: assessment-for
                     - id: ac-16.1_obj-2
                       name: assessment-objective
                       props:
@@ -12737,6 +13599,9 @@ catalog:
                           value: AC-16(01)[02]
                           class: sp800-53a
                       prose: 'security attributes are dynamically associated with {{ insert: param, ac-16.01_odp.02 }} in accordance with the following security policies as information is created and combined: {{ insert: param, ac-16.01_odp.05 }};'
+                      links:
+                        - href: '#ac-16.1_smt'
+                          rel: assessment-for
                     - id: ac-16.1_obj-3
                       name: assessment-objective
                       props:
@@ -12744,6 +13609,9 @@ catalog:
                           value: AC-16(01)[03]
                           class: sp800-53a
                       prose: 'privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.03 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }};'
+                      links:
+                        - href: '#ac-16.1_smt'
+                          rel: assessment-for
                     - id: ac-16.1_obj-4
                       name: assessment-objective
                       props:
@@ -12751,6 +13619,12 @@ catalog:
                           value: AC-16(01)[04]
                           class: sp800-53a
                       prose: 'privacy attributes are dynamically associated with {{ insert: param, ac-16.01_odp.04 }} in accordance with the following privacy policies as information is created and combined: {{ insert: param, ac-16.01_odp.06 }}.'
+                      links:
+                        - href: '#ac-16.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.1_smt'
+                      rel: assessment-for
                 - id: ac-16.1_asm-examine
                   name: assessment-method
                   props:
@@ -12845,6 +13719,9 @@ catalog:
                           value: AC-16(02)[01]
                           class: sp800-53a
                       prose: authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated security attributes;
+                      links:
+                        - href: '#ac-16.2_smt'
+                          rel: assessment-for
                     - id: ac-16.2_obj-2
                       name: assessment-objective
                       props:
@@ -12852,6 +13729,12 @@ catalog:
                           value: AC-16(02)[02]
                           class: sp800-53a
                       prose: authorized individuals (or processes acting on behalf of individuals) are provided with the capability to define or change the value of associated privacy attributes.
+                      links:
+                        - href: '#ac-16.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.2_smt'
+                      rel: assessment-for
                 - id: ac-16.2_asm-examine
                   name: assessment-method
                   props:
@@ -13021,6 +13904,9 @@ catalog:
                           value: AC-16(03)[01]
                           class: sp800-53a
                       prose: 'the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.03 }} is maintained;'
+                      links:
+                        - href: '#ac-16.3_smt'
+                          rel: assessment-for
                     - id: ac-16.3_obj-2
                       name: assessment-objective
                       props:
@@ -13028,6 +13914,9 @@ catalog:
                           value: AC-16(03)[02]
                           class: sp800-53a
                       prose: 'the association and integrity of {{ insert: param, ac-16.03_odp.01 }} to {{ insert: param, ac-16.03_odp.04 }} is maintained.'
+                      links:
+                        - href: '#ac-16.3_smt'
+                          rel: assessment-for
                     - id: ac-16.3_obj-3
                       name: assessment-objective
                       props:
@@ -13035,6 +13924,9 @@ catalog:
                           value: AC-16(03)[03]
                           class: sp800-53a
                       prose: 'the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.05 }} is maintained;'
+                      links:
+                        - href: '#ac-16.3_smt'
+                          rel: assessment-for
                     - id: ac-16.3_obj-4
                       name: assessment-objective
                       props:
@@ -13042,6 +13934,12 @@ catalog:
                           value: AC-16(03)[04]
                           class: sp800-53a
                       prose: 'the association and integrity of {{ insert: param, ac-16.03_odp.02 }} to {{ insert: param, ac-16.03_odp.06 }} is maintained.'
+                      links:
+                        - href: '#ac-16.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.3_smt'
+                      rel: assessment-for
                 - id: ac-16.3_asm-examine
                   name: assessment-method
                   props:
@@ -13229,6 +14127,9 @@ catalog:
                           value: AC-16(04)[01]
                           class: sp800-53a
                       prose: 'authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.01 }} with {{ insert: param, ac-16.04_odp.05 }};'
+                      links:
+                        - href: '#ac-16.4_smt'
+                          rel: assessment-for
                     - id: ac-16.4_obj-2
                       name: assessment-objective
                       props:
@@ -13236,6 +14137,9 @@ catalog:
                           value: AC-16(04)[02]
                           class: sp800-53a
                       prose: 'authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.02 }} with {{ insert: param, ac-16.04_odp.06 }};'
+                      links:
+                        - href: '#ac-16.4_smt'
+                          rel: assessment-for
                     - id: ac-16.4_obj-3
                       name: assessment-objective
                       props:
@@ -13243,6 +14147,9 @@ catalog:
                           value: AC-16(04)[03]
                           class: sp800-53a
                       prose: 'authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.03 }} with {{ insert: param, ac-16.04_odp.07 }};'
+                      links:
+                        - href: '#ac-16.4_smt'
+                          rel: assessment-for
                     - id: ac-16.4_obj-4
                       name: assessment-objective
                       props:
@@ -13250,6 +14157,12 @@ catalog:
                           value: AC-16(04)[04]
                           class: sp800-53a
                       prose: 'authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate {{ insert: param, ac-16.04_odp.04 }} with {{ insert: param, ac-16.04_odp.08 }}.'
+                      links:
+                        - href: '#ac-16.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.4_smt'
+                      rel: assessment-for
                 - id: ac-16.4_asm-examine
                   name: assessment-method
                   props:
@@ -13375,6 +14288,9 @@ catalog:
                           value: AC-16(05)[01]
                           class: sp800-53a
                       prose: 'security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }};'
+                      links:
+                        - href: '#ac-16.5_smt'
+                          rel: assessment-for
                     - id: ac-16.5_obj-2
                       name: assessment-objective
                       props:
@@ -13382,6 +14298,12 @@ catalog:
                           value: AC-16(05)[02]
                           class: sp800-53a
                       prose: 'privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify {{ insert: param, ac-16.05_odp.01 }} using {{ insert: param, ac-16.05_odp.02 }}.'
+                      links:
+                        - href: '#ac-16.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.5_smt'
+                      rel: assessment-for
                 - id: ac-16.5_asm-examine
                   name: assessment-method
                   props:
@@ -13598,6 +14520,9 @@ catalog:
                           value: AC-16(06)[01]
                           class: sp800-53a
                       prose: 'personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.01 }} with {{ insert: param, ac-16.06_odp.05 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};'
+                      links:
+                        - href: '#ac-16.6_smt'
+                          rel: assessment-for
                     - id: ac-16.6_obj-2
                       name: assessment-objective
                       props:
@@ -13605,6 +14530,9 @@ catalog:
                           value: AC-16(06)[02]
                           class: sp800-53a
                       prose: 'personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.02 }} with {{ insert: param, ac-16.06_odp.06 }} in accordance with {{ insert: param, ac-16.06_odp.09 }};'
+                      links:
+                        - href: '#ac-16.6_smt'
+                          rel: assessment-for
                     - id: ac-16.6_obj-3
                       name: assessment-objective
                       props:
@@ -13612,6 +14540,9 @@ catalog:
                           value: AC-16(06)[03]
                           class: sp800-53a
                       prose: 'personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.03 }} with {{ insert: param, ac-16.06_odp.07 }} in accordance with {{ insert: param, ac-16.06_odp.10 }};'
+                      links:
+                        - href: '#ac-16.6_smt'
+                          rel: assessment-for
                     - id: ac-16.6_obj-4
                       name: assessment-objective
                       props:
@@ -13619,6 +14550,12 @@ catalog:
                           value: AC-16(06)[04]
                           class: sp800-53a
                       prose: 'personnel are required to associate and maintain the association of {{ insert: param, ac-16.06_odp.04 }} with {{ insert: param, ac-16.06_odp.08 }} in accordance with {{ insert: param, ac-16.06_odp.10 }}.'
+                      links:
+                        - href: '#ac-16.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.6_smt'
+                      rel: assessment-for
                 - id: ac-16.6_asm-examine
                   name: assessment-method
                   props:
@@ -13707,6 +14644,9 @@ catalog:
                           value: AC-16(07)[01]
                           class: sp800-53a
                       prose: a consistent interpretation of security attributes transmitted between distributed system components is provided;
+                      links:
+                        - href: '#ac-16.7_smt'
+                          rel: assessment-for
                     - id: ac-16.7_obj-2
                       name: assessment-objective
                       props:
@@ -13714,6 +14654,12 @@ catalog:
                           value: AC-16(07)[02]
                           class: sp800-53a
                       prose: a consistent interpretation of privacy attributes transmitted between distributed system components is provided.
+                      links:
+                        - href: '#ac-16.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.7_smt'
+                      rel: assessment-for
                 - id: ac-16.7_asm-examine
                   name: assessment-method
                   props:
@@ -13842,6 +14788,9 @@ catalog:
                           value: AC-16(08)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-16.08_odp.01 }} are implemented in associating security attributes to information;'
+                      links:
+                        - href: '#ac-16.8_smt'
+                          rel: assessment-for
                     - id: ac-16.8_obj-2
                       name: assessment-objective
                       props:
@@ -13849,6 +14798,12 @@ catalog:
                           value: AC-16(08)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ac-16.08_odp.02 }} are implemented in associating privacy attributes to information.'
+                      links:
+                        - href: '#ac-16.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.8_smt'
+                      rel: assessment-for
                 - id: ac-16.8_asm-examine
                   name: assessment-method
                   props:
@@ -13969,6 +14924,9 @@ catalog:
                           value: AC-16(09)[01]
                           class: sp800-53a
                       prose: 'security attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.01 }};'
+                      links:
+                        - href: '#ac-16.9_smt'
+                          rel: assessment-for
                     - id: ac-16.9_obj-2
                       name: assessment-objective
                       props:
@@ -13976,6 +14934,12 @@ catalog:
                           value: AC-16(09)[02]
                           class: sp800-53a
                       prose: 'privacy attributes associated with information are changed only via regrading mechanisms validated using {{ insert: param, ac-16.09_odp.02 }}.'
+                      links:
+                        - href: '#ac-16.9_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.9_smt'
+                      rel: assessment-for
                 - id: ac-16.9_asm-examine
                   name: assessment-method
                   props:
@@ -14070,6 +15034,9 @@ catalog:
                           value: AC-16(10)[01]
                           class: sp800-53a
                       prose: authorized individuals are provided with the capability to define or change the type and value of security attributes available for association with subjects and objects;
+                      links:
+                        - href: '#ac-16.10_smt'
+                          rel: assessment-for
                     - id: ac-16.10_obj-2
                       name: assessment-objective
                       props:
@@ -14077,6 +15044,12 @@ catalog:
                           value: AC-16(10)[02]
                           class: sp800-53a
                       prose: authorized individuals are provided with the capability to define or change the type and value of privacy attributes available for association with subjects and objects.
+                      links:
+                        - href: '#ac-16.10_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-16.10_smt'
+                      rel: assessment-for
                 - id: ac-16.10_asm-examine
                   name: assessment-method
                   props:
@@ -14238,6 +15211,9 @@ catalog:
                           value: AC-17a.[01]
                           class: sp800-53a
                       prose: usage restrictions are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -14245,6 +15221,9 @@ catalog:
                           value: AC-17a.[02]
                           class: sp800-53a
                       prose: configuration/connection requirements are established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
                     - id: ac-17_obj.a-3
                       name: assessment-objective
                       props:
@@ -14252,6 +15231,12 @@ catalog:
                           value: AC-17a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established and documented for each type of remote access allowed;
+                      links:
+                        - href: '#ac-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17_smt.a'
+                      rel: assessment-for
                 - id: ac-17_obj.b
                   name: assessment-objective
                   props:
@@ -14259,6 +15244,12 @@ catalog:
                       value: AC-17b.
                       class: sp800-53a
                   prose: each type of remote access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-17_smt'
+                  rel: assessment-for
             - id: ac-17_asm-examine
               name: assessment-method
               props:
@@ -14365,6 +15356,9 @@ catalog:
                           value: AC-17(01)[01]
                           class: sp800-53a
                       prose: automated mechanisms are employed to monitor remote access methods;
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
                     - id: ac-17.1_obj-2
                       name: assessment-objective
                       props:
@@ -14372,6 +15366,12 @@ catalog:
                           value: AC-17(01)[02]
                           class: sp800-53a
                       prose: automated mechanisms are employed to control remote access methods.
+                      links:
+                        - href: '#ac-17.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.1_smt'
+                      rel: assessment-for
                 - id: ac-17.1_asm-examine
                   name: assessment-method
                   props:
@@ -14465,6 +15465,9 @@ catalog:
                       value: AC-17(02)
                       class: sp800-53a
                   prose: cryptographic mechanisms are implemented to protect the confidentiality and integrity of remote access sessions.
+                  links:
+                    - href: '#ac-17.2_smt'
+                      rel: assessment-for
                 - id: ac-17.2_asm-examine
                   name: assessment-method
                   props:
@@ -14554,6 +15557,9 @@ catalog:
                       value: AC-17(03)
                       class: sp800-53a
                   prose: remote accesses are routed through authorized and managed network access control points.
+                  links:
+                    - href: '#ac-17.3_smt'
+                      rel: assessment-for
                 - id: ac-17.3_asm-examine
                   name: assessment-method
                   props:
@@ -14697,6 +15703,9 @@ catalog:
                               value: AC-17(04)(a)[01]
                               class: sp800-53a
                           prose: the execution of privileged commands via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -14704,6 +15713,9 @@ catalog:
                               value: AC-17(04)(a)[02]
                               class: sp800-53a
                           prose: access to security-relevant information via remote access is authorized only in a format that provides assessable evidence;
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-3
                           name: assessment-objective
                           props:
@@ -14711,6 +15723,9 @@ catalog:
                               value: AC-17(04)(a)[03]
                               class: sp800-53a
                           prose: 'the execution of privileged commands via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.01 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
                         - id: ac-17.4_obj.a-4
                           name: assessment-objective
                           props:
@@ -14718,6 +15733,12 @@ catalog:
                               value: AC-17(04)(a)[04]
                               class: sp800-53a
                           prose: 'access to security-relevant information via remote access is authorized only for the following needs: {{ insert: param, ac-17.04_odp.02 }};'
+                          links:
+                            - href: '#ac-17.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-17.4_smt.a'
+                          rel: assessment-for
                     - id: ac-17.4_obj.b
                       name: assessment-objective
                       props:
@@ -14725,6 +15746,12 @@ catalog:
                           value: AC-17(04)(b)
                           class: sp800-53a
                       prose: the rationale for remote access is documented in the security plan for the system.
+                      links:
+                        - href: '#ac-17.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-17.4_smt'
+                      rel: assessment-for
                 - id: ac-17.4_asm-examine
                   name: assessment-method
                   props:
@@ -14830,6 +15857,9 @@ catalog:
                       value: AC-17(06)
                       class: sp800-53a
                   prose: information about remote access mechanisms is protected from unauthorized use and disclosure.
+                  links:
+                    - href: '#ac-17.6_smt'
+                      rel: assessment-for
                 - id: ac-17.6_asm-examine
                   name: assessment-method
                   props:
@@ -14940,6 +15970,9 @@ catalog:
                       value: AC-17(09)
                       class: sp800-53a
                   prose: 'the capability to disconnect or disable remote access to the system within {{ insert: param, ac-17.09_odp }} is provided.'
+                  links:
+                    - href: '#ac-17.9_smt'
+                      rel: assessment-for
                 - id: ac-17.9_asm-examine
                   name: assessment-method
                   props:
@@ -15052,6 +16085,9 @@ catalog:
                       value: AC-17(10)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-17.10_odp.01 }} are implemented to authenticate {{ insert: param, ac-17.10_odp.02 }}.'
+                  links:
+                    - href: '#ac-17.10_smt'
+                      rel: assessment-for
                 - id: ac-17.10_asm-examine
                   name: assessment-method
                   props:
@@ -15191,6 +16227,9 @@ catalog:
                           value: AC-18a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -15198,6 +16237,9 @@ catalog:
                           value: AC-18a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
                     - id: ac-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -15205,6 +16247,12 @@ catalog:
                           value: AC-18a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for each type of wireless access;
+                      links:
+                        - href: '#ac-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18_smt.a'
+                      rel: assessment-for
                 - id: ac-18_obj.b
                   name: assessment-objective
                   props:
@@ -15212,6 +16260,12 @@ catalog:
                       value: AC-18b.
                       class: sp800-53a
                   prose: each type of wireless access to the system is authorized prior to allowing such connections.
+                  links:
+                    - href: '#ac-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-18_smt'
+                  rel: assessment-for
             - id: ac-18_asm-examine
               name: assessment-method
               props:
@@ -15326,6 +16380,9 @@ catalog:
                           value: AC-18(01)[01]
                           class: sp800-53a
                       prose: 'wireless access to the system is protected using authentication of {{ insert: param, ac-18.01_odp }};'
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
                     - id: ac-18.1_obj-2
                       name: assessment-objective
                       props:
@@ -15333,6 +16390,12 @@ catalog:
                           value: AC-18(01)[02]
                           class: sp800-53a
                       prose: wireless access to the system is protected using encryption.
+                      links:
+                        - href: '#ac-18.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.1_smt'
+                      rel: assessment-for
                 - id: ac-18.1_asm-examine
                   name: assessment-method
                   props:
@@ -15437,6 +16500,9 @@ catalog:
                       value: AC-18(03)
                       class: sp800-53a
                   prose: when not intended for use, wireless networking capabilities embedded within system components are disabled prior to issuance and deployment.
+                  links:
+                    - href: '#ac-18.3_smt'
+                      rel: assessment-for
                 - id: ac-18.3_asm-examine
                   name: assessment-method
                   props:
@@ -15531,6 +16597,9 @@ catalog:
                           value: AC-18(04)[01]
                           class: sp800-53a
                       prose: users allowed to independently configure wireless networking capabilities are identified;
+                      links:
+                        - href: '#ac-18.4_smt'
+                          rel: assessment-for
                     - id: ac-18.4_obj-2
                       name: assessment-objective
                       props:
@@ -15538,6 +16607,12 @@ catalog:
                           value: AC-18(04)[02]
                           class: sp800-53a
                       prose: users allowed to independently configure wireless networking capabilities are explicitly authorized.
+                      links:
+                        - href: '#ac-18.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.4_smt'
+                      rel: assessment-for
                 - id: ac-18.4_asm-examine
                   name: assessment-method
                   props:
@@ -15630,6 +16705,9 @@ catalog:
                           value: AC-18(05)[01]
                           class: sp800-53a
                       prose: radio antennas are selected to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries;
+                      links:
+                        - href: '#ac-18.5_smt'
+                          rel: assessment-for
                     - id: ac-18.5_obj-2
                       name: assessment-objective
                       props:
@@ -15637,6 +16715,12 @@ catalog:
                           value: AC-18(05)[02]
                           class: sp800-53a
                       prose: transmission power levels are calibrated to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
+                      links:
+                        - href: '#ac-18.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-18.5_smt'
+                      rel: assessment-for
                 - id: ac-18.5_asm-examine
                   name: assessment-method
                   props:
@@ -15802,6 +16886,9 @@ catalog:
                           value: AC-19a.[01]
                           class: sp800-53a
                       prose: configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-2
                       name: assessment-objective
                       props:
@@ -15809,6 +16896,9 @@ catalog:
                           value: AC-19a.[02]
                           class: sp800-53a
                       prose: connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
                     - id: ac-19_obj.a-3
                       name: assessment-objective
                       props:
@@ -15816,6 +16906,12 @@ catalog:
                           value: AC-19a.[03]
                           class: sp800-53a
                       prose: implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;
+                      links:
+                        - href: '#ac-19_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-19_smt.a'
+                      rel: assessment-for
                 - id: ac-19_obj.b
                   name: assessment-objective
                   props:
@@ -15823,6 +16919,12 @@ catalog:
                       value: AC-19b.
                       class: sp800-53a
                   prose: the connection of mobile devices to organizational systems is authorized.
+                  links:
+                    - href: '#ac-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-19_smt'
+                  rel: assessment-for
             - id: ac-19_asm-examine
               name: assessment-method
               props:
@@ -16039,6 +17141,9 @@ catalog:
                           value: AC-19(04)(a)
                           class: sp800-53a
                       prose: the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information is prohibited unless specifically permitted by the authorizing official;
+                      links:
+                        - href: '#ac-19.4_smt.a'
+                          rel: assessment-for
                     - id: ac-19.4_obj.b
                       name: assessment-objective
                       props:
@@ -16053,6 +17158,9 @@ catalog:
                               value: AC-19(04)(b)(01)
                               class: sp800-53a
                           prose: prohibition of the connection of unclassified mobile devices to classified systems is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
+                          links:
+                            - href: '#ac-19.4_smt.b.1'
+                              rel: assessment-for
                         - id: ac-19.4_obj.b.2
                           name: assessment-objective
                           props:
@@ -16060,6 +17168,9 @@ catalog:
                               value: AC-19(04)(b)(02)
                               class: sp800-53a
                           prose: approval by the authorizing official for the connection of unclassified mobile devices to unclassified systems is enforced on individuals permitted to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
+                          links:
+                            - href: '#ac-19.4_smt.b.2'
+                              rel: assessment-for
                         - id: ac-19.4_obj.b.3
                           name: assessment-objective
                           props:
@@ -16067,6 +17178,9 @@ catalog:
                               value: AC-19(04)(b)(03)
                               class: sp800-53a
                           prose: prohibition of the use of internal or external modems or wireless interfaces within unclassified mobile devices is enforced on individuals permitted by an authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information;
+                          links:
+                            - href: '#ac-19.4_smt.b.3'
+                              rel: assessment-for
                         - id: ac-19.4_obj.b.4
                           name: assessment-objective
                           props:
@@ -16081,6 +17195,9 @@ catalog:
                                   value: AC-19(04)(b)(04)[01]
                                   class: sp800-53a
                               prose: 'random review and inspection of unclassified mobile devices and the information stored on those devices by {{ insert: param, ac-19.04_odp.01 }} are enforced;'
+                              links:
+                                - href: '#ac-19.4_smt.b.4'
+                                  rel: assessment-for
                             - id: ac-19.4_obj.b.4-2
                               name: assessment-objective
                               props:
@@ -16088,6 +17205,15 @@ catalog:
                                   value: AC-19(04)(b)(04)[02]
                                   class: sp800-53a
                               prose: following of the incident handling policy is enforced if classified information is found during a random review and inspection of unclassified mobile devices;
+                              links:
+                                - href: '#ac-19.4_smt.b.4'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ac-19.4_smt.b.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#ac-19.4_smt.b'
+                          rel: assessment-for
                     - id: ac-19.4_obj.c
                       name: assessment-objective
                       props:
@@ -16095,6 +17221,12 @@ catalog:
                           value: AC-19(04)(c)
                           class: sp800-53a
                       prose: 'the connection of classified mobile devices to classified systems is restricted in accordance with {{ insert: param, ac-19.04_odp.02 }}.'
+                      links:
+                        - href: '#ac-19.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-19.4_smt'
+                      rel: assessment-for
                 - id: ac-19.4_asm-examine
                   name: assessment-method
                   props:
@@ -16216,6 +17348,9 @@ catalog:
                       value: AC-19(05)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-19.05_odp.01 }} is employed to protect the confidentiality and integrity of information on {{ insert: param, ac-19.05_odp.02 }}.'
+                  links:
+                    - href: '#ac-19.5_smt'
+                      rel: assessment-for
                 - id: ac-19.5_asm-examine
                   name: assessment-method
                   props:
@@ -16415,16 +17550,25 @@ catalog:
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.1
+                          value: AC-20a.01
                           class: sp800-53a
                       prose: '{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.1'
+                          rel: assessment-for
                     - id: ac-20_obj.a.2
                       name: assessment-objective
                       props:
                         - name: label
-                          value: AC-20a.2
+                          value: AC-20a.02
                           class: sp800-53a
                       prose: '{{ insert: param, ac-20_odp.01 }} is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);'
+                      links:
+                        - href: '#ac-20_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20_smt.a'
+                      rel: assessment-for
                 - id: ac-20_obj.b
                   name: assessment-objective
                   props:
@@ -16432,6 +17576,12 @@ catalog:
                       value: AC-20b.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, ac-20_odp.04 }} is prohibited (if applicable).'
+                  links:
+                    - href: '#ac-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-20_smt'
+                  rel: assessment-for
             - id: ac-20_asm-examine
               name: assessment-method
               props:
@@ -16542,6 +17692,9 @@ catalog:
                           value: AC-20(01)(a)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans (if applicable);
+                      links:
+                        - href: '#ac-20.1_smt.a'
+                          rel: assessment-for
                     - id: ac-20.1_obj.b
                       name: assessment-objective
                       props:
@@ -16549,6 +17702,12 @@ catalog:
                           value: AC-20(01)(b)
                           class: sp800-53a
                       prose: authorized individuals are permitted to use an external system to access the system or to process, store, or transmit organization-controlled information only after retention of approved system connection or processing agreements with the organizational entity hosting the external system (if applicable).
+                      links:
+                        - href: '#ac-20.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-20.1_smt'
+                      rel: assessment-for
                 - id: ac-20.1_asm-examine
                   name: assessment-method
                   props:
@@ -16645,6 +17804,9 @@ catalog:
                       value: AC-20(02)
                       class: sp800-53a
                   prose: 'the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using {{ insert: param, ac-20.02_odp }}.'
+                  links:
+                    - href: '#ac-20.2_smt'
+                      rel: assessment-for
                 - id: ac-20.2_asm-examine
                   name: assessment-method
                   props:
@@ -16741,6 +17903,9 @@ catalog:
                       value: AC-20(03)
                       class: sp800-53a
                   prose: 'the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using {{ insert: param, ac-20.03_odp }}.'
+                  links:
+                    - href: '#ac-20.3_smt'
+                      rel: assessment-for
                 - id: ac-20.3_asm-examine
                   name: assessment-method
                   props:
@@ -16840,6 +18005,9 @@ catalog:
                       value: AC-20(04)
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, ac-20.04_odp }} is prohibited in external systems.'
+                  links:
+                    - href: '#ac-20.4_smt'
+                      rel: assessment-for
                 - id: ac-20.4_asm-examine
                   name: assessment-method
                   props:
@@ -16937,6 +18105,9 @@ catalog:
                       value: AC-20(05)
                       class: sp800-53a
                   prose: the use of organization-controlled portable storage devices by authorized individuals is prohibited on external systems.
+                  links:
+                    - href: '#ac-20.5_smt'
+                      rel: assessment-for
                 - id: ac-20.5_asm-examine
                   name: assessment-method
                   props:
@@ -17076,6 +18247,9 @@ catalog:
                       value: AC-21a.
                       class: sp800-53a
                   prose: 'authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for {{ insert: param, ac-21_odp.01 }};'
+                  links:
+                    - href: '#ac-21_smt.a'
+                      rel: assessment-for
                 - id: ac-21_obj.b
                   name: assessment-objective
                   props:
@@ -17083,6 +18257,12 @@ catalog:
                       value: AC-21b.
                       class: sp800-53a
                   prose: '{{ insert: param, ac-21_odp.02 }} are employed to assist users in making information-sharing and collaboration decisions.'
+                  links:
+                    - href: '#ac-21_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ac-21_smt'
+                  rel: assessment-for
             - id: ac-21_asm-examine
               name: assessment-method
               props:
@@ -17194,6 +18374,9 @@ catalog:
                       value: AC-21(01)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-21.01_odp }} are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.'
+                  links:
+                    - href: '#ac-21.1_smt'
+                      rel: assessment-for
                 - id: ac-21.1_asm-examine
                   name: assessment-method
                   props:
@@ -17297,6 +18480,9 @@ catalog:
                       value: AC-21(02)
                       class: sp800-53a
                   prose: 'information search and retrieval services that enforce {{ insert: param, ac-21.02_odp }} are implemented.'
+                  links:
+                    - href: '#ac-21.2_smt'
+                      rel: assessment-for
                 - id: ac-21.2_asm-examine
                   name: assessment-method
                   props:
@@ -17438,6 +18624,9 @@ catalog:
                       value: AC-22a.
                       class: sp800-53a
                   prose: designated individuals are authorized to make information publicly accessible;
+                  links:
+                    - href: '#ac-22_smt.a'
+                      rel: assessment-for
                 - id: ac-22_obj.b
                   name: assessment-objective
                   props:
@@ -17445,6 +18634,9 @@ catalog:
                       value: AC-22b.
                       class: sp800-53a
                   prose: authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;
+                  links:
+                    - href: '#ac-22_smt.b'
+                      rel: assessment-for
                 - id: ac-22_obj.c
                   name: assessment-objective
                   props:
@@ -17452,6 +18644,9 @@ catalog:
                       value: AC-22c.
                       class: sp800-53a
                   prose: the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;
+                  links:
+                    - href: '#ac-22_smt.c'
+                      rel: assessment-for
                 - id: ac-22_obj.d
                   name: assessment-objective
                   props:
@@ -17466,6 +18661,9 @@ catalog:
                           value: AC-22d.[01]
                           class: sp800-53a
                       prose: 'the content on the publicly accessible system is reviewed for non-public information {{ insert: param, ac-22_odp }};'
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
                     - id: ac-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -17473,6 +18671,15 @@ catalog:
                           value: AC-22d.[02]
                           class: sp800-53a
                       prose: non-public information is removed from the publicly accessible system, if discovered.
+                      links:
+                        - href: '#ac-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ac-22_smt'
+                  rel: assessment-for
             - id: ac-22_asm-examine
               name: assessment-method
               props:
@@ -17595,6 +18802,9 @@ catalog:
                   value: AC-23
                   class: sp800-53a
               prose: '{{ insert: param, ac-23_odp.01 }} are employed for {{ insert: param, ac-23_odp.02 }} to detect and protect against unauthorized data mining.'
+              links:
+                - href: '#ac-23_smt'
+                  rel: assessment-for
             - id: ac-23_asm-examine
               name: assessment-method
               props:
@@ -17725,6 +18935,9 @@ catalog:
                   value: AC-24
                   class: sp800-53a
               prose: '{{ insert: param, ac-24_odp.01 }} are taken to ensure that {{ insert: param, ac-24_odp.02 }} are applied to each access request prior to access enforcement.'
+              links:
+                - href: '#ac-24_smt'
+                  rel: assessment-for
             - id: ac-24_asm-examine
               name: assessment-method
               props:
@@ -17842,6 +19055,9 @@ catalog:
                       value: AC-24(01)
                       class: sp800-53a
                   prose: '{{ insert: param, ac-24.01_odp.01 }} is transmitted using {{ insert: param, ac-24.01_odp.02 }} to {{ insert: param, ac-24.01_odp.03 }} that enforce access control decisions.'
+                  links:
+                    - href: '#ac-24.1_smt'
+                      rel: assessment-for
                 - id: ac-24.1_asm-examine
                   name: assessment-method
                   props:
@@ -17962,6 +19178,9 @@ catalog:
                           value: AC-24(02)[01]
                           class: sp800-53a
                       prose: 'access control decisions are enforced based on {{ insert: param, ac-24.02_odp.01 }} that do not include the identity of the user or process acting on behalf of the user (if selected);'
+                      links:
+                        - href: '#ac-24.2_smt'
+                          rel: assessment-for
                     - id: ac-24.2_obj-2
                       name: assessment-objective
                       props:
@@ -17969,6 +19188,12 @@ catalog:
                           value: AC-24(02)[02]
                           class: sp800-53a
                       prose: 'access control decisions are enforced based on {{ insert: param, ac-24.02_odp.02 }} that do not include the identity of the user or process acting on behalf of the user (if selected).'
+                      links:
+                        - href: '#ac-24.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ac-24.2_smt'
+                      rel: assessment-for
                 - id: ac-24.2_asm-examine
                   name: assessment-method
                   props:
@@ -18086,6 +19311,9 @@ catalog:
                   value: AC-25
                   class: sp800-53a
               prose: 'a reference monitor is implemented for {{ insert: param, ac-25_odp }} that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.'
+              links:
+                - href: '#ac-25_smt'
+                  rel: assessment-for
             - id: ac-25_asm-examine
               name: assessment-method
               props:
@@ -18356,6 +19584,9 @@ catalog:
                           value: AT-01a.[01]
                           class: sp800-53a
                       prose: 'an awareness and training policy is developed and documented; '
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -18363,6 +19594,9 @@ catalog:
                           value: AT-01a.[02]
                           class: sp800-53a
                       prose: 'the awareness and training policy is disseminated to {{ insert: param, at-01_odp.01 }};'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -18370,6 +19604,9 @@ catalog:
                           value: AT-01a.[03]
                           class: sp800-53a
                       prose: awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -18377,6 +19614,9 @@ catalog:
                           value: AT-01a.[04]
                           class: sp800-53a
                       prose: 'the awareness and training procedures are disseminated to {{ insert: param, at-01_odp.02 }}.'
+                      links:
+                        - href: '#at-1_smt.a'
+                          rel: assessment-for
                     - id: at-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -18398,6 +19638,9 @@ catalog:
                                   value: AT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses purpose;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -18405,6 +19648,9 @@ catalog:
                                   value: AT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses scope;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -18412,6 +19658,9 @@ catalog:
                                   value: AT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses roles;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -18419,6 +19668,9 @@ catalog:
                                   value: AT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses responsibilities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -18426,6 +19678,9 @@ catalog:
                                   value: AT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses management commitment;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -18433,6 +19688,9 @@ catalog:
                                   value: AT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: at-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -18440,6 +19698,12 @@ catalog:
                                   value: AT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy addresses compliance; and'
+                              links:
+                                - href: '#at-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#at-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: at-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -18447,6 +19711,15 @@ catalog:
                               value: AT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, at-01_odp.03 }} awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and'
+                          links:
+                            - href: '#at-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.a'
+                      rel: assessment-for
                 - id: at-1_obj.b
                   name: assessment-objective
                   props:
@@ -18454,6 +19727,9 @@ catalog:
                       value: AT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, at-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;'
+                  links:
+                    - href: '#at-1_smt.b'
+                      rel: assessment-for
                 - id: at-1_obj.c
                   name: assessment-objective
                   props:
@@ -18475,6 +19751,9 @@ catalog:
                               value: AT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated {{ insert: param, at-01_odp.05 }}; '
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
                         - id: at-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -18482,6 +19761,12 @@ catalog:
                               value: AT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current awareness and training policy is reviewed and updated following {{ insert: param, at-01_odp.06 }};'
+                          links:
+                            - href: '#at-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.1'
+                          rel: assessment-for
                     - id: at-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -18496,6 +19781,9 @@ catalog:
                               value: AT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated {{ insert: param, at-01_odp.07 }};'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
                         - id: at-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -18503,6 +19791,18 @@ catalog:
                               value: AT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current awareness and training procedures are reviewed and updated following {{ insert: param, at-01_odp.08 }}.'
+                          links:
+                            - href: '#at-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-1_smt'
+                  rel: assessment-for
             - id: at-1_asm-examine
               name: assessment-method
               props:
@@ -18755,6 +20055,9 @@ catalog:
                               value: AT-02a.01[01]
                               class: sp800-53a
                           prose: security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -18762,6 +20065,9 @@ catalog:
                               value: AT-02a.01[02]
                               class: sp800-53a
                           prose: privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -18769,6 +20075,9 @@ catalog:
                               value: AT-02a.01[03]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.01 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
                         - id: at-2_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -18776,6 +20085,12 @@ catalog:
                               value: AT-02a.01[04]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) {{ insert: param, at-02_odp.02 }} thereafter;'
+                          links:
+                            - href: '#at-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.1'
+                          rel: assessment-for
                     - id: at-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -18790,6 +20105,9 @@ catalog:
                               value: AT-02a.02[01]
                               class: sp800-53a
                           prose: 'security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.03 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
                         - id: at-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -18797,6 +20115,15 @@ catalog:
                               value: AT-02a.02[02]
                               class: sp800-53a
                           prose: 'privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following {{ insert: param, at-02_odp.04 }};'
+                          links:
+                            - href: '#at-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-2_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.a'
+                      rel: assessment-for
                 - id: at-2_obj.b
                   name: assessment-objective
                   props:
@@ -18804,6 +20131,9 @@ catalog:
                       value: AT-02b.
                       class: sp800-53a
                   prose: '{{ insert: param, at-02_odp.05 }} are employed to increase the security and privacy awareness of system users;'
+                  links:
+                    - href: '#at-2_smt.b'
+                      rel: assessment-for
                 - id: at-2_obj.c
                   name: assessment-objective
                   props:
@@ -18818,6 +20148,9 @@ catalog:
                           value: AT-02c.[01]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated {{ insert: param, at-02_odp.06 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
                     - id: at-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -18825,6 +20158,12 @@ catalog:
                           value: AT-02c.[02]
                           class: sp800-53a
                       prose: 'literacy training and awareness content is updated following {{ insert: param, at-02_odp.07 }};'
+                      links:
+                        - href: '#at-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2_smt.c'
+                      rel: assessment-for
                 - id: at-2_obj.d
                   name: assessment-objective
                   props:
@@ -18832,6 +20171,12 @@ catalog:
                       value: AT-02d.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
+                  links:
+                    - href: '#at-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#at-2_smt'
+                  rel: assessment-for
             - id: at-2_asm-examine
               name: assessment-method
               props:
@@ -18933,6 +20278,9 @@ catalog:
                       value: AT-02(01)
                       class: sp800-53a
                   prose: practical exercises in literacy training that simulate events and incidents are provided.
+                  links:
+                    - href: '#at-2.1_smt'
+                      rel: assessment-for
                 - id: at-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -19030,6 +20378,9 @@ catalog:
                           value: AT-02(02)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential indicators of insider threat is provided;
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
                     - id: at-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -19037,6 +20388,12 @@ catalog:
                           value: AT-02(02)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential indicators of insider threat is provided.
+                      links:
+                        - href: '#at-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.2_smt'
+                      rel: assessment-for
                 - id: at-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -19120,6 +20477,9 @@ catalog:
                           value: AT-02(03)[01]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-2
                       name: assessment-objective
                       props:
@@ -19127,6 +20487,9 @@ catalog:
                           value: AT-02(03)[02]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social engineering is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-3
                       name: assessment-objective
                       props:
@@ -19134,6 +20497,9 @@ catalog:
                           value: AT-02(03)[03]
                           class: sp800-53a
                       prose: literacy training on recognizing potential and actual instances of social mining is provided;
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
                     - id: at-2.3_obj-4
                       name: assessment-objective
                       props:
@@ -19141,6 +20507,12 @@ catalog:
                           value: AT-02(03)[04]
                           class: sp800-53a
                       prose: literacy training on reporting potential and actual instances of social mining is provided.
+                      links:
+                        - href: '#at-2.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.3_smt'
+                      rel: assessment-for
                 - id: at-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -19228,6 +20600,9 @@ catalog:
                       value: AT-02(04)
                       class: sp800-53a
                   prose: 'literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }} is provided.'
+                  links:
+                    - href: '#at-2.4_smt'
+                      rel: assessment-for
                 - id: at-2.4_asm-examine
                   name: assessment-method
                   props:
@@ -19304,6 +20679,9 @@ catalog:
                       value: AT-02(05)
                       class: sp800-53a
                   prose: literacy training on the advanced persistent threat is provided.
+                  links:
+                    - href: '#at-2.5_smt'
+                      rel: assessment-for
                 - id: at-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -19401,6 +20779,9 @@ catalog:
                           value: AT-02(06)(a)
                           class: sp800-53a
                       prose: literacy training on the cyber threat environment is provided;
+                      links:
+                        - href: '#at-2.6_smt.a'
+                          rel: assessment-for
                     - id: at-2.6_obj.b
                       name: assessment-objective
                       props:
@@ -19408,6 +20789,12 @@ catalog:
                           value: AT-02(06)(b)
                           class: sp800-53a
                       prose: system operations reflects current cyber threat information.
+                      links:
+                        - href: '#at-2.6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-2.6_smt'
+                      rel: assessment-for
                 - id: at-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -19643,6 +21030,9 @@ catalog:
                               value: AT-03a.01[01]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -19650,6 +21040,9 @@ catalog:
                               value: AT-03a.01[02]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} before authorizing access to the system, information, or performing assigned duties;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -19657,6 +21050,9 @@ catalog:
                               value: AT-03a.01[03]
                               class: sp800-53a
                           prose: 'role-based security training is provided to {{ insert: param, at-03_odp.01 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
                         - id: at-3_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -19664,6 +21060,12 @@ catalog:
                               value: AT-03a.01[04]
                               class: sp800-53a
                           prose: 'role-based privacy training is provided to {{ insert: param, at-03_odp.02 }} {{ insert: param, at-03_odp.03 }} thereafter;'
+                          links:
+                            - href: '#at-3_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.1'
+                          rel: assessment-for
                     - id: at-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -19678,6 +21080,9 @@ catalog:
                               value: AT-03a.02[01]
                               class: sp800-53a
                           prose: role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
                         - id: at-3_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -19685,6 +21090,15 @@ catalog:
                               value: AT-03a.02[02]
                               class: sp800-53a
                           prose: role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
+                          links:
+                            - href: '#at-3_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#at-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.a'
+                      rel: assessment-for
                 - id: at-3_obj.b
                   name: assessment-objective
                   props:
@@ -19699,6 +21113,9 @@ catalog:
                           value: AT-03b.[01]
                           class: sp800-53a
                       prose: 'role-based training content is updated {{ insert: param, at-03_odp.04 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
                     - id: at-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -19706,6 +21123,12 @@ catalog:
                           value: AT-03b.[02]
                           class: sp800-53a
                       prose: 'role-based training content is updated following {{ insert: param, at-03_odp.05 }};'
+                      links:
+                        - href: '#at-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3_smt.b'
+                      rel: assessment-for
                 - id: at-3_obj.c
                   name: assessment-objective
                   props:
@@ -19713,6 +21136,12 @@ catalog:
                       value: AT-03c.
                       class: sp800-53a
                   prose: lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
+                  links:
+                    - href: '#at-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#at-3_smt'
+                  rel: assessment-for
             - id: at-3_asm-examine
               name: assessment-method
               props:
@@ -19835,6 +21264,9 @@ catalog:
                       value: AT-03(01)
                       class: sp800-53a
                   prose: '{{ insert: param, at-03.01_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.01_odp.02 }} in the employment and operation of environmental controls.'
+                  links:
+                    - href: '#at-3.1_smt'
+                      rel: assessment-for
                 - id: at-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -19938,6 +21370,9 @@ catalog:
                       value: AT-03(02)
                       class: sp800-53a
                   prose: '{{ insert: param, at-03.02_odp.01 }} is/are provided with initial and refresher training {{ insert: param, at-03.02_odp.02 }} in the employment and operation of physical security controls.'
+                  links:
+                    - href: '#at-3.2_smt'
+                      rel: assessment-for
                 - id: at-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -20021,6 +21456,9 @@ catalog:
                           value: AT-03(03)[01]
                           class: sp800-53a
                       prose: practical exercises in security training that reinforce training objectives are provided;
+                      links:
+                        - href: '#at-3.3_smt'
+                          rel: assessment-for
                     - id: at-3.3_obj-2
                       name: assessment-objective
                       props:
@@ -20028,6 +21466,12 @@ catalog:
                           value: AT-03(03)[02]
                           class: sp800-53a
                       prose: practical exercises in privacy training that reinforce training objectives are provided.
+                      links:
+                        - href: '#at-3.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-3.3_smt'
+                      rel: assessment-for
                 - id: at-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -20149,6 +21593,9 @@ catalog:
                       value: AT-03(05)
                       class: sp800-53a
                   prose: '{{ insert: param, at-03.05_odp.01 }} are provided with initial and refresher training {{ insert: param, at-03.05_odp.02 }} in the employment and operation of personally identifiable information processing and transparency controls.'
+                  links:
+                    - href: '#at-3.5_smt'
+                      rel: assessment-for
                 - id: at-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -20286,6 +21733,9 @@ catalog:
                           value: AT-04a.[01]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
                     - id: at-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -20293,6 +21743,12 @@ catalog:
                           value: AT-04a.[02]
                           class: sp800-53a
                       prose: information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
+                      links:
+                        - href: '#at-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#at-4_smt.a'
+                      rel: assessment-for
                 - id: at-4_obj.b
                   name: assessment-objective
                   props:
@@ -20300,6 +21756,12 @@ catalog:
                       value: AT-04b.
                       class: sp800-53a
                   prose: 'individual training records are retained for {{ insert: param, at-04_odp }}.'
+                  links:
+                    - href: '#at-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#at-4_smt'
+                  rel: assessment-for
             - id: at-4_asm-examine
               name: assessment-method
               props:
@@ -20415,6 +21877,9 @@ catalog:
                   value: AT-06
                   class: sp800-53a
               prose: 'feedback on organizational training results is provided {{ insert: param, at-06_odp.01 }} to {{ insert: param, at-06_odp.02 }}.'
+              links:
+                - href: '#at-6_smt'
+                  rel: assessment-for
             - id: at-6_asm-examine
               name: assessment-method
               props:
@@ -20670,6 +22135,9 @@ catalog:
                           value: AU-01a.[01]
                           class: sp800-53a
                       prose: an audit and accountability policy is developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -20677,6 +22145,9 @@ catalog:
                           value: AU-01a.[02]
                           class: sp800-53a
                       prose: 'the audit and accountability policy is disseminated to {{ insert: param, au-01_odp.01 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -20684,6 +22155,9 @@ catalog:
                           value: AU-01a.[03]
                           class: sp800-53a
                       prose: audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -20691,6 +22165,9 @@ catalog:
                           value: AU-01a.[04]
                           class: sp800-53a
                       prose: 'the audit and accountability procedures are disseminated to {{ insert: param, au-01_odp.02 }};'
+                      links:
+                        - href: '#au-1_smt.a'
+                          rel: assessment-for
                     - id: au-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -20712,6 +22189,9 @@ catalog:
                                   value: AU-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses purpose;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -20719,6 +22199,9 @@ catalog:
                                   value: AU-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses scope;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -20726,6 +22209,9 @@ catalog:
                                   value: AU-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses roles;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -20733,6 +22219,9 @@ catalog:
                                   value: AU-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses responsibilities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -20740,6 +22229,9 @@ catalog:
                                   value: AU-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses management commitment;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -20747,6 +22239,9 @@ catalog:
                                   value: AU-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: au-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -20754,6 +22249,12 @@ catalog:
                                   value: AU-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy addresses compliance;'
+                              links:
+                                - href: '#au-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#au-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: au-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -20761,6 +22262,15 @@ catalog:
                               value: AU-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, au-01_odp.03 }} of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#au-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.a'
+                      rel: assessment-for
                 - id: au-1_obj.b
                   name: assessment-objective
                   props:
@@ -20768,6 +22278,9 @@ catalog:
                       value: AU-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, au-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;'
+                  links:
+                    - href: '#au-1_smt.b'
+                      rel: assessment-for
                 - id: au-1_obj.c
                   name: assessment-objective
                   props:
@@ -20789,6 +22302,9 @@ catalog:
                               value: AU-01c.01[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated {{ insert: param, au-01_odp.05 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
                         - id: au-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -20796,6 +22312,12 @@ catalog:
                               value: AU-01c.01[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability policy is reviewed and updated following {{ insert: param, au-01_odp.06 }};'
+                          links:
+                            - href: '#au-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.1'
+                          rel: assessment-for
                     - id: au-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -20810,6 +22332,9 @@ catalog:
                               value: AU-01c.02[01]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated {{ insert: param, au-01_odp.07 }};'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
                         - id: au-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -20817,6 +22342,18 @@ catalog:
                               value: AU-01c.02[02]
                               class: sp800-53a
                           prose: 'the current audit and accountability procedures are reviewed and updated following {{ insert: param, au-01_odp.08 }}.'
+                          links:
+                            - href: '#au-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#au-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-1_smt'
+                  rel: assessment-for
             - id: au-1_asm-examine
               name: assessment-method
               props:
@@ -21043,6 +22580,9 @@ catalog:
                       value: AU-02a.
                       class: sp800-53a
                   prose: '{{ insert: param, au-02_odp.01 }} that the system is capable of logging are identified in support of the audit logging function;'
+                  links:
+                    - href: '#au-2_smt.a'
+                      rel: assessment-for
                 - id: au-2_obj.b
                   name: assessment-objective
                   props:
@@ -21050,6 +22590,9 @@ catalog:
                       value: AU-02b.
                       class: sp800-53a
                   prose: the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+                  links:
+                    - href: '#au-2_smt.b'
+                      rel: assessment-for
                 - id: au-2_obj.c
                   name: assessment-objective
                   props:
@@ -21064,6 +22607,9 @@ catalog:
                           value: AU-02c.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, au-02_odp.02 }} are specified for logging within the system;'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
                     - id: au-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -21071,6 +22617,12 @@ catalog:
                           value: AU-02c.[02]
                           class: sp800-53a
                       prose: 'the specified event types are logged within the system {{ insert: param, au-02_odp.03 }};'
+                      links:
+                        - href: '#au-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-2_smt.c'
+                      rel: assessment-for
                 - id: au-2_obj.d
                   name: assessment-objective
                   props:
@@ -21078,6 +22630,9 @@ catalog:
                       value: AU-02d.
                       class: sp800-53a
                   prose: a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+                  links:
+                    - href: '#au-2_smt.d'
+                      rel: assessment-for
                 - id: au-2_obj.e
                   name: assessment-objective
                   props:
@@ -21085,6 +22640,12 @@ catalog:
                       value: AU-02e.
                       class: sp800-53a
                   prose: 'the event types selected for logging are reviewed and updated {{ insert: param, au-02_odp.04 }}.'
+                  links:
+                    - href: '#au-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#au-2_smt'
+                  rel: assessment-for
             - id: au-2_asm-examine
               name: assessment-method
               props:
@@ -21303,6 +22864,9 @@ catalog:
                       value: AU-03a.
                       class: sp800-53a
                   prose: audit records contain information that establishes what type of event occurred;
+                  links:
+                    - href: '#au-3_smt.a'
+                      rel: assessment-for
                 - id: au-3_obj.b
                   name: assessment-objective
                   props:
@@ -21310,6 +22874,9 @@ catalog:
                       value: AU-03b.
                       class: sp800-53a
                   prose: audit records contain information that establishes when the event occurred;
+                  links:
+                    - href: '#au-3_smt.b'
+                      rel: assessment-for
                 - id: au-3_obj.c
                   name: assessment-objective
                   props:
@@ -21317,6 +22884,9 @@ catalog:
                       value: AU-03c.
                       class: sp800-53a
                   prose: audit records contain information that establishes where the event occurred;
+                  links:
+                    - href: '#au-3_smt.c'
+                      rel: assessment-for
                 - id: au-3_obj.d
                   name: assessment-objective
                   props:
@@ -21324,6 +22894,9 @@ catalog:
                       value: AU-03d.
                       class: sp800-53a
                   prose: audit records contain information that establishes the source of the event;
+                  links:
+                    - href: '#au-3_smt.d'
+                      rel: assessment-for
                 - id: au-3_obj.e
                   name: assessment-objective
                   props:
@@ -21331,6 +22904,9 @@ catalog:
                       value: AU-03e.
                       class: sp800-53a
                   prose: audit records contain information that establishes the outcome of the event;
+                  links:
+                    - href: '#au-3_smt.e'
+                      rel: assessment-for
                 - id: au-3_obj.f
                   name: assessment-objective
                   props:
@@ -21338,6 +22914,12 @@ catalog:
                       value: AU-03f.
                       class: sp800-53a
                   prose: audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+                  links:
+                    - href: '#au-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#au-3_smt'
+                  rel: assessment-for
             - id: au-3_asm-examine
               name: assessment-method
               props:
@@ -21441,6 +23023,9 @@ catalog:
                       value: AU-03(01)
                       class: sp800-53a
                   prose: 'generated audit records contain the following {{ insert: param, au-03.01_odp }}.'
+                  links:
+                    - href: '#au-3.1_smt'
+                      rel: assessment-for
                 - id: au-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -21561,6 +23146,9 @@ catalog:
                       value: AU-03(03)
                       class: sp800-53a
                   prose: 'personally identifiable information contained in audit records is limited to {{ insert: param, au-03.03_odp }} identified in the privacy risk assessment.'
+                  links:
+                    - href: '#au-3.3_smt'
+                      rel: assessment-for
                 - id: au-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -21688,6 +23276,9 @@ catalog:
                   value: AU-04
                   class: sp800-53a
               prose: 'audit log storage capacity is allocated to accommodate {{ insert: param, au-04_odp }}.'
+              links:
+                - href: '#au-4_smt'
+                  rel: assessment-for
             - id: au-4_asm-examine
               name: assessment-method
               props:
@@ -21796,6 +23387,9 @@ catalog:
                       value: AU-04(01)
                       class: sp800-53a
                   prose: 'audit logs are transferred {{ insert: param, au-04.01_odp }} to a different system, system component, or media other than the system or system component conducting the logging.'
+                  links:
+                    - href: '#au-4.1_smt'
+                      rel: assessment-for
                 - id: au-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -21953,6 +23547,9 @@ catalog:
                       value: AU-05a.
                       class: sp800-53a
                   prose: '{{ insert: param, au-05_odp.01 }} are alerted in the event of an audit logging process failure within {{ insert: param, au-05_odp.02 }};'
+                  links:
+                    - href: '#au-5_smt.a'
+                      rel: assessment-for
                 - id: au-5_obj.b
                   name: assessment-objective
                   props:
@@ -21960,6 +23557,12 @@ catalog:
                       value: AU-05b.
                       class: sp800-53a
                   prose: '{{ insert: param, au-05_odp.03 }} are taken in the event of an audit logging process failure.'
+                  links:
+                    - href: '#au-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-5_smt'
+                  rel: assessment-for
             - id: au-5_asm-examine
               name: assessment-method
               props:
@@ -22083,6 +23686,9 @@ catalog:
                       value: AU-05(01)
                       class: sp800-53a
                   prose: 'a warning is provided to {{ insert: param, au-05.01_odp.01 }} within {{ insert: param, au-05.01_odp.02 }} when allocated audit log storage volume reaches {{ insert: param, au-05.01_odp.03 }} of repository maximum audit log storage capacity.'
+                  links:
+                    - href: '#au-5.1_smt'
+                      rel: assessment-for
                 - id: au-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -22201,6 +23807,9 @@ catalog:
                       value: AU-05(02)
                       class: sp800-53a
                   prose: 'an alert is provided within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when {{ insert: param, au-05.02_odp.03 }} occur.'
+                  links:
+                    - href: '#au-5.2_smt'
+                      rel: assessment-for
                 - id: au-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -22298,6 +23907,9 @@ catalog:
                           value: AU-05(03)[01]
                           class: sp800-53a
                       prose: configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity are enforced;
+                      links:
+                        - href: '#au-5.3_smt'
+                          rel: assessment-for
                     - id: au-5.3_obj-2
                       name: assessment-objective
                       props:
@@ -22305,6 +23917,12 @@ catalog:
                           value: AU-05(03)[02]
                           class: sp800-53a
                       prose: 'network traffic is {{ insert: param, au-05.03_odp }} if network traffic volume is above configured thresholds.'
+                      links:
+                        - href: '#au-5.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-5.3_smt'
+                      rel: assessment-for
                 - id: au-5.3_asm-examine
                   name: assessment-method
                   props:
@@ -22408,6 +24026,9 @@ catalog:
                       value: AU-05(04)
                       class: sp800-53a
                   prose: '{{ insert: param, au-05.04_odp.01 }} is/are invoked in the event of {{ insert: param, au-05.04_odp.02 }} , unless an alternate audit logging capability exists.'
+                  links:
+                    - href: '#au-5.4_smt'
+                      rel: assessment-for
                 - id: au-5.4_asm-examine
                   name: assessment-method
                   props:
@@ -22510,6 +24131,9 @@ catalog:
                       value: AU-05(05)
                       class: sp800-53a
                   prose: 'an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements {{ insert: param, au-05.05_odp }}.'
+                  links:
+                    - href: '#au-5.5_smt'
+                      rel: assessment-for
                 - id: au-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -22720,6 +24344,9 @@ catalog:
                       value: AU-06a.
                       class: sp800-53a
                   prose: 'system audit records are reviewed and analyzed {{ insert: param, au-06_odp.01 }} for indications of {{ insert: param, au-06_odp.02 }} and the potential impact of the inappropriate or unusual activity;'
+                  links:
+                    - href: '#au-6_smt.a'
+                      rel: assessment-for
                 - id: au-6_obj.b
                   name: assessment-objective
                   props:
@@ -22727,6 +24354,9 @@ catalog:
                       value: AU-06b.
                       class: sp800-53a
                   prose: 'findings are reported to {{ insert: param, au-06_odp.03 }};'
+                  links:
+                    - href: '#au-6_smt.b'
+                      rel: assessment-for
                 - id: au-6_obj.c
                   name: assessment-objective
                   props:
@@ -22734,6 +24364,12 @@ catalog:
                       value: AU-06c.
                       class: sp800-53a
                   prose: the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
+                  links:
+                    - href: '#au-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-6_smt'
+                  rel: assessment-for
             - id: au-6_asm-examine
               name: assessment-method
               props:
@@ -22822,6 +24458,9 @@ catalog:
                       value: AU-06(01)
                       class: sp800-53a
                   prose: 'audit record review, analysis, and reporting processes are integrated using {{ insert: param, au-06.01_odp }}.'
+                  links:
+                    - href: '#au-6.1_smt'
+                      rel: assessment-for
                 - id: au-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -22932,6 +24571,9 @@ catalog:
                       value: AU-06(03)
                       class: sp800-53a
                   prose: audit records across different repositories are analyzed and correlated to gain organization-wide situational awareness.
+                  links:
+                    - href: '#au-6.3_smt'
+                      rel: assessment-for
                 - id: au-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -23031,6 +24673,9 @@ catalog:
                           value: AU-06(04)[01]
                           class: sp800-53a
                       prose: the capability to centrally review and analyze audit records from multiple components within the system is provided;
+                      links:
+                        - href: '#au-6.4_smt'
+                          rel: assessment-for
                     - id: au-6.4_obj-2
                       name: assessment-objective
                       props:
@@ -23038,6 +24683,12 @@ catalog:
                           value: AU-06(04)[02]
                           class: sp800-53a
                       prose: the capability to centrally review and analyze audit records from multiple components within the system is implemented.
+                      links:
+                        - href: '#au-6.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-6.4_smt'
+                      rel: assessment-for
                 - id: au-6.4_asm-examine
                   name: assessment-method
                   props:
@@ -23157,6 +24808,9 @@ catalog:
                       value: AU-06(05)
                       class: sp800-53a
                   prose: 'analysis of audit records is integrated with analysis of {{ insert: param, au-06.05_odp.01 }} to further enhance the ability to identify inappropriate or unusual activity.'
+                  links:
+                    - href: '#au-6.5_smt'
+                      rel: assessment-for
                 - id: au-6.5_asm-examine
                   name: assessment-method
                   props:
@@ -23245,6 +24899,9 @@ catalog:
                       value: AU-06(06)
                       class: sp800-53a
                   prose: information from audit records is correlated with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.
+                  links:
+                    - href: '#au-6.6_smt'
+                      rel: assessment-for
                 - id: au-6.6_asm-examine
                   name: assessment-method
                   props:
@@ -23351,6 +25008,9 @@ catalog:
                       value: AU-06(07)
                       class: sp800-53a
                   prose: 'the permitted actions for each {{ insert: param, au-06.07_odp }} associated with the review, analysis, and reporting of audit record information are specified.'
+                  links:
+                    - href: '#au-6.7_smt'
+                      rel: assessment-for
                 - id: au-6.7_asm-examine
                   name: assessment-method
                   props:
@@ -23441,6 +25101,9 @@ catalog:
                       value: AU-06(08)
                       class: sp800-53a
                   prose: a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system or other system that is dedicated to that analysis is performed.
+                  links:
+                    - href: '#au-6.8_smt'
+                      rel: assessment-for
                 - id: au-6.8_asm-examine
                   name: assessment-method
                   props:
@@ -23533,6 +25196,9 @@ catalog:
                       value: AU-06(09)
                       class: sp800-53a
                   prose: information from non-technical sources is correlated with audit record information to enhance organization-wide situational awareness.
+                  links:
+                    - href: '#au-6.9_smt'
+                      rel: assessment-for
                 - id: au-6.9_asm-examine
                   name: assessment-method
                   props:
@@ -23690,6 +25356,9 @@ catalog:
                           value: AU-07a.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
                     - id: au-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -23697,6 +25366,12 @@ catalog:
                           value: AU-07a.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents;
+                      links:
+                        - href: '#au-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.a'
+                      rel: assessment-for
                 - id: au-7_obj.b
                   name: assessment-objective
                   props:
@@ -23711,6 +25386,9 @@ catalog:
                           value: AU-07b.[01]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is provided that does not alter the original content or time ordering of audit records;
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
                     - id: au-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -23718,6 +25396,15 @@ catalog:
                           value: AU-07b.[02]
                           class: sp800-53a
                       prose: an audit record reduction and report generation capability is implemented that does not alter the original content or time ordering of audit records.
+                      links:
+                        - href: '#au-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-7_smt'
+                  rel: assessment-for
             - id: au-7_asm-examine
               name: assessment-method
               props:
@@ -23827,6 +25514,9 @@ catalog:
                           value: AU-07(01)[01]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are provided;'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
                     - id: au-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -23834,6 +25524,12 @@ catalog:
                           value: AU-07(01)[02]
                           class: sp800-53a
                       prose: 'the capability to process, sort, and search audit records for events of interest based on {{ insert: param, au-07.01_odp }} are implemented.'
+                      links:
+                        - href: '#au-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-7.1_smt'
+                      rel: assessment-for
                 - id: au-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -23977,6 +25673,9 @@ catalog:
                       value: AU-08a.
                       class: sp800-53a
                   prose: internal system clocks are used to generate timestamps for audit records;
+                  links:
+                    - href: '#au-8_smt.a'
+                      rel: assessment-for
                 - id: au-8_obj.b
                   name: assessment-objective
                   props:
@@ -23984,6 +25683,12 @@ catalog:
                       value: AU-08b.
                       class: sp800-53a
                   prose: 'timestamps are recorded for audit records that meet {{ insert: param, au-08_odp }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.'
+                  links:
+                    - href: '#au-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-8_smt'
+                  rel: assessment-for
             - id: au-8_asm-examine
               name: assessment-method
               props:
@@ -24166,6 +25871,9 @@ catalog:
                       value: AU-09a.
                       class: sp800-53a
                   prose: audit information and audit logging tools are protected from unauthorized access, modification, and deletion;
+                  links:
+                    - href: '#au-9_smt.a'
+                      rel: assessment-for
                 - id: au-9_obj.b
                   name: assessment-objective
                   props:
@@ -24173,6 +25881,12 @@ catalog:
                       value: AU-09b.
                       class: sp800-53a
                   prose: '{{ insert: param, au-09_odp }} are alerted upon detection of unauthorized access, modification, or deletion of audit information.'
+                  links:
+                    - href: '#au-9_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-9_smt'
+                  rel: assessment-for
             - id: au-9_asm-examine
               name: assessment-method
               props:
@@ -24271,6 +25985,9 @@ catalog:
                       value: AU-09(01)
                       class: sp800-53a
                   prose: audit trails are written to hardware-enforced, write-once media.
+                  links:
+                    - href: '#au-9.1_smt'
+                      rel: assessment-for
                 - id: au-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -24381,6 +26098,9 @@ catalog:
                       value: AU-09(02)
                       class: sp800-53a
                   prose: 'audit records are stored {{ insert: param, au-09.02_odp }} in a repository that is part of a physically different system or system component than the system or component being audited.'
+                  links:
+                    - href: '#au-9.2_smt'
+                      rel: assessment-for
                 - id: au-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -24478,6 +26198,9 @@ catalog:
                       value: AU-09(03)
                       class: sp800-53a
                   prose: cryptographic mechanisms to protect the integrity of audit information and audit tools are implemented.
+                  links:
+                    - href: '#au-9.3_smt'
+                      rel: assessment-for
                 - id: au-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -24584,6 +26307,9 @@ catalog:
                       value: AU-09(04)
                       class: sp800-53a
                   prose: 'access to management of audit logging functionality is authorized only to {{ insert: param, au-09.04_odp }}.'
+                  links:
+                    - href: '#au-9.4_smt'
+                      rel: assessment-for
                 - id: au-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -24707,6 +26433,9 @@ catalog:
                       value: AU-09(05)
                       class: sp800-53a
                   prose: 'dual authorization is enforced for the {{ insert: param, au-09.05_odp.01 }} of {{ insert: param, au-09.05_odp.02 }}.'
+                  links:
+                    - href: '#au-9.5_smt'
+                      rel: assessment-for
                 - id: au-9.5_asm-examine
                   name: assessment-method
                   props:
@@ -24812,6 +26541,9 @@ catalog:
                       value: AU-09(06)
                       class: sp800-53a
                   prose: 'read-only access to audit information is authorized to {{ insert: param, au-09.06_odp }}.'
+                  links:
+                    - href: '#au-9.6_smt'
+                      rel: assessment-for
                 - id: au-9.6_asm-examine
                   name: assessment-method
                   props:
@@ -24915,6 +26647,9 @@ catalog:
                       value: AU-09(07)
                       class: sp800-53a
                   prose: audit information is stored on a component running a different operating system than the system or component being audited.
+                  links:
+                    - href: '#au-9.7_smt'
+                      rel: assessment-for
                 - id: au-9.7_asm-examine
                   name: assessment-method
                   props:
@@ -25050,6 +26785,9 @@ catalog:
                   value: AU-10
                   class: sp800-53a
               prose: 'irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed {{ insert: param, au-10_odp }}.'
+              links:
+                - href: '#au-10_smt'
+                  rel: assessment-for
             - id: au-10_asm-examine
               name: assessment-method
               props:
@@ -25175,6 +26913,9 @@ catalog:
                           value: AU-10(01)(a)
                           class: sp800-53a
                       prose: 'the identity of the information producer is bound with the information to {{ insert: param, au-10.01_odp }};'
+                      links:
+                        - href: '#au-10.1_smt.a'
+                          rel: assessment-for
                     - id: au-10.1_obj.b
                       name: assessment-objective
                       props:
@@ -25182,6 +26923,12 @@ catalog:
                           value: AU-10(01)(b)
                           class: sp800-53a
                       prose: the means for authorized individuals to determine the identity of the producer of the information is provided.
+                      links:
+                        - href: '#au-10.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-10.1_smt'
+                      rel: assessment-for
                 - id: au-10.1_asm-examine
                   name: assessment-method
                   props:
@@ -25318,6 +27065,9 @@ catalog:
                           value: AU-10(02)(a)
                           class: sp800-53a
                       prose: 'the binding of the information producer identity to the information is validated at {{ insert: param, au-10.02_odp.01 }};'
+                      links:
+                        - href: '#au-10.2_smt.a'
+                          rel: assessment-for
                     - id: au-10.2_obj.b
                       name: assessment-objective
                       props:
@@ -25325,6 +27075,12 @@ catalog:
                           value: AU-10(02)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, au-10.02_odp.02 }} in the event of a validation error are performed.'
+                      links:
+                        - href: '#au-10.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-10.2_smt'
+                      rel: assessment-for
                 - id: au-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -25424,6 +27180,9 @@ catalog:
                       value: AU-10(03)
                       class: sp800-53a
                   prose: reviewer or releaser credentials are maintained within the established chain of custody for information reviewed or released.
+                  links:
+                    - href: '#au-10.3_smt'
+                      rel: assessment-for
                 - id: au-10.3_asm-examine
                   name: assessment-method
                   props:
@@ -25560,6 +27319,9 @@ catalog:
                           value: AU-10(04)(a)
                           class: sp800-53a
                       prose: 'the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between {{ insert: param, au-10.04_odp.01 }} is validated;'
+                      links:
+                        - href: '#au-10.4_smt.a'
+                          rel: assessment-for
                     - id: au-10.4_obj.b
                       name: assessment-objective
                       props:
@@ -25567,6 +27329,12 @@ catalog:
                           value: AU-10(04)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, au-10.04_odp.02 }} are performed in the event of a validation error.'
+                      links:
+                        - href: '#au-10.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-10.4_smt'
+                      rel: assessment-for
                 - id: au-10.4_asm-examine
                   name: assessment-method
                   props:
@@ -25704,6 +27472,9 @@ catalog:
                   value: AU-11
                   class: sp800-53a
               prose: 'audit records are retained for {{ insert: param, au-11_odp }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.'
+              links:
+                - href: '#au-11_smt'
+                  rel: assessment-for
             - id: au-11_asm-examine
               name: assessment-method
               props:
@@ -25798,6 +27569,9 @@ catalog:
                       value: AU-11(01)
                       class: sp800-53a
                   prose: '{{ insert: param, au-11.01_odp }} are employed to ensure that long-term audit records generated by the system can be retrieved.'
+                  links:
+                    - href: '#au-11.1_smt'
+                      rel: assessment-for
                 - id: au-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -25971,6 +27745,9 @@ catalog:
                       value: AU-12a.
                       class: sp800-53a
                   prose: 'audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by {{ insert: param, au-12_odp.01 }};'
+                  links:
+                    - href: '#au-12_smt.a'
+                      rel: assessment-for
                 - id: au-12_obj.b
                   name: assessment-objective
                   props:
@@ -25978,6 +27755,9 @@ catalog:
                       value: AU-12b.
                       class: sp800-53a
                   prose: '{{ insert: param, au-12_odp.02 }} is/are allowed to select the event types that are to be logged by specific components of the system;'
+                  links:
+                    - href: '#au-12_smt.b'
+                      rel: assessment-for
                 - id: au-12_obj.c
                   name: assessment-objective
                   props:
@@ -25985,6 +27765,12 @@ catalog:
                       value: AU-12c.
                       class: sp800-53a
                   prose: audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
+                  links:
+                    - href: '#au-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#au-12_smt'
+                  rel: assessment-for
             - id: au-12_asm-examine
               name: assessment-method
               props:
@@ -26105,6 +27891,9 @@ catalog:
                       value: AU-12(01)
                       class: sp800-53a
                   prose: 'audit records from {{ insert: param, au-12.01_odp.01 }} are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.'
+                  links:
+                    - href: '#au-12.1_smt'
+                      rel: assessment-for
                 - id: au-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -26196,6 +27985,9 @@ catalog:
                       value: AU-12(02)
                       class: sp800-53a
                   prose: a system-wide (logical or physical) audit trail composed of audit records is produced in a standardized format.
+                  links:
+                    - href: '#au-12.2_smt'
+                      rel: assessment-for
                 - id: au-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -26337,6 +28129,9 @@ catalog:
                           value: AU-12(03)[01]
                           class: sp800-53a
                       prose: 'the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is provided;'
+                      links:
+                        - href: '#au-12.3_smt'
+                          rel: assessment-for
                     - id: au-12.3_obj-2
                       name: assessment-objective
                       props:
@@ -26344,6 +28139,12 @@ catalog:
                           value: AU-12(03)[02]
                           class: sp800-53a
                       prose: 'the capability for {{ insert: param, au-12.03_odp.01 }} to change the logging to be performed on {{ insert: param, au-12.03_odp.02 }} based on {{ insert: param, au-12.03_odp.03 }} within {{ insert: param, au-12.03_odp.04 }} is implemented.'
+                      links:
+                        - href: '#au-12.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-12.3_smt'
+                      rel: assessment-for
                 - id: au-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -26442,6 +28243,9 @@ catalog:
                           value: AU-12(04)[01]
                           class: sp800-53a
                       prose: the capability to audit the parameters of user query events for data sets containing personally identifiable information is provided;
+                      links:
+                        - href: '#au-12.4_smt'
+                          rel: assessment-for
                     - id: au-12.4_obj-2
                       name: assessment-objective
                       props:
@@ -26449,6 +28253,12 @@ catalog:
                           value: AU-12(04)[02]
                           class: sp800-53a
                       prose: the capability to audit the parameters of user query events for data sets containing personally identifiable information is implemented.
+                      links:
+                        - href: '#au-12.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-12.4_smt'
+                      rel: assessment-for
                 - id: au-12.4_asm-examine
                   name: assessment-method
                   props:
@@ -26628,6 +28438,9 @@ catalog:
                       value: AU-13a.
                       class: sp800-53a
                   prose: '{{ insert: param, au-13_odp.01 }} is/are monitored {{ insert: param, au-13_odp.02 }} for evidence of unauthorized disclosure of organizational information;'
+                  links:
+                    - href: '#au-13_smt.a'
+                      rel: assessment-for
                 - id: au-13_obj.b
                   name: assessment-objective
                   props:
@@ -26642,6 +28455,9 @@ catalog:
                           value: AU-13b.01
                           class: sp800-53a
                       prose: '{{ insert: param, au-13_odp.03 }} are notified if an information disclosure is discovered;'
+                      links:
+                        - href: '#au-13_smt.b.1'
+                          rel: assessment-for
                     - id: au-13_obj.b.2
                       name: assessment-objective
                       props:
@@ -26649,6 +28465,15 @@ catalog:
                           value: AU-13b.02
                           class: sp800-53a
                       prose: '{{ insert: param, au-13_odp.04 }} are taken if an information disclosure is discovered.'
+                      links:
+                        - href: '#au-13_smt.b.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-13_smt'
+                  rel: assessment-for
             - id: au-13_asm-examine
               name: assessment-method
               props:
@@ -26754,6 +28579,9 @@ catalog:
                       value: AU-13(01)
                       class: sp800-53a
                   prose: 'open-source information and information sites are monitored using {{ insert: param, au-13.01_odp }}.'
+                  links:
+                    - href: '#au-13.1_smt'
+                      rel: assessment-for
                 - id: au-13.1_asm-examine
                   name: assessment-method
                   props:
@@ -26855,6 +28683,9 @@ catalog:
                       value: AU-13(02)
                       class: sp800-53a
                   prose: 'the list of open-source information sites being monitored is reviewed {{ insert: param, au-13.02_odp }}.'
+                  links:
+                    - href: '#au-13.2_smt'
+                      rel: assessment-for
                 - id: au-13.2_asm-examine
                   name: assessment-method
                   props:
@@ -26948,6 +28779,9 @@ catalog:
                       value: AU-13(03)
                       class: sp800-53a
                   prose: discovery techniques, processes, and tools are employed to determine if external entities are replicating organizational information in an unauthorized manner.
+                  links:
+                    - href: '#au-13.3_smt'
+                      rel: assessment-for
                 - id: au-13.3_asm-examine
                   name: assessment-method
                   props:
@@ -27119,6 +28953,9 @@ catalog:
                           value: AU-14a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, au-14_odp.01 }} are provided with the capability to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }};'
+                      links:
+                        - href: '#au-14_smt.a'
+                          rel: assessment-for
                     - id: au-14_obj.a-2
                       name: assessment-objective
                       props:
@@ -27126,6 +28963,12 @@ catalog:
                           value: AU-14a.[02]
                           class: sp800-53a
                       prose: 'the capability for {{ insert: param, au-14_odp.01 }} to {{ insert: param, au-14_odp.02 }} the content of a user session under {{ insert: param, au-14_odp.03 }} is implemented;'
+                      links:
+                        - href: '#au-14_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-14_smt.a'
+                      rel: assessment-for
                 - id: au-14_obj.b
                   name: assessment-objective
                   props:
@@ -27140,6 +28983,9 @@ catalog:
                           value: AU-14b.[01]
                           class: sp800-53a
                       prose: session auditing activities are developed in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+                      links:
+                        - href: '#au-14_smt.b'
+                          rel: assessment-for
                     - id: au-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -27147,6 +28993,9 @@ catalog:
                           value: AU-14b.[02]
                           class: sp800-53a
                       prose: session auditing activities are integrated in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+                      links:
+                        - href: '#au-14_smt.b'
+                          rel: assessment-for
                     - id: au-14_obj.b-3
                       name: assessment-objective
                       props:
@@ -27154,6 +29003,15 @@ catalog:
                           value: AU-14b.[03]
                           class: sp800-53a
                       prose: session auditing activities are used in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
+                      links:
+                        - href: '#au-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#au-14_smt'
+                  rel: assessment-for
             - id: au-14_asm-examine
               name: assessment-method
               props:
@@ -27249,6 +29107,9 @@ catalog:
                       value: AU-14(01)
                       class: sp800-53a
                   prose: session audits are initiated automatically at system start-up.
+                  links:
+                    - href: '#au-14.1_smt'
+                      rel: assessment-for
                 - id: au-14.1_asm-examine
                   name: assessment-method
                   props:
@@ -27364,6 +29225,9 @@ catalog:
                           value: AU-14(03)[01]
                           class: sp800-53a
                       prose: the capability for authorized users to remotely view and hear content related to an established user session in real time is provided;
+                      links:
+                        - href: '#au-14.3_smt'
+                          rel: assessment-for
                     - id: au-14.3_obj-2
                       name: assessment-objective
                       props:
@@ -27371,6 +29235,12 @@ catalog:
                           value: AU-14(03)[02]
                           class: sp800-53a
                       prose: the capability for authorized users to remotely view and hear content related to an established user session in real time is implemented.
+                      links:
+                        - href: '#au-14.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#au-14.3_smt'
+                      rel: assessment-for
                 - id: au-14.3_asm-examine
                   name: assessment-method
                   props:
@@ -27507,6 +29377,9 @@ catalog:
                   value: AU-16
                   class: sp800-53a
               prose: '{{ insert: param, au-16_odp.01 }} for coordinating {{ insert: param, au-16_odp.02 }} among external organizations when audit information is transmitted across organizational boundaries are employed.'
+              links:
+                - href: '#au-16_smt'
+                  rel: assessment-for
             - id: au-16_asm-examine
               name: assessment-method
               props:
@@ -27601,6 +29474,9 @@ catalog:
                       value: AU-16(01)
                       class: sp800-53a
                   prose: the identity of individuals in cross-organizational audit trails is preserved.
+                  links:
+                    - href: '#au-16.1_smt'
+                      rel: assessment-for
                 - id: au-16.1_asm-examine
                   name: assessment-method
                   props:
@@ -27711,6 +29587,9 @@ catalog:
                       value: AU-16(02)
                       class: sp800-53a
                   prose: 'cross-organizational audit information is provided to {{ insert: param, au-16.02_odp.01 }} based on {{ insert: param, au-16.02_odp.02 }}.'
+                  links:
+                    - href: '#au-16.2_smt'
+                      rel: assessment-for
                 - id: au-16.2_asm-examine
                   name: assessment-method
                   props:
@@ -27791,6 +29670,9 @@ catalog:
                       value: AU-16(03)
                       class: sp800-53a
                   prose: '{{ insert: param, au-16.03_odp }} are implemented to disassociate individuals from audit information transmitted across organizational boundaries.'
+                  links:
+                    - href: '#au-16.3_smt'
+                      rel: assessment-for
                 - id: au-16.3_asm-examine
                   name: assessment-method
                   props:
@@ -28069,6 +29951,9 @@ catalog:
                           value: CA-01a.[01]
                           class: sp800-53a
                       prose: an assessment, authorization, and monitoring policy is developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -28076,6 +29961,9 @@ catalog:
                           value: CA-01a.[02]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring policy is disseminated to {{ insert: param, ca-01_odp.01 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -28083,6 +29971,9 @@ catalog:
                           value: CA-01a.[03]
                           class: sp800-53a
                       prose: assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -28090,6 +29981,9 @@ catalog:
                           value: CA-01a.[04]
                           class: sp800-53a
                       prose: 'the assessment, authorization, and monitoring procedures are disseminated to {{ insert: param, ca-01_odp.02 }};'
+                      links:
+                        - href: '#ca-1_smt.a'
+                          rel: assessment-for
                     - id: ca-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -28111,6 +30005,9 @@ catalog:
                                   value: CA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses purpose;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -28118,6 +30015,9 @@ catalog:
                                   value: CA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses scope;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -28125,6 +30025,9 @@ catalog:
                                   value: CA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses roles;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -28132,6 +30035,9 @@ catalog:
                                   value: CA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses responsibilities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -28139,6 +30045,9 @@ catalog:
                                   value: CA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses management commitment;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -28146,6 +30055,9 @@ catalog:
                                   value: CA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ca-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -28153,6 +30065,12 @@ catalog:
                                   value: CA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy addresses compliance;'
+                              links:
+                                - href: '#ca-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ca-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ca-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -28160,6 +30078,15 @@ catalog:
                               value: CA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ca-01_odp.03 }} assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ca-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.a'
+                      rel: assessment-for
                 - id: ca-1_obj.b
                   name: assessment-objective
                   props:
@@ -28167,6 +30094,9 @@ catalog:
                       value: CA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ca-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;'
+                  links:
+                    - href: '#ca-1_smt.b'
+                      rel: assessment-for
                 - id: ca-1_obj.c
                   name: assessment-objective
                   props:
@@ -28188,6 +30118,9 @@ catalog:
                               value: CA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated {{ insert: param, ca-01_odp.05 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
                         - id: ca-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -28195,6 +30128,12 @@ catalog:
                               value: CA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring policy is reviewed and updated following {{ insert: param, ca-01_odp.06 }};'
+                          links:
+                            - href: '#ca-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.1'
+                          rel: assessment-for
                     - id: ca-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -28209,6 +30148,9 @@ catalog:
                               value: CA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated {{ insert: param, ca-01_odp.07 }}; '
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
                         - id: ca-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -28216,6 +30158,18 @@ catalog:
                               value: CA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current assessment, authorization, and monitoring procedures are reviewed and updated following {{ insert: param, ca-01_odp.08 }}.'
+                          links:
+                            - href: '#ca-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-1_smt'
+                  rel: assessment-for
             - id: ca-1_asm-examine
               name: assessment-method
               props:
@@ -28423,6 +30377,9 @@ catalog:
                       value: CA-02a.
                       class: sp800-53a
                   prose: an appropriate assessor or assessment team is selected for the type of assessment to be conducted;
+                  links:
+                    - href: '#ca-2_smt.a'
+                      rel: assessment-for
                 - id: ca-2_obj.b
                   name: assessment-objective
                   props:
@@ -28437,6 +30394,9 @@ catalog:
                           value: CA-02b.01
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;
+                      links:
+                        - href: '#ca-2_smt.b.1'
+                          rel: assessment-for
                     - id: ca-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -28444,6 +30404,9 @@ catalog:
                           value: CA-02b.02
                           class: sp800-53a
                       prose: a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;
+                      links:
+                        - href: '#ca-2_smt.b.2'
+                          rel: assessment-for
                     - id: ca-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -28458,6 +30421,9 @@ catalog:
                               value: CA-02b.03[01]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -28465,6 +30431,9 @@ catalog:
                               value: CA-02b.03[02]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including the assessment team;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
                         - id: ca-2_obj.b.3-3
                           name: assessment-objective
                           props:
@@ -28472,6 +30441,15 @@ catalog:
                               value: CA-02b.03[03]
                               class: sp800-53a
                           prose: a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;
+                          links:
+                            - href: '#ca-2_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#ca-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.b'
+                      rel: assessment-for
                 - id: ca-2_obj.c
                   name: assessment-objective
                   props:
@@ -28479,6 +30457,9 @@ catalog:
                       value: CA-02c.
                       class: sp800-53a
                   prose: the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
+                  links:
+                    - href: '#ca-2_smt.c'
+                      rel: assessment-for
                 - id: ca-2_obj.d
                   name: assessment-objective
                   props:
@@ -28493,6 +30474,9 @@ catalog:
                           value: CA-02d.[01]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
                     - id: ca-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -28500,6 +30484,12 @@ catalog:
                           value: CA-02d.[02]
                           class: sp800-53a
                       prose: 'controls are assessed in the system and its environment of operation {{ insert: param, ca-02_odp.01 }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;'
+                      links:
+                        - href: '#ca-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-2_smt.d'
+                      rel: assessment-for
                 - id: ca-2_obj.e
                   name: assessment-objective
                   props:
@@ -28507,6 +30497,9 @@ catalog:
                       value: CA-02e.
                       class: sp800-53a
                   prose: a control assessment report is produced that documents the results of the assessment;
+                  links:
+                    - href: '#ca-2_smt.e'
+                      rel: assessment-for
                 - id: ca-2_obj.f
                   name: assessment-objective
                   props:
@@ -28514,6 +30507,12 @@ catalog:
                       value: CA-02f.
                       class: sp800-53a
                   prose: 'the results of the control assessment are provided to {{ insert: param, ca-02_odp.02 }}.'
+                  links:
+                    - href: '#ca-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ca-2_smt'
+                  rel: assessment-for
             - id: ca-2_asm-examine
               name: assessment-method
               props:
@@ -28608,6 +30607,9 @@ catalog:
                       value: CA-02(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to conduct control assessments.
+                  links:
+                    - href: '#ca-2.1_smt'
+                      rel: assessment-for
                 - id: ca-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -28744,6 +30746,9 @@ catalog:
                       value: CA-02(02)
                       class: sp800-53a
                   prose: '{{ insert: param, ca-02.02_odp.01 }} {{ insert: param, ca-02.02_odp.02 }} {{ insert: param, ca-02.02_odp.03 }} are included as part of control assessments.'
+                  links:
+                    - href: '#ca-2.2_smt'
+                      rel: assessment-for
                 - id: ca-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -28812,9 +30817,9 @@ catalog:
                     - name: label
                       value: CA-02(03)_ODP[01]
                       class: sp800-53a
-                  label: external organizations
+                  label: external organization(s)
                   guidelines:
-                    - prose: external organizations from which the results of control assessments are leveraged are defined;
+                    - prose: external organization(s) from which the results of control assessments are leveraged are defined;
                 - id: ca-02.03_odp.02
                   props:
                     - name: alt-identifier
@@ -28868,6 +30873,9 @@ catalog:
                       value: CA-02(03)
                       class: sp800-53a
                   prose: 'the results of control assessments performed by {{ insert: param, ca-02.03_odp.01 }} on {{ insert: param, ca-02.03_odp.02 }} are leveraged when the assessment meets {{ insert: param, ca-02.03_odp.03 }}.'
+                  links:
+                    - href: '#ca-2.3_smt'
+                      rel: assessment-for
                 - id: ca-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -29044,6 +31052,9 @@ catalog:
                       value: CA-03a.
                       class: sp800-53a
                   prose: 'the exchange of information between the system and other systems is approved and managed using {{ insert: param, ca-03_odp.01 }};'
+                  links:
+                    - href: '#ca-3_smt.a'
+                      rel: assessment-for
                 - id: ca-3_obj.b
                   name: assessment-objective
                   props:
@@ -29058,6 +31069,9 @@ catalog:
                           value: CA-03b.[01]
                           class: sp800-53a
                       prose: the interface characteristics are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -29065,6 +31079,9 @@ catalog:
                           value: CA-03b.[02]
                           class: sp800-53a
                       prose: security requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-3
                       name: assessment-objective
                       props:
@@ -29072,6 +31089,9 @@ catalog:
                           value: CA-03b.[03]
                           class: sp800-53a
                       prose: privacy requirements are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-4
                       name: assessment-objective
                       props:
@@ -29079,6 +31099,9 @@ catalog:
                           value: CA-03b.[04]
                           class: sp800-53a
                       prose: controls are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-5
                       name: assessment-objective
                       props:
@@ -29086,6 +31109,9 @@ catalog:
                           value: CA-03b.[05]
                           class: sp800-53a
                       prose: responsibilities for each system are documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
                     - id: ca-3_obj.b-6
                       name: assessment-objective
                       props:
@@ -29093,6 +31119,12 @@ catalog:
                           value: CA-03b.[06]
                           class: sp800-53a
                       prose: the impact level of the information communicated is documented as part of each exchange agreement;
+                      links:
+                        - href: '#ca-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-3_smt.b'
+                      rel: assessment-for
                 - id: ca-3_obj.c
                   name: assessment-objective
                   props:
@@ -29100,6 +31132,12 @@ catalog:
                       value: CA-03c.
                       class: sp800-53a
                   prose: 'agreements are reviewed and updated {{ insert: param, ca-03_odp.03 }}.'
+                  links:
+                    - href: '#ca-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ca-3_smt'
+                  rel: assessment-for
             - id: ca-3_asm-examine
               name: assessment-method
               props:
@@ -29282,6 +31320,9 @@ catalog:
                       value: CA-03(06)
                       class: sp800-53a
                   prose: individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
+                  links:
+                    - href: '#ca-3.6_smt'
+                      rel: assessment-for
                 - id: ca-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -29410,6 +31451,9 @@ catalog:
                           value: CA-03(07)(a)
                           class: sp800-53a
                       prose: transitive (downstream) information exchanges with other systems through the systems identified in CA-03a are identified;
+                      links:
+                        - href: '#ca-3.7_smt.a'
+                          rel: assessment-for
                     - id: ca-3.7_obj.b
                       name: assessment-objective
                       props:
@@ -29417,6 +31461,12 @@ catalog:
                           value: CA-03(07)(b)
                           class: sp800-53a
                       prose: measures are taken to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
+                      links:
+                        - href: '#ca-3.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-3.7_smt'
+                      rel: assessment-for
                 - id: ca-3.7_asm-examine
                   name: assessment-method
                   props:
@@ -29583,6 +31633,9 @@ catalog:
                       value: CA-05a.
                       class: sp800-53a
                   prose: a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;
+                  links:
+                    - href: '#ca-5_smt.a'
+                      rel: assessment-for
                 - id: ca-5_obj.b
                   name: assessment-objective
                   props:
@@ -29590,6 +31643,12 @@ catalog:
                       value: CA-05b.
                       class: sp800-53a
                   prose: 'existing plan of action and milestones are updated {{ insert: param, ca-05_odp }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.'
+                  links:
+                    - href: '#ca-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ca-5_smt'
+                  rel: assessment-for
             - id: ca-5_asm-examine
               name: assessment-method
               props:
@@ -29692,6 +31751,9 @@ catalog:
                       value: CA-05(01)
                       class: sp800-53a
                   prose: '{{ insert: param, ca-05.01_odp }} are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.'
+                  links:
+                    - href: '#ca-5.1_smt'
+                      rel: assessment-for
                 - id: ca-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -29866,6 +31928,9 @@ catalog:
                       value: CA-06a.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for the system;
+                  links:
+                    - href: '#ca-6_smt.a'
+                      rel: assessment-for
                 - id: ca-6_obj.b
                   name: assessment-objective
                   props:
@@ -29873,6 +31938,9 @@ catalog:
                       value: CA-06b.
                       class: sp800-53a
                   prose: a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.b'
+                      rel: assessment-for
                 - id: ca-6_obj.c
                   name: assessment-objective
                   props:
@@ -29887,6 +31955,9 @@ catalog:
                           value: CA-06c.01
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;
+                      links:
+                        - href: '#ca-6_smt.c.1'
+                          rel: assessment-for
                     - id: ca-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -29894,6 +31965,12 @@ catalog:
                           value: CA-06c.02
                           class: sp800-53a
                       prose: before commencing operations, the authorizing official for the system authorizes the system to operate;
+                      links:
+                        - href: '#ca-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6_smt.c'
+                      rel: assessment-for
                 - id: ca-6_obj.d
                   name: assessment-objective
                   props:
@@ -29901,6 +31978,9 @@ catalog:
                       value: CA-06d.
                       class: sp800-53a
                   prose: the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
+                  links:
+                    - href: '#ca-6_smt.d'
+                      rel: assessment-for
                 - id: ca-6_obj.e
                   name: assessment-objective
                   props:
@@ -29908,6 +31988,12 @@ catalog:
                       value: CA-06e.
                       class: sp800-53a
                   prose: 'the authorizations are updated {{ insert: param, ca-06_odp }}.'
+                  links:
+                    - href: '#ca-6_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ca-6_smt'
+                  rel: assessment-for
             - id: ca-6_asm-examine
               name: assessment-method
               props:
@@ -30000,6 +32086,9 @@ catalog:
                           value: CA-06(01)[01]
                           class: sp800-53a
                       prose: a joint authorization process is employed for the system;
+                      links:
+                        - href: '#ca-6.1_smt'
+                          rel: assessment-for
                     - id: ca-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -30007,6 +32096,12 @@ catalog:
                           value: CA-06(01)[02]
                           class: sp800-53a
                       prose: the joint authorization process employed for the system includes multiple authorizing officials from the same organization conducting the authorization.
+                      links:
+                        - href: '#ca-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6.1_smt'
+                      rel: assessment-for
                 - id: ca-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -30104,6 +32199,9 @@ catalog:
                           value: CA-06(02)[01]
                           class: sp800-53a
                       prose: a joint authorization process is employed for the system;
+                      links:
+                        - href: '#ca-6.2_smt'
+                          rel: assessment-for
                     - id: ca-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -30111,6 +32209,12 @@ catalog:
                           value: CA-06(02)[02]
                           class: sp800-53a
                       prose: the joint authorization process employed for the system includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
+                      links:
+                        - href: '#ca-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-6.2_smt'
+                      rel: assessment-for
                 - id: ca-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -30449,6 +32553,9 @@ catalog:
                       value: CA-07[01]
                       class: sp800-53a
                   prose: a system-level continuous monitoring strategy is developed;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj-2
                   name: assessment-objective
                   props:
@@ -30456,6 +32563,9 @@ catalog:
                       value: CA-07[02]
                       class: sp800-53a
                   prose: system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt'
+                      rel: assessment-for
                 - id: ca-7_obj.a
                   name: assessment-objective
                   props:
@@ -30463,6 +32573,9 @@ catalog:
                       value: CA-07a.
                       class: sp800-53a
                   prose: 'system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: {{ insert: param, ca-07_odp.01 }};'
+                  links:
+                    - href: '#ca-7_smt.a'
+                      rel: assessment-for
                 - id: ca-7_obj.b
                   name: assessment-objective
                   props:
@@ -30477,6 +32590,9 @@ catalog:
                           value: CA-07b.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
                     - id: ca-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -30484,6 +32600,12 @@ catalog:
                           value: CA-07b.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes established {{ insert: param, ca-07_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#ca-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.b'
+                      rel: assessment-for
                 - id: ca-7_obj.c
                   name: assessment-objective
                   props:
@@ -30491,6 +32613,9 @@ catalog:
                       value: CA-07c.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.c'
+                      rel: assessment-for
                 - id: ca-7_obj.d
                   name: assessment-objective
                   props:
@@ -30498,6 +32623,9 @@ catalog:
                       value: CA-07d.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
+                  links:
+                    - href: '#ca-7_smt.d'
+                      rel: assessment-for
                 - id: ca-7_obj.e
                   name: assessment-objective
                   props:
@@ -30505,6 +32633,9 @@ catalog:
                       value: CA-07e.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;
+                  links:
+                    - href: '#ca-7_smt.e'
+                      rel: assessment-for
                 - id: ca-7_obj.f
                   name: assessment-objective
                   props:
@@ -30512,6 +32643,9 @@ catalog:
                       value: CA-07f.
                       class: sp800-53a
                   prose: system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;
+                  links:
+                    - href: '#ca-7_smt.f'
+                      rel: assessment-for
                 - id: ca-7_obj.g
                   name: assessment-objective
                   props:
@@ -30526,6 +32660,9 @@ catalog:
                           value: CA-07g.[01]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the security status of the system to {{ insert: param, ca-07_odp.04 }} {{ insert: param, ca-07_odp.05 }};'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
                     - id: ca-7_obj.g-2
                       name: assessment-objective
                       props:
@@ -30533,6 +32670,15 @@ catalog:
                           value: CA-07g.[02]
                           class: sp800-53a
                       prose: 'system-level continuous monitoring includes reporting the privacy status of the system to {{ insert: param, ca-07_odp.06 }} {{ insert: param, ca-07_odp.07 }}.'
+                      links:
+                        - href: '#ca-7_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ca-7_smt'
+                  rel: assessment-for
             - id: ca-7_asm-examine
               name: assessment-method
               props:
@@ -30641,6 +32787,9 @@ catalog:
                       value: CA-07(01)
                       class: sp800-53a
                   prose: independent assessors or assessment teams are employed to monitor the controls in the system on an ongoing basis.
+                  links:
+                    - href: '#ca-7.1_smt'
+                      rel: assessment-for
                 - id: ca-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -30748,6 +32897,9 @@ catalog:
                           value: CA-07(03)[01]
                           class: sp800-53a
                       prose: trend analysis is employed to determine if control implementations used in the continuous monitoring process need to be modified based on empirical data;
+                      links:
+                        - href: '#ca-7.3_smt'
+                          rel: assessment-for
                     - id: ca-7.3_obj-2
                       name: assessment-objective
                       props:
@@ -30755,6 +32907,9 @@ catalog:
                           value: CA-07(03)[02]
                           class: sp800-53a
                       prose: trend analysis is employed to determine if the frequency of continuous monitoring activities used in the continuous monitoring process needs to be modified based on empirical data;
+                      links:
+                        - href: '#ca-7.3_smt'
+                          rel: assessment-for
                     - id: ca-7.3_obj-3
                       name: assessment-objective
                       props:
@@ -30762,6 +32917,12 @@ catalog:
                           value: CA-07(03)[03]
                           class: sp800-53a
                       prose: trend analysis is employed to determine if the types of activities used in the continuous monitoring process need to be modified based on empirical data.
+                      links:
+                        - href: '#ca-7.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.3_smt'
+                      rel: assessment-for
                 - id: ca-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -30890,6 +33051,9 @@ catalog:
                           value: CA-07(04)(a)
                           class: sp800-53a
                       prose: effectiveness monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.a'
+                          rel: assessment-for
                     - id: ca-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -30897,6 +33061,9 @@ catalog:
                           value: CA-07(04)(b)
                           class: sp800-53a
                       prose: compliance monitoring is included in risk monitoring;
+                      links:
+                        - href: '#ca-7.4_smt.b'
+                          rel: assessment-for
                     - id: ca-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -30904,6 +33071,12 @@ catalog:
                           value: CA-07(04)(c)
                           class: sp800-53a
                       prose: change monitoring is included in risk monitoring.
+                      links:
+                        - href: '#ca-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.4_smt'
+                      rel: assessment-for
                 - id: ca-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -31033,6 +33206,9 @@ catalog:
                           value: CA-07(05)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ca-07.05_odp.01 }} are employed to validate that policies are established;'
+                      links:
+                        - href: '#ca-7.5_smt'
+                          rel: assessment-for
                     - id: ca-7.5_obj-2
                       name: assessment-objective
                       props:
@@ -31040,6 +33216,12 @@ catalog:
                           value: CA-07(05)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ca-07.05_odp.02 }} are employed to validate that implemented controls are operating in a consistent manner.'
+                      links:
+                        - href: '#ca-7.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-7.5_smt'
+                      rel: assessment-for
                 - id: ca-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -31148,6 +33330,9 @@ catalog:
                       value: CA-07(06)
                       class: sp800-53a
                   prose: '{{ insert: param, ca-07.06_odp }} are used to ensure the accuracy, currency, and availability of monitoring results for the system.'
+                  links:
+                    - href: '#ca-7.6_smt'
+                      rel: assessment-for
                 - id: ca-7.6_asm-examine
                   name: assessment-method
                   props:
@@ -31279,6 +33464,9 @@ catalog:
                   value: CA-08
                   class: sp800-53a
               prose: 'penetration testing is conducted {{ insert: param, ca-08_odp.01 }} on {{ insert: param, ca-08_odp.02 }}.'
+              links:
+                - href: '#ca-8_smt'
+                  rel: assessment-for
             - id: ca-8_asm-examine
               name: assessment-method
               props:
@@ -31374,6 +33562,9 @@ catalog:
                       value: CA-08(01)
                       class: sp800-53a
                   prose: an independent penetration testing agent or team is employed to perform penetration testing on the system or system components.
+                  links:
+                    - href: '#ca-8.1_smt'
+                      rel: assessment-for
                 - id: ca-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -31463,6 +33654,9 @@ catalog:
                       value: CA-08(02)
                       class: sp800-53a
                   prose: '{{ insert: param, ca-08.02_odp }} are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.'
+                  links:
+                    - href: '#ca-8.2_smt'
+                      rel: assessment-for
                 - id: ca-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -31588,6 +33782,9 @@ catalog:
                       value: CA-08(03)
                       class: sp800-53a
                   prose: 'the penetration testing process includes {{ insert: param, ca-08.03_odp.01 }} {{ insert: param, ca-08.03_odp.02 }} attempts to bypass or circumvent controls associated with physical access points to facility.'
+                  links:
+                    - href: '#ca-8.3_smt'
+                      rel: assessment-for
                 - id: ca-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -31769,6 +33966,9 @@ catalog:
                       value: CA-09a.
                       class: sp800-53a
                   prose: 'internal connections of {{ insert: param, ca-09_odp.01 }} to the system are authorized;'
+                  links:
+                    - href: '#ca-9_smt.a'
+                      rel: assessment-for
                 - id: ca-9_obj.b
                   name: assessment-objective
                   props:
@@ -31783,6 +33983,9 @@ catalog:
                           value: CA-09b.[01]
                           class: sp800-53a
                       prose: for each internal connection, the interface characteristics are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -31790,6 +33993,9 @@ catalog:
                           value: CA-09b.[02]
                           class: sp800-53a
                       prose: for each internal connection, the security requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-3
                       name: assessment-objective
                       props:
@@ -31797,6 +34003,9 @@ catalog:
                           value: CA-09b.[03]
                           class: sp800-53a
                       prose: for each internal connection, the privacy requirements are documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
                     - id: ca-9_obj.b-4
                       name: assessment-objective
                       props:
@@ -31804,6 +34013,12 @@ catalog:
                           value: CA-09b.[04]
                           class: sp800-53a
                       prose: for each internal connection, the nature of the information communicated is documented;
+                      links:
+                        - href: '#ca-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-9_smt.b'
+                      rel: assessment-for
                 - id: ca-9_obj.c
                   name: assessment-objective
                   props:
@@ -31811,6 +34026,9 @@ catalog:
                       value: CA-09c.
                       class: sp800-53a
                   prose: 'internal system connections are terminated after {{ insert: param, ca-09_odp.02 }};'
+                  links:
+                    - href: '#ca-9_smt.c'
+                      rel: assessment-for
                 - id: ca-9_obj.d
                   name: assessment-objective
                   props:
@@ -31818,6 +34036,12 @@ catalog:
                       value: CA-09d.
                       class: sp800-53a
                   prose: 'the continued need for each internal connection is reviewed {{ insert: param, ca-09_odp.03 }}.'
+                  links:
+                    - href: '#ca-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ca-9_smt'
+                  rel: assessment-for
             - id: ca-9_asm-examine
               name: assessment-method
               props:
@@ -31927,6 +34151,9 @@ catalog:
                           value: CA-09(01)[01]
                           class: sp800-53a
                       prose: security compliance checks are performed on constituent system components prior to the establishment of the internal connection;
+                      links:
+                        - href: '#ca-9.1_smt'
+                          rel: assessment-for
                     - id: ca-9.1_obj-2
                       name: assessment-objective
                       props:
@@ -31934,6 +34161,12 @@ catalog:
                           value: CA-09(01)[02]
                           class: sp800-53a
                       prose: privacy compliance checks are performed on constituent system components prior to the establishment of the internal connection.
+                      links:
+                        - href: '#ca-9.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ca-9.1_smt'
+                      rel: assessment-for
                 - id: ca-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -32210,6 +34443,9 @@ catalog:
                           value: CM-01a.[01]
                           class: sp800-53a
                       prose: a configuration management policy is developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -32217,6 +34453,9 @@ catalog:
                           value: CM-01a.[02]
                           class: sp800-53a
                       prose: 'the configuration management policy is disseminated to {{ insert: param, cm-01_odp.01 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -32224,6 +34463,9 @@ catalog:
                           value: CM-01a.[03]
                           class: sp800-53a
                       prose: configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -32231,6 +34473,9 @@ catalog:
                           value: CM-01a.[04]
                           class: sp800-53a
                       prose: 'the configuration management procedures are disseminated to {{ insert: param, cm-01_odp.02 }};'
+                      links:
+                        - href: '#cm-1_smt.a'
+                          rel: assessment-for
                     - id: cm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -32252,6 +34497,9 @@ catalog:
                                   value: CM-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses purpose;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -32259,6 +34507,9 @@ catalog:
                                   value: CM-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses scope;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -32266,6 +34517,9 @@ catalog:
                                   value: CM-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses roles;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -32273,6 +34527,9 @@ catalog:
                                   value: CM-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses responsibilities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -32280,6 +34537,9 @@ catalog:
                                   value: CM-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses management commitment;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -32287,6 +34547,9 @@ catalog:
                                   value: CM-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cm-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -32294,6 +34557,12 @@ catalog:
                                   value: CM-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cm-01_odp.03 }} of the configuration management policy addresses compliance;'
+                              links:
+                                - href: '#cm-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cm-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cm-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -32301,6 +34570,15 @@ catalog:
                               value: CM-01a.01(b)
                               class: sp800-53a
                           prose: the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#cm-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.a'
+                      rel: assessment-for
                 - id: cm-1_obj.b
                   name: assessment-objective
                   props:
@@ -32308,6 +34586,9 @@ catalog:
                       value: CM-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cm-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;'
+                  links:
+                    - href: '#cm-1_smt.b'
+                      rel: assessment-for
                 - id: cm-1_obj.c
                   name: assessment-objective
                   props:
@@ -32329,6 +34610,9 @@ catalog:
                               value: CM-01c.01[01]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated {{ insert: param, cm-01_odp.05 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
                         - id: cm-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -32336,6 +34620,12 @@ catalog:
                               value: CM-01c.01[02]
                               class: sp800-53a
                           prose: 'the current configuration management policy is reviewed and updated following {{ insert: param, cm-01_odp.06 }};'
+                          links:
+                            - href: '#cm-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.1'
+                          rel: assessment-for
                     - id: cm-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -32350,6 +34640,9 @@ catalog:
                               value: CM-01c.02[01]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated {{ insert: param, cm-01_odp.07 }}; '
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
                         - id: cm-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -32357,6 +34650,18 @@ catalog:
                               value: CM-01c.02[02]
                               class: sp800-53a
                           prose: 'the current configuration management procedures are reviewed and updated following {{ insert: param, cm-01_odp.08 }}.'
+                          links:
+                            - href: '#cm-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-1_smt'
+                  rel: assessment-for
             - id: cm-1_asm-examine
               name: assessment-method
               props:
@@ -32539,6 +34844,9 @@ catalog:
                           value: CM-02a.[01]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is developed and documented;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
                     - id: cm-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -32546,6 +34854,12 @@ catalog:
                           value: CM-02a.[02]
                           class: sp800-53a
                       prose: a current baseline configuration of the system is maintained under configuration control;
+                      links:
+                        - href: '#cm-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.a'
+                      rel: assessment-for
                 - id: cm-2_obj.b
                   name: assessment-objective
                   props:
@@ -32560,6 +34874,9 @@ catalog:
                           value: CM-02b.01
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated {{ insert: param, cm-02_odp.01 }};'
+                      links:
+                        - href: '#cm-2_smt.b.1'
+                          rel: assessment-for
                     - id: cm-2_obj.b.2
                       name: assessment-objective
                       props:
@@ -32567,6 +34884,9 @@ catalog:
                           value: CM-02b.02
                           class: sp800-53a
                       prose: 'the baseline configuration of the system is reviewed and updated when required due to {{ insert: param, cm-02_odp.02 }};'
+                      links:
+                        - href: '#cm-2_smt.b.2'
+                          rel: assessment-for
                     - id: cm-2_obj.b.3
                       name: assessment-objective
                       props:
@@ -32574,6 +34894,15 @@ catalog:
                           value: CM-02b.03
                           class: sp800-53a
                       prose: the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
+                      links:
+                        - href: '#cm-2_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-2_smt'
+                  rel: assessment-for
             - id: cm-2_asm-examine
               name: assessment-method
               props:
@@ -32716,6 +35045,9 @@ catalog:
                           value: CM-02(02)[01]
                           class: sp800-53a
                       prose: 'the currency of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -32723,6 +35055,9 @@ catalog:
                           value: CM-02(02)[02]
                           class: sp800-53a
                       prose: 'the completeness of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-3
                       name: assessment-objective
                       props:
@@ -32730,6 +35065,9 @@ catalog:
                           value: CM-02(02)[03]
                           class: sp800-53a
                       prose: 'the accuracy of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }};'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
                     - id: cm-2.2_obj-4
                       name: assessment-objective
                       props:
@@ -32737,6 +35075,12 @@ catalog:
                           value: CM-02(02)[04]
                           class: sp800-53a
                       prose: 'the availability of the baseline configuration of the system is maintained using {{ insert: param, cm-02.02_odp }}.'
+                      links:
+                        - href: '#cm-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.2_smt'
+                      rel: assessment-for
                 - id: cm-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -32845,6 +35189,9 @@ catalog:
                       value: CM-02(03)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-02.03_odp }} of previous baseline configuration version(s) of the system is/are retained to support rollback.'
+                  links:
+                    - href: '#cm-2.3_smt'
+                      rel: assessment-for
                 - id: cm-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -32980,6 +35327,9 @@ catalog:
                           value: CM-02(06)[01]
                           class: sp800-53a
                       prose: a baseline configuration for system development environments that is managed separately from the operational baseline configuration is maintained;
+                      links:
+                        - href: '#cm-2.6_smt'
+                          rel: assessment-for
                     - id: cm-2.6_obj-2
                       name: assessment-objective
                       props:
@@ -32987,6 +35337,12 @@ catalog:
                           value: CM-02(06)[02]
                           class: sp800-53a
                       prose: a baseline configuration for test environments that is managed separately from the operational baseline configuration is maintained.
+                      links:
+                        - href: '#cm-2.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.6_smt'
+                      rel: assessment-for
                 - id: cm-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -33134,6 +35490,9 @@ catalog:
                           value: CM-02(07)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} are issued to individuals traveling to locations that the organization deems to be of significant risk;'
+                      links:
+                        - href: '#cm-2.7_smt.a'
+                          rel: assessment-for
                     - id: cm-2.7_obj.b
                       name: assessment-objective
                       props:
@@ -33141,6 +35500,12 @@ catalog:
                           value: CM-02(07)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-02.07_odp.03 }} are applied to the systems or system components when the individuals return from travel.'
+                      links:
+                        - href: '#cm-2.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-2.7_smt'
+                      rel: assessment-for
                 - id: cm-2.7_asm-examine
                   name: assessment-method
                   props:
@@ -33391,6 +35756,9 @@ catalog:
                       value: CM-03a.
                       class: sp800-53a
                   prose: the types of changes to the system that are configuration-controlled are determined and documented;
+                  links:
+                    - href: '#cm-3_smt.a'
+                      rel: assessment-for
                 - id: cm-3_obj.b
                   name: assessment-objective
                   props:
@@ -33405,6 +35773,9 @@ catalog:
                           value: CM-03b.[01]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
                     - id: cm-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -33412,6 +35783,12 @@ catalog:
                           value: CM-03b.[02]
                           class: sp800-53a
                       prose: proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses;
+                      links:
+                        - href: '#cm-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.b'
+                      rel: assessment-for
                 - id: cm-3_obj.c
                   name: assessment-objective
                   props:
@@ -33419,6 +35796,9 @@ catalog:
                       value: CM-03c.
                       class: sp800-53a
                   prose: configuration change decisions associated with the system are documented;
+                  links:
+                    - href: '#cm-3_smt.c'
+                      rel: assessment-for
                 - id: cm-3_obj.d
                   name: assessment-objective
                   props:
@@ -33426,6 +35806,9 @@ catalog:
                       value: CM-03d.
                       class: sp800-53a
                   prose: approved configuration-controlled changes to the system are implemented;
+                  links:
+                    - href: '#cm-3_smt.d'
+                      rel: assessment-for
                 - id: cm-3_obj.e
                   name: assessment-objective
                   props:
@@ -33433,6 +35816,9 @@ catalog:
                       value: CM-03e.
                       class: sp800-53a
                   prose: 'records of configuration-controlled changes to the system are retained for {{ insert: param, cm-03_odp.01 }};'
+                  links:
+                    - href: '#cm-3_smt.e'
+                      rel: assessment-for
                 - id: cm-3_obj.f
                   name: assessment-objective
                   props:
@@ -33447,6 +35833,9 @@ catalog:
                           value: CM-03f.[01]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are monitored;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
                     - id: cm-3_obj.f-2
                       name: assessment-objective
                       props:
@@ -33454,6 +35843,12 @@ catalog:
                           value: CM-03f.[02]
                           class: sp800-53a
                       prose: activities associated with configuration-controlled changes to the system are reviewed;
+                      links:
+                        - href: '#cm-3_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.f'
+                      rel: assessment-for
                 - id: cm-3_obj.g
                   name: assessment-objective
                   props:
@@ -33468,6 +35863,9 @@ catalog:
                           value: CM-03g.[01]
                           class: sp800-53a
                       prose: 'configuration change control activities are coordinated and overseen by {{ insert: param, cm-03_odp.02 }};'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
                     - id: cm-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -33475,6 +35873,15 @@ catalog:
                           value: CM-03g.[02]
                           class: sp800-53a
                       prose: 'the configuration control element convenes {{ insert: param, cm-03_odp.03 }}.'
+                      links:
+                        - href: '#cm-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#cm-3_smt'
+                  rel: assessment-for
             - id: cm-3_asm-examine
               name: assessment-method
               props:
@@ -33666,6 +36073,9 @@ catalog:
                           value: CM-03(01)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to document proposed changes to the system;'
+                      links:
+                        - href: '#cm-3.1_smt.a'
+                          rel: assessment-for
                     - id: cm-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -33673,6 +36083,9 @@ catalog:
                           value: CM-03(01)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;'
+                      links:
+                        - href: '#cm-3.1_smt.b'
+                          rel: assessment-for
                     - id: cm-3.1_obj.c
                       name: assessment-objective
                       props:
@@ -33680,6 +36093,9 @@ catalog:
                           value: CM-03(01)(c)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};'
+                      links:
+                        - href: '#cm-3.1_smt.c'
+                          rel: assessment-for
                     - id: cm-3.1_obj.d
                       name: assessment-objective
                       props:
@@ -33687,6 +36103,9 @@ catalog:
                           value: CM-03(01)(d)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to prohibit changes to the system until designated approvals are received;'
+                      links:
+                        - href: '#cm-3.1_smt.d'
+                          rel: assessment-for
                     - id: cm-3.1_obj.e
                       name: assessment-objective
                       props:
@@ -33694,6 +36113,9 @@ catalog:
                           value: CM-03(01)(e)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to document all changes to the system;'
+                      links:
+                        - href: '#cm-3.1_smt.e'
+                          rel: assessment-for
                     - id: cm-3.1_obj.f
                       name: assessment-objective
                       props:
@@ -33701,6 +36123,12 @@ catalog:
                           value: CM-03(01)(f)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.01_odp.01 }} are used to notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.'
+                      links:
+                        - href: '#cm-3.1_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.1_smt'
+                      rel: assessment-for
                 - id: cm-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -33815,6 +36243,9 @@ catalog:
                           value: CM-03(02)[01]
                           class: sp800-53a
                       prose: changes to the system are tested before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-2
                       name: assessment-objective
                       props:
@@ -33822,6 +36253,9 @@ catalog:
                           value: CM-03(02)[02]
                           class: sp800-53a
                       prose: changes to the system are validated before finalizing the implementation of the changes;
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
                     - id: cm-3.2_obj-3
                       name: assessment-objective
                       props:
@@ -33829,6 +36263,12 @@ catalog:
                           value: CM-03(02)[03]
                           class: sp800-53a
                       prose: changes to the system are documented before finalizing the implementation of the changes.
+                      links:
+                        - href: '#cm-3.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.2_smt'
+                      rel: assessment-for
                 - id: cm-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -33949,6 +36389,9 @@ catalog:
                           value: CM-03(03)[01]
                           class: sp800-53a
                       prose: 'changes to the current system baseline are implemented using {{ insert: param, cm-03.03_odp }};'
+                      links:
+                        - href: '#cm-3.3_smt'
+                          rel: assessment-for
                     - id: cm-3.3_obj-2
                       name: assessment-objective
                       props:
@@ -33956,6 +36399,12 @@ catalog:
                           value: CM-03(03)[02]
                           class: sp800-53a
                       prose: 'the updated baseline is deployed across the installed base using {{ insert: param, cm-03.03_odp }}.'
+                      links:
+                        - href: '#cm-3.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.3_smt'
+                      rel: assessment-for
                 - id: cm-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -34099,6 +36548,9 @@ catalog:
                           value: CM-03(04)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.04_odp.01 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }};'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
                     - id: cm-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -34106,6 +36558,12 @@ catalog:
                           value: CM-03(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-03.04_odp.02 }} are required to be members of the {{ insert: param, cm-03.04_odp.03 }}.'
+                      links:
+                        - href: '#cm-3.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-3.4_smt'
+                      rel: assessment-for
                 - id: cm-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -34200,6 +36658,9 @@ catalog:
                       value: CM-03(05)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-03.05_odp }} are automatically implemented if baseline configurations are changed in an unauthorized manner.'
+                  links:
+                    - href: '#cm-3.5_smt'
+                      rel: assessment-for
                 - id: cm-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -34311,6 +36772,9 @@ catalog:
                       value: CM-03(06)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms used to provide {{ insert: param, cm-03.06_odp }} are under configuration management.'
+                  links:
+                    - href: '#cm-3.6_smt'
+                      rel: assessment-for
                 - id: cm-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -34432,6 +36896,9 @@ catalog:
                       value: CM-03(07)
                       class: sp800-53a
                   prose: 'changes to the system are reviewed {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred.'
+                  links:
+                    - href: '#cm-3.7_smt'
+                      rel: assessment-for
                 - id: cm-3.7_asm-examine
                   name: assessment-method
                   props:
@@ -34539,6 +37006,9 @@ catalog:
                       value: CM-03(08)
                       class: sp800-53a
                   prose: 'changes to the configuration of the system are prevented or restricted under {{ insert: param, cm-03.08_odp }}.'
+                  links:
+                    - href: '#cm-3.8_smt'
+                      rel: assessment-for
                 - id: cm-3.8_asm-examine
                   name: assessment-method
                   props:
@@ -34635,6 +37105,9 @@ catalog:
                       value: CM-04[01]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential security impacts prior to change implementation;
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
                 - id: cm-4_obj-2
                   name: assessment-objective
                   props:
@@ -34642,6 +37115,12 @@ catalog:
                       value: CM-04[02]
                       class: sp800-53a
                   prose: changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
+                  links:
+                    - href: '#cm-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-4_smt'
+                  rel: assessment-for
             - id: cm-4_asm-examine
               name: assessment-method
               props:
@@ -34765,6 +37244,9 @@ catalog:
                           value: CM-04(01)[01]
                           class: sp800-53a
                       prose: changes to the system are analyzed in a separate test environment before implementation in an operational environment;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-2
                       name: assessment-objective
                       props:
@@ -34772,6 +37254,9 @@ catalog:
                           value: CM-04(01)[02]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to flaws;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-3
                       name: assessment-objective
                       props:
@@ -34779,6 +37264,9 @@ catalog:
                           value: CM-04(01)[03]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to flaws;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-4
                       name: assessment-objective
                       props:
@@ -34786,6 +37274,9 @@ catalog:
                           value: CM-04(01)[04]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to weaknesses;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-5
                       name: assessment-objective
                       props:
@@ -34793,6 +37284,9 @@ catalog:
                           value: CM-04(01)[05]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to weaknesses;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-6
                       name: assessment-objective
                       props:
@@ -34800,6 +37294,9 @@ catalog:
                           value: CM-04(01)[06]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to incompatibility;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-7
                       name: assessment-objective
                       props:
@@ -34807,6 +37304,9 @@ catalog:
                           value: CM-04(01)[07]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to incompatibility;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-8
                       name: assessment-objective
                       props:
@@ -34814,6 +37314,9 @@ catalog:
                           value: CM-04(01)[08]
                           class: sp800-53a
                       prose: changes to the system are analyzed for security impacts due to intentional malice;
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
                     - id: cm-4.1_obj-9
                       name: assessment-objective
                       props:
@@ -34821,6 +37324,12 @@ catalog:
                           value: CM-04(01)[09]
                           class: sp800-53a
                       prose: changes to the system are analyzed for privacy impacts due to intentional malice.
+                      links:
+                        - href: '#cm-4.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-4.1_smt'
+                      rel: assessment-for
                 - id: cm-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -34947,6 +37456,9 @@ catalog:
                           value: CM-04(02)[01]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-2
                       name: assessment-objective
                       props:
@@ -34954,6 +37466,9 @@ catalog:
                           value: CM-04(02)[02]
                           class: sp800-53a
                       prose: the impacted controls are implemented correctly with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-3
                       name: assessment-objective
                       props:
@@ -34961,6 +37476,9 @@ catalog:
                           value: CM-04(02)[03]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-4
                       name: assessment-objective
                       props:
@@ -34968,6 +37486,9 @@ catalog:
                           value: CM-04(02)[04]
                           class: sp800-53a
                       prose: the impacted controls are operating as intended with regard to meeting the privacy requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-5
                       name: assessment-objective
                       props:
@@ -34975,6 +37496,9 @@ catalog:
                           value: CM-04(02)[05]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system after system changes;
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
                     - id: cm-4.2_obj-6
                       name: assessment-objective
                       props:
@@ -34982,6 +37506,12 @@ catalog:
                           value: CM-04(02)[06]
                           class: sp800-53a
                       prose: the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system after system changes.
+                      links:
+                        - href: '#cm-4.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-4.2_smt'
+                      rel: assessment-for
                 - id: cm-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -35117,6 +37647,9 @@ catalog:
                       value: CM-05[01]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-2
                   name: assessment-objective
                   props:
@@ -35124,6 +37657,9 @@ catalog:
                       value: CM-05[02]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-3
                   name: assessment-objective
                   props:
@@ -35131,6 +37667,9 @@ catalog:
                       value: CM-05[03]
                       class: sp800-53a
                   prose: physical access restrictions associated with changes to the system are enforced;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-4
                   name: assessment-objective
                   props:
@@ -35138,6 +37677,9 @@ catalog:
                       value: CM-05[04]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are defined and documented;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-5
                   name: assessment-objective
                   props:
@@ -35145,6 +37687,9 @@ catalog:
                       value: CM-05[05]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are approved;
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
                 - id: cm-5_obj-6
                   name: assessment-objective
                   props:
@@ -35152,6 +37697,12 @@ catalog:
                       value: CM-05[06]
                       class: sp800-53a
                   prose: logical access restrictions associated with changes to the system are enforced.
+                  links:
+                    - href: '#cm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-5_smt'
+                  rel: assessment-for
             - id: cm-5_asm-examine
               name: assessment-method
               props:
@@ -35299,6 +37850,9 @@ catalog:
                           value: CM-05(01)(a)
                           class: sp800-53a
                       prose: 'access restrictions for change are enforced using {{ insert: param, cm-05.01_odp }};'
+                      links:
+                        - href: '#cm-5.1_smt.a'
+                          rel: assessment-for
                     - id: cm-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -35306,6 +37860,12 @@ catalog:
                           value: CM-05(01)(b)
                           class: sp800-53a
                       prose: audit records of enforcement actions are automatically generated.
+                      links:
+                        - href: '#cm-5.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-5.1_smt'
+                      rel: assessment-for
                 - id: cm-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -35476,6 +38036,9 @@ catalog:
                           value: CM-05(04)[01]
                           class: sp800-53a
                       prose: 'dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.01 }} is enforced;'
+                      links:
+                        - href: '#cm-5.4_smt'
+                          rel: assessment-for
                     - id: cm-5.4_obj-2
                       name: assessment-objective
                       props:
@@ -35483,6 +38046,12 @@ catalog:
                           value: CM-05(04)[02]
                           class: sp800-53a
                       prose: 'dual authorization for implementing changes to {{ insert: param, cm-05.04_odp.02 }} is enforced.'
+                      links:
+                        - href: '#cm-5.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-5.4_smt'
+                      rel: assessment-for
                 - id: cm-5.4_asm-examine
                   name: assessment-method
                   props:
@@ -35635,6 +38204,9 @@ catalog:
                               value: CM-05(05)(a)[01]
                               class: sp800-53a
                           prose: privileges to change system components within a production or operational environment are limited;
+                          links:
+                            - href: '#cm-5.5_smt.a'
+                              rel: assessment-for
                         - id: cm-5.5_obj.a-2
                           name: assessment-objective
                           props:
@@ -35642,6 +38214,12 @@ catalog:
                               value: CM-05(05)(a)[02]
                               class: sp800-53a
                           prose: privileges to change system-related information within a production or operational environment are limited;
+                          links:
+                            - href: '#cm-5.5_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-5.5_smt.a'
+                          rel: assessment-for
                     - id: cm-5.5_obj.b
                       name: assessment-objective
                       props:
@@ -35656,6 +38234,9 @@ catalog:
                               value: CM-05(05)(b)[01]
                               class: sp800-53a
                           prose: 'privileges are reviewed {{ insert: param, cm-05.05_odp.01 }};'
+                          links:
+                            - href: '#cm-5.5_smt.b'
+                              rel: assessment-for
                         - id: cm-5.5_obj.b-2
                           name: assessment-objective
                           props:
@@ -35663,6 +38244,15 @@ catalog:
                               value: CM-05(05)(b)[02]
                               class: sp800-53a
                           prose: 'privileges are reevaluated {{ insert: param, cm-05.05_odp.02 }}.'
+                          links:
+                            - href: '#cm-5.5_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-5.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-5.5_smt'
+                      rel: assessment-for
                 - id: cm-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -35766,6 +38356,9 @@ catalog:
                       value: CM-05(06)
                       class: sp800-53a
                   prose: privileges to change software resident within software libraries are limited.
+                  links:
+                    - href: '#cm-5.6_smt'
+                      rel: assessment-for
                 - id: cm-5.6_asm-examine
                   name: assessment-method
                   props:
@@ -36012,6 +38605,9 @@ catalog:
                       value: CM-06a.
                       class: sp800-53a
                   prose: 'configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using {{ insert: param, cm-06_odp.01 }};'
+                  links:
+                    - href: '#cm-6_smt.a'
+                      rel: assessment-for
                 - id: cm-6_obj.b
                   name: assessment-objective
                   props:
@@ -36019,6 +38615,9 @@ catalog:
                       value: CM-06b.
                       class: sp800-53a
                   prose: the configuration settings documented in CM-06a are implemented;
+                  links:
+                    - href: '#cm-6_smt.b'
+                      rel: assessment-for
                 - id: cm-6_obj.c
                   name: assessment-objective
                   props:
@@ -36033,6 +38632,9 @@ catalog:
                           value: CM-06c.[01]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are identified and documented based on {{ insert: param, cm-06_odp.03 }};'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
                     - id: cm-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -36040,6 +38642,12 @@ catalog:
                           value: CM-06c.[02]
                           class: sp800-53a
                       prose: 'any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} are approved;'
+                      links:
+                        - href: '#cm-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.c'
+                      rel: assessment-for
                 - id: cm-6_obj.d
                   name: assessment-objective
                   props:
@@ -36054,6 +38662,9 @@ catalog:
                           value: CM-06d.[01]
                           class: sp800-53a
                       prose: changes to the configuration settings are monitored in accordance with organizational policies and procedures;
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
                     - id: cm-6_obj.d-2
                       name: assessment-objective
                       props:
@@ -36061,6 +38672,15 @@ catalog:
                           value: CM-06d.[02]
                           class: sp800-53a
                       prose: changes to the configuration settings are controlled in accordance with organizational policies and procedures.
+                      links:
+                        - href: '#cm-6_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cm-6_smt'
+                  rel: assessment-for
             - id: cm-6_asm-examine
               name: assessment-method
               props:
@@ -36224,6 +38844,9 @@ catalog:
                           value: CM-06(01)[01]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are managed using {{ insert: param, cm-06.01_odp.02 }};'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
                     - id: cm-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -36231,6 +38854,9 @@ catalog:
                           value: CM-06(01)[02]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are applied using {{ insert: param, cm-06.01_odp.03 }};'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
                     - id: cm-6.1_obj-3
                       name: assessment-objective
                       props:
@@ -36238,6 +38864,12 @@ catalog:
                           value: CM-06(01)[03]
                           class: sp800-53a
                       prose: 'configuration settings for {{ insert: param, cm-06.01_odp.01 }} are verified using {{ insert: param, cm-06.01_odp.04 }}.'
+                      links:
+                        - href: '#cm-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-6.1_smt'
+                      rel: assessment-for
                 - id: cm-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -36365,6 +38997,9 @@ catalog:
                       value: CM-06(02)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-06.02_odp.01 }} are taken in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}.'
+                  links:
+                    - href: '#cm-6.2_smt'
+                      rel: assessment-for
                 - id: cm-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -36633,6 +39268,9 @@ catalog:
                       value: CM-07a.
                       class: sp800-53a
                   prose: 'the system is configured to provide only {{ insert: param, cm-07_odp.01 }};'
+                  links:
+                    - href: '#cm-7_smt.a'
+                      rel: assessment-for
                 - id: cm-7_obj.b
                   name: assessment-objective
                   props:
@@ -36647,6 +39285,9 @@ catalog:
                           value: CM-07b.[01]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.02 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -36654,6 +39295,9 @@ catalog:
                           value: CM-07b.[02]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.03 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -36661,6 +39305,9 @@ catalog:
                           value: CM-07b.[03]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.04 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-4
                       name: assessment-objective
                       props:
@@ -36668,6 +39315,9 @@ catalog:
                           value: CM-07b.[04]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.05 }} is prohibited or restricted;'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
                     - id: cm-7_obj.b-5
                       name: assessment-objective
                       props:
@@ -36675,6 +39325,15 @@ catalog:
                           value: CM-07b.[05]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, cm-07_odp.06 }} is prohibited or restricted.'
+                      links:
+                        - href: '#cm-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-7_smt'
+                  rel: assessment-for
             - id: cm-7_asm-examine
               name: assessment-method
               props:
@@ -36863,6 +39522,9 @@ catalog:
                           value: CM-07(01)(a)
                           class: sp800-53a
                       prose: 'the system is reviewed {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:'
+                      links:
+                        - href: '#cm-7.1_smt.a'
+                          rel: assessment-for
                     - id: cm-7.1_obj.b
                       name: assessment-objective
                       props:
@@ -36877,6 +39539,9 @@ catalog:
                               value: CM-07(01)(b)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-07.01_odp.02 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -36884,6 +39549,9 @@ catalog:
                               value: CM-07(01)(b)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-07.01_odp.03 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-3
                           name: assessment-objective
                           props:
@@ -36891,6 +39559,9 @@ catalog:
                               value: CM-07(01)(b)[03]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-07.01_odp.04 }} deemed to be unnecessary and/or non-secure are disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-4
                           name: assessment-objective
                           props:
@@ -36898,6 +39569,9 @@ catalog:
                               value: CM-07(01)(b)[04]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-07.01_odp.05 }} deemed to be unnecessary and/or non-secure is disabled or removed;'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
                         - id: cm-7.1_obj.b-5
                           name: assessment-objective
                           props:
@@ -36905,6 +39579,15 @@ catalog:
                               value: CM-07(01)(b)[05]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-07.01_odp.06 }} deemed to be unnecessary and/or non-secure are disabled or removed.'
+                          links:
+                            - href: '#cm-7.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-7.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.1_smt'
+                      rel: assessment-for
                 - id: cm-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -37036,6 +39719,9 @@ catalog:
                       value: CM-07(02)
                       class: sp800-53a
                   prose: 'program execution is prevented in accordance with {{ insert: param, cm-07.02_odp.01 }}.'
+                  links:
+                    - href: '#cm-7.2_smt'
+                      rel: assessment-for
                 - id: cm-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -37152,6 +39838,9 @@ catalog:
                       value: CM-07(03)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-07.03_odp }} are complied with.'
+                  links:
+                    - href: '#cm-7.3_smt'
+                      rel: assessment-for
                 - id: cm-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -37306,6 +39995,9 @@ catalog:
                           value: CM-07(04)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-07.04_odp.01 }} are identified;'
+                      links:
+                        - href: '#cm-7.4_smt.a'
+                          rel: assessment-for
                     - id: cm-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -37313,6 +40005,9 @@ catalog:
                           value: CM-07(04)(b)
                           class: sp800-53a
                       prose: an allow-all, deny-by-exception policy is employed to prohibit the execution of unauthorized software programs on the system;
+                      links:
+                        - href: '#cm-7.4_smt.b'
+                          rel: assessment-for
                     - id: cm-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -37320,6 +40015,12 @@ catalog:
                           value: CM-07(04)(c)
                           class: sp800-53a
                       prose: 'the list of unauthorized software programs is reviewed and updated {{ insert: param, cm-07.04_odp.02 }}.'
+                      links:
+                        - href: '#cm-7.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.4_smt'
+                      rel: assessment-for
                 - id: cm-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -37492,6 +40193,9 @@ catalog:
                           value: CM-07(05)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-07.05_odp.01 }} are identified;'
+                      links:
+                        - href: '#cm-7.5_smt.a'
+                          rel: assessment-for
                     - id: cm-7.5_obj.b
                       name: assessment-objective
                       props:
@@ -37499,6 +40203,9 @@ catalog:
                           value: CM-07(05)(b)
                           class: sp800-53a
                       prose: a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system is employed;
+                      links:
+                        - href: '#cm-7.5_smt.b'
+                          rel: assessment-for
                     - id: cm-7.5_obj.c
                       name: assessment-objective
                       props:
@@ -37506,6 +40213,12 @@ catalog:
                           value: CM-07(05)(c)
                           class: sp800-53a
                       prose: 'the list of authorized software programs is reviewed and updated {{ insert: param, cm-07.05_odp.02 }}.'
+                      links:
+                        - href: '#cm-7.5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.5_smt'
+                      rel: assessment-for
                 - id: cm-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -37626,6 +40339,9 @@ catalog:
                       value: CM-07(06)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-07.06_odp }} is required to be executed in a confined physical or virtual machine environment with limited privileges.'
+                  links:
+                    - href: '#cm-7.6_smt'
+                      rel: assessment-for
                 - id: cm-7.6_asm-examine
                   name: assessment-method
                   props:
@@ -37766,6 +40482,9 @@ catalog:
                           value: CM-07(07)(a)
                           class: sp800-53a
                       prose: 'the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }};'
+                      links:
+                        - href: '#cm-7.7_smt.a'
+                          rel: assessment-for
                     - id: cm-7.7_obj.b
                       name: assessment-objective
                       props:
@@ -37773,6 +40492,12 @@ catalog:
                           value: CM-07(07)(b)
                           class: sp800-53a
                       prose: 'the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of {{ insert: param, cm-07.07_odp }}.'
+                      links:
+                        - href: '#cm-7.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.7_smt'
+                      rel: assessment-for
                 - id: cm-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -37904,6 +40629,9 @@ catalog:
                           value: CM-07(08)(a)
                           class: sp800-53a
                       prose: the use of binary or machine-executable code is prohibited when it originates from sources with limited or no warranty or without the provision of source code;
+                      links:
+                        - href: '#cm-7.8_smt.a'
+                          rel: assessment-for
                     - id: cm-7.8_obj.b
                       name: assessment-objective
                       props:
@@ -37918,6 +40646,9 @@ catalog:
                               value: CM-07(08)(b)[01]
                               class: sp800-53a
                           prose: exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only for compelling mission or operational requirements;
+                          links:
+                            - href: '#cm-7.8_smt.b'
+                              rel: assessment-for
                         - id: cm-7.8_obj.b-2
                           name: assessment-objective
                           props:
@@ -37925,6 +40656,15 @@ catalog:
                               value: CM-07(08)(b)[02]
                               class: sp800-53a
                           prose: exceptions to the prohibition of binary or machine-executable code from sources with limited or no warranty or without the provision of source code are allowed only with the approval of the authorizing official.
+                          links:
+                            - href: '#cm-7.8_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-7.8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.8_smt'
+                      rel: assessment-for
                 - id: cm-7.8_asm-examine
                   name: assessment-method
                   props:
@@ -38082,6 +40822,9 @@ catalog:
                           value: CM-07(09)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, cm-07.09_odp.01 }} are identified;'
+                      links:
+                        - href: '#cm-7.9_smt.a'
+                          rel: assessment-for
                     - id: cm-7.9_obj.b
                       name: assessment-objective
                       props:
@@ -38089,6 +40832,9 @@ catalog:
                           value: CM-07(09)(b)
                           class: sp800-53a
                       prose: the use or connection of unauthorized hardware components is prohibited;
+                      links:
+                        - href: '#cm-7.9_smt.b'
+                          rel: assessment-for
                     - id: cm-7.9_obj.c
                       name: assessment-objective
                       props:
@@ -38096,6 +40842,12 @@ catalog:
                           value: CM-07(09)(c)
                           class: sp800-53a
                       prose: 'the list of authorized hardware components is reviewed and updated {{ insert: param, cm-07.09_odp.02 }}.'
+                      links:
+                        - href: '#cm-7.9_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-7.9_smt'
+                      rel: assessment-for
                 - id: cm-7.9_asm-examine
                   name: assessment-method
                   props:
@@ -38321,6 +41073,9 @@ catalog:
                           value: CM-08a.01
                           class: sp800-53a
                       prose: an inventory of system components that accurately reflects the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.1'
+                          rel: assessment-for
                     - id: cm-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -38328,6 +41083,9 @@ catalog:
                           value: CM-08a.02
                           class: sp800-53a
                       prose: an inventory of system components that includes all components within the system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.2'
+                          rel: assessment-for
                     - id: cm-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -38335,6 +41093,9 @@ catalog:
                           value: CM-08a.03
                           class: sp800-53a
                       prose: an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.3'
+                          rel: assessment-for
                     - id: cm-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -38342,6 +41103,9 @@ catalog:
                           value: CM-08a.04
                           class: sp800-53a
                       prose: an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
+                      links:
+                        - href: '#cm-8_smt.a.4'
+                          rel: assessment-for
                     - id: cm-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -38349,6 +41113,12 @@ catalog:
                           value: CM-08a.05
                           class: sp800-53a
                       prose: 'an inventory of system components that includes {{ insert: param, cm-08_odp.01 }} is developed and documented;'
+                      links:
+                        - href: '#cm-8_smt.a.5'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8_smt.a'
+                      rel: assessment-for
                 - id: cm-8_obj.b
                   name: assessment-objective
                   props:
@@ -38356,6 +41126,12 @@ catalog:
                       value: CM-08b.
                       class: sp800-53a
                   prose: 'the system component inventory is reviewed and updated {{ insert: param, cm-08_odp.02 }}.'
+                  links:
+                    - href: '#cm-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cm-8_smt'
+                  rel: assessment-for
             - id: cm-8_asm-examine
               name: assessment-method
               props:
@@ -38461,6 +41237,9 @@ catalog:
                           value: CM-08(01)[01]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component installations;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -38468,6 +41247,9 @@ catalog:
                           value: CM-08(01)[02]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of component removals;
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
                     - id: cm-8.1_obj-3
                       name: assessment-objective
                       props:
@@ -38475,6 +41257,12 @@ catalog:
                           value: CM-08(01)[03]
                           class: sp800-53a
                       prose: the inventory of system components is updated as part of system updates.
+                      links:
+                        - href: '#cm-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.1_smt'
+                      rel: assessment-for
                 - id: cm-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -38629,6 +41417,9 @@ catalog:
                           value: CM-08(02)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-08.02_odp.01 }} are used to maintain the currency of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-2
                       name: assessment-objective
                       props:
@@ -38636,6 +41427,9 @@ catalog:
                           value: CM-08(02)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-08.02_odp.02 }} are used to maintain the completeness of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-3
                       name: assessment-objective
                       props:
@@ -38643,6 +41437,9 @@ catalog:
                           value: CM-08(02)[03]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-08.02_odp.03 }} are used to maintain the accuracy of the system component inventory;'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
                     - id: cm-8.2_obj-4
                       name: assessment-objective
                       props:
@@ -38650,6 +41447,12 @@ catalog:
                           value: CM-08(02)[04]
                           class: sp800-53a
                       prose: '{{ insert: param, cm-08.02_odp.04 }} are used to maintain the availability of the system component inventory.'
+                      links:
+                        - href: '#cm-8.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.2_smt'
+                      rel: assessment-for
                 - id: cm-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -38865,6 +41668,9 @@ catalog:
                               value: CM-08(03)(a)[01]
                               class: sp800-53a
                           prose: 'the presence of unauthorized hardware within the system is detected using {{ insert: param, cm-08.03_odp.01 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -38872,6 +41678,9 @@ catalog:
                               value: CM-08(03)(a)[02]
                               class: sp800-53a
                           prose: 'the presence of unauthorized software within the system is detected using {{ insert: param, cm-08.03_odp.02 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
                         - id: cm-8.3_obj.a-3
                           name: assessment-objective
                           props:
@@ -38879,6 +41688,12 @@ catalog:
                               value: CM-08(03)(a)[03]
                               class: sp800-53a
                           prose: 'the presence of unauthorized firmware within the system is detected using {{ insert: param, cm-08.03_odp.03 }} {{ insert: param, cm-08.03_odp.04 }};'
+                          links:
+                            - href: '#cm-8.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.a'
+                          rel: assessment-for
                     - id: cm-8.3_obj.b
                       name: assessment-objective
                       props:
@@ -38893,6 +41708,9 @@ catalog:
                               value: CM-08(03)(b)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized hardware is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -38900,6 +41718,9 @@ catalog:
                               value: CM-08(03)(b)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized software is detected;'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
                         - id: cm-8.3_obj.b-3
                           name: assessment-objective
                           props:
@@ -38907,6 +41728,15 @@ catalog:
                               value: CM-08(03)(b)[03]
                               class: sp800-53a
                           prose: '{{ insert: param, cm-08.03_odp.05 }} are taken when unauthorized firmware is detected.'
+                          links:
+                            - href: '#cm-8.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cm-8.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.3_smt'
+                      rel: assessment-for
                 - id: cm-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -39034,6 +41864,9 @@ catalog:
                       value: CM-08(04)
                       class: sp800-53a
                   prose: 'individuals responsible and accountable for administering system components are identified by {{ insert: param, cm-08.04_odp }} in the system component inventory.'
+                  links:
+                    - href: '#cm-8.4_smt'
+                      rel: assessment-for
                 - id: cm-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -39148,6 +41981,9 @@ catalog:
                           value: CM-08(06)[01]
                           class: sp800-53a
                       prose: assessed component configurations are included in the system component inventory;
+                      links:
+                        - href: '#cm-8.6_smt'
+                          rel: assessment-for
                     - id: cm-8.6_obj-2
                       name: assessment-objective
                       props:
@@ -39155,6 +41991,12 @@ catalog:
                           value: CM-08(06)[02]
                           class: sp800-53a
                       prose: any approved deviations to current deployed configurations are included in the system component inventory.
+                      links:
+                        - href: '#cm-8.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.6_smt'
+                      rel: assessment-for
                 - id: cm-8.6_asm-examine
                   name: assessment-method
                   props:
@@ -39254,6 +42096,9 @@ catalog:
                       value: CM-08(07)
                       class: sp800-53a
                   prose: a centralized repository for the system component inventory is provided.
+                  links:
+                    - href: '#cm-8.7_smt'
+                      rel: assessment-for
                 - id: cm-8.7_asm-examine
                   name: assessment-method
                   props:
@@ -39361,6 +42206,9 @@ catalog:
                       value: CM-08(08)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-08.08_odp }} are used to support the tracking of system components by geographic location.'
+                  links:
+                    - href: '#cm-8.8_smt'
+                      rel: assessment-for
                 - id: cm-8.8_asm-examine
                   name: assessment-method
                   props:
@@ -39492,6 +42340,9 @@ catalog:
                           value: CM-08(09)(a)
                           class: sp800-53a
                       prose: system components are assigned to a system;
+                      links:
+                        - href: '#cm-8.9_smt.a'
+                          rel: assessment-for
                     - id: cm-8.9_obj.b
                       name: assessment-objective
                       props:
@@ -39499,6 +42350,12 @@ catalog:
                           value: CM-08(09)(b)
                           class: sp800-53a
                       prose: 'an acknowledgement of the component assignment is received from {{ insert: param, cm-08.09_odp }}.'
+                      links:
+                        - href: '#cm-8.9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-8.9_smt'
+                      rel: assessment-for
                 - id: cm-8.9_asm-examine
                   name: assessment-method
                   props:
@@ -39671,6 +42528,9 @@ catalog:
                       value: CM-09[01]
                       class: sp800-53a
                   prose: a configuration management plan for the system is developed and documented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj-2
                   name: assessment-objective
                   props:
@@ -39678,6 +42538,9 @@ catalog:
                       value: CM-09[02]
                       class: sp800-53a
                   prose: a configuration management plan for the system is implemented;
+                  links:
+                    - href: '#cm-9_smt'
+                      rel: assessment-for
                 - id: cm-9_obj.a
                   name: assessment-objective
                   props:
@@ -39692,6 +42555,9 @@ catalog:
                           value: CM-09a.[01]
                           class: sp800-53a
                       prose: the configuration management plan addresses roles;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -39699,6 +42565,9 @@ catalog:
                           value: CM-09a.[02]
                           class: sp800-53a
                       prose: the configuration management plan addresses responsibilities;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
                     - id: cm-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -39706,6 +42575,12 @@ catalog:
                           value: CM-09a.[03]
                           class: sp800-53a
                       prose: the configuration management plan addresses configuration management processes and procedures;
+                      links:
+                        - href: '#cm-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.a'
+                      rel: assessment-for
                 - id: cm-9_obj.b
                   name: assessment-objective
                   props:
@@ -39720,6 +42595,9 @@ catalog:
                           value: CM-09b.[01]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
                     - id: cm-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -39727,6 +42605,12 @@ catalog:
                           value: CM-09b.[02]
                           class: sp800-53a
                       prose: the configuration management plan establishes a process for managing the configuration of the configuration items;
+                      links:
+                        - href: '#cm-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.b'
+                      rel: assessment-for
                 - id: cm-9_obj.c
                   name: assessment-objective
                   props:
@@ -39741,6 +42625,9 @@ catalog:
                           value: CM-09c.[01]
                           class: sp800-53a
                       prose: the configuration management plan defines the configuration items for the system;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
                     - id: cm-9_obj.c-2
                       name: assessment-objective
                       props:
@@ -39748,6 +42635,12 @@ catalog:
                           value: CM-09c.[02]
                           class: sp800-53a
                       prose: the configuration management plan places the configuration items under configuration management;
+                      links:
+                        - href: '#cm-9_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.c'
+                      rel: assessment-for
                 - id: cm-9_obj.d
                   name: assessment-objective
                   props:
@@ -39755,6 +42648,9 @@ catalog:
                       value: CM-09d.
                       class: sp800-53a
                   prose: 'the configuration management plan is reviewed and approved by {{ insert: param, cm-09_odp }};'
+                  links:
+                    - href: '#cm-9_smt.d'
+                      rel: assessment-for
                 - id: cm-9_obj.e
                   name: assessment-objective
                   props:
@@ -39769,6 +42665,9 @@ catalog:
                           value: CM-09e.[01]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
                     - id: cm-9_obj.e-2
                       name: assessment-objective
                       props:
@@ -39776,6 +42675,15 @@ catalog:
                           value: CM-09e.[02]
                           class: sp800-53a
                       prose: the configuration management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cm-9_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-9_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#cm-9_smt'
+                  rel: assessment-for
             - id: cm-9_asm-examine
               name: assessment-method
               props:
@@ -39877,6 +42785,9 @@ catalog:
                       value: CM-09(01)
                       class: sp800-53a
                   prose: the responsibility for developing the configuration management process is assigned to organizational personnel who are not directly involved in system development.
+                  links:
+                    - href: '#cm-9.1_smt'
+                      rel: assessment-for
                 - id: cm-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -39981,6 +42892,9 @@ catalog:
                       value: CM-10a.
                       class: sp800-53a
                   prose: software and associated documentation are used in accordance with contract agreements and copyright laws;
+                  links:
+                    - href: '#cm-10_smt.a'
+                      rel: assessment-for
                 - id: cm-10_obj.b
                   name: assessment-objective
                   props:
@@ -39988,6 +42902,9 @@ catalog:
                       value: CM-10b.
                       class: sp800-53a
                   prose: the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
+                  links:
+                    - href: '#cm-10_smt.b'
+                      rel: assessment-for
                 - id: cm-10_obj.c
                   name: assessment-objective
                   props:
@@ -39995,6 +42912,12 @@ catalog:
                       value: CM-10c.
                       class: sp800-53a
                   prose: the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
+                  links:
+                    - href: '#cm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-10_smt'
+                  rel: assessment-for
             - id: cm-10_asm-examine
               name: assessment-method
               props:
@@ -40109,6 +43032,9 @@ catalog:
                       value: CM-10(01)
                       class: sp800-53a
                   prose: '{{ insert: param, cm-10.01_odp }} are established for the use of open-source software.'
+                  links:
+                    - href: '#cm-10.1_smt'
+                      rel: assessment-for
                 - id: cm-10.1_asm-examine
                   name: assessment-method
                   props:
@@ -40285,6 +43211,9 @@ catalog:
                       value: CM-11a.
                       class: sp800-53a
                   prose: '{{ insert: param, cm-11_odp.01 }} governing the installation of software by users are established;'
+                  links:
+                    - href: '#cm-11_smt.a'
+                      rel: assessment-for
                 - id: cm-11_obj.b
                   name: assessment-objective
                   props:
@@ -40292,6 +43221,9 @@ catalog:
                       value: CM-11b.
                       class: sp800-53a
                   prose: 'software installation policies are enforced through {{ insert: param, cm-11_odp.02 }};'
+                  links:
+                    - href: '#cm-11_smt.b'
+                      rel: assessment-for
                 - id: cm-11_obj.c
                   name: assessment-objective
                   props:
@@ -40299,6 +43231,12 @@ catalog:
                       value: CM-11c.
                       class: sp800-53a
                   prose: 'compliance with {{ insert: param, cm-11_odp.01 }} is monitored {{ insert: param, cm-11_odp.03 }}.'
+                  links:
+                    - href: '#cm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-11_smt'
+                  rel: assessment-for
             - id: cm-11_asm-examine
               name: assessment-method
               props:
@@ -40424,6 +43362,9 @@ catalog:
                       value: CM-11(02)
                       class: sp800-53a
                   prose: user installation of software is allowed only with explicit privileged status.
+                  links:
+                    - href: '#cm-11.2_smt'
+                      rel: assessment-for
                 - id: cm-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -40558,6 +43499,9 @@ catalog:
                           value: CM-11(03)[01]
                           class: sp800-53a
                       prose: 'compliance with software installation policies is enforced using {{ insert: param, cm-11.03_odp.01 }};'
+                      links:
+                        - href: '#cm-11.3_smt'
+                          rel: assessment-for
                     - id: cm-11.3_obj-2
                       name: assessment-objective
                       props:
@@ -40565,6 +43509,12 @@ catalog:
                           value: CM-11(03)[02]
                           class: sp800-53a
                       prose: 'compliance with software installation policies is monitored using {{ insert: param, cm-11.03_odp.02 }}.'
+                      links:
+                        - href: '#cm-11.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-11.3_smt'
+                      rel: assessment-for
                 - id: cm-11.3_asm-examine
                   name: assessment-method
                   props:
@@ -40751,6 +43701,9 @@ catalog:
                           value: CM-12a.[01]
                           class: sp800-53a
                       prose: 'the location of {{ insert: param, cm-12_odp }} is identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-2
                       name: assessment-objective
                       props:
@@ -40758,6 +43711,9 @@ catalog:
                           value: CM-12a.[02]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
                     - id: cm-12_obj.a-3
                       name: assessment-objective
                       props:
@@ -40765,6 +43721,12 @@ catalog:
                           value: CM-12a.[03]
                           class: sp800-53a
                       prose: 'the specific system components on which {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.a'
+                      rel: assessment-for
                 - id: cm-12_obj.b
                   name: assessment-objective
                   props:
@@ -40779,6 +43741,9 @@ catalog:
                           value: CM-12b.[01]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is processed are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
                     - id: cm-12_obj.b-2
                       name: assessment-objective
                       props:
@@ -40786,6 +43751,12 @@ catalog:
                           value: CM-12b.[02]
                           class: sp800-53a
                       prose: 'the users who have access to the system and system components where {{ insert: param, cm-12_odp }} is stored are identified and documented;'
+                      links:
+                        - href: '#cm-12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.b'
+                      rel: assessment-for
                 - id: cm-12_obj.c
                   name: assessment-objective
                   props:
@@ -40800,6 +43771,9 @@ catalog:
                           value: CM-12c.[01]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is processed are documented;'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
                     - id: cm-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -40807,6 +43781,15 @@ catalog:
                           value: CM-12c.[02]
                           class: sp800-53a
                       prose: 'changes to the location (i.e., system or system components) where {{ insert: param, cm-12_odp }} is stored are documented.'
+                      links:
+                        - href: '#cm-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cm-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cm-12_smt'
+                  rel: assessment-for
             - id: cm-12_asm-examine
               name: assessment-method
               props:
@@ -40938,6 +43921,9 @@ catalog:
                       value: CM-12(01)
                       class: sp800-53a
                   prose: 'automated tools are used to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure that controls are in place to protect organizational information and individual privacy.'
+                  links:
+                    - href: '#cm-12.1_smt'
+                      rel: assessment-for
                 - id: cm-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -41054,6 +44040,9 @@ catalog:
                   value: CM-13
                   class: sp800-53a
               prose: a map of system data actions is developed and documented.
+              links:
+                - href: '#cm-13_smt'
+                  rel: assessment-for
             - id: cm-13_asm-examine
               name: assessment-method
               props:
@@ -41203,6 +44192,9 @@ catalog:
                       value: CM-14[01]
                       class: sp800-53a
                   prose: 'the installation of {{ insert: param, cm-14_odp.01 }} is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;'
+                  links:
+                    - href: '#cm-14_smt'
+                      rel: assessment-for
                 - id: cm-14_obj-2
                   name: assessment-objective
                   props:
@@ -41210,6 +44202,12 @@ catalog:
                       value: CM-14[02]
                       class: sp800-53a
                   prose: 'the installation of {{ insert: param, cm-14_odp.02 }} is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.'
+                  links:
+                    - href: '#cm-14_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cm-14_smt'
+                  rel: assessment-for
             - id: cm-14_asm-examine
               name: assessment-method
               props:
@@ -41491,6 +44489,9 @@ catalog:
                           value: CP-01a.[01]
                           class: sp800-53a
                       prose: a contingency planning policy is developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -41498,6 +44499,9 @@ catalog:
                           value: CP-01a.[02]
                           class: sp800-53a
                       prose: 'the contingency planning policy is disseminated to {{ insert: param, cp-01_odp.01 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -41505,6 +44509,9 @@ catalog:
                           value: CP-01a.[03]
                           class: sp800-53a
                       prose: contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -41512,6 +44519,9 @@ catalog:
                           value: CP-01a.[04]
                           class: sp800-53a
                       prose: 'the contingency planning procedures are disseminated to {{ insert: param, cp-01_odp.02 }};'
+                      links:
+                        - href: '#cp-1_smt.a'
+                          rel: assessment-for
                     - id: cp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -41533,6 +44543,9 @@ catalog:
                                   value: CP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses purpose;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -41540,6 +44553,9 @@ catalog:
                                   value: CP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses scope;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -41547,6 +44563,9 @@ catalog:
                                   value: CP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses roles;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -41554,6 +44573,9 @@ catalog:
                                   value: CP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses responsibilities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -41561,6 +44583,9 @@ catalog:
                                   value: CP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses management commitment;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -41568,6 +44593,9 @@ catalog:
                                   value: CP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: cp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -41575,6 +44603,12 @@ catalog:
                                   value: CP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy addresses compliance;'
+                              links:
+                                - href: '#cp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#cp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: cp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -41582,6 +44616,15 @@ catalog:
                               value: CP-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, cp-01_odp.03 }} contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#cp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.a'
+                      rel: assessment-for
                 - id: cp-1_obj.b
                   name: assessment-objective
                   props:
@@ -41589,6 +44632,9 @@ catalog:
                       value: CP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, cp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;'
+                  links:
+                    - href: '#cp-1_smt.b'
+                      rel: assessment-for
                 - id: cp-1_obj.c
                   name: assessment-objective
                   props:
@@ -41610,6 +44656,9 @@ catalog:
                               value: CP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated {{ insert: param, cp-01_odp.05 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
                         - id: cp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -41617,6 +44666,12 @@ catalog:
                               value: CP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current contingency planning policy is reviewed and updated following {{ insert: param, cp-01_odp.06 }};'
+                          links:
+                            - href: '#cp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.1'
+                          rel: assessment-for
                     - id: cp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -41631,6 +44686,9 @@ catalog:
                               value: CP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated {{ insert: param, cp-01_odp.07 }};'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
                         - id: cp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -41638,6 +44696,18 @@ catalog:
                               value: CP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current contingency planning procedures are reviewed and updated following {{ insert: param, cp-01_odp.08 }}.'
+                          links:
+                            - href: '#cp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-1_smt'
+                  rel: assessment-for
             - id: cp-1_asm-examine
               name: assessment-method
               props:
@@ -41949,6 +45019,9 @@ catalog:
                           value: CP-02a.01
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;
+                      links:
+                        - href: '#cp-2_smt.a.1'
+                          rel: assessment-for
                     - id: cp-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -41963,6 +45036,9 @@ catalog:
                               value: CP-02a.02[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides recovery objectives;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -41970,6 +45046,9 @@ catalog:
                               value: CP-02a.02[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides restoration priorities;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
                         - id: cp-2_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -41977,6 +45056,12 @@ catalog:
                               value: CP-02a.02[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that provides metrics;
+                          links:
+                            - href: '#cp-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.2'
+                          rel: assessment-for
                     - id: cp-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -41991,6 +45076,9 @@ catalog:
                               value: CP-02a.03[01]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency roles;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -41998,6 +45086,9 @@ catalog:
                               value: CP-02a.03[02]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses contingency responsibilities;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
                         - id: cp-2_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -42005,6 +45096,12 @@ catalog:
                               value: CP-02a.03[03]
                               class: sp800-53a
                           prose: a contingency plan for the system is developed that addresses assigned individuals with contact information;
+                          links:
+                            - href: '#cp-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.3'
+                          rel: assessment-for
                     - id: cp-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -42012,6 +45109,9 @@ catalog:
                           value: CP-02a.04
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
+                      links:
+                        - href: '#cp-2_smt.a.4'
+                          rel: assessment-for
                     - id: cp-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -42019,6 +45119,9 @@ catalog:
                           value: CP-02a.05
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;
+                      links:
+                        - href: '#cp-2_smt.a.5'
+                          rel: assessment-for
                     - id: cp-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -42026,6 +45129,9 @@ catalog:
                           value: CP-02a.06
                           class: sp800-53a
                       prose: a contingency plan for the system is developed that addresses the sharing of contingency information;
+                      links:
+                        - href: '#cp-2_smt.a.6'
+                          rel: assessment-for
                     - id: cp-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -42040,6 +45146,9 @@ catalog:
                               value: CP-02a.07[01]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is reviewed by {{ insert: param, cp-02_odp.01 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
                         - id: cp-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -42047,6 +45156,15 @@ catalog:
                               value: CP-02a.07[02]
                               class: sp800-53a
                           prose: 'a contingency plan for the system is developed that is approved by {{ insert: param, cp-02_odp.02 }};'
+                          links:
+                            - href: '#cp-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-2_smt.a.7'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.a'
+                      rel: assessment-for
                 - id: cp-2_obj.b
                   name: assessment-objective
                   props:
@@ -42061,6 +45179,9 @@ catalog:
                           value: CP-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.03 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
                     - id: cp-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -42068,6 +45189,12 @@ catalog:
                           value: CP-02b.[02]
                           class: sp800-53a
                       prose: 'copies of the contingency plan are distributed to {{ insert: param, cp-02_odp.04 }};'
+                      links:
+                        - href: '#cp-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.b'
+                      rel: assessment-for
                 - id: cp-2_obj.c
                   name: assessment-objective
                   props:
@@ -42075,6 +45202,9 @@ catalog:
                       value: CP-02c.
                       class: sp800-53a
                   prose: contingency planning activities are coordinated with incident handling activities;
+                  links:
+                    - href: '#cp-2_smt.c'
+                      rel: assessment-for
                 - id: cp-2_obj.d
                   name: assessment-objective
                   props:
@@ -42082,6 +45212,9 @@ catalog:
                       value: CP-02d.
                       class: sp800-53a
                   prose: 'the contingency plan for the system is reviewed {{ insert: param, cp-02_odp.05 }};'
+                  links:
+                    - href: '#cp-2_smt.d'
+                      rel: assessment-for
                 - id: cp-2_obj.e
                   name: assessment-objective
                   props:
@@ -42096,6 +45229,9 @@ catalog:
                           value: CP-02e.[01]
                           class: sp800-53a
                       prose: the contingency plan is updated to address changes to the organization, system, or environment of operation;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
                     - id: cp-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -42103,6 +45239,12 @@ catalog:
                           value: CP-02e.[02]
                           class: sp800-53a
                       prose: the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;
+                      links:
+                        - href: '#cp-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.e'
+                      rel: assessment-for
                 - id: cp-2_obj.f
                   name: assessment-objective
                   props:
@@ -42117,6 +45259,9 @@ catalog:
                           value: CP-02f.[01]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.06 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
                     - id: cp-2_obj.f-2
                       name: assessment-objective
                       props:
@@ -42124,6 +45269,12 @@ catalog:
                           value: CP-02f.[02]
                           class: sp800-53a
                       prose: 'contingency plan changes are communicated to {{ insert: param, cp-02_odp.07 }};'
+                      links:
+                        - href: '#cp-2_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.f'
+                      rel: assessment-for
                 - id: cp-2_obj.g
                   name: assessment-objective
                   props:
@@ -42138,6 +45289,9 @@ catalog:
                           value: CP-02g.[01]
                           class: sp800-53a
                       prose: lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
                     - id: cp-2_obj.g-2
                       name: assessment-objective
                       props:
@@ -42145,6 +45299,12 @@ catalog:
                           value: CP-02g.[02]
                           class: sp800-53a
                       prose: lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;
+                      links:
+                        - href: '#cp-2_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.g'
+                      rel: assessment-for
                 - id: cp-2_obj.h
                   name: assessment-objective
                   props:
@@ -42159,6 +45319,9 @@ catalog:
                           value: CP-02h.[01]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
                     - id: cp-2_obj.h-2
                       name: assessment-objective
                       props:
@@ -42166,6 +45329,15 @@ catalog:
                           value: CP-02h.[02]
                           class: sp800-53a
                       prose: the contingency plan is protected from unauthorized modification.
+                      links:
+                        - href: '#cp-2_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2_smt.h'
+                      rel: assessment-for
+              links:
+                - href: '#cp-2_smt'
+                  rel: assessment-for
             - id: cp-2_asm-examine
               name: assessment-method
               props:
@@ -42255,6 +45427,9 @@ catalog:
                       value: CP-02(01)
                       class: sp800-53a
                   prose: contingency plan development is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-2.1_smt'
+                      rel: assessment-for
                 - id: cp-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -42359,6 +45534,9 @@ catalog:
                           value: CP-02(02)[01]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for information processing;
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
                     - id: cp-2.2_obj-2
                       name: assessment-objective
                       props:
@@ -42366,6 +45544,9 @@ catalog:
                           value: CP-02(02)[02]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for telecommunications;
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
                     - id: cp-2.2_obj-3
                       name: assessment-objective
                       props:
@@ -42373,6 +45554,12 @@ catalog:
                           value: CP-02(02)[03]
                           class: sp800-53a
                       prose: capacity planning is conducted so that the necessary capacity exists during contingency operations for environmental support.
+                      links:
+                        - href: '#cp-2.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2.2_smt'
+                      rel: assessment-for
                 - id: cp-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -42466,6 +45653,9 @@ catalog:
                       value: CP-02(03)
                       class: sp800-53a
                   prose: 'the resumption of {{ insert: param, cp-02.03_odp.01 }} mission and business functions are planned for within {{ insert: param, cp-02.03_odp.02 }} of contingency plan activation.'
+                  links:
+                    - href: '#cp-2.3_smt'
+                      rel: assessment-for
                 - id: cp-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -42590,6 +45780,9 @@ catalog:
                           value: CP-02(05)[01]
                           class: sp800-53a
                       prose: 'the continuance of {{ insert: param, cp-02.05_odp }} mission and business functions with minimal or no loss of operational continuity is planned for;'
+                      links:
+                        - href: '#cp-2.5_smt'
+                          rel: assessment-for
                     - id: cp-2.5_obj-2
                       name: assessment-objective
                       props:
@@ -42597,6 +45790,12 @@ catalog:
                           value: CP-02(05)[02]
                           class: sp800-53a
                       prose: continuity is sustained until full system restoration at primary processing and/or storage sites.
+                      links:
+                        - href: '#cp-2.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2.5_smt'
+                      rel: assessment-for
                 - id: cp-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -42711,6 +45910,9 @@ catalog:
                           value: CP-02(06)[01]
                           class: sp800-53a
                       prose: 'the transfer of {{ insert: param, cp-02.06_odp }} mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;'
+                      links:
+                        - href: '#cp-2.6_smt'
+                          rel: assessment-for
                     - id: cp-2.6_obj-2
                       name: assessment-objective
                       props:
@@ -42718,6 +45920,12 @@ catalog:
                           value: CP-02(06)[02]
                           class: sp800-53a
                       prose: operational continuity is sustained until full system restoration at primary processing and/or storage sites.
+                      links:
+                        - href: '#cp-2.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-2.6_smt'
+                      rel: assessment-for
                 - id: cp-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -42811,6 +46019,9 @@ catalog:
                       value: CP-02(07)
                       class: sp800-53a
                   prose: the contingency plan is coordinated with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
+                  links:
+                    - href: '#cp-2.7_smt'
+                      rel: assessment-for
                 - id: cp-2.7_asm-examine
                   name: assessment-method
                   props:
@@ -42904,6 +46115,9 @@ catalog:
                       value: CP-02(08)
                       class: sp800-53a
                   prose: 'critical system assets supporting {{ insert: param, cp-02.08_odp }} mission and business functions are identified.'
+                  links:
+                    - href: '#cp-2.8_smt'
+                      rel: assessment-for
                 - id: cp-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -43082,6 +46296,9 @@ catalog:
                           value: CP-03a.01
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, cp-03_odp.01 }} of assuming a contingency role or responsibility;'
+                      links:
+                        - href: '#cp-3_smt.a.1'
+                          rel: assessment-for
                     - id: cp-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -43089,6 +46306,9 @@ catalog:
                           value: CP-03a.02
                           class: sp800-53a
                       prose: contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#cp-3_smt.a.2'
+                          rel: assessment-for
                     - id: cp-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -43096,6 +46316,12 @@ catalog:
                           value: CP-03a.03
                           class: sp800-53a
                       prose: 'contingency training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, cp-03_odp.02 }} thereafter;'
+                      links:
+                        - href: '#cp-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.a'
+                      rel: assessment-for
                 - id: cp-3_obj.b
                   name: assessment-objective
                   props:
@@ -43110,6 +46336,9 @@ catalog:
                           value: CP-03b.[01]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated {{ insert: param, cp-03_odp.03 }};'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
                     - id: cp-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -43117,6 +46346,15 @@ catalog:
                           value: CP-03b.[02]
                           class: sp800-53a
                       prose: 'the contingency plan training content is reviewed and updated following {{ insert: param, cp-03_odp.04 }}.'
+                      links:
+                        - href: '#cp-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-3_smt'
+                  rel: assessment-for
             - id: cp-3_asm-examine
               name: assessment-method
               props:
@@ -43206,6 +46444,9 @@ catalog:
                       value: CP-03(01)
                       class: sp800-53a
                   prose: simulated events are incorporated into contingency training to facilitate effective response by personnel in crisis situations.
+                  links:
+                    - href: '#cp-3.1_smt'
+                      rel: assessment-for
                 - id: cp-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -43295,6 +46536,9 @@ catalog:
                       value: CP-03(02)
                       class: sp800-53a
                   prose: mechanisms used in operations are employed to provide a more thorough and realistic contingency training environment.
+                  links:
+                    - href: '#cp-3.2_smt'
+                      rel: assessment-for
                 - id: cp-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -43478,6 +46722,9 @@ catalog:
                           value: CP-04a.[01]
                           class: sp800-53a
                       prose: 'the contingency plan for the system is tested {{ insert: param, cp-04_odp.01 }};'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -43485,6 +46732,9 @@ catalog:
                           value: CP-04a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, cp-04_odp.02 }} are used to determine the effectiveness of the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
                     - id: cp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -43492,6 +46742,12 @@ catalog:
                           value: CP-04a.[03]
                           class: sp800-53a
                       prose: '{{ insert: param, cp-04_odp.03 }} are used to determine the readiness to execute the plan;'
+                      links:
+                        - href: '#cp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4_smt.a'
+                      rel: assessment-for
                 - id: cp-4_obj.b
                   name: assessment-objective
                   props:
@@ -43499,6 +46755,9 @@ catalog:
                       value: CP-04b.
                       class: sp800-53a
                   prose: the contingency plan test results are reviewed;
+                  links:
+                    - href: '#cp-4_smt.b'
+                      rel: assessment-for
                 - id: cp-4_obj.c
                   name: assessment-objective
                   props:
@@ -43506,6 +46765,12 @@ catalog:
                       value: CP-04c.
                       class: sp800-53a
                   prose: corrective actions are initiated, if needed.
+                  links:
+                    - href: '#cp-4_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-4_smt'
+                  rel: assessment-for
             - id: cp-4_asm-examine
               name: assessment-method
               props:
@@ -43600,6 +46865,9 @@ catalog:
                       value: CP-04(01)
                       class: sp800-53a
                   prose: contingency plan testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#cp-4.1_smt'
+                      rel: assessment-for
                 - id: cp-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -43712,6 +46980,9 @@ catalog:
                           value: CP-04(02)(a)
                           class: sp800-53a
                       prose: the contingency plan is tested at the alternate processing site to familiarize contingency personnel with the facility and available resources;
+                      links:
+                        - href: '#cp-4.2_smt.a'
+                          rel: assessment-for
                     - id: cp-4.2_obj.b
                       name: assessment-objective
                       props:
@@ -43719,6 +46990,12 @@ catalog:
                           value: CP-04(02)(b)
                           class: sp800-53a
                       prose: the contingency plan is tested at the alternate processing site to evaluate the capabilities of the alternate processing site to support contingency operations.
+                      links:
+                        - href: '#cp-4.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4.2_smt'
+                      rel: assessment-for
                 - id: cp-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -43823,6 +47100,9 @@ catalog:
                       value: CP-04(03)
                       class: sp800-53a
                   prose: 'the contingency plan is tested using {{ insert: param, cp-04.03_odp }}.'
+                  links:
+                    - href: '#cp-4.3_smt'
+                      rel: assessment-for
                 - id: cp-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -43925,6 +47205,9 @@ catalog:
                           value: CP-04(04)[01]
                           class: sp800-53a
                       prose: a full recovery of the system to a known state is included as part of contingency plan testing;
+                      links:
+                        - href: '#cp-4.4_smt'
+                          rel: assessment-for
                     - id: cp-4.4_obj-2
                       name: assessment-objective
                       props:
@@ -43932,6 +47215,12 @@ catalog:
                           value: CP-04(04)[02]
                           class: sp800-53a
                       prose: a full reconstitution of the system to a known state is included as part of contingency plan testing.
+                      links:
+                        - href: '#cp-4.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-4.4_smt'
+                      rel: assessment-for
                 - id: cp-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -44049,6 +47338,9 @@ catalog:
                       value: CP-04(05)
                       class: sp800-53a
                   prose: '{{ insert: param, cp-04.05_odp.01 }} are employed to disrupt and adversely affect the {{ insert: param, cp-04.05_odp.02 }}.'
+                  links:
+                    - href: '#cp-4.5_smt'
+                      rel: assessment-for
                 - id: cp-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -44199,6 +47491,9 @@ catalog:
                           value: CP-06a.[01]
                           class: sp800-53a
                       prose: an alternate storage site is established;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
                     - id: cp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -44206,6 +47501,12 @@ catalog:
                           value: CP-06a.[02]
                           class: sp800-53a
                       prose: establishment of the alternate storage site includes necessary agreements to permit the storage and retrieval of system backup information;
+                      links:
+                        - href: '#cp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6_smt.a'
+                      rel: assessment-for
                 - id: cp-6_obj.b
                   name: assessment-objective
                   props:
@@ -44213,6 +47514,12 @@ catalog:
                       value: CP-06b.
                       class: sp800-53a
                   prose: the alternate storage site provides controls equivalent to that of the primary site.
+                  links:
+                    - href: '#cp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#cp-6_smt'
+                  rel: assessment-for
             - id: cp-6_asm-examine
               name: assessment-method
               props:
@@ -44304,6 +47611,9 @@ catalog:
                       value: CP-06(01)
                       class: sp800-53a
                   prose: an alternate storage site that is sufficiently separated from the primary storage site is identified to reduce susceptibility to the same threats.
+                  links:
+                    - href: '#cp-6.1_smt'
+                      rel: assessment-for
                 - id: cp-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -44386,6 +47696,9 @@ catalog:
                           value: CP-06(02)[01]
                           class: sp800-53a
                       prose: the alternate storage site is configured to facilitate recovery operations in accordance with recovery time objectives;
+                      links:
+                        - href: '#cp-6.2_smt'
+                          rel: assessment-for
                     - id: cp-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -44393,6 +47706,12 @@ catalog:
                           value: CP-06(02)[02]
                           class: sp800-53a
                       prose: the alternate storage site is configured to facilitate recovery operations in accordance with recovery point objectives.
+                      links:
+                        - href: '#cp-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6.2_smt'
+                      rel: assessment-for
                 - id: cp-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -44492,6 +47811,9 @@ catalog:
                           value: CP-06(03)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
                     - id: cp-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -44499,6 +47821,12 @@ catalog:
                           value: CP-06(03)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-6.3_smt'
+                      rel: assessment-for
                 - id: cp-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -44649,6 +47977,9 @@ catalog:
                       value: CP-07a.
                       class: sp800-53a
                   prose: 'an alternate processing site, including necessary agreements to permit the transfer and resumption of {{ insert: param, cp-07_odp.01 }} for essential mission and business functions, is established within {{ insert: param, cp-07_odp.02 }} when the primary processing capabilities are unavailable;'
+                  links:
+                    - href: '#cp-7_smt.a'
+                      rel: assessment-for
                 - id: cp-7_obj.b
                   name: assessment-objective
                   props:
@@ -44663,6 +47994,9 @@ catalog:
                           value: CP-07b.[01]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for transfer;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
                     - id: cp-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -44670,6 +48004,12 @@ catalog:
                           value: CP-07b.[02]
                           class: sp800-53a
                       prose: 'the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within {{ insert: param, cp-07_odp.02 }} for resumption;'
+                      links:
+                        - href: '#cp-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7_smt.b'
+                      rel: assessment-for
                 - id: cp-7_obj.c
                   name: assessment-objective
                   props:
@@ -44677,6 +48017,12 @@ catalog:
                       value: CP-07c.
                       class: sp800-53a
                   prose: controls provided at the alternate processing site are equivalent to those at the primary site.
+                  links:
+                    - href: '#cp-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#cp-7_smt'
+                  rel: assessment-for
             - id: cp-7_asm-examine
               name: assessment-method
               props:
@@ -44772,6 +48118,9 @@ catalog:
                       value: CP-07(01)
                       class: sp800-53a
                   prose: an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats is identified.
+                  links:
+                    - href: '#cp-7.1_smt'
+                      rel: assessment-for
                 - id: cp-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -44856,6 +48205,9 @@ catalog:
                           value: CP-07(02)[01]
                           class: sp800-53a
                       prose: potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster are identified;
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
                     - id: cp-7.2_obj-2
                       name: assessment-objective
                       props:
@@ -44863,6 +48215,12 @@ catalog:
                           value: CP-07(02)[02]
                           class: sp800-53a
                       prose: explicit mitigation actions to address identified accessibility problems are outlined.
+                      links:
+                        - href: '#cp-7.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7.2_smt'
+                      rel: assessment-for
                 - id: cp-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -44938,6 +48296,9 @@ catalog:
                       value: CP-07(03)
                       class: sp800-53a
                   prose: alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed.
+                  links:
+                    - href: '#cp-7.3_smt'
+                      rel: assessment-for
                 - id: cp-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -45019,6 +48380,9 @@ catalog:
                       value: CP-07(04)
                       class: sp800-53a
                   prose: the alternate processing site is prepared so that the site can serve as the operational site supporting essential mission and business functions.
+                  links:
+                    - href: '#cp-7.4_smt'
+                      rel: assessment-for
                 - id: cp-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -45129,6 +48493,9 @@ catalog:
                           value: CP-07(06)[01]
                           class: sp800-53a
                       prose: circumstances that preclude returning to the primary processing site are planned for;
+                      links:
+                        - href: '#cp-7.6_smt'
+                          rel: assessment-for
                     - id: cp-7.6_obj-2
                       name: assessment-objective
                       props:
@@ -45136,6 +48503,12 @@ catalog:
                           value: CP-07(06)[02]
                           class: sp800-53a
                       prose: circumstances that preclude returning to the primary processing site are prepared for.
+                      links:
+                        - href: '#cp-7.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-7.6_smt'
+                      rel: assessment-for
                 - id: cp-7.6_asm-examine
                   name: assessment-method
                   props:
@@ -45240,6 +48613,9 @@ catalog:
                   value: CP-08
                   class: sp800-53a
               prose: 'alternate telecommunications services, including necessary agreements to permit the resumption of {{ insert: param, cp-08_odp.01 }} , are established for essential mission and business functions within {{ insert: param, cp-08_odp.02 }} when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.'
+              links:
+                - href: '#cp-8_smt'
+                  rel: assessment-for
             - id: cp-8_asm-examine
               name: assessment-method
               props:
@@ -45354,6 +48730,9 @@ catalog:
                               value: CP-08(01)(a)[01]
                               class: sp800-53a
                           prose: primary telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
                         - id: cp-8.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -45361,6 +48740,12 @@ catalog:
                               value: CP-08(01)(a)[02]
                               class: sp800-53a
                           prose: alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives) are developed;
+                          links:
+                            - href: '#cp-8.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.1_smt.a'
+                          rel: assessment-for
                     - id: cp-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -45368,6 +48753,12 @@ catalog:
                           value: CP-08(01)(b)
                           class: sp800-53a
                       prose: Telecommunications Service Priority is requested for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
+                      links:
+                        - href: '#cp-8.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-8.1_smt'
+                      rel: assessment-for
                 - id: cp-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -45455,6 +48846,9 @@ catalog:
                       value: CP-08(02)
                       class: sp800-53a
                   prose: alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services are obtained.
+                  links:
+                    - href: '#cp-8.2_smt'
+                      rel: assessment-for
                 - id: cp-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -45528,6 +48922,9 @@ catalog:
                       value: CP-08(03)
                       class: sp800-53a
                   prose: alternate telecommunications services from providers that are separated from primary service providers are obtained to reduce susceptibility to the same threats.
+                  links:
+                    - href: '#cp-8.3_smt'
+                      rel: assessment-for
                 - id: cp-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -45665,6 +49062,9 @@ catalog:
                               value: CP-08(04)(a)[01]
                               class: sp800-53a
                           prose: primary telecommunications service providers are required to have contingency plans;
+                          links:
+                            - href: '#cp-8.4_smt.a'
+                              rel: assessment-for
                         - id: cp-8.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -45672,6 +49072,12 @@ catalog:
                               value: CP-08(04)(a)[02]
                               class: sp800-53a
                           prose: alternate telecommunications service providers are required to have contingency plans;
+                          links:
+                            - href: '#cp-8.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.4_smt.a'
+                          rel: assessment-for
                     - id: cp-8.4_obj.b
                       name: assessment-objective
                       props:
@@ -45679,6 +49085,9 @@ catalog:
                           value: CP-08(04)(b)
                           class: sp800-53a
                       prose: provider contingency plans are reviewed to ensure that the plans meet organizational contingency requirements;
+                      links:
+                        - href: '#cp-8.4_smt.b'
+                          rel: assessment-for
                     - id: cp-8.4_obj.c
                       name: assessment-objective
                       props:
@@ -45693,6 +49102,9 @@ catalog:
                               value: CP-08(04)(c)[01]
                               class: sp800-53a
                           prose: 'evidence of contingency testing by providers is obtained {{ insert: param, cp-08.04_odp.01 }}.'
+                          links:
+                            - href: '#cp-8.4_smt.c'
+                              rel: assessment-for
                         - id: cp-8.4_obj.c-2
                           name: assessment-objective
                           props:
@@ -45700,6 +49112,15 @@ catalog:
                               value: CP-08(04)(c)[02]
                               class: sp800-53a
                           prose: 'evidence of contingency training by providers is obtained {{ insert: param, cp-08.04_odp.02 }}.'
+                          links:
+                            - href: '#cp-8.4_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#cp-8.4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-8.4_smt'
+                      rel: assessment-for
                 - id: cp-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -45790,6 +49211,9 @@ catalog:
                       value: CP-08(05)
                       class: sp800-53a
                   prose: 'alternate telecommunications services are tested {{ insert: param, cp-08.05_odp }}.'
+                  links:
+                    - href: '#cp-8.5_smt'
+                      rel: assessment-for
                 - id: cp-8.5_asm-examine
                   name: assessment-method
                   props:
@@ -45984,6 +49408,9 @@ catalog:
                       value: CP-09a.
                       class: sp800-53a
                   prose: 'backups of user-level information contained in {{ insert: param, cp-09_odp.01 }} are conducted {{ insert: param, cp-09_odp.02 }};'
+                  links:
+                    - href: '#cp-9_smt.a'
+                      rel: assessment-for
                 - id: cp-9_obj.b
                   name: assessment-objective
                   props:
@@ -45991,6 +49418,9 @@ catalog:
                       value: CP-09b.
                       class: sp800-53a
                   prose: 'backups of system-level information contained in the system are conducted {{ insert: param, cp-09_odp.03 }};'
+                  links:
+                    - href: '#cp-9_smt.b'
+                      rel: assessment-for
                 - id: cp-9_obj.c
                   name: assessment-objective
                   props:
@@ -45998,6 +49428,9 @@ catalog:
                       value: CP-09c.
                       class: sp800-53a
                   prose: 'backups of system documentation, including security- and privacy-related documentation are conducted {{ insert: param, cp-09_odp.04 }};'
+                  links:
+                    - href: '#cp-9_smt.c'
+                      rel: assessment-for
                 - id: cp-9_obj.d
                   name: assessment-objective
                   props:
@@ -46012,6 +49445,9 @@ catalog:
                           value: CP-09d.[01]
                           class: sp800-53a
                       prose: the confidentiality of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-2
                       name: assessment-objective
                       props:
@@ -46019,6 +49455,9 @@ catalog:
                           value: CP-09d.[02]
                           class: sp800-53a
                       prose: the integrity of backup information is protected;
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
                     - id: cp-9_obj.d-3
                       name: assessment-objective
                       props:
@@ -46026,6 +49465,15 @@ catalog:
                           value: CP-09d.[03]
                           class: sp800-53a
                       prose: the availability of backup information is protected.
+                      links:
+                        - href: '#cp-9_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#cp-9_smt'
+                  rel: assessment-for
             - id: cp-9_asm-examine
               name: assessment-method
               props:
@@ -46150,6 +49598,9 @@ catalog:
                           value: CP-09(01)[01]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.01 }} to verify media reliability;'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
                     - id: cp-9.1_obj-2
                       name: assessment-objective
                       props:
@@ -46157,6 +49608,12 @@ catalog:
                           value: CP-09(01)[02]
                           class: sp800-53a
                       prose: 'backup information is tested {{ insert: param, cp-09.01_odp.02 }} to verify information integrity.'
+                      links:
+                        - href: '#cp-9.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.1_smt'
+                      rel: assessment-for
                 - id: cp-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -46247,6 +49704,9 @@ catalog:
                       value: CP-09(02)
                       class: sp800-53a
                   prose: a sample of backup information in the restoration of selected system functions is used as part of contingency plan testing.
+                  links:
+                    - href: '#cp-9.2_smt'
+                      rel: assessment-for
                 - id: cp-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -46354,6 +49814,9 @@ catalog:
                       value: CP-09(03)
                       class: sp800-53a
                   prose: 'backup copies of {{ insert: param, cp-09.03_odp }} are stored in a separate facility or in a fire rated container that is not collocated with the operational system.'
+                  links:
+                    - href: '#cp-9.3_smt'
+                      rel: assessment-for
                 - id: cp-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -46486,6 +49949,9 @@ catalog:
                           value: CP-09(05)[01]
                           class: sp800-53a
                       prose: 'system backup information is transferred to the alternate storage site for {{ insert: param, cp-09.05_odp.01 }};'
+                      links:
+                        - href: '#cp-9.5_smt'
+                          rel: assessment-for
                     - id: cp-9.5_obj-2
                       name: assessment-objective
                       props:
@@ -46493,6 +49959,12 @@ catalog:
                           value: CP-09(05)[02]
                           class: sp800-53a
                       prose: 'system backup information is transferred to the alternate storage site {{ insert: param, cp-09.05_odp.02 }}.'
+                      links:
+                        - href: '#cp-9.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.5_smt'
+                      rel: assessment-for
                 - id: cp-9.5_asm-examine
                   name: assessment-method
                   props:
@@ -46592,6 +50064,9 @@ catalog:
                           value: CP-09(06)[01]
                           class: sp800-53a
                       prose: system backup is conducted by maintaining a redundant secondary system that is not collocated with the primary system;
+                      links:
+                        - href: '#cp-9.6_smt'
+                          rel: assessment-for
                     - id: cp-9.6_obj-2
                       name: assessment-objective
                       props:
@@ -46599,6 +50074,12 @@ catalog:
                           value: CP-09(06)[02]
                           class: sp800-53a
                       prose: system backup is conducted by maintaining a redundant secondary system that can be activated without loss of information or disruption to operations.
+                      links:
+                        - href: '#cp-9.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#cp-9.6_smt'
+                      rel: assessment-for
                 - id: cp-9.6_asm-examine
                   name: assessment-method
                   props:
@@ -46712,6 +50193,9 @@ catalog:
                       value: CP-09(07)
                       class: sp800-53a
                   prose: 'dual authorization for the deletion or destruction of {{ insert: param, cp-09.07_odp }} is enforced.'
+                  links:
+                    - href: '#cp-9.7_smt'
+                      rel: assessment-for
                 - id: cp-9.7_asm-examine
                   name: assessment-method
                   props:
@@ -46819,6 +50303,9 @@ catalog:
                       value: CP-09(08)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of {{ insert: param, cp-09.08_odp }}.'
+                  links:
+                    - href: '#cp-9.8_smt'
+                      rel: assessment-for
                 - id: cp-9.8_asm-examine
                   name: assessment-method
                   props:
@@ -46953,6 +50440,9 @@ catalog:
                       value: CP-10[01]
                       class: sp800-53a
                   prose: 'the recovery of the system to a known state is provided within {{ insert: param, cp-10_odp.01 }} after a disruption, compromise, or failure;'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
                 - id: cp-10_obj-2
                   name: assessment-objective
                   props:
@@ -46960,6 +50450,12 @@ catalog:
                       value: CP-10[02]
                       class: sp800-53a
                   prose: 'a reconstitution of the system to a known state is provided within {{ insert: param, cp-10_odp.02 }} after a disruption, compromise, or failure.'
+                  links:
+                    - href: '#cp-10_smt'
+                      rel: assessment-for
+              links:
+                - href: '#cp-10_smt'
+                  rel: assessment-for
             - id: cp-10_asm-examine
               name: assessment-method
               props:
@@ -47069,6 +50565,9 @@ catalog:
                       value: CP-10(02)
                       class: sp800-53a
                   prose: transaction recovery is implemented for systems that are transaction-based.
+                  links:
+                    - href: '#cp-10.2_smt'
+                      rel: assessment-for
                 - id: cp-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -47192,6 +50691,9 @@ catalog:
                       value: CP-10(04)
                       class: sp800-53a
                   prose: 'the capability to restore system components within {{ insert: param, cp-10.04_odp }} from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.'
+                  links:
+                    - href: '#cp-10.4_smt'
+                      rel: assessment-for
                 - id: cp-10.4_asm-examine
                   name: assessment-method
                   props:
@@ -47309,6 +50811,9 @@ catalog:
                       value: CP-10(06)
                       class: sp800-53a
                   prose: system components used for recovery and reconstitution are protected.
+                  links:
+                    - href: '#cp-10.6_smt'
+                      rel: assessment-for
                 - id: cp-10.6_asm-examine
                   name: assessment-method
                   props:
@@ -47418,6 +50923,9 @@ catalog:
                   value: CP-11
                   class: sp800-53a
               prose: 'the capability to employ {{ insert: param, cp-11_odp }} are provided in support of maintaining continuity of operations.'
+              links:
+                - href: '#cp-11_smt'
+                  rel: assessment-for
             - id: cp-11_asm-examine
               name: assessment-method
               props:
@@ -47546,6 +51054,9 @@ catalog:
                   value: CP-12
                   class: sp800-53a
               prose: 'a safe mode of operation is entered with {{ insert: param, cp-12_odp.01 }} when {{ insert: param, cp-12_odp.02 }} are detected.'
+              links:
+                - href: '#cp-12_smt'
+                  rel: assessment-for
             - id: cp-12_asm-examine
               name: assessment-method
               props:
@@ -47673,6 +51184,9 @@ catalog:
                   value: CP-13
                   class: sp800-53a
               prose: '{{ insert: param, cp-13_odp.01 }} are employed for satisfying {{ insert: param, cp-13_odp.02 }} when the primary means of implementing the security function is unavailable or compromised.'
+              links:
+                - href: '#cp-13_smt'
+                  rel: assessment-for
             - id: cp-13_asm-examine
               name: assessment-method
               props:
@@ -47957,6 +51471,9 @@ catalog:
                           value: IA-01a.[01]
                           class: sp800-53a
                       prose: an identification and authentication policy is developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -47964,6 +51481,9 @@ catalog:
                           value: IA-01a.[02]
                           class: sp800-53a
                       prose: 'the identification and authentication policy is disseminated to {{ insert: param, ia-01_odp.01 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -47971,6 +51491,9 @@ catalog:
                           value: IA-01a.[03]
                           class: sp800-53a
                       prose: identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -47978,6 +51501,9 @@ catalog:
                           value: IA-01a.[04]
                           class: sp800-53a
                       prose: 'the identification and authentication procedures are disseminated to {{ insert: param, ia-01_odp.02 }};'
+                      links:
+                        - href: '#ia-1_smt.a'
+                          rel: assessment-for
                     - id: ia-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -47999,6 +51525,9 @@ catalog:
                                   value: IA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses purpose;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -48006,6 +51535,9 @@ catalog:
                                   value: IA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses scope;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -48013,6 +51545,9 @@ catalog:
                                   value: IA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses roles;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -48020,6 +51555,9 @@ catalog:
                                   value: IA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses responsibilities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -48027,6 +51565,9 @@ catalog:
                                   value: IA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses management commitment;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -48034,6 +51575,9 @@ catalog:
                                   value: IA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ia-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -48041,6 +51585,12 @@ catalog:
                                   value: IA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy addresses compliance;'
+                              links:
+                                - href: '#ia-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ia-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ia-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -48048,6 +51598,15 @@ catalog:
                               value: IA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ia-01_odp.03 }} identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ia-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.a'
+                      rel: assessment-for
                 - id: ia-1_obj.b
                   name: assessment-objective
                   props:
@@ -48055,6 +51614,9 @@ catalog:
                       value: IA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ia-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;'
+                  links:
+                    - href: '#ia-1_smt.b'
+                      rel: assessment-for
                 - id: ia-1_obj.c
                   name: assessment-objective
                   props:
@@ -48076,6 +51638,9 @@ catalog:
                               value: IA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated {{ insert: param, ia-01_odp.05 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
                         - id: ia-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -48083,6 +51648,12 @@ catalog:
                               value: IA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication policy is reviewed and updated following {{ insert: param, ia-01_odp.06 }};'
+                          links:
+                            - href: '#ia-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.1'
+                          rel: assessment-for
                     - id: ia-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -48097,6 +51668,9 @@ catalog:
                               value: IA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated {{ insert: param, ia-01_odp.07 }};'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
                         - id: ia-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -48104,6 +51678,18 @@ catalog:
                               value: IA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current identification and authentication procedures are reviewed and updated following {{ insert: param, ia-01_odp.08 }}.'
+                          links:
+                            - href: '#ia-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-1_smt'
+                  rel: assessment-for
             - id: ia-1_asm-examine
               name: assessment-method
               props:
@@ -48216,6 +51802,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ma-5'
@@ -48254,6 +51842,9 @@ catalog:
                       value: IA-02[01]
                       class: sp800-53a
                   prose: organizational users are uniquely identified and authenticated;
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
                 - id: ia-2_obj-2
                   name: assessment-objective
                   props:
@@ -48261,6 +51852,12 @@ catalog:
                       value: IA-02[02]
                       class: sp800-53a
                   prose: the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.
+                  links:
+                    - href: '#ia-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ia-2_smt'
+                  rel: assessment-for
             - id: ia-2_asm-examine
               name: assessment-method
               props:
@@ -48358,6 +51955,9 @@ catalog:
                       value: IA-02(01)
                       class: sp800-53a
                   prose: multi-factor authentication is implemented for access to privileged accounts.
+                  links:
+                    - href: '#ia-2.1_smt'
+                      rel: assessment-for
                 - id: ia-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -48451,6 +52051,9 @@ catalog:
                       value: IA-02(02)
                       class: sp800-53a
                   prose: multi-factor authentication for access to non-privileged accounts is implemented.
+                  links:
+                    - href: '#ia-2.2_smt'
+                      rel: assessment-for
                 - id: ia-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -48577,6 +52180,9 @@ catalog:
                       value: IA-02(05)
                       class: sp800-53a
                   prose: users are required to be individually authenticated before granting access to the shared accounts or resources when shared accounts or authenticators are employed.
+                  links:
+                    - href: '#ia-2.5_smt'
+                      rel: assessment-for
                 - id: ia-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -48726,6 +52332,9 @@ catalog:
                           value: IA-02(06)(a)
                           class: sp800-53a
                       prose: 'multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that one of the factors is provided by a device separate from the system gaining access;'
+                      links:
+                        - href: '#ia-2.6_smt.a'
+                          rel: assessment-for
                     - id: ia-2.6_obj.b
                       name: assessment-objective
                       props:
@@ -48733,6 +52342,12 @@ catalog:
                           value: IA-02(06)(b)
                           class: sp800-53a
                       prose: 'multi-factor authentication is implemented for {{ insert: param, ia-02.06_odp.01 }} access to {{ insert: param, ia-02.06_odp.02 }} such that the device meets {{ insert: param, ia-02.06_odp.03 }}.'
+                      links:
+                        - href: '#ia-2.6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-2.6_smt'
+                      rel: assessment-for
                 - id: ia-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -48853,6 +52468,9 @@ catalog:
                       value: IA-02(08)
                       class: sp800-53a
                   prose: 'replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }} are implemented.'
+                  links:
+                    - href: '#ia-2.8_smt'
+                      rel: assessment-for
                 - id: ia-2.8_asm-examine
                   name: assessment-method
                   props:
@@ -48974,6 +52592,9 @@ catalog:
                       value: IA-02(10)
                       class: sp800-53a
                   prose: 'a single sign-on capability is provided for {{ insert: param, ia-02.10_odp }}.'
+                  links:
+                    - href: '#ia-2.10_smt'
+                      rel: assessment-for
                 - id: ia-2.10_asm-examine
                   name: assessment-method
                   props:
@@ -49086,6 +52707,9 @@ catalog:
                       value: IA-02(12)
                       class: sp800-53a
                   prose: Personal Identity Verification-compliant credentials are accepted and electronically verified.
+                  links:
+                    - href: '#ia-2.12_smt'
+                      rel: assessment-for
                 - id: ia-2.12_asm-examine
                   name: assessment-method
                   props:
@@ -49208,6 +52832,9 @@ catalog:
                       value: IA-02(13)
                       class: sp800-53a
                   prose: '{{ insert: param, ia-02.13_odp.01 }} mechanisms are implemented under {{ insert: param, ia-02.13_odp.02 }}.'
+                  links:
+                    - href: '#ia-2.13_smt'
+                      rel: assessment-for
                 - id: ia-2.13_asm-examine
                   name: assessment-method
                   props:
@@ -49327,6 +52954,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#si-4'
               rel: related
           parts:
@@ -49343,6 +52972,9 @@ catalog:
                   value: IA-03
                   class: sp800-53a
               prose: '{{ insert: param, ia-03_odp.01 }} are uniquely identified and authenticated before establishing a {{ insert: param, ia-03_odp.02 }} connection.'
+              links:
+                - href: '#ia-3_smt'
+                  rel: assessment-for
             - id: ia-3_asm-examine
               name: assessment-method
               props:
@@ -49463,6 +53095,9 @@ catalog:
                       value: IA-03(01)
                       class: sp800-53a
                   prose: '{{ insert: param, ia-03.01_odp.01 }} are authenticated before establishing {{ insert: param, ia-03.01_odp.02 }} connection using bidirectional authentication that is cryptographically based.'
+                  links:
+                    - href: '#ia-3.1_smt'
+                      rel: assessment-for
                 - id: ia-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -49625,6 +53260,9 @@ catalog:
                               value: IA-03(03)(a)[01]
                               class: sp800-53a
                           prose: 'dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.01 }};'
+                          links:
+                            - href: '#ia-3.3_smt.a'
+                              rel: assessment-for
                         - id: ia-3.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -49632,6 +53270,12 @@ catalog:
                               value: IA-03(03)(a)[02]
                               class: sp800-53a
                           prose: 'dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with {{ insert: param, ia-03.03_odp.02 }};'
+                          links:
+                            - href: '#ia-3.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-3.3_smt.a'
+                          rel: assessment-for
                     - id: ia-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -49639,6 +53283,12 @@ catalog:
                           value: IA-03(03)(b)
                           class: sp800-53a
                       prose: lease information is audited when assigned to a device.
+                      links:
+                        - href: '#ia-3.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-3.3_smt'
+                      rel: assessment-for
                 - id: ia-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -49752,6 +53402,9 @@ catalog:
                       value: IA-03(04)
                       class: sp800-53a
                   prose: 'device identification and authentication are handled based on attestation by {{ insert: param, ia-03.04_odp }}.'
+                  links:
+                    - href: '#ia-3.4_smt'
+                      rel: assessment-for
                 - id: ia-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -49943,6 +53596,9 @@ catalog:
                       value: IA-04a.
                       class: sp800-53a
                   prose: 'system identifiers are managed by receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign to an individual, group, role, or device identifier;'
+                  links:
+                    - href: '#ia-4_smt.a'
+                      rel: assessment-for
                 - id: ia-4_obj.b
                   name: assessment-objective
                   props:
@@ -49950,6 +53606,9 @@ catalog:
                       value: IA-04b.
                       class: sp800-53a
                   prose: system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.b'
+                      rel: assessment-for
                 - id: ia-4_obj.c
                   name: assessment-objective
                   props:
@@ -49957,6 +53616,9 @@ catalog:
                       value: IA-04c.
                       class: sp800-53a
                   prose: system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;
+                  links:
+                    - href: '#ia-4_smt.c'
+                      rel: assessment-for
                 - id: ia-4_obj.d
                   name: assessment-objective
                   props:
@@ -49964,6 +53626,12 @@ catalog:
                       value: IA-04d.
                       class: sp800-53a
                   prose: 'system identifiers are managed by preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.'
+                  links:
+                    - href: '#ia-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ia-4_smt'
+                  rel: assessment-for
             - id: ia-4_asm-examine
               name: assessment-method
               props:
@@ -50060,6 +53728,9 @@ catalog:
                       value: IA-04(01)
                       class: sp800-53a
                   prose: the use of system account identifiers that are the same as public identifiers is prohibited for individual accounts.
+                  links:
+                    - href: '#ia-4.1_smt'
+                      rel: assessment-for
                 - id: ia-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -50193,6 +53864,9 @@ catalog:
                       value: IA-04(04)
                       class: sp800-53a
                   prose: 'individual identifiers are managed by uniquely identifying each individual as {{ insert: param, ia-04.04_odp }}.'
+                  links:
+                    - href: '#ia-4.4_smt'
+                      rel: assessment-for
                 - id: ia-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -50289,6 +53963,9 @@ catalog:
                       value: IA-04(05)
                       class: sp800-53a
                   prose: 'individual identifiers are dynamically managed in accordance with {{ insert: param, ia-04.05_odp }}.'
+                  links:
+                    - href: '#ia-4.5_smt'
+                      rel: assessment-for
                 - id: ia-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -50395,6 +54072,9 @@ catalog:
                       value: IA-04(06)
                       class: sp800-53a
                   prose: 'cross-organization management of identifiers is coordinated with {{ insert: param, ia-04.06_odp }}.'
+                  links:
+                    - href: '#ia-4.6_smt'
+                      rel: assessment-for
                 - id: ia-4.6_asm-examine
                   name: assessment-method
                   props:
@@ -50492,6 +54172,9 @@ catalog:
                       value: IA-04(08)
                       class: sp800-53a
                   prose: pairwise pseudonymous identifiers are generated.
+                  links:
+                    - href: '#ia-4.8_smt'
+                      rel: assessment-for
                 - id: ia-4.8_asm-examine
                   name: assessment-method
                   props:
@@ -50591,6 +54274,9 @@ catalog:
                       value: IA-04(09)
                       class: sp800-53a
                   prose: 'the attributes for each uniquely identified individual, device, or service are maintained in {{ insert: param, ia-04.09_odp }}.'
+                  links:
+                    - href: '#ia-4.9_smt'
+                      rel: assessment-for
                 - id: ia-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -50815,6 +54501,9 @@ catalog:
                       value: IA-05a.
                       class: sp800-53a
                   prose: system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;
+                  links:
+                    - href: '#ia-5_smt.a'
+                      rel: assessment-for
                 - id: ia-5_obj.b
                   name: assessment-objective
                   props:
@@ -50822,6 +54511,9 @@ catalog:
                       value: IA-05b.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;
+                  links:
+                    - href: '#ia-5_smt.b'
+                      rel: assessment-for
                 - id: ia-5_obj.c
                   name: assessment-objective
                   props:
@@ -50829,6 +54521,9 @@ catalog:
                       value: IA-05c.
                       class: sp800-53a
                   prose: system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;
+                  links:
+                    - href: '#ia-5_smt.c'
+                      rel: assessment-for
                 - id: ia-5_obj.d
                   name: assessment-objective
                   props:
@@ -50836,6 +54531,9 @@ catalog:
                       value: IA-05d.
                       class: sp800-53a
                   prose: system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;
+                  links:
+                    - href: '#ia-5_smt.d'
+                      rel: assessment-for
                 - id: ia-5_obj.e
                   name: assessment-objective
                   props:
@@ -50843,6 +54541,9 @@ catalog:
                       value: IA-05e.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of default authenticators prior to first use;
+                  links:
+                    - href: '#ia-5_smt.e'
+                      rel: assessment-for
                 - id: ia-5_obj.f
                   name: assessment-objective
                   props:
@@ -50850,6 +54551,9 @@ catalog:
                       value: IA-05f.
                       class: sp800-53a
                   prose: 'system authenticators are managed through the change or refreshment of authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;'
+                  links:
+                    - href: '#ia-5_smt.f'
+                      rel: assessment-for
                 - id: ia-5_obj.g
                   name: assessment-objective
                   props:
@@ -50857,6 +54561,9 @@ catalog:
                       value: IA-05g.
                       class: sp800-53a
                   prose: system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;
+                  links:
+                    - href: '#ia-5_smt.g'
+                      rel: assessment-for
                 - id: ia-5_obj.h
                   name: assessment-objective
                   props:
@@ -50871,6 +54578,9 @@ catalog:
                           value: IA-05h.[01]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
                     - id: ia-5_obj.h-2
                       name: assessment-objective
                       props:
@@ -50878,6 +54588,12 @@ catalog:
                           value: IA-05h.[02]
                           class: sp800-53a
                       prose: system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;
+                      links:
+                        - href: '#ia-5_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5_smt.h'
+                      rel: assessment-for
                 - id: ia-5_obj.i
                   name: assessment-objective
                   props:
@@ -50885,6 +54601,12 @@ catalog:
                       value: IA-05i.
                       class: sp800-53a
                   prose: system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.
+                  links:
+                    - href: '#ia-5_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#ia-5_smt'
+                  rel: assessment-for
             - id: ia-5_asm-examine
               name: assessment-method
               props:
@@ -51057,6 +54779,9 @@ catalog:
                           value: IA-05(01)(a)
                           class: sp800-53a
                       prose: 'for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;'
+                      links:
+                        - href: '#ia-5.1_smt.a'
+                          rel: assessment-for
                     - id: ia-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -51064,6 +54789,9 @@ catalog:
                           value: IA-05(01)(b)
                           class: sp800-53a
                       prose: for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in IA-05(01)(a);
+                      links:
+                        - href: '#ia-5.1_smt.b'
+                          rel: assessment-for
                     - id: ia-5.1_obj.c
                       name: assessment-objective
                       props:
@@ -51071,6 +54799,9 @@ catalog:
                           value: IA-05(01)(c)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are only transmitted over cryptographically protected channels;
+                      links:
+                        - href: '#ia-5.1_smt.c'
+                          rel: assessment-for
                     - id: ia-5.1_obj.d
                       name: assessment-objective
                       props:
@@ -51078,6 +54809,9 @@ catalog:
                           value: IA-05(01)(d)
                           class: sp800-53a
                       prose: for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;
+                      links:
+                        - href: '#ia-5.1_smt.d'
+                          rel: assessment-for
                     - id: ia-5.1_obj.e
                       name: assessment-objective
                       props:
@@ -51085,6 +54819,9 @@ catalog:
                           value: IA-05(01)(e)
                           class: sp800-53a
                       prose: for password-based authentication, immediate selection of a new password is required upon account recovery;
+                      links:
+                        - href: '#ia-5.1_smt.e'
+                          rel: assessment-for
                     - id: ia-5.1_obj.f
                       name: assessment-objective
                       props:
@@ -51092,6 +54829,9 @@ catalog:
                           value: IA-05(01)(f)
                           class: sp800-53a
                       prose: for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;
+                      links:
+                        - href: '#ia-5.1_smt.f'
+                          rel: assessment-for
                     - id: ia-5.1_obj.g
                       name: assessment-objective
                       props:
@@ -51099,6 +54839,9 @@ catalog:
                           value: IA-05(01)(g)
                           class: sp800-53a
                       prose: for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;
+                      links:
+                        - href: '#ia-5.1_smt.g'
+                          rel: assessment-for
                     - id: ia-5.1_obj.h
                       name: assessment-objective
                       props:
@@ -51106,6 +54849,12 @@ catalog:
                           value: IA-05(01)(h)
                           class: sp800-53a
                       prose: 'for password-based authentication, {{ insert: param, ia-05.01_odp.02 }} are enforced.'
+                      links:
+                        - href: '#ia-5.1_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.1_smt'
+                      rel: assessment-for
                 - id: ia-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -51251,6 +55000,9 @@ catalog:
                               value: IA-05(02)(a)(01)
                               class: sp800-53a
                           prose: authorized access to the corresponding private key is enforced for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.a.2
                           name: assessment-objective
                           props:
@@ -51258,6 +55010,12 @@ catalog:
                               value: IA-05(02)(a)(02)
                               class: sp800-53a
                           prose: the authenticated identity is mapped to the account of the individual or group for public key-based authentication;
+                          links:
+                            - href: '#ia-5.2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.a'
+                          rel: assessment-for
                     - id: ia-5.2_obj.b
                       name: assessment-objective
                       props:
@@ -51272,6 +55030,9 @@ catalog:
                               value: IA-05(02)(b)(01)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, certificates are validated by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information;
+                          links:
+                            - href: '#ia-5.2_smt.b.1'
+                              rel: assessment-for
                         - id: ia-5.2_obj.b.2
                           name: assessment-objective
                           props:
@@ -51279,6 +55040,15 @@ catalog:
                               value: IA-05(02)(b)(02)
                               class: sp800-53a
                           prose: when public key infrastructure (PKI) is used, a local cache of revocation data is implemented to support path discovery and validation.
+                          links:
+                            - href: '#ia-5.2_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-5.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.2_smt'
+                      rel: assessment-for
                 - id: ia-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -51400,6 +55170,9 @@ catalog:
                       value: IA-05(05)
                       class: sp800-53a
                   prose: developers and installers of system components are required to provide unique authenticators or change default authenticators prior to delivery and installation.
+                  links:
+                    - href: '#ia-5.5_smt'
+                      rel: assessment-for
                 - id: ia-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -51489,6 +55262,9 @@ catalog:
                       value: IA-05(06)
                       class: sp800-53a
                   prose: authenticators are protected commensurate with the security category of the information to which use of the authenticator permits access.
+                  links:
+                    - href: '#ia-5.6_smt'
+                      rel: assessment-for
                 - id: ia-5.6_asm-examine
                   name: assessment-method
                   props:
@@ -51579,6 +55355,9 @@ catalog:
                       value: IA-05(07)
                       class: sp800-53a
                   prose: unencrypted static authenticators are not embedded in applications or other forms of static storage.
+                  links:
+                    - href: '#ia-5.7_smt'
+                      rel: assessment-for
                 - id: ia-5.7_asm-examine
                   name: assessment-method
                   props:
@@ -51684,6 +55463,9 @@ catalog:
                       value: IA-05(08)
                       class: sp800-53a
                   prose: '{{ insert: param, ia-05.08_odp }} are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.'
+                  links:
+                    - href: '#ia-5.8_smt'
+                      rel: assessment-for
                 - id: ia-5.8_asm-examine
                   name: assessment-method
                   props:
@@ -51782,6 +55564,9 @@ catalog:
                       value: IA-05(09)
                       class: sp800-53a
                   prose: '{{ insert: param, ia-05.09_odp }} are used to federate credentials.'
+                  links:
+                    - href: '#ia-5.9_smt'
+                      rel: assessment-for
                 - id: ia-5.9_asm-examine
                   name: assessment-method
                   props:
@@ -51880,6 +55665,9 @@ catalog:
                       value: IA-05(10)
                       class: sp800-53a
                   prose: 'identities and authenticators are dynamically bound using {{ insert: param, ia-05.10_odp }}.'
+                  links:
+                    - href: '#ia-5.10_smt'
+                      rel: assessment-for
                 - id: ia-5.10_asm-examine
                   name: assessment-method
                   props:
@@ -52001,6 +55789,9 @@ catalog:
                       value: IA-05(12)
                       class: sp800-53a
                   prose: 'mechanisms that satisfy {{ insert: param, ia-05.12_odp }} are employed for biometric-based authentication.'
+                  links:
+                    - href: '#ia-5.12_smt'
+                      rel: assessment-for
                 - id: ia-5.12_asm-examine
                   name: assessment-method
                   props:
@@ -52103,6 +55894,9 @@ catalog:
                       value: IA-05(13)
                       class: sp800-53a
                   prose: 'the use of cached authenticators is prohibited after {{ insert: param, ia-05.13_odp }}.'
+                  links:
+                    - href: '#ia-5.13_smt'
+                      rel: assessment-for
                 - id: ia-5.13_asm-examine
                   name: assessment-method
                   props:
@@ -52190,6 +55984,9 @@ catalog:
                       value: IA-05(14)
                       class: sp800-53a
                   prose: an organization-wide methodology for managing the content of PKI trust stores is employed across all platforms, including networks, operating systems, browsers, and applications for PKI-based authentication.
+                  links:
+                    - href: '#ia-5.14_smt'
+                      rel: assessment-for
                 - id: ia-5.14_asm-examine
                   name: assessment-method
                   props:
@@ -52284,6 +56081,9 @@ catalog:
                       value: IA-05(15)
                       class: sp800-53a
                   prose: only General Services Administration-approved products and services are used for identity, credential, and access management.
+                  links:
+                    - href: '#ia-5.15_smt'
+                      rel: assessment-for
                 - id: ia-5.15_asm-examine
                   name: assessment-method
                   props:
@@ -52418,6 +56218,9 @@ catalog:
                       value: IA-05(16)
                       class: sp800-53a
                   prose: 'the issuance of {{ insert: param, ia-05.16_odp.01 }} is required to be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}.'
+                  links:
+                    - href: '#ia-5.16_smt'
+                      rel: assessment-for
                 - id: ia-5.16_asm-examine
                   name: assessment-method
                   props:
@@ -52510,6 +56313,9 @@ catalog:
                       value: IA-05(17)
                       class: sp800-53a
                   prose: presentation attack detection mechanisms are employed for biometric-based authentication.
+                  links:
+                    - href: '#ia-5.17_smt'
+                      rel: assessment-for
                 - id: ia-5.17_asm-examine
                   name: assessment-method
                   props:
@@ -52640,6 +56446,9 @@ catalog:
                           value: IA-05(18)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, ia-05.18_odp.01 }} are employed to generate and manage passwords;'
+                      links:
+                        - href: '#ia-5.18_smt.a'
+                          rel: assessment-for
                     - id: ia-5.18_obj.b
                       name: assessment-objective
                       props:
@@ -52647,6 +56456,12 @@ catalog:
                           value: IA-05(18)(b)
                           class: sp800-53a
                       prose: 'the passwords are protected using {{ insert: param, ia-05.18_odp.02 }}.'
+                      links:
+                        - href: '#ia-5.18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-5.18_smt'
+                      rel: assessment-for
                 - id: ia-5.18_asm-examine
                   name: assessment-method
                   props:
@@ -52737,6 +56552,9 @@ catalog:
                   value: IA-06
                   class: sp800-53a
               prose: the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
+              links:
+                - href: '#ia-6_smt'
+                  rel: assessment-for
             - id: ia-6_asm-examine
               name: assessment-method
               props:
@@ -52832,6 +56650,9 @@ catalog:
                   value: IA-07
                   class: sp800-53a
               prose: mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
+              links:
+                - href: '#ia-7_smt'
+                  rel: assessment-for
             - id: ia-7_asm-examine
               name: assessment-method
               props:
@@ -52939,6 +56760,8 @@ catalog:
               rel: related
             - href: '#ia-11'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#ra-3'
@@ -52961,6 +56784,9 @@ catalog:
                   value: IA-08
                   class: sp800-53a
               prose: non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.
+              links:
+                - href: '#ia-8_smt'
+                  rel: assessment-for
             - id: ia-8_asm-examine
               name: assessment-method
               props:
@@ -53062,6 +56888,9 @@ catalog:
                           value: IA-08(01)[01]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are accepted;
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
                     - id: ia-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -53069,6 +56898,12 @@ catalog:
                           value: IA-08(01)[02]
                           class: sp800-53a
                       prose: Personal Identity Verification-compliant credentials from other federal agencies are electronically verified.
+                      links:
+                        - href: '#ia-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.1_smt'
+                      rel: assessment-for
                 - id: ia-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -53186,6 +57021,9 @@ catalog:
                           value: IA-08(02)(a)
                           class: sp800-53a
                       prose: only external authenticators that are NIST-compliant are accepted;
+                      links:
+                        - href: '#ia-8.2_smt.a'
+                          rel: assessment-for
                     - id: ia-8.2_obj.b
                       name: assessment-objective
                       props:
@@ -53200,6 +57038,9 @@ catalog:
                               value: IA-08(02)(b)[01]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is documented;
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
                         - id: ia-8.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -53207,6 +57048,15 @@ catalog:
                               value: IA-08(02)(b)[02]
                               class: sp800-53a
                           prose: a list of accepted external authenticators is maintained.
+                          links:
+                            - href: '#ia-8.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ia-8.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.2_smt'
+                      rel: assessment-for
                 - id: ia-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -53334,6 +57184,9 @@ catalog:
                       value: IA-08(04)
                       class: sp800-53a
                   prose: 'there is conformance with {{ insert: param, ia-08.04_odp }} for identity management.'
+                  links:
+                    - href: '#ia-8.4_smt'
+                      rel: assessment-for
                 - id: ia-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -53442,6 +57295,9 @@ catalog:
                           value: IA-08(05)[01]
                           class: sp800-53a
                       prose: 'federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are accepted;'
+                      links:
+                        - href: '#ia-8.5_smt'
+                          rel: assessment-for
                     - id: ia-8.5_obj-2
                       name: assessment-objective
                       props:
@@ -53449,6 +57305,12 @@ catalog:
                           value: IA-08(05)[02]
                           class: sp800-53a
                       prose: 'federated or PKI credentials that meet {{ insert: param, ia-08.05_odp }} are verified.'
+                      links:
+                        - href: '#ia-8.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-8.5_smt'
+                      rel: assessment-for
                 - id: ia-8.5_asm-examine
                   name: assessment-method
                   props:
@@ -53558,6 +57420,9 @@ catalog:
                       value: IA-08(06)
                       class: sp800-53a
                   prose: '{{ insert: param, ia-08.06_odp }} to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.'
+                  links:
+                    - href: '#ia-8.6_smt'
+                      rel: assessment-for
                 - id: ia-8.6_asm-examine
                   name: assessment-method
                   props:
@@ -53653,6 +57518,8 @@ catalog:
               rel: related
             - href: '#ia-5'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#sc-8'
               rel: related
           parts:
@@ -53669,6 +57536,9 @@ catalog:
                   value: IA-09
                   class: sp800-53a
               prose: '{{ insert: param, ia-09_odp }} are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.'
+              links:
+                - href: '#ia-9_smt'
+                  rel: assessment-for
             - id: ia-9_asm-examine
               name: assessment-method
               props:
@@ -53818,6 +57688,9 @@ catalog:
                   value: IA-10
                   class: sp800-53a
               prose: 'individuals accessing the system are required to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.'
+              links:
+                - href: '#ia-10_smt'
+                  rel: assessment-for
             - id: ia-10_asm-examine
               name: assessment-method
               props:
@@ -53936,6 +57809,9 @@ catalog:
                   value: IA-11
                   class: sp800-53a
               prose: 'users are required to re-authenticate when {{ insert: param, ia-11_odp }}.'
+              links:
+                - href: '#ia-11_smt'
+                  rel: assessment-for
             - id: ia-11_asm-examine
               name: assessment-method
               props:
@@ -54035,6 +57911,8 @@ catalog:
               rel: related
             - href: '#ia-8'
               rel: related
+            - href: '#ia-13'
+              rel: related
           parts:
             - id: ia-12_smt
               name: statement
@@ -54074,6 +57952,9 @@ catalog:
                       value: IA-12a.
                       class: sp800-53a
                   prose: users who require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines are identity proofed;
+                  links:
+                    - href: '#ia-12_smt.a'
+                      rel: assessment-for
                 - id: ia-12_obj.b
                   name: assessment-objective
                   props:
@@ -54081,6 +57962,9 @@ catalog:
                       value: IA-12b.
                       class: sp800-53a
                   prose: user identities are resolved to a unique individual;
+                  links:
+                    - href: '#ia-12_smt.b'
+                      rel: assessment-for
                 - id: ia-12_obj.c
                   name: assessment-objective
                   props:
@@ -54095,6 +57979,9 @@ catalog:
                           value: IA-12c.[01]
                           class: sp800-53a
                       prose: identity evidence is collected;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-2
                       name: assessment-objective
                       props:
@@ -54102,6 +57989,9 @@ catalog:
                           value: IA-12c.[02]
                           class: sp800-53a
                       prose: identity evidence is validated;
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
                     - id: ia-12_obj.c-3
                       name: assessment-objective
                       props:
@@ -54109,6 +57999,15 @@ catalog:
                           value: IA-12c.[03]
                           class: sp800-53a
                       prose: identity evidence is verified.
+                      links:
+                        - href: '#ia-12_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ia-12_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ia-12_smt'
+                  rel: assessment-for
             - id: ia-12_asm-examine
               name: assessment-method
               props:
@@ -54197,6 +58096,9 @@ catalog:
                       value: IA-12(01)
                       class: sp800-53a
                   prose: the registration process to receive an account for logical access includes supervisor or sponsor authorization.
+                  links:
+                    - href: '#ia-12.1_smt'
+                      rel: assessment-for
                 - id: ia-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -54280,6 +58182,9 @@ catalog:
                       value: IA-12(02)
                       class: sp800-53a
                   prose: evidence of individual identification is presented to the registration authority.
+                  links:
+                    - href: '#ia-12.2_smt'
+                      rel: assessment-for
                 - id: ia-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -54377,6 +58282,9 @@ catalog:
                       value: IA-12(03)
                       class: sp800-53a
                   prose: 'the presented identity evidence is validated and verified through {{ insert: param, ia-12.03_odp }}.'
+                  links:
+                    - href: '#ia-12.3_smt'
+                      rel: assessment-for
                 - id: ia-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -54460,6 +58368,9 @@ catalog:
                       value: IA-12(04)
                       class: sp800-53a
                   prose: the validation and verification of identity evidence is conducted in person before a designated registration authority.
+                  links:
+                    - href: '#ia-12.4_smt'
+                      rel: assessment-for
                 - id: ia-12.4_asm-examine
                   name: assessment-method
                   props:
@@ -54557,6 +58468,9 @@ catalog:
                       value: IA-12(05)
                       class: sp800-53a
                   prose: 'a {{ insert: param, ia-12.05_odp }} is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.'
+                  links:
+                    - href: '#ia-12.5_smt'
+                      rel: assessment-for
                 - id: ia-12.5_asm-examine
                   name: assessment-method
                   props:
@@ -54659,6 +58573,9 @@ catalog:
                       value: IA-12(06)
                       class: sp800-53a
                   prose: 'externally proofed identities are accepted {{ insert: param, ia-12.06_odp }}.'
+                  links:
+                    - href: '#ia-12.6_smt'
+                      rel: assessment-for
                 - id: ia-12.6_asm-examine
                   name: assessment-method
                   props:
@@ -54711,6 +58628,696 @@ catalog:
                   parts:
                     - name: assessment-objects
                       prose: Mechanisms supporting and/or implementing identification and authentication capabilities
+        - id: ia-13
+          class: SP800-53
+          title: Identity Providers and Authorization Servers
+          params:
+            - id: ia-13_prm_1
+              props:
+                - name: aggregates
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: ia-13_odp.01
+              label: organization-defined identification and authentication policy
+            - id: ia-13_prm_2
+              props:
+                - name: aggregates
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: ia-13_odp.02
+              label: organization-defined mechanisms
+            - id: ia-13_odp.01
+              props:
+                - name: label
+                  value: IA-13_ODP[01]
+                  class: sp800-53a
+              label: policy
+              guidelines:
+                - prose: identification and authentication policy is defined;
+            - id: ia-13_odp.02
+              props:
+                - name: label
+                  value: IA-13_ODP[02]
+                  class: sp800-53a
+              label: mechanisms
+              guidelines:
+                - prose: mechanisms supporting authentication and authorization decisions are defined;
+          props:
+            - name: label
+              value: IA-13
+            - name: label
+              value: IA-13
+              class: sp800-53a
+            - name: sort-id
+              value: ia-13
+            - name: implementation-level
+              ns: http://csrc.nist.gov/ns/rmf
+              value: organization
+            - name: implementation-level
+              ns: http://csrc.nist.gov/ns/rmf
+              value: system
+          links:
+            - href: '#ac-3'
+              rel: related
+            - href: '#ia-2'
+              rel: related
+            - href: '#ia-3'
+              rel: related
+            - href: '#ia-8'
+              rel: related
+            - href: '#ia-9'
+              rel: related
+            - href: '#ia-12'
+              rel: related
+          parts:
+            - id: ia-13_smt
+              name: statement
+              prose: 'Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_prm_1 }} using {{ insert: param, ia-13_prm_2 }}.'
+            - id: ia-13_gdn
+              name: guidance
+              prose: Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.
+            - id: ia-13_obj
+              name: assessment-objective
+              props:
+                - name: label
+                  value: IA-13
+                  class: sp800-53a
+              parts:
+                - id: ia-13_obj-1
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13[01]
+                      class: sp800-53a
+                  prose: 'identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};'
+                  links:
+                    - href: '#ia-13_smt'
+                      rel: assessment-for
+                - id: ia-13_obj-2
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13[02]
+                      class: sp800-53a
+                  prose: 'identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};'
+                  links:
+                    - href: '#ia-13_smt'
+                      rel: assessment-for
+                - id: ia-13_obj-3
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13[03]
+                      class: sp800-53a
+                  prose: 'authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};'
+                  links:
+                    - href: '#ia-13_smt'
+                      rel: assessment-for
+                - id: ia-13_obj-4
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13[04]
+                      class: sp800-53a
+                  prose: 'authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with {{ insert: param, ia-13_odp.02 }} using {{ insert: param, ia-13_odp.02 }};'
+                  links:
+                    - href: '#ia-13_smt'
+                      rel: assessment-for
+            - id: ia-13_asm-examine
+              name: assessment-method
+              props:
+                - name: method
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: EXAMINE
+                - name: label
+                  value: IA-13-Examine
+                  class: sp800-53a
+              parts:
+                - name: assessment-objects
+                  prose: |2-
+                     Identification and authentication policy;
+
+                    procedures addressing user and device identification and authentication;
+
+                    system security plan;
+
+                    system design documentation;
+
+                    system configuration settings and associated documentation;
+
+                    other relevant documents or records
+            - id: ia-13_asm-interview
+              name: assessment-method
+              props:
+                - name: method
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: INTERVIEW
+                - name: label
+                  value: IA-13-Interview
+                  class: sp800-53a
+              parts:
+                - name: assessment-objects
+                  prose: |-
+                    Organizational personnel with system operations responsibilities;
+
+                    organizational personnel with information security responsibilities;
+
+                    system/network administrators;
+
+                    organizational personnel with account management responsibilities;
+
+                    system developers
+            - id: ia-13_asm-test
+              name: assessment-method
+              props:
+                - name: method
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: TEST
+                - name: label
+                  value: IA-13-Test
+                  class: sp800-53a
+              parts:
+                - name: assessment-objects
+                  prose: Mechanisms supporting and/or implementing identification and authentication capabilities and access rights
+          controls:
+            - id: ia-13.1
+              class: SP800-53-enhancement
+              title: Protection of Cryptographic Keys
+              props:
+                - name: label
+                  value: IA-13(1)
+                - name: label
+                  value: IA-13(01)
+                  class: sp800-53a
+                - name: sort-id
+                  value: ia-13.01
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: organization
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: system
+              links:
+                - href: '#ia-13'
+                  rel: required
+                - href: '#ia-13'
+                  rel: related
+                - href: '#sc-12'
+                  rel: related
+                - href: '#sc-13'
+                  rel: related
+              parts:
+                - id: ia-13.1_smt
+                  name: statement
+                  prose: Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
+                - id: ia-13.1_gdn
+                  name: guidance
+                  prose: 'Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed. '
+                - id: ia-13.1_obj
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13(01)
+                      class: sp800-53a
+                  parts:
+                    - id: ia-13.1_obj-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(01)[01]
+                          class: sp800-53a
+                      prose: cryptographic keys that protect access tokens are generated;
+                      links:
+                        - href: '#ia-13.1_smt'
+                          rel: assessment-for
+                    - id: ia-13.1_obj-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(01)[02]
+                          class: sp800-53a
+                      prose: cryptographic keys that protect access tokens are managed;
+                      links:
+                        - href: '#ia-13.1_smt'
+                          rel: assessment-for
+                    - id: ia-13.1_obj-3
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(01)[03]
+                          class: sp800-53a
+                      prose: cryptographic keys that protect access tokens are protected from disclosure; and
+                      links:
+                        - href: '#ia-13.1_smt'
+                          rel: assessment-for
+                    - id: ia-13.1_obj-4
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(01)[04]
+                          class: sp800-53a
+                      prose: cryptographic keys that protect access tokens are protected from disclosure and misuse
+                      links:
+                        - href: '#ia-13.1_smt'
+                          rel: assessment-for
+                - id: ia-13.1_asm-examine
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: EXAMINE
+                    - name: label
+                      value: IA-13(01)-Examine
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Identification and authentication policy;
+
+                        procedures addressing cryptographic key establishment and management;
+
+                        system design documentation;
+
+                        cryptographic mechanisms;
+
+                        system configuration settings and associated documentation;
+
+                        system security plan;
+
+                        other relevant documents or records
+                - id: ia-13.1_asm-interview
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: INTERVIEW
+                    - name: label
+                      value: IA-13(01)-Interview
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        System/network administrators;
+
+                        organizational personnel with information security responsibilities;
+
+                        organizational personnel with responsibilities for cryptographic key establishment and/or management
+                - id: ia-13.1_asm-test
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: TEST
+                    - name: label
+                      value: IA-13(01)-Test
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Organizational processes for cryptographic key management;
+
+                        cryptographic modules generating, storing, and using cryptographic keys
+            - id: ia-13.2
+              class: SP800-53-enhancement
+              title: Verification of Identity Assertions and Access Tokens
+              props:
+                - name: label
+                  value: IA-13(2)
+                - name: label
+                  value: IA-13(02)
+                  class: sp800-53a
+                - name: sort-id
+                  value: ia-13.02
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: organization
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: system
+              links:
+                - href: '#ia-13'
+                  rel: required
+                - href: '#ia-13'
+                  rel: related
+              parts:
+                - id: ia-13.2_smt
+                  name: statement
+                  prose: The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
+                - id: ia-13.2_gdn
+                  name: guidance
+                  prose: This includes verification of digital signatures protecting identity assertions and access tokens, as well as included metadata. Metadata includes information about the access request such as information unique to user, system or information resource being accessed, or the transaction itself such as time. Protected system and information resources could include connected networks, applications, and APIs.
+                - id: ia-13.2_obj
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13(02)
+                      class: sp800-53a
+                  parts:
+                    - id: ia-13.2_obj-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(02)[01]
+                          class: sp800-53a
+                      prose: the source of identity assertions is verified before granting access to system and information resources;
+                      links:
+                        - href: '#ia-13.2_smt'
+                          rel: assessment-for
+                    - id: ia-13.2_obj-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(02)[02]
+                          class: sp800-53a
+                      prose: the source of access tokens is verified before granting access to system and information resources;
+                      links:
+                        - href: '#ia-13.2_smt'
+                          rel: assessment-for
+                    - id: ia-13.2_obj-3
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(02)[03]
+                          class: sp800-53a
+                      prose: the integrity of identity assertions is verified before granting access to system and information resources;
+                      links:
+                        - href: '#ia-13.2_smt'
+                          rel: assessment-for
+                    - id: ia-13.2_obj-4
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(02)[04]
+                          class: sp800-53a
+                      prose: the integrity of access tokens is verified before granting access to system and information resources
+                      links:
+                        - href: '#ia-13.2_smt'
+                          rel: assessment-for
+                - id: ia-13.2_asm-examine
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: EXAMINE
+                    - name: label
+                      value: IA-13(02)-Examine
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Identification and authentication policy;
+
+                        system security plan; system design documentation;
+
+                        system configuration settings and associated documentation;
+
+                        other relevant documents or records
+                - id: ia-13.2_asm-interview
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: INTERVIEW
+                    - name: label
+                      value: IA-13(02)-Interview
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Organizational personnel with system operations responsibilities;
+
+                        organizational personnel with information security responsibilities;
+
+                        system/ network administrators;
+
+                        organizational personnel with account management responsibilities;
+
+                        system developers
+                - id: ia-13.2_asm-test
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: TEST
+                    - name: label
+                      value: IA-13(02)-Test
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights
+            - id: ia-13.3
+              class: SP800-53-enhancement
+              title: Token Management
+              props:
+                - name: label
+                  value: IA-13(3)
+                - name: label
+                  value: IA-13(03)
+                  class: sp800-53a
+                - name: sort-id
+                  value: ia-13.03
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: organization
+                - name: implementation-level
+                  ns: http://csrc.nist.gov/ns/rmf
+                  value: system
+              links:
+                - href: '#737513fa-6758-403f-831d-5ddab5e23cb3'
+                  rel: reference
+                - href: '#ff989cdc-649d-4f45-8f61-9309c9680933'
+                  rel: reference
+                - href: '#e9d6c5f2-b3aa-4a28-8bea-a0135718d453'
+                  rel: reference
+                - href: '#ia-13'
+                  rel: required
+                - href: '#ia-13'
+                  rel: related
+              parts:
+                - id: ia-13.3_smt
+                  name: statement
+                  prose: 'In accordance with {{ insert: param, ia-13_prm_1 }}, assertions and access tokens are:'
+                  parts:
+                    - id: ac-13.3_smt.a
+                      name: item
+                      props:
+                        - name: label
+                          value: (a)
+                      prose: generated;
+                    - id: ac-13.3_smt.b
+                      name: item
+                      props:
+                        - name: label
+                          value: (b)
+                      prose: issued;
+                    - id: ac-13.3_smt.c
+                      name: item
+                      props:
+                        - name: label
+                          value: (c)
+                      prose: refreshed;
+                    - id: ac-13.3_smt.d
+                      name: item
+                      props:
+                        - name: label
+                          value: (d)
+                      prose: revoked;
+                    - id: ac-13.3_smt.e
+                      name: item
+                      props:
+                        - name: label
+                          value: (e)
+                      prose: time-restricted; and
+                    - id: ac-13.3_smt.f
+                      name: item
+                      props:
+                        - name: label
+                          value: (f)
+                      prose: audience-restricted.
+                - id: ia-13.3_gdn
+                  name: guidance
+                  prose: An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens.
+                - id: ia-13.3_obj
+                  name: assessment-objective
+                  props:
+                    - name: label
+                      value: IA-13(03)
+                      class: sp800-53a
+                  parts:
+                    - id: ia-13.3_obj.a-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(a)[01]
+                          class: sp800-53a
+                      prose: 'assertions are generated in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.a'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.a-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(a)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are generated in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.a'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.b-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(b)[01]
+                          class: sp800-53a
+                      prose: 'assertions are issued in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.b'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.b-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(b)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are issued in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.b'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.c-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(c)[01]
+                          class: sp800-53a
+                      prose: 'assertions are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.c'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.c-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(c)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are refreshed in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.c'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.d-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(d)[01]
+                          class: sp800-53a
+                      prose: 'assertions are revoked in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.d'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.d-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(d)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are revoked in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.d'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.e-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(e)[01]
+                          class: sp800-53a
+                      prose: 'assertions are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.e'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.e-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(e)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are time-restricted in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.e'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.f-1
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(f)[01]
+                          class: sp800-53a
+                      prose: 'assertions are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.f'
+                          rel: assessment-for
+                    - id: ia-13.3_obj.f-2
+                      name: assessment-objective
+                      props:
+                        - name: label
+                          value: IA-13(03)(f)[02]
+                          class: sp800-53a
+                      prose: 'access tokens are audience-restricted in accordance with {{ insert: param, ia-13_odp.01 }};'
+                      links:
+                        - href: '#ia-13.3_smt.f'
+                          rel: assessment-for
+                - id: ia-13.3_asm-examine
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: EXAMINE
+                    - name: label
+                      value: IA-13(03)-Examine
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Identification and authentication policy;
+
+                        access control policy;
+
+                        procedures for assertion and token management;
+
+                        system design documentation;
+
+                        system configuration settings and associated documentation;
+
+                        other relevant documents or records
+                - id: ia-13.3_asm-interview
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: INTERVIEW
+                    - name: label
+                      value: IA-13(03)-Interview
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: |-
+                        Organizational personnel with system operations responsibilities;
+
+                        organizational personnel with information security responsibilities;
+
+                        system/ network administrators;
+
+                        organizational personnel with account management responsibilities;
+
+                        system developers
+                - id: ia-13.3_asm-test
+                  name: assessment-method
+                  props:
+                    - name: method
+                      ns: http://csrc.nist.gov/ns/rmf
+                      value: TEST
+                    - name: label
+                      value: IA-13(03)-Test
+                      class: sp800-53a
+                  parts:
+                    - name: assessment-objects
+                      prose: Mechanisms and software supporting and/or implementing token generation
     - id: ir
       class: family
       title: Incident Response
@@ -54929,6 +59536,9 @@ catalog:
                           value: IR-01a.[01]
                           class: sp800-53a
                       prose: an incident response policy is developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -54936,6 +59546,9 @@ catalog:
                           value: IR-01a.[02]
                           class: sp800-53a
                       prose: 'the incident response policy is disseminated to {{ insert: param, ir-01_odp.01 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -54943,6 +59556,9 @@ catalog:
                           value: IR-01a.[03]
                           class: sp800-53a
                       prose: incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -54950,6 +59566,9 @@ catalog:
                           value: IR-01a.[04]
                           class: sp800-53a
                       prose: 'the incident response procedures are disseminated to {{ insert: param, ir-01_odp.02 }};'
+                      links:
+                        - href: '#ir-1_smt.a'
+                          rel: assessment-for
                     - id: ir-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -54971,6 +59590,9 @@ catalog:
                                   value: IR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses purpose;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -54978,6 +59600,9 @@ catalog:
                                   value: IR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses scope;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -54985,6 +59610,9 @@ catalog:
                                   value: IR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses roles;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -54992,6 +59620,9 @@ catalog:
                                   value: IR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses responsibilities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -54999,6 +59630,9 @@ catalog:
                                   value: IR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses management commitment;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -55006,6 +59640,9 @@ catalog:
                                   value: IR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ir-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -55013,6 +59650,12 @@ catalog:
                                   value: IR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy addresses compliance;'
+                              links:
+                                - href: '#ir-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ir-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ir-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -55020,6 +59663,15 @@ catalog:
                               value: IR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ir-01_odp.03 }} incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ir-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.a'
+                      rel: assessment-for
                 - id: ir-1_obj.b
                   name: assessment-objective
                   props:
@@ -55027,6 +59679,9 @@ catalog:
                       value: IR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ir-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;'
+                  links:
+                    - href: '#ir-1_smt.b'
+                      rel: assessment-for
                 - id: ir-1_obj.c
                   name: assessment-objective
                   props:
@@ -55048,6 +59703,9 @@ catalog:
                               value: IR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated {{ insert: param, ir-01_odp.05 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
                         - id: ir-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -55055,6 +59713,12 @@ catalog:
                               value: IR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current incident response policy is reviewed and updated following {{ insert: param, ir-01_odp.06 }};'
+                          links:
+                            - href: '#ir-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.1'
+                          rel: assessment-for
                     - id: ir-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -55069,6 +59733,9 @@ catalog:
                               value: IR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated {{ insert: param, ir-01_odp.07 }};'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
                         - id: ir-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -55076,6 +59743,18 @@ catalog:
                               value: IR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current incident response procedures are reviewed and updated following {{ insert: param, ir-01_odp.08 }}.'
+                          links:
+                            - href: '#ir-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ir-1_smt'
+                  rel: assessment-for
             - id: ir-1_asm-examine
               name: assessment-method
               props:
@@ -55248,6 +59927,9 @@ catalog:
                           value: IR-02a.01
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities within {{ insert: param, ir-02_odp.01 }} of assuming an incident response role or responsibility or acquiring system access;'
+                      links:
+                        - href: '#ir-2_smt.a.1'
+                          rel: assessment-for
                     - id: ir-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -55255,6 +59937,9 @@ catalog:
                           value: IR-02a.02
                           class: sp800-53a
                       prose: incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;
+                      links:
+                        - href: '#ir-2_smt.a.2'
+                          rel: assessment-for
                     - id: ir-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -55262,6 +59947,12 @@ catalog:
                           value: IR-02a.03
                           class: sp800-53a
                       prose: 'incident response training is provided to system users consistent with assigned roles and responsibilities {{ insert: param, ir-02_odp.02 }} thereafter;'
+                      links:
+                        - href: '#ir-2_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.a'
+                      rel: assessment-for
                 - id: ir-2_obj.b
                   name: assessment-objective
                   props:
@@ -55276,6 +59967,9 @@ catalog:
                           value: IR-02b.[01]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated {{ insert: param, ir-02_odp.03 }};'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
                     - id: ir-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -55283,6 +59977,15 @@ catalog:
                           value: IR-02b.[02]
                           class: sp800-53a
                       prose: 'incident response training content is reviewed and updated following {{ insert: param, ir-02_odp.04 }}.'
+                      links:
+                        - href: '#ir-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-2_smt'
+                  rel: assessment-for
             - id: ir-2_asm-examine
               name: assessment-method
               props:
@@ -55364,6 +60067,9 @@ catalog:
                       value: IR-02(01)
                       class: sp800-53a
                   prose: simulated events are incorporated into incident response training to facilitate the required response by personnel in crisis situations.
+                  links:
+                    - href: '#ir-2.1_smt'
+                      rel: assessment-for
                 - id: ir-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -55463,6 +60169,9 @@ catalog:
                       value: IR-02(02)
                       class: sp800-53a
                   prose: 'an incident response training environment is provided using {{ insert: param, ir-02.02_odp }}.'
+                  links:
+                    - href: '#ir-2.2_smt'
+                      rel: assessment-for
                 - id: ir-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -55560,6 +60269,9 @@ catalog:
                           value: IR-02(03)[01]
                           class: sp800-53a
                       prose: incident response training on how to identify and respond to a breach is provided;
+                      links:
+                        - href: '#ir-2.3_smt'
+                          rel: assessment-for
                     - id: ir-2.3_obj-2
                       name: assessment-objective
                       props:
@@ -55567,6 +60279,12 @@ catalog:
                           value: IR-02(03)[02]
                           class: sp800-53a
                       prose: incident response training on the organization’s process for reporting a breach is provided.
+                      links:
+                        - href: '#ir-2.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-2.3_smt'
+                      rel: assessment-for
                 - id: ir-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -55688,6 +60406,9 @@ catalog:
                   value: IR-03
                   class: sp800-53a
               prose: 'the effectiveness of the incident response capability for the system is tested {{ insert: param, ir-03_odp.01 }} using {{ insert: param, ir-03_odp.02 }}.'
+              links:
+                - href: '#ir-3_smt'
+                  rel: assessment-for
             - id: ir-3_asm-examine
               name: assessment-method
               props:
@@ -55784,6 +60505,9 @@ catalog:
                       value: IR-03(01)
                       class: sp800-53a
                   prose: 'the incident response capability is tested using {{ insert: param, ir-03.01_odp }}.'
+                  links:
+                    - href: '#ir-3.1_smt'
+                      rel: assessment-for
                 - id: ir-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -55880,6 +60604,9 @@ catalog:
                       value: IR-03(02)
                       class: sp800-53a
                   prose: incident response testing is coordinated with organizational elements responsible for related plans.
+                  links:
+                    - href: '#ir-3.2_smt'
+                      rel: assessment-for
                 - id: ir-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -56005,6 +60732,9 @@ catalog:
                               value: IR-03(03)(a)[01]
                               class: sp800-53a
                           prose: qualitative data from testing are used to determine the effectiveness of incident response processes;
+                          links:
+                            - href: '#ir-3.3_smt.a'
+                              rel: assessment-for
                         - id: ir-3.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -56012,6 +60742,12 @@ catalog:
                               value: IR-03(03)(a)[02]
                               class: sp800-53a
                           prose: quantitative data from testing are used to determine the effectiveness of incident response processes;
+                          links:
+                            - href: '#ir-3.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-3.3_smt.a'
+                          rel: assessment-for
                     - id: ir-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -56026,6 +60762,9 @@ catalog:
                               value: IR-03(03)(b)[01]
                               class: sp800-53a
                           prose: qualitative data from testing are used to continuously improve incident response processes;
+                          links:
+                            - href: '#ir-3.3_smt.b'
+                              rel: assessment-for
                         - id: ir-3.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -56033,6 +60772,12 @@ catalog:
                               value: IR-03(03)(b)[02]
                               class: sp800-53a
                           prose: quantitative data from testing are used to continuously improve incident response processes;
+                          links:
+                            - href: '#ir-3.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-3.3_smt.b'
+                          rel: assessment-for
                     - id: ir-3.3_obj.c
                       name: assessment-objective
                       props:
@@ -56047,6 +60792,9 @@ catalog:
                               value: IR-03(03)(c)[01]
                               class: sp800-53a
                           prose: qualitative data from testing are used to provide incident response measures and metrics that are accurate;
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
                         - id: ir-3.3_obj.c-2
                           name: assessment-objective
                           props:
@@ -56054,6 +60802,9 @@ catalog:
                               value: IR-03(03)(c)[02]
                               class: sp800-53a
                           prose: quantitative data from testing are used to provide incident response measures and metrics that are accurate;
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
                         - id: ir-3.3_obj.c-3
                           name: assessment-objective
                           props:
@@ -56061,6 +60812,9 @@ catalog:
                               value: IR-03(03)(c)[03]
                               class: sp800-53a
                           prose: qualitative data from testing are used to provide incident response measures and metrics that are consistent;
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
                         - id: ir-3.3_obj.c-4
                           name: assessment-objective
                           props:
@@ -56068,6 +60822,9 @@ catalog:
                               value: IR-03(03)(c)[04]
                               class: sp800-53a
                           prose: quantitative data from testing are used to provide incident response measures and metrics that are consistent;
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
                         - id: ir-3.3_obj.c-5
                           name: assessment-objective
                           props:
@@ -56075,6 +60832,9 @@ catalog:
                               value: IR-03(03)(c)[05]
                               class: sp800-53a
                           prose: qualitative data from testing are used to provide incident response measures and metrics in a reproducible format;
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
                         - id: ir-3.3_obj.c-6
                           name: assessment-objective
                           props:
@@ -56082,6 +60842,15 @@ catalog:
                               value: IR-03(03)(c)[06]
                               class: sp800-53a
                           prose: quantitative data from testing are used to provide incident response measures and metrics in a reproducible format.
+                          links:
+                            - href: '#ir-3.3_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#ir-3.3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-3.3_smt'
+                      rel: assessment-for
                 - id: ir-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -56269,6 +61038,9 @@ catalog:
                           value: IR-04a.[01]
                           class: sp800-53a
                       prose: an incident handling capability for incidents is implemented that is consistent with the incident response plan;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -56276,6 +61048,9 @@ catalog:
                           value: IR-04a.[02]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes preparation;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -56283,6 +61058,9 @@ catalog:
                           value: IR-04a.[03]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes detection and analysis;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -56290,6 +61068,9 @@ catalog:
                           value: IR-04a.[04]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes containment;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-5
                       name: assessment-objective
                       props:
@@ -56297,6 +61078,9 @@ catalog:
                           value: IR-04a.[05]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes eradication;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
                     - id: ir-4_obj.a-6
                       name: assessment-objective
                       props:
@@ -56304,6 +61088,12 @@ catalog:
                           value: IR-04a.[06]
                           class: sp800-53a
                       prose: the incident handling capability for incidents includes recovery;
+                      links:
+                        - href: '#ir-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.a'
+                      rel: assessment-for
                 - id: ir-4_obj.b
                   name: assessment-objective
                   props:
@@ -56311,6 +61101,9 @@ catalog:
                       value: IR-04b.
                       class: sp800-53a
                   prose: incident handling activities are coordinated with contingency planning activities;
+                  links:
+                    - href: '#ir-4_smt.b'
+                      rel: assessment-for
                 - id: ir-4_obj.c
                   name: assessment-objective
                   props:
@@ -56325,6 +61118,9 @@ catalog:
                           value: IR-04c.[01]
                           class: sp800-53a
                       prose: lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
                     - id: ir-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -56332,6 +61128,12 @@ catalog:
                           value: IR-04c.[02]
                           class: sp800-53a
                       prose: the changes resulting from the incorporated lessons learned are implemented accordingly;
+                      links:
+                        - href: '#ir-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.c'
+                      rel: assessment-for
                 - id: ir-4_obj.d
                   name: assessment-objective
                   props:
@@ -56346,6 +61148,9 @@ catalog:
                           value: IR-04d.[01]
                           class: sp800-53a
                       prose: the rigor of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -56353,6 +61158,9 @@ catalog:
                           value: IR-04d.[02]
                           class: sp800-53a
                       prose: the intensity of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-3
                       name: assessment-objective
                       props:
@@ -56360,6 +61168,9 @@ catalog:
                           value: IR-04d.[03]
                           class: sp800-53a
                       prose: the scope of incident handling activities is comparable and predictable across the organization;
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
                     - id: ir-4_obj.d-4
                       name: assessment-objective
                       props:
@@ -56367,6 +61178,15 @@ catalog:
                           value: IR-04d.[04]
                           class: sp800-53a
                       prose: the results of incident handling activities are comparable and predictable across the organization.
+                      links:
+                        - href: '#ir-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ir-4_smt'
+                  rel: assessment-for
             - id: ir-4_asm-examine
               name: assessment-method
               props:
@@ -56466,6 +61286,9 @@ catalog:
                       value: IR-04(01)
                       class: sp800-53a
                   prose: 'the incident handling process is supported using {{ insert: param, ir-04.01_odp }}.'
+                  links:
+                    - href: '#ir-4.1_smt'
+                      rel: assessment-for
                 - id: ir-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -56580,6 +61403,9 @@ catalog:
                       value: IR-04(02)
                       class: sp800-53a
                   prose: '{{ insert: param, ir-04.02_odp.01 }} for {{ insert: param, ir-04.02_odp.02 }} are included as part of the incident response capability.'
+                  links:
+                    - href: '#ir-4.2_smt'
+                      rel: assessment-for
                 - id: ir-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -56700,6 +61526,9 @@ catalog:
                           value: IR-04(03)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ir-04.03_odp.01 }} are identified;'
+                      links:
+                        - href: '#ir-4.3_smt'
+                          rel: assessment-for
                     - id: ir-4.3_obj-2
                       name: assessment-objective
                       props:
@@ -56707,6 +61536,12 @@ catalog:
                           value: IR-04(03)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ir-04.03_odp.02 }} are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.'
+                      links:
+                        - href: '#ir-4.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.3_smt'
+                      rel: assessment-for
                 - id: ir-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -56792,6 +61627,9 @@ catalog:
                       value: IR-04(04)
                       class: sp800-53a
                   prose: incident information and individual incident responses are correlated to achieve an organization-wide perspective on incident awareness and response.
+                  links:
+                    - href: '#ir-4.4_smt'
+                      rel: assessment-for
                 - id: ir-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -56914,6 +61752,9 @@ catalog:
                       value: IR-04(05)
                       class: sp800-53a
                   prose: 'a configurable capability is implemented to automatically disable the system if {{ insert: param, ir-04.05_odp }} are detected.'
+                  links:
+                    - href: '#ir-4.5_smt'
+                      rel: assessment-for
                 - id: ir-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -57006,6 +61847,9 @@ catalog:
                       value: IR-04(06)
                       class: sp800-53a
                   prose: an incident handling capability is implemented for incidents involving insider threats.
+                  links:
+                    - href: '#ir-4.6_smt'
+                      rel: assessment-for
                 - id: ir-4.6_asm-examine
                   name: assessment-method
                   props:
@@ -57111,6 +61955,9 @@ catalog:
                           value: IR-04(07)[01]
                           class: sp800-53a
                       prose: an incident handling capability is coordinated for insider threats;
+                      links:
+                        - href: '#ir-4.7_smt'
+                          rel: assessment-for
                     - id: ir-4.7_obj-2
                       name: assessment-objective
                       props:
@@ -57118,6 +61965,12 @@ catalog:
                           value: IR-04(07)[02]
                           class: sp800-53a
                       prose: 'the coordinated incident handling capability includes {{ insert: param, ir-04.07_odp }}.'
+                      links:
+                        - href: '#ir-4.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.7_smt'
+                      rel: assessment-for
                 - id: ir-4.7_asm-examine
                   name: assessment-method
                   props:
@@ -57230,6 +62083,9 @@ catalog:
                       value: IR-04(08)
                       class: sp800-53a
                   prose: 'there is coordination with {{ insert: param, ir-04.08_odp.01 }} to correlate and share {{ insert: param, ir-04.08_odp.02 }} to achieve a cross-organization perspective on incident awareness and more effective incident responses.'
+                  links:
+                    - href: '#ir-4.8_smt'
+                      rel: assessment-for
                 - id: ir-4.8_asm-examine
                   name: assessment-method
                   props:
@@ -57328,6 +62184,9 @@ catalog:
                       value: IR-04(09)
                       class: sp800-53a
                   prose: '{{ insert: param, ir-04.09_odp }} are employed to respond to incidents.'
+                  links:
+                    - href: '#ir-4.9_smt'
+                      rel: assessment-for
                 - id: ir-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -57426,6 +62285,9 @@ catalog:
                       value: IR-04(10)
                       class: sp800-53a
                   prose: incident handling activities involving supply chain events are coordinated with other organizations involved in the supply chain.
+                  links:
+                    - href: '#ir-4.10_smt'
+                      rel: assessment-for
                 - id: ir-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -57532,6 +62394,9 @@ catalog:
                           value: IR-04(11)[01]
                           class: sp800-53a
                       prose: an integrated incident response team is established and maintained;
+                      links:
+                        - href: '#ir-4.11_smt'
+                          rel: assessment-for
                     - id: ir-4.11_obj-2
                       name: assessment-objective
                       props:
@@ -57539,6 +62404,12 @@ catalog:
                           value: IR-04(11)[02]
                           class: sp800-53a
                       prose: 'the integrated incident response team can be deployed to any location identified by the organization in {{ insert: param, ir-04.11_odp }}.'
+                      links:
+                        - href: '#ir-4.11_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.11_smt'
+                      rel: assessment-for
                 - id: ir-4.11_asm-examine
                   name: assessment-method
                   props:
@@ -57619,6 +62490,9 @@ catalog:
                           value: IR-04(12)[01]
                           class: sp800-53a
                       prose: malicious code remaining in the system is analyzed after the incident;
+                      links:
+                        - href: '#ir-4.12_smt'
+                          rel: assessment-for
                     - id: ir-4.12_obj-2
                       name: assessment-objective
                       props:
@@ -57626,6 +62500,12 @@ catalog:
                           value: IR-04(12)[02]
                           class: sp800-53a
                       prose: other residual artifacts remaining in the system (if any) are analyzed after the incident.
+                      links:
+                        - href: '#ir-4.12_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.12_smt'
+                      rel: assessment-for
                 - id: ir-4.12_asm-examine
                   name: assessment-method
                   props:
@@ -57739,6 +62619,9 @@ catalog:
                       value: IR-04(13)
                       class: sp800-53a
                   prose: 'anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }} are analyzed.'
+                  links:
+                    - href: '#ir-4.13_smt'
+                      rel: assessment-for
                 - id: ir-4.13_asm-examine
                   name: assessment-method
                   props:
@@ -57844,6 +62727,9 @@ catalog:
                           value: IR-04(14)[01]
                           class: sp800-53a
                       prose: a security operations center is established;
+                      links:
+                        - href: '#ir-4.14_smt'
+                          rel: assessment-for
                     - id: ir-4.14_obj-2
                       name: assessment-objective
                       props:
@@ -57851,6 +62737,12 @@ catalog:
                           value: IR-04(14)[02]
                           class: sp800-53a
                       prose: a security operations center is maintained.
+                      links:
+                        - href: '#ir-4.14_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.14_smt'
+                      rel: assessment-for
                 - id: ir-4.14_asm-examine
                   name: assessment-method
                   props:
@@ -57964,6 +62856,9 @@ catalog:
                           value: IR-04(15)(a)
                           class: sp800-53a
                       prose: public relations associated with an incident are managed;
+                      links:
+                        - href: '#ir-4.15_smt.a'
+                          rel: assessment-for
                     - id: ir-4.15_obj.b
                       name: assessment-objective
                       props:
@@ -57971,6 +62866,12 @@ catalog:
                           value: IR-04(15)(b)
                           class: sp800-53a
                       prose: measures are employed to repair the reputation of the organization.
+                      links:
+                        - href: '#ir-4.15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-4.15_smt'
+                      rel: assessment-for
                 - id: ir-4.15_asm-examine
                   name: assessment-method
                   props:
@@ -58076,6 +62977,9 @@ catalog:
                       value: IR-05[01]
                       class: sp800-53a
                   prose: incidents are tracked;
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
                 - id: ir-5_obj-2
                   name: assessment-objective
                   props:
@@ -58083,6 +62987,12 @@ catalog:
                       value: IR-05[02]
                       class: sp800-53a
                   prose: incidents are documented.
+                  links:
+                    - href: '#ir-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-5_smt'
+                  rel: assessment-for
             - id: ir-5_asm-examine
               name: assessment-method
               props:
@@ -58217,6 +63127,9 @@ catalog:
                           value: IR-05(01)[01]
                           class: sp800-53a
                       prose: 'incidents are tracked using {{ insert: param, ir-05.01_odp.01 }};'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
                     - id: ir-5.1_obj-2
                       name: assessment-objective
                       props:
@@ -58224,6 +63137,9 @@ catalog:
                           value: IR-05(01)[02]
                           class: sp800-53a
                       prose: 'incident information is collected using {{ insert: param, ir-05.01_odp.02 }};'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
                     - id: ir-5.1_obj-3
                       name: assessment-objective
                       props:
@@ -58231,6 +63147,12 @@ catalog:
                           value: IR-05(01)[03]
                           class: sp800-53a
                       prose: 'incident information is analyzed using {{ insert: param, ir-05.01_odp.03 }}.'
+                      links:
+                        - href: '#ir-5.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-5.1_smt'
+                      rel: assessment-for
                 - id: ir-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -58373,6 +63295,9 @@ catalog:
                       value: IR-06a.
                       class: sp800-53a
                   prose: 'personnel is/are required to report suspected incidents to the organizational incident response capability within {{ insert: param, ir-06_odp.01 }};'
+                  links:
+                    - href: '#ir-6_smt.a'
+                      rel: assessment-for
                 - id: ir-6_obj.b
                   name: assessment-objective
                   props:
@@ -58380,6 +63305,12 @@ catalog:
                       value: IR-06b.
                       class: sp800-53a
                   prose: 'incident information is reported to {{ insert: param, ir-06_odp.02 }}.'
+                  links:
+                    - href: '#ir-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ir-6_smt'
+                  rel: assessment-for
             - id: ir-6_asm-examine
               name: assessment-method
               props:
@@ -58486,6 +63417,9 @@ catalog:
                       value: IR-06(01)
                       class: sp800-53a
                   prose: 'incidents are reported using {{ insert: param, ir-06.01_odp }}.'
+                  links:
+                    - href: '#ir-6.1_smt'
+                      rel: assessment-for
                 - id: ir-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -58585,6 +63519,9 @@ catalog:
                       value: IR-06(02)
                       class: sp800-53a
                   prose: 'system vulnerabilities associated with reported incidents are reported to {{ insert: param, ir-06.02_odp }}.'
+                  links:
+                    - href: '#ir-6.2_smt'
+                      rel: assessment-for
                 - id: ir-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -58677,6 +63614,9 @@ catalog:
                       value: IR-06(03)
                       class: sp800-53a
                   prose: incident information is provided to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the incident.
+                  links:
+                    - href: '#ir-6.3_smt'
+                      rel: assessment-for
                 - id: ir-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -58802,6 +63742,9 @@ catalog:
                       value: IR-07[01]
                       class: sp800-53a
                   prose: an incident response support resource, integral to the organizational incident response capability, is provided;
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
                 - id: ir-7_obj-2
                   name: assessment-objective
                   props:
@@ -58809,6 +63752,12 @@ catalog:
                       value: IR-07[02]
                       class: sp800-53a
                   prose: the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.
+                  links:
+                    - href: '#ir-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ir-7_smt'
+                  rel: assessment-for
             - id: ir-7_asm-examine
               name: assessment-method
               props:
@@ -58907,6 +63856,9 @@ catalog:
                       value: IR-07(01)
                       class: sp800-53a
                   prose: 'the availability of incident response information and support is increased using {{ insert: param, ir-07.01_odp }}.'
+                  links:
+                    - href: '#ir-7.1_smt'
+                      rel: assessment-for
                 - id: ir-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -59016,6 +63968,9 @@ catalog:
                           value: IR-07(02)(a)
                           class: sp800-53a
                       prose: a direct, cooperative relationship is established between its incident response capability and external providers of the system protection capability;
+                      links:
+                        - href: '#ir-7.2_smt.a'
+                          rel: assessment-for
                     - id: ir-7.2_obj.b
                       name: assessment-objective
                       props:
@@ -59023,6 +63978,12 @@ catalog:
                           value: IR-07(02)(b)
                           class: sp800-53a
                       prose: organizational incident response team members are identified to the external providers.
+                      links:
+                        - href: '#ir-7.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-7.2_smt'
+                      rel: assessment-for
                 - id: ir-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -59305,6 +64266,9 @@ catalog:
                           value: IR-08a.01
                           class: sp800-53a
                       prose: an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.1'
+                          rel: assessment-for
                     - id: ir-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -59312,6 +64276,9 @@ catalog:
                           value: IR-08a.02
                           class: sp800-53a
                       prose: an incident response plan is developed that describes the structure and organization of the incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.2'
+                          rel: assessment-for
                     - id: ir-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -59319,6 +64286,9 @@ catalog:
                           value: IR-08a.03
                           class: sp800-53a
                       prose: an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;
+                      links:
+                        - href: '#ir-8_smt.a.3'
+                          rel: assessment-for
                     - id: ir-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -59326,6 +64296,9 @@ catalog:
                           value: IR-08a.04
                           class: sp800-53a
                       prose: an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;
+                      links:
+                        - href: '#ir-8_smt.a.4'
+                          rel: assessment-for
                     - id: ir-8_obj.a.5
                       name: assessment-objective
                       props:
@@ -59333,6 +64306,9 @@ catalog:
                           value: IR-08a.05
                           class: sp800-53a
                       prose: an incident response plan is developed that defines reportable incidents;
+                      links:
+                        - href: '#ir-8_smt.a.5'
+                          rel: assessment-for
                     - id: ir-8_obj.a.6
                       name: assessment-objective
                       props:
@@ -59340,6 +64316,9 @@ catalog:
                           value: IR-08a.06
                           class: sp800-53a
                       prose: an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;
+                      links:
+                        - href: '#ir-8_smt.a.6'
+                          rel: assessment-for
                     - id: ir-8_obj.a.7
                       name: assessment-objective
                       props:
@@ -59347,6 +64326,9 @@ catalog:
                           value: IR-08a.07
                           class: sp800-53a
                       prose: an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;
+                      links:
+                        - href: '#ir-8_smt.a.7'
+                          rel: assessment-for
                     - id: ir-8_obj.a.8
                       name: assessment-objective
                       props:
@@ -59354,6 +64336,9 @@ catalog:
                           value: IR-08a.08
                           class: sp800-53a
                       prose: an incident response plan is developed that addresses the sharing of incident information;
+                      links:
+                        - href: '#ir-8_smt.a.8'
+                          rel: assessment-for
                     - id: ir-8_obj.a.9
                       name: assessment-objective
                       props:
@@ -59361,6 +64346,9 @@ catalog:
                           value: IR-08a.09
                           class: sp800-53a
                       prose: 'an incident response plan is developed that is reviewed and approved by {{ insert: param, ir-08_odp.01 }} {{ insert: param, ir-08_odp.02 }};'
+                      links:
+                        - href: '#ir-8_smt.a.9'
+                          rel: assessment-for
                     - id: ir-8_obj.a.10
                       name: assessment-objective
                       props:
@@ -59368,6 +64356,12 @@ catalog:
                           value: IR-08a.10
                           class: sp800-53a
                       prose: 'an incident response plan is developed that explicitly designates responsibility for incident response to {{ insert: param, ir-08_odp.03 }}.'
+                      links:
+                        - href: '#ir-8_smt.a.10'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.a'
+                      rel: assessment-for
                 - id: ir-8_obj.b
                   name: assessment-objective
                   props:
@@ -59382,6 +64376,9 @@ catalog:
                           value: IR-08b.[01]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.04 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
                     - id: ir-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -59389,6 +64386,12 @@ catalog:
                           value: IR-08b.[02]
                           class: sp800-53a
                       prose: 'copies of the incident response plan are distributed to {{ insert: param, ir-08_odp.05 }};'
+                      links:
+                        - href: '#ir-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.b'
+                      rel: assessment-for
                 - id: ir-8_obj.c
                   name: assessment-objective
                   props:
@@ -59396,6 +64399,9 @@ catalog:
                       value: IR-08c.
                       class: sp800-53a
                   prose: the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;
+                  links:
+                    - href: '#ir-8_smt.c'
+                      rel: assessment-for
                 - id: ir-8_obj.d
                   name: assessment-objective
                   props:
@@ -59410,6 +64416,9 @@ catalog:
                           value: IR-08d.[01]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.06 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
                     - id: ir-8_obj.d-2
                       name: assessment-objective
                       props:
@@ -59417,6 +64426,12 @@ catalog:
                           value: IR-08d.[02]
                           class: sp800-53a
                       prose: 'incident response plan changes are communicated to {{ insert: param, ir-08_odp.07 }};'
+                      links:
+                        - href: '#ir-8_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.d'
+                      rel: assessment-for
                 - id: ir-8_obj.e
                   name: assessment-objective
                   props:
@@ -59431,6 +64446,9 @@ catalog:
                           value: IR-08e.[01]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
                     - id: ir-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -59438,6 +64456,15 @@ catalog:
                           value: IR-08e.[02]
                           class: sp800-53a
                       prose: the incident response plan is protected from unauthorized modification.
+                      links:
+                        - href: '#ir-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ir-8_smt'
+                  rel: assessment-for
             - id: ir-8_asm-examine
               name: assessment-method
               props:
@@ -59560,6 +64587,9 @@ catalog:
                           value: IR-08(01)(a)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes a process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
+                      links:
+                        - href: '#ir-8.1_smt.a'
+                          rel: assessment-for
                     - id: ir-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -59567,6 +64597,9 @@ catalog:
                           value: IR-08(01)(b)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes an assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms;
+                      links:
+                        - href: '#ir-8.1_smt.b'
+                          rel: assessment-for
                     - id: ir-8.1_obj.c
                       name: assessment-objective
                       props:
@@ -59574,6 +64607,12 @@ catalog:
                           value: IR-08(01)(c)
                           class: sp800-53a
                       prose: the incident response plan for breaches involving personally identifiable information includes the identification of applicable privacy requirements.
+                      links:
+                        - href: '#ir-8.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ir-8.1_smt'
+                      rel: assessment-for
                 - id: ir-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -59752,6 +64791,9 @@ catalog:
                       value: IR-09a.
                       class: sp800-53a
                   prose: '{{ insert: param, ir-09_odp.01 }} is/are assigned the responsibility to respond to information spills;'
+                  links:
+                    - href: '#ir-9_smt.a'
+                      rel: assessment-for
                 - id: ir-9_obj.b
                   name: assessment-objective
                   props:
@@ -59759,6 +64801,9 @@ catalog:
                       value: IR-09b.
                       class: sp800-53a
                   prose: the specific information involved in the system contamination is identified in response to information spills;
+                  links:
+                    - href: '#ir-9_smt.b'
+                      rel: assessment-for
                 - id: ir-9_obj.c
                   name: assessment-objective
                   props:
@@ -59766,6 +64811,9 @@ catalog:
                       value: IR-09c.
                       class: sp800-53a
                   prose: '{{ insert: param, ir-09_odp.02 }} is/are alerted of the information spill using a method of communication not associated with the spill;'
+                  links:
+                    - href: '#ir-9_smt.c'
+                      rel: assessment-for
                 - id: ir-9_obj.d
                   name: assessment-objective
                   props:
@@ -59773,6 +64821,9 @@ catalog:
                       value: IR-09d.
                       class: sp800-53a
                   prose: the contaminated system or system component is isolated in response to information spills;
+                  links:
+                    - href: '#ir-9_smt.d'
+                      rel: assessment-for
                 - id: ir-9_obj.e
                   name: assessment-objective
                   props:
@@ -59780,6 +64831,9 @@ catalog:
                       value: IR-09e.
                       class: sp800-53a
                   prose: the information is eradicated from the contaminated system or component in response to information spills;
+                  links:
+                    - href: '#ir-9_smt.e'
+                      rel: assessment-for
                 - id: ir-9_obj.f
                   name: assessment-objective
                   props:
@@ -59787,6 +64841,9 @@ catalog:
                       value: IR-09f.
                       class: sp800-53a
                   prose: other systems or system components that may have been subsequently contaminated are identified in response to information spills;
+                  links:
+                    - href: '#ir-9_smt.f'
+                      rel: assessment-for
                 - id: ir-9_obj.g
                   name: assessment-objective
                   props:
@@ -59794,6 +64851,12 @@ catalog:
                       value: IR-09g.
                       class: sp800-53a
                   prose: '{{ insert: param, ir-09_odp.03 }} are performed in response to information spills.'
+                  links:
+                    - href: '#ir-9_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#ir-9_smt'
+                  rel: assessment-for
             - id: ir-9_asm-examine
               name: assessment-method
               props:
@@ -59918,6 +64981,9 @@ catalog:
                       value: IR-09(02)
                       class: sp800-53a
                   prose: 'information spillage response training is provided {{ insert: param, ir-09.02_odp }}.'
+                  links:
+                    - href: '#ir-9.2_smt'
+                      rel: assessment-for
                 - id: ir-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -60002,6 +65068,9 @@ catalog:
                       value: IR-09(03)
                       class: sp800-53a
                   prose: '{{ insert: param, ir-09.03_odp }} are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.'
+                  links:
+                    - href: '#ir-9.3_smt'
+                      rel: assessment-for
                 - id: ir-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -60094,6 +65163,9 @@ catalog:
                       value: IR-09(04)
                       class: sp800-53a
                   prose: '{{ insert: param, ir-09.04_odp }} are employed for personnel exposed to information not within assigned access authorizations.'
+                  links:
+                    - href: '#ir-9.4_smt'
+                      rel: assessment-for
                 - id: ir-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -60377,6 +65449,9 @@ catalog:
                           value: MA-01a.[01]
                           class: sp800-53a
                       prose: a maintenance policy is developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -60384,6 +65459,9 @@ catalog:
                           value: MA-01a.[02]
                           class: sp800-53a
                       prose: 'the maintenance policy is disseminated to {{ insert: param, ma-01_odp.01 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -60391,6 +65469,9 @@ catalog:
                           value: MA-01a.[03]
                           class: sp800-53a
                       prose: maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -60398,6 +65479,9 @@ catalog:
                           value: MA-01a.[04]
                           class: sp800-53a
                       prose: 'the maintenance procedures are disseminated to {{ insert: param, ma-01_odp.02 }};'
+                      links:
+                        - href: '#ma-1_smt.a'
+                          rel: assessment-for
                     - id: ma-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -60419,6 +65503,9 @@ catalog:
                                   value: MA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses purpose;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -60426,6 +65513,9 @@ catalog:
                                   value: MA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses scope;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -60433,6 +65523,9 @@ catalog:
                                   value: MA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses roles;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -60440,6 +65533,9 @@ catalog:
                                   value: MA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses responsibilities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -60447,6 +65543,9 @@ catalog:
                                   value: MA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses management commitment;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -60454,6 +65553,9 @@ catalog:
                                   value: MA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ma-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -60461,6 +65563,12 @@ catalog:
                                   value: MA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy addresses compliance;'
+                              links:
+                                - href: '#ma-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ma-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ma-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -60468,6 +65576,15 @@ catalog:
                               value: MA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ma-01_odp.03 }} maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ma-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.a'
+                      rel: assessment-for
                 - id: ma-1_obj.b
                   name: assessment-objective
                   props:
@@ -60475,6 +65592,9 @@ catalog:
                       value: MA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ma-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;'
+                  links:
+                    - href: '#ma-1_smt.b'
+                      rel: assessment-for
                 - id: ma-1_obj.c
                   name: assessment-objective
                   props:
@@ -60496,6 +65616,9 @@ catalog:
                               value: MA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated {{ insert: param, ma-01_odp.05 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
                         - id: ma-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -60503,6 +65626,12 @@ catalog:
                               value: MA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current maintenance policy is reviewed and updated following {{ insert: param, ma-01_odp.06 }};'
+                          links:
+                            - href: '#ma-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.1'
+                          rel: assessment-for
                     - id: ma-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -60517,6 +65646,9 @@ catalog:
                               value: MA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated {{ insert: param, ma-01_odp.07 }};'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
                         - id: ma-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -60524,6 +65656,18 @@ catalog:
                               value: MA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current maintenance procedures are reviewed and updated following {{ insert: param, ma-01_odp.08 }}.'
+                          links:
+                            - href: '#ma-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-1_smt'
+                  rel: assessment-for
             - id: ma-1_asm-examine
               name: assessment-method
               props:
@@ -60698,6 +65842,9 @@ catalog:
                           value: MA-02a.[01]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -60705,6 +65852,9 @@ catalog:
                           value: MA-02a.[02]
                           class: sp800-53a
                       prose: maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
                     - id: ma-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -60712,6 +65862,12 @@ catalog:
                           value: MA-02a.[03]
                           class: sp800-53a
                       prose: records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;
+                      links:
+                        - href: '#ma-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.a'
+                      rel: assessment-for
                 - id: ma-2_obj.b
                   name: assessment-objective
                   props:
@@ -60726,6 +65882,9 @@ catalog:
                           value: MA-02b.[01]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
                     - id: ma-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -60733,6 +65892,12 @@ catalog:
                           value: MA-02b.[02]
                           class: sp800-53a
                       prose: all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;
+                      links:
+                        - href: '#ma-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2_smt.b'
+                      rel: assessment-for
                 - id: ma-2_obj.c
                   name: assessment-objective
                   props:
@@ -60740,6 +65905,9 @@ catalog:
                       value: MA-02c.
                       class: sp800-53a
                   prose: '{{ insert: param, ma-02_odp.01 }} is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.c'
+                      rel: assessment-for
                 - id: ma-2_obj.d
                   name: assessment-objective
                   props:
@@ -60747,6 +65915,9 @@ catalog:
                       value: MA-02d.
                       class: sp800-53a
                   prose: 'equipment is sanitized to remove {{ insert: param, ma-02_odp.02 }} from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;'
+                  links:
+                    - href: '#ma-2_smt.d'
+                      rel: assessment-for
                 - id: ma-2_obj.e
                   name: assessment-objective
                   props:
@@ -60754,6 +65925,9 @@ catalog:
                       value: MA-02e.
                       class: sp800-53a
                   prose: all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;
+                  links:
+                    - href: '#ma-2_smt.e'
+                      rel: assessment-for
                 - id: ma-2_obj.f
                   name: assessment-objective
                   props:
@@ -60761,6 +65935,12 @@ catalog:
                       value: MA-02f.
                       class: sp800-53a
                   prose: '{{ insert: param, ma-02_odp.03 }} is included in organizational maintenance records.'
+                  links:
+                    - href: '#ma-2_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ma-2_smt'
+                  rel: assessment-for
             - id: ma-2_asm-examine
               name: assessment-method
               props:
@@ -60939,6 +66119,9 @@ catalog:
                               value: MA-02(02)(a)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, ma-02.02_odp.01 }} are used to schedule maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
                         - id: ma-2.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -60946,6 +66129,9 @@ catalog:
                               value: MA-02(02)(a)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ma-02.02_odp.02 }} are used to conduct maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
                         - id: ma-2.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -60953,6 +66139,12 @@ catalog:
                               value: MA-02(02)(a)[03]
                               class: sp800-53a
                           prose: '{{ insert: param, ma-02.02_odp.03 }} are used to document maintenance, repair, and replacement actions for the system;'
+                          links:
+                            - href: '#ma-2.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-2.2_smt.a'
+                          rel: assessment-for
                     - id: ma-2.2_obj.b
                       name: assessment-objective
                       props:
@@ -60967,6 +66159,9 @@ catalog:
                               value: MA-02(02)(b)[01]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all maintenance actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
                         - id: ma-2.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -60974,6 +66169,9 @@ catalog:
                               value: MA-02(02)(b)[02]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all repair actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
                         - id: ma-2.2_obj.b-3
                           name: assessment-objective
                           props:
@@ -60981,6 +66179,15 @@ catalog:
                               value: MA-02(02)(b)[03]
                               class: sp800-53a
                           prose: up-to date, accurate, and complete records of all replacement actions requested, scheduled, in process, and completed are produced.
+                          links:
+                            - href: '#ma-2.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-2.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-2.2_smt'
+                      rel: assessment-for
                 - id: ma-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -61110,6 +66317,9 @@ catalog:
                           value: MA-03a.[01]
                           class: sp800-53a
                       prose: the use of system maintenance tools is approved;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -61117,6 +66327,9 @@ catalog:
                           value: MA-03a.[02]
                           class: sp800-53a
                       prose: the use of system maintenance tools is controlled;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
                     - id: ma-3_obj.a-3
                       name: assessment-objective
                       props:
@@ -61124,6 +66337,12 @@ catalog:
                           value: MA-03a.[03]
                           class: sp800-53a
                       prose: the use of system maintenance tools is monitored;
+                      links:
+                        - href: '#ma-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3_smt.a'
+                      rel: assessment-for
                 - id: ma-3_obj.b
                   name: assessment-objective
                   props:
@@ -61131,6 +66350,12 @@ catalog:
                       value: MA-03b.
                       class: sp800-53a
                   prose: 'previously approved system maintenance tools are reviewed {{ insert: param, ma-03_odp }}.'
+                  links:
+                    - href: '#ma-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ma-3_smt'
+                  rel: assessment-for
             - id: ma-3_asm-examine
               name: assessment-method
               props:
@@ -61218,6 +66443,9 @@ catalog:
                       value: MA-03(01)
                       class: sp800-53a
                   prose: maintenance tools used by maintenance personnel are inspected for improper or unauthorized modifications.
+                  links:
+                    - href: '#ma-3.1_smt'
+                      rel: assessment-for
                 - id: ma-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -61306,6 +66534,9 @@ catalog:
                       value: MA-03(02)
                       class: sp800-53a
                   prose: media containing diagnostic and test programs are checked for malicious code before the media are used in the system.
+                  links:
+                    - href: '#ma-3.2_smt'
+                      rel: assessment-for
                 - id: ma-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -61435,6 +66666,9 @@ catalog:
                           value: MA-03(03)(a)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by verifying that there is no organizational information contained on the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.a'
+                          rel: assessment-for
                     - id: ma-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -61442,6 +66676,9 @@ catalog:
                           value: MA-03(03)(b)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by sanitizing or destroying the equipment; or
+                      links:
+                        - href: '#ma-3.3_smt.b'
+                          rel: assessment-for
                     - id: ma-3.3_obj.c
                       name: assessment-objective
                       props:
@@ -61449,6 +66686,9 @@ catalog:
                           value: MA-03(03)(c)
                           class: sp800-53a
                       prose: the removal of maintenance equipment containing organizational information is prevented by retaining the equipment within the facility; or
+                      links:
+                        - href: '#ma-3.3_smt.c'
+                          rel: assessment-for
                     - id: ma-3.3_obj.d
                       name: assessment-objective
                       props:
@@ -61456,6 +66696,12 @@ catalog:
                           value: MA-03(03)(d)
                           class: sp800-53a
                       prose: 'the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from {{ insert: param, ma-03.03_odp }} explicitly authorizing removal of the equipment from the facility.'
+                      links:
+                        - href: '#ma-3.3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-3.3_smt'
+                      rel: assessment-for
                 - id: ma-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -61559,6 +66805,9 @@ catalog:
                       value: MA-03(04)
                       class: sp800-53a
                   prose: the use of maintenance tools is restricted to authorized personnel only.
+                  links:
+                    - href: '#ma-3.4_smt'
+                      rel: assessment-for
                 - id: ma-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -61654,6 +66903,9 @@ catalog:
                       value: MA-03(05)
                       class: sp800-53a
                   prose: the use of maintenance tools that execute with increased privilege is monitored.
+                  links:
+                    - href: '#ma-3.5_smt'
+                      rel: assessment-for
                 - id: ma-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -61751,6 +67003,9 @@ catalog:
                       value: MA-03(06)
                       class: sp800-53a
                   prose: maintenance tools are inspected to ensure that the latest software updates and patches are installed.
+                  links:
+                    - href: '#ma-3.6_smt'
+                      rel: assessment-for
                 - id: ma-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -61925,6 +67180,9 @@ catalog:
                           value: MA-04a.[01]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are approved;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
                     - id: ma-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -61932,6 +67190,12 @@ catalog:
                           value: MA-04a.[02]
                           class: sp800-53a
                       prose: nonlocal maintenance and diagnostic activities are monitored;
+                      links:
+                        - href: '#ma-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.a'
+                      rel: assessment-for
                 - id: ma-4_obj.b
                   name: assessment-objective
                   props:
@@ -61946,6 +67210,9 @@ catalog:
                           value: MA-04b.[01]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
                     - id: ma-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -61953,6 +67220,12 @@ catalog:
                           value: MA-04b.[02]
                           class: sp800-53a
                       prose: the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;
+                      links:
+                        - href: '#ma-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.b'
+                      rel: assessment-for
                 - id: ma-4_obj.c
                   name: assessment-objective
                   props:
@@ -61960,6 +67233,9 @@ catalog:
                       value: MA-04c.
                       class: sp800-53a
                   prose: strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;
+                  links:
+                    - href: '#ma-4_smt.c'
+                      rel: assessment-for
                 - id: ma-4_obj.d
                   name: assessment-objective
                   props:
@@ -61967,6 +67243,9 @@ catalog:
                       value: MA-04d.
                       class: sp800-53a
                   prose: records for nonlocal maintenance and diagnostic activities are maintained;
+                  links:
+                    - href: '#ma-4_smt.d'
+                      rel: assessment-for
                 - id: ma-4_obj.e
                   name: assessment-objective
                   props:
@@ -61981,6 +67260,9 @@ catalog:
                           value: MA-04e.[01]
                           class: sp800-53a
                       prose: session connections are terminated when nonlocal maintenance is completed;
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
                     - id: ma-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -61988,6 +67270,15 @@ catalog:
                           value: MA-04e.[02]
                           class: sp800-53a
                       prose: network connections are terminated when nonlocal maintenance is completed.
+                      links:
+                        - href: '#ma-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ma-4_smt'
+                  rel: assessment-for
             - id: ma-4_asm-examine
               name: assessment-method
               props:
@@ -62145,6 +67436,9 @@ catalog:
                               value: MA-04(01)(a)[01]
                               class: sp800-53a
                           prose: '{{ insert: param, ma-04.01_odp.01 }} are logged for nonlocal maintenance sessions;'
+                          links:
+                            - href: '#ma-4.1_smt.a'
+                              rel: assessment-for
                         - id: ma-4.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -62152,6 +67446,12 @@ catalog:
                               value: MA-04(01)(a)[02]
                               class: sp800-53a
                           prose: '{{ insert: param, ma-04.01_odp.02 }} are logged for nonlocal diagnostic sessions;'
+                          links:
+                            - href: '#ma-4.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.1_smt.a'
+                          rel: assessment-for
                     - id: ma-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -62166,6 +67466,9 @@ catalog:
                               value: MA-04(01)(b)[01]
                               class: sp800-53a
                           prose: the audit records of the maintenance sessions are reviewed to detect anomalous behavior;
+                          links:
+                            - href: '#ma-4.1_smt.b'
+                              rel: assessment-for
                         - id: ma-4.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -62173,6 +67476,15 @@ catalog:
                               value: MA-04(01)(b)[02]
                               class: sp800-53a
                           prose: the audit records of the diagnostic sessions are reviewed to detect anomalous behavior.
+                          links:
+                            - href: '#ma-4.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.1_smt'
+                      rel: assessment-for
                 - id: ma-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -62319,6 +67631,9 @@ catalog:
                               value: MA-04(03)(a)[01]
                               class: sp800-53a
                           prose: nonlocal maintenance services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced;
+                          links:
+                            - href: '#ma-4.3_smt.a'
+                              rel: assessment-for
                         - id: ma-4.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -62326,6 +67641,12 @@ catalog:
                               value: MA-04(03)(a)[02]
                               class: sp800-53a
                           prose: nonlocal diagnostic services are required to be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or
+                          links:
+                            - href: '#ma-4.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.3_smt.a'
+                          rel: assessment-for
                     - id: ma-4.3_obj.b
                       name: assessment-objective
                       props:
@@ -62340,6 +67661,9 @@ catalog:
                               value: MA-04(03)(b)[01]
                               class: sp800-53a
                           prose: the component to be serviced is removed from the system prior to nonlocal maintenance or diagnostic services;
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
                         - id: ma-4.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -62347,6 +67671,9 @@ catalog:
                               value: MA-04(03)(b)[02]
                               class: sp800-53a
                           prose: the component to be serviced is sanitized (for organizational information);
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
                         - id: ma-4.3_obj.b-3
                           name: assessment-objective
                           props:
@@ -62354,6 +67681,15 @@ catalog:
                               value: MA-04(03)(b)[03]
                               class: sp800-53a
                           prose: the component is inspected and sanitized (for potentially malicious software) after the service is performed and before reconnecting the component to the system.
+                          links:
+                            - href: '#ma-4.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.3_smt'
+                      rel: assessment-for
                 - id: ma-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -62498,6 +67834,9 @@ catalog:
                           value: MA-04(04)(a)
                           class: sp800-53a
                       prose: 'nonlocal maintenance sessions are protected by employing {{ insert: param, ma-04.04_odp }};'
+                      links:
+                        - href: '#ma-4.4_smt.a'
+                          rel: assessment-for
                     - id: ma-4.4_obj.b
                       name: assessment-objective
                       props:
@@ -62512,6 +67851,9 @@ catalog:
                               value: MA-04(04)(b)(01)
                               class: sp800-53a
                           prose: nonlocal maintenance sessions are protected by separating maintenance sessions from other network sessions with the system by physically separated communication paths; or
+                          links:
+                            - href: '#ma-4.4_smt.b.1'
+                              rel: assessment-for
                         - id: ma-4.4_obj.b.2
                           name: assessment-objective
                           props:
@@ -62519,6 +67861,15 @@ catalog:
                               value: MA-04(04)(b)(02)
                               class: sp800-53a
                           prose: nonlocal maintenance sessions are protected by logically separated communication paths.
+                          links:
+                            - href: '#ma-4.4_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-4.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.4_smt'
+                      rel: assessment-for
                 - id: ma-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -62656,6 +68007,9 @@ catalog:
                           value: MA-04(05)(a)
                           class: sp800-53a
                       prose: 'the approval of each nonlocal maintenance session is required by {{ insert: param, ma-04.05_odp.01 }};'
+                      links:
+                        - href: '#ma-4.5_smt.a'
+                          rel: assessment-for
                     - id: ma-4.5_obj.b
                       name: assessment-objective
                       props:
@@ -62663,6 +68017,12 @@ catalog:
                           value: MA-04(05)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, ma-04.05_odp.02 }} is/are notified of the date and time of planned nonlocal maintenance.'
+                      links:
+                        - href: '#ma-4.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.5_smt'
+                      rel: assessment-for
                 - id: ma-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -62780,6 +68140,9 @@ catalog:
                           value: MA-04(06)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ma-04.06_odp }} are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;'
+                      links:
+                        - href: '#ma-4.6_smt'
+                          rel: assessment-for
                     - id: ma-4.6_obj-2
                       name: assessment-objective
                       props:
@@ -62787,6 +68150,12 @@ catalog:
                           value: MA-04(06)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ma-04.06_odp }} are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.'
+                      links:
+                        - href: '#ma-4.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.6_smt'
+                      rel: assessment-for
                 - id: ma-4.6_asm-examine
                   name: assessment-method
                   props:
@@ -62889,6 +68258,9 @@ catalog:
                           value: MA-04(07)[01]
                           class: sp800-53a
                       prose: session connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions;
+                      links:
+                        - href: '#ma-4.7_smt'
+                          rel: assessment-for
                     - id: ma-4.7_obj-2
                       name: assessment-objective
                       props:
@@ -62896,6 +68268,12 @@ catalog:
                           value: MA-04(07)[02]
                           class: sp800-53a
                       prose: network connection termination is verified after the completion of nonlocal maintenance and diagnostic sessions.
+                      links:
+                        - href: '#ma-4.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-4.7_smt'
+                      rel: assessment-for
                 - id: ma-4.7_asm-examine
                   name: assessment-method
                   props:
@@ -63045,6 +68423,9 @@ catalog:
                           value: MA-05a.[01]
                           class: sp800-53a
                       prose: a process for maintenance personnel authorization is established;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
                     - id: ma-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -63052,6 +68433,12 @@ catalog:
                           value: MA-05a.[02]
                           class: sp800-53a
                       prose: a list of authorized maintenance organizations or personnel is maintained;
+                      links:
+                        - href: '#ma-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5_smt.a'
+                      rel: assessment-for
                 - id: ma-5_obj.b
                   name: assessment-objective
                   props:
@@ -63059,6 +68446,9 @@ catalog:
                       value: MA-05b.
                       class: sp800-53a
                   prose: non-escorted personnel performing maintenance on the system possess the required access authorizations;
+                  links:
+                    - href: '#ma-5_smt.b'
+                      rel: assessment-for
                 - id: ma-5_obj.c
                   name: assessment-objective
                   props:
@@ -63066,6 +68456,12 @@ catalog:
                       value: MA-05c.
                       class: sp800-53a
                   prose: organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.
+                  links:
+                    - href: '#ma-5_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ma-5_smt'
+                  rel: assessment-for
             - id: ma-5_asm-examine
               name: assessment-method
               props:
@@ -63211,6 +68607,9 @@ catalog:
                               value: MA-05(01)(a)(01)
                               class: sp800-53a
                           prose: procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified escorting and supervising maintenance personnel without the needed access authorization during the performance of maintenance and diagnostic activities;
+                          links:
+                            - href: '#ma-5.1_smt.a.1'
+                              rel: assessment-for
                         - id: ma-5.1_obj.a.2
                           name: assessment-objective
                           props:
@@ -63218,6 +68617,12 @@ catalog:
                               value: MA-05(01)(a)(02)
                               class: sp800-53a
                           prose: procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens are implemented and include all volatile information storage components within the system being sanitized and all non-volatile storage media being removed or physically disconnected from the system and secured prior to initiating maintenance or diagnostic activities;
+                          links:
+                            - href: '#ma-5.1_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-5.1_smt.a'
+                          rel: assessment-for
                     - id: ma-5.1_obj.b
                       name: assessment-objective
                       props:
@@ -63225,6 +68630,12 @@ catalog:
                           value: MA-05(01)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, ma-05.01_odp }} are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.'
+                      links:
+                        - href: '#ma-5.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5.1_smt'
+                      rel: assessment-for
                 - id: ma-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -63334,6 +68745,9 @@ catalog:
                           value: MA-05(02)[01]
                           class: sp800-53a
                       prose: personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances for at least the highest classification level and for compartments of information on the system;
+                      links:
+                        - href: '#ma-5.2_smt'
+                          rel: assessment-for
                     - id: ma-5.2_obj-2
                       name: assessment-objective
                       props:
@@ -63341,6 +68755,12 @@ catalog:
                           value: MA-05(02)[02]
                           class: sp800-53a
                       prose: personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess formal access approvals for at least the highest classification level and for compartments of information on the system.
+                      links:
+                        - href: '#ma-5.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5.2_smt'
+                      rel: assessment-for
                 - id: ma-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -63434,6 +68854,9 @@ catalog:
                       value: MA-05(03)
                       class: sp800-53a
                   prose: personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
+                  links:
+                    - href: '#ma-5.3_smt'
+                      rel: assessment-for
                 - id: ma-5.3_asm-examine
                   name: assessment-method
                   props:
@@ -63533,6 +68956,9 @@ catalog:
                           value: MA-05(04)(a)
                           class: sp800-53a
                       prose: foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated by the United States and foreign allied governments or owned and operated solely by foreign allied governments;
+                      links:
+                        - href: '#ma-5.4_smt.a'
+                          rel: assessment-for
                     - id: ma-5.4_obj.b
                       name: assessment-objective
                       props:
@@ -63547,6 +68973,9 @@ catalog:
                               value: MA-05(04)(b)[01]
                               class: sp800-53a
                           prose: approvals regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;
+                          links:
+                            - href: '#ma-5.4_smt.b'
+                              rel: assessment-for
                         - id: ma-5.4_obj.b-2
                           name: assessment-objective
                           props:
@@ -63554,6 +68983,9 @@ catalog:
                               value: MA-05(04)(b)[02]
                               class: sp800-53a
                           prose: consents regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements;
+                          links:
+                            - href: '#ma-5.4_smt.b'
+                              rel: assessment-for
                         - id: ma-5.4_obj.b-3
                           name: assessment-objective
                           props:
@@ -63561,6 +68993,15 @@ catalog:
                               value: MA-05(04)(b)[03]
                               class: sp800-53a
                           prose: detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified systems are fully documented within Memoranda of Agreements.
+                          links:
+                            - href: '#ma-5.4_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ma-5.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ma-5.4_smt'
+                      rel: assessment-for
                 - id: ma-5.4_asm-examine
                   name: assessment-method
                   props:
@@ -63656,6 +69097,9 @@ catalog:
                       value: MA-05(05)
                       class: sp800-53a
                   prose: non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system have required access authorizations.
+                  links:
+                    - href: '#ma-5.5_smt'
+                      rel: assessment-for
                 - id: ma-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -63774,6 +69218,9 @@ catalog:
                   value: MA-06
                   class: sp800-53a
               prose: 'maintenance support and/or spare parts are obtained for {{ insert: param, ma-06_odp.01 }} within {{ insert: param, ma-06_odp.02 }} of failure.'
+              links:
+                - href: '#ma-6_smt'
+                  rel: assessment-for
             - id: ma-6_asm-examine
               name: assessment-method
               props:
@@ -63883,6 +69330,9 @@ catalog:
                       value: MA-06(01)
                       class: sp800-53a
                   prose: 'preventive maintenance is performed on {{ insert: param, ma-06.01_odp.01 }} at {{ insert: param, ma-06.01_odp.02 }}.'
+                  links:
+                    - href: '#ma-6.1_smt'
+                      rel: assessment-for
                 - id: ma-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -63994,6 +69444,9 @@ catalog:
                       value: MA-06(02)
                       class: sp800-53a
                   prose: 'predictive maintenance is performed on {{ insert: param, ma-06.02_odp.01 }} at {{ insert: param, ma-06.02_odp.02 }}.'
+                  links:
+                    - href: '#ma-6.2_smt'
+                      rel: assessment-for
                 - id: ma-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -64095,6 +69548,9 @@ catalog:
                       value: MA-06(03)
                       class: sp800-53a
                   prose: 'predictive maintenance data is transferred to a maintenance management system using {{ insert: param, ma-06.03_odp }}.'
+                  links:
+                    - href: '#ma-6.3_smt'
+                      rel: assessment-for
                 - id: ma-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -64210,6 +69666,9 @@ catalog:
                   value: MA-07
                   class: sp800-53a
               prose: 'field maintenance on {{ insert: param, ma-07_odp.01 }} are restricted or prohibited to {{ insert: param, ma-07_odp.02 }}.'
+              links:
+                - href: '#ma-7_smt'
+                  rel: assessment-for
             - id: ma-7_asm-examine
               name: assessment-method
               props:
@@ -64485,6 +69944,9 @@ catalog:
                           value: MP-01a.[01]
                           class: sp800-53a
                       prose: a media protection policy is developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -64492,6 +69954,9 @@ catalog:
                           value: MP-01a.[02]
                           class: sp800-53a
                       prose: 'the media protection policy is disseminated to {{ insert: param, mp-01_odp.01 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -64499,6 +69964,9 @@ catalog:
                           value: MP-01a.[03]
                           class: sp800-53a
                       prose: media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -64506,6 +69974,9 @@ catalog:
                           value: MP-01a.[04]
                           class: sp800-53a
                       prose: 'the media protection procedures are disseminated to {{ insert: param, mp-01_odp.02 }};'
+                      links:
+                        - href: '#mp-1_smt.a'
+                          rel: assessment-for
                     - id: mp-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -64527,6 +69998,9 @@ catalog:
                                   value: MP-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses purpose;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -64534,6 +70008,9 @@ catalog:
                                   value: MP-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses scope;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -64541,6 +70018,9 @@ catalog:
                                   value: MP-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses roles;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -64548,6 +70028,9 @@ catalog:
                                   value: MP-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses responsibilities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -64555,6 +70038,9 @@ catalog:
                                   value: MP-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses management commitment;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -64562,6 +70048,9 @@ catalog:
                                   value: MP-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: mp-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -64569,6 +70058,12 @@ catalog:
                                   value: MP-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, mp-01_odp.03 }} media protection policy compliance;'
+                              links:
+                                - href: '#mp-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#mp-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: mp-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -64576,6 +70071,15 @@ catalog:
                               value: MP-01a.01(b)
                               class: sp800-53a
                           prose: the media protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+                          links:
+                            - href: '#mp-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.a'
+                      rel: assessment-for
                 - id: mp-1_obj.b
                   name: assessment-objective
                   props:
@@ -64583,6 +70087,9 @@ catalog:
                       value: MP-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, mp-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.'
+                  links:
+                    - href: '#mp-1_smt.b'
+                      rel: assessment-for
                 - id: mp-1_obj.c
                   name: assessment-objective
                   props:
@@ -64604,6 +70111,9 @@ catalog:
                               value: MP-01c.01[01]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated {{ insert: param, mp-01_odp.05 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
                         - id: mp-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -64611,6 +70121,12 @@ catalog:
                               value: MP-01c.01[02]
                               class: sp800-53a
                           prose: 'the current media protection policy is reviewed and updated following {{ insert: param, mp-01_odp.06 }};'
+                          links:
+                            - href: '#mp-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.1'
+                          rel: assessment-for
                     - id: mp-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -64625,6 +70141,9 @@ catalog:
                               value: MP-01c.02[01]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated {{ insert: param, mp-01_odp.07 }}; '
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
                         - id: mp-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -64632,6 +70151,18 @@ catalog:
                               value: MP-01c.02[02]
                               class: sp800-53a
                           prose: 'the current media protection procedures are reviewed and updated following {{ insert: param, mp-01_odp.08 }}.'
+                          links:
+                            - href: '#mp-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#mp-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#mp-1_smt'
+                  rel: assessment-for
             - id: mp-1_asm-examine
               name: assessment-method
               props:
@@ -64789,6 +70320,9 @@ catalog:
                       value: MP-02[01]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.01 }} is restricted to {{ insert: param, mp-02_odp.02 }};'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
                 - id: mp-2_obj-2
                   name: assessment-objective
                   props:
@@ -64796,6 +70330,12 @@ catalog:
                       value: MP-02[02]
                       class: sp800-53a
                   prose: 'access to {{ insert: param, mp-02_odp.03 }} is restricted to {{ insert: param, mp-02_odp.04 }}.'
+                  links:
+                    - href: '#mp-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#mp-2_smt'
+                  rel: assessment-for
             - id: mp-2_asm-examine
               name: assessment-method
               props:
@@ -64976,6 +70516,9 @@ catalog:
                       value: MP-03a.
                       class: sp800-53a
                   prose: system media is marked to indicate distribution limitations, handling caveats, and applicable security markings (if any) of the information;
+                  links:
+                    - href: '#mp-3_smt.a'
+                      rel: assessment-for
                 - id: mp-3_obj.b
                   name: assessment-objective
                   props:
@@ -64983,6 +70526,12 @@ catalog:
                       value: MP-03b.
                       class: sp800-53a
                   prose: '{{ insert: param, mp-03_odp.01 }} remain within {{ insert: param, mp-03_odp.02 }}.'
+                  links:
+                    - href: '#mp-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-3_smt'
+                  rel: assessment-for
             - id: mp-3_asm-examine
               name: assessment-method
               props:
@@ -65210,6 +70759,9 @@ catalog:
                           value: MP-04a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-04_odp.01 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -65217,6 +70769,9 @@ catalog:
                           value: MP-04a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-04_odp.02 }} are physically controlled;'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-3
                       name: assessment-objective
                       props:
@@ -65224,6 +70779,9 @@ catalog:
                           value: MP-04a.[03]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-04_odp.03 }} are securely stored within {{ insert: param, mp-04_odp.05 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
                     - id: mp-4_obj.a-4
                       name: assessment-objective
                       props:
@@ -65231,6 +70789,12 @@ catalog:
                           value: MP-04a.[04]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-04_odp.04 }} are securely stored within {{ insert: param, mp-04_odp.06 }};'
+                      links:
+                        - href: '#mp-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-4_smt.a'
+                      rel: assessment-for
                 - id: mp-4_obj.b
                   name: assessment-objective
                   props:
@@ -65238,6 +70802,12 @@ catalog:
                       value: MP-04b.
                       class: sp800-53a
                   prose: system media types (defined in MP-04_ODP[01], MP-04_ODP[02], MP-04_ODP[03], MP-04_ODP[04]) are protected until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
+                  links:
+                    - href: '#mp-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-4_smt'
+                  rel: assessment-for
             - id: mp-4_asm-examine
               name: assessment-method
               props:
@@ -65399,6 +70969,9 @@ catalog:
                           value: MP-04(02)[01]
                           class: sp800-53a
                       prose: 'access to media storage areas is restricted using {{ insert: param, mp-04.02_odp.01 }};'
+                      links:
+                        - href: '#mp-4.2_smt'
+                          rel: assessment-for
                     - id: mp-4.2_obj-2
                       name: assessment-objective
                       props:
@@ -65406,6 +70979,9 @@ catalog:
                           value: MP-04(02)[02]
                           class: sp800-53a
                       prose: 'access attempts to media storage areas are logged using {{ insert: param, mp-04.02_odp.02 }};'
+                      links:
+                        - href: '#mp-4.2_smt'
+                          rel: assessment-for
                     - id: mp-4.2_obj-3
                       name: assessment-objective
                       props:
@@ -65413,6 +70989,12 @@ catalog:
                           value: MP-04(02)[03]
                           class: sp800-53a
                       prose: 'access granted to media storage areas is logged using {{ insert: param, mp-04.02_odp.03 }}.'
+                      links:
+                        - href: '#mp-4.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-4.2_smt'
+                      rel: assessment-for
                 - id: mp-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -65613,6 +71195,9 @@ catalog:
                           value: MP-05a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-05_odp.01 }} are protected during transport outside of controlled areas using {{ insert: param, mp-05_odp.02 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
                     - id: mp-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -65620,6 +71205,12 @@ catalog:
                           value: MP-05a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-05_odp.01 }} are controlled during transport outside of controlled areas using {{ insert: param, mp-05_odp.03 }};'
+                      links:
+                        - href: '#mp-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.a'
+                      rel: assessment-for
                 - id: mp-5_obj.b
                   name: assessment-objective
                   props:
@@ -65627,6 +71218,9 @@ catalog:
                       value: MP-05b.
                       class: sp800-53a
                   prose: accountability for system media is maintained during transport outside of controlled areas;
+                  links:
+                    - href: '#mp-5_smt.b'
+                      rel: assessment-for
                 - id: mp-5_obj.c
                   name: assessment-objective
                   props:
@@ -65634,6 +71228,9 @@ catalog:
                       value: MP-05c.
                       class: sp800-53a
                   prose: activities associated with the transport of system media are documented;
+                  links:
+                    - href: '#mp-5_smt.c'
+                      rel: assessment-for
                 - id: mp-5_obj.d
                   name: assessment-objective
                   props:
@@ -65648,6 +71245,9 @@ catalog:
                           value: MP-05d.[01]
                           class: sp800-53a
                       prose: personnel authorized to conduct media transport activities is/are identified;
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
                     - id: mp-5_obj.d-2
                       name: assessment-objective
                       props:
@@ -65655,6 +71255,15 @@ catalog:
                           value: MP-05d.[02]
                           class: sp800-53a
                       prose: activities associated with the transport of system media are restricted to identified authorized personnel.
+                      links:
+                        - href: '#mp-5_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#mp-5_smt'
+                  rel: assessment-for
             - id: mp-5_asm-examine
               name: assessment-method
               props:
@@ -65787,6 +71396,9 @@ catalog:
                           value: MP-05(03)[01]
                           class: sp800-53a
                       prose: a custodian to transport system media outside of controlled areas is identified;
+                      links:
+                        - href: '#mp-5.3_smt'
+                          rel: assessment-for
                     - id: mp-5.3_obj-2
                       name: assessment-objective
                       props:
@@ -65794,6 +71406,12 @@ catalog:
                           value: MP-05(03)[02]
                           class: sp800-53a
                       prose: the identified custodian is employed during the transport of system media outside of controlled areas.
+                      links:
+                        - href: '#mp-5.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-5.3_smt'
+                      rel: assessment-for
                 - id: mp-5.3_asm-examine
                   name: assessment-method
                   props:
@@ -66034,6 +71652,9 @@ catalog:
                           value: MP-06a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-06_odp.01 }} is sanitized using {{ insert: param, mp-06_odp.04 }} prior to disposal;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -66041,6 +71662,9 @@ catalog:
                           value: MP-06a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-06_odp.02 }} is sanitized using {{ insert: param, mp-06_odp.05 }} prior to release from organizational control;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
                     - id: mp-6_obj.a-3
                       name: assessment-objective
                       props:
@@ -66048,6 +71672,12 @@ catalog:
                           value: MP-06a.[03]
                           class: sp800-53a
                       prose: '{{ insert: param, mp-06_odp.03 }} is sanitized using {{ insert: param, mp-06_odp.06 }} prior to release for reuse;'
+                      links:
+                        - href: '#mp-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6_smt.a'
+                      rel: assessment-for
                 - id: mp-6_obj.b
                   name: assessment-objective
                   props:
@@ -66055,6 +71685,12 @@ catalog:
                       value: MP-06b.
                       class: sp800-53a
                   prose: sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.
+                  links:
+                    - href: '#mp-6_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-6_smt'
+                  rel: assessment-for
             - id: mp-6_asm-examine
               name: assessment-method
               props:
@@ -66163,6 +71799,9 @@ catalog:
                           value: MP-06(01)[01]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are reviewed;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -66170,6 +71809,9 @@ catalog:
                           value: MP-06(01)[02]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are approved;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-3
                       name: assessment-objective
                       props:
@@ -66177,6 +71819,9 @@ catalog:
                           value: MP-06(01)[03]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are tracked;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-4
                       name: assessment-objective
                       props:
@@ -66184,6 +71829,9 @@ catalog:
                           value: MP-06(01)[04]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are documented;
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
                     - id: mp-6.1_obj-5
                       name: assessment-objective
                       props:
@@ -66191,6 +71839,12 @@ catalog:
                           value: MP-06(01)[05]
                           class: sp800-53a
                       prose: media sanitization and disposal actions are verified.
+                      links:
+                        - href: '#mp-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6.1_smt'
+                      rel: assessment-for
                 - id: mp-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -66328,6 +71982,9 @@ catalog:
                           value: MP-06(02)[01]
                           class: sp800-53a
                       prose: 'sanitization equipment is tested {{ insert: param, mp-06.02_odp.01 }} to ensure that the intended sanitization is being achieved;'
+                      links:
+                        - href: '#mp-6.2_smt'
+                          rel: assessment-for
                     - id: mp-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -66335,6 +71992,12 @@ catalog:
                           value: MP-06(02)[02]
                           class: sp800-53a
                       prose: 'sanitization procedures are tested {{ insert: param, mp-06.02_odp.02 }} to ensure that the intended sanitization is being achieved.'
+                      links:
+                        - href: '#mp-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-6.2_smt'
+                      rel: assessment-for
                 - id: mp-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -66447,6 +72110,9 @@ catalog:
                       value: MP-06(03)
                       class: sp800-53a
                   prose: 'non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under {{ insert: param, mp-06.03_odp }}.'
+                  links:
+                    - href: '#mp-6.3_smt'
+                      rel: assessment-for
                 - id: mp-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -66598,6 +72264,9 @@ catalog:
                       value: MP-06(07)
                       class: sp800-53a
                   prose: 'dual authorization for sanitization of {{ insert: param, mp-06.07_odp }} is enforced.'
+                  links:
+                    - href: '#mp-6.7_smt'
+                      rel: assessment-for
                 - id: mp-6.7_asm-examine
                   name: assessment-method
                   props:
@@ -66724,6 +72393,9 @@ catalog:
                       value: MP-06(08)
                       class: sp800-53a
                   prose: 'the capability to purge or wipe information from {{ insert: param, mp-06.08_odp.01 }} {{ insert: param, mp-06.08_odp.02 }} is provided.'
+                  links:
+                    - href: '#mp-6.8_smt'
+                      rel: assessment-for
                 - id: mp-6.8_asm-examine
                   name: assessment-method
                   props:
@@ -66891,6 +72563,9 @@ catalog:
                       value: MP-07a.
                       class: sp800-53a
                   prose: 'the use of {{ insert: param, mp-07_odp.01 }} is {{ insert: param, mp-07_odp.02 }} on {{ insert: param, mp-07_odp.03 }} using {{ insert: param, mp-07_odp.04 }};'
+                  links:
+                    - href: '#mp-7_smt.a'
+                      rel: assessment-for
                 - id: mp-7_obj.b
                   name: assessment-objective
                   props:
@@ -66898,6 +72573,12 @@ catalog:
                       value: MP-07b.
                       class: sp800-53a
                   prose: the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.
+                  links:
+                    - href: '#mp-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#mp-7_smt'
+                  rel: assessment-for
             - id: mp-7_asm-examine
               name: assessment-method
               props:
@@ -67016,6 +72697,9 @@ catalog:
                           value: MP-07(02)[01]
                           class: sp800-53a
                       prose: sanitization-resistant media is identified;
+                      links:
+                        - href: '#mp-7.2_smt'
+                          rel: assessment-for
                     - id: mp-7.2_obj-2
                       name: assessment-objective
                       props:
@@ -67023,6 +72707,12 @@ catalog:
                           value: MP-07(02)[02]
                           class: sp800-53a
                       prose: the use of sanitization-resistant media in organizational systems is prohibited.
+                      links:
+                        - href: '#mp-7.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-7.2_smt'
+                      rel: assessment-for
                 - id: mp-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -67172,6 +72862,9 @@ catalog:
                           value: MP-08a.[01]
                           class: sp800-53a
                       prose: 'a {{ insert: param, mp-08_odp.01 }} is established;'
+                      links:
+                        - href: '#mp-8_smt.a'
+                          rel: assessment-for
                     - id: mp-8_obj.a-2
                       name: assessment-objective
                       props:
@@ -67179,6 +72872,12 @@ catalog:
                           value: MP-08a.[02]
                           class: sp800-53a
                       prose: 'the {{ insert: param, mp-08_odp.01 }} includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;'
+                      links:
+                        - href: '#mp-8_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-8_smt.a'
+                      rel: assessment-for
                 - id: mp-8_obj.b
                   name: assessment-objective
                   props:
@@ -67193,6 +72892,9 @@ catalog:
                           value: MP-08b.[01]
                           class: sp800-53a
                       prose: there is verification that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed;
+                      links:
+                        - href: '#mp-8_smt.b'
+                          rel: assessment-for
                     - id: mp-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -67200,6 +72902,12 @@ catalog:
                           value: MP-08b.[02]
                           class: sp800-53a
                       prose: there is verification that the system media downgrading process is commensurate with the access authorizations of the potential recipients of the downgraded information;
+                      links:
+                        - href: '#mp-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-8_smt.b'
+                      rel: assessment-for
                 - id: mp-8_obj.c
                   name: assessment-objective
                   props:
@@ -67207,6 +72915,9 @@ catalog:
                       value: MP-08c.
                       class: sp800-53a
                   prose: '{{ insert: param, mp-08_odp.02 }} is identified;'
+                  links:
+                    - href: '#mp-8_smt.c'
+                      rel: assessment-for
                 - id: mp-8_obj.d
                   name: assessment-objective
                   props:
@@ -67214,6 +72925,12 @@ catalog:
                       value: MP-08d.
                       class: sp800-53a
                   prose: 'the identified system media is downgraded using the {{ insert: param, mp-08_odp.01 }}.'
+                  links:
+                    - href: '#mp-8_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#mp-8_smt'
+                  rel: assessment-for
             - id: mp-8_asm-examine
               name: assessment-method
               props:
@@ -67305,6 +73022,9 @@ catalog:
                       value: MP-08(01)
                       class: sp800-53a
                   prose: system media downgrading actions are documented.
+                  links:
+                    - href: '#mp-8.1_smt'
+                      rel: assessment-for
                 - id: mp-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -67428,6 +73148,9 @@ catalog:
                           value: MP-08(02)[01]
                           class: sp800-53a
                       prose: 'downgrading equipment is tested {{ insert: param, mp-08.02_odp.01 }} to ensure that downgrading actions are being achieved;'
+                      links:
+                        - href: '#mp-8.2_smt'
+                          rel: assessment-for
                     - id: mp-8.2_obj-2
                       name: assessment-objective
                       props:
@@ -67435,6 +73158,12 @@ catalog:
                           value: MP-08(02)[02]
                           class: sp800-53a
                       prose: 'downgrading procedures are tested {{ insert: param, mp-08.02_odp.02 }} to ensure that downgrading actions are being achieved.'
+                      links:
+                        - href: '#mp-8.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-8.2_smt'
+                      rel: assessment-for
                 - id: mp-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -67530,6 +73259,9 @@ catalog:
                           value: MP-08(03)[01]
                           class: sp800-53a
                       prose: system media containing controlled unclassified information is identified;
+                      links:
+                        - href: '#mp-8.3_smt'
+                          rel: assessment-for
                     - id: mp-8.3_obj-2
                       name: assessment-objective
                       props:
@@ -67537,6 +73269,12 @@ catalog:
                           value: MP-08(03)[02]
                           class: sp800-53a
                       prose: system media containing controlled unclassified information is downgraded prior to public release.
+                      links:
+                        - href: '#mp-8.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-8.3_smt'
+                      rel: assessment-for
                 - id: mp-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -67630,6 +73368,9 @@ catalog:
                           value: MP-08(04)[01]
                           class: sp800-53a
                       prose: system media containing classified information is identified;
+                      links:
+                        - href: '#mp-8.4_smt'
+                          rel: assessment-for
                     - id: mp-8.4_obj-2
                       name: assessment-objective
                       props:
@@ -67637,6 +73378,12 @@ catalog:
                           value: MP-08(04)[02]
                           class: sp800-53a
                       prose: system media containing classified information is downgraded prior to release to individuals without required access authorizations.
+                      links:
+                        - href: '#mp-8.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#mp-8.4_smt'
+                      rel: assessment-for
                 - id: mp-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -67906,6 +73653,9 @@ catalog:
                           value: PE-01a.[01]
                           class: sp800-53a
                       prose: a physical and environmental protection policy is developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -67913,6 +73663,9 @@ catalog:
                           value: PE-01a.[02]
                           class: sp800-53a
                       prose: 'the physical and environmental protection policy is disseminated to {{ insert: param, pe-01_odp.01 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -67920,6 +73673,9 @@ catalog:
                           value: PE-01a.[03]
                           class: sp800-53a
                       prose: physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -67927,6 +73683,9 @@ catalog:
                           value: PE-01a.[04]
                           class: sp800-53a
                       prose: 'the physical and environmental protection procedures are disseminated to {{ insert: param, pe-01_odp.02 }};'
+                      links:
+                        - href: '#pe-1_smt.a'
+                          rel: assessment-for
                     - id: pe-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -67948,6 +73707,9 @@ catalog:
                                   value: PE-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses purpose;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -67955,6 +73717,9 @@ catalog:
                                   value: PE-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses scope;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -67962,6 +73727,9 @@ catalog:
                                   value: PE-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses roles;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -67969,6 +73737,9 @@ catalog:
                                   value: PE-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses responsibilities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -67976,6 +73747,9 @@ catalog:
                                   value: PE-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses management commitment;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -67983,6 +73757,9 @@ catalog:
                                   value: PE-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pe-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -67990,6 +73767,12 @@ catalog:
                                   value: PE-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy addresses compliance;'
+                              links:
+                                - href: '#pe-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pe-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pe-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -67997,6 +73780,15 @@ catalog:
                               value: PE-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pe-01_odp.03 }} physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pe-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.a'
+                      rel: assessment-for
                 - id: pe-1_obj.b
                   name: assessment-objective
                   props:
@@ -68004,6 +73796,9 @@ catalog:
                       value: PE-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pe-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;'
+                  links:
+                    - href: '#pe-1_smt.b'
+                      rel: assessment-for
                 - id: pe-1_obj.c
                   name: assessment-objective
                   props:
@@ -68025,6 +73820,9 @@ catalog:
                               value: PE-01c.01[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated {{ insert: param, pe-01_odp.05 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
                         - id: pe-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -68032,6 +73830,12 @@ catalog:
                               value: PE-01c.01[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection policy is reviewed and updated following {{ insert: param, pe-01_odp.06 }};'
+                          links:
+                            - href: '#pe-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.1'
+                          rel: assessment-for
                     - id: pe-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -68046,6 +73850,9 @@ catalog:
                               value: PE-01c.02[01]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated {{ insert: param, pe-01_odp.07 }};'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
                         - id: pe-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -68053,6 +73860,18 @@ catalog:
                               value: PE-01c.02[02]
                               class: sp800-53a
                           prose: 'the current physical and environmental protection procedures are reviewed and updated following {{ insert: param, pe-01_odp.08 }}.'
+                          links:
+                            - href: '#pe-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-1_smt'
+                  rel: assessment-for
             - id: pe-1_asm-examine
               name: assessment-method
               props:
@@ -68203,6 +74022,9 @@ catalog:
                           value: PE-02a.[01]
                           class: sp800-53a
                       prose: a list of individuals with authorized access to the facility where the system resides has been developed;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -68210,6 +74032,9 @@ catalog:
                           value: PE-02a.[02]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been approved;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
                     - id: pe-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -68217,6 +74042,12 @@ catalog:
                           value: PE-02a.[03]
                           class: sp800-53a
                       prose: the list of individuals with authorized access to the facility where the system resides has been maintained;
+                      links:
+                        - href: '#pe-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-2_smt.a'
+                      rel: assessment-for
                 - id: pe-2_obj.b
                   name: assessment-objective
                   props:
@@ -68224,6 +74055,9 @@ catalog:
                       value: PE-02b.
                       class: sp800-53a
                   prose: authorization credentials are issued for facility access;
+                  links:
+                    - href: '#pe-2_smt.b'
+                      rel: assessment-for
                 - id: pe-2_obj.c
                   name: assessment-objective
                   props:
@@ -68231,6 +74065,9 @@ catalog:
                       value: PE-02c.
                       class: sp800-53a
                   prose: 'the access list detailing authorized facility access by individuals is reviewed {{ insert: param, pe-02_odp }};'
+                  links:
+                    - href: '#pe-2_smt.c'
+                      rel: assessment-for
                 - id: pe-2_obj.d
                   name: assessment-objective
                   props:
@@ -68238,6 +74075,12 @@ catalog:
                       value: PE-02d.
                       class: sp800-53a
                   prose: individuals are removed from the facility access list when access is no longer required.
+                  links:
+                    - href: '#pe-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-2_smt'
+                  rel: assessment-for
             - id: pe-2_asm-examine
               name: assessment-method
               props:
@@ -68335,6 +74178,9 @@ catalog:
                       value: PE-02(01)
                       class: sp800-53a
                   prose: physical access to the facility where the system resides is authorized based on position or role.
+                  links:
+                    - href: '#pe-2.1_smt'
+                      rel: assessment-for
                 - id: pe-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -68440,6 +74286,9 @@ catalog:
                       value: PE-02(02)
                       class: sp800-53a
                   prose: 'two forms of identification are required from {{ insert: param, pe-02.02_odp }} for visitor access to the facility where the system resides.'
+                  links:
+                    - href: '#pe-2.2_smt'
+                      rel: assessment-for
                 - id: pe-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -68559,6 +74408,9 @@ catalog:
                       value: PE-02(03)
                       class: sp800-53a
                   prose: 'unescorted access to the facility where the system resides is restricted to personnel with {{ insert: param, pe-02.03_odp.01 }}.'
+                  links:
+                    - href: '#pe-2.3_smt'
+                      rel: assessment-for
                 - id: pe-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -68891,6 +74743,9 @@ catalog:
                           value: PE-03a.01
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by verifying individual access authorizations before granting access to the facility;'
+                      links:
+                        - href: '#pe-3_smt.a.1'
+                          rel: assessment-for
                     - id: pe-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -68898,6 +74753,12 @@ catalog:
                           value: PE-03a.02
                           class: sp800-53a
                       prose: 'physical access authorizations are enforced at {{ insert: param, pe-03_odp.01 }} by controlling ingress and egress to the facility using {{ insert: param, pe-03_odp.02 }};'
+                      links:
+                        - href: '#pe-3_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.a'
+                      rel: assessment-for
                 - id: pe-3_obj.b
                   name: assessment-objective
                   props:
@@ -68905,6 +74766,9 @@ catalog:
                       value: PE-03b.
                       class: sp800-53a
                   prose: 'physical access audit logs are maintained for {{ insert: param, pe-03_odp.04 }};'
+                  links:
+                    - href: '#pe-3_smt.b'
+                      rel: assessment-for
                 - id: pe-3_obj.c
                   name: assessment-objective
                   props:
@@ -68912,6 +74776,9 @@ catalog:
                       value: PE-03c.
                       class: sp800-53a
                   prose: 'access to areas within the facility designated as publicly accessible are maintained by implementing {{ insert: param, pe-03_odp.05 }};'
+                  links:
+                    - href: '#pe-3_smt.c'
+                      rel: assessment-for
                 - id: pe-3_obj.d
                   name: assessment-objective
                   props:
@@ -68926,6 +74793,9 @@ catalog:
                           value: PE-03d.[01]
                           class: sp800-53a
                       prose: visitors are escorted;
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
                     - id: pe-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -68933,6 +74803,12 @@ catalog:
                           value: PE-03d.[02]
                           class: sp800-53a
                       prose: 'visitor activity is controlled {{ insert: param, pe-03_odp.06 }};'
+                      links:
+                        - href: '#pe-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.d'
+                      rel: assessment-for
                 - id: pe-3_obj.e
                   name: assessment-objective
                   props:
@@ -68947,6 +74823,9 @@ catalog:
                           value: PE-03e.[01]
                           class: sp800-53a
                       prose: keys are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-2
                       name: assessment-objective
                       props:
@@ -68954,6 +74833,9 @@ catalog:
                           value: PE-03e.[02]
                           class: sp800-53a
                       prose: combinations are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
                     - id: pe-3_obj.e-3
                       name: assessment-objective
                       props:
@@ -68961,6 +74843,12 @@ catalog:
                           value: PE-03e.[03]
                           class: sp800-53a
                       prose: other physical access devices are secured;
+                      links:
+                        - href: '#pe-3_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.e'
+                      rel: assessment-for
                 - id: pe-3_obj.f
                   name: assessment-objective
                   props:
@@ -68968,6 +74856,9 @@ catalog:
                       value: PE-03f.
                       class: sp800-53a
                   prose: '{{ insert: param, pe-03_odp.07 }} are inventoried {{ insert: param, pe-03_odp.08 }};'
+                  links:
+                    - href: '#pe-3_smt.f'
+                      rel: assessment-for
                 - id: pe-3_obj.g
                   name: assessment-objective
                   props:
@@ -68982,6 +74873,9 @@ catalog:
                           value: PE-03g.[01]
                           class: sp800-53a
                       prose: 'combinations are changed {{ insert: param, pe-03_odp.09 }} , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
                     - id: pe-3_obj.g-2
                       name: assessment-objective
                       props:
@@ -68989,6 +74883,15 @@ catalog:
                           value: PE-03g.[02]
                           class: sp800-53a
                       prose: 'keys are changed {{ insert: param, pe-03_odp.10 }} , when keys are lost, or when individuals possessing the keys are transferred or terminated.'
+                      links:
+                        - href: '#pe-3_smt.g'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#pe-3_smt'
+                  rel: assessment-for
             - id: pe-3_asm-examine
               name: assessment-method
               props:
@@ -69107,6 +75010,9 @@ catalog:
                           value: PE-03(01)[01]
                           class: sp800-53a
                       prose: physical access authorizations to the system are enforced;
+                      links:
+                        - href: '#pe-3.1_smt'
+                          rel: assessment-for
                     - id: pe-3.1_obj.2
                       name: assessment-objective
                       props:
@@ -69114,6 +75020,12 @@ catalog:
                           value: PE-03(01)[02]
                           class: sp800-53a
                       prose: 'physical access controls are enforced for the facility at {{ insert: param, pe-03.01_odp }}.'
+                      links:
+                        - href: '#pe-3.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-3.1_smt'
+                      rel: assessment-for
                 - id: pe-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -69221,6 +75133,9 @@ catalog:
                       value: PE-03(02)
                       class: sp800-53a
                   prose: 'security checks are performed {{ insert: param, pe-03.02_odp }} at the physical perimeter of the facility or system for exfiltration of information or removal of system components.'
+                  links:
+                    - href: '#pe-3.2_smt'
+                      rel: assessment-for
                 - id: pe-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -69332,6 +75247,9 @@ catalog:
                       value: PE-03(03)
                       class: sp800-53a
                   prose: 'guards are employed to control {{ insert: param, pe-03.03_odp }} to the facility where the system resides 24 hours per day, 7 days per week.'
+                  links:
+                    - href: '#pe-3.3_smt'
+                      rel: assessment-for
                 - id: pe-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -69433,6 +75351,9 @@ catalog:
                       value: PE-03(04)
                       class: sp800-53a
                   prose: 'lockable physical casings are used to protect {{ insert: param, pe-03.04_odp }} from unauthorized access.'
+                  links:
+                    - href: '#pe-3.4_smt'
+                      rel: assessment-for
                 - id: pe-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -69553,6 +75474,9 @@ catalog:
                       value: PE-03(05)
                       class: sp800-53a
                   prose: '{{ insert: param, pe-03.05_odp.01 }} are employed to {{ insert: param, pe-03.05_odp.02 }} physical tampering or alteration of {{ insert: param, pe-03.05_odp.03 }} within the system.'
+                  links:
+                    - href: '#pe-3.5_smt'
+                      rel: assessment-for
                 - id: pe-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -69651,6 +75575,9 @@ catalog:
                       value: PE-03(07)
                       class: sp800-53a
                   prose: physical barriers are used to limit access.
+                  links:
+                    - href: '#pe-3.7_smt'
+                      rel: assessment-for
                 - id: pe-3.7_asm-examine
                   name: assessment-method
                   props:
@@ -69732,6 +75659,9 @@ catalog:
                       value: PE-03(08)
                       class: sp800-53a
                   prose: 'access control vestibules are employed at {{ insert: param, pe-03.08_odp }}.'
+                  links:
+                    - href: '#pe-3.8_smt'
+                      rel: assessment-for
                 - id: pe-3.8_asm-examine
                   name: assessment-method
                   props:
@@ -69850,6 +75780,9 @@ catalog:
                   value: PE-04
                   class: sp800-53a
               prose: 'physical access to {{ insert: param, pe-04_odp.01 }} within organizational facilities is controlled using {{ insert: param, pe-04_odp.02 }}.'
+              links:
+                - href: '#pe-4_smt'
+                  rel: assessment-for
             - id: pe-4_asm-examine
               name: assessment-method
               props:
@@ -69955,6 +75888,9 @@ catalog:
                   value: PE-05
                   class: sp800-53a
               prose: 'physical access to output from {{ insert: param, pe-05_odp }} is controlled to prevent unauthorized individuals from obtaining the output.'
+              links:
+                - href: '#pe-5_smt'
+                  rel: assessment-for
             - id: pe-5_asm-examine
               name: assessment-method
               props:
@@ -70060,6 +75996,9 @@ catalog:
                       value: PE-05(02)
                       class: sp800-53a
                   prose: individual identity is linked to the receipt of output from output devices.
+                  links:
+                    - href: '#pe-5.2_smt'
+                      rel: assessment-for
                 - id: pe-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -70242,6 +76181,9 @@ catalog:
                       value: PE-06a.
                       class: sp800-53a
                   prose: physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;
+                  links:
+                    - href: '#pe-6_smt.a'
+                      rel: assessment-for
                 - id: pe-6_obj.b
                   name: assessment-objective
                   props:
@@ -70256,6 +76198,9 @@ catalog:
                           value: PE-06b.[01]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed {{ insert: param, pe-06_odp.01 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
                     - id: pe-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -70263,6 +76208,12 @@ catalog:
                           value: PE-06b.[02]
                           class: sp800-53a
                       prose: 'physical access logs are reviewed upon occurrence of {{ insert: param, pe-06_odp.02 }};'
+                      links:
+                        - href: '#pe-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.b'
+                      rel: assessment-for
                 - id: pe-6_obj.c
                   name: assessment-objective
                   props:
@@ -70277,6 +76228,9 @@ catalog:
                           value: PE-06c.[01]
                           class: sp800-53a
                       prose: results of reviews are coordinated with organizational incident response capabilities;
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
                     - id: pe-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -70284,6 +76238,15 @@ catalog:
                           value: PE-06c.[02]
                           class: sp800-53a
                       prose: results of investigations are coordinated with organizational incident response capabilities.
+                      links:
+                        - href: '#pe-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-6_smt'
+                  rel: assessment-for
             - id: pe-6_asm-examine
               name: assessment-method
               props:
@@ -70385,6 +76348,9 @@ catalog:
                           value: PE-06(01)[01]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical intrusion alarms;
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
                     - id: pe-6.1_obj-2
                       name: assessment-objective
                       props:
@@ -70392,6 +76358,12 @@ catalog:
                           value: PE-06(01)[02]
                           class: sp800-53a
                       prose: physical access to the facility where the system resides is monitored using physical surveillance equipment.
+                      links:
+                        - href: '#pe-6.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6.1_smt'
+                      rel: assessment-for
                 - id: pe-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -70531,6 +76503,9 @@ catalog:
                           value: PE-06(02)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-06.02_odp.01 }} are recognized;'
+                      links:
+                        - href: '#pe-6.2_smt'
+                          rel: assessment-for
                     - id: pe-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -70538,6 +76513,12 @@ catalog:
                           value: PE-06(02)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-06.02_odp.02 }} are initiated using {{ insert: param, pe-06.02_odp.03 }}.'
+                      links:
+                        - href: '#pe-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6.2_smt'
+                      rel: assessment-for
                 - id: pe-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -70689,6 +76670,9 @@ catalog:
                           value: PE-06(03)(a)
                           class: sp800-53a
                       prose: 'video surveillance of {{ insert: param, pe-06.03_odp.01 }} is employed;'
+                      links:
+                        - href: '#pe-6.3_smt.a'
+                          rel: assessment-for
                     - id: pe-6.3_obj.b
                       name: assessment-objective
                       props:
@@ -70696,6 +76680,9 @@ catalog:
                           value: PE-06(03)(b)
                           class: sp800-53a
                       prose: 'video recordings are reviewed {{ insert: param, pe-06.03_odp.02 }};'
+                      links:
+                        - href: '#pe-6.3_smt.b'
+                          rel: assessment-for
                     - id: pe-6.3_obj.c
                       name: assessment-objective
                       props:
@@ -70703,6 +76690,12 @@ catalog:
                           value: PE-06(03)(c)
                           class: sp800-53a
                       prose: 'video recordings are retained for {{ insert: param, pe-06.03_odp.03 }}.'
+                      links:
+                        - href: '#pe-6.3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-6.3_smt'
+                      rel: assessment-for
                 - id: pe-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -70814,6 +76807,9 @@ catalog:
                       value: PE-06(04)
                       class: sp800-53a
                   prose: 'physical access to the system is monitored in addition to the physical access monitoring of the facility at {{ insert: param, pe-06.04_odp }}.'
+                  links:
+                    - href: '#pe-6.4_smt'
+                      rel: assessment-for
                 - id: pe-6.4_asm-examine
                   name: assessment-method
                   props:
@@ -70991,6 +76987,9 @@ catalog:
                       value: PE-08a.
                       class: sp800-53a
                   prose: 'visitor access records for the facility where the system resides are maintained for {{ insert: param, pe-08_odp.01 }};'
+                  links:
+                    - href: '#pe-8_smt.a'
+                      rel: assessment-for
                 - id: pe-8_obj.b
                   name: assessment-objective
                   props:
@@ -70998,6 +76997,9 @@ catalog:
                       value: PE-08b.
                       class: sp800-53a
                   prose: 'visitor access records are reviewed {{ insert: param, pe-08_odp.02 }};'
+                  links:
+                    - href: '#pe-8_smt.b'
+                      rel: assessment-for
                 - id: pe-8_obj.c
                   name: assessment-objective
                   props:
@@ -71005,6 +77007,12 @@ catalog:
                       value: PE-08c.
                       class: sp800-53a
                   prose: 'visitor access records anomalies are reported to {{ insert: param, pe-08_odp.03 }}.'
+                  links:
+                    - href: '#pe-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-8_smt'
+                  rel: assessment-for
             - id: pe-8_asm-examine
               name: assessment-method
               props:
@@ -71129,6 +77137,9 @@ catalog:
                           value: PE-08(01)[01]
                           class: sp800-53a
                       prose: 'visitor access records are maintained using {{ insert: param, pe-08.01_odp.01 }};'
+                      links:
+                        - href: '#pe-8.1_smt'
+                          rel: assessment-for
                     - id: pe-8.1_obj-2
                       name: assessment-objective
                       props:
@@ -71136,6 +77147,12 @@ catalog:
                           value: PE-08(01)[02]
                           class: sp800-53a
                       prose: 'visitor access records are reviewed using {{ insert: param, pe-08.01_odp.02 }}.'
+                      links:
+                        - href: '#pe-8.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-8.1_smt'
+                      rel: assessment-for
                 - id: pe-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -71253,6 +77270,9 @@ catalog:
                       value: PE-08(03)
                       class: sp800-53a
                   prose: 'personally identifiable information contained in visitor access records is limited to {{ insert: param, pe-08.03_odp }} identified in the privacy risk assessment.'
+                  links:
+                    - href: '#pe-8.3_smt'
+                      rel: assessment-for
                 - id: pe-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -71347,6 +77367,9 @@ catalog:
                       value: PE-09[01]
                       class: sp800-53a
                   prose: power equipment for the system is protected from damage and destruction;
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
                 - id: pe-9_obj-2
                   name: assessment-objective
                   props:
@@ -71354,6 +77377,12 @@ catalog:
                       value: PE-09[02]
                       class: sp800-53a
                   prose: power cabling for the system is protected from damage and destruction.
+                  links:
+                    - href: '#pe-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-9_smt'
+                  rel: assessment-for
             - id: pe-9_asm-examine
               name: assessment-method
               props:
@@ -71445,6 +77474,9 @@ catalog:
                       value: PE-09(01)
                       class: sp800-53a
                   prose: 'redundant power cabling paths that are physically separated by {{ insert: param, pe-09.01_odp }} are employed.'
+                  links:
+                    - href: '#pe-9.1_smt'
+                      rel: assessment-for
                 - id: pe-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -71535,6 +77567,9 @@ catalog:
                       value: PE-09(02)
                       class: sp800-53a
                   prose: 'automatic voltage controls for {{ insert: param, pe-09.02_odp }} are employed.'
+                  links:
+                    - href: '#pe-9.2_smt'
+                      rel: assessment-for
                 - id: pe-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -71667,6 +77702,9 @@ catalog:
                       value: PE-10a.
                       class: sp800-53a
                   prose: 'the capability to shut off power to {{ insert: param, pe-10_odp.01 }} in emergency situations is provided;'
+                  links:
+                    - href: '#pe-10_smt.a'
+                      rel: assessment-for
                 - id: pe-10_obj.b
                   name: assessment-objective
                   props:
@@ -71674,6 +77712,9 @@ catalog:
                       value: PE-10b.
                       class: sp800-53a
                   prose: 'emergency shutoff switches or devices are placed in {{ insert: param, pe-10_odp.02 }} to facilitate access for authorized personnel;'
+                  links:
+                    - href: '#pe-10_smt.b'
+                      rel: assessment-for
                 - id: pe-10_obj.c
                   name: assessment-objective
                   props:
@@ -71681,6 +77722,12 @@ catalog:
                       value: PE-10c.
                       class: sp800-53a
                   prose: the emergency power shutoff capability is protected from unauthorized activation.
+                  links:
+                    - href: '#pe-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pe-10_smt'
+                  rel: assessment-for
             - id: pe-10_asm-examine
               name: assessment-method
               props:
@@ -71797,6 +77844,9 @@ catalog:
                   value: PE-11
                   class: sp800-53a
               prose: 'an uninterruptible power supply is provided to facilitate {{ insert: param, pe-11_odp }} in the event of a primary power source loss.'
+              links:
+                - href: '#pe-11_smt'
+                  rel: assessment-for
             - id: pe-11_asm-examine
               name: assessment-method
               props:
@@ -71903,6 +77953,9 @@ catalog:
                           value: PE-11(01)[01]
                           class: sp800-53a
                       prose: 'an alternate power supply provided for the system is activated {{ insert: param, pe-11.01_odp }};'
+                      links:
+                        - href: '#pe-11.1_smt'
+                          rel: assessment-for
                     - id: pe-11.1_obj-2
                       name: assessment-objective
                       props:
@@ -71910,6 +77963,12 @@ catalog:
                           value: PE-11(01)[02]
                           class: sp800-53a
                       prose: the alternate power supply provided for the system can maintain minimally required operational capability in the event of an extended loss of the primary power source.
+                      links:
+                        - href: '#pe-11.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-11.1_smt'
+                      rel: assessment-for
                 - id: pe-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -72046,6 +78105,9 @@ catalog:
                           value: PE-11(02)(a)
                           class: sp800-53a
                       prose: the alternate power supply provided for the system is self-contained;
+                      links:
+                        - href: '#pe-11.2_smt.a'
+                          rel: assessment-for
                     - id: pe-11.2_obj.b
                       name: assessment-objective
                       props:
@@ -72053,6 +78115,9 @@ catalog:
                           value: PE-11(02)(b)
                           class: sp800-53a
                       prose: the alternate power supply provided for the system is not reliant on external power generation;
+                      links:
+                        - href: '#pe-11.2_smt.b'
+                          rel: assessment-for
                     - id: pe-11.2_obj.c
                       name: assessment-objective
                       props:
@@ -72060,6 +78125,12 @@ catalog:
                           value: PE-11(02)(c)
                           class: sp800-53a
                       prose: 'the alternate power supply provided for the system is capable of maintaining {{ insert: param, pe-11.02_odp.02 }} in the event of an extended loss of the primary power source.'
+                      links:
+                        - href: '#pe-11.2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-11.2_smt'
+                      rel: assessment-for
                 - id: pe-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -72155,6 +78226,9 @@ catalog:
                       value: PE-12[01]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-2
                   name: assessment-objective
                   props:
@@ -72162,6 +78236,9 @@ catalog:
                       value: PE-12[02]
                       class: sp800-53a
                   prose: automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-3
                   name: assessment-objective
                   props:
@@ -72169,6 +78246,9 @@ catalog:
                       value: PE-12[03]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers emergency exits within the facility;
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
                 - id: pe-12_obj-4
                   name: assessment-objective
                   props:
@@ -72176,6 +78256,12 @@ catalog:
                       value: PE-12[04]
                       class: sp800-53a
                   prose: automatic emergency lighting for the system covers evacuation routes within the facility.
+                  links:
+                    - href: '#pe-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-12_smt'
+                  rel: assessment-for
             - id: pe-12_asm-examine
               name: assessment-method
               props:
@@ -72260,6 +78346,9 @@ catalog:
                       value: PE-12(01)
                       class: sp800-53a
                   prose: emergency lighting is provided for all areas within the facility supporting essential mission and business functions.
+                  links:
+                    - href: '#pe-12.1_smt'
+                      rel: assessment-for
                 - id: pe-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -72352,6 +78441,9 @@ catalog:
                       value: PE-13[01]
                       class: sp800-53a
                   prose: fire detection systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-2
                   name: assessment-objective
                   props:
@@ -72359,6 +78451,9 @@ catalog:
                       value: PE-13[02]
                       class: sp800-53a
                   prose: employed fire detection systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-3
                   name: assessment-objective
                   props:
@@ -72366,6 +78461,9 @@ catalog:
                       value: PE-13[03]
                       class: sp800-53a
                   prose: employed fire detection systems are maintained;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-4
                   name: assessment-objective
                   props:
@@ -72373,6 +78471,9 @@ catalog:
                       value: PE-13[04]
                       class: sp800-53a
                   prose: fire suppression systems are employed;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-5
                   name: assessment-objective
                   props:
@@ -72380,6 +78481,9 @@ catalog:
                       value: PE-13[05]
                       class: sp800-53a
                   prose: employed fire suppression systems are supported by an independent energy source;
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
                 - id: pe-13_obj-6
                   name: assessment-objective
                   props:
@@ -72387,6 +78491,12 @@ catalog:
                       value: PE-13[06]
                       class: sp800-53a
                   prose: employed fire suppression systems are maintained.
+                  links:
+                    - href: '#pe-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-13_smt'
+                  rel: assessment-for
             - id: pe-13_asm-examine
               name: assessment-method
               props:
@@ -72499,6 +78609,9 @@ catalog:
                           value: PE-13(01)[01]
                           class: sp800-53a
                       prose: fire detection systems that activate automatically are employed in the event of a fire;
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-2
                       name: assessment-objective
                       props:
@@ -72506,6 +78619,9 @@ catalog:
                           value: PE-13(01)[02]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.01 }} automatically are employed in the event of a fire;'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
                     - id: pe-13.1_obj-3
                       name: assessment-objective
                       props:
@@ -72513,6 +78629,12 @@ catalog:
                           value: PE-13(01)[03]
                           class: sp800-53a
                       prose: 'fire detection systems that notify {{ insert: param, pe-13.01_odp.02 }} automatically are employed in the event of a fire.'
+                      links:
+                        - href: '#pe-13.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.1_smt'
+                      rel: assessment-for
                 - id: pe-13.1_asm-examine
                   name: assessment-method
                   props:
@@ -72654,6 +78776,9 @@ catalog:
                               value: PE-13(02)(a)[01]
                               class: sp800-53a
                           prose: fire suppression systems that activate automatically are employed;
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
                         - id: pe-13.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -72661,6 +78786,9 @@ catalog:
                               value: PE-13(02)(a)[02]
                               class: sp800-53a
                           prose: 'fire suppression systems that notify {{ insert: param, pe-13.02_odp.01 }} automatically are employed;'
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
                         - id: pe-13.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -72668,6 +78796,12 @@ catalog:
                               value: PE-13(02)(a)[03]
                               class: sp800-53a
                           prose: 'fire suppression systems that notify {{ insert: param, pe-13.02_odp.02 }} automatically are employed;'
+                          links:
+                            - href: '#pe-13.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pe-13.2_smt.a'
+                          rel: assessment-for
                     - id: pe-13.2_obj.b
                       name: assessment-objective
                       props:
@@ -72675,6 +78809,12 @@ catalog:
                           value: PE-13(02)(b)
                           class: sp800-53a
                       prose: an automatic fire suppression capability is employed when the facility is not staffed on a continuous basis.
+                      links:
+                        - href: '#pe-13.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.2_smt'
+                      rel: assessment-for
                 - id: pe-13.2_asm-examine
                   name: assessment-method
                   props:
@@ -72811,6 +78951,9 @@ catalog:
                           value: PE-13(04)[01]
                           class: sp800-53a
                       prose: 'the facility undergoes fire protection inspections {{ insert: param, pe-13.04_odp.01 }} by authorized and qualified inspectors;'
+                      links:
+                        - href: '#pe-13.4_smt'
+                          rel: assessment-for
                     - id: pe-13.4_obj-2
                       name: assessment-objective
                       props:
@@ -72818,6 +78961,12 @@ catalog:
                           value: PE-13(04)[02]
                           class: sp800-53a
                       prose: 'the identified deficiencies from fire protection inspections are resolved within {{ insert: param, pe-13.04_odp.02 }}.'
+                      links:
+                        - href: '#pe-13.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-13.4_smt'
+                      rel: assessment-for
                 - id: pe-13.4_asm-examine
                   name: assessment-method
                   props:
@@ -72960,6 +79109,9 @@ catalog:
                       value: PE-14a.
                       class: sp800-53a
                   prose: '{{ insert: param, pe-14_odp.01 }} levels are maintained at {{ insert: param, pe-14_odp.03 }} within the facility where the system resides;'
+                  links:
+                    - href: '#pe-14_smt.a'
+                      rel: assessment-for
                 - id: pe-14_obj.b
                   name: assessment-objective
                   props:
@@ -72967,6 +79119,12 @@ catalog:
                       value: PE-14b.
                       class: sp800-53a
                   prose: 'environmental control levels are monitored {{ insert: param, pe-14_odp.04 }}.'
+                  links:
+                    - href: '#pe-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-14_smt'
+                  rel: assessment-for
             - id: pe-14_asm-examine
               name: assessment-method
               props:
@@ -73064,6 +79222,9 @@ catalog:
                       value: PE-14(01)
                       class: sp800-53a
                   prose: '{{ insert: param, pe-14.01_odp }} are employed in the facility to prevent fluctuations that are potentially harmful to the system.'
+                  links:
+                    - href: '#pe-14.1_smt'
+                      rel: assessment-for
                 - id: pe-14.1_asm-examine
                   name: assessment-method
                   props:
@@ -73167,6 +79328,9 @@ catalog:
                           value: PE-14(02)[01]
                           class: sp800-53a
                       prose: environmental control monitoring is employed;
+                      links:
+                        - href: '#pe-14.2_smt'
+                          rel: assessment-for
                     - id: pe-14.2_obj-2
                       name: assessment-objective
                       props:
@@ -73174,6 +79338,12 @@ catalog:
                           value: PE-14(02)[02]
                           class: sp800-53a
                       prose: 'the environmental control monitoring capability provides an alarm or notification to {{ insert: param, pe-14.02_odp }} when changes are potentially harmful to personnel or equipment.'
+                      links:
+                        - href: '#pe-14.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-14.2_smt'
+                      rel: assessment-for
                 - id: pe-14.2_asm-examine
                   name: assessment-method
                   props:
@@ -73266,6 +79436,9 @@ catalog:
                       value: PE-15[01]
                       class: sp800-53a
                   prose: the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-2
                   name: assessment-objective
                   props:
@@ -73273,6 +79446,9 @@ catalog:
                       value: PE-15[02]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are accessible;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-3
                   name: assessment-objective
                   props:
@@ -73280,6 +79456,9 @@ catalog:
                       value: PE-15[03]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are working properly;
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
                 - id: pe-15_obj-4
                   name: assessment-objective
                   props:
@@ -73287,6 +79466,12 @@ catalog:
                       value: PE-15[04]
                       class: sp800-53a
                   prose: the master shutoff or isolation valves are known to key personnel.
+                  links:
+                    - href: '#pe-15_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pe-15_smt'
+                  rel: assessment-for
             - id: pe-15_asm-examine
               name: assessment-method
               props:
@@ -73404,6 +79589,9 @@ catalog:
                           value: PE-15(01)[01]
                           class: sp800-53a
                       prose: the presence of water near the system can be detected automatically;
+                      links:
+                        - href: '#pe-15.1_smt'
+                          rel: assessment-for
                     - id: pe-15.1_obj-2
                       name: assessment-objective
                       props:
@@ -73411,6 +79599,12 @@ catalog:
                           value: PE-15(01)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-15.01_odp.01 }} is/are alerted using {{ insert: param, pe-15.01_odp.02 }}.'
+                      links:
+                        - href: '#pe-15.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-15.1_smt'
+                      rel: assessment-for
                 - id: pe-15.1_asm-examine
                   name: assessment-method
                   props:
@@ -73566,6 +79760,9 @@ catalog:
                           value: PE-16a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-16_odp.01 }} are authorized when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-2
                       name: assessment-objective
                       props:
@@ -73573,6 +79770,9 @@ catalog:
                           value: PE-16a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-16_odp.01 }} are controlled when entering the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-3
                       name: assessment-objective
                       props:
@@ -73580,6 +79780,9 @@ catalog:
                           value: PE-16a.[03]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-16_odp.02 }} are authorized when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
                     - id: pe-16_obj.a-4
                       name: assessment-objective
                       props:
@@ -73587,6 +79790,12 @@ catalog:
                           value: PE-16a.[04]
                           class: sp800-53a
                       prose: '{{ insert: param, pe-16_odp.02 }} are controlled when exiting the facility;'
+                      links:
+                        - href: '#pe-16_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-16_smt.a'
+                      rel: assessment-for
                 - id: pe-16_obj.b
                   name: assessment-objective
                   props:
@@ -73594,6 +79803,12 @@ catalog:
                       value: PE-16b.
                       class: sp800-53a
                   prose: records of the system components are maintained.
+                  links:
+                    - href: '#pe-16_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-16_smt'
+                  rel: assessment-for
             - id: pe-16_asm-examine
               name: assessment-method
               props:
@@ -73736,6 +79951,9 @@ catalog:
                       value: PE-17a.
                       class: sp800-53a
                   prose: '{{ insert: param, pe-17_odp.01 }} are determined and documented;'
+                  links:
+                    - href: '#pe-17_smt.a'
+                      rel: assessment-for
                 - id: pe-17_obj.b
                   name: assessment-objective
                   props:
@@ -73743,6 +79961,9 @@ catalog:
                       value: PE-17b.
                       class: sp800-53a
                   prose: '{{ insert: param, pe-17_odp.02 }} are employed at alternate work sites;'
+                  links:
+                    - href: '#pe-17_smt.b'
+                      rel: assessment-for
                 - id: pe-17_obj.c
                   name: assessment-objective
                   props:
@@ -73750,6 +79971,9 @@ catalog:
                       value: PE-17c.
                       class: sp800-53a
                   prose: the effectiveness of controls at alternate work sites is assessed;
+                  links:
+                    - href: '#pe-17_smt.c'
+                      rel: assessment-for
                 - id: pe-17_obj.d
                   name: assessment-objective
                   props:
@@ -73757,6 +79981,12 @@ catalog:
                       value: PE-17d.
                       class: sp800-53a
                   prose: a means for employees to communicate with information security and privacy personnel in case of incidents is provided.
+                  links:
+                    - href: '#pe-17_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pe-17_smt'
+                  rel: assessment-for
             - id: pe-17_asm-examine
               name: assessment-method
               props:
@@ -73870,6 +80100,9 @@ catalog:
                   value: PE-18
                   class: sp800-53a
               prose: 'system components are positioned within the facility to minimize potential damage from {{ insert: param, pe-18_odp }} and to minimize the opportunity for unauthorized access.'
+              links:
+                - href: '#pe-18_smt'
+                  rel: assessment-for
             - id: pe-18_asm-examine
               name: assessment-method
               props:
@@ -73976,6 +80209,9 @@ catalog:
                   value: PE-19
                   class: sp800-53a
               prose: the system is protected from information leakage due to electromagnetic signal emanations.
+              links:
+                - href: '#pe-19_smt'
+                  rel: assessment-for
             - id: pe-19_asm-examine
               name: assessment-method
               props:
@@ -74067,6 +80303,9 @@ catalog:
                           value: PE-19(01)[01]
                           class: sp800-53a
                       prose: system components are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
+                      links:
+                        - href: '#pe-19.1_smt'
+                          rel: assessment-for
                     - id: pe-19.1_obj-2
                       name: assessment-objective
                       props:
@@ -74074,6 +80313,9 @@ catalog:
                           value: PE-19(01)[02]
                           class: sp800-53a
                       prose: associated data communications are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information;
+                      links:
+                        - href: '#pe-19.1_smt'
+                          rel: assessment-for
                     - id: pe-19.1_obj-3
                       name: assessment-objective
                       props:
@@ -74081,6 +80323,12 @@ catalog:
                           value: PE-19(01)[03]
                           class: sp800-53a
                       prose: networks are protected in accordance with national emissions security policies and procedures based on the security category or classification of the information.
+                      links:
+                        - href: '#pe-19.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pe-19.1_smt'
+                      rel: assessment-for
                 - id: pe-19.1_asm-examine
                   name: assessment-method
                   props:
@@ -74195,6 +80443,9 @@ catalog:
                   value: PE-20
                   class: sp800-53a
               prose: '{{ insert: param, pe-20_odp.01 }} are employed to track and monitor the location and movement of {{ insert: param, pe-20_odp.02 }} within {{ insert: param, pe-20_odp.03 }}.'
+              links:
+                - href: '#pe-20_smt'
+                  rel: assessment-for
             - id: pe-20_asm-examine
               name: assessment-method
               props:
@@ -74313,6 +80564,9 @@ catalog:
                   value: PE-21
                   class: sp800-53a
               prose: '{{ insert: param, pe-21_odp.01 }} are employed against electromagnetic pulse damage for {{ insert: param, pe-21_odp.02 }}.'
+              links:
+                - href: '#pe-21_smt'
+                  rel: assessment-for
             - id: pe-21_asm-examine
               name: assessment-method
               props:
@@ -74415,6 +80669,9 @@ catalog:
                   value: PE-22
                   class: sp800-53a
               prose: '{{ insert: param, pe-22_odp }} are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.'
+              links:
+                - href: '#pe-22_smt'
+                  rel: assessment-for
             - id: pe-22_asm-examine
               name: assessment-method
               props:
@@ -74534,6 +80791,9 @@ catalog:
                       value: PE-23a.
                       class: sp800-53a
                   prose: the location or site of the facility where the system resides is planned considering physical and environmental hazards;
+                  links:
+                    - href: '#pe-23_smt.a'
+                      rel: assessment-for
                 - id: pe-23_obj.b
                   name: assessment-objective
                   props:
@@ -74541,6 +80801,12 @@ catalog:
                       value: PE-23b.
                       class: sp800-53a
                   prose: for existing facilities, physical and environmental hazards are considered in the organizational risk management strategy.
+                  links:
+                    - href: '#pe-23_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pe-23_smt'
+                  rel: assessment-for
             - id: pe-23_asm-examine
               name: assessment-method
               props:
@@ -74809,6 +81075,9 @@ catalog:
                           value: PL-01a.[01]
                           class: sp800-53a
                       prose: a planning policy is developed and documented.
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -74816,6 +81085,9 @@ catalog:
                           value: PL-01a.[02]
                           class: sp800-53a
                       prose: 'the planning policy is disseminated to {{ insert: param, pl-01_odp.01 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -74823,6 +81095,9 @@ catalog:
                           value: PL-01a.[03]
                           class: sp800-53a
                       prose: planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -74830,6 +81105,9 @@ catalog:
                           value: PL-01a.[04]
                           class: sp800-53a
                       prose: 'the planning procedures are disseminated to {{ insert: param, pl-01_odp.02 }};'
+                      links:
+                        - href: '#pl-1_smt.a'
+                          rel: assessment-for
                     - id: pl-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -74851,6 +81129,9 @@ catalog:
                                   value: PL-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses purpose;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -74858,6 +81139,9 @@ catalog:
                                   value: PL-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses scope;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -74865,6 +81149,9 @@ catalog:
                                   value: PL-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses roles;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -74872,6 +81159,9 @@ catalog:
                                   value: PL-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses responsibilities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -74879,6 +81169,9 @@ catalog:
                                   value: PL-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses management commitment;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -74886,6 +81179,9 @@ catalog:
                                   value: PL-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pl-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -74893,6 +81189,12 @@ catalog:
                                   value: PL-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy addresses compliance;'
+                              links:
+                                - href: '#pl-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pl-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pl-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -74900,6 +81202,15 @@ catalog:
                               value: PL-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pl-01_odp.03 }} planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pl-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.a'
+                      rel: assessment-for
                 - id: pl-1_obj.b
                   name: assessment-objective
                   props:
@@ -74907,6 +81218,9 @@ catalog:
                       value: PL-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pl-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the planning policy and procedures;'
+                  links:
+                    - href: '#pl-1_smt.b'
+                      rel: assessment-for
                 - id: pl-1_obj.c
                   name: assessment-objective
                   props:
@@ -74928,6 +81242,9 @@ catalog:
                               value: PL-01c.01[01]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated {{ insert: param, pl-01_odp.05 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
                         - id: pl-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -74935,6 +81252,12 @@ catalog:
                               value: PL-01c.01[02]
                               class: sp800-53a
                           prose: 'the current planning policy is reviewed and updated following {{ insert: param, pl-01_odp.06 }};'
+                          links:
+                            - href: '#pl-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.1'
+                          rel: assessment-for
                     - id: pl-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -74949,6 +81272,9 @@ catalog:
                               value: PL-01c.02[01]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated {{ insert: param, pl-01_odp.07 }};'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
                         - id: pl-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -74956,6 +81282,18 @@ catalog:
                               value: PL-01c.02[02]
                               class: sp800-53a
                           prose: 'the current planning procedures are reviewed and updated following {{ insert: param, pl-01_odp.08 }}.'
+                          links:
+                            - href: '#pl-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-1_smt'
+                  rel: assessment-for
             - id: pl-1_asm-examine
               name: assessment-method
               props:
@@ -75286,6 +81624,9 @@ catalog:
                               value: PL-02a.01[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
                         - id: pl-2_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -75293,6 +81634,12 @@ catalog:
                               value: PL-02a.01[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is consistent with the organization’s enterprise architecture;
+                          links:
+                            - href: '#pl-2_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.1'
+                          rel: assessment-for
                     - id: pl-2_obj.a.2
                       name: assessment-objective
                       props:
@@ -75307,6 +81654,9 @@ catalog:
                               value: PL-02a.02[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
                         - id: pl-2_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -75314,6 +81664,12 @@ catalog:
                               value: PL-02a.02[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that explicitly defines the constituent system components;
+                          links:
+                            - href: '#pl-2_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.2'
+                          rel: assessment-for
                     - id: pl-2_obj.a.3
                       name: assessment-objective
                       props:
@@ -75328,6 +81684,9 @@ catalog:
                               value: PL-02a.03[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
                         - id: pl-2_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -75335,6 +81694,12 @@ catalog:
                               value: PL-02a.03[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;
+                          links:
+                            - href: '#pl-2_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.3'
+                          rel: assessment-for
                     - id: pl-2_obj.a.4
                       name: assessment-objective
                       props:
@@ -75349,6 +81714,9 @@ catalog:
                               value: PL-02a.04[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
                         - id: pl-2_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -75356,6 +81724,12 @@ catalog:
                               value: PL-02a.04[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;
+                          links:
+                            - href: '#pl-2_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.4'
+                          rel: assessment-for
                     - id: pl-2_obj.a.5
                       name: assessment-objective
                       props:
@@ -75370,6 +81744,9 @@ catalog:
                               value: PL-02a.05[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
                         - id: pl-2_obj.a.5-2
                           name: assessment-objective
                           props:
@@ -75377,6 +81754,12 @@ catalog:
                               value: PL-02a.05[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;
+                          links:
+                            - href: '#pl-2_smt.a.5'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.5'
+                          rel: assessment-for
                     - id: pl-2_obj.a.6
                       name: assessment-objective
                       props:
@@ -75391,6 +81774,9 @@ catalog:
                               value: PL-02a.06[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
                         - id: pl-2_obj.a.6-2
                           name: assessment-objective
                           props:
@@ -75398,6 +81784,12 @@ catalog:
                               value: PL-02a.06[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;
+                          links:
+                            - href: '#pl-2_smt.a.6'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.6'
+                          rel: assessment-for
                     - id: pl-2_obj.a.7
                       name: assessment-objective
                       props:
@@ -75412,6 +81804,9 @@ catalog:
                               value: PL-02a.07[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
                         - id: pl-2_obj.a.7-2
                           name: assessment-objective
                           props:
@@ -75419,6 +81814,12 @@ catalog:
                               value: PL-02a.07[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;
+                          links:
+                            - href: '#pl-2_smt.a.7'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.7'
+                          rel: assessment-for
                     - id: pl-2_obj.a.8
                       name: assessment-objective
                       props:
@@ -75433,6 +81834,9 @@ catalog:
                               value: PL-02a.08[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
                         - id: pl-2_obj.a.8-2
                           name: assessment-objective
                           props:
@@ -75440,6 +81844,12 @@ catalog:
                               value: PL-02a.08[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;
+                          links:
+                            - href: '#pl-2_smt.a.8'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.8'
+                          rel: assessment-for
                     - id: pl-2_obj.a.9
                       name: assessment-objective
                       props:
@@ -75454,6 +81864,9 @@ catalog:
                               value: PL-02a.09[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
                         - id: pl-2_obj.a.9-2
                           name: assessment-objective
                           props:
@@ -75461,6 +81874,12 @@ catalog:
                               value: PL-02a.09[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;
+                          links:
+                            - href: '#pl-2_smt.a.9'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.9'
+                          rel: assessment-for
                     - id: pl-2_obj.a.10
                       name: assessment-objective
                       props:
@@ -75475,6 +81894,9 @@ catalog:
                               value: PL-02a.10[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that provides an overview of the security requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
                         - id: pl-2_obj.a.10-2
                           name: assessment-objective
                           props:
@@ -75482,6 +81904,12 @@ catalog:
                               value: PL-02a.10[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;
+                          links:
+                            - href: '#pl-2_smt.a.10'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.10'
+                          rel: assessment-for
                     - id: pl-2_obj.a.11
                       name: assessment-objective
                       props:
@@ -75496,6 +81924,9 @@ catalog:
                               value: PL-02a.11[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
                         - id: pl-2_obj.a.11-2
                           name: assessment-objective
                           props:
@@ -75503,6 +81934,12 @@ catalog:
                               value: PL-02a.11[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;
+                          links:
+                            - href: '#pl-2_smt.a.11'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.11'
+                          rel: assessment-for
                     - id: pl-2_obj.a.12
                       name: assessment-objective
                       props:
@@ -75517,6 +81954,9 @@ catalog:
                               value: PL-02a.12[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
                         - id: pl-2_obj.a.12-2
                           name: assessment-objective
                           props:
@@ -75524,6 +81964,12 @@ catalog:
                               value: PL-02a.12[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;
+                          links:
+                            - href: '#pl-2_smt.a.12'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.12'
+                          rel: assessment-for
                     - id: pl-2_obj.a.13
                       name: assessment-objective
                       props:
@@ -75538,6 +81984,9 @@ catalog:
                               value: PL-02a.13[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that includes risk determinations for security architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
                         - id: pl-2_obj.a.13-2
                           name: assessment-objective
                           props:
@@ -75545,6 +81994,12 @@ catalog:
                               value: PL-02a.13[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;
+                          links:
+                            - href: '#pl-2_smt.a.13'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.13'
+                          rel: assessment-for
                     - id: pl-2_obj.a.14
                       name: assessment-objective
                       props:
@@ -75559,6 +82014,9 @@ catalog:
                               value: PL-02a.14[01]
                               class: sp800-53a
                           prose: 'a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
                         - id: pl-2_obj.a.14-2
                           name: assessment-objective
                           props:
@@ -75566,6 +82024,12 @@ catalog:
                               value: PL-02a.14[02]
                               class: sp800-53a
                           prose: 'a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with {{ insert: param, pl-02_odp.01 }};'
+                          links:
+                            - href: '#pl-2_smt.a.14'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.14'
+                          rel: assessment-for
                     - id: pl-2_obj.a.15
                       name: assessment-objective
                       props:
@@ -75580,6 +82044,9 @@ catalog:
                               value: PL-02a.15[01]
                               class: sp800-53a
                           prose: a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
                         - id: pl-2_obj.a.15-2
                           name: assessment-objective
                           props:
@@ -75587,6 +82054,15 @@ catalog:
                               value: PL-02a.15[02]
                               class: sp800-53a
                           prose: a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.
+                          links:
+                            - href: '#pl-2_smt.a.15'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-2_smt.a.15'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.a'
+                      rel: assessment-for
                 - id: pl-2_obj.b
                   name: assessment-objective
                   props:
@@ -75601,6 +82077,9 @@ catalog:
                           value: PL-02b.[01]
                           class: sp800-53a
                       prose: 'copies of the plans are distributed to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
                     - id: pl-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -75608,6 +82087,12 @@ catalog:
                           value: PL-02b.[02]
                           class: sp800-53a
                       prose: 'subsequent changes to the plans are communicated to {{ insert: param, pl-02_odp.02 }};'
+                      links:
+                        - href: '#pl-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.b'
+                      rel: assessment-for
                 - id: pl-2_obj.c
                   name: assessment-objective
                   props:
@@ -75615,6 +82100,9 @@ catalog:
                       value: PL-02c.
                       class: sp800-53a
                   prose: 'plans are reviewed {{ insert: param, pl-02_odp.03 }};'
+                  links:
+                    - href: '#pl-2_smt.c'
+                      rel: assessment-for
                 - id: pl-2_obj.d
                   name: assessment-objective
                   props:
@@ -75629,6 +82117,9 @@ catalog:
                           value: PL-02d.[01]
                           class: sp800-53a
                       prose: plans are updated to address changes to the system and environment of operations;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-2
                       name: assessment-objective
                       props:
@@ -75636,6 +82127,9 @@ catalog:
                           value: PL-02d.[02]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during the plan implementation;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
                     - id: pl-2_obj.d-3
                       name: assessment-objective
                       props:
@@ -75643,6 +82137,12 @@ catalog:
                           value: PL-02d.[03]
                           class: sp800-53a
                       prose: plans are updated to address problems identified during control assessments;
+                      links:
+                        - href: '#pl-2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.d'
+                      rel: assessment-for
                 - id: pl-2_obj.e
                   name: assessment-objective
                   props:
@@ -75657,6 +82157,9 @@ catalog:
                           value: PL-02e.[01]
                           class: sp800-53a
                       prose: plans are protected from unauthorized disclosure;
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
                     - id: pl-2_obj.e-2
                       name: assessment-objective
                       props:
@@ -75664,6 +82167,15 @@ catalog:
                           value: PL-02e.[02]
                           class: sp800-53a
                       prose: plans are protected from unauthorized modification.
+                      links:
+                        - href: '#pl-2_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-2_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pl-2_smt'
+                  rel: assessment-for
             - id: pl-2_asm-examine
               name: assessment-method
               props:
@@ -75941,6 +82453,9 @@ catalog:
                           value: PL-04a.[01]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
                     - id: pl-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -75948,6 +82463,12 @@ catalog:
                           value: PL-04a.[02]
                           class: sp800-53a
                       prose: rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;
+                      links:
+                        - href: '#pl-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4_smt.a'
+                      rel: assessment-for
                 - id: pl-4_obj.b
                   name: assessment-objective
                   props:
@@ -75955,6 +82476,9 @@ catalog:
                       value: PL-04b.
                       class: sp800-53a
                   prose: before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;
+                  links:
+                    - href: '#pl-4_smt.b'
+                      rel: assessment-for
                 - id: pl-4_obj.c
                   name: assessment-objective
                   props:
@@ -75962,6 +82486,9 @@ catalog:
                       value: PL-04c.
                       class: sp800-53a
                   prose: 'rules of behavior are reviewed and updated {{ insert: param, pl-04_odp.01 }};'
+                  links:
+                    - href: '#pl-4_smt.c'
+                      rel: assessment-for
                 - id: pl-4_obj.d
                   name: assessment-objective
                   props:
@@ -75969,6 +82496,12 @@ catalog:
                       value: PL-04d.
                       class: sp800-53a
                   prose: 'individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge {{ insert: param, pl-04_odp.02 }}.'
+                  links:
+                    - href: '#pl-4_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pl-4_smt'
+                  rel: assessment-for
             - id: pl-4_asm-examine
               name: assessment-method
               props:
@@ -76091,6 +82624,9 @@ catalog:
                           value: PL-04(01)(a)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;
+                      links:
+                        - href: '#pl-4.1_smt.a'
+                          rel: assessment-for
                     - id: pl-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -76098,6 +82634,9 @@ catalog:
                           value: PL-04(01)(b)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on posting organizational information on public websites;
+                      links:
+                        - href: '#pl-4.1_smt.b'
+                          rel: assessment-for
                     - id: pl-4.1_obj.c
                       name: assessment-objective
                       props:
@@ -76105,6 +82644,12 @@ catalog:
                           value: PL-04(01)(c)
                           class: sp800-53a
                       prose: the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
+                      links:
+                        - href: '#pl-4.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-4.1_smt'
+                      rel: assessment-for
                 - id: pl-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -76259,6 +82804,9 @@ catalog:
                       value: PL-07a.
                       class: sp800-53a
                   prose: a CONOPS for the system describing how the organization intends to operate the system from the perspective of information security and privacy is developed;
+                  links:
+                    - href: '#pl-7_smt.a'
+                      rel: assessment-for
                 - id: pl-7_obj.b
                   name: assessment-objective
                   props:
@@ -76266,6 +82814,12 @@ catalog:
                       value: PL-07b.
                       class: sp800-53a
                   prose: 'the CONOPS is reviewed and updated {{ insert: param, pl-07_odp }}.'
+                  links:
+                    - href: '#pl-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pl-7_smt'
+                  rel: assessment-for
             - id: pl-7_asm-examine
               name: assessment-method
               props:
@@ -76462,6 +83016,9 @@ catalog:
                           value: PL-08a.01
                           class: sp800-53a
                       prose: a security architecture for the system describes the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
+                      links:
+                        - href: '#pl-8_smt.a.1'
+                          rel: assessment-for
                     - id: pl-8_obj.a.2
                       name: assessment-objective
                       props:
@@ -76469,6 +83026,9 @@ catalog:
                           value: PL-08a.02
                           class: sp800-53a
                       prose: a privacy architecture describes the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
+                      links:
+                        - href: '#pl-8_smt.a.2'
+                          rel: assessment-for
                     - id: pl-8_obj.a.3
                       name: assessment-objective
                       props:
@@ -76483,6 +83043,9 @@ catalog:
                               value: PL-08a.03[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
                         - id: pl-8_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -76490,6 +83053,12 @@ catalog:
                               value: PL-08a.03[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes how the architecture is integrated into and supports the enterprise architecture;
+                          links:
+                            - href: '#pl-8_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.3'
+                          rel: assessment-for
                     - id: pl-8_obj.a.4
                       name: assessment-objective
                       props:
@@ -76504,6 +83073,9 @@ catalog:
                               value: PL-08a.04[01]
                               class: sp800-53a
                           prose: a security architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
                         - id: pl-8_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -76511,6 +83083,15 @@ catalog:
                               value: PL-08a.04[02]
                               class: sp800-53a
                           prose: a privacy architecture for the system describes any assumptions about and dependencies on external systems and services;
+                          links:
+                            - href: '#pl-8_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.a'
+                      rel: assessment-for
                 - id: pl-8_obj.b
                   name: assessment-objective
                   props:
@@ -76518,6 +83099,9 @@ catalog:
                       value: PL-08b.
                       class: sp800-53a
                   prose: 'changes in the enterprise architecture are reviewed and updated {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture;'
+                  links:
+                    - href: '#pl-8_smt.b'
+                      rel: assessment-for
                 - id: pl-8_obj.c
                   name: assessment-objective
                   props:
@@ -76532,6 +83116,9 @@ catalog:
                           value: PL-08c.[01]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the security plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-2
                       name: assessment-objective
                       props:
@@ -76539,6 +83126,9 @@ catalog:
                           value: PL-08c.[02]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the privacy plan;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-3
                       name: assessment-objective
                       props:
@@ -76546,6 +83136,9 @@ catalog:
                           value: PL-08c.[03]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in the Concept of Operations (CONOPS);
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-4
                       name: assessment-objective
                       props:
@@ -76553,6 +83146,9 @@ catalog:
                           value: PL-08c.[04]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in criticality analysis;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-5
                       name: assessment-objective
                       props:
@@ -76560,6 +83156,9 @@ catalog:
                           value: PL-08c.[05]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in organizational procedures;
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
                     - id: pl-8_obj.c-6
                       name: assessment-objective
                       props:
@@ -76567,6 +83166,15 @@ catalog:
                           value: PL-08c.[06]
                           class: sp800-53a
                       prose: planned architecture changes are reflected in procurements and acquisitions.
+                      links:
+                        - href: '#pl-8_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pl-8_smt'
+                  rel: assessment-for
             - id: pl-8_asm-examine
               name: assessment-method
               props:
@@ -76721,6 +83329,9 @@ catalog:
                               value: PL-08(01)(a)[01]
                               class: sp800-53a
                           prose: 'the security architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};'
+                          links:
+                            - href: '#pl-8.1_smt.a'
+                              rel: assessment-for
                         - id: pl-8.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -76728,6 +83339,12 @@ catalog:
                               value: PL-08(01)(a)[02]
                               class: sp800-53a
                           prose: 'the privacy architecture for the system is designed using a defense-in-depth approach that allocates {{ insert: param, pl-08.01_odp.01 }} to {{ insert: param, pl-08.01_odp.02 }};'
+                          links:
+                            - href: '#pl-8.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8.1_smt.a'
+                          rel: assessment-for
                     - id: pl-8.1_obj.b
                       name: assessment-objective
                       props:
@@ -76742,6 +83359,9 @@ catalog:
                               value: PL-08(01)(b)[01]
                               class: sp800-53a
                           prose: the security architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner;
+                          links:
+                            - href: '#pl-8.1_smt.b'
+                              rel: assessment-for
                         - id: pl-8.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -76749,6 +83369,15 @@ catalog:
                               value: PL-08(01)(b)[02]
                               class: sp800-53a
                           prose: the privacy architecture for the system is designed using a defense-in-depth approach that ensures the allocated controls operate in a coordinated and mutually reinforcing manner.
+                          links:
+                            - href: '#pl-8.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pl-8.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pl-8.1_smt'
+                      rel: assessment-for
                 - id: pl-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -76867,6 +83496,9 @@ catalog:
                       value: PL-08(02)
                       class: sp800-53a
                   prose: '{{ insert: param, pl-08.02_odp.01 }} that are allocated to {{ insert: param, pl-08.02_odp.02 }} are required to be obtained from different suppliers.'
+                  links:
+                    - href: '#pl-8.2_smt'
+                      rel: assessment-for
                 - id: pl-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -76983,6 +83615,9 @@ catalog:
                   value: PL-09
                   class: sp800-53a
               prose: '{{ insert: param, pl-09_odp }} are centrally managed.'
+              links:
+                - href: '#pl-9_smt'
+                  rel: assessment-for
             - id: pl-9_asm-examine
               name: assessment-method
               props:
@@ -77095,6 +83730,9 @@ catalog:
                   value: PL-10
                   class: sp800-53a
               prose: a control baseline for the system is selected.
+              links:
+                - href: '#pl-10_smt'
+                  rel: assessment-for
             - id: pl-10_asm-examine
               name: assessment-method
               props:
@@ -77220,6 +83858,9 @@ catalog:
                   value: PL-11
                   class: sp800-53a
               prose: the selected control baseline is tailored by applying specified tailoring actions.
+              links:
+                - href: '#pl-11_smt'
+                  rel: assessment-for
             - id: pl-11_asm-examine
               name: assessment-method
               props:
@@ -77432,6 +84073,9 @@ catalog:
                           value: PM-01a.[01]
                           class: sp800-53a
                       prose: an organization-wide information security program plan is developed;
+                      links:
+                        - href: '#pm-1_smt.a'
+                          rel: assessment-for
                     - id: pm-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -77439,6 +84083,9 @@ catalog:
                           value: PM-01a.[02]
                           class: sp800-53a
                       prose: the information security program plan is disseminated;
+                      links:
+                        - href: '#pm-1_smt.a'
+                          rel: assessment-for
                     - id: pm-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -77453,6 +84100,9 @@ catalog:
                               value: PM-01a.01[01]
                               class: sp800-53a
                           prose: the information security program plan provides an overview of the requirements for the security program;
+                          links:
+                            - href: '#pm-1_smt.a.1'
+                              rel: assessment-for
                         - id: pm-1_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -77460,6 +84110,9 @@ catalog:
                               value: PM-01a.01[02]
                               class: sp800-53a
                           prose: the information security program plan provides a description of the security program management controls in place or planned for meeting those requirements;
+                          links:
+                            - href: '#pm-1_smt.a.1'
+                              rel: assessment-for
                         - id: pm-1_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -77467,6 +84120,12 @@ catalog:
                               value: PM-01a.01[03]
                               class: sp800-53a
                           prose: the information security program plan provides a description of the common controls in place or planned for meeting those requirements;
+                          links:
+                            - href: '#pm-1_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-1_smt.a.1'
+                          rel: assessment-for
                     - id: pm-1_obj.a.2
                       name: assessment-objective
                       props:
@@ -77481,6 +84140,9 @@ catalog:
                               value: PM-01a.02[01]
                               class: sp800-53a
                           prose: the information security program plan includes the identification and assignment of roles;
+                          links:
+                            - href: '#pm-1_smt.a.2'
+                              rel: assessment-for
                         - id: pm-1_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -77488,6 +84150,9 @@ catalog:
                               value: PM-01a.02[02]
                               class: sp800-53a
                           prose: the information security program plan includes the identification and assignment of responsibilities;
+                          links:
+                            - href: '#pm-1_smt.a.2'
+                              rel: assessment-for
                         - id: pm-1_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -77495,6 +84160,9 @@ catalog:
                               value: PM-01a.02[03]
                               class: sp800-53a
                           prose: the information security program plan addresses management commitment;
+                          links:
+                            - href: '#pm-1_smt.a.2'
+                              rel: assessment-for
                         - id: pm-1_obj.a.2-4
                           name: assessment-objective
                           props:
@@ -77502,6 +84170,9 @@ catalog:
                               value: PM-01a.02[04]
                               class: sp800-53a
                           prose: the information security program plan addresses coordination among organizational entities;
+                          links:
+                            - href: '#pm-1_smt.a.2'
+                              rel: assessment-for
                         - id: pm-1_obj.a.2-5
                           name: assessment-objective
                           props:
@@ -77509,6 +84180,12 @@ catalog:
                               value: PM-01a.02[05]
                               class: sp800-53a
                           prose: the information security program plan addresses compliance;
+                          links:
+                            - href: '#pm-1_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-1_smt.a.2'
+                          rel: assessment-for
                     - id: pm-1_obj.a.3
                       name: assessment-objective
                       props:
@@ -77516,6 +84193,9 @@ catalog:
                           value: PM-01a.03
                           class: sp800-53a
                       prose: the information security program plan reflects the coordination among the organizational entities responsible for information security;
+                      links:
+                        - href: '#pm-1_smt.a.3'
+                          rel: assessment-for
                     - id: pm-1_obj.a.4
                       name: assessment-objective
                       props:
@@ -77523,6 +84203,12 @@ catalog:
                           value: PM-01a.04
                           class: sp800-53a
                       prose: the information security program plan is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
+                      links:
+                        - href: '#pm-1_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-1_smt.a'
+                      rel: assessment-for
                 - id: pm-1_obj.b
                   name: assessment-objective
                   props:
@@ -77537,6 +84223,9 @@ catalog:
                           value: PM-01b.[01]
                           class: sp800-53a
                       prose: 'the information security program plan is reviewed and updated {{ insert: param, pm-01_odp.01 }};'
+                      links:
+                        - href: '#pm-1_smt.b'
+                          rel: assessment-for
                     - id: pm-1_obj.b-2
                       name: assessment-objective
                       props:
@@ -77544,6 +84233,12 @@ catalog:
                           value: PM-01b.[02]
                           class: sp800-53a
                       prose: 'the information security program plan is reviewed and updated following {{ insert: param, pm-01_odp.02 }};'
+                      links:
+                        - href: '#pm-1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-1_smt.b'
+                      rel: assessment-for
                 - id: pm-1_obj.c
                   name: assessment-objective
                   props:
@@ -77558,6 +84253,9 @@ catalog:
                           value: PM-01c.[01]
                           class: sp800-53a
                       prose: the information security program plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#pm-1_smt.c'
+                          rel: assessment-for
                     - id: pm-1_obj.c-2
                       name: assessment-objective
                       props:
@@ -77565,6 +84263,15 @@ catalog:
                           value: PM-01c.[02]
                           class: sp800-53a
                       prose: the information security program plan is protected from unauthorized modification.
+                      links:
+                        - href: '#pm-1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-1_smt'
+                  rel: assessment-for
             - id: pm-1_asm-examine
               name: assessment-method
               props:
@@ -77664,6 +84371,9 @@ catalog:
                       value: PM-02[01]
                       class: sp800-53a
                   prose: a senior agency information security officer is appointed;
+                  links:
+                    - href: '#pm-2_smt'
+                      rel: assessment-for
                 - id: pm-2_obj-2
                   name: assessment-objective
                   props:
@@ -77671,6 +84381,9 @@ catalog:
                       value: PM-02[02]
                       class: sp800-53a
                   prose: the senior agency information security officer is provided with the mission and resources to coordinate an organization-wide information security program;
+                  links:
+                    - href: '#pm-2_smt'
+                      rel: assessment-for
                 - id: pm-2_obj-3
                   name: assessment-objective
                   props:
@@ -77678,6 +84391,9 @@ catalog:
                       value: PM-02[03]
                       class: sp800-53a
                   prose: the senior agency information security officer is provided with the mission and resources to develop an organization-wide information security program;
+                  links:
+                    - href: '#pm-2_smt'
+                      rel: assessment-for
                 - id: pm-2_obj-4
                   name: assessment-objective
                   props:
@@ -77685,6 +84401,9 @@ catalog:
                       value: PM-02[04]
                       class: sp800-53a
                   prose: the senior agency information security officer is provided with the mission and resources to implement an organization-wide information security program;
+                  links:
+                    - href: '#pm-2_smt'
+                      rel: assessment-for
                 - id: pm-2_obj-5
                   name: assessment-objective
                   props:
@@ -77692,6 +84411,12 @@ catalog:
                       value: PM-02[05]
                       class: sp800-53a
                   prose: the senior agency information security officer is provided with the mission and resources to maintain an organization-wide information security program.
+                  links:
+                    - href: '#pm-2_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-2_smt'
+                  rel: assessment-for
             - id: pm-2_asm-examine
               name: assessment-method
               props:
@@ -77797,6 +84522,9 @@ catalog:
                           value: PM-03a.[01]
                           class: sp800-53a
                       prose: the resources needed to implement the information security program are included in capital planning and investment requests, and all exceptions are documented;
+                      links:
+                        - href: '#pm-3_smt.a'
+                          rel: assessment-for
                     - id: pm-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -77804,6 +84532,12 @@ catalog:
                           value: PM-03a.[02]
                           class: sp800-53a
                       prose: the resources needed to implement the privacy program are included in capital planning and investment requests, and all exceptions are documented;
+                      links:
+                        - href: '#pm-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.a'
+                      rel: assessment-for
                 - id: pm-3_obj.b
                   name: assessment-objective
                   props:
@@ -77818,6 +84552,9 @@ catalog:
                           value: PM-03b.[01]
                           class: sp800-53a
                       prose: the documentation required for addressing the information security program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+                      links:
+                        - href: '#pm-3_smt.b'
+                          rel: assessment-for
                     - id: pm-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -77825,6 +84562,12 @@ catalog:
                           value: PM-03b.[02]
                           class: sp800-53a
                       prose: the documentation required for addressing the privacy program in capital planning and investment requests is prepared in accordance with applicable laws, executive orders, directives, policies, regulations, standards;
+                      links:
+                        - href: '#pm-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.b'
+                      rel: assessment-for
                 - id: pm-3_obj.c
                   name: assessment-objective
                   props:
@@ -77839,6 +84582,9 @@ catalog:
                           value: PM-03c.[01]
                           class: sp800-53a
                       prose: information security resources are made available for expenditure as planned;
+                      links:
+                        - href: '#pm-3_smt.c'
+                          rel: assessment-for
                     - id: pm-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -77846,6 +84592,15 @@ catalog:
                           value: PM-03c.[02]
                           class: sp800-53a
                       prose: privacy resources are made available for expenditure as planned.
+                      links:
+                        - href: '#pm-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-3_smt'
+                  rel: assessment-for
             - id: pm-3_asm-examine
               name: assessment-method
               props:
@@ -78006,6 +84761,9 @@ catalog:
                               value: PM-04a.01[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -78013,6 +84771,9 @@ catalog:
                               value: PM-04a.01[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -78020,6 +84781,9 @@ catalog:
                               value: PM-04a.01[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -78027,6 +84791,9 @@ catalog:
                               value: PM-04a.01[04]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-5
                           name: assessment-objective
                           props:
@@ -78034,6 +84801,9 @@ catalog:
                               value: PM-04a.01[05]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are developed;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
                         - id: pm-4_obj.a.1-6
                           name: assessment-objective
                           props:
@@ -78041,6 +84811,12 @@ catalog:
                               value: PM-04a.01[06]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems are maintained;
+                          links:
+                            - href: '#pm-4_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.1'
+                          rel: assessment-for
                     - id: pm-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -78055,6 +84831,9 @@ catalog:
                               value: PM-04a.02[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security program and associated organizational systems document remedial information security risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
                         - id: pm-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -78062,6 +84841,9 @@ catalog:
                               value: PM-04a.02[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy program and associated organizational systems document remedial privacy risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
                         - id: pm-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -78069,6 +84851,12 @@ catalog:
                               value: PM-04a.02[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management program and associated organizational systems document remedial supply chain risk management actions to adequately respond to risks to organizational operations and assets, individuals, other organizations, and the Nation;
+                          links:
+                            - href: '#pm-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.2'
+                          rel: assessment-for
                     - id: pm-4_obj.a.3
                       name: assessment-objective
                       props:
@@ -78083,6 +84871,9 @@ catalog:
                               value: PM-04a.03[01]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the information security risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
                         - id: pm-4_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -78090,6 +84881,9 @@ catalog:
                               value: PM-04a.03[02]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the privacy risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
                         - id: pm-4_obj.a.3-3
                           name: assessment-objective
                           props:
@@ -78097,6 +84891,15 @@ catalog:
                               value: PM-04a.03[03]
                               class: sp800-53a
                           prose: a process to ensure that plans of action and milestones for the supply chain risk management programs and associated organizational systems are reported in accordance with established reporting requirements;
+                          links:
+                            - href: '#pm-4_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-4_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-4_smt.a'
+                      rel: assessment-for
                 - id: pm-4_obj.b
                   name: assessment-objective
                   props:
@@ -78111,6 +84914,9 @@ catalog:
                           value: PM-04b.[01]
                           class: sp800-53a
                       prose: plans of action and milestones are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-4_smt.b'
+                          rel: assessment-for
                     - id: pm-4_obj.b-2
                       name: assessment-objective
                       props:
@@ -78118,6 +84924,15 @@ catalog:
                           value: PM-04b.[02]
                           class: sp800-53a
                       prose: plans of action and milestones are reviewed for consistency with organization-wide priorities for risk response actions.
+                      links:
+                        - href: '#pm-4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-4_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-4_smt'
+                  rel: assessment-for
             - id: pm-4_asm-examine
               name: assessment-method
               props:
@@ -78226,6 +85041,9 @@ catalog:
                       value: PM-05[01]
                       class: sp800-53a
                   prose: an inventory of organizational systems is developed;
+                  links:
+                    - href: '#pm-5_smt'
+                      rel: assessment-for
                 - id: pm-5_obj-2
                   name: assessment-objective
                   props:
@@ -78233,6 +85051,12 @@ catalog:
                       value: PM-05[02]
                       class: sp800-53a
                   prose: 'the inventory of organizational systems is updated {{ insert: param, pm-05_odp }}.'
+                  links:
+                    - href: '#pm-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-5_smt'
+                  rel: assessment-for
             - id: pm-5_asm-examine
               name: assessment-method
               props:
@@ -78356,6 +85180,9 @@ catalog:
                           value: PM-05(01)[01]
                           class: sp800-53a
                       prose: an inventory of all systems, applications, and projects that process personally identifiable information is established;
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
                     - id: pm-5.1_obj-2
                       name: assessment-objective
                       props:
@@ -78363,6 +85190,9 @@ catalog:
                           value: PM-05(01)[02]
                           class: sp800-53a
                       prose: an inventory of all systems, applications, and projects that process personally identifiable information is maintained;
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
                     - id: pm-5.1_obj-3
                       name: assessment-objective
                       props:
@@ -78370,6 +85200,12 @@ catalog:
                           value: PM-05(01)[03]
                           class: sp800-53a
                       prose: 'an inventory of all systems, applications, and projects that process personally identifiable information is updated {{ insert: param, pm-05.01_odp }}.'
+                      links:
+                        - href: '#pm-5.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-5.1_smt'
+                      rel: assessment-for
                 - id: pm-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -78484,6 +85320,9 @@ catalog:
                       value: PM-06[01]
                       class: sp800-53a
                   prose: information security measures of performance are developed;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-2
                   name: assessment-objective
                   props:
@@ -78491,6 +85330,9 @@ catalog:
                       value: PM-06[02]
                       class: sp800-53a
                   prose: information security measures of performance are monitored;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-3
                   name: assessment-objective
                   props:
@@ -78498,6 +85340,9 @@ catalog:
                       value: PM-06[03]
                       class: sp800-53a
                   prose: the results of information security measures of performance are reported;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-4
                   name: assessment-objective
                   props:
@@ -78505,6 +85350,9 @@ catalog:
                       value: PM-06[04]
                       class: sp800-53a
                   prose: privacy measures of performance are developed;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-5
                   name: assessment-objective
                   props:
@@ -78512,6 +85360,9 @@ catalog:
                       value: PM-06[05]
                       class: sp800-53a
                   prose: privacy measures of performance are monitored;
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
                 - id: pm-6_obj-6
                   name: assessment-objective
                   props:
@@ -78519,6 +85370,12 @@ catalog:
                       value: PM-06[06]
                       class: sp800-53a
                   prose: the results of privacy measures of performance are reported.
+                  links:
+                    - href: '#pm-6_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-6_smt'
+                  rel: assessment-for
             - id: pm-6_asm-examine
               name: assessment-method
               props:
@@ -78638,6 +85495,9 @@ catalog:
                       value: PM-07[01]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for information security;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-2
                   name: assessment-objective
                   props:
@@ -78645,6 +85505,9 @@ catalog:
                       value: PM-07[02]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for information security;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-3
                   name: assessment-objective
                   props:
@@ -78652,6 +85515,9 @@ catalog:
                       value: PM-07[03]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for privacy;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-4
                   name: assessment-objective
                   props:
@@ -78659,6 +85525,9 @@ catalog:
                       value: PM-07[04]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for privacy;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-5
                   name: assessment-objective
                   props:
@@ -78666,6 +85535,9 @@ catalog:
                       value: PM-07[05]
                       class: sp800-53a
                   prose: an enterprise architecture is developed with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation;
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
                 - id: pm-7_obj-6
                   name: assessment-objective
                   props:
@@ -78673,6 +85545,12 @@ catalog:
                       value: PM-07[06]
                       class: sp800-53a
                   prose: an enterprise architecture is maintained with consideration for the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
+                  links:
+                    - href: '#pm-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-7_smt'
+                  rel: assessment-for
             - id: pm-7_asm-examine
               name: assessment-method
               props:
@@ -78775,6 +85653,9 @@ catalog:
                       value: PM-07(01)
                       class: sp800-53a
                   prose: '{{ insert: param, pm-07.01_odp }} are offloaded to other systems, system components, or an external provider.'
+                  links:
+                    - href: '#pm-7.1_smt'
+                      rel: assessment-for
                 - id: pm-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -78898,6 +85779,9 @@ catalog:
                       value: PM-08[01]
                       class: sp800-53a
                   prose: information security issues are addressed in the development of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-2
                   name: assessment-objective
                   props:
@@ -78905,6 +85789,9 @@ catalog:
                       value: PM-08[02]
                       class: sp800-53a
                   prose: information security issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-3
                   name: assessment-objective
                   props:
@@ -78912,6 +85799,9 @@ catalog:
                       value: PM-08[03]
                       class: sp800-53a
                   prose: information security issues are addressed in the update of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-4
                   name: assessment-objective
                   props:
@@ -78919,6 +85809,9 @@ catalog:
                       value: PM-08[04]
                       class: sp800-53a
                   prose: privacy issues are addressed in the development of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-5
                   name: assessment-objective
                   props:
@@ -78926,6 +85819,9 @@ catalog:
                       value: PM-08[05]
                       class: sp800-53a
                   prose: privacy issues are addressed in the documentation of a critical infrastructure and key resources protection plan;
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
                 - id: pm-8_obj-6
                   name: assessment-objective
                   props:
@@ -78933,6 +85829,12 @@ catalog:
                       value: PM-08[06]
                       class: sp800-53a
                   prose: privacy issues are addressed in the update of a critical infrastructure and key resources protection plan.
+                  links:
+                    - href: '#pm-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-8_smt'
+                  rel: assessment-for
             - id: pm-8_asm-examine
               name: assessment-method
               props:
@@ -79164,6 +86066,9 @@ catalog:
                           value: PM-09a.01
                           class: sp800-53a
                       prose: a comprehensive strategy is developed to manage security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizational systems;
+                      links:
+                        - href: '#pm-9_smt.a.1'
+                          rel: assessment-for
                     - id: pm-9_obj.a.2
                       name: assessment-objective
                       props:
@@ -79171,6 +86076,12 @@ catalog:
                           value: PM-09a.02
                           class: sp800-53a
                       prose: a comprehensive strategy is developed to manage privacy risk to individuals resulting from the authorized processing of personally identifiable information;
+                      links:
+                        - href: '#pm-9_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-9_smt.a'
+                      rel: assessment-for
                 - id: pm-9_obj.b
                   name: assessment-objective
                   props:
@@ -79178,6 +86089,9 @@ catalog:
                       value: PM-09b.
                       class: sp800-53a
                   prose: the risk management strategy is implemented consistently across the organization;
+                  links:
+                    - href: '#pm-9_smt.b'
+                      rel: assessment-for
                 - id: pm-9_obj.c
                   name: assessment-objective
                   props:
@@ -79185,6 +86099,12 @@ catalog:
                       value: PM-09c.
                       class: sp800-53a
                   prose: 'the risk management strategy is reviewed and updated {{ insert: param, pm-09_odp }} or as required to address organizational changes.'
+                  links:
+                    - href: '#pm-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-9_smt'
+                  rel: assessment-for
             - id: pm-9_asm-examine
               name: assessment-method
               props:
@@ -79318,6 +86238,9 @@ catalog:
                           value: PM-10a.[01]
                           class: sp800-53a
                       prose: the security state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+                      links:
+                        - href: '#pm-10_smt.a'
+                          rel: assessment-for
                     - id: pm-10_obj.a-2
                       name: assessment-objective
                       props:
@@ -79325,6 +86248,12 @@ catalog:
                           value: PM-10a.[02]
                           class: sp800-53a
                       prose: the privacy state of organizational systems and the environments in which those systems operate are managed through authorization processes;
+                      links:
+                        - href: '#pm-10_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-10_smt.a'
+                      rel: assessment-for
                 - id: pm-10_obj.b
                   name: assessment-objective
                   props:
@@ -79332,6 +86261,9 @@ catalog:
                       value: PM-10b.
                       class: sp800-53a
                   prose: individuals are designated to fulfill specific roles and responsibilities within the organizational risk management process;
+                  links:
+                    - href: '#pm-10_smt.b'
+                      rel: assessment-for
                 - id: pm-10_obj.c
                   name: assessment-objective
                   props:
@@ -79339,6 +86271,12 @@ catalog:
                       value: PM-10c.
                       class: sp800-53a
                   prose: the authorization processes are integrated into an organization-wide risk management program.
+                  links:
+                    - href: '#pm-10_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-10_smt'
+                  rel: assessment-for
             - id: pm-10_asm-examine
               name: assessment-method
               props:
@@ -79502,6 +86440,9 @@ catalog:
                           value: PM-11a.[01]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for information security;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
                     - id: pm-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -79509,6 +86450,9 @@ catalog:
                           value: PM-11a.[02]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for privacy;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
                     - id: pm-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -79516,6 +86460,12 @@ catalog:
                           value: PM-11a.[03]
                           class: sp800-53a
                       prose: organizational mission and business processes are defined with consideration for the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
+                      links:
+                        - href: '#pm-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-11_smt.a'
+                      rel: assessment-for
                 - id: pm-11_obj.b
                   name: assessment-objective
                   props:
@@ -79530,6 +86480,9 @@ catalog:
                           value: PM-11b.[01]
                           class: sp800-53a
                       prose: information protection needs arising from the defined mission and business processes are determined;
+                      links:
+                        - href: '#pm-11_smt.b'
+                          rel: assessment-for
                     - id: pm-11_obj.b-2
                       name: assessment-objective
                       props:
@@ -79537,6 +86490,12 @@ catalog:
                           value: PM-11b.[02]
                           class: sp800-53a
                       prose: personally identifiable information processing needs arising from the defined mission and business processes are determined;
+                      links:
+                        - href: '#pm-11_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-11_smt.b'
+                      rel: assessment-for
                 - id: pm-11_obj.c
                   name: assessment-objective
                   props:
@@ -79544,6 +86503,12 @@ catalog:
                       value: PM-11c.
                       class: sp800-53a
                   prose: 'the mission and business processes are reviewed and revised {{ insert: param, pm-11_odp }}.'
+                  links:
+                    - href: '#pm-11_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-11_smt'
+                  rel: assessment-for
             - id: pm-11_asm-examine
               name: assessment-method
               props:
@@ -79687,6 +86652,9 @@ catalog:
                   value: PM-12
                   class: sp800-53a
               prose: an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.
+              links:
+                - href: '#pm-12_smt'
+                  rel: assessment-for
             - id: pm-12_asm-interview
               name: assessment-method
               props:
@@ -79767,6 +86735,9 @@ catalog:
                       value: PM-13[01]
                       class: sp800-53a
                   prose: a security workforce development and improvement program is established;
+                  links:
+                    - href: '#pm-13_smt'
+                      rel: assessment-for
                 - id: pm-13_obj-2
                   name: assessment-objective
                   props:
@@ -79774,6 +86745,12 @@ catalog:
                       value: PM-13[02]
                       class: sp800-53a
                   prose: a privacy workforce development and improvement program is established.
+                  links:
+                    - href: '#pm-13_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-13_smt'
+                  rel: assessment-for
             - id: pm-13_asm-examine
               name: assessment-method
               props:
@@ -79933,6 +86910,9 @@ catalog:
                               value: PM-14a.01[01]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -79940,6 +86920,9 @@ catalog:
                               value: PM-14a.01[02]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -79947,6 +86930,9 @@ catalog:
                               value: PM-14a.01[03]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
                         - id: pm-14_obj.a.1-4
                           name: assessment-objective
                           props:
@@ -79954,6 +86940,12 @@ catalog:
                               value: PM-14a.01[04]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;
+                          links:
+                            - href: '#pm-14_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-14_smt.a.1'
+                          rel: assessment-for
                     - id: pm-14_obj.a.2
                       name: assessment-objective
                       props:
@@ -79968,6 +86960,9 @@ catalog:
                               value: PM-14a.02[01]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;
+                          links:
+                            - href: '#pm-14_smt.a.2'
+                              rel: assessment-for
                         - id: pm-14_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -79975,6 +86970,15 @@ catalog:
                               value: PM-14a.02[02]
                               class: sp800-53a
                           prose: a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;
+                          links:
+                            - href: '#pm-14_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-14_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-14_smt.a'
+                      rel: assessment-for
                 - id: pm-14_obj.b
                   name: assessment-objective
                   props:
@@ -79989,6 +86993,9 @@ catalog:
                           value: PM-14b.[01]
                           class: sp800-53a
                       prose: testing plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-2
                       name: assessment-objective
                       props:
@@ -79996,6 +87003,9 @@ catalog:
                           value: PM-14b.[02]
                           class: sp800-53a
                       prose: training plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-3
                       name: assessment-objective
                       props:
@@ -80003,6 +87013,9 @@ catalog:
                           value: PM-14b.[03]
                           class: sp800-53a
                       prose: monitoring plans are reviewed for consistency with the organizational risk management strategy;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-4
                       name: assessment-objective
                       props:
@@ -80010,6 +87023,9 @@ catalog:
                           value: PM-14b.[04]
                           class: sp800-53a
                       prose: testing plans are reviewed for consistency with organization-wide priorities for risk response actions;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-5
                       name: assessment-objective
                       props:
@@ -80017,6 +87033,9 @@ catalog:
                           value: PM-14b.[05]
                           class: sp800-53a
                       prose: training plans are reviewed for consistency with organization-wide priorities for risk response actions;
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
                     - id: pm-14_obj.b-6
                       name: assessment-objective
                       props:
@@ -80024,6 +87043,15 @@ catalog:
                           value: PM-14b.[06]
                           class: sp800-53a
                       prose: monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.
+                      links:
+                        - href: '#pm-14_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-14_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-14_smt'
+                  rel: assessment-for
             - id: pm-14_asm-examine
               name: assessment-method
               props:
@@ -80151,6 +87179,9 @@ catalog:
                           value: PM-15a.[01]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;
+                      links:
+                        - href: '#pm-15_smt.a'
+                          rel: assessment-for
                     - id: pm-15_obj.a-2
                       name: assessment-objective
                       props:
@@ -80158,6 +87189,12 @@ catalog:
                           value: PM-15a.[02]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;
+                      links:
+                        - href: '#pm-15_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-15_smt.a'
+                      rel: assessment-for
                 - id: pm-15_obj.b
                   name: assessment-objective
                   props:
@@ -80172,6 +87209,9 @@ catalog:
                           value: PM-15b.[01]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;
+                      links:
+                        - href: '#pm-15_smt.b'
+                          rel: assessment-for
                     - id: pm-15_obj.b-2
                       name: assessment-objective
                       props:
@@ -80179,6 +87219,12 @@ catalog:
                           value: PM-15b.[02]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;
+                      links:
+                        - href: '#pm-15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-15_smt.b'
+                      rel: assessment-for
                 - id: pm-15_obj.c
                   name: assessment-objective
                   props:
@@ -80193,6 +87239,9 @@ catalog:
                           value: PM-15c.[01]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;
+                      links:
+                        - href: '#pm-15_smt.c'
+                          rel: assessment-for
                     - id: pm-15_obj.c-2
                       name: assessment-objective
                       props:
@@ -80200,6 +87249,15 @@ catalog:
                           value: PM-15c.[02]
                           class: sp800-53a
                       prose: contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.
+                      links:
+                        - href: '#pm-15_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-15_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-15_smt'
+                  rel: assessment-for
             - id: pm-15_asm-examine
               name: assessment-method
               props:
@@ -80293,6 +87351,9 @@ catalog:
                   value: PM-16
                   class: sp800-53a
               prose: a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.
+              links:
+                - href: '#pm-16_smt'
+                  rel: assessment-for
             - id: pm-16_asm-examine
               name: assessment-method
               props:
@@ -80393,6 +87454,9 @@ catalog:
                       value: PM-16(01)
                       class: sp800-53a
                   prose: automated mechanisms are employed to maximize the effectiveness of sharing threat intelligence information.
+                  links:
+                    - href: '#pm-16.1_smt'
+                      rel: assessment-for
                 - id: pm-16.1_asm-examine
                   name: assessment-method
                   props:
@@ -80554,6 +87618,9 @@ catalog:
                           value: PM-17a.[01]
                           class: sp800-53a
                       prose: policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+                      links:
+                        - href: '#pm-17_smt.a'
+                          rel: assessment-for
                     - id: pm-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -80561,6 +87628,12 @@ catalog:
                           value: PM-17a.[02]
                           class: sp800-53a
                       prose: procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;
+                      links:
+                        - href: '#pm-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-17_smt.a'
+                      rel: assessment-for
                 - id: pm-17_obj.b
                   name: assessment-objective
                   props:
@@ -80575,6 +87648,9 @@ catalog:
                           value: PM-17b.[01]
                           class: sp800-53a
                       prose: 'policy is reviewed and updated {{ insert: param, pm-17_odp.01 }};'
+                      links:
+                        - href: '#pm-17_smt.b'
+                          rel: assessment-for
                     - id: pm-17_obj.b-2
                       name: assessment-objective
                       props:
@@ -80582,6 +87658,15 @@ catalog:
                           value: PM-17b.[02]
                           class: sp800-53a
                       prose: 'procedures are reviewed and updated {{ insert: param, pm-17_odp.02 }} '
+                      links:
+                        - href: '#pm-17_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-17_smt'
+                  rel: assessment-for
             - id: pm-17_asm-examine
               name: assessment-method
               props:
@@ -80734,6 +87819,9 @@ catalog:
                           value: PM-18a.[01]
                           class: sp800-53a
                       prose: an organization-wide privacy program plan that provides an overview of the agency’s privacy program is developed;
+                      links:
+                        - href: '#pm-18_smt.a'
+                          rel: assessment-for
                     - id: pm-18_obj.a.1
                       name: assessment-objective
                       props:
@@ -80748,6 +87836,9 @@ catalog:
                               value: PM-18a.01[01]
                               class: sp800-53a
                           prose: the privacy program plan includes a description of the structure of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.1'
+                              rel: assessment-for
                         - id: pm-18_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -80755,6 +87846,12 @@ catalog:
                               value: PM-18a.01[02]
                               class: sp800-53a
                           prose: the privacy program plan includes a description of the resources dedicated to the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.1'
+                          rel: assessment-for
                     - id: pm-18_obj.a.2
                       name: assessment-objective
                       props:
@@ -80769,6 +87866,9 @@ catalog:
                               value: PM-18a.02[01]
                               class: sp800-53a
                           prose: the privacy program plan provides an overview of the requirements for the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
                         - id: pm-18_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -80776,6 +87876,9 @@ catalog:
                               value: PM-18a.02[02]
                               class: sp800-53a
                           prose: the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
                         - id: pm-18_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -80783,6 +87886,12 @@ catalog:
                               value: PM-18a.02[03]
                               class: sp800-53a
                           prose: the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.2'
+                          rel: assessment-for
                     - id: pm-18_obj.a.3
                       name: assessment-objective
                       props:
@@ -80797,6 +87906,9 @@ catalog:
                               value: PM-18a.03[01]
                               class: sp800-53a
                           prose: the privacy program plan includes the role of the senior agency official for privacy;
+                          links:
+                            - href: '#pm-18_smt.a.3'
+                              rel: assessment-for
                         - id: pm-18_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -80804,6 +87916,12 @@ catalog:
                               value: PM-18a.03[02]
                               class: sp800-53a
                           prose: the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;
+                          links:
+                            - href: '#pm-18_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.3'
+                          rel: assessment-for
                     - id: pm-18_obj.a.4
                       name: assessment-objective
                       props:
@@ -80818,6 +87936,9 @@ catalog:
                               value: PM-18a.04[01]
                               class: sp800-53a
                           prose: the privacy program plan describes management commitment;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
                         - id: pm-18_obj.a.4-2
                           name: assessment-objective
                           props:
@@ -80825,6 +87946,9 @@ catalog:
                               value: PM-18a.04[02]
                               class: sp800-53a
                           prose: the privacy program plan describes compliance;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
                         - id: pm-18_obj.a.4-3
                           name: assessment-objective
                           props:
@@ -80832,6 +87956,12 @@ catalog:
                               value: PM-18a.04[03]
                               class: sp800-53a
                           prose: the privacy program plan describes the strategic goals and objectives of the privacy program;
+                          links:
+                            - href: '#pm-18_smt.a.4'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-18_smt.a.4'
+                          rel: assessment-for
                     - id: pm-18_obj.a.5
                       name: assessment-objective
                       props:
@@ -80839,6 +87969,9 @@ catalog:
                           value: PM-18a.05
                           class: sp800-53a
                       prose: the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;
+                      links:
+                        - href: '#pm-18_smt.a.5'
+                          rel: assessment-for
                     - id: pm-18_obj.a.6
                       name: assessment-objective
                       props:
@@ -80846,6 +87979,9 @@ catalog:
                           value: PM-18a.06
                           class: sp800-53a
                       prose: the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
+                      links:
+                        - href: '#pm-18_smt.a.6'
+                          rel: assessment-for
                     - id: pm-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -80853,6 +87989,12 @@ catalog:
                           value: PM-18a.[02]
                           class: sp800-53a
                       prose: the privacy program plan is disseminated;
+                      links:
+                        - href: '#pm-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-18_smt.a'
+                      rel: assessment-for
                 - id: pm-18_obj.b
                   name: assessment-objective
                   props:
@@ -80867,6 +88009,9 @@ catalog:
                           value: PM-18b.[01]
                           class: sp800-53a
                       prose: 'the privacy program plan is updated {{ insert: param, pm-18_odp }};'
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-2
                       name: assessment-objective
                       props:
@@ -80874,6 +88019,9 @@ catalog:
                           value: PM-18b.[02]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address changes in federal privacy laws and policies;
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-3
                       name: assessment-objective
                       props:
@@ -80881,6 +88029,9 @@ catalog:
                           value: PM-18b.[03]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address organizational changes;
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
                     - id: pm-18_obj.b-4
                       name: assessment-objective
                       props:
@@ -80888,6 +88039,15 @@ catalog:
                           value: PM-18b.[04]
                           class: sp800-53a
                       prose: the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.
+                      links:
+                        - href: '#pm-18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-18_smt'
+                  rel: assessment-for
             - id: pm-18_asm-examine
               name: assessment-method
               props:
@@ -80974,6 +88134,9 @@ catalog:
                       value: PM-19[01]
                       class: sp800-53a
                   prose: a senior agency official for privacy with authority, mission, accountability, and resources is appointed;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-2
                   name: assessment-objective
                   props:
@@ -80981,6 +88144,9 @@ catalog:
                       value: PM-19[02]
                       class: sp800-53a
                   prose: the senior agency official for privacy coordinates applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-3
                   name: assessment-objective
                   props:
@@ -80988,6 +88154,9 @@ catalog:
                       value: PM-19[03]
                       class: sp800-53a
                   prose: the senior agency official for privacy develops applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-4
                   name: assessment-objective
                   props:
@@ -80995,6 +88164,9 @@ catalog:
                       value: PM-19[04]
                       class: sp800-53a
                   prose: the senior agency official for privacy implements applicable privacy requirements;
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
                 - id: pm-19_obj-5
                   name: assessment-objective
                   props:
@@ -81002,6 +88174,12 @@ catalog:
                       value: PM-19[05]
                       class: sp800-53a
                   prose: the senior agency official for privacy manages privacy risks through the organization-wide privacy program.
+                  links:
+                    - href: '#pm-19_smt'
+                      rel: assessment-for
+              links:
+                - href: '#pm-19_smt'
+                  rel: assessment-for
             - id: pm-19_asm-examine
               name: assessment-method
               props:
@@ -81125,6 +88303,9 @@ catalog:
                       value: PM-20[01]
                       class: sp800-53a
                   prose: a central resource webpage is maintained on the organization’s principal public website;
+                  links:
+                    - href: '#pm-20_smt'
+                      rel: assessment-for
                 - id: pm-20_obj-2
                   name: assessment-objective
                   props:
@@ -81132,6 +88313,9 @@ catalog:
                       value: PM-20[02]
                       class: sp800-53a
                   prose: the webpage serves as a central source of information about the organization’s privacy program;
+                  links:
+                    - href: '#pm-20_smt'
+                      rel: assessment-for
                 - id: pm-20_obj.a
                   name: assessment-objective
                   props:
@@ -81146,6 +88330,9 @@ catalog:
                           value: PM-20a.[01]
                           class: sp800-53a
                       prose: the webpage ensures that the public has access to information about organizational privacy activities;
+                      links:
+                        - href: '#pm-20_smt.a'
+                          rel: assessment-for
                     - id: pm-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -81153,6 +88340,12 @@ catalog:
                           value: PM-20a.[02]
                           class: sp800-53a
                       prose: the webpage ensures that the public can communicate with its senior agency official for privacy;
+                      links:
+                        - href: '#pm-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20_smt.a'
+                      rel: assessment-for
                 - id: pm-20_obj.b
                   name: assessment-objective
                   props:
@@ -81167,6 +88360,9 @@ catalog:
                           value: PM-20b.[01]
                           class: sp800-53a
                       prose: the webpage ensures that organizational privacy practices are publicly available;
+                      links:
+                        - href: '#pm-20_smt.b'
+                          rel: assessment-for
                     - id: pm-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -81174,6 +88370,12 @@ catalog:
                           value: PM-20b.[02]
                           class: sp800-53a
                       prose: the webpage ensures that organizational privacy reports are publicly available;
+                      links:
+                        - href: '#pm-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20_smt.b'
+                      rel: assessment-for
                 - id: pm-20_obj.c
                   name: assessment-objective
                   props:
@@ -81181,6 +88383,12 @@ catalog:
                       value: PM-20c.
                       class: sp800-53a
                   prose: the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.
+                  links:
+                    - href: '#pm-20_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-20_smt'
+                  rel: assessment-for
             - id: pm-20_asm-examine
               name: assessment-method
               props:
@@ -81298,6 +88506,9 @@ catalog:
                           value: PM-20(01)[01]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all external-facing websites;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj-2
                       name: assessment-objective
                       props:
@@ -81305,6 +88516,9 @@ catalog:
                           value: PM-20(01)[02]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all mobile applications;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj-3
                       name: assessment-objective
                       props:
@@ -81312,6 +88526,9 @@ catalog:
                           value: PM-20(01)[03]
                           class: sp800-53a
                       prose: privacy policies are developed and posted on all other digital services;
+                      links:
+                        - href: '#pm-20.1_smt'
+                          rel: assessment-for
                     - id: pm-20.1_obj.a
                       name: assessment-objective
                       props:
@@ -81326,6 +88543,9 @@ catalog:
                               value: PM-20(01)(a)[01]
                               class: sp800-53a
                           prose: the privacy policies are written in plain language;
+                          links:
+                            - href: '#pm-20.1_smt.a'
+                              rel: assessment-for
                         - id: pm-20.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -81333,6 +88553,12 @@ catalog:
                               value: PM-20(01)(a)[02]
                               class: sp800-53a
                           prose: the privacy policies are organized in a way that is easy to understand and navigate;
+                          links:
+                            - href: '#pm-20.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.a'
+                          rel: assessment-for
                     - id: pm-20.1_obj.b
                       name: assessment-objective
                       props:
@@ -81347,6 +88573,9 @@ catalog:
                               value: PM-20(01)(b)[01]
                               class: sp800-53a
                           prose: the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;
+                          links:
+                            - href: '#pm-20.1_smt.b'
+                              rel: assessment-for
                         - id: pm-20.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -81354,6 +88583,12 @@ catalog:
                               value: PM-20(01)(b)[02]
                               class: sp800-53a
                           prose: the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;
+                          links:
+                            - href: '#pm-20.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.b'
+                          rel: assessment-for
                     - id: pm-20.1_obj.c
                       name: assessment-objective
                       props:
@@ -81368,6 +88603,9 @@ catalog:
                               value: PM-20(01)(c)[01]
                               class: sp800-53a
                           prose: the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;
+                          links:
+                            - href: '#pm-20.1_smt.c'
+                              rel: assessment-for
                         - id: pm-20.1_obj.c-2
                           name: assessment-objective
                           props:
@@ -81375,6 +88613,15 @@ catalog:
                               value: PM-20(01)(c)[02]
                               class: sp800-53a
                           prose: the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.
+                          links:
+                            - href: '#pm-20.1_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-20.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-20.1_smt'
+                      rel: assessment-for
                 - id: pm-20.1_asm-examine
                   name: assessment-method
                   props:
@@ -81517,6 +88764,9 @@ catalog:
                               value: PM-21a.01[01]
                               class: sp800-53a
                           prose: the accounting includes the date of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
                         - id: pm-21_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -81524,6 +88774,9 @@ catalog:
                               value: PM-21a.01[02]
                               class: sp800-53a
                           prose: the accounting includes the nature of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
                         - id: pm-21_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -81531,6 +88784,12 @@ catalog:
                               value: PM-21a.01[03]
                               class: sp800-53a
                           prose: the accounting includes the purpose of each disclosure;
+                          links:
+                            - href: '#pm-21_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-21_smt.a.1'
+                          rel: assessment-for
                     - id: pm-21_obj.a.2
                       name: assessment-objective
                       props:
@@ -81545,6 +88804,9 @@ catalog:
                               value: PM-21a.02[01]
                               class: sp800-53a
                           prose: the accounting includes the name of the individual or organization to whom the disclosure was made;
+                          links:
+                            - href: '#pm-21_smt.a.2'
+                              rel: assessment-for
                         - id: pm-21_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -81552,6 +88814,15 @@ catalog:
                               value: PM-21a.02[02]
                               class: sp800-53a
                           prose: the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;
+                          links:
+                            - href: '#pm-21_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-21_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-21_smt.a'
+                      rel: assessment-for
                 - id: pm-21_obj.b
                   name: assessment-objective
                   props:
@@ -81559,6 +88830,9 @@ catalog:
                       value: PM-21b.
                       class: sp800-53a
                   prose: the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;
+                  links:
+                    - href: '#pm-21_smt.b'
+                      rel: assessment-for
                 - id: pm-21_obj.c
                   name: assessment-objective
                   props:
@@ -81566,6 +88840,12 @@ catalog:
                       value: PM-21c.
                       class: sp800-53a
                   prose: the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.
+                  links:
+                    - href: '#pm-21_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-21_smt'
+                  rel: assessment-for
             - id: pm-21_asm-examine
               name: assessment-method
               props:
@@ -81700,6 +88980,9 @@ catalog:
                       value: PM-22[01]
                       class: sp800-53a
                   prose: organization-wide policies for personally identifiable information quality management are developed and documented;
+                  links:
+                    - href: '#pm-22_smt'
+                      rel: assessment-for
                 - id: pm-22_obj-2
                   name: assessment-objective
                   props:
@@ -81707,6 +88990,9 @@ catalog:
                       value: PM-22[02]
                       class: sp800-53a
                   prose: organization-wide procedures for personally identifiable information quality management are developed and documented;
+                  links:
+                    - href: '#pm-22_smt'
+                      rel: assessment-for
                 - id: pm-22_obj.a
                   name: assessment-objective
                   props:
@@ -81721,6 +89007,9 @@ catalog:
                           value: PM-22a.[01]
                           class: sp800-53a
                       prose: the policies address reviewing the accuracy of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-2
                       name: assessment-objective
                       props:
@@ -81728,6 +89017,9 @@ catalog:
                           value: PM-22a.[02]
                           class: sp800-53a
                       prose: the policies address reviewing the relevance of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-3
                       name: assessment-objective
                       props:
@@ -81735,6 +89027,9 @@ catalog:
                           value: PM-22a.[03]
                           class: sp800-53a
                       prose: the policies address reviewing the timeliness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-4
                       name: assessment-objective
                       props:
@@ -81742,6 +89037,9 @@ catalog:
                           value: PM-22a.[04]
                           class: sp800-53a
                       prose: the policies address reviewing the completeness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-5
                       name: assessment-objective
                       props:
@@ -81749,6 +89047,9 @@ catalog:
                           value: PM-22a.[05]
                           class: sp800-53a
                       prose: the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-6
                       name: assessment-objective
                       props:
@@ -81756,6 +89057,9 @@ catalog:
                           value: PM-22a.[06]
                           class: sp800-53a
                       prose: the procedures address reviewing the relevance of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-7
                       name: assessment-objective
                       props:
@@ -81763,6 +89067,9 @@ catalog:
                           value: PM-22a.[07]
                           class: sp800-53a
                       prose: the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
                     - id: pm-22_obj.a-8
                       name: assessment-objective
                       props:
@@ -81770,6 +89077,12 @@ catalog:
                           value: PM-22a.[08]
                           class: sp800-53a
                       prose: the procedures address reviewing the completeness of personally identifiable information across the information life cycle;
+                      links:
+                        - href: '#pm-22_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.a'
+                      rel: assessment-for
                 - id: pm-22_obj.b
                   name: assessment-objective
                   props:
@@ -81784,6 +89097,9 @@ catalog:
                           value: PM-22b.[01]
                           class: sp800-53a
                       prose: the policies address correcting or deleting inaccurate or outdated personally identifiable information;
+                      links:
+                        - href: '#pm-22_smt.b'
+                          rel: assessment-for
                     - id: pm-22_obj.b-2
                       name: assessment-objective
                       props:
@@ -81791,6 +89107,12 @@ catalog:
                           value: PM-22b.[02]
                           class: sp800-53a
                       prose: the procedures address correcting or deleting inaccurate or outdated personally identifiable information;
+                      links:
+                        - href: '#pm-22_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.b'
+                      rel: assessment-for
                 - id: pm-22_obj.c
                   name: assessment-objective
                   props:
@@ -81805,6 +89127,9 @@ catalog:
                           value: PM-22c.[01]
                           class: sp800-53a
                       prose: the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+                      links:
+                        - href: '#pm-22_smt.c'
+                          rel: assessment-for
                     - id: pm-22_obj.c-2
                       name: assessment-objective
                       props:
@@ -81812,6 +89137,12 @@ catalog:
                           value: PM-22c.[02]
                           class: sp800-53a
                       prose: the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;
+                      links:
+                        - href: '#pm-22_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.c'
+                      rel: assessment-for
                 - id: pm-22_obj.d
                   name: assessment-objective
                   props:
@@ -81826,6 +89157,9 @@ catalog:
                           value: PM-22d.[01]
                           class: sp800-53a
                       prose: the policies address appeals of adverse decisions on correction or deletion requests;
+                      links:
+                        - href: '#pm-22_smt.d'
+                          rel: assessment-for
                     - id: pm-22_obj.d-2
                       name: assessment-objective
                       props:
@@ -81833,6 +89167,15 @@ catalog:
                           value: PM-22d.[02]
                           class: sp800-53a
                       prose: the procedures address appeals of adverse decisions on correction or deletion requests.
+                      links:
+                        - href: '#pm-22_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-22_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pm-22_smt'
+                  rel: assessment-for
             - id: pm-22_asm-examine
               name: assessment-method
               props:
@@ -81959,6 +89302,9 @@ catalog:
                   value: PM-23
                   class: sp800-53a
               prose: 'a Data Governance Body consisting of {{ insert: param, pm-23_odp.01 }} with {{ insert: param, pm-23_odp.02 }} is established.'
+              links:
+                - href: '#pm-23_smt'
+                  rel: assessment-for
             - id: pm-23_asm-examine
               name: assessment-method
               props:
@@ -82061,6 +89407,9 @@ catalog:
                       value: PM-24a.
                       class: sp800-53a
                   prose: the Data Integrity Board reviews proposals to conduct or participate in a matching program;
+                  links:
+                    - href: '#pm-24_smt.a'
+                      rel: assessment-for
                 - id: pm-24_obj.b
                   name: assessment-objective
                   props:
@@ -82068,6 +89417,12 @@ catalog:
                       value: PM-24b.
                       class: sp800-53a
                   prose: the Data Integrity Board conducts an annual review of all matching programs in which the agency has participated.
+                  links:
+                    - href: '#pm-24_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-24_smt'
+                  rel: assessment-for
             - id: pm-24_asm-examine
               name: assessment-method
               props:
@@ -82232,6 +89587,9 @@ catalog:
                           value: PM-25a.[01]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal testing are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-2
                       name: assessment-objective
                       props:
@@ -82239,6 +89597,9 @@ catalog:
                           value: PM-25a.[02]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal training are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-3
                       name: assessment-objective
                       props:
@@ -82246,6 +89607,9 @@ catalog:
                           value: PM-25a.[03]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal research are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-4
                       name: assessment-objective
                       props:
@@ -82253,6 +89617,9 @@ catalog:
                           value: PM-25a.[04]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal testing are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-5
                       name: assessment-objective
                       props:
@@ -82260,6 +89627,9 @@ catalog:
                           value: PM-25a.[05]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal training are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-6
                       name: assessment-objective
                       props:
@@ -82267,6 +89637,9 @@ catalog:
                           value: PM-25a.[06]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal research are developed and documented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-7
                       name: assessment-objective
                       props:
@@ -82274,6 +89647,9 @@ catalog:
                           value: PM-25a.[07]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for internal testing, are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-8
                       name: assessment-objective
                       props:
@@ -82281,6 +89657,9 @@ catalog:
                           value: PM-25a.[08]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for training are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-9
                       name: assessment-objective
                       props:
@@ -82288,6 +89667,9 @@ catalog:
                           value: PM-25a.[09]
                           class: sp800-53a
                       prose: policies that address the use of personally identifiable information for research are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-10
                       name: assessment-objective
                       props:
@@ -82295,6 +89677,9 @@ catalog:
                           value: PM-25a.[10]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for internal testing are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-11
                       name: assessment-objective
                       props:
@@ -82302,6 +89687,9 @@ catalog:
                           value: PM-25a.[11]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for training are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
                     - id: pm-25_obj.a-12
                       name: assessment-objective
                       props:
@@ -82309,6 +89697,12 @@ catalog:
                           value: PM-25a.[12]
                           class: sp800-53a
                       prose: procedures that address the use of personally identifiable information for research are implemented;
+                      links:
+                        - href: '#pm-25_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.a'
+                      rel: assessment-for
                 - id: pm-25_obj.b
                   name: assessment-objective
                   props:
@@ -82323,6 +89717,9 @@ catalog:
                           value: PM-25b.[01]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal testing purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
                     - id: pm-25_obj.b-2
                       name: assessment-objective
                       props:
@@ -82330,6 +89727,9 @@ catalog:
                           value: PM-25b.[02]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal training purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
                     - id: pm-25_obj.b-3
                       name: assessment-objective
                       props:
@@ -82337,6 +89737,12 @@ catalog:
                           value: PM-25b.[03]
                           class: sp800-53a
                       prose: the amount of personally identifiable information used for internal research purposes is limited or minimized;
+                      links:
+                        - href: '#pm-25_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.b'
+                      rel: assessment-for
                 - id: pm-25_obj.c
                   name: assessment-objective
                   props:
@@ -82351,6 +89757,9 @@ catalog:
                           value: PM-25c.[01]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal testing is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
                     - id: pm-25_obj.c-2
                       name: assessment-objective
                       props:
@@ -82358,6 +89767,9 @@ catalog:
                           value: PM-25c.[02]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal training is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
                     - id: pm-25_obj.c-3
                       name: assessment-objective
                       props:
@@ -82365,6 +89777,12 @@ catalog:
                           value: PM-25c.[03]
                           class: sp800-53a
                       prose: the required use of personally identifiable information for internal research is authorized;
+                      links:
+                        - href: '#pm-25_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.c'
+                      rel: assessment-for
                 - id: pm-25_obj.d
                   name: assessment-objective
                   props:
@@ -82379,6 +89797,9 @@ catalog:
                           value: PM-25d.[01]
                           class: sp800-53a
                       prose: 'policies are reviewed {{ insert: param, pm-25_odp.01 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-2
                       name: assessment-objective
                       props:
@@ -82386,6 +89807,9 @@ catalog:
                           value: PM-25d.[02]
                           class: sp800-53a
                       prose: 'policies are updated {{ insert: param, pm-25_odp.02 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-3
                       name: assessment-objective
                       props:
@@ -82393,6 +89817,9 @@ catalog:
                           value: PM-25d.[03]
                           class: sp800-53a
                       prose: 'procedures are reviewed {{ insert: param, pm-25_odp.03 }};'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
                     - id: pm-25_obj.d-4
                       name: assessment-objective
                       props:
@@ -82400,6 +89827,15 @@ catalog:
                           value: PM-25d.[04]
                           class: sp800-53a
                       prose: 'procedures are updated {{ insert: param, pm-25_odp.04 }}.'
+                      links:
+                        - href: '#pm-25_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-25_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pm-25_smt'
+                  rel: assessment-for
             - id: pm-25_asm-examine
               name: assessment-method
               props:
@@ -82580,6 +90016,9 @@ catalog:
                       value: PM-26[01]
                       class: sp800-53a
                   prose: a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+                  links:
+                    - href: '#pm-26_smt'
+                      rel: assessment-for
                 - id: pm-26_obj-2
                   name: assessment-objective
                   props:
@@ -82587,6 +90026,9 @@ catalog:
                       value: PM-26[02]
                       class: sp800-53a
                   prose: a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;
+                  links:
+                    - href: '#pm-26_smt'
+                      rel: assessment-for
                 - id: pm-26_obj.a
                   name: assessment-objective
                   props:
@@ -82601,6 +90043,9 @@ catalog:
                           value: PM-26a.[01]
                           class: sp800-53a
                       prose: the complaint management process includes mechanisms that are easy to use by the public;
+                      links:
+                        - href: '#pm-26_smt.a'
+                          rel: assessment-for
                     - id: pm-26_obj.a-2
                       name: assessment-objective
                       props:
@@ -82608,6 +90053,12 @@ catalog:
                           value: PM-26a.[02]
                           class: sp800-53a
                       prose: the complaint management process includes mechanisms that are readily accessible by the public;
+                      links:
+                        - href: '#pm-26_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-26_smt.a'
+                      rel: assessment-for
                 - id: pm-26_obj.b
                   name: assessment-objective
                   props:
@@ -82615,6 +90066,9 @@ catalog:
                       value: PM-26b.
                       class: sp800-53a
                   prose: the complaint management process includes all information necessary for successfully filing complaints;
+                  links:
+                    - href: '#pm-26_smt.b'
+                      rel: assessment-for
                 - id: pm-26_obj.c
                   name: assessment-objective
                   props:
@@ -82629,6 +90083,9 @@ catalog:
                           value: PM-26c.[01]
                           class: sp800-53a
                       prose: 'the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within {{ insert: param, pm-26_odp.01 }};'
+                      links:
+                        - href: '#pm-26_smt.c'
+                          rel: assessment-for
                     - id: pm-26_obj.c-2
                       name: assessment-objective
                       props:
@@ -82636,6 +90093,12 @@ catalog:
                           value: PM-26c.[02]
                           class: sp800-53a
                       prose: 'the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within {{ insert: param, pm-26_odp.02 }};'
+                      links:
+                        - href: '#pm-26_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-26_smt.c'
+                      rel: assessment-for
                 - id: pm-26_obj.d
                   name: assessment-objective
                   props:
@@ -82643,6 +90106,9 @@ catalog:
                       value: PM-26d.
                       class: sp800-53a
                   prose: 'the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }};'
+                  links:
+                    - href: '#pm-26_smt.d'
+                      rel: assessment-for
                 - id: pm-26_obj.e
                   name: assessment-objective
                   props:
@@ -82650,6 +90116,12 @@ catalog:
                       value: PM-26e.
                       class: sp800-53a
                   prose: 'the complaint management process includes responding to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.'
+                  links:
+                    - href: '#pm-26_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pm-26_smt'
+                  rel: assessment-for
             - id: pm-26_asm-examine
               name: assessment-method
               props:
@@ -82823,6 +90295,9 @@ catalog:
                           value: PM-27a.01
                           class: sp800-53a
                       prose: 'the privacy reports are disseminated to {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates;'
+                      links:
+                        - href: '#pm-27_smt.a.1'
+                          rel: assessment-for
                     - id: pm-27_obj.a.2
                       name: assessment-objective
                       props:
@@ -82837,6 +90312,9 @@ catalog:
                               value: PM-27a.02[01]
                               class: sp800-53a
                           prose: 'the privacy reports are disseminated to {{ insert: param, pm-27_odp.03 }};'
+                          links:
+                            - href: '#pm-27_smt.a.2'
+                              rel: assessment-for
                         - id: pm-27_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -82844,6 +90322,15 @@ catalog:
                               value: PM-27a.02[02]
                               class: sp800-53a
                           prose: the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;
+                          links:
+                            - href: '#pm-27_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-27_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-27_smt.a'
+                      rel: assessment-for
                 - id: pm-27_obj.b
                   name: assessment-objective
                   props:
@@ -82851,6 +90338,12 @@ catalog:
                       value: PM-27b.
                       class: sp800-53a
                   prose: 'the privacy reports are reviewed and updated {{ insert: param, pm-27_odp.04 }}.'
+                  links:
+                    - href: '#pm-27_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-27_smt'
+                  rel: assessment-for
             - id: pm-27_asm-examine
               name: assessment-method
               props:
@@ -83022,6 +90515,9 @@ catalog:
                               value: PM-28a.01[01]
                               class: sp800-53a
                           prose: assumptions affecting risk assessments are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
                         - id: pm-28_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -83029,6 +90525,9 @@ catalog:
                               value: PM-28a.01[02]
                               class: sp800-53a
                           prose: assumptions affecting risk responses are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
                         - id: pm-28_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -83036,6 +90535,12 @@ catalog:
                               value: PM-28a.01[03]
                               class: sp800-53a
                           prose: assumptions affecting risk monitoring are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.1'
+                          rel: assessment-for
                     - id: pm-28_obj.a.2
                       name: assessment-objective
                       props:
@@ -83050,6 +90555,9 @@ catalog:
                               value: PM-28a.02[01]
                               class: sp800-53a
                           prose: constraints affecting risk assessments are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
                         - id: pm-28_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -83057,6 +90565,9 @@ catalog:
                               value: PM-28a.02[02]
                               class: sp800-53a
                           prose: constraints affecting risk responses are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
                         - id: pm-28_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -83064,6 +90575,12 @@ catalog:
                               value: PM-28a.02[03]
                               class: sp800-53a
                           prose: constraints affecting risk monitoring are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.2'
+                          rel: assessment-for
                     - id: pm-28_obj.a.3
                       name: assessment-objective
                       props:
@@ -83078,6 +90595,9 @@ catalog:
                               value: PM-28a.03[01]
                               class: sp800-53a
                           prose: priorities considered by the organization for managing risk are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.3'
+                              rel: assessment-for
                         - id: pm-28_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -83085,6 +90605,12 @@ catalog:
                               value: PM-28a.03[02]
                               class: sp800-53a
                           prose: trade-offs considered by the organization for managing risk are identified and documented;
+                          links:
+                            - href: '#pm-28_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#pm-28_smt.a.3'
+                          rel: assessment-for
                     - id: pm-28_obj.a.4
                       name: assessment-objective
                       props:
@@ -83092,6 +90618,12 @@ catalog:
                           value: PM-28a.04
                           class: sp800-53a
                       prose: organizational risk tolerance is identified and documented;
+                      links:
+                        - href: '#pm-28_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-28_smt.a'
+                      rel: assessment-for
                 - id: pm-28_obj.b
                   name: assessment-objective
                   props:
@@ -83099,6 +90631,9 @@ catalog:
                       value: PM-28b.
                       class: sp800-53a
                   prose: 'the results of risk framing activities are distributed to {{ insert: param, pm-28_odp.01 }};'
+                  links:
+                    - href: '#pm-28_smt.b'
+                      rel: assessment-for
                 - id: pm-28_obj.c
                   name: assessment-objective
                   props:
@@ -83106,6 +90641,12 @@ catalog:
                       value: PM-28c.
                       class: sp800-53a
                   prose: 'risk framing considerations are reviewed and updated {{ insert: param, pm-28_odp.02 }}.'
+                  links:
+                    - href: '#pm-28_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-28_smt'
+                  rel: assessment-for
             - id: pm-28_asm-examine
               name: assessment-method
               props:
@@ -83230,6 +90771,9 @@ catalog:
                           value: PM-29a.[01]
                           class: sp800-53a
                       prose: a Senior Accountable Official for Risk Management is appointed;
+                      links:
+                        - href: '#pm-29_smt.a'
+                          rel: assessment-for
                     - id: pm-29_obj.a-2
                       name: assessment-objective
                       props:
@@ -83237,6 +90781,12 @@ catalog:
                           value: PM-29a.[02]
                           class: sp800-53a
                       prose: a Senior Accountable Official for Risk Management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;
+                      links:
+                        - href: '#pm-29_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-29_smt.a'
+                      rel: assessment-for
                 - id: pm-29_obj.b
                   name: assessment-objective
                   props:
@@ -83251,6 +90801,9 @@ catalog:
                           value: PM-29b.[01]
                           class: sp800-53a
                       prose: a Risk Executive (function) is established;
+                      links:
+                        - href: '#pm-29_smt.b'
+                          rel: assessment-for
                     - id: pm-29_obj.b-2
                       name: assessment-objective
                       props:
@@ -83258,6 +90811,9 @@ catalog:
                           value: PM-29b.[02]
                           class: sp800-53a
                       prose: a Risk Executive (function) views and analyzes risk from an organization-wide perspective;
+                      links:
+                        - href: '#pm-29_smt.b'
+                          rel: assessment-for
                     - id: pm-29_obj.b-3
                       name: assessment-objective
                       props:
@@ -83265,6 +90821,15 @@ catalog:
                           value: PM-29b.[03]
                           class: sp800-53a
                       prose: a Risk Executive (function) ensures that the management of risk is consistent across the organization.
+                      links:
+                        - href: '#pm-29_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-29_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pm-29_smt'
+                  rel: assessment-for
             - id: pm-29_asm-examine
               name: assessment-method
               props:
@@ -83432,6 +90997,9 @@ catalog:
                           value: PM-30a.[01]
                           class: sp800-53a
                       prose: an organization-wide strategy for managing supply chain risks is developed;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-2
                       name: assessment-objective
                       props:
@@ -83439,6 +91007,9 @@ catalog:
                           value: PM-30a.[02]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the development of systems;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-3
                       name: assessment-objective
                       props:
@@ -83446,6 +91017,9 @@ catalog:
                           value: PM-30a.[03]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the development of system components;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-4
                       name: assessment-objective
                       props:
@@ -83453,6 +91027,9 @@ catalog:
                           value: PM-30a.[04]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the development of system services;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-5
                       name: assessment-objective
                       props:
@@ -83460,6 +91037,9 @@ catalog:
                           value: PM-30a.[05]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the acquisition of systems;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-6
                       name: assessment-objective
                       props:
@@ -83467,6 +91047,9 @@ catalog:
                           value: PM-30a.[06]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the acquisition of system components;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-7
                       name: assessment-objective
                       props:
@@ -83474,6 +91057,9 @@ catalog:
                           value: PM-30a.[07]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the acquisition of system services;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-8
                       name: assessment-objective
                       props:
@@ -83481,6 +91067,9 @@ catalog:
                           value: PM-30a.[08]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the maintenance of systems;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-9
                       name: assessment-objective
                       props:
@@ -83488,6 +91077,9 @@ catalog:
                           value: PM-30a.[09]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the maintenance of system components;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-10
                       name: assessment-objective
                       props:
@@ -83495,6 +91087,9 @@ catalog:
                           value: PM-30a.[10]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the maintenance of system services;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-11
                       name: assessment-objective
                       props:
@@ -83502,6 +91097,9 @@ catalog:
                           value: PM-30a.[11]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the disposal of systems;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-12
                       name: assessment-objective
                       props:
@@ -83509,6 +91107,9 @@ catalog:
                           value: PM-30a.[12]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the disposal of system components;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
                     - id: pm-30_obj.a-13
                       name: assessment-objective
                       props:
@@ -83516,6 +91117,12 @@ catalog:
                           value: PM-30a.[13]
                           class: sp800-53a
                       prose: the supply chain risk management strategy addresses risks associated with the disposal of system services;
+                      links:
+                        - href: '#pm-30_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-30_smt.a'
+                      rel: assessment-for
                 - id: pm-30_obj.b
                   name: assessment-objective
                   props:
@@ -83523,6 +91130,9 @@ catalog:
                       value: PM-30b.
                       class: sp800-53a
                   prose: the supply chain risk management strategy is implemented consistently across the organization;
+                  links:
+                    - href: '#pm-30_smt.b'
+                      rel: assessment-for
                 - id: pm-30_obj.c
                   name: assessment-objective
                   props:
@@ -83530,6 +91140,12 @@ catalog:
                       value: PM-30c.
                       class: sp800-53a
                   prose: 'the supply chain risk management strategy is reviewed and updated {{ insert: param, pm-30_odp }} or as required to address organizational changes.'
+                  links:
+                    - href: '#pm-30_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pm-30_smt'
+                  rel: assessment-for
             - id: pm-30_asm-examine
               name: assessment-method
               props:
@@ -83614,6 +91230,9 @@ catalog:
                           value: PM-30(01)[01]
                           class: sp800-53a
                       prose: suppliers of critical or mission-essential technologies, products, and services are identified;
+                      links:
+                        - href: '#pm-30.1_smt'
+                          rel: assessment-for
                     - id: pm-30.1_obj-2
                       name: assessment-objective
                       props:
@@ -83621,6 +91240,9 @@ catalog:
                           value: PM-30(01)[02]
                           class: sp800-53a
                       prose: suppliers of critical or mission-essential technologies, products, and services are prioritized;
+                      links:
+                        - href: '#pm-30.1_smt'
+                          rel: assessment-for
                     - id: pm-30.1_obj-3
                       name: assessment-objective
                       props:
@@ -83628,6 +91250,12 @@ catalog:
                           value: PM-30(01)[03]
                           class: sp800-53a
                       prose: suppliers of critical or mission-essential technologies, products, and services are assessed.
+                      links:
+                        - href: '#pm-30.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-30.1_smt'
+                      rel: assessment-for
                 - id: pm-30.1_asm-examine
                   name: assessment-method
                   props:
@@ -83731,9 +91359,9 @@ catalog:
                 - name: label
                   value: PM-31_ODP[02]
                   class: sp800-53a
-              label: frequency
+              label: monitoring frequencies
               guidelines:
-                - prose: the frequency for monitoring is defined;
+                - prose: the frequencies for monitoring are defined;
             - id: pm-31_odp.03
               props:
                 - name: alt-identifier
@@ -83744,9 +91372,9 @@ catalog:
                 - name: label
                   value: PM-31_ODP[03]
                   class: sp800-53a
-              label: frequency
+              label: assessment frequencies
               guidelines:
-                - prose: the frequency for assessing control effectiveness is defined;
+                - prose: the frequencies for assessing control effectiveness are defined;
             - id: pm-31_odp.04
               props:
                 - name: label
@@ -83915,7 +91543,7 @@ catalog:
                   props:
                     - name: label
                       value: b.
-                  prose: 'Establishing {{ insert: param, pm-31_odp.02 }} for monitoring and {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;'
+                  prose: 'Establishing {{ insert: param, pm-31_odp.02 }} and {{ insert: param, pm-31_odp.03 }} for control effectiveness;'
                 - id: pm-31_smt.c
                   name: item
                   props:
@@ -83958,6 +91586,9 @@ catalog:
                       value: PM-31a.
                       class: sp800-53a
                   prose: 'continuous monitoring programs are implemented that include establishing {{ insert: param, pm-31_odp.01 }} to be monitored;'
+                  links:
+                    - href: '#pm-31_smt.a'
+                      rel: assessment-for
                 - id: pm-31_obj.b
                   name: assessment-objective
                   props:
@@ -83972,6 +91603,9 @@ catalog:
                           value: PM-31b.[01]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.02 }} for monitoring;'
+                      links:
+                        - href: '#pm-31_smt.b'
+                          rel: assessment-for
                     - id: pm-31_obj.b-2
                       name: assessment-objective
                       props:
@@ -83979,6 +91613,12 @@ catalog:
                           value: PM-31b.[02]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that establish {{ insert: param, pm-31_odp.03 }} for assessment of control effectiveness;'
+                      links:
+                        - href: '#pm-31_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.b'
+                      rel: assessment-for
                 - id: pm-31_obj.c
                   name: assessment-objective
                   props:
@@ -83986,6 +91626,9 @@ catalog:
                       value: PM-31c.
                       class: sp800-53a
                   prose: 'continuous monitoring programs are implemented that include monitoring {{ insert: param, pm-31_odp.01 }} on an ongoing basis in accordance with the continuous monitoring strategy;'
+                  links:
+                    - href: '#pm-31_smt.c'
+                      rel: assessment-for
                 - id: pm-31_obj.d
                   name: assessment-objective
                   props:
@@ -84000,6 +91643,9 @@ catalog:
                           value: PM-31d.[01]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;
+                      links:
+                        - href: '#pm-31_smt.d'
+                          rel: assessment-for
                     - id: pm-31_obj.d-2
                       name: assessment-objective
                       props:
@@ -84007,6 +91653,12 @@ catalog:
                           value: PM-31d.[02]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;
+                      links:
+                        - href: '#pm-31_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.d'
+                      rel: assessment-for
                 - id: pm-31_obj.e
                   name: assessment-objective
                   props:
@@ -84021,6 +91673,9 @@ catalog:
                           value: PM-31e.[01]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;
+                      links:
+                        - href: '#pm-31_smt.e'
+                          rel: assessment-for
                     - id: pm-31_obj.e-2
                       name: assessment-objective
                       props:
@@ -84028,6 +91683,12 @@ catalog:
                           value: PM-31e.[02]
                           class: sp800-53a
                       prose: continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;
+                      links:
+                        - href: '#pm-31_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.e'
+                      rel: assessment-for
                 - id: pm-31_obj.f
                   name: assessment-objective
                   props:
@@ -84042,6 +91703,9 @@ catalog:
                           value: PM-31f.[01]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that include reporting the security status of organizational systems to {{ insert: param, pm-31_odp.04 }} {{ insert: param, pm-31_odp.06 }};'
+                      links:
+                        - href: '#pm-31_smt.f'
+                          rel: assessment-for
                     - id: pm-31_obj.f-2
                       name: assessment-objective
                       props:
@@ -84049,6 +91713,15 @@ catalog:
                           value: PM-31f.[02]
                           class: sp800-53a
                       prose: 'continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to {{ insert: param, pm-31_odp.05 }} {{ insert: param, pm-31_odp.07 }}.'
+                      links:
+                        - href: '#pm-31_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#pm-31_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#pm-31_smt'
+                  rel: assessment-for
             - id: pm-31_asm-examine
               name: assessment-method
               props:
@@ -84179,6 +91852,9 @@ catalog:
                   value: PM-32
                   class: sp800-53a
               prose: '{{ insert: param, pm-32_odp }} supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.'
+              links:
+                - href: '#pm-32_smt'
+                  rel: assessment-for
             - id: pm-32_asm-examine
               name: assessment-method
               props:
@@ -84424,6 +92100,9 @@ catalog:
                           value: PS-01a.[01]
                           class: sp800-53a
                       prose: a personnel security policy is developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -84431,6 +92110,9 @@ catalog:
                           value: PS-01a.[02]
                           class: sp800-53a
                       prose: 'the personnel security policy is disseminated to {{ insert: param, ps-01_odp.01 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -84438,6 +92120,9 @@ catalog:
                           value: PS-01a.[03]
                           class: sp800-53a
                       prose: personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -84445,6 +92130,9 @@ catalog:
                           value: PS-01a.[04]
                           class: sp800-53a
                       prose: 'the personnel security procedures are disseminated to {{ insert: param, ps-01_odp.02 }};'
+                      links:
+                        - href: '#ps-1_smt.a'
+                          rel: assessment-for
                     - id: ps-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -84466,6 +92154,9 @@ catalog:
                                   value: PS-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses purpose;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -84473,6 +92164,9 @@ catalog:
                                   value: PS-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses scope;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -84480,6 +92174,9 @@ catalog:
                                   value: PS-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses roles;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -84487,6 +92184,9 @@ catalog:
                                   value: PS-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses responsibilities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -84494,6 +92194,9 @@ catalog:
                                   value: PS-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses management commitment;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -84501,6 +92204,9 @@ catalog:
                                   value: PS-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ps-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -84508,6 +92214,12 @@ catalog:
                                   value: PS-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy addresses compliance;'
+                              links:
+                                - href: '#ps-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ps-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ps-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -84515,6 +92227,15 @@ catalog:
                               value: PS-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ps-01_odp.03 }} personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ps-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.a'
+                      rel: assessment-for
                 - id: ps-1_obj.b
                   name: assessment-objective
                   props:
@@ -84522,6 +92243,9 @@ catalog:
                       value: PS-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ps-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;'
+                  links:
+                    - href: '#ps-1_smt.b'
+                      rel: assessment-for
                 - id: ps-1_obj.c
                   name: assessment-objective
                   props:
@@ -84543,6 +92267,9 @@ catalog:
                               value: PS-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated {{ insert: param, ps-01_odp.05 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
                         - id: ps-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -84550,6 +92277,12 @@ catalog:
                               value: PS-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personnel security policy is reviewed and updated following {{ insert: param, ps-01_odp.06 }};'
+                          links:
+                            - href: '#ps-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.1'
+                          rel: assessment-for
                     - id: ps-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -84564,6 +92297,9 @@ catalog:
                               value: PS-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated {{ insert: param, ps-01_odp.07 }};'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
                         - id: ps-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -84571,6 +92307,18 @@ catalog:
                               value: PS-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personnel security procedures are reviewed and updated following {{ insert: param, ps-01_odp.08 }}.'
+                          links:
+                            - href: '#ps-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ps-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-1_smt'
+                  rel: assessment-for
             - id: ps-1_asm-examine
               name: assessment-method
               props:
@@ -84700,6 +92448,9 @@ catalog:
                       value: PS-02a.
                       class: sp800-53a
                   prose: a risk designation is assigned to all organizational positions;
+                  links:
+                    - href: '#ps-2_smt.a'
+                      rel: assessment-for
                 - id: ps-2_obj.b
                   name: assessment-objective
                   props:
@@ -84707,6 +92458,9 @@ catalog:
                       value: PS-02b.
                       class: sp800-53a
                   prose: screening criteria are established for individuals filling organizational positions;
+                  links:
+                    - href: '#ps-2_smt.b'
+                      rel: assessment-for
                 - id: ps-2_obj.c
                   name: assessment-objective
                   props:
@@ -84714,6 +92468,12 @@ catalog:
                       value: PS-02c.
                       class: sp800-53a
                   prose: 'position risk designations are reviewed and updated {{ insert: param, ps-02_odp }}.'
+                  links:
+                    - href: '#ps-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-2_smt'
+                  rel: assessment-for
             - id: ps-2_asm-examine
               name: assessment-method
               props:
@@ -84879,6 +92639,9 @@ catalog:
                       value: PS-03a.
                       class: sp800-53a
                   prose: individuals are screened prior to authorizing access to the system;
+                  links:
+                    - href: '#ps-3_smt.a'
+                      rel: assessment-for
                 - id: ps-3_obj.b
                   name: assessment-objective
                   props:
@@ -84893,6 +92656,9 @@ catalog:
                           value: PS-03b.[01]
                           class: sp800-53a
                       prose: 'individuals are rescreened in accordance with {{ insert: param, ps-03_odp.01 }};'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
                     - id: ps-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -84900,6 +92666,15 @@ catalog:
                           value: PS-03b.[02]
                           class: sp800-53a
                       prose: 'where rescreening is so indicated, individuals are rescreened {{ insert: param, ps-03_odp.02 }}.'
+                      links:
+                        - href: '#ps-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-3_smt'
+                  rel: assessment-for
             - id: ps-3_asm-examine
               name: assessment-method
               props:
@@ -84991,6 +92766,9 @@ catalog:
                           value: PS-03(01)[01]
                           class: sp800-53a
                       prose: individuals accessing a system processing, storing, or transmitting classified information are cleared;
+                      links:
+                        - href: '#ps-3.1_smt'
+                          rel: assessment-for
                     - id: ps-3.1_obj-2
                       name: assessment-objective
                       props:
@@ -84998,6 +92776,12 @@ catalog:
                           value: PS-03(01)[02]
                           class: sp800-53a
                       prose: individuals accessing a system processing, storing, or transmitting classified information are indoctrinated to the highest classification level of the information to which they have access on the system.
+                      links:
+                        - href: '#ps-3.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3.1_smt'
+                      rel: assessment-for
                 - id: ps-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -85081,6 +92865,9 @@ catalog:
                       value: PS-03(02)
                       class: sp800-53a
                   prose: individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination are formally indoctrinated for all of the relevant types of information to which they have access on the system.
+                  links:
+                    - href: '#ps-3.2_smt'
+                      rel: assessment-for
                 - id: ps-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -85193,6 +92980,9 @@ catalog:
                           value: PS-03(03)(a)
                           class: sp800-53a
                       prose: individuals accessing a system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties;
+                      links:
+                        - href: '#ps-3.3_smt.a'
+                          rel: assessment-for
                     - id: ps-3.3_obj.b
                       name: assessment-objective
                       props:
@@ -85200,6 +92990,12 @@ catalog:
                           value: PS-03(03)(b)
                           class: sp800-53a
                       prose: 'individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy {{ insert: param, ps-03.03_odp }}.'
+                      links:
+                        - href: '#ps-3.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-3.3_smt'
+                      rel: assessment-for
                 - id: ps-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -85307,6 +93103,9 @@ catalog:
                       value: PS-03(04)
                       class: sp800-53a
                   prose: 'individuals accessing a system processing, storing, or transmitting {{ insert: param, ps-03.04_odp.01 }} meet {{ insert: param, ps-03.04_odp.02 }}.'
+                  links:
+                    - href: '#ps-3.4_smt'
+                      rel: assessment-for
                 - id: ps-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -85462,6 +93261,9 @@ catalog:
                       value: PS-04a.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, system access is disabled within {{ insert: param, ps-04_odp.01 }};'
+                  links:
+                    - href: '#ps-4_smt.a'
+                      rel: assessment-for
                 - id: ps-4_obj.b
                   name: assessment-objective
                   props:
@@ -85469,6 +93271,9 @@ catalog:
                       value: PS-04b.
                       class: sp800-53a
                   prose: upon termination of individual employment, any authenticators and credentials are terminated or revoked;
+                  links:
+                    - href: '#ps-4_smt.b'
+                      rel: assessment-for
                 - id: ps-4_obj.c
                   name: assessment-objective
                   props:
@@ -85476,6 +93281,9 @@ catalog:
                       value: PS-04c.
                       class: sp800-53a
                   prose: 'upon termination of individual employment, exit interviews that include a discussion of {{ insert: param, ps-04_odp.02 }} are conducted;'
+                  links:
+                    - href: '#ps-4_smt.c'
+                      rel: assessment-for
                 - id: ps-4_obj.d
                   name: assessment-objective
                   props:
@@ -85483,6 +93291,9 @@ catalog:
                       value: PS-04d.
                       class: sp800-53a
                   prose: upon termination of individual employment, all security-related organizational system-related property is retrieved;
+                  links:
+                    - href: '#ps-4_smt.d'
+                      rel: assessment-for
                 - id: ps-4_obj.e
                   name: assessment-objective
                   props:
@@ -85490,6 +93301,12 @@ catalog:
                       value: PS-04e.
                       class: sp800-53a
                   prose: upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.
+                  links:
+                    - href: '#ps-4_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-4_smt'
+                  rel: assessment-for
             - id: ps-4_asm-examine
               name: assessment-method
               props:
@@ -85604,6 +93421,9 @@ catalog:
                           value: PS-04(01)(a)
                           class: sp800-53a
                       prose: terminated individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;
+                      links:
+                        - href: '#ps-4.1_smt.a'
+                          rel: assessment-for
                     - id: ps-4.1_obj.b
                       name: assessment-objective
                       props:
@@ -85611,6 +93431,12 @@ catalog:
                           value: PS-04(01)(b)
                           class: sp800-53a
                       prose: terminated individuals are required to sign an acknowledgement of post-employment requirements as part of the organizational termination process.
+                      links:
+                        - href: '#ps-4.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-4.1_smt'
+                      rel: assessment-for
                 - id: ps-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -85725,6 +93551,9 @@ catalog:
                       value: PS-04(02)
                       class: sp800-53a
                   prose: '{{ insert: param, ps-04.02_odp.01 }} are used to {{ insert: param, ps-04.02_odp.02 }}.'
+                  links:
+                    - href: '#ps-4.2_smt'
+                      rel: assessment-for
                 - id: ps-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -85895,6 +93724,9 @@ catalog:
                       value: PS-05a.
                       class: sp800-53a
                   prose: the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;
+                  links:
+                    - href: '#ps-5_smt.a'
+                      rel: assessment-for
                 - id: ps-5_obj.b
                   name: assessment-objective
                   props:
@@ -85902,6 +93734,9 @@ catalog:
                       value: PS-05b.
                       class: sp800-53a
                   prose: '{{ insert: param, ps-05_odp.01 }} are initiated within {{ insert: param, ps-05_odp.02 }};'
+                  links:
+                    - href: '#ps-5_smt.b'
+                      rel: assessment-for
                 - id: ps-5_obj.c
                   name: assessment-objective
                   props:
@@ -85909,6 +93744,9 @@ catalog:
                       value: PS-05c.
                       class: sp800-53a
                   prose: access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;
+                  links:
+                    - href: '#ps-5_smt.c'
+                      rel: assessment-for
                 - id: ps-5_obj.d
                   name: assessment-objective
                   props:
@@ -85916,6 +93754,12 @@ catalog:
                       value: PS-05d.
                       class: sp800-53a
                   prose: '{{ insert: param, ps-05_odp.03 }} are notified within {{ insert: param, ps-05_odp.04 }}.'
+                  links:
+                    - href: '#ps-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#ps-5_smt'
+                  rel: assessment-for
             - id: ps-5_asm-examine
               name: assessment-method
               props:
@@ -86086,6 +93930,9 @@ catalog:
                       value: PS-06a.
                       class: sp800-53a
                   prose: access agreements are developed and documented for organizational systems;
+                  links:
+                    - href: '#ps-6_smt.a'
+                      rel: assessment-for
                 - id: ps-6_obj.b
                   name: assessment-objective
                   props:
@@ -86093,6 +93940,9 @@ catalog:
                       value: PS-06b.
                       class: sp800-53a
                   prose: 'the access agreements are reviewed and updated {{ insert: param, ps-06_odp.01 }};'
+                  links:
+                    - href: '#ps-6_smt.b'
+                      rel: assessment-for
                 - id: ps-6_obj.c
                   name: assessment-objective
                   props:
@@ -86107,6 +93957,9 @@ catalog:
                           value: PS-06c.01
                           class: sp800-53a
                       prose: individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;
+                      links:
+                        - href: '#ps-6_smt.c.1'
+                          rel: assessment-for
                     - id: ps-6_obj.c.2
                       name: assessment-objective
                       props:
@@ -86114,6 +93967,15 @@ catalog:
                           value: PS-06c.02
                           class: sp800-53a
                       prose: 'individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, ps-06_odp.02 }}.'
+                      links:
+                        - href: '#ps-6_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ps-6_smt'
+                  rel: assessment-for
             - id: ps-6_asm-examine
               name: assessment-method
               props:
@@ -86254,6 +94116,9 @@ catalog:
                           value: PS-06(02)(a)
                           class: sp800-53a
                       prose: access to classified information requiring special protection is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties;
+                      links:
+                        - href: '#ps-6.2_smt.a'
+                          rel: assessment-for
                     - id: ps-6.2_obj.b
                       name: assessment-objective
                       props:
@@ -86261,6 +94126,9 @@ catalog:
                           value: PS-06(02)(b)
                           class: sp800-53a
                       prose: access to classified information requiring special protection is granted only to individuals who satisfy associated personnel security criteria;
+                      links:
+                        - href: '#ps-6.2_smt.b'
+                          rel: assessment-for
                     - id: ps-6.2_obj.c
                       name: assessment-objective
                       props:
@@ -86268,6 +94136,12 @@ catalog:
                           value: PS-06(02)(c)
                           class: sp800-53a
                       prose: access to classified information requiring special protection is granted only to individuals who have read, understood, and signed a non-disclosure agreement.
+                      links:
+                        - href: '#ps-6.2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6.2_smt'
+                      rel: assessment-for
                 - id: ps-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -86379,6 +94253,9 @@ catalog:
                           value: PS-06(03)(a)
                           class: sp800-53a
                       prose: individuals are notified of applicable, legally binding post-employment requirements for the protection of organizational information;
+                      links:
+                        - href: '#ps-6.3_smt.a'
+                          rel: assessment-for
                     - id: ps-6.3_obj.b
                       name: assessment-objective
                       props:
@@ -86386,6 +94263,12 @@ catalog:
                           value: PS-06(03)(b)
                           class: sp800-53a
                       prose: individuals are required to sign an acknowledgement of applicable, legally binding post-employment requirements as part of being granted initial access to covered information.
+                      links:
+                        - href: '#ps-6.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ps-6.3_smt'
+                      rel: assessment-for
                 - id: ps-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -86561,6 +94444,9 @@ catalog:
                       value: PS-07a.
                       class: sp800-53a
                   prose: personnel security requirements are established, including security roles and responsibilities for external providers;
+                  links:
+                    - href: '#ps-7_smt.a'
+                      rel: assessment-for
                 - id: ps-7_obj.b
                   name: assessment-objective
                   props:
@@ -86568,6 +94454,9 @@ catalog:
                       value: PS-07b.
                       class: sp800-53a
                   prose: external providers are required to comply with personnel security policies and procedures established by the organization;
+                  links:
+                    - href: '#ps-7_smt.b'
+                      rel: assessment-for
                 - id: ps-7_obj.c
                   name: assessment-objective
                   props:
@@ -86575,6 +94464,9 @@ catalog:
                       value: PS-07c.
                       class: sp800-53a
                   prose: personnel security requirements are documented;
+                  links:
+                    - href: '#ps-7_smt.c'
+                      rel: assessment-for
                 - id: ps-7_obj.d
                   name: assessment-objective
                   props:
@@ -86582,6 +94474,9 @@ catalog:
                       value: PS-07d.
                       class: sp800-53a
                   prose: 'external providers are required to notify {{ insert: param, ps-07_odp.01 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within {{ insert: param, ps-07_odp.02 }};'
+                  links:
+                    - href: '#ps-7_smt.d'
+                      rel: assessment-for
                 - id: ps-7_obj.e
                   name: assessment-objective
                   props:
@@ -86589,6 +94484,12 @@ catalog:
                       value: PS-07e.
                       class: sp800-53a
                   prose: provider compliance with personnel security requirements is monitored.
+                  links:
+                    - href: '#ps-7_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#ps-7_smt'
+                  rel: assessment-for
             - id: ps-7_asm-examine
               name: assessment-method
               props:
@@ -86729,6 +94630,9 @@ catalog:
                       value: PS-08a.
                       class: sp800-53a
                   prose: a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;
+                  links:
+                    - href: '#ps-8_smt.a'
+                      rel: assessment-for
                 - id: ps-8_obj.b
                   name: assessment-objective
                   props:
@@ -86736,6 +94640,12 @@ catalog:
                       value: PS-08b.
                       class: sp800-53a
                   prose: '{{ insert: param, ps-08_odp.01 }} is/are notified within {{ insert: param, ps-08_odp.02 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.'
+                  links:
+                    - href: '#ps-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ps-8_smt'
+                  rel: assessment-for
             - id: ps-8_asm-examine
               name: assessment-method
               props:
@@ -86837,6 +94747,9 @@ catalog:
                       value: PS-09[01]
                       class: sp800-53a
                   prose: security roles and responsibilities are incorporated into organizational position descriptions;
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
                 - id: ps-9_obj-2
                   name: assessment-objective
                   props:
@@ -86844,6 +94757,12 @@ catalog:
                       value: PS-09[02]
                       class: sp800-53a
                   prose: privacy roles and responsibilities are incorporated into organizational position descriptions.
+                  links:
+                    - href: '#ps-9_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ps-9_smt'
+                  rel: assessment-for
             - id: ps-9_asm-examine
               name: assessment-method
               props:
@@ -87098,6 +95017,9 @@ catalog:
                           value: PT-01a.[01]
                           class: sp800-53a
                       prose: a personally identifiable information processing and transparency policy is developed and documented;
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -87105,6 +95027,9 @@ catalog:
                           value: PT-01a.[02]
                           class: sp800-53a
                       prose: 'the personally identifiable information processing and transparency policy is disseminated to {{ insert: param, pt-01_odp.01 }};'
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -87112,6 +95037,9 @@ catalog:
                           value: PT-01a.[03]
                           class: sp800-53a
                       prose: personally identifiable information processing and transparency procedures to facilitate the implementation of the personally identifiable information processing and transparency policy and associated personally identifiable information processing and transparency controls are developed and documented;
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -87119,6 +95047,9 @@ catalog:
                           value: PT-01a.[04]
                           class: sp800-53a
                       prose: 'the personally identifiable information processing and transparency procedures are disseminated to {{ insert: param, pt-01_odp.02 }};'
+                      links:
+                        - href: '#pt-1_smt.a'
+                          rel: assessment-for
                     - id: pt-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -87140,6 +95071,9 @@ catalog:
                                   value: PT-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses purpose;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -87147,6 +95081,9 @@ catalog:
                                   value: PT-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses scope;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -87154,6 +95091,9 @@ catalog:
                                   value: PT-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses roles;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -87161,6 +95101,9 @@ catalog:
                                   value: PT-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses responsibilities;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -87168,6 +95111,9 @@ catalog:
                                   value: PT-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses management commitment;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -87175,6 +95121,9 @@ catalog:
                                   value: PT-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: pt-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -87182,6 +95131,12 @@ catalog:
                                   value: PT-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy addresses compliance;'
+                              links:
+                                - href: '#pt-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#pt-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: pt-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -87189,6 +95144,15 @@ catalog:
                               value: PT-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, pt-01_odp.03 }} personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#pt-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-1_smt.a'
+                      rel: assessment-for
                 - id: pt-1_obj.b
                   name: assessment-objective
                   props:
@@ -87196,6 +95160,9 @@ catalog:
                       value: PT-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;'
+                  links:
+                    - href: '#pt-1_smt.b'
+                      rel: assessment-for
                 - id: pt-1_obj.c
                   name: assessment-objective
                   props:
@@ -87217,6 +95184,9 @@ catalog:
                               value: PT-01c.01[01]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency policy is reviewed and updated {{ insert: param, pt-01_odp.05 }};'
+                          links:
+                            - href: '#pt-1_smt.c.1'
+                              rel: assessment-for
                         - id: pt-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -87224,6 +95194,12 @@ catalog:
                               value: PT-01c.01[02]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency policy is reviewed and updated following {{ insert: param, pt-01_odp.06 }};'
+                          links:
+                            - href: '#pt-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.c.1'
+                          rel: assessment-for
                     - id: pt-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -87238,6 +95214,9 @@ catalog:
                               value: PT-01c.02[01]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency procedures are reviewed and updated {{ insert: param, pt-01_odp.07 }};'
+                          links:
+                            - href: '#pt-1_smt.c.2'
+                              rel: assessment-for
                         - id: pt-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -87245,6 +95224,18 @@ catalog:
                               value: PT-01c.02[02]
                               class: sp800-53a
                           prose: 'the current personally identifiable information processing and transparency procedures are reviewed and updated following {{ insert: param, pt-01_odp.08 }}.'
+                          links:
+                            - href: '#pt-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pt-1_smt'
+                  rel: assessment-for
             - id: pt-1_asm-examine
               name: assessment-method
               props:
@@ -87402,6 +95393,9 @@ catalog:
                       value: PT-02a.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-02_odp.01 }} that permits the {{ insert: param, pt-02_odp.02 }} of personally identifiable information is determined and documented;'
+                  links:
+                    - href: '#pt-2_smt.a'
+                      rel: assessment-for
                 - id: pt-2_obj.b
                   name: assessment-objective
                   props:
@@ -87409,6 +95403,12 @@ catalog:
                       value: PT-02b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-02_odp.03 }} of personally identifiable information is restricted to only that which is authorized.'
+                  links:
+                    - href: '#pt-2_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#pt-2_smt'
+                  rel: assessment-for
             - id: pt-2_asm-examine
               name: assessment-method
               props:
@@ -87534,6 +95534,9 @@ catalog:
                       value: PT-02(01)
                       class: sp800-53a
                   prose: 'data tags containing {{ insert: param, pt-02.01_odp.01 }} are attached to {{ insert: param, pt-02.01_odp.02 }}.'
+                  links:
+                    - href: '#pt-2.1_smt'
+                      rel: assessment-for
                 - id: pt-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -87656,6 +95659,9 @@ catalog:
                       value: PT-02(02)
                       class: sp800-53a
                   prose: 'enforcement of the authorized processing of personally identifiable information is managed using {{ insert: param, pt-02.02_odp }}.'
+                  links:
+                    - href: '#pt-2.2_smt'
+                      rel: assessment-for
                 - id: pt-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -87845,6 +95851,9 @@ catalog:
                       value: PT-03a.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-03_odp.01 }} for processing personally identifiable information is/are identified and documented;'
+                  links:
+                    - href: '#pt-3_smt.a'
+                      rel: assessment-for
                 - id: pt-3_obj.b
                   name: assessment-objective
                   props:
@@ -87859,6 +95868,9 @@ catalog:
                           value: PT-03b.[01]
                           class: sp800-53a
                       prose: the purpose(s) is/are described in the public privacy notices of the organization;
+                      links:
+                        - href: '#pt-3_smt.b'
+                          rel: assessment-for
                     - id: pt-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -87866,6 +95878,12 @@ catalog:
                           value: PT-03b.[02]
                           class: sp800-53a
                       prose: the purpose(s) is/are described in the policies of the organization;
+                      links:
+                        - href: '#pt-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-3_smt.b'
+                      rel: assessment-for
                 - id: pt-3_obj.c
                   name: assessment-objective
                   props:
@@ -87873,6 +95891,9 @@ catalog:
                       value: PT-03c.
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-03_odp.02 }} of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);'
+                  links:
+                    - href: '#pt-3_smt.c'
+                      rel: assessment-for
                 - id: pt-3_obj.d
                   name: assessment-objective
                   props:
@@ -87887,6 +95908,9 @@ catalog:
                           value: PT-03d.[01]
                           class: sp800-53a
                       prose: changes in the processing of personally identifiable information are monitored;
+                      links:
+                        - href: '#pt-3_smt.d'
+                          rel: assessment-for
                     - id: pt-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -87894,6 +95918,15 @@ catalog:
                           value: PT-03d.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, pt-03_odp.03 }} are implemented to ensure that any changes are made in accordance with {{ insert: param, pt-03_odp.04 }}.'
+                      links:
+                        - href: '#pt-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#pt-3_smt'
+                  rel: assessment-for
             - id: pt-3_asm-examine
               name: assessment-method
               props:
@@ -88031,6 +96064,9 @@ catalog:
                       value: PT-03(01)
                       class: sp800-53a
                   prose: 'data tags containing {{ insert: param, pt-03.01_odp.01 }} are attached to {{ insert: param, pt-03.01_odp.02 }}.'
+                  links:
+                    - href: '#pt-3.1_smt'
+                      rel: assessment-for
                 - id: pt-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -88149,6 +96185,9 @@ catalog:
                       value: PT-03(02)
                       class: sp800-53a
                   prose: 'the processing purposes of personally identifiable information are tracked using {{ insert: param, pt-03.02_odp }}.'
+                  links:
+                    - href: '#pt-3.2_smt'
+                      rel: assessment-for
                 - id: pt-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -88250,6 +96289,9 @@ catalog:
                   value: PT-04
                   class: sp800-53a
               prose: 'the {{ insert: param, pt-04_odp }} are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.'
+              links:
+                - href: '#pt-4_smt'
+                  rel: assessment-for
             - id: pt-4_asm-examine
               name: assessment-method
               props:
@@ -88352,6 +96394,9 @@ catalog:
                       value: PT-04(01)
                       class: sp800-53a
                   prose: '{{ insert: param, pt-04.01_odp }} are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.'
+                  links:
+                    - href: '#pt-4.1_smt'
+                      rel: assessment-for
                 - id: pt-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -88473,6 +96518,9 @@ catalog:
                       value: PT-04(02)
                       class: sp800-53a
                   prose: '{{ insert: param, pt-04.02_odp.01 }} are presented to individuals {{ insert: param, pt-04.02_odp.02 }} and in conjunction with {{ insert: param, pt-04.02_odp.03 }}.'
+                  links:
+                    - href: '#pt-4.2_smt'
+                      rel: assessment-for
                 - id: pt-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -88570,6 +96618,9 @@ catalog:
                       value: PT-04(03)
                       class: sp800-53a
                   prose: 'the {{ insert: param, pt-04.03_odp }} are implemented for individuals to revoke consent to the processing of their personally identifiable information.'
+                  links:
+                    - href: '#pt-4.3_smt'
+                      rel: assessment-for
                 - id: pt-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -88745,6 +96796,9 @@ catalog:
                           value: PT-05a.[01]
                           class: sp800-53a
                       prose: a notice to individuals about the processing of personally identifiable information is provided such that the notice is available to individuals upon first interacting with an organization;
+                      links:
+                        - href: '#pt-5_smt.a'
+                          rel: assessment-for
                     - id: pt-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -88752,6 +96806,12 @@ catalog:
                           value: PT-05a.[02]
                           class: sp800-53a
                       prose: 'a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals {{ insert: param, pt-05_odp.01 }};'
+                      links:
+                        - href: '#pt-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-5_smt.a'
+                      rel: assessment-for
                 - id: pt-5_obj.b
                   name: assessment-objective
                   props:
@@ -88759,6 +96819,9 @@ catalog:
                       value: PT-05b.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information is provided that is clear, easy-to-understand, and expresses information about personally identifiable information processing in plain language;
+                  links:
+                    - href: '#pt-5_smt.b'
+                      rel: assessment-for
                 - id: pt-5_obj.c
                   name: assessment-objective
                   props:
@@ -88766,6 +96829,9 @@ catalog:
                       value: PT-05c.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information that identifies the authority that authorizes the processing of personally identifiable information is provided;
+                  links:
+                    - href: '#pt-5_smt.c'
+                      rel: assessment-for
                 - id: pt-5_obj.d
                   name: assessment-objective
                   props:
@@ -88773,6 +96839,9 @@ catalog:
                       value: PT-05d.
                       class: sp800-53a
                   prose: a notice to individuals about the processing of personally identifiable information that identifies the purpose for which personally identifiable information is to be processed is provided;
+                  links:
+                    - href: '#pt-5_smt.d'
+                      rel: assessment-for
                 - id: pt-5_obj.e
                   name: assessment-objective
                   props:
@@ -88780,6 +96849,12 @@ catalog:
                       value: PT-05e.
                       class: sp800-53a
                   prose: 'a notice to individuals about the processing of personally identifiable information which includes {{ insert: param, pt-05_odp.02 }} is provided.'
+                  links:
+                    - href: '#pt-5_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pt-5_smt'
+                  rel: assessment-for
             - id: pt-5_asm-examine
               name: assessment-method
               props:
@@ -88875,6 +96950,9 @@ catalog:
                       value: PT-05(01)
                       class: sp800-53a
                   prose: 'a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or {{ insert: param, pt-05.01_odp }}.'
+                  links:
+                    - href: '#pt-5.1_smt'
+                      rel: assessment-for
                 - id: pt-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -88959,6 +97037,9 @@ catalog:
                       value: PT-05(02)
                       class: sp800-53a
                   prose: Privacy Act statements are included on forms that collect information that will be maintained in a Privacy Act system of records, or Privacy Act statements are provided on separate forms that can be retained by individuals.
+                  links:
+                    - href: '#pt-5.2_smt'
+                      rel: assessment-for
                 - id: pt-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -89085,6 +97166,9 @@ catalog:
                           value: PT-06a.[01]
                           class: sp800-53a
                       prose: system of records notices are drafted in accordance with OMB guidance for systems that process information that will be maintained in a Privacy Act system of records;
+                      links:
+                        - href: '#pt-6_smt.a'
+                          rel: assessment-for
                     - id: pt-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -89092,6 +97176,12 @@ catalog:
                           value: PT-06a.[02]
                           class: sp800-53a
                       prose: new and significantly modified system of records notices are submitted to the OMB and appropriate congressional committees for advance review for systems that process information that will be maintained in a Privacy Act system of records;
+                      links:
+                        - href: '#pt-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-6_smt.a'
+                      rel: assessment-for
                 - id: pt-6_obj.b
                   name: assessment-objective
                   props:
@@ -89099,6 +97189,9 @@ catalog:
                       value: PT-06b.
                       class: sp800-53a
                   prose: system of records notices are published in the Federal Register for systems that process information that will be maintained in a Privacy Act system of records;
+                  links:
+                    - href: '#pt-6_smt.b'
+                      rel: assessment-for
                 - id: pt-6_obj.c
                   name: assessment-objective
                   props:
@@ -89106,6 +97199,12 @@ catalog:
                       value: PT-06c.
                       class: sp800-53a
                   prose: system of records notices are kept accurate, up-to-date, and scoped in accordance with policy for systems that process information that will be maintained in a Privacy Act system of records.
+                  links:
+                    - href: '#pt-6_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#pt-6_smt'
+                  rel: assessment-for
             - id: pt-6_asm-examine
               name: assessment-method
               props:
@@ -89199,6 +97298,9 @@ catalog:
                       value: PT-06(01)
                       class: sp800-53a
                   prose: 'all routine uses published in the system of records notice are reviewed {{ insert: param, pt-06.01_odp }} to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.'
+                  links:
+                    - href: '#pt-6.1_smt'
+                      rel: assessment-for
                 - id: pt-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -89296,6 +97398,9 @@ catalog:
                           value: PT-06(02)[01]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they remain appropriate and necessary in accordance with law;'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
                     - id: pt-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -89303,6 +97408,9 @@ catalog:
                           value: PT-06(02)[02]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they have been promulgated as regulations;'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
                     - id: pt-6.2_obj-3
                       name: assessment-objective
                       props:
@@ -89310,6 +97418,12 @@ catalog:
                           value: PT-06(02)[03]
                           class: sp800-53a
                       prose: 'all Privacy Act exemptions claimed for the system of records are reviewed {{ insert: param, pt-06.02_odp }} to ensure that they are accurately described in the system of records notice.'
+                      links:
+                        - href: '#pt-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-6.2_smt'
+                      rel: assessment-for
                 - id: pt-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -89416,6 +97530,9 @@ catalog:
                   value: PT-07
                   class: sp800-53a
               prose: '{{ insert: param, pt-07_odp }} are applied for specific categories of personally identifiable information.'
+              links:
+                - href: '#pt-7_smt'
+                  rel: assessment-for
             - id: pt-7_asm-examine
               name: assessment-method
               props:
@@ -89541,6 +97658,9 @@ catalog:
                               value: PT-07(01)(a)[01]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, the unnecessary collection, maintenance, and use of Social Security numbers are eliminated;
+                          links:
+                            - href: '#pt-7.1_smt.a'
+                              rel: assessment-for
                         - id: pt-7.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -89548,6 +97668,12 @@ catalog:
                               value: PT-07(01)(a)[02]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, alternatives to the use of Social Security Numbers as a personal identifier are explored;
+                          links:
+                            - href: '#pt-7.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-7.1_smt.a'
+                          rel: assessment-for
                     - id: pt-7.1_obj.b
                       name: assessment-objective
                       props:
@@ -89555,6 +97681,9 @@ catalog:
                           value: PT-07(01)(b)
                           class: sp800-53a
                       prose: when a system processes Social Security numbers, individual rights, benefits, or privileges provided by law are not denied because of an individual’s refusal to disclose their Social Security number;
+                      links:
+                        - href: '#pt-7.1_smt.b'
+                          rel: assessment-for
                     - id: pt-7.1_obj.c
                       name: assessment-objective
                       props:
@@ -89569,6 +97698,9 @@ catalog:
                               value: PT-07(01)(c)[01]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it;
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
                         - id: pt-7.1_obj.c-2
                           name: assessment-objective
                           props:
@@ -89576,6 +97708,9 @@ catalog:
                               value: PT-07(01)(c)[02]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed by what statutory or other authority the number is solicited;
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
                         - id: pt-7.1_obj.c-3
                           name: assessment-objective
                           props:
@@ -89583,6 +97718,15 @@ catalog:
                               value: PT-07(01)(c)[03]
                               class: sp800-53a
                           prose: when a system processes Social Security numbers, any individual who is asked to disclose their Social Security number is informed what uses will be made of it.
+                          links:
+                            - href: '#pt-7.1_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#pt-7.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-7.1_smt'
+                      rel: assessment-for
                 - id: pt-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -89669,6 +97813,9 @@ catalog:
                       value: PT-07(02)
                       class: sp800-53a
                   prose: the processing of information describing how any individual exercises rights guaranteed by the First Amendment is prohibited unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.
+                  links:
+                    - href: '#pt-7.2_smt'
+                      rel: assessment-for
                 - id: pt-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -89794,6 +97941,9 @@ catalog:
                       value: PT-08a.
                       class: sp800-53a
                   prose: approval to conduct the matching program is obtained from the Data Integrity Board when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.a'
+                      rel: assessment-for
                 - id: pt-8_obj.b
                   name: assessment-objective
                   props:
@@ -89808,6 +97958,9 @@ catalog:
                           value: PT-08b.[01]
                           class: sp800-53a
                       prose: a computer matching agreement is developed when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.b'
+                          rel: assessment-for
                     - id: pt-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -89815,6 +97968,12 @@ catalog:
                           value: PT-08b.[02]
                           class: sp800-53a
                       prose: a computer matching agreement is entered into when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-8_smt.b'
+                      rel: assessment-for
                 - id: pt-8_obj.c
                   name: assessment-objective
                   props:
@@ -89822,6 +97981,9 @@ catalog:
                       value: PT-08c.
                       class: sp800-53a
                   prose: a matching notice is published in the Federal Register when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.c'
+                      rel: assessment-for
                 - id: pt-8_obj.d
                   name: assessment-objective
                   props:
@@ -89829,6 +97991,9 @@ catalog:
                       value: PT-08d.
                       class: sp800-53a
                   prose: the information produced by the matching program is independently verified before taking adverse action against an individual, if required, when a system or organization processes information for the purpose of conducting a matching program;
+                  links:
+                    - href: '#pt-8_smt.d'
+                      rel: assessment-for
                 - id: pt-8_obj.e
                   name: assessment-objective
                   props:
@@ -89843,6 +98008,9 @@ catalog:
                           value: PT-08e.[01]
                           class: sp800-53a
                       prose: individuals are provided with notice when a system or organization processes information for the purpose of conducting a matching program;
+                      links:
+                        - href: '#pt-8_smt.e'
+                          rel: assessment-for
                     - id: pt-8_obj.e-2
                       name: assessment-objective
                       props:
@@ -89850,6 +98018,15 @@ catalog:
                           value: PT-08e.[02]
                           class: sp800-53a
                       prose: individuals are provided with an opportunity to contest the findings before adverse action is taken against them when a system or organization processes information for the purpose of conducting a matching program.
+                      links:
+                        - href: '#pt-8_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#pt-8_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#pt-8_smt'
+                  rel: assessment-for
             - id: pt-8_asm-examine
               name: assessment-method
               props:
@@ -90125,6 +98302,9 @@ catalog:
                           value: RA-01a.[01]
                           class: sp800-53a
                       prose: a risk assessment policy is developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -90132,6 +98312,9 @@ catalog:
                           value: RA-01a.[02]
                           class: sp800-53a
                       prose: 'the risk assessment policy is disseminated to {{ insert: param, ra-01_odp.01 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -90139,6 +98322,9 @@ catalog:
                           value: RA-01a.[03]
                           class: sp800-53a
                       prose: risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -90146,6 +98332,9 @@ catalog:
                           value: RA-01a.[04]
                           class: sp800-53a
                       prose: 'the risk assessment procedures are disseminated to {{ insert: param, ra-01_odp.02 }};'
+                      links:
+                        - href: '#ra-1_smt.a'
+                          rel: assessment-for
                     - id: ra-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -90167,6 +98356,9 @@ catalog:
                                   value: RA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses purpose;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -90174,6 +98366,9 @@ catalog:
                                   value: RA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses scope;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -90181,6 +98376,9 @@ catalog:
                                   value: RA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses roles;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -90188,6 +98386,9 @@ catalog:
                                   value: RA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses responsibilities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -90195,6 +98396,9 @@ catalog:
                                   value: RA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses management commitment;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -90202,6 +98406,9 @@ catalog:
                                   value: RA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: ra-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -90209,6 +98416,12 @@ catalog:
                                   value: RA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy addresses compliance;'
+                              links:
+                                - href: '#ra-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#ra-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: ra-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -90216,6 +98429,15 @@ catalog:
                               value: RA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, ra-01_odp.03 }} risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#ra-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.a'
+                      rel: assessment-for
                 - id: ra-1_obj.b
                   name: assessment-objective
                   props:
@@ -90223,6 +98445,9 @@ catalog:
                       value: RA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, ra-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;'
+                  links:
+                    - href: '#ra-1_smt.b'
+                      rel: assessment-for
                 - id: ra-1_obj.c
                   name: assessment-objective
                   props:
@@ -90244,6 +98469,9 @@ catalog:
                               value: RA-01c.01[01]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated {{ insert: param, ra-01_odp.05 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
                         - id: ra-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -90251,6 +98479,12 @@ catalog:
                               value: RA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current risk assessment policy is reviewed and updated following {{ insert: param, ra-01_odp.06 }};'
+                          links:
+                            - href: '#ra-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.1'
+                          rel: assessment-for
                     - id: ra-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -90265,6 +98499,9 @@ catalog:
                               value: RA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated {{ insert: param, ra-01_odp.07 }};'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
                         - id: ra-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -90272,6 +98509,18 @@ catalog:
                               value: RA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current risk assessment procedures are reviewed and updated following {{ insert: param, ra-01_odp.08 }}.'
+                          links:
+                            - href: '#ra-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#ra-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-1_smt'
+                  rel: assessment-for
             - id: ra-1_asm-examine
               name: assessment-method
               props:
@@ -90413,6 +98662,9 @@ catalog:
                       value: RA-02a.
                       class: sp800-53a
                   prose: the system and the information it processes, stores, and transmits are categorized;
+                  links:
+                    - href: '#ra-2_smt.a'
+                      rel: assessment-for
                 - id: ra-2_obj.b
                   name: assessment-objective
                   props:
@@ -90420,6 +98672,9 @@ catalog:
                       value: RA-02b.
                       class: sp800-53a
                   prose: the security categorization results, including supporting rationale, are documented in the security plan for the system;
+                  links:
+                    - href: '#ra-2_smt.b'
+                      rel: assessment-for
                 - id: ra-2_obj.c
                   name: assessment-objective
                   props:
@@ -90427,6 +98682,12 @@ catalog:
                       value: RA-02c.
                       class: sp800-53a
                   prose: the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
+                  links:
+                    - href: '#ra-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#ra-2_smt'
+                  rel: assessment-for
             - id: ra-2_asm-examine
               name: assessment-method
               props:
@@ -90511,6 +98772,9 @@ catalog:
                       value: RA-02(01)
                       class: sp800-53a
                   prose: an impact-level prioritization of organizational systems is conducted to obtain additional granularity on system impact levels.
+                  links:
+                    - href: '#ra-2.1_smt'
+                      rel: assessment-for
                 - id: ra-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -90788,6 +99052,9 @@ catalog:
                           value: RA-03a.01
                           class: sp800-53a
                       prose: a risk assessment is conducted to identify threats to and vulnerabilities in the system;
+                      links:
+                        - href: '#ra-3_smt.a.1'
+                          rel: assessment-for
                     - id: ra-3_obj.a.2
                       name: assessment-objective
                       props:
@@ -90795,6 +99062,9 @@ catalog:
                           value: RA-03a.02
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;
+                      links:
+                        - href: '#ra-3_smt.a.2'
+                          rel: assessment-for
                     - id: ra-3_obj.a.3
                       name: assessment-objective
                       props:
@@ -90802,6 +99072,12 @@ catalog:
                           value: RA-03a.03
                           class: sp800-53a
                       prose: a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;
+                      links:
+                        - href: '#ra-3_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3_smt.a'
+                      rel: assessment-for
                 - id: ra-3_obj.b
                   name: assessment-objective
                   props:
@@ -90809,6 +99085,9 @@ catalog:
                       value: RA-03b.
                       class: sp800-53a
                   prose: risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;
+                  links:
+                    - href: '#ra-3_smt.b'
+                      rel: assessment-for
                 - id: ra-3_obj.c
                   name: assessment-objective
                   props:
@@ -90816,6 +99095,9 @@ catalog:
                       value: RA-03c.
                       class: sp800-53a
                   prose: 'risk assessment results are documented in {{ insert: param, ra-03_odp.01 }};'
+                  links:
+                    - href: '#ra-3_smt.c'
+                      rel: assessment-for
                 - id: ra-3_obj.d
                   name: assessment-objective
                   props:
@@ -90823,6 +99105,9 @@ catalog:
                       value: RA-03d.
                       class: sp800-53a
                   prose: 'risk assessment results are reviewed {{ insert: param, ra-03_odp.03 }};'
+                  links:
+                    - href: '#ra-3_smt.d'
+                      rel: assessment-for
                 - id: ra-3_obj.e
                   name: assessment-objective
                   props:
@@ -90830,6 +99115,9 @@ catalog:
                       value: RA-03e.
                       class: sp800-53a
                   prose: 'risk assessment results are disseminated to {{ insert: param, ra-03_odp.04 }};'
+                  links:
+                    - href: '#ra-3_smt.e'
+                      rel: assessment-for
                 - id: ra-3_obj.f
                   name: assessment-objective
                   props:
@@ -90837,6 +99125,12 @@ catalog:
                       value: RA-03f.
                       class: sp800-53a
                   prose: 'the risk assessment is updated {{ insert: param, ra-03_odp.05 }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.'
+                  links:
+                    - href: '#ra-3_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-3_smt'
+                  rel: assessment-for
             - id: ra-3_asm-examine
               name: assessment-method
               props:
@@ -90985,6 +99279,9 @@ catalog:
                           value: RA-03(01)(a)
                           class: sp800-53a
                       prose: 'supply chain risks associated with {{ insert: param, ra-03.01_odp.01 }} are assessed;'
+                      links:
+                        - href: '#ra-3.1_smt.a'
+                          rel: assessment-for
                     - id: ra-3.1_obj.b
                       name: assessment-objective
                       props:
@@ -90992,6 +99289,12 @@ catalog:
                           value: RA-03(01)(b)
                           class: sp800-53a
                       prose: 'the supply chain risk assessment is updated {{ insert: param, ra-03.01_odp.02 }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.'
+                      links:
+                        - href: '#ra-3.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3.1_smt'
+                      rel: assessment-for
                 - id: ra-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -91095,6 +99398,9 @@ catalog:
                       value: RA-03(02)
                       class: sp800-53a
                   prose: all-source intelligence is used to assist in the analysis of risk.
+                  links:
+                    - href: '#ra-3.2_smt'
+                      rel: assessment-for
                 - id: ra-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -91203,6 +99509,9 @@ catalog:
                       value: RA-03(03)
                       class: sp800-53a
                   prose: 'the current cyber threat environment is determined on an ongoing basis using {{ insert: param, ra-03.03_odp }}.'
+                  links:
+                    - href: '#ra-3.3_smt'
+                      rel: assessment-for
                 - id: ra-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -91341,6 +99650,9 @@ catalog:
                           value: RA-03(04)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, ra-03.04_odp.01 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }};'
+                      links:
+                        - href: '#ra-3.4_smt'
+                          rel: assessment-for
                     - id: ra-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -91348,6 +99660,12 @@ catalog:
                           value: RA-03(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ra-03.04_odp.03 }} are employed to predict and identify risks to {{ insert: param, ra-03.04_odp.02 }}.'
+                      links:
+                        - href: '#ra-3.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-3.4_smt'
+                      rel: assessment-for
                 - id: ra-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -91631,6 +99949,9 @@ catalog:
                           value: RA-05a.[01]
                           class: sp800-53a
                       prose: 'systems and hosted applications are monitored for vulnerabilities {{ insert: param, ra-05_odp.01 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
                     - id: ra-5_obj.a-2
                       name: assessment-objective
                       props:
@@ -91638,6 +99959,12 @@ catalog:
                           value: RA-05a.[02]
                           class: sp800-53a
                       prose: 'systems and hosted applications are scanned for vulnerabilities {{ insert: param, ra-05_odp.02 }} and when new vulnerabilities potentially affecting the system are identified and reported;'
+                      links:
+                        - href: '#ra-5_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.a'
+                      rel: assessment-for
                 - id: ra-5_obj.b
                   name: assessment-objective
                   props:
@@ -91653,6 +99980,9 @@ catalog:
                           value: RA-05b.01
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;
+                      links:
+                        - href: '#ra-5_smt.b.1'
+                          rel: assessment-for
                     - id: ra-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -91660,6 +99990,9 @@ catalog:
                           value: RA-05b.02
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;
+                      links:
+                        - href: '#ra-5_smt.b.2'
+                          rel: assessment-for
                     - id: ra-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -91667,6 +100000,12 @@ catalog:
                           value: RA-05b.03
                           class: sp800-53a
                       prose: vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;
+                      links:
+                        - href: '#ra-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5_smt.b'
+                      rel: assessment-for
                 - id: ra-5_obj.c
                   name: assessment-objective
                   props:
@@ -91674,6 +100013,9 @@ catalog:
                       value: RA-05c.
                       class: sp800-53a
                   prose: vulnerability scan reports and results from vulnerability monitoring are analyzed;
+                  links:
+                    - href: '#ra-5_smt.c'
+                      rel: assessment-for
                 - id: ra-5_obj.d
                   name: assessment-objective
                   props:
@@ -91681,6 +100023,9 @@ catalog:
                       value: RA-05d.
                       class: sp800-53a
                   prose: 'legitimate vulnerabilities are remediated {{ insert: param, ra-05_odp.03 }} in accordance with an organizational assessment of risk;'
+                  links:
+                    - href: '#ra-5_smt.d'
+                      rel: assessment-for
                 - id: ra-5_obj.e
                   name: assessment-objective
                   props:
@@ -91688,6 +100033,9 @@ catalog:
                       value: RA-05e.
                       class: sp800-53a
                   prose: 'information obtained from the vulnerability monitoring process and control assessments is shared with {{ insert: param, ra-05_odp.04 }} to help eliminate similar vulnerabilities in other systems;'
+                  links:
+                    - href: '#ra-5_smt.e'
+                      rel: assessment-for
                 - id: ra-5_obj.f
                   name: assessment-objective
                   props:
@@ -91695,6 +100043,12 @@ catalog:
                       value: RA-05f.
                       class: sp800-53a
                   prose: vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.
+                  links:
+                    - href: '#ra-5_smt.f'
+                      rel: assessment-for
+              links:
+                - href: '#ra-5_smt'
+                  rel: assessment-for
             - id: ra-5_asm-examine
               name: assessment-method
               props:
@@ -91837,6 +100191,9 @@ catalog:
                       value: RA-05(02)
                       class: sp800-53a
                   prose: 'the system vulnerabilities to be scanned are updated {{ insert: param, ra-05.02_odp.01 }}.'
+                  links:
+                    - href: '#ra-5.2_smt'
+                      rel: assessment-for
                 - id: ra-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -91930,6 +100287,9 @@ catalog:
                       value: RA-05(03)
                       class: sp800-53a
                   prose: the breadth and depth of vulnerability scanning coverage are defined.
+                  links:
+                    - href: '#ra-5.3_smt'
+                      rel: assessment-for
                 - id: ra-5.3_asm-examine
                   name: assessment-method
                   props:
@@ -92043,6 +100403,9 @@ catalog:
                           value: RA-05(04)[01]
                           class: sp800-53a
                       prose: information about the system is discoverable;
+                      links:
+                        - href: '#ra-5.4_smt'
+                          rel: assessment-for
                     - id: ra-5.4_obj-2
                       name: assessment-objective
                       props:
@@ -92050,6 +100413,12 @@ catalog:
                           value: RA-05(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, ra-05.04_odp }} are taken when information about the system is confirmed as discoverable.'
+                      links:
+                        - href: '#ra-5.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-5.4_smt'
+                      rel: assessment-for
                 - id: ra-5.4_asm-examine
                   name: assessment-method
                   props:
@@ -92180,6 +100549,9 @@ catalog:
                       value: RA-05(05)
                       class: sp800-53a
                   prose: 'privileged access authorization is implemented to {{ insert: param, ra-05.05_odp.01 }} for {{ insert: param, ra-05.05_odp.02 }}.'
+                  links:
+                    - href: '#ra-5.5_smt'
+                      rel: assessment-for
                 - id: ra-5.5_asm-examine
                   name: assessment-method
                   props:
@@ -92298,6 +100670,9 @@ catalog:
                       value: RA-05(06)
                       class: sp800-53a
                   prose: 'the results of multiple vulnerability scans are compared using {{ insert: param, ra-05.06_odp }}.'
+                  links:
+                    - href: '#ra-5.6_smt'
+                      rel: assessment-for
                 - id: ra-5.6_asm-examine
                   name: assessment-method
                   props:
@@ -92432,6 +100807,9 @@ catalog:
                       value: RA-05(08)
                       class: sp800-53a
                   prose: 'historic audit logs are reviewed to determine if a vulnerability identified in a {{ insert: param, ra-05.08_odp.01 }} has been previously exploited within {{ insert: param, ra-05.08_odp.02 }}.'
+                  links:
+                    - href: '#ra-5.8_smt'
+                      rel: assessment-for
                 - id: ra-5.8_asm-examine
                   name: assessment-method
                   props:
@@ -92549,6 +100927,9 @@ catalog:
                       value: RA-05(10)
                       class: sp800-53a
                   prose: the output from vulnerability scanning tools is correlated to determine the presence of multi-vulnerability and multi-hop attack vectors.
+                  links:
+                    - href: '#ra-5.10_smt'
+                      rel: assessment-for
                 - id: ra-5.10_asm-examine
                   name: assessment-method
                   props:
@@ -92648,6 +101029,9 @@ catalog:
                       value: RA-05(11)
                       class: sp800-53a
                   prose: a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.
+                  links:
+                    - href: '#ra-5.11_smt'
+                      rel: assessment-for
                 - id: ra-5.11_asm-examine
                   name: assessment-method
                   props:
@@ -92787,6 +101171,9 @@ catalog:
                   value: RA-06
                   class: sp800-53a
               prose: 'a technical surveillance countermeasures survey is employed at {{ insert: param, ra-06_odp.01 }} {{ insert: param, ra-06_odp.02 }}.'
+              links:
+                - href: '#ra-6_smt'
+                  rel: assessment-for
             - id: ra-6_asm-examine
               name: assessment-method
               props:
@@ -92905,6 +101292,9 @@ catalog:
                       value: RA-07[01]
                       class: sp800-53a
                   prose: findings from security assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-2
                   name: assessment-objective
                   props:
@@ -92912,6 +101302,9 @@ catalog:
                       value: RA-07[02]
                       class: sp800-53a
                   prose: findings from privacy assessments are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-3
                   name: assessment-objective
                   props:
@@ -92919,6 +101312,9 @@ catalog:
                       value: RA-07[03]
                       class: sp800-53a
                   prose: findings from monitoring are responded to in accordance with organizational risk tolerance;
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
                 - id: ra-7_obj-4
                   name: assessment-objective
                   props:
@@ -92926,6 +101322,12 @@ catalog:
                       value: RA-07[04]
                       class: sp800-53a
                   prose: findings from audits are responded to in accordance with organizational risk tolerance.
+                  links:
+                    - href: '#ra-7_smt'
+                      rel: assessment-for
+              links:
+                - href: '#ra-7_smt'
+                  rel: assessment-for
             - id: ra-7_asm-examine
               name: assessment-method
               props:
@@ -93077,6 +101479,9 @@ catalog:
                       value: RA-08a.
                       class: sp800-53a
                   prose: privacy impact assessments are conducted for systems, programs, or other activities before developing or procuring information technology that processes personally identifiable information;
+                  links:
+                    - href: '#ra-8_smt.a'
+                      rel: assessment-for
                 - id: ra-8_obj.b
                   name: assessment-objective
                   props:
@@ -93091,6 +101496,9 @@ catalog:
                           value: RA-08b.[01]
                           class: sp800-53a
                       prose: privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that will be processed using information technology;
+                      links:
+                        - href: '#ra-8_smt.b'
+                          rel: assessment-for
                     - id: ra-8_obj.b-2
                       name: assessment-objective
                       props:
@@ -93098,6 +101506,15 @@ catalog:
                           value: RA-08b.[02]
                           class: sp800-53a
                       prose: privacy impact assessments are conducted for systems, programs, or other activities before initiating a collection of personally identifiable information that includes personally identifiable information permitting the physical or virtual (online) contacting of a specific individual, if identical questions have been posed to, or identical reporting requirements imposed on, ten or more individuals, other than agencies, instrumentalities, or employees of the federal government.
+                      links:
+                        - href: '#ra-8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ra-8_smt'
+                  rel: assessment-for
             - id: ra-8_asm-examine
               name: assessment-method
               props:
@@ -93238,6 +101655,9 @@ catalog:
                   value: RA-09
                   class: sp800-53a
               prose: 'critical system components and functions are identified by performing a criticality analysis for {{ insert: param, ra-09_odp.01 }} at {{ insert: param, ra-09_odp.02 }}.'
+              links:
+                - href: '#ra-9_smt'
+                  rel: assessment-for
             - id: ra-9_asm-examine
               name: assessment-method
               props:
@@ -93398,6 +101818,9 @@ catalog:
                           value: RA-10a.01
                           class: sp800-53a
                       prose: a cyber threat capability is established and maintained to search for indicators of compromise in organizational systems;
+                      links:
+                        - href: '#ra-10_smt.a.1'
+                          rel: assessment-for
                     - id: ra-10_obj.a.2
                       name: assessment-objective
                       props:
@@ -93405,6 +101828,12 @@ catalog:
                           value: RA-10a.02
                           class: sp800-53a
                       prose: a cyber threat capability is established and maintained to detect, track, and disrupt threats that evade existing controls;
+                      links:
+                        - href: '#ra-10_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#ra-10_smt.a'
+                      rel: assessment-for
                 - id: ra-10_obj.b
                   name: assessment-objective
                   props:
@@ -93412,6 +101841,12 @@ catalog:
                       value: RA-10b.
                       class: sp800-53a
                   prose: 'the threat hunting capability is employed {{ insert: param, ra-10_odp }}.'
+                  links:
+                    - href: '#ra-10_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#ra-10_smt'
+                  rel: assessment-for
             - id: ra-10_asm-examine
               name: assessment-method
               props:
@@ -93683,6 +102118,9 @@ catalog:
                           value: SA-01a.[01]
                           class: sp800-53a
                       prose: a system and services acquisition policy is developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -93690,6 +102128,9 @@ catalog:
                           value: SA-01a.[02]
                           class: sp800-53a
                       prose: 'the system and services acquisition policy is disseminated to {{ insert: param, sa-01_odp.01 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -93697,6 +102138,9 @@ catalog:
                           value: SA-01a.[03]
                           class: sp800-53a
                       prose: system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -93704,6 +102148,9 @@ catalog:
                           value: SA-01a.[04]
                           class: sp800-53a
                       prose: 'the system and services acquisition procedures are disseminated to {{ insert: param, sa-01_odp.02 }};'
+                      links:
+                        - href: '#sa-1_smt.a'
+                          rel: assessment-for
                     - id: sa-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -93725,6 +102172,9 @@ catalog:
                                   value: SA-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses purpose;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -93732,6 +102182,9 @@ catalog:
                                   value: SA-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses scope;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -93739,6 +102192,9 @@ catalog:
                                   value: SA-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses roles;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -93746,6 +102202,9 @@ catalog:
                                   value: SA-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses responsibilities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -93753,6 +102212,9 @@ catalog:
                                   value: SA-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses management commitment;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -93760,6 +102222,9 @@ catalog:
                                   value: SA-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sa-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -93767,6 +102232,12 @@ catalog:
                                   value: SA-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy addresses compliance;'
+                              links:
+                                - href: '#sa-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sa-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sa-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -93774,6 +102245,15 @@ catalog:
                               value: SA-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sa-01_odp.03 }} system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sa-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.a'
+                      rel: assessment-for
                 - id: sa-1_obj.b
                   name: assessment-objective
                   props:
@@ -93781,6 +102261,9 @@ catalog:
                       value: SA-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sa-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;'
+                  links:
+                    - href: '#sa-1_smt.b'
+                      rel: assessment-for
                 - id: sa-1_obj.c
                   name: assessment-objective
                   props:
@@ -93802,6 +102285,9 @@ catalog:
                               value: SA-01c.01[01]
                               class: sp800-53a
                           prose: 'the system and services acquisition policy is reviewed and updated {{ insert: param, sa-01_odp.05 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
                         - id: sa-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -93809,6 +102295,12 @@ catalog:
                               value: SA-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition policy is reviewed and updated following {{ insert: param, sa-01_odp.06 }};'
+                          links:
+                            - href: '#sa-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.1'
+                          rel: assessment-for
                     - id: sa-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -93823,6 +102315,9 @@ catalog:
                               value: SA-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated {{ insert: param, sa-01_odp.07 }};'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
                         - id: sa-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -93830,6 +102325,18 @@ catalog:
                               value: SA-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and services acquisition procedures are reviewed and updated following {{ insert: param, sa-01_odp.08 }}.'
+                          links:
+                            - href: '#sa-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-1_smt'
+                  rel: assessment-for
             - id: sa-1_asm-examine
               name: assessment-method
               props:
@@ -93956,6 +102463,9 @@ catalog:
                           value: SA-02a.[01]
                           class: sp800-53a
                       prose: the high-level information security requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
                     - id: sa-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -93963,6 +102473,12 @@ catalog:
                           value: SA-02a.[02]
                           class: sp800-53a
                       prose: the high-level privacy requirements for the system or system service are determined in mission and business process planning;
+                      links:
+                        - href: '#sa-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.a'
+                      rel: assessment-for
                 - id: sa-2_obj.b
                   name: assessment-objective
                   props:
@@ -93977,6 +102493,9 @@ catalog:
                           value: SA-02b.[01]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
                     - id: sa-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -93984,6 +102503,12 @@ catalog:
                           value: SA-02b.[02]
                           class: sp800-53a
                       prose: the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;
+                      links:
+                        - href: '#sa-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.b'
+                      rel: assessment-for
                 - id: sa-2_obj.c
                   name: assessment-objective
                   props:
@@ -93998,6 +102523,9 @@ catalog:
                           value: SA-02c.[01]
                           class: sp800-53a
                       prose: a discrete line item for information security is established in organizational programming and budgeting documentation;
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
                     - id: sa-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -94005,6 +102533,15 @@ catalog:
                           value: SA-02c.[02]
                           class: sp800-53a
                       prose: a discrete line item for privacy is established in organizational programming and budgeting documentation.
+                      links:
+                        - href: '#sa-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-2_smt'
+                  rel: assessment-for
             - id: sa-2_asm-examine
               name: assessment-method
               props:
@@ -94197,6 +102734,9 @@ catalog:
                           value: SA-03a.[01]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates information security considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
                     - id: sa-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -94204,6 +102744,12 @@ catalog:
                           value: SA-03a.[02]
                           class: sp800-53a
                       prose: 'the system is acquired, developed, and managed using {{ insert: param, sa-03_odp }} that incorporates privacy considerations;'
+                      links:
+                        - href: '#sa-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.a'
+                      rel: assessment-for
                 - id: sa-3_obj.b
                   name: assessment-objective
                   props:
@@ -94218,6 +102764,9 @@ catalog:
                           value: SA-03b.[01]
                           class: sp800-53a
                       prose: information security roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
                     - id: sa-3_obj.b-2
                       name: assessment-objective
                       props:
@@ -94225,6 +102774,12 @@ catalog:
                           value: SA-03b.[02]
                           class: sp800-53a
                       prose: privacy roles and responsibilities are defined and documented throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.b'
+                      rel: assessment-for
                 - id: sa-3_obj.c
                   name: assessment-objective
                   props:
@@ -94239,6 +102794,9 @@ catalog:
                           value: SA-03c.[01]
                           class: sp800-53a
                       prose: individuals with information security roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
                     - id: sa-3_obj.c-2
                       name: assessment-objective
                       props:
@@ -94246,6 +102804,12 @@ catalog:
                           value: SA-03c.[02]
                           class: sp800-53a
                       prose: individuals with privacy roles and responsibilities are identified;
+                      links:
+                        - href: '#sa-3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.c'
+                      rel: assessment-for
                 - id: sa-3_obj.d
                   name: assessment-objective
                   props:
@@ -94260,6 +102824,9 @@ catalog:
                           value: SA-03d.[01]
                           class: sp800-53a
                       prose: organizational information security risk management processes are integrated into system development life cycle activities;
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
                     - id: sa-3_obj.d-2
                       name: assessment-objective
                       props:
@@ -94267,6 +102834,15 @@ catalog:
                           value: SA-03d.[02]
                           class: sp800-53a
                       prose: organizational privacy risk management processes are integrated into system development life cycle activities.
+                      links:
+                        - href: '#sa-3_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-3_smt'
+                  rel: assessment-for
             - id: sa-3_asm-examine
               name: assessment-method
               props:
@@ -94385,6 +102961,9 @@ catalog:
                       value: SA-03(01)
                       class: sp800-53a
                   prose: system pre-production environments are protected commensurate with risk throughout the system development life cycle for the system, system component, or system service.
+                  links:
+                    - href: '#sa-3.1_smt'
+                      rel: assessment-for
                 - id: sa-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -94512,6 +103091,9 @@ catalog:
                               value: SA-03(02)a.[01]
                               class: sp800-53a
                           prose: the use of live data in pre-production environments is approved for the system, system component, or system service;
+                          links:
+                            - href: '#sa-3.2_smt.a'
+                              rel: assessment-for
                         - id: sa-3.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -94519,6 +103101,9 @@ catalog:
                               value: SA-03(02)a.[02]
                               class: sp800-53a
                           prose: the use of live data in pre-production environments is documented for the system, system component, or system service;
+                          links:
+                            - href: '#sa-3.2_smt.a'
+                              rel: assessment-for
                         - id: sa-3.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -94526,6 +103111,12 @@ catalog:
                               value: SA-03(02)a.[03]
                               class: sp800-53a
                           prose: the use of live data in pre-production environments is controlled for the system, system component, or system service;
+                          links:
+                            - href: '#sa-3.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-3.2_smt.a'
+                          rel: assessment-for
                     - id: sa-3.2_obj.b
                       name: assessment-objective
                       props:
@@ -94533,6 +103124,12 @@ catalog:
                           value: SA-03(02)b.
                           class: sp800-53a
                       prose: pre-production environments for the system, system component, or system service are protected at the same impact or classification level as any live data in use within the pre-production environments.
+                      links:
+                        - href: '#sa-3.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3.2_smt'
+                      rel: assessment-for
                 - id: sa-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -94645,6 +103242,9 @@ catalog:
                           value: SA-03(03)[01]
                           class: sp800-53a
                       prose: a technology refresh schedule is planned for the system throughout the system development life cycle;
+                      links:
+                        - href: '#sa-3.3_smt'
+                          rel: assessment-for
                     - id: sa-3.3_obj-2
                       name: assessment-objective
                       props:
@@ -94652,6 +103252,12 @@ catalog:
                           value: SA-03(03)[02]
                           class: sp800-53a
                       prose: a technology refresh schedule is implemented for the system throughout the system development life cycle.
+                      links:
+                        - href: '#sa-3.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-3.3_smt'
+                      rel: assessment-for
                 - id: sa-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -94918,6 +103524,9 @@ catalog:
                           value: SA-04a.[01]
                           class: sp800-53a
                       prose: 'security functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
                     - id: sa-4_obj.a-2
                       name: assessment-objective
                       props:
@@ -94925,6 +103534,12 @@ catalog:
                           value: SA-04a.[02]
                           class: sp800-53a
                       prose: 'privacy functional requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.a'
+                      rel: assessment-for
                 - id: sa-4_obj.b
                   name: assessment-objective
                   props:
@@ -94932,6 +103547,9 @@ catalog:
                       value: SA-04b.
                       class: sp800-53a
                   prose: 'strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.b'
+                      rel: assessment-for
                 - id: sa-4_obj.c
                   name: assessment-objective
                   props:
@@ -94946,6 +103564,9 @@ catalog:
                           value: SA-04c.[01]
                           class: sp800-53a
                       prose: 'security assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
                     - id: sa-4_obj.c-2
                       name: assessment-objective
                       props:
@@ -94953,6 +103574,12 @@ catalog:
                           value: SA-04c.[02]
                           class: sp800-53a
                       prose: 'privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.c'
+                      rel: assessment-for
                 - id: sa-4_obj.d
                   name: assessment-objective
                   props:
@@ -94967,6 +103594,9 @@ catalog:
                           value: SA-04d.[01]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
                     - id: sa-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -94974,6 +103604,12 @@ catalog:
                           value: SA-04d.[02]
                           class: sp800-53a
                       prose: 'controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.d'
+                      rel: assessment-for
                 - id: sa-4_obj.e
                   name: assessment-objective
                   props:
@@ -94988,6 +103624,9 @@ catalog:
                           value: SA-04e.[01]
                           class: sp800-53a
                       prose: 'security documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
                     - id: sa-4_obj.e-2
                       name: assessment-objective
                       props:
@@ -94995,6 +103634,12 @@ catalog:
                           value: SA-04e.[02]
                           class: sp800-53a
                       prose: 'privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.e'
+                      rel: assessment-for
                 - id: sa-4_obj.f
                   name: assessment-objective
                   props:
@@ -95009,6 +103654,9 @@ catalog:
                           value: SA-04f.[01]
                           class: sp800-53a
                       prose: 'requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
                     - id: sa-4_obj.f-2
                       name: assessment-objective
                       props:
@@ -95016,6 +103664,12 @@ catalog:
                           value: SA-04f.[02]
                           class: sp800-53a
                       prose: 'requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.f'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.f'
+                      rel: assessment-for
                 - id: sa-4_obj.g
                   name: assessment-objective
                   props:
@@ -95023,6 +103677,9 @@ catalog:
                       value: SA-04g.
                       class: sp800-53a
                   prose: 'the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                  links:
+                    - href: '#sa-4_smt.g'
+                      rel: assessment-for
                 - id: sa-4_obj.h
                   name: assessment-objective
                   props:
@@ -95037,6 +103694,9 @@ catalog:
                           value: SA-04h.[01]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service;'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-2
                       name: assessment-objective
                       props:
@@ -95044,6 +103704,9 @@ catalog:
                           value: SA-04h.[02]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
                     - id: sa-4_obj.h-3
                       name: assessment-objective
                       props:
@@ -95051,6 +103714,12 @@ catalog:
                           value: SA-04h.[03]
                           class: sp800-53a
                       prose: 'the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }};'
+                      links:
+                        - href: '#sa-4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4_smt.h'
+                      rel: assessment-for
                 - id: sa-4_obj.i
                   name: assessment-objective
                   props:
@@ -95058,6 +103727,12 @@ catalog:
                       value: SA-04i.
                       class: sp800-53a
                   prose: 'acceptance criteria requirements and descriptions are included explicitly or by reference using {{ insert: param, sa-04_odp.01 }} in the acquisition contract for the system, system component, or system service.'
+                  links:
+                    - href: '#sa-4_smt.i'
+                      rel: assessment-for
+              links:
+                - href: '#sa-4_smt'
+                  rel: assessment-for
             - id: sa-4_asm-examine
               name: assessment-method
               props:
@@ -95160,6 +103835,9 @@ catalog:
                       value: SA-04(01)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to provide a description of the functional properties of the controls to be implemented.
+                  links:
+                    - href: '#sa-4.1_smt'
+                      rel: assessment-for
                 - id: sa-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -95293,6 +103971,9 @@ catalog:
                       value: SA-04(02)
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using {{ insert: param, sa-04.02_odp.01 }} at {{ insert: param, sa-04.02_odp.03 }}.'
+                  links:
+                    - href: '#sa-4.2_smt'
+                      rel: assessment-for
                 - id: sa-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -95500,6 +104181,9 @@ catalog:
                           value: SA-04(03)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.01 }};'
+                      links:
+                        - href: '#sa-4.3_smt.a'
+                          rel: assessment-for
                     - id: sa-4.3_obj.b
                       name: assessment-objective
                       props:
@@ -95507,6 +104191,9 @@ catalog:
                           value: SA-04(03)(b)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.02 }};'
+                      links:
+                        - href: '#sa-4.3_smt.b'
+                          rel: assessment-for
                     - id: sa-4.3_obj.c
                       name: assessment-objective
                       props:
@@ -95514,6 +104201,12 @@ catalog:
                           value: SA-04(03)(c)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes {{ insert: param, sa-04.03_odp.05 }}.'
+                      links:
+                        - href: '#sa-4.3_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.3_smt'
+                      rel: assessment-for
                 - id: sa-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -95663,6 +104356,9 @@ catalog:
                           value: SA-04(05)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to deliver the system, component, or service with {{ insert: param, sa-04.05_odp }} implemented;'
+                      links:
+                        - href: '#sa-4.5_smt.a'
+                          rel: assessment-for
                     - id: sa-4.5_obj.b
                       name: assessment-objective
                       props:
@@ -95670,6 +104366,12 @@ catalog:
                           value: SA-04(05)(b)
                           class: sp800-53a
                       prose: the configurations are used as the default for any subsequent system, component, or service reinstallation or upgrade.
+                      links:
+                        - href: '#sa-4.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.5_smt'
+                      rel: assessment-for
                 - id: sa-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -95789,6 +104491,9 @@ catalog:
                           value: SA-04(06)(a)
                           class: sp800-53a
                       prose: only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted are employed;
+                      links:
+                        - href: '#sa-4.6_smt.a'
+                          rel: assessment-for
                     - id: sa-4.6_obj.b
                       name: assessment-objective
                       props:
@@ -95796,6 +104501,12 @@ catalog:
                           value: SA-04(06)(b)
                           class: sp800-53a
                       prose: these products have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
+                      links:
+                        - href: '#sa-4.6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.6_smt'
+                      rel: assessment-for
                 - id: sa-4.6_asm-examine
                   name: assessment-method
                   props:
@@ -95921,6 +104632,9 @@ catalog:
                           value: SA-04(07)(a)
                           class: sp800-53a
                       prose: the use of commercially provided information assurance and information assurance-enabled information technology products is limited to those products that have been successfully evaluated against a National Information Assurance partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists;
+                      links:
+                        - href: '#sa-4.7_smt.a'
+                          rel: assessment-for
                     - id: sa-4.7_obj.b
                       name: assessment-objective
                       props:
@@ -95928,6 +104642,12 @@ catalog:
                           value: SA-04(07)(b)
                           class: sp800-53a
                       prose: if no NIAP-approved Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, that cryptographic module is required to be FIPS-validated or NSA-approved.
+                      links:
+                        - href: '#sa-4.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.7_smt'
+                      rel: assessment-for
                 - id: sa-4.7_asm-examine
                   name: assessment-method
                   props:
@@ -96028,6 +104748,9 @@ catalog:
                       value: SA-04(08)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to produce a plan for the continuous monitoring of control effectiveness that is consistent with the continuous monitoring program of the organization.
+                  links:
+                    - href: '#sa-4.8_smt'
+                      rel: assessment-for
                 - id: sa-4.8_asm-examine
                   name: assessment-method
                   props:
@@ -96140,6 +104863,9 @@ catalog:
                           value: SA-04(09)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the functions intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-2
                       name: assessment-objective
                       props:
@@ -96147,6 +104873,9 @@ catalog:
                           value: SA-04(09)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the ports intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-3
                       name: assessment-objective
                       props:
@@ -96154,6 +104883,9 @@ catalog:
                           value: SA-04(09)[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the protocols intended for organizational use;
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
                     - id: sa-4.9_obj-4
                       name: assessment-objective
                       props:
@@ -96161,6 +104893,12 @@ catalog:
                           value: SA-04(09)[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to identify the services intended for organizational use.
+                      links:
+                        - href: '#sa-4.9_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.9_smt'
+                      rel: assessment-for
                 - id: sa-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -96257,6 +104995,9 @@ catalog:
                       value: SA-04(10)
                       class: sp800-53a
                   prose: only information technology products on the FIPS 201-approved products list for the Personal Identity Verification (PIV) capability implemented within organizational systems are employed.
+                  links:
+                    - href: '#sa-4.10_smt'
+                      rel: assessment-for
                 - id: sa-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -96366,6 +105107,9 @@ catalog:
                       value: SA-04(11)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-04.11_odp }} are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.'
+                  links:
+                    - href: '#sa-4.11_smt'
+                      rel: assessment-for
                 - id: sa-4.11_asm-examine
                   name: assessment-method
                   props:
@@ -96499,6 +105243,9 @@ catalog:
                           value: SA-04(12)(a)
                           class: sp800-53a
                       prose: organizational data ownership requirements are included in the acquisition contract;
+                      links:
+                        - href: '#sa-4.12_smt.a'
+                          rel: assessment-for
                     - id: sa-4.12_obj.b
                       name: assessment-objective
                       props:
@@ -96506,6 +105253,12 @@ catalog:
                           value: SA-04(12)(b)
                           class: sp800-53a
                       prose: 'all data to be removed from the contractor’s system and returned to the organization is required within {{ insert: param, sa-04.12_odp }}.'
+                      links:
+                        - href: '#sa-4.12_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-4.12_smt'
+                      rel: assessment-for
                 - id: sa-4.12_asm-examine
                   name: assessment-method
                   props:
@@ -96759,6 +105512,9 @@ catalog:
                               value: SA-05a.01[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -96766,6 +105522,9 @@ catalog:
                               value: SA-05a.01[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
                         - id: sa-5_obj.a.1-3
                           name: assessment-objective
                           props:
@@ -96773,6 +105532,12 @@ catalog:
                               value: SA-05a.01[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.1'
+                          rel: assessment-for
                     - id: sa-5_obj.a.2
                       name: assessment-objective
                       props:
@@ -96787,6 +105552,9 @@ catalog:
                               value: SA-05a.02[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -96794,6 +105562,9 @@ catalog:
                               value: SA-05a.02[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -96801,6 +105572,9 @@ catalog:
                               value: SA-05a.02[03]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
                         - id: sa-5_obj.a.2-4
                           name: assessment-objective
                           props:
@@ -96808,6 +105582,12 @@ catalog:
                               value: SA-05a.02[04]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.2'
+                          rel: assessment-for
                     - id: sa-5_obj.a.3
                       name: assessment-objective
                       props:
@@ -96822,6 +105602,9 @@ catalog:
                               value: SA-05a.03[01]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
                         - id: sa-5_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -96829,6 +105612,15 @@ catalog:
                               value: SA-05a.03[02]
                               class: sp800-53a
                           prose: administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.a.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.a'
+                      rel: assessment-for
                 - id: sa-5_obj.b
                   name: assessment-objective
                   props:
@@ -96850,6 +105642,9 @@ catalog:
                               value: SA-05b.01[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-2
                           name: assessment-objective
                           props:
@@ -96857,6 +105652,9 @@ catalog:
                               value: SA-05b.01[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-3
                           name: assessment-objective
                           props:
@@ -96864,6 +105662,9 @@ catalog:
                               value: SA-05b.01[03]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
                         - id: sa-5_obj.b.1-4
                           name: assessment-objective
                           props:
@@ -96871,6 +105672,12 @@ catalog:
                               value: SA-05b.01[04]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.1'
+                          rel: assessment-for
                     - id: sa-5_obj.b.2
                       name: assessment-objective
                       props:
@@ -96885,6 +105692,9 @@ catalog:
                               value: SA-05b.02[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
                         - id: sa-5_obj.b.2-2
                           name: assessment-objective
                           props:
@@ -96892,6 +105702,12 @@ catalog:
                               value: SA-05b.02[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.2'
+                          rel: assessment-for
                     - id: sa-5_obj.b.3
                       name: assessment-objective
                       props:
@@ -96906,6 +105722,9 @@ catalog:
                               value: SA-05b.03[01]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
                         - id: sa-5_obj.b.3-2
                           name: assessment-objective
                           props:
@@ -96913,6 +105732,15 @@ catalog:
                               value: SA-05b.03[02]
                               class: sp800-53a
                           prose: user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;
+                          links:
+                            - href: '#sa-5_smt.b.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-5_smt.b.3'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.b'
+                      rel: assessment-for
                 - id: sa-5_obj.c
                   name: assessment-objective
                   props:
@@ -96927,6 +105755,9 @@ catalog:
                           value: SA-05c.[01]
                           class: sp800-53a
                       prose: attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
                     - id: sa-5_obj.c-2
                       name: assessment-objective
                       props:
@@ -96934,6 +105765,12 @@ catalog:
                           value: SA-05c.[02]
                           class: sp800-53a
                       prose: 'after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, {{ insert: param, sa-05_odp.01 }} are taken in response;'
+                      links:
+                        - href: '#sa-5_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-5_smt.c'
+                      rel: assessment-for
                 - id: sa-5_obj.d
                   name: assessment-objective
                   props:
@@ -96941,6 +105778,12 @@ catalog:
                       value: SA-05d.
                       class: sp800-53a
                   prose: 'documentation is distributed to {{ insert: param, sa-05_odp.02 }}.'
+                  links:
+                    - href: '#sa-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#sa-5_smt'
+                  rel: assessment-for
             - id: sa-5_asm-examine
               name: assessment-method
               props:
@@ -97254,6 +106097,9 @@ catalog:
                       value: SA-08[01]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.01 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-2
                   name: assessment-objective
                   props:
@@ -97261,6 +106107,9 @@ catalog:
                       value: SA-08[02]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.01 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-3
                   name: assessment-objective
                   props:
@@ -97268,6 +106117,9 @@ catalog:
                       value: SA-08[03]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.01 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-4
                   name: assessment-objective
                   props:
@@ -97275,6 +106127,9 @@ catalog:
                       value: SA-08[04]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.01 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-5
                   name: assessment-objective
                   props:
@@ -97282,6 +106137,9 @@ catalog:
                       value: SA-08[05]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.01 }} are applied in the modification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-6
                   name: assessment-objective
                   props:
@@ -97289,6 +106147,9 @@ catalog:
                       value: SA-08[06]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.02 }} are applied in the specification of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-7
                   name: assessment-objective
                   props:
@@ -97296,6 +106157,9 @@ catalog:
                       value: SA-08[07]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.02 }} are applied in the design of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-8
                   name: assessment-objective
                   props:
@@ -97303,6 +106167,9 @@ catalog:
                       value: SA-08[08]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.02 }} are applied in the development of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-9
                   name: assessment-objective
                   props:
@@ -97310,6 +106177,9 @@ catalog:
                       value: SA-08[09]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.02 }} are applied in the implementation of the system and system components;'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
                 - id: sa-8_obj-10
                   name: assessment-objective
                   props:
@@ -97317,6 +106187,12 @@ catalog:
                       value: SA-08[10]
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08_odp.02 }} are applied in the modification of the system and system components.'
+                  links:
+                    - href: '#sa-8_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sa-8_smt'
+                  rel: assessment-for
             - id: sa-8_asm-examine
               name: assessment-method
               props:
@@ -97422,6 +106298,9 @@ catalog:
                       value: SA-08(01)
                       class: sp800-53a
                   prose: the security design principle of clear abstractions is implemented.
+                  links:
+                    - href: '#sa-8.1_smt'
+                      rel: assessment-for
                 - id: sa-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -97529,6 +106408,9 @@ catalog:
                       value: SA-08(02)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.02_odp }} implement the security design principle of least common mechanism.'
+                  links:
+                    - href: '#sa-8.2_smt'
+                      rel: assessment-for
                 - id: sa-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -97662,6 +106544,9 @@ catalog:
                           value: SA-08(03)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.03_odp.01 }} implement the security design principle of modularity;'
+                      links:
+                        - href: '#sa-8.3_smt'
+                          rel: assessment-for
                     - id: sa-8.3_obj-2
                       name: assessment-objective
                       props:
@@ -97669,6 +106554,12 @@ catalog:
                           value: SA-08(03)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.03_odp.02 }} implement the security design principle of layering.'
+                      links:
+                        - href: '#sa-8.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-8.3_smt'
+                      rel: assessment-for
                 - id: sa-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -97778,6 +106669,9 @@ catalog:
                       value: SA-08(04)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.04_odp }} implement the security design principle of partially ordered dependencies.'
+                  links:
+                    - href: '#sa-8.4_smt'
+                      rel: assessment-for
                 - id: sa-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -97887,6 +106781,9 @@ catalog:
                       value: SA-08(05)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.05_odp }} implement the security design principle of efficiently mediated access.'
+                  links:
+                    - href: '#sa-8.5_smt'
+                      rel: assessment-for
                 - id: sa-8.5_asm-examine
                   name: assessment-method
                   props:
@@ -97998,6 +106895,9 @@ catalog:
                       value: SA-08(06)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.06_odp }} implement the security design principle of minimized sharing.'
+                  links:
+                    - href: '#sa-8.6_smt'
+                      rel: assessment-for
                 - id: sa-8.6_asm-examine
                   name: assessment-method
                   props:
@@ -98105,6 +107005,9 @@ catalog:
                       value: SA-08(07)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.07_odp }} implement the security design principle of reduced complexity.'
+                  links:
+                    - href: '#sa-8.7_smt'
+                      rel: assessment-for
                 - id: sa-8.7_asm-examine
                   name: assessment-method
                   props:
@@ -98214,6 +107117,9 @@ catalog:
                       value: SA-08(08)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.08_odp }} implement the security design principle of secure evolvability.'
+                  links:
+                    - href: '#sa-8.8_smt'
+                      rel: assessment-for
                 - id: sa-8.8_asm-examine
                   name: assessment-method
                   props:
@@ -98324,6 +107230,9 @@ catalog:
                       value: SA-08(09)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.09_odp }} implement the security design principle of trusted components.'
+                  links:
+                    - href: '#sa-8.9_smt'
+                      rel: assessment-for
                 - id: sa-8.9_asm-examine
                   name: assessment-method
                   props:
@@ -98437,6 +107346,9 @@ catalog:
                       value: SA-08(10)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.10_odp }} implement the security design principle of hierarchical trust.'
+                  links:
+                    - href: '#sa-8.10_smt'
+                      rel: assessment-for
                 - id: sa-8.10_asm-examine
                   name: assessment-method
                   props:
@@ -98544,6 +107456,9 @@ catalog:
                       value: SA-08(11)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.11_odp }} implement the security design principle of inverse modification threshold.'
+                  links:
+                    - href: '#sa-8.11_smt'
+                      rel: assessment-for
                 - id: sa-8.11_asm-examine
                   name: assessment-method
                   props:
@@ -98651,6 +107566,9 @@ catalog:
                       value: SA-08(12)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.12_odp }} implement the security design principle of hierarchical protection.'
+                  links:
+                    - href: '#sa-8.12_smt'
+                      rel: assessment-for
                 - id: sa-8.12_asm-examine
                   name: assessment-method
                   props:
@@ -98758,6 +107676,9 @@ catalog:
                       value: SA-08(13)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.13_odp }} implement the security design principle of minimized security elements.'
+                  links:
+                    - href: '#sa-8.13_smt'
+                      rel: assessment-for
                 - id: sa-8.13_asm-examine
                   name: assessment-method
                   props:
@@ -98872,6 +107793,9 @@ catalog:
                       value: SA-08(14)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.14_odp }} implement the security design principle of least privilege.'
+                  links:
+                    - href: '#sa-8.14_smt'
+                      rel: assessment-for
                 - id: sa-8.14_asm-examine
                   name: assessment-method
                   props:
@@ -98981,6 +107905,9 @@ catalog:
                       value: SA-08(15)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.15_odp }} implement the security design principle of predicate permission.'
+                  links:
+                    - href: '#sa-8.15_smt'
+                      rel: assessment-for
                 - id: sa-8.15_asm-examine
                   name: assessment-method
                   props:
@@ -99088,6 +108015,9 @@ catalog:
                       value: SA-08(16)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.16_odp }} implement the security design principle of self-reliant trustworthiness.'
+                  links:
+                    - href: '#sa-8.16_smt'
+                      rel: assessment-for
                 - id: sa-8.16_asm-examine
                   name: assessment-method
                   props:
@@ -99195,6 +108125,9 @@ catalog:
                       value: SA-08(17)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.17_odp }} implement the security design principle of secure distributed composition.'
+                  links:
+                    - href: '#sa-8.17_smt'
+                      rel: assessment-for
                 - id: sa-8.17_asm-examine
                   name: assessment-method
                   props:
@@ -99308,6 +108241,9 @@ catalog:
                       value: SA-08(18)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.18_odp }} implement the security design principle of trusted communications channels.'
+                  links:
+                    - href: '#sa-8.18_smt'
+                      rel: assessment-for
                 - id: sa-8.18_asm-examine
                   name: assessment-method
                   props:
@@ -99420,6 +108356,9 @@ catalog:
                       value: SA-08(19)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.19_odp }} implement the security design principle of continuous protection.'
+                  links:
+                    - href: '#sa-8.19_smt'
+                      rel: assessment-for
                 - id: sa-8.19_asm-examine
                   name: assessment-method
                   props:
@@ -99548,6 +108487,9 @@ catalog:
                       value: SA-08(20)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.20_odp }} implement the security design principle of secure metadata management.'
+                  links:
+                    - href: '#sa-8.20_smt'
+                      rel: assessment-for
                 - id: sa-8.20_asm-examine
                   name: assessment-method
                   props:
@@ -99657,6 +108599,9 @@ catalog:
                       value: SA-08(21)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.21_odp }} implement the security design principle of self-analysis.'
+                  links:
+                    - href: '#sa-8.21_smt'
+                      rel: assessment-for
                 - id: sa-8.21_asm-examine
                   name: assessment-method
                   props:
@@ -99804,6 +108749,9 @@ catalog:
                           value: SA-08(22)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.22_odp.01 }} implement the security design principle of accountability;'
+                      links:
+                        - href: '#sa-8.22_smt'
+                          rel: assessment-for
                     - id: sa-8.22_obj-2
                       name: assessment-objective
                       props:
@@ -99811,6 +108759,12 @@ catalog:
                           value: SA-08(22)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.22_odp.02 }} implement the security design principle of traceability.'
+                      links:
+                        - href: '#sa-8.22_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-8.22_smt'
+                      rel: assessment-for
                 - id: sa-8.22_asm-examine
                   name: assessment-method
                   props:
@@ -99953,6 +108907,9 @@ catalog:
                       value: SA-08(23)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.23_odp }} implement the security design principle of secure defaults.'
+                  links:
+                    - href: '#sa-8.23_smt'
+                      rel: assessment-for
                 - id: sa-8.23_asm-examine
                   name: assessment-method
                   props:
@@ -100119,6 +109076,9 @@ catalog:
                           value: SA-08(24)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.24_odp.01 }} implement the security design principle of secure failure;'
+                      links:
+                        - href: '#sa-8.24_smt'
+                          rel: assessment-for
                     - id: sa-8.24_obj-2
                       name: assessment-objective
                       props:
@@ -100126,6 +109086,12 @@ catalog:
                           value: SA-08(24)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-08.24_odp.02 }} implement the security design principle of secure recovery.'
+                      links:
+                        - href: '#sa-8.24_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-8.24_smt'
+                      rel: assessment-for
                 - id: sa-8.24_asm-examine
                   name: assessment-method
                   props:
@@ -100267,6 +109233,9 @@ catalog:
                       value: SA-08(25)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.25_odp }} implement the security design principle of economic security.'
+                  links:
+                    - href: '#sa-8.25_smt'
+                      rel: assessment-for
                 - id: sa-8.25_asm-examine
                   name: assessment-method
                   props:
@@ -100387,6 +109356,9 @@ catalog:
                       value: SA-08(26)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.26_odp }} implement the security design principle of performance security.'
+                  links:
+                    - href: '#sa-8.26_smt'
+                      rel: assessment-for
                 - id: sa-8.26_asm-examine
                   name: assessment-method
                   props:
@@ -100496,6 +109468,9 @@ catalog:
                       value: SA-08(27)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.27_odp }} implement the security design principle of human factored security.'
+                  links:
+                    - href: '#sa-8.27_smt'
+                      rel: assessment-for
                 - id: sa-8.27_asm-examine
                   name: assessment-method
                   props:
@@ -100609,6 +109584,9 @@ catalog:
                       value: SA-08(28)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.28_odp }} implement the security design principle of acceptable security.'
+                  links:
+                    - href: '#sa-8.28_smt'
+                      rel: assessment-for
                 - id: sa-8.28_asm-examine
                   name: assessment-method
                   props:
@@ -100744,6 +109722,9 @@ catalog:
                       value: SA-08(29)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.29_odp }} implement the security design principle of repeatable and documented procedures.'
+                  links:
+                    - href: '#sa-8.29_smt'
+                      rel: assessment-for
                 - id: sa-8.29_asm-examine
                   name: assessment-method
                   props:
@@ -100858,6 +109839,9 @@ catalog:
                       value: SA-08(30)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.30_odp }} implement the security design principle of procedural rigor.'
+                  links:
+                    - href: '#sa-8.30_smt'
+                      rel: assessment-for
                 - id: sa-8.30_asm-examine
                   name: assessment-method
                   props:
@@ -100971,6 +109955,9 @@ catalog:
                       value: SA-08(31)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.31_odp }} implement the security design principle of secure system modification.'
+                  links:
+                    - href: '#sa-8.31_smt'
+                      rel: assessment-for
                 - id: sa-8.31_asm-examine
                   name: assessment-method
                   props:
@@ -101096,6 +110083,9 @@ catalog:
                       value: SA-08(32)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-08.32_odp }} implement the security design principle of sufficient documentation.'
+                  links:
+                    - href: '#sa-8.32_smt'
+                      rel: assessment-for
                 - id: sa-8.32_asm-examine
                   name: assessment-method
                   props:
@@ -101223,6 +110213,9 @@ catalog:
                       value: SA-08(33)
                       class: sp800-53a
                   prose: 'the privacy principle of minimization is implemented using {{ insert: param, sa-08.33_odp }}.'
+                  links:
+                    - href: '#sa-8.33_smt'
+                      rel: assessment-for
                 - id: sa-8.33_asm-examine
                   name: assessment-method
                   props:
@@ -101419,6 +110412,9 @@ catalog:
                           value: SA-09a.[01]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational security requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-2
                       name: assessment-objective
                       props:
@@ -101426,6 +110422,9 @@ catalog:
                           value: SA-09a.[02]
                           class: sp800-53a
                       prose: providers of external system services comply with organizational privacy requirements;
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
                     - id: sa-9_obj.a-3
                       name: assessment-objective
                       props:
@@ -101433,6 +110432,12 @@ catalog:
                           value: SA-09a.[03]
                           class: sp800-53a
                       prose: 'providers of external system services employ {{ insert: param, sa-09_odp.01 }};'
+                      links:
+                        - href: '#sa-9_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.a'
+                      rel: assessment-for
                 - id: sa-9_obj.b
                   name: assessment-objective
                   props:
@@ -101447,6 +110452,9 @@ catalog:
                           value: SA-09b.[01]
                           class: sp800-53a
                       prose: organizational oversight with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
                     - id: sa-9_obj.b-2
                       name: assessment-objective
                       props:
@@ -101454,6 +110462,12 @@ catalog:
                           value: SA-09b.[02]
                           class: sp800-53a
                       prose: user roles and responsibilities with regard to external system services are defined and documented;
+                      links:
+                        - href: '#sa-9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9_smt.b'
+                      rel: assessment-for
                 - id: sa-9_obj.c
                   name: assessment-objective
                   props:
@@ -101461,6 +110475,12 @@ catalog:
                       value: SA-09c.
                       class: sp800-53a
                   prose: '{{ insert: param, sa-09_odp.02 }} are employed to monitor control compliance by external service providers on an ongoing basis.'
+                  links:
+                    - href: '#sa-9_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-9_smt'
+                  rel: assessment-for
             - id: sa-9_asm-examine
               name: assessment-method
               props:
@@ -101605,6 +110625,9 @@ catalog:
                           value: SA-09(01)(a)
                           class: sp800-53a
                       prose: an organizational assessment of risk is conducted prior to the acquisition or outsourcing of information security services;
+                      links:
+                        - href: '#sa-9.1_smt.a'
+                          rel: assessment-for
                     - id: sa-9.1_obj.b
                       name: assessment-objective
                       props:
@@ -101612,6 +110635,12 @@ catalog:
                           value: SA-09(01)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, sa-09.01_odp }} approve the acquisition or outsourcing of dedicated information security services.'
+                      links:
+                        - href: '#sa-9.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9.1_smt'
+                      rel: assessment-for
                 - id: sa-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -101732,6 +110761,9 @@ catalog:
                       value: SA-09(02)
                       class: sp800-53a
                   prose: 'providers of {{ insert: param, sa-09.02_odp }} are required to identify the functions, ports, protocols, and other services required for the use of such services.'
+                  links:
+                    - href: '#sa-9.2_smt'
+                      rel: assessment-for
                 - id: sa-9.2_asm-examine
                   name: assessment-method
                   props:
@@ -101853,6 +110885,9 @@ catalog:
                           value: SA-09(03)[01]
                           class: sp800-53a
                       prose: 'trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are established and documented;'
+                      links:
+                        - href: '#sa-9.3_smt'
+                          rel: assessment-for
                     - id: sa-9.3_obj-2
                       name: assessment-objective
                       props:
@@ -101860,6 +110895,9 @@ catalog:
                           value: SA-09(03)[02]
                           class: sp800-53a
                       prose: 'trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.01 }} are maintained;'
+                      links:
+                        - href: '#sa-9.3_smt'
+                          rel: assessment-for
                     - id: sa-9.3_obj-3
                       name: assessment-objective
                       props:
@@ -101867,6 +110905,9 @@ catalog:
                           value: SA-09(03)[03]
                           class: sp800-53a
                       prose: 'trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are established and documented;'
+                      links:
+                        - href: '#sa-9.3_smt'
+                          rel: assessment-for
                     - id: sa-9.3_obj-4
                       name: assessment-objective
                       props:
@@ -101874,6 +110915,12 @@ catalog:
                           value: SA-09(03)[04]
                           class: sp800-53a
                       prose: 'trust relationships with external service provides based on {{ insert: param, sa-09.03_odp.02 }} are maintained.'
+                      links:
+                        - href: '#sa-9.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-9.3_smt'
+                      rel: assessment-for
                 - id: sa-9.3_asm-examine
                   name: assessment-method
                   props:
@@ -101987,6 +111034,9 @@ catalog:
                       value: SA-09(04)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-09.04_odp.02 }} are taken to verify that the interests of {{ insert: param, sa-09.04_odp.01 }} are consistent with and reflect organizational interests.'
+                  links:
+                    - href: '#sa-9.4_smt'
+                      rel: assessment-for
                 - id: sa-9.4_asm-examine
                   name: assessment-method
                   props:
@@ -102131,6 +111181,9 @@ catalog:
                       value: SA-09(05)
                       class: sp800-53a
                   prose: 'based on {{ insert: param, sa-09.05_odp.03 }}, {{ insert: param, sa-09.05_odp.01 }} is/are restricted to {{ insert: param, sa-09.05_odp.02 }}.'
+                  links:
+                    - href: '#sa-9.5_smt'
+                      rel: assessment-for
                 - id: sa-9.5_asm-examine
                   name: assessment-method
                   props:
@@ -102242,6 +111295,9 @@ catalog:
                       value: SA-09(06)
                       class: sp800-53a
                   prose: exclusive control of cryptographic keys is maintained for encrypted material stored or transmitted through an external system.
+                  links:
+                    - href: '#sa-9.6_smt'
+                      rel: assessment-for
                 - id: sa-9.6_asm-examine
                   name: assessment-method
                   props:
@@ -102347,6 +111403,9 @@ catalog:
                       value: SA-09(07)
                       class: sp800-53a
                   prose: the capability is provided to check the integrity of information while it resides in the external system.
+                  links:
+                    - href: '#sa-9.7_smt'
+                      rel: assessment-for
                 - id: sa-9.7_asm-examine
                   name: assessment-method
                   props:
@@ -102456,6 +111515,9 @@ catalog:
                       value: SA-09(08)
                       class: sp800-53a
                   prose: the geographic location of information processing and data storage is restricted to facilities located within the legal jurisdictional boundary of the United States.
+                  links:
+                    - href: '#sa-9.8_smt'
+                      rel: assessment-for
                 - id: sa-9.8_asm-examine
                   name: assessment-method
                   props:
@@ -102674,6 +111736,9 @@ catalog:
                       value: SA-10a.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to perform configuration management during system, component, or service {{ insert: param, sa-10_odp.01 }};'
+                  links:
+                    - href: '#sa-10_smt.a'
+                      rel: assessment-for
                 - id: sa-10_obj.b
                   name: assessment-objective
                   props:
@@ -102688,6 +111753,9 @@ catalog:
                           value: SA-10b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to document the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-2
                       name: assessment-objective
                       props:
@@ -102695,6 +111763,9 @@ catalog:
                           value: SA-10b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to manage the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
                     - id: sa-10_obj.b-3
                       name: assessment-objective
                       props:
@@ -102702,6 +111773,12 @@ catalog:
                           value: SA-10b.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to control the integrity of changes to {{ insert: param, sa-10_odp.02 }};'
+                      links:
+                        - href: '#sa-10_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.b'
+                      rel: assessment-for
                 - id: sa-10_obj.c
                   name: assessment-objective
                   props:
@@ -102709,6 +111786,9 @@ catalog:
                       value: SA-10c.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to implement only organization-approved changes to the system, component, or service;
+                  links:
+                    - href: '#sa-10_smt.c'
+                      rel: assessment-for
                 - id: sa-10_obj.d
                   name: assessment-objective
                   props:
@@ -102723,6 +111803,9 @@ catalog:
                           value: SA-10d.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document approved changes to the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-2
                       name: assessment-objective
                       props:
@@ -102730,6 +111813,9 @@ catalog:
                           value: SA-10d.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential security impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
                     - id: sa-10_obj.d-3
                       name: assessment-objective
                       props:
@@ -102737,6 +111823,12 @@ catalog:
                           value: SA-10d.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the potential privacy impacts of approved changes;
+                      links:
+                        - href: '#sa-10_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.d'
+                      rel: assessment-for
                 - id: sa-10_obj.e
                   name: assessment-objective
                   props:
@@ -102751,6 +111843,9 @@ catalog:
                           value: SA-10e.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaws within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-2
                       name: assessment-objective
                       props:
@@ -102758,6 +111853,9 @@ catalog:
                           value: SA-10e.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to track security flaw resolutions within the system, component, or service;
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
                     - id: sa-10_obj.e-3
                       name: assessment-objective
                       props:
@@ -102765,6 +111863,15 @@ catalog:
                           value: SA-10e.[03]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to report findings to {{ insert: param, sa-10_odp.03 }}.'
+                      links:
+                        - href: '#sa-10_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-10_smt'
+                  rel: assessment-for
             - id: sa-10_asm-examine
               name: assessment-method
               props:
@@ -102875,6 +111982,9 @@ catalog:
                       value: SA-10(01)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to enable integrity verification of software and firmware components.
+                  links:
+                    - href: '#sa-10.1_smt'
+                      rel: assessment-for
                 - id: sa-10.1_asm-examine
                   name: assessment-method
                   props:
@@ -102984,6 +112094,9 @@ catalog:
                       value: SA-10(02)
                       class: sp800-53a
                   prose: an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.
+                  links:
+                    - href: '#sa-10.2_smt'
+                      rel: assessment-for
                 - id: sa-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -103097,6 +112210,9 @@ catalog:
                       value: SA-10(03)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to enable integrity verification of hardware components.
+                  links:
+                    - href: '#sa-10.3_smt'
+                      rel: assessment-for
                 - id: sa-10.3_asm-examine
                   name: assessment-method
                   props:
@@ -103207,6 +112323,9 @@ catalog:
                           value: SA-10(04)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of security-relevant hardware descriptions with previous versions;
+                      links:
+                        - href: '#sa-10.4_smt'
+                          rel: assessment-for
                     - id: sa-10.4_obj-2
                       name: assessment-objective
                       props:
@@ -103214,6 +112333,9 @@ catalog:
                           value: SA-10(04)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of source code with previous versions;
+                      links:
+                        - href: '#sa-10.4_smt'
+                          rel: assessment-for
                     - id: sa-10.4_obj-3
                       name: assessment-objective
                       props:
@@ -103221,6 +112343,12 @@ catalog:
                           value: SA-10(04)[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ tools for comparing newly generated versions of object code with previous versions.
+                      links:
+                        - href: '#sa-10.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10.4_smt'
+                      rel: assessment-for
                 - id: sa-10.4_asm-examine
                   name: assessment-method
                   props:
@@ -103305,6 +112433,9 @@ catalog:
                       value: SA-10(05)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.
+                  links:
+                    - href: '#sa-10.5_smt'
+                      rel: assessment-for
                 - id: sa-10.5_asm-examine
                   name: assessment-method
                   props:
@@ -103410,6 +112541,9 @@ catalog:
                       value: SA-10(06)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.
+                  links:
+                    - href: '#sa-10.6_smt'
+                      rel: assessment-for
                 - id: sa-10.6_asm-examine
                   name: assessment-method
                   props:
@@ -103569,6 +112703,9 @@ catalog:
                           value: SA-10(07)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-10.07_odp.01 }} are required to be included in the {{ insert: param, sa-10.07_odp.03 }};'
+                      links:
+                        - href: '#sa-10.7_smt'
+                          rel: assessment-for
                     - id: sa-10.7_obj-2
                       name: assessment-objective
                       props:
@@ -103576,6 +112713,12 @@ catalog:
                           value: SA-10(07)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sa-10.07_odp.02 }} are required to be included in the {{ insert: param, sa-10.07_odp.04 }}.'
+                      links:
+                        - href: '#sa-10.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-10.7_smt'
+                      rel: assessment-for
                 - id: sa-10.7_asm-examine
                   name: assessment-method
                   props:
@@ -103786,6 +112929,9 @@ catalog:
                           value: SA-11a.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -103793,6 +112939,9 @@ catalog:
                           value: SA-11a.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing security assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -103800,6 +112949,9 @@ catalog:
                           value: SA-11a.[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to develop a plan for privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
                     - id: sa-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -103807,6 +112959,12 @@ catalog:
                           value: SA-11a.[04]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a plan for ongoing privacy assessments;
+                      links:
+                        - href: '#sa-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.a'
+                      rel: assessment-for
                 - id: sa-11_obj.b
                   name: assessment-objective
                   props:
@@ -103814,6 +112972,9 @@ catalog:
                       value: SA-11b.
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform {{ insert: param, sa-11_odp.01 }} testing/evaluation {{ insert: param, sa-11_odp.02 }} at {{ insert: param, sa-11_odp.03 }};'
+                  links:
+                    - href: '#sa-11_smt.b'
+                      rel: assessment-for
                 - id: sa-11_obj.c
                   name: assessment-objective
                   props:
@@ -103828,6 +112989,9 @@ catalog:
                           value: SA-11c.[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce evidence of the execution of the assessment plan;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
                     - id: sa-11_obj.c-2
                       name: assessment-objective
                       props:
@@ -103835,6 +112999,12 @@ catalog:
                           value: SA-11c.[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to produce the results of the testing and evaluation;
+                      links:
+                        - href: '#sa-11_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11_smt.c'
+                      rel: assessment-for
                 - id: sa-11_obj.d
                   name: assessment-objective
                   props:
@@ -103842,6 +113012,9 @@ catalog:
                       value: SA-11d.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to implement a verifiable flaw remediation process;
+                  links:
+                    - href: '#sa-11_smt.d'
+                      rel: assessment-for
                 - id: sa-11_obj.e
                   name: assessment-objective
                   props:
@@ -103849,6 +113022,12 @@ catalog:
                       value: SA-11e.
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to correct flaws identified during testing and evaluation.
+                  links:
+                    - href: '#sa-11_smt.e'
+                      rel: assessment-for
+              links:
+                - href: '#sa-11_smt'
+                  rel: assessment-for
             - id: sa-11_asm-examine
               name: assessment-method
               props:
@@ -103972,6 +113151,9 @@ catalog:
                           value: SA-11(01)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ static code analysis tools to identify common flaws;
+                      links:
+                        - href: '#sa-11.1_smt'
+                          rel: assessment-for
                     - id: sa-11.1_obj-2
                       name: assessment-objective
                       props:
@@ -103979,6 +113161,12 @@ catalog:
                           value: SA-11(01)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ static code analysis tools to document the results of the analysis.
+                      links:
+                        - href: '#sa-11.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.1_smt'
+                      rel: assessment-for
                 - id: sa-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -104217,6 +113405,9 @@ catalog:
                               value: SA-11(02)(a)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};'
+                          links:
+                            - href: '#sa-11.2_smt.a'
+                              rel: assessment-for
                         - id: sa-11.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -104224,6 +113415,9 @@ catalog:
                               value: SA-11(02)(a)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};'
+                          links:
+                            - href: '#sa-11.2_smt.a'
+                              rel: assessment-for
                         - id: sa-11.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -104231,6 +113425,9 @@ catalog:
                               value: SA-11(02)(a)[03]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};'
+                          links:
+                            - href: '#sa-11.2_smt.a'
+                              rel: assessment-for
                         - id: sa-11.2_obj.a-4
                           name: assessment-objective
                           props:
@@ -104238,6 +113435,12 @@ catalog:
                               value: SA-11(02)(a)[04]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses {{ insert: param, sa-11.02_odp.01 }};'
+                          links:
+                            - href: '#sa-11.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.2_smt.a'
+                          rel: assessment-for
                     - id: sa-11.2_obj.b
                       name: assessment-objective
                       props:
@@ -104252,6 +113455,9 @@ catalog:
                               value: SA-11(02)(b)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};'
+                          links:
+                            - href: '#sa-11.2_smt.b'
+                              rel: assessment-for
                         - id: sa-11.2_obj.b-2
                           name: assessment-objective
                           props:
@@ -104259,6 +113465,9 @@ catalog:
                               value: SA-11(02)(b)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};'
+                          links:
+                            - href: '#sa-11.2_smt.b'
+                              rel: assessment-for
                         - id: sa-11.2_obj.b-3
                           name: assessment-objective
                           props:
@@ -104266,6 +113475,9 @@ catalog:
                               value: SA-11(02)(b)[03]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};'
+                          links:
+                            - href: '#sa-11.2_smt.b'
+                              rel: assessment-for
                         - id: sa-11.2_obj.b-4
                           name: assessment-objective
                           props:
@@ -104273,6 +113485,12 @@ catalog:
                               value: SA-11(02)(b)[04]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs {{ insert: param, sa-11.02_odp.02 }};'
+                          links:
+                            - href: '#sa-11.2_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.2_smt.b'
+                          rel: assessment-for
                     - id: sa-11.2_obj.c
                       name: assessment-objective
                       props:
@@ -104287,6 +113505,9 @@ catalog:
                               value: SA-11(02)(c)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling at {{ insert: param, sa-11.02_odp.03 }} during development of the system, component, or service;'
+                          links:
+                            - href: '#sa-11.2_smt.c'
+                              rel: assessment-for
                         - id: sa-11.2_obj.c-2
                           name: assessment-objective
                           props:
@@ -104294,6 +113515,12 @@ catalog:
                               value: SA-11(02)(c)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at {{ insert: param, sa-11.02_odp.04 }};'
+                          links:
+                            - href: '#sa-11.2_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.2_smt.c'
+                          rel: assessment-for
                     - id: sa-11.2_obj.d
                       name: assessment-objective
                       props:
@@ -104308,6 +113535,9 @@ catalog:
                               value: SA-11(02)(d)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};'
+                          links:
+                            - href: '#sa-11.2_smt.d'
+                              rel: assessment-for
                         - id: sa-11.2_obj.d-2
                           name: assessment-objective
                           props:
@@ -104315,6 +113545,9 @@ catalog:
                               value: SA-11(02)(d)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.05 }};'
+                          links:
+                            - href: '#sa-11.2_smt.d'
+                              rel: assessment-for
                         - id: sa-11.2_obj.d-3
                           name: assessment-objective
                           props:
@@ -104322,6 +113555,9 @@ catalog:
                               value: SA-11(02)(d)[03]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }};'
+                          links:
+                            - href: '#sa-11.2_smt.d'
+                              rel: assessment-for
                         - id: sa-11.2_obj.d-4
                           name: assessment-objective
                           props:
@@ -104329,6 +113565,15 @@ catalog:
                               value: SA-11(02)(d)[04]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets {{ insert: param, sa-11.02_odp.06 }}.'
+                          links:
+                            - href: '#sa-11.2_smt.d'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.2_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.2_smt'
+                      rel: assessment-for
                 - id: sa-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -104479,6 +113724,9 @@ catalog:
                               value: SA-11(03)(a)[01]
                               class: sp800-53a
                           prose: 'an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;'
+                          links:
+                            - href: '#sa-11.3_smt.a'
+                              rel: assessment-for
                         - id: sa-11.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -104486,6 +113734,12 @@ catalog:
                               value: SA-11(03)(a)[02]
                               class: sp800-53a
                           prose: 'an independent agent is required to satisfy {{ insert: param, sa-11.03_odp }} to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;'
+                          links:
+                            - href: '#sa-11.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.3_smt.a'
+                          rel: assessment-for
                     - id: sa-11.3_obj.b
                       name: assessment-objective
                       props:
@@ -104493,6 +113747,12 @@ catalog:
                           value: SA-11(03)(b)
                           class: sp800-53a
                       prose: the independent agent is provided with sufficient information to complete the verification process or granted the authority to obtain such information.
+                      links:
+                        - href: '#sa-11.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.3_smt'
+                      rel: assessment-for
                 - id: sa-11.3_asm-examine
                   name: assessment-method
                   props:
@@ -104623,6 +113883,9 @@ catalog:
                       value: SA-11(04)
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to perform a manual code review of {{ insert: param, sa-11.04_odp.01 }} using {{ insert: param, sa-11.04_odp.02 }}.'
+                  links:
+                    - href: '#sa-11.4_smt'
+                      rel: assessment-for
                 - id: sa-11.4_asm-examine
                   name: assessment-method
                   props:
@@ -104807,6 +114070,9 @@ catalog:
                               value: SA-11(05)(a)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.01 }};'
+                          links:
+                            - href: '#sa-11.5_smt.a'
+                              rel: assessment-for
                         - id: sa-11.5_obj.a-2
                           name: assessment-objective
                           props:
@@ -104814,6 +114080,12 @@ catalog:
                               value: SA-11(05)(a)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: {{ insert: param, sa-11.05_odp.02 }};'
+                          links:
+                            - href: '#sa-11.5_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-11.5_smt.a'
+                          rel: assessment-for
                     - id: sa-11.5_obj.b
                       name: assessment-objective
                       props:
@@ -104821,6 +114093,12 @@ catalog:
                           value: SA-11(05)(b)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to perform penetration testing under {{ insert: param, sa-11.05_odp.03 }}.'
+                      links:
+                        - href: '#sa-11.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.5_smt'
+                      rel: assessment-for
                 - id: sa-11.5_asm-examine
                   name: assessment-method
                   props:
@@ -104930,6 +114208,9 @@ catalog:
                       value: SA-11(06)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to perform attack surface reviews.
+                  links:
+                    - href: '#sa-11.6_smt'
+                      rel: assessment-for
                 - id: sa-11.6_asm-examine
                   name: assessment-method
                   props:
@@ -105068,6 +114349,9 @@ catalog:
                           value: SA-11(07)[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.01 }};'
+                      links:
+                        - href: '#sa-11.7_smt'
+                          rel: assessment-for
                     - id: sa-11.7_obj-2
                       name: assessment-objective
                       props:
@@ -105075,6 +114359,12 @@ catalog:
                           value: SA-11(07)[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at {{ insert: param, sa-11.07_odp.02 }}.'
+                      links:
+                        - href: '#sa-11.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.7_smt'
+                      rel: assessment-for
                 - id: sa-11.7_asm-examine
                   name: assessment-method
                   props:
@@ -105183,6 +114473,9 @@ catalog:
                           value: SA-11(08)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ dynamic code analysis tools to identify common flaws;
+                      links:
+                        - href: '#sa-11.8_smt'
+                          rel: assessment-for
                     - id: sa-11.8_obj-2
                       name: assessment-objective
                       props:
@@ -105190,6 +114483,12 @@ catalog:
                           value: SA-11(08)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the results of the analysis.
+                      links:
+                        - href: '#sa-11.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.8_smt'
+                      rel: assessment-for
                 - id: sa-11.8_asm-examine
                   name: assessment-method
                   props:
@@ -105302,6 +114601,9 @@ catalog:
                           value: SA-11(09)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to employ interactive application security testing tools to identify flaws;
+                      links:
+                        - href: '#sa-11.9_smt'
+                          rel: assessment-for
                     - id: sa-11.9_obj-2
                       name: assessment-objective
                       props:
@@ -105309,6 +114611,12 @@ catalog:
                           value: SA-11(09)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to document the results of flaw identification.
+                      links:
+                        - href: '#sa-11.9_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-11.9_smt'
+                      rel: assessment-for
                 - id: sa-11.9_asm-examine
                   name: assessment-method
                   props:
@@ -105842,6 +115150,9 @@ catalog:
                               value: SA-15a.01[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses security requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
                         - id: sa-15_obj.a.1-2
                           name: assessment-objective
                           props:
@@ -105849,6 +115160,12 @@ catalog:
                               value: SA-15a.01[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that explicitly addresses privacy requirements;
+                          links:
+                            - href: '#sa-15_smt.a.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.1'
+                          rel: assessment-for
                     - id: sa-15_obj.a.2
                       name: assessment-objective
                       props:
@@ -105863,6 +115180,9 @@ catalog:
                               value: SA-15a.02[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the standards used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
                         - id: sa-15_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -105870,6 +115190,12 @@ catalog:
                               value: SA-15a.02[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that identifies the tools used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.2'
+                          rel: assessment-for
                     - id: sa-15_obj.a.3
                       name: assessment-objective
                       props:
@@ -105884,6 +115210,9 @@ catalog:
                               value: SA-15a.03[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
                         - id: sa-15_obj.a.3-2
                           name: assessment-objective
                           props:
@@ -105891,6 +115220,12 @@ catalog:
                               value: SA-15a.03[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to follow a documented development process that documents the specific tool configurations used in the development process;
+                          links:
+                            - href: '#sa-15_smt.a.3'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15_smt.a.3'
+                          rel: assessment-for
                     - id: sa-15_obj.a.4
                       name: assessment-objective
                       props:
@@ -105898,6 +115233,12 @@ catalog:
                           value: SA-15a.04
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to follow a documented development process that documents, manages, and ensures the integrity of changes to the process and/or tools used in development;
+                      links:
+                        - href: '#sa-15_smt.a.4'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.a'
+                      rel: assessment-for
                 - id: sa-15_obj.b
                   name: assessment-objective
                   props:
@@ -105912,6 +115253,9 @@ catalog:
                           value: SA-15b.[01]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.02 }};'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
                     - id: sa-15_obj.b-2
                       name: assessment-objective
                       props:
@@ -105919,6 +115263,15 @@ catalog:
                           value: SA-15b.[02]
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed {{ insert: param, sa-15_odp.01 }} to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy {{ insert: param, sa-15_odp.03 }}.'
+                      links:
+                        - href: '#sa-15_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-15_smt'
+                  rel: assessment-for
             - id: sa-15_asm-examine
               name: assessment-method
               props:
@@ -106081,6 +115434,9 @@ catalog:
                           value: SA-15(01)(a)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to define quality metrics at the beginning of the development process;
+                      links:
+                        - href: '#sa-15.1_smt.a'
+                          rel: assessment-for
                     - id: sa-15.1_obj.b
                       name: assessment-objective
                       props:
@@ -106088,6 +115444,12 @@ catalog:
                           value: SA-15(01)(b)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics {{ insert: param, sa-15.01_odp.01 }}.'
+                      links:
+                        - href: '#sa-15.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.1_smt'
+                      rel: assessment-for
                 - id: sa-15.1_asm-examine
                   name: assessment-method
                   props:
@@ -106181,6 +115543,9 @@ catalog:
                           value: SA-15(02)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to select and employ security tracking tools for use during the development process;
+                      links:
+                        - href: '#sa-15.2_smt'
+                          rel: assessment-for
                     - id: sa-15.2_obj-2
                       name: assessment-objective
                       props:
@@ -106188,6 +115553,12 @@ catalog:
                           value: SA-15(02)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to select and employ privacy tracking tools for use during the development process.
+                      links:
+                        - href: '#sa-15.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.2_smt'
+                      rel: assessment-for
                 - id: sa-15.2_asm-examine
                   name: assessment-method
                   props:
@@ -106343,6 +115714,9 @@ catalog:
                           value: SA-15(03)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at {{ insert: param, sa-15.03_odp.01 }} in the system development life cycle;'
+                      links:
+                        - href: '#sa-15.3_smt.a'
+                          rel: assessment-for
                     - id: sa-15.3_obj.b
                       name: assessment-objective
                       props:
@@ -106357,6 +115731,9 @@ catalog:
                               value: SA-15(03)(b)[01]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.02 }};'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
                         - id: sa-15.3_obj.b-2
                           name: assessment-objective
                           props:
@@ -106364,6 +115741,15 @@ catalog:
                               value: SA-15(03)(b)[02]
                               class: sp800-53a
                           prose: 'the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: {{ insert: param, sa-15.03_odp.03 }} .'
+                          links:
+                            - href: '#sa-15.3_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-15.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.3_smt'
+                      rel: assessment-for
                 - id: sa-15.3_asm-examine
                   name: assessment-method
                   props:
@@ -106506,6 +115892,9 @@ catalog:
                       value: SA-15(05)
                       class: sp800-53a
                   prose: 'the developer of the system, system component, or system service is required to reduce attack surfaces to {{ insert: param, sa-15.05_odp }}.'
+                  links:
+                    - href: '#sa-15.5_smt'
+                      rel: assessment-for
                 - id: sa-15.5_asm-examine
                   name: assessment-method
                   props:
@@ -106608,6 +115997,9 @@ catalog:
                       value: SA-15(06)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to implement an explicit process to continuously improve the development process.
+                  links:
+                    - href: '#sa-15.6_smt'
+                      rel: assessment-for
                 - id: sa-15.6_asm-examine
                   name: assessment-method
                   props:
@@ -106769,6 +116161,9 @@ catalog:
                           value: SA-15(07)(a)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to perform automated vulnerability analysis {{ insert: param, sa-15.07_odp.01 }} using {{ insert: param, sa-15.07_odp.02 }};'
+                      links:
+                        - href: '#sa-15.7_smt.a'
+                          rel: assessment-for
                     - id: sa-15.7_obj.b
                       name: assessment-objective
                       props:
@@ -106776,6 +116171,9 @@ catalog:
                           value: SA-15(07)(b)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities {{ insert: param, sa-15.07_odp.01 }};'
+                      links:
+                        - href: '#sa-15.7_smt.b'
+                          rel: assessment-for
                     - id: sa-15.7_obj.c
                       name: assessment-objective
                       props:
@@ -106783,6 +116181,9 @@ catalog:
                           value: SA-15(07)(c)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to determine potential risk mitigations {{ insert: param, sa-15.07_odp.01 }} for delivered vulnerabilities;'
+                      links:
+                        - href: '#sa-15.7_smt.c'
+                          rel: assessment-for
                     - id: sa-15.7_obj.d
                       name: assessment-objective
                       props:
@@ -106790,6 +116191,12 @@ catalog:
                           value: SA-15(07)(d)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis {{ insert: param, sa-15.07_odp.01 }} to {{ insert: param, sa-15.07_odp.03 }}.'
+                      links:
+                        - href: '#sa-15.7_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.7_smt'
+                      rel: assessment-for
                 - id: sa-15.7_asm-examine
                   name: assessment-method
                   props:
@@ -106902,6 +116309,9 @@ catalog:
                           value: SA-15(08)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to use threat modeling from similar systems, components, or services to inform the current development process;
+                      links:
+                        - href: '#sa-15.8_smt'
+                          rel: assessment-for
                     - id: sa-15.8_obj-2
                       name: assessment-objective
                       props:
@@ -106909,6 +116319,12 @@ catalog:
                           value: SA-15(08)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to use vulnerability analyses from similar systems, components, or services to inform the current development process.
+                      links:
+                        - href: '#sa-15.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.8_smt'
+                      rel: assessment-for
                 - id: sa-15.8_asm-examine
                   name: assessment-method
                   props:
@@ -107018,6 +116434,9 @@ catalog:
                           value: SA-15(10)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to provide an incident response plan;
+                      links:
+                        - href: '#sa-15.10_smt'
+                          rel: assessment-for
                     - id: sa-15.10_obj-2
                       name: assessment-objective
                       props:
@@ -107025,6 +116444,9 @@ catalog:
                           value: SA-15(10)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to implement an incident response plan;
+                      links:
+                        - href: '#sa-15.10_smt'
+                          rel: assessment-for
                     - id: sa-15.10_obj-3
                       name: assessment-objective
                       props:
@@ -107032,6 +116454,12 @@ catalog:
                           value: SA-15(10)[03]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to test an incident response plan.
+                      links:
+                        - href: '#sa-15.10_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-15.10_smt'
+                      rel: assessment-for
                 - id: sa-15.10_asm-examine
                   name: assessment-method
                   props:
@@ -107126,6 +116554,9 @@ catalog:
                       value: SA-15(11)
                       class: sp800-53a
                   prose: the developer of the system or system component is required to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privacy review.
+                  links:
+                    - href: '#sa-15.11_smt'
+                      rel: assessment-for
                 - id: sa-15.11_asm-examine
                   name: assessment-method
                   props:
@@ -107216,6 +116647,9 @@ catalog:
                       value: SA-15(12)
                       class: sp800-53a
                   prose: the developer of the system or system component is required to minimize the use of personally identifiable information in development and test environments.
+                  links:
+                    - href: '#sa-15.12_smt'
+                      rel: assessment-for
                 - id: sa-15.12_asm-examine
                   name: assessment-method
                   props:
@@ -107338,6 +116772,9 @@ catalog:
                   value: SA-16
                   class: sp800-53a
               prose: 'the developer of the system, system component, or system service is required to provide {{ insert: param, sa-16_odp }} on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.'
+              links:
+                - href: '#sa-16_smt'
+                  rel: assessment-for
             - id: sa-16_asm-examine
               name: assessment-method
               props:
@@ -107483,6 +116920,9 @@ catalog:
                           value: SA-17(a)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that are consistent with the organization’s security architecture, which is an integral part the organization’s enterprise architecture;
+                      links:
+                        - href: '#sa-17_smt.a'
+                          rel: assessment-for
                     - id: sa-17_obj.a-2
                       name: assessment-objective
                       props:
@@ -107490,6 +116930,12 @@ catalog:
                           value: SA-17(a)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that are consistent with the organization’s privacy architecture, which is an integral part the organization’s enterprise architecture;
+                      links:
+                        - href: '#sa-17_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.a'
+                      rel: assessment-for
                 - id: sa-17_obj.b
                   name: assessment-objective
                   props:
@@ -107504,6 +116950,9 @@ catalog:
                           value: SA-17(b)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that accurately and completely describe the required security functionality and the allocation of controls among physical and logical components;
+                      links:
+                        - href: '#sa-17_smt.b'
+                          rel: assessment-for
                     - id: sa-17_obj.b-2
                       name: assessment-objective
                       props:
@@ -107511,6 +116960,12 @@ catalog:
                           value: SA-17(b)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that accurately and completely describe the required privacy functionality and the allocation of controls among physical and logical components;
+                      links:
+                        - href: '#sa-17_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.b'
+                      rel: assessment-for
                 - id: sa-17_obj.c
                   name: assessment-objective
                   props:
@@ -107525,6 +116980,9 @@ catalog:
                           value: SA-17(c)[01]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and security architecture that express how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection;
+                      links:
+                        - href: '#sa-17_smt.c'
+                          rel: assessment-for
                     - id: sa-17_obj.c-2
                       name: assessment-objective
                       props:
@@ -107532,6 +116990,15 @@ catalog:
                           value: SA-17(c)[02]
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to produce a design specification and privacy architecture that express how individual privacy functions, mechanisms, and services work together to provide required privacy capabilities and a unified approach to protection.
+                      links:
+                        - href: '#sa-17_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sa-17_smt'
+                  rel: assessment-for
             - id: sa-17_asm-examine
               name: assessment-method
               props:
@@ -107682,6 +117149,9 @@ catalog:
                               value: SA-17(01)(a)[01]
                               class: sp800-53a
                           prose: 'as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.01 }} to be enforced;'
+                          links:
+                            - href: '#sa-17.1_smt.a'
+                              rel: assessment-for
                         - id: sa-17.1_obj.a-2
                           name: assessment-objective
                           props:
@@ -107689,6 +117159,12 @@ catalog:
                               value: SA-17(01)(a)[02]
                               class: sp800-53a
                           prose: 'as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the {{ insert: param, sa-17.01_odp.02 }} to be enforced;'
+                          links:
+                            - href: '#sa-17.1_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-17.1_smt.a'
+                          rel: assessment-for
                     - id: sa-17.1_obj.b
                       name: assessment-objective
                       props:
@@ -107703,6 +117179,9 @@ catalog:
                               value: SA-17(01)(b)[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational security policy when implemented;
+                          links:
+                            - href: '#sa-17.1_smt.b'
+                              rel: assessment-for
                         - id: sa-17.1_obj.b-2
                           name: assessment-objective
                           props:
@@ -107710,6 +117189,15 @@ catalog:
                               value: SA-17(01)(b)[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to prove that the formal policy model is internally consistent and sufficient to enforce the defined elements of the organizational privacy policy when implemented.
+                          links:
+                            - href: '#sa-17.1_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-17.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17.1_smt'
+                      rel: assessment-for
                 - id: sa-17.1_asm-examine
                   name: assessment-method
                   props:
@@ -107831,6 +117319,9 @@ catalog:
                               value: SA-17(02)(a)[01]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to define security-relevant hardware;
+                          links:
+                            - href: '#sa-17.2_smt.a'
+                              rel: assessment-for
                         - id: sa-17.2_obj.a-2
                           name: assessment-objective
                           props:
@@ -107838,6 +117329,9 @@ catalog:
                               value: SA-17(02)(a)[02]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to define security-relevant software;
+                          links:
+                            - href: '#sa-17.2_smt.a'
+                              rel: assessment-for
                         - id: sa-17.2_obj.a-3
                           name: assessment-objective
                           props:
@@ -107845,6 +117339,12 @@ catalog:
                               value: SA-17(02)(a)[03]
                               class: sp800-53a
                           prose: the developer of the system, system component, or system service is required to define security-relevant firmware;
+                          links:
+                            - href: '#sa-17.2_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-17.2_smt.a'
+                          rel: assessment-for
                     - id: sa-17.2_obj.b
                       name: assessment-objective
                       props:
@@ -107852,6 +117352,12 @@ catalog:
                           value: SA-17(02)(b)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to provide a rationale that the definition for security-relevant hardware, software, and firmware is complete.
+                      links:
+                        - href: '#sa-17.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17.2_smt'
+                      rel: assessment-for
                 - id: sa-17.2_asm-examine
                   name: assessment-method
                   props:
@@ -107993,6 +117499,9 @@ catalog:
                               value: SA-17(03)(a)[01]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
+                          links:
+                            - href: '#sa-17.3_smt.a'
+                              rel: assessment-for
                         - id: sa-17.3_obj.a-2
                           name: assessment-objective
                           props:
@@ -108000,6 +117509,9 @@ catalog:
                               value: SA-17(03)(a)[02]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
+                          links:
+                            - href: '#sa-17.3_smt.a'
+                              rel: assessment-for
                         - id: sa-17.3_obj.a-3
                           name: assessment-objective
                           props:
@@ -108007,6 +117519,12 @@ catalog:
                               value: SA-17(03)(a)[03]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
+                          links:
+                            - href: '#sa-17.3_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-17.3_smt.a'
+                          rel: assessment-for
                     - id: sa-17.3_obj.b
                       name: assessment-objective
                       props:
@@ -108014,6 +117532,9 @@ catalog:
                           value: SA-17(03)(b)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to show proof that the formal top-level specification is consistent with the formal policy model to the extent feasible with additional informal demonstration as necessary;
+                      links:
+                        - href: '#sa-17.3_smt.b'
+                          rel: assessment-for
                     - id: sa-17.3_obj.c
                       name: assessment-objective
                       props:
@@ -108021,6 +117542,9 @@ catalog:
                           value: SA-17(03)(c)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to show via informal demonstration that the formal top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
+                      links:
+                        - href: '#sa-17.3_smt.c'
+                          rel: assessment-for
                     - id: sa-17.3_obj.d
                       name: assessment-objective
                       props:
@@ -108028,6 +117552,9 @@ catalog:
                           value: SA-17(03)(d)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to show that the formal top-level specification is an accurate description of the implemented security-relevant hardware, software, and firmware;
+                      links:
+                        - href: '#sa-17.3_smt.d'
+                          rel: assessment-for
                     - id: sa-17.3_obj.e
                       name: assessment-objective
                       props:
@@ -108035,6 +117562,12 @@ catalog:
                           value: SA-17(03)(e)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the formal top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.
+                      links:
+                        - href: '#sa-17.3_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17.3_smt'
+                      rel: assessment-for
                 - id: sa-17.3_asm-examine
                   name: assessment-method
                   props:
@@ -108195,6 +117728,9 @@ catalog:
                               value: SA-17(04)(a)[01]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of exceptions;
+                          links:
+                            - href: '#sa-17.4_smt.a'
+                              rel: assessment-for
                         - id: sa-17.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -108202,6 +117738,9 @@ catalog:
                               value: SA-17(04)(a)[02]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of error messages;
+                          links:
+                            - href: '#sa-17.4_smt.a'
+                              rel: assessment-for
                         - id: sa-17.4_obj.a-3
                           name: assessment-objective
                           props:
@@ -108209,6 +117748,12 @@ catalog:
                               value: SA-17(04)(a)[03]
                               class: sp800-53a
                           prose: as an integral part of the development process, the developer of the system, system component, or system service is required to produce an informal, descriptive top-level specification that specifies the interfaces to security-relevant hardware, software, and firmware in terms of effects;
+                          links:
+                            - href: '#sa-17.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sa-17.4_smt.a'
+                          rel: assessment-for
                     - id: sa-17.4_obj.b
                       name: assessment-objective
                       props:
@@ -108216,6 +117761,9 @@ catalog:
                           value: SA-17(04)(b)
                           class: sp800-53a
                       prose: 'the developer of the system, system component, or system service is required to show via {{ insert: param, sa-17.04_odp }} that the descriptive top-level specification is consistent with the formal policy model;'
+                      links:
+                        - href: '#sa-17.4_smt.b'
+                          rel: assessment-for
                     - id: sa-17.4_obj.c
                       name: assessment-objective
                       props:
@@ -108223,6 +117771,9 @@ catalog:
                           value: SA-17(04)(c)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to show via informal demonstration that the descriptive top-level specification completely covers the interfaces to security-relevant hardware, software, and firmware;
+                      links:
+                        - href: '#sa-17.4_smt.c'
+                          rel: assessment-for
                     - id: sa-17.4_obj.d
                       name: assessment-objective
                       props:
@@ -108230,6 +117781,9 @@ catalog:
                           value: SA-17(04)(d)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to show that the descriptive top-level specification is an accurate description of the interfaces to security-relevant hardware, software, and firmware;
+                      links:
+                        - href: '#sa-17.4_smt.d'
+                          rel: assessment-for
                     - id: sa-17.4_obj.e
                       name: assessment-objective
                       props:
@@ -108237,6 +117791,12 @@ catalog:
                           value: SA-17(04)(e)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to describe the security-relevant hardware, software, and firmware mechanisms that are not addressed in the descriptive top-level specification but are strictly internal to the security-relevant hardware, software, and firmware.
+                      links:
+                        - href: '#sa-17.4_smt.e'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17.4_smt'
+                      rel: assessment-for
                 - id: sa-17.4_asm-examine
                   name: assessment-method
                   props:
@@ -108357,6 +117917,9 @@ catalog:
                           value: SA-17(05)(a)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics;
+                      links:
+                        - href: '#sa-17.5_smt.a'
+                          rel: assessment-for
                     - id: sa-17.5_obj.b
                       name: assessment-objective
                       props:
@@ -108364,6 +117927,12 @@ catalog:
                           value: SA-17(05)(b)
                           class: sp800-53a
                       prose: the developer of the system, system component, or system service is required to internally structure the security-relevant hardware, software, and firmware with specific regard for this mechanism.
+                      links:
+                        - href: '#sa-17.5_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sa-17.5_smt'
+                      rel: assessment-for
                 - id: sa-17.5_asm-examine
                   name: assessment-method
                   props:
@@ -108458,6 +118027,9 @@ catalog:
                       value: SA-17(06)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate testing.
+                  links:
+                    - href: '#sa-17.6_smt'
+                      rel: assessment-for
                 - id: sa-17.6_asm-examine
                   name: assessment-method
                   props:
@@ -108561,6 +118133,9 @@ catalog:
                       value: SA-17(07)
                       class: sp800-53a
                   prose: the developer of the system, system component, or system service is required to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
+                  links:
+                    - href: '#sa-17.7_smt'
+                      rel: assessment-for
                 - id: sa-17.7_asm-examine
                   name: assessment-method
                   props:
@@ -108678,6 +118253,9 @@ catalog:
                       value: SA-17(08)
                       class: sp800-53a
                   prose: '{{ insert: param, sa-17.08_odp.01 }} are designed with coordinated behavior to implement {{ insert: param, sa-17.08_odp.02 }}.'
+                  links:
+                    - href: '#sa-17.8_smt'
+                      rel: assessment-for
                 - id: sa-17.8_asm-examine
                   name: assessment-method
                   props:
@@ -108786,6 +118364,9 @@ catalog:
                       value: SA-17(09)
                       class: sp800-53a
                   prose: 'different designs are used for {{ insert: param, sa-17.09_odp }} to satisfy a common set of requirements or to provide equivalent functionality.'
+                  links:
+                    - href: '#sa-17.9_smt'
+                      rel: assessment-for
                 - id: sa-17.9_asm-examine
                   name: assessment-method
                   props:
@@ -109023,6 +118604,9 @@ catalog:
                   value: SA-20
                   class: sp800-53a
               prose: '{{ insert: param, sa-20_odp }} are reimplemented or custom-developed.'
+              links:
+                - href: '#sa-20_smt'
+                  rel: assessment-for
             - id: sa-20_asm-examine
               name: assessment-method
               props:
@@ -109184,6 +118768,9 @@ catalog:
                       value: SA-21a.
                       class: sp800-53a
                   prose: 'the developer of {{ insert: param, sa-21_odp.01 }} is required to have appropriate access authorizations as determined by assigned {{ insert: param, sa-21_odp.02 }};'
+                  links:
+                    - href: '#sa-21_smt.a'
+                      rel: assessment-for
                 - id: sa-21_obj.b
                   name: assessment-objective
                   props:
@@ -109191,6 +118778,12 @@ catalog:
                       value: SA-21b.
                       class: sp800-53a
                   prose: 'the developer of {{ insert: param, sa-21_odp.01 }} is required to satisfy {{ insert: param, sa-21_odp.03 }}.'
+                  links:
+                    - href: '#sa-21_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-21_smt'
+                  rel: assessment-for
             - id: sa-21_asm-examine
               name: assessment-method
               props:
@@ -109358,6 +118951,9 @@ catalog:
                       value: SA-22a.
                       class: sp800-53a
                   prose: system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;
+                  links:
+                    - href: '#sa-22_smt.a'
+                      rel: assessment-for
                 - id: sa-22_obj.b
                   name: assessment-objective
                   props:
@@ -109365,6 +118961,12 @@ catalog:
                       value: SA-22b.
                       class: sp800-53a
                   prose: '{{ insert: param, sa-22_odp.01 }} provide options for alternative sources for continued support for unsupported components.'
+                  links:
+                    - href: '#sa-22_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sa-22_smt'
+                  rel: assessment-for
             - id: sa-22_asm-examine
               name: assessment-method
               props:
@@ -109505,6 +119107,9 @@ catalog:
                   value: SA-23
                   class: sp800-53a
               prose: '{{ insert: param, sa-23_odp.01 }} is employed on {{ insert: param, sa-23_odp.02 }} supporting essential services or functions to increase the trustworthiness in those systems or components.'
+              links:
+                - href: '#sa-23_smt'
+                  rel: assessment-for
             - id: sa-23_asm-examine
               name: assessment-method
               props:
@@ -109772,6 +119377,9 @@ catalog:
                           value: SC-01a.[01]
                           class: sp800-53a
                       prose: a system and communications protection policy is developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -109779,6 +119387,9 @@ catalog:
                           value: SC-01a.[02]
                           class: sp800-53a
                       prose: 'the system and communications protection policy is disseminated to {{ insert: param, sc-01_odp.01 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -109786,6 +119397,9 @@ catalog:
                           value: SC-01a.[03]
                           class: sp800-53a
                       prose: system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -109793,6 +119407,9 @@ catalog:
                           value: SC-01a.[04]
                           class: sp800-53a
                       prose: 'the system and communications protection procedures are disseminated to {{ insert: param, sc-01_odp.02 }};'
+                      links:
+                        - href: '#sc-1_smt.a'
+                          rel: assessment-for
                     - id: sc-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -109814,6 +119431,9 @@ catalog:
                                   value: SC-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses purpose;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -109821,6 +119441,9 @@ catalog:
                                   value: SC-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses scope;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -109828,6 +119451,9 @@ catalog:
                                   value: SC-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses roles;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -109835,6 +119461,9 @@ catalog:
                                   value: SC-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses responsibilities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -109842,6 +119471,9 @@ catalog:
                                   value: SC-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses management commitment;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -109849,6 +119481,9 @@ catalog:
                                   value: SC-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sc-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -109856,6 +119491,12 @@ catalog:
                                   value: SC-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy addresses compliance;'
+                              links:
+                                - href: '#sc-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sc-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sc-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -109863,6 +119504,15 @@ catalog:
                               value: SC-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sc-01_odp.03 }} system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sc-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.a'
+                      rel: assessment-for
                 - id: sc-1_obj.b
                   name: assessment-objective
                   props:
@@ -109870,6 +119520,9 @@ catalog:
                       value: SC-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;'
+                  links:
+                    - href: '#sc-1_smt.b'
+                      rel: assessment-for
                 - id: sc-1_obj.c
                   name: assessment-objective
                   props:
@@ -109891,6 +119544,9 @@ catalog:
                               value: SC-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated {{ insert: param, sc-01_odp.05 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
                         - id: sc-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -109898,6 +119554,12 @@ catalog:
                               value: SC-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection policy is reviewed and updated following {{ insert: param, sc-01_odp.06 }};'
+                          links:
+                            - href: '#sc-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.1'
+                          rel: assessment-for
                     - id: sc-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -109912,6 +119574,9 @@ catalog:
                               value: SC-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated {{ insert: param, sc-01_odp.07 }};'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
                         - id: sc-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -109919,6 +119584,18 @@ catalog:
                               value: SC-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and communications protection procedures are reviewed and updated following {{ insert: param, sc-01_odp.08 }}.'
+                          links:
+                            - href: '#sc-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-1_smt'
+                  rel: assessment-for
             - id: sc-1_asm-examine
               name: assessment-method
               props:
@@ -110007,6 +119684,9 @@ catalog:
                   value: SC-02
                   class: sp800-53a
               prose: user functionality, including user interface services, is separated from system management functionality.
+              links:
+                - href: '#sc-2_smt'
+                  rel: assessment-for
             - id: sc-2_asm-examine
               name: assessment-method
               props:
@@ -110098,6 +119778,9 @@ catalog:
                       value: SC-02(01)
                       class: sp800-53a
                   prose: the presentation of system management functionality is prevented at interfaces to non-privileged users.
+                  links:
+                    - href: '#sc-2.1_smt'
+                      rel: assessment-for
                 - id: sc-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -110188,6 +119871,9 @@ catalog:
                       value: SC-02(02)
                       class: sp800-53a
                   prose: state information is stored separately from applications and software.
+                  links:
+                    - href: '#sc-2.2_smt'
+                      rel: assessment-for
                 - id: sc-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -110306,6 +119992,9 @@ catalog:
                   value: SC-03
                   class: sp800-53a
               prose: security functions are isolated from non-security functions.
+              links:
+                - href: '#sc-3_smt'
+                  rel: assessment-for
             - id: sc-3_asm-examine
               name: assessment-method
               props:
@@ -110397,6 +120086,9 @@ catalog:
                       value: SC-03(01)
                       class: sp800-53a
                   prose: hardware separation mechanisms are employed to implement security function isolation.
+                  links:
+                    - href: '#sc-3.1_smt'
+                      rel: assessment-for
                 - id: sc-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -110494,6 +120186,9 @@ catalog:
                           value: SC-03(02)[01]
                           class: sp800-53a
                       prose: security functions enforcing access control are isolated from non-security functions;
+                      links:
+                        - href: '#sc-3.2_smt'
+                          rel: assessment-for
                     - id: sc-3.2_obj-2
                       name: assessment-objective
                       props:
@@ -110501,6 +120196,9 @@ catalog:
                           value: SC-03(02)[02]
                           class: sp800-53a
                       prose: security functions enforcing access control are isolated from other security functions;
+                      links:
+                        - href: '#sc-3.2_smt'
+                          rel: assessment-for
                     - id: sc-3.2_obj-3
                       name: assessment-objective
                       props:
@@ -110508,6 +120206,9 @@ catalog:
                           value: SC-03(02)[03]
                           class: sp800-53a
                       prose: security functions enforcing information flow control are isolated from non-security functions;
+                      links:
+                        - href: '#sc-3.2_smt'
+                          rel: assessment-for
                     - id: sc-3.2_obj-4
                       name: assessment-objective
                       props:
@@ -110515,6 +120216,12 @@ catalog:
                           value: SC-03(02)[04]
                           class: sp800-53a
                       prose: security functions enforcing information flow control are isolated from other security functions.
+                      links:
+                        - href: '#sc-3.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-3.2_smt'
+                      rel: assessment-for
                 - id: sc-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -110606,6 +120313,9 @@ catalog:
                       value: SC-03(03)
                       class: sp800-53a
                   prose: the number of non-security functions included within the isolation boundary containing security functions is minimized.
+                  links:
+                    - href: '#sc-3.3_smt'
+                      rel: assessment-for
                 - id: sc-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -110702,6 +120412,9 @@ catalog:
                           value: SC-03(04)[01]
                           class: sp800-53a
                       prose: security functions are implemented as largely independent modules that maximize internal cohesiveness within modules;
+                      links:
+                        - href: '#sc-3.4_smt'
+                          rel: assessment-for
                     - id: sc-3.4_obj-2
                       name: assessment-objective
                       props:
@@ -110709,6 +120422,12 @@ catalog:
                           value: SC-03(04)[02]
                           class: sp800-53a
                       prose: security functions are implemented as largely independent modules that minimize coupling between modules.
+                      links:
+                        - href: '#sc-3.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-3.4_smt'
+                      rel: assessment-for
                 - id: sc-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -110801,6 +120520,9 @@ catalog:
                       value: SC-03(05)
                       class: sp800-53a
                   prose: security functions are implemented as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
+                  links:
+                    - href: '#sc-3.5_smt'
+                      rel: assessment-for
                 - id: sc-3.5_asm-examine
                   name: assessment-method
                   props:
@@ -110898,6 +120620,9 @@ catalog:
                       value: SC-04[01]
                       class: sp800-53a
                   prose: unauthorized information transfer via shared system resources is prevented;
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
                 - id: sc-4_obj-2
                   name: assessment-objective
                   props:
@@ -110905,6 +120630,12 @@ catalog:
                       value: SC-04[02]
                       class: sp800-53a
                   prose: unintended information transfer via shared system resources is prevented.
+                  links:
+                    - href: '#sc-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-4_smt'
+                  rel: assessment-for
             - id: sc-4_asm-examine
               name: assessment-method
               props:
@@ -111018,6 +120749,9 @@ catalog:
                       value: SC-04(02)
                       class: sp800-53a
                   prose: 'unauthorized information transfer via shared resources is prevented in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classification levels or security categories.'
+                  links:
+                    - href: '#sc-4.2_smt'
+                      rel: assessment-for
                 - id: sc-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -111164,6 +120898,9 @@ catalog:
                       value: SC-05a.
                       class: sp800-53a
                   prose: 'the effects of {{ insert: param, sc-05_odp.01 }} are {{ insert: param, sc-05_odp.02 }};'
+                  links:
+                    - href: '#sc-5_smt.a'
+                      rel: assessment-for
                 - id: sc-5_obj.b
                   name: assessment-objective
                   props:
@@ -111171,6 +120908,12 @@ catalog:
                       value: SC-05b.
                       class: sp800-53a
                   prose: '{{ insert: param, sc-05_odp.03 }} are employed to achieve the denial-of-service protection objective.'
+                  links:
+                    - href: '#sc-5_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-5_smt'
+                  rel: assessment-for
             - id: sc-5_asm-examine
               name: assessment-method
               props:
@@ -111274,6 +121017,9 @@ catalog:
                       value: SC-05(01)
                       class: sp800-53a
                   prose: 'the ability of individuals to launch {{ insert: param, sc-05.01_odp }} against other systems is restricted.'
+                  links:
+                    - href: '#sc-5.1_smt'
+                      rel: assessment-for
                 - id: sc-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -111363,6 +121109,9 @@ catalog:
                       value: SC-05(02)
                       class: sp800-53a
                   prose: capacity, bandwidth, or other redundancies to limit the effects of information flooding denial-of-service attacks are managed.
+                  links:
+                    - href: '#sc-5.2_smt'
+                      rel: assessment-for
                 - id: sc-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -111494,6 +121243,9 @@ catalog:
                           value: SC-05(03)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, sc-05.03_odp.01 }} are employed to detect indicators of denial-of-service attacks against or launched from the system;'
+                      links:
+                        - href: '#sc-5.3_smt.a'
+                          rel: assessment-for
                     - id: sc-5.3_obj.b
                       name: assessment-objective
                       props:
@@ -111501,6 +121253,12 @@ catalog:
                           value: SC-05(03)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, sc-05.03_odp.02 }} are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.'
+                      links:
+                        - href: '#sc-5.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-5.3_smt'
+                      rel: assessment-for
                 - id: sc-5.3_asm-examine
                   name: assessment-method
                   props:
@@ -111629,6 +121387,9 @@ catalog:
                   value: SC-06
                   class: sp800-53a
               prose: 'the availability of resources is protected by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}.'
+              links:
+                - href: '#sc-6_smt'
+                  rel: assessment-for
             - id: sc-6_asm-examine
               name: assessment-method
               props:
@@ -111821,6 +121582,9 @@ catalog:
                           value: SC-07a.[01]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -111828,6 +121592,9 @@ catalog:
                           value: SC-07a.[02]
                           class: sp800-53a
                       prose: communications at external managed interfaces to the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -111835,6 +121602,9 @@ catalog:
                           value: SC-07a.[03]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are monitored;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
                     - id: sc-7_obj.a-4
                       name: assessment-objective
                       props:
@@ -111842,6 +121612,12 @@ catalog:
                           value: SC-07a.[04]
                           class: sp800-53a
                       prose: communications at key internal managed interfaces within the system are controlled;
+                      links:
+                        - href: '#sc-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7_smt.a'
+                      rel: assessment-for
                 - id: sc-7_obj.b
                   name: assessment-objective
                   props:
@@ -111849,6 +121625,9 @@ catalog:
                       value: SC-07b.
                       class: sp800-53a
                   prose: 'subnetworks for publicly accessible system components are {{ insert: param, sc-07_odp }} separated from internal organizational networks;'
+                  links:
+                    - href: '#sc-7_smt.b'
+                      rel: assessment-for
                 - id: sc-7_obj.c
                   name: assessment-objective
                   props:
@@ -111856,6 +121635,12 @@ catalog:
                       value: SC-07c.
                       class: sp800-53a
                   prose: external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
+                  links:
+                    - href: '#sc-7_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sc-7_smt'
+                  rel: assessment-for
             - id: sc-7_asm-examine
               name: assessment-method
               props:
@@ -111982,6 +121767,9 @@ catalog:
                       value: SC-07(03)
                       class: sp800-53a
                   prose: the number of external network connections to the system is limited.
+                  links:
+                    - href: '#sc-7.3_smt'
+                      rel: assessment-for
                 - id: sc-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -112152,6 +121940,9 @@ catalog:
                           value: SC-07(04)(a)
                           class: sp800-53a
                       prose: a managed interface is implemented for each external telecommunication service;
+                      links:
+                        - href: '#sc-7.4_smt.a'
+                          rel: assessment-for
                     - id: sc-7.4_obj.b
                       name: assessment-objective
                       props:
@@ -112159,6 +121950,9 @@ catalog:
                           value: SC-07(04)(b)
                           class: sp800-53a
                       prose: a traffic flow policy is established for each managed interface;
+                      links:
+                        - href: '#sc-7.4_smt.b'
+                          rel: assessment-for
                     - id: sc-7.4_obj.c
                       name: assessment-objective
                       props:
@@ -112173,6 +121967,9 @@ catalog:
                               value: SC-07(04)(c)[01]
                               class: sp800-53a
                           prose: the confidentiality of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
                         - id: sc-7.4_obj.c-2
                           name: assessment-objective
                           props:
@@ -112180,6 +121977,12 @@ catalog:
                               value: SC-07(04)(c)[02]
                               class: sp800-53a
                           prose: the integrity of the information being transmitted across each interface is protected;
+                          links:
+                            - href: '#sc-7.4_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.c'
+                          rel: assessment-for
                     - id: sc-7.4_obj.d
                       name: assessment-objective
                       props:
@@ -112187,6 +121990,9 @@ catalog:
                           value: SC-07(04)(d)
                           class: sp800-53a
                       prose: each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
+                      links:
+                        - href: '#sc-7.4_smt.d'
+                          rel: assessment-for
                     - id: sc-7.4_obj.e
                       name: assessment-objective
                       props:
@@ -112201,6 +122007,9 @@ catalog:
                               value: SC-07(04)(e)[01]
                               class: sp800-53a
                           prose: 'exceptions to the traffic flow policy are reviewed {{ insert: param, sc-07.04_odp }};'
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
                         - id: sc-7.4_obj.e-2
                           name: assessment-objective
                           props:
@@ -112208,6 +122017,12 @@ catalog:
                               value: SC-07(04)(e)[02]
                               class: sp800-53a
                           prose: exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
+                          links:
+                            - href: '#sc-7.4_smt.e'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.4_smt.e'
+                          rel: assessment-for
                     - id: sc-7.4_obj.f
                       name: assessment-objective
                       props:
@@ -112215,6 +122030,9 @@ catalog:
                           value: SC-07(04)(f)
                           class: sp800-53a
                       prose: unauthorized exchanges of control plan traffic with external networks are prevented;
+                      links:
+                        - href: '#sc-7.4_smt.f'
+                          rel: assessment-for
                     - id: sc-7.4_obj.g
                       name: assessment-objective
                       props:
@@ -112222,6 +122040,9 @@ catalog:
                           value: SC-07(04)(g)
                           class: sp800-53a
                       prose: information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
+                      links:
+                        - href: '#sc-7.4_smt.g'
+                          rel: assessment-for
                     - id: sc-7.4_obj.h
                       name: assessment-objective
                       props:
@@ -112229,6 +122050,12 @@ catalog:
                           value: SC-07(04)(h)
                           class: sp800-53a
                       prose: unauthorized control plane traffic is filtered from external networks.
+                      links:
+                        - href: '#sc-7.4_smt.h'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.4_smt'
+                      rel: assessment-for
                 - id: sc-7.4_asm-examine
                   name: assessment-method
                   props:
@@ -112363,6 +122190,9 @@ catalog:
                           value: SC-07(05)[01]
                           class: sp800-53a
                       prose: 'network communications traffic is denied by default {{ insert: param, sc-07.05_odp.01 }};'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
                     - id: sc-7.5_obj-2
                       name: assessment-objective
                       props:
@@ -112370,6 +122200,12 @@ catalog:
                           value: SC-07(05)[02]
                           class: sp800-53a
                       prose: 'network communications traffic is allowed by exception {{ insert: param, sc-07.05_odp.01 }}.'
+                      links:
+                        - href: '#sc-7.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.5_smt'
+                      rel: assessment-for
                 - id: sc-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -112484,6 +122320,9 @@ catalog:
                       value: SC-07(07)
                       class: sp800-53a
                   prose: 'split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.'
+                  links:
+                    - href: '#sc-7.7_smt'
+                      rel: assessment-for
                 - id: sc-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -112601,6 +122440,9 @@ catalog:
                       value: SC-07(08)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-07.08_odp.01 }} is routed to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.'
+                  links:
+                    - href: '#sc-7.8_smt'
+                      rel: assessment-for
                 - id: sc-7.8_asm-examine
                   name: assessment-method
                   props:
@@ -112732,6 +122574,9 @@ catalog:
                               value: SC-07(09)(a)[01]
                               class: sp800-53a
                           prose: outgoing communications traffic posing a threat to external systems is detected;
+                          links:
+                            - href: '#sc-7.9_smt.a'
+                              rel: assessment-for
                         - id: sc-7.9_obj.a-2
                           name: assessment-objective
                           props:
@@ -112739,6 +122584,12 @@ catalog:
                               value: SC-07(09)(a)[02]
                               class: sp800-53a
                           prose: outgoing communications traffic posing a threat to external systems is denied;
+                          links:
+                            - href: '#sc-7.9_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.9_smt.a'
+                          rel: assessment-for
                     - id: sc-7.9_obj.b
                       name: assessment-objective
                       props:
@@ -112746,6 +122597,12 @@ catalog:
                           value: SC-07(09)(b)
                           class: sp800-53a
                       prose: the identity of internal users associated with denied communications is audited.
+                      links:
+                        - href: '#sc-7.9_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.9_smt'
+                      rel: assessment-for
                 - id: sc-7.9_asm-examine
                   name: assessment-method
                   props:
@@ -112878,6 +122735,9 @@ catalog:
                           value: SC-07(10)(a)
                           class: sp800-53a
                       prose: the exfiltration of information is prevented;
+                      links:
+                        - href: '#sc-7.10_smt.a'
+                          rel: assessment-for
                     - id: sc-7.10_obj.b
                       name: assessment-objective
                       props:
@@ -112885,6 +122745,12 @@ catalog:
                           value: SC-07(10)(b)
                           class: sp800-53a
                       prose: 'exfiltration tests are conducted {{ insert: param, sc-07.10_odp }}.'
+                      links:
+                        - href: '#sc-7.10_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.10_smt'
+                      rel: assessment-for
                 - id: sc-7.10_asm-examine
                   name: assessment-method
                   props:
@@ -112993,6 +122859,9 @@ catalog:
                       value: SC-07(11)
                       class: sp800-53a
                   prose: 'only incoming communications from {{ insert: param, sc-07.11_odp.01 }} are allowed to be routed to {{ insert: param, sc-07.11_odp.02 }}.'
+                  links:
+                    - href: '#sc-7.11_smt'
+                      rel: assessment-for
                 - id: sc-7.11_asm-examine
                   name: assessment-method
                   props:
@@ -113101,6 +122970,9 @@ catalog:
                       value: SC-07(12)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-07.12_odp.01 }} are implemented at {{ insert: param, sc-07.12_odp.02 }}.'
+                  links:
+                    - href: '#sc-7.12_smt'
+                      rel: assessment-for
                 - id: sc-7.12_asm-examine
                   name: assessment-method
                   props:
@@ -113205,6 +123077,9 @@ catalog:
                       value: SC-07(13)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-07.13_odp }} are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.'
+                  links:
+                    - href: '#sc-7.13_smt'
+                      rel: assessment-for
                 - id: sc-7.13_asm-examine
                   name: assessment-method
                   props:
@@ -113311,6 +123186,9 @@ catalog:
                       value: SC-07(14)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-07.14_odp }} are protected against unauthorized physical connections.'
+                  links:
+                    - href: '#sc-7.14_smt'
+                      rel: assessment-for
                 - id: sc-7.14_asm-examine
                   name: assessment-method
                   props:
@@ -113413,6 +123291,9 @@ catalog:
                           value: SC-07(15)[01]
                           class: sp800-53a
                       prose: networked, privileged accesses are routed through a dedicated, managed interface for purposes of access control;
+                      links:
+                        - href: '#sc-7.15_smt'
+                          rel: assessment-for
                     - id: sc-7.15_obj-2
                       name: assessment-objective
                       props:
@@ -113420,6 +123301,12 @@ catalog:
                           value: SC-07(15)[02]
                           class: sp800-53a
                       prose: networked, privileged accesses are routed through a dedicated, managed interface for purposes of auditing.
+                      links:
+                        - href: '#sc-7.15_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.15_smt'
+                      rel: assessment-for
                 - id: sc-7.15_asm-examine
                   name: assessment-method
                   props:
@@ -113511,6 +123398,9 @@ catalog:
                       value: SC-07(16)
                       class: sp800-53a
                   prose: the discovery of specific system components that represent a managed interface is prevented.
+                  links:
+                    - href: '#sc-7.16_smt'
+                      rel: assessment-for
                 - id: sc-7.16_asm-examine
                   name: assessment-method
                   props:
@@ -113604,6 +123494,9 @@ catalog:
                       value: SC-07(17)
                       class: sp800-53a
                   prose: adherence to protocol formats is enforced.
+                  links:
+                    - href: '#sc-7.17_smt'
+                      rel: assessment-for
                 - id: sc-7.17_asm-examine
                   name: assessment-method
                   props:
@@ -113702,6 +123595,9 @@ catalog:
                       value: SC-07(18)
                       class: sp800-53a
                   prose: systems are prevented from entering unsecure states in the event of an operational failure of a boundary protection device.
+                  links:
+                    - href: '#sc-7.18_smt'
+                      rel: assessment-for
                 - id: sc-7.18_asm-examine
                   name: assessment-method
                   props:
@@ -113809,6 +123705,9 @@ catalog:
                           value: SC-07(19)[01]
                           class: sp800-53a
                       prose: 'inbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers;'
+                      links:
+                        - href: '#sc-7.19_smt'
+                          rel: assessment-for
                     - id: sc-7.19_obj-2
                       name: assessment-objective
                       props:
@@ -113816,6 +123715,12 @@ catalog:
                           value: SC-07(19)[02]
                           class: sp800-53a
                       prose: 'outbound communications traffic is blocked between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers.'
+                      links:
+                        - href: '#sc-7.19_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.19_smt'
+                      rel: assessment-for
                 - id: sc-7.19_asm-examine
                   name: assessment-method
                   props:
@@ -113918,6 +123823,9 @@ catalog:
                       value: SC-07(20)
                       class: sp800-53a
                   prose: 'the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components is provided.'
+                  links:
+                    - href: '#sc-7.20_smt'
+                      rel: assessment-for
                 - id: sc-7.20_asm-examine
                   name: assessment-method
                   props:
@@ -114040,6 +123948,9 @@ catalog:
                       value: SC-07(21)
                       class: sp800-53a
                   prose: 'boundary protection mechanisms are employed to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.'
+                  links:
+                    - href: '#sc-7.21_smt'
+                      rel: assessment-for
                 - id: sc-7.21_asm-examine
                   name: assessment-method
                   props:
@@ -114134,6 +124045,9 @@ catalog:
                       value: SC-07(22)
                       class: sp800-53a
                   prose: separate network addresses are implemented to connect to systems in different security domains.
+                  links:
+                    - href: '#sc-7.22_smt'
+                      rel: assessment-for
                 - id: sc-7.22_asm-examine
                   name: assessment-method
                   props:
@@ -114225,6 +124139,9 @@ catalog:
                       value: SC-07(23)
                       class: sp800-53a
                   prose: feedback to senders is disabled on protocol format validation failure.
+                  links:
+                    - href: '#sc-7.23_smt'
+                      rel: assessment-for
                 - id: sc-7.23_asm-examine
                   name: assessment-method
                   props:
@@ -114366,6 +124283,9 @@ catalog:
                           value: SC-07(24)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, sc-07.24_odp }} are applied to data elements of personally identifiable information on systems that process personally identifiable information;'
+                      links:
+                        - href: '#sc-7.24_smt.a'
+                          rel: assessment-for
                     - id: sc-7.24_obj.b
                       name: assessment-objective
                       props:
@@ -114380,6 +124300,9 @@ catalog:
                               value: SC-07(24)(b)[01]
                               class: sp800-53a
                           prose: permitted processing is monitored at the external interfaces to the systems that process personally identifiable information;
+                          links:
+                            - href: '#sc-7.24_smt.b'
+                              rel: assessment-for
                         - id: sc-7.24_obj.b-2
                           name: assessment-objective
                           props:
@@ -114387,6 +124310,12 @@ catalog:
                               value: SC-07(24)(b)[02]
                               class: sp800-53a
                           prose: permitted processing is monitored at key internal boundaries within the systems that process personally identifiable information;
+                          links:
+                            - href: '#sc-7.24_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.24_smt.b'
+                          rel: assessment-for
                     - id: sc-7.24_obj.c
                       name: assessment-objective
                       props:
@@ -114394,6 +124323,9 @@ catalog:
                           value: SC-07(24)(c)
                           class: sp800-53a
                       prose: each processing exception is documented for systems that process personally identifiable information;
+                      links:
+                        - href: '#sc-7.24_smt.c'
+                          rel: assessment-for
                     - id: sc-7.24_obj.d
                       name: assessment-objective
                       props:
@@ -114408,6 +124340,9 @@ catalog:
                               value: SC-07(24)(d)[01]
                               class: sp800-53a
                           prose: exceptions for systems that process personally identifiable information are reviewed;
+                          links:
+                            - href: '#sc-7.24_smt.d'
+                              rel: assessment-for
                         - id: sc-7.24_obj.d-2
                           name: assessment-objective
                           props:
@@ -114415,6 +124350,15 @@ catalog:
                               value: SC-07(24)(d)[02]
                               class: sp800-53a
                           prose: exceptions for systems that process personally identifiable information that are no longer supported are removed.
+                          links:
+                            - href: '#sc-7.24_smt.d'
+                              rel: assessment-for
+                      links:
+                        - href: '#sc-7.24_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-7.24_smt'
+                      rel: assessment-for
                 - id: sc-7.24_asm-examine
                   name: assessment-method
                   props:
@@ -114535,6 +124479,9 @@ catalog:
                       value: SC-07(25)
                       class: sp800-53a
                   prose: 'the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }} is prohibited.'
+                  links:
+                    - href: '#sc-7.25_smt'
+                      rel: assessment-for
                 - id: sc-7.25_asm-examine
                   name: assessment-method
                   props:
@@ -114637,6 +124584,9 @@ catalog:
                       value: SC-07(26)
                       class: sp800-53a
                   prose: 'the direct connection of classified national security system to an external network without the use of a {{ insert: param, sc-07.26_odp }} is prohibited.'
+                  links:
+                    - href: '#sc-7.26_smt'
+                      rel: assessment-for
                 - id: sc-7.26_asm-examine
                   name: assessment-method
                   props:
@@ -114752,6 +124702,9 @@ catalog:
                       value: SC-07(27)
                       class: sp800-53a
                   prose: 'the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of a {{ insert: param, sc-07.27_odp.02 }} is prohibited.'
+                  links:
+                    - href: '#sc-7.27_smt'
+                      rel: assessment-for
                 - id: sc-7.27_asm-examine
                   name: assessment-method
                   props:
@@ -114854,6 +124807,9 @@ catalog:
                       value: SC-07(28)
                       class: sp800-53a
                   prose: 'the direct connection of the {{ insert: param, sc-07.28_odp }} to a public network is prohibited.'
+                  links:
+                    - href: '#sc-7.28_smt'
+                      rel: assessment-for
                 - id: sc-7.28_asm-examine
                   name: assessment-method
                   props:
@@ -114967,6 +124923,9 @@ catalog:
                       value: SC-07(29)
                       class: sp800-53a
                   prose: 'subnetworks are separated {{ insert: param, sc-07.29_odp.01 }} to isolate {{ insert: param, sc-07.29_odp.02 }}.'
+                  links:
+                    - href: '#sc-7.29_smt'
+                      rel: assessment-for
                 - id: sc-7.29_asm-examine
                   name: assessment-method
                   props:
@@ -115120,6 +125079,9 @@ catalog:
                   value: SC-08
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-08_odp }} of transmitted information is/are protected.'
+              links:
+                - href: '#sc-8_smt'
+                  rel: assessment-for
             - id: sc-8_asm-examine
               name: assessment-method
               props:
@@ -115223,6 +125185,9 @@ catalog:
                       value: SC-08(01)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to {{ insert: param, sc-08.01_odp }} during transmission.'
+                  links:
+                    - href: '#sc-8.1_smt'
+                      rel: assessment-for
                 - id: sc-8.1_asm-examine
                   name: assessment-method
                   props:
@@ -115333,6 +125298,9 @@ catalog:
                           value: SC-08(02)[01]
                           class: sp800-53a
                       prose: 'information {{ insert: param, sc-08.02_odp }} is/are maintained during preparation for transmission;'
+                      links:
+                        - href: '#sc-8.2_smt'
+                          rel: assessment-for
                     - id: sc-8.2_obj-2
                       name: assessment-objective
                       props:
@@ -115340,6 +125308,12 @@ catalog:
                           value: SC-08(02)[02]
                           class: sp800-53a
                       prose: 'information {{ insert: param, sc-08.02_odp }} is/are maintained during reception.'
+                      links:
+                        - href: '#sc-8.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-8.2_smt'
+                      rel: assessment-for
                 - id: sc-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -115440,6 +125414,9 @@ catalog:
                       value: SC-08(03)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}.'
+                  links:
+                    - href: '#sc-8.3_smt'
+                      rel: assessment-for
                 - id: sc-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -115545,6 +125522,9 @@ catalog:
                       value: SC-08(04)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}.'
+                  links:
+                    - href: '#sc-8.4_smt'
+                      rel: assessment-for
                 - id: sc-8.4_asm-examine
                   name: assessment-method
                   props:
@@ -115658,6 +125638,9 @@ catalog:
                       value: SC-08(05)
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-08.05_odp.01 }} is implemented to {{ insert: param, sc-08.05_odp.02 }} during transmission.'
+                  links:
+                    - href: '#sc-8.5_smt'
+                      rel: assessment-for
                 - id: sc-8.5_asm-examine
                   name: assessment-method
                   props:
@@ -115775,6 +125758,9 @@ catalog:
                   value: SC-10
                   class: sp800-53a
               prose: 'the network connection associated with a communication session is terminated at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.'
+              links:
+                - href: '#sc-10_smt'
+                  rel: assessment-for
             - id: sc-10_asm-examine
               name: assessment-method
               props:
@@ -115914,6 +125900,9 @@ catalog:
                       value: SC-11a.
                       class: sp800-53a
                   prose: 'a {{ insert: param, sc-11_odp.01 }} isolated trusted communication path is provided for communications between the user and the trusted components of the system;'
+                  links:
+                    - href: '#sc-11_smt.a'
+                      rel: assessment-for
                 - id: sc-11_obj.b
                   name: assessment-objective
                   props:
@@ -115921,6 +125910,12 @@ catalog:
                       value: SC-11b.
                       class: sp800-53a
                   prose: 'users are permitted to invoke the trusted communication path for communications between the user and the {{ insert: param, sc-11_odp.02 }} of the system, including authentication and re-authentication, at a minimum.'
+                  links:
+                    - href: '#sc-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-11_smt'
+                  rel: assessment-for
             - id: sc-11_asm-examine
               name: assessment-method
               props:
@@ -116044,6 +126039,9 @@ catalog:
                           value: SC-11(01)(a)
                           class: sp800-53a
                       prose: a trusted communication path that is irrefutably distinguishable from other communication paths is provided;
+                      links:
+                        - href: '#sc-11.1_smt.a'
+                          rel: assessment-for
                     - id: sc-11.1_obj.b
                       name: assessment-objective
                       props:
@@ -116051,6 +126049,12 @@ catalog:
                           value: SC-11(01)(b)
                           class: sp800-53a
                       prose: 'the trusted communication path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user is initiated.'
+                      links:
+                        - href: '#sc-11.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-11.1_smt'
+                      rel: assessment-for
                 - id: sc-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -116173,6 +126177,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#sa-4'
               rel: related
             - href: '#sa-8'
@@ -116220,6 +126226,9 @@ catalog:
                       value: SC-12[01]
                       class: sp800-53a
                   prose: 'cryptographic keys are established when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }};'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
                 - id: sc-12_obj-2
                   name: assessment-objective
                   props:
@@ -116227,6 +126236,12 @@ catalog:
                       value: SC-12[02]
                       class: sp800-53a
                   prose: 'cryptographic keys are managed when cryptography is employed within the system in accordance with {{ insert: param, sc-12_odp }}.'
+                  links:
+                    - href: '#sc-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-12_smt'
+                  rel: assessment-for
             - id: sc-12_asm-examine
               name: assessment-method
               props:
@@ -116318,6 +126333,9 @@ catalog:
                       value: SC-12(01)
                       class: sp800-53a
                   prose: information availability is maintained in the event of the loss of cryptographic keys by users.
+                  links:
+                    - href: '#sc-12.1_smt'
+                      rel: assessment-for
                 - id: sc-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -116425,6 +126443,9 @@ catalog:
                           value: SC-12(02)[01]
                           class: sp800-53a
                       prose: 'symmetric cryptographic keys are produced using {{ insert: param, sc-12.02_odp }} key management technology and processes;'
+                      links:
+                        - href: '#sc-12.2_smt'
+                          rel: assessment-for
                     - id: sc-12.2_obj-2
                       name: assessment-objective
                       props:
@@ -116432,6 +126453,9 @@ catalog:
                           value: SC-12(02)[02]
                           class: sp800-53a
                       prose: 'symmetric cryptographic keys are controlled using {{ insert: param, sc-12.02_odp }} key management technology and processes;'
+                      links:
+                        - href: '#sc-12.2_smt'
+                          rel: assessment-for
                     - id: sc-12.2_obj-3
                       name: assessment-objective
                       props:
@@ -116439,6 +126463,12 @@ catalog:
                           value: SC-12(02)[03]
                           class: sp800-53a
                       prose: 'symmetric cryptographic keys are distributed using {{ insert: param, sc-12.02_odp }} key management technology and processes.'
+                      links:
+                        - href: '#sc-12.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-12.2_smt'
+                      rel: assessment-for
                 - id: sc-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -116555,6 +126585,9 @@ catalog:
                           value: SC-12(03)[01]
                           class: sp800-53a
                       prose: 'asymmetric cryptographic keys are produced using {{ insert: param, sc-12.03_odp }};'
+                      links:
+                        - href: '#sc-12.3_smt'
+                          rel: assessment-for
                     - id: sc-12.3_obj-2
                       name: assessment-objective
                       props:
@@ -116562,6 +126595,9 @@ catalog:
                           value: SC-12(03)[02]
                           class: sp800-53a
                       prose: 'asymmetric cryptographic keys are controlled using {{ insert: param, sc-12.03_odp }};'
+                      links:
+                        - href: '#sc-12.3_smt'
+                          rel: assessment-for
                     - id: sc-12.3_obj-3
                       name: assessment-objective
                       props:
@@ -116569,6 +126605,12 @@ catalog:
                           value: SC-12(03)[03]
                           class: sp800-53a
                       prose: 'asymmetric cryptographic keys are distributed using {{ insert: param, sc-12.03_odp }}.'
+                      links:
+                        - href: '#sc-12.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-12.3_smt'
+                      rel: assessment-for
                 - id: sc-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -116697,6 +126739,9 @@ catalog:
                       value: SC-12(06)
                       class: sp800-53a
                   prose: physical control of cryptographic keys is maintained when stored information is encrypted by external service providers.
+                  links:
+                    - href: '#sc-12.6_smt'
+                      rel: assessment-for
                 - id: sc-12.6_asm-examine
                   name: assessment-method
                   props:
@@ -116818,6 +126863,8 @@ catalog:
               rel: related
             - href: '#ia-7'
               rel: related
+            - href: '#ia-13'
+              rel: related
             - href: '#ma-4'
               rel: related
             - href: '#mp-2'
@@ -116881,6 +126928,9 @@ catalog:
                       value: SC-13a.
                       class: sp800-53a
                   prose: '{{ insert: param, sc-13_odp.01 }} are identified;'
+                  links:
+                    - href: '#sc-13_smt.a'
+                      rel: assessment-for
                 - id: sc-13_obj.b
                   name: assessment-objective
                   props:
@@ -116888,6 +126938,12 @@ catalog:
                       value: SC-13b.
                       class: sp800-53a
                   prose: '{{ insert: param, sc-13_odp.02 }} for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.'
+                  links:
+                    - href: '#sc-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-13_smt'
+                  rel: assessment-for
             - id: sc-13_asm-examine
               name: assessment-method
               props:
@@ -117108,6 +127164,9 @@ catalog:
                       value: SC-15a.
                       class: sp800-53a
                   prose: 'remote activation of collaborative computing devices and applications is prohibited except {{ insert: param, sc-15_odp }};'
+                  links:
+                    - href: '#sc-15_smt.a'
+                      rel: assessment-for
                 - id: sc-15_obj.b
                   name: assessment-objective
                   props:
@@ -117115,6 +127174,12 @@ catalog:
                       value: SC-15b.
                       class: sp800-53a
                   prose: an explicit indication of use is provided to users physically present at the devices.
+                  links:
+                    - href: '#sc-15_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-15_smt'
+                  rel: assessment-for
             - id: sc-15_asm-examine
               name: assessment-method
               props:
@@ -117221,6 +127286,9 @@ catalog:
                       value: SC-15(01)
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.'
+                  links:
+                    - href: '#sc-15.1_smt'
+                      rel: assessment-for
                 - id: sc-15.1_asm-examine
                   name: assessment-method
                   props:
@@ -117347,6 +127415,9 @@ catalog:
                       value: SC-15(03)
                       class: sp800-53a
                   prose: 'collaborative computing devices and applications are disabled or removed from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}.'
+                  links:
+                    - href: '#sc-15.3_smt'
+                      rel: assessment-for
                 - id: sc-15.3_asm-examine
                   name: assessment-method
                   props:
@@ -117449,6 +127520,9 @@ catalog:
                       value: SC-15(04)
                       class: sp800-53a
                   prose: 'an explicit indication of current participants in {{ insert: param, sc-15.04_odp }} is provided.'
+                  links:
+                    - href: '#sc-15.4_smt'
+                      rel: assessment-for
                 - id: sc-15.4_asm-examine
                   name: assessment-method
                   props:
@@ -117577,6 +127651,9 @@ catalog:
                       value: SC-16[01]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between systems;'
+                  links:
+                    - href: '#sc-16_smt'
+                      rel: assessment-for
                 - id: sc-16_obj-2
                   name: assessment-objective
                   props:
@@ -117584,6 +127661,9 @@ catalog:
                       value: SC-16[02]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-16_odp.01 }} are associated with information exchanged between system components;'
+                  links:
+                    - href: '#sc-16_smt'
+                      rel: assessment-for
                 - id: sc-16_obj-3
                   name: assessment-objective
                   props:
@@ -117591,6 +127671,9 @@ catalog:
                       value: SC-16[03]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between systems;'
+                  links:
+                    - href: '#sc-16_smt'
+                      rel: assessment-for
                 - id: sc-16_obj-4
                   name: assessment-objective
                   props:
@@ -117598,6 +127681,12 @@ catalog:
                       value: SC-16[04]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-16_odp.02 }} are associated with information exchanged between system components.'
+                  links:
+                    - href: '#sc-16_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-16_smt'
+                  rel: assessment-for
             - id: sc-16_asm-examine
               name: assessment-method
               props:
@@ -117699,6 +127788,9 @@ catalog:
                           value: SC-16(01)[01]
                           class: sp800-53a
                       prose: the integrity of transmitted security attributes is verified;
+                      links:
+                        - href: '#sc-16.1_smt'
+                          rel: assessment-for
                     - id: sc-16.1_obj-2
                       name: assessment-objective
                       props:
@@ -117706,6 +127798,12 @@ catalog:
                           value: SC-16(01)[02]
                           class: sp800-53a
                       prose: the integrity of transmitted privacy attributes is verified.
+                      links:
+                        - href: '#sc-16.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-16.1_smt'
+                      rel: assessment-for
                 - id: sc-16.1_asm-examine
                   name: assessment-method
                   props:
@@ -117799,6 +127897,9 @@ catalog:
                       value: SC-16(02)
                       class: sp800-53a
                   prose: anti-spoofing mechanisms are implemented to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
+                  links:
+                    - href: '#sc-16.2_smt'
+                      rel: assessment-for
                 - id: sc-16.2_asm-examine
                   name: assessment-method
                   props:
@@ -117901,6 +128002,9 @@ catalog:
                       value: SC-16(03)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-16.03_odp }} are implemented to bind security and privacy attributes to transmitted information.'
+                  links:
+                    - href: '#sc-16.3_smt'
+                      rel: assessment-for
                 - id: sc-16.3_asm-examine
                   name: assessment-method
                   props:
@@ -118033,6 +128137,9 @@ catalog:
                       value: SC-17a.
                       class: sp800-53a
                   prose: 'public key certificates are issued under {{ insert: param, sc-17_odp }} , or public key certificates are obtained from an approved service provider;'
+                  links:
+                    - href: '#sc-17_smt.a'
+                      rel: assessment-for
                 - id: sc-17_obj.b
                   name: assessment-objective
                   props:
@@ -118040,6 +128147,12 @@ catalog:
                       value: SC-17b.
                       class: sp800-53a
                   prose: only approved trust anchors are included in trust stores or certificate stores managed by the organization.
+                  links:
+                    - href: '#sc-17_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-17_smt'
+                  rel: assessment-for
             - id: sc-17_asm-examine
               name: assessment-method
               props:
@@ -118161,6 +128274,9 @@ catalog:
                           value: SC-18a.[01]
                           class: sp800-53a
                       prose: acceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -118168,6 +128284,9 @@ catalog:
                           value: SC-18a.[02]
                           class: sp800-53a
                       prose: unacceptable mobile code is defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -118175,6 +128294,9 @@ catalog:
                           value: SC-18a.[03]
                           class: sp800-53a
                       prose: acceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
                     - id: sc-18_obj.a-4
                       name: assessment-objective
                       props:
@@ -118182,6 +128304,12 @@ catalog:
                           value: SC-18a.[04]
                           class: sp800-53a
                       prose: unacceptable mobile code technologies are defined;
+                      links:
+                        - href: '#sc-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.a'
+                      rel: assessment-for
                 - id: sc-18_obj.b
                   name: assessment-objective
                   props:
@@ -118196,6 +128324,9 @@ catalog:
                           value: SC-18b.[01]
                           class: sp800-53a
                       prose: the use of mobile code is authorized within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-2
                       name: assessment-objective
                       props:
@@ -118203,6 +128334,9 @@ catalog:
                           value: SC-18b.[02]
                           class: sp800-53a
                       prose: the use of mobile code is monitored within the system;
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
                     - id: sc-18_obj.b-3
                       name: assessment-objective
                       props:
@@ -118210,6 +128344,15 @@ catalog:
                           value: SC-18b.[03]
                           class: sp800-53a
                       prose: the use of mobile code is controlled within the system.
+                      links:
+                        - href: '#sc-18_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-18_smt'
+                  rel: assessment-for
             - id: sc-18_asm-examine
               name: assessment-method
               props:
@@ -118335,6 +128478,9 @@ catalog:
                           value: SC-18(01)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sc-18.01_odp.01 }} is identified;'
+                      links:
+                        - href: '#sc-18.1_smt'
+                          rel: assessment-for
                     - id: sc-18.1_obj-2
                       name: assessment-objective
                       props:
@@ -118342,6 +128488,12 @@ catalog:
                           value: SC-18(01)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sc-18.01_odp.02 }} are taken if unacceptable mobile code is identified.'
+                      links:
+                        - href: '#sc-18.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18.1_smt'
+                      rel: assessment-for
                 - id: sc-18.1_asm-examine
                   name: assessment-method
                   props:
@@ -118457,6 +128609,9 @@ catalog:
                           value: SC-18(02)[01]
                           class: sp800-53a
                       prose: 'the acquisition of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};'
+                      links:
+                        - href: '#sc-18.2_smt'
+                          rel: assessment-for
                     - id: sc-18.2_obj-2
                       name: assessment-objective
                       props:
@@ -118464,6 +128619,9 @@ catalog:
                           value: SC-18(02)[02]
                           class: sp800-53a
                       prose: 'the development of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }};'
+                      links:
+                        - href: '#sc-18.2_smt'
+                          rel: assessment-for
                     - id: sc-18.2_obj-3
                       name: assessment-objective
                       props:
@@ -118471,6 +128629,12 @@ catalog:
                           value: SC-18(02)[03]
                           class: sp800-53a
                       prose: 'the use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}.'
+                      links:
+                        - href: '#sc-18.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18.2_smt'
+                      rel: assessment-for
                 - id: sc-18.2_asm-examine
                   name: assessment-method
                   props:
@@ -118582,6 +128746,9 @@ catalog:
                           value: SC-18(03)[01]
                           class: sp800-53a
                       prose: 'the download of {{ insert: param, sc-18.03_odp }} is prevented;'
+                      links:
+                        - href: '#sc-18.3_smt'
+                          rel: assessment-for
                     - id: sc-18.3_obj-2
                       name: assessment-objective
                       props:
@@ -118589,6 +128756,12 @@ catalog:
                           value: SC-18(03)[02]
                           class: sp800-53a
                       prose: 'the execution of {{ insert: param, sc-18.03_odp }} is prevented.'
+                      links:
+                        - href: '#sc-18.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18.3_smt'
+                      rel: assessment-for
                 - id: sc-18.3_asm-examine
                   name: assessment-method
                   props:
@@ -118708,6 +128881,9 @@ catalog:
                           value: SC-18(04)[01]
                           class: sp800-53a
                       prose: 'the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} is prevented;'
+                      links:
+                        - href: '#sc-18.4_smt'
+                          rel: assessment-for
                     - id: sc-18.4_obj-2
                       name: assessment-objective
                       props:
@@ -118715,6 +128891,12 @@ catalog:
                           value: SC-18(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sc-18.04_odp.02 }} are enforced prior to executing mobile code.'
+                      links:
+                        - href: '#sc-18.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-18.4_smt'
+                      rel: assessment-for
                 - id: sc-18.4_asm-examine
                   name: assessment-method
                   props:
@@ -118815,6 +128997,9 @@ catalog:
                       value: SC-18(05)
                       class: sp800-53a
                   prose: execution of permitted mobile code is allowed only in confined virtual machine environments.
+                  links:
+                    - href: '#sc-18.5_smt'
+                      rel: assessment-for
                 - id: sc-18.5_asm-examine
                   name: assessment-method
                   props:
@@ -118967,6 +129152,9 @@ catalog:
                           value: SC-20a.[01]
                           class: sp800-53a
                       prose: additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
                     - id: sc-20_obj.a-2
                       name: assessment-objective
                       props:
@@ -118974,6 +129162,12 @@ catalog:
                           value: SC-20a.[02]
                           class: sp800-53a
                       prose: integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;
+                      links:
+                        - href: '#sc-20_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.a'
+                      rel: assessment-for
                 - id: sc-20_obj.b
                   name: assessment-objective
                   props:
@@ -118988,6 +129182,9 @@ catalog:
                           value: SC-20b.[01]
                           class: sp800-53a
                       prose: the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
                     - id: sc-20_obj.b-2
                       name: assessment-objective
                       props:
@@ -118995,6 +129192,15 @@ catalog:
                           value: SC-20b.[02]
                           class: sp800-53a
                       prose: the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.
+                      links:
+                        - href: '#sc-20_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-20_smt'
+                  rel: assessment-for
             - id: sc-20_asm-examine
               name: assessment-method
               props:
@@ -119102,6 +129308,9 @@ catalog:
                           value: SC-20(02)[01]
                           class: sp800-53a
                       prose: data origin artifacts are provided for internal name/address resolution queries;
+                      links:
+                        - href: '#sc-20.2_smt'
+                          rel: assessment-for
                     - id: sc-20.2_obj-2
                       name: assessment-objective
                       props:
@@ -119109,6 +129318,12 @@ catalog:
                           value: SC-20(02)[02]
                           class: sp800-53a
                       prose: integrity protection artifacts are provided for internal name/address resolution queries.
+                      links:
+                        - href: '#sc-20.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-20.2_smt'
+                      rel: assessment-for
                 - id: sc-20.2_asm-examine
                   name: assessment-method
                   props:
@@ -119205,6 +129420,9 @@ catalog:
                       value: SC-21[01]
                       class: sp800-53a
                   prose: data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-2
                   name: assessment-objective
                   props:
@@ -119212,6 +129430,9 @@ catalog:
                       value: SC-21[02]
                       class: sp800-53a
                   prose: data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-3
                   name: assessment-objective
                   props:
@@ -119219,6 +129440,9 @@ catalog:
                       value: SC-21[03]
                       class: sp800-53a
                   prose: data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
                 - id: sc-21_obj-4
                   name: assessment-objective
                   props:
@@ -119226,6 +129450,12 @@ catalog:
                       value: SC-21[04]
                       class: sp800-53a
                   prose: data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.
+                  links:
+                    - href: '#sc-21_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-21_smt'
+                  rel: assessment-for
             - id: sc-21_asm-examine
               name: assessment-method
               props:
@@ -119343,6 +129573,9 @@ catalog:
                       value: SC-22[01]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization are fault-tolerant;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-2
                   name: assessment-objective
                   props:
@@ -119350,6 +129583,9 @@ catalog:
                       value: SC-22[02]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement internal role separation;
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
                 - id: sc-22_obj-3
                   name: assessment-objective
                   props:
@@ -119357,6 +129593,12 @@ catalog:
                       value: SC-22[03]
                       class: sp800-53a
                   prose: the systems that collectively provide name/address resolution services for an organization implement external role separation.
+                  links:
+                    - href: '#sc-22_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-22_smt'
+                  rel: assessment-for
             - id: sc-22_asm-examine
               name: assessment-method
               props:
@@ -119460,6 +129702,9 @@ catalog:
                   value: SC-23
                   class: sp800-53a
               prose: the authenticity of communication sessions is protected.
+              links:
+                - href: '#sc-23_smt'
+                  rel: assessment-for
             - id: sc-23_asm-examine
               name: assessment-method
               props:
@@ -119544,6 +129789,9 @@ catalog:
                       value: SC-23(01)
                       class: sp800-53a
                   prose: session identifiers are invalidated upon user logout or other session termination.
+                  links:
+                    - href: '#sc-23.1_smt'
+                      rel: assessment-for
                 - id: sc-23.1_asm-examine
                   name: assessment-method
                   props:
@@ -119667,6 +129915,9 @@ catalog:
                           value: SC-23(03)[01]
                           class: sp800-53a
                       prose: 'a unique session identifier is generated for each session with {{ insert: param, sc-23.03_odp }};'
+                      links:
+                        - href: '#sc-23.3_smt'
+                          rel: assessment-for
                     - id: sc-23.3_obj-2
                       name: assessment-objective
                       props:
@@ -119674,6 +129925,12 @@ catalog:
                           value: SC-23(03)[02]
                           class: sp800-53a
                       prose: only system-generated session identifiers are recognized.
+                      links:
+                        - href: '#sc-23.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-23.3_smt'
+                      rel: assessment-for
                 - id: sc-23.3_asm-examine
                   name: assessment-method
                   props:
@@ -119794,6 +130051,9 @@ catalog:
                       value: SC-23(05)
                       class: sp800-53a
                   prose: 'only the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions is allowed.'
+                  links:
+                    - href: '#sc-23.5_smt'
+                      rel: assessment-for
                 - id: sc-23.5_asm-examine
                   name: assessment-method
                   props:
@@ -119930,6 +130190,9 @@ catalog:
                   value: SC-24
                   class: sp800-53a
               prose: '{{ insert: param, sc-24_odp.01 }} fail to a {{ insert: param, sc-24_odp.02 }} while preserving {{ insert: param, sc-24_odp.03 }} in failure.'
+              links:
+                - href: '#sc-24_smt'
+                  rel: assessment-for
             - id: sc-24_asm-examine
               name: assessment-method
               props:
@@ -120042,6 +130305,9 @@ catalog:
                       value: SC-25[01]
                       class: sp800-53a
                   prose: 'minimal functionality for {{ insert: param, sc-25_odp }} is employed;'
+                  links:
+                    - href: '#sc-25_smt'
+                      rel: assessment-for
                 - id: sc-25_obj-2
                   name: assessment-objective
                   props:
@@ -120049,6 +130315,12 @@ catalog:
                       value: SC-25[02]
                       class: sp800-53a
                   prose: 'minimal information storage on {{ insert: param, sc-25_odp }} is allocated.'
+                  links:
+                    - href: '#sc-25_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-25_smt'
+                  rel: assessment-for
             - id: sc-25_asm-examine
               name: assessment-method
               props:
@@ -120151,6 +130423,9 @@ catalog:
                       value: SC-26[01]
                       class: sp800-53a
                   prose: components within organizational systems specifically designed to be the target of malicious attacks are included to detect such attacks;
+                  links:
+                    - href: '#sc-26_smt'
+                      rel: assessment-for
                 - id: sc-26_obj-2
                   name: assessment-objective
                   props:
@@ -120158,6 +130433,9 @@ catalog:
                       value: SC-26[02]
                       class: sp800-53a
                   prose: components within organizational systems specifically designed to be the target of malicious attacks are included to deflect such attacks;
+                  links:
+                    - href: '#sc-26_smt'
+                      rel: assessment-for
                 - id: sc-26_obj-3
                   name: assessment-objective
                   props:
@@ -120165,6 +130443,12 @@ catalog:
                       value: SC-26[03]
                       class: sp800-53a
                   prose: components within organizational systems specifically designed to be the target of malicious attacks are included to analyze such attacks.
+                  links:
+                    - href: '#sc-26_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-26_smt'
+                  rel: assessment-for
             - id: sc-26_asm-examine
               name: assessment-method
               props:
@@ -120278,6 +130562,9 @@ catalog:
                   value: SC-27
                   class: sp800-53a
               prose: '{{ insert: param, sc-27_odp }} are included within organizational systems.'
+              links:
+                - href: '#sc-27_smt'
+                  rel: assessment-for
             - id: sc-27_asm-examine
               name: assessment-method
               props:
@@ -120442,6 +130729,9 @@ catalog:
                   value: SC-28
                   class: sp800-53a
               prose: 'the {{ insert: param, sc-28_odp.01 }} of {{ insert: param, sc-28_odp.02 }} is/are protected.'
+              links:
+                - href: '#sc-28_smt'
+                  rel: assessment-for
             - id: sc-28_asm-examine
               name: assessment-method
               props:
@@ -120564,6 +130854,9 @@ catalog:
                           value: SC-28(01)[01]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized disclosure of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }};'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
                     - id: sc-28.1_obj-2
                       name: assessment-objective
                       props:
@@ -120571,6 +130864,12 @@ catalog:
                           value: SC-28(01)[02]
                           class: sp800-53a
                       prose: 'cryptographic mechanisms are implemented to prevent unauthorized modification of {{ insert: param, sc-28.01_odp.01 }} at rest on {{ insert: param, sc-28.01_odp.02 }}.'
+                      links:
+                        - href: '#sc-28.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-28.1_smt'
+                      rel: assessment-for
                 - id: sc-28.1_asm-examine
                   name: assessment-method
                   props:
@@ -120676,6 +130975,9 @@ catalog:
                           value: SC-28(02)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sc-28.02_odp }} is removed from online storage;'
+                      links:
+                        - href: '#sc-28.2_smt'
+                          rel: assessment-for
                     - id: sc-28.2_obj-2
                       name: assessment-objective
                       props:
@@ -120683,6 +130985,12 @@ catalog:
                           value: SC-28(02)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sc-28.02_odp }} is stored offline in a secure location.'
+                      links:
+                        - href: '#sc-28.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-28.2_smt'
+                      rel: assessment-for
                 - id: sc-28.2_asm-examine
                   name: assessment-method
                   props:
@@ -120802,6 +131110,9 @@ catalog:
                       value: SC-28(03)
                       class: sp800-53a
                   prose: 'protected storage for cryptographic keys is provided using {{ insert: param, sc-28.03_odp.01 }}.'
+                  links:
+                    - href: '#sc-28.3_smt'
+                      rel: assessment-for
                 - id: sc-28.3_asm-examine
                   name: assessment-method
                   props:
@@ -120909,6 +131220,9 @@ catalog:
                   value: SC-29
                   class: sp800-53a
               prose: 'a diverse set of information technologies is employed for {{ insert: param, sc-29_odp }} in the implementation of the system.'
+              links:
+                - href: '#sc-29_smt'
+                  rel: assessment-for
             - id: sc-29_asm-examine
               name: assessment-method
               props:
@@ -121011,6 +131325,9 @@ catalog:
                       value: SC-29(01)
                       class: sp800-53a
                   prose: 'virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}.'
+                  links:
+                    - href: '#sc-29.1_smt'
+                      rel: assessment-for
                 - id: sc-29.1_asm-examine
                   name: assessment-method
                   props:
@@ -121151,6 +131468,9 @@ catalog:
                   value: SC-30
                   class: sp800-53a
               prose: '{{ insert: param, sc-30_odp.01 }} are employed for {{ insert: param, sc-30_odp.02 }} for {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries.'
+              links:
+                - href: '#sc-30_smt'
+                  rel: assessment-for
             - id: sc-30_asm-examine
               name: assessment-method
               props:
@@ -121271,6 +131591,9 @@ catalog:
                       value: SC-30(02)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-30.02_odp }} are employed to introduce randomness into organizational operations and assets.'
+                  links:
+                    - href: '#sc-30.2_smt'
+                      rel: assessment-for
                 - id: sc-30.2_asm-examine
                   name: assessment-method
                   props:
@@ -121395,6 +131718,9 @@ catalog:
                       value: SC-30(03)
                       class: sp800-53a
                   prose: 'the location of {{ insert: param, sc-30.03_odp.01 }} is changed {{ insert: param, sc-30.03_odp.02 }}.'
+                  links:
+                    - href: '#sc-30.3_smt'
+                      rel: assessment-for
                 - id: sc-30.3_asm-examine
                   name: assessment-method
                   props:
@@ -121498,6 +131824,9 @@ catalog:
                       value: SC-30(04)
                       class: sp800-53a
                   prose: 'realistic but misleading information about the security state or posture of {{ insert: param, sc-30.04_odp }} is employed.'
+                  links:
+                    - href: '#sc-30.4_smt'
+                      rel: assessment-for
                 - id: sc-30.4_asm-examine
                   name: assessment-method
                   props:
@@ -121609,6 +131938,9 @@ catalog:
                       value: SC-30(05)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-30.05_odp.01 }} are employed to hide or conceal {{ insert: param, sc-30.05_odp.02 }}.'
+                  links:
+                    - href: '#sc-30.5_smt'
+                      rel: assessment-for
                 - id: sc-30.5_asm-examine
                   name: assessment-method
                   props:
@@ -121739,6 +132071,9 @@ catalog:
                       value: SC-31a.
                       class: sp800-53a
                   prose: 'a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels;'
+                  links:
+                    - href: '#sc-31_smt.a'
+                      rel: assessment-for
                 - id: sc-31_obj.b
                   name: assessment-objective
                   props:
@@ -121746,6 +132081,12 @@ catalog:
                       value: SC-31b.
                       class: sp800-53a
                   prose: the maximum bandwidth of those channels is estimated.
+                  links:
+                    - href: '#sc-31_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-31_smt'
+                  rel: assessment-for
             - id: sc-31_asm-examine
               name: assessment-method
               props:
@@ -121844,6 +132185,9 @@ catalog:
                       value: SC-31(01)
                       class: sp800-53a
                   prose: a subset of the identified covert channels is tested to determine the channels that are exploitable.
+                  links:
+                    - href: '#sc-31.1_smt'
+                      rel: assessment-for
                 - id: sc-31.1_asm-examine
                   name: assessment-method
                   props:
@@ -121962,6 +132306,9 @@ catalog:
                       value: SC-31(02)
                       class: sp800-53a
                   prose: 'the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels is reduced to {{ insert: param, sc-31.02_odp.02 }}.'
+                  links:
+                    - href: '#sc-31.2_smt'
+                      rel: assessment-for
                 - id: sc-31.2_asm-examine
                   name: assessment-method
                   props:
@@ -122074,6 +132421,9 @@ catalog:
                       value: SC-31(03)
                       class: sp800-53a
                   prose: 'the bandwidth of {{ insert: param, sc-31.03_odp }} is measured in the operational environment of the system.'
+                  links:
+                    - href: '#sc-31.3_smt'
+                      rel: assessment-for
                 - id: sc-31.3_asm-examine
                   name: assessment-method
                   props:
@@ -122225,6 +132575,9 @@ catalog:
                   value: SC-32
                   class: sp800-53a
               prose: 'the system is partitioned into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}.'
+              links:
+                - href: '#sc-32_smt'
+                  rel: assessment-for
             - id: sc-32_asm-examine
               name: assessment-method
               props:
@@ -122325,6 +132678,9 @@ catalog:
                       value: SC-32(01)
                       class: sp800-53a
                   prose: privileged functions are partitioned into separate physical domains.
+                  links:
+                    - href: '#sc-32.1_smt'
+                      rel: assessment-for
                 - id: sc-32.1_asm-examine
                   name: assessment-method
                   props:
@@ -122482,6 +132838,9 @@ catalog:
                       value: SC-34a.
                       class: sp800-53a
                   prose: 'the operating environment for {{ insert: param, sc-34_odp.01 }} is loaded and executed from hardware-enforced, read-only media;'
+                  links:
+                    - href: '#sc-34_smt.a'
+                      rel: assessment-for
                 - id: sc-34_obj.b
                   name: assessment-objective
                   props:
@@ -122489,6 +132848,12 @@ catalog:
                       value: SC-34b.
                       class: sp800-53a
                   prose: '{{ insert: param, sc-34_odp.02 }} for {{ insert: param, sc-34_odp.01 }} are loaded and executed from hardware-enforced, read-only media.'
+                  links:
+                    - href: '#sc-34_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-34_smt'
+                  rel: assessment-for
             - id: sc-34_asm-examine
               name: assessment-method
               props:
@@ -122610,6 +132975,9 @@ catalog:
                       value: SC-34(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-34.01_odp }} are employed with no writeable storage that is persistent across component restart or power on/off.'
+                  links:
+                    - href: '#sc-34.1_smt'
+                      rel: assessment-for
                 - id: sc-34.1_asm-examine
                   name: assessment-method
                   props:
@@ -122730,6 +133098,9 @@ catalog:
                           value: SC-34(02)[01]
                           class: sp800-53a
                       prose: the integrity of information is protected prior to storage on read-only media;
+                      links:
+                        - href: '#sc-34.2_smt'
+                          rel: assessment-for
                     - id: sc-34.2_obj-2
                       name: assessment-objective
                       props:
@@ -122737,6 +133108,12 @@ catalog:
                           value: SC-34(02)[02]
                           class: sp800-53a
                       prose: the media is controlled after such information has been recorded onto the media;
+                      links:
+                        - href: '#sc-34.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-34.2_smt'
+                      rel: assessment-for
                 - id: sc-34.2_asm-examine
                   name: assessment-method
                   props:
@@ -122850,6 +133227,9 @@ catalog:
                   value: SC-35
                   class: sp800-53a
               prose: system components that proactively seek to identify network-based malicious code or malicious websites are included.
+              links:
+                - href: '#sc-35_smt'
+                  rel: assessment-for
             - id: sc-35_asm-examine
               name: assessment-method
               props:
@@ -123013,6 +133393,9 @@ catalog:
                       value: SC-36[01]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-36_odp.01 }} are distributed across {{ insert: param, sc-36_odp.02 }};'
+                  links:
+                    - href: '#sc-36_smt'
+                      rel: assessment-for
                 - id: sc-36_obj-2
                   name: assessment-objective
                   props:
@@ -123020,6 +133403,12 @@ catalog:
                       value: SC-36[02]
                       class: sp800-53a
                   prose: '{{ insert: param, sc-36_odp.03 }} are distributed across {{ insert: param, sc-36_odp.04 }}.'
+                  links:
+                    - href: '#sc-36_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-36_smt'
+                  rel: assessment-for
             - id: sc-36_asm-examine
               name: assessment-method
               props:
@@ -123168,6 +133557,9 @@ catalog:
                           value: SC-36(01)(a)
                           class: sp800-53a
                       prose: 'polling techniques are employed to identify potential faults, errors, or compromises to {{ insert: param, sc-36.01_odp.01 }};'
+                      links:
+                        - href: '#sc-36.1_smt.a'
+                          rel: assessment-for
                     - id: sc-36.1_obj.b
                       name: assessment-objective
                       props:
@@ -123175,6 +133567,12 @@ catalog:
                           value: SC-36(01)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, sc-36.01_odp.02 }} are taken in response to identified faults, errors, or compromise.'
+                      links:
+                        - href: '#sc-36.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-36.1_smt'
+                      rel: assessment-for
                 - id: sc-36.1_asm-examine
                   name: assessment-method
                   props:
@@ -123282,6 +133680,9 @@ catalog:
                       value: SC-36(02)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-36.02_odp }} are synchronized.'
+                  links:
+                    - href: '#sc-36.2_smt'
+                      rel: assessment-for
                 - id: sc-36.2_asm-examine
                   name: assessment-method
                   props:
@@ -123427,7 +133828,7 @@ catalog:
               prose: 'Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp.01 }}.'
             - id: sc-37_gdn
               name: guidance
-              prose: Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.
+              prose: Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.
             - id: sc-37_obj
               name: assessment-objective
               props:
@@ -123435,6 +133836,9 @@ catalog:
                   value: SC-37
                   class: sp800-53a
               prose: '{{ insert: param, sc-37_odp.01 }} are employed for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}.'
+              links:
+                - href: '#sc-37_smt'
+                  rel: assessment-for
             - id: sc-37_asm-examine
               name: assessment-method
               props:
@@ -123576,6 +133980,9 @@ catalog:
                       value: SC-37(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-37.01_odp.01 }} are employed to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive {{ insert: param, sc-37.01_odp.03 }}.'
+                  links:
+                    - href: '#sc-37.1_smt'
+                      rel: assessment-for
                 - id: sc-37.1_asm-examine
                   name: assessment-method
                   props:
@@ -123716,6 +134123,9 @@ catalog:
                   value: SC-38
                   class: sp800-53a
               prose: '{{ insert: param, sc-38_odp }} are employed to protect key organizational information throughout the system development life cycle.'
+              links:
+                - href: '#sc-38_smt'
+                  rel: assessment-for
             - id: sc-38_asm-examine
               name: assessment-method
               props:
@@ -123833,6 +134243,9 @@ catalog:
                   value: SC-39
                   class: sp800-53a
               prose: a separate execution domain is maintained for each executing system process.
+              links:
+                - href: '#sc-39_smt'
+                  rel: assessment-for
             - id: sc-39_asm-examine
               name: assessment-method
               props:
@@ -123916,6 +134329,9 @@ catalog:
                       value: SC-39(01)
                       class: sp800-53a
                   prose: hardware separation is implemented to facilitate process isolation.
+                  links:
+                    - href: '#sc-39.1_smt'
+                      rel: assessment-for
                 - id: sc-39.1_asm-examine
                   name: assessment-method
                   props:
@@ -124021,6 +134437,9 @@ catalog:
                       value: SC-39(02)
                       class: sp800-53a
                   prose: 'a separate execution domain is maintained for each thread in {{ insert: param, sc-39.02_odp }}.'
+                  links:
+                    - href: '#sc-39.2_smt'
+                      rel: assessment-for
                 - id: sc-39.2_asm-examine
                   name: assessment-method
                   props:
@@ -124176,6 +134595,9 @@ catalog:
                       value: SC-40[01]
                       class: sp800-53a
                   prose: 'external {{ insert: param, sc-40_odp.01 }} are protected from {{ insert: param, sc-40_odp.02 }}.'
+                  links:
+                    - href: '#sc-40_smt'
+                      rel: assessment-for
                 - id: sc-40_obj-2
                   name: assessment-objective
                   props:
@@ -124183,6 +134605,12 @@ catalog:
                       value: SC-40[02]
                       class: sp800-53a
                   prose: 'internal {{ insert: param, sc-40_odp.03 }} are protected from {{ insert: param, sc-40_odp.04 }}.'
+                  links:
+                    - href: '#sc-40_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sc-40_smt'
+                  rel: assessment-for
             - id: sc-40_asm-examine
               name: assessment-method
               props:
@@ -124300,6 +134728,9 @@ catalog:
                       value: SC-40(01)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference are implemented.'
+                  links:
+                    - href: '#sc-40.1_smt'
+                      rel: assessment-for
                 - id: sc-40.1_asm-examine
                   name: assessment-method
                   props:
@@ -124414,6 +134845,9 @@ catalog:
                       value: SC-40(02)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }} are implemented.'
+                  links:
+                    - href: '#sc-40.2_smt'
+                      rel: assessment-for
                 - id: sc-40.2_asm-examine
                   name: assessment-method
                   props:
@@ -124519,6 +134953,9 @@ catalog:
                       value: SC-40(03)
                       class: sp800-53a
                   prose: cryptographic mechanisms are implemented to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
+                  links:
+                    - href: '#sc-40.3_smt'
+                      rel: assessment-for
                 - id: sc-40.3_asm-examine
                   name: assessment-method
                   props:
@@ -124629,6 +135066,9 @@ catalog:
                       value: SC-40(04)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters.'
+                  links:
+                    - href: '#sc-40.4_smt'
+                      rel: assessment-for
                 - id: sc-40.4_asm-examine
                   name: assessment-method
                   props:
@@ -124761,6 +135201,9 @@ catalog:
                   value: SC-41
                   class: sp800-53a
               prose: '{{ insert: param, sc-41_odp.01 }} are {{ insert: param, sc-41_odp.02 }} disabled or removed on {{ insert: param, sc-41_odp.03 }}.'
+              links:
+                - href: '#sc-41_smt'
+                  rel: assessment-for
             - id: sc-41_asm-examine
               name: assessment-method
               props:
@@ -124928,6 +135371,9 @@ catalog:
                       value: SC-42a.
                       class: sp800-53a
                   prose: '{{ insert: param, sc-42_odp.01 }} is/are prohibited;'
+                  links:
+                    - href: '#sc-42_smt.a'
+                      rel: assessment-for
                 - id: sc-42_obj.b
                   name: assessment-objective
                   props:
@@ -124935,6 +135381,12 @@ catalog:
                       value: SC-42b.
                       class: sp800-53a
                   prose: 'an explicit indication of sensor use is provided to {{ insert: param, sc-42_odp.05 }}.'
+                  links:
+                    - href: '#sc-42_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-42_smt'
+                  rel: assessment-for
             - id: sc-42_asm-examine
               name: assessment-method
               props:
@@ -125045,6 +135497,9 @@ catalog:
                       value: SC-42(01)
                       class: sp800-53a
                   prose: 'the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles.'
+                  links:
+                    - href: '#sc-42.1_smt'
+                      rel: assessment-for
                 - id: sc-42.1_asm-examine
                   name: assessment-method
                   props:
@@ -125160,6 +135615,9 @@ catalog:
                       value: SC-42(02)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-42.02_odp }} are employed so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes.'
+                  links:
+                    - href: '#sc-42.2_smt'
+                      rel: assessment-for
                 - id: sc-42.2_asm-examine
                   name: assessment-method
                   props:
@@ -125303,6 +135761,9 @@ catalog:
                       value: SC-42(04)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-42.04_odp.01 }} are employed to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }} '
+                  links:
+                    - href: '#sc-42.4_smt'
+                      rel: assessment-for
                 - id: sc-42.4_asm-examine
                   name: assessment-method
                   props:
@@ -125424,6 +135885,9 @@ catalog:
                       value: SC-42(05)
                       class: sp800-53a
                   prose: 'the {{ insert: param, sc-42.05_odp }} configured to minimize the collection of information about individuals that is not needed are employed.'
+                  links:
+                    - href: '#sc-42.5_smt'
+                      rel: assessment-for
                 - id: sc-42.5_asm-examine
                   name: assessment-method
                   props:
@@ -125578,6 +136042,9 @@ catalog:
                       value: SC-43a.
                       class: sp800-53a
                   prose: 'usage restrictions and implementation guidelines are established for {{ insert: param, sc-43_odp }};'
+                  links:
+                    - href: '#sc-43_smt.a'
+                      rel: assessment-for
                 - id: sc-43_obj.b
                   name: assessment-objective
                   props:
@@ -125592,6 +136059,9 @@ catalog:
                           value: SC-43b.[01]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, sc-43_odp }} is authorized within the system;'
+                      links:
+                        - href: '#sc-43_smt.b'
+                          rel: assessment-for
                     - id: sc-43_obj.b-2
                       name: assessment-objective
                       props:
@@ -125599,6 +136069,9 @@ catalog:
                           value: SC-43b.[02]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, sc-43_odp }} is monitored within the system;'
+                      links:
+                        - href: '#sc-43_smt.b'
+                          rel: assessment-for
                     - id: sc-43_obj.b-3
                       name: assessment-objective
                       props:
@@ -125606,6 +136079,15 @@ catalog:
                           value: SC-43b.[03]
                           class: sp800-53a
                       prose: 'the use of {{ insert: param, sc-43_odp }} is controlled within the system.'
+                      links:
+                        - href: '#sc-43_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-43_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-43_smt'
+                  rel: assessment-for
             - id: sc-43_asm-examine
               name: assessment-method
               props:
@@ -125727,6 +136209,9 @@ catalog:
                   value: SC-44
                   class: sp800-53a
               prose: 'a detonation chamber capability is employed within the {{ insert: param, sc-44_odp }}.'
+              links:
+                - href: '#sc-44_smt'
+                  rel: assessment-for
             - id: sc-44_asm-examine
               name: assessment-method
               props:
@@ -125820,6 +136305,9 @@ catalog:
                   value: SC-45
                   class: sp800-53a
               prose: system clocks are synchronized within and between systems and system components.
+              links:
+                - href: '#sc-45_smt'
+                  rel: assessment-for
             - id: sc-45_asm-examine
               name: assessment-method
               props:
@@ -125956,6 +136444,9 @@ catalog:
                           value: SC-45(01)(a)
                           class: sp800-53a
                       prose: 'the internal system clocks are compared {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }};'
+                      links:
+                        - href: '#sc-45.1_smt.a'
+                          rel: assessment-for
                     - id: sc-45.1_obj.b
                       name: assessment-objective
                       props:
@@ -125963,6 +136454,12 @@ catalog:
                           value: SC-45(01)(b)
                           class: sp800-53a
                       prose: 'the internal system clocks are synchronized with the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.'
+                      links:
+                        - href: '#sc-45.1_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-45.1_smt'
+                      rel: assessment-for
                 - id: sc-45.1_asm-examine
                   name: assessment-method
                   props:
@@ -126067,6 +136564,9 @@ catalog:
                           value: SC-45(02)(a)
                           class: sp800-53a
                       prose: a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;
+                      links:
+                        - href: '#sc-45.2_smt.a'
+                          rel: assessment-for
                     - id: sc-45.2_obj.b
                       name: assessment-objective
                       props:
@@ -126074,6 +136574,12 @@ catalog:
                           value: SC-45(02)(b)
                           class: sp800-53a
                       prose: the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.
+                      links:
+                        - href: '#sc-45.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-45.2_smt'
+                      rel: assessment-for
                 - id: sc-45.2_asm-examine
                   name: assessment-method
                   props:
@@ -126175,6 +136681,9 @@ catalog:
                   value: SC-46
                   class: sp800-53a
               prose: 'a policy enforcement mechanism is {{ insert: param, sc-46_odp }} implemented between the physical and/or network interfaces for the connecting security domains.'
+              links:
+                - href: '#sc-46_smt'
+                  rel: assessment-for
             - id: sc-46_asm-examine
               name: assessment-method
               props:
@@ -126285,6 +136794,9 @@ catalog:
                   value: SC-47
                   class: sp800-53a
               prose: '{{ insert: param, sc-47_odp }} are established for system operations and operational command and control.'
+              links:
+                - href: '#sc-47_smt'
+                  rel: assessment-for
             - id: sc-47_asm-examine
               name: assessment-method
               props:
@@ -126410,6 +136922,9 @@ catalog:
                   value: SC-48
                   class: sp800-53a
               prose: '{{ insert: param, sc-48_odp.01 }} are relocated to {{ insert: param, sc-48_odp.02 }} under {{ insert: param, sc-48_odp.03 }}.'
+              links:
+                - href: '#sc-48_smt'
+                  rel: assessment-for
             - id: sc-48_asm-examine
               name: assessment-method
               props:
@@ -126536,6 +137051,9 @@ catalog:
                       value: SC-48(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sc-48.01_odp.01 }} are dynamically relocated to {{ insert: param, sc-48.01_odp.02 }} under {{ insert: param, sc-48.01_odp.03 }}.'
+                  links:
+                    - href: '#sc-48.1_smt'
+                      rel: assessment-for
                 - id: sc-48.1_asm-examine
                   name: assessment-method
                   props:
@@ -126650,6 +137168,9 @@ catalog:
                   value: SC-49
                   class: sp800-53a
               prose: 'hardware-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-49_odp }}.'
+              links:
+                - href: '#sc-49_smt'
+                  rel: assessment-for
             - id: sc-49_asm-examine
               name: assessment-method
               props:
@@ -126764,6 +137285,9 @@ catalog:
                   value: SC-50
                   class: sp800-53a
               prose: 'software-enforced separation and policy enforcement mechanisms are implemented between {{ insert: param, sc-50_odp }}.'
+              links:
+                - href: '#sc-50_smt'
+                  rel: assessment-for
             - id: sc-50_asm-examine
               name: assessment-method
               props:
@@ -126892,6 +137416,9 @@ catalog:
                       value: SC-51a.
                       class: sp800-53a
                   prose: 'hardware-based write-protect for {{ insert: param, sc-51_odp.01 }} is employed;'
+                  links:
+                    - href: '#sc-51_smt.a'
+                      rel: assessment-for
                 - id: sc-51_obj.b
                   name: assessment-objective
                   props:
@@ -126906,6 +137433,9 @@ catalog:
                           value: SC-51b.[01]
                           class: sp800-53a
                       prose: 'specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications;'
+                      links:
+                        - href: '#sc-51_smt.b'
+                          rel: assessment-for
                     - id: sc-51_obj.b-2
                       name: assessment-objective
                       props:
@@ -126913,6 +137443,15 @@ catalog:
                           value: SC-51b.[02]
                           class: sp800-53a
                       prose: 'specific procedures are implemented for {{ insert: param, sc-51_odp.02 }} to re-enable the write-protect prior to returning to operational mode.'
+                      links:
+                        - href: '#sc-51_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#sc-51_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sc-51_smt'
+                  rel: assessment-for
             - id: sc-51_asm-examine
               name: assessment-method
               props:
@@ -127184,6 +137723,9 @@ catalog:
                           value: SI-01a.[01]
                           class: sp800-53a
                       prose: a system and information integrity policy is developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -127191,6 +137733,9 @@ catalog:
                           value: SI-01a.[02]
                           class: sp800-53a
                       prose: 'the system and information integrity policy is disseminated to {{ insert: param, si-01_odp.01 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -127198,6 +137743,9 @@ catalog:
                           value: SI-01a.[03]
                           class: sp800-53a
                       prose: system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -127205,6 +137753,9 @@ catalog:
                           value: SI-01a.[04]
                           class: sp800-53a
                       prose: 'the system and information integrity procedures are disseminated to {{ insert: param, si-01_odp.02 }};'
+                      links:
+                        - href: '#si-1_smt.a'
+                          rel: assessment-for
                     - id: si-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -127226,6 +137777,9 @@ catalog:
                                   value: SI-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses purpose;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -127233,6 +137787,9 @@ catalog:
                                   value: SI-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses scope;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -127240,6 +137797,9 @@ catalog:
                                   value: SI-01a.01(a)[03]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses roles;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -127247,6 +137807,9 @@ catalog:
                                   value: SI-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses responsibilities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -127254,6 +137817,9 @@ catalog:
                                   value: SI-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses management commitment;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -127261,6 +137827,9 @@ catalog:
                                   value: SI-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: si-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -127268,6 +137837,12 @@ catalog:
                                   value: SI-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy addresses compliance;'
+                              links:
+                                - href: '#si-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#si-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: si-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -127275,6 +137850,15 @@ catalog:
                               value: SI-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, si-01_odp.03 }} system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#si-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.a'
+                      rel: assessment-for
                 - id: si-1_obj.b
                   name: assessment-objective
                   props:
@@ -127282,6 +137866,9 @@ catalog:
                       value: SI-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, si-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;'
+                  links:
+                    - href: '#si-1_smt.b'
+                      rel: assessment-for
                 - id: si-1_obj.c
                   name: assessment-objective
                   props:
@@ -127303,6 +137890,9 @@ catalog:
                               value: SI-01c.01[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated {{ insert: param, si-01_odp.05 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
                         - id: si-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -127310,6 +137900,12 @@ catalog:
                               value: SI-01c.01[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity policy is reviewed and updated following {{ insert: param, si-01_odp.06 }};'
+                          links:
+                            - href: '#si-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.1'
+                          rel: assessment-for
                     - id: si-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -127324,6 +137920,9 @@ catalog:
                               value: SI-01c.02[01]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated {{ insert: param, si-01_odp.07 }};'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
                         - id: si-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -127331,6 +137930,18 @@ catalog:
                               value: SI-01c.02[02]
                               class: sp800-53a
                           prose: 'the current system and information integrity procedures are reviewed and updated following {{ insert: param, si-01_odp.08 }}.'
+                          links:
+                            - href: '#si-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#si-1_smt'
+                  rel: assessment-for
             - id: si-1_asm-examine
               name: assessment-method
               props:
@@ -127492,6 +138103,9 @@ catalog:
                           value: SI-02a.[01]
                           class: sp800-53a
                       prose: system flaws are identified;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -127499,6 +138113,9 @@ catalog:
                           value: SI-02a.[02]
                           class: sp800-53a
                       prose: system flaws are reported;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
                     - id: si-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -127506,6 +138123,12 @@ catalog:
                           value: SI-02a.[03]
                           class: sp800-53a
                       prose: system flaws are corrected;
+                      links:
+                        - href: '#si-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.a'
+                      rel: assessment-for
                 - id: si-2_obj.b
                   name: assessment-objective
                   props:
@@ -127520,6 +138143,9 @@ catalog:
                           value: SI-02b.[01]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-2
                       name: assessment-objective
                       props:
@@ -127527,6 +138153,9 @@ catalog:
                           value: SI-02b.[02]
                           class: sp800-53a
                       prose: software updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-3
                       name: assessment-objective
                       props:
@@ -127534,6 +138163,9 @@ catalog:
                           value: SI-02b.[03]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for effectiveness before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
                     - id: si-2_obj.b-4
                       name: assessment-objective
                       props:
@@ -127541,6 +138173,12 @@ catalog:
                           value: SI-02b.[04]
                           class: sp800-53a
                       prose: firmware updates related to flaw remediation are tested for potential side effects before installation;
+                      links:
+                        - href: '#si-2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.b'
+                      rel: assessment-for
                 - id: si-2_obj.c
                   name: assessment-objective
                   props:
@@ -127555,6 +138193,9 @@ catalog:
                           value: SI-02c.[01]
                           class: sp800-53a
                       prose: 'security-relevant software updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
                     - id: si-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -127562,6 +138203,12 @@ catalog:
                           value: SI-02c.[02]
                           class: sp800-53a
                       prose: 'security-relevant firmware updates are installed within {{ insert: param, si-02_odp }} of the release of the updates;'
+                      links:
+                        - href: '#si-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2_smt.c'
+                      rel: assessment-for
                 - id: si-2_obj.d
                   name: assessment-objective
                   props:
@@ -127569,6 +138216,12 @@ catalog:
                       value: SI-02d.
                       class: sp800-53a
                   prose: flaw remediation is incorporated into the organizational configuration management process.
+                  links:
+                    - href: '#si-2_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-2_smt'
+                  rel: assessment-for
             - id: si-2_asm-examine
               name: assessment-method
               props:
@@ -127715,6 +138368,9 @@ catalog:
                       value: SI-02(02)
                       class: sp800-53a
                   prose: 'system components have applicable security-relevant software and firmware updates installed {{ insert: param, si-02.02_odp.02 }} using {{ insert: param, si-02.02_odp.01 }}.'
+                  links:
+                    - href: '#si-2.2_smt'
+                      rel: assessment-for
                 - id: si-2.2_asm-examine
                   name: assessment-method
                   props:
@@ -127836,6 +138492,9 @@ catalog:
                           value: SI-02(03)(a)
                           class: sp800-53a
                       prose: the time between flaw identification and flaw remediation is measured;
+                      links:
+                        - href: '#si-2.3_smt.a'
+                          rel: assessment-for
                     - id: si-2.3_obj.b
                       name: assessment-objective
                       props:
@@ -127843,6 +138502,12 @@ catalog:
                           value: SI-02(03)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, si-02.03_odp }} for taking corrective actions have been established.'
+                      links:
+                        - href: '#si-2.3_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-2.3_smt'
+                      rel: assessment-for
                 - id: si-2.3_asm-examine
                   name: assessment-method
                   props:
@@ -127954,6 +138619,9 @@ catalog:
                       value: SI-02(04)
                       class: sp800-53a
                   prose: 'automated patch management tools are employed to facilitate flaw remediation to {{ insert: param, si-02.04_odp }}.'
+                  links:
+                    - href: '#si-2.4_smt'
+                      rel: assessment-for
                 - id: si-2.4_asm-examine
                   name: assessment-method
                   props:
@@ -128078,6 +138746,9 @@ catalog:
                       value: SI-02(05)
                       class: sp800-53a
                   prose: '{{ insert: param, si-02.05_odp.01 }} are installed automatically to {{ insert: param, si-02.05_odp.02 }}.'
+                  links:
+                    - href: '#si-2.5_smt'
+                      rel: assessment-for
                 - id: si-2.5_asm-examine
                   name: assessment-method
                   props:
@@ -128185,6 +138856,9 @@ catalog:
                       value: SI-02(06)
                       class: sp800-53a
                   prose: 'previous versions of {{ insert: param, si-02.06_odp }} are removed after updated versions have been installed.'
+                  links:
+                    - href: '#si-2.6_smt'
+                      rel: assessment-for
                 - id: si-2.6_asm-examine
                   name: assessment-method
                   props:
@@ -128447,6 +139121,9 @@ catalog:
                           value: SI-03a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
                     - id: si-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -128454,6 +139131,12 @@ catalog:
                           value: SI-03a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-03_odp.01 }} malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;'
+                      links:
+                        - href: '#si-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.a'
+                      rel: assessment-for
                 - id: si-3_obj.b
                   name: assessment-objective
                   props:
@@ -128461,6 +139144,9 @@ catalog:
                       value: SI-03b.
                       class: sp800-53a
                   prose: malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;
+                  links:
+                    - href: '#si-3_smt.b'
+                      rel: assessment-for
                 - id: si-3_obj.c
                   name: assessment-objective
                   props:
@@ -128482,6 +139168,9 @@ catalog:
                               value: SI-03c.01[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform periodic scans of the system {{ insert: param, si-03_odp.02 }};'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
                         - id: si-3_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -128489,6 +139178,12 @@ catalog:
                               value: SI-03c.01[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to perform real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy;'
+                          links:
+                            - href: '#si-3_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.1'
+                          rel: assessment-for
                     - id: si-3_obj.c.2
                       name: assessment-objective
                       props:
@@ -128503,6 +139198,9 @@ catalog:
                               value: SI-03c.02[01]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to {{ insert: param, si-03_odp.04 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
                         - id: si-3_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -128510,6 +139208,15 @@ catalog:
                               value: SI-03c.02[02]
                               class: sp800-53a
                           prose: 'malicious code protection mechanisms are configured to send alerts to {{ insert: param, si-03_odp.06 }} in response to malicious code detection;'
+                          links:
+                            - href: '#si-3_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3_smt.c'
+                      rel: assessment-for
                 - id: si-3_obj.d
                   name: assessment-objective
                   props:
@@ -128517,6 +139224,12 @@ catalog:
                       value: SI-03d.
                       class: sp800-53a
                   prose: the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.
+                  links:
+                    - href: '#si-3_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-3_smt'
+                  rel: assessment-for
             - id: si-3_asm-examine
               name: assessment-method
               props:
@@ -128679,6 +139392,9 @@ catalog:
                       value: SI-03(04)
                       class: sp800-53a
                   prose: malicious code protection mechanisms are updated only when directed by a privileged user.
+                  links:
+                    - href: '#si-3.4_smt'
+                      rel: assessment-for
                 - id: si-3.4_asm-examine
                   name: assessment-method
                   props:
@@ -128828,6 +139544,9 @@ catalog:
                           value: SI-03(06)(a)
                           class: sp800-53a
                       prose: 'malicious code protection mechanisms are tested {{ insert: param, si-03.06_odp }} by introducing known benign code into the system;'
+                      links:
+                        - href: '#si-3.6_smt.a'
+                          rel: assessment-for
                     - id: si-3.6_obj.b
                       name: assessment-objective
                       props:
@@ -128842,6 +139561,9 @@ catalog:
                               value: SI-03(06)(b)[01]
                               class: sp800-53a
                           prose: the detection of (benign test) code occurs;
+                          links:
+                            - href: '#si-3.6_smt.b'
+                              rel: assessment-for
                         - id: si-3.6_obj.b-2
                           name: assessment-objective
                           props:
@@ -128849,6 +139571,15 @@ catalog:
                               value: SI-03(06)(b)[02]
                               class: sp800-53a
                           prose: the associated incident reporting occurs.
+                          links:
+                            - href: '#si-3.6_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3.6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3.6_smt'
+                      rel: assessment-for
                 - id: si-3.6_asm-examine
                   name: assessment-method
                   props:
@@ -129017,6 +139748,9 @@ catalog:
                           value: SI-03(08)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, si-03.08_odp.01 }} are detected through the kernel application programming interface on {{ insert: param, si-03.08_odp.02 }};'
+                      links:
+                        - href: '#si-3.8_smt.a'
+                          rel: assessment-for
                     - id: si-3.8_obj.b
                       name: assessment-objective
                       props:
@@ -129024,6 +139758,12 @@ catalog:
                           value: SI-03(08)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, si-03.08_odp.03 }} is/are performed.'
+                      links:
+                        - href: '#si-3.8_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3.8_smt'
+                      rel: assessment-for
                 - id: si-3.8_asm-examine
                   name: assessment-method
                   props:
@@ -129168,6 +139908,9 @@ catalog:
                           value: SI-03(10)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, si-03.10_odp }} are employed to analyze the characteristics and behavior of malicious code;'
+                      links:
+                        - href: '#si-3.10_smt.a'
+                          rel: assessment-for
                     - id: si-3.10_obj.b
                       name: assessment-objective
                       props:
@@ -129182,6 +139925,9 @@ catalog:
                               value: SI-03(10)(b)[01]
                               class: sp800-53a
                           prose: the results from malicious code analysis are incorporated into organizational incident response processes;
+                          links:
+                            - href: '#si-3.10_smt.b'
+                              rel: assessment-for
                         - id: si-3.10_obj.b-2
                           name: assessment-objective
                           props:
@@ -129189,6 +139935,15 @@ catalog:
                               value: SI-03(10)(b)[02]
                               class: sp800-53a
                           prose: the results from malicious code analysis are incorporated into organizational flaw remediation processes.
+                          links:
+                            - href: '#si-3.10_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-3.10_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-3.10_smt'
+                      rel: assessment-for
                 - id: si-3.10_asm-examine
                   name: assessment-method
                   props:
@@ -129543,6 +140298,9 @@ catalog:
                           value: SI-04a.01
                           class: sp800-53a
                       prose: 'the system is monitored to detect attacks and indicators of potential attacks in accordance with {{ insert: param, si-04_odp.01 }};'
+                      links:
+                        - href: '#si-4_smt.a.1'
+                          rel: assessment-for
                     - id: si-4_obj.a.2
                       name: assessment-objective
                       props:
@@ -129557,6 +140315,9 @@ catalog:
                               value: SI-04a.02[01]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized local connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-2
                           name: assessment-objective
                           props:
@@ -129564,6 +140325,9 @@ catalog:
                               value: SI-04a.02[02]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized network connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
                         - id: si-4_obj.a.2-3
                           name: assessment-objective
                           props:
@@ -129571,6 +140335,15 @@ catalog:
                               value: SI-04a.02[03]
                               class: sp800-53a
                           prose: the system is monitored to detect unauthorized remote connections;
+                          links:
+                            - href: '#si-4_smt.a.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4_smt.a.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.a'
+                      rel: assessment-for
                 - id: si-4_obj.b
                   name: assessment-objective
                   props:
@@ -129578,6 +140351,9 @@ catalog:
                       value: SI-04b.
                       class: sp800-53a
                   prose: 'unauthorized use of the system is identified through {{ insert: param, si-04_odp.02 }};'
+                  links:
+                    - href: '#si-4_smt.b'
+                      rel: assessment-for
                 - id: si-4_obj.c
                   name: assessment-objective
                   props:
@@ -129592,6 +140368,9 @@ catalog:
                           value: SI-04c.01
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;
+                      links:
+                        - href: '#si-4_smt.c.1'
+                          rel: assessment-for
                     - id: si-4_obj.c.2
                       name: assessment-objective
                       props:
@@ -129599,6 +140378,12 @@ catalog:
                           value: SI-04c.02
                           class: sp800-53a
                       prose: internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;
+                      links:
+                        - href: '#si-4_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.c'
+                      rel: assessment-for
                 - id: si-4_obj.d
                   name: assessment-objective
                   props:
@@ -129613,6 +140398,9 @@ catalog:
                           value: SI-04d.[01]
                           class: sp800-53a
                       prose: detected events are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
                     - id: si-4_obj.d-2
                       name: assessment-objective
                       props:
@@ -129620,6 +140408,12 @@ catalog:
                           value: SI-04d.[02]
                           class: sp800-53a
                       prose: detected anomalies are analyzed;
+                      links:
+                        - href: '#si-4_smt.d'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4_smt.d'
+                      rel: assessment-for
                 - id: si-4_obj.e
                   name: assessment-objective
                   props:
@@ -129627,6 +140421,9 @@ catalog:
                       value: SI-04e.
                       class: sp800-53a
                   prose: the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
+                  links:
+                    - href: '#si-4_smt.e'
+                      rel: assessment-for
                 - id: si-4_obj.f
                   name: assessment-objective
                   props:
@@ -129634,6 +140431,9 @@ catalog:
                       value: SI-04f.
                       class: sp800-53a
                   prose: a legal opinion regarding system monitoring activities is obtained;
+                  links:
+                    - href: '#si-4_smt.f'
+                      rel: assessment-for
                 - id: si-4_obj.g
                   name: assessment-objective
                   props:
@@ -129641,6 +140441,12 @@ catalog:
                       value: SI-04g.
                       class: sp800-53a
                   prose: '{{ insert: param, si-04_odp.03 }} is provided to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.'
+                  links:
+                    - href: '#si-4_smt.g'
+                      rel: assessment-for
+              links:
+                - href: '#si-4_smt'
+                  rel: assessment-for
             - id: si-4_asm-examine
               name: assessment-method
               props:
@@ -129753,6 +140559,9 @@ catalog:
                           value: SI-04(01)[01]
                           class: sp800-53a
                       prose: individual intrusion detection tools are connected to a system-wide intrusion detection system;
+                      links:
+                        - href: '#si-4.1_smt'
+                          rel: assessment-for
                     - id: si-4.1_obj-2
                       name: assessment-objective
                       props:
@@ -129760,6 +140569,12 @@ catalog:
                           value: SI-04(01)[02]
                           class: sp800-53a
                       prose: individual intrusion detection tools are configured into a system-wide intrusion detection system.
+                      links:
+                        - href: '#si-4.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.1_smt'
+                      rel: assessment-for
                 - id: si-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -129863,6 +140678,9 @@ catalog:
                       value: SI-04(02)
                       class: sp800-53a
                   prose: automated tools and mechanisms are employed to support a near real-time analysis of events.
+                  links:
+                    - href: '#si-4.2_smt'
+                      rel: assessment-for
                 - id: si-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -129985,6 +140803,9 @@ catalog:
                           value: SI-04(03)[01]
                           class: sp800-53a
                       prose: automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;
+                      links:
+                        - href: '#si-4.3_smt'
+                          rel: assessment-for
                     - id: si-4.3_obj-2
                       name: assessment-objective
                       props:
@@ -129992,6 +140813,12 @@ catalog:
                           value: SI-04(03)[02]
                           class: sp800-53a
                       prose: automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.
+                      links:
+                        - href: '#si-4.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.3_smt'
+                      rel: assessment-for
                 - id: si-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -130174,6 +141001,9 @@ catalog:
                               value: SI-04(04)(a)[01]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
                         - id: si-4.4_obj.a-2
                           name: assessment-objective
                           props:
@@ -130181,6 +141011,12 @@ catalog:
                               value: SI-04(04)(a)[02]
                               class: sp800-53a
                           prose: criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;
+                          links:
+                            - href: '#si-4.4_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.a'
+                          rel: assessment-for
                     - id: si-4.4_obj.b
                       name: assessment-objective
                       props:
@@ -130195,6 +141031,9 @@ catalog:
                               value: SI-04(04)(b)[01]
                               class: sp800-53a
                           prose: 'inbound communications traffic is monitored {{ insert: param, si-04.04_odp.01 }} for {{ insert: param, si-04.04_odp.02 }};'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
                         - id: si-4.4_obj.b-2
                           name: assessment-objective
                           props:
@@ -130202,6 +141041,15 @@ catalog:
                               value: SI-04(04)(b)[02]
                               class: sp800-53a
                           prose: 'outbound communications traffic is monitored {{ insert: param, si-04.04_odp.03 }} for {{ insert: param, si-04.04_odp.04 }}.'
+                          links:
+                            - href: '#si-4.4_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.4_smt'
+                      rel: assessment-for
                 - id: si-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -130332,6 +141180,9 @@ catalog:
                       value: SI-04(05)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.05_odp.01 }} are alerted when system-generated {{ insert: param, si-04.05_odp.02 }} occur.'
+                  links:
+                    - href: '#si-4.5_smt'
+                      rel: assessment-for
                 - id: si-4.5_asm-examine
                   name: assessment-method
                   props:
@@ -130503,6 +141354,9 @@ catalog:
                           value: SI-04(07)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, si-04.07_odp.01 }} are notified of detected suspicious events;'
+                      links:
+                        - href: '#si-4.7_smt.a'
+                          rel: assessment-for
                     - id: si-4.7_obj.b
                       name: assessment-objective
                       props:
@@ -130510,6 +141364,12 @@ catalog:
                           value: SI-04(07)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, si-04.07_odp.02 }} are taken upon the detection of suspicious events.'
+                      links:
+                        - href: '#si-4.7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.7_smt'
+                      rel: assessment-for
                 - id: si-4.7_asm-examine
                   name: assessment-method
                   props:
@@ -130646,6 +141506,9 @@ catalog:
                       value: SI-04(09)
                       class: sp800-53a
                   prose: 'intrusion-monitoring tools and mechanisms are tested {{ insert: param, si-04.09_odp }}.'
+                  links:
+                    - href: '#si-4.9_smt'
+                      rel: assessment-for
                 - id: si-4.9_asm-examine
                   name: assessment-method
                   props:
@@ -130762,6 +141625,9 @@ catalog:
                       value: SI-04(10)
                       class: sp800-53a
                   prose: 'provisions are made so that {{ insert: param, si-04.10_odp.01 }} is visible to {{ insert: param, si-04.10_odp.02 }}.'
+                  links:
+                    - href: '#si-4.10_smt'
+                      rel: assessment-for
                 - id: si-4.10_asm-examine
                   name: assessment-method
                   props:
@@ -130887,6 +141753,9 @@ catalog:
                           value: SI-04(11)[01]
                           class: sp800-53a
                       prose: outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;
+                      links:
+                        - href: '#si-4.11_smt'
+                          rel: assessment-for
                     - id: si-4.11_obj-2
                       name: assessment-objective
                       props:
@@ -130894,6 +141763,12 @@ catalog:
                           value: SI-04(11)[02]
                           class: sp800-53a
                       prose: 'outbound communications traffic at {{ insert: param, si-04.11_odp }} is analyzed to discover anomalies.'
+                      links:
+                        - href: '#si-4.11_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.11_smt'
+                      rel: assessment-for
                 - id: si-4.11_asm-examine
                   name: assessment-method
                   props:
@@ -131033,6 +141908,9 @@ catalog:
                       value: SI-04(12)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.12_odp.01 }} is/are alerted using {{ insert: param, si-04.12_odp.02 }} when {{ insert: param, si-04.12_odp.03 }} indicate inappropriate or unusual activities with security or privacy implications.'
+                  links:
+                    - href: '#si-4.12_smt'
+                      rel: assessment-for
                 - id: si-4.12_asm-examine
                   name: assessment-method
                   props:
@@ -131181,6 +142059,9 @@ catalog:
                               value: SI-04(13)(a)[01]
                               class: sp800-53a
                           prose: communications traffic for the system is analyzed;
+                          links:
+                            - href: '#si-4.13_smt.a'
+                              rel: assessment-for
                         - id: si-4.13_obj.a-2
                           name: assessment-objective
                           props:
@@ -131188,6 +142069,12 @@ catalog:
                               value: SI-04(13)(a)[02]
                               class: sp800-53a
                           prose: event patterns for the system are analyzed;
+                          links:
+                            - href: '#si-4.13_smt.a'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.13_smt.a'
+                          rel: assessment-for
                     - id: si-4.13_obj.b
                       name: assessment-objective
                       props:
@@ -131202,6 +142089,9 @@ catalog:
                               value: SI-04(13)(b)[01]
                               class: sp800-53a
                           prose: profiles representing common traffic are developed;
+                          links:
+                            - href: '#si-4.13_smt.b'
+                              rel: assessment-for
                         - id: si-4.13_obj.b-2
                           name: assessment-objective
                           props:
@@ -131209,6 +142099,12 @@ catalog:
                               value: SI-04(13)(b)[02]
                               class: sp800-53a
                           prose: profiles representing event patterns are developed;
+                          links:
+                            - href: '#si-4.13_smt.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.13_smt.b'
+                          rel: assessment-for
                     - id: si-4.13_obj.c
                       name: assessment-objective
                       props:
@@ -131223,6 +142119,9 @@ catalog:
                               value: SI-04(13)(c)[01]
                               class: sp800-53a
                           prose: traffic profiles are used in tuning system-monitoring devices;
+                          links:
+                            - href: '#si-4.13_smt.c'
+                              rel: assessment-for
                         - id: si-4.13_obj.c-2
                           name: assessment-objective
                           props:
@@ -131230,6 +142129,15 @@ catalog:
                               value: SI-04(13)(c)[02]
                               class: sp800-53a
                           prose: event profiles are used in tuning system-monitoring devices.
+                          links:
+                            - href: '#si-4.13_smt.c'
+                              rel: assessment-for
+                      links:
+                        - href: '#si-4.13_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.13_smt'
+                      rel: assessment-for
                 - id: si-4.13_asm-examine
                   name: assessment-method
                   props:
@@ -131346,6 +142254,9 @@ catalog:
                           value: SI-04(14)[01]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to identify rogue wireless devices;
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
                     - id: si-4.14_obj-2
                       name: assessment-objective
                       props:
@@ -131353,6 +142264,9 @@ catalog:
                           value: SI-04(14)[02]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to detect attack attempts on the system;
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
                     - id: si-4.14_obj-3
                       name: assessment-objective
                       props:
@@ -131360,6 +142274,12 @@ catalog:
                           value: SI-04(14)[03]
                           class: sp800-53a
                       prose: a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.
+                      links:
+                        - href: '#si-4.14_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.14_smt'
+                      rel: assessment-for
                 - id: si-4.14_asm-examine
                   name: assessment-method
                   props:
@@ -131463,6 +142383,9 @@ catalog:
                       value: SI-04(15)
                       class: sp800-53a
                   prose: an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
+                  links:
+                    - href: '#si-4.15_smt'
+                      rel: assessment-for
                 - id: si-4.15_asm-examine
                   name: assessment-method
                   props:
@@ -131571,6 +142494,9 @@ catalog:
                       value: SI-04(16)
                       class: sp800-53a
                   prose: information from monitoring tools and mechanisms employed throughout the system is correlated.
+                  links:
+                    - href: '#si-4.16_smt'
+                      rel: assessment-for
                 - id: si-4.16_asm-examine
                   name: assessment-method
                   props:
@@ -131684,6 +142610,9 @@ catalog:
                       value: SI-04(17)
                       class: sp800-53a
                   prose: information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness.
+                  links:
+                    - href: '#si-4.17_smt'
+                      rel: assessment-for
                 - id: si-4.17_asm-examine
                   name: assessment-method
                   props:
@@ -131813,6 +142742,9 @@ catalog:
                           value: SI-04(18)[01]
                           class: sp800-53a
                       prose: outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;
+                      links:
+                        - href: '#si-4.18_smt'
+                          rel: assessment-for
                     - id: si-4.18_obj-2
                       name: assessment-objective
                       props:
@@ -131820,6 +142752,12 @@ catalog:
                           value: SI-04(18)[02]
                           class: sp800-53a
                       prose: 'outbound communications traffic is analyzed at {{ insert: param, si-04.18_odp }} to detect covert exfiltration of information.'
+                      links:
+                        - href: '#si-4.18_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.18_smt'
+                      rel: assessment-for
                 - id: si-4.18_asm-examine
                   name: assessment-method
                   props:
@@ -131946,6 +142884,9 @@ catalog:
                       value: SI-04(19)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.19_odp.01 }} is implemented on individuals who have been identified by {{ insert: param, si-04.19_odp.02 }} as posing an increased level of risk.'
+                  links:
+                    - href: '#si-4.19_smt'
+                      rel: assessment-for
                 - id: si-4.19_asm-examine
                   name: assessment-method
                   props:
@@ -132064,6 +143005,9 @@ catalog:
                       value: SI-04(20)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.20_odp }} of privileged users is implemented.'
+                  links:
+                    - href: '#si-4.20_smt'
+                      rel: assessment-for
                 - id: si-4.20_asm-examine
                   name: assessment-method
                   props:
@@ -132186,6 +143130,9 @@ catalog:
                       value: SI-04(21)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.21_odp.01 }} of individuals is implemented during {{ insert: param, si-04.21_odp.02 }}.'
+                  links:
+                    - href: '#si-4.21_smt'
+                      rel: assessment-for
                 - id: si-4.21_asm-examine
                   name: assessment-method
                   props:
@@ -132339,6 +143286,9 @@ catalog:
                           value: SI-04(22)(a)
                           class: sp800-53a
                       prose: 'network services that have not been authorized or approved by {{ insert: param, si-04.22_odp.01 }} are detected;'
+                      links:
+                        - href: '#si-4.22_smt.a'
+                          rel: assessment-for
                     - id: si-4.22_obj.b
                       name: assessment-objective
                       props:
@@ -132346,6 +143296,12 @@ catalog:
                           value: SI-04(22)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, si-04.22_odp.02 }} is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.'
+                      links:
+                        - href: '#si-4.22_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.22_smt'
+                      rel: assessment-for
                 - id: si-4.22_asm-examine
                   name: assessment-method
                   props:
@@ -132480,6 +143436,9 @@ catalog:
                       value: SI-04(23)
                       class: sp800-53a
                   prose: '{{ insert: param, si-04.23_odp.01 }} are implemented on {{ insert: param, si-04.23_odp.02 }}.'
+                  links:
+                    - href: '#si-4.23_smt'
+                      rel: assessment-for
                 - id: si-4.23_asm-examine
                   name: assessment-method
                   props:
@@ -132613,6 +143572,9 @@ catalog:
                           value: SI-04(24)[01]
                           class: sp800-53a
                       prose: 'indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are discovered;'
+                      links:
+                        - href: '#si-4.24_smt'
+                          rel: assessment-for
                     - id: si-4.24_obj-2
                       name: assessment-objective
                       props:
@@ -132620,6 +143582,9 @@ catalog:
                           value: SI-04(24)[02]
                           class: sp800-53a
                       prose: 'indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are collected;'
+                      links:
+                        - href: '#si-4.24_smt'
+                          rel: assessment-for
                     - id: si-4.24_obj-3
                       name: assessment-objective
                       props:
@@ -132627,6 +143592,12 @@ catalog:
                           value: SI-04(24)[03]
                           class: sp800-53a
                       prose: 'indicators of compromise provided by {{ insert: param, si-04.24_odp.01 }} are distributed to {{ insert: param, si-04.24_odp.02 }}.'
+                      links:
+                        - href: '#si-4.24_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.24_smt'
+                      rel: assessment-for
                 - id: si-4.24_asm-examine
                   name: assessment-method
                   props:
@@ -132739,6 +143710,9 @@ catalog:
                           value: SI-04(25)[01]
                           class: sp800-53a
                       prose: visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;
+                      links:
+                        - href: '#si-4.25_smt'
+                          rel: assessment-for
                     - id: si-4.25_obj-2
                       name: assessment-objective
                       props:
@@ -132746,6 +143720,12 @@ catalog:
                           value: SI-04(25)[02]
                           class: sp800-53a
                       prose: visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.
+                      links:
+                        - href: '#si-4.25_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-4.25_smt'
+                      rel: assessment-for
                 - id: si-4.25_asm-examine
                   name: assessment-method
                   props:
@@ -132949,6 +143929,9 @@ catalog:
                       value: SI-05a.
                       class: sp800-53a
                   prose: 'system security alerts, advisories, and directives are received from {{ insert: param, si-05_odp.01 }} on an ongoing basis;'
+                  links:
+                    - href: '#si-5_smt.a'
+                      rel: assessment-for
                 - id: si-5_obj.b
                   name: assessment-objective
                   props:
@@ -132956,6 +143939,9 @@ catalog:
                       value: SI-05b.
                       class: sp800-53a
                   prose: internal security alerts, advisories, and directives are generated as deemed necessary;
+                  links:
+                    - href: '#si-5_smt.b'
+                      rel: assessment-for
                 - id: si-5_obj.c
                   name: assessment-objective
                   props:
@@ -132963,6 +143949,9 @@ catalog:
                       value: SI-05c.
                       class: sp800-53a
                   prose: 'security alerts, advisories, and directives are disseminated to {{ insert: param, si-05_odp.02 }};'
+                  links:
+                    - href: '#si-5_smt.c'
+                      rel: assessment-for
                 - id: si-5_obj.d
                   name: assessment-objective
                   props:
@@ -132970,6 +143959,12 @@ catalog:
                       value: SI-05d.
                       class: sp800-53a
                   prose: security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.
+                  links:
+                    - href: '#si-5_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-5_smt'
+                  rel: assessment-for
             - id: si-5_asm-examine
               name: assessment-method
               props:
@@ -133077,6 +144072,9 @@ catalog:
                       value: SI-05(01)
                       class: sp800-53a
                   prose: '{{ insert: param, si-05.01_odp }} are used to broadcast security alert and advisory information throughout the organization.'
+                  links:
+                    - href: '#si-5.1_smt'
+                      rel: assessment-for
                 - id: si-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -133316,6 +144314,9 @@ catalog:
                           value: SI-06a.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.01 }} are verified to be operating correctly;'
+                      links:
+                        - href: '#si-6_smt.a'
+                          rel: assessment-for
                     - id: si-6_obj.a-2
                       name: assessment-objective
                       props:
@@ -133323,6 +144324,12 @@ catalog:
                           value: SI-06a.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.02 }} are verified to be operating correctly;'
+                      links:
+                        - href: '#si-6_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.a'
+                      rel: assessment-for
                 - id: si-6_obj.b
                   name: assessment-objective
                   props:
@@ -133337,6 +144344,9 @@ catalog:
                           value: SI-06b.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.01 }} are verified {{ insert: param, si-06_odp.03 }};'
+                      links:
+                        - href: '#si-6_smt.b'
+                          rel: assessment-for
                     - id: si-6_obj.b-2
                       name: assessment-objective
                       props:
@@ -133344,6 +144354,12 @@ catalog:
                           value: SI-06b.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.02 }} are verified {{ insert: param, si-06_odp.03 }};'
+                      links:
+                        - href: '#si-6_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.b'
+                      rel: assessment-for
                 - id: si-6_obj.c
                   name: assessment-objective
                   props:
@@ -133358,6 +144374,9 @@ catalog:
                           value: SI-06c.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.06 }} is/are alerted to failed security verification tests;'
+                      links:
+                        - href: '#si-6_smt.c'
+                          rel: assessment-for
                     - id: si-6_obj.c-2
                       name: assessment-objective
                       props:
@@ -133365,6 +144384,12 @@ catalog:
                           value: SI-06c.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-06_odp.06 }} is/are alerted to failed privacy verification tests;'
+                      links:
+                        - href: '#si-6_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6_smt.c'
+                      rel: assessment-for
                 - id: si-6_obj.d
                   name: assessment-objective
                   props:
@@ -133372,6 +144397,12 @@ catalog:
                       value: SI-06d.
                       class: sp800-53a
                   prose: '{{ insert: param, si-06_odp.07 }} is/are initiated when anomalies are discovered.'
+                  links:
+                    - href: '#si-6_smt.d'
+                      rel: assessment-for
+              links:
+                - href: '#si-6_smt'
+                  rel: assessment-for
             - id: si-6_asm-examine
               name: assessment-method
               props:
@@ -133498,6 +144529,9 @@ catalog:
                           value: SI-06(02)[01]
                           class: sp800-53a
                       prose: automated mechanisms are implemented to support the management of distributed security function testing;
+                      links:
+                        - href: '#si-6.2_smt'
+                          rel: assessment-for
                     - id: si-6.2_obj-2
                       name: assessment-objective
                       props:
@@ -133505,6 +144539,12 @@ catalog:
                           value: SI-06(02)[02]
                           class: sp800-53a
                       prose: automated mechanisms are implemented to support the management of distributed privacy function testing.
+                      links:
+                        - href: '#si-6.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6.2_smt'
+                      rel: assessment-for
                 - id: si-6.2_asm-examine
                   name: assessment-method
                   props:
@@ -133623,6 +144663,9 @@ catalog:
                           value: SI-06(03)[01]
                           class: sp800-53a
                       prose: 'the results of security function verification are reported to {{ insert: param, si-06.03_odp }};'
+                      links:
+                        - href: '#si-6.3_smt'
+                          rel: assessment-for
                     - id: si-6.3_obj-2
                       name: assessment-objective
                       props:
@@ -133630,6 +144673,12 @@ catalog:
                           value: SI-06(03)[02]
                           class: sp800-53a
                       prose: 'the results of privacy function verification are reported to {{ insert: param, si-06.03_odp }}.'
+                      links:
+                        - href: '#si-6.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-6.3_smt'
+                      rel: assessment-for
                 - id: si-6.3_asm-examine
                   name: assessment-method
                   props:
@@ -133887,6 +144936,9 @@ catalog:
                           value: SI-07a.[01]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.01 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-2
                       name: assessment-objective
                       props:
@@ -133894,6 +144946,9 @@ catalog:
                           value: SI-07a.[02]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.02 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
                     - id: si-7_obj.a-3
                       name: assessment-objective
                       props:
@@ -133901,6 +144956,12 @@ catalog:
                           value: SI-07a.[03]
                           class: sp800-53a
                       prose: 'integrity verification tools are employed to detect unauthorized changes to {{ insert: param, si-07_odp.03 }};'
+                      links:
+                        - href: '#si-7_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.a'
+                      rel: assessment-for
                 - id: si-7_obj.b
                   name: assessment-objective
                   props:
@@ -133915,6 +144976,9 @@ catalog:
                           value: SI-07b.[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-07_odp.04 }} are taken when unauthorized changes to the software, are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-2
                       name: assessment-objective
                       props:
@@ -133922,6 +144986,9 @@ catalog:
                           value: SI-07b.[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-07_odp.05 }} are taken when unauthorized changes to the firmware are detected;'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
                     - id: si-7_obj.b-3
                       name: assessment-objective
                       props:
@@ -133929,6 +144996,15 @@ catalog:
                           value: SI-07b.[03]
                           class: sp800-53a
                       prose: '{{ insert: param, si-07_odp.06 }} are taken when unauthorized changes to the information are detected.'
+                      links:
+                        - href: '#si-7_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-7_smt'
+                  rel: assessment-for
             - id: si-7_asm-examine
               name: assessment-method
               props:
@@ -134194,6 +145270,9 @@ catalog:
                           value: SI-07(01)[01]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.01 }} is performed {{ insert: param, si-07.01_odp.02 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-2
                       name: assessment-objective
                       props:
@@ -134201,6 +145280,9 @@ catalog:
                           value: SI-07(01)[02]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.05 }} is performed {{ insert: param, si-07.01_odp.06 }};'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
                     - id: si-7.1_obj-3
                       name: assessment-objective
                       props:
@@ -134208,6 +145290,12 @@ catalog:
                           value: SI-07(01)[03]
                           class: sp800-53a
                       prose: 'an integrity check of {{ insert: param, si-07.01_odp.09 }} is performed {{ insert: param, si-07.01_odp.10 }}.'
+                      links:
+                        - href: '#si-7.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7.1_smt'
+                      rel: assessment-for
                 - id: si-7.1_asm-examine
                   name: assessment-method
                   props:
@@ -134313,6 +145401,9 @@ catalog:
                       value: SI-07(02)
                       class: sp800-53a
                   prose: 'automated tools that provide notification to {{ insert: param, si-07.02_odp }} upon discovering discrepancies during integrity verification are employed.'
+                  links:
+                    - href: '#si-7.2_smt'
+                      rel: assessment-for
                 - id: si-7.2_asm-examine
                   name: assessment-method
                   props:
@@ -134426,6 +145517,9 @@ catalog:
                       value: SI-07(03)
                       class: sp800-53a
                   prose: centrally managed integrity verification tools are employed.
+                  links:
+                    - href: '#si-7.3_smt'
+                      rel: assessment-for
                 - id: si-7.3_asm-examine
                   name: assessment-method
                   props:
@@ -134556,6 +145650,9 @@ catalog:
                       value: SI-07(05)
                       class: sp800-53a
                   prose: '{{ insert: param, si-07.05_odp.01 }} are automatically performed when integrity violations are discovered.'
+                  links:
+                    - href: '#si-7.5_smt'
+                      rel: assessment-for
                 - id: si-7.5_asm-examine
                   name: assessment-method
                   props:
@@ -134670,6 +145767,9 @@ catalog:
                           value: SI-07(06)[01]
                           class: sp800-53a
                       prose: cryptographic mechanisms are implemented to detect unauthorized changes to software;
+                      links:
+                        - href: '#si-7.6_smt'
+                          rel: assessment-for
                     - id: si-7.6_obj-2
                       name: assessment-objective
                       props:
@@ -134677,6 +145777,9 @@ catalog:
                           value: SI-07(06)[02]
                           class: sp800-53a
                       prose: cryptographic mechanisms are implemented to detect unauthorized changes to firmware;
+                      links:
+                        - href: '#si-7.6_smt'
+                          rel: assessment-for
                     - id: si-7.6_obj-3
                       name: assessment-objective
                       props:
@@ -134684,6 +145787,12 @@ catalog:
                           value: SI-07(06)[03]
                           class: sp800-53a
                       prose: cryptographic mechanisms are implemented to detect unauthorized changes to information.
+                      links:
+                        - href: '#si-7.6_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7.6_smt'
+                      rel: assessment-for
                 - id: si-7.6_asm-examine
                   name: assessment-method
                   props:
@@ -134807,6 +145916,9 @@ catalog:
                       value: SI-07(07)
                       class: sp800-53a
                   prose: 'the detection of {{ insert: param, si-07.07_odp }} are incorporated into the organizational incident response capability.'
+                  links:
+                    - href: '#si-7.7_smt'
+                      rel: assessment-for
                 - id: si-7.7_asm-examine
                   name: assessment-method
                   props:
@@ -134954,6 +146066,9 @@ catalog:
                           value: SI-07(08)[01]
                           class: sp800-53a
                       prose: the capability to audit an event upon the detection of a potential integrity violation is provided;
+                      links:
+                        - href: '#si-7.8_smt'
+                          rel: assessment-for
                     - id: si-7.8_obj-2
                       name: assessment-objective
                       props:
@@ -134961,6 +146076,12 @@ catalog:
                           value: SI-07(08)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-07.08_odp.01 }} is/are initiated upon the detection of a potential integrity violation.'
+                      links:
+                        - href: '#si-7.8_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-7.8_smt'
+                      rel: assessment-for
                 - id: si-7.8_asm-examine
                   name: assessment-method
                   props:
@@ -135081,6 +146202,9 @@ catalog:
                       value: SI-07(09)
                       class: sp800-53a
                   prose: 'the integrity of the boot process of {{ insert: param, si-07.09_odp }} is verified.'
+                  links:
+                    - href: '#si-7.9_smt'
+                      rel: assessment-for
                 - id: si-7.9_asm-examine
                   name: assessment-method
                   props:
@@ -135203,6 +146327,9 @@ catalog:
                       value: SI-07(10)
                       class: sp800-53a
                   prose: '{{ insert: param, si-07.10_odp.01 }} are implemented to protect the integrity of boot firmware in {{ insert: param, si-07.10_odp.02 }}.'
+                  links:
+                    - href: '#si-7.10_smt'
+                      rel: assessment-for
                 - id: si-7.10_asm-examine
                   name: assessment-method
                   props:
@@ -135336,6 +146463,9 @@ catalog:
                       value: SI-07(12)
                       class: sp800-53a
                   prose: 'the integrity of {{ insert: param, si-07.12_odp }} is verified prior to execution.'
+                  links:
+                    - href: '#si-7.12_smt'
+                      rel: assessment-for
                 - id: si-7.12_asm-examine
                   name: assessment-method
                   props:
@@ -135478,6 +146608,9 @@ catalog:
                       value: SI-07(15)
                       class: sp800-53a
                   prose: 'cryptographic mechanisms are implemented to authenticate {{ insert: param, si-07.15_odp }} prior to installation.'
+                  links:
+                    - href: '#si-7.15_smt'
+                      rel: assessment-for
                 - id: si-7.15_asm-examine
                   name: assessment-method
                   props:
@@ -135583,6 +146716,9 @@ catalog:
                       value: SI-07(16)
                       class: sp800-53a
                   prose: 'processes are prohibited from executing without supervision for more than {{ insert: param, si-07.16_odp }}.'
+                  links:
+                    - href: '#si-7.16_smt'
+                      rel: assessment-for
                 - id: si-7.16_asm-examine
                   name: assessment-method
                   props:
@@ -135694,6 +146830,9 @@ catalog:
                       value: SI-07(17)
                       class: sp800-53a
                   prose: '{{ insert: param, si-07.17_odp }} are implemented for application self-protection at runtime.'
+                  links:
+                    - href: '#si-7.17_smt'
+                      rel: assessment-for
                 - id: si-7.17_asm-examine
                   name: assessment-method
                   props:
@@ -135826,6 +146965,9 @@ catalog:
                           value: SI-08a.[01]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-2
                       name: assessment-objective
                       props:
@@ -135833,6 +146975,9 @@ catalog:
                           value: SI-08a.[02]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to detect unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-3
                       name: assessment-objective
                       props:
@@ -135840,6 +146985,9 @@ catalog:
                           value: SI-08a.[03]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system entry points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
                     - id: si-8_obj.a-4
                       name: assessment-objective
                       props:
@@ -135847,6 +146995,12 @@ catalog:
                           value: SI-08a.[04]
                           class: sp800-53a
                       prose: spam protection mechanisms are employed at system exit points to act on unsolicited messages;
+                      links:
+                        - href: '#si-8_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-8_smt.a'
+                      rel: assessment-for
                 - id: si-8_obj.b
                   name: assessment-objective
                   props:
@@ -135854,6 +147008,12 @@ catalog:
                       value: SI-08b.
                       class: sp800-53a
                   prose: spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.
+                  links:
+                    - href: '#si-8_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-8_smt'
+                  rel: assessment-for
             - id: si-8_asm-examine
               name: assessment-method
               props:
@@ -135980,6 +147140,9 @@ catalog:
                       value: SI-08(02)
                       class: sp800-53a
                   prose: 'spam protection mechanisms are automatically updated {{ insert: param, si-08.02_odp }}.'
+                  links:
+                    - href: '#si-8.2_smt'
+                      rel: assessment-for
                 - id: si-8.2_asm-examine
                   name: assessment-method
                   props:
@@ -136076,6 +147239,9 @@ catalog:
                       value: SI-08(03)
                       class: sp800-53a
                   prose: spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.
+                  links:
+                    - href: '#si-8.3_smt'
+                      rel: assessment-for
                 - id: si-8.3_asm-examine
                   name: assessment-method
                   props:
@@ -136211,6 +147377,9 @@ catalog:
                   value: SI-10
                   class: sp800-53a
               prose: 'the validity of the {{ insert: param, si-10_odp }} is checked.'
+              links:
+                - href: '#si-10_smt'
+                  rel: assessment-for
             - id: si-10_asm-examine
               name: assessment-method
               props:
@@ -136357,6 +147526,9 @@ catalog:
                           value: SI-10(01)(a)
                           class: sp800-53a
                       prose: 'a manual override capability for the validation of {{ insert: param, si-10_odp }} is provided;'
+                      links:
+                        - href: '#si-10.1_smt.a'
+                          rel: assessment-for
                     - id: si-10.1_obj.b
                       name: assessment-objective
                       props:
@@ -136364,6 +147536,9 @@ catalog:
                           value: SI-10(01)(b)
                           class: sp800-53a
                       prose: 'the use of the manual override capability is restricted to only {{ insert: param, si-10.01_odp }};'
+                      links:
+                        - href: '#si-10.1_smt.b'
+                          rel: assessment-for
                     - id: si-10.1_obj.c
                       name: assessment-objective
                       props:
@@ -136371,6 +147546,12 @@ catalog:
                           value: SI-10(01)(c)
                           class: sp800-53a
                       prose: the use of the manual override capability is audited.
+                      links:
+                        - href: '#si-10.1_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-10.1_smt'
+                      rel: assessment-for
                 - id: si-10.1_asm-examine
                   name: assessment-method
                   props:
@@ -136505,6 +147686,9 @@ catalog:
                           value: SI-10(02)[01]
                           class: sp800-53a
                       prose: 'input validation errors are reviewed within {{ insert: param, si-10.02_odp.01 }};'
+                      links:
+                        - href: '#si-10.2_smt'
+                          rel: assessment-for
                     - id: si-10.2_obj-2
                       name: assessment-objective
                       props:
@@ -136512,6 +147696,12 @@ catalog:
                           value: SI-10(02)[02]
                           class: sp800-53a
                       prose: 'input validation errors are resolved within {{ insert: param, si-10.02_odp.02 }}.'
+                      links:
+                        - href: '#si-10.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-10.2_smt'
+                      rel: assessment-for
                 - id: si-10.2_asm-examine
                   name: assessment-method
                   props:
@@ -136619,6 +147809,9 @@ catalog:
                           value: SI-10(03)[01]
                           class: sp800-53a
                       prose: the system behaves in a predictable manner when invalid inputs are received;
+                      links:
+                        - href: '#si-10.3_smt'
+                          rel: assessment-for
                     - id: si-10.3_obj-2
                       name: assessment-objective
                       props:
@@ -136626,6 +147819,12 @@ catalog:
                           value: SI-10(03)[02]
                           class: sp800-53a
                       prose: the system behaves in a documented manner when invalid inputs are received.
+                      links:
+                        - href: '#si-10.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-10.3_smt'
+                      rel: assessment-for
                 - id: si-10.3_asm-examine
                   name: assessment-method
                   props:
@@ -136718,6 +147917,9 @@ catalog:
                       value: SI-10(04)
                       class: sp800-53a
                   prose: timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.
+                  links:
+                    - href: '#si-10.4_smt'
+                      rel: assessment-for
                 - id: si-10.4_asm-examine
                   name: assessment-method
                   props:
@@ -136838,6 +148040,9 @@ catalog:
                       value: SI-10(05)
                       class: sp800-53a
                   prose: 'the use of information inputs is restricted to {{ insert: param, si-10.05_odp.01 }} and/or {{ insert: param, si-10.05_odp.02 }}.'
+                  links:
+                    - href: '#si-10.5_smt'
+                      rel: assessment-for
                 - id: si-10.5_asm-examine
                   name: assessment-method
                   props:
@@ -136941,6 +148146,9 @@ catalog:
                       value: SI-10(06)
                       class: sp800-53a
                   prose: untrusted data injections are prevented.
+                  links:
+                    - href: '#si-10.6_smt'
+                      rel: assessment-for
                 - id: si-10.6_asm-examine
                   name: assessment-method
                   props:
@@ -137075,6 +148283,9 @@ catalog:
                       value: SI-11a.
                       class: sp800-53a
                   prose: error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;
+                  links:
+                    - href: '#si-11_smt.a'
+                      rel: assessment-for
                 - id: si-11_obj.b
                   name: assessment-objective
                   props:
@@ -137082,6 +148293,12 @@ catalog:
                       value: SI-11b.
                       class: sp800-53a
                   prose: 'error messages are revealed only to {{ insert: param, si-11_odp }}.'
+                  links:
+                    - href: '#si-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-11_smt'
+                  rel: assessment-for
             - id: si-11_asm-examine
               name: assessment-method
               props:
@@ -137249,6 +148466,9 @@ catalog:
                       value: SI-12[01]
                       class: sp800-53a
                   prose: information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-2
                   name: assessment-objective
                   props:
@@ -137256,6 +148476,9 @@ catalog:
                       value: SI-12[02]
                       class: sp800-53a
                   prose: information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-3
                   name: assessment-objective
                   props:
@@ -137263,6 +148486,9 @@ catalog:
                       value: SI-12[03]
                       class: sp800-53a
                   prose: information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
                 - id: si-12_obj-4
                   name: assessment-objective
                   props:
@@ -137270,6 +148496,12 @@ catalog:
                       value: SI-12[04]
                       class: sp800-53a
                   prose: information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.
+                  links:
+                    - href: '#si-12_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-12_smt'
+                  rel: assessment-for
             - id: si-12_asm-examine
               name: assessment-method
               props:
@@ -137390,6 +148622,9 @@ catalog:
                       value: SI-12(01)
                       class: sp800-53a
                   prose: 'personally identifiable information being processed in the information life cycle is limited to {{ insert: param, si-12.01_odp }}.'
+                  links:
+                    - href: '#si-12.1_smt'
+                      rel: assessment-for
                 - id: si-12.1_asm-examine
                   name: assessment-method
                   props:
@@ -137548,6 +148783,9 @@ catalog:
                           value: SI-12(02)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.02_odp.01 }} are used to minimize the use of personally identifiable information for research;'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
                     - id: si-12.2_obj-2
                       name: assessment-objective
                       props:
@@ -137555,6 +148793,9 @@ catalog:
                           value: SI-12(02)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.02_odp.02 }} are used to minimize the use of personally identifiable information for testing;'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
                     - id: si-12.2_obj-3
                       name: assessment-objective
                       props:
@@ -137562,6 +148803,12 @@ catalog:
                           value: SI-12(02)[03]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.02_odp.03 }} are used to minimize the use of personally identifiable information for training.'
+                      links:
+                        - href: '#si-12.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-12.2_smt'
+                      rel: assessment-for
                 - id: si-12.2_asm-examine
                   name: assessment-method
                   props:
@@ -137712,6 +148959,9 @@ catalog:
                           value: SI-12(03)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.03_odp.01 }} are used to dispose of information following the retention period;'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
                     - id: si-12.3_obj-2
                       name: assessment-objective
                       props:
@@ -137719,6 +148969,9 @@ catalog:
                           value: SI-12(03)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.03_odp.02 }} are used to destroy information following the retention period;'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
                     - id: si-12.3_obj-3
                       name: assessment-objective
                       props:
@@ -137726,6 +148979,12 @@ catalog:
                           value: SI-12(03)[03]
                           class: sp800-53a
                       prose: '{{ insert: param, si-12.03_odp.03 }} are used to erase information following the retention period.'
+                      links:
+                        - href: '#si-12.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-12.3_smt'
+                      rel: assessment-for
                 - id: si-12.3_asm-examine
                   name: assessment-method
                   props:
@@ -137892,6 +149151,9 @@ catalog:
                       value: SI-13a.
                       class: sp800-53a
                   prose: 'mean time to failure (MTTF) is determined for {{ insert: param, si-13_odp.01 }} in specific environments of operation;'
+                  links:
+                    - href: '#si-13_smt.a'
+                      rel: assessment-for
                 - id: si-13_obj.b
                   name: assessment-objective
                   props:
@@ -137899,6 +149161,12 @@ catalog:
                       value: SI-13b.
                       class: sp800-53a
                   prose: 'substitute system components and a means to exchange active and standby components are provided in accordance with {{ insert: param, si-13_odp.02 }}.'
+                  links:
+                    - href: '#si-13_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-13_smt'
+                  rel: assessment-for
             - id: si-13_asm-examine
               name: assessment-method
               props:
@@ -138005,6 +149273,9 @@ catalog:
                       value: SI-13(01)
                       class: sp800-53a
                   prose: 'system components are taken out of service by transferring component responsibilities to substitute components no later than {{ insert: param, si-13.01_odp }} of mean time to failure.'
+                  links:
+                    - href: '#si-13.1_smt'
+                      rel: assessment-for
                 - id: si-13.1_asm-examine
                   name: assessment-method
                   props:
@@ -138127,6 +149398,9 @@ catalog:
                       value: SI-13(03)
                       class: sp800-53a
                   prose: 'transfers are initiated manually between active and standby system components when the use of the active component reaches {{ insert: param, si-13.03_odp }} of the mean time to failure.'
+                  links:
+                    - href: '#si-13.3_smt'
+                      rel: assessment-for
                 - id: si-13.3_asm-examine
                   name: assessment-method
                   props:
@@ -138286,6 +149560,9 @@ catalog:
                           value: SI-13(04)(a)
                           class: sp800-53a
                       prose: 'the standby components are successfully and transparently installed within {{ insert: param, si-13.04_odp.01 }} if system component failures are detected;'
+                      links:
+                        - href: '#si-13.4_smt.a'
+                          rel: assessment-for
                     - id: si-13.4_obj.b
                       name: assessment-objective
                       props:
@@ -138293,6 +149570,12 @@ catalog:
                           value: SI-13(04)(b)
                           class: sp800-53a
                       prose: '{{ insert: param, si-13.04_odp.02 }} are performed if system component failures are detected.'
+                      links:
+                        - href: '#si-13.4_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-13.4_smt'
+                      rel: assessment-for
                 - id: si-13.4_asm-examine
                   name: assessment-method
                   props:
@@ -138420,6 +149703,9 @@ catalog:
                       value: SI-13(05)
                       class: sp800-53a
                   prose: '{{ insert: param, si-13.05_odp.01 }} {{ insert: param, si-13.05_odp.02 }} is provided for the system.'
+                  links:
+                    - href: '#si-13.5_smt'
+                      rel: assessment-for
                 - id: si-13.5_asm-examine
                   name: assessment-method
                   props:
@@ -138564,6 +149850,9 @@ catalog:
                       value: SI-14[01]
                       class: sp800-53a
                   prose: 'non-persistent {{ insert: param, si-14_odp.01 }} that are initiated in a known state are implemented;'
+                  links:
+                    - href: '#si-14_smt'
+                      rel: assessment-for
                 - id: si-14_obj-2
                   name: assessment-objective
                   props:
@@ -138571,6 +149860,12 @@ catalog:
                       value: SI-14[02]
                       class: sp800-53a
                   prose: 'non-persistent {{ insert: param, si-14_odp.01 }} are terminated {{ insert: param, si-14_odp.02 }}.'
+                  links:
+                    - href: '#si-14_smt'
+                      rel: assessment-for
+              links:
+                - href: '#si-14_smt'
+                  rel: assessment-for
             - id: si-14_asm-examine
               name: assessment-method
               props:
@@ -138675,6 +149970,9 @@ catalog:
                       value: SI-14(01)
                       class: sp800-53a
                   prose: 'the software and data employed during system component and service refreshes are obtained from {{ insert: param, si-14.01_odp }}.'
+                  links:
+                    - href: '#si-14.1_smt'
+                      rel: assessment-for
                 - id: si-14.1_asm-examine
                   name: assessment-method
                   props:
@@ -138827,6 +150125,9 @@ catalog:
                           value: SI-14(02)(a)
                           class: sp800-53a
                       prose: '{{ insert: param, si-14.02_odp.01 }} is performed;'
+                      links:
+                        - href: '#si-14.2_smt.a'
+                          rel: assessment-for
                     - id: si-14.2_obj.b
                       name: assessment-objective
                       props:
@@ -138834,6 +150135,12 @@ catalog:
                           value: SI-14(02)(b)
                           class: sp800-53a
                       prose: information is deleted when no longer needed.
+                      links:
+                        - href: '#si-14.2_smt.b'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-14.2_smt'
+                      rel: assessment-for
                 - id: si-14.2_asm-examine
                   name: assessment-method
                   props:
@@ -138946,6 +150253,9 @@ catalog:
                           value: SI-14(03)[01]
                           class: sp800-53a
                       prose: connections to the system are established on demand;
+                      links:
+                        - href: '#si-14.3_smt'
+                          rel: assessment-for
                     - id: si-14.3_obj-2
                       name: assessment-objective
                       props:
@@ -138953,6 +150263,12 @@ catalog:
                           value: SI-14(03)[02]
                           class: sp800-53a
                       prose: 'connections to the system are terminated after {{ insert: param, si-14.03_odp }}.'
+                      links:
+                        - href: '#si-14.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-14.3_smt'
+                      rel: assessment-for
                 - id: si-14.3_asm-examine
                   name: assessment-method
                   props:
@@ -139059,6 +150375,9 @@ catalog:
                   value: SI-15
                   class: sp800-53a
               prose: 'information output from {{ insert: param, si-15_odp }} is validated to ensure that the information is consistent with the expected content.'
+              links:
+                - href: '#si-15_smt'
+                  rel: assessment-for
             - id: si-15_asm-examine
               name: assessment-method
               props:
@@ -139169,6 +150488,9 @@ catalog:
                   value: SI-16
                   class: sp800-53a
               prose: '{{ insert: param, si-16_odp }} are implemented to protect the system memory from unauthorized code execution.'
+              links:
+                - href: '#si-16_smt'
+                  rel: assessment-for
             - id: si-16_asm-examine
               name: assessment-method
               props:
@@ -139295,6 +150617,9 @@ catalog:
                   value: SI-17
                   class: sp800-53a
               prose: '{{ insert: param, si-17_odp.01 }} are implemented when {{ insert: param, si-17_odp.02 }} occur.'
+              links:
+                - href: '#si-17_smt'
+                  rel: assessment-for
             - id: si-17_asm-examine
               name: assessment-method
               props:
@@ -139478,6 +150803,9 @@ catalog:
                           value: SI-18a.[01]
                           class: sp800-53a
                       prose: 'the accuracy of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.01 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-2
                       name: assessment-objective
                       props:
@@ -139485,6 +150813,9 @@ catalog:
                           value: SI-18a.[02]
                           class: sp800-53a
                       prose: 'the relevance of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.02 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-3
                       name: assessment-objective
                       props:
@@ -139492,6 +150823,9 @@ catalog:
                           value: SI-18a.[03]
                           class: sp800-53a
                       prose: 'the timeliness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.03 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
                     - id: si-18_obj.a-4
                       name: assessment-objective
                       props:
@@ -139499,6 +150833,12 @@ catalog:
                           value: SI-18a.[04]
                           class: sp800-53a
                       prose: 'the completeness of personally identifiable information across the information life cycle is checked {{ insert: param, si-18_odp.04 }};'
+                      links:
+                        - href: '#si-18_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-18_smt.a'
+                      rel: assessment-for
                 - id: si-18_obj.b
                   name: assessment-objective
                   props:
@@ -139506,6 +150846,12 @@ catalog:
                       value: SI-18b.
                       class: sp800-53a
                   prose: inaccurate or outdated personally identifiable information is corrected or deleted.
+                  links:
+                    - href: '#si-18_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-18_smt'
+                  rel: assessment-for
             - id: si-18_asm-examine
               name: assessment-method
               props:
@@ -139628,6 +150974,9 @@ catalog:
                       value: SI-18(01)
                       class: sp800-53a
                   prose: '{{ insert: param, si-18.01_odp }} are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.'
+                  links:
+                    - href: '#si-18.1_smt'
+                      rel: assessment-for
                 - id: si-18.1_asm-examine
                   name: assessment-method
                   props:
@@ -139735,6 +151084,9 @@ catalog:
                       value: SI-18(02)
                       class: sp800-53a
                   prose: data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
+                  links:
+                    - href: '#si-18.2_smt'
+                      rel: assessment-for
                 - id: si-18.2_asm-examine
                   name: assessment-method
                   props:
@@ -139834,6 +151186,9 @@ catalog:
                       value: SI-18(03)
                       class: sp800-53a
                   prose: personally identifiable information is collected directly from the individual.
+                  links:
+                    - href: '#si-18.3_smt'
+                      rel: assessment-for
                 - id: si-18.3_asm-examine
                   name: assessment-method
                   props:
@@ -139931,6 +151286,9 @@ catalog:
                       value: SI-18(04)
                       class: sp800-53a
                   prose: personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.
+                  links:
+                    - href: '#si-18.4_smt'
+                      rel: assessment-for
                 - id: si-18.4_asm-examine
                   name: assessment-method
                   props:
@@ -140044,6 +151402,9 @@ catalog:
                       value: SI-18(05)
                       class: sp800-53a
                   prose: '{{ insert: param, si-18.05_odp }} and individuals are notified when the personally identifiable information has been corrected or deleted.'
+                  links:
+                    - href: '#si-18.5_smt'
+                      rel: assessment-for
                 - id: si-18.5_asm-examine
                   name: assessment-method
                   props:
@@ -140200,6 +151561,9 @@ catalog:
                       value: SI-19a.
                       class: sp800-53a
                   prose: '{{ insert: param, si-19_odp.01 }} are removed from datasets;'
+                  links:
+                    - href: '#si-19_smt.a'
+                      rel: assessment-for
                 - id: si-19_obj.b
                   name: assessment-objective
                   props:
@@ -140207,6 +151571,12 @@ catalog:
                       value: SI-19b.
                       class: sp800-53a
                   prose: 'the effectiveness of de-identification is evaluated {{ insert: param, si-19_odp.02 }}.'
+                  links:
+                    - href: '#si-19_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-19_smt'
+                  rel: assessment-for
             - id: si-19_asm-examine
               name: assessment-method
               props:
@@ -140304,6 +151674,9 @@ catalog:
                       value: SI-19(01)
                       class: sp800-53a
                   prose: the dataset is de-identified upon collection by not collecting personally identifiable information.
+                  links:
+                    - href: '#si-19.1_smt'
+                      rel: assessment-for
                 - id: si-19.1_asm-examine
                   name: assessment-method
                   props:
@@ -140400,6 +151773,9 @@ catalog:
                       value: SI-19(02)
                       class: sp800-53a
                   prose: the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.
+                  links:
+                    - href: '#si-19.2_smt'
+                      rel: assessment-for
                 - id: si-19.2_asm-examine
                   name: assessment-method
                   props:
@@ -140496,6 +151872,9 @@ catalog:
                       value: SI-19(03)
                       class: sp800-53a
                   prose: personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
+                  links:
+                    - href: '#si-19.3_smt'
+                      rel: assessment-for
                 - id: si-19.3_asm-examine
                   name: assessment-method
                   props:
@@ -140593,6 +151972,9 @@ catalog:
                       value: SI-19(04)
                       class: sp800-53a
                   prose: direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced.
+                  links:
+                    - href: '#si-19.4_smt'
+                      rel: assessment-for
                 - id: si-19.4_asm-examine
                   name: assessment-method
                   props:
@@ -140696,6 +152078,9 @@ catalog:
                           value: SI-19(05)[01]
                           class: sp800-53a
                       prose: numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;
+                      links:
+                        - href: '#si-19.5_smt'
+                          rel: assessment-for
                     - id: si-19.5_obj-2
                       name: assessment-objective
                       props:
@@ -140703,6 +152088,9 @@ catalog:
                           value: SI-19(05)[02]
                           class: sp800-53a
                       prose: contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;
+                      links:
+                        - href: '#si-19.5_smt'
+                          rel: assessment-for
                     - id: si-19.5_obj-3
                       name: assessment-objective
                       props:
@@ -140710,6 +152098,12 @@ catalog:
                           value: SI-19(05)[03]
                           class: sp800-53a
                       prose: statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.
+                      links:
+                        - href: '#si-19.5_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-19.5_smt'
+                      rel: assessment-for
                 - id: si-19.5_asm-examine
                   name: assessment-method
                   props:
@@ -140812,6 +152206,9 @@ catalog:
                       value: SI-19(06)
                       class: sp800-53a
                   prose: the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.
+                  links:
+                    - href: '#si-19.6_smt'
+                      rel: assessment-for
                 - id: si-19.6_asm-examine
                   name: assessment-method
                   props:
@@ -140915,6 +152312,9 @@ catalog:
                           value: SI-19(07)[01]
                           class: sp800-53a
                       prose: de-identification is performed using validated algorithms;
+                      links:
+                        - href: '#si-19.7_smt'
+                          rel: assessment-for
                     - id: si-19.7_obj-2
                       name: assessment-objective
                       props:
@@ -140922,6 +152322,12 @@ catalog:
                           value: SI-19(07)[02]
                           class: sp800-53a
                       prose: de-identification is performed using software that is validated to implement the algorithms.
+                      links:
+                        - href: '#si-19.7_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#si-19.7_smt'
+                      rel: assessment-for
                 - id: si-19.7_asm-examine
                   name: assessment-method
                   props:
@@ -141018,6 +152424,9 @@ catalog:
                       value: SI-19(08)
                       class: sp800-53a
                   prose: a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
+                  links:
+                    - href: '#si-19.8_smt'
+                      rel: assessment-for
                 - id: si-19.8_asm-examine
                   name: assessment-method
                   props:
@@ -141132,6 +152541,9 @@ catalog:
                   value: SI-20
                   class: sp800-53a
               prose: 'data or capabilities are embedded in {{ insert: param, si-20_odp }} to determine if organizational data has been exfiltrated or improperly removed from the organization.'
+              links:
+                - href: '#si-20_smt'
+                  rel: assessment-for
             - id: si-20_asm-examine
               name: assessment-method
               props:
@@ -141259,6 +152671,9 @@ catalog:
                   value: SI-21
                   class: sp800-53a
               prose: 'the {{ insert: param, si-21_odp.01 }} is refreshed {{ insert: param, si-21_odp.02 }} or is generated on demand and deleted when no longer needed.'
+              links:
+                - href: '#si-21_smt'
+                  rel: assessment-for
             - id: si-21_asm-examine
               name: assessment-method
               props:
@@ -141413,6 +152828,9 @@ catalog:
                       value: SI-22a.
                       class: sp800-53a
                   prose: '{{ insert: param, si-22_odp.01 }} for {{ insert: param, si-22_odp.02 }} are identified;'
+                  links:
+                    - href: '#si-22_smt.a'
+                      rel: assessment-for
                 - id: si-22_obj.b
                   name: assessment-objective
                   props:
@@ -141420,6 +152838,12 @@ catalog:
                       value: SI-22b.
                       class: sp800-53a
                   prose: 'an alternative information source is used for the execution of essential functions or services on {{ insert: param, si-22_odp.03 }} when the primary source of information is corrupted or unavailable.'
+                  links:
+                    - href: '#si-22_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-22_smt'
+                  rel: assessment-for
             - id: si-22_asm-examine
               name: assessment-method
               props:
@@ -141566,6 +152990,9 @@ catalog:
                       value: SI-23a.
                       class: sp800-53a
                   prose: 'under {{ insert: param, si-23_odp.01 }}, {{ insert: param, si-23_odp.02 }} is fragmented;'
+                  links:
+                    - href: '#si-23_smt.a'
+                      rel: assessment-for
                 - id: si-23_obj.b
                   name: assessment-objective
                   props:
@@ -141573,6 +153000,12 @@ catalog:
                       value: SI-23b.
                       class: sp800-53a
                   prose: 'under {{ insert: param, si-23_odp.01 }} , the fragmented information is distributed across {{ insert: param, si-23_odp.03 }}.'
+                  links:
+                    - href: '#si-23_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#si-23_smt'
+                  rel: assessment-for
             - id: si-23_asm-examine
               name: assessment-method
               props:
@@ -141868,6 +153301,9 @@ catalog:
                           value: SR-01a.[01]
                           class: sp800-53a
                       prose: a supply chain risk management policy is developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-2
                       name: assessment-objective
                       props:
@@ -141875,6 +153311,9 @@ catalog:
                           value: SR-01a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management policy is disseminated to {{ insert: param, sr-01_odp.01 }};'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-3
                       name: assessment-objective
                       props:
@@ -141882,6 +153321,9 @@ catalog:
                           value: SR-01a.[03]
                           class: sp800-53a
                       prose: supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a-4
                       name: assessment-objective
                       props:
@@ -141889,6 +153331,9 @@ catalog:
                           value: SR-01a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management procedures are disseminated to {{ insert: param, sr-01_odp.02 }}.'
+                      links:
+                        - href: '#sr-1_smt.a'
+                          rel: assessment-for
                     - id: sr-1_obj.a.1
                       name: assessment-objective
                       props:
@@ -141910,6 +153355,9 @@ catalog:
                                   value: SR-01a.01(a)[01]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses purpose;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-2
                               name: assessment-objective
                               props:
@@ -141917,6 +153365,9 @@ catalog:
                                   value: SR-01a.01(a)[02]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses scope; '
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-3
                               name: assessment-objective
                               props:
@@ -141924,6 +153375,9 @@ catalog:
                                   value: SR-01a.01(a)[03]
                                   class: sp800-53a
                               prose: '{{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses roles;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-4
                               name: assessment-objective
                               props:
@@ -141931,6 +153385,9 @@ catalog:
                                   value: SR-01a.01(a)[04]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses responsibilities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-5
                               name: assessment-objective
                               props:
@@ -141938,6 +153395,9 @@ catalog:
                                   value: SR-01a.01(a)[05]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses management commitment;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-6
                               name: assessment-objective
                               props:
@@ -141945,6 +153405,9 @@ catalog:
                                   value: SR-01a.01(a)[06]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses coordination among organizational entities;'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
                             - id: sr-1_obj.a.1.a-7
                               name: assessment-objective
                               props:
@@ -141952,6 +153415,12 @@ catalog:
                                   value: SR-01a.01(a)[07]
                                   class: sp800-53a
                               prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy addresses compliance.'
+                              links:
+                                - href: '#sr-1_smt.a.1.a'
+                                  rel: assessment-for
+                          links:
+                            - href: '#sr-1_smt.a.1.a'
+                              rel: assessment-for
                         - id: sr-1_obj.a.1.b
                           name: assessment-objective
                           props:
@@ -141959,6 +153428,15 @@ catalog:
                               value: SR-01a.01(b)
                               class: sp800-53a
                           prose: 'the {{ insert: param, sr-01_odp.03 }} supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;'
+                          links:
+                            - href: '#sr-1_smt.a.1.b'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.a.1'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.a'
+                      rel: assessment-for
                 - id: sr-1_obj.b
                   name: assessment-objective
                   props:
@@ -141966,6 +153444,9 @@ catalog:
                       value: SR-01b.
                       class: sp800-53a
                   prose: 'the {{ insert: param, sr-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;'
+                  links:
+                    - href: '#sr-1_smt.b'
+                      rel: assessment-for
                 - id: sr-1_obj.c
                   name: assessment-objective
                   props:
@@ -141987,6 +153468,9 @@ catalog:
                               value: SR-01c.01[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated {{ insert: param, sr-01_odp.05 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
                         - id: sr-1_obj.c.1-2
                           name: assessment-objective
                           props:
@@ -141994,6 +153478,12 @@ catalog:
                               value: SR-01c.01[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management policy is reviewed and updated following {{ insert: param, sr-01_odp.06 }};'
+                          links:
+                            - href: '#sr-1_smt.c.1'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.1'
+                          rel: assessment-for
                     - id: sr-1_obj.c.2
                       name: assessment-objective
                       props:
@@ -142008,6 +153498,9 @@ catalog:
                               value: SR-01c.02[01]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated {{ insert: param, sr-01_odp.07 }};'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
                         - id: sr-1_obj.c.2-2
                           name: assessment-objective
                           props:
@@ -142015,6 +153508,18 @@ catalog:
                               value: SR-01c.02[02]
                               class: sp800-53a
                           prose: 'the current supply chain risk management procedures are reviewed and updated following {{ insert: param, sr-01_odp.08 }}.'
+                          links:
+                            - href: '#sr-1_smt.c.2'
+                              rel: assessment-for
+                      links:
+                        - href: '#sr-1_smt.c.2'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-1_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-1_smt'
+                  rel: assessment-for
             - id: sr-1_asm-examine
               name: assessment-method
               props:
@@ -142191,6 +153696,9 @@ catalog:
                           value: SR-02a.[01]
                           class: sp800-53a
                       prose: a plan for managing supply chain risks is developed;
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-2
                       name: assessment-objective
                       props:
@@ -142198,6 +153706,9 @@ catalog:
                           value: SR-02a.[02]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the research and development of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-3
                       name: assessment-objective
                       props:
@@ -142205,6 +153716,9 @@ catalog:
                           value: SR-02a.[03]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the design of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-4
                       name: assessment-objective
                       props:
@@ -142212,6 +153726,9 @@ catalog:
                           value: SR-02a.[04]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the manufacturing of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-5
                       name: assessment-objective
                       props:
@@ -142219,6 +153736,9 @@ catalog:
                           value: SR-02a.[05]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the acquisition of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-6
                       name: assessment-objective
                       props:
@@ -142226,6 +153746,9 @@ catalog:
                           value: SR-02a.[06]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the delivery of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-7
                       name: assessment-objective
                       props:
@@ -142233,6 +153756,9 @@ catalog:
                           value: SR-02a.[07]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the integration of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-8
                       name: assessment-objective
                       props:
@@ -142240,6 +153766,9 @@ catalog:
                           value: SR-02a.[08]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the operation and maintenance of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
                     - id: sr-2_obj.a-9
                       name: assessment-objective
                       props:
@@ -142247,6 +153776,12 @@ catalog:
                           value: SR-02a.[09]
                           class: sp800-53a
                       prose: 'the supply chain risk management plan addresses risks associated with the disposal of {{ insert: param, sr-02_odp.01 }};'
+                      links:
+                        - href: '#sr-2_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.a'
+                      rel: assessment-for
                 - id: sr-2_obj.b
                   name: assessment-objective
                   props:
@@ -142254,6 +153789,9 @@ catalog:
                       value: SR-02b.
                       class: sp800-53a
                   prose: 'the supply chain risk management plan is reviewed and updated {{ insert: param, sr-02_odp.02 }} or as required to address threat, organizational, or environmental changes;'
+                  links:
+                    - href: '#sr-2_smt.b'
+                      rel: assessment-for
                 - id: sr-2_obj.c
                   name: assessment-objective
                   props:
@@ -142268,6 +153806,9 @@ catalog:
                           value: SR-02c.[01]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized disclosure;
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
                     - id: sr-2_obj.c-2
                       name: assessment-objective
                       props:
@@ -142275,6 +153816,15 @@ catalog:
                           value: SR-02c.[02]
                           class: sp800-53a
                       prose: the supply chain risk management plan is protected from unauthorized modification.
+                      links:
+                        - href: '#sr-2_smt.c'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-2_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-2_smt'
+                  rel: assessment-for
             - id: sr-2_asm-examine
               name: assessment-method
               props:
@@ -142421,6 +153971,9 @@ catalog:
                       value: SR-02(01)
                       class: sp800-53a
                   prose: 'a supply chain risk management team consisting of {{ insert: param, sr-02.01_odp.01 }} is established to lead and support {{ insert: param, sr-02.01_odp.02 }}.'
+                  links:
+                    - href: '#sr-2.1_smt'
+                      rel: assessment-for
                 - id: sr-2.1_asm-examine
                   name: assessment-method
                   props:
@@ -142654,6 +154207,9 @@ catalog:
                           value: SR-03a.[01]
                           class: sp800-53a
                       prose: 'a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
                     - id: sr-3_obj.a-2
                       name: assessment-objective
                       props:
@@ -142661,6 +154217,12 @@ catalog:
                           value: SR-03a.[02]
                           class: sp800-53a
                       prose: 'the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, sr-03_odp.01 }} is/are coordinated with {{ insert: param, sr-03_odp.02 }};'
+                      links:
+                        - href: '#sr-3_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-3_smt.a'
+                      rel: assessment-for
                 - id: sr-3_obj.b
                   name: assessment-objective
                   props:
@@ -142668,6 +154230,9 @@ catalog:
                       value: SR-03b.
                       class: sp800-53a
                   prose: '{{ insert: param, sr-03_odp.03 }} are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;'
+                  links:
+                    - href: '#sr-3_smt.b'
+                      rel: assessment-for
                 - id: sr-3_obj.c
                   name: assessment-objective
                   props:
@@ -142675,6 +154240,12 @@ catalog:
                       value: SR-03c.
                       class: sp800-53a
                   prose: 'the selected and implemented supply chain processes and controls are documented in {{ insert: param, sr-03_odp.04 }}.'
+                  links:
+                    - href: '#sr-3_smt.c'
+                      rel: assessment-for
+              links:
+                - href: '#sr-3_smt'
+                  rel: assessment-for
             - id: sr-3_asm-examine
               name: assessment-method
               props:
@@ -142815,6 +154386,9 @@ catalog:
                           value: SR-03(01)[01]
                           class: sp800-53a
                       prose: 'a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.01 }};'
+                      links:
+                        - href: '#sr-3.1_smt'
+                          rel: assessment-for
                     - id: sr-3.1_obj-2
                       name: assessment-objective
                       props:
@@ -142822,6 +154396,12 @@ catalog:
                           value: SR-03(01)[02]
                           class: sp800-53a
                       prose: 'a diverse set of sources is employed for {{ insert: param, sr-03.01_odp.02 }}.'
+                      links:
+                        - href: '#sr-3.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-3.1_smt'
+                      rel: assessment-for
                 - id: sr-3.1_asm-examine
                   name: assessment-method
                   props:
@@ -142932,6 +154512,9 @@ catalog:
                       value: SR-03(02)
                       class: sp800-53a
                   prose: '{{ insert: param, sr-03.02_odp }} are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.'
+                  links:
+                    - href: '#sr-3.2_smt'
+                      rel: assessment-for
                 - id: sr-3.2_asm-examine
                   name: assessment-method
                   props:
@@ -143049,6 +154632,9 @@ catalog:
                       value: SR-03(03)
                       class: sp800-53a
                   prose: the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
+                  links:
+                    - href: '#sr-3.3_smt'
+                      rel: assessment-for
                 - id: sr-3.3_asm-examine
                   name: assessment-method
                   props:
@@ -143193,6 +154779,9 @@ catalog:
                       value: SR-04[01]
                       class: sp800-53a
                   prose: 'valid provenance is documented for {{ insert: param, sr-04_odp }};'
+                  links:
+                    - href: '#sr-4_smt'
+                      rel: assessment-for
                 - id: sr-4_obj-2
                   name: assessment-objective
                   props:
@@ -143200,6 +154789,9 @@ catalog:
                       value: SR-04[02]
                       class: sp800-53a
                   prose: 'valid provenance is monitored for {{ insert: param, sr-04_odp }};'
+                  links:
+                    - href: '#sr-4_smt'
+                      rel: assessment-for
                 - id: sr-4_obj-3
                   name: assessment-objective
                   props:
@@ -143207,6 +154799,12 @@ catalog:
                       value: SR-04[03]
                       class: sp800-53a
                   prose: 'valid provenance is maintained for {{ insert: param, sr-04_odp }}.'
+                  links:
+                    - href: '#sr-4_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sr-4_smt'
+                  rel: assessment-for
             - id: sr-4_asm-examine
               name: assessment-method
               props:
@@ -143336,6 +154934,9 @@ catalog:
                           value: SR-04(01)[01]
                           class: sp800-53a
                       prose: 'unique identification of {{ insert: param, sr-04.01_odp }} is established;'
+                      links:
+                        - href: '#sr-4.1_smt'
+                          rel: assessment-for
                     - id: sr-4.1_obj-2
                       name: assessment-objective
                       props:
@@ -143343,6 +154944,12 @@ catalog:
                           value: SR-04(01)[02]
                           class: sp800-53a
                       prose: 'unique identification of {{ insert: param, sr-04.01_odp }} is maintained.'
+                      links:
+                        - href: '#sr-4.1_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-4.1_smt'
+                      rel: assessment-for
                 - id: sr-4.1_asm-examine
                   name: assessment-method
                   props:
@@ -143464,6 +155071,9 @@ catalog:
                           value: SR-04(02)[01]
                           class: sp800-53a
                       prose: 'the unique identification of {{ insert: param, sr-04.02_odp }} is established for tracking through the supply chain;'
+                      links:
+                        - href: '#sr-4.2_smt'
+                          rel: assessment-for
                     - id: sr-4.2_obj-2
                       name: assessment-objective
                       props:
@@ -143471,6 +155081,12 @@ catalog:
                           value: SR-04(02)[02]
                           class: sp800-53a
                       prose: 'the unique identification of {{ insert: param, sr-04.02_odp }} is maintained for tracking through the supply chain.'
+                      links:
+                        - href: '#sr-4.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-4.2_smt'
+                      rel: assessment-for
                 - id: sr-4.2_asm-examine
                   name: assessment-method
                   props:
@@ -143607,6 +155223,9 @@ catalog:
                           value: SR-04(03)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sr-04.03_odp.01 }} are employed to validate that the system or system component received is genuine;'
+                      links:
+                        - href: '#sr-4.3_smt'
+                          rel: assessment-for
                     - id: sr-4.3_obj-2
                       name: assessment-objective
                       props:
@@ -143614,6 +155233,12 @@ catalog:
                           value: SR-04(03)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sr-04.03_odp.02 }} are employed to validate that the system or system component received has not been altered.'
+                      links:
+                        - href: '#sr-4.3_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-4.3_smt'
+                      rel: assessment-for
                 - id: sr-4.3_asm-examine
                   name: assessment-method
                   props:
@@ -143754,6 +155379,9 @@ catalog:
                           value: SR-04(04)[01]
                           class: sp800-53a
                       prose: '{{ insert: param, sr-04.04_odp.01 }} are employed to ensure the integrity of the system and system components;'
+                      links:
+                        - href: '#sr-4.4_smt'
+                          rel: assessment-for
                     - id: sr-4.4_obj-2
                       name: assessment-objective
                       props:
@@ -143761,6 +155389,12 @@ catalog:
                           value: SR-04(04)[02]
                           class: sp800-53a
                       prose: '{{ insert: param, sr-04.04_odp.02 }} is conducted to ensure the integrity of the system and system components.'
+                      links:
+                        - href: '#sr-4.4_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-4.4_smt'
+                      rel: assessment-for
                 - id: sr-4.4_asm-examine
                   name: assessment-method
                   props:
@@ -143923,6 +155557,9 @@ catalog:
                       value: SR-05[01]
                       class: sp800-53a
                   prose: '{{ insert: param, sr-05_odp }} are employed to protect against supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-2
                   name: assessment-objective
                   props:
@@ -143930,6 +155567,9 @@ catalog:
                       value: SR-05[02]
                       class: sp800-53a
                   prose: '{{ insert: param, sr-05_odp }} are employed to identify supply chain risks;'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
                 - id: sr-5_obj-3
                   name: assessment-objective
                   props:
@@ -143937,6 +155577,12 @@ catalog:
                       value: SR-05[03]
                       class: sp800-53a
                   prose: '{{ insert: param, sr-05_odp }} are employed to mitigate supply chain risks.'
+                  links:
+                    - href: '#sr-5_smt'
+                      rel: assessment-for
+              links:
+                - href: '#sr-5_smt'
+                  rel: assessment-for
             - id: sr-5_asm-examine
               name: assessment-method
               props:
@@ -144068,6 +155714,9 @@ catalog:
                       value: SR-05(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sr-05.01_odp.01 }} are employed to ensure an adequate supply of {{ insert: param, sr-05.01_odp.02 }}.'
+                  links:
+                    - href: '#sr-5.1_smt'
+                      rel: assessment-for
                 - id: sr-5.1_asm-examine
                   name: assessment-method
                   props:
@@ -144194,6 +155843,9 @@ catalog:
                           value: SR-05(02)[01]
                           class: sp800-53a
                       prose: the system, system component, or system service is assessed prior to selection;
+                      links:
+                        - href: '#sr-5.2_smt'
+                          rel: assessment-for
                     - id: sr-5.2_obj-2
                       name: assessment-objective
                       props:
@@ -144201,6 +155853,9 @@ catalog:
                           value: SR-05(02)[02]
                           class: sp800-53a
                       prose: the system, system component, or system service is assessed prior to acceptance;
+                      links:
+                        - href: '#sr-5.2_smt'
+                          rel: assessment-for
                     - id: sr-5.2_obj-3
                       name: assessment-objective
                       props:
@@ -144208,6 +155863,9 @@ catalog:
                           value: SR-05(02)[03]
                           class: sp800-53a
                       prose: the system, system component, or system service is assessed prior to modification;
+                      links:
+                        - href: '#sr-5.2_smt'
+                          rel: assessment-for
                     - id: sr-5.2_obj-4
                       name: assessment-objective
                       props:
@@ -144215,6 +155873,12 @@ catalog:
                           value: SR-05(02)[04]
                           class: sp800-53a
                       prose: the system, system component, or system service is assessed prior to update.
+                      links:
+                        - href: '#sr-5.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-5.2_smt'
+                      rel: assessment-for
                 - id: sr-5.2_asm-examine
                   name: assessment-method
                   props:
@@ -144351,6 +156015,9 @@ catalog:
                   value: SR-06
                   class: sp800-53a
               prose: 'the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed {{ insert: param, sr-06_odp }}.'
+              links:
+                - href: '#sr-6_smt'
+                  rel: assessment-for
             - id: sr-6_asm-examine
               name: assessment-method
               props:
@@ -144476,6 +156143,9 @@ catalog:
                       value: SR-06(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sr-06.01_odp.01 }} is/are employed on {{ insert: param, sr-06.01_odp.02 }} associated with the system, system component, or system service.'
+                  links:
+                    - href: '#sr-6.1_smt'
+                      rel: assessment-for
                 - id: sr-6.1_asm-examine
                   name: assessment-method
                   props:
@@ -144595,6 +156265,9 @@ catalog:
                   value: SR-07
                   class: sp800-53a
               prose: '{{ insert: param, sr-07_odp }} are employed to protect supply chain-related information for the system, system component, or system service.'
+              links:
+                - href: '#sr-7_smt'
+                  rel: assessment-for
             - id: sr-7_asm-examine
               name: assessment-method
               props:
@@ -144744,6 +156417,9 @@ catalog:
                   value: SR-08
                   class: sp800-53a
               prose: 'agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for {{ insert: param, sr-08_odp.01 }}.'
+              links:
+                - href: '#sr-8_smt'
+                  rel: assessment-for
             - id: sr-8_asm-examine
               name: assessment-method
               props:
@@ -144858,6 +156534,9 @@ catalog:
                   value: SR-09
                   class: sp800-53a
               prose: a tamper protection program is implemented for the system, system component, or system service.
+              links:
+                - href: '#sr-9_smt'
+                  rel: assessment-for
             - id: sr-9_asm-examine
               name: assessment-method
               props:
@@ -144964,6 +156643,9 @@ catalog:
                       value: SR-09(01)
                       class: sp800-53a
                   prose: anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.
+                  links:
+                    - href: '#sr-9.1_smt'
+                      rel: assessment-for
                 - id: sr-9.1_asm-examine
                   name: assessment-method
                   props:
@@ -145137,6 +156819,9 @@ catalog:
                   value: SR-10
                   class: sp800-53a
               prose: '{{ insert: param, sr-10_odp.01 }} are inspected {{ insert: param, sr-10_odp.02 }} to detect tampering.'
+              links:
+                - href: '#sr-10_smt'
+                  rel: assessment-for
             - id: sr-10_asm-examine
               name: assessment-method
               props:
@@ -145308,6 +156993,9 @@ catalog:
                           value: SR-11a.[01]
                           class: sp800-53a
                       prose: an anti-counterfeit policy is developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-2
                       name: assessment-objective
                       props:
@@ -145315,6 +157003,9 @@ catalog:
                           value: SR-11a.[02]
                           class: sp800-53a
                       prose: anti-counterfeit procedures are developed and implemented;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-3
                       name: assessment-objective
                       props:
@@ -145322,6 +157013,9 @@ catalog:
                           value: SR-11a.[03]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to detect counterfeit components entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
                     - id: sr-11_obj.a-4
                       name: assessment-objective
                       props:
@@ -145329,6 +157023,12 @@ catalog:
                           value: SR-11a.[04]
                           class: sp800-53a
                       prose: the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;
+                      links:
+                        - href: '#sr-11_smt.a'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11_smt.a'
+                      rel: assessment-for
                 - id: sr-11_obj.b
                   name: assessment-objective
                   props:
@@ -145336,6 +157036,12 @@ catalog:
                       value: SR-11b.
                       class: sp800-53a
                   prose: 'counterfeit system components are reported to {{ insert: param, sr-11_odp.01 }}.'
+                  links:
+                    - href: '#sr-11_smt.b'
+                      rel: assessment-for
+              links:
+                - href: '#sr-11_smt'
+                  rel: assessment-for
             - id: sr-11_asm-examine
               name: assessment-method
               props:
@@ -145461,6 +157167,9 @@ catalog:
                       value: SR-11(01)
                       class: sp800-53a
                   prose: '{{ insert: param, sr-11.01_odp }} are trained to detect counterfeit system components (including hardware, software, and firmware).'
+                  links:
+                    - href: '#sr-11.1_smt'
+                      rel: assessment-for
                 - id: sr-11.1_asm-examine
                   name: assessment-method
                   props:
@@ -145585,6 +157294,9 @@ catalog:
                           value: SR-11(02)[01]
                           class: sp800-53a
                       prose: 'configuration control over {{ insert: param, sr-11.02_odp }} awaiting service or repair is maintained;'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
                     - id: sr-11.2_obj-2
                       name: assessment-objective
                       props:
@@ -145592,6 +157304,12 @@ catalog:
                           value: SR-11(02)[02]
                           class: sp800-53a
                       prose: 'configuration control over serviced or repaired {{ insert: param, sr-11.02_odp }} awaiting return to service is maintained.'
+                      links:
+                        - href: '#sr-11.2_smt'
+                          rel: assessment-for
+                  links:
+                    - href: '#sr-11.2_smt'
+                      rel: assessment-for
                 - id: sr-11.2_asm-examine
                   name: assessment-method
                   props:
@@ -145700,6 +157418,9 @@ catalog:
                       value: SR-11(03)
                       class: sp800-53a
                   prose: 'scanning for counterfeit system components is conducted {{ insert: param, sr-11.03_odp }}.'
+                  links:
+                    - href: '#sr-11.3_smt'
+                      rel: assessment-for
                 - id: sr-11.3_asm-examine
                   name: assessment-method
                   props:
@@ -145826,6 +157547,9 @@ catalog:
                   value: SR-12
                   class: sp800-53a
               prose: '{{ insert: param, sr-12_odp.01 }} are disposed of using {{ insert: param, sr-12_odp.02 }}.'
+              links:
+                - href: '#sr-12_smt'
+                  rel: assessment-for
             - id: sr-12_asm-examine
               name: assessment-method
               props:
@@ -146059,12 +157783,24 @@ catalog:
           text: National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.
         rlinks:
           - href: https://doi.org/10.6028/NIST.FIPS.186-4
+      - uuid: ff989cdc-649d-4f45-8f61-9309c9680933
+        title: FIPS 196
+        citation:
+          text: National Institute of Standards and Technology (1997) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 196.
+        rlinks:
+          - href: https://doi.org/10.6028/NIST.FIPS.196
       - uuid: 736d6310-e403-4b57-a79d-9967970c66d7
         title: FIPS 197
         citation:
           text: National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197.
         rlinks:
           - href: https://doi.org/10.6028/NIST.FIPS.197
+      - uuid: e9d6c5f2-b3aa-4a28-8bea-a0135718d453
+        title: FIPS 198-1
+        citation:
+          text: National Institute of Standards and Technology (2008) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 198-1.
+        rlinks:
+          - href: https://doi.org/10.6028/NIST.FIPS.198-1
       - uuid: 628d22a1-6a11-4784-bc59-5cd9497b5445
         title: FIPS 199
         citation:
@@ -147035,3 +158771,7 @@ catalog:
         rlinks:
           - href: https://doi.org/10.6028/NIST.SP.800-53r5
             media-type: application/pdf
+      - uuid: 5a5ffcb9-2272-484e-8d47-4483a0585dec
+        title: NIST SP 800-53 content and other OSCAL content examples
+        rlinks:
+          - href: https://github.com/usnistgov/oscal-content/releases/